K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 3 International Summer School Marktoberdorf Marktoberdorf,

Slides:



Advertisements
Similar presentations
Advanced programming tools at Microsoft
Advertisements

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Demand-driven inference of loop invariants in a theorem prover
Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 4 EEF summer school on Specification,
Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 EEF summer school on Specification,
Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 2 Summer school on Formal Models.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,
Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Program synthesis with Jennisys K. Rustan M. Leino Research in Software Engineering (RiSE), Microsoft Research, Redmond Aleksandar Milicevic MIT IFIP Working.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 2 Marktoberdorf.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.
Leonardo de Moura Microsoft Research. Verification/Analysis tools need some form of Symbolic Reasoning.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 International Summer School Marktoberdorf Marktoberdorf,
ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 2 Courtesy: K. Rustan M. Leino and Wolfram Schulte.
Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,
Leonardo de Moura and Nikolaj Bjørner Microsoft Research.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 1 LASER.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 4 International Summer School Marktoberdorf Marktoberdorf,
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 Summer School on Logic and Theorem-Proving in Programming.
K. Rustan M. Leino RiSE, Microsoft Research Typing, Analysis and Verification of Heap-Manipulating Programs Dagstuhl, Germany 20 July 2009.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 0 LASER.
ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 3 Courtesy: K. Rustan M. Leino and Wolfram Schulte.
Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of.
K. Rustan M. Leino Microsoft Research, Redmond NUI Maynooth Maynooth, Ireland 8 June 2007.
XTEAM: Architecture-Based Modeling and Analysis Tools with Metamodeling Nenad Medvidovic George Edwards
K. Rustan M. Leino Microsoft Research, Redmond Invited talk, TACAS 2007 ETAPS, Braga, Portugal 28 March 2007.
Nikolaj Bjørner Microsoft Research FSE &. *Title of Bradley & Manna’s book At the core of every software analysis engine is invariably a component using.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 4 LASER.
Well-cooked Spaghetti: Weakest-Precondition of Unstructured Programs Mike Barnett and Rustan Leino Microsoft Research Redmond, WA, USA.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 5 LASER.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 3 LASER.
K. Rustan M. Leino Microsoft Research, Redmond, WA 10 Oct 2007 IFIP WG 2.3 meeting Santa Fe, NM.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Corporation Joint work with: Mike Barnett, Robert DeLine, Manuel.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 1 Summer School on Logic and Theorem-Proving in Programming.
K. Rustan M. Leino RiSE, Microsoft Research, Redmond joint work with Peter Müller and Jan Smans Lecture 0 1 September 2009 FOSAD 2009, Bertinoro, Italy.
Refinement, reusable libraries, instantiable classes K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Joint work.
K. Rustan M. Leino RiSE, Microsoft Research 1 Dec 2008 Invited talk, working group meeting COST Action IC0701, Formal Verification of Object-Oriented Software.
K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 19 July 2007 Invited talk, CADE-21 Bremen, Germany.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 3 Marktoberdorf.
Program Verification K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond University of Washington CSE P January.
Verification of Programs with Inspector Methods Bart Jacobs and Frank Piessens Dept. CS, K.U.Leuven, Belgium.
K. Rustan M. Leino RiSE, Microsoft Research 17 July 2009 JML seminar Dagstuhl, Germany.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 0 Marktoberdorf.
K. Rustan M. Leino Principal Researcher Microsoft Research, Redmond, WA, USA 14 Nov 2007 Øredev Malmö, Sweden.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 2 International Summer School Marktoberdorf Marktoberdorf,
K. Rustan M. Leino RiSE, Microsoft Research, Redmond joint work with Peter Müller and Jan Smans Lecture 1 2 September 2009 FOSAD 2009, Bertinoro, Italy.
K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 15 Nov 2007 Chalmers Göteborg, Sweden.
K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 8 Nov 2007 Invited talk, ASE 2007 Atlanta, GA.
George Edwards Computer Science Department Center for Systems and Software Engineering University of Southern California
© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.
Leonardo de Moura and Nikolaj Bjørner Microsoft Research
Dafny An automatic program verifier for functional correctness
Specification techniques for verifying object-oriented software
Auto-active verification
Using and Building an Automatic Program Verifier
Class-local object invariants
Program Verification via an Intermediate Verification Language
Auto-active verification
Hoare-style program verification
Dafny An automatic program verifier for functional correctness
Presentation transcript:

