Checking Program Properties with ESC/Java

Similar documents
Analysis of Software Artifacts

Hoare Logic: Proving Programs Correct

Static program checking and verification

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company

Advances in Programming Languages

Advances in Programming Languages

Lecture Notes: Hoare Logic

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

Program Verification (6EC version only)

Advances in Programming Languages

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Verifying Java Programs Verifying Java Programs with KeY

Testing Library Specifications by Verifying Conformance Tests

Advances in Programming Languages

CS 161 Computer Security

Reachability Analysis for Annotated Code

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Automatic Generation of Program Specifications

Formale Entwicklung objektorientierter Software

Overview The Java Modeling Language (Part 1) Related Work

Overview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions

Java Modelling Language (JML) References

Program Verification. Aarti Gupta

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

FAKULTÄT FÜR INFORMATIK

Extended Static Checking for Java

Verifying Java Programs Verifying Java Programs with KeY

The Java Modeling Language (Part 1)

The Java Modeling Language JML

Verification Condition Generation

ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

An Annotated Language

ESC/Java2 Use and Features

Formal Methods for Java

ESC/Java2 Use and Features

Verifying Java Programs with KeY

Software Security: Vulnerability Analysis

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Goal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010

Static Analysis in Practice

Principles of Software Construction: Objects, Design and Concurrency. Static Analysis. toad Spring 2013

Top Down Design. 2. Design Methodology

Warm-Up Problem. 1. What is the definition of a Hoare triple satisfying partial correctness? 2. Recall the rule for assignment: x (assignment)

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

Lecture 10 Design by Contract

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Static Analysis in Practice

An Aspect-Oriented Approach. Henrique Rebêlo Informatics Center

Modular and Verified Automatic Program Repairs

Verifying JML specifications with model fields

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Non-null References by Default in the Java Modeling Language

CSCE 548 Building Secure Software Software Analysis Basics

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

Advanced JML. and more tips and pitfalls. David Cok, Joe Kiniry, and Erik Poll

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

CSC Advanced Object Oriented Programming, Spring Specification

Spark verification features

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

The JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23

JML and Aspects: The Benefits of

Lecture 10 Notes Linked Lists

Announcements. Specifications. Outline. Specifications. HW1 is due Thursday at 1:59:59 pm

CSE 374 Programming Concepts & Tools

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Lecture Notes on Linear Search

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

Plan of the lecture. Quick-Sort. Partition of lists (or using extra workspace) Quick-Sort ( 10.2) Quick-Sort Tree. Partitioning arrays

Code Contracts. Pavel Parízek. CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics

hwu-logo.png 1 class Rational { 2 int numerator ; int denominator ; 4 public Rational ( int numerator, int denominator ) {

Java Modelling Language (JML) References

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

Lecture 10 Notes Linked Lists

CORRECTNESS ISSUES AND LOOP INVARIANTS

Formal Systems II: Applications

Software Excellence via Program Analysis at Microsoft. Manuvir Das

Code Contracts in C#

Lecture Notes on Contracts

Adam Blank Lecture 2 Winter 2017 CSE 332. Data Structures and Parallelism

Runtime Checking for Program Verification Systems

COMP 507: Computer-Aided Program Design

Java Modeling Language (JML)

Formal Methods. CITS5501 Software Testing and Quality Assurance

III. Check if the divisors add up to the number. Now we may consider each of these tasks separately, assuming the others will be taken care of

Lecture Notes on Memory Layout

JML and Java 1.5+ David R. Cok Eastman Kodak Company, Research Laboratories 9 October 2008 SAVCBS08 workshop

Verification Condition Generation via Theorem Proving

Formal Specification and Verification

Specification and Verification of Garbage Collector by Java Modeling Language

Compositional Cutpoint Verification

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

Chapter 1. Introduction

Violations of the contract are exceptions, and are usually handled by special language constructs. Design by contract

Verifying Java Programs

15-122: Principles of Imperative Computation (Section G)

Design for Change (class level)

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Transcription:

Checking Program Properties with ESC/Java 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich 1 ESC/Java A checker for Java programs Finds null pointers, array dereferences Checks Hoare logic specifications Expressed in Java Modeling Language (JML) Goal: Find errors Increase confidence in correctness Unlike a Hoare Logic proof, not a guarantee of correctness Developed at Compaq SRC in the 90s Now open sourced as ESC/Java 2 2 1

