Analyzing objects Daniel Jackson (joint work with Mandana Vaziri & Allison Waingold) MIT Lab for Computer Science NDIST · December 5, 2001.

Slides:

Advertisements

Similar presentations

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

Advertisements

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Concrete collections in Java library

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Visit at MIT: Daniel Jackson’s Lectures on Coupling Karl Lieberherr

Expert System Human expert level performance Limited application area Large component of task specific knowledge Knowledge based system Task specific knowledge.

1 Integrating Influence Mechanisms into Impact Analysis for Increased Precision Ben Breech Lori Pollock Mike Tegtmeyer University of Delaware Army Research.

ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 2 Courtesy: K. Rustan M. Leino and Wolfram Schulte.

Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,

1 From Yesterday private = accessible only to the class that declares it public = accessible to any class at all protected = accessible to the class and.

Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of.

Counterexample Generation for Separation-Logic-Based Proofs Arlen Cox Samin Ishtiaq Josh Berdine Christoph Wintersteiger.

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.

Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.

From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.

Pointer and Shape Analysis Seminar Mooly Sagiv Schriber 317 Office Hours Thursday

Applying Dynamic Analysis to Test Corner Cases First Penka Vassileva Markova Madanlal Musuvathi.

Efficient Modular Glass Box Software Model Checking Michael Roberson Chandrasekhar Boyapati The University of Michigan.

1/25 Pointer Logic Changki PSWLAB Pointer Logic Daniel Kroening and Ofer Strichman Decision Procedure.

Peter Andreae Computer Science Victoria University of Wellington Copyright: Peter Andreae, Victoria University of Wellington Java Programs COMP 102 #3.

EECE 310: Software Engineering Final Exam Review.

Procedure specifications CSE 331. Outline Satisfying a specification; substitutability Stronger and weaker specifications - Comparing by hand - Comparing.

Crowfoot: a verifier for higher order store programs Billiejoe (Nathaniel) Charlton Ben Horsfall Bernhard Reus University of Sussex VMCAI 2012.

Database Systems Group Department for Mathematics and Computer Science Lars Hamann, Martin Gogolla, Mirco Kuhlmann OCL-based Runtime Monitoring of JVM.

MrFlow: Why MrSpidey Failed Philippe Meunier Paul Steckler.

By: Pashootan Vaezipoor Path Invariant Simon Fraser University – Spring 09.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

Computer Science and Engineering College of Engineering The Ohio State University Interfaces The credit for these slides goes to Professor Paul Sivilotti.

Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.

Parameterized Unit Tests By Nikolai Tillmann and Wolfram Schulte Proc. of ESEC/FSE 2005 Presented by Yunho Kim Provable Software Lab, KAIST TexPoint fonts.

Today’s Agenda  Quick Review  Continue on JML Formal Methods in Software Engineering1.

AOP-1 Aspect Oriented Programming. AOP-2 Aspects of AOP and Related Tools Limitation of OO Separation of Concerns Aspect Oriented programming AspectJ.

Analysis patterns Daniel Jackson MIT Lab for Computer Science 6898: Advanced Topics in Software Design March 4, 2002.

Module 8: Delegates and Events. Overview Delegates Multicast Delegates Events When to Use Delegates, Events, and Interfaces.

Author: Alex Groce, Daniel Kroening, and Flavio Lerda Computer Science Department, Carnegie Mellon University Pittsburgh, PA Source: R. Alur and.

Shape analysis with SAT Daniel Jackson & Mandana Vaziri Software Design Group, MIT LCS Schloss Ringberg · February 21, 2000.

Computer Science 209 Software Development Handing Errors and Creating Documentation.

Understanding ADTs CSE 331 University of Washington.

Peter Andreae Computer Science Victoria University of Wellington Copyright: Peter Andreae, Victoria University of Wellington Java Programs COMP 102 #3.

Representation invariants and abstraction functions CSE 331 UW CSE.

Concepts and Realization of a Diagram Editor Generator Based on Hypergraph Transformation Author: Mark Minas Presenter: Song Gu.

Programming & Debugging. Key Programming Issues Modularity Modifiability Ease of Use Fail-safe programming Style Debugging.

CSE 331 Software Design & Implementation Dan Grossman Fall 2014 Abstraction Functions (Based on slides by Mike Ernst, David Notkin, Hal Perkins)

Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.

Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008.

/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.

© Peter Andreae Java Programs COMP 102 # T1 Peter Andreae Computer Science Victoria University of Wellington.

Finding bugs with a constraint solver daniel jackson. mandana vaziri mit laboratory for computer science issta 2000.

Zach Tatlock / Winter 2016 CSE 331 Software Design and Implementation Lecture 6 Representation Invariants.

ALLOY: A Formal Methods Tool Glenn Gordon Indiana University of Pennsylvania COSC 481- Formal Methods Dr. W. Oblitey 26 April 2005.

CSE 374 Programming Concepts & Tools Hal Perkins Fall 2015 Lecture 17 – Specifications, error checking & assert.

Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.

Formal methods: Lecture

Modular Alternatives to Testing

EECE 309: Software Engineering

Session 4: Dynamic Modeling

CSE 374 Programming Concepts & Tools

Reasoning about code CSE 331 University of Washington.

