Presentation is loading. Please wait.

Presentation is loading. Please wait.

Early Detection of JML Specification Errors using ESC/Java2 Patrice Chalin Dependable Software Research Group (DSRG) Computer Science and Software Engineering.

Published byMarilyn Spencer Modified over 9 years ago

Similar presentations

Presentation on theme: "Early Detection of JML Specification Errors using ESC/Java2 Patrice Chalin Dependable Software Research Group (DSRG) Computer Science and Software Engineering."— Presentation transcript:

1 Early Detection of JML Specification Errors using ESC/Java2 Patrice Chalin Dependable Software Research Group (DSRG) Computer Science and Software Engineering Department Concordia University Montreal, Canada Specification and Verification of Component-Based Systems (SAVCBS’06) November 10-11, 2006 held in conjunction with FSE-14, Portland, Oregon, USA

2 2006-11-10 SAVCBS'06 - P.Chalin,p. 2 Static Program Verifiers (SPV) Significant advances in technology. Integration with modern IDEs: –Spec# –JML (well, soon)

3 2006-11-10 SAVCBS'06 - P.Chalin,p. 3 Static Program Verifiers (SPV) Two kinds of error detected by SPV: –Precondition violations (for methods or operators). –Correctness violations (of method bodies). Order.

4 2006-11-10 SAVCBS'06 - P.Chalin,p. 4 SPV: Detection of Errors in … Can be routinely used to detect errors in code relative to specifications. Unfortunately, no error detection in specs. –… beyond conventional type checking. –(maybe because specifiers do not make mistakes?)

5 2006-11-10 SAVCBS'06 - P.Chalin,p. 5 Failing to Detect Errors in Spec’s Is a serious problem because such errors More difficult to detect. More costly to fix (… when identified later ). Motivating example …

6 2006-11-10 SAVCBS'06 - P.Chalin,p. 6 [Motivating example]--------------------- -

7 2006-11-10 SAVCBS'06 - P.Chalin,p. 7 Example: MyUtil Class

8 2006-11-10 SAVCBS'06 - P.Chalin,p. 8 Example: MyUtil Class + Specs

9 2006-11-10 SAVCBS'06 - P.Chalin,p. 9 PairSum Class and Method public class PairSum { public static int pairSum(int[] a, int[] b) { /* returns (a[0] + b[0]) + … + (a[n] + b[n]); * where n is the min length of a and b. */ }

10 2006-11-10 SAVCBS'06 - P.Chalin,p. 10 PairSum code public class PairSum { public static int pairSum(int[] a, int[] b) { int n = MyUtil.minLen(a, b); return MyUtil.sumUpTo(a, n) + MyUtil.sumUpTo(b, n); // by commutativity. }

11 2006-11-10 SAVCBS'06 - P.Chalin,p. 11 Using PairSum int[] a = readFromFile(…); int[] b = readFromFile(…); int sum = pairSum(a, b);... readFromFile is declared to return null on read error. JML tools reports no errors for this code, yet …

12 2006-11-10 SAVCBS'06 - P.Chalin,p. 12 Simple test case: PairSum read error Call trace pairSum(null,null) MyUtil.sumUpTo(null,null)  NullPointerEx

13 2006-11-10 SAVCBS'06 - P.Chalin,p. 13 PairSum called with null public static int pairSum(int[] a, int[] b) { int n = MyUtil.minLen(a null, b null); return … }

14 2006-11-10 SAVCBS'06 - P.Chalin,p. 14 ESC/Java Why did it fail to report a problem? Examine the code annotated with assertions …

15 2006-11-10 SAVCBS'06 - P.Chalin,p. 15 PairSum code + assertions public static int pairSum(int[] a, int[] b) { int n = MyUtil.minLen(a, b); //@ assume (* postcondition of minLen *) //@ assert (* precondition of sumUpTo *) return MyUtil.sumUpTo(a, n) + MyUtil.sumUpTo(b, n); }

16 2006-11-10 SAVCBS'06 - P.Chalin,p. 16 Example: MyUtil Class + Specs

17 2006-11-10 SAVCBS'06 - P.Chalin,p. 17 PairSum code + assertions public static int pairSum(int[] a, int[] b) { int n = MyUtil.minLen(a, b); //@ assume n = min(a.length, b.length); //@ assert n <= a.length && …; return MyUtil.sumUpTo(a, n) + MyUtil.sumUpTo(b, n); }

