Download presentation
Presentation is loading. Please wait.
Published byHubert Robertson Modified over 9 years ago
1
Extended Static Checking for Java or Light-weight formal methods: from objects to components Joint work with Cormac Flanagan, Mark Lillibridge, Greg Nelson, James B. Saxe, Raymie Stata Compaq SRC 6 Nov 2002 FMCO 2002, Leiden, The Netherlands K. Rustan M. Leino Microsoft Research, Redmond, WA
2
Formal methods coverage effort Note: Illustration not to scale type checking program verification decidability ceiling extended static checking light-weight formal methods
3
User’s view ESC/Java Annotated Java program Warning messages public class Bag { private /*@non_null*/ int[] a; private int n; //@ invariant 0 <= n && n <= a.length; public Bag(/*@non_null*/ int[] initialElements) { n = initialElements.length; a = new int[n]; System.arraycopy(initialElements, 0, a, 0, n); } public void add(int x) { if (n == a.length) { int[] b = new int[2*(a.length+1)]; System.arraycopy(a, 0, b, 0, n); a = b; } a[n] = x; n++; } public int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 0; i < n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } if (0 < n) { n--; a[mindex] = a[n]; } return m; } // The program text continues down here, but if you’re // reading this, you probably aren’t paying attention to // the talk. Bag.java:18: Array index possibly too large Bag.java:45: Precondition possibly violated
4
Goals of ESC/Java Practical static checking Detect common run-time errors null dereferences null dereferences array bounds array bounds type casts type casts race conditions race conditions deadlocks deadlocks...... Modular checking
5
ESC/Java distinguishing features Annotation language captures design decisions Annotation language captures design decisions Powered by automatic theorem prover Powered by automatic theorem prover Not decidable Not decidable Not sound or complete Not sound or complete Performs modular checking Performs modular checking
6
Method-modular checking Check that each method satisfies its specification, assuming that all called routines satisfy theirs Check that each method satisfies its specification, assuming that all called routines satisfy theirs Reason about implementation when it is written, not when it is used or extended Reason about implementation when it is written, not when it is used or extended
7
Modular checking Method body Client Interface check check Client check
8
Design tradeoffs Missed errors Missed errors Spurious warnings Spurious warnings Annotation overhead Annotation overhead Performance Performance
9
Tool architecture Translator Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Valid Resource exhausted
10
Tool architecture, detail Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator
11
Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Tool architecture, detail Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator
12
Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Annotation language Simple Simple non_null non_null Method annotations Method annotations requires E; requires E; modifies w; modifies w; ensures P; ensures P; exsures (T x) Q; exsures (T x) Q; Object invariants Object invariants invariant E; invariant E;
13
Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Annotation language Specification expressions Specification expressions side-effect free Java expressions side-effect free Java expressions no ++, no method calls no ++, no method calls \result, \old(E) \result, \old(E) ensures \result == \old(x); ensures \result == \old(x); ==> ==> (\forall T x; P), (\exists T x; P) (\forall T x; P), (\exists T x; P) (\forall int j; 0 a[j] > 0); (\forall int j; 0 a[j] > 0); \typeof(E), \type(T), <: \typeof(E), \type(T), <: requires \typeof(x) == \typeof(this); requires \typeof(x) == \typeof(this);
14
Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Annotation language Concurrency Concurrency monitored_by lock monitored_by lock /*@ monitored_by this */long x; /*@ monitored_by this */long x; \lockset[lock] \lockset[lock] requires \lockset[this]; requires \lockset[this]; lock0 < lock1 lock0 < lock1 \max(\lockset) \max(\lockset) requires \max(\lockset) < this; requires \max(\lockset) < this;
15
Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Annotation language Concurrency Concurrency monitored_by lock monitored_by lock /*@ monitored_by this */long x; /*@ monitored_by this */long x; \lockset[lock] \lockset[lock] requires \lockset[this]; requires \lockset[this]; lock0 < lock1 lock0 < lock1 \max(\lockset) \max(\lockset) requires \max(\lockset) < this; requires \max(\lockset) < this;
16
Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Annotation language Ghost variables Ghost variables ghost public T x; ghost public T x; ghost public int objectState; ghost public int objectState; ghost public \TYPE elementType; ghost public \TYPE elementType; set x = E; set x = E; set objectState = Open; set objectState = Open; set elementType = \type(T); set elementType = \type(T);
17
Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Annotation language Ghost variables Ghost variables ghost public T x; ghost public T x; ghost public int objectState; ghost public int objectState; ghost public \TYPE elementType; ghost public \TYPE elementType; set x = E; set x = E; set objectState = Open; set objectState = Open; set elementType = \type(T); set elementType = \type(T);
18
Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Annotation language Miscellaneous Miscellaneous assert E; assert E; assume E; assume E; assume x >= 0; // because x == y*y assume x >= 0; // because x == y*y nowarn nowarn x = a[j]; //@ nowarn x = a[j]; //@ nowarn axiom E; axiom E; axiom (\forall int x; x >> 2 >= 0); axiom (\forall int x; x >> 2 >= 0);
19
Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Weakest preconditions wp(assert E, Q) = E Q wp(assert E, Q) = E Q wp(assume E, Q) = E Q wp(assume E, Q) = E Q wp(S;T, Q) = wp(S, wp(T,Q)) wp(S;T, Q) = wp(S, wp(T,Q)) wp(S [] T, Q) = wp(S, Q) wp(T, Q) wp(S [] T, Q) = wp(S, Q) wp(T, Q) wp(S, Q) = wp(S, true) wlp(S, Q) wp(S, Q) = wp(S, true) wlp(S, Q) wlp(S, Q) = wlp(S, false) Q wlp(S, Q) = wlp(S, false) Q
20
Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Verification condition Universal background predicate Universal background predicate (FORALL (t) (<: t t)) (FORALL (t) (<: t t)) Type-specific background predicate Type-specific background predicate (<: T_T |T_java.lang.Object|) (<: T_T |T_java.lang.Object|) Verification condition: BP Univ BP T VC method Verification condition: BP Univ BP T VC method
21
Verification condition generation Easy for small languages [Dijkstra] Much harder for real languages Object-oriented Typed Dynamic allocation Exceptions Aliasing Threads
22
Verification conditions for real programs Java Guarded command Verification condition x = a[ i++ ]; i0 = i; i = i + 1; assert (LABEL Null@218: a != null); assert (LABEL IndexNeg@218: 0 <= i0); assert (LABEL IndexTooBig@218: i0 < a.length); x = elems[a][i0]; i0.(i0 == i ==> … ) wlp assume preconditions assume invariants...... assert postconditions assert invariants
