Building and using pluggable type systems
    print(@Readonly Object x) { List<@NonNull String> lst; … }
Michael D. Ernst, University of Washington
Mahmood Ali, MIT
The Checker Framework: http://types.cs.washington.edu/

Type checking has been wildly successful, but…
Type checking prevents too few bugs

The property you care about:               The annotation you write:
• Null dereferences                         @NonNull
• Mutation and side-effects                 @Immutable
• Concurrency: locking                      @GuardedBy
• Security: encryption,                     @Encrypted
  tainting                                  @Untainted
• Aliasing                                  @Linear
• Equality tests                            @Interned
• Strings: localization,                    @Localized
  regular expression syntax,                @Regex
  signature format                          @FullyQualified
• Typestate (e.g., open/closed files)       @State
• You can write your own checker!

Solution: Pluggable type systems
• Design a custom type system
• Write type qualifiers in code
    @Immutable Date date = new Date(0);
    date.setTime(70);    // compile-time error
• Type checker warns about violations (bugs)
    % javac -processor NullnessChecker MyFile.java
    MyFile.java:149: dereference of possibly-null reference bb2
        allVars = bb2.vars;
                  ^

Features
• Full type system
• Inheritance
• Overriding
• Generics (type and qualifier polymorphism)
• Local type inference
• Qualifier defaults
• Warning suppression
• Tool integration: javac, Eclipse, Ant, Maven
• Global inference tools: nullness, mutability

Results: Effective and easy to use
• Effective: found >300 bugs, in the JDK, Google Collections, Lucene, Xerces, ASM, SVNKit, …
• Few false positives
• Easy to use
• Used by students in the first CS majors class at UW
• My group has annotated 3 million lines of code
• Annotations are not verbose
• Fewer than 1 per 75 lines

Writing a new checker: Taint checker
The complete code:
    @TypeQualifier
    @SubtypeOf(Unqualified.class)
    @ImplicitFor(trees = {STRING_LITERAL})
    public @interface Untainted { }
To use it:
• Write @Untainted in your program
    List getPosts(@Untainted String category) {…}
• Compile your program
    javac -processor BasicChecker -Aquals=Untainted MyProgram.java
Simple type-checkers are very easy to write; complicated ones are possible to write

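How the @Untainted qualifier above separates trusted from untrusted strings, as an added example that is not from the slides or the Checker Framework. The names TaintDemo, getPostsQuery, validateCategory and CATEGORIES are hypothetical, the query string is an assumed use of the category, and the local @Untainted declaration is a stand-in so the file compiles with plain javac.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Target;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Stand-in so this file compiles with plain javac (Java 8+). When run under
// the checker, the qualifier is the @Untainted declaration from the slide.
@Target(ElementType.TYPE_USE)
@interface Untainted { }

public class TaintDemo {
    // Constructed allowlist of category names (sample data).
    private static final Set<String> CATEGORIES =
        new HashSet<>(Arrays.asList("news", "sports", "tech"));

    // Sink (hypothetical variant of getPosts): accepts only @Untainted strings.
    static String getPostsQuery(@Untainted String category) {
        return "SELECT * FROM posts WHERE category = '" + category + "'";
    }

    // Trust boundary: the one place where unqualified input becomes @Untainted.
    // The checker cannot verify this cast, so this method is what a reviewer
    // audits and where warning suppression, if required, would be confined.
    static @Untainted String validateCategory(String input) {
        if (input == null || !CATEGORIES.contains(input)) {
            throw new IllegalArgumentException("unknown category");
        }
        return (@Untainted String) input;
    }

    public static void main(String[] args) {
        String fromRequest = args.length > 0 ? args[0] : "news"; // unqualified

        // Accepted: string literals are @Untainted through
        // @ImplicitFor(trees = {STRING_LITERAL}).
        System.out.println(getPostsQuery("sports"));

        // Rejected by the checker: an unqualified String is a supertype of
        // @Untainted String (@SubtypeOf(Unqualified.class)), so it cannot
        // flow into the parameter.
        // System.out.println(getPostsQuery(fromRequest));

        // Accepted: the value passed the allowlist at the trust boundary.
        System.out.println(getPostsQuery(validateCategory(fromRequest)));
    }
}
```
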
Pluggable type-checking
• Java 8 syntax for type annotations
• Write in comments during transition to Java 8
• Checker Framework for creating type checkers
• Featureful, effective, easy to use, scalable
• Prevent bugs at compile time
• Create custom type-checkers
• Learn more, or download the Checker Framework: http://types.cs.washington.edu/jsr308 (or, web search for “Checker Framework” or “JSR 308”)