Extended Static Checking for Java

Cormac Flanagan, K. Rustan M. Leino*, Mark Lillibridge, Greg Nelson, James B. Saxe, Raymie Stata
Compaq Systems Research Center, 130 Lytton Ave., Palo Alto, CA 94301, USA

* Current address: Microsoft Research, One Microsoft Way, Redmond, WA 98052.

ABSTRACT

Software development and maintenance are costly endeavors. The cost can be reduced if more software defects are detected earlier in the development cycle. This paper introduces the Extended Static Checker for Java (ESC/Java), an experimental compile-time program checker that finds common programming errors. The checker is powered by verification-condition generation and automatic theorem-proving techniques. It provides programmers with a simple annotation language with which programmer design decisions can be expressed formally. ESC/Java examines the annotated software and warns of inconsistencies between the design decisions recorded in the annotations and the actual code, and also warns of potential runtime errors in the code. This paper gives an overview of the checker architecture and annotation language and describes our experience applying the checker to tens of thousands of lines of Java programs.

Categories and Subject Descriptors
D.2.1 [Software Engineering]: Requirements/Specifications; D.2.4 [Software Engineering]: Program Verification

General Terms
Design, Documentation, Verification

Keywords
Compile-time program checking

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. PLDI'02, June 17-19, 2002, Berlin, Germany. Copyright 2002 ACM 1-58113-463-0/02/0006 ... $5.00.

1. INTRODUCTION

Over the last decade, our group at the Systems Research Center has built and experimented with two realizations of a new program checking technology that we call extended static checking (ESC): static because the checking is performed without running the program, and extended because ESC catches more errors than are caught by conventional static checkers such as type checkers. ESC uses an automatic theorem-prover to reason about the semantics of programs, which allows ESC to give static warnings about many errors that are caught at runtime by modern programming languages (null dereferences, array bounds errors, type cast errors, etc.). It also warns about synchronization errors in concurrent programs (race conditions, deadlocks).

[Figure 1: Static checkers plotted along the two dimensions coverage and effort (not to scale). Axes: coverage (vertical), effort (horizontal); plotted points: type checking, extended static checking, program verification; a "decidability ceiling" is marked.]