Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

Slides:



Advertisements
Similar presentations
Advanced programming tools at Microsoft
Advertisements

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Demand-driven inference of loop invariants in a theorem prover
Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.
JML and ESC/Java2: An Introduction Karl Meinke School of Computer Science and Communication, KTH.
Securing Java applets Erik Poll Security of Systems (SOS) group University of Nijmegen
VIDE als voortzetting van Cocktail SET Seminar 11 september 2008 Dr. ir. Michael Franssen.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
1 Automatic Software Model Checking via Constraint Logic Programming Cormac Flanagan Systems Research Center HP Labs.
Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,
An overview of JML tools and applications Lilian Burdy Gemplus Yoonsik Cheon, Gary Leavens Iowa Univ. David Cok Kodak Michael Ernst MIT Rustan Leino Microsoft.
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer (Nadia Polikarpova) Verification tools.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
VIDE Integrated Environment for Development and Verification of Programs.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
K. Rustan M. Leino Microsoft Research, Redmond, WA, USA with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Toward enforceable contracts.
Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.
Chair of Software Engineering Automatic Verification of Computer Programs.
Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.
Jonathan Kuhn Robin Mange EPFL-SSC Compaq Systems Research Center Flanagan, Leino, Lillibridge, Nelson, Saxe and Stata.
Extended Static Checking for Java or Light-weight formal methods: from objects to components Joint work with Cormac Flanagan, Mark Lillibridge, Greg Nelson,
COSO 1030 Section 2 Software Engineering Concepts and Computation Complexity.
1 Total Correctness of Recursive Functions Using JML4 FSPV George Karabotsos, Patrice Chalin, Perry R. James, Leveda Giannas Dependable Software Research.
Extended Static Checking for Java  ESC/Java finds common errors in Java programs: null dereferences, array index bounds errors, type cast errors, race.
111 Protocols CS 4311 Wirfs Brock et al., Designing Object-Oriented Software, Prentice Hall, (Chapter 8) Meyer, B., Applying design by contract,
Houdini, an annotation assistant for ESC/Java K. Rustan M. Leino Compaq SRC Joint work with Cormac Flanagan K. Rustan M. Leino Compaq SRC Joint work with.
Applications of extended static checking K. Rustan M. Leino Compaq SRC K. Rustan M. Leino Compaq SRC Systems Research Center Invited talk, SAS’01, Paris,
K. Rustan M. Leino Microsoft Research, Redmond, WA, USA with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Spec# Writing and checking.
Extended Static Checking for Java or Light-weight formal methods: from objects to components Joint work with Cormac Flanagan, Mark Lillibridge, Greg Nelson,
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata.
Verificare şi Validarea Sistemelor Soft Tem ă Laborator 1 ESC/Java2 Extended Static Checker for Java Dat ă primire laborator: Lab 1 Dat ă predare laborator:
Specifying and verifying programs in Spec# K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Invited talk, PSI 2006 Novosibirsk, Russia 27 June 2006.
Early Detection of JML Specification Errors using ESC/Java2 Patrice Chalin Dependable Software Research Group (DSRG) Computer Science and Software Engineering.
SAFE KERNEL EXTENSIONS WITHOUT RUN-TIME CHECKING George C. Necula Peter Lee Carnegie Mellon U.
Institute for Applied Information Processing and Communications (IAIK) – Secure & Correct Systems 1 Static Checking  note for.
Introduction to Software Analysis CS Why Take This Course? Learn methods to improve software quality – reliability, security, performance, etc.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.
Combining Static and Dynamic Reasoning for Bug Detection Yannis Smaragdakis and Christoph Csallner Elnatan Reisner – April 17, 2008.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
1 Verification of object-oriented programs with invariants Mike Barnett, Robert DeLine, Manuel Fahndrich, K. Rustan M. Leino, Wolfram Schulte ECOOP 2003.
ESCJ 14: ESC/Java Project Review Slides March 6th, 1997.
Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.
Extended Static Checking for Java
Programming Languages 2nd edition Tucker and Noonan
Hoare-style program verification
The Zoo of Software Security Techniques
Programming Languages 2nd edition Tucker and Noonan
Presentation transcript:

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based on KSE06 – With kind permission of Peter Müller

