Download presentation
Presentation is loading. Please wait.
1
K. Rustan M. Leino Microsoft Research, Redmond NUI Maynooth Maynooth, Ireland 8 June 2007
2
Mike Barnett Nikolaj Bjørner Evan Chang Ádám Darvas Rob DeLine Leo de Moura Manuel Fähndrich Diego Garbervetsky Bart Jacobs Francesco Logozzo Rosemary Monahan Michaŀ Moskal Peter Müller Madan Musuvathi Dave Naumann Simon Ou Arnd Poetzsch-Heffter Wolfram Schulte Herman Venter Angela Wallenburg …
3
Hoare, Joshi, Leavens, Misra, Naumann, Shankar, Woodcock, et al. “We envision a world in which computer programs are always the most reliable component of any system or device that contains them” [Hoare & Misra]
4
Spec# language Object-oriented.NET language More types Specifications (pre- and postconditions, etc.) Usage rules (methodology) Checking: Static type checking Run-time checking Static verification (optional)
5
sound modular verification focus on automation, not full functional correctness specifications no termination verification no verification of temporal properties
7
static verifier (Boogie) MSIL (“bytecode”) SMT solver V.C. generator Inference engine translator verification condition “correct” or list of errors Spec# compiler Spec# BoogiePL
8
C C Eiffel … … Java+JML Spec# Simplify Z3 CVC 3 SMT Lib Coq … … BoogiePL abstract interpreter predicate abstraction termination detector … …
9
type const function axiom var procedure implementation
10
x := E a[ i ] := E havoc x assert E assume E ; call P() if while break label: goto A, B
![x := E a[ i ] := E havoc x assert E assume E ; call P() if while break label: goto A, B](http://images.slideplayer.com./16/5113437/slides/slide_10.jpg "x := E a[ i ] := E havoc x assert E assume E ; call P() if while break label: goto A, B")
11
The code: x := 0; while (x < 0) invariant 0 ≤ x && x ≤ 10; { x := x + 1; } is equivalent to: x := 0; goto Head; Head: assert 0 ≤ x && x ≤ 10; goto Body, Done; Body: assume x < 10; x := x + 1; goto Head; Done: assume 10 ≤ x;
12
Given: procedure M(); requires P; modifies w; ensures Q; the code: call M(); is equivalent to: assert P; havoc w; assume Q; (ignoring old expressions, and not showing parameters)
14
class C : object { int x; C() { … } virtual int M(int n) { … } static void Main() { C c = new C(); c.x = 12; int y = c.M(5); } } class C : object { int x; C() { … } virtual int M(int n) { … } static void Main() { C c = new C(); c.x = 12; int y = c.M(5); } }
15
// class types const unique System.Object: name; const unique C: name; axiom C <: System.Object; function typeof(o: ref) returns (t: name); // fields type field; const unique C.x: field; const unique allocated: field; // the heap var Heap: [ref, field] int; class C : object { int x; class C : object { int x;
![// class types const unique System.Object: name; const unique C: name; axiom C <: System.Object; function typeof(o: ref) returns (t: name); // fields type field; const unique C.x: field; const unique allocated: field; // the heap var Heap: [ref, field] int; class C : object { int x; class C : object { int x;](http://images.slideplayer.com./16/5113437/slides/slide_15.jpg "// class types const unique System.Object: name; const unique C: name; axiom C <: System.Object; function typeof(o: ref) returns (t: name); // fields type field; const unique C.x: field; const unique allocated: field; // the heap var Heap: [ref, field] int; class C : object { int x; class C : object { int x;")
16
// method declarations procedure C..ctor(this: ref); requires this != null && typeof(this) <: C; modifies Heap; procedure C.M(this: ref, n: int) returns (result: int); requires this != null && typeof(this) <: C; modifies Heap; procedure C.Main(); modifies Heap; C() { … } virtual int M(int n) static void Main() C() { … } virtual int M(int n) static void Main()
17
// method implementations implementation C.Main() { var c: ref, y: int; havoc c; assume c != null; assume Heap[c, allocated] == 0; assume typeof(c) == C; Heap[c, allocated] := 1; call C..ctor(c); assert c != null; Heap[c, C.x] := 12; call y := C.M(c, 5); } C c = new C(); c.x = 12; int y = c.M(5);
![// method implementations implementation C.Main() { var c: ref, y: int; havoc c; assume c != null; assume Heap[c, allocated] == 0; assume typeof(c) == C; Heap[c, allocated] := 1; call C..ctor(c); assert c != null; Heap[c, C.x] := 12; call y := C.M(c, 5); } C c = new C(); c.x = 12; int y = c.M(5);](http://images.slideplayer.com./16/5113437/slides/slide_17.jpg "// method implementations implementation C.Main() { var c: ref, y: int; havoc c; assume c != null; assume Heap[c, allocated] == 0; assume typeof(c) == C; Heap[c, allocated] := 1; call C..ctor(c); assert c != null; Heap[c, C.x] := 12; call y := C.M(c, 5); } C c = new C(); c.x = 12; int y = c.M(5);")
18
class C { int f; object g; } var f: [ref] int; var g: [ref] ref; type Field; type Value; var Heap: [ref, Field] Value; function V2I(Value) returns (int); function I2V (int) returns (Value); axiom ( v: Value I2V(V2I(v)) == v); axiom ( i: int V2I(I2V(i)) == i); type Field ; var Heap: ( [ref, Field ] ); x = c.f; x := f [ c ]; x = c.f; x := V2I(Heap[ c, f ]); x = c.f; x := Heap[ c, f ];
