Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of."— Presentation transcript:

1 Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of Computer Systems University of Washington Seattle, WA

2 Spec# research goals Build the best such system we can build today Experiment with the system to get a feel for what it is like to use Advance the state of the art

3 Spec# demo: Chunker

4 Basic architecture of a verifier verification condition generator theorem prover verification condition program with specifications “correct” or list of errors

5 Spec# verifier architecture V.C. generator automatic theorem prover verification condition Spec# “correct” or list of errors Spec# compiler MSIL (“bytecode”) translator Boogie PL inference engine Spec# program verifier

6 Core language Program outcomes: –terminate –go wrong –block –diverge

7 Core language x := E –evaluate E and change x to that value havoc x –change x to an arbitrary value assert E –if E holds, terminate; otherwise, go wrong assume E –if E holds, terminate; otherwise, block S ; T –execute S, then T S [] T or goto A or B; –execute either S or T, choosing blindly –change point of control to block A or block B, choosing blindly

8 Example translation: if Tr[[ if P then S else T end ]] = Start:goto Then or Else Then:assume P ; Tr[[ S ]] ; goto After Else:assume ¬P ; Tr[[ T ]] ; goto After After:…

9 Example translation: loop Tr[[ while { invariant J } B do S end ]] = LoopHead:assert J ; goto LoopBody or AfterLoop LoopBody:assume B ; Tr[[ S ]] ; goto LoopHead AfterLoop:assume ¬B ; …

10 Example translation: partial expressions Tr[[ x = a / b ; ]] = assert b ≠ 0 ; x := a / b Tr[[ x = (T) y ; ]] = // type cast assert y = null  typeof(y) <: T ; x := y

11 Example translation: fields of objects Tr[[ x = o.f; ]] = assert o ≠ null ; x := Heap[ o, f ] Tr[[ o.f = x; ]] = assert o ≠ null ; Heap[ o, f ] := x x := Select(Heap, (o,f)) Heap := Update(Heap, (o,f), x)

12 Example translation: OO things class C : Object { int x; C() { … } virtual int M(int n) { … } static void Main() { C c = new C(); c.x = 12; int y = c.M(5); } }

13 BoogiePL translation of OO things (0) // types const Object: name; const C: name; axiom C <: Object; function typeof(o: ref) returns (t: name); // fields const C.x: name; const allocated: name; // the heap var Heap: [ref,name]int;

14 BoogiePL translation of OO things (1) // method declarations procedure C..ctor(this: ref); requires this != null && typeof(this) <: C; modifies Heap; procedure C.M(this: ref, n: int) returns (result: int); requires this != null && typeof(this) <: C; modifies Heap; procedure C.Main(); modifies Heap;

15 BoogiePL translation of OO things (2) // method implementations implementation C.Main() { var c: ref, y: int; start: // C c = new C(); havoc c; assume c != null; assume Heap[c, allocated] == 0; assume typeof(c) == C; Heap[c, allocated] := 1; call C..ctor(c); // c.x = 12; assert c != null; Heap[c, C.x] := 12; // int y = c.M(5); call y := C.M(c, 5); return; }

16 Verification-condition generation 0. passive features: assert, assume, ; 1. control flow: goto (no loops) 2. state changes: :=, havoc 3. loops

17 Weakest preconditions The weakest precondition of a statement S with respect to a predicate Q on the post-state of S, denoted wp(S,Q), is the set of pre-states from which execution: –does not go wrong, and –if it terminates, terminates in Q

18 VC generation: passive features wp( assert E, Q ) = E  Q wp( assume E, Q ) = E  Q wp( S; T, Q ) = wp( S, wp( T, Q ))

19 VC generation: acyclic control flow For each block A, introduce a variable A ok with the meaning: A ok is true iff every program execution starting in the current state from block A does not go wrong The verification condition for the program: A: S; goto B or C … is: ( A ok  wp( S, B ok  C ok ) )  …  A ok

20 VC generation: state changes Replace definitions and uses of variables by definitions and uses of different incarnations of the variables {x  x0, y  y0} x := E(x,y) x1 := E(x0,y0) {x  x1, y  y0} {x  x0, y  y0} havoc x skip {x  x1, y  y0}

21 VC generation: state changes (cont.) Given: {x  x0,y  y0} SS’ {x  x1, y  y0} {x  x0, y  y0} TT’ {x  x2, y  y0} then we have: {x  x0, y  y0} if E(x,y) then S else T end if E(x0,y0) then S’ ; x3 := x1 else T’ ; x3 := x2 end {x  x3, y  y0}

22 VC generation: state changes (cont.) Replace every assignment x := E with assume x = E

23 VC generation: loops loop head: loop body: assert LoopInv( x ) ; assume Guard( x ) ; x := … assume ¬Guard( x ) ; after loop:

