The Dafny program verifier
K. Rustan M. Leino
Research in Software Engineering
Microsoft Research, Redmond
Victoria University of Wellington
Wellington, NZ
13 April 2010
Some RiSE tools at Microsoft
  SLAM, Static Driver Verifier (SDV)
  Sage
  Code Contracts for .NET
  Clousot
  Pex
  Z3
Static Driver Verifier
  Applied regularly to all Microsoft device drivers of the supported device models
  ~300 bugs found
  Available in Windows DDK to third parties
[Screenshot: an SDV error message]
Predicate abstraction and refinement
(e.g.: Graf & Saïdi, SLAM, BLAST, …)
[Diagram of the abstraction/refinement loop: a C program plus a set of predicates goes through predicate abstraction into a boolean program; a model checker either reports "correct" or produces an abstract trace; the abstract trace is checked for feasibility; if feasible, it yields a concrete trace, if not, predicate refinement produces new predicates and the loop repeats.]
Symbolic-powered testing
Sage [Godefroid, Levin, et al.]
  White-box fuzzing for C programs
  Applied regularly
  100s of people doing various kinds of fuzzing
[Diagram: seed input → new generation of symbolically derived input]
Specifications: .NET today
StringBuilder.Append Method (Char[ ], Int32, Int32)
Appends the string representation of a specified subarray of Unicode characters to the end of this instance.
  public StringBuilder Append(char[] value, int startIndex, int charCount);
Parameters
  value: A character array.
  startIndex: The starting position in value.
  charCount: The number of characters to append.
Return Value
  A reference to this instance after the append operation has occurred.
Exceptions
  Exception Type: Condition
  ArgumentNullException: value is a null reference, and startIndex and charCount are not zero.
  ArgumentOutOfRangeException: charCount is less than zero. -or- startIndex is less than zero. -or- startIndex + charCount is less than the length of value.
Specifications in Spec#
  public StringBuilder Append(char[] value, int startIndex, int charCount);
    requires value == null ==> startIndex == 0 && charCount == 0;
    requires 0 <= startIndex;
    requires 0 <= charCount;
    requires value == null || startIndex + charCount <= value.Length;
    ensures result == this;
Specifications with Code Contracts
  public StringBuilder Append(char[] value, int startIndex, int charCount)
  {
    Contract.Requires(value != null || (startIndex == 0 && charCount == 0));
    Contract.Requires(0 <= startIndex);
    Contract.Requires(0 <= charCount);
    Contract.Requires(value == null || startIndex + charCount <= value.Length);
    Contract.Ensures(Contract.Result<StringBuilder>() == this);
    // method implementation
    ...
  }
Note that the postcondition is declared at the top of the method body, which is not where it should be executed. A rewriter tool moves these.
Code Contracts [Barnett, Fähndrich, Grunkemeyer, Logozzo, et al.]
  Declarative contracts
  Language independent
  Library to ship in .NET 4.0
  Tools available on DevLabs:
    Code Contracts Rewriter (for run-time checking)
    Clousot abstract interpreter
    Pex automated testing tool [de Halleux, Tillman, et al.]
Clousot [Fähndrich, Logozzo]
  Abstract interpreter for .NET
  Verifies Code Contracts at compile time
  Some key technology:
    Heap-aware abstraction
    Iterative application of numerical domains: Pentagons, Subpolyhedra, others
Pentagons
Some common abstract domains:
  Intervals:  x ∈ [A, B]
  Octagons:   ±x ± y ≤ K
  Polyhedra:  Σ_i a_i·x_i ≤ K
Observation: checking array accesses involves constraints like 0 ≤ x < a.Length. These can be represented by intervals plus variable orderings y ≤ x.
Pentagon: [picture]
Picture source: Robert Webb's Great Stella software, http://www.software3d.com/Stella.html
Z3 [Bjørner, de Moura]
  Satisfiability Modulo Theories (SMT) solver
  9 first places and 6 second places at SMT-COMP'08
  Used in all tools mentioned, except Clousot
Deductive verification tools
  HAVOC: has been applied to 100s of KLOC; ~40 bugs in resource leaks, lock usage, use-after-free
  VCC: being applied to Microsoft Hypervisor
  …
Dafny
a language and verifier
Program verification
[Diagram: a two-axis map of verification approaches. One axis runs from limited checking to full functional correctness; the other from automatic decision procedures (SMT solvers) to interactive proof assistants. Points plotted: extended static checking; traditional mechanical program verification; Dafny.]
Dafny language
  Sequential programs
  Generic classes
  Built-in specifications
  Simple yet flexible framing
  Sets, sequences, algebraic datatypes
  User-defined functions
  Ghost variables
  Termination specifications
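As an added example (not code from the slides or from the Dafny distribution), here is the Append specification from the Spec# and Code Contracts slides written in Dafny, together with most of the features listed above: a generic class, requires/ensures, modifies framing, sequences, a user-defined function, a ghost variable and a decreases clause. It uses current Dafny syntax (constructor, seq<T>, Main), which postdates the 2010 talk; the names Buffer, appendCount, Sum and SumLoop are made up for the example.

```dafny
// Added example, not from the slides: Append from the specification slides
// expressed in Dafny, plus a recursive function and a loop verified against it.
// Names (Buffer, appendCount, Sum, SumLoop) are hypothetical.

class Buffer<T> {
  var contents: seq<T>
  // Ghost state: visible to the verifier, erased from the compiled program.
  ghost var appendCount: int

  constructor ()
    ensures contents == [] && appendCount == 0
  {
    contents := [];
    appendCount := 0;
  }

  // The preconditions that the .NET documentation leaves implicit, as in the
  // Spec# slide. There is no null case: Dafny sequences cannot be null.
  method Append(value: seq<T>, startIndex: int, charCount: int)
    requires 0 <= startIndex
    requires 0 <= charCount
    requires startIndex + charCount <= |value|
    modifies this
    ensures contents == old(contents) + value[startIndex .. startIndex + charCount]
    ensures appendCount == old(appendCount) + 1
  {
    contents := contents + value[startIndex .. startIndex + charCount];
    appendCount := appendCount + 1;
  }

  // A user-defined function: usable in specifications; must declare what it reads.
  function Length(): int
    reads this
  {
    |contents|
  }
}

// Recursive function with an explicit termination measure.
function Sum(s: seq<int>): int
  decreases |s|
{
  if s == [] then 0 else s[0] + Sum(s[1..])
}

// Loop version proved equal to the recursive definition. The invariant keeps
// the not-yet-summed suffix as Sum(s[i..]), so each iteration unfolds Sum once.
method SumLoop(s: seq<int>) returns (total: int)
  ensures total == Sum(s)
{
  total := 0;
  var i := 0;
  while i < |s|
    invariant 0 <= i <= |s|
    invariant total + Sum(s[i..]) == Sum(s)
    decreases |s| - i
  {
    total := total + s[i];
    i := i + 1;
  }
}

method Main() {
  var b := new Buffer<char>();
  b.Append(['D', 'a', 'f', 'n', 'y'], 0, 5);
  assert b.Length() == 5;          // follows from Append's postcondition
  var t := SumLoop([1, 2, 3]);
  print b.contents, " ", t, "\n";
}
```

Every assertion here is discharged statically by the verifier (Dafny feeds the proof obligations through Boogie to Z3, the architecture shown later in the talk); the ghost field appendCount costs nothing at run time because it is removed by the compiler.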
Dafny demos
  Cubes
  Queue
  Schorr-Waite
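The Cubes demo named above is a classic verification exercise: fill an array with cubes using only additions, and prove that the result really is i*i*i. The following is an added rendition of that idea, not the talk's demo file; the method name Cubes and the helper variables c, k, m are my own choices.

```dafny
// Added example, not Leino's demo file: cubes by finite differences, verified.
// Invariants relate the running differences to the loop counter so that the
// verifier can show a[i] == i*i*i without any multiplication in the loop body.
method Cubes(n: int) returns (a: array<int>)
  requires 0 <= n
  ensures fresh(a) && a.Length == n
  ensures forall i :: 0 <= i < n ==> a[i] == i*i*i
{
  a := new int[n];
  // c = i^3, k = (i+1)^3 - i^3 = 3i^2 + 3i + 1, m = k's own difference = 6i + 6
  var c, k, m := 0, 1, 6;
  var i := 0;
  while i < n
    invariant 0 <= i <= n
    invariant forall j :: 0 <= j < i ==> a[j] == j*j*j
    invariant c == i*i*i
    invariant k == 3*i*i + 3*i + 1
    invariant m == 6*i + 6
  {
    a[i] := c;
    c, k, m := c + k, k + m, m + 6;   // parallel assignment
    i := i + 1;
  }
}

method Main() {
  var a := Cubes(6);
  var i := 0;
  while i < a.Length {
    print a[i], " ";
    i := i + 1;
  }
  print "\n";
}
```

The array is freshly allocated inside the method, so no modifies clause is needed; the ensures fresh(a) clause tells callers the same thing. Dropping any one of the three arithmetic invariants makes the proof fail, which is a useful way to see what the verifier actually relies on.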
Verification architecture
[Diagram: front-end languages C, Spec#, Dafny, Chalice, … are translated into Boogie; Boogie generates verification conditions for back-end provers Simplify, Z3, SMT Lib, …]
Boogie language overview
Mathematical features
  type T;
  const x: T;
  function f(A, B): T;
  axiom E;
Imperative features
  var y: T;
  procedure P(a: A, b: B) returns (x: T, y: U);
    requires pre;
    modifies w;
    ensures post;
  implementation P(a: A, b: B) returns (x: T, y: U)
  { … }
Boogie statements
  x := E
  a[i] := E
  havoc x
  assert E
  assume E
  call P()
  if
  while
  break
  label:
  goto A, B
Example: Defining OO semantics by translation into Boogie
  class C {
    var x: int;
    method M(n: int) returns (r: int)
    { … }
    static method Main() {
      var c := new C;
      c.x := 12;
      call y := c.M(5);
    }
  }
Example: Boogie translation (0)
  // class types
  type ClassName;
  const unique C: ClassName;
  type Ref;
  function dtype(Ref): ClassName;
  const null: Ref;
  // fields
  type Field α;
  const unique C.x: Field int;
  const unique allocated: Field bool;
  // memory
  var Heap: <α>[Ref, Field α] α;
Source being translated:
  class C {
    var x: int;
Example: Boogie translation (1)
  // method declarations
  procedure C.M(this: Ref, n: int) returns (r: int);
    requires this != null && dtype(this) == C;
    modifies Heap;
  procedure C.Main();
    modifies Heap;
Source being translated:
  method M(n: int) returns (r: int)
  static method Main()
Example: Boogie translation (2)
  // method implementations
  implementation C.Main()
  {
    var c: Ref, y: int;
    havoc c; assume c != null; assume Heap[c, allocated] == false; assume dtype(c) == C; Heap[c, allocated] := true;
    assert c != null; Heap[c, C.x] := 12;
    call y := C.M(c, 5);
  }
Source being translated:
  var c := new C;
  c.x := 12;
  call y := c.M(5);
Conclusions
  Tools and specifications are useful in software development
  Full functional-correctness verification is becoming more automatic
  To build a verifier, use an intermediate verification language
Dafny and Boogie: boogie.codeplex.com
Code Contracts: research.microsoft.com/contracts
Projects and videos: research.microsoft.com/rise
Various papers: research.microsoft.com/~leino/papers.html