Informatics pp 157-175 | Cite as

Extended Static Checking: A Ten-Year Perspective

  • K. Rustan M. Leino
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2000)


A powerful approach to finding errors in computer software is to translate a given program into a verification condition, a logical formula that is valid if and only if the program is free of the classes of errors under consideration. Finding errors in the program is then done by mechanically searching for counterexamples to the verification condition. This paper gives an overview of the technology that goes into such program checkers, reports on some of the progress and lessons learned in the past ten years, and identifies some remaining challenges.


Formal Semantic Source Language Static Check Warning Message Type Checker 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 0.
    Alfred V. Aho, Ravi Sethi, and Jeffrey D. Ullman. Compilers: Principles, Techniques, and Tools. Addison-Wesley, 1986.Google Scholar
  2. 1.
    Paulo Sérgio Almeida. Balloon types: Controlling sharing of state in data types. In Mehmet Aksc,it and Satoshi Matsuoka, editors, ECOOP’97—Object-oriented Programming: 11th European Conference, volume 1241 of Lecture Notes in Computer Science, pages 32–59. Springer, June 1997.Google Scholar
  3. 2.
    Lennart Augustsson. Cayenne — a language with dependent types. In Proceedings of the 1998 ACM SIGPLAN International Conference on Functional Programming (ICFP’ 98), volume 34, number 1 in SIGPLAN Notices, pages 239–250. ACM, January 1999.Google Scholar
  4. 3.
    John Boyland. Alias burying: Unique variables without destructive reads. Software—Practice & Experience. To appear.Google Scholar
  5. 4.
    Edmund Clark. Language constructs for which it is impossible to obtain good Hoare-like axioms. Journal of the ACM, 26(1):129–147, January 1979.CrossRefGoogle Scholar
  6. 5.
    Patrick Cousot. Progress on abstract interpretation based formal methods and future challenges. In Informatics—10 Years Back, 10 Years Ahead, volume 2000 of Lecture Notes in Computer Science. Springer-Verlag, 2000.Google Scholar
  7. 6.
    Patrick Cousot and Radhia Cousot. Abstract interpretation: a uni.ed lattice model for static analysis of programs by construction or approximation of fixpoints. In Conference Record of the Fourth Annual ACM Symposium on Principles of Programming Languages, pages 238–252, January 1977.Google Scholar
  8. 7.
    Patrick Cousot and Nicolas Halbwachs. Automatic discovery of linear restraints among variables of a program. In Conference Record of the Fifth Annual ACM Symposium on Principles of Programming Languages, pages 84–96, January 1978.Google Scholar
  9. 8.
    David L. Detlefs, K. Rustan M. Leino, and Greg Nelson. Wrestling with rep exposure. Research Report 156, Digital Equipment Corporation Systems Research Center, July 1998.Google Scholar
  10. 9.
    David L. Detlefs, K. Rustan M. Leino, Greg Nelson, and James B. Saxe. Extended static checking. Research Report 159, Compaq Systems Research Center, December 1998.Google Scholar
  11. 10.
    Edsger W. Dijkstra. A Discipline of Programming. Prentice Hall, Englewood Cliffs, NJ, 1976.Google Scholar
  12. 11.
    Michael D. Ernst, Adam Czeisler, William G. Griswold, and David Notkin. Quickly detecting relevant program invariants. In ICSE 2000, Proceedings of the 22nd International Conference on on Software Engineering, pages 449–458, 2000.Google Scholar
  13. 12.
    Extended Static Checking for Java home page, Compaq Systems Research Center. On the web at
  14. 13.
    Cormac Flanagan, Rajeev Joshi, and K. Rustan M. Leino. Annotation inference for modu lar checkers. Information Processing Letters. To appear.Google Scholar
  15. 14.
    Cormac Flanagan and K. Rustan M. Leino. Houdini, an annotation assistant for ESC/Java. Technical Note 2000-003, Compaq Systems Research Center, 2000.Google Scholar
  16. 15.
    Steven M. German. Automating proofs of the absence of common runtime errors. In Conference Record of the Fifth Annual ACM Symposium on Principles of Programming Languages, pages 105–118, 1978.Google Scholar
  17. 16.
    John Hogg. Islands: Aliasing protection in object-oriented languages. In Andreas Paepcke, editor, Object-Oriented Programming Systems, Languages, and Applications (OOPSLA’91), pages 271–285. ACM Press, October 1991.Google Scholar
  18. 17.
    S. C. Johnson. Lint, a C program checker. Computer Science Technical Report 65, Bell Laboratories, Murray Hill, NJ 07974, 1978.Google Scholar
  19. 18.
    K. Rustan M. Leino. Toward Reliable Modular Programs. PhD thesis, California Institute of Technology, 1995. Technical Report Caltech-CS-TR-95-03.Google Scholar