23
Verification condition Formula in untyped, first-order predicate calculus equality and function symbols equality and function symbols quantifiers quantifiers arithmetic operations arithmetic operations select and store operations select and store operations Eg. x. y.(x > y ==> … ) Eg. x. y.(x > y ==> … )
24
Background axioms Additional properties of Java that the theorem prover needs to know A variable of type T always holds a value whose type is a subtype of T The subtyping relation is reflexive, anti-symmetric, and transitive new returns an object that is distinct from all existing objects ... lots more... java.lang.Object has no supertype
25
Example verification condition Verification condition large but “dumb” (IMPLIES (DISTINCT |ecReturn| |L_14.4|) (IMPLIES (AND (EQ |a@pre:2.8| |a:2.8|) (EQ |a:2.8| (asField |a:2.8| (array |T_int|))) ( | |T_Bag|)) (EQ |@true| (isAllocated |this | alloc)) (NEQ |this | null)) (FORALL (tmp1 |tmp2:21.4| |tmp3:21.6| |m:12.8| |mindex:13.8| |i:14.13| |tmp0:14.28|) (AND (IMPLIES ( |)) (AND (LBLNEG |Null@15.10~15.10| (NEQ (select |a:2.8| |this |) null)) (LBLNEG |IndexNegative@15.10~15.11| ( |)))) (IMPLIES ( |)) 1) |MAX_VALUE:3.4.26|) (AND (LBLNEG |Null@17.12~17.12| (NEQ (select |a:2.8| |this |) null)) (LBLNEG |IndexNegative@17.12~17.13| ( |)))) (FORALL (|m:17.8|) (IMPLIES (EQ |m:17.8| (select (select elems (select |a:2.8| |this |)) 1)) (FORALL (|i:14.28|) (IMPLIES (AND (EQ |i:14.28| (+ 1 1)) (EQ |@true| |bool$false|)) (FORALL (|tmp2:21.4 |) (IMPLIES (EQ |tmp2:21.4 | (select |a:2.8| |this |)) (AND (LBLNEG |Null@21.16~21.16| (NEQ (select |a:2.8| |this |) null)) (LBLNEG |IndexNegative@21.16~21.17| ( | (- (select |n:3.6| |this |) 1)) |this |))) (LBLNEG |IndexTooBig@21.16~21.17| ( | (- (select |n:3.6| |this |) 1)) |this |) (arrayLength (select |a:2.8| |this |)))) (LBLNEG |Null@21.4~21.4| (NEQ |tmp2:21.4 | null)) (LBLNEG |IndexNegative@21.4~21.5| ( |))) (LBLNEG |Exception:11.6~11.6@11.2~11.2| (EQ |ecReturn| |ecReturn|))))))))))) (IMPLIES (NOT ( |)) 1) |MAX_VALUE:3.4.26|)) (FORALL (|i:14.28|) (IMPLIES (AND (EQ |i:14.28| (+ 1 1)) (EQ |@true| |bool$false|)) (FORALL (|tmp2:21.4 |) (IMPLIES (EQ |tmp2:21.4 | (select |a:2.8| |this |)) (AND (LBLNEG |Null@21.16~21.16| (NEQ (select |a:2.8| |this |) null)) (LBLNEG |IndexNegative@21.16~21.17| ( | (- (select |n:3.6| |this |) 1)) |this |))) (LBLNEG |IndexTooBig@21.16~21.17| ( | (- (select |n:3.6| |this |) 1)) |this |) (arrayLength (select |a:2.8| |this |)))) (LBLNEG |Null@21.4~21.4| (NEQ |tmp2:21.4 | null)) (LBLNEG |IndexNegative@21.4~21.5| ( |))) (LBLNEG |Exception:11.6~11.6@11.2~11.2| (EQ |ecReturn| |ecReturn|)))))))))) (IMPLIES (NOT ( |))) (AND (IMPLIES (EQ |L_14.4| |L_14.4|) (FORALL (|tmp2:21.4 |) (IMPLIES (EQ |tmp2:21.4 | (select |a:2.8| |this |)) (AND (LBLNEG |Null@21.16~21.16| (NEQ (select |a:2.8| |this |) null)) (LBLNEG |IndexNegative@21.16~21.17| ( | (- (select |n:3.6| |this |) 1)) |this |))) (LBLNEG |IndexTooBig@21.16~21.17| ( | (- (select |n:3.6| |this |) 1)) |this |) (arrayLength (select |a:2.8| |this |)))) (LBLNEG |Null@21.4~21.4| (NEQ |tmp2:21.4 | null)) (LBLNEG |IndexNegative@21.4~21.5| ( |))) (LBLNEG |Exception:11.6~11.6@11.2~11.2| (EQ |ecReturn| |ecReturn|)))))) (IMPLIES (NOT (EQ |L_14.4| |L_14.4|)) (AND (LBLNEG |Exception:11.6~11.6@11.2~11.2| (EQ |L_14.4| |ecReturn|))))))))))
26
