260 likes | 352 Views
The smart programming assistant. Francesco Logozzo Researcher Microsoft Research, Redmond 3-403. What is it?. Vision for modern programming. Developed at RiSE, Microsoft Research. Real-time feedback. Report tricky bugs and regressions. Code improvements.
E N D
The smart programming assistant Francesco Logozzo Researcher Microsoft Research, Redmond 3-403
What is it? • Vision for modern programming. • Developed at RiSE, Microsoft Research. • Real-time feedback. • Report tricky bugs and regressions. • Code improvements. • Suggest code fixes and specifications.
“Standing on the shoulders of giants” • CodeContracts. • Contracts library part of .NET since v4.0. • Specify preconditions, postconditions, object-invariants. • Contracts tools: Static checker, and other tools available on VS Gallery. • Overall 100K downloads. • Roslyn CTP. • C#/VB compilers as services. • Open-up the compiler pipeline to expose internals. • ASTs, Refactoring…
Architecture Code contracts static checker Code Error checking. Semantic Inference. Answer queries. Visual Studio/Roslyn Verified repairs. Pre/post inference. Semantic baseline. Stored information
Required Slide *delete this box when your slide is finalized Your MS Tag will be inserted here during the final scrub. Evaluate this session • Scan this QR codeto evaluate this session and be automatically entered in a drawing to win a prize!
CodeContracts • Contract API part of .NET since v.4.0. • Tools available on VS Gallery. • Almost 100K downloads overall. • Devlabs, VS Gallery. • Active user MSDN forum. • 7700+ messages.
Available in VS Gallery! • More • VS 2012 integration. • Runtime checking. • Documentation generation. • Less • Post-build static analysis. • Scale via team shared SQL DB. • No refactoring.
Static analysis • Different from FxCop, Coverity, Resharper… • Those are (mostly) pattern-match based. • Perform deep semantic code analysis. • For each program point, infer invariants. • Invariants are properties that hold for all possible executions. • Main Idea: replace concrete values with abstract values. • Example: Instead of x : {0, 2, 4, 6, 8, 10} have x : [0, 10] && x is even.
Inference publicint BinarySearch(int[] array, int value) { Contract.Requires(array != null); varinf = 0; var sup = array.Length - 1; while (inf <= sup) { var mid = (inf + sup) / 2; varmidValue = array[mid]; if (midValue < value) inf = mid + 1; elseif (midValue > value) sup = mid - 1; else return mid; } return -1; } array != null inf: [0, MaxValue], sup: [-1, MaxValue), sup < array.Length inf: [0, 0], sup: [-1, MaxValue), sup < array.Length inf ≤ sup, sup: [0, MaxValue) mid: [0, MaxValue), mid ≤ sup, mid < array.Length inf: [1, MaxValue], sup: [0, MaxValue) inf:[0, 0], sup: [-1, MaxValue-1), sup < array.Length inf: [0, MaxValue], sup: [-1, MaxValue), sup < array.Length
Checks publicint BinarySearch(int[] array, int value) { Contract.Requires(array != null); varinf = 0; var sup = array.Length - 1; while (inf <= sup) { var mid = (inf + sup) / 2; varmidValue = array[mid]; if (midValue < value) inf = mid + 1; elseif (midValue > value) sup = mid - 1; else return mid; } return -1; } array != null MinValue ≤ array.Length -1 ≤ MaxValue MinValue ≤ (inf + sup)/2 ≤ MaxValue MinValue ≤ (inf + sup) ≤ MaxValue array != null 0 ≤ mid mid < array.Length MinValue ≤ mid + 1 ≤ MaxValue MinValue ≤ mid - 1 ≤ MaxValue
Error checking publicint BinarySearch(int[] array, int value) { Contract.Requires(array != null); varinf = 0; var sup = array.Length - 1; while (inf <= sup) { var mid = (inf + sup) / 2; varmidValue = array[mid]; if (midValue < value) inf = mid + 1; elseif (midValue > value) sup = mid - 1; else return mid; } return -1; } array != null array != null MinValue ≤ array.Length -1 ≤ MaxValue inf: [0, MaxValue], sup: [0, MaxValue], sup < array.Length MinValue ≤ (inf + sup) ≤ MaxValue MinValue ≤ (inf + sup)/2 ≤ MaxValue MinValue ≤(inf + sup) ≤ MaxValue array != null 0 ≤ mid mid < array.Length mid: [0, MaxValue) MinValue ≤ mid + 1 ≤ MaxValue MinValue ≤ mid - 1 ≤ MaxValue
Repairing overflows Leverage the semantic information inferred by the static analysis For instance, assume that 0 ≤ x, 0 ≤ y, 0 ≤ z Then x + y < z may overflow We derive a non-overflowing expression like that
Extract method publicint Decrement(int x) { Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >= 0); while (x != 0) x--; return x; } publicint Decrement(int x) { Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >= 0); x = NewMethod(x); return x; } privatestaticintNewMethod(int x) { while (x != 0) x--; return x; }
And the (modular) proof? publicint Decrement(int x) { Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >= 0); while (x != 0) x--; return x; } publicint Decrement(int x) { Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >= 0); x = NewMethod(x); return x; } privatestaticint NewMethod(int x) { while (x != 0) x--; return x; } Postcondition: ok Postcondition Violation? No overflow Possible overflow
Completeness ok Can’t prove ensures The verification of the callee should still go through. Counterexample: Valid and safe contract, but not complete.
Validity ok Invalid ensures The inferred contract should be valid. Counterexample:
Safety ok Possible overflow The precondition of the extracted method should advertise possible errors. Counterexample:
Generality Requires too strong ok ok The inferred contract is the most general satisfying Validity, Safety, and Completeness. Counterexample: Valid, Safe, and Complete, but not General contract.
Our solution ok ok Valid, Safe, Complete, and General contract