Extended Static Checking for Java

1
Extended Static Checking for Java

• Authors
• Cormac Flanagan, K. Rustan M. Leino, Mark
  LillibridgeGreg Nelson, James B. Saxe, Raymie
  Stata
• PresenterYaping JingFall 2005, JML-Seminar by
  Professor Gary. T. Leavens

2
OUTLINE

• Introduction
• Architecture
• Annotation Languages
• Example Use of ESC/Java
• Related Work
• Summary
• References

3
Introduction

• Goals of ESC/Java

Error Coverage
ESC/Java
Type checkers
Cost
4
Architecture
A compiler for both annotation and Java code
Front End
Abstract Syntax Trees (ASTs)
Translator
Guarded Commands (GCs)
Verification Conditions (VCs)
VC Generator
UBP ? BPT ?VCR
Type specific Background Predicate
Theorem Prover
Counter Examples
e.g. (?S S ltT ? ST)if T is a final class,
then anysubtype of T is itself
PostProcessor
UBP
Warning Messages
5
Annotations General Features

• Use a subset of JML annotation language
• Annotations are written as we have seen in
  JML/_at_ . _at_///_at_ .
• Expressions contained in annotations are
  side-effect free Java Expressions

6
Annotations Routine Specification

• requires P
• modifies M
• ensures Q
• exsures (T, x) R

Seems very familiar ?
7
Annotations Overriding Routine Specification

• also_ensures Q
• also _exsures (T, x) R
• How does JML handle the overriding methods
  specification?

8
Annotations Object invariants

• Syntax //_at_ invariant E
• Semantics ?
• ESC/Java also have helper method
• How is the helper used in checking?

9
Annotations Ghost field

• Syntax //_at_ ghost M S id
• Example use Vector v new Vector() //_at_
  set v.id \type (String)
• JML also have invariants (with helper) and ghost.
  Differences?

10
Annotations Escape hatches

• //_at_ nowarn W
• //_at_ assume P (a more precise escape hatch)
• Is nowarn a really useful feature? given that we
  have assume statement.

11
An Example Use of ESC/Java
11 int extractMin() 12 int min
Integer.MAX_VALUE 13 int minIndex
0 14 for (int i0 i ltsize i) 15
if (elementsi lt min) 16 min
elementsi 17 minIndex i 18
19 20 size-- 21
elementsminIndexelementssize 22
return min 23 24

• 1 class Bag
• 2 int size
• 3 int elements
• 4
• 5 Bag(int input)
• 6 size input.length
• 7 elements new intsize
• 8 System.arraycopy(input,0, elements,0,size
  )
• 9
• 10

12
An Example Use of ESC/Java (Cont)

• Run escjava Bag.java produces 5 warnings

Bag.java6 Warning Possible null dereference
(Null) size input.length
Bag.java15 Warning Possible null dereference
(Null) if (elementsi lt min)
Bag.java15 Warning Array index
possibly too large (.. if (elementsi lt
min) Bag.java21 Warning
Possible null dereference (Null)
elementsminIndex elementssize
Bag.java21 Warning Array
index possibly too large (..
elementsminIndex elementssize

13
An Example Use of ESC/Java (Cont)

• How to interpret and handle those warnings?
• 1st warning complains that the constructor may
  deference null
• Possible Solutions
• Create an empty bag if the passed argument is
  null
• Make a contract specifying that the constructor
  only accepts non-null argument
• By picking the solution 2, we add a precondition
  before line 5//_at_ requires input ! null

14
An Example Use of ESC/Java (Cont)

• 2nd and 4th warnings complain that extractMin()
  may dereference null. Why? We already set
  elements to be non-null!
• The field elements is not declared as private, so
  clients or subclasses may modify it.
• Even if it is declared as private, it still
  generates warnings since the methods are checked
  in isolation.
• Solution
• Specify a design decision that the field elements
  is always non-null by annotating line 3 as /_at_
  non_null / int elements

15
An Example Use of ESC/Java (Cont)

• The remaining 2 warnings complain that the index
  may go beyond the boundary which may affect the
  value of size
• Solution
• Add an object invariant to line 2
• //_at_ invariant 0ltsize size lt
  elements.length

16
How does ESC/Java Relate/Compare to JML?

• ESC/Java check specifications at compile time
• jmlc check specifications at run-time
• ESC/Java proves the correctness of
  specifications
• Jml tests the correctness of specifications
• ESC/Java are often forced to specify all
  properties (precondictions, invariants, etc.)
  that this specifications relies on
• Jmlc can choose all, one, or none of the
  propertiesto specify.

JML
ESC/JAVA2
There is a plugin for ESC/Java2 now that works in
Eclipse 3.0(.2).
17
Summary

• Described a static checker that is geared toward
  easy to use with certain sacrifice of
  soundness.
• ESC/Java is not complete
• It is not sound either
• There are people working on sound approach
  for a similar tool called Spec which targets at
  C. Ask Professor Leavens for more detail ?

18
References

• "Extended static checking for Java" by Cormac
  Flanagan, K. Rustan M. Leino, Mark Lillibridge,
  Greg Nelson, James B. Saxe, and Raymie Stata. (In
  Proceedings of the 2002 ACM SIGPLAN Conference on
  Programming Language Design and Implementation
  (PLDI), volume 37(5) of SIGPLAN Notices, pages
  234-245. ACM, May 2002.)
• JML notations and tools supporting detailed
  design in Java by G.T. Leavens, K. R. M. Leino,
  E. Poll, C. Ruby, and B. Jacobs. (In OOPSLA 2000
  Companion, pages 105-106. ACM, 2000)
• The Spec Programming System Challenges and
  Directions, by Mike Barnett, Robert DeLine, Bart
  Jacobs, Manuel Fahndrich, K. Rustan M.
  Leino,Wolfram Schulte, and Herman Venter.
  (Manuscript KRML 156, 30 September 2005.)
• escjava_demo by Eric Poll, Joe kiniry, and
  David Cok. (found in escjava2 Release slides)