Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 771: Software Specifications Lecture 18: Specifying and Checking Partial Properties of Java Code Copyright 2001-2002, Matt Dwyer, John Hatcliff, and.

Published bySuzanna Dalton Modified over 8 years ago

Similar presentations

Presentation on theme: "CIS 771: Software Specifications Lecture 18: Specifying and Checking Partial Properties of Java Code Copyright 2001-2002, Matt Dwyer, John Hatcliff, and."— Presentation transcript:

1 CIS 771: Software Specifications Lecture 18: Specifying and Checking Partial Properties of Java Code Copyright 2001-2002, Matt Dwyer, John Hatcliff, and Rod Howell. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

2 Extended Static Checking Theorem-prover based technology for statically reasoning about annotated programs with respect to run-time errors Long-term project at DEC/Compaq Started in early 90s for Modula-3 Now supports Java

3 Philosophy Can’t check everything Sacrifice generality and thoroughness for speed ESC is incomplete Error reports may not be real defects ESC is unsound Defective programs may not be reported

4 Philosophy Provide a useful tool with little investment Without any specifications Incremental gain for added specifications Focus on common or hard to find errors Null pointer dereference Lock related

5 ESC/Java Annotations Embedded in comments Single line comments //@ … Multi-line comments /*@ */

6 Classes of errors Detects potential run-time errors JVM exceptions NullPointerException, IndexOutOfBoundsException, ClassCastException, ArrayStoreException, ArithmeticException, NegativeArraySizeException Errors reported even if exception is caught Programmer annotations invariants, precondition, postconditions, and assertions

7 ESC/Java Expressions ESC/Java specifications have as a core language Java’s boolean expression syntax ESC restricts some legal Java expressions Side-effect free Java expressions with no calls E.g., cannot use “=“, “++”, “new” ESC introduces some special Java expressions ESC/Java specifications are less expressive than OCL

8 ESC/Java Expression evaluation errors e.g., NullPointerException Do not give rise to error reports Yield undefined values  failure to prove annotation in which expression is embedded

9 ESC/Java Operators (excerpts) \type(E) : construct spec type from Java type \typeof(E) : returns dynamic type of E \elemtype(E) : returns element type of an array S <: T : S is a subtype of T (or equal) void storeObject(T[] a, int I, T x) { a[i] = x; } What happens if the dynamic type of a is “S[]” where S is a subtype of T? ArrayStoreException

10 ESC/Java Operators (excerpts) void storeObject(T[] a, int I, T x) { a[i] = x; } There are multiple ways to specify that this cannot happen: //@ requires \elemtype(\typeof(a)) == \type(T); //@ requires \typeof(a) == \type(T[]); //@ requires x == null || //@ \typeof(x) <: \elemtype(\typeof(a));

11 ESC/Java Operators (excerpts) \old : like “@pre” in OCL (see 3.2.15) \result : return value \fresh(e) : e is non-null in post-state and unallocated in pre-state ==> : implies \exists : existential quantification \forall : universal quantification \nonnullelements : custom \forall A rich set of lock querying operators

12 ESC/Java Operators (excerpts) (\forall T V; E) E is true for all substitutions of values of T bound to variables V For reference types T, quantifier ranges over allocated instances (excluding null) For integral types T, values range over mathematical integers NOT computer-based integers (\exists T V; E) E is true for some substitution of values of T bound to variables V \nonnullelements(A) A != null && (\forall int i; 0 A[i] != null)

13 Modifies Modifies clauses used by caller Implementing method is not checked to see that it does not modify unmentioned variables \old(f) refers to post-state value (!) Unless you include: modifies f Explanation is a bit subtle (see the manual)

14 For You to Do (pause here) Consider an implementation of the “academia” system with the following class that implements the attributes and associations of “Course” in our OCL model: class Course { String name; int number; Instructor teacher; Student[] enrolled; int numEnrolled; Student[] waiting; int numWaiting; Course[] prereqs; numPrereqs; }

15 For You to Do (pause here) Express the following OCL invariants in ESC/Java (assume that you are in the context of the Course class): -- NoWaitingUnlessEnrolled: --.. no one is waiting for a course unless someone is enrolled. context c:Course inv NoWaitingUnlessEnrolled: c.waitList->notEmpty implies c.enrolled->notEmpty -- NoSelfPrerequisite --.. no course has itself as a prerequisite context c:Course inv NoSelfPrerequisite: c.prerequisites->excludes(c)

16 Annotation Based Checking ESC/Java supports many forms of annotation that we are familiar with Data annotations invariant Method annotations requires [pre-condition] modifies[frame-condition] ensures[post-condition] also_requires, … [for sub-typing] exsures [for exceptions]

17 ESC Specific Annotations Basic annotations (pragmas) nowarn, assert, assume, unreachable Data annotations non_null, axiom, loop_invariant Abstraction support spec_public, ghost, set Synchronization specific pragmas

18 For You to Do (pause here) Consider an implementation of the “academia” system with the following class that implements the attributes, associations and operations of the “Course” and “Student” in our OCL model: class Course {class Student { String name; String name; int number; Id sid; Instructor teacher; Course[] taking; Student[] enrolled; int numTaking; int numEnrolled; Course[] waitingFor; Student[] waiting; int numWaitingFor; int numWaiting; TranscriptEntry[] transcript; Course[] prereqs; int numTranscriptEntries; numPrereqs; void dropCourse(Course c) {…} public void addPreReq(Course c) {…} void newId(n : Integer) {…}}

