The slides presented at the lecture are available here

The program verification tool ESC/Java2

ESC/Java2 is an automated program verification tool (aka extended static checker) for Java programs. It implements a Hoare logic for reasoning over Java programs that have been annotated with JML specifications. These specifications express for instance preconditions, postconditions, and invariants, and can be added as assertions to the program code. Essentially, ESC/Java2 computes weakest preconditions of methods, and then sends the resulting proof obligiations to the automated theorem prover Simplify. The user never get to see these proof obligiations or the back-end theorem prover; instead, the tool gives feedback over which assertions it could not prove.

Running ESC/Java2

• central UNIX machines

  ESC/Java2 is installed in /vol/practica/softwaresecurity. To run the tool on some file A.java, give the command

     /vol/practica/softwaresecurity/ESCJava/escjava2 A.java

• Windows PCs in terminal rooms

  ESC/Java2 is installed in T:\softwaresecurity. To run the tool on some file A.java, open a command window by selecting

     Start -> Programs -> Accessories -> Command Prompt

  then go to the directory where A.java is (using cd) and type in the command

     T:\softwaresecurity\ESC\escj.bat A.java

• Installing on your own machine

  If you prefer running the tool on your own computer, ESC/Java2 can be downloaded here. (Don't be scared to give your email address; we won't use it to spam you.) You should get the latest version, 2.0a9, and it is probably easiest to get the binary zip file, i.e. ESCJava-2.0a9-01-10-05-binary.zip. The tool runs on just about any platform: Windows, Mac, Linux and UNIX, and comes with lots of documentation.

  NB ESC/Java2 only runs under Java 1.4, and not under Java 1.5. So you might have to download Java 1.4 here.

  If you're using Windows, you will have to edit escj.bat to provide the correct path names: the last line of escj.bat should be

     "C:\j2sdk1.4.2_12\bin\Java.exe" -Dsimplify="C:\ESCJava 2\Simplify-1.5.4.exe"
     -classpath "C:\ESCJava 2\esctools2.jar" escjava.Main -classpath
     "C:\ESCJava 2\jmlspecs.jar" -classpath . %ESCJ_STDARGS% %ESCJ_ARGS%

  if you installed ESC/Java2 in "C:\ESCJava 2" and Java in "C:\j2sdk1.4.2_12"

  If you're using Linux or MacOS, use the script escjava2 to run the tool.

  I would warn against using any Eclipse plugins for ESC/Java2 you might find on the web, as these are not really stable.

The assignment

1. Bag.java
2. Amount.java

• either add annotation to the code (eg to document invariants, preconditions, or postconditions)
• or fix bugs in the code

For Amount.java you must also try to formalise the informal invariant that is discussed in the file in JML, which should reveal some problems in the code.

In the end, ESC/Java2 should run without any complaints on the annotated code. ESC/Java2 complains (among other things) if it thinks a runtime exception may occur, say a NullPointerException, so if ESC/Java2 runs without complaints this means it has verified that no runtime exceptions can occur.

More detailed instructions are given in the Java files. Read these!

The only JML keywords you'll need to use for this are requires, invariant, and ensures. If you want, you can also use non_null as an abbreviation and experiment with other features.

Inleveren via email naar Erik Poll (erikpoll@cs.ru. etc) of laat het gewoon even zien dat je een opgave afhebt tijdens het practicum op maandag. Gelieve de oplossingen - de geannoteerde Java files - gewoon direct als attachment aan je email te plakken, en niet te zippen, tarren oid, of nog ergeer, door diffs op te sturen. Dat scheelt veel gedoe met de afhandeling.

Some hints to keep you out of trouble with the tool:

• Only look at the first warning that ESC/Java2 produces, and ignore the others, until you've managed to get rid of this first one.
• The only JML keywords you'll need are requires, invariant, and ensures. If you want, you can also use non_null as an abbreviation and experiment with other features.
• Don't use the Java shorthand x+=10 for x = x+10.
• Whenever possible, split invariants than contain conjunctions into several smaller invariants. The tool then provides better feedback. So instead of
     //@ invariant A && B;
  write
     //@ invariant A;
     //@ invariant B;
  The same goes for preconditions (aka requires clauses).
• If the tool complains of invariant violations, it produces a lot of information that is hard to interpret. The crucial information to look at is
  • the line number saying which invariant is violated, and
  • the line number saying where this invariant is violated.
  NB beware that calling a method on some object may break the invariant of another object. For instance, in the taxpayer exercise, calling a method on a TaxPayer may break the invariant of his or her spouse.

Reflection

1. In the end, do you think that you found all problems? Are you certain now that the code is correct?
2. Can you think of ways in which the tool or the specification language could be improved?
3. Instead of the tool we used, can you think of other ways (formal or informal, tool-supported or not) to find the problems that the tool found? If so, would these alternatives
   • find fewer of the problems, the same, or more?
   • find problems sooner or later than the current approach?
   • require more work or less work?
   • provide you with more confidence or less confidence that the code is correct?