1. Extended Static Checking for Java
Authors:
Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge Greg Nelson, James B. Saxe, Raymie Stata
Presenter: Yaping Jing Fall 2005, JML-Seminar by Professor Gary. T. Leavens

2. OUTLINE Introduction Architecture Annotation Languages
Example Use of ESC/Java
Related Work
Summary
References

3. Introduction Goals of ESC/Java Error Coverage
Full-functional program verifier
ESC/Java
Type checkers
Cost

4. Architecture A compiler for both annotation and Java code Front End
Abstract Syntax Trees (ASTs)
Translator
Guarded Commands (GCs)
Verification Conditions (VCs)
VC Generator
UBP  BPT VCR
Type specific Background Predicate
Theorem Prover
Counter Examples
e.g. (S :: S <:T  S=T) if T is a final class, then any subtype of T is itself
PostProcessor
UBP
Warning Messages

5. Annotations – General Features
Use a subset of JML annotation language
Annotations are written as we have seen in JML ….
Expressions contained in annotations are side-effect free Java Expressions

6. Annotations – Routine Specification
requires P
modifies M
ensures Q
exsures (T, x) R
Seems very familiar 

7. Annotations – Overriding Routine Specification
also_ensures Q
also _exsures (T, x) R
How does JML handle the overriding methods specification?

8. Annotations – Object invariants
Syntax: invariant E
Semantics ?
ESC/Java also have helper method
How is the helper used in checking?

9. Annotations – Ghost field
Syntax: ghost M S id
Example use: Vector v = new Vector(); set v.id = \type (String);
JML also have invariants (with helper) and ghost. Differences?

10. Annotations – Escape hatches
nowarn W
assume P (a more precise escape hatch)
Is nowarn a really useful feature? given that we have assume statement.

11. An Example Use of ESC/Java
11: int extractMin() {
12: int min =Integer.MAX_VALUE;
13: int minIndex = 0;
14: for (int i=0; i <size; i++) {
15: if (elements[i] < min) {
16: min = elements[i];
17: minIndex = i;
18: }
19: }
20: size--;
21: elements[minIndex]=elements[size];
22: return min;
23: }
24: }
1: class Bag {
2: int size;
3: int[] elements; 4:
5: Bag(int[] input) {
6: size = input.length;
7: elements = new int[size];
8: System.arraycopy(input,0, elements,0,size);
9: }
10:

12. An Example Use of ESC/Java (Cont’)
Run escjava Bag.java produces 5 warnings:
Bag.java:6: Warning: Possible null dereference (Null)
size = input.length; ^
Bag.java:15: Warning: Possible null dereference (Null)
if (elements[i] < min) {
Bag.java:15: Warning: Array index possibly too large (..
Bag.java:21: Warning: Possible null dereference (Null)
elements[minIndex] = elements[size];
Bag.java:21: Warning: Array index possibly too large (..

13. An Example Use of ESC/Java (Cont’)
How to interpret and handle those warnings?
1st warning complains that the constructor may deference null;
Possible Solutions:
Create an empty bag if the passed argument is null
Make a contract specifying that the constructor only accepts non-null argument
By picking the solution #2, we add a precondition before line 5: requires input != null

14. An Example Use of ESC/Java (Cont’)
2nd and 4th warnings complain that extractMin() may dereference null. Why? We already set elements to be non-null!
The field elements is not declared as private, so clients or subclasses may modify it.
Even if it is declared as private, it still generates warnings since the methods are checked in isolation.
Solution:
Specify a design decision that the field elements is always non-null by annotating line 3 as non_null */ int[] elements;

15. An Example Use of ESC/Java (Cont’)
The remaining 2 warnings complain that the index may go beyond the boundary which may affect the value of size
Solution:
Add an object invariant to line 2:
invariant 0<=size && size <= elements.length

16. How does ESC/Java Relate/Compare to JML?
ESC/Java check specifications at compile time;
jmlc check specifications at run-time
ESC/Java proves the correctness of specifications;
Jml tests the correctness of specifications
ESC/Java are often forced to specify all properties (precondictions, invariants, etc.) that this specifications relies on;
Jmlc can choose all, one, or none of the properties to specify.
JML
ESC/JAVA2
There is a plugin for ESC/Java2 now that works in Eclipse 3.0(.2).

17. Summary
Described a static checker that is geared toward “easy to use” with certain sacrifice of soundness.
ESC/Java is not complete
It is not sound either
There are people working on sound approach for a similar tool called Spec# which targets at C#. Ask Professor Leavens for more detail 

18. References
"Extended static checking for Java" by Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge, Greg Nelson, James B. Saxe, and Raymie Stata. (In Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), volume 37(5) of SIGPLAN Notices, pages ACM, May 2002.)
“JML: notations and tools supporting detailed design in Java” by G.T. Leavens, K. R. M. Leino, E. Poll, C. Ruby, and B. Jacobs. (In OOPSLA 2000 Companion, pages ACM, 2000)
“The Spec# Programming System: Challenges and Directions”, by Mike Barnett, Robert DeLine, Bart Jacobs, Manuel F¨ahndrich, K. Rustan M. Leino,Wolfram Schulte, and Herman Venter. (Manuscript KRML 156, 30 September 2005.)
“escjava_demo” by Eric Poll, Joe kiniry, and David Cok. (found in escjava2 Release slides)