K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 15 Nov 2007 Chalmers Göteborg, Sweden.

K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 15 Nov 2007 Chalmers Göteborg, Sweden

Mike Barnett Nikolaj Bjørner Leonardo de Moura Manuel Fähndrich Bart Jacobs Ronald Middelkoop Michał Moskal Peter Müller Ralf Sasse Wolfram Schulte Jan Smans Herman Venter Angela Wallenburg

Problem Building and maintaining programs that are correct Approach Specifications record design decisions bridge intent and code Tools amplify human effort manage details find inconsistencies ensure quality

Hoare, Joshi, Leavens, Misra, Naumann, Shankar, Woodcock, et al. “We envision a world in which computer programs are always the most reliable component of any system or device that contains them” [Hoare & Misra]

Spec# language Object-oriented.NET language Superset of C#, adding: more types specifications (pre- and postconditions, etc.) Usage rules (methodology) Checking: Static type checking Run-time checking Static verification (optional)

Sound modular verification Focus on automation, not full functional correctness specifications No termination verification No verification of temporal properties

static verifier (Boogie) MSIL (“bytecode”) SMT solver V.C. generator Inference engine Translator verification condition “correct” or list of errors Spec# compiler Spec# BoogiePL

C HAVOC and VerifiedC (vcc) C HAVOC and VerifiedC (vcc) Eiffel …? Java bytecode + BML Spec# Z3 Simplify Zap 2 SMT Lib Fx7 SMT Lib Fx7 Isabelle/ HOL …? BoogiePL abstract interpreter predicate abstraction? termination detector? …?

C C Spec# Z3 BoogiePL 0: specifications 1: specifications 3: translation 4: translation 5: V.C. generation 2: BoogiePL overview

Multi-variable invariants Multi-object invariants

dict: :Chunker:Chunker :Dictionary:Dictionary n: 84 Count: 21 :Chunker:Chunker dict: n: 20 inv dict.Count ≤ n; :Classroom:Classroom studentGrades: inv studentGrades.Count ≤ 20; reprep inv dict.Count ≤ n; owner

Based on dynamic frames [Yannis Kassios, FM 2006] class C { int x; int y; Dictionary d; … frame f  { x, y, d, … }  d.fr; predicate Valid reads f  x ≤ y  d.Valid  … ; method M() requires Valid; modifies f; ensures Valid; }

Top-level declarations Statements

type T; const x: T; function f(A, B) returns (T); axiom E; var y: T; procedure P(a: A, b: B) returns (x: T, y: U); requires pre; modifies w; ensures Q; implementation P(a: A, b: B) returns (x: T, y: U) { … }

x := E a[ i ] := E havoc x assert E assume E ; call P() if while break label: goto A, B

class C : object { int x; C( ) { … } virtual int M(int n) { … } static void Main() { C c = new C( ); c.x = 12; int y = c.M(5); } } class C : object { int x; C( ) { … } virtual int M(int n) { … } static void Main() { C c = new C( ); c.x = 12; int y = c.M(5); } } Example source program

// class types const unique System.Object: name; const unique C: name; axiom C <: System.Object; function typeof(ref) returns (name); // fields type Field; const unique C.x: Field; const unique allocated: Field; // the heap var Heap: [ref, Field] int; class C : object { int x; class C : object { int x;

// method declarations procedure C..ctor(this: ref); requires this != null && typeof(this) <: C; modifies Heap; procedure C.M(this: ref, n: int) returns (result: int); requires this != null && typeof(this) <: C; modifies Heap; procedure C.Main(); modifies Heap; C() { … } virtual int M(int n) static void Main() C() { … } virtual int M(int n) static void Main()

// method implementations implementation C.Main() { var c: ref, y: int; havoc c; assume c != null; assume Heap[c, allocated] == 0; assume typeof(c) == C; Heap[c, allocated] := 1; call C..ctor(c); assert c != null; Heap[c, C.x] := 12; call y := C.M(c, 5); } C c = new C(); c.x = 12; int y = c.M(5);

type Field; var Heap: [ref, Field] int; type Field; var HeapInt: [ref, Field] int; var HeapBool: [ref, Field] bool; … type Field; type Value; var Heap: [ref, Field] Value; and conversion functions between Value and other types type Field ; var Heap: .[ref, Field ] ;

