Download presentation
Presentation is loading. Please wait.
1
K. Rustan M. Leino Microsoft Research, Redmond Invited talk, TACAS 2007 ETAPS, Braga, Portugal 28 March 2007
2
Dave Detlefs Cormac Flanagan Rajeev Joshi Gary Leavens Mark Lillibridge Todd Millstein Greg Nelson Jim Saxe Raymie Stata Mike Barnett Nikolaj Bjørner Evan Chang Ádám Darvas Rob DeLine Leo de Moura Manuel Fähndrich Diego Garbervetsky Bart Jacobs Francesco Logozzo Rosemary Monahan Michaŀ Moskal Peter Müller Madan Musuvathi Dave Naumann Simon Ou Arnd Poetzsch-Heffter Wolfram Schulte Herman Venter Angela Wallenburg …
3
Hoare, Joshi, Leavens, Misra, Naumann, Shankar, Woodcock, et al. “We envision a world in which computer programs are always the most reliable component of any system or device that contains them” [Hoare & Misra]
4
Spec# language Object-oriented.NET language More types Specifications (pre- and postconditions, etc.) Usage rules (methodology) Checking: Static type checking Run-time checking Static verification (optional)
5
sound modular verification focus on automation, not full functional correctness specifications no termination verification no verification of temporal properties
7
static verifier (Boogie) MSIL (“bytecode”) SMT solver V.C. generator Inference engine translator verification condition “correct” or list of errors Spec# compiler Spec# BoogiePL
8
Language design Specifications VC generation Inference and decision procedures Error messages
9
non-null types control flow if, loops, exceptions, gotos by default, put base-constructor call last include pre- and postconditions constructs à la Gypsy, Eiffel superset of full language is challenging
10
public void M( T? x ) { if (x == null) { … } else { int y = ((T!)x).f; … } }
11
public void M( T? x ) { if (x == null) { … } else { int y = ((!)x).f; … } }
12
public void M( T? x ) { if (x == null) { … } else { int y = x.f; … } } Spec# performs a data-flow analysis to allow this (similar to definite assignment)
13
class C : B { T ! x; public C(T ! y) { base(); this.x = y; this.P(); } public override int M() { return x.f; } } Is this code type safe? No! abstract class B { public B() { this.M(); } public abstract int M(); } null dereference
14
class C : B { T ! x; public C(T ! y) { this.x = y; base(); this.P(); } public override int M() { return x.f; } } Spec# allows x to be assigned before base constructor is called.
15
specifying consistency of data (invariants) organizing the heap (ownership, …) abstraction and information hiding (model fields, pure methods, …) frame conditions (modifies clauses) support for useful programming idioms Spec# has a numerous attributes—what is a small, usable set?
16
x x.M(); exposed valid
17
modifies p.x; modifies Heap; ensures (forall o: ref, f: field :: Heap[o,f] == old(Heap)[o,f] (o == p f == x) old(Heap)[o,allocated] old(Heap)[o,committed] );
![modifies p.x; modifies Heap; ensures (forall o: ref, f: field :: Heap[o,f] == old(Heap)[o,f] (o == p f == x) old(Heap)[o,allocated] old(Heap)[o,committed] );](http://images.slideplayer.com./16/5143432/slides/slide_17.jpg "modifies p.x; modifies Heap; ensures (forall o: ref, f: field :: Heap[o,f] == old(Heap)[o,f] (o == p f == x) old(Heap)[o,allocated] old(Heap)[o,committed] );")
18
use an intermediate language BoogiePL, Why [Filliâtre et al.] a common verification toolbus challenge: how to take advantage of special features/theories of the underlying provers? loop invariants simple inference helps applying method frame conditions to loops functions and quantifiers encode theories extensible, convenient
![use an intermediate language BoogiePL, Why [Filliâtre et al.] a common verification toolbus challenge: how to take advantage of special features/theories of the underlying provers.](http://images.slideplayer.com./16/5143432/slides/slide_18.jpg "loop invariants simple inference helps applying method frame conditions to loops functions and quantifiers encode theories extensible, convenient.")
