Presentation is loading. Please wait.

Presentation is loading. Please wait.

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.

Published byAaliyah Fitzgerald Modified over 10 years ago

Similar presentations

Presentation on theme: "Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino."— Presentation transcript:

1 Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Computer Science Colloquium ETH Zurich 24 Nov 2003

2 Vision Record design decisions +Utilize automatic checking =Detect errors and improve maintainability

3 A# and Boogie: Programmer's view Boogie C# compiler A# compiler A# C# MSIL Warnings Other.NET compilers

4 Boogie: under the hood Theorem prover weakest-precondition generator translator MSIL BoogiePL verification condition Warnings Inference engine

5 Boogie technology and research Programming methodology – model for writing code and specifications Inference – abstract domains over heap structures Verification-condition generation – formulas that are efficient for theorem prover

6 Invariants: straw man class T { // field declarations... invariant J ; T(...) requires P modifies v ensures Q { … } method m(...) requires R modifies w ensures T { … } … class T { // field declarations... T(...) requires P modifies v ensures Q J { … } method m(...) requires R J modifies w ensures T J { … } … Object invariants hold on public method boundaries and are shorthands for pre/post-conditions

7 Invariants, example class T { private int x, y ; invariant 0 x < y ; public T() { x = 0 ; y = 1 ; } public method m() modifies x, y { assert y-x 0 ; x = x + 3 ; y = 4 * y ; } … class T { private int x, y ; public T() ensures 0 x < y { x = 0 ; y = 1 ; } public method m() requires 0 x < y modifies x, y ensures 0 x < y { assert y-x 0 ; x = x + 3 ; y = 4 * y ; } …

8 Invariants, problems class T { private int x, y ; invariant 0 x < y ; public T() { x = 0 ; y = 1 ; } public method m() modifies x, y { assert y-x 0 ; x = x + 3 ; y = 4 * y ; } … class T { private int x, y ; public T() ensures 0 x < y { x = 0 ; y = 1 ; } public method m() requires 0 x < y modifies x, y ensures 0 x < y { assert y-x 0 ; x = x + 3 ; y = 4 * y ; } … callers are expected to establish property about internal data structure

9 Invariants, problems class T { private int x, y ; invariant 0 x < y ; public T() { x = 0 ; y = 1 ; } public method m() modifies x, y { assert y-x 0 ; x = x + 3 ; y = 4 * y ; } … class T { private int x, y ; public T() ensures 0 x < y { x = 0 ; y = 1 ; } public method m() requires 0 x < y modifies x, y ensures 0 x < y { assert y-x 0 ; x = x + 3 ; y = 4 * y ; } … possible solution (?): callers dont need to be checked for this precondition it holds automatically!

10 Invariants, problems class T { private int x, y ; invariant 0 x < y ; public T() { x = 0 ; y = 1 ; } public method m() modifies x, y { assert y-x 0 ; x = x + 3 ; y = 4 * y ; } … class T { private int x, y ; public T() ensures 0 x < y { x = 0 ; y = 1 ; } public method m() requires 0 x < y modifies x, y ensures 0 x < y { assert y-x 0 ; x = x + 3 ; y = 4 * y ; } … invariant does not hold here

11 Invariants, problems class T { private int x, y ; invariant 0 x < y ; public T() { x = 0 ; y = 1 ; } public method m() modifies x, y { assert y-x 0 ; x = x + 3 ; y = 4 * y ; } … class T { private int x, y ; public T() ensures 0 x < y { x = 0 ; y = 1 ; } public method m() requires 0 x < y modifies x, y ensures 0 x < y { assert y-x 0 ; x = x + 3 ; p(...) ; y = 4 * y ; } … invariant does not hold here, so what if p calls m?!

