Abstract
Software development and maintenance are costly endeavors. The cost can be reduced if more software defects are detected earlier in the development cycle. This paper introduces the Extended Static Checker for Java (ESC/Java), an experimental compile-time program checker that finds common programming errors. The checker is powered by verification-condition generation and automatic theorem-proving techniques. It provides programmers with a simple annotation language with which programmer design decisions can be expressed formally. ESC/Java examines the annotated software and warns of inconsistencies between the design decisions recorded in the annotations and the actual code, and also warns of potential runtime errors in the code. This paper gives an overview of the checker architecture and annotation language and describes our experience applying the checker to tens of thousands of lines of Java programs.
- T. Ball and S. K. Rajamani. Automatically validating temporal safety properties of interfaces. In M. B. Dwyer, editor, Proc. 8th SPIN Workshop, volume 2057 of LNCS, pages 103--122. Springer, May 2001]] Google ScholarDigital Library
- J. R. Burch et al. Symbolic model checking: 1020 states and beyond. Information and Computation, 98(2):142--170, 1992]] Google ScholarDigital Library
- W. R. Bush, J. D. Pincus, and D. J. Sielaff. A static analyzer for finding dynamic programming errors. SP&E, 30(7):775--802, June 2000]] Google ScholarDigital Library
- N. Cataño and M. Huisman. Formal specification of Gemplus' electronic purse case study. In Proc. of Formal Methods Europe (FME 2002). Springer-Verlag, 2002. To Appear]]Google ScholarDigital Library
- J. Corbett et al. Bandera: Extracting finite-state models from Java source code. In Proc. 22nd ICSE, June 2000]] Google ScholarDigital Library
- P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proc. 4th POPL, pages 238--252. ACM, 1977]] Google ScholarDigital Library
- R. DeLine and M. Fähndrich. Enforcing high-level protocols in low-level software. In Proc. PLDI 2001, pages 59--69, 2001]] Google ScholarDigital Library
- D. L. Detlefs, K. R. M. Leino, G. Nelson, and J. B. Saxe. Extended static checking. Research Report 159, Compaq SRC, Dec. 1998]]Google Scholar
- D. L. Detlefs, G. Nelson, and J. B. Saxe. A theorem prover for program checking. Research Report 178, Compaq SRC, 2002. In preparation]]Google Scholar
- E. W. Dijkstra. A Discipline of Programming. Prentice Hall, Englewood Cliffs, NJ, 1976]] Google ScholarDigital Library
- M. Dwyer, J. Hatcliff, and R. Howell. CIS 771: Software specification. Kansas State Univ., Dept. of Comp. and Inf. Sciences, Spring 2001]]Google Scholar
- D. Engler et al. Bugs as deviant behavior: A general approach to inferring errors in systems code. In Proc. 18th SOSP, pages 57--72. ACM, 2001]] Google ScholarDigital Library
- M. D. Ernst et al. Dynamically discovering likely program invariants to support program evolution. In Proc. ICSE 1999, pages 213--224. ACM, 1999]] Google ScholarDigital Library
- Escher Technologies, Inc. Getting started with Perfect. Available from www.eschertech.com, 2001]]Google Scholar
- D. Evans, J. V. Guttag, J. J. Horning, and Y. M. Tan. LCLint: A tool for using specifications to check code. In D. S. Wile, editor, Proc. 2nd SIGSOFT FSE, pages 87--96. ACM, 1994]] Google ScholarDigital Library
- C. Flanagan, R. Joshi, and K. R. M. Leino. Annotation inference for modular checkers. Inf. Process. Lett., 77(2--4):97--108, Feb. 2001]] Google ScholarDigital Library
- C. Flanagan and K. R. M. Leino. Houdini, an annotation assistant for ESC/Java. In J. N. Oliveira and P. Zave, editors, FME 2001: Formal Methods for Increasing Software Productivity, volume 2021 of LNCS, pages 500--517. Springer, Mar. 2001]] Google ScholarDigital Library
- C. Flanagan and S. Qadeer. Predicate abstraction for software verification. In Proc. 29th POPL, page to appear. ACM, Jan. 2002]] Google ScholarDigital Library
- C. Flanagan and J. B. Saxe. Avoiding exponential explosion: Generating compact verification conditions. In Proc. 28th POPL, pages 193--205. ACM, 2001]] Google ScholarDigital Library
- S. Graf and H. Saïdi. Construction of abstract state graphs via PVS. In O. Grumberg, editor, Proc. 9th CAV, volume 1254 of LNCS, pages 72--83. Springer, 1997]] Google ScholarDigital Library
- A. Heydon and M. A. Najork. Mercator: A scalable, extensible web crawler. World Wide Web, 2(4):219--229, Dec. 1999]] Google ScholarDigital Library
- C. A. R. Hoare. Proof of correctness of data representations. Acta Inf., 1(4):271--81, 1972]]Google ScholarDigital Library
- S. C. Johnson. Lint, a C program checker. Comp. Sci. Tech. Rep. 65, Bell Laboratories, 1978]]Google Scholar
- B. W. Lampson, J. J. Horning, R. L. London, J. G. Mitchell, and G. J. Popek. Report on the programming language Euclid. Technical Report CSL-81-12, Xerox PARC, Oct. 1981]]Google Scholar
- G. T. Leavens, A. L. Baker, and C. Ruby. Preliminary design of JML: A behavioral interface specification language for Java. Technical Report 98-06f, Dept. of Comp. Sci., Iowa State Univ., July 1999]]Google Scholar
