An Extended Static Checker for Modula-3

This paper briefly introduces the Extended Static Checker for Modula-3 (called ESC), a programming tool that catches at compile time errors that ordinarily are not caught until runtime, and sometimes not even then. Examples are array index bounds errors, NIL dereferences, and deadlocks and race conditions in multi-threaded programs. The tool is useful because the cost of an error is greatly reduced if it is detected early in the development process. The checker is implemented using the technology of program verification. The program is annotated with specifications; the annotated program is presented to a verification condition generator, which produces logical formulas that are provable if and only if the program is free of the particular class of errors under consideration; and these formulas are presented to an automatic theorem prover. This sounds like program verification, but it is not: firstly because we do not try to prove that a program does what it is supposed to do, only that it is free of certain specific types of errors; secondly because we are interested in failed proofs only, not in successful ones. Failed proofs are more useful than successful ones, since they warn the programmer of possible errors. Also, failed proofs are found more quickly than successful ones.

This idea of extended static checking is not new. The first Ph.D. thesis that we know of that addressed the idea was by Dick Sites thirty years ago, and the problem has held its own as a Ph.D. thesis topic ever since. But the research prototype checkers that have been implemented over the years have made too many simplifying assumptions. They may handle only sequential control structures; they may handle no data structures except integers and integer arrays; they may require that the entire program consist of a single module; they may require the user to guide the theorem prover or to provide complicated loop invariants.
These assumptions facilitate the implementation of prototype checkers, but they also destroy the engineering utility of the checker. We argue that these simplifying assumptions can be dropped; that the time has come for extended static checking to be deployed instead of studied. Our checker handles multi-threaded, multi-module, object-oriented programs. The theorem proving is completely automatic. Our checker reports errors by line number and error type. Our checker works on Modula-3 programs, but the techniques would work for any language in which address arithmetic is restricted, including Oberon, Ada, Java, and …
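The pipeline the abstract describes (an annotated procedure, implicit runtime-error checks turned into verification conditions by weakest-precondition substitution, an automatic prover, and failed proofs reported by line number and error type) can be shown in miniature. The following is an added illustration, not ESC's code: it handles only straight-line code with integer and array variables, it reads array accesses as implicit NIL and bounds checks, and in place of the automatic theorem prover it uses a brute-force search over a tiny finite model, so a "proof" here is only a bounded check, not a real one. The sample procedure, its precondition and its variable names are constructed for the example.

```python
"""Toy extended static checker: weakest-precondition VC generation plus a
brute-force finite-model search standing in for the automatic theorem prover.
Terms and formulas are nested tuples, e.g. ("lt", ("var", "i"), ("len", ("var", "a")))."""
import itertools

NIL = None


def subst(t, var, repl):
    """Substitute expression repl for variable var throughout term/formula t."""
    if t[0] == "var":
        return repl if t[1] == var else t
    return (t[0],) + tuple(subst(c, var, repl) if isinstance(c, tuple) else c for c in t[1:])


def free_vars(t, acc=None):
    acc = set() if acc is None else acc
    if t[0] == "var":
        acc.add(t[1])
    for c in t[1:]:
        if isinstance(c, tuple):
            free_vars(c, acc)
    return acc


def ev(t, env):
    """Evaluate a term/formula in an environment. Partial operations are made total
    (NUMBER(NIL) = 0, out-of-range read = 0) as a toy simplification; the checker only
    ever emits a read behind its own guard, so the VCs never depend on these values."""
    op = t[0]
    if op == "const": return t[1]
    if op == "var": return env[t[1]]
    if op == "nil": return NIL
    if op == "add": return ev(t[1], env) + ev(t[2], env)
    if op == "sub": return ev(t[1], env) - ev(t[2], env)
    if op == "len": a = ev(t[1], env); return len(a) if a is not NIL else 0
    if op == "index":
        a, i = ev(t[1], env), ev(t[2], env)
        return a[i] if a is not NIL and 0 <= i < len(a) else 0
    if op == "le": return ev(t[1], env) <= ev(t[2], env)
    if op == "lt": return ev(t[1], env) < ev(t[2], env)
    if op == "neq": return ev(t[1], env) != ev(t[2], env)
    if op == "and": return ev(t[1], env) and ev(t[2], env)
    if op == "implies": return (not ev(t[1], env)) or ev(t[2], env)
    raise ValueError(op)


# Statements: ("assign", line, var, expr) and ("fetch", line, var, arr, idx) for var := arr[idx].
def checks_for(stmt):
    """Runtime-error conditions the checker must prove before executing stmt."""
    if stmt[0] == "fetch":
        _, line, _, arr, idx = stmt
        return [(line, "NIL dereference", ("neq", arr, ("nil",))),
                (line, "index out of bounds",
                 ("and", ("le", ("const", 0), idx), ("lt", idx, ("len", arr))))]
    return []


def effect(stmt):
    """(var, expr) assigned by the statement, used for weakest-precondition substitution."""
    if stmt[0] == "assign":
        return stmt[2], stmt[3]
    _, _, var, arr, idx = stmt
    return var, ("index", arr, idx)


def wp(stmts, post):
    """Weakest precondition of a straight-line statement list with respect to post."""
    for stmt in reversed(stmts):
        var, expr = effect(stmt)
        post = subst(post, var, expr)
    return post


def verification_conditions(pre, stmts):
    """One VC per implicit check, tagged with its line: pre ==> wp(prefix, check)."""
    return [(line, kind, ("implies", pre, wp(stmts[:k], cond)))
            for k, stmt in enumerate(stmts) for line, kind, cond in checks_for(stmt)]


INT_DOMAIN = range(-1, 4)
ARRAY_DOMAIN = [NIL, [], [0], [0, 0]]   # NIL or an array of length 0..2; contents are irrelevant here


def find_counterexample(formula, arrays):
    """Stand-in for the theorem prover: search a small finite model for a falsifying
    environment. None means the formula holds on the model (not a proof in general)."""
    names = sorted(free_vars(formula))
    domains = [ARRAY_DOMAIN if v in arrays else INT_DOMAIN for v in names]
    for values in itertools.product(*domains):
        env = dict(zip(names, values))
        if not ev(formula, env):
            return env
    return None


def check_procedure(pre, stmts, arrays):
    """Failed proofs only: (line, error type, counterexample) for each VC that does not hold."""
    out = []
    for line, kind, formula in verification_conditions(pre, stmts):
        cex = find_counterexample(formula, arrays)
        if cex is not None:
            out.append((line, kind, cex))
    return out


# Constructed sample: REQUIRES a # NIL AND 0 < n AND n <= NUMBER(a^)
A, B, N, I = ("var", "a"), ("var", "b"), ("var", "n"), ("var", "i")
PRE = ("and", ("and", ("neq", A, ("nil",)), ("lt", ("const", 0), N)), ("le", N, ("len", A)))
PROGRAM = [
    ("assign", 1, "i", ("const", 0)),     # i := 0
    ("fetch",  2, "x", A, I),             # x := a[i]   provable from the precondition
    ("assign", 3, "i", N),                # i := n
    ("fetch",  4, "y", A, I),             # y := a[i]   off by one: n = NUMBER(a^) is allowed
    ("fetch",  5, "z", B, ("const", 0)),  # z := b[0]   nothing is known about b
]
ARRAYS = {"a", "b"}

if __name__ == "__main__":
    for line, kind, cex in check_procedure(PRE, PROGRAM, ARRAYS):
        print(f"line {line}: possible {kind}, e.g. {cex}")
```

Line 2 produces two verification conditions that hold, so nothing is reported for it; line 4 fails its bounds check with the witness n = 1, a of length 1; line 5 fails both checks because the precondition says nothing about b. Changing line 3 to i := n - 1 makes every condition hold on the model. In the real checker the finite search is replaced by a theorem prover, so a failed proof is a warning about a possible error rather than a concrete test case, which is why the abstract stresses failed proofs over successful ones.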