technologies for finding errors in object oriented software l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Technologies for finding errors in object-oriented software PowerPoint Presentation
Download Presentation
Technologies for finding errors in object-oriented software

Loading in 2 Seconds...

play fullscreen
1 / 39

Technologies for finding errors in object-oriented software - PowerPoint PPT Presentation


  • 218 Views
  • Uploaded on

Technologies for finding errors in object-oriented software. K. Rustan M. Leino Microsoft Research, Redmond, WA. Lecture 0 Summer school on Formal Models of Software 1 Sep 2003, Tunis, Tunisia. Motivation. Software development problem. Software construction and maintenance are expensive

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Technologies for finding errors in object-oriented software' - benjamin


Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
technologies for finding errors in object oriented software

Technologies for finding errorsin object-oriented software

K. Rustan M. LeinoMicrosoft Research, Redmond, WA

Lecture 0Summer school on Formal Models of Software1 Sep 2003, Tunis, Tunisia

software development problem
Software development problem
  • Software construction and maintenance are expensive
  • Reliability is costly and difficult to achieve
vision
Vision
  • Increased programmer productivity and program reliability through increased rigor

Record design decisions

+ Utilize automatic checking= Detect errors and improve maintainability

user s view
User's view

Error messages

Program with specifications

Program checker

public class Bag {

private /*@non_null*/ int[] a; private int n; //@ invariant 0 <= n && n <= a.length;

public Bag(/*@non_null*/ int[] initialElements) { n = initialElements.length; a = new int[n]; System.arraycopy(initialElements, 0, a, 0, n); } public void add(int x) { if (n == a.length) { int[] b = new int[2*(a.length+1)]; System.arraycopy(a, 0, b, 0, n); a = b; } a[n] = x; n++; }

public int extractMin() { int m = Integer.MAX_VALUE; int mindex = 0; for (int i = 0; i < n; i++) { if (a[i] < m) { mindex = i; m = a[i]; } } if (0 < n) { n--; a[mindex] = a[n]; } return m; }

// The program text continues down here, but if you’re // reading this, you probably aren’t paying attention to // the talk.

Bag.java:18: Array index possibly too large

extended static checker for java esc java
Extended Static Checker for Java (ESC/Java)
  • Built at Compaq SRC
  • Input: Java + user-supplied annotations
  • Annotation language captures programmer design decisions
  • Powered by program semantics and automatic theorem proving
  • Performs modular checking
program checker design tradeoffs
Program checker design tradeoffs
  • Missed errors
  • Spurious warnings
  • Annotation overhead
  • Performance
tool architecture
Tool architecture

Annotated Java program

Translator

Verification condition

Valid

Automatic theorem prover

Resource exhausted

Counterexample context

Post processor

Warning messages

tool architecture detail
Tool architecture, detail

Annotated Java program

Sugared command

Translator

Primitive command

Passive command

Verification condition

Automatic theorem prover

Counterexample context

Post processor

Warning messages

tool architecture detail11

Annotated Java program

Annotated Java program

Sugared command

Sugared command

Primitive command

Translator

Translator

Primitive command

Passive command

Passive command

Verification condition

Verification condition

Automatictheorem prover

Automatic theorem prover

Counterexample context

Counterexample context

Post processor

Post processor

Warning messages

Warning messages

Tool architecture, detail
annotation language
Annotation language

Annotated Java program

  • Simple
    • non_null
  • Method annotations
    • requires E;
    • modifies w;
    • ensures E;
    • exsures (T x) E;
  • Object invariants
    • invariantE;

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

annotation language13
Annotation language

Annotated Java program

  • Simple
    • non_null
  • Method annotations
    • requires E;
    • modifies w;
    • ensures E;
    • exsures (T x) E;
  • Object invariants
    • invariantE;

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

annotation language14
Annotation language

Annotated Java program

  • Specification expressions
    • side-effect free Java expressions
      • no ++, no method calls
    • result, old(E)
      • ensuresresult == old(x);
    • ==>
    • (forall T x; E), (exists T x; E)
      • (forallint j; 0 <= j && j < n ==> a[j] > 0);
    • typeof(E), type(T), <:
      • requirestypeof(x) == typeof(this);

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

annotation language15
Annotation language

Annotated Java program

  • Specification expressions
    • side-effect free Java expressions
      • no ++, no method calls
    • result, old(E)
      • ensuresresult == old(x);
    • ==>
    • (forall T x; E), (exists T x; E)
      • (forallint j; 0 <= j && j < n ==> a[j] > 0);
    • typeof(E), type(T), <:
      • requirestypeof(x) == typeof(this);