12 The problem of specifying modifications class Kitchen { private Dishes d ; private bool hasGarbage ; private Stove s ; private Light l ;... public method SpiffUp() modifies hasGarbage, s.foodPieces, s.big.sufaceColor, … { d.Clean() ; hasGarbage = false ; s.Wipe() ; l.TurnOff() ;... } class Stove { private Burner big ; private Burner small ; private int foodPieces ; private Knob[] knobs ;... public method Wipe() modifies foodPieces, big.surfaceColor, … { big.Polish() ; small.Polish() ; foodPieces = 0 ;... } these lists are long, and they mention private state

13 The problem of specifying modifications class Kitchen { private Dishes d ; private bool hasGarbage ; private Stove s ; private Light l ;... public method SpiffUp() modifies hasGarbage, s.foodPieces, s.big.sufaceColor, … { d.Clean() ; hasGarbage = false ; s.Wipe() ; l.TurnOff() ;... } class Stove { private Burner big ; private Burner small ; private int foodPieces ; private Knob[] knobs ;... public method Wipe() modifies foodPieces, big.surfaceColor, … { big.Polish() ; small.Polish() ; foodPieces = 0 ;... } possible solution (?): dont need to declare modifications of private state it cant be observed anyhow

14 The problem of specifying modifications class Kitchen { private Dishes d ; private bool hasGarbage ; private Stove s ; private Light l ;... public method SpiffUp() modifies { d.Clean() ; hasGarbage = false ; s.Wipe() ; assert hasGarbage ; l.TurnOff() ;... } class Stove { private Burner big ; private Burner small ; private int foodPieces ; private Knob[] knobs ;... public method Wipe() modifies { big.Polish() ; small.Polish() ; foodPieces = 0 ;... } SpiffUp treats Wipe as if Wipe modified nothing, so what if Wipe calls a method in Kitchen that sets hasGarbage to true?!

15 Soundness of verification Soundness = verification finds all errors Soundness follows from: – pre- and postconditions are the same for caller and callee Note: In addition to soundness, we want something usable

16 Methodology object invariant declaration – class T { int x, y ; invariant x < y ; special variable st: {Invalid, Valid} Idea: program invariant (o o.st = Invalid Inv(o)) st is changed by commands pack and unpack holds at every program point! for any o: T, we write Inv(o) o.x < o.y

17 pack and unpack pack o assert o.st = Invalid ; assert Inv(o) ; o.st := Valid unpack o assert o.st = Valid ; o.st := Invalid

18 Example class T { int x, y ; invariant 0 x < y ; method init(t) requires t.st = Invalid modifies t.st, t.x, t.y ensures t.st = Valid { t.x := 0 ; t.y := 1 ; pack t } method m(t) requires t.st = Valid modifies t.x, t.y { unpack t ; t.x := t.x + 3 ; t.y := 4 * t.y ; pack t } receiver parameter (this, self, current)

19 Program invariant (o o.st = Invalid Inv(o)) x := new(T)... ; assume x.st = Invalid pack o... ; assert Inv(o) ; o.st := Valid unpack o... ; o.st := Invalid o.f := E assert o.st = Invalid ;... Inv(o) can mention only the fields of o

20 Methodology, summary invariant... st: {Invalid, Valid} pack, unpack modifications of o.f require o.st=Invalid Inv(o) can mention only the fields of o (o o.st = Invalid Inv(o))

21 Methodology, extended component declarations – class Kitchen { component Stove s ; st: {Invalid, Valid, Committed} Idea: program invariant (o o.st=Invalid (Inv(o) (pComp(o) p.st=Committed))) pack o and unpack o change st for o and o's components for any k: Kitchen, we have k.s Comp(k)

22 pack and unpack, extended pack o assert o.st = Invalid Inv(o) ; assert (p Comp(o) p.st=Valid) ; o.st := Valid ; foreach p Comp(o) do p.st :=Committed ; unpack o assert o.st = Valid ; foreach p Comp(o) do p.st=Valid ; o.st := Invalid ;

23 Example class Kitchen { method SpiffUp(k) requires k.st=Valid … { unpack k ; k.d.Clean() ; k.s.Wipe() ; pack k } class Stove { method Wipe(s) requires s.st=Valid … s d Kitchen k Stove Dishes Valid Committed

24 Valid Invalid Example class Kitchen { method SpiffUp(k) requires k.st=Valid … { unpack k ; k.d.Clean() ; k.s.Wipe() ; pack k } class Stove { method Wipe(s) requires s.st=Valid … s d Kitchen k Stove Dishes Committed Valid