- G. T. Leavens, K. R. M. Leino, E. Poll, C. Ruby, and B. Jacobs. JML: notations and tools supporting detailed design in Java. In OOPSLA 2000 Companion, pages 105--106. ACM, 2000]] Google ScholarDigital Library
- K. R. M. Leino. Ecstatic: An object-oriented programming language with an axiomatic semantics. In FOOL 4, 1997]]Google Scholar
- K. R. M. Leino. Data groups: Specifying the modification of extended state. In Proc. OOPSLA '98, pages 144--153. ACM, 1998]] Google ScholarDigital Library
- K. R. M. Leino. Applications of extended static checking. In P. Cousot, editor, 8th Intl. Static Analysis Symp., volume 2126 of LNCS, pages 185--193. Springer, July 2001]] Google ScholarDigital Library
- K. R. M. Leino. Extended static checking: A ten-year perspective. In R. Wilhelm, editor, Informatics---10 Years Back, 10 Years Ahead, volume 2000 of LNCS, pages 157--175. Springer, Jan. 2001]] Google ScholarDigital Library
- K. R. M. Leino and R. Manohar. Joining specification statements. Theoretical Comp. Sci., 216(1--2):375--394, Mar. 1999]] Google ScholarDigital Library
- K. R. M. Leino and G. Nelson. Data abstraction and information hiding. Research Report 160, Compaq SRC, Nov. 2000]]Google Scholar
- K. R. M. Leino, G. Nelson, and J. B. Saxe. ESC/Java user's manual. Tech. Note 2000-002, Compaq SRC, Oct. 2000]]Google Scholar
- K. R. M. Leino, A. Poetzsch-Heffter, and Y. Zhou. Using data groups to specify and check side effects. In Proc. PLDI 2002, 2002]] Google ScholarDigital Library
- K. R. M. Leino, J. B. Saxe, and R. Stata. Checking Java programs via guarded commands. In B. Jacobs et al., editor, Formal Techniques for Java Programs, Tech. Report 251. Fernuniversität Hagen, May 1999]]Google Scholar
- K. R. M. Leino and R. Stata. Checking object invariants. Tech. Note 1997-007, DEC SRC, Jan. 1997]]Google Scholar
- B. Meyer. Object-oriented software construction. Series in Computer Science. Prentice-Hall Intl., 1988]] Google ScholarDigital Library
- T. Millstein. Toward more informative ESC/Java warning messages. In J. Mason, editor, Selected 1999 SRC summer intern reports, Tech. Note 1999-003. Compaq SRC, 1999]]Google Scholar
- P. Müller, A. Poetzsch-Heffter, and G. T. Leavens. Modular specification of frame properties in JML. Technical Report 02-02, Dept. of Comp. Sci., Iowa State Univ., Feb. 2002. To appear in Concurrency, Practice and Experience]]Google Scholar
- J. W. Nimmer and M. D. Ernst. Automatic generation and checking of program specifications. Technical Report 823, MIT Lab for Computer Science, Aug. 2001]]Google Scholar
- S. Owre, S. Rajan, J. M. Rushby, N. Shankar, and M. K. Srivas. PVS: Combining specification, proof checking, and model checking. In R. Alur and T. A. Henzinger, editors, Proc. 8th CAV, volume 1102 of LNCS, pages 411--414. Springer, 1996]] Google ScholarDigital Library
- E. Poll, J. van~den Berg, and B. Jacobs. Specification of the JavaCard API in JML. In J. Domingo-Ferrer, D. Chan, and A. Watson, editors, Fourth Smart Card Research and Advanced Application Conference (CARDIS'2000), pages 135--154. Kluwer Acad. Publ., 2000]] Google ScholarDigital Library
- N. Sterling. WARLOCK --- a static data race analysis tool. In Proc. Winter 1993 USENIX Conf., pages 97--106. USENIX Assoc., Jan. 1993]]Google Scholar
- M. Turin, A. Deutsch, and G. Gonthier. La verification des programmes d'ariane. Pour la Science, 243:21--22, Jan. 1998. (In French)]]Google Scholar
- J. van~den Berg and B. Jacobs. The LOOP compiler for Java and JML. In Proc. TACAS, volume 2031 of LNCS, pages 299--312. Springer, 2001]] Google ScholarDigital Library
- W. Visser, K. Havelund, G. Brat, and S. Park. Model checking programs. In International Conference on Automated Software Engineering, Sept. 2000]] Google ScholarDigital Library
- J. M. Wing. A Two-Tiered Approach to Specifying Programs. PhD thesis, MIT Laboratory for Computer Science, May 1983. (Available as MIT LCS tech. report no. 229)]] Google ScholarDigital Library
- J. B. Wordsworth. Software Engineering with B. Addison-Wesley, 1996]] Google ScholarDigital Library
- H. Xi. Imperative programming with dependent types. In Proc. 15th LICS, pages 375--387, June 2000]] Google ScholarDigital Library
- H. Xi and F. Pfenning. Dependent types in practical programming. In Proc. 26th POPL, pages 214--227. ACM, Jan. 1999]] Google ScholarDigital Library
Index Terms
- Extended static checking for Java
Recommendations
Extended static checking for Java
PLDI '02: Proceedings of the ACM SIGPLAN 2002 conference on Programming language design and implementationSoftware development and maintenance are costly endeavors. The cost can be reduced if more software defects are detected earlier in the development cycle. This paper introduces the Extended Static Checker for Java (ESC/Java), an experimental compile-...
Faster and More Complete Extended Static Checking for the Java Modeling Language
Extended Static Checking (ESC) is a fully automated formal verification technique. Verification in ESC is achieved by translating programs and their specifications into verification conditions (VCs). Proof of a VC establishes the correctness of the ...
Comments