jonathan kuhn robin mange epfl-ssc compaq systems research center flanagan, leino, lillibridge,...
TRANSCRIPT
Jonathan KuhnRobin MangeEPFL-SSC
Compaq Systems Research CenterFlanagan, Leino, Lillibridge, Nelson, Saxe and Stata
Software developement and maintenance are expensive tasks
Detecting errors at early stage using static checkers can improve productivity
This paper discusses about one of those, called ESC/Java
ESC/Java is a compile time checker featuring VC generation and automatic TP techniques
It provides a simple annotation language to users
It is a « static » and « extended » checker
Objectives:
To produce a cost-effective tool that catches as many errors as possible
In between common type checkers and full program verifiers
Providing Modular Checking
Modular Checking allows checking of single pieces of code
Annotations are required to provide specifications
Ideal Static Checker attributes:SoundnessCompleteness
Trade-off on both to remain cost-effective
1: class Bag { 2: int size ;3: Int[ ] elements;4:5: Bag(int[ ] input) { 6: size = input .length ;7: elements = new int[size] ;8: System.arraycopy(input , 0, elements, 0, size) ;9: } 10:11: int extractMin() { 12: int min = Integer.MAX VALUE ;13: int minIndex = 0;14: for (int i= 1; i <= size ; i++) { 15: if (elements[i ] < min) { 16: min = elements[i] ;17: minIndex = i ;18: } 19: } 20: size−−;21: elements[minIndex]= elements[size] ;22: return min ;23: } 24: }
1: class Bag { 2: int size ;3: Int[ ] elements;4:5: Bag(int[ ] input) { 6: size = input .length ;7: elements = new int[size] ;8: System.arraycopy(input , 0, elements, 0, size) ;9: } 10:11: int extractMin() { 12: int min = Integer.MAX VALUE ;13: int minIndex = 0;14: for (int i= 1; i <= size ; i++) { 15: if (elements[i ] < min) { 16: min = elements[i] ;17: minIndex = i ;18: } 19: } 20: size−−;21: elements[minIndex]= elements[size] ;22: return min ;23: } 24: }
6: Warning: Possible null deference
15: Warning: Possible null deference / Array index possibly too large
21: Warning: Possible null deference / Possible negative Array index
1: class Bag { 2: int size ;3: Int[ ] elements;4:5: Bag(int[ ] input) { 6: size = input .length ;7: elements = new int[size] ;8: System.arraycopy(input , 0, elements, 0, size) ;9: } 10:11: int extractMin() { 12: int min = Integer.MAX VALUE ;13: int minIndex = 0;14: for (int i= 1; i <= size ; i++) { 15: if (elements[i ] < min) { 16: min = elements[i] ;17: minIndex = i ;18: } 19: } 20: size−−;21: elements[minIndex]= elements[size] ;22: return min ;23: } 24: }
//@ invariant 0<=size && size<=elements.length/*@non_null*/ int[] elements;
//@requires input!=null6: Warning: Possible null deference
15: Warning: Possible null deference / Array index possibly too large
21: Warning: Possible null deference / Possible negative Array index
Here is a schema of the steps performed by ESC/Java
Front End: act like normal compiler
Translator: AST => guarded commands(modular checking, loop unrolling)
VC Generator: generate verification conditions for each guarder commands.
Theorem Prover: TP is invoked for each routine using UBP & SBP
Design Made as Java-like as possible Captures design decision of the user Similar as JML annotations
Work similary as Jahob specification (ghost vars, routine specifications, invariant, …)
Potential problem: Could be too slow for interactive usage
Annoting appropriately during developpement saves time and catches errors earlier
Optimization made its use satisfactory and sufficient
Require about 50-100 annotations per thousand lines of code
Mercator: A part of the code failed on a null pointer array. This was missed during code review and took 6h for ESC/Java to catch it.
JavaFE: 3 weeks spent annoting the code permited to catch dozens of previouly undetected errors.
ESC/Java is easy to use and can detect significant software errors
The concept and the usage is similar to jahob