Automatic Generation of Program Specifications

Similar documents
Automatic Generation of Program Specifications

Learning from Executions

Static program checking and verification

Checking Program Properties with ESC/Java

Mutually Enhancing Test Generation and Specification Inference

CS 6V Program Analysis I: Dynamic Detection of Likely Invariants and Robust Signatures for Kernel Data Structure.

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Improving Test Suites via Operational Abstraction

DySy: Dynamic Symbolic Execution for Invariant Inference

An Empirical Comparison of Automated Generation and Classification Techniques for Object-Oriented Unit Testing

Static Analysis in Practice

Software Security: Vulnerability Analysis

Static Analysis in Practice

Advances in Programming Languages

Formal Methods for Java

Advances in Programming Languages

Program Verification (6EC version only)

EQUIVALENCE PARTITIONING AS A BASIS FOR DYNAMIC CONDITIONAL INVARIANT DETECTION

Java Modelling Language (JML) References

Selecting, Refining, and Evaluating Predicates for Program Analysis

Operational Semantics. One-Slide Summary. Lecture Outline

CS350: Data Structures Stacks

Invariant Inference for Static Checking: An Empirical Evaluation

CS 161 Computer Security

Cover Page. The handle holds various files of this Leiden University dissertation

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Lecture 13. Notation. The rules. Evaluation Rules So Far

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Notation. The rules. Evaluation Rules So Far.

Combined Static and Dynamic Mutability Analysis 1/31

Advances in Programming Languages

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

Program Verification using Templates over Predicate Abstraction. Saurabh Srivastava and Sumit Gulwani

Assertions. Assertions - Example

Operational Semantics of Cool

Automatic Extraction of Abstract- Object-State Machines Based on Branch Coverage

Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

Safety Checks and Semantic Understanding via Program Analysis Techniques

Data Structures. BSc in Computer Science University of New York, Tirana. Assoc. Prof. Marenglen Biba 1-1

Testing Library Specifications by Verifying Conformance Tests

Quickly Detecting Relevant Program Invariants

Efficient Incremental Dynamic Invariant Detection

References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 10/14/2004 1

Exploiting Synergy Between Testing and Inferred Partial Specifications

David Glasser Michael D. Ernst CSAIL, MIT

Static and dynamic analysis: synergy and duality

The JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

COS 320. Compiling Techniques

Runtime Checking for Program Verification Systems

Javarifier: inference of reference immutability

Automatic Verification of Loop Invariants

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

Where are we going? EEC 421/521: Software Engineering. What is Design? A Note on Quality. Introduction to Design. Many levels of design: Our focus

The Daikon system for dynamic detection of likely invariants

Principles of Software Construction: Objects, Design and Concurrency. Static Analysis. toad Spring 2013

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Runtime Checking and Test Case Generation for Python

JPred-P 2. Josh Choi, Michael Welch {joshchoi,

Christoph Csallner, University of Texas at Arlington (UTA)

Code verification. CSE 331 University of Washington. Michael Ernst

Seminar in Software Engineering Presented by Dima Pavlov, November 2010

Extended Static Checking for Java

Simulating Critical Software Engineering

Program Verification. Aarti Gupta

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

JML and ESC/Java2 Homework Exercises

Verification and Test with Model-Based Design

DySy: Dynamic Symbolic Execution for Invariant Inference

Where are we going? EEC 521: Software Engineering. A Note on Quality. What is Design? Introduction to Design. Our focus

DSD-Crasher: A Hybrid Analysis Tool for Bug Finding

Adam Chlipala University of California, Berkeley ICFP 2006

Analysis of Software Artifacts

Specification and verification of a simple machine

Bounded Verification of Voting Software

Differential program verification

DSD-Crasher: A Hybrid Analysis Tool for Bug Finding

Lightweight Verification of Array Indexing

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Lecture 10 Design by Contract

A Practical Approach to Programming With Assertions

IODINE: A Tool to Automatically Infer Dynamic Invariants for Hardware Designs

Selecting Predicates for Implications in Program Analysis

Design by Contract: An Overview

HeapMD: Identifying Heap-based Bugs using Anomaly Detection

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Advances in Programming Languages

Regression testing. Whenever you find a bug. Why is this a good idea?

