1
Extended Static Checking for Java
Compaq Systems Research Center: Flanagan, Leino,
Lillibridge, Nelson, Saxe and Stata
  • Jonathan Kuhn
  • Robin Mange
  • EPFL-SSC

2
Introduction
  • Software development and maintenance are
    expensive tasks
  • Detecting errors early with static checkers
    can improve productivity
  • This paper presents one such checker,
    ESC/Java

3
Introduction
  • ESC/Java is a compile-time checker built on
    verification-condition (VC) generation and
    automatic theorem-proving (TP) techniques
  • It offers users a simple annotation language
  • It is a "static" checker (it never runs the
    program) and an "extended" one (it checks more
    than a type checker does, e.g. null dereferences
    and array bounds)

4
Introduction
  • Objectives:
    • Produce a cost-effective tool that catches
      as many errors as possible
    • Sit between common type checkers and full
      program verifiers in both power and cost
    • Provide modular checking

5
Introduction
  • Modular checking: each routine is checked on
    its own, using only the specifications of the
    routines it calls rather than their bodies
  • Annotations are therefore required to supply
    those specifications
  • Attributes of an ideal static checker:
    • Soundness: every error in the program is
      reported (no missed errors)
    • Completeness: every warning is a real error
      (no spurious warnings)
  • ESC/Java deliberately gives up some of both
    (it is neither sound nor complete) to remain
    cost-effective

6
Example
     1  class Bag {
     2    int size;
     3    int[] elements;
     4
     5    Bag(int[] input) {
     6      size = input.length;
     7      elements = new int[size];
     8      System.arraycopy(input, 0, elements, 0, size);
     9    }
    10
    11    int extractMin() {
    12      int min = Integer.MAX_VALUE;
    13      int minIndex = 0;
    14      for (int i = 1; i <= size; i++) {
    15        if (elements[i] < min) {
    16          min = elements[i];
    17          minIndex = i;
    18        }
    19      }
            // remainder of extractMin not shown on the slide

7
Example
  • Running ESC/Java on the unannotated Bag class
    above reports:
      Line 6:  Warning: Possible null dereference
      Line 15: Warning: Possible null dereference
      Line 15: Warning: Array index possibly too large
  • Line 6 dereferences the parameter input, and
    line 15 dereferences elements and indexes it
    with i; without annotations the checker knows
    nothing about either reference being non-null
    or about how size relates to elements.length

8
Example
  • Annotations added to the Bag class (ESC/Java
    annotations are Java comments starting with @):
     2    int size;
     3    /*@ non_null */ int[] elements;
          //@ invariant 0 <= size && size <= elements.length;
     4
          //@ requires input != null;
     5    Bag(int[] input) {
          (remaining lines unchanged)
  • The requires clause and the non_null modifier
    address the null-dereference warnings on lines 6
    and 15; the invariant relates size to
    elements.length, so the "Array index possibly
    too large" warning on line 15 now points at the
    loop bound i <= size: the loop runs i up to size
    inclusive, and elements[size] is out of bounds

9
Architecture
  • Front end: parses and type-checks the source
    like a normal compiler, producing an abstract
    syntax tree (AST)
  • Translator: AST -> guarded commands; routine
    calls are replaced by the callees'
    specifications (modular checking) and loops are
    unrolled a fixed number of times
  • VC generator: computes a verification condition
    for each guarded command, one per routine
  • Theorem prover: the TP is invoked on each
    routine's VC together with the universal
    background predicate (UBP), which axiomatizes
    Java's semantics, and a specific background
    predicate (SBP) describing the classes involved
  • (The slide shows a diagram of these four steps
    performed by ESC/Java.)
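To make the pipeline on this slide concrete, here is an added example in Python; it is not ESC/Java's code and does not come from the paper or the presenters. It models the extractMin loop of the Bag example as guarded commands (assume, assert, assignment, sequence, nondeterministic choice), generates the verification condition as a weakest precondition, and stands in for the automatic theorem prover by evaluating that VC over a small finite domain. The state variables size, length (for elements.length) and nonnull, the domain 0..3 and the unroll depth are modelling assumptions; a real prover reasons symbolically over unbounded values.

```python
from itertools import product

# A predicate is a function state -> bool and an expression a function
# state -> value, where a state is a dict of variable values.  Each guarded
# command is represented directly by its weakest-precondition transformer:
# cmd(Q) is the predicate that must hold before cmd for Q to hold after it.

def assume(c):
    """assume c: execution paths on which c is false are not checked."""
    return lambda Q: (lambda s: (not c(s)) or Q(s))

def assert_(c):
    """assert c: c must hold here, and Q must hold afterwards."""
    return lambda Q: (lambda s: c(s) and Q(s))

def assign(var, e):
    """var := e"""
    return lambda Q: (lambda s: Q({**s, var: e(s)}))

def seq(*cmds):
    """S1 ; S2 ; ... ; Sn"""
    def wp(Q):
        for cmd in reversed(cmds):
            Q = cmd(Q)
        return Q
    return wp

def choice(*cmds):
    """S1 [] S2 ...: nondeterministic choice; every branch must establish Q."""
    return lambda Q: (lambda s: all(cmd(Q)(s) for cmd in cmds))

def unroll(cond, body, k):
    """ESC/Java-style loop unrolling: the first k iterations are checked and
    the loop condition is then assumed false, so any later iteration is simply
    not examined (one of the checker's deliberate unsoundnesses)."""
    if k == 0:
        return assume(lambda s: not cond(s))
    return choice(assume(lambda s: not cond(s)),
                  seq(assume(cond), body, unroll(cond, body, k - 1)))

def prove(vc, domain):
    """Stand-in for the automatic theorem prover: evaluate the VC over every
    state of a small finite domain (an assumption of this model) and return
    the first counterexample state, or None when the VC holds throughout."""
    names = list(domain)
    for values in product(*(domain[n] for n in names)):
        state = dict(zip(names, values))
        if not vc(state):
            return state
    return None

# --- the extractMin loop of the Bag example -----------------------------------
# Modelling assumption: the state holds size, length (elements.length) and
# nonnull (elements != null); the loop index i is introduced by assignment.
# The run-time checks Java performs on elements[i] become explicit asserts,
# which is what ESC/Java's translator does when producing guarded commands.

LOOP_BODY = seq(
    assert_(lambda s: s["nonnull"]),                  # elements[i]: null check
    assert_(lambda s: 0 <= s["i"] < s["length"]),     # elements[i]: bounds check
    assign("i", lambda s: s["i"] + 1),                # i++
)

def buggy_cond(s):   # for (int i = 1; i <= size; i++)
    return s["i"] <= s["size"]

def fixed_cond(s):   # for (int i = 0; i < size; i++)
    return s["i"] < s["size"]

# The annotations from the slide (invariant 0 <= size <= elements.length and
# non_null elements) become an assumption at routine entry.
ANNOTATED = assume(lambda s: 0 <= s["size"] <= s["length"] and s["nonnull"])
UNANNOTATED = assume(lambda s: True)

DOMAIN = {"size": range(0, 4), "length": range(0, 4), "nonnull": (False, True)}

def check_extract_min(start, cond, precondition, unroll_depth=3):
    """Build the routine as a guarded command, generate its VC (postcondition
    True: only the embedded asserts matter) and ask the prover for a
    counterexample.  Returns None when no check can fail."""
    routine = seq(precondition, assign("i", lambda s: start),
                  unroll(cond, LOOP_BODY, unroll_depth))
    return prove(routine(lambda s: True), DOMAIN)

if __name__ == "__main__":
    print("unannotated, buggy loop  :", check_extract_min(1, buggy_cond, UNANNOTATED))
    print("annotated, buggy loop    :", check_extract_min(1, buggy_cond, ANNOTATED))
    print("annotated, fixed loop    :", check_extract_min(0, fixed_cond, ANNOTATED))
    print("annotated, buggy, depth 0:", check_extract_min(1, buggy_cond, ANNOTATED, 0))
```

The four runs reproduce the slides' story: without annotations the prover finds a state with elements null; with the invariant and non_null the only remaining counterexample is size == length, where i reaches size and elements[size] is out of bounds; with the loop bound fixed no assert can fail. The last run, with unroll depth 0, returns no counterexample even though the bug is still there, which is the soundness trade-off of loop unrolling in concrete form.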

10
Annotation Language
  • Design:
    • Made as Java-like as possible
    • Captures the design decisions of the user
    • Similar to JML annotations
    • Works much like Jahob specifications (ghost
      variables, routine specifications, invariants, ...)

11
Performance
  • Potential problem: checking could be too slow
    for interactive use
  • Annotating as the code is written saves time
    and catches errors earlier
  • Optimizations made its performance satisfactory
    in practice
  • About 50-100 annotations are needed per
    thousand lines of code

12
Experiences
  • Mercator: part of the code failed on a null
    array reference. The error had been missed
    during code review; ESC/Java caught it within
    about six hours.
  • JavaFE: three weeks spent annotating the code
    allowed dozens of previously undetected errors
    to be caught.

13
Related Work
  • Can an extended static checker be made fully
    automatic, i.e. without user-written annotations?
  • How simple can the annotation language be made?

14
Conclusion
  • ESC/Java is easy to use and can detect
    significant software errors
  • Its concepts and usage are similar to Jahob's

15
Comparison of ESC/Java and Jahob
Thomas Wies (Software Engineering)
Albert-Ludwigs-University Freiburg