White-Box Testing Using Pex

CSC 143 Error Handling Kinds of errors: invalid input vs programming bugs How to handle: Bugs: use assert to trap during testing Bad data: should never.

Design Patterns for Recursive Descent Parsing

Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.

Assertions References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 4/25/2019.

Presentation transcript:

analyzing objects Daniel Jackson (joint work with Mandana Vaziri & Allison Waingold) MIT Lab for Computer Science NDIST · December 5, 2001

2 problem want a simple framework ·for specifying & analyzing OO programs ·at the design level (like types) ·automatic (like model checking) desiderata ·handles tricky cases ·helpful reports (eg, counterexamples) ·unlikely to miss errors ·modular: no whole-program assumption

3 what goes wrong? //extends the map m with arbitrary key/val pairs //taken from ks and vs, until one of ks and vs is empty static void zippish (Map m, Set ks, Set vs) { Iterator ki = ks.iterator (); Iterator vi = vs.iterator (); while (ki.hasNext() && vi.hasNext()) { m.put (ki.next(), vi.next()); ki.remove (); vi.remove (); }

4 failure conditions ks contains a key of m ·map is overwritten ks, vs or m is null ·null pointer exception ks or vs is a key of m ·rep invariant of m broken, unpredictable effect ks, vs, m aliased ks is a view of vs, or vice versa ks or vs is a view of m ·comodification exception thrown static void zippish (Map m, Set ks, Set vs) { Iterator ki = keys.iterator (); Iterator vi = vs.iterator (); while (ki.hasNext() && vi.hasNext()) { m.put (ki.next(), vi.next()); ki.remove (); vi.remove (); }

5 roadmap why views? modelling the heap & mutation modelling execution modelling views underlying theme simple first-order model of execution use constraint solver to find counterexample traces

6 why views? decouples client from irrelevant aspect of datatype ·by weakening specification interface Map {… Set keySet (); … } ParserActions HashTable SetMap Parser KeySetHashTable Actions on stylesstylemap

7 modelling the heap & mutation two kinds of atoms ·references -- slots that hold objects ·objects -- values that go in slots sig Ref {} sig Obj {} sig State { refs: set Ref, obj: refs ->? Obj } sig X extends Obj {f: Ref} fun op (s, s’: State, p, q: Ref) { p.(s’.obj).f = q } Obj0 s.obj f Ref0 Ref1Ref2 Obj1 s’.obj f p q

8 frame conditions sig Set extends Obj {elts: set Ref} sig SetRef extends Ref {} fact {SetRef.(State.obj) in Set} fun modifies (s, s’: State, rs: set Ref) { all r: s.refs - rs | r.(s.obj) = r.(s’.obj) } fun add (this: SetRef, s, s’: State, e: Ref) { this.(s’.obj).elts = this.(s.obj).elts + e modifies (s, s’, this) }

9 modelling execution each statement ·modelled as a parameterized formula ·relating pre- and post-state ·instantiated with states at each point BODY =stmt0 (s, s1, …)&& stmt1 (s1, s2, …)&& …&& stmtN (sN, s’, …) every state satisfies a condition ·all s, s1, …, s’: State | Pre(s) && BODY => P(sK) method satisfies spec ·all s, s1, …, s’: State | Pre(s) && BODY => Post(s’)

10 modelling views views are not projections ·map is also view of keyset ·say v is view of b when change to b is propagated to v not all views are bidirectional ·keyset/map is two-way ·iterator/set is one-way ·model bidirectional case with two views ·modification of view which does not back another view invalidates it keysetmap KeySetView KeySetView’

11 modelling views (generic) state holds view relationships sig State { refs: set Ref, obj: refs ->! Object, views: ViewType -> refs -> refs } frame condition propagates changes to view fun modifies (s, s’: State, rs: set Ref) { let vr = ViewType.(s.views), mods = rs.*vr { all r: s.refs - mods | r.(s.obj) = r.(s’.obj) all b: mods, v: s.refs, t: ViewType | b->v in t.(s.views) => viewFrame (t, v.(s.obj), v.(s’.obj), b.(s’.obj)) }}

12 modelling views (view-specific) disj sig KeySetView, KeySetView’, IteratorView extends ViewType {} fun viewFrame (t: ViewType, v, v', b': Object) { t in KeySetView => v'.elts = dom (b'.map) t in KeySetView' => b'.elts = dom (v'.map) t in KeySetView' => domRestrict (b'.elts, v.map) = domRestrict (b'.elts, v'.map) t in IteratorView => v'.elts = b'.left + b'.done }

13 demo: a counterexample generated pre-state: ks and vs aliased

14 after: ki = ks.iterator ()

15 after: vi = vs.iterator ()

16 after: k = ki.next ()

17 after: v = vi.next ()

18 after: m.put (k,v)

19 after: ki.remove()Ref_2 gets invalidated

20 conclusions scenario ·write specs for API’s (and perhaps for program) ·extract relevant code skeleton ·use constraint solver to find bugs unlike most other analyses ·doesn’t require whole program ·can find subtle errors but … ·will analysis scale enough? ·will specs still be too much work? ·will false alarms become a problem?