A pointer in C can go to any byte location in a segment A pointer is a (segment, offset) pair base(ptr) gives the segment offset(ptr) gives the offset within the segment Each segment has a fixed length length(seg)

Consider the translation of:*p = k; m = *p; type Ptr; type Segment; function base(Ptr) returns (Segment); function offset(Ptr) returns (int); var Mem: [Segment, int] int; assert 0 ≤ offset(p); assert offset(p) + 4 ≤ length(base(p)); Mem[base(p), offset(p)] := B3(k); Mem[base(p), offset(p)+1] := B2(k); Mem[base(p), offset(p)+2] := B1(k); Mem[base(p), offset(p)+3] := B0(k); assert 0 ≤ offset(p); assert offset(p) + 4 ≤ length(base(p)); m := Word(Mem[base(p), offset(p)+3], Mem[base(p), offset(p)+2], Mem[base(p), offset(p)+1], Mem[base(p), offset(p)]);

Define custom functions to access memory type MType; type Ptr; type ByteSeq; function rd(MType, Ptr, int) returns (ByteSeq); function wr(MType, Ptr, int, ByteSeq) returns (Mtype); axiom ( m: MType, p: Ptr, q: Ptr, plen: int, qlen: int, val: ByteSeq  base(p) = base(q)  offset(p) = offset(q)  0 < plen  plen = qlen rd(wr(m,p,plen,val), q, qlen) = val); axiom ( m: MType, p: Ptr, q: Ptr, plen: int, qlen: int, val: ByteSeq  base(p)  base(q)  offset(p) + plen ≤ offset(q)  offset(q) + qlen ≤ offset(p) rd(wr(m,p,plen,val), q, qlen) = rd(m, q, qlen)); axiom …

Use of quantifiers Matching triggers, available already in BoogiePL Reducing redundancy Paths across conditional statements But also splitting VCs into smaller ones wp versus sp

{ P } S { Q } Started in a state satisfying P, no execution of S will go wrong, and every terminating execution of S will end in a state satisfying Q P  wp(S, Q) or perhaps: sp(P, S)  Q ?

wp( x := E, Q) = Q[E/x] wp( S;T, Q) = wp( S, wp( T, Q)) wp( assume E, Q) = E  Q wp( assert E, Q) = E  Q sp(P, x := E ) = (  y  P[y/x]  x = E[y/x]) sp(P, S;T ) = sp(sp(P, S ), T ) sp(P, assume E ) = E  P sp(P, assert E ) = E  P but one would also like to check that E actually holds in P

f(x) ≤ y ≡ x ≤ g(y) sp(S, P)  Q ≡ P  wlp(S, Q) ? ≡ P  wp(S, Q)

Prove more programs Extend structuring methodologies Improve performance Raise level of abstraction, e.g.: Alloy Meta programming B method

Download Spec# and Boogie from here Verification for Spec#, C, and BoogiePL To verify, use an intermediate language Separates concerns Promotes sharing in verification community Front ends for multiple languages Multiple theorem provers Shared benchmarks Build your own verifier using Boogie Hardest part in designing VCs: programming methodology that Fits common programming idioms and Can be handled well by automatic prover Education Teach using Spec# Teach verification using BoogiePL http://research.microsoft.com/specsharp

K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 15 Nov 2007 Chalmers Göteborg, Sweden.

Similar presentations

Presentation on theme: "K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 15 Nov 2007 Chalmers Göteborg, Sweden."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 15 Nov 2007 Chalmers Göteborg, Sweden.

Similar presentations

Presentation on theme: "K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 15 Nov 2007 Chalmers Göteborg, Sweden."— Presentation transcript:

Similar presentations

About project

Feedback