K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA, USA 15 January 2009 Séminaire Digiteo Orsay, France.

Research in Software Engineering
Microsoft Research,
Redmond
http://research.microsoft.com/rise
Related groups: PPT (MSR Cambridge)
and RSE (MSR India)
Goal
Better build, maintain, and understand
programs
How?
Specifications
Tools, tools, tools
Program semantics
Verification-condition generation, symbolic
execution, model checking, abstract
interpretation, fuzzing, test generation
Satisfiability Modulo Theories (SMT)
Hoare, Joshi, Leavens, Misra, Naumann,
Shankar, Woodcock, et al.
“We envision a world in which computer
programs are always the most reliable
component of any system or device that
contains them” [Hoare & Misra]
Spec# demo
Various techniques and RiSE tools
Use/effectiveness of tools at Microsoft
Research prototype
Spec# language
Object-oriented .NET language
Superset of C# 2.0, adding:
more types (e.g., non-null types)
specifications (e.g., pre- and postconditions)
Usage rules (methodology)
Checking:
Static type checking
Run-time checking
Static verification (optional)
StringBuilder.Append Method (Char[], Int32, Int32)
Appends the string representation of a specified subarray of Unicode characters to the end of this instance.
public StringBuilder Append(char[] value, int startIndex, int charCount);
Parameters
value: A character array.
startIndex: The starting position in value.
charCount: The number of characters to append.
Return Value
A reference to this instance after the append operation has occurred.
Exceptions
ArgumentNullException: value is a null reference, and startIndex and charCount are not zero.
ArgumentOutOfRangeException: charCount is less than zero.
-or- startIndex is less than zero.
-or- startIndex + charCount is greater than the length of value.
The same contract written in Spec#:
public StringBuilder Append(char[] value, int startIndex, int charCount)
  requires value == null ==> startIndex == 0 && charCount == 0;
  requires 0 <= startIndex;
  requires 0 <= charCount;
  requires value == null || startIndex + charCount <= value.Length;
  ensures result == this;
The same contract written with Code Contracts in plain C#:
public StringBuilder Append(char[] value, int startIndex, int charCount)
{
  Contract.Requires(value != null || (startIndex == 0 && charCount == 0));
  Contract.Requires(0 <= startIndex);
  Contract.Requires(0 <= charCount);
  Contract.Requires(value == null || startIndex + charCount <= value.Length);
  Contract.Ensures(Contract.Result<StringBuilder>() == this);
  // method implementation...
}
Note that the postcondition is declared at the top of the method body, which is not where it should be executed. A rewriter tool moves these.
Code Contracts
Declarative contracts
Language independent
Library to ship in .NET 4.0
Tools to be released via DevLabs:
Code Contracts Rewriter (for run-time checking)
Clousot abstract interpreter
Pex automated testing tool
Spec# verification pipeline (architecture figure):
Spec# source → Spec# compiler → MSIL ("bytecode") → Translator → Boogie (inference engine, V.C. generator) → verification condition → SMT solver → "correct" or list of errors
Boogie as a common intermediate verification language (figure):
Front ends: Spec#, C with HAVOC specifications, C with vcc specifications, Dafny, Chalice → Boogie → back-end provers: Simplify, Z3, SMT-Lib, Isabelle/HOL
Verification conditions computed by weakest preconditions (wp)
wp(Prog, Q) yields a formula that describes the pre-states from which Prog correctly establishes Q
Example:
wp( if (B) { S } else { T }, Q ) = (B ⇒ wp(S, Q)) ∧ (¬B ⇒ wp(T, Q))
Example program (Prog):
p := new C();
if (x < 0) { x := -x; }
assert p ≠ null;
wp( Prog, true )
= ((x<0 ⇒ (p≠null)[-x/x]) ∧ (¬(x<0) ⇒ p≠null))[new C()/p]
= (x<0 ⇒ new C()≠null) ∧ (¬(x<0) ⇒ new C()≠null)
Rewrite Prog into Prog':
assume p0 = new C();
if (x0 < 0) {
  assume x1 = -x0; assume x2 = x1;
} else {
  assume x2 = x0;
}
assert p0 ≠ null;
wp( Prog', true ) =
p0 = new C() ⇒ ((x0<0 ∧ x1 = -x0 ∧ x2 = x1) ∨ (¬(x0<0) ∧ x2 = x0)) ⇒ p0 ≠ null
Works well when the if branches modify variables that the downstream assertion does not depend on.
But when encoding the heap as one variable, almost every branch modifies that variable.
… room for new solutions
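The two derivations above, carried out by a small Python program that is an added example here and not code from the talk: it computes wp by substitution for Prog, rewrites Prog into the passive Prog' of the slide, and shows why the second form matters by building Prog with n copies of the if and measuring the size of each verification condition. Assumptions of the example: references are modelled as integers, with null as 0 and new C() as the constant 1; the passive-form condition is produced with the Flanagan-Saxe pair wp(S, true) and wlp(S, false), one standard way to obtain the single-copy formula shown on the slide; and a brute-force check over a small integer range stands in for the SMT solver.

```python
"""wp versus passive form for the slides' Prog/Prog' (added example, not the talk's code).
Expressions: ('var','x'), ('int',3), ('true',), ('false',), (op, arg, ...). Statements:
('assign', x, e), ('assert', e), ('assume', e), ('if', b, [then], [else]).
Assumption made here: references are integers, null is 0 and new C() is the constant 1."""
import itertools

TRUE, FALSE = ('true',), ('false',)
X, P, NULL, NEW_C = ('var', 'x'), ('var', 'p'), ('int', 0), ('int', 1)

def mk(op, *args):
    """Build (op, *args), folding true/false so the formulas stay readable."""
    if op in ('and', 'or'):
        unit, zero = (TRUE, FALSE) if op == 'and' else (FALSE, TRUE)
        args = tuple(a for a in args if a != unit)
        return zero if zero in args else unit if not args else args[0] if len(args) == 1 else (op,) + args
    if op == '=>' and (args[1] == TRUE or args[0] == FALSE): return TRUE
    return args[1] if op == '=>' and args[0] == TRUE else (op,) + args

def map_vars(e, f):
    """Rebuild e with every ('var', name) node replaced by f(node)."""
    if e[0] == 'var': return f(e)
    return (e[0],) + tuple(map_vars(a, f) if isinstance(a, tuple) else a for a in e[1:])

def wp(stmts, q):
    """Textbook wp(S1; ...; Sn, Q), right to left; Q is copied into both arms of an if."""
    for s in reversed(stmts):
        if s[0] == 'assign':    # wp(x := e, Q) = Q[e/x]
            q = map_vars(q, lambda v: s[2] if v[1] == s[1] else v)
        elif s[0] == 'assert':  # wp(assert P, Q) = P and Q
            q = mk('and', s[1], q)
        elif s[0] == 'assume':  # wp(assume P, Q) = P ==> Q
            q = mk('=>', s[1], q)
        else:                   # (B ==> wp(S, Q)) and (not B ==> wp(T, Q))
            q = mk('and', mk('=>', s[1], wp(s[2], q)), mk('=>', ('not', s[1]), wp(s[3], q)))
    return q

def passify(stmts, env, fresh):
    """Prog -> Prog': assignments become assumes on fresh versions. env maps a source variable
    to its current version ('x' -> 'x2') and must cover every variable read before it is written."""
    out, cur = [], lambda e: map_vars(e, lambda v: ('var', env[v[1]]))
    for s in stmts:
        if s[0] == 'assign':
            rhs = cur(s[2])
            env = {**env, s[1]: fresh(s[1])}
            out.append(('assume', ('==', ('var', env[s[1]]), rhs)))
        elif s[0] == 'if':
            b = cur(s[1])
            then, env_t = passify(s[2], env, fresh)
            els, env_e = passify(s[3], env, fresh)
            env = dict(env_t)
            for x in env_t.keys() & env_e.keys():  # join: one new name where the two paths disagree
                if env_t[x] != env_e[x]:
                    env[x] = fresh(x)
                    then.append(('assume', ('==', ('var', env[x]), ('var', env_t[x]))))
                    els.append(('assume', ('==', ('var', env[x]), ('var', env_e[x]))))
            out.append(('if', b, then, els))
        else:
            out.append((s[0], cur(s[1])))
    return out, env

def fs(stmts):
    """Flanagan-Saxe pair (wp(S,true), wlp(S,false)) of a passive S. For passive code
    wp(S,Q) = wp(S,true) and (wlp(S,false) or Q), so Q is never duplicated; the VC is wp(S,true)."""
    w, n = TRUE, FALSE
    for s in stmts:
        if s[0] == 'if':
            (wt, nt), (we, ne) = fs(s[2]), fs(s[3])
            ws = mk('and', mk('=>', s[1], wt), mk('=>', ('not', s[1]), we))
            ns = mk('and', mk('=>', s[1], nt), mk('=>', ('not', s[1]), ne))
        else:                   # wp(assume P,true) = true, wp(assert P,true) = P, wlp(.,false) = not P
            ws, ns = (TRUE if s[0] == 'assume' else s[1]), ('not', s[1])
        w = mk('and', w, mk('or', n, ws))   # wp(S;T,true) = wp(S,true) and (wlp(S,false) or wp(T,true))
        n = mk('or', n, ns)                 # wlp(S;T,false) = wlp(S,false) or wlp(T,false)
    return w, n

OPS = {'and': lambda *a: all(a), 'or': lambda *a: any(a), '=>': lambda a, b: not a or b,
       'not': lambda a: not a, '==': lambda a, b: a == b, '!=': lambda a, b: a != b,
       '<': lambda a, b: a < b, 'neg': lambda a: -a}

def evaluate(e, env):
    if e[0] in ('var', 'int'): return env[e[1]] if e[0] == 'var' else e[1]
    if e[0] in ('true', 'false'): return e[0] == 'true'
    return OPS[e[0]](*(evaluate(a, env) for a in e[1:]))
def free_vars(e):
    return {e[1]} if e[0] == 'var' else set().union(*(free_vars(a) for a in e[1:] if isinstance(a, tuple)))
def valid(e, domain=range(-2, 3)):   # brute-force validity over a small domain, standing in for the SMT solver
    xs = sorted(free_vars(e))
    return all(evaluate(e, dict(zip(xs, vs))) for vs in itertools.product(domain, repeat=len(xs)))
def size(e): return 1 + sum(size(a) for a in e[1:] if isinstance(a, tuple))

def prog(n_ifs=1):
    """p := new C(); n_ifs copies of `if (x < 0) { x := -x; }`; assert p != null."""
    return [('assign', 'p', NEW_C)] + [('if', ('<', X, ('int', 0)), [('assign', 'x', ('neg', X))], [])] * n_ifs + [('assert', ('!=', P, NULL))]

def passive_prog(n_ifs=1):   # Prog' of prog(n_ifs); versions numbered in creation order, x0 being x on entry
    counters = {}
    fresh = lambda x: f"{x}{next(counters.setdefault(x, itertools.count()))}"
    return passify(prog(n_ifs), {'x': fresh('x')}, fresh)[0]

def vc_naive(n_ifs=1): return wp(prog(n_ifs), TRUE)
def vc_passive(n_ifs=1): return fs(passive_prog(n_ifs))[0]
```

passive_prog() returns exactly the Prog' of the slide (p0 = 1, x1 = -x0, the join x2). vc_naive(8) copies the assertion into both arms of every if and comes out more than an order of magnitude larger than vc_passive(8), which grows by a constant per if; both conditions for the slide's program are valid, which is what the solver would report.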
Demo: Chunker.dict
Object diagram from the slide: two :Chunker objects (n: 84 and n: 20), each with the invariant inv dict.Count ≤ n and a rep field dict referring to a :Dictionary; a :Classroom with field studentGrades and invariant inv studentGrades.Count ≤ 20; the :Dictionary shown has Count: 21.
Spec#/Boogie methodology
Dynamic frames
Implicit dynamic frames
Separation logic
… room for improved encodings and
methodologies
Clousot
Abstract interpreter for .NET
Verifies Code Contracts at compile time
Some key technology:
Heap-aware abstraction
Iterative application of numerical domains: Pentagons, Subpolyhedra, others
Some common abstract domains:
Intervals: x ∈ [A, B]
Octagons: ±x ± y ≤ K
Polyhedra: Σᵢ aᵢ·xᵢ ≤ K
Observation: checking array accesses involves constraints like 0 ≤ x < a.Length. These can be represented by intervals plus variable orderings y ≤ x.
Pentagon (picture source: Robert Webb's Great Stella software, http://www.software3d.com/Stella.html)
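The observation above, as an added example that is neither the talk's nor Clousot's code: a minimal Pentagon domain in Python, an interval per variable plus strict orderings x < y, which is the form a check 0 ≤ x < a.Length needs. It is run over the loop `i := 0; while (i < a.Length) { a[i + k] := 0; i := i + 1; }` with a join and widening at the loop head. The variable names i, len (for a.Length) and j (for i + k), the loop itself and the transfer functions are this example's own choices.

```python
"""Pentagon abstract domain (intervals plus strict orderings x < y); added example,
not the talk's code. Variables: i (loop index), len (a.Length), j (i + k)."""
import math

INF = math.inf

class Pentagon:
    """Abstract state: an interval per variable plus a set of facts (x, y) meaning x < y."""
    def __init__(self, ivals, lt=()):
        self.ivals, self.lt = dict(ivals), frozenset(lt)

    def __eq__(self, other):
        return self.ivals == other.ivals and self.lt == other.lt

    def assume_lt(self, x, y):
        """Refine with x < y: record the ordering and tighten both intervals."""
        (xl, xh), (yl, yh) = self.ivals[x], self.ivals[y]
        iv = {**self.ivals, x: (xl, min(xh, yh - 1)), y: (max(yl, xl + 1), yh)}
        return Pentagon(iv, self.lt | {(x, y)})

    def assign_add(self, x, y, c):
        """x := y + c. Facts about the old x are dropped; y < x is learnt when c > 0 and x != y."""
        yl, yh = self.ivals[y]
        lt = {(a, b) for (a, b) in self.lt if x not in (a, b)}
        if c > 0 and x != y:
            lt.add((y, x))
        return Pentagon({**self.ivals, x: (yl + c, yh + c)}, lt)

    def join(self, other):
        """Least upper bound: interval hull, and only the orderings both sides agree on."""
        iv = {v: (min(l, other.ivals[v][0]), max(h, other.ivals[v][1])) for v, (l, h) in self.ivals.items()}
        return Pentagon(iv, self.lt & other.lt)

    def widen(self, other):
        """Widening: a bound that grew jumps to infinity so the loop analysis terminates."""
        iv = {v: (l if other.ivals[v][0] >= l else -INF, h if other.ivals[v][1] <= h else INF)
              for v, (l, h) in self.ivals.items()}
        return Pentagon(iv, self.lt & other.lt)

    def proves_in_bounds(self, x, y):
        """Is 0 <= x < y provable? The upper bound may come from an ordering or from the intervals."""
        lower = self.ivals[x][0] >= 0
        upper = (x, y) in self.lt or self.ivals[x][1] < self.ivals[y][0]
        return lower and upper

def analyze(offset=0, use_orderings=True):
    """Fixpoint over the loop head; returns whether a[i + offset] is provably in bounds.
    use_orderings=False keeps only the interval half of the domain, for comparison."""
    head = Pentagon({'i': (0, 0), 'len': (0, INF), 'j': (-INF, INF)})  # i := 0; a.Length >= 0
    while True:
        body = head.assume_lt('i', 'len')             # loop guard holds on the path into the body
        if not use_orderings:
            body = Pentagon(body.ivals)
        idx = 'i'
        if offset:
            body = body.assign_add('j', 'i', offset)  # j := i + offset
            idx = 'j'
        ok = body.proves_in_bounds(idx, 'len')        # the access a[idx]
        after = body.assign_add('i', 'i', 1)          # i := i + 1, back edge to the head
        new_head = head.widen(head.join(after))
        if new_head == head:
            return ok
        head = new_head
```

With orderings the access a[i] is proved in bounds although a.Length is unbounded; intervals alone cannot show i < len at the fixpoint, and the off-by-one access a[i + 1] is correctly rejected.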
Sage [Godefroid, Levin, et al.]
White-box fuzzing for C programs, starting from a seed input
Pex [de Halleux, Tillmann, et al.]
Automatic white-box testing for .NET
Z3
Satisfiability Modulo Theories (SMT) solver
9 first places and 6 second places at SMT-COMP'08
Used in all tools mentioned, except Clousot
Static Driver Verifier (SDV)
Applied regularly to all Microsoft device drivers of the supported device models
~300 bugs found
Available to third parties in the Windows DDK
Sage
Applied regularly
100s of people doing various kinds of fuzzing
HAVOC
Has been applied to 100s of KLOC
~40 bugs in resource leaks, lock usage, use-after-free
vcc
Being applied to Microsoft Hypervisor
…
Machine-processable specifications are
being used increasingly
Tools are useful and necessary
Provide useful checking
Both validate and drive research
SMT solving is a key technology
Trend: user input is moving toward
program text
Many research challenges
http://research.microsoft.com/rise