Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 1 Static Checking  note for.

Slides:



Advertisements
Similar presentations
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Advertisements

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
Automated Verification with HIP and SLEEK Asankhaya Sharma.
Extended Static Checking for Haskell (ESC/Haskell) Dana N. Xu University of Cambridge advised by Simon Peyton Jones Microsoft Research, Cambridge.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.
CMSC 202 Exceptions 2 nd Lecture. Aug 7, Methods may fail for multiple reasons public class BankAccount { private int balance = 0, minDeposit =
JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.
Securing Java applets Erik Poll Security of Systems (SOS) group University of Nijmegen
272: Software Engineering Fall 2008 Instructor: Tevfik Bultan Lecture 3: Java Modeling Language and Extended Static Checking.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Extended Static Checking for Java Cormac Flanagan Slides courtesy of Rustan Leino.
An overview of JML tools and applications Lilian Burdy Gemplus Yoonsik Cheon, Gary Leavens Iowa Univ. David Cok Kodak Michael Ernst MIT Rustan Leino Microsoft.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Dynamically Discovering Likely Program Invariants to Support Program Evolution Michael D. Ernst, Jake Cockrell, William G. Griswold, David Notkin Presented.
JML and Class Specifications Class invariant JML definitions Queue example Running JML in Eclipse.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
JML TOOLS REVIEW & EVALUATION Chris Grosshans Mark Lewis-Prazen.
Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.
CMPSC 272: Software Engineering Spring 2003 Instructor: Tevfik Bultan Extended Static Checking.
Lecture 4 Requirements Testing & Requirements Modeling.
Automated Theorem Proving Arnon Avron Mooly Sagiv Based on a presentations by Jonathan Aldrich,Sorin Lerner.
Jonathan Kuhn Robin Mange EPFL-SSC Compaq Systems Research Center Flanagan, Leino, Lillibridge, Nelson, Saxe and Stata.
Extended Static Checking for Java or Light-weight formal methods: from objects to components Joint work with Cormac Flanagan, Mark Lillibridge, Greg Nelson,
CUTE: A Concolic Unit Testing Engine for C Technical Report Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Designing Programming Languages to Improve Software Quality David J. Pearce Software Quality New Zealand, August
1 Total Correctness of Recursive Functions Using JML4 FSPV George Karabotsos, Patrice Chalin, Perry R. James, Leveda Giannas Dependable Software Research.
Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.
The Daikon system for dynamic detection of likely invariants MIT Computer Science and Artificial Intelligence Lab. 16 January 2007 Presented by Chervet.
Unit Testing 101 Black Box v. White Box. Definition of V&V Verification - is the product correct Validation - is it the correct product.
Houdini, an annotation assistant for ESC/Java K. Rustan M. Leino Compaq SRC Joint work with Cormac Flanagan K. Rustan M. Leino Compaq SRC Joint work with.
Applications of extended static checking K. Rustan M. Leino Compaq SRC K. Rustan M. Leino Compaq SRC Systems Research Center Invited talk, SAS’01, Paris,
Sound Haskell Dana N. Xu University of Cambridge Joint work with Simon Peyton Jones Microsoft Research Cambridge Koen Claessen Chalmers University of Technology.
CIS 771: Software Specifications Lecture 18: Specifying and Checking Partial Properties of Java Code Copyright , Matt Dwyer, John Hatcliff, and.
An Undergraduate Course on Software Bug Detection Tools and Techniques Eric Larson Seattle University March 3, 2006.
Software Engineering 4, Julian Richardson, 30 April Static Analysis Software Engineering HX3 Julian Richardson
Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 1 Verification & Testing UEKönighofer, Khalimov, Rabensteiner2015.
Extended Static Checking for Java or Light-weight formal methods: from objects to components Joint work with Cormac Flanagan, Mark Lillibridge, Greg Nelson,
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata.
Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 1 Robert Könighofer and Roderick Bloem IAIK – Graz University.
Early Detection of JML Specification Errors using ESC/Java2 Patrice Chalin Dependable Software Research Group (DSRG) Computer Science and Software Engineering.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 9: Designing Exceptionally.
CUTE: A Concolic Unit Testing Engine for C Koushik SenDarko MarinovGul Agha University of Illinois Urbana-Champaign.
Introduction to Software Analysis CS Why Take This Course? Learn methods to improve software quality – reliability, security, performance, etc.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.
Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008.
ESCJ 14: ESC/Java Project Review Slides March 6th, 1997.
Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.
A Calculus of Atomic Actions Serdar Tasiran Koc University, Istanbul, Turkey Tayfun ElmasShaz Qadeer Koc University Microsoft Research.
CS 5150 Software Engineering Lecture 21 Reliability 2.
CSE 374 Programming Concepts & Tools Hal Perkins Fall 2015 Lecture 17 – Specifications, error checking & assert.
Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.
Extended Static Checking for Java
Chapter 6 CS 3370 – C++ Functions.
Accessible Formal Methods A Study of the Java Modeling Language
Hoare-style program verification
Java Modeling Language (JML)
CUTE: A Concolic Unit Testing Engine for C
Presentation transcript:

