K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 8 Nov 2007 Invited talk, ASE 2007 Atlanta, GA

Mike Barnett Nikolaj Bjørner Leonardo de Moura Manuel Fähndrich Bart Jacobs Ronald Middelkoop Michał Moskal Peter Müller Ralf Sasse Wolfram Schulte Jan Smans Herman Venter Angela Wallenburg

Problem Building and maintaining programs that are correct Approach Specifications record design decisions bridge intent and code Tools amplify human effort manage details find inconsistencies ensure quality

Hoare, Joshi, Leavens, Misra, Naumann, Shankar, Woodcock, et al. “We envision a world in which computer programs are always the most reliable component of any system or device that contains them” [Hoare & Misra]

Spec# language Object-oriented.NET language Superset of C#, adding: more types specifications (pre- and postconditions, etc.) Usage rules (methodology) Checking: Static type checking Run-time checking Static verification (optional)

Sound modular verification Focus on automation, not full functional correctness specifications No termination verification No verification of temporal properties

static verifier (Boogie) MSIL (“bytecode”) SMT solver V.C. generator Inference engine Translator verification condition “correct” or list of errors Spec# compiler Spec# BoogiePL

C HAVOC and VerifiedC (vcc) C HAVOC and VerifiedC (vcc) Eiffel …? Java bytecode + BML Spec# Z3 Simplify Zap 2 SMT Lib Fx7 SMT Lib Fx7 Isabelle/ HOL …? BoogiePL abstract interpreter predicate abstraction? termination detector? …?

C C Spec# Z3 BoogiePL 0: specifications 1: specifications 3: translation 4: translation 5: V.C. generation 2: BoogiePL overview

Multi-variable invariants Multi-object invariants

Demo

dict: :Chunker:Chunker :Dictionary:Dictionary n: 84 Count: 21 :Chunker:Chunker dict: n: 20 inv dict.Count ≤ n; :Classroom:Classroom studentGrades: inv studentGrades.Count ≤ 20; reprep inv dict.Count ≤ n; owner

Based on dynamic frames [Yannis Kassios, FM 2006] class C { int x; int y; Dictionary d; … frame f  { x, y, d, … }  d.fr; predicate Valid reads f  x ≤ y  d.Valid  … ; method M() requires Valid; modifies f; ensures Valid; }

Top-level declarations Statements

type T; const x: T; function f(A, B) returns (T); axiom E; var y: T; procedure P(a: A, b: B) returns (x: T, y: U); requires pre; modifies w; ensures Q; implementation P(a: A, b: B) returns (x: T, y: U) { … }

x := E a[ i ] := E havoc x assert E assume E ; call P() if while break label: goto A, B

F

Queue :Queue:Queue :Node:Node:Node:Node:Node:Node:Node:Node … head: next: tail: next: frame

class C : object { int x; C( ) { … } virtual int M(int n) { … } static void Main() { C c = new C( ); c.x = 12; int y = c.M(5); } } class C : object { int x; C( ) { … } virtual int M(int n) { … } static void Main() { C c = new C( ); c.x = 12; int y = c.M(5); } } Example source program

// class types const unique System.Object: name; const unique C: name; axiom C <: System.Object; function typeof(ref) returns (name); // fields type Field; const unique C.x: Field; const unique allocated: Field; // the heap var Heap: [ref, Field] int; class C : object { int x; class C : object { int x;

// method declarations procedure C..ctor(this: ref); requires this != null && typeof(this) <: C; modifies Heap; procedure C.M(this: ref, n: int) returns (result: int); requires this != null && typeof(this) <: C; modifies Heap; procedure C.Main(); modifies Heap; C() { … } virtual int M(int n) static void Main() C() { … } virtual int M(int n) static void Main()

// method implementations implementation C.Main() { var c: ref, y: int; havoc c; assume c != null; assume Heap[c, allocated] == 0; assume typeof(c) == C; Heap[c, allocated] := 1; call C..ctor(c); assert c != null; Heap[c, C.x] := 12; call y := C.M(c, 5); } C c = new C(); c.x = 12; int y = c.M(5);

type Field; var Heap: [ref, Field] int; type Field; var HeapInt: [ref, Field] int; var HeapBool: [ref, Field] bool; … type Field; type Value; var Heap: [ref, Field] Value; and conversion functions between Value and other types type Field ; var Heap: .[ref, Field ] ;

public string NextChunk() modifies this.*; ensures result.Length <= ChunkSize; public string NextChunk() modifies this.*; ensures result.Length <= ChunkSize;

procedure Chunker.NextChunk(this: ref where $IsNotNull(this, Chunker)) returns ($result: ref where $IsNotNull($result, System.String)); // in-parameter: target object free requires $Heap[this, $allocated]; requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // out-parameter: return value free ensures $Heap[$result, $allocated]; ensures ($Heap[$result, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[$result, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // user-declared postconditions ensures $StringLength($result) <= $Heap[this, Chunker.ChunkSize]; // frame condition modifies $Heap; free ensures (forall $o: ref, $f: name :: { $Heap[$o, $f] } $f != $inv && $f != $localinv && $f != $FirstConsistentOwner && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] old($Heap)[$o, $f] == $Heap[$o, $f]); // boilerplate free requires $BeingConstructed == null; free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> old($Heap)[$ot, $ownerRef] == $Heap[$ot, $ownerRef] && old($Heap)[$ot, $ownerFrame] == $Heap[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];

A pointer in C can go to any byte location in a segment A pointer is a (segment, offset) pair base(ptr) gives the segment offset(ptr) gives the offset within the segment Each segment has a fixed length length(seg)

Consider the translation of:*p = k; m = *p; type Ptr; type Segment; function base(Ptr) returns (Segment); function offset(Ptr) returns (int); var Mem: [Segment, int] int; assert 0 ≤ offset(p); assert offset(p) + 4 ≤ length(base(p)); Mem[base(p), offset(p)] := B3(k); Mem[base(p), offset(p)+1] := B2(k); Mem[base(p), offset(p)+2] := B1(k); Mem[base(p), offset(p)+3] := B0(k); assert 0 ≤ offset(p); assert offset(p) + 4 ≤ length(base(p)); m := Word(Mem[base(p), offset(p)+3], Mem[base(p), offset(p)+2], Mem[base(p), offset(p)+1], Mem[base(p), offset(p)]);

Define custom functions to access memory type MType; type Ptr; type ByteSeq; function rd(MType, Ptr, int) returns (ByteSeq); function wr(MType, Ptr, int, ByteSeq) returns (Mtype); axiom ( m: MType, p: Ptr, q: Ptr, plen: int, qlen: int, val: ByteSeq  base(p) = base(q)  offset(p) = offset(q)  0 < plen  plen = qlen rd(wr(m,p,plen,val), q, qlen) = val); axiom ( m: MType, p: Ptr, q: Ptr, plen: int, qlen: int, val: ByteSeq  base(p)  base(q)  offset(p) + plen ≤ offset(q)  offset(q) + qlen ≤ offset(p) rd(wr(m,p,plen,val), q, qlen) = rd(m, q, qlen)); axiom …

Use of quantifiers Matching triggers, available already in BoogiePL Reducing redundancy Paths across conditional statements But also splitting VCs into smaller ones wp versus sp

{ P } S { Q } Started in a state satisfying P, no execution of S will go wrong, and every terminating execution of S will end in a state satisfying Q P  wp(S, Q) or perhaps: sp(P, S)  Q ?

wp( x := E, Q) = Q[E/x] wp( S;T, Q) = wp( S, wp( T, Q)) wp( assume E, Q) = E  Q wp( assert E, Q) = E  Q sp(P, x := E ) = (  y  P[y/x]  x = E[y/x]) sp(P, S;T ) = sp(sp(P, S ), T ) sp(P, assume E ) = E  P sp(P, assert E ) = E  P but one would also like to check that E actually holds in P

Prove more programs Extend structuring methodologies Improve performance Raise level of abstraction, e.g.: Alloy Meta programming B method

Download Spec# and Boogie from here Verification for Spec#, C, and BoogiePL To verify, use an intermediate language Separates concerns Promotes sharing in verification community Front ends for multiple languages Multiple theorem provers Shared benchmarks Build your own verifier using Boogie Hardest part in designing VCs: programming methodology that Fits common programming idioms and Can be handled well by automatic prover Education Teach using Spec# Teach verification using BoogiePL