The Dafny program verifier K. Rustan M. Leino Research in Software Engineering Microsoft Research, Redmond Victoria University of Wellington Wellington, NZ 13 April 2010 © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Some RiSE tools at Microsoft SLAM, Static Driver Verifier (SDV) Sage Code Contracts for .NET Clousot Pex Z3

Static Driver Verifier Applied regularly to all Microsoft device drivers of the support device models ~300 bugs found Available in Windows DDK to third parties

Predicate abstraction and refinement e.g.: Graf & Saïdi, SLAM, BLAST, … correct model checker boolean program abstract trace predicate abstraction concrete trace C program predicates feasible? no yes error message predicate refinement

Symbolic-powered testing Sage [Godefroid, Levin, et al.] White-box fuzzing for C programs Applied regularly 100s of people doing various kinds of fuzzing Seed input New generation of symbolically derived input

Specifications: .NET today StringBuilder.Append Method (Char[ ], Int32, Int32) Appends the string representation of a specified subarray of Unicode characters to the end of this instance. public StringBuilder Append(char[] value, int startIndex, int charCount); Parameters value A character array. startIndex The starting position in value. charCount The number of characters append. Return Value A reference to this instance after the append operation has occurred. Exceptions Exception Type Condition ArgumentNullException value is a null reference, and startIndex and charCount are not zero. ArgumentOutOfRangeException charCount is less than zero. -or- startIndex is less than zero. startIndex + charCount is less than the length of value.

Specifications in Spec# public StringBuilder Append(char[] value, int startIndex, int charCount ); requires value == null ==> startIndex == 0 && charCount == 0; requires 0 <= startIndex; requires 0 <= charCount; requires value == null || startIndex + charCount <= value.Length; ensures result == this;

Specifications with Code Contracts public StringBuilder Append(char[] value, int startIndex, int charCount ) { Contract.Requires(value != null || (startIndex == 0 && charCount == 0)); Contract.Requires(0 <= startIndex); Contract.Requires(0 <= charCount); Contract.Requires(value == null || startIndex + charCount <= value.Length); Contract.Ensures(Contracts.Result<StringBuilder>() == this); // method implementation... } Note that postcondition is declared at top of method body, which is not where it should be executed. A rewriter tool moves these.

Code Contracts [Barnett, Fähndrich, Grunkemeyer, Logozzo, et al.] Declarative contracts Language independent Library to ship in .NET 4.0 Tools available on DevLabs Code Contracts Rewriter (for run-time checking) Clousot abstract interpreter Pex automated testing tool [de Halleux, Tillman, et al.]

Clousot [Fähndrich, Logozzo] Abstract interpreter for .NET Verifies Code Contracts at compile time Some key technology: Heap-aware abstraction Iterative application of numerical domains: Pentagons Subpolyhedra others

Pentagons Some common abstract domains: Observation: Intervals x  [A,B] Octagons  x  y ≤ K Polyhedra Σi xi ≤ K Observation: Checking array accesses involves constraints like 0 ≤ x < a.Length These can be represented by intervals plus variable orderings y ≤ x Pentagon: Picture source: Robert Webb's Great Stella software, http://www.software3d.com/Stella.html

Z3 [Bjørner, de Moura] Satisfiability Modulo Theories (SMT) solver 9 first places and 6 second places at SMT-COMP’08 Used in all tools mentioned, except Clousot

Deductive verificaton tools HAVOC Has been applied to 100s of KLOC ~40 bugs in resource leaks, lock usage, use-after-free VCC Being applied to Microsoft Hypervisor …

a language and verifier Dafny a language and verifier

Program verification Dafny functional correctness limited checking traditional mechanical program verification extended static checking limited checking automatic decision procedures (SMT solvers) interactive proof assistants

Dafny language Sequential programs Generic classes Built-in specifications Simple yet flexible framing Sets, sequences, algebraic datatypes User-defined functions Ghost variables Termination specifications

Dafny demos Cubes Queue Schorr-Waite

Verification architecture Spec# C Dafny Chalice … Boogie Simplify Z3 SMT Lib …

Boogie language overview Mathematical features type T; const x: T; function f(A, B): T; axiom E; Imperative features var y: T; procedure P(a: A, b: B) returns (x: T, y: U); requires pre; modifies w; ensures post; implementation P(a: A, b: B) returns (x: T, y: U) { … }

Boogie statements x := E a[ i ] := E label: ; if while break havoc x assert E assume E ; call P() if while break label: goto A, B

Example: Defining OO semantics by translation into Boogie class C { var x: int; method M(n: int) returns (r: int) { … } static method Main() { var c := new C; c.x := 12; call y := c.M(5); } }

Example: Boogie translation (0) class C { var x: int; // class types type ClassName; const unique C: ClassName; type Ref; function dtype(Ref): CName; const null: Ref; // fields type Field α; const unique C.x: Field int; const unique allocated: Field bool; // memory var Heap: <α>[Ref, Field α] α;

Example: Boogie translation (1) method M(n: int) returns (r: int) static method Main() // method declarations procedure C.M(this: Ref, n: int) returns (r: int); requires this != null && dtype(this) == C; modifies Heap; procedure C.Main();

Example: Boogie translation (2) // method implementations implementation C.Main() { var c: Ref, y: int; havoc c; assume c != null; assume Heap[c, allocated] == false; assume dtype(c) == C; Heap[c, allocated] := true; assert c != null; Heap[c, C.x] := 12; call y := C.M(c, 5); } c.x := 12; var c := new C; call y := c.M(5);

Conclusions Tools and specifications are useful in software development Full functional-correctness verification is becoming more automatic To build a verifier, use an intermediate verification language Dafny and Boogie boogie.codeplex.com Code Contracts research.microsoft.com/contracts Projects and videos research.microsoft.com/rise Various papers research.microsoft.com/~leino/papers.html