Static program checking and verification: Correctness, class ArraySet (PowerPoint presentation)



SLIDE 1

Software Engineering

Prof. Dr. Bertrand Meyer

March 2007 – June 2007

Chair of Software Engineering

Static program checking and verification

Slides: Based on KSE06 – With kind permission of Peter Müller

SLIDE 2

Software Engineering, lecture 20: Static program checking and verification 2

Correctness

    class ArraySet implements Set {
        private int[] array;
        private int next;
        …
        public void insert( int i ) {
            for ( int j = 0; j < next; j-- )          // semantic rules: j-- drives the index below 0 instead of advancing it
                if array[ j ] == i then return true;  // syntax rules: Java has no "then"; context conditions: a void method cannot return a value
            return false;                             // context conditions: a void method cannot return a value
        }
    }                                                 // behavioral specification: a method named insert that never adds i to the set

The slide marks the errors in this class with the four kinds of rule a program must satisfy: Syntax Rules, Context Conditions, Semantic Rules, Behavioral Specification.

SLIDE 3

Aspects of correctness

Syntax

  • Syntax Rules: checked by scanning and parsing
  • Context Conditions: checked by semantic analysis and type checking

Semantics

  • Semantic Rules: checked by test and verification
  • Behavioral Specification: checked by test and verification

SLIDE 4

Test and verification

Test

  • Objective: detect bugs
  • Examples: white box test, black box test
  • Problems: a successful test does not guarantee correctness

Verification

  • Objective: prove correctness
  • Examples: formal verification based on a logic; symbolic execution
  • Problems: expensive; a formal specification of behavior is required

SLIDE 5

Levels of coverage

[Figure: coverage plotted against effort for type checking, extended static checking and program verification (in that order of increasing effort and coverage), with a line marking the decidability ceiling.]

SLIDE 6

Extended static checking

ESC/Java, developed at DEC, Compaq, and HP Research, is a fully automated tool. It tries to verify:

  • Absence of runtime exceptions and common mistakes, e.g. null dereference, array bounds, type cast errors, deadlocks
  • Simple user-specified contracts: invariants, pre/postconditions, loop invariants, assertions

[Figure: a program with specifications is fed to the Program Checker/Verifier, which produces error messages such as:]

Bag.java:18: Array index possibly too large

SLIDE 7

Program checker design tradeoffs

Objectives

  • Fully automated reasoning
  • As little annotation overhead as possible
  • Performance

Not sound: errors may be missed

Not complete: warnings do not always report errors (false alarms)

Goal

  • Cost-effective tool
  • Find the source of possible bugs quickly

Giving up soundness is the main reason why it’s called a checker and not a verifier.

SLIDE 8

Tool architecture

[Figure: tool architecture. An annotated Java program goes into the Translator, which produces a verification condition for the Automatic Theorem Prover. The prover answers "Valid", "Resource exhausted", or returns a counterexample context; the Post Processor turns counterexample contexts into warning messages.]

SLIDE 9

Theorem prover: “Simplify”

  • Automatic: no user interaction
  • Refutation based: to prove ϕ it will attempt to satisfy ¬ϕ
    If this is possible, a counterexample is found, and we know a reason why ϕ is invalid
    If it fails to satisfy ¬ϕ, then ϕ is considered to be valid

SLIDE 10

Time limits

  • The logic used in Simplify is semi-decidable: each procedure that proves all valid formulas loops forever on some invalid ones
  • Simplify works with a time limit: when the time limit is reached, a counterexample is returned
    Longer computation might show that the returned counterexample is inconsistent
  • Time limits are a source of incompleteness: spurious counterexamples lead to spurious warnings
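The checker loop of slides 6 to 10 (verification condition, refutation-based prover, time limit, post processor) as an added toy model in Python; this is not code from ESC/Java or Simplify. It assumes the ArraySet loop of slide 2 with the counter corrected to j++, a hypothetical object invariant 0 <= next <= array.length, and a small enumerated domain standing in for the prover's search:

```python
from itertools import product

# Constructed toy model of an extended static checker (added illustration, not code
# from ESC/Java or Simplify). The access array[j] in ArraySet's loop yields the
# verification condition   assumptions ==> 0 <= j < array.length.
# Following Simplify's refutation approach we try to satisfy
#   assumptions AND NOT obligation
# over a bounded domain; a satisfying assignment is a counterexample context.

BOUND = 6   # hypothetical size of the enumerated domain for j, next, array.length


def in_bounds(env):
    # Obligation: the access array[j] is safe
    return 0 <= env["j"] < env["len"]


def object_invariant(env):
    # Hypothetical object invariant for ArraySet: 0 <= next <= array.length
    return 0 <= env["next"] <= env["len"]


def loop_invariant(env):
    # Loop invariant inside the body of "for (j = 0; j < next; j++)": 0 <= j < next
    return 0 <= env["j"] < env["next"]


def refute(assumptions, obligation, budget):
    """Return ('valid', None), ('counterexample', env) or ('resource exhausted', None)."""
    examined = 0
    for j, nxt, ln in product(range(BOUND), repeat=3):
        if examined >= budget:                # the prover's time limit
            return ("resource exhausted", None)
        examined += 1
        env = {"j": j, "next": nxt, "len": ln}
        if all(a(env) for a in assumptions) and not obligation(env):
            return ("counterexample", env)    # refutation succeeded
    return ("valid", None)                    # no model of the negation in the domain


def check_array_access(assumptions, budget=10_000):
    # Post processor: turn a counterexample context into an ESC/Java-style warning
    status, env = refute(assumptions, in_bounds, budget)
    if status == "counterexample":
        return ("ArraySet.java: Array index possibly too large "
                f"(j={env['j']}, next={env['next']}, array.length={env['len']})")
    return status


if __name__ == "__main__":
    print(check_array_access([object_invariant, loop_invariant]))  # valid
    print(check_array_access([loop_invariant]))                    # warning
```

Dropping the object invariant from the assumptions produces a warning that the real program may never trigger, which is the spurious-counterexample situation the slide describes.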

SLIDE 11

ESC/Java2

  • Successor of ESC/Java
  • Eclipse integration
  • Made the specification language compatible with JML
  • Made open source
  • Give it a try! http://secure.ucd.ie/products/opensource/escjava2

SLIDE 12

Spec#

Program verification tool developed at MS Research. Superset of C#:

  • non-null types
  • pre- and postconditions
  • object invariants

Tool support

  • more type checking
  • compiler-emitted run-time checks
  • static program verification
  • fully integrated into Visual Studio .NET 2005

[Figure: type checking, run-time checks and static verification arranged along an axis labeled "degree of checking, effort"; labeled "into the future: C# contracts everywhere".]

SLIDE 13

Spec# vs. ESC/Java(2)

Similarities

  • Architecture
  • Full automation (even the theorem prover is the same)
  • Essential contract language

Differences

  • Spec# is sound
  • Spec# does modular reasoning; price to pay: need to understand the methodology

SLIDE 14

Non-null types

T x;  The value of x is

  • null or
  • a reference to an object whose type is a subtype of T.

T! y;  The value of y is

  • a reference to an object whose type is a subtype of T, and not null.

SLIDE 15

Types versus assertions

Without non-null types:

    Person(string name)
        requires name != null;

With non-null types:

    Person(string! name)

SLIDE 16

Comparing against null

    public void M(T x) {
        if (x == null) {
            …
        } else {
            T! y = x;   // accepted: on this branch x is known to be non-null
            …
        }
    }

Spec# performs a data-flow analysis to allow this.

SLIDE 17

Spec# DEMO

SLIDE 18

References

ESC/Java
  Flanagan et al.: Extended Static Checking for Java

ESC/Java2
  http://secure.ucd.ie/products/opensource/ESCJava2

Spec#
  Barnett et al.: Boogie: A Modular Reusable Verifier for Object-Oriented Programs
  http://research.microsoft.com/specsharp

Rustan Leino’s lectures
  http://research.microsoft.com/~leino/talks.html