building and using pluggable type checkers
play

Building and Using Pluggable Type-Checkers Werner M. Dietl Joint - PowerPoint PPT Presentation

Jan 10, 2023 •319 likes •624 views

Building and Using Pluggable Type-Checkers Werner M. Dietl Joint work with: Stephanie Dietzel, Michael D. Ernst, Kvan Mulu, and Todd W. Schiller 1 Software still has errors 2 Static type systems 0 errors, Crashes 0 warnings Source

  1. Building and Using Pluggable Type-Checkers Werner M. Dietl Joint work with: Stephanie Dietzel, Michael D. Ernst, Kıvanç Muşlu, and Todd W. Schiller 1

  2. Software still has errors 2

  3. Static type systems 0 errors, Crashes 0 warnings Source Compiler, Executable Code Type Checker 3

  4. Static type systems ● Java/C# provide limited type systems ● Static type systems could prevent: ● Null-pointer exceptions [Fähndrich & Leino '03] ● Unwanted mutations [Tschantz & Ernst '05] ● Concurrency errors [Boyapati et al. '02, Cunningham et al. '07] ● Express additional facts about a program ● Statically ensure absence of certain errors 4

  5. Pluggable type checkers Compiler, Source Executable Type Checker Code Pluggable Type Checker Fix Bugs Warnings Add Annotations 5

  6. Pluggable type checkers Compiler, Source Executable Type Checker Code Pluggable Pluggable Pluggable Type Checker Type Checker Type Checker Fix Bugs Guarantees partial Warnings correctness! Add Annotations 6

  7. Pluggable type systems Example: Ensure encrypted communication void send( @Encrypted String msg) {…} @Encrypted String msg1 = ...; send(msg1); // OK String msg2 = ....; send(msg2); // Warning! 7

  8. The Checker Framework ● A framework for pluggable type checkers ● “Plugs” into the OpenJDK compiler ● Easy to use javac -processor EncryptionChecker … ● Eclipse plug-in, Ant and Maven integration 8

  9. Lack of uptake of pluggable types Common assumptions: ● Testing finds all important bugs ● Usage adds annotation clutter ● Learning their usage is hard ● Building checkers is difficult These were true before the Checker Framework. Do they still apply? 9

  10. Our contribution: case studies ● Checkers reveal important latent bugs ● Ran on 2 million LOC of real-world code ● Found 40 user-visible bugs, hundreds of mistakes ● Annotation overhead is low ● Mean 2.6 annotations per kLOC ● Learning their usage is easy ● Used successfully by first-year CS majors ● Building checkers is easy ● New users developed 3 new realistic checkers 10

  11. Kinds of case studies ● 2 existing type checkers ● Absence of null-pointer exceptions ● Correct use of object and reference equality ● 3 new type checkers ● Correct compiler message key substitution ● Consistent use of integer constants as enums ● Consistency of Java class name strings ● Classroom study ● Nullness checker used by first-year CS majors 11

  12. Case study subject programs Swing: 610 kLOC Lucene: 479 kLOC We manually annotated Xerces: 257 kLOC each program for one type OpenJDK (17 packages): 231 kLOC system until all warnings Daikon: 222 kLOC were eliminated. JabRef: 117 kLOC Google Collections: 78 kLOC GanttProject: 69 kLOC ASM: 33 kLOC Checker Framework: 31 kLOC Annotation File Utilities: 17 kLOC 12

  13. Outline 1. Motivation 2. Checkers reveal important latent bugs 3. Annotation overhead is low 4. Learning the usage is easy 5. Building checkers is easy 13

  14. 1. Checkers reveal important latent bugs Nullness Checker: ● 9 crashing bugs in Google Collections ● 45000 tests (2/3 of the LOC) ● Uses FindBugs @Nullable annotations, no FindBugs warnings ● >90 bugs in Daikon 14