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

annotation language16
Annotation language

Annotated Java program

  • Concurrency
    • monitored_by lock
      • /*@ monitored_bythis */ long x;
    • lockset[lock]
      • requireslockset[this];
    • lock0 < lock1
    • max(lockset)
      • requiresmax(lockset) < this;

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

annotation language17
Annotation language

Annotated Java program

  • Concurrency
    • monitored_by lock
      • /*@ monitored_bythis */ long x;
    • lockset[lock]
      • requireslockset[this];
    • lock0 < lock1
    • max(lockset)
      • requiresmax(lockset) < this;

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

annotation language18
Annotation language

Annotated Java program

  • Ghost variables
    • ghostpublic T x;
      • ghostpublicint objectState;
      • ghostpublicTYPE elementType;
    • set x = E;
      • set objectState = Open;
      • set elementType = type(T);

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

annotation language19
Annotation language

Annotated Java program

  • Ghost variables
    • ghostpublic T x;
      • ghostpublicint objectState;
      • ghostpublicTYPE elementType;
    • set x = E;
      • set objectState = Open;
      • set elementType = type(T);

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

annotation language20
Annotation language

Annotated Java program

  • Miscellaneous
    • assert E;
    • assume E;
      • assume x >= 0; // because x == y*y
    • nowarn
      • x = a[j]; //@ nowarn
    • axiom E;
      • axiom (forallint x; x ≫ 2 >= 0);

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

sugared commands
Sugared commands

Annotated Java program

  • S,T ::= assert E

| assume E

| x = E

| raise

| S ; T

| S ! T

| S [] T

| loop {inv E} S  T end

| call x = t.m(E)

| …

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

sugared commands22
Sugared commands

Annotated Java program

  • x = t.f.g;

assert t ≠ null;

tmp = select(f, t);

assert tmp ≠ null;

x = select(g, tmp)

  • if (x < 0) { x = -x; }/*@ assert x >= 0; */

( assume x < 0; x = -x

[] assume¬(x < 0)

);

assert x >= 0

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

sugared commands23
Sugared commands

Annotated Java program

  • x = t.f.g;

assert lblneg(“Null@58.9”, t ≠ null);

tmp = select(f, t);

assert lblneg(“Null@58.11”, tmp ≠ null);

x = select(g, tmp)

  • if (x < 0) { x = -x; }/*@ assert x >= 0; */

( assume x < 0;assume lblpos(“Then^280:7”, true); x = -x

[] assume ¬ (x < 0);assume lblpos(“Else^280:7”, true)

);

assert x >= 0

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

primitive commands
Primitive commands

Annotated Java program

  • S,T ::= assert E

| assume E

| x = E

| raise

| S ; T

| S ! T

| S [] T

| loop {inv E} S  T end

| call x = t.m(E)

| …

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

primitive commands25
Primitive commands

Annotated Java program

  • //@ requires Pre; modifies w; ensures Post;X m(U u);
  • call x = t.m(E)

var u in

u = E;

assert Pre;

var w0in

w0 = w;

havoc w;

assume Post;

x = result

end

end

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

passive commands

| raise

| S ; T

| S ! T

| S [] T

Passive commands

Annotated Java program

  • S,T ::= assert E

| assume E

| x = E

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

passive commands27
Passive commands

Annotated Java program

  • if (x < 0) { x= -x; }/*@ assert x >= 0; */

( assume x0 < 0; x1 = -x0;x2 = x1

[] assume ¬(x0 < 0);x2 = x0

);

assert x2 >= 0

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

passive commands28
Passive commands

Annotated Java program

  • if (x < 0) { x= -x; }/*@ assert x >= 0; */

( assume x0 < 0; assume x1 == -x0;assume x2 == x1

[] assume ¬(x0 < 0);assume x2 == x0

);

assert x2 >= 0

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

weakest preconditions
Weakest preconditions

Annotated Java program

  • A Hoare triple{P}S{Q}says that if command S is started in a state satisfying P, then S terminates without error in a state satisfying Q
  • The weakest precondition of a command S with respect to a postcondition Q, written wp(S,Q), is the weakest P such that{P}S{Q}

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

weakest preconditions30
Weakest preconditions

Annotated Java program

  • wp(assert E, Q) = E && Q
  • wp(assume E, Q) = E ==> Q
  • wp(S;T, Q) = wp(S, wp(T,Q))
  • wp(S [] T, Q) = wp(S, Q) && wp(T, Q)
  • wp(S, Q) = wp(S, true) && wlp(S, Q)
  • wlp(S, Q) = wlp(S, false) || Q

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

verification condition
Verification condition

Annotated Java program

  • Universal background predicate
    • (∀t ・ t <: t)
  • Type-specific background predicate
    • Bag <: java.lang.Object
  • Verification condition:BPUniv && BPT ==> VCmethod

