Verification tools at Microsoft
K. Rustan M. Leino
Research in Software Engineering (RiSE)
Microsoft Research, Redmond, WA, USA
15 January 2009
Séminaire Digiteo, Orsay, France

RiSE: Research in Software Engineering, Microsoft Research, Redmond
http://research.microsoft.com/rise
Related groups: PPT (MSR Cambridge) and RSE (MSR India)
Software engineering research
Goal: better build, maintain, and understand programs
How? Specifications. Tools, tools, tools.
Program semantics
Verification-condition generation, symbolic execution, model checking, abstract interpretation, fuzzing, test generation
Satisfiability Modulo Theories (SMT)
Verified Software Initiative
Hoare, Joshi, Leavens, Misra, Naumann, Shankar, Woodcock, et al.
“We envision a world in which computer programs are always the most reliable component of any system or device that contains them” [Hoare & Misra]
Structure of talk
• Spec# demo
• Various techniques and RiSE tools
• Use/effectiveness of tools at Microsoft

Spec# programming system [Barnett, Fähndrich, Leino, Müller, Schulte, Venter, et al.]
Research prototype
Spec# language: an object-oriented .NET language, a superset of C# 2.0, adding:
• more types (e.g., non-null types)
• specifications (e.g., pre- and postconditions)
Usage rules (methodology)
Checking:
• Static type checking
• Run-time checking
• Static verification (optional)
Spec# demo
Specifications: .NET today
StringBuilder.Append Method (Char[], Int32, Int32)
Appends the string representation of a specified subarray of Unicode characters to the end of this instance.
public StringBuilder Append(char[] value, int startIndex, int charCount);
Parameters
value: A character array.
startIndex: The starting position in value.
charCount: The number of characters to append.
Return Value
A reference to this instance after the append operation has occurred.
Exceptions
Exception Type: Condition
ArgumentNullException: value is a null reference, and startIndex and charCount are not zero.
ArgumentOutOfRangeException: charCount is less than zero. -or- startIndex is less than zero. -or- startIndex + charCount is less than the length of value.
Specifications in Spec#
public StringBuilder Append(char[] value, int startIndex, int charCount)
  requires value == null ==> startIndex == 0 && charCount == 0;
  requires 0 <= startIndex;
  requires 0 <= charCount;
  requires value == null || startIndex + charCount <= value.Length;
  ensures result == this;
Specifications with Code Contracts
public StringBuilder Append(char[] value, int startIndex, int charCount)
{
  Contract.Requires(value != null || (startIndex == 0 && charCount == 0));
  Contract.Requires(0 <= startIndex);
  Contract.Requires(0 <= charCount);
  Contract.Requires(value == null || startIndex + charCount <= value.Length);
  Contract.Ensures(Contract.Result<StringBuilder>() == this);
  // method implementation...
}
Note that the postcondition is declared at the top of the method body, which is not where it should be executed (it must hold on exit). A rewriter tool moves these checks to the method's exit points.
Code Contracts [Barnett, Fähndrich, Grunkemeyer, et al.]
• Declarative contracts
• Language independent
• Library to ship in .NET 4.0
• Tools to be released via DevLabs:
  Code Contracts Rewriter (for run-time checking)
  Clousot abstract interpreter
  Pex automated testing tool
Spec# verifier architecture (diagram)
Spec# → Spec# compiler → MSIL (“bytecode”) → Translator → Boogie
Boogie → Inference engine → V.C. generator → verification condition → SMT solver → “correct” or list of errors
Boogie – a verification tool bus [Barnett, Jacobs, Leino, Moskal, Rümmer, et al.] (diagram)
Front ends: Spec#, C with HAVOC specifications, C with vcc specifications, Dafny, Chalice, “your language here”
Boogie
Boogie-to-Boogie transformations:
• Inference engines
• Program transformations
• Logic optimizers
Back ends (provers): Z3, Simplify, SMT Lib, Isabelle/HOL, “your prover here”
Verification-condition generation
Verification conditions computed by weakest preconditions (wp)
wp( Prog, Q ) yields a formula that describes the pre-states from which Prog correctly establishes Q
Example:
wp( if (B) { S } else { T }, Q ) = (B ⇒ wp(S, Q)) ∧ (¬B ⇒ wp(T, Q))
Traditional VC generation
Example program (Prog):
  p := new C();
  if (x < 0) { x := -x; }
  assert p ≠ null;
wp( Prog, true )
= ((x<0 ⇒ (p≠null)[-x/x]) ∧ (¬(x<0) ⇒ p≠null))[new C()/p]
= (x<0 ⇒ new C()≠null) ∧ (¬(x<0) ⇒ new C()≠null)
Improved VC generation [Flanagan, Saxe, Barnett, Leino]
Rewrite Prog into Prog’:
  assume p0 = new C();
  if (x0 < 0) { assume x1 = -x0; assume x2 = x1; } else { assume x2 = x0; }
  assert p0 ≠ null;
wp( Prog’, true ) = p0 = new C() ⇒ ((x0<0 ∧ x1 = -x0 ∧ x2 = x1) ∨ (¬(x0<0) ∧ x2 = x0)) ⇒ p0 ≠ null
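An added example (my own code, not Boogie's and not from the talk): a small wp calculator in Python for the toy language of the two slides above, plus the passive-form rewrite that introduces incarnations x0, x1, … and the join assumes of Prog’. Assumptions: the allocation is written newC(), the connectives are ==>, && and !, and the passive VC is kept as nested implications rather than the slide's disjunctive form (logically equivalent). Both VCs are built for the slide's program; the traditional one copies new C() into every branch, the passive one mentions it once.

```python
import re
# Statements: ('assign', x, e), ('assume', e), ('assert', e), ('if', b, S, T), ('seq', [S1, ...]);
# expressions and formulas are plain strings, so substitution is whole-word text replacement.

def wp(stmt, q):
    """Weakest precondition of stmt establishing q, by the textbook rules."""
    if stmt[0] == 'assign':   # wp(x := e, Q) = Q[e/x]
        return re.sub(r'\b%s\b' % stmt[1], '(%s)' % stmt[2], q)
    if stmt[0] == 'assume':   # wp(assume e, Q) = e ==> Q
        return '(%s ==> %s)' % (stmt[1], q)
    if stmt[0] == 'assert':   # wp(assert e, Q) = e && Q
        return '(%s && %s)' % (stmt[1], q)
    if stmt[0] == 'if':       # (B ==> wp(S, Q)) && (!B ==> wp(T, Q))
        return '((%s ==> %s) && (!(%s) ==> %s))' % (stmt[1], wp(stmt[2], q), stmt[1], wp(stmt[3], q))
    for s in reversed(stmt[1]):   # seq: wp(S; T, Q) = wp(S, wp(T, Q))
        q = wp(s, q)
    return q

def rename(e, inc):   # replace each variable in e by its current incarnation (x -> x0)
    return re.sub(r'\b([A-Za-z_]\w*)\b', lambda m: m.group(1) + str(inc.get(m.group(1), '')), e)

def passify(stmt, inc):
    """Passive form; inc maps variable -> current incarnation index. Returns (stmt', inc')."""
    if stmt[0] == 'assign':   # x := e becomes  assume x_new == e  over the old incarnations
        x, rhs = stmt[1], rename(stmt[2], inc)
        inc = dict(inc, **{x: inc[x] + 1 if x in inc else 0})
        return ('assume', '%s%d == %s' % (x, inc[x], rhs)), inc
    if stmt[0] in ('assume', 'assert'):
        return (stmt[0], rename(stmt[1], inc)), inc
    if stmt[0] == 'if':
        (s, inc_s), (t, inc_t), out = passify(stmt[2], inc), passify(stmt[3], inc), dict(inc)
        js, jt = [s], [t]
        for v in inc_s:   # a variable updated on only one path gets a fresh join incarnation
            if v in inc_t and inc_s[v] != inc_t[v]:
                out[v] = max(inc_s[v], inc_t[v]) + 1
                js.append(('assume', '%s%d == %s%d' % (v, out[v], v, inc_s[v])))
                jt.append(('assume', '%s%d == %s%d' % (v, out[v], v, inc_t[v])))
        return ('if', rename(stmt[1], inc), ('seq', js), ('seq', jt)), out
    body = []
    for s in stmt[1]:         # seq: thread incarnations through in program order
        s, inc = passify(s, inc)
        body.append(s)
    return ('seq', body), inc

# The slide's program: p := new C(); if (x < 0) { x := -x; } assert p != null;
PROG = ('seq', [('assign', 'p', 'newC()'), ('if', 'x < 0', ('assign', 'x', '-x'), ('seq', [])),
                ('assert', 'p != null')])
def traditional_vc():   # substitution copies newC() into both branches of the VC
    return wp(PROG, 'true')
def improved_vc():      # the passive form mentions newC() once; x is live on entry, p is not
    return wp(passify(PROG, {'x': 0})[0], 'true')
```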
Problem with improved schemes
Works well when the if branches modify variables that the downstream assertion does not depend on
But when encoding the heap as one variable, almost every branch modifies that variable
… room for new solutions
Multi-object invariants [Barnett, Fähndrich, Leino, Müller, et al.]
Demo: Chunker.dict
(Object diagram: Chunker objects (n: 84 and n: 20) whose dict fields refer to Dictionary objects (Count: 21), each Chunker declaring the invariant  inv dict.Count ≤ n;  and a Classroom object whose studentGrades field is governed by  inv studentGrades.Count ≤ 20;  The diagram marks the rep fields and the owner relation between the objects.)
Other heap methodologies
• Spec#/Boogie methodology
• Dynamic frames
• Implicit dynamic frames
• Separation logic
… room for improved encodings and methodologies
Clousot [Fähndrich, Logozzo]
Abstract interpreter for .NET
Verifies Code Contracts at compile time
Some key technology:
• Heap-aware abstraction
• Iterative application of numerical domains: Pentagons, Subpolyhedra, others

Pentagons
Some common abstract domains:
• Intervals: x ∈ [A,B]
• Octagons: ±x ± y ≤ K
• Polyhedra: Σi ai·xi ≤ K
Observation: checking array accesses involves constraints like 0 ≤ x < a.Length. These can be represented by intervals plus variable orderings y ≤ x.
Pentagon: (picture; source: Robert Webb's Great Stella software, http://www.software3d.com/Stella.html)
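An added example (my own toy code, not Clousot's): a Pentagon-style domain in Python that keeps an interval per variable plus a set of strict orderings x < y, and runs the loop  i := 0; while (i < n) { a[i]; i := i + 1 }  with n = a.Length to a fixpoint. It shows the point of the slide: after widening, the interval of i is [0, +∞), so intervals alone cannot prove i < a.Length, while the ordering i < n recorded from the loop guard does. The loop, variable names and the widening step are my assumptions.

```python
INF = float('inf')
# An abstract state is (intervals, orderings): intervals maps each variable to
# (lo, hi); orderings is a set of (x, y) pairs recording the strict fact x < y.

def guard_lt(st, x, y):
    """Assume x < y: record the ordering and tighten both intervals."""
    iv, lt = dict(st[0]), st[1] | {(x, y)}
    iv[x] = (iv[x][0], min(iv[x][1], iv[y][1] - 1))
    iv[y] = (max(iv[y][0], iv[x][0] + 1), iv[y][1])
    return iv, lt

def assign_add(st, x, c):
    """x := x + c: shift x's interval; orderings that mention x are no longer known."""
    iv, lt = dict(st[0]), {p for p in st[1] if x not in p}
    iv[x] = (iv[x][0] + c, iv[x][1] + c)
    return iv, lt

def join(a, b):
    """Least upper bound: interval hulls, and only the orderings both sides know."""
    iv = {v: (min(a[0][v][0], b[0][v][0]), max(a[0][v][1], b[0][v][1])) for v in a[0]}
    return iv, a[1] & b[1]

def widen(old, new):
    """Widening: any bound that is still moving jumps to infinity so the loop analysis terminates."""
    iv = {v: (-INF if new[0][v][0] < old[0][v][0] else old[0][v][0],
              INF if new[0][v][1] > old[0][v][1] else old[0][v][1]) for v in old[0]}
    return iv, old[1] & new[1]

def access_is_safe(st, idx, length):
    """0 <= idx from idx's interval; idx < length from an ordering or from the intervals."""
    iv, lt = st
    return iv[idx][0] >= 0 and ((idx, length) in lt or iv[idx][1] < iv[length][0])

def analyze(n_bounds, use_orderings=True):
    """Run  i := 0; while (i < n) { a[i]; i := i + 1 }  with n = a.Length in n_bounds.
    Returns whether a[i] is proven in bounds at the loop's fixpoint (which covers
    every iteration). use_orderings=False degrades the domain to plain intervals."""
    entry = ({'i': (0, 0), 'n': n_bounds}, set())
    head = entry
    while True:
        body = guard_lt(head, 'i', 'n')
        if not use_orderings:
            body = (body[0], set())
        new_head = widen(head, join(entry, assign_add(body, 'i', 1)))
        if new_head == head:
            return access_is_safe(body, 'i', 'n')
        head = new_head
```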
Symbolic-powered testing
Sage [Godefroid, Levin, et al.]: white-box fuzzing for C programs
Pex [de Halleux, Tillmann, et al.]: automatic white-box testing for .NET
(Diagram: seed input → new generation of symbolically derived input)
Z3 [Bjørner, de Moura]
Satisfiability Modulo Theories (SMT) solver
9 first places and 6 second places at SMT-COMP’08
Used in all tools mentioned, except Clousot
Effectiveness of tools
Static Driver Verifier (SDV)
• Applied regularly to all Microsoft device drivers of the supported device models
• ~300 bugs found
• Available to third parties in the Windows DDK
Sage
• Applied regularly
• 100s of people doing various kinds of fuzzing
HAVOC
• Has been applied to 100s of KLOC
• ~40 bugs in resource leaks, lock usage, use-after-free
vcc
• Being applied to the Microsoft Hypervisor
…
Conclusions
• Machine-processable specifications are being used increasingly
• Tools are useful and necessary: they provide useful checking, and both validate and drive research
• SMT solving is a key technology
• Trend: user input is moving toward program text
• Many research challenges
http://research.microsoft.com/rise