Program Verification / Automated Theorem Proving
Program Verification Using Spec#
Motivation
• Prove correctness of the program
• Cost effective way to develop and maintain high-quality software.
Road Map
• Design by Contract
• Spec# Architecture
• Demo

Design by Contract
• First appeared in Eiffel
• Formal, precise and verifiable interface
Pre Conditions

    class ArrayList {
        public virtual void Insert(int index, object value)
            requires 0 <= index && index <= Count;   // precondition: valid insertion point
        {
        }
    }

Post Conditions

    class ArrayList {
        public virtual void Insert(int index, object value)
            requires 0 <= index && index <= Count;   // precondition
            ensures Count == old(Count) + 1;         // postcondition: one more element
            ensures value == this[index];            // postcondition: stored at index
        {
        }
    }
Not Enough
• Method constructs are not enough
• Enforce constraints on private members?
• Abstraction violation?
• How to ensure the object's state?
Object Invariants

    class SortOrder {
        ItemsList[]! randomList;   // ! marks a non-null reference
        ItemsList[]! sortedList;
        invariant randomList.Length == sortedList.Length;   // must hold in every stable state
    }
Blame Game
• Requires failure => blame the method caller (Client)
• Ensures failure => blame the method implementor (Provider)
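The blame rule above, worked through on the slides' ArrayList.Insert contract as an added Python model (not Spec# and not code from the slides): a contract decorator inlines the requires/ensures checks the way the Spec# compiler does at run time, and blame() reports whether the client or the provider broke the contract. The names contract, blame, INSERT_CONTRACT and BuggyInsert are this example's own.

```python
class PreconditionError(Exception): pass   # requires failed: blame the caller (client)
class PostconditionError(Exception): pass  # ensures failed: blame the method body (provider)

def contract(requires, ensures):
    """Inline the checks Spec# emits around a method body (requires, then ensures)."""
    def wrap(method):
        def checked(self, *args):
            if not requires(self, *args):
                raise PreconditionError(f"{method.__name__}: precondition violated")
            old = {"Count": self.Count}  # snapshot at entry, stands in for old(Count)
            result = method(self, *args)
            if not ensures(self, old, *args):
                raise PostconditionError(f"{method.__name__}: postcondition violated")
            return result
        return checked
    return wrap

class ArrayList:
    def __init__(self):
        self._items = []
    @property
    def Count(self):
        return len(self._items)

    def __getitem__(self, index):
        return self._items[index]
    # requires 0 <= index && index <= Count;
    # ensures Count == old(Count) + 1;  ensures value == this[index];
    INSERT_CONTRACT = dict(
        requires=lambda self, index, value: 0 <= index <= self.Count,
        ensures=lambda self, old, index, value:
            self.Count == old["Count"] + 1 and self[index] == value)

    @contract(**INSERT_CONTRACT)
    def Insert(self, index, value):
        self._items.insert(index, value)

    @contract(**INSERT_CONTRACT)
    def BuggyInsert(self, index, value):
        self._items.append(value)  # ignores index, so ensures fails when index < Count

def blame(call):
    try:
        call()
        return "ok"
    except PreconditionError:
        return "client"
    except PostconditionError:
        return "provider"
```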
Spec# Architecture
• Spec# Compiler
• Verification Code Generator (Boogie)
• Automatic Theorem Prover (Boogie)
Why extend C#???
• Non-null types
• Method contracts
• Checked / unchecked exceptions
Non Nullable Types

    using System;

    public class Program {
        // string![]! : a non-null array whose elements are non-null strings
        public static void Main(string![]! args) {
            for (int i = 0; i < args.Length; i++) {
                Console.WriteLine(args[i]);
            }
            Console.ReadLine();
        }
    }
Exceptions (diagram)
• Failures: admissible failures, attributed to the Provider
• Errors: observed program errors, attributed to the Client
Assertions???
• Why can't simple assertions help?
• Callbacks, multi-threading, inheritance
Code Comparison

C#

    public class SomeClass {
        public SomeClass() { }
        public int SomeMethod(int i) {
            return 50 / i;
        }
    }

Spec#

    public class SomeClass {
        public SomeClass() { }
        public int SomeMethod(int i)
            requires i != 0;   // division by zero ruled out by contract
        {
            return 50 / i;
        }
    }

IL (C#)

    .method public hidebysig instance int32 SomeMethod(int32 i) cil managed
    {
      // Code size 5 (0x5)
      .maxstack 8
      IL_0000: ldc.i4.s 50
      IL_0002: ldarg.1
      IL_0003: div
      IL_0004: ret
    } // end of method SomeClass::SomeMethod

IL (Spec#)

    .method public hidebysig instance int32 SomeMethod(int32 i) cil managed
    {
      .custom instance void [System.Compiler.Runtime]Microsoft.Contracts.EnsuresAttribute::.ctor(string) = smthng
      .locals init (int32 V_0,
                    class [System.Compiler.Runtime]Microsoft.Contracts.ContractMarkerException V_1,
                    int32 V_2)
      // Some usual operations
      .try
      {
        ….
        IL_0016: ldstr "Postcondition 'i != 0' violated from method 'classLibrary1.SomeClass.SomeMethod(System.Int32)'"
        IL_001b: newobj instance void [System.Compiler.Runtime]Microsoft.Contracts.EnsuresException::.ctor(string)
        IL_0020: throw
        ….
      } // end .try
      ….
      IL_002e: ret
    } // end of method SomeClass::SomeMethod
Runtime Checks
• Preconditions and postconditions are turned into inlined code
• Performance
• Extra methods and fields in the compiled code
Automated Theorem Prover
• BoogiePL
• Simplify Theorem Prover
• Propositional Calculus
Demo