Towards Support for Non-null Types and Non-null-by-default in by xny14254

VIEWS: 9 PAGES: 44

									Towards Support for
Non-null Types and
Non-null-by-default in Java

  Patrice Chalin
  Dependable Software Research Group (DSRG)
  Computer Science and Software Engineering Department
  Concordia University
  Montreal, Canada


   Formal Techniques for Java-like Programs (FTfJP’06)
  July 3-7, 2006 at ECOOP 2006, Nantes, France
Research Context
• For languages with pointers and null
  Null Pointer Exceptions are far too common.
• Increasingly tools can detect them statically
       – (not practical without nullity annotations)




2006-07-04                                     FTfJP'06 - P.Chalin,   p. 2
Detecting NPEs
• To do so requires support for non-null
       – Non-null annotations, or
       – Non-null types
• JML
       – Supports non-null annotations which are desugared
• Spec#
       – Declaring and Checking Non-null Types in an Object-
         Oriented Language, Fähndrich & Leino OOPSLA’03
• What of other languages … ?
2006-07-04                                       FTfJP'06 - P.Chalin,   p. 3
Languages without explicit pointers
• … or with a disciplined use of pointers
• Functional languages
       – No pointers
       – A “nullable” type can still be defined
         type 'a pointer = Null | Pointer of 'a ref;
• ML, Ocaml, …
       – Reference types; safe, i.e.
       – Created from a value of base type
• Unfortunately, C-like languages have pointers
2006-07-04                                    FTfJP'06 - P.Chalin,   p. 4
  Non-null Support (imperative PL)

               Type /                 modifier (prefix) for
Lang.                   Default
               Anno                  non-null                nullable
Splint         anno.    non-null   /*@notnull*/              /*@null*/
Eiffel          type    non-null           !                       ?
Spec#           type    nullable       ! (suffix)               ? (suffix)
Nice            type    non-null          !                       ?
 JML           anno.    non-null   /*@non_null*/         /*@nullable*/


  2006-07-04                                        FTfJP'06 - P.Chalin,     p. 5
Non-null Support, remarks
• Tendancy is towards
       – Non-null types
       – Non-null by default, i.e. …




2006-07-04                             FTfJP'06 - P.Chalin,   p. 7
Non-null By Default
• Splint
       – Earliest imperative language with pointers to support non-
         null by default
• Eiffel (ECMA Std, 2005)
       – Attached/detachable types
       – Attached by default
• JML
       – Non-null by default (Chalin, Rioux 2005)
• Spec#
       – Command line option to turn on non-null by default (2006)
2006-07-04                                          FTfJP'06 - P.Chalin,   p. 8
Non-null Support for Java
• Increased support due to Java 5 annotation
  feature
• Unfortunately
       – Unnecessary minor variability in annotation names
       – Inconsistency w.r.t.
             • Types of decl. supported
             • Type variance permitted for overriding methods
       –…

2006-07-04                                           FTfJP'06 - P.Chalin,   p. 9
     Non-null Support (Java, except. JML)

                                   Type /                  modifier (prefix) for
  Lang/Tool                                  Default
                                   Anno                  non-null        nullable
IntelliJ IDEA                      anno.    nullable   @NotNull         @Nullable
Nully (IDEA plug-in)               anno.    nullable   @NonNull            N/A
  FindBugs                         anno.    nullable   @NonNull      @CheckForNull
JastAdd           + Non-null Ext   anno.    nullable   [NotNull]        [MayBeNull]
 Eclipse JDT                       anno.    nullable   @NotNull         @Nullable

     2006-07-04                                                     FTfJP'06 - P.Chalin, p. 10
Non-null Support (full table)




2006-07-04                 FTfJP'06 - P.Chalin, p. 11
Check Point
• Summary of support for non-null
• Demonstration of tendency towards
       – Non-null by default
       – Non-null types
• Where does JML stand?
       – Non-null default (2005)
       – Non-null types (2006)


2006-07-04                         FTfJP'06 - P.Chalin, p. 12
JML Support for Non-null
• Nullity declaration modifiers
       – non_null
       – nullable
• Class-level modifiers
       – non_null_by_default
       – nullable_by_default
• Non-null by default
       – Command line option to enable nullable-by-default

2006-07-04                                  FTfJP'06 - P.Chalin, p. 13
Why Non-null By Default in JML
• Better matches general practice
• Lightens annotation burden of developers
• Safer
       – Visual warning: explicit nullable annotation.
       – Forgetting a nullable annotation isn’t too bad.




2006-07-04                                    FTfJP'06 - P.Chalin, p. 14
Changes to JML (due to default+types)
Outline:
• Scope of new default.
• Impact w.r.t. specs of overriding methods.
• Specification refinement.
• Constructors
• Arrays.


