1. Specifying and verifying programs in Spec# K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Invited talk, PSI 2006 Novosibirsk, Russia 27 June 2006 joint work with Mike Barnett, Robert DeLine, Manuel Fähndrich, Wolfram Schulte, Herman Venter, Bor-Yuh Evan Chang, Ádám Darvas, Bart Jacobs, Daan Leijen, Angela Wallenburg, Francesco Logozzo, Peter Müller, David A. Naumann, Arnd Poetzsch-Heffter

2. Software engineering problem Building and maintaining large systems that are correct

3. Approach Specifications record design decisions –bridge intent and code Tools amplify human effort –manage details –find inconsistencies –ensure quality

4. StringBuilder.Append Method (Char[ ], Int32, Int32) Appends the string representation of a specified subarray of Unicode characters to the end of this instance. public StringBuilder Append(char[] value, int startIndex, int charCount); Parameters value A character array. startIndex The starting position in value. charCount The number of characters append. Return Value A reference to this instance after the append operation has occurred. Exceptions Exception TypeCondition ArgumentNullExceptionvalue is a null reference, and startIndex and charCount are not zero. ArgumentOutOfRangeExceptioncharCount is less than zero. -or- startIndex is less than zero. -or- startIndex + charCount is less than the length of value. Specifications today

5. Specifications in program text public StringBuilder Append(char[ ] value, int startIndex, int charCount ); requires value == null ==> startIndex == 0 && charCount == 0; requires 0 <= startIndex; requires 0 <= charCount; requires value == null || startIndex + charCount <= value.Length; Exception TypeCondition ArgumentNullExceptionvalue is a null reference, and startIndex and charCount are not zero. ArgumentOutOfRangeExceptioncharCount is less than zero. -or- startIndex is less than zero. -or- startIndex + charCount is less than the length of value.

6. Research goals Build the best such system we can build today Experiment with the system to get a feel for what it is like to use Advance the state of the art

7. Spec# Experimental mix of contracts and tool support Aimed at experienced developers who know the high cost of testing and maintenance Superset of C# –non-null types –pre- and postconditions –object invariants Tool support –more type checking –compiler-emitted run-time checks –static program verification C# contracts everywhere type checking static verification into the future run-time checks degree of checking, effort familiar

8. Spec# demo

9. Verification 0.Program verifier architecture 1.Semantics 2.Verification-condition generation

10. 0. Basic architecture of a verifier verification condition generator theorem prover verification condition program with specifications “correct” or list of errors

11. Spec# verifier architecture V.C. generator automatic theorem prover verification condition Spec# “correct” or list of errors Spec# compiler MSIL (“bytecode”) translator Boogie PL inference engine Spec# program verifier (aka Boogie)

12. 1. Semantics Program outcomes: –terminate –go wrong –block –diverge

13. Core language x := E –evaluate E and change x to that value havoc x –change x to an arbitrary value assert E –if E holds, terminate; otherwise, go wrong assume E –if E holds, terminate; otherwise, block S ; T –execute S, then T S [] T or goto A or B; –execute either S or T, choosing blindly –change point of control to block A or block B, choosing blindly

14. Example translation: if Tr[[ if P then S else T end ]] = Start:goto Then or Else Then:assume P ; Tr[[ S ]] ; goto After Else:assume ¬P ; Tr[[ T ]] ; goto After After:…

15. Example translation: loop Tr[[ while { invariant J } B do S end ]] = LoopHead:assert J ; goto LoopBody or AfterLoop LoopBody:assume B ; Tr[[ S ]] ; goto LoopHead AfterLoop:assume ¬B ; …

16. Example translation: partial expressions Tr[[ x = a / b ; ]] = assert b ≠ 0 ; x := a / b Tr[[ x = (T) y ; ]] = // type cast assert y = null  typeof(y) <: T ; x := y

17. Example translation: fields of objects Tr[[ x = o.f; ]] = assert o ≠ null ; x := Heap[ o, f ] Tr[[ o.f = x; ]] = assert o ≠ null ; Heap[ o, f ] := x x := Select(Heap, (o,f)) Heap := Update(Heap, (o,f), x)

18. Example translation: call Given procedure M requires Pre modifies w ensures Post Tr[[ call M; ]] = assert Pre ; havoc w ; assume Post ;

19. Example translation: object construction Tr[[ x = new C(); ]] = havoc x ; assume x ≠ null; assume Heap[ x, allocated ] = false; assume typeof(x) = C; Heap[ x, allocated ] := true; Tr[[ call C..ctor(x); ]]

20. 2. Verification-condition generation Maps core language into first-order formulas –loops Concern about prover performance –redundancy and formula size wp(S [] T, Q) = wp(S, Q)  wp(T, Q) –goto statements

21. Verification-condition generation 0. passive features: assert, assume, ; 1. control flow: goto (no loops) 2. state changes: :=, havoc 3. loops

22. Weakest preconditions The weakest precondition of a statement S with respect to a predicate Q on the post-state of S, denoted wp(S,Q), is the set of pre-states from which execution: –does not go wrong, and –if it terminates, terminates in Q

23. VC generation: passive features wp( assert E, Q ) = E  Q wp( assume E, Q ) = E  Q wp( S; T, Q ) = wp( S, wp( T, Q ))

24. VC generation: acyclic control flow For each block A, introduce a variable A ok with the meaning: A ok is true iff every program execution starting in the current state from block A does not go wrong The verification condition for the program: A: S; goto B or C … is: ( A ok  wp( S, B ok  C ok ) )  …  A ok

25. VC generation: state changes Replace definitions and uses of variables by definitions and uses of different incarnations of the variables {x  x0, y  y0} x := E(x,y) x1 := E(x0,y0) {x  x1, y  y0} {x  x0, y  y0} havoc x skip {x  x1, y  y0}

26. VC generation: state changes (cont.) Given: {x  x0,y  y0} SS’ {x  x1, y  y0} {x  x0, y  y0} TT’ {x  x2, y  y0} then we have: {x  x0, y  y0} if E(x,y) then S else T end if E(x0,y0) then S’ ; x3 := x1 else T’ ; x3 := x2 end {x  x3, y  y0}

27. VC generation: state changes (cont.) Replace every assignment x := E with assume x = E

28. VC generation: loops loop head: loop body: assert LoopInv( x ) ; assume Guard( x ) ; x := … assume ¬Guard( x ) ; after loop:

29. VC generation: loops loop head: loop body: assert LoopInv( x ) ; assume LoopInv( x ); assume Guard( x ) ; x := … assume ¬Guard( x ) ; after loop: assert P = assert P ; assume P

30. VC generation: loops loop head: loop body: assert LoopInv( x ) ; assume LoopInv( x ); assume Guard( x ) ; x := … assume ¬Guard( x ) ; after loop: assert LoopInv( x ) ;

31. VC generation: loops loop head: loop body: assume LoopInv( x ); assume Guard( x ) ; x := … assert LoopInv( x ); assume ¬Guard( x ) ; after loop: assert LoopInv( x ) ; havoc x ; loop target

32. VC generation: loops loop head: loop body: assume LoopInv( x ); assume Guard( x ) ; x := … assert LoopInv( x ); assume false; assume ¬Guard( x ) ; after loop: assert LoopInv( x ) ; havoc x ;

34. download Spec# from here Conclusions Because of tool support, we’re ready for programming at the next level of rigor Current work –Specification/programming/verification methodology –Performance –Technology transfer –Engineering effort Technology sharing –Teaching –Case studies –BoogiePL as common intermediate logic http://research.microsoft.com/~leino http://research.microsoft.com/specsharp