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 1 Static Checking  note for me:  naxos:Software/EscJava/VT

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 2 Roderick Bloem IAIK – Graz University of Technology TitleNamePlace, Date Extended Static Checking based on: C. Flanagan, K. R. M. Leino, M. Lillibridge, G. Nelson, J. B. Saxe, R. Stata, Extended Static Checking for Java, Programming Language Design and Implementation (PLDI’02), pp , 2002

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 3 Static Checking

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 4 Static Checking Dynamic or Static? Dynamic  Run time Eraser, locktree, purify, tests,… Static  Compile time Extended Static Checking, Model Checking, …

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 5 Static Checking JML public class BankingExample { public static final int MAX_BALANCE = 1000; public invariant balance >= 0 && balance <= MAX_BALANCE; private int balance; assignable balance; ensures balance == 0; public BankingExample() { this.balance = 0; } requires 0 < amount && amount + balance < MAX_BALANCE; assignable balance; ensures balance == \old(balance) + amount; public void credit(final int amount) { this.balance += amount; } … Adapted from wikipedia article on JML, What is checked when?

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 6 Static Checking What is Static Checking? Static Checking  Checks program during compile time, not run time  Localizes the proofs to functions, not entire programs  Requires help from user Examples of properties  Null pointer dereferences  Array bounds

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 7 Static Checking Pro & Con Pro  Independent of program size  Systematically excludes bugs  Caveat: may not be perfect  Handles more types of bugs than type checking Con  Requires significant user effort (depending on program size)  Can only check relatively simple properties

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 8 Static Checking Architecture ESC/ Java Java Program Annotations Theorem Prover Verification Conditions Yes/No Answers User provided textprograms

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 9 Static Checking Soundness & Completenes  Soundness: no incorrect programs are deemed correct by the tool (all errors are found)  Completeness: A correct program is deemed correct by the tool (no spurious errors) ESC/Java is neither sound nor complete

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 10 Static Checking Example 1: class Bag{ 2: int size; 3: int[] elts; //valid:elts[0..size-1] 4: 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX_VALUE; 13: int minIndex = 0; 14: for (int i= 1; i <= size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 20: size−−; 21: elts[minIndex]= elts[size]; 22: return min; 23: } 24: }

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 11 Static Checking Example 1: class Bag{ 2: int size; 3: int[] elts; //valid:elts[0..size-1] 4: 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 1; i <= size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 20: size−−; 21: elts[minIndex]= elts[size]; 22: return min; 23: } 24: } Bag.java:6: Warning: Possible null dereference (Null) size = input.length; ^ Bag.java:15: Warning: Possible null dereference (Null) if (elts[i] < min) { ^ Bag.java:21: Warning: Possible null dereference (Null) elts[minIndex] = elts[size]; ^ Bag.java:15: Warning: Array index possibly too large (... if (elts[i] < min) { ^ Bag.java:21: Warning: Possible negative array index (... elts[minIndex] = elts[size]; ^

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 12 Static Checking Example 1: class Bag{ 2: int size; 3: int[] elts; //valid:elts[0..size-1] 4: 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 1; i <= size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 20: size−−; 21: elts[minIndex]= elts[size]; 22: return min; 23: } 24: } Bag.java:6: Warning: Possible null dereference (Null) size = input.length; ^

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 13 Static Checking Example 1: class Bag{ 2: int size; 3: int[] elts; //valid:elts[0..size-1] 4: 4a: input != null 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 1; i <= size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 20: size−−; 21: elts[minIndex]= elts[size]; 22: return min; 23: } 24: } Bag.java:6: Warning: Possible null dereference (Null) size = input.length; ^

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 14 Static Checking Example 1: class Bag{ 2: int size; 3: int[] elts; //valid:elts[0..size-1] 4: 4a: input != null 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 1; i <= size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 20: size−−; 21: elts[minIndex]= elts[size]; 22: return min; 23: } 24: } Bag.java:15: Warning: Possible null dereference (Null) if (elts[i] < min) { ^ Bag.java:21: Warning: Possible null dereference (Null) elts[minIndex] = elts[size]; ^

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 15 Static Checking Example 1: class Bag{ 2: int size; 3: int[] elts; //valid:elts[0..size-1] 4: 4a: input != null 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 1; i <= size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 20: size−−; 21: elts[minIndex]= elts[size]; 22: return min; 23: } 24: } Bag.java:15: Warning: Possible null dereference (Null) if (elts[i] < min) { ^ Bag.java:21: Warning: Possible null dereference (Null) elements[minIndex] = elts[size]; ^