19
C C Eiffel … … Java+JML Spec# Simplify Z3 CVC 3 SMT Lib Coq … … BoogiePL abstract interpreter predicate abstraction termination detector … …
20
class C : object { int x; C() { … } virtual int M(int n) { … } static void Main() { C c = new C(); c.x = 12; int y = c.M(5); } } class C : object { int x; C() { … } virtual int M(int n) { … } static void Main() { C c = new C(); c.x = 12; int y = c.M(5); } }
21
// class types const unique System.Object: name; const unique C: name; axiom C <: System.Object; function typeof(o: ref) returns (t: name); // fields type field; const unique C.x: field; const unique allocated: field; // the heap var Heap: [ref, field] α ; class C : object { int x; class C : object { int x;
![// class types const unique System.Object: name; const unique C: name; axiom C <: System.Object; function typeof(o: ref) returns (t: name); // fields type field; const unique C.x: field; const unique allocated: field; // the heap var Heap: [ref, field] α ; class C : object { int x; class C : object { int x;](http://images.slideplayer.com./16/5143432/slides/slide_21.jpg "// class types const unique System.Object: name; const unique C: name; axiom C <: System.Object; function typeof(o: ref) returns (t: name); // fields type field; const unique C.x: field; const unique allocated: field; // the heap var Heap: [ref, field] α ; class C : object { int x; class C : object { int x;")
22
// method declarations procedure C..ctor(this: ref); requires this != null && typeof(this) <: C; modifies Heap; procedure C.M(this: ref, n: int) returns (result: int); requires this != null && typeof(this) <: C; modifies Heap; procedure C.Main(); modifies Heap; C() { … } virtual int M(int n) static void Main() C() { … } virtual int M(int n) static void Main()
23
// method implementations implementation C.Main() { var c: ref, y: int; start: havoc c; assume c != null; assume ! Heap[c, allocated]; assume typeof(c) == C; Heap[c, allocated] := true; call C..ctor(c); assert c != null; Heap[c, C.x] := 12; call y := C.M(c, 5); return; } C c = new C(); c.x = 12; int y = c.M(5);
24
public string NextChunk() modifies this.*; ensures result.Length <= ChunkSize; public string NextChunk() modifies this.*; ensures result.Length <= ChunkSize;
25
procedure Chunker.NextChunk(this: ref where $IsNotNull(this, Chunker)) returns ($result: ref where $IsNotNull($result, System.String)); // in-parameter: target object free requires $Heap[this, $allocated]; requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // out-parameter: return value free ensures $Heap[$result, $allocated]; ensures ($Heap[$result, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[$result, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // user-declared postconditions ensures $StringLength($result) <= $Heap[this, Chunker.ChunkSize]; // frame condition modifies $Heap; free ensures (forall $o: ref, $f: name :: { $Heap[$o, $f] } $f != $inv && $f != $localinv && $f != $FirstConsistentOwner && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] old($Heap)[$o, $f] == $Heap[$o, $f]); // boilerplate free requires $BeingConstructed == null; free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> old($Heap)[$ot, $ownerRef] == $Heap[$ot, $ownerRef] && old($Heap)[$ot, $ownerFrame] == $Heap[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];
![procedure Chunker.NextChunk(this: ref where $IsNotNull(this, Chunker)) returns ($result: ref where $IsNotNull($result, System.String)); // in-parameter: target object free requires $Heap[this, $allocated]; requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // out-parameter: return value free ensures $Heap[$result, $allocated]; ensures ($Heap[$result, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[$result, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // user-declared postconditions ensures $StringLength($result) <= $Heap[this, Chunker.ChunkSize]; // frame condition modifies $Heap; free ensures (forall $o: ref, $f: name :: { $Heap[$o, $f] } $f != $inv && $f != $localinv && $f != $FirstConsistentOwner && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] old($Heap)[$o, $f] == $Heap[$o, $f]); // boilerplate