  15. Reveals bugs: null-pointer exceptions Example from Google Collections: class ForMapWithDefault { @Nullable Object defaultValue; public int hashCode() { return map.hashCode() + defaultValue.hashCode(); } java.lang.NullPointerException … } 15

  16. Reveals bugs: Java signatures ● JDK's String representations of class names: ● Fully qualified names: package.Outer.Inner ● Binary names: package.Outer$Inner ● Field descriptors: L package/Outer$Inner; ● Important to keep them separated Unqualified FullyQualifiedName BinaryName FieldDescriptor 16

  17. Reveals bugs: Java signatures Signature Checker: ● 11 crashing bugs in OpenJDK ● 13 in libraries 17

  18. Reveals bugs: Java signatures Example from java.lang.Class : static Class<?> forName(String className) “Returns the Class object associated with the class or interface with the given string name. ... Parameters: className - the fully qualified name of the desired class” java.lang.ClassNotFoundException Class.forName(“package.Outer.Inner”) Class.forName(“package.Outer$Inner”) OK! 18

  19. 2. Annotation overhead is low Nullness: 13 Ann./kLOC Signature: 1.5 Ann./kLOC Fenum: 1.1 Ann./kLOC Interning: 0.52 Ann./kLOC Compiler Msgs.: 0.35 Ann./kLOC 19

  20. Annotation overhead is low ● Good defaults ● Non-Null Except Locals reflects common usage – Fields, parameters, … are @NonNull – Only local variables are @Nullable ● Define defaults using the tree kind, type kind, or regular expressions ● Flow-sensitive local inference @Nullable Object o; o = new Object(); o.toString(); // OK! o inferred non-null! 20

  21. 3. Learning their usage is easy ● 28 first-year CS majors at UW ● Assignment: prove absence of NPE ● Mean code size: 9 kLOC ● Result: all students fixed unknown bugs! ● Invested time: ● 2 hours of demos and instructions ● 5.6 hours spent on assignment on average 21

  22. 4. Building checkers is easy Example: Ensure encrypted communication void send( @Encrypted String msg) {…} @Encrypted String msg1 = ...; send(msg1); // OK String msg2 = ....; Unqualified send(msg2); // Warning! The complete checker: Encrypted @TypeQualifier @SubtypeOf(Unqualified.class) public @interface Encrypted {} 22

  23. Signature String Checker ● JDK's String representations of class names: ● Fully qualified names: package.Outer.Inner ● Binary names: package.Outer$Inner ● Field descriptors: L package/Outer$Inner; ● Important to keep them separated Unqualified FullyQualifiedName BinaryName FieldDescriptor 23

  24. Signature String Checker Type Qualifiers @TypeQualifier @TypeQualifier @SubtypeOf({Unqualified.class}) @SubtypeOf({BinaryName.class, @ImplicitFor(stringPatterns="^[A-Za-z_] FullyQualifiedName.class}) [A-Za-z_0-9]*(\\.[A-Za-z_][A-Za-z_0-9] public @interface SourceName {} *)*(\\[\\])*$") @TypeQualifier public @interface FullyQualifiedName {} @SubtypeOf({Unqualified.class}) @TypeQualifier public @interface MethodDescriptor {} @SubtypeOf({Unqualified.class}) @TypeQualifier @ImplicitFor(stringPatterns="^[A-Za-z_] @SubtypeOf({BinaryName.class, [A-Za-z_0-9]*(\\.[A-Za-z_][A-Za-z_0-9] FieldDescriptor.class, SourceName.class, *)*(\\$[A-Za-z_][A-Za-z_0-9]*)?(\\[\\] FullyQualifiedName.class, )*$") MethodDescriptor.class}) public @interface BinaryName {} @ImplicitFor(trees={Tree.Kind.NULL_LITERAL}) @TypeQualifier public @interface SignatureBottom {} @SubtypeOf({Unqualified.class}) @TypeQualifiers({BinaryName.class, @ImplicitFor(stringPatterns="^\\[*([BCDF FullyQualifiedName.class, SourceName.class, IJSZ]|L[A-Za-z_][A-Za-z_0-9]*(/[A-Za-z_] FieldDescriptor.class, Unqualified.class, [A-Za-z_0-9]*)*(\\$[A-Za-z_][A-Za-z_0-9] MethodDescriptor.class, SignatureBottom.class}) *)?;)$") public final class SignatureChecker public @interface FieldDescriptor {} extends BaseTypeChecker {} Type Checker 24