2006-07-04                          FTfJP'06 - P.Chalin, p. 15
Changes to JML:
Scope of new default
• All declarations are assumed to be non-null by
  default except for local variables. Why?
• Not required, hence no need to burden dev.
       – static analysis can easily determine if a local
         variable is non-null
• Nullity annotations can still be applied to local
  variables.


2006-07-04                                      FTfJP'06 - P.Chalin, p. 16
Declarations by Kind
• Field of a class or interface
       (normal, model, ghost)
• Method or constructor (normal, model)
       – Parameters
       – Return type (methods only)
• Bound variables (JML expressions, clauses)
       – \forall, \exists, \max, \min, etc.
       – Method constracts: forall and old statements.
• Local variable (normal, ghost)
2006-07-04                                    FTfJP'06 - P.Chalin, p. 17
Changes to JML:
Overriding Methods
• Return Types
       – A bit more involved
• Parameter Types




2006-07-04                     FTfJP'06 - P.Chalin, p. 18
 Method Parameters (diff. nullity)
 Method         PARAMETER type declared as …
supertype         non-null          nullable
 subtype          nullable          non-null
new sem.      ERROR: contrav.       ERROR: covar.

    jmlc      param. can be null   param. can be null

ESC/Java2     param. can be null   Caution, but null

 2006-07-04                             FTfJP'06 - P.Chalin, p. 19
 Method Return Types (diff. nullity)
 Method            RETURN type declared as …
supertype          non-null           nullable
 subtype           nullable           non-null
new sem.      ERROR: contrav.       OK, covar (Java 5)

    jmlc        like new sem.        can return null

ESC/Java2     subtype is non-null     like new sem.

 2006-07-04                              FTfJP'06 - P.Chalin, p. 20
Method Return Types:
Nullity Covariance
public class A {
  //@ requires i >= 0;
  //@ ensures Qa;
  /*@ nullable @*/
  String m(int i) { … }
}
public class B extends A {
  /*@ also
    @ requires i <= 0;
    @ ensures Qb;
    @*/ /*@ non_null @*/
    String m(int i) { … }
}
2006-07-04                   FTfJP'06 - P.Chalin, p. 21
Method Return Types:
Nullity Covariance – Old Semantics
public class A {             Partial desugaring of B.m():
  //@ requires i >= 0;       /*@ requires i >= 0;
  //@ ensures Qa;              @ ensures Qa;
  /*@ nullable @*/             .
  String m(int i) { … }        .
}                              .
public class B extends A {     .
  /*@ also                     @ also
    @ requires i <= 0;         @ requires i <= 0;
    @ ensures Qb;              @ ensures Qb;
    @*/ /*@ non_null @*/       @ ensures \result != null;
    String m(int i) { … }      @*/ String m(int i) { … }
}
2006-07-04                                FTfJP'06 - P.Chalin, p. 22
Method Return Types:
Nullity Covariance – New Semantics
public class A {             Partial desugaring of B.m():
  //@ requires i >= 0;       /*@ requires i >= 0;
  //@ ensures Qa;              @ ensures Qa;
  /*@ nullable @*/ String      @ ensures \result != null;
    m(int i) { … }
}
public class B extends A {
  /*@ also                    @ also
    @ requires i <= 0;        @ requires i <= 0;
    @ ensures Qb;             @ ensures Qb;
    @*/ /*@ non_null @*/      @ ensures \result != null;
    String m(int i) { … }     @*/ String m(int i) { … }
}
2006-07-04                                FTfJP'06 - P.Chalin, p. 23
Changes to JML:
Specification refinement
• JML supports specification refinement chains.
• Permits specifications to be developed and
  presented incrementally
• E.g.
       – .java contains method preconditions only
       – .refines-java contains full method contracts
       As illustrated next …


2006-07-04                                   FTfJP'06 - P.Chalin, p. 24
Changes to JML:
Specification Refinement - Example
public class C {
   //@ requires i > j;
   public int m(int i, int j) { return i-j; }
}
                  And its refinement
//@ refines "C.java";
public class C {
   //@ also
   //@ requires i > j;
   //@ ensures \result == i - j;
   public int m(int i, int j); …
2006-07-04                                      FTfJP'06 - P.Chalin, p. 25
Changes to JML:
Spec. Refinement – Nullity Must Match
• Generally, method signatures that appear in
  two or more files of a refinement chain must be
  identical.
• We generalize this constraint to nullity
  modifiers.




2006-07-04                          FTfJP'06 - P.Chalin, p. 26
Changes to JML: Constructors
• “Raw types upto”
• Fähndrich & Leino
             Declaring and Checking Non-null Types in an
             Object-Oriented Language, OOPSLA’03




2006-07-04                                     FTfJP'06 - P.Chalin, p. 27
Changes to JML: Arrays
• Non-null default applies to
       – Array variable.
       – Array components
             • Intermediate components
             • Array elements.




