Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.

Slides:



Advertisements
Similar presentations
Advanced programming tools at Microsoft
Advertisements

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Demand-driven inference of loop invariants in a theorem prover
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Extended Static Checking for Java Cormac Flanagan Slides courtesy of Rustan Leino.
Avoiding Exponential Explosion: Generating Compact Verification Conditions Cormac Flanagan and James B. Saxe Compaq Systems Research Center With help from.
1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
An overview of JML tools and applications Lilian Burdy Gemplus Yoonsik Cheon, Gary Leavens Iowa Univ. David Cok Kodak Michael Ernst MIT Rustan Leino Microsoft.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Cormac Flanagan Software Model Checking via Iterative Abstraction Refinement of CLP Queries 1 Software Model Checking via Iterative Abstraction Refinement.
Hoare-style program verification K. Rustan M. Leino Guest lecturer Rob DeLine’s CSE 503, Software Engineering University of Washington 26 Apr 2004.
Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Predicate Abstraction for Software Verification Shaz Qadeer Compaq Systems Research Center (joint work with Cormac Flanagan)
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Review: forward E { P } { P && E } TF { P && ! E } { P 1 } { P 2 } { P 1 || P 2 } x = E { P } { \exists … }
Predicate Abstraction for Software Verification Cormac Flanagan Shaz Qadeer Compaq Systems Research Center.
1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.
Thread-Modular Verification Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund.
Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.
Lazy Abstraction Lecture 3 : Partial Analysis Ranjit Jhala UC San Diego With: Tom Henzinger, Rupak Majumdar, Ken McMillan, Gregoire Sutre.
Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.
Jonathan Kuhn Robin Mange EPFL-SSC Compaq Systems Research Center Flanagan, Leino, Lillibridge, Nelson, Saxe and Stata.
Extended Static Checking for Java or Light-weight formal methods: from objects to components Joint work with Cormac Flanagan, Mark Lillibridge, Greg Nelson,
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Rule Checking SLAM Checking Temporal Properties of Software with Boolean Programs Thomas Ball, Sriram K. Rajamani Microsoft Research Presented by Okan.
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.
CS 363 Comparative Programming Languages Semantics.
Houdini, an annotation assistant for ESC/Java K. Rustan M. Leino Compaq SRC Joint work with Cormac Flanagan K. Rustan M. Leino Compaq SRC Joint work with.
Applications of extended static checking K. Rustan M. Leino Compaq SRC K. Rustan M. Leino Compaq SRC Systems Research Center Invited talk, SAS’01, Paris,
Cs2220: Engineering Software Class 6: Defensive Programming Fall 2010 University of Virginia David Evans.
Extended Static Checking for Java or Light-weight formal methods: from objects to components Joint work with Cormac Flanagan, Mark Lillibridge, Greg Nelson,
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata.
Early Detection of JML Specification Errors using ESC/Java2 Patrice Chalin Dependable Software Research Group (DSRG) Computer Science and Software Engineering.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 1 Static Checking  note for.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.
Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008.
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
Array Size Arrays use static allocation of space. That is, when the array is created, we must specify the size of the array, e.g., int[] grades = new int[100];
ESCJ 14: ESC/Java Project Review Slides March 6th, 1997.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 10: Programming Exceptionally.
Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.
Extended Static Checking for Java
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
Types for Programs and Proofs
Review Session.
Hoare-style program verification
CSE 1020:Software Development
Gradual Verification Seamlessly and flexibly combine static and dynamic verification by drawing on the general principles from abstract interpretation.
Presentation transcript:

Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center

Software QA via Testing u Useful (the dominant methodology), but.. u Costly l half of development cost is testing l finds errors late in development cycle u Incomplete l often fails to ensure needed reliability l hard to test all configurations

Software QA via Static Checking u Statically verify many correctness properties u Type systems catch many errors l e.g. “Cannot multiply a number and a string” u Would like to catch additional errors l e.g. “Array index out of bounds at line 10” u And verify other correctness properties l assertions l object invariants l lightweight method specifications

Extended Static Checker Architecture The translator “understands” the semantics of Java. A verification condition is a logical formula that, ideally, is valid if and only if the program is free of the kinds of error under consideration. The automatic theorem prover is invisible to users. Counterexamples are turned into precise warning messages. ESC/Java Java method + annotations Translator Verification conditions Automatic theorem prover Counterexamples Post-processor Warning messages Index out of bounds on line 218 Method does not preserve object invariant on line 223

