Extended Static Checking for Java - Lukas Erlacher, TU München (PowerPoint PPT Presentation)



SLIDE 1

Extended Static Checking for Java

Lukas Erlacher

TU München - Seminar Verification

14 July 2011

Erlacher Extended Static Checking for Java

SLIDE 2

Outline

1. Motivation: Motivation for static checking
2. Example: ESC/Java example
3. Architecture: ESC/JAVA architecture, VC generator, Simplify
4. Discussion: JML + ESC/Java (annotation language, JML, What ESC/Java checks)

SLIDE 8

Motivation for static checking

Why check a program's behaviour?
• Errors: the program does not do what we want
• Testing is incomplete and unsound
• Testing is expensive

Why static checking?
• Does not require executing the program
• Can cover all code paths

Why ESC/JAVA?
• First static checker for Java
• Architecture and working principle are very clear and structured
• Applicable in practice
• Annotation language allows specifying a design that can also be checked

SLIDE 14

What is static checking?

• No checking: program execution breaks on a segfault, null pointer dereference or array bounds violation.
• Type checking: the compiler notices illegal code and violations of the specification embedded in type information.
• Primitive static checking: flags easily detected "suspicious" code such as use of uninitialized variables or unreachable code.
• Formal methods: formally prove that the program is correct.

Extended static checking uses annotations and generic formal methods to show whether a program behaves within the constraints of its specification.

SLIDE 15

Comparison of checking methods

[Figure: coverage plotted against effort; type checking, extended static checking and program verification are placed on the curve, with the decidability ceiling marked.]

SLIDE 16

ESC/JAVA history

• Developed at Compaq Systems Research by Flanagan, Leino, Lillibridge, Nelson, Saxe, and Stata
• Descended from ESC/Modula-3
• Developed as a practical tool to check programs for semantic errors, specification violations, and synchronization errors in concurrent programs
• Exploits the space between fast but primitive syntactic checkers like lint and comprehensive but costly formal program verification

SLIDE 18

ESC/Java example

     1  public class Bag {
     2      int[] elements;
     3      int size;
     4
     5      Bag(int[] input) {
     6          size = input.length;
     7          elements = new int[size];
     8          System.arraycopy(input, 0, elements, 0, size);
     9      }
    10
    11      ..
    12  }

    Bag.java:6: Warning: Possible null dereference (Null)
        size = input.length;
                    ^

SLIDE 20

ESC/Java example

     1  public class Bag {
     2      /*@non_null*/ int[] elements;
     3      int size;
     4
     5      Bag(/*@non_null*/ int[] input) {
     6          size = input.length;
     7          elements = new int[size];
     8          System.arraycopy(input, 0, elements, 0, size);
     9      }
    10
    11      ..
    12  }

SLIDE 22

ESC/Java example

     1  public class Bag {
     2      int[] elements; int size;
     3      ..
     4      int extractMin() {
     5          int m = Integer.MAX_VALUE;
     6          int mindex = 0;
     7          for (int i = 0; i < size; i++) {
     8              if (elements[i] < m) {
     9                  mindex = i;
    10                  m = elements[i];
    11              }
    12          }
    13          size--;
    14          elements[mindex] = elements[size];
    15          return m;
    16      }
    17  }

    Bag1.java:8: Warning: Array index possibly too large (IndexTooBig)
        if (elements[i] < m) {
                    ^

SLIDE 23

ESC/Java example

    /*@invariant size >= 0 && size <= elements.length; */

     1  public class Bag {
     2      int[] elements; int size;
     3      ..
     4      int extractMin() {
     5          int m = Integer.MAX_VALUE;
     6          int mindex = 0;
     7          for (int i = 0; i < size; i++) {
     8              if (elements[i] < m) {
     9                  mindex = i;
    10                  m = elements[i];
    11              }
    12          }
    13          size--;
    14          elements[mindex] = elements[size];
    15          return m;
    16      }
    17  }

SLIDE 24

Recap: Examples

• non_null: forces assigners to always assign a valid instance; allows users to assume that the instance is always valid
• invariant: introduces the invariant as precondition and postcondition of every method call
• precondition: forces the caller to establish the precondition before calling
• postcondition: forces the method to establish the postcondition before returning

SLIDE 25

ESC/JAVA architecture

SLIDE 26

Guarded Command Language

• Originally designed by Dijkstra (1975)
• Contains only variable declarations and assignments, assertions, assumptions, and constructs to handle sequential composition, branching, and exceptions
• Routines are translated into guarded commands that capture the relevant semantics of the routine.
• A guarded command "goes wrong" when it hits an assertion that evaluates to false.
• Soundness: a guarded command G translated from a routine R goes wrong iff R can be invoked from a state satisfying its stated preconditions and then behaves erroneously by causing an error or terminating in a state violating its specified postconditions.

SLIDE 27

VC generator

• Verification condition: a first-order predicate that holds for precisely the program states from which execution of a guarded command does not go wrong.
• The weakest liberal precondition (wlp) is derived directly from a routine's GC.
• Global information (about Java) and class-scope information form the "background predicate" (BP).
• The verification condition handed to the prover is BP ⇒ wlp.
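A worked derivation, added here and not taken from the slides, that follows line 6 of the Bag constructor (size = input.length) through the two stages above: translation into a guarded command and computation of the verification condition. It uses the standard wlp equations for the constructs listed on the Guarded Command Language slide; writing the null check as an explicit assert, and a non_null parameter as an assume at routine entry, is the translation scheme assumed here.

```latex
% Guarded command for line 6: the translator inserts the null check, then the assignment
G \;=\; \mathbf{assert}\ input \neq \mathit{null};\ \ size := \mathit{length}(input)

% wlp equations for the four constructs involved
wlp(\mathbf{assert}\ P,\ Q) = P \wedge Q \qquad\qquad
wlp(\mathbf{assume}\ P,\ Q) = P \Rightarrow Q
wlp(x := e,\ Q) = Q[e/x] \qquad\qquad
wlp(S_1 ; S_2,\ Q) = wlp(S_1,\ wlp(S_2,\ Q))

% Let Q stand for whatever the rest of the routine requires after line 6
wlp(G,\ Q) = input \neq \mathit{null} \;\wedge\; Q[\mathit{length}(input)/size]

% Without an annotation, BP says nothing about input, so the verification condition
%   BP \Rightarrow wlp(G,\ Q)
% has the counterexample input = null: Simplify cannot prove it and the post-processor
% reports "Possible null dereference (Null)" at line 6.

% With /*@non_null*/ on the parameter, the precondition input \neq null is assumed on entry:
G' \;=\; \mathbf{assume}\ input \neq \mathit{null};\ \ G
wlp(G',\ Q) = input \neq \mathit{null} \Rightarrow \big(input \neq \mathit{null} \wedge Q[\mathit{length}(input)/size]\big)
            \;\equiv\; input \neq \mathit{null} \Rightarrow Q[\mathit{length}(input)/size]

% The null conjunct is discharged; BP \Rightarrow wlp(G',\ Q) now depends only on Q,
% which is why the warning on line 6 is gone on the annotated slide.
```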

SLIDE 28

Simplify

• Automatic theorem prover developed for ESC/JAVA
• Verifies the BP ⇒ wlp predicate
• Limited runtime; a caution is issued if it is exceeded
• Results are used by a post-processor to generate warnings
• Incomplete (cannot prove all valid formulas), but sound (does not erroneously prove invalid formulas)

SLIDE 29

ESC/JAVA annotation language

The annotation language is used to specify usage contracts, encode design properties that are not expressed in the program code, and assist ESC/JAVA. Annotations are called "pragmas":
• Basic pragmas: nowarn / assume, assert / unreachable
• Routine pragmas: requires, modifies, ensures, exsures, also_...
• Invariant pragmas: non_null, invariant, axiom, loop_invariant
• Accessibility pragmas: spec_public, readable_if, uninitialized
• Ghost variable pragmas: ghost, set
• Synchronization pragmas: monitored_by, monitored

SLIDE 30

Specification expressions

• Superset of side-effect-free Java expressions, plus syntax to express lock hierarchy and type expressions
• Additional keywords: \old, \modifies, \typeof, \lockset
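The Bag class from the example section carrying the pragmas from the recap, the pragma list and the specification expressions above, as an added example that is not part of the slides. It assumes ESC/Java's //@ and /*@ ... */ pragma comment syntax and the \old keyword listed above; the precondition on extractMin, the loop invariant and the drain client are my own choices for the illustration.

```java
// Added example, not from the slides: the Bag class with ESC/Java pragmas.
// Pragmas sit in //@ and /*@ ... */ comments, so plain javac compiles the file.
public class Bag {
    // invariant: becomes a pre- and postcondition of every method call
    //@ invariant size >= 0 && size <= elements.length;
    /*@non_null*/ int[] elements;   // assigners must store a valid instance
    int size;

    //@ modifies elements, size;
    //@ ensures size == input.length;
    Bag(/*@non_null*/ int[] input) { // non_null: input.length cannot be a Null dereference
        size = input.length;
        elements = new int[size];
        System.arraycopy(input, 0, elements, 0, size);
    }

    // requires: the caller must establish a non-empty bag before calling;
    // ensures: the method must establish the postcondition before returning.
    // The precondition and loop invariant are my choices for this example.
    //@ requires size > 0;
    //@ modifies size, elements[*];
    //@ ensures size == \old(size) - 1;
    int extractMin() {
        int m = Integer.MAX_VALUE;
        int mindex = 0;
        //@ loop_invariant 0 <= i && i <= size && 0 <= mindex && mindex < size;
        for (int i = 0; i < size; i++) {
            if (elements[i] < m) {
                mindex = i;
                m = elements[i];
            }
        }
        size--;
        elements[mindex] = elements[size];
        return m;
    }

    // Caller side: the loop guard establishes extractMin's precondition.
    // The running sum may overflow; the slides state that ESC/JAVA does not
    // check arithmetic overflow, so no pragma here would make it flag that.
    static int drain(/*@non_null*/ Bag b) {
        int sum = 0;
        while (b.size > 0) {
            sum += b.extractMin();
        }
        return sum;
    }
}
```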

SLIDE 31

JML

• Java Modelling Language, inspired by the ESC/JAVA annotation language
• Allows specifying the behaviour and contracts of Java programs and APIs
• Used by a big ecosystem of static checkers, testing engines, and documentation tools
• Readable and writeable by Java programmers

SLIDE 32

What ESC/JAVA checks

ESC/JAVA checks:
• Errors: runtime type errors (array assignment, cast), unchecked exceptions, array bounds violations, null dereference, zero division
• Concurrency problems: deadlocks, races
• Violated invariants, pre- and postconditions, loop invariants
• Violated assertions, non-null pragmas, accessibility pragmas

ESC/JAVA does not check:
• Whether a loop invariant holds past the first iteration of a loop
• Arithmetic overflow
