Article

Extended static checking for Java

Authors:
Cormac Flanagan

Microsoft Research, Redmond, WA

Microsoft Research, Redmond, WA
View Profile

,
K. Rustan M. Leino

Microsoft Research, Redmond, WA

Microsoft Research, Redmond, WA
View Profile

,
Mark Lillibridge

Compaq Systems Research, Palo Alto, CA

Compaq Systems Research, Palo Alto, CA
View Profile

,
Greg Nelson

Compaq Systems Research, Palo Alto, CA

Compaq Systems Research, Palo Alto, CA
View Profile

,
James B. Saxe

Compaq Systems Research, Palo Alto, CA

Compaq Systems Research, Palo Alto, CA
View Profile

,
Raymie Stata

Compaq Systems Research, Palo Alto, CA

Compaq Systems Research, Palo Alto, CA
View Profile

PLDI '02: Proceedings of the ACM SIGPLAN 2002 conference on Programming language design and implementationJune 2002Pages 234–245https://doi.org/10.1145/512529.512558

Published:17 May 2002Publication History

PLDI '02: Proceedings of the ACM SIGPLAN 2002 conference on Programming language design and implementation

Pages 234–245

ABSTRACT

Software development and maintenance are costly endeavors. The cost can be reduced if more software defects are detected earlier in the development cycle. This paper introduces the Extended Static Checker for Java (ESC/Java), an experimental compile-time program checker that finds common programming errors. The checker is powered by verification-condition generation and automatic theorem-proving techniques. It provides programmers with a simple annotation language with which programmer design decisions can be expressed formally. ESC/Java examines the annotated software and warns of inconsistencies between the design decisions recorded in the annotations and the actual code, and also warns of potential runtime errors in the code. This paper gives an overview of the checker architecture and annotation language and describes our experience applying the checker to tens of thousands of lines of Java programs.