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

verification condition32

(BG_PUSH

(AND

(<: T_T |T_java.lang.Object|)

(EQ T_T (asChild T_T |T_java.lang.Object|))

(DISTINCT arrayType |T_boolean| |T_char| |T_byte| |T_short| |T_int|

|T_long| |T_float| |T_double| |T_.TYPE|

T_T |T_java.lang.Object|)))

(EXPLIES

(LBLNEG |vc.T.abs.2.2|

(IMPLIES

(AND

(EQ |elems@pre| elems)

(EQ elems (asElems elems))

(< (eClosedTime elems) alloc)

(EQ LS (asLockSet LS))

(EQ |alloc@pre| alloc))

(NOT

(AND

(EQ |@true| (is |x:2.21| T_int))

(OR

(AND

(OR

(AND

(< |x:2.21| 0)

(LBLPOS |trace.Then^0,3.15| (EQ |@true| |@true|))

(EQ |x:3.17| (- 0 |x:2.21|))

(EQ |x:2.21<1>| |x:3.17|))

(AND

(NOT (< |x:2.21| 0))

(LBLPOS |trace.Else^1,3.4| (EQ |@true| |@true|))

(EQ |x:2.21<1>| |x:2.21|)))

(NOT (LBLNEG |Assert@4.8| (>= |x:2.21<1>| 0))))

(AND

(OR

(AND

(< |x:2.21| 0)

(LBLPOS |trace.Then^0,3.15| (EQ |@true| |@true|))

(EQ |x:3.17| (- 0 |x:2.21|))

(EQ |x:2.21<1>| |x:3.17|))

(AND

(NOT (< |x:2.21| 0))

(LBLPOS |trace.Else^1,3.4| (EQ |@true| |@true|))

(EQ |x:2.21<1>| |x:2.21|)))

(LBLNEG |Assert@4.8| (>= |x:2.21<1>| 0))

(NOT (LBLNEG |Exception@5.2| (EQ |ecReturn| |ecReturn|)))))))))

(AND

(DISTINCT |ecReturn|)))

Verification condition

Annotated Java program

  • class T {

staticint abs(int x) {

if (x < 0) { x = -x; }

//@ assert x >= 0;

}

}

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

theorem prover simplify
Theorem prover: “Simplify”

Annotated Java program

  • Nelson-Oppen cooperating decision procedures
    • conguence closure
    • linear arithmetic
    • partial orders
    • quantifiers
  • Key features:
    • automatic: no user interaction
    • refutation based: searches for counterexamples
    • heuristics tuned for program checking
    • labels
    • time limit

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

counterexamples and warnings
Counterexamples and warnings

Annotated Java program

  • Counterexample: labels: (|IndexTooBig@26.5| |vc.Bag.add.20.2| |trace.Then^0,21.23|) context: (AND (NEQ |tmp1!a:23.23| null) (NEQ this null) (EQ |alloc@pre| alloc) (EQ |tmp4!n:26.6| 0) … (<= alloc (vAllocTime |tmp3!a:26.4|)) )
  • Bag: add(int) ...-----------------------------------------------------------Bag.java:26: Warning: Array index possibly too large (IndexTooBig) a[n] = x;^Execution trace information: Executed then branch in "Bag.java", line 21, col 23.-----------------------------------------------------------

Sugared command

Primitive command

Translator

Passive command

Verification condition

Automatictheorem prover

Counterexample context

Post processor

Warning messages

experience annotations
Experience: annotations
  • Capture common design decisions
  • Suggested immediately by warnings
  • Overhead: 4-10% of source code
  • ~1 annotation per field or parameter
  • Most common annotations:
    • non_null
    • container element types
experience performance
Experience: performance
  • 50% of all methods: < 0.5 s
  • 80% of all methods: < 1 s
  • time limit: 300 s
  • total time for Javafe (~40kloc): 65 min.
related work
Related work
  • ESC/Modula-3
  • Full functional specification and verification
    • JML, LOOP, B, Penelope, ...
  • Languages and language features
    • Euclid, Eiffel, Escher, Guava, Vault, Cqual, ...
    • LCLint, refinement types, Types against races, ...
  • Other checking techniques
    • Abstract interpretation, PREfix, SLAM, Bandera,Java PathFinder 2, Canvas, ESP, AST Toolkit, Metal,…
conclusions
Conclusions
  • Using program semantics and automatic decision procedures for program analysis works!
  • Cost effective?
what s needed
What's needed?
  • Semantics of programming language
  • Specification language
  • Programming methodology and disciplines
  • Decision procedures
  • Property inference

Download ESC/Java (tool, documentation, sources):http://research.compaq.com/SRC/esc

http://research.compaq.com