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 16 Static Checking Example 1: class Bag{ 2: int size; 3: int[] elts; //valid:elts[0..size-1] 4: 4a: input != null 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 1; i <= size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 20: size−−; 21: elts[minIndex]= elts[size]; 22: return min; 23: } 24: } Bag.java:15: Warning: Array index possibly too large (... if (elts[i] < min) { ^ Bag.java:21: Warning: Possible negative array index (... elts[minIndex] = elts[size]; ^

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 17 Static Checking Example 1: class Bag{ 2: int size; 2a: invariant 0<=size && size<=elts.length 3: int[] elts; //valid:elts[0..size-1] 4: 4a: input != null 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 1; i <= size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 20: size−−; 21: elts[minIndex]= elts[size]; 22: return min; 23: } 24: } Bag.java:15: Warning: Array index possibly too large (... if (elts[i] < min) { ^ Bag.java:21: Warning: Possible negative array index (... elts[minIndex] = elts[size]; ^

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 18 Static Checking Example 1: class Bag{ 2: int size; 2a: invariant 0<=size && size<=elts.length 3: int[] elts; //valid:elts[0..size-1] 4: 4a: input != null 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 1; i <= size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 20: size−−; 21: elts[minIndex]= elts[size]; 22: return min; 23: } 24: } Bag.java:15: Warning: Array index possibly too large (... if (elts[i] < min) { ^ Bag.java:21: Warning: Possible negative array index (... elts[minIndex] = elts[size]; ^

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 19 Static Checking Example 1: class Bag{ 2: int size; 2a: invariant 0<=size && size<=elts.length 3: int[] elts; //valid:elts[0..size-1] 4: 4a: input != null 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 0; i < size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 20: size−−; 21: elts[minIndex]= elts[size]; 22: return min; 23: } 24: } Bag.java:15: Warning: Array index possibly too large (... if (elts[i] < min) { ^ Bag.java:21: Warning: Possible negative array index (... elts[minIndex] = elts[size]; ^

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 20 Static Checking Example 1: class Bag{ 2: int size; 2a: invariant 0<=size && size<=elts.length 3: int[] elts; //valid:elts[0..size-1] 4: 4a: input != null 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 0; i < size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 20: size−−; 20a: if(size>=0) 21: elts[minIndex]= elts[size]; 22: return min; 23: } 24: } Bag.java:15: Warning: Array index possibly too large (... if (elts[i] < min) { ^ Bag.java:21: Warning: Possible negative array index (... elts[minIndex] = elts[size]; ^

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 21 Static Checking Example 1: class Bag{ 2: int size; 2a: invariant 0<=size && size<=elts.length 3: int[] elts; //valid:elts[0..size-1] 4: 4a: input != null 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 0; i < size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 20: size−−; 20a: if(size>=0) 21: elts[minIndex]= elts[size]; 22: return min; 23: } 24: } Bag.java:26: Warning: Possible violation of object invariant } ^ Associated declaration is "Bag.java", line 3, col 6: invariant 0 <= size && size <= elts.length ^ Possibly relevant items from the counterexample context: brokenObj == this (brokenObj* refers to the object for which the invariant is broken.)

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 22 Static Checking Example 1: class Bag{ 2: int size; 2a: invariant 0<=size && size<=elts.length 3: int[] elts; //valid:elts[0..size-1] 4: 4a: input != null 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 0; i < size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 19a: if(size>0) { 20: size−−; 21: elts[minIndex]= elts[size]; 21a: } 22: return min; 23: } 24: } Bag.java:26: Warning: Possible violation of object invariant } ^ Associated declaration is "Bag.java", line 3, col 6: invariant 0 <= size && size <= elts.length ^ Possibly relevant items from the counterexample context: brokenObj == this (brokenObj* refers to the object for which the invariant is broken.) No more warnings

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 23 Static Checking Specification & Check Specification: class XXX { INVARIANT PRE1 POST1 method1(){ } 1. Prove: {pre1  invariant} method1 {post1  invariant} 2. Prove: {pre1  invariant} method1 {no_null_pointer_dereferences  no_array_out_of_bounds} (For constructores, the invariant is not part of the assumptions) assumption guarantee

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 24 Static Checking Example 1: class Bag{ 2: int size; 2a: invariant 0<=size && size<=elts.length 3: int[] elts; //valid:elts[0..size-1] 4: 4a: input != null 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 0; i < size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 19a: if(size>0) { 20: size−−; 21: elts[minIndex]= elts[size]; 21a: } 22: return min; 23: } 24: } For line 6, prove: {input !=null}  {input != null} For constructor, prove: {input !=null} size = input.length; elts = new int[size]; System.arraycopy(input,0,elt s,0,size); {elts != null && 0<=size && size <= elts.length}

