
How tool-based verification can be incorporated in teaching

How tool-based verification can be incorporated in teaching. K. Rustan M. Leino, Research in Software Engineering (RiSE), Microsoft Research, Redmond, WA, USA. Invited talk, Informatics Education in Europe (IEE III'08), Venice, Italy, 4 Dec 2008.


Presentation Transcript


  1. How tool-based verification can be incorporated in teaching K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA Invited talk Informatics Education in Europe (IEE III’08) Venice, Italy 4 Dec 2008

  2. Acknowledgments
  • Spec# developed jointly with many others, including:
    • Mike Barnett
    • Manuel Fähndrich
    • Peter Müller
    • Wolfram Schulte
    • Herman Venter
  • Educational hints from:
    • Rosemary Monahan

  3. Why program verification is important • Safety critical software • No crashes • Security issues • Time to market • Program maintenance • Testing is expensive, too

  4. What it would be good if all programmers did
  • Constantly wonder:
    • What am I assuming here?
    • Am I documenting this assumption?
    • How can I mentally convince myself that my program is correct?
    • How can I ask tools for help?

  5. Issues in teaching specification and verification • Instant feedback to hammer home concepts and check understanding • Lack of connection between theory (paper homework) and practice (sitting at a terminal)

  6. How does one reason about programs?
  • Hoare triple: { P } S { Q }, where P is the precondition, S the program, and Q the postcondition
  • Started in any state satisfying P, the program S does not crash and terminates in a state satisfying Q

  7. Examples
  • { x+1 < 100 } x := x + 1 { x < 100 }
  • { P } if B then S else T { Q } follows from:
    • { P ∧ B } S { Q } and
    • { P ∧ ¬B } T { Q }
  • { P } while B do S { Q } follows from (J is the loop invariant):
    • P ⇒ J
    • { J ∧ B } S { J }
    • J ∧ ¬B ⇒ Q

  8. A traditional homework assignment
  TrianArder, HW #6
  Prove { x = X } x := 2*x { x > X }
  Proof:
      x > X
    = { axiom of := }
      2*x > X
    ⇐ { > and ≥ }
      2*x + 1 ≥ X
    ⇐ { arithmetic: x+1 ≥ x }
      x = X

  9. A week later… (graded 3/10)
  TrianArder, HW #6
  Prove { x = X } x := 2*x { x > X }
  Proof:
      x > X
    = { axiom of := }
      2*x > X
    ⇐ { > and ≥ }
      2*x + 1 ≥ X
    ⇐ { arithmetic: x+1 ≥ x }
      x = X
  Grader's comments, one per step:
  • axiom of := involves a substitution – the expressions are not equal
  • the property you mention holds in the ⇒ direction, not ⇐
  • so what?
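The rules on slide 7 and the homework on slides 8 and 9 are the kind of thing a checking tool turns into instant feedback. The following Python is an added illustration, not code from the talk or from Spec#: it computes weakest preconditions for assignment, sequence and conditional by substitution, checks the three loop obligations of slide 7 for a given invariant, and decides each obligation by exhaustive evaluation over a small box of integer states, so a failed obligation comes back as a concrete counterexample. Predicates are Python callables over a state dict, the bounded domain is an assumption of this checker (a real verifier discharges the obligations symbolically), and the "Sum" loop and its invariant are constructed here to resemble the demo named on slide 11.

```python
"""Bounded checker for the Hoare-logic rules on slide 7, applied to the homework on
slides 8-9. Added illustration, not code from the talk or from Spec#. Predicates and
expressions are Python callables over a state dict {variable: int}; statements are
small tuples. Each proof obligation is checked exhaustively over a bounded box of
integer states (an assumption of this toy), so a failure is a concrete counterexample."""
from itertools import product


def wp(stmt, post):
    """Weakest precondition of a loop-free statement for postcondition `post`."""
    kind = stmt[0]
    if kind == "assign":                      # x := e   gives   Q[x := e]
        _, var, expr = stmt
        return lambda s: post({**s, var: expr(s)})
    if kind == "seq":                         # S; T     gives   wp(S, wp(T, Q))
        pred = post
        for sub in reversed(stmt[1]):
            pred = wp(sub, pred)
        return pred
    if kind == "if":                          # slide 7: (B => wp(S, Q)) and (not B => wp(T, Q))
        _, guard, then_s, else_s = stmt
        w_then, w_else = wp(then_s, post), wp(else_s, post)
        return lambda s: w_then(s) if guard(s) else w_else(s)
    raise ValueError(f"unknown statement kind {kind!r}")


def counterexample(pred, variables, lo=-4, hi=4):
    """First state in the box [lo, hi]^n that falsifies pred, or None if pred holds throughout."""
    for values in product(range(lo, hi + 1), repeat=len(variables)):
        state = dict(zip(variables, values))
        if not pred(state):
            return state
    return None


def check_triple(pre, stmt, post, variables):
    """{P} S {Q} for loop-free S holds iff P => wp(S, Q). Returns a counterexample or None."""
    w = wp(stmt, post)
    return counterexample(lambda s: (not pre(s)) or w(s), variables)


def check_while(pre, inv, guard, body, post, variables):
    """Slide 7's loop rule with invariant J: P => J, {J and B} S {J}, J and not B => Q.
    Returns {obligation name: counterexample} for the obligations that fail (empty if all hold)."""
    body_keeps_inv = wp(body, inv)
    obligations = {
        "P => J": lambda s: (not pre(s)) or inv(s),
        "{J and B} S {J}": lambda s: (not (inv(s) and guard(s))) or body_keeps_inv(s),
        "J and not B => Q": lambda s: (not (inv(s) and not guard(s))) or post(s),
    }
    failures = {}
    for name, obligation in obligations.items():
        cex = counterexample(obligation, variables)
        if cex is not None:
            failures[name] = cex
    return failures


# Slide 8's homework, {x = X} x := 2*x {x > X}: the student's "proof" cannot be right,
# because the triple is false whenever x <= 0.
DOUBLE = ("assign", "x", lambda s: 2 * s["x"])
HOMEWORK_CEX = check_triple(pre=lambda s: s["x"] == s["X"], stmt=DOUBLE,
                            post=lambda s: s["x"] > s["X"], variables=["x", "X"])
# Strengthening the precondition to x = X and x > 0 makes the obligation hold on the whole box.
FIXED_CEX = check_triple(pre=lambda s: s["x"] == s["X"] and s["x"] > 0, stmt=DOUBLE,
                         post=lambda s: s["x"] > s["X"], variables=["x", "X"])

# Slide 7's if-rule on absolute value: {true} if x < 0 then y := -x else y := x {y >= 0 and (y = x or y = -x)}.
ABS_CEX = check_triple(
    pre=lambda s: True,
    stmt=("if", lambda s: s["x"] < 0, ("assign", "y", lambda s: -s["x"]), ("assign", "y", lambda s: s["x"])),
    post=lambda s: s["y"] >= 0 and (s["y"] == s["x"] or s["y"] == -s["x"]),
    variables=["x", "y"])

# A constructed loop in the spirit of the "Sum" demo (slide 11), summing 1..n, with invariant
# J: 0 <= i <= n and 2*s = i*(i+1) (kept multiplicative so everything stays in the integers).
SUM_BODY = ("seq", [("assign", "i", lambda s: s["i"] + 1),
                    ("assign", "s", lambda s: s["s"] + s["i"])])
SUM_FAILURES = check_while(
    pre=lambda s: s["n"] >= 0 and s["i"] == 0 and s["s"] == 0,
    inv=lambda s: 0 <= s["i"] <= s["n"] and 2 * s["s"] == s["i"] * (s["i"] + 1),
    guard=lambda s: s["i"] < s["n"],
    body=SUM_BODY,
    post=lambda s: 2 * s["s"] == s["n"] * (s["n"] + 1),
    variables=["i", "n", "s"])

if __name__ == "__main__":
    print("homework counterexample:", HOMEWORK_CEX)        # {'x': -4, 'X': -4}
    print("with x > 0 added:", FIXED_CEX)                  # None
    print("abs via if-rule:", ABS_CEX)                     # None
    print("sum loop obligations failing:", SUM_FAILURES)   # {}
```

Dropping the `0 <= i <= n` conjunct from the Sum invariant is a useful classroom exercise with this checker: the first two obligations still hold, but `J and not B => Q` fails with a state in which the loop has overshot n, which is exactly the feedback a student needs to see why the bound belongs in the invariant.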

  10. Spec# programming system
  • Spec# language
    • Object-oriented .NET language
    • Superset of C# 2.0, adding:
      • more types (e.g., non-null types)
      • specifications (e.g., pre- and postconditions)
  • Usage rules (methodology)
  • Checking:
    • Static type checking
    • Run-time checking
    • Static verification (optional)
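Of the three kinds of checking listed on slide 10, run-time checking is the easiest to reproduce without the Spec# compiler. The Python below is an added illustration, not Spec# code and not from the talk: a decorator that enforces a precondition, a postcondition with access to the old argument values (the counterpart of Spec#'s old(...)), and non-null arguments (the counterpart of Spec#'s `T!` types), applied to Swap and BinarySearch, which are two of the demos named on slide 11. The contracts, the deliberately buggy search and the sample inputs are constructed here; Spec# itself would in addition try to prove these contracts statically.

```python
"""Run-time checking of Spec#-style contracts, reproduced in plain Python as an added
illustration (not Spec# and not code from the talk). Spec# checks requires/ensures clauses
and non-null types statically and at run time; this decorator covers only the run-time
side, so a violated contract stops at the call instead of letting a wrong result propagate."""
import copy
from functools import wraps


class ContractError(AssertionError):
    """Raised when a non-null, pre- or postcondition is violated; `kind` names which one."""
    def __init__(self, kind, message):
        super().__init__(message)
        self.kind = kind


def contract(requires=None, ensures=None, non_null=()):
    """requires(*args) runs before the call; ensures(result, old, *args) after it, where `old`
    is a deep copy of the arguments on entry (analogue of Spec#'s old(...)); non_null lists
    argument positions that may not be None, standing in for Spec#'s T! non-null types."""
    def decorate(fn):
        @wraps(fn)
        def checked(*args):
            for pos in non_null:
                if args[pos] is None:
                    raise ContractError("non-null", f"{fn.__name__}: argument {pos} is null")
            if requires is not None and not requires(*args):
                raise ContractError("precondition", f"{fn.__name__}: precondition violated for {args!r}")
            old = copy.deepcopy(args)
            result = fn(*args)
            if ensures is not None and not ensures(result, old, *args):
                raise ContractError("postcondition", f"{fn.__name__}: postcondition violated, returned {result!r}")
            return result
        return checked
    return decorate


def swap_post(result, old, a, i, j):
    """ensures a[i] == old(a[j]) && a[j] == old(a[i]); old[0] is the array as it was on entry."""
    return a[i] == old[0][j] and a[j] == old[0][i]


@contract(requires=lambda a, i, j: 0 <= i < len(a) and 0 <= j < len(a), ensures=swap_post, non_null=(0,))
def swap(a, i, j):
    a[i], a[j] = a[j], a[i]


def is_sorted(a):
    return all(a[k] <= a[k + 1] for k in range(len(a) - 1))


def search_post(result, old, a, key):
    """ensures: -1 exactly when key is absent, otherwise an in-range index holding key."""
    return (result == -1 and key not in a) or (0 <= result < len(a) and a[result] == key)


@contract(requires=lambda a, key: is_sorted(a), ensures=search_post, non_null=(0,))
def binary_search(a, key):
    lo, hi = 0, len(a)            # invariant: key is in neither a[:lo] nor a[hi:]
    while lo < hi:
        mid = (lo + hi) // 2
        if a[mid] < key:
            lo = mid + 1
        elif a[mid] > key:
            hi = mid
        else:
            return mid
    return -1


@contract(requires=lambda a, key: is_sorted(a), ensures=search_post, non_null=(0,))
def binary_search_buggy(a, key):
    lo, hi = 0, len(a) - 1        # constructed bug: hi starts one too low, so a[-1] is never examined
    while lo < hi:
        mid = (lo + hi) // 2
        if a[mid] < key:
            lo = mid + 1
        elif a[mid] > key:
            hi = mid
        else:
            return mid
    return -1


def violated(fn, *args):
    """Call fn under its contract and report which clause failed ('non-null', 'precondition',
    'postcondition'), or None when the call satisfied its contract."""
    try:
        fn(*args)
    except ContractError as err:
        return err.kind
    return None


if __name__ == "__main__":
    print(binary_search([1, 3, 5, 7], 5))                 # 2
    print(violated(binary_search, [3, 1, 2], 1))          # precondition (input not sorted)
    print(violated(binary_search, None, 1))               # non-null
    print(violated(binary_search_buggy, [1, 3, 5], 5))    # postcondition (returned -1 though 5 is present)
```

The buggy search is the point of the demo: without the contract it silently returns -1 for a present key, and a caller that trusts that answer has no way to notice; with the contract the failure is reported at the call that produced it, which is the "instant feedback" slide 5 asks for from teaching tools.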

  11. Demos • Inc • Swap • BinarySearch • Sum • Append • Schorr-Waite • Assume

  12. Some other specification-based tools • .NET CodeContract library (.NET 4.0) • Clousot abstract interpreter for .NET • PEX testing tool for .NET • Java+JML • Eiffel • Krakatoa/Caduceus/Why • Boogie • Dafny

  13. Conclusion • Teach specification and verification • Use tools • Try things out before giving assignments • http://research.microsoft.com/specsharp • http://research.microsoft.com/rise

  14. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
