Boogie: A Modular Reusable Verifier for Object-Oriented Programs



Similar documents
Rigorous Software Engineering Hoare Logic and Design by Contracts

Regression Verification: Status Report

Automated Theorem Proving - summary of lecture 1

StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java

Unified Static and Runtime Verification of Object-Oriented Software

Rigorous Software Development CSCI-GA

Towards practical reactive security audit using extended static checkers 1

Design by Contract beyond class modelling

Formal Verification of Software

Specification and Analysis of Contracts Lecture 1 Introduction

Translating to Java. Translation. Input. Many Level Translations. read, get, input, ask, request. Requirements Design Algorithm Java Machine Language

CSCI 3136 Principles of Programming Languages

Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia

Software Engineering Techniques

Programming Languages

Thomas Jefferson High School for Science and Technology Program of Studies Foundations of Computer Science. Unit of Study / Textbook Correlation

Introducing Formal Methods. Software Engineering and Formal Methods

Chapter 4: Design Principles I: Correctness and Robustness

Java 6 'th. Concepts INTERNATIONAL STUDENT VERSION. edition

Programming Languages

Probabilistic Assertions

JavaScript as a compilation target Making it fast

Topics. Introduction. Java History CS 146. Introduction to Programming and Algorithms Module 1. Module Objectives

CSE 130 Programming Language Principles & Paradigms

First Java Programs. V. Paúl Pauca. CSC 111D Fall, Department of Computer Science Wake Forest University. Introduction to Computer Science

Constructing Contracts: Making Discrete Mathematics Relevant to Beginning Programmers

VDM vs. Programming Language Extensions or their Integration

Termination Checking: Comparing Structural Recursion and Sized Types by Examples

Chapter 1. Dr. Chris Irwin Davis Phone: (972) Office: ECSS CS-4337 Organization of Programming Languages

Stacks. Linear data structures

Advanced compiler construction. General course information. Teacher & assistant. Course goals. Evaluation. Grading scheme. Michel Schinz

Lecture 9 verifying temporal logic

1. What are Data Structures? Introduction to Data Structures. 2. What will we Study? CITS2200 Data Structures and Algorithms

JavaScript: Control Statements I

Semantic Analysis: Types and Type Checking

Verification of Imperative Programs in Theorema

Object Invariants in Dynamic Contexts

Overview presentation, CIEL, Bordeaux, 9 June Means Eidgenösische Technische Hochschule (German)

Sources: On the Web: Slides will be available on:

02 B The Java Virtual Machine

Course Title: Software Development

How To Write A Program Verification And Programming Book

Logistics. Software Testing. Logistics. Logistics. Plan for this week. Before we begin. Project. Final exam. Questions?

1.1 WHAT IS A PROGRAMMING LANGUAGE?

Teaching Non-majors Computer Programming Using Games as Context and Flash ActionScript 3.0 as the Development Tools

Chapter 5 Names, Bindings, Type Checking, and Scopes

InvGen: An Efficient Invariant Generator

Integration of Application Business Logic and Business Rules with DSL and AOP

C++ Programming Language

Obfuscation of Abstract Data-Types

Chapter 12 Programming Concepts and Languages

Language Evaluation Criteria. Evaluation Criteria: Readability. Evaluation Criteria: Writability. ICOM 4036 Programming Languages

Model-Based Quality Assurance of The SMB2 Protocol Documentation

Network (Tree) Topology Inference Based on Prüfer Sequence

CSC Software II: Principles of Programming Languages

C# and Other Languages

Computing Concepts with Java Essentials

Runtime Verification of Computer Programs and its Application in Programming Education

Software Component Specification Using Design by Contract

Construct by Contract: Construct by Contract: An Approach for Developing Reliable Software

A Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation

LEVERAGING DEDUCTIVE VERIFICATION IN INDUSTRIAL CONTEXTS

C Compiler Targeting the Java Virtual Machine

How To Write A Test Engine For A Microsoft Microsoft Web Browser (Php) For A Web Browser For A Non-Procedural Reason)

Lecture 1: Introduction

The C Programming Language course syllabus associate level

The Designer's Guide to VHDL

Binary Multiplication

[Refer Slide Time: 05:10]

Certifying the Security of Android Applications with Cassandra

Static Program Transformations for Efficient Software Model Checking

Applications of obfuscation to software and hardware systems

Dsc+Mock: A Test Case + Mock Class Generator in Support of Coding Against Interfaces

WOLLONGONG COLLEGE AUSTRALIA. Diploma in Information Technology

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland

Model Checking: An Introduction

BUSINESS RULES CONCEPTS... 2 BUSINESS RULE ENGINE ARCHITECTURE By using the RETE Algorithm Benefits of RETE Algorithm...

Semester Review. CSC 301, Fall 2015

Web Programming Step by Step

Integration of Application Business Logic and Business Rules with DSL and AOP

The Boogie Verification Debugger (Tool Paper)

Moving from CS 61A Scheme to CS 61B Java

Chapter 6: Programming Languages

Transcription:

Boogie: A Modular Reusable Verifier for Object-Oriented Programs M. Barnett, B.E. Chang, R. DeLine, B. Jacobs, K.R.M. Leino Lorenzo Baesso ETH Zurich

Motivation Abstract Domains Modular Architecture Automatic Decision Procedures User Interface Source Programming Language Program Verifier Logical Encoding 2

Boogie: An Intermediate Verification Language intended as a layer on which to build program verifiers for other languages Microsoft Research 3

Boogie Novel Aspects Nice integration into Visual Studio and design-time feedback. Well defined interfaces and modular architecture. Distinct proof obligation and verification phases. Abstract interpretation and verification condition generation. 4

