Presentation is loading. Please wait.

Presentation is loading. Please wait.

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Caltech Pasadena, CA 12 November 2009.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Caltech Pasadena, CA 12 November 2009."— Presentation transcript:

1 K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Caltech Pasadena, CA 12 November 2009

2 Goal Better build, maintain, and understand programs How do we do it? Specifications Tools, tools, tools Program semantics Verification-condition generation, symbolic execution, model checking, abstract interpretation, fuzzing, test generation Satisfiability Modulo Theories (SMT)

3 Static Driver Verifier (SDV) Applied regularly to all Microsoft device drivers of the supported device models, ~300 bugs found Available to third parties in Windows DDK Sage Applied regularly 100s of people doing various kinds of fuzzing HAVOC Has been applied to 100s of KLOC ~40 bugs in resource leaks, lock usage, use-after-free Pex Test generation, uses Code Contracts Applied to various libraries components VCC Being applied to Microsoft Hypervisor …

4 Research prototype Spec# language C# 2.0 + non-null types + contracts Checking: Static type checking Run-time checking Static verification

5 Spec#

6 Hoare triple{ P } S { Q } says that every terminating execution trace of program S that starts in a state satisfying P does not go wrong, and terminates in a state satisfying Q

7 { } x := E { Q } Examples: { } x := y { x is even } { } x := x + 1 { x < 100 } { } x := 3*y { x*x + 5*x = 721 } Q[E/x] y is even x < 99 9*y*y + 15*y = 721

8 To prove: { P } while B do S end { Q } find a loop invariant J and prove: invariant holds initially: P  J invariant is maintained: { J  B } S { J } invariant is strong enough to establish postcondition: J   B  Q

9 Spec#

10 Experimental language with focus on: Shared-memory concurrency Static verification Key features Memory access governed by a model of permissions Sharing via locks with monitor invariants Deadlock checking, dynamic lock re-ordering Channels Other features Classes; Mutual exclusion and readers/writers locks; Fractional permissions;Two-state monitor invariants; Asynchronous method calls; Memory leak checking; Logic predicates and functions; Ghost and prophecy variables

11 Chalice

12 method Main() { var c := new Counter; call c.Inc(); } method Main() { var c := new Counter; call c.Inc(); } method Inc() requires acc(y) ensures acc(y) { y := y + 1; } method Inc() requires acc(y) ensures acc(y) { y := y + 1; } acc(c.y)

13 What if two threads want write access to the same location? method A() … { y := y + 21; } method A() … { y := y + 21; } method B() … { y := y + 34; } method B() … { y := y + 34; } class Fib { var y: int; method Main() { var c := new Fib; fork c.A(); fork c.B(); } class Fib { var y: int; method Main() { var c := new Fib; fork c.A(); fork c.B(); } acc(c.y)

14 method A() … { acquire this; y := y + 21; release this; } method A() … { acquire this; y := y + 21; release this; } method B() … { acquire this; y := y + 34; release this; } method B() … { acquire this; y := y + 34; release this; } class Fib { var y: int; invariant acc(y); method Main() { var c := new Fib; share c; fork c.A(); fork c.B(); } class Fib { var y: int; invariant acc(y); method Main() { var c := new Fib; share c; fork c.A(); fork c.B(); } acc(c.y) acc(y)

15 Like other specifications, can hold both permissions and conditions Example: invariant acc(y) && 0 <= y acc(y)

16 Spec#Spec# C with HAVOC specifications DafnyDafny C with VCC specifications ChaliceChalice Z3Z3SimplifySimplify SMT Lib BoogieBoogie Isabelle/ HOL

17 Boogie

18 StringBuilder.Append Method (Char[ ], Int32, Int32) Appends the string representation of a specified subarray of Unicode characters to the end of this instance. public StringBuilder Append(char[] value, int startIndex, int charCount); Parameters value A character array. startIndex The starting position in value. charCount The number of characters append. Return Value A reference to this instance after the append operation has occurred. Exceptions Exception TypeCondition ArgumentNullExceptionvalue is a null reference, and startIndex and charCount are not zero. ArgumentOutOfRangeExceptioncharCount is less than zero. -or- startIndex is less than zero. -or- startIndex + charCount is less than the length of value.

19 public StringBuilder Append(char[] value, int startIndex, int charCount ); requires value == null ==> startIndex == 0 && charCount == 0; requires 0 <= startIndex; requires 0 <= charCount; requires value != null ==> startIndex + charCount <= value.Length; ensures result == this;

20 public StringBuilder Append(char[] value, int startIndex, int charCount ) { Contract.Requires(value != null || (startIndex == 0 && charCount == 0)); Contract.Requires(0 <= startIndex); Contract.Requires(0 <= charCount); Contract.Requires(value == null || startIndex + charCount <= value.Length); Contract.Ensures(Contracts.Result () == this); // method implementation... } Note that postcondition is declared at top of method body, which is not where it should be executed. A rewriter tool moves these.

21 Code Contracts and Pex [Tillman & de Halleux]

22 Spec# (open source): http://specsharp.codeplex.com http://specsharp.codeplex.com VCC (open source): http://vcc.codeplex.com http://vcc.codeplex.com Boogie, Chalice, Dafny (open source): http://boogie.codeplex.com http://boogie.codeplex.com Code Contracts: http://research.microsoft.com/contracts http://research.microsoft.com/contracts Pex: http://research.microsoft.com/pexhttp://research.microsoft.com/pex RiSE: http://research.microsoft.com/risehttp://research.microsoft.com/rise

Download ppt "K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Caltech Pasadena, CA 12 November 2009."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.

Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,

Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
The Dafny program verifier

The Dafny program verifier
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 15 January 2009 Séminaire Digiteo Orsay, France.

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 15 January 2009 Séminaire Digiteo Orsay, France.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.
Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.

Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
CodeContracts & Clousot Francesco Logozzo - Microsoft Mehdi Bouaziz – ENS.

CodeContracts & Clousot Francesco Logozzo - Microsoft Mehdi Bouaziz – ENS.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

A simple sequential reasoning approach for sound modular verification of mainstream multithreaded programs Wolfram Schulte & Bart Jacobs Microsoft Research.

Similar presentations

Ads by Google