19 For You to Do (pause here) Express the following OCL operation specifications in ESC (assume that you are in the context of the Course class): -- newId pre/post-conditions --.. pre-conditions -- - n is greater than 100 --.. post-conditions -- - Id object is new and its number is equal to the supplied parameter context Student::newId(n : Integer) pre GE100: n >= 100 post NewId: id.oclIsNew post IdNumber: id.number = n -- dropCourse pre/post-conditions --.. pre-conditions -- - currently taking course --.. post-conditions -- - taking same as old taking minus given course context Student::dropCourse(c: Course) pre NowTaking: taking->includes(c) post NotTaking: taking = taking@pre->excluding(c)

20 Checked Annotations ESC Java will analyze the program to see if the annotations hold Local annotations assert E unreachable [assert false] loop_invariant E [do, while loops] Method annotations requires, ensures [specific method entry and exit] Global annotations invariant E [every method entry and exit] non_null V [checked at every assignment]

21 Unchecked Annotations User supplied information about program behavior Suppress warnings at a statement nowarn [parameterized by error] Assumptions about data assume E [local assumption] axiom E [global assumption]

22 Unchecked Annotations Are the main source of unsoundness in ESC Java The user can tell the system that something is true about a variable when it is not the case Are the main mechanism for reducing spurious error reports Due to incompleteness of theorem-prover Sometimes ESC Java warns you that assumptions may invalidate a result

23 Annotation Philosophy Include checked annotations in your program That express the properties you want the code to have Include assumptions only when you obtain an error report When possible use checked annotations rather than assumptions e.g., invariant versus axiom

24 Modular Checking ESC Java analyzes programs one method at a time Performance is improved Accuracy is a problem No information about calling context Possible parameter or field values Does not analyze called methods Use annotations to represent effects of method call

25 Spec Files ESC/Java uses source annotations What if the sources are not available? e.g., libraries Generate simple spec from.class files Constraints that enforce proper typing Use.spec files Routine bodies may be omitted via “;” or “{ }” comes with specs for Java libraries

26 java.util.Stack.spec file public class Stack extends Vector { //@ requires \typeof(item) <: elementType || item==null //@ requires containsNull || item!=null //@ modifies elementCount //@ ensures elementCount == \old(elementCount)+1 //@ ensures \result==item public Object push(/*@non_null*/ Object item) { } //@ requires elementCount > 0 //@ modifies elementCount //@ ensures elementCount == \old(elementCount)-1 //@ ensures \typeof(\result) <: elementType || \result==null //@ ensures !containsNull ==> \result!=null public synchronized Object pop() { } }

27 For You to Do (pause here) What ESC/Java annotations would you use for the “top” method of the stack? i.e., the method that returns the top element, but does not “pop” it Try to be provide annotations at the same level of detail as the one’s just presented.

Download ppt "CIS 771: Software Specifications Lecture 18: Specifying and Checking Partial Properties of Java Code Copyright 2001-2002, Matt Dwyer, John Hatcliff, and."

Similar presentations

Chapter 17 Failures and exceptions. This chapter discusses n Failure. n The meaning of system failure. n Causes of failure. n Handling failure. n Exception.

Chapter 17 Failures and exceptions. This chapter discusses n Failure. n The meaning of system failure. n Causes of failure. n Handling failure. n Exception.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Design By Contract Using JMSAssert.

Design By Contract Using JMSAssert.
Exceptions CSE301 University of Sunderland Harry Erwin, PhD.

Exceptions CSE301 University of Sunderland Harry Erwin, PhD.
CPSC 388 – Compiler Design and Construction

CPSC 388 – Compiler Design and Construction
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 6 Disclaimer. These notes are derived from notes originally.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 6 Disclaimer. These notes are derived from notes originally.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 8.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
Control Structures Ranga Rodrigo. Control Structures in Brief C++ or JavaEiffel if-elseif-elseif-else-end caseinspect for, while, do-whilefrom-until-loop-end.

Control Structures Ranga Rodrigo. Control Structures in Brief C++ or JavaEiffel if-elseif-elseif-else-end caseinspect for, while, do-whilefrom-until-loop-end.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Copyright 2003-04, Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.

Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.
The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.

The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.
JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.

JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.
Abstract Data Types Data abstraction, or abstract data types, is a programming methodology where one defines not only the data structure to be used, but.

Abstract Data Types Data abstraction, or abstract data types, is a programming methodology where one defines not only the data structure to be used, but.
Dept. of Computer Science A Runtime Assertion Checker for the Java Modeling Language (JML) Yoonsik Cheon and Gary T. Leavens SERP 2002, June 24-27, 2002.

Dept. of Computer Science A Runtime Assertion Checker for the Java Modeling Language (JML) Yoonsik Cheon and Gary T. Leavens SERP 2002, June 24-27, 2002.
1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
CS294, YelickESC, p1 CS 294-8 Extended Static Checking

CS294, YelickESC, p1 CS Extended Static Checking
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
1 Specifying Object Interfaces. 2 Major tasks in this stage: --are there any missing attributes or operations? --how can we reduce coupling, make interface.

1 Specifying Object Interfaces. 2 Major tasks in this stage: --are there any missing attributes or operations? --how can we reduce coupling, make interface.

Similar presentations

Ads by Google