Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata.

Presentation transcript:

Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata

What is "Static Checking"?
Diagram: Annotated Source Code -> Static Checker -> Error: ...
Examples of static checkers and the kind of error each reports:
- type systems: "Error: wrong number of arguments in method call"
- lint: "Error: unreachable code"
- full program verification: "Error: qsort does not yield a sorted array"

Comparison of Static Checkers
[Graph: Quality (up to 100%) against Effort, with points for lint, type systems, Extended Static Checking (ESC/Modula-3, ESC/Java) and full verification. Note: graph is not to scale.]

ESC/Java
- Detects common run-time errors: null dereferences, array bounds, type casts, race conditions, deadlocks
- Checks other properties: object invariants, method specifications, ...

Architecture of ESC/Java
Annotated program -> Verification condition generator -> Automatic theorem prover -> Counter-example
Verification condition (schematic): ∀x. ∀y. (x > y => ...)
Counter-example report: "Error: index out of bounds on line 218 when x = 4 and y = 3"

Not Full Verification
- Prove absence of run-time errors, not full functional correctness
- Simpler method specifications
- Verification conditions easier to prove

Example

    void sort2(int[] a)
    {
      if( a[0] < a[1] )
      {
        int t = a[0];
        a[0] = a[1];
        a[1] = t;
      }
    }

Annotations and checker output shown on the slide, which builds them up step by step:
- Error: possible null dereference at line 5
- Error: possible index out of bounds at line 5
- annotations added: requires a != null && a.length == 2; ensures a[0] <= a[1]
- Error: possible index out of bounds at line 8 (the slide shows the index on line 8 changing between 2 and 1)
- Error: postcondition not achieved
- No more errors detected :-(

Under the Hood
- Verification condition large but "dumb"
- Proved in < 1 second

    (FORALL (t1)
      (FORALL (t2)
        (IMPLIES (AND (NEQ a null) (EQ (arrayLength a) 2))
          (AND (NEQ a null)
            (AND
              (AND (< (select (select elem a) 0) (select (select elem a) 1))
                (FORALL (t3)
                  (AND (NEQ a null)
                    (AND
                      (AND (< (select (select elem a) 0) (select (select elem a) 1)))
                      (AND (<= (select (select elem a) 0) (select (select elem a) 1))
                        (EQ true true))))))))))))

ESC/Java vs. Testing
- Testing is essential, but it is expensive, finds errors late, and misses errors
- ESC/Java ... ?

ESC/Java Summary
- Finds more errors than type checking
- Costs less than full verification
- Currently working on small test programs

Comparison of Static Checkers
[Graph: Quality (up to 100%) against Effort, with points for lint, type systems, Extended Static Checking and full verification, and a decidability limit marked. Note: graph is not to scale.]

Metrics for Static Checkers
- Cost of using the tool
- Quality: Does it miss errors? Does it give spurious warnings?