2006-07-04                               FTfJP'06 - P.Chalin, p. 28
Changes to JML: Arrays - Example
ComplexNumber matrix[][];
                … with non-null default is equivalent to
/@ invariant
 @ matrix != null &&
 @ (\forall int i; 0 <= i && i < matrix.length;
 @ matrix[i] != null &&
 @ (\forall int j;
 @         0 <= j && j < matrix[i].length;
 @         matrix[i][j] != null);
 @*/
2006-07-04                               FTfJP'06 - P.Chalin, p. 29
Changes to JML: Arrays - New
• Positional nullity modifiers that can be applied
  to any array component.
• Modifiers as prefix.




2006-07-04                           FTfJP'06 - P.Chalin, p. 30
Modifiers: non-arrays
Object o;            //@ o != null

nullable Object o;   //@ o can be null




2006-07-04                  FTfJP'06 - P.Chalin, p. 31
Modifiers: arrays (part of the story)
Object[] a;          //@ a != null &&

nullable Object[] a; //@ a can be null




2006-07-04                  FTfJP'06 - P.Chalin, p. 32
Modifiers: arrays
Object[] a;          //@ a != null &&
                      //@ a[i] != null
nullable Object[] a; //@ a can be null
                      //@ a[i] != null



2006-07-04                  FTfJP'06 - P.Chalin, p. 33
Modifiers: arrays and components
Object[] a;           //@ a != null &&
                       //@ a[i] != null
nullable Object[] a; //@ a can be null
                       //@ a[i] != null
nullable Object nullable []a;
             //@ a and a[i] can be null
2006-07-04                   FTfJP'06 - P.Chalin, p. 34
Modifiers: arrays and components


mod Object mod [] mod [] … mod [] a;



mod Object a mod [] mod [] … mod [];

2006-07-04                FTfJP'06 - P.Chalin, p. 35
Non-null Support for Java
• JML offers most complete / developed
  solution.
       –     Non-null by default
       –     Non-null types
       –     Annotated libraries
       –     Non intrusive (annotation in comments), though
             “non-standard”
• Maybe consider recognizing Java 5 annotations
  as well.
2006-07-04                                      FTfJP'06 - P.Chalin, p. 36
JML: Remaining Issues
• Conform: Java 5 variance (overriding methods)
• Rename class-level modifiers; i.e. use non_null
  and nullable.
• Notation for “raw upto”?




2006-07-04                          FTfJP'06 - P.Chalin, p. 37
JML Status
• Non-null by default:
       – JML checker, JMLc : done
       – ESC/Java2: pending.
• Non-null types
       – JML checker: +50% complete
       – ESC/Java2: future work




2006-07-04                            FTfJP'06 - P.Chalin, p. 38
La Fin
• Thank you!

• Questions / remarks?




2006-07-04               FTfJP'06 - P.Chalin, p. 39
===Extra===




2006-07-04    FTfJP'06 - P.Chalin, p. 40
Non-null Types & Initialization
(excerpt from Fähndrich & Leino OOPSLA’03)

class A {                         class B : A {
  String! name;                     String! path;
  public A(string! s) {             public B(string! p, string! s)
    this.name = s;                    : base(s) {
    this.m(55);                       this.path = p;
  }                                 }
  virtual void m(int x) {...}       override void m(int x) {
}                                     ... this.path ...
                                    }
                                  }

2006-07-04                                      FTfJP'06 - P.Chalin, p. 41
Non-null-by-default




2006-07-04            FTfJP'06 - P.Chalin, p. 42
Empirical study (Chalin, Rioux 2005)
• Over 50% of declarations are meant to be non-
  null.




2006-07-04                         FTfJP'06 - P.Chalin, p. 43
Study Subjects: Overall Project
                 ISU Tools   ESC Tools   SoenEA         Koa           Total

    # of files         831         455        52            459          1797
    LOC (K)            243         124            3           87           457

   SLOC (K)            140          75            2           62           278

  Study                       ESC/
           Checker                   SoenEA Koa TS Total
  subject                      Java2
# of files     217               216      52    29   514
LOC (K)         86                63       3    10   161
SLOC (K)        58                41       2     4   104
2006-07-04                                            FTfJP'06 - P.Chalin, p. 44
Results: Summary

                  JML       ESC/                          Sum or
                  Checker
                                   Soen-EA Koa TS
                             Java2                          Av.
     n                35       35      41        29                140
     N               217      216      41        29                503
   ∑ di              376      807     231     564                1978
   ∑ mi              210      499     177     368                1254
∑di / ∑mi           56%       62%     77%     65%                 63%
mean (x)            59%       60%     72%     64%                 64%
std.dev.(s)         0.24      0.31    0.37    0.32                         -
E (a=5%)            7.4%     9.3%        -          -                      -
  m min             52%       51%     72%     64%                 60%
     2006-07-04                               FTfJP'06 - P.Chalin, p. 45

								
To top