Code Contracts. Pavel Parízek. CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics

DSD-Crasher: A Hybrid Analysis Tool for Bug Finding

Formale Entwicklung objektorientierter Software

The Checker Framework: pluggable static analysis for Java

Improving Test Suites via Generated Specifications. Michael Harder

Automatic Software Verification

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)

0/38. Detecting Invariants. Andreas Zeller + Andreas Gross. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Tool-Assisted Unit Test Selection Based on Operational Violations

Language Techniques for Provably Safe Mobile Code

Program Analysis. CSCE Lecture 16-03/03/2016

A comparative study of programmer-written and automatically inferred contracts

ESC/Java2 Use and Features

Automated Documentation Inference to Explain Failed Tests

Transcription:

Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science http://pag.lcs.mit.edu/ Joint work with Michael Ernst Jeremy Nimmer, page 1

Synopsis Specifications are useful for many tasks Use of specifications has practical difficulties Dynamic analysis can capture specifications Recover from existing code Infer from traces Results are accurate (90%+) Specification matches implementation Jeremy Nimmer, page 2

Outline Motivation Approach: Generate and check specifications Evaluation: Accuracy experiment Conclusion Jeremy Nimmer, page 3

Advantages of specifications Describe behavior precisely Permit reasoning using summaries Can be verified automatically Jeremy Nimmer, page 4

Problems with specifications Describe behavior precisely Tedious and difficult to write and maintain Permit reasoning using summaries Must be accurate if used in lieu of code Can be verified automatically Verification may require uninteresting annotations Jeremy Nimmer, page 5

Solution Automatically generate and check specifications from the code Code mystack.push(elt); Generator Checker Specification mystack.isempty() = false Proof Q.E.D. Jeremy Nimmer, page 6

Solution scope Generate and check complete specifications Very difficult Generate and check partial specifications Nullness, types, bounds, modification targets,... Need not operate in isolation User might have some interaction Goal: decrease overall effort Jeremy Nimmer, page 7

Outline Motivation Approach: Generate and check specifications Evaluation: Accuracy experiment Conclusion Jeremy Nimmer, page 8

Previous approaches Generation: By hand Static analysis Checking Code mystack.push(elt); By hand Non-executable models Generator Checker Specification mystack.isempty() = false Proof Q.E.D. Jeremy Nimmer, page 9

Our approach Code mystack.push(elt); Generator Checker Specification mystack.isempty() = false Proof Q.E.D. Dynamic detection proposes likely properties Static checking verifies properties Combining the techniques overcomes the weaknesses of each Ease annotation Guarantee soundness Jeremy Nimmer, page 10

Daikon: Dynamic invariant detection Original program Instrument Instrumented program Run Data trace database Detect invariants Invariants Test suite Look for patterns in values the program computes: Instrument the program to write data trace files Run the program on a test suite Invariant detector reads data traces, generates potential invariants, and checks them Jeremy Nimmer, page 11

ESC/Java: Invariant checking ESC/Java: Extended Static Checker for Java Lightweight technology: intermediate between type-checker and theorem-prover; unsound Intended to detect array bounds and null dereference errors, and annotation violations /*@ requires x!= null */ /*@ ensures this.a[this.top] == x */ void push(object x); Modular: checks, and relies on, specifications Jeremy Nimmer, page 12

Integration approach Code mystack.push(elt); Daikon ESC/Java Specification mystack.isempty() = false Proof Q.E.D. Run Daikon over target program Insert results into program as annotations Run ESC/Java on the annotated program All steps are automatic. Jeremy Nimmer, page 13

