Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond,...
-
Upload
isaac-gallagher -
Category
Documents
-
view
212 -
download
0
Transcript of Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond,...
![Page 1: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/1.jpg)
Object Invariants in Object Invariants in Specification and Specification and VerificationVerification
K. Rustan M. LeinoMicrosoft Research, Redmond, WA
Joint work with:Mike Barnett, Ádám Darvas,Manuel Fähndrich, Peter Müller,Wolfram Schulte, Herman Venter, andAngela Wallenburg
Invited talk, SBMF 2006, Natal, Brazil, 19 September 2006
![Page 2: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/2.jpg)
Software engineering Software engineering problemproblem• Building and maintaining large
software systems that are correct
![Page 3: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/3.jpg)
ApproachApproach
• Specifications record design decisions– bridge intent and code
• Tools amplify human effort– manage detail– find inconsistencies– ensure quality
![Page 4: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/4.jpg)
Research goalsResearch goals
• Build the best such system we can build today
• Experiment with the system to get a feel for what it is like to use
• Advance the state of the art
![Page 5: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/5.jpg)
Spec#Spec#
• Experimental mix of contracts and tool support
• Aimed at experienced developers who know the high cost of testing and maintenance
• Superset of C#– non-null types– pre- and postconditions– object invariants
• Tool support– more type checking– compiler-emitted run-time checks– static program verification
C#contracts
everywhere
type checking
static verification
into the future
run-time checks
degree of checking,effort
familiar
![Page 6: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/6.jpg)
Spec# demoSpec# demo
![Page 7: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/7.jpg)
Spec# program verifier Spec# program verifier architecturearchitecture
V.C. generator
automatictheorem prover
verification condition
Spec#
“correct” or list of errors
Spec# compiler
MSIL (“bytecode”)bytecode translator
Boogie PL
inference engine
Spec# program verifier (aka Boogie)
![Page 8: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/8.jpg)
Object invariantsObject invariants
0. Simple objects1. Aggregate objects2. Subclasses3. Additive invariants
![Page 9: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/9.jpg)
0. When do invariants 0. When do invariants hold?hold?class Car {int speed;int windResistance;invariant windResistance == K * speed * speed;public Car() { speed = 0; windResistance = 0; }public void SetSpeed(int kmph) {
speed = kmph;windResistance = K * speed * speed;
}
![Page 10: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/10.jpg)
0. When do invariants 0. When do invariants hold?hold?class Car {int speed;int windResistance;invariant windResistance == K * speed * speed;public Car() { speed = 0; windResistance = 0; }public void SetSpeed(int kmph) {
speed = kmph;windResistance = K * speed * speed;
}
invariant istemporarily broken here
P( );
what if P calls backinto SetSpeed?
![Page 11: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/11.jpg)
Object statesObject states
• Mutable– Object invariant might be violated– Field updates are allowed
• Valid– Object invariant holds– Field updates not allowed
![Page 12: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/12.jpg)
The heap (the object store)The heap (the object store)
![Page 13: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/13.jpg)
The heap (the object store)The heap (the object store)
MutableValid
![Page 14: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/14.jpg)
expose statementexpose statementclass Car {
int speed;int windResistance;invariant windResistance == K * speed * speed;…public void SetSpeed(int kmph)
requires this.valid;{
expose (this) {speed = kmph;windResistance = K * speed * speed;
}}
changes objectfrom valid to mutable
changes objectfrom mutable to valid
![Page 15: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/15.jpg)
Summary for simple objects:Summary for simple objects:
explicit representation of when invariants explicit representation of when invariants holdhold(o • o.mutable Inv(o))
expose (x) { … }check Inv(x)
check x.valid
x.valid := falsex.mutable :=
true
x.valid := truex.mutable :=
false
![Page 16: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/16.jpg)
1. Aggregate objects1. Aggregate objectsclass Seat { public void Move(int pos) requires
this.valid; … }class Car {
Seat s;public void Adjust(Profile p)
requires this.valid p.valid;{
s.Move(p.SeatPosition);}
![Page 17: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/17.jpg)
OwnershipOwnership
Points to owner
![Page 18: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/18.jpg)
