ESC/Java2 Use and Features

Similar documents
ESC/Java2 Use and Features

ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

Advanced JML. and more tips and pitfalls. David Cok, Joe Kiniry, and Erik Poll

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Specification tips and pitfalls

Static program checking and verification

Advances in Programming Languages

Program Verification (6EC version only)

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

objects

Extended Static Checking for Java

Advanced JML Erik Poll Radboud University Nijmegen

Java Modelling Language (JML) References

Formal Specification and Verification

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

The Provers of ESC/Java2

The Java Modeling Language (Part 2)

JML. Java Modeling Language

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

The Java Modeling Language JML

JML and Java 1.5+ David R. Cok Eastman Kodak Company, Research Laboratories 9 October 2008 SAVCBS08 workshop

Checking Program Properties with ESC/Java

Testing Library Specifications by Verifying Conformance Tests

Analysis of Software Artifacts

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Design by Contract and JML: concepts and tools

Advances in Programming Languages

Introduction to Programming Using Java (98-388)

Advances in Programming Languages

Chapter 4 Java Language Fundamentals

Advances in Programming Languages

Modular verification of static class invariants

Verifying JML specifications with model fields

Adding native specifications to JML

Non-null References by Default in the Java Modeling Language

OVERRIDING. 7/11/2015 Budditha Hettige 82

CS 220: Introduction to Parallel Computing. Arrays. Lecture 4

5.5 Behavioral Subtyping

A Small Survey of Java Specification Languages *

An overview of JML tools and applications

The JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23

Computer Science II. OO Programming Classes Scott C Johnson Rochester Institute of Technology

Java Modelling Language (JML) References

Object Ownership in Program Verification

A Java Reference Model of Transacted Memory for Smart Cards

Cover Page. The handle holds various files of this Leiden University dissertation

Formal Specification and Verification

Zhifu Pei CSCI5448 Spring 2011 Prof. Kenneth M. Anderson

Weiss Chapter 1 terminology (parenthesized numbers are page numbers)

CSC207H: Software Design. Java + OOP. CSC207 Winter 2018

C++ Inheritance and Encapsulation

Formal Techniques for Java-like Programs (FTfJP)

Modular specification of frame properties in JML

Static Semantics. Winter /3/ Hal Perkins & UW CSE I-1

Chapter 4 Defining Classes I

Department of Computer Science 226 Atanasoff Hall Iowa State University Ames, Iowa , USA

Reasoning about Object Structures Using Ownership

Why. an intermediate language for deductive program verification

CMSC131. Inheritance. Object. When we talked about Object, I mentioned that all Java classes are "built" on top of that.

Compiler construction 2009

Object-Oriented Languages and Object-Oriented Design. Ghezzi&Jazayeri: OO Languages 1

Classes, interfaces, & documentation. Review of basic building blocks

Frequently Asked Questions

EXAMINATIONS 2009 MID-TERM TEST. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering WITH ANSWERS

Specification of a transacted memory for smart cards in Java and JML

OOP Design by Contract. Carsten Schuermann Kasper Østerbye IT University Copenhagen

Expressions and Casting

Java Modeling Language (JML)

Assertions. Assertions - Example

Motivation was to facilitate development of systems software, especially OS development.

JAVA GUI PROGRAMMING REVISION TOUR III

Formal Methods for Java

CS 61B Data Structures and Programming Methodology. July 3, 2008 David Sun

VIRTUAL FUNCTIONS Chapter 10

Atelier Java - J1. Marwan Burelle. EPITA Première Année Cycle Ingénieur.

UC Santa Barbara. CS189A - Capstone. Christopher Kruegel Department of Computer Science UC Santa Barbara

Formale Entwicklung objektorientierter Software

Absolute C++ Walter Savitch

Contents. Program 1. Java s Integral Types in PVS (p.4 of 37)

What are the characteristics of Object Oriented programming language?

