ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company

Similar documents
ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

ESC/Java2 Use and Features

ESC/Java2 Use and Features

ESC/Java2 Use and Features David Cok, Joe Kiniry, Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Advances in Programming Languages

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Static program checking and verification

Program Verification (6EC version only)

Specification tips and pitfalls

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

Checking Program Properties with ESC/Java

The Use of JML in Embedded Real-Time Systems

Advanced JML. and more tips and pitfalls. David Cok, Joe Kiniry, and Erik Poll

Java Modelling Language (JML) References

Advances in Programming Languages

Extended Static Checking for Java

Advances in Programming Languages

Design by Contract and JML: concepts and tools

Analysis of Software Artifacts

Testing Library Specifications by Verifying Conformance Tests

ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

The JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23

Formal Specification and Verification

Formal Methods for Java

SRC Technical Note. ESC/Java User's Manual

Advanced JML Erik Poll Radboud University Nijmegen

Advances in Programming Languages

Korat: Automated Testing Based on Java Predicates. Jeff Stuckman

Testing, Debugging, and Verification

A Small Survey of Java Specification Languages *

Java Modeling Language (JML)

Verifying JML specifications with model fields

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Lecture 10 Design by Contract

objects

An overview of JML tools and applications

FAKULTÄT FÜR INFORMATIK

CSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak

Formale Entwicklung objektorientierter Software

Overview The Java Modeling Language (Part 1) Related Work

The Java Modeling Language JML

Specification of a transacted memory for smart cards in Java and JML

Dafny: An Automatic Program Verifier for Functional Correctness Paper by K. Rustan M. Leino (Microsoft Research)

A Java Reference Model of Transacted Memory for Smart Cards

Runtime Checking for Program Verification Systems

Specification and Verification of Garbage Collector by Java Modeling Language

Contents. Program 1. Java s Integral Types in PVS (p.4 of 37)

From JML to BCSL (Draft Version)

Lightweight Verification of Array Indexing

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

Java ByteCode Specification Language(BCSL) and how to compile JML to BCSL. Mariela Pavlova March 10, 2006

Regression testing. Whenever you find a bug. Why is this a good idea?

Software Engineering

Reachability Analysis for Annotated Code

Karsten Sohr Center for Computing Technologies Universität Bremen, Germany

Software Engineering Testing and Debugging Testing

Memory Safety (cont d) Software Security

Separation Logic 2: project: Annotation Assistant for Partially Specified Programs plus some high-level observations. Hengle Jiang & John-Paul Ore

JML and ESC/Java2 Homework Exercises

Steps for project success. git status. Milestones. Deliverables. Homework 1 submitted Homework 2 will be posted October 26.

Integration of Java Generics Into The jmle Tool Within The Eclipse IDE

Formal Techniques for Java-like Programs (FTfJP)

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Canica: An IDE for the Java Modeling Language

JML. Java Modeling Language

An introduction to formal specifications and JML. Invariant properties

CS 520 Theory and Practice of Software Engineering Fall 2018

JML and Aspects: The Benefits of

JML and Java 1.5+ David R. Cok Eastman Kodak Company, Research Laboratories 9 October 2008 SAVCBS08 workshop

Combining Static and Dynamic Reasoning for Bug Detection

Toward Instant Gradeification

The Java Modeling Language (Part 1)

An Aspect-Oriented Approach. Henrique Rebêlo Informatics Center

Automatic Generation of Program Specifications

Announcements. Specifications. Outline. Specifications. HW1 is due Thursday at 1:59:59 pm

How the Design of JML Accommodates Both Runtime Assertion Checking and Formal Verification

Reasoning about Java Programs with Aliasing and Frame Conditions

Modular verification of static class invariants

EXAMINATIONS 2009 MID-TERM TEST. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering WITH ANSWERS

CS 161 Computer Security

Effective and Efficient Runtime Assertion Checking for JML Through Strong Validity

Specifying Multi-Threaded Java Programs

Formal Methods in Software Development

A Thought on Specification Reflection

Formal Methods for Java

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Reasoning about programs

UC Santa Barbara. CS189A - Capstone. Christopher Kruegel Department of Computer Science UC Santa Barbara

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

Full Verification of the KOA Tally System

The Java Modeling Language (Part 2)

Introduction to the Java Modeling Language

Design by Contract with JML

Accessible Formal Methods: A Study of the Java Modeling Language

Software Security: Vulnerability Analysis

Java Bytecode Specification and Verification

OOP Design by Contract. Carsten Schuermann Kasper Østerbye IT University Copenhagen

Transcription:

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company Erik Poll - JML p.1/??

ESC/Java Extended static checker by Rustan Leino et.al. [Compaq]. tries to prove correctness of specifications, at compile-time, fully automatically Erik Poll - JML p.2/??

ESC/Java Extended static checker by Rustan Leino et.al. [Compaq]. tries to prove correctness of specifications, at compile-time, fully automatically not sound, not complete, but finds lots of potential bugs quickly Erik Poll - JML p.2/??

ESC/Java Extended static checker by Rustan Leino et.al. [Compaq]. tries to prove correctness of specifications, at compile-time, fully automatically not sound, not complete, but finds lots of potential bugs quickly good at proving absence of runtime exceptions (eg Null-, ArrayIndexOutOfBounds-, ClassCast-) and verifying relatively simple properties. Erik Poll - JML p.2/??

