practical pluggable types via the checker framework
play

Practical pluggable types via the Checker Framework Matthew Papi, - PowerPoint PPT Presentation

Oct 17, 2022 •427 likes •801 views

void print( @Readonly Object x) { List< @NonNull String> lst; } Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr., Jeff Perkins, Michael Ernst MIT Problem 1: Javas type checking Type

  1. void print( @Readonly Object x) { List< @NonNull String> lst; … } Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr., Jeff Perkins, Michael Ernst MIT

  2. Problem 1: Java’s type checking • Type checking prevents many bugs int i = “hello”; // type error • Type checking doesn’t prevent enough bugs java.lang. NullPointerException at checkers.util.GraphQualifierHierarchy.isSubtype(GraphQualifierHierarchy.java:21 at checkers.types.QualifierHierarchy.isSubtype(QualifierHierarchy.java:70) at checkers.types.TypeHierarchy.isSubtypeImpl(TypeHierarchy.java:100) at checkers.types.TypeHierarchy.isSubtype(TypeHierarchy.java:64) at checkers.basetype.BaseTypeChecker.isSubtype(BaseTypeChecker.java:305) at checkers.basetype.BaseTypeVisitor.commonAssignmentCheck(BaseTypeVisitor.java:48 at checkers.basetype.BaseTypeVisitor.commonAssignmentCheck(BaseTypeVisitor.java:46 at checkers.basetype.BaseTypeVisitor.checkArguments(BaseTypeVisitor.java:597) at checkers.basetype.BaseTypeVisitor.visitMethodInvocation(BaseTypeVisitor.java:27 at com.sun.tools.javac.tree.JCTree$JCMethodInvocation.accept(JCTree.java:1315) at com.sun.source.util.TreePathScanner.scan(TreePathScanner.java:67) at checkers.basetype.BaseTypeVisitor.scan(BaseTypeVisitor.java:110) at com.sun.source.util.TreeScanner.visitExpressionStatement(TreeScanner.java:239) at com.sun.tools.javac.tree.JCTree$JCExpressionStatement.accept(JCTree.java:1155) at com.sun.source.util.TreePathScanner.scan(TreePathScanner.java:67) at checkers.basetype.BaseTypeVisitor.scan(BaseTypeVisitor.java:110) at com.sun.source.util.TreeScanner.scanAndReduce(TreeScanner.java:80)

  3. Problem 1: Java’s type checking • Type checking prevents many bugs int i = “hello”; // type error • Type checking doesn’t prevent enough bugs – Null dereferences – Incorrect equality tests – Incorrect mutation – SQL injection – Privacy violations – Misformatted data – ...

  4. Solution: Pluggable type systems • Design a type system to solve a specific problem • Write type qualifiers in your code (or, type inference) @NonNull Date d = ...; d.getMonth(); // no possible NPE • Type checker warns about violations (bugs) % javac -processor NullnessChecker MyFile.java MyFile.java:149: dereference of possibly-null reference bb2 if (vars1.containsAll(bb2.vars)) ^

  5. Problem 2: Implementing pluggable types • Modify a compiler: hard • Previous frameworks: too weak • Alternatives to case studies: – Soundness proof for core calculus – Toy examples • Hampers understanding and use of type systems • A type system is valuable only if it helps developers to find and prevent errors – Case studies are necessary

  6. Example: Type systems for immutability println(@Readonly Object x) { … } @Readonly Object[] getSigners() { … } Map<@Immutable Date, Object> cache; • Formalisms, proofs, etc. • Crucial insight from case studies – Javari type system [Birka 2004]: 160 KLOC – IGJ type system [Zibin 2007]: 106 KLOC • Larger case studies have revealed even more

  7. Solution: The Checker Framework • Enables creation of pluggable types for Java • Expressive – Can create realistic type systems • Concise – Most checks are built in – Declarative syntax for common cases • Scalable – Large programs – Full Java language – Java toolchain • Aids programmers and type system designers

  8. Contributions • Syntax for type qualifiers in Java • Checker Framework for writing type checkers • 5 checkers written using the framework • Case studies enabled by the infrastructure • Insights about the type systems

  9. Syntax for type qualifiers • Java 7 : annotate any use of a type List<@NonNull String> myStrings; myGraph = (@Immutable Graph) tmpGraph; class UnmodifiableList<T> implements @Readonly List<@Readonly T> {} • Backward ‐ compatible : compile with any Java compiler List</*@NonNull*/ String> myStrings;

  10. Tool integration • IDE support: javac, Eclipse, Netbeans – IntelliJ planned • Annotated JDK • Type inference: 3 tools • Building type checkers: – ETH Zurich, MIT, Radboud U., U. of Buenos Aires, U. of California at Los Angeles, U. of Saarland, U. of Washington, U. of Wisconsin – Milwaukee, Washington State U., … • Integrating with other tools: – IBM, INRIA, JetBrains, MIT, Oxford, Sun, Victoria University of Wellington, …

