the spec# programming system k. rustan m. leino microsoft research, redmond, wa, usa distinguished...
TRANSCRIPT
![Page 1: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/1.jpg)
The Spec# programming system
K. Rustan M. LeinoMicrosoft Research, Redmond, WA, USA
Distinguished Lecture SeriesMax Planck Institute for Software SystemsKaiserslautern, Germany20 March 2006
joint work withMike Barnett, Robert DeLine, Manuel Fähndrich, Wolfram Schulte, Herman Venter,
Bor-Yuh Evan Chang, Bart Jacobs, Daan Leijen,
Francesco Logozzo, Peter Müller, David A. Naumann
![Page 2: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/2.jpg)
Software engineering problem
Building and maintaining large systems that are correct
![Page 3: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/3.jpg)
Approach
• Specifications record design decisions– bridge intent and code
• Tools amplify human effort– manage details– find inconsistencies– ensure quality
![Page 4: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/4.jpg)
Research goals
• Build the best such system we can build today• Experiment with the system to get a feel for
what it is like to use• Advance the state of the art
![Page 5: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/5.jpg)
Spec#• Experimental mix of contracts and tool
support• Aimed at experienced developers who know
the high cost of testing and maintenance• Superset of C#
– non-null types– pre- and postconditions– object invariants
• Tool support– more type checking– compiler-emitted run-time checks– static program verification
C#contracts
everywhere
type checking
static verification
into the future
run-time checks
degree of checking,effort
familiar
![Page 6: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/6.jpg)
Spec# demo
![Page 7: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/7.jpg)
Some design issues
0. Non-null types1. C# compatibility2. Preconditions3. Object invariants4. Program verifier architecture5. Verification-condition generation
![Page 8: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/8.jpg)
• T x; The value of x is null ora reference to an object whose type is a subtype of T.
• T ! y; The value of y isa reference to an object whose type is a subtype of T,not null.
0. Non-null types
![Page 9: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/9.jpg)
Non-null escape hatch: cast
object o;string s;…string! a = (string!)o;string! b = (!)s;
![Page 10: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/10.jpg)
Comparing against null
public void M( T x ) {if (x == null) {
…} else {
int y = ((!)x).f;…
}}
![Page 11: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/11.jpg)
Comparing against null
public void M( T x ) {if (x == null) {
…} else {
int y = x.f;…
}}
Spec# performs a data-flow analysis to allow this (similar to definite assignment)
![Page 12: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/12.jpg)
Non-null instance fields
class C : B {T ! x;public C(T ! y): base(){
this.x = y;}public override int M() { return
x.f; }}
Is this code type safe?No!
abstract class B {public B()
{ this.M(); } public abstract int M();
}
null dereference
![Page 13: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/13.jpg)
Non-null instance fields
class C : B {T ! x;public C(T ! y){
this.x = y;base();
}public override int M() { return
x.f; }}
Spec# allows x to beassigned before baseconstructor is called.
![Page 14: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/14.jpg)
Other non-null issues• Comparing a field against null
if (this.f != null) {// …this.f.M(…);
}
• Static fieldsstatic T g = new T();
• ArraysT![ ] a = new T![100];
• GenericsList<T!> myList = new List<T!>();
![Page 15: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/15.jpg)
• Spec# is superset of C#• From C# to Spec#:
– accept every C# program– compile it to have the same behavior
• Consequences– “Possible null dereference” is just a
warning– “Must initialize non-null fields before
calling base constructor” is an error– Support for out-of-band contracts
1. C# compatibility
![Page 16: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/16.jpg)
From Spec# to C#or: Leveraging wiz-bang features of Visual Studio 2005
class B : A {string! src;public B(string! source, int x)
requires 0 <= x;{
this.src = source;base(x);
}
![Page 17: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/17.jpg)
From Spec# to C#or: Leveraging wiz-bang features of Visual Studio 2005
class B : A {string! src;public B(string! source, int x)
//^ requires 0 <= x;{
this.src = source;base(x);
}
![Page 18: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/18.jpg)
From Spec# to C#or: Leveraging wiz-bang features of Visual Studio 2005
class B : A {string/*!*/ src;public B(string/*!*/ source, int x)
//^ requires 0 <= x;{
this.src = source;base(x);
}
![Page 19: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/19.jpg)
From Spec# to C#or: Leveraging wiz-bang features of Visual Studio 2005
class B : A {string/*!*/ src;public B(string/*!*/ source, int x)
//^ requires 0 <= x; : base(x){
this.src = source;//^ base;
}
![Page 20: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/20.jpg)
2. Preconditions
![Page 21: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/21.jpg)
StringBuilder.Append Method (Char[ ], Int32, Int32)Appends the string representation of a specified subarray of Unicode characters to the end of this instance.
public StringBuilder Append(char[] value, int startIndex, int charCount);
Parameters
valueA character array.
startIndexThe starting position in value.
charCountThe number of characters append.