(BG_PUSH (AND (<: T_T |T_java.lang.Object|) (EQ T_T (asChild T_T |T_java.lang.Object|)) (DISTINCT arrayType |T_boolean| |T_char| |T_byte| |T_short| |T_int| |T_long| |T_float| |T_double| |T_.TYPE| T_T |T_java.lang.Object|))) (EXPLIES (LBLNEG |vc.T.abs.2.2| (IMPLIES (AND (EQ |elems@pre| elems) (EQ elems (asElems elems)) (< (eClosedTime elems) alloc) (EQ LS (asLockSet LS)) (EQ |alloc@pre| alloc)) (NOT (AND (EQ |@true| (is |x:2.21| T_int)) (OR (AND (OR (AND (< |x:2.21| 0) (LBLPOS |trace.Then^0,3.15| (EQ |@true| |@true|)) (EQ |x:3.17| (- 0 |x:2.21|)) (EQ |x:2.21 | |x:3.17|)) (AND (NOT (< |x:2.21| 0)) (LBLPOS |trace.Else^1,3.4| (EQ |@true| |@true|)) (EQ |x:2.21 | |x:2.21|))) (NOT (LBLNEG |Assert@4.8| (>= |x:2.21 | 0)))) (AND (OR (AND (< |x:2.21| 0) (LBLPOS |trace.Then^0,3.15| (EQ |@true| |@true|)) (EQ |x:3.17| (- 0 |x:2.21|)) (EQ |x:2.21 | |x:3.17|)) (AND (NOT (< |x:2.21| 0)) (LBLPOS |trace.Else^1,3.4| (EQ |@true| |@true|)) (EQ |x:2.21 | |x:2.21|))) (LBLNEG |Assert@4.8| (>= |x:2.21 | 0)) (NOT (LBLNEG |Exception@5.2| (EQ |ecReturn| |ecReturn|))))))))) (AND (DISTINCT |ecReturn|))) Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Verification condition class T { class T { static int abs(int x) { static int abs(int x) { if (x < 0) { x = -x; } if (x < 0) { x = -x; } //@ assert x >= 0; //@ assert x >= 0; }}
27
Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Theorem prover: “Simplify” Nelson-Oppen cooperating decision procedures Nelson-Oppen cooperating decision procedures congruence closure congruence closure linear arithmetic linear arithmetic partial orders partial orders quantifiers quantifiers Key features: Key features: automatic: no user interaction automatic: no user interaction refutation based: searches for counterexamples refutation based: searches for counterexamples heuristics tuned for program checking heuristics tuned for program checking labels labels time limit time limit
28
Automatic theorem proving Verification condition Automatic theorem prover (Simplify) Counterexample x. y.(x > y ==> … ) DivergesValid
29
Annotated Java program Verification condition Counterexample context Warning messages Automatic theorem prover Post processor Sugared command Primitive command Passive command Translator Counterexamples and warnings Counterexample: labels: (|IndexTooBig@26.5| |vc.Bag.add.20.2| |trace.Then^0,21.23|) context: (AND (NEQ |tmp1!a:23.23| null) (NEQ this null) (EQ |alloc@pre| alloc) (EQ |tmp4!n:26.6| 0) … (<= alloc (vAllocTime |tmp3!a:26.4|)) ) Bag: add(int)... ------------------------------------------------------------------------ Bag.java:26: Warning: Array index possibly too large (IndexTooBig) a[n] = x; ^ Execution trace information: Executed then branch in "Bag.java", line 21, col 23. ------------------------------------------------------------------------
30
ESC/Java research platform Annotation inference Annotation inference Daikon [Ernst], Houdini [Flanagan & Leino] Daikon [Ernst], Houdini [Flanagan & Leino] Other checking tools Other checking tools Calvin [Qadeer et al.], Stale-value concurrency checker [Burrows & Leino] Calvin [Qadeer et al.], Stale-value concurrency checker [Burrows & Leino] Formal verification without driving theorem prover Formal verification without driving theorem prover Simplify theorem prover Simplify theorem prover SLAM [Ball, Rajamani, et al.], oolong [Leino et al.], … SLAM [Ball, Rajamani, et al.], oolong [Leino et al.], … Teaching Teaching Kansas State University [Dwyer & Hatcliff] Kansas State University [Dwyer & Hatcliff]
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.