Verification tools at Microsoft

K. Rustan M. LeinoResearch in Software Engineering (RiSE)Microsoft Research, Redmond, WA, USA

15 January 2009Séminaire DigiteoOrsay, France

RiSEResearch in Software EngineeringMicrosoft Research,Redmond

http://research.microsoft.com/riseRelated groups: PPT (MSR Cambridge) and RSE (MSR India)

Software engineering researchGoal

Better build, maintain, and understand programs

How?SpecificationsTools, tools, tools

Program semanticsVerification-condition generation, symbolic execution, model checking, abstract interpretation, fuzzing, test generationSatisfiability Modulo Theories (SMT)

Verified Software InitiativeHoare, Joshi, Leavens, Misra, Naumann, Shankar, Woodcock, et al.

“We envision a world in which computer programs are always the most reliable component of any system or device that contains them” [Hoare & Misra]

Structure of talkSpec# demoVarious techniques and RiSE toolsUse/effectiveness of tools at Microsoft

Spec# programming system[Barnett, Fähndrich, Leino, Müller, Schulte, Venter, et al.]

Research prototypeSpec# language

Object-oriented .NET languageSuperset of C# 2.0, adding:

more types (e.g., non-null types)specifications (e.g., pre- and postconditions)

Usage rules (methodology)Checking:

Static type checkingRun-time checkingStatic verification (optional)

Spec# demo

StringBuilder.Append Method (Char[ ], Int32, Int32)Appends the string representation of a specified subarray of Unicode characters to the end of this instance.

public StringBuilder Append(char[] value, int startIndex, int charCount);

Parameters

valueA character array.

startIndexThe starting position in value.

charCountThe number of characters append.

Return Value

A reference to this instance after the append operation has occurred.

Exceptions

Exception Type Condition

ArgumentNullException value is a null reference, and startIndex and charCount are not zero.

ArgumentOutOfRangeException charCount is less than zero.-or-startIndex is less than zero.-or-startIndex + charCount is less than the length of value.

Specifications: .NET today

Specifications in Spec#public StringBuilder Append(char[] value, int startIndex, int charCount ); requires value == null ==> startIndex == 0 && charCount == 0; requires 0 <= startIndex; requires 0 <= charCount; requires value == null || startIndex + charCount <= value.Length; ensures result == this;

Exception Type Condition

ArgumentNullException value is a null reference, and startIndex and charCount are not zero.

ArgumentOutOfRangeException charCount is less than zero.-or-startIndex is less than zero.-or-startIndex + charCount is less than the length of value.

Specifications with Code Contractspublic StringBuilder Append(char[] value, int startIndex, int charCount ){ Contract.Requires(value != null || (startIndex == 0 && charCount == 0)); Contract.Requires(0 <= startIndex); Contract.Requires(0 <= charCount); Contract.Requires(value == null || startIndex + charCount <= value.Length); Contract.Ensures(Contracts.Result<StringBuilder>() == this);

// method implementation...}

Note that postcondition is declared at top of method body, which is not where

it should be executed.A rewriter tool moves

these.

Code Contracts [Barnett, Fähndrich, Grunkemeyer, et al.]

Declarative contractsLanguage independentLibrary to ship in .NET 4.0Tools to be released via DevLabs

Code Contracts Rewriter (for run-time checking)Clousot abstract interpreterPex automated testing tool

MSIL (“bytecode”)

SMT solver

V.C. generator

Inference engine

Translator

verification condition

“correct” or list of errors

Spec# compiler

Spec#

Boogie

Spec# verifier architecture

Boogie – a verification tool bus[Barnett, Jacobs, Leino, Moskal, Rümmer, et al.]Spec#

C with HAVOC

specifications

DafnyC with vcc specificatio

nsChalice

Z3Simplif

ySMT Lib

Boogie

Boogie-to-Boogie transformations:• Inference engines• Program transformations• Logic optimizers

Your

language

here

Your

prover

hereIsabelle/HOL

Verification-condition generation

Verification conditions computed by weakest preconditions (wp)wp( Prog, Q ) yields a formula that describes the pre-states from which Prog correctly establishes QExample:wp( if (B) { S } else { T }, Q ) =

(B wp(S, Q)) (¬B wp(T, Q))

Traditional VC generation

Example program (Prog): p := new C(); if (x < 0) { x := -x; } assert p ≠ null;wp( Prog, true )= ((x<0 (p≠null)[-x/x])

(¬(x<0) p≠null))[newC()/p]= ((x<0 newC()≠null)

(¬(x<0) newC()≠null)

Improved VC generation[Flanagan, Saxe, Barnett, Leino]

Rewrite Prog into Prog’: assume p0 = newC(); if (x0 < 0) {

assume x1 = -x0; assume x2 = x1; } else {

assume x2 = x0; } assert p0 ≠ null; wp( Prog’, true ) =

p0=newC() ((x0<0 x1= -x0 x2 = x1) (¬(x0<0) x2 =

x0)) p0 ≠ null

Problem with improved schemes

Works well when the if branches modify variables that the downstream assertion does not depend onBut when encoding the heap as one variable, almost every branch modifies that variable

… room for new solutions

Multi-object invariants[Barnett, Fähndrich, Leino, Müller, et al.]

Demo: Chunker.dict

dict:

Multi-object invariants

:Chunker

:Dictionary

n: 84

Count: 21

:Chunker

dict:

n: 20

inv dict.Count ≤ n;

:Classroom

studentGrades:

inv studentGrades.Count ≤

20;

rep

inv dict.Count ≤ n;ow

ner

Other heap methodologiesSpec#/Boogie methodologyDynamic framesImplicit dynamic framesSeparation logic

… room for improved encodings and methodologies

Clousot [Fähndrich, Logozzo]

Abstract interpreter for .NETVerifies Code Contracts at compile timeSome key technology:

Heap-aware abstractionIterative application of numerical domains:

PentagonsSubpolyhedraothers

PentagonsSome common abstract domains:

Intervals x [A,B]Octagons x y ≤ K

Polyhedra Σi xi ≤ K

Observation:Checking array accessesinvolves constraints like0 ≤ x < a.LengthThese can be representedby intervals plus variableorderings y ≤ x

Picture source: Robert Webb's Great Stella software, http://www.software3d.com/Stella.html

Pentagon:

Symbolic-powered testingSage [Godefroid, Levin, et al.]

White-box fuzzing for C programs

Pex [de Halleux, Tillman, et al.]

Automatic white-box testing for .NET

Seed input

New generation of symbolically derived input

Z3 [Bjørner, de Moura]

Satisfiability Modulo Theories (SMT) solver9 first places and 6 second places atSMT-COMP’08Used in all tools mentioned, except Clousot

Effectiveness of toolsStatic Driver Verifier (SDV)

Applied regularly to all Microsoft device drivers of the support device models~300 bugs foundAvailable to third parties in Windows DDK

SageApplied regularly100s of people doing various kinds of fuzzing

HAVOCHas been applied to 100s of KLOC~40 bugs in resource leaks, lock usage, use-after-free

vccBeing applied to Microsoft Hypervisor

…

ConclusionsMachine-processable specifications are being used increasinglyTools are useful and necessary

Provide useful checkingBoth validate and drive research

SMT solving is a key technologyTrend: user input is moving toward program textMany research challenges

http://research.microsoft.com/rise