Jonathan KuhnRobin MangeEPFL-SSC

Compaq Systems Research CenterFlanagan, Leino, Lillibridge, Nelson, Saxe and Stata

Software developement and maintenance are expensive tasks

Detecting errors at early stage using static checkers can improve productivity

This paper discusses about one of those, called ESC/Java

ESC/Java is a compile time checker featuring VC generation and automatic TP techniques

It provides a simple annotation language to users

It is a « static » and « extended » checker

Objectives:

To produce a cost-effective tool that catches as many errors as possible

In between common type checkers and full program verifiers

Providing Modular Checking

Modular Checking allows checking of single pieces of code

Annotations are required to provide specifications

Ideal Static Checker attributes:SoundnessCompleteness

Trade-off on both to remain cost-effective

1: class Bag { 2: int size ;3: Int[ ] elements;4:5: Bag(int[ ] input) { 6: size = input .length ;7: elements = new int[size] ;8: System.arraycopy(input , 0, elements, 0, size) ;9: } 10:11: int extractMin() { 12: int min = Integer.MAX VALUE ;13: int minIndex = 0;14: for (int i= 1; i <= size ; i++) { 15: if (elements[i ] < min) { 16: min = elements[i] ;17: minIndex = i ;18: } 19: } 20: size−−;21: elements[minIndex]= elements[size] ;22: return min ;23: } 24: }

1: class Bag { 2: int size ;3: Int[ ] elements;4:5: Bag(int[ ] input) { 6: size = input .length ;7: elements = new int[size] ;8: System.arraycopy(input , 0, elements, 0, size) ;9: } 10:11: int extractMin() { 12: int min = Integer.MAX VALUE ;13: int minIndex = 0;14: for (int i= 1; i <= size ; i++) { 15: if (elements[i ] < min) { 16: min = elements[i] ;17: minIndex = i ;18: } 19: } 20: size−−;21: elements[minIndex]= elements[size] ;22: return min ;23: } 24: }

6: Warning: Possible null deference

15: Warning: Possible null deference / Array index possibly too large

21: Warning: Possible null deference / Possible negative Array index

1: class Bag { 2: int size ;3: Int[ ] elements;4:5: Bag(int[ ] input) { 6: size = input .length ;7: elements = new int[size] ;8: System.arraycopy(input , 0, elements, 0, size) ;9: } 10:11: int extractMin() { 12: int min = Integer.MAX VALUE ;13: int minIndex = 0;14: for (int i= 1; i <= size ; i++) { 15: if (elements[i ] < min) { 16: min = elements[i] ;17: minIndex = i ;18: } 19: } 20: size−−;21: elements[minIndex]= elements[size] ;22: return min ;23: } 24: }

//@ invariant 0<=size && size<=elements.length/*@non_null*/ int[] elements;

//@requires input!=null6: Warning: Possible null deference

15: Warning: Possible null deference / Array index possibly too large

21: Warning: Possible null deference / Possible negative Array index

Here is a schema of the steps performed by ESC/Java

Front End: act like normal compiler

Translator: AST => guarded commands(modular checking, loop unrolling)

VC Generator: generate verification conditions for each guarder commands.

Theorem Prover: TP is invoked for each routine using UBP & SBP

Design Made as Java-like as possible Captures design decision of the user Similar as JML annotations

Work similary as Jahob specification (ghost vars, routine specifications, invariant, …)

Potential problem: Could be too slow for interactive usage

Annoting appropriately during developpement saves time and catches errors earlier

Optimization made its use satisfactory and sufficient

Require about 50-100 annotations per thousand lines of code

Mercator: A part of the code failed on a null pointer array. This was missed during code review and took 6h for ESC/Java to catch it.

JavaFE: 3 weeks spent annoting the code permited to catch dozens of previouly undetected errors.

Can be extended static checker made automatic?

How simple can the annotation language be?

ESC/Java is easy to use and can detect significant software errors

The concept and the usage is similar to jahob

Thomas Wies (Software Engineering) Albert-Ludwigs-University Freiburg