Presentation is loading. Please wait.

Presentation is loading. Please wait.

Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.

Published byAllan Knight Modified over 8 years ago

Similar presentations

Presentation on theme: "Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems."— Presentation transcript:

1 Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems Research Center

2 What is “Static Checking”? Annotated Source Code StaticChecker Error:... type systems type systems Error: wrong number of arguments in method call lint lint Error: unreachable code full program verification full program verification Error: qsort does not yield a sorted array

3 Why not just use testing?  Testing essential but Expensive Expensive Finds errors late Finds errors late Misses errors Misses errors  Static checking and testing complementary

4 Comparison of Static Checkers Quality 100% Effort fullverification lint typesystems ExtendedStaticChecking Note: Graph is not to scale ESCModula-3 ESCJava

5 Goals of ESC/Java  Practical static checking  Detect common run-time errors null dereferences null dereferences array bounds array bounds type casts type casts race conditions race conditions deadlocks deadlocks......  Modular checking

6 Non-goals of ESC/Java  Complete functional verification  Completeness May not pass all programs May not pass all programs  Soundness May fail to detect errors May fail to detect errors Error-resistant, not error-proof Error-resistant, not error-proof

7 Architecture of ESC/Java Method + annotations Verification condition generator Automatic theorem prover Counterexample  x.  y.(x > y ==> … ) Error: index out of bounds on line 218 Background axioms

8 Input to ESC/Java Method + annotations Verification condition generator Automatic theorem prover Counterexample Background axioms

9 Modular checking Method body Client Interface check check Client check

10 Describing interfaces public class Vector { Object[] a; Object[] a; int size; int size; public Object elementAt(int i) public Object elementAt(int i) {... } {... } public Object[] copyToArray() public Object[] copyToArray() {... } {... }} //@ invariant a != null //@ invariant a != null //@ invariant size <= a.length //@ invariant size <= a.length //@ requires 0 <= i && i < size //@ requires 0 <= i && i < size //@ ensures RES != null && RES.length == size //@ ensures RES != null && RES.length == size //@ modifies size, a[0], a[*] //@ modifies size, a[0], a[*]

11 Input to ESC/Java’s “checking engine”  Method implementation  Interface annotations requires requires ensures ensures modifies modifies invariants invariants

12 Verification condition generation Method + annotations Verification condition generator Automatic theorem prover Counterexample Background axioms

13 Verification condition generation  Easy for small languages [Dijkstra]  Much harder for real languages  Object-oriented  Typed  Dynamic allocation  Exceptions  Aliasing  Threads

14 Verification conditions for real programs Java Guarded command Verification condition x = a[ i++ ]; i0 = i; i = i + 1; assert (LABEL Null@218: a != null); assert (LABEL IndexNeg@218: 0 <= i0); assert (LABEL IndexTooBig@218: i0 < a.length); x = elems[a][i0];  i0.(i0 == i ==> … ) wlp assume preconditions assume invariants...... assert postconditions assert invariants

15 Exceptions  Java has exceptions  Add exceptions ( raise and catch ) to guarded command language  Calculate wlp of GC statement with respect to normal and exceptional postconditions

16 Method overriding  Method in subclass can override method in superclass Must respect interface of overridden method Must respect interface of overridden method Weaker requires clause Weaker requires clause Stronger ensures clause Stronger ensures clause

17 Verification condition Method + annotations Verification condition generator Automatic theorem prover Counterexample Background axioms

18 Verification condition  Formula in untyped, first-order predicate calculus equality and function symbols equality and function symbols quantifiers quantifiers arithmetic operations arithmetic operations select and store operations select and store operations Eg.  x.  y.(x > y ==> … ) Eg.  x.  y.(x > y ==> … )

