1. Hoare-style� program verification K. Rustan M. Leino�Guest lecturer
2. Programming language skip
x := E
assert B
S ; T
if B then S else T end
while B do S end
3. Procedural abstraction Procedure declaration
procedure Find(int[] a, int m, int n, int x): int
Procedure call
call r := Find(scores, 0, numStudents, 100)
Procedure implementation
impl Find(int[] a, int m, int n, int x): int� {� � }
4. Procedure specifications Procedure declaration
procedure Find(int[] a, int m, int n, int x): int� specification
Procedure call
call r := Find(scores, 0, numStudents, 100)
Procedure implementation
impl Find(int[] a, int m, int n, int x): int� {� � }
5. Contracts Caller obligations
Precondition
Implementation obligations
Postcondition
6. Informal contract
7. Formal contract
8. A bogus implementation? procedure Sum()� requires 0?N;� ensures s = (Si | 0?i<N ? a[i]);
impl Sum()� {� N := 0;� s := 0� }
9. More about postconditions Often relate pre-state and post-state
ensures x > old(x);
Must say what goes unchanged
ensures N = old(N);
modifies only s;
10. Information hiding and�data abstraction class Counter {� model n: int;����� method Increment()� modifies only n;� ensures old(n) + 1 = n;�� method Decrement()� modifies only n;� ensures old(n) = n + 1;��}
11. Information hiding and�data abstraction class Counter {� model n: int;� private a: int;� private b: int;� representation n is a b;�� method Increment()� modifies only n;� ensures old(n) + 1 = n;� { a := a + 1 }� method Decrement()� modifies only n;� ensures old(n) = n + 1;� { b := b + 1 }�}
12. Data invariants class Counter {� model n: int;� private a: int;� private b: int;� representation n is a b;� invariant 0 ? a ? 0 ? b;� method Increment()� modifies only n;� ensures old(n) + 1 = n;� { a := a + 1 }� method Decrement()� modifies only n;� ensures old(n) = n + 1;� { b := b + 1 }�}
13. Vision Increased programmer productivity and program reliability through increased rigor
14. Extended Static Checker for Java (ESC/Java) Built at Compaq SRC
ESC/Java 2 built by Joe Kiniry (U. Nijmegen) and David Cok (Kodak)
Input: Java + user-supplied annotations
annotations are subset of JML (Java Modeling LanguageGary Leavens, et al., Iowa State U.)
Annotation language captures programmer design decisions
Powered by program semantics and automatic theorem proving
Performs modular checking
15. ESC/Java demo
16. Program checker design tradeoffs Missed errors
Spurious warnings
Annotation overhead
Performance
17. ESC/Java experience: annotations Capture common design decisions
Suggested immediately by warnings
Overhead: 4-10% of source code
~1 annotation per field or parameter
Most common annotations:
preconditions
invariants
Most common things to specify:
non nullity
container element types
18. ESC/Java experience: performance 50% of all methods: < 0.5 s
80% of all methods: < 1 s
time limit: 300 s
total time for Javafe (~40kloc): 65 min.
19. Tool architecture
20. Spec# and Boogie
21. Spec# is C# extended with: Non-null types
Preconditions
Postconditions
Object invariants
Checked exceptions
...
22. Boogie: Under the hood
23. Spec#: Object invariants class C {� int x, y;� invariant x < y;
� �
� �
�
24. Spec#: Object invariants class C {� int x, y;� invariant x < y;
public void M(T! o) {� � expose (this) {
this.x = this.y;� o.P();� this.y++;
}�
}
25. Spec#: Object invariants class C {� int x, y;� invariant x < y;
public void M(T! o) {� � expose (this) {
this.x = this.y;� o.P();� this.y++;
}�
}
26. Evolution C# managed code� ? Spec# non-null types, parameter validation� ? Boogie verification
27. Summary of lectures Hoare triples and weakest preconditions give a way to prove a program correct
Invariants are everywhere
Procedure specifications
Tool support for software engineering
