K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 15 January 2009 Séminaire Digiteo Orsay, France.


Research in Software Engineering (RiSE), Microsoft Research, Redmond
Related groups: PPT (MSR Cambridge) and RSE (MSR India)

Goal: better build, maintain, and understand programs.
How?
  Specifications
  Tools, tools, tools
  Program semantics
  Verification-condition generation, symbolic execution, model checking, abstract interpretation, fuzzing, test generation
  Satisfiability Modulo Theories (SMT)

Hoare, Joshi, Leavens, Misra, Naumann, Shankar, Woodcock, et al. “We envision a world in which computer programs are always the most reliable component of any system or device that contains them” [Hoare & Misra]

Outline:
  Spec# demo
  Various techniques and RiSE tools
  Use/effectiveness of tools at Microsoft

Spec#: a research prototype
The Spec# language is an object-oriented .NET language, a superset of C# 2.0, adding:
  more types (e.g., non-null types)
  specifications (e.g., pre- and postconditions)
  usage rules (methodology)
Checking:
  static type checking
  run-time checking
  static verification (optional)

StringBuilder.Append Method (Char[], Int32, Int32)
Appends the string representation of a specified subarray of Unicode characters to the end of this instance.

  public StringBuilder Append(char[] value, int startIndex, int charCount);

Parameters
  value: a character array.
  startIndex: the starting position in value.
  charCount: the number of characters to append.
Return Value
  A reference to this instance after the append operation has occurred.
Exceptions
  ArgumentNullException: value is a null reference, and startIndex and charCount are not zero.
  ArgumentOutOfRangeException: charCount is less than zero. -or- startIndex is less than zero. -or- startIndex + charCount is less than the length of value.

(The last condition is stated backwards in this documentation excerpt: the exception is actually thrown when startIndex + charCount is greater than the length of value. The Spec# contract that follows makes the correct bound explicit as startIndex + charCount <= value.Length, which is exactly the kind of ambiguity a machine-checked contract removes.)

The same method with a Spec# contract; each requires clause corresponds to one line of the exception table above:

  public StringBuilder Append(char[] value, int startIndex, int charCount)
    requires value == null ==> startIndex == 0 && charCount == 0;
    requires 0 <= startIndex;
    requires 0 <= charCount;
    requires value == null || startIndex + charCount <= value.Length;
    ensures result == this;

The same contract written with Code Contracts, as ordinary C# method calls:

  public StringBuilder Append(char[] value, int startIndex, int charCount)
  {
    Contract.Requires(value != null || (startIndex == 0 && charCount == 0));
    Contract.Requires(0 <= startIndex);
    Contract.Requires(0 <= charCount);
    Contract.Requires(value == null || startIndex + charCount <= value.Length);
    Contract.Ensures(Contract.Result<StringBuilder>() == this);
    // method implementation...
  }

Note that the postcondition is declared at the top of the method body, which is not where it should be executed: the Code Contracts rewriter moves these checks to the method's exit points.

Code Contracts
  Declarative contracts, language independent
  Library to ship in .NET 4.0
  Tools to be released via DevLabs:
    Rewriter (for run-time checking)
    Clousot abstract interpreter
    Pex automated testing tool

Spec# verifier pipeline (diagram):
  Spec# source → Spec# compiler → MSIL ("bytecode") → Translator → Boogie (inference engine, V.C. generator) → verification condition → SMT solver → "correct" or list of errors

Boogie architecture (diagram):
  Front ends: Spec#, Dafny, Chalice, C with HAVOC specifications, C with VCC specifications, "your language here"
    ↓
  Boogie, with Boogie-to-Boogie transformations: inference engines, program transformations, logic optimizers
    ↓
  Provers: Z3, Simplify, SMT-Lib, Isabelle/HOL, "your prover here"

Verification conditions are computed by weakest preconditions (wp).
wp(Prog, Q) yields a formula that describes the pre-states from which Prog correctly establishes Q.
Example:
  wp( if (B) { S } else { T }, Q ) = (B ⇒ wp(S, Q)) ∧ (¬B ⇒ wp(T, Q))

Example program (Prog):
  p := new C();
  if (x < 0) { x := -x; }
  assert p ≠ null;

wp(Prog, true)
  = ((x < 0 ⇒ (p ≠ null)[-x/x]) ∧ (¬(x < 0) ⇒ p ≠ null))[new C()/p]
  = (x < 0 ⇒ new C() ≠ null) ∧ (¬(x < 0) ⇒ new C() ≠ null)

Rewrite Prog into Prog' (passive form: every assignment becomes an assumption about a fresh version of the variable):
  assume p0 = new C();
  if (x0 < 0) { assume x1 = -x0; assume x2 = x1; } else { assume x2 = x0; }
  assert p0 ≠ null;

wp(Prog', true)
  = p0 = new C() ⇒ (((x0 < 0 ⇒ x1 = -x0 ∧ x2 = x1) ∧ (¬(x0 < 0) ⇒ x2 = x0)) ⇒ p0 ≠ null)

This works well when the if branches modify variables that the downstream assertion does not depend on (above, the assertion p0 ≠ null appears once instead of once per branch). But when the heap is encoded as one variable, almost every branch modifies that variable … room for new solutions.

Demo: Chunker.dict

(Diagram from the demo: object ownership and invariants.)
  A Chunker (n: 84) holds a Dictionary (Count: 21) in its dict field; the field is marked rep, so the Chunker is the Dictionary's owner.
    inv dict.Count ≤ n;
  A second Chunker (n: 20) has the same invariant, inv dict.Count ≤ n;
  A Classroom holds a studentGrades collection, with inv studentGrades.Count ≤ 20;

Methodologies for object invariants and framing:
  Spec#/Boogie methodology
  Dynamic frames
  Implicit dynamic frames
  Separation logic
  … room for improved encodings and methodologies

Clousot: abstract interpreter for .NET
Verifies Code Contracts at compile time.
Some key technology:
  Heap-aware abstraction
  Iterative application of numerical domains: Pentagons, Subpolyhedra, others

Some common abstract domains:
  Intervals    x ∈ [A, B]
  Octagons     ±x ± y ≤ K
  Polyhedra    Σᵢ aᵢ·xᵢ ≤ K
Observation: checking array accesses involves constraints like 0 ≤ x < a.Length. These can be represented by intervals plus pairwise variable orderings (x < y), which is the Pentagons domain.
(Picture source: Robert Webb's Great Stella software; a pentagon.)
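As an added example (not Clousot's code), the following Python implements the observation above on one loop: an interval domain alone cannot prove i < a.Length for an array of unknown length, while adding the Pentagons ordering facts x < y does. The loop, the variable names (len stands for a.Length) and the handful of supported operations are assumptions of the example; it also analyses the off-by-one variant while (i <= len) and correctly refuses to prove that access safe.

```python
# Interval vs. Pentagon analysis of an array-indexing loop (added example, not Clousot's code).
# Abstract state: one interval per variable, plus (Pentagons) a set of strict orderings x < y.
# Program analysed, with `len` standing for a.Length (constructed input):
#     i := 0; while (i < len) { a[i] := 0; i := i + 1 }
# The access a[i] is safe iff the state at the access proves 0 <= i and i < len.
INF = float('inf')

class State:
    def __init__(self, box, lt=frozenset()):
        self.box = dict(box)             # var -> (lo, hi)
        self.lt = frozenset(lt)          # {(x, y)} meaning x < y
    def __eq__(self, o): return self.box == o.box and self.lt == o.lt

def assign_const(s, x, c):
    return State({**s.box, x: (c, c)}, {p for p in s.lt if x not in p})

def assign_incr(s, x):                   # x := x + 1
    lo, hi = s.box[x]                    # y < x still holds afterwards, x < y does not
    return State({**s.box, x: (lo + 1, hi + 1)}, {p for p in s.lt if p[0] != x})

def assume_lt(s, x, y, holds, relational):
    """Refine s by the guard x < y (holds) or by its negation y <= x."""
    (xl, xh), (yl, yh) = s.box[x], s.box[y]
    if holds:
        box = {**s.box, x: (xl, min(xh, yh - 1)), y: (max(yl, xl + 1), yh)}
        return State(box, s.lt | {(x, y)} if relational else s.lt)
    box = {**s.box, x: (max(xl, yl), xh), y: (yl, min(yh, xh))}
    return State(box, s.lt - {(x, y)})

def join(a, b):                          # least upper bound: interval hull, common orderings
    return State({v: (min(a.box[v][0], b.box[v][0]), max(a.box[v][1], b.box[v][1]))
                  for v in a.box}, a.lt & b.lt)

def widen(old, new):                     # bounds that grew are pushed to infinity
    return State({v: (old.box[v][0] if new.box[v][0] >= old.box[v][0] else -INF,
                      old.box[v][1] if new.box[v][1] <= old.box[v][1] else INF)
                  for v in old.box}, old.lt & new.lt)

def access_safe(s, i, length):
    """Does the state prove 0 <= i < length?"""
    lo, hi = s.box[i]
    return lo >= 0 and (hi < s.box[length][0] or (i, length) in s.lt)

def analyse(relational=True, strict_guard=True):
    """Fixpoint iteration with widening.  Returns (access proved safe?, state at the access).
    strict_guard=False analyses the off-by-one loop 'while (i <= len)'."""
    def at_access(inv):
        return (assume_lt(inv, 'i', 'len', True, relational) if strict_guard
                else assume_lt(inv, 'len', 'i', False, relational))
    inv = assign_const(State({'i': (-INF, INF), 'len': (0, INF)}), 'i', 0)
    while True:
        body_out = assign_incr(at_access(inv), 'i')     # a[i] := 0 changes neither i nor len
        nxt = widen(inv, join(inv, body_out))
        if nxt == inv: break
        inv = nxt
    final = at_access(inv)
    return access_safe(final, 'i', 'len'), final.box

if __name__ == '__main__':
    for rel, strict in ((False, True), (True, True), (True, False)):
        safe, box = analyse(rel, strict)
        print(f"relational={rel} strict_guard={strict}: safe={safe} i={box['i']} len={box['len']}")
```

After widening, intervals alone only know i ∈ [0, +∞) and len ∈ [1, +∞), so the upper bound cannot be discharged; the ordering fact i < len, re-established by the loop guard on every iteration, is what proves it. The fact is deliberately dropped by i := i + 1 (i + 1 < len does not follow from i < len), which is also why the off-by-one loop is reported as unprovable.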

White-box fuzzing and automatic test generation
  SAGE [Godefroid, Levin, et al.]: white-box fuzzing for C programs
  Pex [de Halleux, Tillmann, et al.]: automatic white-box testing for .NET
Diagram: seed input → new generation of symbolically derived inputs, which become the seeds of the next generation.
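An added example of the generational search these tools perform (not SAGE's or Pex's code): a small header parser, constructed for the example, is run on concrete bytes that log every comparison made on them; each logged branch is then negated in turn, keeping the constraints before it, to derive the next generation of inputs. Per-byte constraints are solved by enumeration here, standing in for the SMT solver the real tools use.

```python
# Generational white-box fuzzing in the style of SAGE/Pex (added example, not their code).
# Input bytes are wrapped so that every comparison the program makes is logged as a
# path constraint; negating the i-th constraint while keeping the first i-1 gives one
# child input per branch, i.e. one new generation per execution.  Constraints are solved
# by enumeration here (they are per-byte); the real tools hand them to an SMT solver (Z3).

class Sym:
    """A concrete input byte that records each comparison as (index, op, const, outcome)."""
    def __init__(self, idx, val, trace):
        self.idx, self.val, self.trace = idx, val, trace
    def _cmp(self, op, k):
        res = OPS[op](self.val, k)
        self.trace.append((self.idx, op, k, res))
        return res
    def __eq__(self, k): return self._cmp('==', k)
    def __ne__(self, k): return self._cmp('!=', k)
    def __lt__(self, k): return self._cmp('<', k)
    def __ge__(self, k): return self._cmp('>=', k)

OPS = {'==': lambda a, b: a == b, '!=': lambda a, b: a != b,
       '<': lambda a, b: a < b, '>=': lambda a, b: a >= b}

def parse_header(b):
    """Constructed program under test: a 4-byte header with one bug on a deep path."""
    if b[0] != 0x4D: return 'bad magic 0'
    if b[1] != 0x5A: return 'bad magic 1'
    if b[2] < 1: return 'empty'
    if b[3] >= 0x80: return 'flag set'
    if b[2] >= 200: raise AssertionError('length exceeds buffer')   # the bug
    return 'ok'

def run(program, data):
    """Run program on data; returns (result label, path constraints)."""
    trace = []
    try:
        result = program([Sym(i, v, trace) for i, v in enumerate(data)])
    except AssertionError as e:
        result = 'CRASH: ' + str(e)
    return result, trace

def solve(constraints, base):
    """Input satisfying every (idx, op, k, want) constraint, or None.  Bytes are
    independent, so each is found by enumeration (stand-in for the SMT solver)."""
    out = list(base)
    for idx in {c[0] for c in constraints}:
        ok = [v for v in range(256)
              if all(OPS[op](v, k) == want for i, op, k, want in constraints if i == idx)]
        if not ok: return None
        out[idx] = out[idx] if out[idx] in ok else ok[0]   # change the seed as little as possible
    return out

def generational_search(program, seed, max_gen=10):
    """Breadth-first generational search from one seed.  Returns the first input reaching
    each result label, the crashing inputs, and the generation of the first crash."""
    done, crashes, first_crash, coverage = set(), [], None, {}
    frontier = [list(seed)]
    for gen in range(max_gen):
        nxt = []
        for inp in frontier:
            if tuple(inp) in done: continue
            done.add(tuple(inp))
            result, trace = run(program, inp)
            coverage.setdefault(result, inp)
            if result.startswith('CRASH'):
                crashes.append(inp)
                first_crash = gen if first_crash is None else first_crash
            for i, (idx, op, k, res) in enumerate(trace):       # one child per branch
                child = solve(trace[:i] + [(idx, op, k, not res)], inp)
                if child is not None and tuple(child) not in done: nxt.append(child)
        if not nxt: break
        frontier = nxt
    return {'coverage': coverage, 'crashes': crashes, 'first_crash_generation': first_crash}

if __name__ == '__main__':
    r = generational_search(parse_header, [0, 0, 0, 0])
    for label, inp in r['coverage'].items(): print(f"{label:28s} {bytes(inp).hex()}")
    print("first crash in generation", r['first_crash_generation'])
```

From the all-zero seed the search reaches every result label and the crashing input 4D 5A C8 00 in the fourth generation after the seed; a black-box fuzzer would have to guess the two magic bytes and the length range at once, which is roughly a one-in-a-million event per input.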

Z3: Satisfiability Modulo Theories (SMT) solver
  9 first places and 6 second places at SMT-COMP'08
  Used in all tools mentioned, except Clousot

Use/effectiveness of tools at Microsoft
  Static Driver Verifier (SDV): applied regularly to all Microsoft device drivers for the supported driver models; ~300 bugs found; available to third parties in the Windows DDK
  SAGE: applied regularly; 100s of people doing various kinds of fuzzing
  HAVOC: has been applied to 100s of KLOC; ~40 bugs in resource leaks, lock usage, use-after-free
  VCC: being applied to the Microsoft Hypervisor
  …

Machine-processable specifications are being used increasingly.
Tools are useful and necessary: they provide useful checking, and they both validate and drive research.
SMT solving is a key technology.
Trend: user input is moving toward program text.
Many research challenges.