Usable code verification: balancing costs and benefits Two nuggets: User-defined verifiers Crowd-sourced verification Michael D. Ernst University of Washington.

Slides:

Advertisements

Similar presentations

Static Analysis for Security

Advertisements

Top 10 User Mistakes with Static Analysis Sate IV March 2012.

Javascript Code Quality Check Tools Javascript Code Quality Check Tools JavaScript was originally intended to do small tasks in webpages, but now JavaScript.

Identity and Equality Based on material by Michael Ernst, University of Washington.

MAHDI OMAR JUNIT TUTORIAL. CONTENTS Installation of Junit Eclipse support for Junit Using Junit exercise JUnit options Questions Links and Literature.

Alternate Software Development Methodologies

Preventing bugs with pluggable type checking Michael D. Ernst University of Washington Object x)

GUI Threading Explained and Verified Michael Ernst U. of Washington, Seattle, USA IMDEA Software Institute, Madrid, Spain joint work with Colin Gordon,

Static code check – Klocwork

Detecting and preventing bugs with pluggable type-checking Michael D. Ernst University of Washington Joint work with Mahmood Ali, Werner Dietl, …

1 The JQuery Tool A Generic Query-Based Code browser for Eclipse Project leaders: Kris De Volder, Gregor Kiczales Students: Doug Janzen, Rajeswari Rajagopalan,

Software Practices Lab. -- The University of British Columbia 1 The JQuery Tool A Generic Query-Based Code browser for Eclipse Project leaders: Kris De.

Software Engineering and Design Principles Chapter 1.

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

Software Quality Metrics

Visualizing Type Qualifier Inference with Eclipse David Greenfieldboyce Jeffrey S. Foster University of Maryland.

CQual: A Tool for Adding Type Qualifiers to C Jeff Foster et al UC Berkeley OSQ Retreat, May

2007 Adobe Systems Incorporated. All Rights Reserved. 1 Joe Berkovitz VP Engineering Allurent, Inc. Continuous Integration with Flex, FlexUnit, and Ant.

CSE 403 Lecture 11 Static Code Analysis Reading: IEEE Xplore, "Using Static Analysis to Find Bugs" slides created by Marty Stepp

Getting Started With Java Downloading and installing software Running your first program Dr. DwyerFall 2012.

Red Lizard Software Creators of Code Confidence..

Towards Scalable Modular Checking of User-defined Properties Thomas Ball, MSR Brian Hackett, Mozilla Shuvendu Lahiri, MSR Shaz Qadeer, MSR Julien Vanegue,

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

CSCE 548 Code Review. CSCE Farkas2 Reading This lecture: – McGraw: Chapter 4 – Recommended: Best Practices for Peer Code Review,

Eng. Mohammed Timraz Electronics & Communication Engineer University of Palestine Faculty of Engineering and Urban planning Software Engineering Department.

T-unit: Tcl Unit Test Package Automated Unit Test Package For Tcl Procedures Final Presentation Joseph Boyle Loyola Marymount University.

Object x) { List lst; … } Detecting and preventing null pointer errors with pluggable type-checking CSE 331 University of Washington.

1.8History of Java Java –Based on C and C++ –Originally developed in early 1991 for intelligent consumer electronic devices Market did not develop, project.

Preventing bugs with pluggable type checking Michael Ernst and Mahmood Ali University of Washington and MIT OOPSLA 2009 tutorial Object.

Ethics of Software Testing Thomas LaToza CS 210 Final Presentation 12 / 2 / 2002.

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 1: Software and Software Engineering.

Guide to Programming with Python Chapter One Getting Started: The Game Over Program.

COMP 111 Threads and concurrency Sept 28, Tufts University Computer Science2 Who is this guy? I am not Prof. Couch Obvious? Sam Guyer New assistant.

User-defined type checkers for error detection and prevention in Java Michael D. Ernst MIT Computer Science & AI Lab

1 CS210 Intermediate Computing with Data Structures (Java) Saaid Baraty S-3-90.

Unit Testing with JUnit and Clover Based on material from: Daniel Amyot JUnit Web site.

Computer Programming 2 Why do we study Java….. Java is Simple It has none of the following: operator overloading, header files, pre- processor, pointer.

Hack for HHVM Converting Facebook Julien Verlaguet Software Engineer.

DrJava A lightweight pedagogic environment for Java Eric Allen, Robert Cartwright, and Brian Stoler Rice University

CS5103 Software Engineering Lecture 02 More on Software Process Models.

Demo of Scalable Pluggable Types Michael Ernst MIT Dagstuhl Seminar “Scalable Program Analysis” April 17, 2008.

How analysis can hinder source code manipulaton And what to do about it Michael Ernst University of Washington.

1 CS 501 Spring 2003 CS 501: Software Engineering Lecture 26 Delivering the System.

May08-21 Model-Based Software Development Kevin Korslund Daniel De Graaf Cory Kleinheksel Benjamin Miller Client – Rockwell Collins Faculty Advisor – Dr.

JSR 308: Type Annotations Making Java annotations more general and more useful Spec leads: Michael Ernst & Alex Buckley Implementation lead: Werner Dietl.

Using Symbolic PathFinder at NASA Corina Pãsãreanu Carnegie Mellon/NASA Ames.

Java Annotations. Annotations  Annotations are metadata or data about data. An annotation indicates that the declared element should be processed in.

1 CSE 331 Hash codes; annotations slides created by Marty Stepp based on materials by M. Ernst, S. Reges, D. Notkin, R. Mercer, Wikipedia

Java Annotations for Types and Expressions Mathias Ricken October 24, 2008 COMP 617 Seminar.

