Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond,...

Object Invariants in Object Invariants in Specification and Specification and Verification Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel Fähndrich, Peter Müller, Wolfram Schulte, Herman Venter, and Angela Wallenburg Invited talk, SBMF 2006, Natal, Brazil, 19 September 2006

Transcript of Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond,...

Page 1: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Object Invariants in Object Invariants in Specification and Specification and VerificationVerification

K. Rustan M. LeinoMicrosoft Research, Redmond, WA

Joint work with:Mike Barnett, Ádám Darvas,Manuel Fähndrich, Peter Müller,Wolfram Schulte, Herman Venter, andAngela Wallenburg

Invited talk, SBMF 2006, Natal, Brazil, 19 September 2006

Page 2: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Software engineering Software engineering problemproblem• Building and maintaining large

software systems that are correct

Page 3: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.


• Specifications record design decisions– bridge intent and code

• Tools amplify human effort– manage detail– find inconsistencies– ensure quality

Page 4: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Research goalsResearch goals

• Build the best such system we can build today

• Experiment with the system to get a feel for what it is like to use

• Advance the state of the art

Page 5: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.


• Experimental mix of contracts and tool support

• Aimed at experienced developers who know the high cost of testing and maintenance

• Superset of C#– non-null types– pre- and postconditions– object invariants

• Tool support– more type checking– compiler-emitted run-time checks– static program verification



type checking

static verification

into the future

run-time checks

degree of checking,effort


Page 6: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Spec# demoSpec# demo

Page 7: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Spec# program verifier Spec# program verifier architecturearchitecture

V.C. generator

automatictheorem prover

verification condition


“correct” or list of errors

Spec# compiler

MSIL (“bytecode”)bytecode translator

Boogie PL

inference engine

Spec# program verifier (aka Boogie)

Page 8: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Object invariantsObject invariants

0. Simple objects1. Aggregate objects2. Subclasses3. Additive invariants

Page 9: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

0. When do invariants 0. When do invariants hold?hold?class Car {int speed;int windResistance;invariant windResistance == K * speed * speed;public Car() { speed = 0; windResistance = 0; }public void SetSpeed(int kmph) {

speed = kmph;windResistance = K * speed * speed;


Page 10: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

0. When do invariants 0. When do invariants hold?hold?class Car {int speed;int windResistance;invariant windResistance == K * speed * speed;public Car() { speed = 0; windResistance = 0; }public void SetSpeed(int kmph) {

speed = kmph;windResistance = K * speed * speed;


invariant istemporarily broken here

P( );

what if P calls backinto SetSpeed?

Page 11: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Object statesObject states

• Mutable– Object invariant might be violated– Field updates are allowed

• Valid– Object invariant holds– Field updates not allowed

Page 12: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

The heap (the object store)The heap (the object store)

Page 13: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

The heap (the object store)The heap (the object store)


Page 14: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

expose statementexpose statementclass Car {

int speed;int windResistance;invariant windResistance == K * speed * speed;…public void SetSpeed(int kmph)

requires this.valid;{

expose (this) {speed = kmph;windResistance = K * speed * speed;


changes objectfrom valid to mutable

changes objectfrom mutable to valid

Page 15: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Summary for simple objects:Summary for simple objects:

explicit representation of when invariants explicit representation of when invariants holdhold(o • o.mutable Inv(o))

expose (x) { … }check Inv(x)

check x.valid

x.valid := falsex.mutable :=


x.valid := truex.mutable :=


Page 16: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

1. Aggregate objects1. Aggregate objectsclass Seat { public void Move(int pos) requires

this.valid; … }class Car {

Seat s;public void Adjust(Profile p)

requires this.valid p.valid;{


Page 17: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.


Points to owner

Page 18: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Ownership domainsOwnership domains

Points to owner

Page 19: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

((o • o.mutable o • o.mutable o.owner.mutable)o.owner.mutable)

Points to ownerMutable objectValid object

Page 20: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Representation (rep) fieldsRepresentation (rep) fieldsclass Seat { public void Move(int pos) requires this.Consistent; … }

class Car {rep Seat s;public void Adjust(Profile p)

requires this.Consistent p.Consistent;{

expose (this) {s.Move(p.SeatPosition);


o.Consistent o.owner.mutable o.valid

Page 21: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Peer fields and peer validityPeer fields and peer validityclass Seat { public void Move(int pos) requires this.PeerConsistent; … }

class Car {rep Seat s; peer Seat s;public void Adjust(Profile p) public void Adjust(Position p)

requires this.PeerConsistent requires this.PeerConsistent

p.PeerConsistent; p.PeerConsistent; { {

expose (this) {s.Move(p.SeatPosition); s.Move(p.SeatPosition);

}} }o.PeerConsistent o.owner.mutable (p • p.owner = o.owner p.valid)

o.Consistent o.owner.mutable o.valid

Page 22: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Summary for aggregate objects:Summary for aggregate objects:

ownership domainsownership domains(o • o.mutable o.owner.mutable)

expose (x) { … }check (r • r.owner=x r.valid)

check x.owner.mutable

x.valid := falsex.mutable :=


x.valid := truex.mutable :=


Page 23: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

2. Subclasses2. Subclassesclass Car {

int speed;invariant 0 ≤ speed;…

}class LuxuryCar extends Car {

Radio r;invariant 6 ≤ r.CDCapacity;…


Page 24: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Owners are pairsOwners are pairs

• To support subclasses with invariants, we change owners to be pairs:

(object reference, class frame)

Page 25: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Invariants and subclassesInvariants and subclasses

class A { … }

class B extends A { … }

Points to owner




Page 26: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Summary for subclasses:Summary for subclasses:

owners are pairsowners are pairs(o,T • (o,T).mutable o.owner.mutable)

expose (x) { … }

check x.owner.mutable

(x,C).valid := false

(x,C).mutable := true

(x,C).valid := true

(x,C).mutable := false

check (r • r.owner=(x,C) r.valid)

where x has static type C

Page 27: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

3. Additive invariants3. Additive invariantsclass Car {

int speed;…

}class LuxuryCar extends Car {

Radio r;invariant speed > 60 r.SoundBooster=true;overrides void SetSpeed(int kmph) {

expose (this) {base.SetSpeed(kmph);if (speed > 60) { … }



Page 28: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Additive invariants and Additive invariants and subclassessubclasses

class A { … }

class B extends A { … }

Points to ownerMutable objectValid object




Page 29: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Summary for additive invariants:Summary for additive invariants:

consider invariant state of consider invariant state of subclassessubclasses(o,T • (o,T).mutable

( S • S <: T (o,S).mutable)

additive expose (x) { … }

check ( S • S <: C S ≠ C (o,S).mutable)

(x,C).valid := false

(x,C).mutable := true

(x,C).valid := true

(x,C).mutable := false

where x has static type C

Page 30: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Object invariants in Spec#Object invariants in Spec#• Spec# syntactically checks that invariants are

admissible• Ownership is specified with the [Owned] attribute• We first supported only rep ownership relations

– peer relationships are often useful too– we now use PeerConsistent as the default method precondition– owners are set automatically on assignments of rep and peer


• We first supported only additive invariants in Spec#– non-additive invariants are easier to work with– non-additive expose is now the default– implementation restriction: no further expose allowed on an

object while a non-additive expose is in progress

• Additive methods (those that update the additive fields mentioned in additive invariants) require dynamic dispatch and use precondition Consistent

Page 31: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Summary and conclusionsSummary and conclusions• Spec# programming system• Rich object structures need

specification and verification support– simple invariants– aggregate objects– subclasses– additive invariants– visibility-based invariants– …



download Spec#from here