Early Detection of JML Specification Errors using ESC/Java2
Patrice Chalin
Dependable Software Research Group (DSRG), Computer Science and Software Engineering Department
Concordia University, Montreal, Canada
Specification and Verification of Component-Based Systems (SAVCBS’06), November 10-11, 2006, held in conjunction with FSE-14, Portland, Oregon, USA
2006-11-10 SAVCBS'06 - P.Chalin, p. 2
Static Program Verifiers (SPV)
• Significant advances in technology.
• Integration with modern IDEs:
– Spec#
– JML (well, soon)
Static Program Verifiers (SPV)
• Two kinds of error detected by SPV:
– Precondition violations (for methods or operators).
– Correctness violations (of method bodies).
• Order.
SPV: Detection of Errors in …
• Can be routinely used to detect errors in code relative to specifications.
• Unfortunately, no error detection in specs.
– … beyond conventional type checking.
– (maybe because specifiers do not make mistakes?)
Failing to Detect Errors in Specs
Is a serious problem because such errors
• More difficult to detect.
• More costly to fix (… when identified later).
Motivating example …
Example: MyUtil Class
Example: MyUtil Class + Specs
PairSum Class and Method
```java
public class PairSum {
    public static int pairSum(int[] a, int[] b) {
        /* returns (a[0] + b[0]) + … + (a[n-1] + b[n-1]),
         * where n is the min length of a and b.
         */
    }
}
```
PairSum code
```java
public class PairSum {
    public static int pairSum(int[] a, int[] b) {
        int n = MyUtil.minLen(a, b);
        return MyUtil.sumUpTo(a, n) +
               MyUtil.sumUpTo(b, n);   // by commutativity.
    }
}
```
Using PairSum
```java
int[] a = readFromFile(…);
int[] b = readFromFile(…);
int sum = pairSum(a, b);
...
```
• readFromFile is declared to return null on read error.
• JML tools report no errors for this code, yet …
Simple test case: PairSum read error
• Call trace
pairSum(null, null) → MyUtil.sumUpTo(null, null) → NullPointerException
PairSum called with null
```java
public static int pairSum(int[] a, int[] b) {
    int n = MyUtil.minLen(a /* null */, b /* null */);
    return …
}
```
ESC/Java
• Why did it fail to report a problem?
• Examine the code annotated with assertions …
PairSum code + assertions
```java
public static int pairSum(int[] a, int[] b) {
    int n = MyUtil.minLen(a, b);
    //@ assume (* postcondition of minLen *)
    //@ assert (* precondition of sumUpTo *)
    return MyUtil.sumUpTo(a, n) +
           MyUtil.sumUpTo(b, n);
}
```
Example: MyUtil Class + Specs
PairSum code + assertions
```java
public static int pairSum(int[] a, int[] b) {
    int n = MyUtil.minLen(a, b);
    //@ assume n = min(a.length, b.length);
    //@ assert n <= a.length && …;
    return MyUtil.sumUpTo(a, n) +
           MyUtil.sumUpTo(b, n);
}
```
PairSum assertions
assume n = min( a.length, b.length);
assert n <= a.length && …;
PairSum assertions, trace null …
assume n = min(null.length, null.length);
assert n <= null.length && …;
PairSum, trace null & simplifying (1)
assume n = null.length;
assert n <= null.length && …;
PairSum, trace null & simplifying (2)
assume n = null.length;
assert null.length <= null.length && …;
PairSum, trace null & simplifying (3)
assume n = null.length;
assert true && true;
(Under JML’s classical semantics null.length is not an error but some unspecified value; n is assumed equal to that same value, so n <= null.length simplifies to true and the assertion holds vacuously.)
Cause: precondition violation in the contract (the postcondition of MyUtil.minLen applies .length to arguments that may be null)
SPV Detection of Errors In Specs
• Two kinds of coding error detected by SPV:
– Precondition violations (for methods or operators).
– Correctness violations (of method bodies).
• New ESC/Java2 feature:
– definedness checking
– “Is-defined checks”, or IDC.
ESC/Java2 run with IDC
```text
MyUtil: minLen(int[], int[]) ...
-----------------------------------------
MyUtil.jml:3: Warning: Possible null deref…
  //@ java.lang.Math.min(a1.length,…);
                           ^
-----------------------------------------
[0.062 s 12135232 bytes]  failed
```
Another Motivating Example
• Consider the following method + contract:
• Postconditions are false, hence contract is unimplementable and yet ... ESC/Java2 proves method “correct”.
Inconsistency in Arrays.sort contract
• ESC/Java2 IDC points out …
Supporting Definedness Checking
• JML’s current assertion semantics
– based on classical logic
– partial functions modeled by underspecified total functions
Newly proposed semantics
• Based on Strong Validity: an assertion expression is taken to hold iff it is
– defined, and
– true.
“Is-Defined” Operator
• D(e)
• In general (for strict functions):
D(f(e1, …, en)) = D(e1) ∧ … ∧ D(en) ∧ p(e1, …, en)
e.g.
– D(e1 / e2) = D(e1) ∧ D(e2) ∧ e2 ≠ 0
• Non-strict operators, e.g.
D(e1 && e2) = D(e1) ∧ (e1 ⇒ D(e2))
ESC/Java2 Redesign
• Current / previous architecture
Guarded Command Language
C ::= Id := Expr
| ASSUME Expr
| ASSERT Expr
| C ; C’
| C [] C’
Supporting the New Semantics (IDC)
• Inline assertions
〚 assert R 〛 = ASSERT 〚 D(R) 〛 ;
ASSERT 〚 R 〛
IDC: Basic Method Contracts
Without IDC
〚 {P}B{Q} 〛 = ASSUME 〚 P 〛 ; 〚 B 〛 ; ASSERT 〚 Q 〛
With IDC
〚 {P}B{Q} 〛 = ASSERT 〚 D(P) 〛 ; ASSUME 〚 P 〛 ; 〚 B 〛 ; ASSERT 〚 D(Q) 〛 ; ASSERT 〚 Q 〛
Checking Methods Without Bodies
〚 {P}_{Q} 〛 = ASSERT 〚 D(I(this)) 〛 ;
ASSUME 〚 ∀ o:C . I(o) 〛 ;
ASSERT 〚 D(P) 〛 ;
ASSUME 〚 P 〛 ;
〚 return _ 〛 [] 〚 throw … 〛 ;
ASSERT 〚 D(Q) 〛 ;
ASSERT 〚 D(I(this)) 〛 ;
If life were this simple, we wouldn’t need …
• Unfortunately, the previous translation gives poor error reporting.
• ESC will report errors only for GCs of the form ASSERT Label(L, E).
• But this gives a coarse-grained report:
〚 assert R 〛 = ASSERT Label(L, 〚 D(R) 〛 ) ; ASSERT 〚 R 〛
• We want ESC to pinpoint the errors in D(R).
Better Diagnostics
• Need to expand
ASSERT 〚 D(e) 〛
Expanded GC for strict functions
• Recall that
D(f(e1, …, en)) = D(e1) ∧ … ∧ D(en) ∧ p(e1, …, en)
• Expanded GC form, E 〚 D(f(e1, …, en)) 〛 , would be:
E 〚 D(e1) 〛 ;
... ;
E 〚 D(en) 〛 ;
ASSERT Label(L, 〚 p(e1,…,en) 〛 )
Expanded GC for non-strict functions
• E.g. for the conditional operator
D(e1 ? e2 : e3) = D(e1) ∧ (e1 ⇒ D(e2)) ∧ (¬e1 ⇒ D(e3))
• Expanded GC form would be
E 〚 D(e1) 〛 ;
{ ASSUME 〚 e1 〛 ; E 〚 D(e2) 〛 ;
  [] ASSUME 〚 ¬e1 〛 ; E 〚 D(e3) 〛 ; }
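As an added illustration, not code from the talk or from ESC/Java2, the following Python model ties together the is-defined rules of the two “Is-Defined” Operator slides, the contract translation of the IDC: Basic Method Contracts slide, and the expanded guarded-command forms for strict and non-strict operators above. A concrete-state evaluator stands in for the Simplify prover, so "no failure" means that no labelled ASSERT fails on the given input, not that anything was proved. The JML specs of MyUtil are assumptions, since the page's MyUtil slides are images: minLen is taken to have ensures \result == Math.min(x.length, y.length) and no requires clause (the a1.length in the ESC/Java2 run above points that way), sumUpTo to have requires n <= x.length && n <= y.length, and minLen's body to be null-tolerant, consistent with the NullPointerException arising in sumUpTo rather than in minLen. The operator names, command tuples and labels are this example's own.

```python
"""Miniature of ESC/Java2 definedness checking (IDC): the is-defined operator D(e), its
expansion E[[D(e)]] into labelled guarded commands, and contract translation with and without
IDC. A concrete-state evaluator stands in for the Simplify prover; specs and names are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Op:
    op: str        # 'len' '/' 'min' '<=' '==' '!=' '!' '&&' '||' '?:'
    args: tuple    # operands: an Op, a str (variable name) or a literal (None is Java's null)

def op(o, *args):
    return Op(o, tuple(args))

UNSPEC = 0   # classical JML: null.length and x/0 denote *some* fixed but unspecified value

def ev(e, st):
    """Evaluate e under the underspecified-total-function semantics."""
    if isinstance(e, str):
        return st[e]
    if not isinstance(e, Op):
        return e
    a = [ev(x, st) for x in e.args]   # every subterm has a value, so strict evaluation is safe
    return {'len': lambda: UNSPEC if a[0] is None else len(a[0]),
            '/': lambda: UNSPEC if a[1] == 0 else a[0] // a[1],
            'min': lambda: min(a[0], a[1]), '<=': lambda: a[0] <= a[1],
            '==': lambda: a[0] == a[1], '!=': lambda: a[0] != a[1], '!': lambda: not a[0],
            '&&': lambda: bool(a[0]) and bool(a[1]), '||': lambda: bool(a[0]) or bool(a[1]),
            '?:': lambda: a[1] if a[0] else a[2]}[e.op]()

def show(e):
    """Pretty-print e for ASSERT labels."""
    if not isinstance(e, Op):
        return 'null' if e is None else str(e)
    s = [show(x) for x in e.args]
    if e.op == 'len':
        return s[0] + '.length'
    return f"({s[0]} {e.op} {s[1]})" if len(s) == 2 and e.op != 'min' else f"{e.op}({', '.join(s)})"

def domain_pred(e):
    """p(e1, ..., en): when a strict partial operator is defined; None for total ones."""
    if e.op == 'len':
        return 'null deref in ' + show(e), op('!=', e.args[0], None)
    return ('division by zero in ' + show(e), op('!=', e.args[1], 0)) if e.op == '/' else None

def expand_D(e):
    """E[[D(e)]]: guarded commands that fail at a labelled ASSERT exactly where e is undefined.
    Commands: ('ASSERT', label, e) ('ASSUME', e) ('ASSIGN', name, e) ('CHOICE', p1, p2) for []."""
    if not isinstance(e, Op):
        return []                                   # variables and literals are always defined
    e1, neg = e.args[0], op('!', e.args[0])
    if e.op == '&&':   # D(e1) and (e1 => D(e2))
        return expand_D(e1) + [('CHOICE', [('ASSUME', e1)] + expand_D(e.args[1]), [('ASSUME', neg)])]
    if e.op == '||':   # D(e1) and (!e1 => D(e2))
        return expand_D(e1) + [('CHOICE', [('ASSUME', neg)] + expand_D(e.args[1]), [('ASSUME', e1)])]
    if e.op == '?:':   # D(e1) and (e1 => D(e2)) and (!e1 => D(e3))
        return expand_D(e1) + [('CHOICE', [('ASSUME', e1)] + expand_D(e.args[1]),
                                          [('ASSUME', neg)] + expand_D(e.args[2]))]
    prog = [c for x in e.args for c in expand_D(x)]   # strict: E[[D(e1)]]; ...; E[[D(en)]];
    dp = domain_pred(e)
    return prog + ([('ASSERT', dp[0], dp[1])] if dp else [])   # ASSERT Label(L, p(e1, ..., en))

def run(prog, st):
    """Run guarded commands on a concrete state; return labels of failed ASSERTs,
    at most one per feasible path (a false ASSUME makes the path infeasible)."""
    st = dict(st)
    for i, cmd in enumerate(prog):
        if cmd[0] == 'ASSIGN':
            st[cmd[1]] = ev(cmd[2], st)
        elif cmd[0] == 'ASSUME' and not ev(cmd[1], st):
            return []
        elif cmd[0] == 'ASSERT' and not ev(cmd[2], st):
            return [cmd[1]]
        elif cmd[0] == 'CHOICE':                    # both branches, each followed by the rest
            tail = prog[i + 1:]
            return run(cmd[1] + tail, st) + run(cmd[2] + tail, st)
    return []

def translate(P, body, Q, idc):
    """[[{P} B {Q}]] of the 'IDC: Basic Method Contracts' slide, with or without IDC."""
    return ((expand_D(P) if idc else []) + [('ASSUME', P)] + body
            + (expand_D(Q) if idc else []) + [('ASSERT', 'postcondition', Q)])

# PairSum/MyUtil with assumed JML specs (the page's own MyUtil slides are images).
def minlen_post(x, y, res):   # ensures \result == Math.min(x.length, y.length); no requires
    return op('==', res, op('min', op('len', x), op('len', y)))
def sumupto_pre(x, y, n):     # requires n <= x.length && n <= y.length
    return op('&&', op('<=', n, op('len', x)), op('<=', n, op('len', y)))

def check_pairsum(a, b, idc):
    """pairSum's body as on the 'PairSum code + assertions' slides: assume minLen's postcondition,
    then assert sumUpTo's precondition. The ASSIGN is the witness ESC would get by havocking n."""
    prog = [('ASSIGN', 'n', op('min', op('len', 'a'), op('len', 'b')))]
    prog += (expand_D(minlen_post('a', 'b', 'n')) if idc else []) + [('ASSUME', minlen_post('a', 'b', 'n'))]
    prog += (expand_D(sumupto_pre('a', 'b', 'n')) if idc else []) \
        + [('ASSERT', 'precondition of sumUpTo', sumupto_pre('a', 'b', 'n'))]
    return run(prog, {'a': a, 'b': b})

def check_minlen(a1, a2, idc):
    """minLen's own contract against an assumed null-tolerant body, via translate()."""
    null_in = op('||', op('==', 'a1', None), op('==', 'a2', None))
    body = [('ASSIGN', 'result', op('?:', null_in, 0, op('min', op('len', 'a1'), op('len', 'a2'))))]
    return run(translate(True, body, minlen_post('a1', 'a2', 'result'), idc), {'a1': a1, 'a2': a2})
```

check_pairsum(None, None, idc=False) reports nothing, which is the "assert true && true" outcome of the simplification slides: null.length is just some value and n is assumed equal to it. With idc=True the first labelled ASSERT to fail is 'null deref in a.length', the same diagnosis the ESC/Java2 run with IDC gives for minLen's postcondition, and it names the subexpression rather than the whole assertion because each strict operator contributes its own labelled ASSERT. check_minlen(None, None, False) likewise "verifies" the method against a contract that is undefined on null input, while the CHOICE produced for && and ?: only checks a guarded operand on the branch where the guard holds, so a != null && 0 <= a.length stays defined for a null a.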
ESC/Java2 Definedness Checking: Preliminary Results
• Tested on 90+KLOC code + specs.
• 50+ errors detected in java.* API specs.
• Negligible overhead (preliminary).
• Did not overwhelm Simplify.– Could prove no less than before.
• Looking forward to using CVC3 backend: offers native support for new semantics.
Questions?