ESC/Java Extended static checker by Rustan Leino et.al. [Compaq]. tries to prove correctness of specifications, at compile-time, fully automatically not sound, not complete, but finds lots of potential bugs quickly good at proving absence of runtime exceptions (eg Null-, ArrayIndexOutOfBounds-, ClassCast-) and verifying relatively simple properties. ESC/Java only supported a subset of full JML, but ESC/Java2 by Joe Kiniry [KUN] & David Cok [Kodak] remedies this. Erik Poll - JML p.2/??

Important differences: static checking vs runtime checking ESC/Java checks specs at compile-time, jmlc checks specs at run-time ESC/Java proves correctness of specs, jml only tests correctness of specs. Hence ESC/Java independent of any test suite, results of runtime testing only as good as the test suite, ESC/Java provided higher degree of confidence. Erik Poll - JML p.3/??

ESC/Java demo class Bag { int[] a; int n; int extractmin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 1; i <= n; i++) { if (a[i] < m) { mindex =i; m = a[i]; } } n--; a[mindex] = a[n]; return m; } Erik Poll - JML p.4/??

ESC/Java demo class Bag { int[] a; int n; int extractmin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 1; i <= n; i++) { if (a[i] < m) { mindex =i; m = a[i]; } } n--; a[mindex] = a[n]; return m; } Warning: possible null deference. Plus other warnings Erik Poll - JML p.5/??

ESC/Java demo class Bag { int[] a; //@ invariant a!= null; int n; int extractmin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 1; i <= n; i++) { if (a[i] < m) { mindex =i; m = a[i]; } } n--; a[mindex] = a[n]; return m; } Erik Poll - JML p.6/??

ESC/Java demo class Bag { int[] a; //@ invariant a!= null; int n; int extractmin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 1; i <= n; i++) { if (a[i] < m) { mindex =i; m = a[i]; } } n--; a[mindex] = a[n]; return m; } Warning: Array index possibly too large Erik Poll - JML p.7/??

ESC/Java demo class Bag { int[] a; //@ invariant a!= null; int n; //@ invariant 0 <= n && n <= a.length; int extractmin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 1; i <= n; i++) { if (a[i] < m) { mindex =i; m = a[i]; } } n--; a[mindex] = a[n]; return m; } Erik Poll - JML p.8/??

ESC/Java demo class Bag { int[] a; //@ invariant a!= null; int n; //@ invariant 0 <= n && n <= a.length; int extractmin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 1; i <= n; i++) { if (a[i] < m) { mindex =i; m = a[i]; } } n--; a[mindex] = a[n]; return m; } Warning: Array index possibly too large Erik Poll - JML p.9/??

ESC/Java demo class Bag { int[] a; //@ invariant a!= null; int n; //@ invariant 0 <= n && n <= a.length; int extractmin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 0; i < n; i++) { if (a[i] < m) { mindex =i; m = a[i]; } } n--; a[mindex] = a[n]; return m; } Erik Poll - JML p.10/??

ESC/Java demo class Bag { int[] a; //@ invariant a!= null; int n; //@ invariant 0 <= n && n <= a.length; int extractmin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 0; i < n; i++) { if (a[i] < m) { mindex =i; m = a[i]; } } n--; a[mindex] = a[n]; return m; } Warning: Possible negative array index Erik Poll - JML p.11/??

class Bag { int[] a; //@ invariant a!= null; ESC/Java demo int n; //@ invariant 0 <= n && n <= a.length; //@ requires n > 0; int extractmin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 0; i < n; i++) { if (a[i] < m) { mindex =i; m = a[i]; } } n--; a[mindex] = a[n]; return m; } Erik Poll - JML p.12/??

class Bag { int[] a; //@ invariant a!= null; ESC/Java demo int n; //@ invariant 0 <= n && n <= a.length; //@ requires n > 0; int extractmin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 0; i < n; i++) { n--; if (a[i] < m) { mindex =i; m = a[i]; } } a[mindex] = a[n]; return m; } No more warnings about this code Erik Poll - JML p.13/??

class Bag { int[] a; //@ invariant a!= null; ESC/Java demo int n; //@ invariant 0 <= n && n <= a.length; //@ requires n > 0; int extractmin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 0; i < n; i++) { if (a[i] < m) { mindex =i; m = a[i]; } } n--; a[mindex] = a[n]; return m; }... but warnings about calls to extractmin() that do not ensure precondition Erik Poll - JML p.14/??

Some points to note ESC/Java forces one to specify some properties. Erik Poll - JML p.15/??

Some points to note ESC/Java forces one to specify some properties. If you understand the code, then these properties are obvious. But for larger programs this may not be the case! Erik Poll - JML p.15/??

Some points to note ESC/Java forces one to specify some properties. If you understand the code, then these properties are obvious. But for larger programs this may not be the case! If you have these properties documented, then understanding the code is easier. Erik Poll - JML p.15/??

ESC/Java vs runtime checking (cont.) For runtime assertion checking, we could choose what we specify, e.g. all, one, or none of the properties we have written for Bag. But for ESC/Java to accept a spec, we are forced to specify all properties (e.g. invariants, preconditions) that this spec relies on. Erik Poll - JML p.16/??

Like most tools, ESC/Java is Limitations of ESC/Java not complete: it may complain about a correct spec not sound: it may fail to warn about an incorrect spec ESC/Java warns about many potential bugs, but not about all actual bugs. These are unavoidable concessions to main goal: pointing out lots of potential bugs quickly & completely automatically In practice ESC/Java is quite good at checking simple specs, e.g. ruling out any NullPointer- and IndexOutOfBoundsExceptions Erik Poll - JML p.17/??

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback