ESC/Java: extended static checking for Java (Erik Poll, Joe Kiniry, David Cok; PowerPoint presentation)


SLIDE 1

ESC/Java

extended static checking for Java

Erik Poll, Joe Kiniry, David Cok

University of Nijmegen; Eastman Kodak Company

Erik Poll - JML – p.1/17

SLIDE 5

ESC/Java

Extended static checker by Rustan Leino et al. [Compaq].

  • tries to prove correctness of specifications, at compile-time, fully automatically
  • not sound, not complete, but finds lots of potential bugs quickly
  • good at proving absence of runtime exceptions (e.g. Null-, ArrayIndexOutOfBounds-, ClassCast-) and verifying relatively simple properties.
  • ESC/Java only supported a subset of full JML, but ESC/Java2 by Joe Kiniry [KUN] & David Cok [Kodak] remedies this.

SLIDE 6

static checking vs runtime checking

Important differences:

  • ESC/Java checks specs at compile-time, jmlc checks specs at run-time.
  • ESC/Java proves correctness of specs, jmlc only tests correctness of specs. Hence
  • ESC/Java is independent of any test suite, whereas the results of runtime testing are only as good as the test suite,
  • ESC/Java provides a higher degree of confidence.

SLIDE 7-8

ESC/Java “demo”

    class Bag {
        int[] a;   // nothing tells ESC/Java that a is non-null
        int n;     // nor how n relates to a.length

        int extractMin() {
            int m = Integer.MAX_VALUE;
            int mindex = 0;
            for (int i = 1; i <= n; i++) {
                if (a[i] < m) { mindex = i; m = a[i]; }
            }
            n--;
            a[mindex] = a[n];
            return m;
        }
    }

Warning: possible null dereference. Plus other warnings.

SLIDE 9-10

ESC/Java “demo”

    class Bag {
        int[] a;
        //@ invariant a != null;
        int n;     // still unrelated to a.length

        int extractMin() {
            int m = Integer.MAX_VALUE;
            int mindex = 0;
            for (int i = 1; i <= n; i++) {
                if (a[i] < m) { mindex = i; m = a[i]; }
            }
            n--;
            a[mindex] = a[n];
            return m;
        }
    }

Warning: Array index possibly too large

SLIDE 11-12

ESC/Java “demo”

    class Bag {
        int[] a;
        //@ invariant a != null;
        int n;
        //@ invariant 0 <= n && n <= a.length;

        int extractMin() {
            int m = Integer.MAX_VALUE;
            int mindex = 0;
            for (int i = 1; i <= n; i++) {   // reaches a[n], out of bounds when n == a.length
                if (a[i] < m) { mindex = i; m = a[i]; }
            }
            n--;
            a[mindex] = a[n];
            return m;
        }
    }

Warning: Array index possibly too large

SLIDE 13-14

ESC/Java “demo”

    class Bag {
        int[] a;
        //@ invariant a != null;
        int n;
        //@ invariant 0 <= n && n <= a.length;

        int extractMin() {
            int m = Integer.MAX_VALUE;
            int mindex = 0;
            for (int i = 0; i < n; i++) {   // loop bounds fixed
                if (a[i] < m) { mindex = i; m = a[i]; }
            }
            n--;               // if n was 0 on entry, a[n] below is a[-1]
            a[mindex] = a[n];
            return m;
        }
    }

Warning: Possible negative array index

SLIDE 15-17

ESC/Java “demo”

    class Bag {
        int[] a;
        //@ invariant a != null;
        int n;
        //@ invariant 0 <= n && n <= a.length;

        //@ requires n > 0;   // the bag must be non-empty
        int extractMin() {
            int m = Integer.MAX_VALUE;
            int mindex = 0;
            for (int i = 0; i < n; i++) {
                if (a[i] < m) { mindex = i; m = a[i]; }
            }
            n--;
            a[mindex] = a[n];
            return m;
        }
    }

No more warnings about this code . . . but warnings about calls to extractMin() that do not ensure the precondition.

SLIDE 20

Some points to note

  • ESC/Java forces one to specify some properties.
  • If you understand the code, then these properties are obvious. But for larger programs this may not be the case!
  • If you have these properties documented, then understanding the code is easier.

SLIDE 21

ESC/Java vs runtime checking (cont.)

  • For runtime assertion checking, we could choose what we specify, e.g. all, one, or none of the properties we have written for Bag.
  • But for ESC/Java to accept a spec, we are forced to specify all properties (e.g. invariants, preconditions) that this spec relies on.
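The two points above (callers must establish extractMin()'s precondition, and every method that touches a and n must be specified well enough to re-establish the invariants) worked out on the demo's Bag. This is an added example, not code from the slides or from ESC/Java: the constructor, the add() method, the BagClient class and its drainOne* methods are this example's own additions; the JML clauses used (requires, ensures, assignable, \old) are standard JML as supported by ESC/Java2.

```java
// Added example (not from the slides): the demo's Bag completed with a
// constructor and add(), plus three callers of extractMin().
// Bag comes from the slides; add(), BagClient and drainOne* are assumptions
// made for this example.
class Bag {
    int[] a;
    //@ invariant a != null;
    int n;
    //@ invariant 0 <= n && n <= a.length;

    // The constructor must establish both invariants, hence capacity >= 0.
    //@ requires capacity >= 0;
    //@ ensures n == 0 && a.length == capacity;
    Bag(int capacity) {
        a = new int[capacity];
        n = 0;
    }

    // add() must keep n <= a.length; without this precondition ESC/Java
    // warns about a[n] (index possibly too large) and the invariant.
    //@ requires n < a.length;
    //@ assignable n, a[*];
    //@ ensures n == \old(n) + 1 && a[\old(n)] == x;
    void add(int x) {
        a[n] = x;
        n++;
    }

    // The final version from the demo, with a postcondition on n added.
    //@ requires n > 0;
    //@ assignable n, a[*];
    //@ ensures n == \old(n) - 1;
    int extractMin() {
        int m = Integer.MAX_VALUE;
        int mindex = 0;
        for (int i = 0; i < n; i++) {
            if (a[i] < m) { mindex = i; m = a[i]; }
        }
        n--;
        a[mindex] = a[n];
        return m;
    }
}

class BagClient {
    // Unguarded: nothing here guarantees b.n > 0, so ESC/Java warns that
    // the precondition of extractMin() may not hold at this call.
    //@ requires b != null;
    static int drainOne(Bag b) {
        return b.extractMin();
    }

    // Guarded: the test makes the precondition provable at the call site.
    //@ requires b != null;
    static int drainOneSafely(Bag b) {
        if (b.n > 0) {
            return b.extractMin();
        }
        return Integer.MAX_VALUE;   // nothing to extract
    }

    // Alternatively, pass the obligation on to our own callers.
    //@ requires b != null && b.n > 0;
    static int drainOneWithContract(Bag b) {
        return b.extractMin();
    }

    public static void main(String[] args) {
        Bag b = new Bag(4);
        b.add(7);
        b.add(3);
        b.add(9);
        // n == 3 here, so a jmlc run-time check of the unguarded call passes
        // even though ESC/Java rejects drainOne() statically.
        System.out.println(drainOne(b));
        System.out.println(drainOneWithContract(b));
        System.out.println(drainOneSafely(b));
        System.out.println(drainOneSafely(b));   // bag is empty by now
    }
}
```

Checked statically with ESC/Java2, only drainOne() draws a warning: the other two callers either test b.n > 0 or carry it in their own precondition, and the constructor and add() each discharge the invariants they could break. Compiled with jmlc instead, main() runs without a precondition error because this particular test never reaches extractMin() on an empty bag; that difference is exactly the slide's point about results being only as good as the test suite.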

SLIDE 22

Limitations of ESC/Java

Like most tools, ESC/Java is

  • not complete: it may complain about a correct spec
  • not sound: it may fail to warn about an incorrect spec

ESC/Java warns about many potential bugs, but not about all actual bugs. These are unavoidable concessions to the main goal: pointing out lots of potential bugs quickly & completely automatically.

In practice ESC/Java is quite good at checking simple specs, e.g. ruling out any NullPointer- and IndexOutOfBoundsExceptions.