  11. Outline • Syntax for type qualifiers in Java • Checker Framework for writing type checkers • 5 checkers written using the framework • Case studies enabled by the infrastructure • Insights about the type systems • Conclusion

  12. A complete, useful type checker @TypeQualifier @SubtypeOf(Unqualified.class) public @interface Encrypted { } To use it: 1. Write @Encrypted in your program void send(@Encrypted String message) { … } 2. Compile your program javac -processor BasicChecker -Aquals=Encrypted MyProgram.java

  13. Built ‐ in features • Arbitrary type qualifier hierarchy • Subtyping: inheritance, overriding, assignment • Polymorphism – Types (Java generics) – Type qualifiers • Type qualifier inference (flow ‐ sensitivity) • Implicit and default qualifiers • …

  14. Defining a type system @TypeQualifier public @interface NonNull { }

  15. Defining a type system 1. Type qualifier hierarchy 2. Type introduction rules 3. Other type rules @TypeQualifier public @interface NonNull { }

  16. Defining a type system 1. Type qualifier hierarchy 2. Type introduction rules 3. Other type rules @TypeQualifier @SubtypeOf( Nullable.class ) public @interface NonNull { }

  17. Defining a type system 1. Type qualifier hierarchy new Date() 2. Type introduction rules “hello ” + getName() Boolean.TRUE 3. Other type rules @TypeQualifier @SubtypeOf( Nullable.class ) @ImplicitFor(trees={ NEW_CLASS, PLUS, BOOLEAN_LITERAL, ... } ) public @interface NonNull { }

  18. Defining a type system 1. Type qualifier hierarchy synchronized(expr) { … 2. Type introduction rules } 3. Other type rules Warn if expr may be null void visitSynchronized(SynchronizedTree node) { ExpressionTree expr = node.getExpression(); AnnotatedTypeMirror type = getAnnotatedType(expr); if (! type.hasAnnotation(NONNULL)) checker.report(Result.failure(...), expr); }

  19. Type refinement Date d1, d2, d3; // may be null d1 = new Date(); d1.getMonth(); // OK: d1 is non-null assert d2 != null; d2.getMonth(); // OK if (d3 != null) { d3.getMonth(); // OK } Type ‐ checks as if annotations/casts were present “Local flow ‐ sensitive type qualifier inference”

  20. Outline • Syntax for type qualifiers in Java • Checker Framework for writing type checkers • 5 checkers written using the framework • Case studies enabled by the infrastructure • Insights about the type systems • Conclusion

  21. Sample type checkers • Basic checker (subtyping) • Null dereferences (@NonNull) • Errors in equality testing (@Interned) • Reference immutability (Javari) • Reference & object immutability (IGJ) < 500 LOC per checker

  22. Outline • Syntax for type qualifiers in Java • Checker Framework for writing type checkers • 5 checkers written using the framework • Case studies enabled by the infrastructure • Insights about the type systems • Conclusion

  23. Case studies • Annotated existing Java programs • Found bugs in every codebase – Verified by a human and fixed • As of summer 2007: 360 KLOC – Now: > 1 MLOC – Scales to > 200 KLOC

  24. Checkers are easy to use • Natural part of workflow • Feels like Java • Few false positives – Easy to understand and fix

  25. Annotations are not too verbose • Examples: – Nullness: 1 per 75 lines – Interning: 124 in 220 KLOC revealed 11 bugs • Careful choice of defaults • Type refinement • Possible to annotate part of program • Fewer annotations in new code

  26. Comparison: other Nullness tools Null pointer errors False Annotations warnings written Found Missed Checker Framework 8 0 4 35 FindBugs 0 8 1 0 Jlint 0 8 8 0 PMD 0 8 0 0 • Checking a 4KLOC program • The other tools find bugs besides null dereferences

  27. Outline • Syntax for type qualifiers in Java • Checker Framework for writing type checkers • 5 checkers written using the framework • Case studies enabled by the infrastructure • Insights about the type systems • Conclusion

  28. Lessons learned • Type systems – Interning – Nullness – Javari – IGJ • Polymorphism • Framework design • Others: supertype qualifiers, simple type systems, inference, syntax, language integration, toolchain, …

  29. Interning type system • New approach to finding equality errors – Purely type system – Fully backward compatible – Permits both interned and uninterned instances

  30. Nullness type system • New default: non ‐ null except locals (NNEL) • Signatures: non ‐ null # anno- • Locals: nullable Default tations Ratio – Inspired by practical use @Nullable 382 11 – Exploits flow sensitivity @NonNull 80 2.3 NNEL 35 1.0 – Applicable to other type systems • Nullness differs from other type systems – More application invariants – Run ‐ time checks – Needs flow ‐ sensitivity