![class C { int f; object g; } var f: [ref] int; var g: [ref] ref; type Field; type Value; var Heap: [ref, Field] Value; function V2I(Value) returns (int); function I2V (int) returns (Value); axiom ( v: Value I2V(V2I(v)) == v); axiom ( i: int V2I(I2V(i)) == i); type Field ; var Heap: ( [ref, Field ] ); x = c.f; x := f [ c ]; x = c.f; x := V2I(Heap[ c, f ]); x = c.f; x := Heap[ c, f ];](http://images.slideplayer.com./16/5113437/slides/slide_18.jpg "class C { int f; object g; } var f: [ref] int; var g: [ref] ref; type Field; type Value; var Heap: [ref, Field] Value; function V2I(Value) returns (int); function I2V (int) returns (Value); axiom ( v: Value I2V(V2I(v)) == v); axiom ( i: int V2I(I2V(i)) == i); type Field ; var Heap: ( [ref, Field ] ); x = c.f; x := f [ c ]; x = c.f; x := V2I(Heap[ c, f ]); x = c.f; x := Heap[ c, f ];")
19
public string NextChunk() modifies this.*; ensures result.Length <= ChunkSize; public string NextChunk() modifies this.*; ensures result.Length <= ChunkSize;
20
procedure Chunker.NextChunk(this: ref where $IsNotNull(this, Chunker)) returns ($result: ref where $IsNotNull($result, System.String)); // in-parameter: target object free requires $Heap[this, $allocated]; requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // out-parameter: return value free ensures $Heap[$result, $allocated]; ensures ($Heap[$result, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[$result, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // user-declared postconditions ensures $StringLength($result) <= $Heap[this, Chunker.ChunkSize]; // frame condition modifies $Heap; free ensures (forall $o: ref, $f: name :: { $Heap[$o, $f] } $f != $inv && $f != $localinv && $f != $FirstConsistentOwner && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] old($Heap)[$o, $f] == $Heap[$o, $f]); // boilerplate free requires $BeingConstructed == null; free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> old($Heap)[$ot, $ownerRef] == $Heap[$ot, $ownerRef] && old($Heap)[$ot, $ownerFrame] == $Heap[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
![procedure Chunker.NextChunk(this: ref where $IsNotNull(this, Chunker)) returns ($result: ref where $IsNotNull($result, System.String)); // in-parameter: target object free requires $Heap[this, $allocated]; requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // out-parameter: return value free ensures $Heap[$result, $allocated]; ensures ($Heap[$result, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[$result, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // user-declared postconditions ensures $StringLength($result) <= $Heap[this, Chunker.ChunkSize]; // frame condition modifies $Heap; free ensures (forall $o: ref, $f: name :: { $Heap[$o, $f] } $f != $inv && $f != $localinv && $f != $FirstConsistentOwner && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] old($Heap)[$o, $f] == $Heap[$o, $f]); // boilerplate free requires $BeingConstructed == null; free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> old($Heap)[$ot, $ownerRef] == $Heap[$ot, $ownerRef] && old($Heap)[$ot, $ownerFrame] == $Heap[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];](http://images.slideplayer.com./16/5113437/slides/slide_20.jpg "procedure Chunker.NextChunk(this: ref where $IsNotNull(this, Chunker)) returns ($result: ref where $IsNotNull($result, System.String)); // in-parameter: target object free requires $Heap[this, $allocated]; requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // out-parameter: return value free ensures $Heap[$result, $allocated]; ensures ($Heap[$result, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[$result, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // user-declared postconditions ensures $StringLength($result) <= $Heap[this, Chunker.ChunkSize]; // frame condition modifies $Heap; free ensures (forall $o: ref, $f: name :: { $Heap[$o, $f] } $f != $inv && $f != $localinv && $f != $FirstConsistentOwner && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] old($Heap)[$o, $f] == $Heap[$o, $f]); // boilerplate free requires $BeingConstructed == null; free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> old($Heap)[$ot, $ownerRef] == $Heap[$ot, $ownerRef] && old($Heap)[$ot, $ownerFrame] == $Heap[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];")
21
Instantiation via e-graph matching A matching pattern (trigger) is a set of terms that together mention all the bound variables, and none of which is just a bound variable by itself Examples: ( x { f(x) } 0 ≤ f(x)) ( x,y { g(x,y) } f(x) < g(x,y))
22
( x,y { f(x), f(y) } x ≤ y f(x) ≤ f(y)) ( x { f(x) } x ≠ null f(x) ≤ f(next(x))) ( x { f(next(x)) } x ≠ null f(x) ≤ f(next(x))) ( x,y { f(x), f(y) } f(x) = f(y) x = y) ( x { f(x) } fInv(f(x)) = x) ( x { f(x+1) } f(x) ≤ f(x+1)) ( x,y,z { x*(y+z) } x*(y+z) = x*y + x*z) ( x,y { P(x,y) } x = y P(x,y) = 10) ( x { P(x,x) } P(x,x) = 10)
24
Download Spec# and Boogie from here Spec# is an object-oriented language with specifications BoogiePL is an intermediate verification language Separates concerns Enables sharing in the verification community front ends for multiple languages benchmarks abstract interpretation VC generation multiple theorem provers predicate abstraction … http://research.microsoft.com/specsharp
Similar presentations
