260 likes | 357 Vues
Discover the power of CodeContracts and deep semantic code analysis for bug detection, refactoring, and code improvement. Learn how to leverage static analysis for error checking and repairing overflows in your codebase. Explore modern programming tools developed at Microsoft Research to elevate your coding practices.
 
                
                E N D
The smart programming assistant Francesco Logozzo Researcher Microsoft Research, Redmond 3-403
What is it? • Vision for modern programming. • Developed at RiSE, Microsoft Research. • Real-time feedback. • Report tricky bugs and regressions. • Code improvements. • Suggest code fixes and specifications.
“Standing on the shoulders of giants” • CodeContracts. • Contracts library part of .NET since v4.0. • Specify preconditions, postconditions, object-invariants. • Contracts tools: Static checker, and other tools available on VS Gallery. • Overall 100K downloads. • Roslyn CTP. • C#/VB compilers as services. • Open-up the compiler pipeline to expose internals. • ASTs, Refactoring…
Architecture Code contracts static checker Code Error checking. Semantic Inference. Answer queries. Visual Studio/Roslyn Verified repairs. Pre/post inference. Semantic baseline. Stored information
Required Slide *delete this box when your slide is finalized Your MS Tag will be inserted here during the final scrub. Evaluate this session • Scan this QR codeto evaluate this session and be automatically entered in a drawing to win a prize!
CodeContracts • Contract API part of .NET since v.4.0. • Tools available on VS Gallery. • Almost 100K downloads overall. • Devlabs, VS Gallery. • Active user MSDN forum. • 7700+ messages.
Available in VS Gallery! • More • VS 2012 integration. • Runtime checking. • Documentation generation. • Less • Post-build static analysis. • Scale via team shared SQL DB. • No refactoring.
Static analysis • Different from FxCop, Coverity, Resharper… • Those are (mostly) pattern-match based. • Perform deep semantic code analysis. • For each program point, infer invariants. • Invariants are properties that hold for all possible executions. • Main Idea: replace concrete values with abstract values. • Example: Instead of x : {0, 2, 4, 6, 8, 10} have x : [0, 10] && x is even.
Inference publicint BinarySearch(int[] array, int value) { Contract.Requires(array != null); varinf = 0; var sup = array.Length - 1; while (inf <= sup) { var mid = (inf + sup) / 2; varmidValue = array[mid]; if (midValue < value) inf = mid + 1; elseif (midValue > value) sup = mid - 1; else return mid; } return -1; } array != null inf: [0, MaxValue], sup: [-1, MaxValue), sup < array.Length inf: [0, 0], sup: [-1, MaxValue), sup < array.Length inf ≤ sup, sup: [0, MaxValue) mid: [0, MaxValue), mid ≤ sup, mid < array.Length inf: [1, MaxValue], sup: [0, MaxValue) inf:[0, 0], sup: [-1, MaxValue-1), sup < array.Length inf: [0, MaxValue], sup: [-1, MaxValue), sup < array.Length
Checks publicint BinarySearch(int[] array, int value) { Contract.Requires(array != null); varinf = 0; var sup = array.Length - 1; while (inf <= sup) { var mid = (inf + sup) / 2; varmidValue = array[mid]; if (midValue < value) inf = mid + 1; elseif (midValue > value) sup = mid - 1; else return mid; } return -1; } array != null MinValue ≤ array.Length -1 ≤ MaxValue MinValue ≤ (inf + sup)/2 ≤ MaxValue MinValue ≤ (inf + sup) ≤ MaxValue array != null 0 ≤ mid mid < array.Length MinValue ≤ mid + 1 ≤ MaxValue MinValue ≤ mid - 1 ≤ MaxValue
Error checking publicint BinarySearch(int[] array, int value) { Contract.Requires(array != null); varinf = 0; var sup = array.Length - 1; while (inf <= sup) { var mid = (inf + sup) / 2; varmidValue = array[mid]; if (midValue < value) inf = mid + 1; elseif (midValue > value) sup = mid - 1; else return mid; } return -1; } array != null array != null MinValue ≤ array.Length -1 ≤ MaxValue inf: [0, MaxValue], sup: [0, MaxValue], sup < array.Length MinValue ≤ (inf + sup) ≤ MaxValue MinValue ≤ (inf + sup)/2 ≤ MaxValue MinValue ≤(inf + sup) ≤ MaxValue array != null 0 ≤ mid mid < array.Length mid: [0, MaxValue) MinValue ≤ mid + 1 ≤ MaxValue MinValue ≤ mid - 1 ≤ MaxValue
Repairing overflows Leverage the semantic information inferred by the static analysis For instance, assume that 0 ≤ x, 0 ≤ y, 0 ≤ z Then x + y < z may overflow We derive a non-overflowing expression like that
Extract method publicint Decrement(int x) { Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >= 0); while (x != 0) x--; return x; } publicint Decrement(int x) { Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >= 0); x = NewMethod(x); return x; } privatestaticintNewMethod(int x) { while (x != 0) x--; return x; }
And the (modular) proof? publicint Decrement(int x) { Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >= 0); while (x != 0) x--; return x; } publicint Decrement(int x) { Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >= 0); x = NewMethod(x); return x; } privatestaticint NewMethod(int x) { while (x != 0) x--; return x; } Postcondition: ok Postcondition Violation? No overflow Possible overflow
Completeness ok Can’t prove ensures The verification of the callee should still go through. Counterexample: Valid and safe contract, but not complete.
Validity ok Invalid ensures The inferred contract should be valid. Counterexample:
Safety ok Possible overflow The precondition of the extracted method should advertise possible errors. Counterexample:
Generality Requires too strong ok ok The inferred contract is the most general satisfying Validity, Safety, and Completeness. Counterexample: Valid, Safe, and Complete, but not General contract.
Our solution ok ok Valid, Safe, Complete, and General contract