K. Rustan M. Leino Microsoft Research, Redmond, WA, USA with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Toward enforceable contracts for.NET ¨ CASSIS 2004 Marseille, France 12 March 2004

.NET primer for Java programmers Type-safe programming language Managed code Java bytecode Java Virtual Machine (JVM) Common Language Runtime (CLR) C# Visual Basic Managed C++ Spec# Common Intermediate Language (CIL) also known as Microsoft Intermediate Language (MSIL) obj.myMethod() obj.MyMethod()

Software engineering problem Building and maintaining large systems that are correct

Approach Specifications record design decisions – bridge intent and code Tools amplify human effort – manage details – find inconsistencies – ensure quality

Design decisions – examples and trends procedural abstraction int x; assert(x < a.Length); finite-state protocols SpecStrings Pre- and postconditions, and object invariants Acquire() Release() int strlen(pre notnull char * str); void Copy(int[] a, int start, int count) requires start+count <= a.Length; Contracts

StringBuilder.Append Method (Char[], Int32, Int32) Appends the string representation of a specified subarray of Unicode characters to the end of this instance. public StringBuilder Append(char[] value, int startIndex, int charCount); Parameters value A character array. startIndex The starting position in value. charCount The number of characters append. Return Value A reference to this instance after the append operation has occurred. Exceptions Exception TypeCondition ArgumentNullExceptionvalue is a null reference, and startIndex and charCount are not zero. ArgumentOutOfRangeExceptioncharCount is less than zero. -or- startIndex is less than zero. -or- startIndex + charCount is less than the length of value. Contracts today

Spec# contracts Precondition Callers are expected to establish precondition before invoking method Implementations can assume precondition holds on entry Postcondition Implementations are expected to establish postcondition on exit Callers can assume postcondition upon return from method invocation public StringBuilder Append( char[] value, int startIndex, int charCount); requires value != null || (charCount == 0 && startIndex == 0); requires 0 <= charCount && 0 <= startIndex; requires startIndex + charCount <= value.Length; ensures result == this;

Code + contracts in Spec# Boogie Spec# compiler Compile-time error messages Run-time exceptions Spec# and Boogie

Boogie demo

Spec# is C# extended with: Non-null types Preconditions Postconditions Object invariants Checked exceptions...

Spec#: Non-null types T x; The value of x is null or a reference to an object whose type is a subtype of T. T! y; The value of y is a reference to an object whose type is a subtype of T, not null.

Non-null instance fields class C : B { T! x; public C(T! y) :base() { this.x = y; } public overrides int M() { return x.f; } Is this code type safe? No! The base constructor can invoke the virtual method M and C.M would then find x to be null.

Non-null instance fields class C : B { T! x; public C(T! y) :x(y), base() { } public overrides int M() { return x.f; } Need to allow x to be assigned before base constructor is called.

requires 0 <= startIndex otherwise ArgumentException; Spec#: Parameter validation public virtual StringBuilder Append(char[] value, int startIndex, int charCount) Parameters … startIndex The starting position in value. … Exceptions Exception TypeCondition ArgumentExceptionstartIndex is less than zero. -or- … ; requires 0 <= startIndex;

Parameter-validation exceptions requires 0 <= startIndex; requires 0 <= startIndex otherwise ArgumentException; requires 0 <= startIndex otherwise new ArgumentException(“startIndex”, Resource.Load(Resource. Description_StringBuilder_Append_arg_startIndex)); precondition – caller obligation or postcondition – implementation promise ? Complications for no good reason. E.g.: name no good without stack trace; name superfluous given stack trace precondition – caller obligation

Spec#: Taming exceptions Introduce checked exceptions An exception is checked if it implements interface ICheckedException JavaSpec# Throwable Exception RuntimeException Error Checked exceptionsUnchecked exceptions ICheckedException CheckedException

Spec#: Taming exceptions Introduce checked exceptions An exception is checked if it implements interface ICheckedException Methods must declare which checked exceptions they may throw int MyMethod() throws MyException; int MyMethod() throws MyException ensures state==Closed;

Spec#: Taming exceptions Introduce checked exceptions An exception is checked if it implements interface ICheckedException Methods must declare which checked exceptions they may throw Soundness of throw statement Exception x = new MyCheckedException(); throw x; If static type of x is not an ICheckedException, then check: !( x is ICheckedException ) at run time.

Spec#: Object invariants class C { int x, y; invariant x < y; Joint work also with Peter Müller (ETH Zurich) and David Naumann (Stevens Institute of Technology) Object invariant always holds, except possibly when the object is exposed

Spec#: Object invariants class C { int x, y; invariant x < y; public void M(T! o) { … expose (this) { this.x = this.y; o.P(); this.y++; } … } The object invariant may be temporarily violated here The object invariant is checked to hold here Joint work also with Peter Müller (ETH Zurich) and David Naumann (Stevens Institute of Technology)

Spec#: Object invariants class C { int x, y; invariant x < y; public void M(T! o) { … expose (this) { this.x = this.y; o.P(); this.y++; } … } The exposed/unexposed state of the object is recorded, so as to detect possible bad re-entrancy Joint work also with Peter Müller (ETH Zurich) and David Naumann (Stevens Institute of Technology)

Boogie: Under the hood Theorem prover weakest-precondition generator translator MSIL BoogiePL verification condition Warnings Inference engine Boogie

Inference Abstract interpretation standard abstract domains: s+x < len object fields: o.f < p.g uninterpreted functions: i < Length(a) combinations of abstract domains special disjunctions: o.exposed ∨ o.f < o.g quantifications: (∀o: T ･ o.f < o.g) (∀o: T ･ o.f = o.f 0 ∨ o=x)

Summary Spec# adds contracts to C# Compiler inserts dynamic checks to enforce contracts Boogie enforces contracts statically Evolution C# managed code  Spec# non-null types, parameter validation  Boogie verification