  25. Signature String Checker ● Written by a first-year graduate student without prior experience with the framework ● Found 11 crashing bugs in OpenJDK, 13 more in libraries ● Example: class Class<T> { Class<?> forName( @BinaryName String className); @BinaryName String getName(); @FullyQualifiedName String getCanonicalName(); } String name = myclass.getCanonicalName(); Class.forName(name); // Warning 25

  26. Building complex checkers is possible Nullness Checker is actually 3 checkers: ● Correct object initialization ● Nullness itself ● Correct usage of keys in map accesses Refined defaulting: ● Refined flow-sensitive inference ● Heuristics for Map.get behavior 26

  27. Checker Code Sizes Nullness Checker: 4311 LOC Interning Checker: 960 LOC Fake Enumerations Checker: 489 LOC Signature Strings Checker: 167 LOC Compiler Messages Checker: 70 LOC 27

  28. Applicability of type checkers ● Many properties amenable to static checking ● Concurrency ● Object encapsulation ● Energy efficiency ● Even dependencies on external information ● Look for properties that depend on the static structure and not the behavior of code ● Value sound results over heuristics 28

  29. Conclusions 1. Checkers reveal important latent bugs 2. Annotation overhead is low 3. Learning their usage is easy 4. Building checkers is easy It is easy to improve the quality of your Java code, and you should start today! http://checker-framework.googlecode.com/ 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Investigating Safety of a Radiotherapy Machine Using System Models with Pluggable Checkers

Investigating Safety of a Radiotherapy Machine Using System Models with Pluggable Checkers

Investigating Safety of a Radiotherapy Machine Using System Models with Pluggable Checkers Combining Formal Models with Concrete Evidence Stuart Pernsteiner, Calvin Loncaric, Emina T orlak, Zachary T atlock, Xi Wang, Michael D. Ernst, and

258 views • 23 slides
Pluggable type systems reconsidered ISSTA 2018 Impact Paper Award for Practical Pluggable

Pluggable type systems reconsidered ISSTA 2018 Impact Paper Award for Practical Pluggable

Pluggable type systems reconsidered ISSTA 2018 Impact Paper Award for Practical Pluggable Types for Java Michael D. Ernst University of Washington https://checkerframework.org/ Optional Type Checking int x = &quot;hello world&quot;;

628 views • 60 slides
Preventing errors before they happen: Lightweight verification via pluggable type-checking

Preventing errors before they happen: Lightweight verification via pluggable type-checking

print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Preventing errors before they happen: Lightweight verification via pluggable type-checking Michael D. Ernst University of Washington (Seattle, WA, USA) University of Buenos

600 views • 48 slides
Welcome to the Quality Checkers Presentation Northamptonshire Quality Checkers How did the

Welcome to the Quality Checkers Presentation Northamptonshire Quality Checkers How did the

Welcome to the Quality Checkers Presentation Northamptonshire Quality Checkers How did the Quality Checkers project happen? The quality checkers project has been jointly funded by: Northamptonshire Learning Disability Partnership

749 views • 21 slides
Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr.,

Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr.,

void print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr., Jeff Perkins, Michael Ernst MIT Problem 1: Javas type checking Type

801 views • 37 slides
Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with

Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with

print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with Mahmood Ali and Matthew Papi Motivation java.lang.NullPointerException

561 views • 30 slides
The Quality Checkers Project Employing the Quality Checkers There were information days in

The Quality Checkers Project Employing the Quality Checkers There were information days in

The Quality Checkers Project Employing the Quality Checkers There were information days in January. There were interviews in February. The Great Quality Checkers Paul C Paul B Tom Victor Mike Karl John Sandra Paul G Debbie Alex

368 views • 14 slides
The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java

The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java

The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java By: Amanj Sherwany 2011 http://www.amanj.me Background Loci is a static checker for thread- Informationsteknologi locality for Java-like

931 views • 50 slides
Unit 7 Fundamental Digital Building Blocks: Decoders &amp; Multiplexers 7.2 CHECKERS / DECODERS

Unit 7 Fundamental Digital Building Blocks: Decoders &amp; Multiplexers 7.2 CHECKERS / DECODERS

7.1 Unit 7 Fundamental Digital Building Blocks: Decoders &amp; Multiplexers 7.2 CHECKERS / DECODERS 7.3 Gates Gates can have more than 2 inputs but the functions stay the same AND = output = 1 if ALL inputs are 1 Outputs 1 for

1.08k views • 42 slides
Unit 8 Fundamental Digital Building Blocks: Decoders &amp; Multiplexers 9.2 Checkers / Decoders

Unit 8 Fundamental Digital Building Blocks: Decoders &amp; Multiplexers 9.2 Checkers / Decoders

9.1 Unit 8 Fundamental Digital Building Blocks: Decoders &amp; Multiplexers 9.2 Checkers / Decoders Recall AND gates output '1' for only a single combination OR gates output '0' for only a single combination Inputs (inverted or

838 views • 45 slides
Deriving Filtering Algorithms Deriving Filtering Algorithms from Constraint Checkers from

Deriving Filtering Algorithms Deriving Filtering Algorithms from Constraint Checkers from

Deriving Filtering Algorithms Deriving Filtering Algorithms from Constraint Checkers from Constraint Checkers Nicolas Beldiceanu(1), Mats Carlsson(2) and Thierry Petit(1) (1) LINA FRE CNRS 2729, Ecole des Mines de Nantes, FR-44307 Nantes Cedex

642 views • 40 slides
Proof Certificates for SMT-based Model Checkers Alain Mebsout and Cesare Tinelli SMT 2016 July 2

Proof Certificates for SMT-based Model Checkers Alain Mebsout and Cesare Tinelli SMT 2016 July 2

Proof Certificates for SMT-based Model Checkers Alain Mebsout and Cesare Tinelli SMT 2016 July 2 nd , 2016 Motivation Model checkers return error traces but no evidence when they say yes Complex tools Goal: improve trustworthiness

809 views • 47 slides
02/05/2014 4.1.2 Built-in Potential N-type P-type (a) N d N d N a N a E c q bi (b) E f E

02/05/2014 4.1.2 Built-in Potential N-type P-type (a) N d N d N a N a E c q bi (b) E f E

02/05/2014 Chapter 4 PN Junctions 4.1 Building Blocks of the PN Junction Theory + V I Donor ions N P N-type I P-type diode symbol V Forward bias Reverse bias PN junction is present in perhaps every semiconductor device. Slide

546 views • 30 slides
PROPOSAL For a Modular, Pluggable 802.11 MAC Model To Facilitate Experimentation and

PROPOSAL For a Modular, Pluggable 802.11 MAC Model To Facilitate Experimentation and

PROPOSAL For a Modular, Pluggable 802.11 MAC Model To Facilitate Experimentation and Contributions IBM Research - Zurich, Switzerland September 3-4, 2015 Andras Varga 1 IEEE 802.11 Model Goals 1. Full-featured, validated model

558 views • 23 slides
Whats new in Sudo 1.8? Pluggable modules for Sudo

Whats new in Sudo 1.8? Pluggable modules for Sudo

Whats new in Sudo 1.8? Pluggable modules for Sudo Introduc=on to Sudo Sudo allows a system administrator to give users the ability