19 Example verification condition  Verification condition large but “dumb” (IMPLIES (DISTINCT |ecReturn| |L_14.4|) (IMPLIES (AND (EQ |a@pre:2.8| |a:2.8|) (EQ |a:2.8| (asField |a:2.8| (array |T_int|))) ( | |T_Bag|)) (EQ |@true| (isAllocated |this | alloc)) (NEQ |this | null)) (FORALL (tmp1 |tmp2:21.4| |tmp3:21.6| |m:12.8| |mindex:13.8| |i:14.13| |tmp0:14.28|) (AND (IMPLIES ( |)) (AND (LBLNEG |Null@15.10~15.10| (NEQ (select |a:2.8| |this |) null)) (LBLNEG |IndexNegative@15.10~15.11| ( |)))) (IMPLIES ( |)) 1) |MAX_VALUE:3.4.26|) (AND (LBLNEG |Null@17.12~17.12| (NEQ (select |a:2.8| |this |) null)) (LBLNEG |IndexNegative@17.12~17.13| ( |)))) (FORALL (|m:17.8|) (IMPLIES (EQ |m:17.8| (select (select elems (select |a:2.8| |this |)) 1)) (FORALL (|i:14.28|) (IMPLIES (AND (EQ |i:14.28| (+ 1 1)) (EQ |@true| |bool$false|)) (FORALL (|tmp2:21.4 |) (IMPLIES (EQ |tmp2:21.4 | (select |a:2.8| |this |)) (AND (LBLNEG |Null@21.16~21.16| (NEQ (select |a:2.8| |this |) null)) (LBLNEG |IndexNegative@21.16~21.17| ( | (- (select |n:3.6| |this |) 1)) |this |))) (LBLNEG |IndexTooBig@21.16~21.17| ( | (- (select |n:3.6| |this |) 1)) |this |) (arrayLength (select |a:2.8| |this |)))) (LBLNEG |Null@21.4~21.4| (NEQ |tmp2:21.4 | null)) (LBLNEG |IndexNegative@21.4~21.5| ( |))) (LBLNEG |Exception:11.6~11.6@11.2~11.2| (EQ |ecReturn| |ecReturn|))))))))))) (IMPLIES (NOT ( |)) 1) |MAX_VALUE:3.4.26|)) (FORALL (|i:14.28|) (IMPLIES (AND (EQ |i:14.28| (+ 1 1)) (EQ |@true| |bool$false|)) (FORALL (|tmp2:21.4 |) (IMPLIES (EQ |tmp2:21.4 | (select |a:2.8| |this |)) (AND (LBLNEG |Null@21.16~21.16| (NEQ (select |a:2.8| |this |) null)) (LBLNEG |IndexNegative@21.16~21.17| ( | (- (select |n:3.6| |this |) 1)) |this |))) (LBLNEG |IndexTooBig@21.16~21.17| ( | (- (select |n:3.6| |this |) 1)) |this |) (arrayLength (select |a:2.8| |this |)))) (LBLNEG |Null@21.4~21.4| (NEQ |tmp2:21.4 | null)) (LBLNEG |IndexNegative@21.4~21.5| ( |))) (LBLNEG |Exception:11.6~11.6@11.2~11.2| (EQ |ecReturn| |ecReturn|)))))))))) (IMPLIES (NOT ( |))) (AND (IMPLIES (EQ |L_14.4| |L_14.4|) (FORALL (|tmp2:21.4 |) (IMPLIES (EQ |tmp2:21.4 | (select |a:2.8| |this |)) (AND (LBLNEG |Null@21.16~21.16| (NEQ (select |a:2.8| |this |) null)) (LBLNEG |IndexNegative@21.16~21.17| ( | (- (select |n:3.6| |this |) 1)) |this |))) (LBLNEG |IndexTooBig@21.16~21.17| ( | (- (select |n:3.6| |this |) 1)) |this |) (arrayLength (select |a:2.8| |this |)))) (LBLNEG |Null@21.4~21.4| (NEQ |tmp2:21.4 | null)) (LBLNEG |IndexNegative@21.4~21.5| ( |))) (LBLNEG |Exception:11.6~11.6@11.2~11.2| (EQ |ecReturn| |ecReturn|)))))) (IMPLIES (NOT (EQ |L_14.4| |L_14.4|)) (AND (LBLNEG |Exception:11.6~11.6@11.2~11.2| (EQ |L_14.4| |ecReturn|))))))))))