18 2006-11-10 SAVCBS'06 - P.Chalin,p. 18 PairSum assertions assume n = min( a.length, b.length); assert n <= a.length && …;

19 2006-11-10 SAVCBS'06 - P.Chalin,p. 19 PairSum assertions, trace null … assume n = min(null.length, null.length); assert n <= null.length && …;

20 2006-11-10 SAVCBS'06 - P.Chalin,p. 20 PairSum, trace null & simplifying (1) assume n = null.length; assert n <= null.length && …;

21 2006-11-10 SAVCBS'06 - P.Chalin,p. 21 PairSum, trace null & simplifying (2) assume n = null.length; assert null.length <= null.length && …;

22 2006-11-10 SAVCBS'06 - P.Chalin,p. 22 PairSum, trace null & simplifying (3) assume n = null.length; assert true && true;

23 2006-11-10 SAVCBS'06 - P.Chalin,p. 23 Cause: precond. violation in contract

24 2006-11-10 SAVCBS'06 - P.Chalin,p. 24 SPV Detection of Errors In Specs Two kinds of coding error detected by SPV: –Precondition violations (for methods or operators). –Correctness violations (of method bodies). New ESC/Java2 feature: –definedness checking –“Is-defined checks”, or IDC.

25 2006-11-10 SAVCBS'06 - P.Chalin,p. 25 ESC/Java2 run with IDC MyUtil: minLen(int[], int[])... ----------------------------------------- MyUtil.jml:3: Warning: Possible null deref… //@ java.lang.Math.min(a1.length,…); ^ ----------------------------------------- [0.062 s 12135232 bytes] failed

26 2006-11-10 SAVCBS'06 - P.Chalin,p. 26 [Example 2]----------------------

27 2006-11-10 SAVCBS'06 - P.Chalin,p. 27 Another Motivating Example Consider the following method + contract:

28 2006-11-10 SAVCBS'06 - P.Chalin,p. 28 Another Motivating Example Postconditions are false, hence contract is unimplementable and yet... ESC/Java2 proves method “correct”.

29 2006-11-10 SAVCBS'06 - P.Chalin,p. 29 Inconsistency in Arrays.sort contract ESC/Java2 IDC points out …

30 2006-11-10 SAVCBS'06 - P.Chalin,p. 30 [ESC redesign]----------------------

31 2006-11-10 SAVCBS'06 - P.Chalin,p. 31 Supporting Definedness Checking JML’s current assertion semantics –based on classical logic –Partial functions modeled by underspecified total functions

32 2006-11-10 SAVCBS'06 - P.Chalin,p. 32 Newly proposed semantics Based on Strong Validity: an assertion expression is taken to hold iff it is –Defined and –True.

33 2006-11-10 SAVCBS'06 - P.Chalin,p. 33 “Is-Defined” Operator D(e)

34 2006-11-10 SAVCBS'06 - P.Chalin,p. 34 “Is-Defined” Operator In general (for strict functions): D(f(e1, …, en)) = D(e1)  …  D(en)  p(e1,…,en) e.g. –D(e1 / e2) = D(e1)  D(e2)  e2  0

35 2006-11-10 SAVCBS'06 - P.Chalin,p. 35 “Is-Defined” Operator Non-strict operators, e.g. D(e1 && e2) = D(e1)  (e1  D(e2))

36 2006-11-10 SAVCBS'06 - P.Chalin,p. 36 ESC/Java2 Redesign Current / previous architecture

37 2006-11-10 SAVCBS'06 - P.Chalin,p. 37 Guarded Command Language C ::= Id := Expr | ASSUME Expr | ASSERT Expr | C ; C’ | C C’

38 2006-11-10 SAVCBS'06 - P.Chalin,p. 38 Supporting the New Semantics (IDC) Inline assertions 〚 assert R 〛 = ASSERT 〚 D(R) 〛 ; ASSERT 〚 R 〛

