The Dafny program verifier
K. Rustan M. Leino
Research in Software Engineering
Microsoft Research, Redmond
Victoria University of Wellington, Wellington, NZ
13 April 2010
Some RiSE tools at Microsoft
SLAM, Static Driver Verifier (SDV)
Sage
Code Contracts for .NET
Clousot
Pex
Z3
Static Driver Verifier
Applied regularly to all Microsoft device drivers of the supported device models
~300 bugs found
Available in Windows DDK to third parties
Predicate abstraction and refinement
(Figure: a C program together with a set of predicates goes through predicate abstraction to a boolean program, which a model checker analyses. The outcome is either "correct" or an abstract trace. The abstract trace is tested for feasibility: if feasible, a concrete trace is reported as the error message; if not, predicate refinement adds predicates and the loop repeats.)
e.g.: Graf & Saïdi, SLAM, BLAST, …
Symbolic-powered testing: Sage [Godefroid, Levin, et al.]
White-box fuzzing for C programs
Applied regularly
100s of people doing various kinds of fuzzing
(Figure: a seed input gives rise to a new generation of symbolically derived inputs)
Specifications: .NET today
StringBuilder.Append Method (Char[], Int32, Int32)
Appends the string representation of a specified subarray of Unicode characters to the end of this instance.
public StringBuilder Append(char[] value, int startIndex, int charCount);
Parameters
value: A character array.
startIndex: The starting position in value.
charCount: The number of characters to append.
Return Value
A reference to this instance after the append operation has occurred.
Exceptions (exception type: condition)
ArgumentNullException: value is a null reference, and startIndex and charCount are not zero.
ArgumentOutOfRangeException: charCount is less than zero. -or- startIndex is less than zero. -or- startIndex + charCount is less than the length of value.
Specifications in Spec#
public StringBuilder Append(char[] value, int startIndex, int charCount);
  requires value == null ==> startIndex == 0 && charCount == 0;
  requires 0 <= startIndex;
  requires 0 <= charCount;
  requires value == null || startIndex + charCount <= value.Length;
  ensures result == this;
Specifications with Code Contracts
public StringBuilder Append(char[] value, int startIndex, int charCount)
{
  Contract.Requires(value != null || (startIndex == 0 && charCount == 0));
  Contract.Requires(0 <= startIndex);
  Contract.Requires(0 <= charCount);
  Contract.Requires(value == null || startIndex + charCount <= value.Length);
  Contract.Ensures(Contract.Result<StringBuilder>() == this);
  // method implementation
  ...
}
Note that the postcondition is declared at the top of the method body, which is not where it should be executed. A rewriter tool moves these.
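The Append contract above, as an added Python example (not the Spec# or Code Contracts code from the talk): the hypothetical `requires`/`ensures` decorators stand in for Contract.Requires/Contract.Ensures, and `contracted` plays the role of the rewriter, evaluating every ensures clause at method exit once `result` exists even though the clauses are written above the body. `StringBuilder` is a toy stand-in holding a character list, and the calls in `run_calls` are constructed to show which clause rejects each out-of-range request.

```python
import functools


class ContractError(AssertionError):
    """Raised when a requires/ensures clause evaluates to false."""


def requires(pred, text):
    """Attach a precondition; `pred` receives the call's arguments."""
    def deco(fn):
        fn.__dict__.setdefault("_requires", []).append((pred, text))
        return fn
    return deco


def ensures(pred, text):
    """Attach a postcondition; `pred` receives the result, then the arguments."""
    def deco(fn):
        fn.__dict__.setdefault("_ensures", []).append((pred, text))
        return fn
    return deco


def contracted(fn):
    """Outermost decorator: checks requires clauses on entry and, like the
    Code Contracts rewriter, moves every ensures check to method exit."""
    pre = list(reversed(fn.__dict__.get("_requires", [])))   # top-down order
    post = list(reversed(fn.__dict__.get("_ensures", [])))

    @functools.wraps(fn)
    def wrapper(*args):
        for pred, text in pre:
            if not pred(*args):
                raise ContractError("precondition failed: " + text)
        result = fn(*args)
        for pred, text in post:
            if not pred(result, *args):
                raise ContractError("postcondition failed: " + text)
        return result
    return wrapper


class StringBuilder:
    """Hypothetical stand-in for System.Text.StringBuilder (a list of chars)."""

    def __init__(self):
        self._chars = []

    @contracted
    @requires(lambda self, value, start, count: value is not None or (start == 0 and count == 0),
              "value == null ==> startIndex == 0 && charCount == 0")
    @requires(lambda self, value, start, count: 0 <= start, "0 <= startIndex")
    @requires(lambda self, value, start, count: 0 <= count, "0 <= charCount")
    @requires(lambda self, value, start, count: value is None or start + count <= len(value),
              "value == null || startIndex + charCount <= value.Length")
    @ensures(lambda result, self, value, start, count: result is self, "result == this")
    def append(self, value, start_index, char_count):
        """Append value[startIndex .. startIndex + charCount) to this builder."""
        if value is not None:
            self._chars.extend(value[start_index:start_index + char_count])
        return self

    def __str__(self):
        return "".join(self._chars)


def run_calls():
    """Constructed calls; returns (outcome per call, final builder contents)."""
    sb = StringBuilder()
    calls = {
        "in_range": (list("hello"), 1, 3),         # appends "ell"
        "null_zero": (None, 0, 0),                 # permitted: null with an empty range
        "null_nonzero": (None, 0, 2),              # rejected by the first clause
        "past_end": (list("hello"), 3, 4),         # 3 + 4 > 5: rejected by the bounds clause
        "negative_start": (list("hello"), -1, 1),  # rejected by 0 <= startIndex
    }
    outcomes = {}
    for name, args in calls.items():
        try:
            sb.append(*args)
            outcomes[name] = "ok"
        except ContractError as err:
            outcomes[name] = str(err)
    return outcomes, str(sb)
```

The clauses are checked in the order they are written, so `past_end` is reported against the `value.Length` clause rather than one of the sign checks. Without that clause a Python slice would silently truncate the range; the contract instead reports the caller's mistake at the call boundary.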
Code Contracts [Barnett, Fähndrich, Grunkemeyer, Logozzo, et al.]
Declarative contracts
Language independent
Library to ship in .NET 4.0
Tools available on DevLabs
Code Contracts Rewriter (for run-time checking)
Clousot abstract interpreter
Pex automated testing tool [de Halleux, Tillmann, et al.]
Clousot [Fähndrich, Logozzo]
Abstract interpreter for .NET
Verifies Code Contracts at compile time
Some key technology:
Heap-aware abstraction
Iterative application of numerical domains: Pentagons, Subpolyhedra, others
Pentagons
Some common abstract domains:
Intervals: x ∈ [A, B]
Octagons: ±x ± y ≤ K
Polyhedra: Σᵢ xᵢ ≤ K
Pentagon: (picture of a pentagon)
Picture source: Robert Webb's Great Stella software, http://www.software3d.com/Stella.html
Observation: checking array accesses involves constraints like 0 ≤ x < a.Length. These can be represented by intervals plus variable orderings y ≤ x.
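A minimal Pentagon domain as an added Python example (not Clousot's code): an interval per variable plus a set of strict orderings x < y, used to decide whether an access a[i] satisfies 0 ≤ i < a.Length. The program facts fed to `analyse` are constructed for the example; the variable named `a.Length` stands for the array length, and the `intervals_only` flag shows what is lost when the orderings are dropped.

```python
from collections import deque

INF = float("inf")


class Pentagon:
    """Pentagon state: an interval per variable plus strict orderings x < y."""

    def __init__(self):
        self.intervals = {}   # var -> (lo, hi); absent means (-inf, +inf)
        self.less = set()     # (x, y) records the fact x < y

    def interval(self, v):
        return self.intervals.get(v, (-INF, INF))

    def assume_range(self, v, lo, hi):
        """v in [lo, hi]: intersect with the current interval."""
        cur_lo, cur_hi = self.interval(v)
        self.intervals[v] = (max(cur_lo, lo), min(cur_hi, hi))

    def assume_lt(self, x, y):
        """x < y: keep the ordering and tighten both intervals."""
        self.less.add((x, y))
        xlo, xhi = self.interval(x)
        ylo, yhi = self.interval(y)
        self.intervals[x] = (xlo, min(xhi, yhi - 1))
        self.intervals[y] = (max(ylo, xlo + 1), yhi)

    def interval_lt(self, x, y):
        """x < y provable from the two intervals alone."""
        return self.interval(x)[1] < self.interval(y)[0]

    def proves_lt(self, x, y):
        """x < y from intervals or from the transitive closure of `less`."""
        if self.interval_lt(x, y):
            return True
        seen, todo = {x}, deque([x])
        while todo:
            cur = todo.popleft()
            for (a, b) in self.less:
                if a == cur and b not in seen:
                    if b == y or self.interval_lt(b, y):
                        return True
                    seen.add(b)
                    todo.append(b)
        return False

    def check_access(self, index, length, intervals_only=False):
        """Is 0 <= index < length provable? Returns (lower_ok, upper_ok)."""
        lower_ok = self.interval(index)[0] >= 0
        upper_ok = (self.interval_lt(index, length) if intervals_only
                    else self.proves_lt(index, length))
        return lower_ok, upper_ok


def analyse():
    """Constructed facts for the body of
         i := 0; while (i < a.Length) { ...; i := i + 1 }
       with j := i - 1 under a test i > 0, and k an index with no known bound."""
    st = Pentagon()
    st.assume_range("i", 0, INF)      # i starts at 0 and only grows
    st.assume_lt("i", "a.Length")     # the loop guard holds inside the body
    st.assume_range("j", 0, INF)      # j := i - 1 after checking i > 0
    st.assume_lt("j", "i")
    st.assume_range("k", 0, INF)      # k: nothing relates it to a.Length
    return {
        "a[i] pentagon": st.check_access("i", "a.Length"),
        "a[i] intervals": st.check_access("i", "a.Length", intervals_only=True),
        "a[j] pentagon": st.check_access("j", "a.Length"),   # via j < i < a.Length
        "a[k] pentagon": st.check_access("k", "a.Length"),   # upper bound unknown
    }
```

The intervals alone leave i as [0, +∞) because a.Length has no upper bound, so they cannot discharge the upper check; the recorded ordering i < a.Length does, and a[j] is discharged by following j < i < a.Length. The access a[k] remains unproven, which is the case a checker must report rather than assume away.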
Z3 [Bjørner, de Moura]
Satisfiability Modulo Theories (SMT) solver
9 first places and 6 second places at SMT-COMP’08
Used in all tools mentioned, except Clousot
Deductive verification tools
HAVOC
Has been applied to 100s of KLOC
~40 bugs in resource leaks, lock usage, use-after-free
VCC
Being applied to Microsoft Hypervisor
…
Dafny
a language and verifier
Program verification
(Figure: approaches placed on two axes. The horizontal axis runs from "limited checking" to "functional correctness"; the vertical axis from "automatic decision procedures (SMT solvers)" to "interactive proof assistants". The slide places extended static checking at the limited-checking, automatic corner; traditional mechanical program verification at the functional-correctness, interactive corner; and Dafny at functional correctness with automatic decision procedures.)
Dafny language
Sequential programs
Generic classes
Built-in specifications
Simple yet flexible framing
Sets, sequences, algebraic datatypes
User-defined functions
Ghost variables
Termination specifications
Dafny demos
Cubes
Queue
Schorr-Waite
Verification architecture
(Figure: front ends C, Spec#, Dafny, Chalice, … are translated into Boogie; Boogie discharges the resulting proof obligations with back-end provers Simplify, Z3, SMT Lib, …)
Boogie language overview
Mathematical features
  type T;
  const x: T;
  function f(A, B): T;
  axiom E;
Imperative features
  var y: T;
  procedure P(a: A, b: B) returns (x: T, y: U);
    requires pre; modifies w; ensures post;
  implementation P(a: A, b: B) returns (x: T, y: U)
  { … }
Boogie statements
x := E
a[i] := E
havoc x
assert E
assume E
call P()
if
while
break
label:
goto A, B
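To show what assignment, havoc, assert and assume mean to a verifier, here is an added Python example (not Boogie's code) that computes weakest preconditions for straight-line programs built from those four statements and checks the resulting verification condition by bounded enumeration over a small integer range. Expressions are tuple ASTs, `DOMAIN` is the constructed range, and the three programs at the end are constructed for the example.

```python
import itertools

TRUE = ('bool', True)
_fresh = itertools.count(1)   # numbers the fresh names introduced by havoc


def subst(e, x, by):
    """e[by/x]; bound variables are always fresh names, so capture cannot occur."""
    tag = e[0]
    if tag in ('int', 'bool'):
        return e
    if tag == 'var':
        return by if e[1] == x else e
    if tag == 'forall':
        return e if e[1] == x else ('forall', e[1], subst(e[2], x, by))
    return (tag,) + tuple(subst(a, x, by) for a in e[1:])


def wp(stmt, q):
    """Weakest precondition of a statement with respect to postcondition q."""
    kind = stmt[0]
    if kind == 'assign':                 # ('assign', x, E): x := E
        return subst(q, stmt[1], stmt[2])
    if kind == 'havoc':                  # ('havoc', x): x gets an arbitrary value
        fresh = f"{stmt[1]}{next(_fresh)}"
        return ('forall', fresh, subst(q, stmt[1], ('var', fresh)))
    if kind == 'assert':                 # ('assert', E): E must hold here
        return ('and', stmt[1], q)
    if kind == 'assume':                 # ('assume', E): only paths where E holds continue
        return ('==>', stmt[1], q)
    if kind == 'seq':                    # ('seq', s1, ..., sn)
        for s in reversed(stmt[1:]):
            q = wp(s, q)
        return q
    raise ValueError(f"unknown statement {kind}")


DOMAIN = range(-4, 5)   # bounded check: every variable ranges over these values


def ev(e, env):
    tag = e[0]
    if tag in ('int', 'bool'):
        return e[1]
    if tag == 'var':
        return env[e[1]]
    if tag == 'not':
        return not ev(e[1], env)
    if tag == 'forall':
        return all(ev(e[2], {**env, e[1]: v}) for v in DOMAIN)
    a, b = ev(e[1], env), ev(e[2], env)
    return {'+': a + b, '-': a - b, '<': a < b, '<=': a <= b, '==': a == b,
            'and': a and b, 'or': a or b, '==>': (not a) or b}[tag]


def free_vars(e, bound=frozenset()):
    tag = e[0]
    if tag in ('int', 'bool'):
        return set()
    if tag == 'var':
        return set() if e[1] in bound else {e[1]}
    if tag == 'forall':
        return free_vars(e[2], bound | {e[1]})
    return set().union(*(free_vars(a, bound) for a in e[1:]))


def check(stmt):
    """Generate the VC for stmt and test it on DOMAIN.
    Returns (True, {}) if it holds, else (False, counterexample assignment)."""
    vc = wp(stmt, TRUE)
    while vc[0] == 'forall':   # leading quantifiers: enumerate them like free variables
        vc = vc[2]
    names = sorted(free_vars(vc))
    for values in itertools.product(DOMAIN, repeat=len(names)):
        env = dict(zip(names, values))
        if not ev(vc, env):
            return False, env
    return True, {}


def V(name):
    return ('var', name)


def I(n):
    return ('int', n)


# havoc x; assume 0 <= x; assert 0 < x + 1      -- valid
PROG_OK = ('seq', ('havoc', 'x'), ('assume', ('<=', I(0), V('x'))),
           ('assert', ('<', I(0), ('+', V('x'), I(1)))))
# havoc x; assume 0 <= x; assert 0 < x          -- fails at x == 0
PROG_BAD = ('seq', ('havoc', 'x'), ('assume', ('<=', I(0), V('x'))),
            ('assert', ('<', I(0), V('x'))))
# y := x + 1; assert x < y                      -- valid for every initial x
PROG_ASSIGN = ('seq', ('assign', 'y', ('+', V('x'), I(1))),
               ('assert', ('<', V('x'), V('y'))))
```

`check(PROG_BAD)` returns the havoc'd variable set to 0, the value that passes the assume but fails the assert; the other two programs verify. The bounded enumeration stands in for the SMT solver that Boogie would call on the same formula.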
Example: Defining OO semantics by translation into Boogie
class C {
  var x: int;
  method M(n: int) returns (r: int)
  { … }
  static method Main() {
    var c := new C;
    c.x := 12;
    call y := c.M(5);
  }
}
Example: Boogie translation (0)
// class types
type ClassName;
const unique C: ClassName;
type Ref;
function dtype(Ref): ClassName;
const null: Ref;
// fields
type Field α;
const unique C.x: Field int;
const unique allocated: Field bool;
// memory
var Heap: <α>[Ref, Field α] α;
Dafny source being translated:
  class C {
    var x: int;
Example: Boogie translation (1)
// method declarations
procedure C.M(this: Ref, n: int) returns (r: int);
  requires this != null && dtype(this) == C;
  modifies Heap;
procedure C.Main();
  modifies Heap;
Dafny source being translated:
  method M(n: int) returns (r: int)
  static method Main()
Example: Boogie translation (2)
// method implementations
implementation C.Main()
{
  var c: Ref, y: int;
  havoc c; assume c != null; assume Heap[c, allocated] == false;
  assume dtype(c) == C; Heap[c, allocated] := true;
  assert c != null; Heap[c, C.x] := 12;
  call y := C.M(c, 5);
}
Dafny source being translated:
  var c := new C;
  c.x := 12;
  call y := c.M(5);
Conclusions
Tools and specifications are useful in software development
Full functional-correctness verification is becoming more automatic
To build a verifier, use an intermediate verification language
Dafny and Boogie: boogie.codeplex.com
Code Contracts: research.microsoft.com/contracts
Projects and videos: research.microsoft.com/rise
Various papers: research.microsoft.com/~leino/papers.html