
Understanding Program Verification

Understanding Program Verification. K. Rustan M. Leino, RiSE, Microsoft Research, Redmond. PROLE 2009, 09/09/2009, San Sebastian, Spain. Software quality assurance: a major software engineering concern; costly; relies heavily on testing; increasingly helped by advanced tools.


Presentation Transcript


  1. Understanding Program Verification K. Rustan M. Leino RiSE, Microsoft Research, Redmond PROLE 2009 09/09/2009 San Sebastian, Spain

  2. Software quality assurance • A major software engineering concern • Costly • Relies heavily on testing • Increasingly helped by advanced tools • Verification-condition generation, symbolic execution, model checking, abstract interpretation, fuzzing, test generation

  3. Spectrum of verification tools (with examples)
  • Functional correctness
    • Safety-critical systems: Praxis customers (Spark Ada)
    • Algorithms: IEEE 1384 protocol (Event-B)
    • Important libraries: Microsoft Hypervisor (VCC)
  • Bug finding
    • Common run-time errors: compiler front-end (ESC/Java)
    • Device-driver protocols: Windows drivers (SLAM)
    • Concurrency errors: lock usage in Windows programs (HAVOC)

  4. Pillars of program verification
  • Floyd, 1967
  • Hoare, 1969: { P } S { Q }
  • Dijkstra, 1976: P ⇒ wp(S, Q), a logic formula
  { P } S { Q } means: executions of S that start in P
  • do not go wrong, and
  • terminate in Q
  The most general P that satisfies { P } S { Q } is called the weakest precondition of S w.r.t. Q: wp(S, Q).
  Example (factorial, annotated with the assertions from the slide's flowchart):
      { 0 ≤ n = N }
      s := 1
      { 0 ≤ n ≤ N ∧ s * n! = N! }          loop invariant
      while 0 < n do
        { 0 < n ≤ N ∧ s * n! = N! }
        s := s * n
        { 0 < n ≤ N ∧ s * (n-1)! = N! }
        n := n - 1
      end
      { s = N! }

  5. Early mechanical verification systems • Gypsy • Stanford Pascal Verifier • …

  6. Verification-condition generation
  Program + specifications → Verification condition (logical formula)
  • How to discharge the verification condition?
  • Proof assistant
    • ACL2, Coq, Isabelle/HOL, PVS, …
    • support for complicated math, higher-order functions
  • Automatic decision procedures
    • SMT solvers like CVC3, Simplify, Z3, …
    • program structure gives strong proof hint

  7. Mechanical tool support • Proof assistants • User interacts at level of prover • Automatic program verifiers • User interacts at level of program • Demos • Classic interface • Chalice: dining philosophers • Integrated interaction • Spec#: phone numbers, binary search

  8. Specification language
  • Terms of a logic: ESC/Modula-3, KeY, …
      PROCEDURE M(x: MyClass) = BEGIN … END M;
      <*SPEC M(x) REQUIRES 0 <= MyClass.f[ x ] *>
  • Terms are program expressions: Eiffel, JML, Spec#, …
      feature M(x: MyClass) is require 0 <= x.f do … end        (Eiffel)
      //@ requires 0 <= x.f;
      void M(MyClass x) { … }                                      (JML)
      void M(MyClass x) requires 0 <= x.f; { … }                   (Spec#)

  9. Basic verifier architecture: Source language → Intermediate verification language → Verification condition (logical formula)

  10. Boogie – a verification tool bus [Barnett, Jacobs, Leino, Moskal, Rümmer, et al.]
  • Front ends: Spec#, C with HAVOC specifications, C with VCC specifications, Dafny, Chalice, your language here
  • Boogie-to-Boogie transformations: inference engines, program transformations, logic optimizers
  • Boogie
  • Back ends: Isabelle/HOL, Simplify, Z3, SMT Lib, your prover here

  11. Example translation
  • Source language:
      p.f = x / y;
  • Boogie:
      assert p ≠ null;
      assert y ≠ 0;
      Heap[p,f] := x / y;
  • Verification condition:
      (AND (NEQ p null) (NEQ y 0) (IMPLIES (EQ Heap’ (store Heap p f (/ x y))) TRUE))
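As an added worked example (not code from the talk, nor from Boogie, Spec# or any other tool it names), the following Python implements Dijkstra's weakest-precondition rules from slide 4 over a constructed Boogie-like mini language and applies them to the factorial loop body of slide 4 and to the translated statement of slide 11. The tuple encoding of statements, the names `subst`, `wp`, `holds`, `invariant_preserved` and the use of `fact`/`store` as uninterpreted-looking function names are this example's own assumptions.

```python
import ast
from math import factorial as fact

# Constructed mini intermediate language in the spirit of Boogie (not Boogie's syntax):
# statements are tuples, formulas and expressions are Python expression strings.
#   ("assert", P)   ("assume", P)   ("assign", x, e)   ("seq", S1, S2, ...)

def subst(formula: str, var: str, expr: str) -> str:
    """Q[expr/var]: replace every occurrence of var in Q by expr, simultaneously."""
    repl = ast.parse(expr, mode="eval").body
    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return repl if node.id == var else node  # inserted node is not re-visited
    return ast.unparse(Sub().visit(ast.parse(formula, mode="eval")))

def wp(stmt, post: str) -> str:
    """Dijkstra's weakest precondition of stmt with respect to post (slide 4)."""
    kind = stmt[0]
    if kind == "assert":              # wp(assert P, Q) = P and Q
        return f"({stmt[1]}) and ({post})"
    if kind == "assume":              # wp(assume P, Q) = P implies Q
        return f"(not ({stmt[1]})) or ({post})"
    if kind == "assign":              # wp(x := e, Q) = Q[e/x]
        return subst(post, stmt[1], stmt[2])
    if kind == "seq":                 # wp(S; T, Q) = wp(S, wp(T, Q)): work right to left
        for s in reversed(stmt[1:]):
            post = wp(s, post)
        return post
    raise ValueError(f"unknown statement kind {kind!r}")

def holds(formula: str, env: dict) -> bool:
    """Evaluate a VC at one concrete point: a spot check of the formula, not a proof."""
    return bool(eval(formula, {"__builtins__": {}, "fact": fact}, dict(env)))

def invariant_preserved(body, inv: str, guard: str, env: dict) -> bool:
    """Loop-preservation obligation (inv and guard) implies wp(body, inv), checked at env."""
    pre = holds(inv, env) and holds(guard, env)
    return (not pre) or holds(wp(body, inv), env)

# Slide 4: factorial loop body, invariant and guard.
FACT_BODY = ("seq", ("assign", "s", "s * n"), ("assign", "n", "n - 1"))
FACT_INV = "0 <= n <= N and s * fact(n) == fact(N)"
FACT_GUARD = "0 < n"

# Slide 11: Boogie form of `p.f = x / y;`; the heap update is modelled by
# substitution here instead of Boogie's equation on Heap'.
SLIDE11 = ("seq", ("assert", "p is not None"), ("assert", "y != 0"),
           ("assign", "Heap", "store(Heap, p, f, x / y)"))
```

`wp(FACT_BODY, FACT_INV)` yields the slide's intermediate assertion with n replaced by n-1 and s by s*n, and `wp(SLIDE11, "True")` yields the two null/zero checks of slide 11 with the heap update discharged by substitution.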

  12. Example translation (slide 11 repeated) • Demo: PhoneNumber.ssc

  13. Abstraction • How to specify the effect of method Play? [object diagram: a RockBand (method Play()) composed of an Organ (method Grind(), with a DrawBar), a Guitar (method Strum(), with two GtStrings) and Drums (method Bang(), with a Kick and a Snare)]

  14. Specification style • Demo • Spec# (ownership) • Dafny (dynamic frames)

  15. Specification style summary • Spec# • handles common cases easily • does not support all useful programming idioms • somewhat opaque • Dafny • flexible, transparent • primitive, verbose • What is a flexible/transparent/frugal specification language?

  16. When things verify • Modular verification goes a long way • Re-doing or re-playing proofs can be done off-line

  17. When things do not verify (which happens all too often) • Quick turnaround is key • For beginners and experts alike • Example: Hypervisor verification • Want: sub-second response • Understanding complaints

  18. Explaining errors visually [joint work with Claire Le Goues] • Pipeline: source program → Boogie intermediate program → formula → Z3 counterexample model [screenshot of a raw Z3 model: partitions *0, *1, … and function tables such as FieldType, DeclType, $IsGoodHeap, MapType1Select, dtype, omitted here] • model • tool demo • square • insert

  19. Verified Software Initiative • Hoare, Joshi, Leavens, Misra, Naumann, Shankar, Woodcock, et al. • “We envision a world in which computer programs are always the most reliable component of any system or device that contains them” [Hoare & Misra]

  20. Next steps • Continue to: • improve program-verification technology • do experiments • and pay more attention to tool usage: • Rapid-response analysis • Explanation tools • Ceaselessly-analyzing programming environments

  21. Some URLs • Boogie, Dafny, Chalice available as open source: http://boogie.codeplex.com • Spec# and VCC also available as open source under academic license: http://specsharp.codeplex.com and http://vcc.codeplex.com • Some papers: http://research.microsoft.com/~leino