  31. Javari type system • Enhancements: – Permit covariant method parameters class Super { void mymethod(Object x); } class Sub { void mymethod(@Readonly Object x); } – Improved type parameter inference – Improved treatment of fields

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Pluggable type systems reconsidered ISSTA 2018 Impact Paper Award for Practical Pluggable

Pluggable type systems reconsidered ISSTA 2018 Impact Paper Award for Practical Pluggable

Pluggable type systems reconsidered ISSTA 2018 Impact Paper Award for Practical Pluggable Types for Java Michael D. Ernst University of Washington https://checkerframework.org/ Optional Type Checking int x = &quot;hello world&quot;;

628 views • 60 slides
I WANT YOU TO FIGHT BAD CODE! Get the tools &amp; demos from: http://types.cs.washington.edu/

I WANT YOU TO FIGHT BAD CODE! Get the tools &amp; demos from: http://types.cs.washington.edu/

I WANT YOU TO FIGHT BAD CODE! Get the tools &amp; demos from: http://types.cs.washington.edu/ checker-framework/2012-oscon/ Developing and Using Pluggable Type Systems Werner M. Dietl Michael D. Ernst University of Washington Computer

582 views • 26 slides
The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java

The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java

The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java By: Amanj Sherwany 2011 http://www.amanj.me Background Loci is a static checker for thread- Informationsteknologi locality for Java-like

931 views • 50 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides
A Pluggable Framework for Composable HPC Scheduling Libraries Max Grossman 1 , Vivek Kumar 2 ,

A Pluggable Framework for Composable HPC Scheduling Libraries Max Grossman 1 , Vivek Kumar 2 ,

A Pluggable Framework for Composable HPC Scheduling Libraries Max Grossman 1 , Vivek Kumar 2 , Nick Vrvilo 1 , Zoran Budimlic 1 , Vivek Sarkar 1 1 Habanero Extreme Scale So=ware Research Group, Rice University 2 IIIT-Delhi AsHES 2017 - May 29 2017

596 views • 36 slides
Dialog Typing paves way for dialog to negotiate communication properties NE Exe Checker - (All)

Dialog Typing paves way for dialog to negotiate communication properties NE Exe Checker - (All)

Dialog Typing paves way for dialog to negotiate communication properties NE Exe Checker - (All) Private types - No Readable types Desired level Accept - No Modifiable types of visibility/ Receiver Sender Reject control? - Fewer private

544 views • 8 slides
The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision

The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision

The UPPAAL Model Checker The UPPAAL Model Checker Julin Proenza Systems, Robotics and Vision Group. UIB. SPAIN Julin Proenza. UIB. Oct 2008 The aim of this presentation Introduce the basic concepts of model checking from a practical

804 views • 68 slides
LEDBAT architecture framework consisting of pluggable components

LEDBAT architecture framework consisting of pluggable components

LEDBAT architecture framework consisting of pluggable components draft-mayutan-ledbat-congestionarchitecture-00.txt Mayutan Arumaithurai, Xiaoming Fu, K.K Ramakrishnan March 22, 2010 M. Arumaithurai, X. Fu, K.K. Ramakrishnan () LEDBAT WG

430 views • 16 slides
Practical Analog Filters Overview Types of practical filters Filter specifications

Practical Analog Filters Overview Types of practical filters Filter specifications

Practical Analog Filters Overview Types of practical filters Filter specifications Tradeoffs Many examples J. McNames Portland State University ECE 222 Practical Analog Filters Ver. 1.04 1 Ideal Filters Lowpass Highpass

643 views • 48 slides
ARC Framework Co-Developers The ARC Framework A Practical Toolkit For Parents ARC Rick Simon,

ARC Framework Co-Developers The ARC Framework A Practical Toolkit For Parents ARC Rick Simon,

4/18/2013 1 ARC Framework Co-Developers The ARC Framework A Practical Toolkit For Parents ARC Rick Simon, M.Ed., LCPC Kristine Kinniburgh, LICSW Margaret Blaustein, PHD Clinical Therapist Director of Training &amp; Education Trauma Center

598 views • 47 slides
Nuspell: version 3 of the new spell checker FOSS spell checker implemented in C++17 with aid of

Nuspell: version 3 of the new spell checker FOSS spell checker implemented in C++17 with aid of

Nuspell: version 3 of the new spell checker FOSS spell checker implemented in C++17 with aid of Mozilla Sander van Geloven FOSDEM, Brussels February 1, 2020 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

611 views • 39 slides
Nuspell: the new spell checker FOSS spell checker implemented in C++14 with aid of Mozilla.

Nuspell: the new spell checker FOSS spell checker implemented in C++14 with aid of Mozilla.