Software Engineering, lecture 20: Static program checking and verification 2 Correctness class ArraySet implements Set { private int[ ] array; private int next; … public void insert( int i ) { for ( int j = 0; j < next; j-- ) if array[ j ] == i then return true; return false; } class ArraySet implements Set { private int[ ] array; private int next; … public void insert( int i ) { for ( int j = 0; j < next; j-- ) if array[ j ] == i then return true; return false; } class ArraySet implements Set { private int[ ] array; private int next; … public void insert( int i ) { for ( int j = 0; j < next; j-- ) if array[ j ] == i then return true; return false; } class ArraySet implements Set { private int[ ] array; private int next; … public void insert( int i ) { for ( int j = 0; j < next; j-- ) if array[ j ] == i then return true; return false; } class ArraySet implements Set { private int[ ] array; private int next; … public void insert( int i ) { for ( int j = 0; j < next; j-- ) if array[ j ] == i then return true; return false; } Syntax Rules Context Conditions Semantic Rules Behavioral Specification

Software Engineering, lecture 20: Static program checking and verification 3 Aspects of correctness Syntax Rules Context Conditions Semantic Rules Behavioral Specification Syntax Semantics Scanning, Parsing Test, Verification Semantic Analysis, Type Checking

Software Engineering, lecture 20: Static program checking and verification 4 Test and verification Test Objective  Detect bugs Examples  White box test  Black box test Problems  Successful test does not guarantee correctness Verification Objective  Prove correctness Examples  Formal verification based on a logic  Symbolic execution Problems  Expensive  Formal specification of behavior is required

Software Engineering, lecture 20: Static program checking and verification 5 Levels of coverage Effort Coverage Type checking Program verification Extended static checking Decidability ceiling

Software Engineering, lecture 20: Static program checking and verification 6 Extended static checking ESC/Java developed at DEC, Compaq, and HP Research Fully automated tool Tries to verify  Absence of runtime exceptions and common mistakes e.g. null dereference, array bounds, type cast errors, deadlocks  Simple user-specified contracts invariants, pre/postconditions, loop invariants, assertions Program with specifications Error messages Bag.java:18: Array index possibly too large Program Checker/Verifier

Software Engineering, lecture 20: Static program checking and verification 7 Program checker design tradeoffs Objectives  Fully automated reasoning  As little annotation overhead as possible  Performance Not sound  Errors may be missed Not complete  Warnings do not always report errors (false alarms) Goal  Cost-effective tool  Find source of possible bugs quickly Main reason why it’s called checker and not verifier

Software Engineering, lecture 20: Static program checking and verification 8 Tool architecture Translator Annotated Java program Verification condition Counterexample context Warning messages Automatic Theorem Prover Post Processor Valid Resource exhausted

Software Engineering, lecture 20: Static program checking and verification 9 Theorem prover: “Simplify” Automatic: No user interaction Refutation based: To prove  it will attempt to satisfy ¬   If this is possible, a counterexample is found, and we know a reason why  is invalid  If it fails to satisfy ¬  then  is considered to be valid

Software Engineering, lecture 20: Static program checking and verification 10 Time limits Logic used in Simplify is semi-decidable  Each procedure that proves all valid formulas loops forever on some invalid ones Simplify works with a time limit  When time limit is reached, counterexample is returned  Longer computation might show that returned counterexample is inconsistent Time limits are a source of incompleteness  Spurious counterexamples lead to spurious warnings

Software Engineering, lecture 20: Static program checking and verification 11 ESC/Java2 Successor of ESC/Java Eclipse integration Made specification language compatible with JML Made open source Give it a try!

Software Engineering, lecture 20: Static program checking and verification 12 Spec# Program verification tool developed at MS Research Superset of C#  non-null types  pre- and postconditions  object invariants Tool support  more type checking  compiler-emitted run-time checks  static program verification  fully integrated into Visual Studio.NET 2005 type checking static verification run-time checks degree of checking, effort into the future C# contracts everywhere

Software Engineering, lecture 20: Static program checking and verification 13 Spec# vs. ESC/Java(2) Similarities  Architecture  Full automation (even theorem prover is the same)  Essential contract language Differences  Spec# is sound  Spec# does modular reasoning price to pay: need to understand methodology

Software Engineering, lecture 20: Static program checking and verification 14 Non-null types T x; The value of x is - null or - reference to object whose type is a subtype of T. T! y; The value of y is - reference to object whose type is a subtype of T, and not null.

Software Engineering, lecture 20: Static program checking and verification 15 Types versus assertions Without non-null types: Person(string name) requires name != null; With non-null types: Person(string! name)

Software Engineering, lecture 20: Static program checking and verification 16 Comparing against null public void M(T x){ if (x == null) { … } else { T! y = x; … } Spec# performs a data-flow analysis to allow this

Spec# DEMO

Software Engineering, lecture 20: Static program checking and verification 18 References ESC/Java  Flanagan et al.: Extended Static Checking for Java ESC/Java2  Spec#  Barnett et al.: Boogie: A Modular Reusable Verifier for Object-Oriented Programs  Rustan Leino’s lectures 