Return Value
A reference to this instance after the append operation has occurred.
ExceptionsException Type Condition
ArgumentNullException value is a null reference, and startIndex and charCount are not zero.
ArgumentOutOfRangeException charCount is less than zero.
-or-
startIndex is less than zero.
-or-
startIndex + charCount is less than the length of value.
Contracts today
![Page 22: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/22.jpg)
Contract in Spec#
public StringBuilder Append( char[ ] value, int startIndex,
int charCount ); requires 0 <= startIndex; …
![Page 23: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/23.jpg)
Otherwise clauses
public StringBuilder Append( char[ ] value, int startIndex,
int charCount ); requires 0 <= startIndex otherwise ArgumentOutOfRangeException; …
![Page 24: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/24.jpg)
Inheriting contracts
• interface J {void M(int x); requires P;
}• class A {
public abstract void M(int x); requires Q;}
• class B : A, J {public override void M(int x){ … }
}
![Page 25: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/25.jpg)
3. Object invariants
![Page 26: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/26.jpg)
When do object invariants hold?
class C {private int x;private int y;invariant x < y;
public C() { x = 0; y = 1; }
public void M(){
int t = 100 / (y – x);x = x + 1;P(t);y = y + 1;
}…
}
invariant assumed to holdon entry to method
invariant checked to holdon exit from method
invariant checked to holdat end of constructor
invariant may betemporarily broken here
invariant is restored here
what if P calls back into M?
![Page 27: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/27.jpg)
Object states
• Mutable– Object invariant may not hold– Field updates allowed
• Valid– Object invariant holds– Field updates not allowed
![Page 28: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/28.jpg)
Valid vs. mutable objectsclass C {
private int x;private int y;invariant x < y;
public void M()requires this.inv == Valid;
{expose (this) {
int t = 100 / (y – x);x = x + 1;P(t);y = y + 1;
}}…
}
represent explicitlythat invariant holds(without revealing
what the invariant is)
change this.invfrom Valid to Mutable
check invariant;then, change this.invfrom Mutable to Valid
field updates allowedonly on Mutable objects
![Page 29: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/29.jpg)
Summary of object invariants
• invariant …• inv : { Mutable, Valid }• expose• updates of o.f require o.inv =
Mutable
• (o ・ o.inv = Mutable Inv (o))
![Page 30: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/30.jpg)
4. Spec# verifier architecture
V.C. generator
automatictheorem prover
verification condition
Spec#
“correct” or list of errors
Spec# compiler
MSIL (“bytecode”)bytecode translator
Boogie PL
inference engine
Spec# program verifier (aka Boogie)
![Page 31: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/31.jpg)
BoogiePL
• Intermediate language– theory part– imperative part
• Semantics of Spec# is encoded in BoogiePL
• Can be used for other program-verification tasks, like verifying other source languages
![Page 32: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/32.jpg)
Example BoogiePL (0)var $Heap: [ref,name]any where IsHeap($Heap);function IsHeap(h: [ref,name]any) returns (bool);
const Chunker: name;axiom Chunker <: System.Object;
const Chunker.n: name;function DeclType(field: name) returns (class: name);axiom DeclType(Chunker.n) = Chunker;
const $allocated: name;axiom ( h: [ref,name]any, o: ref, f: name •
IsHeap(h) h[o, $allocated] h[h[o, f],$allocated]);
const $inv: name;axiom ( $oi: ref, $h: [ref,name]any •
IsHeap($h) $h[$oi, $inv] <: Chunker0 < $h[$oi, Chunker.ChunkSize] 0 ≤ $h[$oi, Chunker.n] $h[$oi, Chunker.n] ≤ $Length($h[$oi, Chunker.src]));