24 VC generation: loops loop head: loop body: assert LoopInv( x ) ; assume LoopInv( x ); assume Guard( x ) ; x := … assume ¬Guard( x ) ; after loop: assert P = assert P ; assume P

25 VC generation: loops loop head: loop body: assert LoopInv( x ) ; assume LoopInv( x ); assume Guard( x ) ; x := … assume ¬Guard( x ) ; after loop: assert LoopInv( x ) ;

26 VC generation: loops loop head: loop body: assume LoopInv( x ); assume Guard( x ) ; x := … assert LoopInv( x ); assume ¬Guard( x ) ; after loop: assert LoopInv( x ) ; havoc x ; loop target

27 VC generation: loops loop head: loop body: assume LoopInv( x ); assume Guard( x ) ; x := … assert LoopInv( x ); assume false; assume ¬Guard( x ) ; after loop: assert LoopInv( x ) ; havoc x ;

28 Programming methodology light-weight rules for simpler reasoning

29 Object invariants class C { private int x; private int y; invariant x < y; public void M() { int t := 100 / (y – x); x := x + 1; P(t); y := y + 1; } … }

30 When do object invariants hold? class C { private int x; private int y; invariant x < y; public C() { x := 0; y := 1; } public void M() { int t := 100 / (y – x); x := x + 1; P(t); y := y + 1; } … } invariant assumed to hold on entry to method invariant checked to hold on exit from method invariant checked to hold at end of constructor invariant may be temporarily broken here invariant is restored here what if P calls back into M?

31 Object states Mutable –Object invariant may not hold –Field updates allowed Valid –Object invariant holds –Field updates not allowed

32 Valid vs. mutable objects class C { private int x; private int y; invariant x < y; public void M() requires this.inv = Valid; { expose (this) { x := x + 1; P(…); y := y + 1; } } … } represent explicitly that invariant holds (without revealing what the invariant is) change this.inv from Valid to Mutable check invariant; then, change this.inv from Mutable to Valid field updates allowed only on Mutable objects

33 Aggregate objects class Set { Hashtable h; invariant …; public void Add(Element e) requires this.inv = Valid; { expose (this) { h.Add(e, e);} … } class Hashtable { invariant …; public void Add(object key, object val) requires this.inv = Valid; … } how do we know h is Valid here?

34 Aggregate objects class Set { Hashtable h; invariant …; public void Add(Element e) requires this.inv = Valid; { expose (this) { h.Add(e, e);} public Hashtable Leak() { return h; } } class Hashtable { invariant …; public void Add(object key, object val) requires this.inv = Valid; … } how do we know h is Valid here? Perhaps it isn’t! void Violation(Set s) requires s.inv = Valid; { Hashtable g := s.Leak(); expose (g) { g.x := …; s.Add(…); } }

35 Object states Mutable –Object invariant may not hold –Field updates allowed Valid –Object invariant holds –Field updates not allowed Committed –Valid and owned –Cannot be exposed—owner must be exposed first, which makes this object Valid

36 Ownership class Set { owned Hashtable h; invariant …; public void Add(Element e) requires this.inv = Valid; { expose (this) { h.Add(e, e);} … } class Hashtable { invariant …; public void Add(object key, object val) requires this.inv = Valid; … } For any s: Set, s uniquely owns s.h validity of s implies validity of s.h ownership of h temporarily relinquished here ownership of h re-obtained here

37 Object states: a picture of the heap Mutable Valid Committed s: Set Hashtable ownership h expose (s) { … }

38 Object states: a picture of the heap Mutable Valid Committed s: Set Hashtable ownership h expose (s) { … }

39 Object states: a picture of the heap Mutable Valid Committed s: Set Hashtable ownership h expose (s) { … }

40 Object states: a picture of the heap Mutable Valid Committed s: Set Hashtable ownership h expose (s) { … }

41 Summary of object invariants invariant … owned T f; inv : { Mutable, Valid, Committed } expose updates of o.f require o.inv = Mutable Inv (o) can mention only the fields of o and the fields of owned fields –example: invariant this.n = this.h.Count; (  o ・ o.inv = Mutable  Inv (o)) (  o ・ o.inv = Mutable  o.f.inv = Committed)

42 Summary Programming/specification language Programming/specification methodology –object invariants –frame conditions Semantics in terms of core language VC generation –VCs for good prover performance

Download ppt "Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of."

Similar presentations

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,

A SAT characterization of boolean-program correctness K. Rustan M. Leino Microsoft Research, Redmond, WA 14 Nov 2002 IFIP WG 2.4 meeting, Schloβ Dagstuhl,
Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.

1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,

Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.

Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

Similar presentations

Ads by Google