Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

Published byMelinda Reeves Modified over 9 years ago

Similar presentations

Presentation on theme: "Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based."— Presentation transcript:

1 Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based on KSE06 – With kind permission of Peter Müller

2 Software Engineering, lecture 20: Static program checking and verification 2 Correctness class ArraySet implements Set { private int[ ] array; private int next; … public void insert( int i ) { for ( int j = 0; j < next; j-- ) if array[ j ] == i then return true; return false; } class ArraySet implements Set { private int[ ] array; private int next; … public void insert( int i ) { for ( int j = 0; j < next; j-- ) if array[ j ] == i then return true; return false; } class ArraySet implements Set { private int[ ] array; private int next; … public void insert( int i ) { for ( int j = 0; j < next; j-- ) if array[ j ] == i then return true; return false; } class ArraySet implements Set { private int[ ] array; private int next; … public void insert( int i ) { for ( int j = 0; j < next; j-- ) if array[ j ] == i then return true; return false; } class ArraySet implements Set { private int[ ] array; private int next; … public void insert( int i ) { for ( int j = 0; j < next; j-- ) if array[ j ] == i then return true; return false; } Syntax Rules Context Conditions Semantic Rules Behavioral Specification

3 Software Engineering, lecture 20: Static program checking and verification 3 Aspects of correctness Syntax Rules Context Conditions Semantic Rules Behavioral Specification Syntax Semantics Scanning, Parsing Test, Verification Semantic Analysis, Type Checking

4 Software Engineering, lecture 20: Static program checking and verification 4 Test and verification Test Objective  Detect bugs Examples  White box test  Black box test Problems  Successful test does not guarantee correctness Verification Objective  Prove correctness Examples  Formal verification based on a logic  Symbolic execution Problems  Expensive  Formal specification of behavior is required

5 Software Engineering, lecture 20: Static program checking and verification 5 Levels of coverage Effort Coverage Type checking Program verification Extended static checking Decidability ceiling

6 Software Engineering, lecture 20: Static program checking and verification 6 Extended static checking ESC/Java developed at DEC, Compaq, and HP Research Fully automated tool Tries to verify  Absence of runtime exceptions and common mistakes e.g. null dereference, array bounds, type cast errors, deadlocks  Simple user-specified contracts invariants, pre/postconditions, loop invariants, assertions Program with specifications Error messages Bag.java:18: Array index possibly too large Program Checker/Verifier

7 Software Engineering, lecture 20: Static program checking and verification 7 Program checker design tradeoffs Objectives  Fully automated reasoning  As little annotation overhead as possible  Performance Not sound  Errors may be missed Not complete  Warnings do not always report errors (false alarms) Goal  Cost-effective tool  Find source of possible bugs quickly Main reason why it’s called checker and not verifier

8 Software Engineering, lecture 20: Static program checking and verification 8 Tool architecture Translator Annotated Java program Verification condition Counterexample context Warning messages Automatic Theorem Prover Post Processor Valid Resource exhausted

9 Software Engineering, lecture 20: Static program checking and verification 9 Theorem prover: “Simplify” Automatic: No user interaction Refutation based: To prove  it will attempt to satisfy ¬   If this is possible, a counterexample is found, and we know a reason why  is invalid  If it fails to satisfy ¬  then  is considered to be valid

10 Software Engineering, lecture 20: Static program checking and verification 10 Time limits Logic used in Simplify is semi-decidable  Each procedure that proves all valid formulas loops forever on some invalid ones Simplify works with a time limit  When time limit is reached, counterexample is returned  Longer computation might show that returned counterexample is inconsistent Time limits are a source of incompleteness  Spurious counterexamples lead to spurious warnings

11 Software Engineering, lecture 20: Static program checking and verification 11 ESC/Java2 Successor of ESC/Java Eclipse integration Made specification language compatible with JML Made open source Give it a try! http://secure.ucd.ie/products/opensource/escjava2

12 Software Engineering, lecture 20: Static program checking and verification 12 Spec# Program verification tool developed at MS Research Superset of C#  non-null types  pre- and postconditions  object invariants Tool support  more type checking  compiler-emitted run-time checks  static program verification  fully integrated into Visual Studio.NET 2005 type checking static verification run-time checks degree of checking, effort into the future C# contracts everywhere

13 Software Engineering, lecture 20: Static program checking and verification 13 Spec# vs. ESC/Java(2) Similarities  Architecture  Full automation (even theorem prover is the same)  Essential contract language Differences  Spec# is sound  Spec# does modular reasoning price to pay: need to understand methodology

14 Software Engineering, lecture 20: Static program checking and verification 14 Non-null types T x; The value of x is - null or - reference to object whose type is a subtype of T. T! y; The value of y is - reference to object whose type is a subtype of T, and not null.

15 Software Engineering, lecture 20: Static program checking and verification 15 Types versus assertions Without non-null types: Person(string name) requires name != null; With non-null types: Person(string! name)

16 Software Engineering, lecture 20: Static program checking and verification 16 Comparing against null public void M(T x){ if (x == null) { … } else { T! y = x; … } Spec# performs a data-flow analysis to allow this

17 Spec# DEMO

18 Software Engineering, lecture 20: Static program checking and verification 18 References ESC/Java  Flanagan et al.: Extended Static Checking for Java ESC/Java2  http://secure.ucd.ie/products/opensource/ESCJava2 Spec#  Barnett et al.: Boogie: A Modular Reusable Verifier for Object-Oriented Programs  http://research.microsoft.com/specsharp Rustan Leino’s lectures  http://research.microsoft.com/~leino/talks.html

Download ppt "Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.

Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,

Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.

Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 8.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.
Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.

Software Engineering & Automated Deduction Willem Visser Stellenbosch University With Nikolaj Bjorner (Microsoft Research, Redmond) Natarajan Shankar (SRI.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.

The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.

Similar presentations

Ads by Google