Presentation is loading. Please wait.

Presentation is loading. Please wait.

Aditya Mangipudi Niharika Pamu Srikanth Polisetty

Published byMax Overgaard Modified over 5 years ago

Similar presentations

Presentation on theme: "Aditya Mangipudi Niharika Pamu Srikanth Polisetty"— Presentation transcript:

1 Aditya Mangipudi Niharika Pamu Srikanth Polisetty
Spec# CSE 6323 Aditya Mangipudi Niharika Pamu Srikanth Polisetty

2 The Verifying Compiler
“A verifying compiler uses automated reasoning to check the correctness of the program that it compiles. Correctness is specified by types, assertions, .. and other redundant annotations that accompany the program.” [Hoare, 2004] 4/24/2019 FMSE 2010

3 Program verifiers: A brief History
Since the late 60’s people are searching for solutions to prove correctness of software A Program Verifier, 1969 In Proceedings of the international conference on Reliable software, 1975 GYPSY, 1977 Eiffel, 1986 We find contract definitions in abstraction levels, like Object Constraint Language (OCL) 4/24/2019 FMSE 2010

4 Outline Spec# Introduction Contracts
Spec# Programming Language Specifications Spec# Tools Comparison with other verification languages Summary Observations 4/24/2019 FMSE 2010

5 Spec# Pronounced as “Spec Sharp”. Microsoft Research project.
By Mike Barnett, K. Rustan, M. Leino, Wolfram Schulte. Superset of C#. Is available for development environment VS 2003,VS 2005 and VS 2008. Its all about contracts. 4/24/2019 FMSE 2010

6 Simplified Spec# process
Boogie Language independent Creates BoogiePL from MSIL + meta data Analyses the BoogiePL MSIL + Meta data Platform independent Injected with extra code for runtime verification Contains extra meta data about the contract Spec# compiler Compiles into MSIL Injects extra code for runtime checks Adds extra meta data about the contracts Spec# programming language Superset of C# 4/24/2019 FMSE 2010

7 Contracts (I) A contract between callers and implementation
What the implementation can expect from the caller What the caller can expect from the implementation You don't break contracts, that's illegal! 4/24/2019 FMSE 2010

8 Contracts (II) Method signature Method body Documentation
/// <summary>Divides <i>x</i> by <i>y</i>.</summary> /// <param name="x">The value to divide.</param> /// <param name="y">The value to divide by.</param> /// <exception cref="ArgumentOutOfRangeException"> /// Occurs if <i>y</i> is zero. </exception> /// <returns>The result of dividing /// <i>x</i> by <i>y</i>.</returns> public int Divide(int x, int y) { if (y == 0) throw new ArgumentOutOfRangeException("y"); return x / y; } Method signature Method body Documentation What we expect What then can expect Check pre conditions Document pre conditions 4/24/2019 FMSE 2010

9 Contracts (III) Method signature Method body Documentation
/// <summary>Divides <i>x</i> by <i>y</i>.</summary> /// <param name="x">The value to divide.</param> /// <param name="y">The value to divide by.</param> /// <exception cref="ArgumentOutOfRangeException"> /// Occurs if <i>y</i> is zero. </exception> /// <returns>The result of dividing /// <i>x</i> by <i>y</i>.</returns> public int Divide(int x, int y) { if (y == 0) throw new ArgumentOutOfRangeException("y"); return x / y; } Method signature Method body Documentation What we expect What they can expect Check pre conditions Document pre conditions 4/24/2019 FMSE 2010

10 Contracts (IV) Method signature Method body Documentation
/// <summary>Divides <i>x</i> by <i>y</i>.</summary> /// <param name="x">The value to divide.</param> /// <param name="y">The value to divide by.</param> /// <exception cref="ArgumentOutOfRangeException"> /// Occurs if <i>y</i> is zero. </exception> /// <returns>The result of dividing /// <i>x</i> by <i>y</i>.</returns> public int Divide(int x, int y) { if (y == 0) throw new ArgumentOutOfRangeException("y"); return x / y; } Method signature Method body Documentation What we expect What they can expect Check pre conditions Document pre conditions 4/24/2019 FMSE 2010

11 Result!!! Method signature Method body Documentation What we expect
/// <summary>Divides <i>x</i> by <i>y</i>.</summary> /// <param name="x">The value to divide.</param> /// <param name="y">The value to divide by.</param> /// <exception cref="ArgumentOutOfRangeException"> /// Occurs if <i>y</i> is zero. </exception> /// <returns>The result of dividing /// <i>x</i> by <i>y</i>.</returns> public int Divide(int x, int y) { if (y == 0) throw new ArgumentOutOfRangeException("y"); return x / y; } Method signature Method body Documentation What we expect What they can expect Check preconditions Document pre conditions 4/24/2019 FMSE 2010

12 Spec# Specifications C# Spec# Reference types Non-null Type
Preconditions Postconditions Invariants 4/24/2019 FMSE 2010

13 Null references Errors
Assumptions are a serious problem. We trust argument inputs. Many errors in modern programs manifest themselves as null-reference errors. 4/24/2019 FMSE 2010

14 Non-Null Types Spec# tries to eradicate all null reference errors.
In C#, each reference type T includes the value null. In Spec#, type T! contains only references to objects of type T (not null). int[]! xs; declares an array called xs which cannot be null 4/24/2019 FMSE 2010

15 Non-Null by Default Without /nn /nn Possibly-null T T T? Non-null T T!
From Visual Studio, right-click Properties on the project, then Configuration Properties, and set ReferenceTypesAreNonNullByDefault to true 4/24/2019 FMSE 2010

16 Spec# Specifications C# Spec# Reference types Non-null Type Requires
Preconditions Postconditions Invariants 4/24/2019 FMSE 2010

17 Preconditions Describes the circumstances in which the method can be invoked. It is the callers responsibility to make sure that the preconditions are met. 4/24/2019 FMSE 2010

18 Spec# Specifications C# Spec# Reference types Non-null Type
Preconditions Requires Postconditions Ensures Invariants 4/24/2019 FMSE 2010

19 Postconditions Describes the states in which the method is allowed to return. It is a two state predicate: It relates to the method’s pre and post states. To refer to pre state: use old(…) 4/24/2019 FMSE 2010

20 Spec# Specifications C# Spec# Reference types Non-null Type
Preconditions Requires Postconditions Ensures Object Invariants Invariants Frame conditions 4/24/2019 FMSE 2010

21 Object Invariants Specifications for the steady state of an object
Each object’s data fields must satisfy the invariant at all stable times. 4/24/2019 FMSE 2010

22 Spec# Specifications C# Spec# Reference types Non-null Type
Preconditions Requires Postconditions Ensures Object Invariants Invariants Modifies Frame conditions 4/24/2019 FMSE 2010

23 Frame Conditions Used to restrict which pieces of the program state a method implementation is allowed to modify. Ex: class C { int x , y; void M() modifies x ; { } } Here modifies specifies that only x can be modified. 4/24/2019 FMSE 2010

24 Swap Example: static void Swap(int[]a, inti, intj)
requires 0 <= i&&i<a.Length; requires 0 <= j&&j<a.Length; modifies a[i], a[j]; ensures a[i] == old(a[j]); ensures a[j] == old(a[i]); { int temp; temp = a[i]; a[i] = a[j]; a[j] = temp; } Preconditions Frame conditions Post conditions 4/24/2019 FMSE 2010

25 Spec# quickies 4/24/2019 FMSE 2010

26 Immutable types Immutable types cannot be changed.
Their member values are frozen. [Immutable] public class Foo { // … } 4/24/2019 FMSE 2010

27 Purity Methods are pure if they have no 'side-effect'
Great for optimization Purity of the method is checked Public class XYZ { int inc; int dec; [Pure] public int Getx() return (inc – dec) ; } 4/24/2019 FMSE 2010

28 Assume (Keyword) With the assume keyword you can say 'ignore' negative checks at compile time. Assume generates a run time check but is taken on faith by the program verifier. It trades static checking for dynamic checking. 4/24/2019 FMSE 2010

29 Inline Assertions Assert statement can be used in code to indicate a condition that is expected to hold at that program point. It’s a bit redundant. assert x<0; 4/24/2019 FMSE 2010

30 Exceptions Checked Exceptions:
Admissible Failures:  when method is unable to complete for reasons outside of its boundaries such as network  errors or socket problems. Signaled using an ICheckedException. Unchecked Exceptions: Program Errors Client Failures: conditions for getting to the method are  not met 4/24/2019 FMSE 2010

31 Exceptions Contd… Failure Reason Client Failure
When is method is invoked under an illegal condition(Precondition is not satisfied) Provider Failure When procedure is unable to complete the task it is supposed to perform. Provider Failure Reason Admissible Failure Method unable to complete : Either at all After some effort Observed Program Error Either an intrinsic error in the program or a global failure (e.g. Out of memory error) 4/24/2019 FMSE 2010

32 Exceptional Postconditions
Limit which exceptions can be thrown by the method and for each such exception, describe the resulting state. Void ReadToken(ArrayList a) throws EndOfFileException ensures a.Count == old(a.Count); { …..} 4/24/2019 FMSE 2010

33 Exposing Objects Invariant checked to hold at the end of constructor public class A { int x,y,p; /*^ invariant p==10; ^*/ public A (){ x=6; y=4; p=x+y; } public void add () { /*^ expose (this) { x--; y++; } ^*/ Invariant temporarily broken here Invariant restored here Invariant checked to hold at exit of expose block 4/24/2019 FMSE 2010

34 Inheritance of Specifications (I)
Method's contracts of the Super Class are inherited by the Sub Classes Thus Preconditions, Post Conditions and Invariants are inherited as well. A Method Contract of the Sub Class can add more post conditions by declaring additional ensures clauses. Preconditions and the modifies clauses are not allowed to be added in the method’s overrides and preconditions on the overridden method cannot be even weakened in the subclass. 4/24/2019 FMSE 2010

35 Inheritance of Specifications (II)
Multiple inheritance is supported in Spec# through Interfaces, interface I { void M(int x ) requires x <= 10; } interface J { void M(int x ) requires x >= 10; } Spec# does not allow C to provide one shared implementation for I .M and J .M . class C needs to give explicit interface method implementations for M : class C : I , J { void I .M(int x ) { } void J .M(int x ) { } } 4/24/2019 FMSE 2010

36 Spec# Tools Compiler Runtime Library Static Verifier 4/24/2019
FMSE 2010

37 Spec# compiler Emits run-time checks for:
Contracts Invariants Records the contracts as metadata for consumption by downstream tools. 4/24/2019 FMSE 2010

38 Spec# static program verifier
It’s called Boogie. A component that generates logical verification conditions from a Spec# program. Read MSIL + Meta Data to create BoogiePL Language independent. 4/24/2019 FMSE 2010

39 Static Verifier Producing the executable code Spec# (annotated C#)
Spec# Compiler Translator Verification Condition Generator Boogie Procedural Language Automatic Theorem Prover 4/24/2019 FMSE 2010

40 Static Verifier Transformation into a Language neutral format
Spec# (annotated C#) Spec# Compiler Language Neutral Format Translator Verification Condition Generator Boogie Procedural Language Automatic Theorem Prover 4/24/2019 FMSE 2010

41 Static Verifier Generation of BoogiePL Spec# Program
Spec# (annotated C#) Spec# Compiler Language Neutral Format Translator Boogie PL Program Verification Condition Generator Boogie Procedural Language Automatic Theorem Prover 4/24/2019 FMSE 2010

42 Static Verifier Conversion of Boogie PL code into logical expressions(in formulas) Spec# (annotated C#) Spec# Compiler Language Neutral Format Translator Boogie PL Program Verification Condition Generator Boogie Procedural Language Formulas Automatic Theorem Prover 4/24/2019 FMSE 2010

43 Static Verifier Review and demonstrate the correctness of expressions
Spec# (annotated C#) Spec# Compiler Language Neutral Format Translator Boogie PL Program Verification Condition Generator Boogie Procedural Language Formulas Automatic Theorem Prover 4/24/2019 FMSE 2010

44 From Spec#... static int Abs(int x)
ensures 0 <= x ==> result == x; ensures x < 0 ==> result == -x; { if (x < 0) x = -x; return x; } 4/24/2019 FMSE 2010

45 …to BoogiePL procedure Abs(x$in: int) returns ($result: int);
ensures 0 <= x$in ==> $result == x$in; ensures x$in < 0 ==> $result == -x$in; { var x1, x2: int, b: bool; entry: x1 := x$in; b := x < 0; goto t, f; t: assume b; x := -x; goto end; f: assume !b; goto end; end: $result := x; return; } 4/24/2019 FMSE 2010

46 Theorem Provers HP Simplify
Developed as part of the Extended Static Checking project to check Java and Modula-3 programs Microsoft Z3 Utilizes the Satisfiability Modulo Theories (SMT) 4/24/2019 FMSE 2010

47 Tool support: Spec Explorer (I)
Spec Explorer Model-Based Test Development 4/24/2019 FMSE 2010

48 Spec Explorer (II) Spec Explorer is a software development tool for model-based specification and testing. Discrepancies between actual and expected results are called conformance failures and may indicate : Implementation Bugs, Modeling errors, Specification errors, Design errors. 4/24/2019 FMSE 2010

49 Configuring Spec# in VS 2008
Download & Install Spec# for VS Create a new Project user Spec#. Configure the project settings as shown. 4/24/2019 FMSE 2010

50 Comparison: JML & Spec#
requires requires (precondition) assignable modifies (frame condition) ensures ensures (normal postcondition) signals, exceptional_behavior otherwise, throw diverges, accessible, callable doesn’t support so far 4/24/2019 FMSE 2010

51 Spec# & other verification languages
The design space of Spec# is somewhat less constrained than JML, since JML does not seek to alter the underlying programming language (which, for example, has let Spec# introduce field initializers and expose blocks). AsmL has many of the same aspirations as Spec#: to be an accessible, widely-used specification language tailored for object-oriented .NET systems. However, AsmL is oriented toward supporting model-based development with its facilities for model programs, test-case generation, and meta-level state exploration . Compared to ESC/Java2, Spec# saves good amount of annotation overhead. 4/24/2019 FMSE 2010

52 Summary (I) Spec# extends c#
Integrates well with new keywords & syntax. The learning curve for c# programmers is very low. Make it easier to record detailed design decisions Help prevent and detect bugs Reduce cost of software lifecycle Reduces defensive checking with help from Non Null types. So removal of safety checking code. Code with specification can be optimized! ( e.g. int with invariant >= 0 can become a uint) 4/24/2019 FMSE 2010

53 Summary (II) Verifier can be customized to various levels of verification ranging from warnings to errors. The Static Verifier helps in detecting errors while coding. The compile, Boogie are integrated into Visual Studio providing a comprehensive set of tools. 4/24/2019 FMSE 2010

54 Observations Spec# works better if you have small concrete methods.
Preconditions and Postconditions can contain errors. Subclasses cannot weaken the preconditions. Can verify all linear assertions but non-linear expressions are not completely handled so some explicit invariants need to be declared. Gives timeouts in such undecidable cases. 4/24/2019 FMSE 2010

55 Vision of the Spec# project team
“Program development would be improved if more assumptions were recorded and enforced.” - Mike Barnett, K. Rustan M. Leino, and Wolfram Schulte in Manuscript KRML 136, 12 October 2004 Questions 4/24/2019 FMSE 2010

56 Demo 4/24/2019 FMSE 2010

57 Null Dereference Error
4/24/2019 FMSE 2010

58 Preconditions Test 4/24/2019 FMSE 2010

59 Postconditions Test 4/24/2019 FMSE 2010

60 Object Invariants Test
4/24/2019 FMSE 2010

61 References Using Spec Explorer for Model-Based Test Development - 4/24/2019 FMSE 2010

Download ppt "Aditya Mangipudi Niharika Pamu Srikanth Polisetty"

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.

1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.
Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.

Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,

Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Exceptions CSE301 University of Sunderland Harry Erwin, PhD.

Exceptions CSE301 University of Sunderland Harry Erwin, PhD.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 8.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 3 December 2008 U. Lugano Lugano, Switzerland.
1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt.
Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,

Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 1 LASER.

Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 1 LASER.

Similar presentations

Ads by Google