Program Verification
K. Rustan M. Leino
Research in Software Engineering (RiSE)
Microsoft Research, Redmond
University of Washington
CSE P 503
12 January 2012
Reasoning about programs
Central to any programming task
From safety-critical applications to scripting
From initial development to maintenance to debugging
Minimizes faults, security problems, time/cost to market
Thinking skill
Formal reasoning
Specifications record the intended program behavior
Tools verify the consistency of the program and its specifications
Dafny
Class-based language
generic classes, no subclassing
object references, dynamic allocation
sequential control
Built-in specifications
pre- and postconditions
framing
loop invariants, inline assertions
termination
Specification support
Sets, sequences, inductive datatypes, …
User-defined recursive functions
Ghost variables
Using Dafny on the web
Dafny tutorial
Basics (assert, ensures, BVD (the Boogie Verification Debugger), assume, requires, call, testing specs, debugging specs)
Swap (parameters, globals, fields)
demo
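The Swap demo itself is not reproduced in the transcript. The following is an added example, written for this page in Dafny 4 syntax rather than taken from the lecture, showing the basics listed on the slide: a precondition (requires), a frame (modifies), postconditions (ensures), a call, and in-line asserts. The method and variable names are the example's own. The security-relevant point is the precondition: without the bounds requirement on i and j the verifier rejects the array accesses outright, so an out-of-bounds write cannot slip past verification.

```dafny
// Added example (not from the slides): swap two array elements with a full
// specification, then exercise it from a caller.
method Swap(a: array<int>, i: int, j: int)
  requires 0 <= i < a.Length && 0 <= j < a.Length   // rules out out-of-bounds access
  modifies a                                          // frame: only array a may change
  ensures a[i] == old(a[j]) && a[j] == old(a[i])      // the two elements are exchanged
  ensures forall k :: 0 <= k < a.Length && k != i && k != j ==> a[k] == old(a[k])
  // ...and every other element is untouched
{
  var tmp := a[i];
  a[i] := a[j];
  a[j] := tmp;
}

method Caller()
{
  var a := new int[3];            // constructed sample input
  a[0], a[1], a[2] := 10, 20, 30;
  Swap(a, 0, 2);                  // the call is checked against Swap's requires
  assert a[0] == 30 && a[2] == 10; // follows from Swap's first ensures clause
  assert a[1] == 20;               // needs the second (frame) ensures clause
}
```

Removing the second ensures clause of Swap makes the last assert in Caller fail, because the caller reasons only from Swap's specification, never from its body.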
Reasoning about loops
A loop invariant
holds at the top of every iteration
is the only thing the verifier remembers from one iteration to another (about the variables being modified)
It is as if the loop body were not available

  while (B) {
    S;
  }

Loop invariant holds here (at the top of the loop, on every iteration)
Loops
Iterative Fibonacci
demo
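The iterative Fibonacci demo is not included in the transcript. The following is an added example in Dafny 4 syntax, written for this page and not taken from the lecture, that shows the loop-invariant rule from the previous slide on exactly that program: a recursive specification function fib, and a loop whose invariant is the only fact the verifier carries from one iteration to the next. The names fib, ComputeFib, b and c are the example's own.

```dafny
// Added example (not from the slides): iterative Fibonacci verified against a
// recursive specification.

// Specification: the mathematical Fibonacci function (terminates by decreasing n).
function fib(n: nat): nat
{
  if n < 2 then n else fib(n - 2) + fib(n - 1)
}

method ComputeFib(n: nat) returns (b: nat)
  ensures b == fib(n)
{
  var i := 0;
  b := 0;          // fib(0)
  var c := 1;      // fib(1)
  while i < n
    invariant 0 <= i <= n
    invariant b == fib(i) && c == fib(i + 1)
    // These two lines are all the verifier knows about i, b and c at the loop
    // head; the body is checked only for re-establishing them.
  {
    b, c := c, b + c;   // slide the window one step: (fib(i+1), fib(i+2))
    i := i + 1;
  }
  // On exit the invariant and the negated guard give i == n, hence b == fib(n).
}
```

Deleting the conjunct c == fib(i + 1) from the invariant makes the postcondition unprovable, even though the code is unchanged: the verifier no longer remembers what c is when it re-enters the body.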
Termination
A variant function is an expression whose value goes down (in some well-founded ordering) with every iteration/call

  while (B) {
    S;
  }

At the time a loop back-edge is taken, the value of the variant function must be less than at the beginning of the iteration

  method M() {
    P();
  }

At the time of the call, the callee's variant function must be less than the caller's
Proving termination
Termination
demo
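The termination demo is not in the transcript. The following added example, in Dafny 4 syntax and not taken from the lecture, shows a variant function that Dafny cannot guess on its own: Euclid's algorithm, both as a recursive function and as a loop. Dafny's default guess for gcd would be the lexicographic pair (a, b), which fails because the first argument can grow; the explicit decreases clause names the quantity that actually shrinks in the well-founded ordering on natural numbers. The names gcd and GcdLoop are the example's own.

```dafny
// Added example (not from the slides): termination via an explicit variant
// function for Euclid's algorithm.

function gcd(a: nat, b: nat): nat
  decreases b          // variant function: the second argument strictly decreases
{
  if b == 0 then a else gcd(b, a % b)   // a % b < b, so the callee's variant is smaller
}

method GcdLoop(a0: nat, b0: nat) returns (g: nat)
  ensures g == gcd(a0, b0)
{
  var a, b := a0, b0;
  while b != 0
    invariant gcd(a, b) == gcd(a0, b0)  // the remaining work has the same answer
    decreases b                         // each back-edge sees a strictly smaller b
  {
    a, b := b, a % b;                   // guard b != 0 also discharges the division check
  }
  g := a;                               // b == 0 here, so gcd(a, b) == a
}
```

Without the decreases clauses, Dafny reports that it cannot prove termination for gcd; the loop version would also fail to verify its postcondition if the invariant were dropped, because nothing else connects the final a to the original inputs.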
Review
Method specifications have pre- and postconditions
Loops are specified with loop invariants
Termination is specified using variant functions
Debugging
The verification debugger gives a way to inspect values in a trace of a counterexample
Assert statements check that a condition is known to hold and can be used as lemmas
Assume statements restrict attention to certain executions and are useful for verification debugging (an assume is trusted, not checked, so it must not remain in code that is meant to be verified)
Abstraction and invariants
TimeSpan
demo
Abstraction, frames
Counter
demo
Dynamic frames, recap
Conceptually:

  class C {
    invariant J;
    …
  }

Explicitly in Dafny:

  class C {
    function Valid(): bool
      …
    { J }
    ghost var Repr: set<object>;
    constructor Init()
      modifies this;
      ensures Valid() && fresh(Repr - {this});
    method Mutate()
      requires Valid();
      modifies Repr;
      ensures Valid() && fresh(Repr - old(Repr));
  }
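The Counter demo from the "Abstraction, frames" slide is not in the transcript. The following added example, written for this page in Dafny 4 syntax and not taken from the lecture, instantiates the dynamic-frames pattern above on a counter with the invariant J = (this in Repr && 0 <= n). It supplies the reads clause that the pattern's "…" elides (Valid must declare what it reads), and uses ghost predicate, which is what the slide-era function Valid(): bool corresponds to in current Dafny. The names Counter, Inc and Client are the example's own.

```dafny
// Added example (not from the slides): the dynamic-frames idiom on a counter.
class Counter {
  var n: int
  ghost var Repr: set<object>   // the footprint this object owns

  ghost predicate Valid()
    reads this, Repr            // the slide elides this clause with "..."
  {
    this in Repr && 0 <= n      // J: the object is in its own footprint, n never negative
  }

  constructor Init()
    ensures Valid() && fresh(Repr - {this})
    ensures n == 0
  {
    n := 0;
    Repr := {this};
  }

  method Inc()
    requires Valid()
    modifies Repr               // may only touch the footprint it owns
    ensures Valid() && fresh(Repr - old(Repr))
    ensures n == old(n) + 1
  {
    n := n + 1;                 // allowed because Valid() gives this in Repr
  }
}

method Client()
{
  var c := new Counter.Init();
  c.Inc();
  c.Inc();
  assert c.n == 2;              // proven from Init's and Inc's postconditions, not their bodies
  assert c.Valid();             // the invariant is re-established after every call
}
```

The client never sees the bodies of Init or Inc; everything it can conclude comes from the postconditions, and the modifies Repr clause is what lets it keep believing facts about objects outside the counter's footprint across the calls.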
Links
Dafny
General information and Quick Reference: research.microsoft.com/dafny
Tutorial: rise4fun.com/Dafny/tutorial/guide
rise4fun
rise4fun.com
Verification Corner
research.microsoft.com/verificationcorner