ESC/Java Uses JML Specifications /*@ requires len >= 0 && array!= null && array.length == len; @ @ ensures \result == (\sum int j; 0 <= j && j < len; array[j]); @*/ int sum(int array[], int len) { int sum = 0; int i = 0; /*@ loop_invariant sum == (\sum int j; 0 <= j && j < i; array[j]); */ while (i < len) { sum = sum + array[i]; i = i + 1; } return sum; } 3 Modular Checking with Hoare Logic Simple procedure rule for Hoare Logic Assumes all variables are global Can verify p independent of caller No need to look at S when verifying caller of p Just use post-condition and check precondition No need to look at caller of p to check S Just assume pre-condition 4 2

Modular Checking Example (1) procedure multiply { n > 0 } result := 0; i := 0; { result = m*n } procedure add { result = m*i } result = result + m { result = m*i + m } Loop precondition n > 0 0 = m * 0 && 0 0 n && n > 0 Precondition of add result = m*i && 0 i n && n > 0 && i < n result = m*i Re-establish loop invariant result = m*i + m result = m*(i+1) && 0 i+1 n && n > 0 Does not hold! Need to strengthen add specification 5 Modular Checking Example (2) procedure multiply { n > 0 } result := 0; i := 0; { result = m*n } procedure add {result = m*i && 0 i < n && n > 0 } result = result + m {result = m*i+m && 0 i < n && n > 0 } Loop precondition n > 0 0 = m * 0 && 0 0 n && n > 0 Precondition of add result = m*i && 0 i n && n > 0 && i < n result = m*i && 0 i < n && n > 0 Re-establish loop invariant result = m*i+m && 0 i < n && n > 0 result = m*(i+1) && 0 i+1 n && n > 0 Establish postcondition result = m*i && 0 i n && n > 0 && i n result = m*n 6 3

A Better Rule Increases independence of functions No need to specify invariant of caller in specification of P 7 Modular Checking Example (3) procedure multiply { n > 0 } result := 0; i := 0; { result = m*n } // modifies result procedure add { result = m*i } result = result + m { result = m*i+m } Verification condition for loop: {result = m*i && 0 i n && n > 0 && i < n} {result = m*i && 0 i+1 n && n>0} {result = m*(i+1) && 0 i+1 n && n>0} {result = m*i && 0 i n && n>0 } Add specification still mentions i. 8 4

Modular Checking Example (4) procedure multiply { n > 0 } result := 0; i := 0; { result = m*n } // modifies result int add(int n, int m) { true } return n + m { \result = n+m } Verification condition for loop: {result = m*i && 0 i n && n > 0 && i < n} {result = m*i && 0 i+1 n && n>0} {result = m*(i+1) && 0 i+1 n && n>0} {result = m*i && 0 i n && n>0 } Add specification still mentions i. A better spec works the same way but uses variable renamings. Used in ESC/Java; formal semantics beyond scope of this course 9 Demo: multiply in ESC/Java 10 5

Demo: SimpleSet in ESC/Java 11 ESC/Java s Limitations Does not check for some errors Infinite loops, arithmetic overflow Functional properties not stated by user Non-functional properties May miss some errors Unsound: describes an analysis that can miss errors Only checks one iteration of loops @modifies is unchecked Assumptions about invariants in referred-to objects Several others as well! 12 6

Loops in ESC/Java The loop: //@ loop_invariant E; while (B) { S } Is treated as: //@ assert E; if (B) { S //@ assert E; //@ assume!b; } Can optionally increase # iterations with -loop n 13 ESC/Java s Limitations (con t) May report false positives Often can be solved with an extra precondition or invariant Spurious warnings can also be disabled 14 7

ESC/Java Tradeoffs Attempts to automate Hoare-logic style checking Benefits Easier than manual proof Drawbacks Unsound Still quite labor-intensive Applicability Checking of critical code When it s worth the extra effort to get it right When you can t do a complete Hoare-logic proof Still must use other analysis techniques ESC/Java is unsound The spec must also be validated! 15 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback