1 / 25

The Dafny program verifier

The Dafny program verifier. K. Rustan M. Leino Research in Software Engineering Microsoft Research, Redmond. Victoria University of Wellington Wellington, NZ 13 April 2010. Some RiSE tools at Microsoft. SLAM, Static Driver Verifier (SDV) Sage Code Contracts for .NET Clousot Pex Z3.

jalen
Download Presentation

The Dafny program verifier

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Dafny program verifier K. Rustan M. Leino Research in Software Engineering Microsoft Research, Redmond Victoria University of Wellington Wellington, NZ 13 April 2010

  2. Some RiSE tools at Microsoft • SLAM, Static Driver Verifier (SDV) • Sage • Code Contracts for .NET • Clousot • Pex • Z3

  3. Static Driver Verifier • Applied regularly to all Microsoft device drivers of the support device models • ~300 bugs found • Available in Windows DDK to third parties

  4. Predicate abstraction and refinement e.g.: Graf & Saïdi, SLAM, BLAST, … correct modelchecker boolean program abstract trace predicateabstraction concrete trace predicates C program feasible? no yes error message predicaterefinement

  5. Symbolic-powered testing • Sage [Godefroid, Levin, et al.] • White-box fuzzing for C programs • Applied regularly • 100s of people doing various kinds of fuzzing Seed input New generation of symbolically derived input

  6. Specifications: .NET today StringBuilder.Append Method (Char[], Int32, Int32) Appends the string representation of a specified subarray of Unicode characters to the end of this instance. publicStringBuilderAppend(char[] value, intstartIndex, intcharCount); Parameters value A character array. startIndex The starting position in value. charCount The number of characters append. Return Value A reference to this instance after the append operation has occurred. Exceptions

  7. Specifications in Spec# publicStringBuilderAppend(char[] value, intstartIndex,intcharCount ); requires value == null ==> startIndex == 0 && charCount == 0; requires 0 <= startIndex; requires 0 <= charCount; requires value == null ||startIndex + charCount <= value.Length;ensuresresult == this;

  8. Specifications with Code Contracts publicStringBuilderAppend(char[] value, intstartIndex,intcharCount){ Contract.Requires(value != null|| (startIndex== 0 && charCount == 0)); Contract.Requires(0 <= startIndex); Contract.Requires(0 <= charCount); Contract.Requires(value == null ||startIndex+ charCount <= value.Length); Contract.Ensures(Contracts.Result<StringBuilder>() == this); // method implementation...} Note that postcondition is declared at top of method body, which is not where it should be executed.A rewriter tool moves these.

  9. Code Contracts[Barnett, Fähndrich, Grunkemeyer, Logozzo, et al.] • Declarative contracts • Language independent • Library to ship in .NET 4.0 • Tools available on DevLabs • Code Contracts Rewriter (for run-time checking) • Clousot abstract interpreter • Pex automated testing tool [de Halleux, Tillman, et al.]

  10. Clousot[Fähndrich, Logozzo] • Abstract interpreter for .NET • Verifies Code Contracts at compile time • Some key technology: • Heap-aware abstraction • Iterative application of numerical domains: • Pentagons • Subpolyhedra • others

  11. Pentagons • Some common abstract domains: • Intervals x  [A,B] • Octagons  x  y ≤ K • PolyhedraΣi xi≤ K • Observation: • Checking array accessesinvolves constraints like0 ≤ x < a.Length • These can be representedby intervals plus variableorderings y ≤ x Pentagon: Picture source: Robert Webb's Great Stella software, http://www.software3d.com/Stella.html

  12. Z3 [Bjørner, de Moura] • Satisfiability Modulo Theories (SMT) solver • 9 first places and 6 second places atSMT-COMP’08 • Used in all tools mentioned, except Clousot

  13. Deductive verificaton tools • HAVOC • Has been applied to 100s of KLOC • ~40 bugs in resource leaks, lock usage, use-after-free • VCC • Being applied to Microsoft Hypervisor • …

  14. Dafny a language and verifier

  15. Program verification functional correctness Dafny traditional mechanical program verification extended static checking limited checking automaticdecision procedures (SMT solvers) interactiveproof assistants

  16. Dafny language • Sequential programs • Generic classes • Built-in specifications • Simple yet flexible framing • Sets, sequences, algebraic datatypes • User-defined functions • Ghost variables • Termination specifications

  17. Dafny demos • Cubes • Queue • Schorr-Waite

  18. Verification architecture Spec# C Dafny Chalice … Boogie Simplify Z3 SMT Lib …

  19. Boogie language overview Mathematical features • type T; • const x: T; • functionf(A, B): T; • axiom E; Imperative features • var y: T; • procedureP(a: A, b: B) returns(x: T, y: U);requirespre;modifies w; ensurespost; • implementation P(a: A, b: B) returns(x: T, y: U) { … }

  20. Boogie statements • x := E • a[ i ] := E • havoc x • assert E • assume E • ; • call P() • if • while • break • label: • goto A, B

  21. Example: Defining OO semantics by translation into Boogie class C {var x: int; method M(n: int) returns (r: int) { … } staticmethodMain() {var c := new C;c.x:= 12;cally := c.M(5); }}

  22. // class types typeClassName; constuniqueC: ClassName; type Ref; functiondtype(Ref): CName; const null: Ref; // fields typeField α; constuniqueC.x: Field int; constuniqueallocated: Field bool; // memory var Heap: <α>[Ref, Field α] α; Example: Boogie translation (0) classC { var x: int;

  23. // method declarations procedureC.M(this: Ref, n: int) returns(r: int); requires this != null && dtype(this) == C; modifies Heap; procedureC.Main(); modifies Heap; Example: Boogie translation (1) method M(n: int)returns (r: int) staticmethod Main()

  24. // method implementations implementationC.Main() { var c: Ref, y: int; havoc c; assume c != null; assume Heap[c, allocated] == false; assumedtype(c) == C; Heap[c, allocated] := true; assert c != null; Heap[c, C.x] := 12; call y := C.M(c, 5); } Example: Boogie translation (2) c.x:= 12; varc := new C; cally := c.M(5);

  25. Conclusions • Tools and specifications are useful in software development • Full functional-correctness verification is becoming more automatic • To build a verifier, use an intermediate verification language Dafny and Boogie boogie.codeplex.com Code Contracts research.microsoft.com/contracts Projects and videos research.microsoft.com/rise Various papers research.microsoft.com/~leino/papers.html

More Related