CS 161 Computer Security

References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 10/14/2004 1

Prelim 1. CS 2110, September 29, 2016, 7:30 PM Total Question Name Loop invariants

Integrating verification in programming languages

Using Type Annotations to Improve Your Code

CS 330 Homework Comma-Separated Expression

Reachability Analysis for Annotated Code

Inheritance. Inheritance Reserved word protected Reserved word super Overriding methods Class Hierarchies Reading for this lecture: L&L

CnC: Check n Crash. Combining static checking and testing. Christoph Csallner and Yannis Smaragdakis

Java How to Program, 10/e. Copyright by Pearson Education, Inc. All Rights Reserved.

Motivation was to facilitate development of systems software, especially OS development.

From JML to BCSL (Draft Version)

The Sun s Java Certification and its Possible Role in the Joint Teaching Material

Prelim 1 SOLUTION. CS 2110, September 29, 2016, 7:30 PM Total Question Name Loop invariants. Recursion OO Short answer

Transcription:

ESC/Java2 Use and Features The ESC/Java2 tool David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.1/?? David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.2/?? Structure of ESC/Java2 ESC/Java2 consists of a parsing phase (syntax checks), typechecking phase (type and usage checks), static checking phase (reasoning to find potential bugs) - runs a behind-the-scenes prover called Simplify Parsing and typechecking produce cautions or errors. Static checking produces warnings. The focus of ESC/Java2 is on static checking, but reports of bugs, unreported errors, confusing messages, documentation or behavior, and even just email about your application and degree of success are Very Welcome. [and Caution: this is still an alpha release] Running ESC/Java2 Download the binary distribution from http://secure.ucd.ie/products/opensource/escjava2 Untar the distribution and follow the instructions in README.release about setting environment variables. Run the tool by doing one of the following: Run a script in the release: escjava2 or escj.bat Run the tool directly with java -cp esctools2.jar escjava.main, but then you need to be sure to provide values for the -simplify and -specs options. Run a GUI version of the tool by double-clicking the release version of esctools2.jar Run a GUI version of the tool by executing it with java -jar esctools2.jar (in which case you can add options).

Supported platforms Environment ESC/Java2 is supported on Linux MacOSX Cygwin on Windows Windows (but there are some environment issues still to be resolved) Solaris (in principle - we are not testing there) Note that the tool itself is relatively portable Java, but the underlying prover is a Modula-3 application that must be compiled and supplied for each platform. Help with platform-dependence issues is welcome. The application relies on the environment having a Simplify executable (such as Simplify-1.5.4.macosx) for your platform, typically in the same directory as the application s jar file; the SIMPLIFY environment variable set to the name of the executable for this platform; a set of specifications for Java system files - by default these are bundled into the application jar file, but they are also in jmlspecs.jar. The scripts prefer that the variable ESCTOOLS_RELEASE be set to the directory containing the release. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.5/?? David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.6/?? Command-line options The items on the command-line are either options and their arguments or input entries. Some commonly used options (see the documentation for more): -help - prints a usage message -quiet - turns off informational messages (e.g. progress messages) -nowarn - turns off a warning -classpath - sets the path to find referenced classes [best if it contains. ] -specs - sets the path to library specification files -simplify - provides the path to the simplify executable -f - the argument is a file containing command-line arguments -nocheck - parse and typecheck but no verification -routine - restricts checking to a single routine -eajava, -eajml - enables checking of Java assertions -counterexample - gives detailed information about a warning Input entries The input entries on the command-line are those classes that are actually checked. Many other classes may be referenced for class definitions or specifications - these are found on the classpath (or sourcepath or specspath). file names - of java or specification files (relative to the current directory) directories - processes all java or specification files (relative to the current directory) package - (fully qualified name) - found on the classpath class - (fully qualified name) - found on the classpath list - (prefaced by -list) - a file containing input entries

Specification files Specification file example Specifications may be added directly to.java files Specifications may alternatively be added to specification files. No method bodies No field initializers Recommended suffix:.refines-java Recommend a refines annotation (see documentation) Must also be on the classpath package java.lang; import java.lang.reflect.*; import java.io.inputstream; public final class Class implements java.io.serializable { private Class(); /*@ also public normal_behavior @ ensures \result!= null &&!\result.equals("") @ && (* \result is the name of this class object *); @*/ public /*@ pure @*/ String tostring();. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.9/?? David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.10/?? Bag demo modular reasoning ESC/Java2 reasons about every method individually. So in public void n() { b = new byte[20]; public void m() { n(); b[0] = 2; ESC/Java2 warns that b[0] may be a null dereference here, even though you can see that it won t be.