From Spec# to the Common Intermediate Language public class Example { int x ; string! s; invariant s.length >= 12; public Example(int y) requires y > 0; {... public static void M (int n) { Example e = new Example(100/n); int k = e.s.length; for (int i = 0; i < n; i++) { e.x += i; assert k == e.s.length;.class public Example {....method public static void M(int32) cil managed {.maxstack 1 ldarg.0... ldc.i4.x newobj instance void Example::.ctor(int) stloc.0... 5

Boogie Bytecode Translation (1/2) CIL Object code with a bytecode-style format Abstract Syntax Tree Assert, assume, goto statements Loop and object invariants... BoogiePL Supports: procedures, pre- and postconditions, etc. Lacks: expressions with side effects, heap, classes and interfaces, call-by-reference parameter passing and structured control-flow. 6

Boogie Bytecode Translation (2/2) Main Functionalities: Encoding the heap, object allocation and fields 2D array named Heap, allocation bit, fields into Heap. Translating call-by-reference parameters Variables are passed as in-parameters, copied into local variables, used, copied into out-parameters, updated with out-parameters values. Translating methods and method calls Method declaration/implementation -> BoogiePL procedure/implementation Method call -> associated procedure/additional BoogiePL procedure Generating frame conditions for methods and loops Postconditions on the procedures (modifies clauses) Loop invariants (havoc clauses) 7

BoogiePL: Theory Spec# BoogiePL public class Example { int x ; string! s; invariant s.length >= 12; public Example(int y) requires y > 0; {... public static void M (int n) { Example e = new Example(100/n); int k = e.s.length; for (int i = 0; i < n; i++) { e.x += i; assert k == e.s.length; const System.Object : name; const Example : name; axiom Example <: System.Object; function typeof(obj : ref) returns (class : name); const allocated : name; const Example.x : name; const Example.s : name; function StringLength(s : ref ) returns (len : int); 8

BoogiePL: Imperative Part (1/2) Spec# BoogiePL public class Example { int x ; string! s; invariant s.length >= 12; public Example(int y) requires y > 0; {... var Heap : [ref, name]any; procedure Example..ctor(this : ref, y : int); requires... y > 0; modifies Heap; ensures...; public static void M (int n) { Example e = new Example(100/n); int k = e.s.length; for (int i = 0; i < n; i++) { e.x += i; assert k == e.s.length; procedure Example.M(n : int); requires...; modifies Heap; ensures...; 9

BoogiePL: Imperative Part (2/2) Spec# public class Example { int x ; string! s; invariant s.length >= 12; public Example(int y) requires y > 0; {... public static void M (int n) { Example e = new Example(100/n); int k = e.s.length; for (int i = 0; i < n; i++) { e.x += i; assert k == e.s.length; BoogiePL implementation Example.M(n : int) { var e : ref where e = null typeof(e) <: Example; var k : int, i : int, tmp : int, PreLoopHeap : [ref, name]any; Start : assert n 0; tmp := 100/n; havoc e; assume e null typeof(e)=example Heap[e,allocated]=false; Heap[e, allocated] := true; call Example..ctor(e, tmp); assert e null; k := StringLength(cast(Heap[e, Example.s], ref)); i := 0; PreLoopHeap := Heap; goto LoopHead; LoopHead : goto LoopBody, AfterLoop : LoopBody : assume i < n; assert e null; Heap[e, Example.x] := cast(heap[e, Example.x], int) + i; i := i+ 1; goto LoopHead; AfterLoop : assume (i < n); assert e null; assert k = StringLength(cast(Heap[e, Example.s], ref)); return; 10

Boogie: Invariant Inference General idea: An abstract interpreter is used to infer invariants (assume statements) and plug them into the original BoogiePL code. Things to consider: Expressiveness (variables and function symbols). Exploration strategies (trade-off precision for efficiency). Well known abstract domains (base domains). Combination of abstract domains (coordination abstract domain). 11

Boogie: Verification Condition Generation Characteristics: Requires the proof obligations to be declared in BoogiePL. One VC for every BoogiePL procedure implementation. Standard weakest-precondition calculus: Aok = wp(s, R). BoogiePL Procedure Implementation Loop-Free BoogiePL Code Passive Code Aok 12

Boogie: Theorem Proving Several alternatives: Simplify (http://kindsoftware.com/products/opensource/simplify/) Zap (under development) Z3 (http://z3.codeplex.com/) CVC3/CVC4, E-prover, SPASS, verit, etc. 13

Conclusion Features: Design-time feedback (nicely integreted). Wide support of source programming languages. Modularity (well defined inner/outer interfaces). Future Work: Verification results could be used to optimize the code (higher performance). Combination of abstract interpreter and theorem prover. More detailed error messages. 14

15

References Boogie: A Modular Reusable Verifier for Object-Oriented Programs M. Barnett, B.E. Chang, R. DeLine, B. Jacobs, K.R.M. Leino (2005) BoogiePL: A typed procedural language for checking object-oriented programs R. DeLine, K.R.M. Leino (2005) Translating Java Bytecode to BoogiePL Alex Suzuki (2006) This is Boogie 2 K.R.M. Leino (2008) 16

Boogie Example (1/2) http://rise4fun.com/boogie 17

Boogie Example (2/2) http://rise4fun.com/boogie 18

Other Verifiers Javanni - a Verifier for JavaScript http://cloudstudio.ethz.ch/comcom/#javanni Boogaloo - the Boogie Interpreter http://cloudstudio.ethz.ch/comcom/#boogaloo 19

Abstract Syntax Tree Example Euclidean Algorithm (GCD): while b 0 if a > b a := a b else b := b a return a 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information