Detecting and preventing bugs with pluggable type-checking Michael D. Ernst University of Washington Joint work with Werner Dietl, and many others

Testimonial. “Celoxis has been awarded and recognized byWebHostingSearch.com as one of the BEST WEB TOOL FOR PROJECT MANAGEMENT SOFTWARE CATEGORY. ”

Secure Programming with Static Analysis Brian Chess, Ph.D.

Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with Mahmood Ali and Matthew Papi Object.

Preventing bugs with pluggable type-checking Michael Ernst MIT

Zach Tatlock / Winter 2016 CSE 331 Software Design and Implementation Lecture 16 Checker Framework.

Findbugs Tin Bui-Huy September, Content What is bug? What is bug? What is Findbugs? What is Findbugs? How to use Findbugs? How to use Findbugs?

How Sage ERP X3 Systems Can Benefit Businesses.  Sage X3 is an affordable and flexible ERP solution designed to help mid-sized companies manage business.

for regular expressions

Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.

CSE 331 Software Design and Implementation

Paul Ammann & Jeff Offutt

Improving software quality using Visual Studio 11 C++ Code Analysis

CodePeer Update Arnaud Charlet CodePeer Update Arnaud Charlet

QGen and TQL-1 Qualification

CodePeer Update Arnaud Charlet CodePeer Update Arnaud Charlet

Java Programming Course

CSE 331 Annotations slides created by Marty Stepp based on materials by M. Ernst, S. Reges, D. Notkin, R. Mercer, Wikipedia

Annotation-Assisted Lightweight Static Checking

Java Annotations for Invariant Specification

Presentation transcript:

Usable code verification: balancing costs and benefits Two nuggets: User-defined verifiers Crowd-sourced verification Michael D. Ernst University of Washington with: Mahmood Ali, Steph Dietzel, Werner Dietl, Kivanc Muslu, Matt Papi, Todd Schiller, …

Goals for usable verification: scalability to real programs and programmers Natural: fits into developer mindset and IDE – Usable by first-year college students – Comprehensible, predictable success/failure Incremental benefit: instant gratification – Fast verification – Partial correctness domain-specific properties loopholes (hand-checked) – Partial programs: modular Customizable: user can create/extend verifiers

Type systems The (only) shining success of formal verification The built-in type system prevents too few bugs java.lang.NullPointerException

Solution: Pluggable type systems Design a type system to solve a specific problem Write type qualifiers in code (or, use type Date date = new Date(0); date.setTime(70); // compile-time error Type checker warns about violations (bugs) % javac -processor NullnessChecker MyFile.java MyFile.java:149: dereference of possibly-null reference bb2 allVars = bb2.vars; ^

What bugs can you detect & prevent? Null Mutation and Concurrency: Security: Equality Strings: regular expression signature Typestate (e.g., open/closed Users can write their own checkers! The annotation you write: 5 The property you care about:

Using a checker Run in IDE or on command line Works as a compiler plug-in (annotation processor) Uses familiar error messages % javac –processor NullnessChecker MyFile.java MyFile.java:9: incompatible types. nonNullVar = nullableValue; ^ found String String 6

Features Tool support Full type system – Inheritance – Overriding – Type and qualifier polymorphism Pre-/post-conditions Local type inference Qualifier defaults Warning suppression Tool integration: javac, Eclipse, Ant, Maven, … Global inference tools: nullness, mutability Type annotations planned for Java 8 – Write in comments today

Taint checker To use it: in your program List String category) {…} 2.Compile your program javac -processor BasicChecker @ImplicitFor(trees = {STRING_LITERAL}) Untainted { } The complete code Writing a new checker: Simple type-checkers are very easy to write; complicated ones are possible to write

Results: Effective and easy to use Easy to use – Used by students in the first CS majors class at UW – In use industrially – My group has annotated 3 million lines of code Effective: found >300 bugs, in the JDK, Google Collections, Lucene, Xerces, ASM, SVNKit, … Annotations are not verbose – Fewer than 1 per 75 lines – Few false positive warnings

Verification from the genesis Post-hoc annotation and verification is painful Writing annotations with the code is painless Must both write and verify from the beginning (A generalized approach: Ductile subsumes hybrid and gradual typing:

Type systems complement other verification strategies There is a place for both Types are more limited in expressiveness – cf. arbitrary assertions, first-order logic Many important properties are expressible

Nugget 2: Making software correctness profitable Leveraging comparative advantage in software engineering tools

Software bugs cost the US economy an estimated $59.5 billion annually Testing and verification are labor intensive Skilled labor is expensive

An Abundance of Cheap(er) Labor Average software developer$43.00 / hr Average Mechanical Turk worker$1.40 / hr

Adaptive Semi-Automated (ASA) tools use less-skilled, less-expensive, workers Decompose large tasks into automated and human-performed subtasks

Using less-skilled labor can be clean and simple What happens when you can’t cleanly create simple subtasks?

Design Principles 1.Target well-defined skill sets 2.Exploit parallelism between subtasks 3.Create labor markets to minimize costs

Research Questions What skill sets are required for Einstein and John to use the tool? What is the learning curve for Einstein and John to use the tool? Given a task and salaries, how much time and money is saved by using the tool? Given a fixed resource budget, can the tool provide benefits beyond those provided by other methods?

Tool design is an optimization problem ASA tool design requires empirical studies

Checker Framework for creating type checkers – Featureful, effective, easy to use, scalable Prevent bugs at compile time Create custom type- checkers Ask me for a demo, or download: types.cs.washington.edu/ Reduce the cost of software engineering by using less-skilled labor Adaptive to make up for imperfect task decomposition Tool analysis is an optimization problem Pluggable type systems Adaptive semi- automated verification Balancing costs and benefits for widespread verification: Natural, incremental, customizable