Formal Methods: Three suggestions for rapid adoption
Wolfram Schulte, RiSE, MSR
Workshop on Usable Verification, 11/15/2010

First: Build on the shoulders of giants: Unify and leverage tool chains
From program analysis tools in 2000-2003…
• Slam: model checker, simple decision procedure
• Fugue: dataflow analyzer, abstract domains
• Prefix/Prefast: symbolic interpretation, custom decision procedure
• ESP: dataflow analyzer, abstract domains

… to formal methods tools in 2004-2010…
Formula, Fine, Bek, SymDiff, VCC, Spec#, Poirot, Havoc, Pex, CodeContracts, Sage, Dafny, Chalice, Rex, Boogie, SymAutom, Z3, Isabelle, Simplify
Second: Specifications for free: Embrace developer languages

CodeContracts: Code as Specifications
• Use a language-agnostic library to author contracts
• Enables static and dynamic checking
• Contracts support "squiggles", views, doc generation
• Authoring ships in VS 2010, > 50k downloads for tools

    using System.Diagnostics.Contracts;

    // Returns the index of the smallest element, or -1 for an empty array.
    static int MinIndex(int[] data) {
        Contract.Requires(data != null);
        Contract.Ensures(Contract.Result<int>() >= -1);
        Contract.Ensures(Contract.Result<int>() < data.Length);
        var result = -1;
        for (int i = 0; i < data.Length; i++)
            result = (result < 0 || data[i] < data[result]) ? i : result;
        return result;
    }
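The MinIndex contracts above rendered as runtime-checked Python, an added example rather than the slide's code or the Code Contracts library: requires/ensures are hypothetical decorators standing in for Contract.Requires/Contract.Ensures, and min_index_buggy is a constructed variant whose data.Length sentinel the postcondition rejects.

```python
import functools
from typing import Callable, List, Optional

class ContractViolation(Exception):
    """Raised when a Requires or Ensures clause fails at runtime (constructed analogue)."""

def requires(pred: Callable[..., bool], text: str):
    """Precondition: checked on the arguments before the body runs (Contract.Requires)."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            if not pred(*args, **kwargs):
                raise ContractViolation(f"Requires failed in {fn.__name__}: {text}")
            return fn(*args, **kwargs)
        return wrapper
    return deco

def ensures(pred: Callable[..., bool], text: str):
    """Postcondition: pred receives the result (Contract.Result<int>()) plus the arguments."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            result = fn(*args, **kwargs)
            if not pred(result, *args, **kwargs):
                raise ContractViolation(f"Ensures failed in {fn.__name__}: {text}")
            return result
        return wrapper
    return deco

# The slide's three clauses; requires is outermost, so a null array is rejected before len(data) runs.
@requires(lambda data: data is not None, "data != null")
@ensures(lambda r, data: r >= -1, "result >= -1")
@ensures(lambda r, data: r < len(data), "result < data.Length")
def min_index(data: Optional[List[int]]) -> int:
    """Index of the smallest element, -1 for an empty array (the slide's MinIndex)."""
    result = -1
    for i in range(len(data)):
        result = i if result < 0 or data[i] < data[result] else result
    return result

@requires(lambda data: data is not None, "data != null")
@ensures(lambda r, data: r >= -1, "result >= -1")
@ensures(lambda r, data: r < len(data), "result < data.Length")
def min_index_buggy(data: Optional[List[int]]) -> int:
    """Constructed bug: uses len(data) as the 'not found' sentinel, so the empty-array case violates 'result < data.Length'."""
    result = len(data)
    for i in range(len(data)):
        result = i if result == len(data) or data[i] < data[result] else result
    return result
```

On non-empty input both versions agree, which is exactly why the bug survives ordinary unit tests but not the postcondition.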
Pex: Tests as Specifications
• Embrace Unit Tests / Test-Driven Development
• Supports automatic test case generation and environment isolation (Moles)
• Uses extended reflection and dynamic symbolic execution
• Pex as power tool for VS 2010, Moles for VS 2012, > 70k downloads

    // Parameterized unit test: Pex generates the concrete inputs.
    void ReadWrite(string name, string data) {
        Assume.IsTrue(name != null && data != null);
        Write(name, data);
        var readData = Read(name);
        Assert.AreEqual(data, readData);
    }

As a specification: string name, string data: name ≠ null ∧ data ≠ null ⇒ equals(ReadResource(name, WriteResource(name, data)), data)

SymDiff: Programs as Specifications
• Addresses the AppCompat/versioning problem
• Performs static semantic diff of closely related programs
• Uses Boogie, etc. to check where programs are different
Third: Catch flaws early: From code to design analysis

Formula for Modeling
Provide a general/intermediate language for capturing model-based abstractions, and support automated model synthesis in any direction.
• Formal descriptions of design spaces and reachability problems (in progress)
• Module system for composing specs and crossing abstraction boundaries
• Core formal specification language (CLP with negation over regular types)
Use-cases:
• Formalize domain-specific abstractions
• Combine/relate specs with help from the language
• Design-space exploration / model synthesis

Formula's Model Synthesis
Given a spec and a partial model, symbolic execution constructs a formula representing the design space.
Diagram labels: Formula Specification; Add symmetry breaking; Symbolic Execution; Z3 Solver; SMT Formula; Reconstruct FORMULA model; Infer cardinality bounds on data type instances; Encode solution region; Try something new; Pick next region
Formula: Applications
Translate your logic/configuration/constraint/… problem into Formula:
• Platform mappings: AUTOSAR / Muscle controller
• Specifying architectures: Edge content for the cloud
• Policy management: DKAL, SecPAL, System Center
• VM provisioning for the cloud: Azure
• UML/DSL mappings…

Summary: Usable Verification
• Build on the shoulders of giants: Unify and leverage tool chains
• Specifications for free: Embrace developer languages
• Catch flaws early: From code to design analysis

And use modern media to tell about success stories of usable verification.