"Formal Verification in Java" by Shura Iline, Vladimir Ivanov @ JEEConf 2013, Kiev, Ukraine
Slide 1. Formal verification methods

Slide 2. Formal verification methods… in Java 8

Slide 3. Formal verification methods… in Java 8… and in general...

Slide 4. Speakers
Vladimir Ivanov, HotSpot JVM developer
Alexander Iline, Oracle JDK test architect
Role play: the hardcore developer vs. the troll from the QA department

Slide 5. Two views
"Program testing can be used to show the presence of bugs, but never to show their absence."
[“Structured programming”, Dahl O.J., Dijkstra E.W. and Hoare C.A.R.] (1972)
"[When] you have given the proof of [a program's] correctness, … [you] can dispense with testing altogether."
[“Software engineering”, Naur P., Randell B.] (1969)
Slide 6. Testing is
Running the tested software
– in different environments
– with different data
in an attempt to
– Certify conformance
– Prove program correctness
– Prove incorrectness

Slide 7. Just a few years after “Structured programming” ...
"We prove … that properly structured tests are capable of demonstrating the absence of errors in a program."
[“Toward a Theory of Test Data Selection”, John B. Goodenough, Susan L. Gerhart] (1975)
Fundamental Test Theorem

Slide 8. Fundamental Test Theorem
Program F(d) for domain D
Requirements: OUT(d, F(d)) = OK(d)
Data selection criterion: C

$$\mathrm{COMPLETE}(T, C) = \big(\forall d \in T\ \mathrm{OK}(d) \Rightarrow \forall d \in D\ \mathrm{OK}(d)\big) \lor \big(\forall d \in T\ \neg\mathrm{OK}(d) \Rightarrow \forall d \in D\ \neg\mathrm{OK}(d)\big)$$

$$\mathrm{SUCCESSFUL}(T) = \forall t \in T\ \mathrm{OK}(t)$$

$$\mathrm{RELIABLE}(C) = (\forall T_1, T_2 \subset D)\ \mathrm{COMPLETE}(T_1, C) \land \mathrm{COMPLETE}(T_2, C) \Rightarrow \big(\mathrm{SUCCESSFUL}(T_1) \equiv \mathrm{SUCCESSFUL}(T_2)\big)$$

$$\mathrm{VALID}(C) = \forall d \in D\ \neg\mathrm{OK}(d) \Rightarrow (\exists T \subseteq D)\big(\mathrm{COMPLETE}(T, C) \land \neg\mathrm{SUCCESSFUL}(T)\big)$$

$$\exists T \subseteq D,\ \exists C\ \big(\mathrm{COMPLETE}(T, C) \land \mathrm{RELIABLE}(C) \land \mathrm{VALID}(C) \land \mathrm{SUCCESSFUL}(T)\big) \Rightarrow \forall d \in D\ \mathrm{OK}(d)$$

Slide 9. But wait! It's not over yet!
"I hope to have convinced you that by its very nature responsible system design and development must be an activity of an undeniably mathematical nature.
… programming became an industrial activity at a moment that the American manager was extremely fearful of relying on the education and the intelligence of his company's employees. And management tried to organize the industrial programming task in such a way that each individual programmer would need to think as little as possible."
[“Why correctness must be a mathematical concern”, E. W. Dijkstra] (1979)

Slide 10. But wait! It's not over yet!
"Arrogance in computer science is measured in nano-Dijkstras." Alan Kay

Slide 11. But wait! It's not over yet!
"Arrogance in computer science is measured in nano-Dijkstras." Alan Kay
"… and micro-Kays." Unknown source ;-)
Slide 12. Testing is (dynamic)
Running the tested software
– in different environments
– with different data
in an attempt to
– Certify conformance
– Prove program correctness (requires formal proof)
– Prove program incorrectness (practically)

Slide 13. Static testing is
Analysis of artifacts
– source code
– binaries
– data files
in an attempt to
– discover errors
– identify suspicious patterns
– verify conformance of the artifacts

Slide 14. Static testing includes
● Using static analyzers
– Big number of false positives
● Code reviews
– Tedious manual work
– Many errors missed
– Not formalizable

Slide 15. What defects could be found by dynamic testing
Any defect! You just need to invent enough tests :)
only ...
It may take an indefinite number of tests.
So testing is, effectively, endless.

Slide 16. What defects could be found by static testing
Any defect! You just need to look at the whole source long enough
only ...
You cannot know which ones you are detecting
and
You never know how many are left.

Slide 17. What defects are hard to find by dynamic testing
● Intermittent problems
– You may just have missed it
● Platform/environment specific problems
– You just may not have the environment

Slide 18. What defects are hard to find by static analysis
● Bugs in deep and wide class inheritance
– Virtual methods are resolved at runtime
● Bugs in modular systems
– Many modules implement the same features, modules are registered somewhere, etc.
– Same reason: modules are registered at runtime
Slide 19. Formal verification is
Formal verification is the act of proving or disproving the correctness of intended algorithms underlying a system with respect to a certain formal specification or property, using formal methods of mathematics.

Slide 20. Formal verification vs Testing
● Testing
– Upper bound for program quality
● A passed test says nothing about quality
● What matters is when a test fails
● Formal verification
– Lower bound for program quality
● A passed check guarantees the absence of some type of failures in a program

Slide 21. Formal verification requires
● Correctness of
– Language
– Compiler
– “Core” of the program
● The specification is self-consistent

Slide 22. Formal verification applied

    boolean isPowerOfTwo(int a) {
        return (a & (a - 1)) == 0;
    }

Slide 23. Formal verification applied
Let's take the binary representation of a, with m >= 0 trailing zeros after the lowest 1 bit:
$$a = (a_1 \ldots a_k)\,1\,\underbrace{0 \ldots 0}_{m}$$
a > 0 => the binary representation of a has at least one 1 bit.
$$a - 1 = (a_1 \ldots a_k)\,0\,\underbrace{1 \ldots 1}_{m} \;\Rightarrow\; a \,\&\, (a - 1) = (a_1 \ldots a_k)\,0\,\underbrace{0 \ldots 0}_{m}$$
a & (a - 1) = 0 => a_1, ..., a_k = 0 => a = 2^m
a = 2^n => m = n, a_1, ..., a_k = 0 => a & (a - 1) = 0
$$\forall\, 0 < a \in \mathbb{N} :\ a \,\&\, (a - 1) = 0 \Leftrightarrow \exists n \in \mathbb{N} :\ a = 2^n$$
Note that the proof assumes a > 0, which the Java method on slide 22 does not check: isPowerOfTwo(0) also returns true, so the specification of the method must state that precondition.

Slide 24. Formal verification is
Formal verification is the act of proving or disproving the correctness of intended algorithms underlying a system with respect to a certain formal specification or property, using formal methods of mathematics.
Another approach is deductive verification. It consists of generating from the system and its specifications (and possibly other annotations) a collection of mathematical proof obligations, the truth of which imply conformance of the system to its specification.

Slide 25. Deductive Verification: theorem proving
● Four color theorem (proved in 1976)
● Curry-Howard isomorphism
– (Theorem, Proof) <=> (Type, Program)
● Theorem provers
– Interactive environments for constructing proofs
– Coq, Agda, Isabelle, HOL
● Real-world example
– CompCert: verified C compiler

Slide 26. Using tools: how about ...
● We create a program that
– Is capable of proving something about another program
– Is itself proven (yeah, yeah, a recursion)
● Use the program to prove something about another program
● Let's call it a “prover”
Is this still formal verification? Sure!

Slide 27. Formal verification: the compiler is a prover on its own
● Formal verification for Java is performed by the Java compiler
– Types
– Uninitialized variables
– Missing return statements
– Uncaught exceptions
– etc.
– etc.
Slide 28. Annotations in Java

    @Stateless @LocalBean
    public class GalleryFacade {
        @EJB
        private GalleryEAO galleryEAO;

        @TransactionAttribute(SUPPORTS)
        public Gallery findById(Long id) { ... }

        @TransactionAttribute(REQUIRED)
        public void create(String name) { ... }
    }

Slide 29. Annotations in Java
● Introduced in Java 5
● Metadata
● May be reflective
– SOURCE, CLASS, RUNTIME
● Standard (e.g. @Override) & custom annotations
● Extensively used nowadays
– Java EE 6, IoC containers, test harnesses, etc.

Slide 30. Annotations: pre-Java 8
● Allowed on declarations only
– Class declaration (@A below)

    @A public class Test {
        @B private int a = 0;

        @C public void m(@D Object o) {
            @E int a = 1;
            ...
        }
    }

Slide 31. Annotations: pre-Java 8
● Allowed on declarations only
– Field declaration (@B in the code on slide 30)

Slide 32. Annotations: pre-Java 8
● Allowed on declarations only
– Method declaration (@C in the code on slide 30)

Slide 33. Annotations: pre-Java 8
● Allowed on declarations only
– Method parameter declaration (@D in the code on slide 30)

Slide 34. Annotations: pre-Java 8
● Allowed on declarations only
– Local variable declaration (@E in the code on slide 30)
Slide 35. Limitations
● Consider the @NonNull annotation
● How to declare a Map with non-null keys and values?

Slide 36. Limitations
● Consider the @NonNull annotation
● How to declare a Map with non-null keys and values?
@NonNull Map<K,V>?

Slide 37. Limitations
● Consider the @NonNull annotation
● How to declare a Map with non-null keys and values?
@NonNull Map<K,V>? NO!

Slide 38. Limitations
● Consider the @NonNull annotation
● How to declare a Map with non-null keys and values?
@NonNull Map<K,V>? NO!
● Map<@NonNull K, @NonNull V>
… but incorrect in Java 7 and earlier
Type annotations in Java 8 to the rescue!

Slide 39. Type annotations in Java 8
● Allowed anywhere you would write a type
… including generics and casts
… for array levels and receivers

Slide 40. Type annotations in Java 8: Examples
● Class inheritance

    class UnmodifiableList<T> implements @ReadOnly List<T> { ... }

● Casts

    myDate = (@ReadOnly Date) roDate;

● Type tests

    myString instanceof @NonNull String

● Arrays

    String @NonNull [] messages;

Slide 41. Type annotations in Java 8: Examples
● Generics

    List<@Interned String> messages;

● Type parameter bounds

    Collection<? super @Exists File>

● Generic type arguments in a generic method

    o.<@NonNull String>toString("...");
Slide 42. Pluggable types
● User-defined (pluggable) type system
● Extend the built-in type system
– express extra information about types via type qualifiers
● Permit more expressive compile-time checking and guarantee the absence of additional errors

Slide 43. Checker Framework
● Collection of compiler plugins (“checkers”)
● Relies on pluggable types and type annotations in Java 8
● Finds different sorts of bugs or verifies their absence
– 14 checkers are already provided
● Supports custom compiler plugins (provides an API)
– 5 third-party checkers

Slide 44. Example: Nullness Checker
● Annotations
– @NonNull
– @Nullable
● Partial type hierarchy

Slide 45. Example: Nullness Checker
● Annotations
– @NonNull
– @Nullable
● Example:

    @Nullable Object o1;     // might be null
    @NonNull Object o2;      // never null
    o1.toString();           // warning
    o2 = o1;                 // warning
    if (o2 == null)          // warning: redundant test

Slide 46. Example: Nullness Checker
● Annotations
– @NonNull
– @Nullable
● Example:

    public <@NonNull T> T process(T t);

Slide 47. Example: Tainting Checker
● Use case:
– Trusted vs untrusted data
– Verify before use
● Examples
– SQL injection attack
● validate SQL query before executing it
– information leakage
● secret data vs data displayed to a user

Slide 48. Example: Tainting Checker
● Annotations
– @Untainted
● A type that includes only untainted, trusted values
– @Tainted
● A type that includes only tainted, untrusted values

Slide 49. Example: Tainting Checker
● Annotations
– @Untainted
– @Tainted
● Example

    void execute(@Untainted String sql) throws SQLException;
    @Untainted String validate(@Tainted String sql) throws SQLException;
Slide 50. Credit card number: Annotation

    @Documented
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE_USE, ElementType.TYPE_PARAMETER})
    @TypeQualifier
    @SubtypeOf(Unqualified.class)
    public @interface CreditCard {}

Slide 51. Credit card number: Checker

    @TypeQualifiers(CreditCard.class)
    @SuppressWarningsKey("credit.card")
    public class CreditCardChecker extends BaseTypeChecker {
        …
    }

Slide 52. Credit card number: Usage

    public class Account {
        private final @CreditCard String cardNumber;

        public Account(@CreditCard String number) {
            this.cardNumber = number;
        }

        public @CreditCard String getCardNumber() {
            return cardNumber;
        }
    }

Slide 53. Credit card number: Sources

    // the only place where a plain String becomes a @CreditCard String
    @SuppressWarnings("credit.card")
    @CreditCard String convert(String input) {
        if (checkLuhn(input))
            return input;
        else
            throw new IllegalArgumentException("...");
    }

    new Account("4111111111111111");   // rejected by the checker: String is not @CreditCard String
    new Account("4111111111111110");   // rejected by the checker for the same reason

Slide 54. Credit card number: Conclusion
● A card number in an account is always validated
● That is guaranteed at compile time
● You do not need to test with invalid numbers
● You do need to test
– All @SuppressWarnings("credit.card") sites
– checkLuhn(String cardNum)
● Better still … prove it!
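The following is an added example, not code from the slides, that completes the pattern of slides 47-54 (validate untrusted input once at a trusted gateway, then let the type qualifier carry the guarantee): it supplies the checkLuhn implementation that slide 53 leaves undefined and the single @CreditCard source. It assumes the @CreditCard qualifier (slide 50) and the Account class (slide 52) live in the same package and that javac runs with CreditCardChecker (slide 51) enabled; the package name example is an assumption.

```java
// Added example (not from the slides). Assumes @CreditCard and Account from the
// preceding slides are in this package and the checker is enabled on javac.
package example;

public final class CardNumbers {

    // Luhn checksum: walking from the right, double every second digit,
    // subtract 9 from any product above 9, and require the sum to be a multiple of 10.
    // Any non-digit or too-short input is rejected before arithmetic starts.
    static boolean checkLuhn(String s) {
        if (s == null || s.length() < 2) return false;
        int sum = 0;
        boolean doubleIt = false;
        for (int i = s.length() - 1; i >= 0; i--) {
            char c = s.charAt(i);
            if (c < '0' || c > '9') return false;
            int d = c - '0';
            if (doubleIt) {
                d *= 2;
                if (d > 9) d -= 9;
            }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    // The only trusted source of @CreditCard values. Without the suppression the
    // checker rejects "return input" (String is not a subtype of @CreditCard String),
    // so this method, and every other "credit.card" suppression, is what must be tested.
    @SuppressWarnings("credit.card")
    static @CreditCard String convert(String input) {
        if (checkLuhn(input)) {
            return input;
        }
        throw new IllegalArgumentException("not a valid card number");
    }

    public static void main(String[] args) {
        Account ok = new Account(convert("4111111111111111")); // Luhn sum 30: accepted
        System.out.println("stored " + ok.getCardNumber().length() + " digits");
        try {
            new Account(convert("4111111111111110"));           // Luhn sum 29: rejected at runtime
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // new Account("4111111111111111");
        // With the checker on, the line above does not compile: a plain String
        // cannot reach the Account constructor without passing through convert().
    }
}
```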
Slide 55. More real-life examples

    String getProperty(@PropertyKey String key);
    HashMap<@Adult Person, @NonNull Address> findSobutylnik(@NonNull Location location);
    void monitorTemperature() throws @Critical TemperatureException;

Slide 56. Checker Framework: Advanced features
● Linear checker
– Implements linear types (based on linear logic)
– Controls aliasing and prevents re-use
– Single ownership abstraction
● Prevents absence of ownership and multiple owners
● Dependent types
– @Dependent annotation
– Changes the type depending on the qualified type of the receiver (this)
– Example: List[N], a list with its length encoded into its type

Slide 57. How to start using
● No need to wait for the Java 8 release
– modified compiler already available
● Incremental program annotation
– Partial program checking
– Warnings during compilation
– Easily convertible into compilation errors
● -Werror flag to javac
– Default annotations for types without annotations
● Ability to annotate external libraries

Slide 58. Links
● Type Annotations Specification (JSR-308)
http://types.cs.washington.edu/jsr308/specification/java-
● Checker Framework
http://types.cs.washington.edu/checker-framework/curre

Slide 59. Q&A

Slide 60. Contacts
Vladimir Ivanov, vladimir.x.ivanov@oracle.com
Alexander Iline, alexandre.iline@oracle.com

Slide 61. Formal verification vs Testing
[Chart: defects b01 through b08, comparing which are caught by testing and by formal verification]