free requires $BeingConstructed == null; free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> old($Heap)[$ot, $ownerRef] == $Heap[$ot, $ownerRef] && old($Heap)[$ot, $ownerFrame] == $Heap[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];](http://images.slideplayer.com./16/5143432/slides/slide_25.jpg "procedure Chunker.NextChunk(this: ref where $IsNotNull(this, Chunker)) returns ($result: ref where $IsNotNull($result, System.String)); // in-parameter: target object free requires $Heap[this, $allocated]; requires ($Heap[this, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[this, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // out-parameter: return value free ensures $Heap[$result, $allocated]; ensures ($Heap[$result, $ownerFrame] == $PeerGroupPlaceholder || !($Heap[$Heap[$result, $ownerRef], $inv] $Heap[$pc, $inv] == $typeof($pc) && $Heap[$pc, $localinv] == $typeof($pc)); // user-declared postconditions ensures $StringLength($result) <= $Heap[this, Chunker.ChunkSize]; // frame condition modifies $Heap; free ensures (forall $o: ref, $f: name :: { $Heap[$o, $f] } $f != $inv && $f != $localinv && $f != $FirstConsistentOwner && (!IsStaticField($f) || !IsDirectlyModifiableField($f)) && $o != null && old($Heap)[$o, $allocated] && (old($Heap)[$o, $ownerFrame] == $PeerGroupPlaceholder || !(old($Heap)[old($Heap)[$o, $ownerRef], $inv] old($Heap)[$o, $f] == $Heap[$o, $f]); // boilerplate free requires $BeingConstructed == null; free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } $o != null && !old($Heap)[$o, $allocated] && $Heap[$o, $allocated] ==> $Heap[$o, $inv] == $typeof($o) && $Heap[$o, $localinv] == $typeof($o)); free ensures (forall $o: ref :: { $Heap[$o, $FirstConsistentOwner] } old($Heap)[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] == $Heap[old($Heap)[$o, $FirstConsistentOwner], $exposeVersion] ==> old($Heap)[$o, $FirstConsistentOwner] == $Heap[$o, $FirstConsistentOwner]); free ensures (forall $o: ref :: { $Heap[$o, $localinv] } { $Heap[$o, $inv] } old($Heap)[$o, $allocated] ==> old($Heap)[$o, $inv] == $Heap[$o, $inv] && old($Heap)[$o, $localinv] == $Heap[$o, $localinv]); free ensures (forall $o: ref :: { $Heap[$o, $allocated] } old($Heap)[$o, $allocated] ==> $Heap[$o, $allocated]) && (forall $ot: ref :: { $Heap[$ot, $ownerFrame] } { $Heap[$ot, $ownerRef] } old($Heap)[$ot, $allocated] && old($Heap)[$ot, $ownerFrame] != $PeerGroupPlaceholder ==> old($Heap)[$ot, $ownerRef] == $Heap[$ot, $ownerRef] && old($Heap)[$ot, $ownerFrame] == $Heap[$ot, $ownerFrame]) && old($Heap)[$BeingConstructed, $NonNullFieldsAreInitialized] == $Heap[$BeingConstructed, $NonNullFieldsAreInitialized];")
26
most useful features in theorem prover: functions and equality, boolean connectives, quantifiers, arithmetic, … counterexamples good performance benchmarks very different from, say, TTA (time-triggered architecture) protocols wish: combine inference and theorem proving
27
non-chronological backtracking avoid “exponential splitting” incremental matching -- Leonardo de Moura, on Z3 for Boogie
28
SMT solver V.C. generator Inference engine verification condition BoogiePL Precision Unique variables names Functions, equality Arithmetic Heap operations Quantifiers Abstraction Computes fix-points Arithmetic Unique variables names Functions, equality Heap operations Spec# …
29
error location and execution trace to error can easily be reconstructed from simple/limited prover output better: concrete values, more explanation e.g., “an object allocated by method M and is later changed by the call to P might violate ownership invariant”
30
Download Spec# from here Spec#, C, functional languages, dynamically typed languages, … allow correctness features to drive language design use intermediate language separation of concern let us share as a community (abstract interpretation, VC generation, multiple theorem provers, predicate abstraction, …) theorem prover must be good with quantifiers exciting prospect: combine abstract interpretation and SMT solving mine counterexamples for more detailed error messages http://research.microsoft.com/specsharp
Similar presentations