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 3 International Summer School Marktoberdorf Marktoberdorf, Germany 9 August 2008

method M(x: X) returns (y: Y) { Stmt } procedure M(this: Ref, x: Ref) returns (y: Ref); requires this ≠ null; implementation M(this: Ref, x: Ref) returns (y: Ref) { Tr[[ Stmt ]] }

method M(x: X) returns (y: Y) requires P; ensures Q; procedure M(this: Ref, x: Ref) returns (y: Ref); requires Df[[ P ]]  Tr[[ P ]]; ensures Df[[ Q ]]  Tr[[ Q ]];

method M(x: X) returns (y: Y) modifies S; procedure M(this: Ref, x: Ref) returns (y: Ref); requires Df[[ S ]]; modifies Heap; ensures (  o: Ref, f: Field   o ≠ null  old(Heap)[o,alloc]  Heap[o,f] = old(Heap)[o,f]  (o,f)  old( Tr[[ S ]] ) );

method M(x: X) returns (y: Y) modifies this.*, x.s, this.p.t; procedure M(this: Ref, x: Ref) returns (y: Ref); requires Df[[ S ]]; modifies Heap; ensures (  o: Ref, f: Field   o ≠ null  old(Heap)[o,alloc]  Heap[o,f] = old(Heap)[o,f]  o = this  (o = x  f = s)  (o = old(Heap)[this,p]  f = t));

method M(x: X) returns (y: Y) procedure M(this: Ref, x: Ref) returns (y: Ref); requires IsHeap(Heap); requires this ≠ null  Heap[this, alloc]; requires x = null  Heap[x, alloc]; ensures IsHeap(Heap); ensures y = null  Heap[y, alloc]; ensures (  o: Ref  old(Heap)[o,alloc]  Heap[o,alloc]);

The source language offers no way to violate these conditions procedure M(this: Ref, x: Ref) returns (y: Ref); free requires IsHeap(Heap); free requires this ≠ null  Heap[this, alloc]; free requires x = null  Heap[x, alloc]; free ensures IsHeap(Heap); free ensures y = null  Heap[y, alloc]; free ensures (  o: Ref  old(Heap)[o,alloc]  Heap[o,alloc]);

method M(x: X) returns (y: Y) requires P; modifies S; ensures Q; { Stmt } procedure M(this: Ref, x: Ref) returns (y: Ref); free requires IsHeap(Heap); free requires this ≠ null  Heap[this, alloc]; free requires x = null  Heap[x, alloc]; requires Df[[ P ]]  Tr[[ P ]]; requires Df[[ S ]]; modifies Heap; ensures Df[[ Q ]]  Tr[[ Q ]]; ensures (  o: Ref, f: Field   o ≠ null  old(Heap)[o,alloc]  Heap[o,f] = old(Heap)[o,f]  (o,f)  old( Tr[[ S ]] )); free ensures IsHeap(Heap); free ensures y = null  Heap[y, alloc]; free ensures (  o: Ref  old(Heap)[o,alloc]  Heap[o,alloc]);

procedure Chunker.NextChunk(this: ref where $IsNotNull(this, Chunker)) returns ($result: ref where $IsNotNull($result, System.String)); // in-parameter: target object free requires $Heap[this, $allocated]; requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // out-parameter: return value free ensures $Heap[$result, $allocated]; ensures ($Heap[$result, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[$result, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // user-declared postconditions ensures $StringLength($result) <= $Heap[this, Chunker.ChunkSize]; // frame condition modifies $Heap; free ensures (forall $o: ref, $f: name :: { $Heap[$o, $f] } $f != $inv && $f != $localinv && $f != $FirstConsistentOwner && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] old($Heap)[$o, $f] == $Heap[$o, $f]); // boilerplate free requires $BeingConstructed == null; free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> old($Heap)[$ot, $ownerRef] == $Heap[$ot, $ownerRef] && old($Heap)[$ot, $ownerFrame] == $Heap[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];

Program ::= Class* Class ::= class C { Field* Method* Function* } S, T ::= var x; x := E; x := new C; E.f := F; assert E; S T if (E) { S } else { T } while (E) invariant J; { S } call a,b,c := E.M(F, G);

class Chunker { var src: String; var n: int; method Init(source: String) requires source ≠ null; modifies {this}; { this.src := source; this.n := 0; } In Spec#:c = new Chunker(source); In Dafny:c := new Chunker; call c.Init(source); In Spec#:c = new Chunker(source); In Dafny:c := new Chunker; call c.Init(source); For simplicity, in Dafny, modifies clauses are done at the object granularity, not the (object,field) granularity. In Spec#: this.* In Dafny: {this} For simplicity, in Dafny, modifies clauses are done at the object granularity, not the (object,field) granularity. In Spec#: this.* In Dafny: {this} Dynamic frames: [Kassios]

method NextChunk() returns (s: String) modifies {this}; ensures s ≠ null; { if (this.n + 5 ≤ s.Length) { call s := this.src.Substring(this.n, this.n + 5); } else { call s := this.src.Substring(this.n, s.Length); } this.n := this.n + s.Length; } correctness relies on: this.src ≠ null  0 ≤ this.n ≤ this.src.Length correctness relies on: this.src ≠ null  0 ≤ this.n ≤ this.src.Length

Chunker0.dfy

function Valid() returns (bool) { this.src ≠ null  0 ≤ this.n  this.n ≤ this.src.Length } method Init(…) … ensures this.Valid(); method NextChunk(…) … requires this.Valid(); ensures this.Valid();

function F( ) returns (T) { E } function #F(HeapType, Ref) returns (T); Tr[[ o.F( ) ]] = #F(Heap, o) axiom (  h: HeapType, this: Ref  #F(h, this) = Tr[[ E ]]);

Bad! function F( ) returns (int) { F( ) + 1 } function #F(HeapType, Ref) returns (int); axiom (  h: HeapType, this: Ref  #F(h, this) = #F(h, this) + 1);

function F(p: T) returns (U) reads R; { E } procedure CheckWellDefined_F (this: Ref, p: T) returns (result: U) { assert Df R [[ E ]]; } Df R [[ O.M(E) ]] = Df R [[ O ]]  Tr[[ O ]] ≠ null  Df R [[ E ]]  S[ Tr[[ O ]] / this, Tr[[ E ]] / p ]  R where M has reads clause S can allow  if M returns bool and occurs in a positive position in the definition of a bool function

Chunker1.dfy

class C { var footprint: set ; function Valid() returns (bool) reads this.footprint; method Init() modifies {this}; ensures this.Valid(); method Mutate() requires this.Valid(); modifies this.footprint; ensures this.Valid();

class C { var footprint: set ; function Valid() returns (bool) reads this.footprint; { this  this.footprint  this.x < this.p.y  … } …

class C { var footprint: set ; function Valid() returns (bool) reads {this}, footprint; {this  this.footprint  this.p  this.footprint  this.x < this.p.y  … } …

method Client0() { var c := new C; call c.Init(); call c.Mutate(); } Error: unsatisfied modifies clause

method Init() modifies {this}; ensures Valid(); ensures fresh(footprint – {this});

method Client1() { var c := new C; call c.Init(); call c.Mutate(); call c.Mutate(); } Error: unsatisfied modifies clause

method Mutate() requires Valid(); modifies footprint; ensures Valid(); ensures fresh(footprint – old(footprint));

class C { var footprint: set ; function Valid() returns (bool) reads {this}, footprint; { this  footprint  … } method Init() modifies {this}; ensures Valid(); ensures fresh(footprint – {this}); method Mutate() requires Valid(); modifies footprint; ensures Valid(); ensures fresh(footprint – old(footprint));

class RockBand { var footprint: set ; var g: Guitar; function Valid() returns (bool) reads {this}, footprint; {this  footprint  g ≠ null  g  footprint  g.footprint  footprint  ¬ (this  g.footprint)  g.Valid()  … }

RockBand0.dfy

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.