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 25 Static Checking Specification & Check Specification: class XXX { INVARIANT PRE1 POST1 method1(){ body11 method2(); body12; } PRE2 POST2 method2(){ } For nested functions you must prove  PRE2  INVARIANT using PRE1  INVARIANT  POST1  INVARIANT using PRE1  POST2  INVARIANT

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 26 Static Checking Example: Modular Proof requires a != null 0<=i && i < a.size-1 3.f(int[] a; int i){ 4. j = g(i); 5. a[j] = 1; 6.} 7. 8.g(int i){ 9. return i+1; 10.} For f, prove: {a != null && 0  i < a.size - 1} implies {true} and then { a != null && 0  i < a.size - 1 } implies {j < a.size} This fails. This part stays because g does not touch a or i

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 27 Static Checking Example: Modular Proof requires a != null 0<=i && i < a.size-1 3.f(int[] a; int i){ 4. j = g(i); 5. a[j] = 1; 6.} 7. ensures \result = \old i int g(int i){ 10. return i+1; 11.} For f, prove: {a != null && 0  i < a.size - 1} implies {true} and then { a != null && 0  i < a.size – 1 && j = i + 1 } implies {j < a.size} This succeeds, which shows the need for annotations.

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 28 Static Checking Simplification: Loop Unrolling  Loops are hard: unrolling  Proper unrolling: The following three programs are identical: 1.while(c){ s1 } s2 2.if(c){ s1; while(c){ s1 } s2 1.if(c){ s1; if(c){ s1; while(c){ s1 } s2 Proper unrolling gives an equivalent program (but does not make it simpler)

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 29 Static Checking Simplification: Loop Unrolling  Loops are hard: unrolling  Limited unrolling (ESCJava) while(c){ s1 }; s2;  Example: depth 1 if(c){ s1; if(c){ assume(false) } s2  depth 2 while(c){ s1 }; s2; becomes if(c){ s1; if(c){ assume(false) } s2 assume false means “all futher assertions can be assumed true” Correctness is proven if loop is traversed 0, 1, or 2 times (set unrolling using –loop i) No checks for runs that go through loop more often!

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 30 Static Checking Loop Unrolling Effects This program is deemed correct by ESCJava! class Loop { Loop() { int i = 0; while(i < 100){ i++; } assert 4<3; } This program is deemed correct by ESCJava (unles you cal ESCJava using – loop 2 or bigger) import java.util.Random; class Loop { Loop() { int i = 0; Random r = new Random(); while(i < 100){ i++; if(r.nextInt(2)>0) break; } assert i < 2; }

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 31 Static Checking Loop Unrolling: Effects This program is deemed correct by ESCJava import java.util.Random; class Loop { Loop() { int i = 0; Random r = new Random(); while(i < 100){ i++; //if(r.nextInt(2)>0) break; } assert 4<3; } This program is deemed correct by ESCJava import java.util.Random; class Loop { Loop() { int i = 0; Random r = new Random(); while(i < 100){ i++; //if(r.nextInt(2)>0) break; } assert 4<3; }

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 32 Static Checking Loop Unrolling: Effects This program is deemed correct by ESCJava import java.util.Random; class Loop { Loop() { int i = 0; Random r = new Random(); while(i < 100){ i++; //if(r.nextInt(2)>0) break; } assert 4<3; } This program is deemed correct by ESCJava import java.util.Random; class Loop { Loop() { int i = 0; Random r = new Random(); while(i < 100){ i++; //if(r.nextInt(2)>0) break; } assert 4<3; }

Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 33 Static Checking Example: Loop unrolling 1: class Bag{ 2: int size; 2a: invariant 0<=size && size<=elts.length 3: int[] elts; //valid:elts[0..size-1] 4: 4a: input != null 5: Bag(int[ ] input){ 6: size = input.length; 7: elts = new int[size]; 8: System.arraycopy(input,0,elts,0, size); 9: } 10: 11: int extractMin(){ 12: int min = Integer.MAX VALUE; 13: int minIndex = 0; 14: for (int i= 0; i < size ; i++){ 15: if (elts[i] < min){ 16: min = elts[i]; 17: minIndex = i; 18: } 19: } 19a: if(size>0) { 20: size−−; 21: elts[minIndex]= elts[size]; 21a: } 22: return min; 23: } 24: } For line 21, prove: {0<=size && size <= elts.length} min = Integer.MAX VALUE; minIndex = 0; i = 0; if(i < size){ if (elts[i] < min){ min = elts[i]; minIndex = i; } if(elts[i] < min) assume(false); } size−−; {0<=minIndex<=elts.length && 0<=size<=elts.length} This proof fails!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.