  20. 19.
    K. Rustan M. Leino. Ecstatic: An object-oriented programming language with an axiomatic semantics. In The Fourth International Workshop on Foundations of Object-Oriented Languages, January 1997. Proceedings available from
  21. 20.
    K. Rustan M. Leino. Data groups: Specifying the modi.cation of extended state. In Proceedings of the 1998 ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA’ 98), volume 33, number 10 in SIGPLAN Notices, pages 144–153. ACM, October 1998.CrossRefGoogle Scholar
  22. 21.
    K. Rustan M. Leino and Greg Nelson. Data abstraction and information hiding. Research Report 160, Compaq Systems Research Center, 2000.Google Scholar
  23. 22.
    K. Rustan M. Leino, Greg Nelson, and James B. Saxe. ESC/Java user’s manual. Technical Note 2000-002, Compaq Systems Research Center, October 2000.Google Scholar
  24. 23.
    K. Rustan M. Leino, James B. Saxe, and Raymie Stata. Checking Java programs via guarded commands. In Bart Jacobs, Gary T. Leavens, Peter Müller, and Arnd Poetzsch-Heffter, editors, Formal Techniques for Java Programs, Technical Report 251. Fernuniversität Hagen, May 1999. Also available as Technical Note 1999–002, Compaq Systems Research Center.Google Scholar
  25. 24.
    K. Rustan M. Leino and Raymie Stata. Checking object invariants. Technical Note 1997–007, Digital Equipment Corporation Systems Research Center, January 1997.Google Scholar
  26. 25.
    Barbara Liskov and John Guttag. Abstraction and Specification in Program Development. MIT Electrical Engineering and Computer Science Series. MIT Press, 1986.Google Scholar
  27. 26.
    David C. Luckham. Programming with Specifications: An Introduction to ANNA, a Language for Specifying Ada Programs. Texts and Monographs in Computer Science. Springer-Verlag, 1990.Google Scholar
  28. 27.
    Bertrand Meyer. Object-oriented Software Construction. Series in Computer Science. Prentice-Hall International, New York, 1988.Google Scholar
  29. 28.
    Todd Millstein. Toward more informative ESC/Java warning messages. In James Mason, editor, Selected 1999 SRC Summer Intern Reports, Technical Note 1999–003. Compaq Systems Research Center, 1999.Google Scholar
  30. 29.
    Naftaly H. Minsky. Towards alias-free pointers. In Pierre Cointe, editor, ECOOP’96—Object-Oriented Programming: 10th European Conference, volume 1098 of Lecture Notes in Computer Science, pages 189–209. Springer, July 1996.Google Scholar
  31. 30.
    Greg Nelson. Combining satisfiability procedures by equality-sharing. In W. W. Bledsoe and D. W. Loveland, editors, Automated Theorem Proving: After 25 Years, volume 29 of Contemporary Mathematics, pages 201–211. American Mathematical Society, 1984.Google Scholar
  32. 31.
    Greg Nelson and Derek C. Oppen. Simplification by cooperating decision procedures. ACM Transactions on Programming Languages and Systems, 1(2):245–257, October 1979.zbMATHCrossRefGoogle Scholar
  33. 32.
    James Noble, Jan Vitek, and John Potter. Flexible alias protection. In Eric Jul, editor, ECOOP’98—Object-oriented Programming: 12th European Conference, volume 1445 of Lecture Notes in Computer Science, pages 158–185. Springer, July 1998.Google Scholar
  34. 33.
    D. L. Parnas. A technique for software module specification with examples. Communications of the ACM, 15(5):330–336, May 1972.CrossRefGoogle Scholar
  35. 34.
    PRE.x. Intrinsa, Mountain View, CA, 1999.Google Scholar
  36. 35.
    E. Satterthwaite. Debugging tools for high level languages. Software—Practice & Experience, 2(3):197–217, July-September 1972.zbMATHCrossRefGoogle Scholar
  37. 36.
    Fred B. Schneider, Greg Morrisett, and Robert Harper. A language-based approach to security. In Informatics—10 Years Back, 10 Years Ahead, volume 2000 of Lecture Notes in Computer Science. Springer-Verlag, 2000.Google Scholar
  38. 37.
    Richard L. Sites. Proving that Computer Programs Terminate Cleanly. PhDthesis, Stanford University, Stanford, CA 94305, May 1974. Technical Report STAN-CS-74-418.Google Scholar
  39. 38.
    Mark Utting. Reasoning about aliasing. In Proceedings of the Fourth Australasian Refinement Workshop (ARW-95), pages 195–211. School of Computer Science and Engineering, The University of New South Wales, April 1995.Google Scholar
  40. 39.
    Hongwei Xi and Frank Pfenning. Dependent types in practical programming. In Conference Record of POPL’99: The 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 214–227, January 1999.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • K. Rustan M. Leino
    • 1
  1. 1.Compaq Systems Research CenterPalo AltoUSA

Personalised recommendations