ESC/Java Example class Rational { int num, denom; Rational(int n, int d) { num = n; denom = d; } double getDouble() { return ((double)num)/denom; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); print( r.getDouble() ); }... } Warning: possible division by zero Warning: invariant possibly not established invariant denom != 0; requires d != 0; Warning: precondition possibly not established

ESC/Java Experience u Tested on 40 KLOC, caught a variety of defects u Ready for educational/research use? Yes! l u Ready for software engineering use? Not really. l annotation overhead significant l annotations increase program size by 10% l requires 1 programmer-hour to annotate 300 lines of code u Need annotation inference for ESC/Java!

Houdini Architecture Class A { String s; … } Generate set of candidate annotations Class A { String s; … … … } Annotation Refutation Loop

Generating Candidate Annotations u Invariants generated heuristically from program text For fields int i,j guess invariant i cmp j; invariant i cmp 0; where cmp  {, >= } For field Object[] a guess invariant a != null; invariant a.length cmp i; invariant (forall int k; 0 <= k && k a[k] != null); u Similar heuristics for preconditions and postconditions

Removing Invalid Annotations State Space Powerset Lattice Initial states... G  Refute some annotations Fixpoint Reachable states Candidate set

Houdini Architecture Class A { String s; … } Generate set of candidate annotations ESC/Java Warning: Invariant not established Warning:... Annotation remover Class A { String s; … … … } Annotation Refutation Loop

Houdini Example class Rational { int num, denom; Rational(int n, int d) { num = n; denom = d; } double getDouble() { return ((double)num)/denom; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); print( r.getDouble() ); }... } Warning: invariant possibly not established Warning: precondition possibly not established invariant num != 0; requires d != 0; invariant denom != 0; requires n != 0; u No warnings refuting annotations l Remaining annotations are valid l Houdini algorithm terminates Warning: possible division by zero

Houdini Architecture Class A { String s; … } Generate set of candidate annotations ESC/Java Warning: Invariant not established Warning:... Annotation remover web page generator /#* */ Class A... } NETSCAPE Class A { String s; … … … }

Finding the cause of a warning class Rational { int num, denom; Rational(int n, int d) { num = n; denom = d; } double getDouble() { return ((double)num)/denom; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); print( r.getDouble() ); }... } invariant num != 0; requires d != 0; invariant denom != 0; requires n != 0; Warning: possible division by zero Hyperlink

Houdini Example (corrected) class Rational { int num, denom; Rational(int n, int d) { num = n; denom = d; } double getDouble() { return ((double)num)/denom; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(n,d); print( r.getDouble() ); }... } Warning: invariant possibly not established Warning: precondition possibly not established invariant num != 0; requires d != 0; invariant denom != 0; requires n != 0; u No warnings refuting annotations l Remaining annotations are valid l Houdini algorithm terminates u No warnings about primitive operations l Division by zero error is impossible

Houdini Architecture Class A { String s; … } Generate set of candidate annotations ESC/Java Warning: Invariant not established Warning:... Annotation remover web page generator /#* */ Class A... } NETSCAPE Library Spec Class L { … … … } Class A { String s; … … … }

Houdini is a Two-Level Analysis u Interprocedural analysis l Uses ESC/Java (weakest preconditions, theorem proving) l Precise, not scalable u Intraprocedural analysis l Abstract interpretation based on powerset lattice l Less precise, but more scalable l Can add annotations manually l Houdini’s heuristics are extensible Eg. to reason about whether int[][] a is rectangular, guess (forall int i,j; 0 <= i && i < a.length && 0 <= j && j < a.length ==> a[i].length == a[j].length);

Evaluation

Houdini for Other Modular Checkers u Houdini originally designed for ESC/Java u But could be ported to other modular checkers Ported to rccjava (Race Condition Checker for Java) Requires new heuristics for guessing annotations Straightforward port Infers useful locking annotations u Houdini for your favorite modular checker?

Conclusions u Houdini is an effective annotation assistant l Infers many useful annotations l Significantly reduces number of ESC/Java warnings u Future work l Refine guessing heuristics Guess fewer “useless” annotations Guess additional properties (aliasing, container classes) l Refine user interface l Check 500,000 LOC

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.