![Page 33: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/33.jpg)
Example BoogiePL (1)procedure Chunker.NextChunk(this: ref) returns ($result: ref); requires $Heap[this, $inv] = Chunker; requires $Heap[this, $ownerFrame] = $PeerGroupPlaceholder
¬($Heap[$Heap[this, $ownerRef], $inv] <: $Heap[this, $ownerFrame]); free requires $Heap[this, $allocated] = true $IsNotNull(this, Chunker); modifies $Heap; ensures $Length($result) ≤ $Heap[this, Chunker.ChunkSize]; ensures ( $pc: ref • $pc ≠ null $Heap[$pc, $allocated] = true
$Heap[$pc, $ownerRef] = $Heap[$result, $ownerRef] $Heap[$pc, $ownerFrame] = $Heap[$result, $ownerFrame]($Heap[$pc, $ownerFrame] = $PeerGroupPlaceholder
¬($Heap[$Heap[$pc, $ownerRef], $inv] <: $Heap[$pc, $ownerFrame])) $Heap[$pc, $inv] = $typeof($pc));
free ensures $Heap[$result, $allocated] = true $IsNotNull($result, System.String); free ensures ( $o: ref • $o ≠ null ¬old($Heap)[$o, $allocated] $Heap[$o, $allocated]
$Heap[$o, $inv] = $typeof($o)); ensures ( $o: ref • $o ≠ null old($Heap)[$o, $allocated] = true
old($Heap)[$Heap[$o, $ownerRef], $allocated] = trueold($Heap)[$o, $ownerRef] = $Heap[$o, $ownerRef] old($Heap)[$o, $ownerFrame] = $Heap[$o, $ownerFrame]);
free ensures ( $o: ref, $f: name • $f ≠ $inv $o ≠ null old($Heap)[$o, $allocated] = true (old($Heap)[$o, $ownerFrame] = $PeerGroupPlaceholder
¬(old($Heap)[old($Heap)[$o, $ownerRef], $inv] <: old($Heap)[$o, $ownerFrame])) (¬IsStaticField($f) ¬IsDirectlyModifiableField($f)) old($Heap)[$o, $f] = $Heap[$o, $f]);
free ensures ( $o: ref • old($Heap)[$o, $inv] = $Heap[$o, $inv] old($Heap)[$o, $allocated] ≠ true);
free ensures ( $o: ref • old($Heap)[$o, $allocated] $Heap[$o, $allocated]);
![Page 34: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/34.jpg)
Example BoogiePL (2)implementation Chunker.NextChunk(this: ref) returns ($result: ref){ var temp0: ref, local4: ref, stack0i: int, stack1i: int, stack1o: ref,
stack0b: bool, stack0o: ref, stack2i: int, s: ref, return.value: ref,SS$Display.Return.Local: ref;
entry: // … // ----- load field ----- Chunker.ssc(14,7) assert this ≠ null; stack1o := $Heap[this, Chunker.src]; // … // ----- binary operator ----- Chunker.ssc(14,7) stack0b := stack0i > stack1i; // ----- branch ----- Chunker.ssc(14,7) goto true5814to5848, false5814to5831;
true5814to5848: assume stack0b = true; …
![Page 35: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/35.jpg)
Example BoogiePL (3)
// ----- call ----- Chunker.ssc(17,9) assert stack0o ≠ null; call s := System.String.Substring$System.Int32(stack0o,
stack1i); // … // ----- store field ----- Chunker.ssc(19,7) assert this ≠ null; assert ¬($Heap[this, $inv] <: Chunker); $Heap[this, Chunker.n] := stack0i; // … // ----- return $result := stack0o; return;}
![Page 36: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/36.jpg)
5. Verification conditions
• Automatic theorem prover– can be hidden from programmer– generates counterexamples
• Interactive theorem prover– requires gurus– not limited by built-in decision
procedures
![Page 37: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/37.jpg)
Performance considerations• Generate verification conditions that
the theorem prover can handle quickly– “Efficient” encodings of axioms– “Efficient” weakest preconditions
![Page 38: The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems](https://reader036.vdocument.in/reader036/viewer/2022062511/551b0ed755034607418b51dc/html5/thumbnails/38.jpg)
download Spec#from here
Conclusions• Because of tool support, we’re ready for
programming at the next level of rigor• Current work
– Specification/programming/verification methodology
– Performance– Technology transfer– Engineering effort
• Technology sharing– Teaching– Case studies– BoogiePL as common intermediate logic
http://research.microsoft.com/~leino
http://research.microsoft.com/specsharp