modular reasoning modular reasoning To stop ESC/Java2 complaining: add a postcondition //@ ensures b!= null && b.length = 20; public void n() { b = new byte[20]; public void m() { n(); b[0] = 2; So: property of method that is relied on has to be made explicit. Also: subclasses that override methods have to preserve these. Similarly, ESC/Java will complain about b[0] = 2 in public void A() { b = new byte[20]; public void m() { b[0] = 2; Maybe you can see that this is a spurious warning, though this will be harder than in the previous example: you ll have to inspect all constructors and all methods. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.13/?? David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.14/?? modular reasoning To stop ESC/Java2 complaining here: add an invariant //@ invariant b!= null && b.length == 20; // or weaker property for b.length? public void A() { b = new byte[20]; public void m() { b[0] = 2; So again: properties you rely on have to be made explicit. And again: subclasses have to preserve these properties. Alternative to stop ESC/Java2 complaining: add an assumption: assume //@ assume b!= null && b.length > 0; b[0] = 2; Especially useful during development, when you re still trying to discover hidden assumptions, or when ESC/Java2 s reasoning power is too weak. (requires can be understood as a form of assume.)

need for assignable clauses need for assignable clauses public void m() { b = new byte[3]; //@ assert b[0] == 0; // ok! o.n(); //@ assert b[0] == 0; // ok? What does ESC/Java need to know about o.n to check the second assert? public void m() { b = new byte[3]; //@ assert b[0] == 0; // ok! o.n(b); //@ assert b[0] == 0; // ok? A detailed spec for o.n might give a postcondition saying that b[0] is still 0. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.17/?? David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.18/?? need for assignable clauses ESC/Java is not complete public void m() { b = new byte[3]; //@ assert b[0] == 0; // ok! o.n(); //@ assert b[0] == 0; // ok? If the postcondition of o.n doesn t tell us b won t be not null and can t be expected to we need the assignable clause to tell us that o.n won t affect b[0]. Declaring o.n as pure would solve the problem. ESC/Java may produce warnings about correct programs. /*@ requires 0 < n; @ ensures \result == @ (\exists int x,y,z; @ pow(x,n)+pow(y,n) == pow(z,n)); @*/ public static boolean fermat(double n) { return (n==2); Warning: postcondition possibly not satisfied (Typically, the theorem prover times out in complicated cases.)

ESC/Java is not sound ESC/Java is not sound ESC/Java may fail to produce warning about incorrect program. public class Positive{ private int n = 1; //@ invariant n > 0; public void increase(){ n++; ESC/Java(2) produces no warning, but increase may break the invariant, namely if n is 2 32 1. This can be fixed by improved model of Java arithmetic, but this does come at a price (both in specs and in code). More fundamental problem: sound modular verification for OO programs with invariants. public public class B{ B b; int x; int y; //@ invariant x <= b.y; void decr x(){ void decr y(){ x--; y--; How can we know that invoking decr y on some B won t break the invariant of some A, or some object whose invariant depends on a B object. David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.21/?? David Cok, Joe Kiniry & Erik Poll - ESC/Java2 & JML Tutorial p.22/?? ESC/Java is not sound public public class B{ B b; int x; int y; //@ invariant x <= b.y; void decr x(){x++; public class D{ B b; void decr y(){ void incr y(){y++; b.y--; How can D know it might be breaking A s invariant? Modularity problem Modular verification for (open) OO programs with invariants is a big & fundamental problem. Most verification tools fail here. Root causes: 1. invariants talking about another object s fields 2. object modifying another object s field 3. possibility of aliasing NB 1 & 2 are unavoidable, eg. think of an object modifying or its invariant mentioning the contents of an array field Alias control and ownership might provide solutions, eg. universes by Peter Müller & co or explicit pack/unpack operations by Rustan Leino & co.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback