1. The Dafny program verifier
K. Rustan M. Leino
Research in Software Engineering
Microsoft Research, Redmond
Victoria University of Wellington
Wellington, NZ
13 April 2010
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2. Some RiSE tools at Microsoft
SLAM, Static Driver Verifier (SDV)
Sage
Code Contracts for .NET
Clousot
Pex Z3

3. Static Driver Verifier
Applied regularly to all Microsoft device drivers of the support device models
~300 bugs found
Available in Windows DDK to third parties

4. Predicate abstraction and refinement
e.g.: Graf & Saïdi, SLAM, BLAST, …
correct
model checker
boolean program
abstract trace
predicate abstraction
concrete trace
C program
predicates
feasible? no
yes
error message
predicate refinement

5. Symbolic-powered testing
Sage [Godefroid, Levin, et al.]
White-box fuzzing for C programs
Applied regularly
100s of people doing various kinds of fuzzing
Seed input
New generation of symbolically derived input

6. Specifications: .NET today
StringBuilder.Append Method (Char[ ], Int32, Int32)
Appends the string representation of a specified subarray of Unicode characters to the end of this instance.
public StringBuilder Append(char[] value, int startIndex, int charCount);
Parameters
value A character array.
startIndex The starting position in value.
charCount The number of characters append.
Return Value
A reference to this instance after the append operation has occurred.
Exceptions
Exception Type
Condition
ArgumentNullException
value is a null reference, and startIndex and charCount are not zero.
ArgumentOutOfRangeException
charCount is less than zero.
-or-
startIndex is less than zero.
startIndex + charCount is less than the length of value.

7. Specifications in Spec#
public StringBuilder Append(char[] value, int startIndex, int charCount );
requires value == null ==> startIndex == 0 && charCount == 0;
requires 0 <= startIndex;
requires 0 <= charCount;
requires value == null || startIndex + charCount <= value.Length; ensures result == this;

8. Specifications with Code Contracts
public StringBuilder Append(char[] value, int startIndex, int charCount ) {
Contract.Requires(value != null || (startIndex == 0 && charCount == 0));
Contract.Requires(0 <= startIndex);
Contract.Requires(0 <= charCount);
Contract.Requires(value == null || startIndex + charCount <= value.Length);
Contract.Ensures(Contracts.Result<StringBuilder>() == this);
// method implementation... }
Note that postcondition is declared at top of method body, which is not where it should be executed. A rewriter tool moves these.

9. Code Contracts [Barnett, Fähndrich, Grunkemeyer, Logozzo, et al.]
Declarative contracts
Language independent
Library to ship in .NET 4.0
Tools available on DevLabs
Code Contracts Rewriter (for run-time checking)
Clousot abstract interpreter
Pex automated testing tool [de Halleux, Tillman, et al.]

10. Clousot [Fähndrich, Logozzo]
Abstract interpreter for .NET
Verifies Code Contracts at compile time
Some key technology:
Heap-aware abstraction
Iterative application of numerical domains:
Pentagons
Subpolyhedra
others

11. Pentagons Some common abstract domains: Observation:
Intervals x  [A,B]
Octagons  x  y ≤ K
Polyhedra Σi xi ≤ K
Observation:
Checking array accesses involves constraints like 0 ≤ x < a.Length
These can be represented by intervals plus variable orderings y ≤ x
Pentagon:
Picture source: Robert Webb's Great Stella software,

12. Z3 [Bjørner, de Moura] Satisfiability Modulo Theories (SMT) solver
9 first places and 6 second places at SMT-COMP’08
Used in all tools mentioned, except Clousot

13. Deductive verificaton tools
HAVOC
Has been applied to 100s of KLOC
~40 bugs in resource leaks, lock usage, use-after-free
VCC
Being applied to Microsoft Hypervisor …

14. a language and verifier
Dafny
a language and verifier

15. Program verification Dafny functional correctness limited checking
traditional mechanical program verification
extended static checking
limited checking
automatic decision procedures
(SMT solvers)
interactive proof assistants

16. Dafny language Sequential programs Generic classes
Built-in specifications
Simple yet flexible framing
Sets, sequences, algebraic datatypes
User-defined functions
Ghost variables
Termination specifications

17. Dafny demos
Cubes
Queue
Schorr-Waite

18. Verification architecture
Spec# C
Dafny
Chalice …
Boogie
Simplify Z3
SMT Lib …

19. Boogie language overview
Mathematical features
type T;
const x: T;
function f(A, B): T;
axiom E;
Imperative features
var y: T;
procedure P(a: A, b: B) returns (x: T, y: U); requires pre; modifies w; ensures post;
implementation P(a: A, b: B) returns (x: T, y: U) { … }

20. Boogie statements x := E a[ i ] := E label: ; if while break havoc x
assert E
assume E ;
call P() if
while
break
label:
goto A, B

21. Example: Defining OO semantics by translation into Boogie
class C { var x: int; method M(n: int) returns (r: int) { … } static method Main() { var c := new C; c.x := 12; call y := c.M(5); } }

22. Example: Boogie translation (0)
class C {
var x: int;
// class types
type ClassName;
const unique C: ClassName;
type Ref;
function dtype(Ref): CName;
const null: Ref;
// fields
type Field α;
const unique C.x: Field int;
const unique allocated: Field bool;
// memory
var Heap: <α>[Ref, Field α] α;

23. Example: Boogie translation (1)
method M(n: int) returns (r: int)
static method Main()
// method declarations
procedure C.M(this: Ref, n: int)
returns (r: int);
requires this != null &&
dtype(this) == C;
modifies Heap;
procedure C.Main();

24. Example: Boogie translation (2)
// method implementations implementation C.Main() { var c: Ref, y: int; havoc c; assume c != null; assume Heap[c, allocated] == false; assume dtype(c) == C; Heap[c, allocated] := true;
assert c != null;
Heap[c, C.x] := 12;
call y := C.M(c, 5); }
c.x := 12;
var c := new C;
call y := c.M(5);

25. Conclusions
Tools and specifications are useful in software development
Full functional-correctness verification is becoming more automatic
To build a verifier, use an intermediate verification language
Dafny and Boogie boogie.codeplex.com
Code Contracts research.microsoft.com/contracts
Projects and videos research.microsoft.com/rise
Various papers research.microsoft.com/~leino/papers.html