Soundness and Completeness Warnings in ESC/Java2 (PowerPoint presentation)

SLIDE 1

Systems Research Group School of Computer Science and Informatics University College Dublin

Soundness and Completeness Warnings in ESC/Java2

Joe Kiniry, Alan Morkan, and Barry Denby presented by David Cok

SLIDE 2

ESC/Java2

• by design, neither sound nor complete
• popularity of similar tools growing as (lightweight) static analysis tools become more widely used (e.g., Eclipse & FindBugs)
• developer comprehension and confidence are paramount (program safety via programmer safety)
• complaints from “soundationalists” drive a desire for “tool honesty” and disclosure

SLIDE 3

Checking Limitations

• a fast, automatic tool must “cheat”
• many scientific and engineering trade-offs
• several sources of soundness and completeness problems
  • Java and JML semantic incompleteness
  • unsound verification methodology
  • limitations of dependent tools (provers)
  • problems with user specifications

SLIDE 4

Requirements on New Warning Subsystem

• contextually warn the user (in detail) about potential soundness and incompleteness
  • e.g., must take into account the program code, annotations, execution path in tool, and theorem prover in use
• provide “tunable” feedback so as to not overwhelm the user with warnings
• be itself sound and complete
  • have no false positives or negatives

SLIDE 5

Detection Methodology

• manually analyze and classify all soundness and completeness issues
• define a type- and annotation-aware AST pattern match for each issue
• each issue implemented as a single “smart” visitor pattern (separation of concerns)
• customized warning levels, messages, and criticality per issue

SLIDE 6

Example Warnings

    public class CreditCard {
      //@ invariant balance <= maxCredit;
      public double balance = 0, maxCredit = 100000;
      public static int STANDARD = 1, SILVER = 2, GOLD = 4;
      private int accountType = 1;

      //@ ensures accountType == 4;
      public void goldCard() { accountType = 4; }

      //@ requires cost < (maxCredit - balance);
      //@ ensures \result == \old(balance + cost);
      public double purchase(double cost) { return balance + cost; }

      //@ ensures (accountType == GOLD ? 1 : 0);
      public /*@ pure @*/ boolean isGoldCard() { return accountType | GOLD; }
    }

SLIDES 7-25

Example Warnings (the same CreditCard listing is shown on each of these slides, with one warning attached at a time)

• Incompleteness Warning: Simplify cannot deal with large integer values. (slide 8)
• Soundness Warning: Exposed field may be used in other class invariants. (slide 11)
• Soundness Warning: Heuristics for class invariant analysis are not sound. (slide 14)
• Incompleteness Warning: Semantics for floating point numbers. (slide 19)
• Incompleteness Warning: Semantics for bitwise OR are not complete. (slide 24)

SLIDE 26

Benefits and Drawbacks

• increase user awareness of tool limitations
  • no more “creeping toward functional verification”
• increase in user confidence
• possible excess of user feedback
  • leads to user confusion and frustration
• text-based warnings need refinement
  • prioritization, graphical feedback, etc.

SLIDE 27

Future Work

• finish implementation
  • only for default code paths
  • strongest postcondition calculus, loop unrolling and safe loops, simplify
• integration with the ESC/Java2 Eclipse plugin and Mobius Tool
• use theorem proving during analysis
• automatic visitor generation

SLIDE 28

Thank You! Questions and Comments?

SLIDE 29

Extra Slides for Questions

SLIDE 30

Warning Levels

• three options for warnings
  • standard warning mode
  • verbose warning mode
  • no warnings mode

SLIDE 31

Examining the AST: The Precondition

    MethodDecl
    └── ModifierPragmaVector
        ├── .....
        └── BinaryExpr (<)
            ├── FieldAccess (cost)
            └── ParenExpr
                └── BinaryExpr (-)
                    ├── FieldAccess (maxCredit)
                    └── FieldAccess (balance)

SLIDE 32

The Postcondition

    MethodDecl
    └── ModifierPragmaVector
        └── ExprModifierPragma
            └── BinaryExpr (==)
                ├── ResExpr
                └── BinaryExpr (+)
                    ├── NaryExpr (\old)
                    │   └── FieldAccess (balance)
                    └── FieldAccess (cost)

SLIDE 33

The Invariant

    .......
    └── BinaryExpr (<=)
        ├── FieldAccess (balance)
        └── FieldAccess (maxCredit)
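The detection methodology on slide 5 (one type- and annotation-aware "smart" visitor per issue, each with its own message and criticality), the three warning modes on slide 30, and the AST shapes on the last three slides, pulled together as an added, runnable toy model. This is illustration code written for this page, not ESC/Java2's implementation: the node class names (MethodDecl, BinaryExpr, FieldAccess, NaryExpr) follow the slides' AST dumps and the warning messages are the ones shown on slides 8 to 24, while the AST field layout, the five issue classes, the criticality numbers, the LARGE_INT threshold and the hand-encoded CreditCard input are all assumptions made here.

```python
# Added toy model of the slides' "one smart visitor per issue" design; not ESC/Java2 code.
# AST node names follow the slides' dumps; everything else here is an assumption.
from dataclasses import dataclass
from typing import List, Optional, Union

# --- tiny typed AST (jtype = declared Java type, so visitors can be type-aware) ---
@dataclass
class IntLiteral: value: int
@dataclass
class FieldAccess: name: str; jtype: str
@dataclass
class BinaryExpr: op: str; left: "Expr"; right: "Expr"    # op: "<", "<=", "==", "+", "-", "|"
@dataclass
class NaryExpr: op: str; args: List["Expr"]                 # JML \old(...)
Expr = Union[IntLiteral, FieldAccess, BinaryExpr, NaryExpr]
@dataclass
class FieldDecl: name: str; jtype: str; public: bool; init: Optional[Expr] = None
@dataclass
class Pragma: kind: str; expr: Expr                          # one //@ clause: invariant | requires | ensures
@dataclass
class MethodDecl: name: str; pragmas: List[Pragma]; body: Optional[Expr] = None   # pragmas = ModifierPragmaVector
@dataclass
class ClassDecl: name: str; fields: List[FieldDecl]; invariants: List[Pragma]; methods: List[MethodDecl]

@dataclass
class ToolWarning: kind: str; message: str; where: str; criticality: int   # 1 = verbose only .. 3 = critical
@dataclass
class Ctx: cls: ClassDecl; member: str; spec: Optional[str] = None          # spec = pragma kind inside an annotation

class IssueVisitor:
    """Generic traversal; each issue is a subclass overriding visit_<NodeType> (separation of concerns)."""
    KIND, MESSAGE, CRITICALITY = "", "", 2
    def __init__(self): self.found = []
    def warn(self, ctx):
        w = ToolWarning(self.KIND, self.MESSAGE, f"{ctx.cls.name}.{ctx.member}", self.CRITICALITY)
        if w not in self.found: self.found.append(w)          # one warning per issue per member
    def visit(self, node, ctx):
        hook = getattr(self, "visit_" + type(node).__name__, None)
        if hook: hook(node, ctx)
        kids = [node.left, node.right] if isinstance(node, BinaryExpr) else getattr(node, "args", [])
        for c in kids: self.visit(c, ctx)
    def run(self, cls):                                       # walks initializers, invariants, specs and bodies
        for f in cls.fields:
            if f.init is not None: self.visit(f.init, Ctx(cls, f.name))
        for inv in cls.invariants: self.visit(inv.expr, Ctx(cls, "<invariant>", inv.kind))
        for m in cls.methods:
            for p in m.pragmas: self.visit(p.expr, Ctx(cls, m.name, p.kind))
            if m.body is not None: self.visit(m.body, Ctx(cls, m.name))
        return self.found

LARGE_INT = 10_000   # assumed threshold; the slides do not state Simplify's actual limit

class LargeInteger(IssueVisitor):
    KIND, MESSAGE = "Incompleteness Warning", "Simplify cannot deal with large integer values."
    def visit_IntLiteral(self, n, ctx):
        if abs(n.value) > LARGE_INT: self.warn(ctx)

class ExposedField(IssueVisitor):            # a public field mentioned by an invariant
    KIND, MESSAGE, CRITICALITY = "Soundness Warning", "Exposed field may be used in other class invariants.", 3
    def visit_FieldAccess(self, n, ctx):
        if ctx.spec == "invariant" and any(f.name == n.name and f.public for f in ctx.cls.fields): self.warn(ctx)

class InvariantHeuristics(IssueVisitor):     # once per class that declares invariants; verbose mode only
    KIND, MESSAGE, CRITICALITY = "Soundness Warning", "Heuristics for class invariant analysis are not sound.", 1
    def run(self, cls):
        if cls.invariants: self.warn(Ctx(cls, "<invariant>"))
        return self.found

class FloatingPoint(IssueVisitor):           # float/double value used inside an annotation
    KIND, MESSAGE = "Incompleteness Warning", "Semantics for floating point numbers."
    def visit_FieldAccess(self, n, ctx):
        if ctx.spec and n.jtype in ("float", "double"): self.warn(ctx)

class BitwiseOr(IssueVisitor):
    KIND, MESSAGE = "Incompleteness Warning", "Semantics for bitwise OR are not complete."
    def visit_BinaryExpr(self, n, ctx):
        if n.op == "|": self.warn(ctx)

MIN_CRITICALITY = {"none": 4, "standard": 2, "verbose": 1}   # the three warning modes on the slides

def check(cls, level="standard"):
    """Run every issue visitor over the class; keep warnings at or above the mode's threshold."""
    found = [w for v in (LargeInteger(), ExposedField(), InvariantHeuristics(), FloatingPoint(), BitwiseOr())
             for w in v.run(cls)]
    return [w for w in found if w.criticality >= MIN_CRITICALITY[level]]

def credit_card():
    """The slides' CreditCard class, hand-encoded in the toy AST (constructed input)."""
    def fa(name, jtype="double"): return FieldAccess(name, jtype)
    return ClassDecl("CreditCard",
        fields=[FieldDecl("balance", "double", True, IntLiteral(0)),
                FieldDecl("maxCredit", "double", True, IntLiteral(100000)),
                FieldDecl("GOLD", "int", True, IntLiteral(4)),
                FieldDecl("accountType", "int", False, IntLiteral(1))],
        invariants=[Pragma("invariant", BinaryExpr("<=", fa("balance"), fa("maxCredit")))],
        methods=[MethodDecl("purchase",
                     [Pragma("requires", BinaryExpr("<", fa("cost"), BinaryExpr("-", fa("maxCredit"), fa("balance")))),
                      Pragma("ensures", BinaryExpr("==", fa("\\result"),
                                                   NaryExpr("\\old", [BinaryExpr("+", fa("balance"), fa("cost"))])))],
                     BinaryExpr("+", fa("balance"), fa("cost"))),
                 MethodDecl("isGoldCard", [], BinaryExpr("|", fa("accountType", "int"), fa("GOLD", "int")))])

if __name__ == "__main__":
    for w in check(credit_card(), "verbose"):
        print(f"{w.kind} ({w.where}): {w.message}")
```

Running it in verbose mode reports all six findings (the five warnings from the slides, two of them for the floating-point issue since both the invariant and purchase's specification mention double fields); standard mode drops the low-criticality invariant-heuristics warning, and "none" suppresses everything. The point of the per-issue `Ctx` is the "contextually warn" requirement from slide 4: the same AST node yields different warnings depending on whether it sits in a field initializer, an invariant, a method specification or a method body.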