Understanding Program Verification
K. Rustan M. Leino, RiSE, Microsoft Research, Redmond
PROLE 2009, 09/09/2009, San Sebastian, Spain
Software quality assurance
• A major software engineering concern
• Costly
• Relies heavily on testing
• Increasingly helped by advanced tools
  • Verification-condition generation, symbolic execution, model checking, abstract interpretation, fuzzing, test generation
Spectrum of verification tools (category: example)
• Functional correctness
  • Safety-critical systems: Praxis customers (SPARK Ada)
  • Algorithms: IEEE 1394 protocol (Event-B)
  • Important libraries: Microsoft Hypervisor (VCC)
• Bug finding
  • Common run-time errors: compiler front-end (ESC/Java)
  • Device-driver protocols: Windows drivers (SLAM)
  • Concurrency errors: lock usage in Windows programs (HAVOC)
Pillars of program verification
• Floyd, 1967
• Hoare, 1969: the triple {P} S {Q}
  Executions of S that start in a state satisfying P:
  • do not go wrong, and
  • terminate in a state satisfying Q
• Dijkstra, 1976: P ⇒ wp(S, Q), a logic formula
  The most general P that satisfies {P} S {Q} is called the weakest precondition of S with respect to Q, written wp(S, Q).

Worked example from the slide (factorial, with the assertion that holds at each point):
  { 0 ≤ n = N }
  s := 1
  { 0 ≤ n ≤ N ∧ s · n! = N! }        loop invariant
  loop test: 0 < n ?
  { 0 < n ≤ N ∧ s · n! = N! }        invariant and loop test
  s := s * n
  { 0 < n ≤ N ∧ s · (n-1)! = N! }
  n := n - 1
  { 0 ≤ n ≤ N ∧ s · n! = N! }        invariant re-established
  { s = N! }                          on exit, when ¬(0 < n)
Early mechanical verification systems
• Gypsy
• Stanford Pascal Verifier
• …
Verification-condition generation
  Program + specifications  →  Verification condition (logical formula)
• How to discharge the verification condition?
  • Proof assistant
    • ACL2, Coq, Isabelle/HOL, PVS, …
    • support for complicated math, higher-order functions
  • Automatic decision procedures
    • SMT solvers like CVC3, Simplify, Z3, …
    • program structure gives strong proof hints
Mechanical tool support
• Proof assistants: user interacts at the level of the prover
• Automatic program verifiers: user interacts at the level of the program
• Demos
  • Classic interface
    • Chalice: dining philosophers
  • Integrated interaction
    • Spec#: phone numbers (numeros de telefono), binary search (busqueda binaria)
Specification language
• Terms of a logic: ESC/Modula-3, KeY, …
• Terms are program expressions: Eiffel, JML, Spec#, …

The same precondition, 0 <= x.f, in each style:

  ESC/Modula-3 (spec in a pragma, as a term of the logic):
    PROCEDURE M(x: MyClass) = BEGIN … END M;
    <* SPEC M(x) REQUIRES 0 <= MyClass.f[x] *>

  Eiffel:
    feature M(x: MyClass) is require 0 <= x.f do … end

  JML:
    //@ requires 0 <= x.f;
    void M(MyClass x) { … }

  Spec#:
    void M(MyClass x) requires 0 <= x.f; { … }
Basic verifier architecture
  Source language  →  Intermediate verification language  →  Verification condition (logical formula)
Boogie: a verification tool bus [Barnett, Jacobs, Leino, Moskal, Rümmer, et al.]
• Front ends (your language here): Spec#, C with HAVOC specifications, C with VCC specifications, Dafny, Chalice
• Boogie-to-Boogie transformations:
  • Inference engines
  • Program transformations
  • Logic optimizers
• Back ends (your prover here): Isabelle/HOL, Simplify, Z3, SMT-Lib
Example translation
• Source language:
    p.f = x / y;
• Boogie (the run-time checks become explicit assertions, the field update becomes a heap update):
    assert p ≠ null;
    assert y ≠ 0;
    Heap[p,f] := x / y;
• Verification condition:
    (AND (NEQ p null) (NEQ y 0) (IMPLIES (EQ Heap' (store Heap p f (/ x y))) TRUE))
Demo: PhoneNumber.ssc
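To make the wp rules on the "Pillars" slide and the source-to-Boogie translation above concrete, here is an added Python example. It is not code from the slides, from Boogie or from Spec#: it implements Dijkstra's wp over a Boogie-like core (assign, assert, assume, sequence), generates the three proof obligations (establishment, preservation, exit) for the factorial loop, translates `p.f = x / y` into the assert/assert/heap-update form of the translation slide, and stands in for Z3 with an exhaustive check over small constructed domains. The tuple encoding, the variable bounds, the totalised n!, the sample object `'obj'` and the deliberately wrong loop body are all assumptions made for the illustration.

```python
from itertools import product
from math import factorial

# Expressions: ('var', x), ('const', v), ('op', sym, a, b), ('not', a), ('fact', a) for a!,
# ('store', heap, obj, field, val) for a heap update.  Statements: ('assign', x, e),
# ('assert', e), ('assume', e), ('seq', s1, s2, ...).  Encoding and names are illustrative.
def var(x):      return ('var', x)
def const(v):    return ('const', v)
def op(s, a, b): return ('op', s, a, b)
def neg(a):      return ('not', a)
def fact(a):     return ('fact', a)

def subst(e, x, by):
    """e[by/x]: replace every occurrence of variable x in e by the expression `by`."""
    if e[0] == 'var':
        return by if e[1] == x else e
    if e[0] == 'const':
        return e
    return (e[0],) + tuple(subst(c, x, by) if isinstance(c, tuple) else c for c in e[1:])

def wp(stmt, Q):
    """Dijkstra's weakest precondition, computed backwards through the statement."""
    tag = stmt[0]
    if tag == 'assign':                    # wp(x := e, Q)   = Q[e/x]
        return subst(Q, stmt[1], stmt[2])
    if tag == 'assert':                    # wp(assert P, Q) = P && Q
        return op('&&', stmt[1], Q)
    if tag == 'assume':                    # wp(assume P, Q) = P ==> Q
        return op('==>', stmt[1], Q)
    if tag == 'seq':                       # wp(S; T, Q)     = wp(S, wp(T, Q))
        for s in reversed(stmt[1:]):
            Q = wp(s, Q)
        return Q
    raise ValueError(f"unknown statement {stmt!r}")

ARITH = {'+': lambda a, b: a + b, '-': lambda a, b: a - b, '*': lambda a, b: a * b,
         '/': lambda a, b: a // b, '==': lambda a, b: a == b, '!=': lambda a, b: a != b,
         '<': lambda a, b: a < b, '<=': lambda a, b: a <= b}

def eval_expr(e, env):
    """Evaluate a formula in one concrete state; && and ==> short-circuit."""
    tag = e[0]
    if tag == 'var':   return env[e[1]]
    if tag == 'const': return e[1]
    if tag == 'not':   return not eval_expr(e[1], env)
    if tag == 'fact':                      # totalised for the toy; real verifiers axiomatise n!
        k = eval_expr(e[1], env)
        return factorial(k) if k >= 0 else 0
    _, sym, a, b = e                       # ('store', ...) never reaches here: wp substitutes it into `true`
    if sym == '&&':  return bool(eval_expr(a, env)) and bool(eval_expr(b, env))
    if sym == '==>': return (not eval_expr(a, env)) or bool(eval_expr(b, env))
    return ARITH[sym](eval_expr(a, env), eval_expr(b, env))

def bounded_check(vc, domains):
    """Stand-in for Z3: exhaustively evaluate vc over finite domains.  None if the VC holds
    everywhere, else the first falsifying state (the 'counterexample model')."""
    names = list(domains)
    for values in product(*(domains[k] for k in names)):
        env = dict(zip(names, values))
        if not eval_expr(vc, env):
            return env
    return None

def show(e):
    """S-expression rendering, in the style of the prover input on the translation slide."""
    if e[0] == 'var':   return e[1]
    if e[0] == 'const': return 'null' if e[1] is None else str(e[1]).lower()
    if e[0] == 'op':    return f"({e[1]} {show(e[2])} {show(e[3])})"
    return f"({e[0]} {' '.join(show(c) for c in e[1:])})"

# --- the factorial loop of the 'Pillars' slide: invariant 0 <= n <= N && s*n! == N! ----------
n, N, s, zero, one = var('n'), var('N'), var('s'), const(0), const(1)
INV   = op('&&', op('&&', op('<=', zero, n), op('<=', n, N)), op('==', op('*', s, fact(n)), fact(N)))
GUARD = op('<', zero, n)
PRE   = op('&&', op('<=', zero, n), op('==', n, N))
POST  = op('==', s, fact(N))
INIT  = ('assign', 's', one)
BODY  = ('seq', ('assign', 's', op('*', s, n)), ('assign', 'n', op('-', n, one)))
WRONG_BODY = ('seq', ('assign', 'n', op('-', n, one)), ('assign', 's', op('*', s, n)))  # bug: decrements first
LOOP_DOMAIN = {'n': range(6), 'N': range(6), 's': range(121)}    # constructed bounds; 5! = 120

def loop_vcs(body=BODY):
    """The three proof obligations a verifier generates from a loop invariant."""
    return {'init':     op('==>', PRE, wp(INIT, INV)),
            'preserve': op('==>', op('&&', INV, GUARD), wp(body, INV)),
            'exit':     op('==>', op('&&', INV, neg(GUARD)), POST)}

def loop_counterexamples(body=BODY):
    return {name: bounded_check(vc, LOOP_DOMAIN) for name, vc in loop_vcs(body).items()}

# --- the 'Example translation' slide: p.f = x / y -------------------------------------------
def division_vc(with_precondition):
    """Boogie form of `p.f = x / y;` and its VC with respect to the postcondition true."""
    p, x, y, Heap = var('p'), var('x'), var('y'), var('Heap')
    boogie = [('assert', op('!=', p, const(None))),      # null-dereference check
              ('assert', op('!=', y, zero)),             # division-by-zero check
              ('assign', 'Heap', ('store', Heap, p, const('f'), op('/', x, y)))]
    if with_precondition:                                # the method's `requires` clause
        boogie.insert(0, ('assume', op('&&', op('!=', p, const(None)), op('!=', y, zero))))
    return wp(('seq', *boogie), const(True))

DIV_DOMAIN = {'p': [None, 'obj'], 'x': [7], 'y': [-1, 0, 1]}   # constructed: null vs. one object

if __name__ == '__main__':
    for name, vc in loop_vcs().items():
        print(name, show(vc), '->', loop_counterexamples()[name])
    print('wrong body:', loop_counterexamples(WRONG_BODY))
    for pre in (False, True):
        print(show(division_vc(pre)), '->', bounded_check(division_vc(pre), DIV_DOMAIN))
```

With the correct body all three obligations hold on every state in the bounded domain; swapping the two assignments makes the preservation obligation fail, and the falsifying state (n = 1, N = 1, s = 1) is exactly the kind of counterexample model a verifier hands back to the user. Without the `requires p != null && y != 0` assumption the division VC reduces to `p != null && y != 0`, which the state p = null refutes; with the assumption in place it holds. The bounded check is only a stand-in for illustration: it shows a VC is falsifiable, but passing it on a finite domain proves nothing, which is why real tools hand the formula to an SMT solver or proof assistant.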
Abstraction
• How to specify the effect of method Play()?
  Object structure on the slide:
    :RockBand   method Play() …
      :Guitar   method Strum() …   contains :GtString, :GtString
      :Organ    method Grind() …   contains :DrawBar
      :Drums    method Bang() …    contains :Kick, :Snare
Specification style
• Demo
  • Spec# (ownership)
  • Dafny (dynamic frames)
Specification style summary
• Spec#
  • handles common cases easily
  • does not support all useful programming idioms
  • somewhat opaque
• Dafny
  • flexible, transparent
  • primitive, verbose
• What is a flexible, transparent, frugal specification language?
When things verify
• Modular verification goes a long way
• Re-doing or re-playing proofs can be done off-line
When things do not verify (which happens all too often)
• Quick turnaround is key
  • For beginners and experts alike
  • Example: hypervisor verification
  • Want: sub-second response
• Understanding complaints
Explaining errors visually [joint work with Claire Le Goues]
  source program → Boogie (intermediate program) → verifier (formula) → Z3 → counterexample model
• model
• tool demo
  • square
  • insert
[Screenshot of a raw Z3 counterexample model as the prover returns it: partitions (*0 → true, *1 → false, *2 {@true} → 8:int, *3 {@false} → 9:int, …), type and constant interpretations (intType, boolType, refType, class.int, class.bool, class.object, class.set, class.seq, alloc, loop_entered, loop_exited, …) and function tables such as FieldType, DeclType, $IsGoodHeap and MapType1Select. This is the artifact the visualizer explains to the user.]
Verified Software Initiative
• Hoare, Joshi, Leavens, Misra, Naumann, Shankar, Woodcock, et al.
• “We envision a world in which computer programs are always the most reliable component of any system or device that contains them” [Hoare & Misra]
Next steps
• Continue to:
  • improve program-verification technology
  • do experiments
• and pay more attention to tool usage:
  • Rapid-response analysis
  • Explanation tools
  • Ceaselessly-analyzing programming environments
Some URLs
• Boogie, Dafny, Chalice available as open source: http://boogie.codeplex.com
• Spec# and VCC also available as open source under academic license: http://specsharp.codeplex.com and http://vcc.codeplex.com
• Some papers: http://research.microsoft.com/~leino