Ownership domainsOwnership domains
Points to owner
![Page 19: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/19.jpg)
((o • o.mutable o • o.mutable o.owner.mutable)o.owner.mutable)
Points to ownerMutable objectValid object
![Page 20: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/20.jpg)
Representation (rep) fieldsRepresentation (rep) fieldsclass Seat { public void Move(int pos) requires this.Consistent; … }
class Car {rep Seat s;public void Adjust(Profile p)
requires this.Consistent p.Consistent;{
expose (this) {s.Move(p.SeatPosition);
}}
o.Consistent o.owner.mutable o.valid
![Page 21: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/21.jpg)
Peer fields and peer validityPeer fields and peer validityclass Seat { public void Move(int pos) requires this.PeerConsistent; … }
class Car {rep Seat s; peer Seat s;public void Adjust(Profile p) public void Adjust(Position p)
requires this.PeerConsistent requires this.PeerConsistent
p.PeerConsistent; p.PeerConsistent; { {
expose (this) {s.Move(p.SeatPosition); s.Move(p.SeatPosition);
}} }o.PeerConsistent o.owner.mutable (p • p.owner = o.owner p.valid)
o.Consistent o.owner.mutable o.valid
![Page 22: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/22.jpg)
Summary for aggregate objects:Summary for aggregate objects:
ownership domainsownership domains(o • o.mutable o.owner.mutable)
expose (x) { … }check (r • r.owner=x r.valid)
check x.owner.mutable
x.valid := falsex.mutable :=
true
x.valid := truex.mutable :=
false
![Page 23: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/23.jpg)
2. Subclasses2. Subclassesclass Car {
int speed;invariant 0 ≤ speed;…
}class LuxuryCar extends Car {
Radio r;invariant 6 ≤ r.CDCapacity;…
}
![Page 24: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/24.jpg)
Owners are pairsOwners are pairs
• To support subclasses with invariants, we change owners to be pairs:
(object reference, class frame)
![Page 25: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/25.jpg)
Invariants and subclassesInvariants and subclasses
class A { … }
class B extends A { … }
Points to owner
Object
A
B
![Page 26: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/26.jpg)
Summary for subclasses:Summary for subclasses:
owners are pairsowners are pairs(o,T • (o,T).mutable o.owner.mutable)
expose (x) { … }
check x.owner.mutable
(x,C).valid := false
(x,C).mutable := true
(x,C).valid := true
(x,C).mutable := false
check (r • r.owner=(x,C) r.valid)
where x has static type C
![Page 27: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/27.jpg)
3. Additive invariants3. Additive invariantsclass Car {
int speed;…
}class LuxuryCar extends Car {
Radio r;invariant speed > 60 r.SoundBooster=true;overrides void SetSpeed(int kmph) {
expose (this) {base.SetSpeed(kmph);if (speed > 60) { … }
}}
}
![Page 28: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/28.jpg)
Additive invariants and Additive invariants and subclassessubclasses
class A { … }
class B extends A { … }
Points to ownerMutable objectValid object
Object
A
B
![Page 29: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/29.jpg)
Summary for additive invariants:Summary for additive invariants:
consider invariant state of consider invariant state of subclassessubclasses(o,T • (o,T).mutable
( S • S <: T (o,S).mutable)
additive expose (x) { … }
check ( S • S <: C S ≠ C (o,S).mutable)
(x,C).valid := false
(x,C).mutable := true
(x,C).valid := true
(x,C).mutable := false
where x has static type C
![Page 30: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/30.jpg)
Object invariants in Spec#Object invariants in Spec#• Spec# syntactically checks that invariants are
admissible• Ownership is specified with the [Owned] attribute• We first supported only rep ownership relations
– peer relationships are often useful too– we now use PeerConsistent as the default method precondition– owners are set automatically on assignments of rep and peer
fields
• We first supported only additive invariants in Spec#– non-additive invariants are easier to work with– non-additive expose is now the default– implementation restriction: no further expose allowed on an
object while a non-additive expose is in progress
• Additive methods (those that update the additive fields mentioned in additive invariants) require dynamic dispatch and use precondition Consistent
![Page 31: Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.](https://reader035.fdocuments.in/reader035/viewer/2022070305/551475ac550346494e8b62b8/html5/thumbnails/31.jpg)
Summary and conclusionsSummary and conclusions• Spec# programming system• Rich object structures need
specification and verification support– simple invariants– aggregate objects– subclasses– additive invariants– visibility-based invariants– …
http://research.microsoft.com/~leino
http://research.microsoft.com/specsharp
download Spec#from here