439 views • 24 slides
Public-key cryptography in Tor and pluggable transports Tanja Lange Technische Universiteit

Public-key cryptography in Tor and pluggable transports Tanja Lange Technische Universiteit

Public-key cryptography in Tor and pluggable transports Tanja Lange Technische Universiteit Eindhoven 09 June 2016 1 / 17 Tor Attend Rogers talk on Friday. 2 / 17 Motivation Network Sender Receiver Eavesdropper

327 views • 21 slides
CS314 Software Engineering Sprint 5 - Release! Dave Matthews Sprint 5 Summary Use Level 2

CS314 Software Engineering Sprint 5 - Release! Dave Matthews Sprint 5 Summary Use Level 2

4/19/18 CS314 Software Engineering Sprint 5 - Release! Dave Matthews Sprint 5 Summary Use Level 2 and 3 software engineering processes/tools Clean Code, Coverage, White Box Testing, Code Climate Learn about Inspections and Peer

240 views • 9 slides
Presentation of Open Simulation Architecture and Open Simulation Instrumentation Framework

Presentation of Open Simulation Architecture and Open Simulation Instrumentation Framework

Presentation of Open Simulation Architecture and Open Simulation Instrumentation Framework Judicael RIBAULT 1 judicael.ribault@sophia.inria.fr 1- MASCOTTE, INRIA, I3S, CNRS, Univ. Nice Sophia, Sophia Antipolis, France COMRED, March 1, 2010 J.

572 views • 30 slides
iRODS@RENCI LeesaBrieger,JasonCoposky,

iRODS@RENCI LeesaBrieger,JasonCoposky,

iRODS@RENCI LeesaBrieger,JasonCoposky, VijayDantuluri,KevinGamiel,RayIdaszak, OlegKapeljushnik,NassibNassar,JasonReilly, MichaelStealey,LisaStillwell iRODSUserMee,ng

298 views • 29 slides
Teaming Up for Software Development Lus Soares Departamento de Informtica Universidade do

Teaming Up for Software Development Lus Soares Departamento de Informtica Universidade do

Teaming Up for Software Development Lus Soares Departamento de Informtica Universidade do Minho Engenharia de Aplicaes Lus Soares Teaming Up for Software Development Introduction Agenda In the end of the session the attendee

416 views • 28 slides
Sorting Department of Computer Science University of Maryland, College Park Sorting Goal

Sorting Department of Computer Science University of Maryland, College Park Sorting Goal

CMSC 132: Object-Oriented Programming II Sorting Department of Computer Science University of Maryland, College Park Sorting Goal Arrange elements in predetermined order Based on key for each element Derived from ability to

619 views • 22 slides
Tuning hosts for network performance Glen Turner 2008-01-29 Sysadmin miniconf of linux.conf.au

Tuning hosts for network performance Glen Turner 2008-01-29 Sysadmin miniconf of linux.conf.au

Tuning hosts for network performance Glen Turner 2008-01-29 Sysadmin miniconf of linux.conf.au aar net Australia's Academic and Research Network Motivation Networks are as good as they are going to get Bandwidth is either cheap or

882 views • 48 slides
Communication Standards in Wireless Sensor Networks Bachelor Thesis Lukas Tillmann Advisors:

Communication Standards in Wireless Sensor Networks Bachelor Thesis Lukas Tillmann Advisors:

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Communication Standards in Wireless Sensor Networks Bachelor Thesis Lukas Tillmann Advisors: Alexander Klein, Corinna Schmitt Outline

445 views • 23 slides
1 Type of Service Version Header Total Length length TOS Why the protocol field? Why the

1 Type of Service Version Header Total Length length TOS Why the protocol field? Why the

Internet Protocol (IP) Internet Protocol (IP) RFC 791 (1981) RFC 791 (1981) Lecture 11. Lecture 11. Connectionless datagram delivery service The Internet Layer The Internet Layer best-effort Unreliable no guarantees of

438 views • 9 slides

More recommend