Extended Static Checking for Java - PowerPoint PPT Presentation

Provided by: cormacflan
Slides: 39

Transcript and Presenter's Notes

1
Extended Static Checking for Java
  • Cormac Flanagan

Slides courtesy of Rustan Leino
2
Motivation
3
Software development problem
  • Software construction and maintenance are
    expensive
  • Reliability is costly and difficult to achieve

4
Vision
  • Increased programmer productivity and program
    reliability through increased rigor

  • Record design decisions
  • Utilize automatic checking
  • Detect more errors and reduce costs
5
User's view
[Figure: a program with specifications goes into the program checker, which reports error messages.]

    public class Bag {
      private /*@ non_null */ int[] a;
      private int n;
      //@ invariant 0 <= n && n <= a.length;

      public Bag(/*@ non_null */ int[] initialElements) {
        n = initialElements.length;
        a = new int[n];
        System.arraycopy(initialElements, 0, a, 0, n);
      }

      public void add(int x) {
        if (n == a.length) {
          int[] b = new int[2*(a.length+1)];
          System.arraycopy(a, 0, b, 0, n);
          a = b;
        }
        a[n] = x;
        n++;
      }

      public int extractMin() {
        int m = Integer.MAX_VALUE;
        int mindex = 0;
        for (int i = 0; i < n; i++) {
          if (a[i] < m) {
            mindex = i;
            m = a[i];
          }
        }
        if (0 < n) {
          n--;
          a[mindex] = a[n];
        }
        return m;
      }
      // The program text continues down here, but if you're
      // reading this, you probably aren't paying attention to
      // the talk.
    }

    Bag.java:18: Array index possibly too large
6
Extended Static Checker for Java (ESC/Java)
  • Built at Systems Research Center
  • Input: Java + user-supplied annotations
  • Annotation language captures programmer design
    decisions
  • Powered by
  • weakest precondition semantics
  • automatic theorem proving
  • Performs modular checking

7
Weakest Preconditions in Practice
  • Given procedure
        //@ requires Pre
        //@ ensures Post
        procedure m() { c }    // c is an IMP command
  • Generate verification condition
        Pre ==> WP(c, Post)
  • Check this VC is valid (true in all states)
  • If so, then any execution of m() from a Pre-state
    is guaranteed to terminate only in Post-states.
  • Use automatic theorem proving to check the VC
  • Performs modular checking, requires annotations

8
ESC/Java demo
9
Program checker design tradeoffs
  • Missed errors
  • Spurious warnings
  • Annotation overhead
  • Performance

10
ESC/Java architecture
  Annotated Java program
    -> Translator
    -> Verification condition
    -> Automatic theorem prover, which answers one of:
         Valid
         Resource exhausted
         Counterexample context
    -> Post processor (for a counterexample context)
    -> Warning messages
11
Tool architecture, detail
  Annotated Java program
    -> Translator: Sugared command -> Primitive command -> Passive command
    -> Verification condition
    -> Automatic theorem prover
    -> Counterexample context
    -> Post processor
    -> Warning messages
12
Tool architecture, detail
13
Annotation language
  • Simple
        non_null
  • Method annotations
        requires E
        modifies w
        ensures E
        exsures (T x) E
  • Object invariants
        invariant E
15
Annotation language
Annotated Java program
  • Specification expressions
  • side-effect free Java expressions
  • no , no method calls
  • result
  • ensures result gt 0
  • old(E)
  • ensures x old(x)1
  • (forall T x E), (exists T x E), gt
  • (forall int j 0 lt j j lt n gt aj gt 0)

Sugared command
Primitive command
Translator
Passive command
Verification condition
Automatictheorem prover
Counterexample context
Post processor
Warning messages
17
Annotation language
Annotated Java program
  • Miscellaneous
  • assert E
  • assume E
  • assume x gt 0 // because x yy
  • nowarn
  • x aj //_at_ nowarn
  • axiom E
  • axiom (forall int x x 2 gt 0)
  • Concurrency, ghost variables

Sugared command
Primitive command
Translator
Passive command
Verification condition
Automatictheorem prover
Counterexample context
Post processor
Warning messages
18
Sugared commands
Annotated Java program
  • S,T assert E
  • assume E
  • x E
  • raise
  • S T
  • S ! T
  • S T
  • loop inv E S ? T end
  • call x m(E)

Sugared command
Primitive command
Translator
Passive command
Verification condition
Automatictheorem prover
Counterexample context
Post processor
Warning messages
19
Sugared commands
Annotated Java program
  • x t.f.g
  • assert t ? null
  • tmp select(f, t)
  • assert tmp ? null
  • x select(g, tmp)
  • if (x lt 0) x -x /_at_ assert x gt 0 /
  • ( assume x lt 0 x -x
  • assume ?(x lt 0)
  • )
  • assert x gt 0

Sugared command
Primitive command
Translator
Passive command
Verification condition
Automatictheorem prover
Counterexample context
Post processor
Warning messages
20
Sugared commands
Annotated Java program
  • x t.f.g
  • assert lblneg(Null_at_58.9, t ? null)
  • tmp select(f, t)
  • assert lblneg(Null_at_58.11, tmp ? null)
  • x select(g, tmp)
  • if (x lt 0) x -x /_at_ assert x gt 0 /
  • ( assume x lt 0 assume lblpos(Then2807,
    true) x -x
  • assume ? (x lt 0) assume lblpos(Else2807,
    true)
  • )
  • assert x gt 0

Sugared command
Primitive command
Translator
Passive command
Verification condition
Automatictheorem prover
Counterexample context
Post processor
Warning messages
21
Primitive commands
Annotated Java program
  • S,T assert E
  • assume E
  • x E
  • raise
  • S T
  • S ! T
  • S T
  • loop inv E S ? T end
  • call x m(E)

Sugared command
Primitive command
Translator
Passive command
Verification condition
Automatictheorem prover
Counterexample context
Post processor
Warning messages
22
Primitive commands
Annotated Java program
  • //_at_ requires Pre modifies w ensures
    Postvoid m(U u)
  • call x m(E)
  • var u in
  • u E
  • assert Pre
  • var w0 in
  • w0 w
  • havoc w
  • assume Post
  • x result
  • end
  • end

Sugared command
Primitive command
Translator
Passive command
Verification condition
Automatictheorem prover
Counterexample context
Post processor
Warning messages
23
Passive commands
Annotated Java program
  • S,T assert E
  • assume E
  • x E

Sugared command
Primitive command
Translator
Passive command
Verification condition
Automatictheorem prover
Counterexample context
Post processor
Warning messages
24
    private int scanPunctuation(int nextchr) {
      try {
        boolean possibleFloatingPointNumber = (nextchr == '.');
        text[0] = (char)nextchr;
        textlen = 1;
        m_in.mark();   // All paths out of the try must unmark the stream!!
        PunctuationPrefixTree prefix = punctuationTable;
        PunctuationPrefixTree lastPunctuation = prefix;
        int lastPunctuationLength = 0;
        int index = nextchr - '!';
        if (index < 0 || PunctuationPrefixTree.CHILDLEN <= index)
          prefix = null;
        else
          prefix = prefix.children[nextchr - '!'];
        nextchr = m_in.read();
        if (possibleFloatingPointNumber && Character.isDigit((char)nextchr)) {
          m_in.clearMark();
          return finishFloatingPointLiteral(nextchr);
        }
        this.append(nextchr);
        if (prefix != null && prefix.code != TagConstants.NULL) {
          lastPunctuation = prefix;
          lastPunctuationLength = textlen - 1;
          m_in.mark();
        }
        while (prefix != null) {
          index = nextchr - '!';
          if (index < 0 || PunctuationPrefixTree.CHILDLEN <= index)
            prefix = null;
          else
            prefix = prefix.children[nextchr - '!'];
          nextchr = m_in.read();
          this.append(nextchr);
          if (prefix != null && prefix.code != TagConstants.NULL) {
            lastPunctuation = prefix;
            lastPunctuationLength = textlen - 1;
            m_in.mark();
          }
        }
        m_in.reset();
        textlen = lastPunctuationLength;
        endingLoc = m_in.getLocation();
        ttype = lastPunctuation.code;
        if (ttype != TagConstants.C_COMMENT && ttype != TagConstants.EOL_COMMENT)
          nextchr = m_in.read();
        return ttype;
      } catch (IOException e) {
        m_in.clearMark();
        ErrorSet.fatal(m_in.getLocation(), e.toString());
        return TagConstants.NULL;   // Dummy
      }
    }

25
Passive commands
  • if (x < 0) x = -x;  /*@ assert x > 0 */
  • after giving each assignment target a fresh version:
        ( assume x0 < 0; x1 = -x0; x2 = x1
        [] assume !(x0 < 0); x2 = x0
        );
        assert x2 > 0
26
Passive commands
  • if (x < 0) x = -x;  /*@ assert x > 0 */
  • after turning each assignment into an assume:
        ( assume x0 < 0; assume x1 == -x0; assume x2 == x1
        [] assume !(x0 < 0); assume x2 == x0
        );
        assert x2 > 0
27
Weakest preconditions
  • A Hoare triple {P} S {Q} says that if command S
    is started in a state satisfying P, then S
    terminates without error in a state satisfying Q
  • The weakest precondition of a command S with
    respect to a postcondition Q, written wp(S, Q),
    is the weakest P such that {P} S {Q}
28
Weakest preconditions
  • wp(assert E, Q) = E && Q
  • wp(assume E, Q) = E ==> Q
  • wp(S ; T, Q) = wp(S, wp(T, Q))
  • wp(S [] T, Q) = wp(S, Q) && wp(T, Q)
  • wp(x = E, Q) = Q[x := E]
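The pipeline the last slides describe (the desugaring of slide 19, the passive form of slides 25 and 26, the wp rules above), carried through on the abs example of slide 31. This is an added example written for this page, not code from the slides or from ESC/Java: the tuple syntax, the function names and the bounded enumeration that stands in for Simplify are this example's own choices, and that enumeration can refute a VC but never prove it.

```python
"""Miniature ESC/Java back end: desugaring, passive form, wp, counterexample search.
Added example for this page, not code from the slides or from ESC/Java.
expr ::= ('var', x) | ('int', n) | ('neg', e) | ('not', e) | (op, e1, e2)
cmd  ::= ('assert', e) | ('assume', e) | ('assign', x, e) | ('seq', S, T) | ('choice', S, T)
"""
import itertools

BIN = {"<": lambda a, b: a < b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "==": lambda a, b: a == b, "&&": lambda a, b: a and b, "==>": lambda a, b: (not a) or b}

def ev(e, s):                       # evaluate e in state s (variable name -> int)
    tag = e[0]
    if tag == "var": return s[e[1]]
    if tag == "int": return e[1]
    if tag == "neg": return -ev(e[1], s)
    if tag == "not": return not ev(e[1], s)
    return BIN[tag](ev(e[1], s), ev(e[2], s))

def show(e):                        # print an expression in the slides' notation
    if e[0] in ("var", "int"): return str(e[1])
    if e[0] in ("neg", "not"): return ("-" if e[0] == "neg" else "!") + show(e[1])
    return "(%s %s %s)" % (show(e[1]), e[0], show(e[2]))

def subst(e, x, by):                # e[x := by], used by wp(x = E, Q) = Q[x := E]
    if e[0] == "var": return by if e[1] == x else e
    if e[0] == "int": return e
    return (e[0],) + tuple(subst(sub, x, by) for sub in e[1:])

def rename(e, ver):                 # x becomes x0, x1, ... (ver: name -> version)
    if e[0] == "var": return ("var", "%s%d" % (e[1], ver.get(e[1], 0)))
    if e[0] == "int": return e
    return (e[0],) + tuple(rename(sub, ver) for sub in e[1:])

def wp(cmd, q):
    """Weakest precondition: the five rules of slide 28 and nothing more."""
    tag = cmd[0]
    if tag == "assert": return ("&&", cmd[1], q)
    if tag == "assume": return ("==>", cmd[1], q)
    if tag == "assign": return subst(q, cmd[1], cmd[2])
    if tag == "seq":    return wp(cmd[1], wp(cmd[2], q))
    if tag == "choice": return ("&&", wp(cmd[1], q), wp(cmd[2], q))
    raise ValueError(cmd)

def passify(cmd, ver, fresh):
    """Passive form (slides 25-26): an assignment becomes an assume about a fresh
    version of its target; the arms of a choice are joined with extra assumes."""
    tag = cmd[0]
    if tag in ("assert", "assume"):
        return (tag, rename(cmd[1], ver)), ver
    if tag == "assign":
        x = cmd[1]
        fresh[x] = fresh.get(x, 0) + 1
        new = dict(ver, **{x: fresh[x]})
        return ("assume", ("==", rename(("var", x), new), rename(cmd[2], ver))), new
    if tag == "seq":
        s, ver = passify(cmd[1], ver, fresh)
        t, ver = passify(cmd[2], ver, fresh)
        return ("seq", s, t), ver
    if tag == "choice":
        s, vs = passify(cmd[1], ver, fresh)
        t, vt = passify(cmd[2], ver, fresh)
        joined = dict(vs)
        for x in sorted(set(vs) | set(vt)):
            if vs.get(x, 0) != vt.get(x, 0):        # the arms disagree on x's version
                fresh[x] = fresh.get(x, 0) + 1
                joined[x] = fresh[x]
                xj = rename(("var", x), joined)
                s = ("seq", s, ("assume", ("==", xj, rename(("var", x), vs))))
                t = ("seq", t, ("assume", ("==", xj, rename(("var", x), vt))))
        return ("choice", s, t), joined
    raise ValueError(cmd)

def free_vars(e, acc=None):
    acc = set() if acc is None else acc
    if e[0] == "var": acc.add(e[1])
    elif e[0] != "int":
        for sub in e[1:]: free_vars(sub, acc)
    return acc

def counterexample(vc, lo=-2, hi=2):
    """Bounded search standing in for the prover (this example's assumption): a state
    in [lo, hi]^n that falsifies vc, or None, which is NOT a proof that vc is valid."""
    names = sorted(free_vars(vc))
    for vals in itertools.product(range(lo, hi + 1), repeat=len(names)):
        s = dict(zip(names, vals))
        if not ev(vc, s): return s
    return None

X, ZERO, TRUE = ("var", "x"), ("int", 0), ("==", ("int", 0), ("int", 0))

def abs_program(post):
    """T.abs of slide 31 desugared as on slide 19: if (c) S  ==  (assume c; S) [] assume !c."""
    cond = ("<", X, ZERO)
    then = ("seq", ("assume", cond), ("assign", "x", ("neg", X)))
    return ("seq", ("choice", then, ("assume", ("not", cond))), ("assert", post))

def check(post, passive=False):
    """VC for abs with the given //@ assert; returns (VC text, counterexample or None)."""
    cmd = abs_program(post)
    if passive:
        cmd, _ = passify(cmd, {}, {})
    vc = wp(cmd, TRUE)
    return show(vc), counterexample(vc)
```

check((">", X, ZERO)) returns the VC text together with the counterexample {'x': 0}, the same state the prover reports for assert x > 0; with passive=True the counterexample is over x0, x1, x2 as on slide 26, and weakening the assert to x >= 0 leaves nothing to find in the searched range (which, again, is evidence rather than proof).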
30
Verification condition
  • Universal background predicate
        (\forall t; t <: t)
  • Type-specific background predicate
        Bag <: java.lang.Object
  • Verification condition: BP_Univ && BP_T ==> VC_method
31
Verification condition
  • Source:
        class T {
          static int abs(int x) {
            if (x < 0) x = -x;
            //@ assert x > 0;
          }
        }
  • The VC as sent to Simplify:
    (BG_PUSH
      (AND (<: T_T T_java.lang.Object)
           (EQ T_T (asChild T_T T_java.lang.Object))
           (DISTINCT arrayType T_boolean T_char T_byte T_short T_int T_long
                     T_float T_double T_.TYPE T_T T_java.lang.Object)))
    (EXPLIES
      (LBLNEG vc.T.abs.2.2
        (IMPLIES
          (AND (EQ elems@pre elems) (EQ elems (asElems elems))
               (< (eClosedTime elems) alloc) (EQ LS (asLockSet LS))
               (EQ alloc@pre alloc))
          (NOT
            (AND (EQ @true (is x:2.21 T_int))
                 (OR (AND (OR (AND (< x:2.21 0)
                                   (LBLPOS trace.Then^0,3.15 (EQ @true @true))
                                   (EQ x:3.17 (- 0 x:2.21))
                                   (EQ x:2.21<1> x:3.17))
                              (AND (NOT (< x:2.21 0))
                                   (LBLPOS trace.Else^1,3.4 (EQ @true @true))
                                   (EQ x:2.21<1> x:2.21)))
                          (NOT (LBLNEG Assert@4.8 (> x:2.21<1> 0))))
                     (AND (OR (AND (< x:2.21 0)
                                   (LBLPOS trace.Then^0,3.15 (EQ @true @true))
                                   (EQ x:3.17 (- 0 x:2.21))
                                   (EQ x:2.21<1> x:3.17))
                              (AND (NOT (< x:2.21 0))
                                   (LBLPOS trace.Else^1,3.4 (EQ @true @true))
                                   (EQ x:2.21<1> x:2.21)))
                          (LBLNEG Assert@4.8 (> x:2.21<1> 0))
                          (NOT (LBLNEG Exception@5.2 (EQ ecReturn ecReturn)))))))))
      (AND (DISTINCT ecReturn)))
32
Theorem prover: Simplify
  • Nelson-Oppen cooperating decision procedures
        congruence closure
        linear arithmetic
        partial orders
        quantifiers
  • Key features
        automatic: no user interaction
        refutation based: searches for counterexamples
        heuristics tuned for program checking
        labels
        time limit
33
Counterexamples and warnings
  • Counterexample returned by the prover
        labels: (IndexTooBig@26.5 vc.Bag.add.20.2 trace.Then^0,21.23)
        context: (AND (NEQ tmp1!a:23.23 null) (NEQ this null) (EQ alloc@pre alloc)
                      (EQ tmp4!n:26.6 0) (< alloc (vAllocTime tmp3!a:26.4)) ...)
  • Warning produced by the post processor
        Bag: add(int) ...
        ------------------------------------------------------------
        Bag.java:26: Warning: Array index possibly too large (IndexTooBig)
            a[n] = x;
        Execution trace information:
            Executed then branch in "Bag.java", line 21, col 23.
        ------------------------------------------------------------
34
Experience annotations
  • Capture common design decisions
  • Suggested immediately by warnings
  • Overhead: 4-10% of source code
  • About 1 annotation per field or parameter
  • Most common annotations
        non_null
        container element types

35
Experience performance
  • 50% of all methods: < 0.5 s
  • 80% of all methods: < 1 s
  • time limit: 300 s
  • total time for Javafe (40 kloc): 65 min.

36
Related work
  • ESC/Modula-3
  • Full functional specification and verification
  • JML, LOOP, B, Penelope, ...
  • Languages and language features
  • Euclid, Eiffel, Escher, Guava, Vault, Cqual, ...
  • LCLint, refinement types, Types against races,
    ...
  • Other checking techniques
  • Abstract interpretation, PREfix, SLAM,
    Bandera,Java PathFinder 2, Canvas, ESP, AST
    Toolkit, Metal

37
Conclusions
  • Using weakest precondition semantics and
    automatic decision procedures for program
    analysis works!
  • Cost effective?

38
Reading
  • Read Hudak's paper on functional programming.
  • Read at least the initial part of Pierce's paper
    on foundational calculi (the part on lambda
    calculus).