Nuspell: the new spell checker FOSS spell checker implemented in C++14 with aid of Mozilla. Sander van Geloven FOSDEM, Brussels February 2, 2019 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

327 views • 21 slides
Have some fun Checker: Checker: http://www.cs.caltech.edu/~ vhuang/cs 20/c/applet/more.html

Have some fun Checker: Checker: http://www.cs.caltech.edu/~ vhuang/cs 20/c/applet/more.html

Have some fun Checker: Checker: http://www.cs.caltech.edu/~ vhuang/cs 20/c/applet/more.html 1 Local Beam Search Run multiple searches to find the Run multiple searches to find the solution The best K states are selected. Like

636 views • 24 slides
Design and Practical Guideline to a CORBA-based-Communication Framework DWARF : Distributed

Design and Practical Guideline to a CORBA-based-Communication Framework DWARF : Distributed

Design and Practical Guideline to a CORBA-based-Communication Framework DWARF : Distributed Wearable Augmented Reality Framework Studienarbeit Lothar Richter Chair for Applied Software Engineering Summary Development of a short and easy

430 views • 30 slides
Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework)

Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework)

Enabling Practical SDN Security Applications with OFX (The O pen F low e X tension Framework) John Sonchack, Adam J. Aviv, Eric Keller, and Jonathan M. Smith Outline Introduction Overview of OFX Using OFX Benchmarks 2 Basic Networking:

604 views • 35 slides
Disproportionate Costs in the EC Water Framework Directive The Concept and its Practical

Disproportionate Costs in the EC Water Framework Directive The Concept and its Practical

Disproportionate Costs in the EC Water Framework Directive The Concept and its Practical Implementation By Benjamin Grlach 1 and Britta Pielen 2 Paper presented at the envecon 2007 Applied Environmental Economics Conference London, 23 March

414 views • 17 slides
CSE 447 Natural Language Processing Winter 2018 Introduction Yejin Choi Slides adapted from

CSE 447 Natural Language Processing Winter 2018 Introduction Yejin Choi Slides adapted from

CSE 447 Natural Language Processing Winter 2018 Introduction Yejin Choi Slides adapted from Dan Klein, Luke Zettlemoyer What is NLP? Fundamental goal: deep understand of broad language Not just string processing or keyword matching

828 views • 47 slides
Distributed Systems Protection &amp; Security Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Protection &amp; Security Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Protection &amp; Security Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. You need to get into a vault Try

1.35k views • 79 slides
CS 188: Artificial Intelligence Language Pieter Abbeel UC Berkeley Slides from Dan Klein

CS 188: Artificial Intelligence Language Pieter Abbeel UC Berkeley Slides from Dan Klein

CS 188: Artificial Intelligence Language Pieter Abbeel UC Berkeley Slides from Dan Klein What is NLP? Fundamental goal: analyze and process human language, broadly, robustly, accurately End systems that we want to build:

275 views • 8 slides
Computer and Information Security Fall 2019 Malware Tyler Bletsch Duke University [SOUP13]

Computer and Information Security Fall 2019 Malware Tyler Bletsch Duke University [SOUP13]

ECE590 Computer and Information Security Fall 2019 Malware Tyler Bletsch Duke University [SOUP13] defines malware as: a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality,

1k views • 52 slides
Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with

Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with

print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with Mahmood Ali and Matthew Papi Motivation java.lang.NullPointerException

561 views • 30 slides
&quot;Secure&quot; Coding Practices Nicholas Weaver based on David Wagners slides from Sp 2016

&quot;Secure&quot; Coding Practices Nicholas Weaver based on David Wagners slides from Sp 2016

Computer Science 161 Fall 2016 Nicholas Weaver &quot;Secure&quot; Coding Practices Nicholas Weaver based on David Wagners slides from Sp 2016 1 Administrivia Computer Science 161 Fall 2016 Nicholas Weaver 2 Computer Science 161 Fall

732 views • 61 slides
1 After the first cesarean After the first cesarean Risks for abnormal placentation

1 After the first cesarean After the first cesarean Risks for abnormal placentation

Disclosures No financial disclosures LEADING THE QUEST FOR HEALTH No off-label use of medications Nulliparous Term Singleton Vertex (NTSV): Is Healthy People 2020 Goal Possible? Kimberly D. Gregory MD, MPH Vice Chair Womens

339 views • 22 slides
Case Example 1: Profitability of using sexed semen: A s tatic and deterministic simulation

Case Example 1: Profitability of using sexed semen: A s tatic and deterministic simulation

Case Example 1: Profitability of using sexed semen: A s tatic and deterministic simulation Different kinds of simulation Friday: Simherd: This morning: SimFlock This afternoon: Sexed semen model Sexed Semen Economics Budgetting:

373 views • 25 slides

More recommend