Presentation is loading. Please wait.

Presentation is loading. Please wait.

Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center."— Presentation transcript:

1 Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center

2 Software QA via Testing u Useful (the dominant methodology), but.. u Costly l half of development cost is testing l finds errors late in development cycle u Incomplete l often fails to ensure needed reliability l hard to test all configurations

3 Software QA via Static Checking u Statically verify many correctness properties u Type systems catch many errors l e.g. “Cannot multiply a number and a string” u Would like to catch additional errors l e.g. “Array index out of bounds at line 10” u And verify other correctness properties l assertions l object invariants l lightweight method specifications

4 Extended Static Checker Architecture The translator “understands” the semantics of Java. A verification condition is a logical formula that, ideally, is valid if and only if the program is free of the kinds of error under consideration. The automatic theorem prover is invisible to users. Counterexamples are turned into precise warning messages. ESC/Java Java method + annotations Translator Verification conditions Automatic theorem prover Counterexamples Post-processor Warning messages Index out of bounds on line 218 Method does not preserve object invariant on line 223

5 ESC/Java Example class Rational { int num, denom; Rational(int n, int d) { num = n; denom = d; } double getDouble() { return ((double)num)/denom; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); print( r.getDouble() ); }... } Warning: possible division by zero Warning: invariant possibly not established //@ invariant denom != 0; //@ requires d != 0; Warning: precondition possibly not established

6 ESC/Java Experience u Tested on 40 KLOC, caught a variety of defects u Ready for educational/research use? Yes! l http://research.compaq.com/SRC/esc/ u Ready for software engineering use? Not really. l annotation overhead significant l annotations increase program size by 10% l requires 1 programmer-hour to annotate 300 lines of code u Need annotation inference for ESC/Java!

7 Houdini Architecture Class A { String s; … } Generate set of candidate annotations Class A { String s; //@ … … … } Annotation Refutation Loop

8 Generating Candidate Annotations u Invariants generated heuristically from program text For fields int i,j guess //@ invariant i cmp j; //@ invariant i cmp 0; where cmp  {, >= } For field Object[] a guess //@ invariant a != null; //@ invariant a.length cmp i; //@ invariant (forall int k; 0 <= k && k a[k] != null); u Similar heuristics for preconditions and postconditions

9 Removing Invalid Annotations State Space Powerset Lattice Initial states... G  Refute some annotations Fixpoint Reachable states Candidate set

10 Houdini Architecture Class A { String s; … } Generate set of candidate annotations ESC/Java Warning: Invariant not established Warning:... Annotation remover Class A { String s; //@ … … … } Annotation Refutation Loop

11 Houdini Example class Rational { int num, denom; Rational(int n, int d) { num = n; denom = d; } double getDouble() { return ((double)num)/denom; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); print( r.getDouble() ); }... } Warning: invariant possibly not established Warning: precondition possibly not established //@ invariant num != 0; //@ requires d != 0; //@ invariant denom != 0; //@ requires n != 0; u No warnings refuting annotations l Remaining annotations are valid l Houdini algorithm terminates Warning: possible division by zero

12 Houdini Architecture Class A { String s; … } Generate set of candidate annotations ESC/Java Warning: Invariant not established Warning:... Annotation remover web page generator /#* */ Class A... } NETSCAPE Class A { String s; //@ … … … }

13 Finding the cause of a warning class Rational { int num, denom; Rational(int n, int d) { num = n; denom = d; } double getDouble() { return ((double)num)/denom; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(d,n); print( r.getDouble() ); }... } //@ invariant num != 0; //@ requires d != 0; //@ invariant denom != 0; //@ requires n != 0; Warning: possible division by zero Hyperlink

14 Houdini Example (corrected) class Rational { int num, denom; Rational(int n, int d) { num = n; denom = d; } double getDouble() { return ((double)num)/denom; } public static void main(String[] a) { int n = readInt(), d = readInt(); if( d == 0 ) return; Rational r = new Rational(n,d); print( r.getDouble() ); }... } Warning: invariant possibly not established Warning: precondition possibly not established //@ invariant num != 0; //@ requires d != 0; //@ invariant denom != 0; //@ requires n != 0; u No warnings refuting annotations l Remaining annotations are valid l Houdini algorithm terminates u No warnings about primitive operations l Division by zero error is impossible

15 Houdini Architecture Class A { String s; … } Generate set of candidate annotations ESC/Java Warning: Invariant not established Warning:... Annotation remover web page generator /#* */ Class A... } NETSCAPE Library Spec Class L { //@ … … … } Class A { String s; //@ … … … }

16 Houdini is a Two-Level Analysis u Interprocedural analysis l Uses ESC/Java (weakest preconditions, theorem proving) l Precise, not scalable u Intraprocedural analysis l Abstract interpretation based on powerset lattice l Less precise, but more scalable l Can add annotations manually l Houdini’s heuristics are extensible Eg. to reason about whether int[][] a is rectangular, guess (forall int i,j; 0 <= i && i < a.length && 0 <= j && j < a.length ==> a[i].length == a[j].length);

17 Evaluation

18 Houdini for Other Modular Checkers u Houdini originally designed for ESC/Java u But could be ported to other modular checkers Ported to rccjava (Race Condition Checker for Java) Requires new heuristics for guessing annotations Straightforward port Infers useful locking annotations u Houdini for your favorite modular checker?

19 Conclusions u Houdini is an effective annotation assistant l Infers many useful annotations l Significantly reduces number of ESC/Java warnings u Future work l Refine guessing heuristics Guess fewer “useless” annotations Guess additional properties (aliasing, container classes) l Refine user interface l Check 500,000 LOC

Download ppt "Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.

Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.

Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.

JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Similar presentations

Ads by Google