Download ESC/Java User's Manual

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
page
58
page
59
page
60
page
61
page
62
page
63
page
64
page
65
page
66
page
67
page
68
page
69
page
70
page
71
page
72
page
73
page
74
page
75
page
76
page
77
page
78
page
79
page
80
page
81
page
82
page
83
page
84
page
85
page
86
page
87
page
88
page
89
page
90
page
91
page
92
page
93
page
94
page
95
Transcript 
methodological reasons (see, for example, the discussion of unchecked exceptions in section 4.5).
The .spec files, the JDK files, or both may simply contain errors.
(See also the disclaimers near the beginning of this manual.)
C.0.11 Shared variables
ESC/Java depends on programmers to supply monitored and monitored_by pragmas telling which locks
protect which shared variables. In the absence of such annotations, ESC/Java will not produce a warning when a
routine might access a variable without holding the appropriate lock. Even when the user does specify which
locks protect which variables, there is another potential source of unsoundness: ESC/Java assumes that the value
of a shared variable stays unchanged if a routine releases and then reacquires the lock that protects it, ignoring the
possibility that some other thread might have acquired the lock and modified the variable in the interim.
C.0.12 Initialization of fields declared non_null
There is an unsoundness in ESC/Java's checking that constructors assign non-null values to fields declared
non_null. Consider the following program:
1:
2:
class C {
/*@ non_null */ Object f;
3:
C() {
m();
}
4:
5:
6:
7:
//@ modifies this.f;
void m() {
8:
9:
...
}
}
When checking the implementation of the constructor for C, ESC/Java will assume (based solely on the pragmas
on lines 2 and 8) that the method m returns with this.f set to a non-null value. While checking the body of m,
ESC/Java will check that any assignments to f indeed assign non-null values. However, if the body of m can
complete normally without assigning to this.f, then ESC/Java's assumption that this.f is always non-null after
line 6 will be unsound.
C.0.13 String literals
Java's treatment of string concatenation (see [JLS, 3.10.5]) is not accurately modeled by ESC/Java. This is a
source both of unsoundness and of incompleteness.
C.0.14 Search limits in Simplify
If Simplify cannot find a proof or a (potential) counterexample for the verification condition (see appendix A) for
a routine within a set time limit, then ESC/Java issues no warnings for the method, even though it might have
issued a warning if given a longer time limit. If Simplify reaches its time limit after reporting one or more
91 of 95
Related documents
(ESCJ 27:\240 ESC/Java User`s Manual)
(ESCJ 27:\240 ESC/Java User`s Manual)
ESC/Java Quick Reference
ESC/Java Quick Reference
Escjava2-Implementat..
Escjava2-Implementat..
ESC/Java2 Implementation Notes
ESC/Java2 Implementation Notes
Automatic Soundness and Completeness Warnings
Automatic Soundness and Completeness Warnings
CMSC 420 - University of Maryland at College Park
CMSC 420 - University of Maryland at College Park
Houdini, an Annotation Assistant for ESC/Java
Houdini, an Annotation Assistant for ESC/Java
Houdini, an Annotation Assistant for ESC/Java
Houdini, an Annotation Assistant for ESC/Java
Formal Specification and Static Checking of Gemplus` Electronic
Formal Specification and Static Checking of Gemplus` Electronic
This paper
This paper