25 Program invariant (o o.st=Invalid (Inv(o) (pComp(o) p.st=Committed))) x := new(T)... ; assume x.st=Invalid pack o, unpack o o.f := E assert o.st=Invalid ;... Inv(o) can mention only the fields of o and of o.p for any component field p

26 Extended methodology, summary invariant... component... st: {Invalid, Valid, Committed} pack, unpack modifications of o.f require o.st=Invalid Inv(o) can mention only the fields of o and of o.p for any component field p (o o.st=Invalid (Inv(o) (pComp(o) p.st=Committed)))

27 Verification system We let st be used in method specifications (requires, modifies, ensures) We must address the Problem of Specifying Modifications

28 A heap model Heap is a two-dimensional array class T { f: U; g: V;... } x := o.f= x := Heap[o, f] o.f := E= Heap[o, f] := E

29 Meaning of modifies modifies w = modifies Heap ensures (o,f Heap[o,f] = Heap 0 [o,f] (o,f) w 0 ) viewed as set of object/field-name pairs

30 Meaning of modifies modifies w = modifies Heap ensures (o,f Heap[o,f] = Heap 0 [o,f](o,f) w 0Heap 0 [o,alloc] )

31 Meaning of modifies modifies w = modifies Heap ensures (o,f Heap[o,f] = Heap 0 [o,f](o,f) w 0Heap 0 [o,alloc]Heap 0 [o,st]=Committed )

32 Example class Kitchen { method SpiffUp(k) requires k.st=Valid modifies k.hasGarbage { unpack k ; k.d.Clean() ; k.hasGarbage := false ; k.s.Wipe() ; assert k.hasGarbage ; pack k } class Stove { method Wipe(s) requires s.st=Valid modifies s.foodPieces

33 Another example method m(p) requires p.st=Committed { var y, z in y := p.x ; z := sqrt(49) ; assert y = p.x end }

34 Soundness Pre- and postconditions are the same for callers and callees, so verification system is sound!

35 Related work rep types in CLU dynamically checked invariants in Eiffel valid idiom in ESC/Modula-3 universe types and invariants in Muller's thesis invariant declarations in ESC/Java and JML (implicit) pack/unpack operations in Vault and Fugue capability calculus ownership types locking and monitor disciplines in concurrent programming

36 Conclusions Invariants different from pre/post-conditions Resulting program invariants hold at every program point Uses pack/unpack commands, but good defaults can be constructed for these No linear type system Components are not unique references objects (pointers) can freely be copied Fields can freely be read No additional features of abstraction needed to support the specification of modifications Sound

37 Further research challenges experience, understanding of limits extensions to support more good programs (joint work with Peter Muller)

Download ppt "Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino."

Similar presentations

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,
Verification of object-oriented programs with invariants Mike Barnett, Robert DeLine, Manuel Fahndrich, K. Rustan M. Leino, Wolfram Schulte Formal techniques.

Verification of object-oriented programs with invariants Mike Barnett, Robert DeLine, Manuel Fahndrich, K. Rustan M. Leino, Wolfram Schulte Formal techniques.
Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Lunch seminar, Praxis Bath, UK 6 Dec 2005 joint work with Mike Barnett,
Bor-Yuh Evan Chang Daan Leijen Peter Müller David A. Naumann The Spec# programming system Mike Barnett Rob DeLine Manuel Fähndrich Bart Jacobs K. Rustan.

Bor-Yuh Evan Chang Daan Leijen Peter Müller David A. Naumann The Spec# programming system Mike Barnett Rob DeLine Manuel Fähndrich Bart Jacobs K. Rustan.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 4 EEF summer school on Specification,

Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 4 EEF summer school on Specification,
Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 EEF summer school on Specification,

Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 EEF summer school on Specification,
Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.

Object Invariants in Specification and Verification K. Rustan M. Leino Microsoft Research, Redmond, WA Joint work with: Mike Barnett, Ádám Darvas, Manuel.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 2 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 2 Summer school on Formal Models.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.

1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.
Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.

Program Verification Using the Spec# Programming System ETAPS Tutorial K. Rustan M. Leino, Microsoft Research, Redmond Rosemary Monahan, NUIM Maynooth.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,

Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Similar presentations

Ads by Google