1. Understanding Program Verification
   K. Rustan M. Leino
   RiSE, Microsoft Research, Redmond
   PROLE 2009, 09/09/2009, San Sebastian, Spain

2. Software quality assurance
   - A major software engineering concern
   - Costly
   - Relies heavily on testing
   - Increasingly helped by advanced tools: verification-condition generation, symbolic execution, model checking, abstract interpretation, fuzzing, test generation
3. Spectrum of verification tools
   Functional correctness (examples):
   - Safety-critical systems: Praxis customers (Spark Ada)
   - Algorithms: IEEE 1384 protocol (Event-B)
   - Important libraries: Microsoft Hypervisor (VCC)
   Bug finding (examples):
   - Common run-time errors: compiler front-end (ESC/Java)
   - Device-driver protocols: Windows drivers (SLAM)
   - Concurrency errors: lock usage in Windows programs (HAVOC)
4. Pillars of program verification
   - Floyd 1967, Hoare 1969: the Hoare triple { P } S { Q }
     Executions of S that start in P:
     - do not go wrong, and
     - terminate in Q
   - Dijkstra 1976: P ⇒ wp(S, Q)
     The most general P that satisfies { P } S { Q } is called the weakest precondition of S with respect to Q: wp(S, Q)
   - Example: a program annotated with logic formulas (the factorial loop)
       { 0 ≤ n = N }
       s := 1;
       { 0 ≤ n ≤ N ∧ s * n! = N! }            (loop invariant)
       while 0 < n do
         { 0 < n ≤ N ∧ s * n! = N! }
         s := s * n;
         { 0 < n ≤ N ∧ s * (n-1)! = N! }
         n := n - 1
       end
       { s = N! }
5. Early mechanical verification systems
   - Gypsy
   - Stanford Pascal Verifier
   - …

6. Verification-condition generation
   Program + specifications  →  verification-condition generation  →  verification condition (logical formula)
   How to discharge the verification condition?
   - Proof assistant (ACL2, Coq, Isabelle/HOL, PVS, …): support for complicated math, higher-order functions
   - Automatic decision procedures (SMT solvers like CVC3, Simplify, Z3, …): program structure gives a strong proof hint
7. Mechanical tool support
   - Proof assistants: user interacts at the level of the prover
   - Automatic program verifiers: user interacts at the level of the program
   Demos:
   - Classic interface: Chalice, dining philosophers
   - Integrated interaction: Spec#, phone numbers, binary search
8. Specification language
   Specifications as terms of a logic (ESC/Modula-3, KeY, …):
       PROCEDURE M(x: MyClass) =
         BEGIN … END M;
       <*SPEC M(x) REQUIRES 0 <= MyClass.f[ x ]*>
   Specifications as program expressions (Eiffel, JML, Spec#, …):
       void M(MyClass x)
         requires 0 <= x.f;
       { … }

       //@ requires 0 <= x.f;
       void M(MyClass x)
       { … }

       feature M(x: MyClass) is
         require 0 <= x.f
         do … end
9. Basic verifier architecture
   Source language  →  intermediate verification language  →  verification condition (logical formula)

10. Boogie – a verification tool bus [Barnett, Jacobs, Leino, Moskal, Rümmer, et al.]
   - Front ends: Spec#, C with HAVOC specifications, C with VCC specifications, Dafny, Chalice, your language here
   - Boogie, with Boogie-to-Boogie transformations: inference engines, program transformations, logic optimizers
   - Back ends: Z3, Simplify, SMT Lib, Isabelle/HOL, your prover here
11. Example translation
   Source language:
       p.f = x / y;
   Boogie:
       assert p ≠ null;
       assert y ≠ 0;
       Heap[p,f] := x / y;
   Verification condition:
       (AND (NEQ p null) (NEQ y 0) (IMPLIES (EQ Heap' (store Heap p f (/ x y))) TRUE))

12. Example translation (continued)
   Demo: PhoneNumber.ssc
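An added example that is not part of the slides: a tiny weakest-precondition calculator that makes the predicate-transformer view of slides 4 and 11 concrete. The Boogie commands for `p.f = x / y` and the body of the factorial loop are encoded as s-expressions; the tuple encoding and tag names ('AND', 'store', '!' for factorial, …) are my own, chosen to mirror the Simplify-style output on slide 11.

```python
# Added example, not from the slides: minimal wp calculator over s-expressions
# (nested tuples; leaves are variable names or integer literals), following
# Dijkstra's rules for assert, assume, assignment and sequencing.

def subst(f, var, e):
    """Return f with every free occurrence of variable `var` replaced by e."""
    if isinstance(f, tuple):
        return (f[0],) + tuple(subst(a, var, e) for a in f[1:])
    return e if f == var else f

def wp(cmd, q):
    """Weakest precondition of command `cmd` w.r.t. postcondition `q`."""
    tag = cmd[0]
    if tag == 'assert':        # wp(assert e, Q) = e AND Q
        return ('AND', cmd[1], q)
    if tag == 'assume':        # wp(assume e, Q) = e IMPLIES Q
        return ('IMPLIES', cmd[1], q)
    if tag == 'assign':        # wp(x := e, Q) = Q[e/x]
        return subst(q, cmd[1], cmd[2])
    if tag == 'seq':           # wp(S1; S2, Q) = wp(S1, wp(S2, Q))
        for c in reversed(cmd[1:]):
            q = wp(c, q)
        return q
    raise ValueError('unknown command ' + str(tag))

def sexp(f):
    """Render a formula in the LISP-like syntax the slides use for Simplify."""
    if isinstance(f, tuple):
        return '(' + ' '.join(sexp(a) for a in f) + ')'
    return str(f)
# Slide 11: Boogie form of `p.f = x / y`, with the heap as an updatable map.
BOOGIE_PF = ('seq',
             ('assert', ('NEQ', 'p', 'null')),
             ('assert', ('NEQ', 'y', 0)),
             ('assign', 'Heap', ('store', 'Heap', 'p', 'f', ('/', 'x', 'y'))))
# Slide 4: one iteration of the factorial loop (guard as an assume) and the
# loop invariant 0 <= n <= N  AND  s * n! = N!  (assumed tag '!' = factorial).
FACT_BODY = ('seq',
             ('assume', ('<', 0, 'n')),
             ('assign', 's', ('*', 's', 'n')),
             ('assign', 'n', ('-', 'n', 1)))
FACT_INV = ('AND', ('<=', 0, 'n'), ('<=', 'n', 'N'),
            ('=', ('*', 's', ('!', 'n')), ('!', 'N')))

def vc_slide11():
    """Verification condition for BOOGIE_PF with postcondition TRUE."""
    return sexp(wp(BOOGIE_PF, 'TRUE'))

def preservation_obligation():
    """Invariant preservation check: invariant IMPLIES wp(body, invariant)."""
    return sexp(('IMPLIES', FACT_INV, wp(FACT_BODY, FACT_INV)))
```

The second obligation is exactly the chain of annotations on slide 4 read backwards: substituting n-1 for n and then s*n for s in the invariant yields the intermediate assertions, and the prover is left to show the implication from the invariant and the guard.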
13. Abstraction
   How to specify the effect of method Play?
   Object structure on the slide:
   - :RockBand, method Play() …
     - :Guitar, method Strum() …, with two :GtString
     - :Organ, method Grind() …, with :DrawBar
     - :Drums, method Bang() …, with :Kick and :Snare

14. Specification style
   Demo:
   - Spec# (ownership)
   - Dafny (dynamic frames)

15. Specification style summary
   - Spec#: handles common cases easily; does not support all useful programming idioms; somewhat opaque
   - Dafny: flexible, transparent; primitive, verbose
   What is a flexible/transparent/frugal specification language?

16. When things verify
   - Modular verification goes a long way
   - Re-doing or re-playing proofs can be done off-line

17. When things do not verify
   - Quick turnaround is key, for beginners and experts alike
     Example: Hypervisor verification; want sub-second response
   - Understanding complaints, which happens all too often
18. Explaining errors visually [joint work with Claire Le Goues]
   - Pipeline: source program → intermediate program (Boogie) → formula (Z3) → counterexample model → model tool
   - Demos: square, insert
   - The slide shows the raw Z3 counterexample model (partitions *0, *1, … and function tables such as FieldType, $IsGoodHeap and MapType1Select) that the user would otherwise have to read by hand.
19. Verified Software Initiative
   Hoare, Joshi, Leavens, Misra, Naumann, Shankar, Woodcock, et al.
   "We envision a world in which computer programs are always the most reliable component of any system or device that contains them" [Hoare & Misra]

20. Next steps
   Continue to:
   - improve program-verification technology
   - do experiments
   and pay more attention to tool usage:
   - rapid-response analysis
   - explanation tools
   - ceaselessly-analyzing programming environments

21. Some URLs
   Boogie, Dafny, Chalice available as open source: http://boogie.codeplex.com
   Spec# and VCC also available as open source under academic license: http://specsharp.codeplex.com, http://vcc.codeplex.com
   Some papers: http://research.microsoft.com/~leino