Stack object invariants public class StackAr { Object[] thearray; int topofstack; thearray A E I O U Y topofstack /*@ invariant thearray!= null; invariant \typeof(thearray) == \type(object[]); invariant topofstack >= -1; invariant topofstack < thearray.length; invariant thearray[0..topofstack]!= null; invariant thearray[topofstack+1..] == null; */... Jeremy Nimmer, page 14

Stack push method thearray A E I O U Y W /*@ requires x!= null; topofstack requires topofstack < thearray.length - 1; modifies topofstack, thearray[*]; ensures topofstack == \old(topofstack) + 1; ensures x == thearray[topofstack]; ensures thearray[0..\old(topofstack)]; == \old(thearray[0..topofstack]); */ public void push( Object x ) {... } Jeremy Nimmer, page 15

Stack summary ESC/Java verified all 25 Daikon invariants Reveal properties of the implementation (e.g., garbage collection of popped elements) No runtime errors if callers satisfy preconditions Implementation meets generated specification Jeremy Nimmer, page 16

Outline Motivation Approach: Generate and check specifications Evaluation: Accuracy experiment Conclusion Jeremy Nimmer, page 17

Accuracy experiment Dynamic generation is potentially unsound How accurate are its results in practice? Combining static and dynamic analyses should produce benefits But perhaps their domains are too dissimilar? Jeremy Nimmer, page 18

Programs studied 11 programs from libraries, assignments, texts Total 2449 NCNB LOC in 273 methods Test suites Used program s test suite if provided (9 did) If just example calls, spent <30 min. enhancing ~70% statement coverage Jeremy Nimmer, page 19

Accuracy measurement Compare generated specification to a verifiable specification invariant thearray!= null; invariant topofstack >= -1; invariant topofstack < thearray.length; invariant thearray[0..length-1] == null; invariant thearray[0..topofstack]!= null; invariant thearray[topofstack+1..] == null; Standard measures from info ret [Sal68, vr79] Precision (correctness) : 3 / 4 = 75% Recall (completeness) : 3 / 5 = 60% Jeremy Nimmer, page 20

Experiment results Daikon reported 554 invariants Precision: 96% of reported invariants verified Recall: 91% of necessary invariants were reported Jeremy Nimmer, page 21

Causes of inaccuracy Limits on tool grammars Daikon: May not propose relevant property ESC: May not allow statement of relevant property Incompleteness in ESC/Java Always need programmer judgment Insufficient test suite Shows up as overly-strong specification Verification failure highlights problem; helpful in fixing System tests fared better than unit tests Jeremy Nimmer, page 22

Experiment conclusions Our dynamic analysis is accurate Recovered partial specification Even with limited test suites Enabled verifying lack of runtime exceptions Specification matches the code Results should scale Larger programs dominate results Approach is class- and method-centric Jeremy Nimmer, page 23

Value to programmers Generated specifications are accurate Are the specifications useful? How much does accuracy matter? How does Daikon compare with other annotation assistants? Answers at FSE'02 Jeremy Nimmer, page 24

Outline Motivation Approach: Generate and check specifications Evaluation: Accuracy experiment Conclusion Jeremy Nimmer, page 25

Conclusion Specifications via dynamic analysis Accurately produced from limited test suites Automatically verifiable (minor edits) Specification characterizes the code Unsound techniques useful in program development Jeremy Nimmer, page 26

Questions? Jeremy Nimmer, page 27

Formal specifications Precise, mathematical desc. of behavior [LG01] (Another type of spec: requirements documents) Standard definition; novel use Generated after implementation Still useful to produce [PC86] Many specifications for a program Depends on task e.g. runtime performance Jeremy Nimmer, page 28

Effect of bugs Case 1: Bug is exercised by test suite Falsifies one or more invariants Weaker specification May cause verification to fail Case 2: Bug is not exercised by test suite Not reflected in specification Code and specification disagree Verifier points out inconsistency Jeremy Nimmer, page 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback