Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.

Slides:



Advertisements
Similar presentations
1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,
Advertisements

Verification of object-oriented programs with invariants Mike Barnett, Robert DeLine, Manuel Fahndrich, K. Rustan M. Leino, Wolfram Schulte Formal techniques.
Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.
Design Patterns.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Bor-Yuh Evan Chang Daan Leijen Peter Müller David A. Naumann The Spec# programming system Mike Barnett Rob DeLine Manuel Fähndrich Bart Jacobs K. Rustan.
Demand-driven inference of loop invariants in a theorem prover
Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 4 EEF summer school on Specification,
Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.
Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
0 - 0.
ALGEBRAIC EXPRESSIONS
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)
SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Addition Facts
1 Refactoring with Contracts Shmuel Tyszberowicz School of Computer Science The Academic College of Tel Aviv Yaffo Maayan Goldstein School of Computer.
Shape Analysis with Structural Invariant Checkers Bor-Yuh Evan Chang Xavier Rival George C. Necula May 10, 2007 OSQ Retreat.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.
Addition 1’s to 20.
25 seconds left…...
Test B, 100 Subtraction Facts
Week 1.
We will resume in: 25 Minutes.
Chapter 11 Component-Level Design
Techniques for proving programs with pointers A. Tikhomirov.
Chapter 9: Using Classes and Objects. Understanding Class Concepts Types of classes – Classes that are only application programs with a Main() method.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.
K. Rustan M. Leino Microsoft Research Peter Müller ETH Zurich Angela Wallenburg Chalmers University.
KATHOLIEKE UNIVERSITEIT LEUVEN 1Secure Software - (C) F. Piessens Preventing Software Vulnerabilities by Static Verification and Run Time Checking.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA Invited talk Informatics Education in Europe (IEE III’08)
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.
ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 2 Courtesy: K. Rustan M. Leino and Wolfram Schulte.
Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 1 LASER.
ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 3 Courtesy: K. Rustan M. Leino and Wolfram Schulte.
Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of.
K. Rustan M. Leino Microsoft Research, Redmond NUI Maynooth Maynooth, Ireland 8 June 2007.
K. Rustan M. Leino Microsoft Research, Redmond, WA, USA with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Toward enforceable contracts.
Going beyond a basic ownership system in Spec# K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Peter Müller Angela Wallenburg ESF workshop.
Using data groups to specify and check side effects K. Rustan M. Leino Microsoft Research Arnd Poetzsch-Heffter Universität Kaiserslautern Yunhong Zhou.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Corporation Joint work with: Mike Barnett, Robert DeLine, Manuel.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Reasoning about object structures with Spec# K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel Fähndrich,
Verification of Programs with Inspector Methods Bart Jacobs and Frank Piessens Dept. CS, K.U.Leuven, Belgium.
A Universe-Type-Based Verification Technique for Mutable Static Fields and Methods Alexander J Summers Sophia Drossopoulou Imperial College London Peter.
K. Rustan M. Leino Microsoft Research, Redmond, WA, USA with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Spec# Writing and checking.
Spec# Andreas Vida. Motivation Correct and maintainable software Correct and maintainable software Cost effective software production Cost effective software.
K. Rustan M. Leino Principal Researcher Microsoft Research, Redmond, WA, USA 14 Nov 2007 Øredev Malmö, Sweden.
K. Rustan M. Leino and Wolfram Schulte Microsoft Research, Redmond ESOP 2007 Braga, Portugal 28 March 2007.
Specifying and verifying programs in Spec# K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Invited talk, PSI 2006 Novosibirsk, Russia 27 June 2006.
K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 15 Nov 2007 Chalmers Göteborg, Sweden.
Spec# John Lefor Program Manager Developer Division, Microsoft.
1 Verification of object-oriented programs with invariants Mike Barnett, Robert DeLine, Manuel Fahndrich, K. Rustan M. Leino, Wolfram Schulte ECOOP 2003.
Faithful mapping of model classes to mathematical structures Ádám Darvas ETH Zürich Switzerland Peter Müller Microsoft Research Redmond, WA, USA SAVCBS.
Reasoning about object structures with Spec# K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel Fähndrich,
Extended Static Checking for Java
Specification techniques for verifying object-oriented software
Hoare-style program verification
Presentation transcript:

Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________ Joint work with Rustan Leino, Mike Barnett, Manuel Fähndrich, Herman Venter, Rob DeLine, Wolfram Schulte (all MSR), and Peter Müller (ETH), Bart Jacobs (KU Leuven) and Bor-Yuh Evan Chung (Berkley). Slides based on a presentation of Peter Müller given at MSR 5/2006

2 Review: Verification of OO Programs with Invariants What were the 2 major tricks to support invariants? Which programs can we verify? What are the limitations?

3 class Rectangle implements Shape { int x1; y1; x2; y2; void DoubleWidth( ) ensures x2 – x1 == old( x2 – x1 ) * 2; { … } } class Rectangle: Shape { int x1; y1; x2; y2; pure int Width( ) private ensures result == x2 – x1; { … } void DoubleWidth( ) ensures Width( ) == old( Width( ) ) * 2; { … } } Needed for Subtyping Information hiding interface Shape { void DoubleWidth( ) ensures ??; } Data Abstraction using Methods interface Shape { pure int Width( ); void DoubleWidth( ) ensures Width( ) == old( Width( ) ) * 2; }

4 Encoding of Pure Methods Pure methods are encoded as functions Functions are axiomatized based on specifications M: Value Value Heap Value this,par,Heap: Requires M ( this,par,Heap ) Ensures M (this,par,Heap) [ M(this,par,Heap ) / result ]

5 Problem 1: Inconsistent Specifications Flawed specifications potentially lead to inconsistent axioms How to guarantee consistency? class Inconsistent { pure int Wrong( ) ensures result == 1; ensures result == 0; { … } } class List { List next; pure int Len( ) ensures result == Len( ) + 1; { … } … }

6 Problem 2: Weak Purity Weak purity can be observed through reference equality How to prevent tests for reference equality? class C { pure C Alloc( ) ensures fresh( result ); { return new C( ); } void Foo( ) ensures Alloc( )==Alloc( ); {... } } Alloc( this, H ) = Alloc( this, H )

7 Problem 3: Frame Properties Result of pure methods depends on the heap How to relate invocations that refer to different heaps? Has( list, o, H ) class List { pure bool Has( object o ) { … } void Remove( object o ) requires Has( o ); { … } … } void Foo( List list, object o ) requires list.Has( o ); { log.Log( Message ); list.Remove( o ); }

8 class Rectangle implements Shape { int x1; y1; x2; y2; void DoubleWidth( ) ensures x2 – x1 == old( x2 – x1 ) * 2; { … } } class Rectangle implements Shape { int x1; y1; x2; y2; model int width | width == x2 – x1; void DoubleWidth( ) ensures width == old( width ) * 2; { … } } Data Abstraction using Model Fields Specification-only fields Value is determined by a mapping from concrete state Similar to parameterless pure methods interface Shape { void DoubleWidth( ) ensures ??; } interface Shape { model int width; void DoubleWidth( ) ensures width == old( width ) * 2; }

9 Variant of Problem 3: Frame Properties Assignment might change model fields of client objects Analogous problem for subtypes How to synchronize values of model fields with concrete fields? class Rectangle { model int width | width == x2 – x1; void DoubleWidth( ) modifies x2, width; ensures width = old( width ) * 2; { x2 := (x2 - x1) * 2 + x1; } } class Legend { Rectangle box; int font; model int mc | mc==box.width / font; … }

10 class List { List next; invariant list is acyclic; model int len | len == (next == null) ? 1 : next.len + 1; … } Validity Principle Only model fields of valid objects have to satisfy their constraints Avoids inconsistencies due to invalid objects X, m: X.inv = valid R m ( X, X.m )

11 Decoupling Principle Decoupling: Model fields are not updated instantly when dependee fields are modified –Values of model fields are stored in the heap –Updated when object is being packed class Rectangle { model int width | width == x2 – x1; void DoubleWidth( ) requires inv==valid; { unpack this; x2 := (x2 – x1) * 2 + x1; pack this; } : Rectangle x1: 0 x2: 10 width: 10 : Rectangle x1: 0 x2: 10 width: 10 : Rectangle x1: 0 x2: 20 width: 10 : Rectangle x1: 0 x2: 20 width: 20

12 Mutable Dependent Principle Mutable Dependent: If a model field o.m depends on a field x.f, then o must be mutable whenever x is mutable : Legend box: font: 5 mc: 2 : Rectangle x1: 0 x2: 20 width: 20

13 The Methodology in Action class Legend { rep Rectangle box; model int mc | mc == box.width / font; … } class Rectangle { void DoubleWidth( ) requires inv == valid && owner.inv == mutable; modifies width, x2; { expose(this) { x2 := (x2 – x1) * 2 + x1; } : Rectangle x1: 0 x2: 10 width: 10 : Legend mc: 2 : Rectangle x1: 0 x2: 10 width: 10 : Rectangle x1: 0 x2: 20 width: 10 : Rectangle x1: 0 x2: 20 width: 20 : Legend mc: 4

14 Automatic Updates of Model Fields pack X assert X null X.inv = mutable; assert Inv( X ); assert p: p.owner = X p.inv = valid; … X.inv := valid; foreach m of X: assert r: R m ( X, r ); X.m := choose r such that R m ( X, r ); end

15 Soundness Theorem: Proof sketch –Object creation new: new object is initially mutable –Field update X.f := E; Model fields of X: asserts X.inv = mutable Model fields of Xs owners: mutable dependent principle –unpack X: changes X.inv to mutable –pack X: updates model fields of X X,m: X.inv = valid R m ( X, X.m )

16 Problem 1 Revisited: Inconsistent Specifications Witness requirement for non-recursive specifications Ownership for traversal of object structures Termination measures for recursive specs pure int Wrong( ) ensures result == 1; ensures result == 0; pure int Len( ) ensures result == Len( ) + 1; pure static int Fac( int n ) requires n >= 0; ensures result == ( n==0 ) ? 1 : Fac( n-1 ) * n; pure int Len( ) ensures result == Len( ) + 1; measured_by height( this ); pure static int Fac( int n ) requires n >= 0; ensures result == ( n==0 ) ? 1 : Fac( n-1 ) * n; measured_by n;

17 Problem 2 Revisited: Restricted Weak Purity pure C Alloc( ) { return new C( ); } Pure methods must not return references to new objects (Compile time effect analysis) Provide value types for sets, sequences, etc.

18 Problem 3 Revisited: Frame Properties Model field solution does not work for methods with parameters Caching of values not possible for runtime checking Mutable dependent principle too strict class List { pure bool Has( object o ) { … } void Remove( object o ) requires Has( o ); { … } … } void Foo( List list, object o ) requires list.Has( o ); { log.Log( Message ); list.Remove( o ); }

19 Summary Data abstraction is crucial to express functional correctness properties Verification methodology for model fields –Supports subtyping –Is modular and sound –Key insight: model fields are reduced to ordinary fields with automatic updates Verification methodology for methods (not yet ready) –Partial solution: encoding, weak purity, consistency –Future work: frame properties based on effects

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.