1 / 12

Extended Static Checking for Java

Extended Static Checking for Java. Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata. What is “Static Checking”?. Annotated Source Code. Static Checker. Error:. type systems Error: wrong number of arguments in method call lint

peggy
Download Presentation

Extended Static Checking for Java

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Extended Static Checkingfor Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata

  2. What is “Static Checking”? Annotated Source Code Static Checker Error: ... • type systems Error: wrong number of arguments in method call • lint Error: unreachable code • full program verification Error: qsort does not yield a sorted array

  3. Comparison of Static Checkers Quality full verification 100% Extended Static Checking ESC Modula-3 ESC Java type systems lint Effort Note: Graph is not to scale

  4. ESC/Java • Detect common run-time errors • null dereferences • array bounds • type casts • race conditions • deadlocks • ... • Check other properties • object invariants • method specifications • ...

  5. Architecture of ESC/Java Annotated program Verification condition generator Verification condition  x.  y. (x > y => ...) Automatic theorem prover Error: index out of bounds on line 218 when x = 4 and y = 3 Counter-example

  6. Not Full Verification • Prove absence of run-time errors, not full functional correctness • Simpler method specifications • Verification conditions easier to prove

  7. Example void sort2(int[] a) { if( a[0] < a[1] ) { int t = a[0]; a[0] = a[ ]; a[1] = t; } } //@ requires a != null && a.length == 2 //@ ensures a[0] <= a[1] > 2 1 Error: possible index out of bounds at line 5 Error: possible index out of bounds at line 8 Error: possible null dereference at line 5 Error: postcondition not achieved No more errors detected :-( No more errors detected :-(

  8. Under the Hood • Verification condition large but “dumb” • Proved in < 1 second (FORALL (t1) (FORALL (t2) (IMPLIES (AND (NEQ a null) (EQ (arrayLength a) 2)) (AND (NEQ a null) (AND (AND (<= 0 0) (< 0 (arrayLength a))) (AND (NEQ a null) (AND (AND (<= 0 1) (< 1 (arrayLength a))) (AND (IMPLIES (> (select (select elem a) 0) (select (select elem a) 1)) (FORALL (t3) (AND (NEQ a null) (AND (AND (<= 0 0) (< 0 (arrayLength a))) (FORALL (t) (IMPLIES (EQ t (select (select elem a) 0)) (FORALL (t1) (IMPLIES (EQ t1 a) (AND (NEQ a null) (AND (AND (<= 0 1) (< 1 (arrayLength a))) (AND (NEQ t1 null) (AND (AND (<= 0 0) (< 0 (arrayLength t1))) (FORALL (t2) (IMPLIES (EQ t2 a) (AND (NEQ t2 null) (AND (AND (<= 0 1) (< 1 (arrayLength t2))) (AND (<= (select (select (store (store elem t1 (store (select elem t1) 0 (select (select elem a) 1))) t2 (store (select (store elem t1 (store (select elem t1) 0 (select (select elem a) 1))) t2) 1 t)) a) 0) (select (select (store (store elem t1 (store (select elem t1) 0 (select (select elem a) 1))) t2 (store (select (store elem t1 (store (select elem t1 0 (select (select elem a) 1))) t2 1 t)) a) 1)) (EQ true true)))))))))))))))))) (IMPLIES (NOT (> (select (select elem a) 0) (select (select elem a) 1))) (AND (<= (select (select elem a) 0) (select (select elem a) 1)) (EQ true true)))))))))))

  9. ESC/Java vs. Testing • Testing essential but • Expensive • Finds errors late • Misses errors • ESC/Java ... ?

  10. ESC/Java Summary • Finds more errors than type checking • Costs less than full verification • Currently working on small test programs www.research.digital.com/SRC/esc/Esc.html

  11. Comparison of Static Checkers Quality full verification 100% Extended Static Checking decidability limit type systems lint Effort Note: Graph is not to scale

  12. Metrics for Static Checkers • Cost of using the tool • Quality Does it miss errors? Does it give spurious warnings?

More Related