References

T. Ball and S. K. Rajamani. Automatically validating temporal safety properties of interfaces. In M. B. Dwyer, editor, Proc. 8th SPIN Workshop, volume 2057 of LNCS, pages 103--122. Springer, May 2001]] Google ScholarDigital Library
J. R. Burch et al. Symbolic model checking: 1020 states and beyond. Information and Computation, 98(2):142--170, 1992]] Google ScholarDigital Library
W. R. Bush, J. D. Pincus, and D. J. Sielaff. A static analyzer for finding dynamic programming errors. SP&E, 30(7):775--802, June 2000]] Google ScholarDigital Library
N. Cataño and M. Huisman. Formal specification of Gemplus' electronic purse case study. In Proc. of Formal Methods Europe (FME 2002). Springer-Verlag, 2002. To Appear]]Google ScholarDigital Library
J. Corbett et al. Bandera: Extracting finite-state models from Java source code. In Proc. 22nd ICSE, June 2000]] Google ScholarDigital Library
P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proc. 4th POPL, pages 238--252. ACM, 1977]] Google ScholarDigital Library
R. DeLine and M. Fähndrich. Enforcing high-level protocols in low-level software. In Proc. PLDI 2001, pages 59--69, 2001]] Google ScholarDigital Library
D. L. Detlefs, K. R. M. Leino, G. Nelson, and J. B. Saxe. Extended static checking. Research Report 159, Compaq SRC, Dec. 1998]]Google Scholar
D. L. Detlefs, G. Nelson, and J. B. Saxe. A theorem prover for program checking. Research Report 178, Compaq SRC, 2002. In preparation]]Google Scholar
E. W. Dijkstra. A Discipline of Programming. Prentice Hall, Englewood Cliffs, NJ, 1976]] Google ScholarDigital Library
M. Dwyer, J. Hatcliff, and R. Howell. CIS 771: Software specification. Kansas State Univ., Dept. of Comp. and Inf. Sciences, Spring 2001]]Google Scholar
D. Engler et al. Bugs as deviant behavior: A general approach to inferring errors in systems code. In Proc. 18th SOSP, pages 57--72. ACM, 2001]] Google ScholarDigital Library
M. D. Ernst et al. Dynamically discovering likely program invariants to support program evolution. In Proc. ICSE 1999, pages 213--224. ACM, 1999]] Google ScholarDigital Library
Escher Technologies, Inc. Getting started with Perfect. Available from www.eschertech.com, 2001]]Google Scholar
D. Evans, J. V. Guttag, J. J. Horning, and Y. M. Tan. LCLint: A tool for using specifications to check code. In D. S. Wile, editor, Proc. 2nd SIGSOFT FSE, pages 87--96. ACM, 1994]] Google ScholarDigital Library
C. Flanagan, R. Joshi, and K. R. M. Leino. Annotation inference for modular checkers. Inf. Process. Lett., 77(2--4):97--108, Feb. 2001]] Google ScholarDigital Library
C. Flanagan and K. R. M. Leino. Houdini, an annotation assistant for ESC/Java. In J. N. Oliveira and P. Zave, editors, FME 2001: Formal Methods for Increasing Software Productivity, volume 2021 of LNCS, pages 500--517. Springer, Mar. 2001]] Google ScholarDigital Library
C. Flanagan and S. Qadeer. Predicate abstraction for software verification. In Proc. 29th POPL, page to appear. ACM, Jan. 2002]] Google ScholarDigital Library
C. Flanagan and J. B. Saxe. Avoiding exponential explosion: Generating compact verification conditions. In Proc. 28th POPL, pages 193--205. ACM, 2001]] Google ScholarDigital Library
S. Graf and H. Saïdi. Construction of abstract state graphs via PVS. In O. Grumberg, editor, Proc. 9th CAV, volume 1254 of LNCS, pages 72--83. Springer, 1997]] Google ScholarDigital Library
A. Heydon and M. A. Najork. Mercator: A scalable, extensible web crawler. World Wide Web, 2(4):219--229, Dec. 1999]] Google ScholarDigital Library
C. A. R. Hoare. Proof of correctness of data representations. Acta Inf., 1(4):271--81, 1972]]Google ScholarDigital Library
S. C. Johnson. Lint, a C program checker. Comp. Sci. Tech. Rep. 65, Bell Laboratories, 1978]]Google Scholar
B. W. Lampson, J. J. Horning, R. L. London, J. G. Mitchell, and G. J. Popek. Report on the programming language Euclid. Technical Report CSL-81-12, Xerox PARC, Oct. 1981]]Google Scholar
G. T. Leavens, A. L. Baker, and C. Ruby. Preliminary design of JML: A behavioral interface specification language for Java. Technical Report 98-06f, Dept. of Comp. Sci., Iowa State Univ., July 1999]]Google Scholar
G. T. Leavens, K. R. M. Leino, E. Poll, C. Ruby, and B. Jacobs. JML: notations and tools supporting detailed design in Java. In OOPSLA 2000 Companion, pages 105--106. ACM, 2000]] Google ScholarDigital Library
K. R. M. Leino. Ecstatic: An object-oriented programming language with an axiomatic semantics. In FOOL 4, 1997]]Google Scholar
K. R. M. Leino. Data groups: Specifying the modification of extended state. In Proc. OOPSLA '98, pages 144--153. ACM, 1998]] Google ScholarDigital Library
K. R. M. Leino. Applications of extended static checking. In P. Cousot, editor, 8th Intl. Static Analysis Symp., volume 2126 of LNCS, pages 185--193. Springer, July 2001]] Google ScholarDigital Library
K. R. M. Leino. Extended static checking: A ten-year perspective. In R. Wilhelm, editor, Informatics---10 Years Back, 10 Years Ahead, volume 2000 of LNCS, pages 157--175. Springer, Jan. 2001]] Google ScholarDigital Library
K. R. M. Leino and R. Manohar. Joining specification statements. Theoretical Comp. Sci., 216(1--2):375--394, Mar. 1999]] Google ScholarDigital Library
K. R. M. Leino and G. Nelson. Data abstraction and information hiding. Research Report 160, Compaq SRC, Nov. 2000]]Google Scholar
K. R. M. Leino, G. Nelson, and J. B. Saxe. ESC/Java user's manual. Tech. Note 2000-002, Compaq SRC, Oct. 2000]]Google Scholar
K. R. M. Leino, A. Poetzsch-Heffter, and Y. Zhou. Using data groups to specify and check side effects. In Proc. PLDI 2002, 2002]] Google ScholarDigital Library
K. R. M. Leino, J. B. Saxe, and R. Stata. Checking Java programs via guarded commands. In B. Jacobs et al., editor, Formal Techniques for Java Programs, Tech. Report 251. Fernuniversität Hagen, May 1999]]Google Scholar
K. R. M. Leino and R. Stata. Checking object invariants. Tech. Note 1997-007, DEC SRC, Jan. 1997]]Google Scholar
B. Meyer. Object-oriented software construction. Series in Computer Science. Prentice-Hall Intl., 1988]] Google ScholarDigital Library
T. Millstein. Toward more informative ESC/Java warning messages. In J. Mason, editor, Selected 1999 SRC summer intern reports, Tech. Note 1999-003. Compaq SRC, 1999]]Google Scholar
P. Müller, A. Poetzsch-Heffter, and G. T. Leavens. Modular specification of frame properties in JML. Technical Report 02-02, Dept. of Comp. Sci., Iowa State Univ., Feb. 2002. To appear in Concurrency, Practice and Experience]]Google Scholar
J. W. Nimmer and M. D. Ernst. Automatic generation and checking of program specifications. Technical Report 823, MIT Lab for Computer Science, Aug. 2001]]Google Scholar
S. Owre, S. Rajan, J. M. Rushby, N. Shankar, and M. K. Srivas. PVS: Combining specification, proof checking, and model checking. In R. Alur and T. A. Henzinger, editors, Proc. 8th CAV, volume 1102 of LNCS, pages 411--414. Springer, 1996]] Google ScholarDigital Library
E. Poll, J. van~den Berg, and B. Jacobs. Specification of the JavaCard API in JML. In J. Domingo-Ferrer, D. Chan, and A. Watson, editors, Fourth Smart Card Research and Advanced Application Conference (CARDIS'2000), pages 135--154. Kluwer Acad. Publ., 2000]] Google ScholarDigital Library
N. Sterling. WARLOCK --- a static data race analysis tool. In Proc. Winter 1993 USENIX Conf., pages 97--106. USENIX Assoc., Jan. 1993]]Google Scholar
M. Turin, A. Deutsch, and G. Gonthier. La verification des programmes d'ariane. Pour la Science, 243:21--22, Jan. 1998. (In French)]]Google Scholar
J. van~den Berg and B. Jacobs. The LOOP compiler for Java and JML. In Proc. TACAS, volume 2031 of LNCS, pages 299--312. Springer, 2001]] Google ScholarDigital Library
W. Visser, K. Havelund, G. Brat, and S. Park. Model checking programs. In International Conference on Automated Software Engineering, Sept. 2000]] Google ScholarDigital Library
J. M. Wing. A Two-Tiered Approach to Specifying Programs. PhD thesis, MIT Laboratory for Computer Science, May 1983. (Available as MIT LCS tech. report no. 229)]] Google ScholarDigital Library
J. B. Wordsworth. Software Engineering with B. Addison-Wesley, 1996]] Google ScholarDigital Library
H. Xi. Imperative programming with dependent types. In Proc. 15th LICS, pages 375--387, June 2000]] Google ScholarDigital Library
H. Xi and F. Pfenning. Dependent types in practical programming. In Proc. 26th POPL, pages 214--227. ACM, Jan. 1999]] Google ScholarDigital Library

