
The Dafny program verifier K. Rustan M. Leino Research in Software Engineering Microsoft Research, Redmond Victoria University of Wellington Wellington,


1 The Dafny program verifier K. Rustan M. Leino Research in Software Engineering Microsoft Research, Redmond Victoria University of Wellington Wellington, NZ 13 April 2010

2 SLAM, Static Driver Verifier (SDV)
Sage
Code Contracts for .NET
Clousot
Pex
Z3

3 Applied regularly to all Microsoft device drivers of the supported device models
~300 bugs found
Available in Windows DDK to third parties

4 [Diagram of the predicate-abstraction loop (e.g.: Graf & Saïdi, SLAM, BLAST, …): C program + predicates → predicate abstraction → boolean program → model checker → either "correct" or an abstract trace → feasible? → yes: concrete trace, error message; no: predicate refinement → new predicates]

5 Sage [Godefroid, Levin, et al.]
White-box fuzzing for C programs
Applied regularly; 100s of people doing various kinds of fuzzing
[Diagram: seed input → new generation of symbolically derived input]

6 StringBuilder.Append Method (Char[], Int32, Int32)
Appends the string representation of a specified subarray of Unicode characters to the end of this instance.
public StringBuilder Append(char[] value, int startIndex, int charCount);
Parameters:
value: A character array.
startIndex: The starting position in value.
charCount: The number of characters to append.
Return Value: A reference to this instance after the append operation has occurred.
Exceptions:
ArgumentNullException: value is a null reference, and startIndex and charCount are not zero.
ArgumentOutOfRangeException: charCount is less than zero. -or- startIndex is less than zero. -or- startIndex + charCount is less than the length of value.

7 public StringBuilder Append(char[] value, int startIndex, int charCount);
  requires value == null ==> startIndex == 0 && charCount == 0;
  requires 0 <= startIndex;
  requires 0 <= charCount;
  requires value == null || startIndex + charCount <= value.Length;
  ensures result == this;

8 public StringBuilder Append(char[] value, int startIndex, int charCount) {
  Contract.Requires(value != null || (startIndex == 0 && charCount == 0));
  Contract.Requires(0 <= startIndex);
  Contract.Requires(0 <= charCount);
  Contract.Requires(value == null || startIndex + charCount <= value.Length);
  Contract.Ensures(Contract.Result<StringBuilder>() == this);
  // method implementation...
}
Note that the postcondition is declared at the top of the method body, which is not where it should be executed. A rewriter tool moves these.
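The same Append contract, carried over into Dafny as an added example (not code from the talk; the names Append and Demo are chosen here). A Dafny seq cannot be null, so the ArgumentNullException case vanishes and only the three range preconditions remain; the verifier proves them at every call site, so the out-of-range call in Demo is rejected at compile time rather than throwing at run time:

```dafny
// Added example, not from the talk: slide 7's contract over Dafny sequences.
// Append and Demo are hypothetical names chosen for this illustration.
method Append(buf: seq<char>, value: seq<char>, startIndex: int, charCount: int)
  returns (r: seq<char>)
  requires 0 <= startIndex
  requires 0 <= charCount
  requires startIndex + charCount <= |value|   // the bounds check, proved per call
  ensures r == buf + value[startIndex .. startIndex + charCount]
{
  r := buf + value[startIndex .. startIndex + charCount];
}

method Demo() {
  var s := ['h', 'e', 'l', 'l', 'o'];          // constructed sample input
  var out := Append(['x'], s, 1, 3);
  assert out == ['x'] + s[1..4];               // follows from the postcondition
  assert |out| == 4;
  // The verifier rejects the next call: startIndex + charCount == 6 > |s|.
  // var bad := Append(['x'], s, 3, 3);
}
```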

9 Declarative contracts
Language independent
Library to ship in .NET 4.0
Tools available on DevLabs:
  Code Contracts Rewriter (for run-time checking)
  Clousot abstract interpreter
  Pex automated testing tool [de Halleux, Tillman, et al.]

10 Abstract interpreter for .NET
Verifies Code Contracts at compile time
Some key technology:
  Heap-aware abstraction
  Iterative application of numerical domains: Pentagons, Subpolyhedra, others

11 Some common abstract domains:
  Intervals: x ∈ [A, B]
  Octagons: ±x ± y ≤ K
  Polyhedra: Σᵢ aᵢxᵢ ≤ K
Observation: Checking array accesses involves constraints like 0 ≤ x < a.Length. These can be represented by intervals plus variable orderings y ≤ x.
Pentagons: [picture of a pentagon; source: Robert Webb's Great Stella software]

12 Satisfiability Modulo Theories (SMT) solver
9 first places and 6 second places at SMT-COMP’08
Used in all tools mentioned, except Clousot

13 HAVOC: Has been applied to 100s of KLOC; ~40 bugs in resource leaks, lock usage, use-after-free
VCC: Being applied to Microsoft Hypervisor …

14 Dafny: a language and verifier

15 [Diagram: a spectrum from limited checking to functional correctness, and from automatic decision procedures (SMT solvers) to interactive proof assistants]

16 Sequential programs
Generic classes
Built-in specifications
Simple yet flexible framing
Sets, sequences, algebraic datatypes
User-defined functions
Ghost variables
Termination specifications

17 Cubes, Queue, Schorr-Waite


19 Mathematical features
type T;
const x: T;
function f(A, B): T;
axiom E;
Imperative features
var y: T;
procedure P(a: A, b: B) returns (x: T, y: U);
  requires pre;
  modifies w;
  ensures post;
implementation P(a: A, b: B) returns (x: T, y: U) { … }

20 x := E
a[i] := E
havoc x
assert E
assume E
;
call P()
if
while
break
label:
goto A, B

21 class C {
  var x: int;
  method M(n: int) returns (r: int) { … }
  static method Main() {
    var c := new C;
    c.x := 12;
    call y := c.M(5);
  }
}

22 Dafny:
class C { var x: int; … }
Boogie translation:
// class types
type ClassName;
const unique C: ClassName;
type Ref;
function dtype(Ref): ClassName;
const null: Ref;
// fields
type Field α;
const unique C.x: Field int;
const unique allocated: Field bool;
// memory
var Heap: <α>[Ref, Field α] α;

23 Dafny:
method M(n: int) returns (r: int)
static method Main()
Boogie translation:
// method declarations
procedure C.M(this: Ref, n: int) returns (r: int);
  requires this != null && dtype(this) == C;
  modifies Heap;
procedure C.Main();
  modifies Heap;

24 Dafny:
var c := new C;
c.x := 12;
call y := c.M(5);
Boogie translation:
// method implementations
implementation C.Main() {
  var c: Ref, y: int;
  havoc c;
  assume c != null;
  assume Heap[c, allocated] == false;
  assume dtype(c) == C;
  Heap[c, allocated] := true;
  assert c != null;
  Heap[c, C.x] := 12;
  call y := C.M(c, 5);
}

25 Tools and specifications are useful in software development
Full functional-correctness verification is becoming more automatic
To build a verifier, use an intermediate verification language
Dafny and Boogie: boogie.codeplex.com
Code Contracts: research.microsoft.com/contracts
Projects and videos: research.microsoft.com/rise
Various papers: research.microsoft.com/~leino/papers.html