20 Background axioms Method + annotations Verification condition generator Automatic theorem prover Counterexample Background axioms

21  Additional properties of Java that the theorem prover needs to know  A variable of type T always holds a value whose type is a subtype of T  The subtyping relation is reflexive, anti-symmetric, and transitive  new returns an object that is distinct from all existing objects ... lots more...  java.lang.Object has no supertype

22 Automatic theorem proving Method + annotations Verification condition generator Automatic theorem prover Counterexample Background axioms

23 Automatic theorem proving  Use Simplify Theorem prover from ESC/Modula-3 Theorem prover from ESC/Modula-3 Accepts formulae in untyped, first-order predicate calculus Accepts formulae in untyped, first-order predicate calculus Attempts to prove or refute Attempts to prove or refute

24 Automatic theorem proving Verification condition Automatic theorem prover (Simplify) Counterexample  x.  y.(x > y ==> … ) DivergesValid

25 Handling counterexamples Method + annotations Verification condition generator Automatic theorem prover Counterexample Background axioms

26 Error message from counterexample Verification condition Automatic theorem prover (Simplify) Counterexample:  x.  y. ( … ( … (LABEL IndexTooBig@218 …) …) (LABEL IndexTooBig@218 …) …) x417 > 7 … Label: IndexTooBig@218 … Error: index out of bounds on line 218

27 Initial experience  First implementation is done  Run on 30,000+ lines of code (mostly itself)  Caught several errors null dereference, array bounds null dereference, array bounds  Programmer can annotate and check about 300 lines per hour  Looks promising...

28 Demonstration

29 ESC/Java Summary  Finds more errors than type checking  Costs less than full verification  Currently working; is being evaluated  Potential as “software reliability metric”  Practical checking based on automatic theorem proving may be possible www.research.digital.com/SRC/esc/Esc.html

30

31 Comparison of Static Checkers Quality 100% Effort fullverification lint typesystems decidabilitylimit ExtendedStaticChecking Note: Graph is not to scale

32 Metrics for Static Checkers  Cost of using the tool  Quality Does it miss errors? Does it give spurious warnings?

33 Challenges  Automatic theorem proving  Error messages from counterexample  Verification conditions for real programs  Object-oriented  Typed  Dynamic allocation  Exceptions

34 ESC/Java vs. Testing  Testing essential but Expensive Expensive Finds errors late Finds errors late Misses errors Misses errors  ESC/Java... ?

35 Background axioms Java Guarded command Verification condition Background axioms wlp

36 Additional annotations //@ assert //@ assume //@ nowarn //@ axiom

37 Describing interfaces public Integer[] sum(Integer[] a, Integer[] b); //@ requires a != null && b != null; //@ requires a.length == b.length; //@ ensures RES != null && RES.length == a.length; //@ modifies a[0], b[*];

Download ppt "Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems."

Similar presentations

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.

Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 8.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”

Synthesis, Analysis, and Verification Lecture 04c Lectures: Viktor Kuncak VC Generation for Programs with Data Structures “Beyond Integers”
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.

JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.
272: Software Engineering Fall 2008 Instructor: Tevfik Bultan Lecture 3: Java Modeling Language and Extended Static Checking.

272: Software Engineering Fall 2008 Instructor: Tevfik Bultan Lecture 3: Java Modeling Language and Extended Static Checking.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 2 Courtesy: K. Rustan M. Leino and Wolfram Schulte.

ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 2 Courtesy: K. Rustan M. Leino and Wolfram Schulte.
Extended Static Checking for Java Cormac Flanagan Slides courtesy of Rustan Leino.

Extended Static Checking for Java Cormac Flanagan Slides courtesy of Rustan Leino.
Avoiding Exponential Explosion: Generating Compact Verification Conditions Cormac Flanagan and James B. Saxe Compaq Systems Research Center With help from.

Avoiding Exponential Explosion: Generating Compact Verification Conditions Cormac Flanagan and James B. Saxe Compaq Systems Research Center With help from.
1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs.

1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs.
Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,

Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,

Similar presentations

Ads by Google