The Dafny program verifier

K. Rustan M. LeinoResearch in Software EngineeringMicrosoft Research, Redmond

Victoria University of WellingtonWellington, NZ13 April 2010

Some RiSE tools at Microsoft

SLAM, Static Driver Verifier (SDV)SageCode Contracts for .NET

ClousotPex

Z3

Static Driver Verifier

Applied regularly to all Microsoft device drivers of the support device models~300 bugs foundAvailable in Windows DDK to third parties

error message

Predicate abstraction and refinement

C program

predicates

boolean program

modelchecker

correct

concrete trace

feasible?

abstract trace

no yes

e.g.: Graf & Saïdi, SLAM, BLAST, …

predicateabstraction

predicaterefinement

Symbolic-powered testingSage [Godefroid, Levin, et al.]

White-box fuzzing for C programs

Applied regularly100s of people doing various kinds of fuzzing

Seed input

New generation of symbolically derived input

StringBuilder.Append Method (Char[ ], Int32, Int32)Appends the string representation of a specified subarray of Unicode characters to the end of this instance.

public StringBuilder Append(char[] value, int startIndex, int charCount);

Parameters

valueA character array.

startIndexThe starting position in value.

charCountThe number of characters append.

Return Value

A reference to this instance after the append operation has occurred.

Exceptions

Exception Type Condition

ArgumentNullException value is a null reference, and startIndex and charCount are not zero.

ArgumentOutOfRangeException charCount is less than zero.-or-startIndex is less than zero.-or-startIndex + charCount is less than the length of value.

Specifications: .NET today

Specifications in Spec#public StringBuilder Append(char[] value, int startIndex, int charCount ); requires value == null ==> startIndex == 0 && charCount == 0; requires 0 <= startIndex; requires 0 <= charCount; requires value == null || startIndex + charCount <= value.Length; ensures result == this;

Specifications with Code Contractspublic StringBuilder Append(char[] value, int startIndex, int charCount ){ Contract.Requires(value != null || (startIndex == 0 && charCount == 0)); Contract.Requires(0 <= startIndex); Contract.Requires(0 <= charCount); Contract.Requires(value == null || startIndex + charCount <= value.Length); Contract.Ensures(Contracts.Result<StringBuilder>() == this);

// method implementation...}

Note that postcondition is declared at top of method body, which is not where

it should be executed.A rewriter tool moves

these.

Code Contracts[Barnett, Fähndrich, Grunkemeyer, Logozzo, et al.]

Declarative contractsLanguage independentLibrary to ship in .NET 4.0Tools available on DevLabs

Code Contracts Rewriter (for run-time checking)Clousot abstract interpreterPex automated testing tool [de Halleux, Tillman, et al.]

Clousot [Fähndrich, Logozzo]

Abstract interpreter for .NETVerifies Code Contracts at compile timeSome key technology:

Heap-aware abstractionIterative application of numerical domains:

PentagonsSubpolyhedraothers

PentagonsSome common abstract domains:

Intervals x [A,B]Octagons x y ≤ K

Polyhedra Σi xi ≤ K

Observation:Checking array accessesinvolves constraints like0 ≤ x < a.LengthThese can be representedby intervals plus variableorderings y ≤ x

Picture source: Robert Webb's Great Stella software, http://www.software3d.com/Stella.html

Pentagon:

Z3 [Bjørner, de Moura]

Satisfiability Modulo Theories (SMT) solver9 first places and 6 second places atSMT-COMP’08Used in all tools mentioned, except Clousot

Deductive verificaton tools

HAVOCHas been applied to 100s of KLOC~40 bugs in resource leaks, lock usage, use-after-free

VCCBeing applied to Microsoft Hypervisor

…

a language and verifier

Dafny

Program verification

functional correctnes

s

limited checking

automaticdecision procedures(SMT solvers)

interactiveproof assistants

traditional mechanic

al program

verification

extended static

checking

Dafny

Dafny language

Sequential programsGeneric classesBuilt-in specificationsSimple yet flexible framingSets, sequences, algebraic datatypesUser-defined functionsGhost variablesTermination specifications

Dafny demos

CubesQueueSchorr-Waite

Verification architecture

Simplify

Z3SMT Lib

…

CSpec# DafnyChalice …

Boogie

Boogie language overviewMathematical features

type T;const x: T;function f(A, B): T;axiom E;

Imperative featuresvar y: T;procedure P(a: A, b: B) returns (x: T, y: U);

requires pre; modifies w; ensures post;implementation P(a: A, b: B) returns (x: T, y: U)

{ … }

Boogie statements

x := Ea[ i ] := Ehavoc xassert Eassume E;call P()

ifwhilebreaklabel:goto A, B

Example: Defining OO semantics by translation into Boogie

class C {var x: int;method M(n: int) returns (r: int)

{ … } static method Main() {

var c := new C;c.x := 12;call y := c.M(5);

}}

Example: Boogie translation (0)

// class typestype ClassName;const unique C: ClassName;

type Ref;function dtype(Ref): CName;const null: Ref;

// fieldstype Field α;const unique C.x: Field int;const unique allocated: Field bool;

// memoryvar Heap: <α>[Ref, Field α] α;

class C {

var x: int;

Example: Boogie translation (1)

// method declarations

procedure C.M(this: Ref, n: int) returns (r: int); requires this != null && dtype(this) == C; modifies Heap;

procedure C.Main(); modifies Heap;

method M(n: int) returns (r: int)

static method Main()

Example: Boogie translation (2)

// method implementations

implementation C.Main(){ var c: Ref, y: int;

havoc c; assume c != null; assume Heap[c, allocated] ==

false; assume dtype(c) == C; Heap[c, allocated] := true;

assert c != null; Heap[c, C.x] := 12;

call y := C.M(c,

5);

}

var c := new C;

c.x := 12;

call y := c.M(5);

Conclusions

Tools and specifications are useful in software developmentFull functional-correctness verification is becoming more automaticTo build a verifier, use an intermediate verification language

Dafny and Boogie boogie.codeplex.comCode Contracts research.microsoft.com/contracts

Projects and videos research.microsoft.com/riseVarious papers research.microsoft.com/~leino

/papers.html