Index Terms

Extended static checking for Java

Recommendations

Extended static checking for Java

Software development and maintenance are costly endeavors. The cost can be reduced if more software defects are detected earlier in the development cycle. This paper introduces the Extended Static Checker for Java (ESC/Java), an experimental compile-...
Read More
Faster and More Complete Extended Static Checking for the Java Modeling Language

Extended Static Checking (ESC) is a fully automated formal verification technique. Verification in ESC is achieved by translating programs and their specifications into verification conditions (VCs). Proof of a VC establishes the correctness of the ...
Read More
Extended static checking in JML4: benefits of multiple-prover support
SAC '09: Proceedings of the 2009 ACM symposium on Applied Computing

The implementations of many seemingly simple algorithms are beyond the ability of traditional Extended Static Checking (ESC) tools to verify. Not being able to verify toy examples is often enough to turn users off of the idea of using formal methods. ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
PLDI '02: Proceedings of the ACM SIGPLAN 2002 conference on Programming language design and implementation
June 2002
338 pages
ISBN:1581134630
DOI:10.1145/512529
General Chair:
Jens Knoop
Universität Dortmund, Germany
,
Program Chair:
Laurie J. Hendren
McGill University, Canada
ACM SIGPLAN Notices Volume 37, Issue 5
May 2002
326 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/543552
Issue’s Table of Contents
Copyright © 2002 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 17 May 2002
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
compile-time program checking
Qualifiers
- Article
Conference

Acceptance Rates
PLDI '02 Paper Acceptance Rate28of169submissions,17%Overall Acceptance Rate406of2,067submissions,20%
More
Upcoming Conference
PLDI '24

Sponsor:

sigplan

ACM SIGPLAN Conference on Programming Language Design and Implementation

June 24 - 28, 2024

Copenhagen , Denmark
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 1,007
  Total Citations
  View Citations
- 3,804
  Total Downloads
- Downloads (Last 12 months)96
- Downloads (Last 6 weeks)6
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Extended static checking for Java

PLDI '02: Proceedings of the ACM SIGPLAN 2002 conference on Programming language design and implementation

ABSTRACT

References

Cited By

Index Terms

Recommendations

Extended static checking for Java

Faster and More Complete Extended Static Checking for the Java Modeling Language

Extended static checking in JML4: benefits of multiple-prover support