39 2006-11-10 SAVCBS'06 - P.Chalin,p. 39 IDC: Basic Method Contracts Without IDC 〚 {P}B{Q} 〛 = ASSUME 〚 P 〛 ; 〚 B 〛 ; ASSERT 〚 Q 〛 With IDC 〚 {P}B{Q} 〛 = ASSERT 〚 D(P) 〛 ; ASSUME 〚 P 〛 ; 〚 B 〛 ; ASSERT 〚 D(Q) 〛 ; ASSERT 〚 Q 〛

40 2006-11-10 SAVCBS'06 - P.Chalin,p. 40 Checking Methods Without Bodies 〚 {P}_{Q} 〛 = ASSERT 〚 D(I(this)) 〛 ; ASSUME 〚  o:C. I(o) 〛 ; ASSERT 〚 D(P) 〛 ; ASSUME 〚 P 〛 ; 〚 return _ 〛 [] 〚 throw … 〛 ; ASSERT 〚 D(Q) 〛 ; ASSERT 〚 D(I(this)) 〛 ;

41 2006-11-10 SAVCBS'06 - P.Chalin,p. 41 If life we this simple, we wouldn’t need … Unfortunately, previous translation gives poor error reporting. ESC will report errors only for GCs: ASSERT Label(L, E). But this gives coarse grained report: 〚 assert R 〛 = ASSERT Label(I, 〚 D(R) 〛 ); ASSERT 〚 R 〛 We want ESC to pinpoint the errors in D(R).

42 2006-11-10 SAVCBS'06 - P.Chalin,p. 42 Better Diagnostics Need to expand ASSERT 〚 D(e) 〛

43 2006-11-10 SAVCBS'06 - P.Chalin,p. 43 Expanded GC for strict functions Recall that D(f(e1, …, en)) = D(e1)  …  D(en)  p(e1,…,en) Expanded GC form, E 〚 D(f(e1, …, en)) 〛, would be: E 〚 D(e1) 〛 ;... ; E 〚 D(en) 〛 ; ASSERT Label(L, 〚 p(e1,…,en) 〛 )

44 2006-11-10 SAVCBS'06 - P.Chalin,p. 44 Expanded GC for non-strict functions E.g. for conditional operator D(e1 ? e2 : e3) = D(e1)  (e1  D(e2))  (  e1  D(e3)) Expanded GC form would be E 〚 D(e1) 〛 ; { ASSUME 〚 e1 〛 ; E 〚 D(e2) 〛 ; [] ASSUME 〚  e1 〛 ; E 〚 D(e3) 〛 ; }

45 2006-11-10 SAVCBS'06 - P.Chalin,p. 45 [IDC results]----------------------

46 2006-11-10 SAVCBS'06 - P.Chalin,p. 46 ESC/Java2 Definedness Checking: Preliminary Results Tested on 90+KLOC code + specs. 50+ errors detected in java.* API specs. Negligible overhead (preliminary). Did not overwhelm Simplify. –Could prove no less than before. Looking forward to using CVC3 backend: offers native support for new semantics.

47 2006-11-10 SAVCBS'06 - P.Chalin,p. 47 Questions?

Download ppt "Early Detection of JML Specification Errors using ESC/Java2 Patrice Chalin Dependable Software Research Group (DSRG) Computer Science and Software Engineering."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.

Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Formal techniques for getting software right: some old ideas and some new tools Applied Formal Methods Research Group 2012-11-02 David Lightfoot:

Formal techniques for getting software right: some old ideas and some new tools Applied Formal Methods Research Group David Lightfoot:
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 8.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Extended Static Checking for Haskell (ESC/Haskell) Dana N. Xu University of Cambridge advised by Simon Peyton Jones Microsoft Research, Cambridge.

Extended Static Checking for Haskell (ESC/Haskell) Dana N. Xu University of Cambridge advised by Simon Peyton Jones Microsoft Research, Cambridge.
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.

Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,

Programming with Constraint Solvers CS294: Program Synthesis for Everyone Ras Bodik Emina Torlak Division of Computer Science University of California,
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.

The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.
JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.

JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.
Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Copyright © 2006 Addison-Wesley. All rights reserved. 3.5 Dynamic Semantics Meanings of expressions, statements, and program units Static semantics – type.

Similar presentations

Ads by Google