Tutorials on Spec#
Carl Leonardsson, 2/

Outline: Introduction; The Spec# language; Running Spec#
So far in the course: We have been looking at Hoare Logic.
- Specifying contracts: {Pre} Program {Post}
- Manually computing proof obligations
- Manually proving proof obligations
- Showing partial/total correctness

Now: Enter Spec#
- Integration with actual compilable program code
- Automation of the computation of proof obligations
- Automation of proof
Outline of the Running Spec# part: RiSE4fun; Visual Studio; Commandline
What is Spec#?
- Language for software development with formal verification
- Extension of C#
- Developed by Microsoft Research

Components:
- Compiler (ssc)
- Verifier (boogie)
- Visual Studio plugin
What does Spec# provide?
- (Pre- and post conditions for functions.)
- Verified asserts
- Verified bounds checks for array indexing
- Verified freedom from null-dereferencing
What does Spec# provide? Also... Not covered in these tutorials (and not in the labs):
- Class invariants for object oriented programming
- Support for ownership hierarchies
Specifying pre- and post conditions: {Pre} Program {Post}

Spec# example (the slides first show the bare function, then add the ensures clause, then the requires clause):

    static int increase(int x, int delta)
        requires delta > 0;
        ensures result > x;
    {
        return x + delta;
    }
requires e;
- Specifies the precondition
- e is a C# boolean expression over variables in scope
- May also contain quantifiers (more later)

ensures e;
- Specifies the postcondition
- e is a C# boolean expression over variables in scope
- Use the special variable result for the return value
Functions with side-effects. Example (the slides first show the bare function, then add the ensures clause, then the requires and modifies clauses; note that the array length property in C# is Length):

    static void dbl(int[] a)
        requires a.Length > 0;
        modifies a[*];
        ensures a[0] == 2*old(a[0]);
    {
        a[0] = a[0]*2;
    }
old(v): Refers to the value of variable v at the start of the function call. Can be used only in an ensures clause.

modifies v; Functions may not modify values which are not either class members or specified in the modifies clause (framing).

Spec# will produce proof obligations for array bounds checking.
References in Spec# can be declared Null or Non-null.

    string! s;      Non-null string
    string? s;      String which may be a null reference
    string![]? a;   a is either null or a string array; all elements in the array are non-null.

Dereferencing a possibly null reference requires a proof that it is in fact not null.
Assigning a possibly null reference r to a non-null reference requires proof that r != null.
Example (this first version does not verify: a is possibly null, so reading a.Length in the requires clause is itself an unproven dereference):

    static void dbl(int[]? a)
        requires a.Length > 0;
        modifies a[*];
        ensures a[0] == 2*old(a[0]);
    {
        a[0] = a[0]*2;
    }

Corrected example (preconditions are evaluated in order, so a != null must be established before a.Length is read):

    static void dbl(int[]? a)
        /* Note order of requires clauses */
        requires a != null;
        requires a.Length > 0;
        modifies a[*];
        ensures a[0] == 2*old(a[0]);
    {
        a[0] = a[0]*2;
    }
assert e: assert a boolean expression. Verified at compile time!

Usage:
- Making sure that the code does what it should
- Use during development to understand your code
- Give hints to the automatic verifier

Example:

    static int foo(int x, int y)
        requires x >= 2 && y >= x-1;
    {
        assert y*2 >= x;
        return y*2;
    }
assume e: assume a boolean expression. Assumed true by the verifier; not verified.

Usage:
- Introducing lemmas which can not be automatically proven
- Figuring out what is necessary to get a proof to go through

For the labs... Assume statements are useful, but dangerous since they allow verification of completely erroneous programs. In the labs you may use assume statements (sparingly, as necessary) for the last exercise, but not for the other exercises.
In specifications we can use quantifiers:

    forall{int i in (a:b); bexpr}    $\forall i.\ a \le i < b \Rightarrow \mathit{bexpr}$
    exists{int i in (a:b); bexpr}    $\exists i.\ a \le i < b \wedge \mathit{bexpr}$
    sum{int i in (a:b); iexpr}       $\sum_{a \le i < b} \mathit{iexpr}$
    product{int i in (a:b); iexpr}   $\prod_{a \le i < b} \mathit{iexpr}$
    min{int i in (a:b); iexpr}       $\min\{\mathit{iexpr} \mid a \le i < b\}$
    max{int i in (a:b); iexpr}       $\max\{\mathit{iexpr} \mid a \le i < b\}$
    count{int i in (a:b); bexpr}     $|\{\,i \mid a \le i < b \wedge \mathit{bexpr}\,\}|$
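An added example, not from the slides, that puts the pieces from the modifies/old, non-null and quantifier slides together in one Spec# contract: a swap with an explicit frame condition. It assumes the Microsoft.Contracts namespace that ships with the Spec# compiler (ssc) and the clause syntax shown above; the class and method names are made up.

```csharp
// Added example (not from the slides). Spec# source: C# plus the contract
// clauses introduced in the tutorial. Assumes the Microsoft.Contracts
// namespace of the Spec# compiler; ArrayOps, Swap, Demo and SwapEnds are made up.
using System;
using Microsoft.Contracts;

public class ArrayOps
{
    // 'int[]!' declares a non-null array, so no 'requires a != null' is needed
    // here, and every caller must prove that its argument is non-null.
    static void Swap(int[]! a, int i, int j)
        requires 0 <= i && i < a.Length;
        requires 0 <= j && j < a.Length;
        modifies a[*];                        // framing: only elements of a may change
        ensures a[i] == old(a[j]) && a[j] == old(a[i]);
        // Frame condition on the elements: everything except a[i] and a[j] is
        // unchanged. Without it a caller knows nothing about the other elements.
        ensures forall{int k in (0:a.Length); k != i && k != j ==> a[k] == old(a[k])};
    {
        int tmp = a[i];
        a[i] = a[j];
        a[j] = tmp;
    }

    // Caller: each assert below is a proof obligation discharged at compile time.
    static void Demo()
    {
        int[]! a = new int[3];
        a[0] = 1; a[1] = 2; a[2] = 3;
        Swap(a, 0, 2);
        assert a[0] == 3 && a[2] == 1;   // follows from the first ensures of Swap
        assert a[1] == 2;                // follows only from the forall frame condition
    }

    // A possibly-null parameter: the order of the requires clauses matters,
    // because a.Length may only be read once a != null has been established.
    static void SwapEnds(int[]? a)
        requires a != null;
        requires a.Length >= 2;
        modifies a[*];
        ensures a[0] == old(a[a.Length - 1]) && a[a.Length - 1] == old(a[0]);
    {
        int last = a.Length - 1;
        int tmp = a[0];
        a[0] = a[last];
        a[last] = tmp;
    }
}
```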
In loops, we may specify invariants.
- Invariants need to be proven to hold initially...
- ...and proven to be maintained by the loop body.
- Simple invariants and framing can be automatically inferred. But don't count on it...
Example (the slides first show the loop without invariants, then add the sum invariant, then the bounds invariant, which is needed to show that a[i] stays within bounds and that the range (0:i) is well-formed):

    static int asum(int[] a)
        ensures result == sum{int i in (0:a.Length); a[i]};
    {
        int i = 0;
        int s = 0;
        while(i < a.Length)
            invariant 0 <= i && i <= a.Length;
            invariant s == sum{int j in (0:i); a[j]};
        {
            s += a[i];
            i++;
        }
        return s;
    }
Proof of Total Correctness is not natively supported by Spec#. We want variants! How to hack a proof of total correctness:
1. Declare a loop-local program variable variant.
2. Initialise variant = expr; at the start of the loop body.
3. At the end of the loop body, assert variant >= 0;
4. and assert expr < variant; for the same expr as above.
Example:

    while(i < a.Length)
        invariant 0 <= i && i <= a.Length;
        invariant s == sum{int j in (0:i); a[j]};
    {
        int variant = a.Length - i;
        s += a[i];
        i++;
        assert variant >= 0;
        assert a.Length - i < variant;
    }
Can we use any boolean expression in specifications? No. It needs to be side-effect free. To be able to use your own functions in specifications they need to be declared [Pure].

Requirements for [Pure]:
- Side-effect free
- Well-defined (terminating)

Example:

    [Pure]
    int avg(int a, int b)
        ensures result == (a+b)/2;
    {
        return (a + b) / 2;
    }
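An added example, not from the slides, that combines the loop-invariant, quantifier, variant-hack and [Pure] slides above in one Spec# class, and ends with the assume caveat from the assume slide. It assumes the Microsoft.Contracts namespace of the Spec# compiler and that quantifier expressions are also executable in code; Search, IsMaxAt, IndexOfMax and Bogus are made-up names.

```csharp
// Added example (not from the slides). Assumes the Microsoft.Contracts
// namespace of the Spec# compiler; the class and method names are made up.
using System;
using Microsoft.Contracts;

public class Search
{
    // [Pure]: side-effect free and terminating, so it may be used in specifications.
    // The forall comprehension is assumed to be executable as an expression here.
    [Pure]
    static bool IsMaxAt(int[]! a, int m)
        requires 0 <= m && m < a.Length;
        ensures result == forall{int k in (0:a.Length); a[k] <= a[m]};
    {
        return forall{int k in (0:a.Length); a[k] <= a[m]};
    }

    // Index of a maximal element of a non-empty array: partial correctness from
    // the invariants, termination from the "variant" hack of the tutorial.
    static int IndexOfMax(int[]! a)
        requires a.Length > 0;
        ensures 0 <= result && result < a.Length;   // establishes IsMaxAt's requires
        ensures IsMaxAt(a, result);
    {
        int best = 0;
        int i = 1;
        while (i < a.Length)
            // Bounds on the counter: make a[i] and the range (0:i) well-formed.
            invariant 1 <= i && i <= a.Length;
            // best always indexes an element that has already been inspected.
            invariant 0 <= best && best < i;
            // a[best] is maximal among the inspected prefix.
            invariant forall{int k in (0:i); a[k] <= a[best]};
        {
            int variant = a.Length - i;        // steps 1 and 2: snapshot the variant
            if (a[i] > a[best]) {
                best = i;
            }
            i++;
            assert variant >= 0;               // step 3: bounded below
            assert a.Length - i < variant;     // step 4: strictly decreased by the body
        }
        return best;
    }

    // The assume caveat: assume is never checked. This method verifies, yet its
    // postcondition is false for every input, because an assumed contradiction
    // lets the verifier prove anything that follows it.
    static int Bogus(int x)
        ensures result > x;
    {
        assume false;
        return x;
    }
}
```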
Summary of commands: requires; ensures; modifies; old; result; assert; assume; invariant; count{int i in (a:b); bexpr}; sum{int i in (a:b); iexpr}; product{int i in (a:b); iexpr}; min{int i in (a:b); iexpr}; max{int i in (a:b); iexpr}; exists{int i in (a:b); bexpr}; forall{int i in (a:b); bexpr}; [Pure]
Running Spec#: RiSE4fun; Visual Studio; Commandline

RiSE4fun: An easy way of trying out Spec# is the web interface at

Visual Studio: Create a Spec# project by File > New > Project > Spec# Projects > Console Application. Important: in the project properties (Configuration Properties), make sure to enable RunProgramVerifier and Treat Warnings as Errors. The Spec# plugin for Visual Studio is a bit unstable, so if unsure about the results, double-check using the commandline method described next.

Commandline: Need to set the Path environment variable. (See lab instructions.)
Compile by:
    > ssc /t:library /debug file.ssc
Verify by:
    > boogie file.dll
More informationAssertions & Verification & Example Loop Invariants Example Exam Questions
2014 November 27 1. Assertions & Verification & Example Loop Invariants Example Exam Questions 2. A B C Give a general template for refining an operation into a sequence and state what questions a designer
More informationESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen
ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen Erik Poll - JML p.1/19 Extended static checker for Java ESC/Java by Rustan Leino et.al. Extension ESC/Java2 by David Cok
More informationCSC313 High Integrity Systems/CSCM13 Critical Systems. CSC313/CSCM13 Chapter 2 1/ 221
CSC313 High Integrity Systems/CSCM13 Critical Systems CSC313/CSCM13 Chapter 2 1/ 221 CSC313 High Integrity Systems/ CSCM13 Critical Systems Course Notes Chapter 2: SPARK Ada Sect. 2 (f) Anton Setzer Dept.
More informationFormale Entwicklung objektorientierter Software
Formale Entwicklung objektorientierter Software Praktikum im Wintersemester 2008/2009 Prof. P. H. Schmitt Christian Engel, Benjamin Weiß Institut für Theoretische Informatik Universität Karlsruhe 5. November
More informationLecture 5. Towards a Verifying Compiler: Multithreading
Lecture 5 Towards a Verifying Compiler: Multithreading W olfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants, Locklevels Access Sets Joint work with Rustan
More informationSome notes about Event-B and Rodin
Some notes about Event-B and Rodin Résumé This document briefly presents the language event-b and the tool Rodin. For a comprehensive presentation, refer to the event-b page http://www.event-b.org/, the
More informationFreePascal changes: user documentation
FreePascal changes: user documentation Table of Contents Jochem Berndsen February 2007 1Introduction...1 2Accepted syntax...2 Declarations...2 Statements...3 Class invariants...3 3Semantics...3 Definitions,
More informationELEC 377 C Programming Tutorial. ELEC Operating Systems
ELE 377 Programming Tutorial Outline! Short Introduction! History & Memory Model of! ommon Errors I have seen over the years! Work through a linked list example on the board! - uses everything I talk about
More informationhttps://www.lri.fr/ linaye/gl.html
Software Engineering https://www.lri.fr/ linaye/gl.html lina.ye@centralesupelec.fr Sequence 3, 2017-2018 1/61 Software Engineering Plan 1 2 3 4 5 2/61 Software Engineering Software Testing 3/61 Software
More informationTesting Library Specifications by Verifying Conformance Tests
Testing Library Specifications by Verifying Conformance Tests Joseph R. Kiniry, Daniel M. Zimmerman, Ralph Hyland ITU Copenhagen, UW Tacoma, UCD Dublin 6th International Conference on Tests & Proofs Prague,
More informationSoftwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24
Softwaretechnik Program verification Albert-Ludwigs-Universität Freiburg June 28, 2012 Softwaretechnik June 28, 2012 1 / 24 Road Map Program verification Automatic program verification Programs with loops
More informationFAKULTÄT FÜR INFORMATIK
FAKULTÄT FÜR INFORMATIK DER TECHNISCHEN UNIVERSITÄT MÜNCHEN Master-Seminar Software Verification Author: Lukas Erlacher Advisor: Prof. Andrey Rybalchenko, Dr. Corneliu Popeea Submission: April, 2013 Contents
More informationAssertions & Verification Example Exam Questions
2009 November 23 Assertions & Verification Example Exam Questions 1. 2. A B C Give a general template for refining an operation into a sequence and state what questions a designer must answer to verify
More informationSoftware Security: Vulnerability Analysis
Computer Security Course. Software Security: Vulnerability Analysis Program Verification Program Verification How to prove a program free of buffer overflows? Precondition Postcondition Loop invariants
More informationFrama-C A Collaborative Framework for C Code Verification
Frama-C A Collaborative Framework for C Code Verification Tutorial at ISSRE 2017 Nikolai Kosmatov, Julien Signoles Toulouse, October 26 th, 2017 N. Kosmatov, J. Signoles (CEA LIST) Frama-C 2017-10-26 1
More informationTo be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 Introduction SDN research directions as outlined in IRTF RG outlines i) need for more flexibility and programmability
More informationThe Contract Pattern. Design by contract
The Contract Pattern Copyright 1997, Michel de Champlain Permission granted to copy for PLoP 97 Conference. All other rights reserved. Michel de Champlain Department of Computer Science University of Canterbury,
More informationLecture 5: Methods CS2301
Lecture 5: Methods NADA ALZAHRANI CS2301 1 Opening Problem Find the sum of integers from 1 to 10, from 20 to 30, and from 35 to 45, respectively. 2 Solution public static int sum(int i1, int i2) { int
More informationVerifying Java Programs with KeY
Verifying Java Programs with KeY Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at Wolfgang
More informationAn Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C
An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C Robbert Krebbers Radboud University Nijmegen January 22, 2014 @ POPL, San Diego, USA 1 / 16 What is this program supposed
More informationHarvard School of Engineering and Applied Sciences CS 152: Programming Languages
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 19 Tuesday, April 3, 2018 1 Introduction to axiomatic semantics The idea in axiomatic semantics is to give specifications
More informationIncremental Reasoning for Multiple Inheritance
Incremental Reasoning for Multiple Inheritance Johan Dovland and Einar Broch Johnsen Olaf Owe and Martin Steffen Institutt for Informatikk Universitet i Oslo ifm, Düsseldorf 17. February 2009 Context Late
More informationCodeContracts & Clousot. Francesco Logozzo - Microsoft Mehdi Bouaziz ENS
CodeContracts & Clousot Francesco Logozzo - Microsoft Mehdi Bouaziz ENS CodeContracts? Specify code with code Advantages Language agnostic No new language/compiler Leverage existing tools IDE, Compiler
More informationESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company
ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company Erik Poll - JML p.1/?? ESC/Java Extended static checker by Rustan Leino et.al.
More informationCSI33 Data Structures
Outline Department of Mathematics and Computer Science Bronx Community College October 25, 2017 Outline Outline 1 Chapter 8: A C++ Introduction For Python Programmers Function Details Assert Statements
More informationJML Class Specifications The Java Modeling Language (Part 2) A Java Class
JML Class Specifications The Java Modeling Language (Part 2) Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria
More informationInspector Methods for State Abstraction
Vol. 6, No. 5, Special Issue: Workshop on FTfJP, ECOOP 2006, Juni 2007 Inspector Methods for State Abstraction Bart Jacobs, Frank Piessens, Katholieke Universiteit Leuven, Belgium Most classes in an object-oriented
More informationINITIALISING POINTER VARIABLES; DYNAMIC VARIABLES; OPERATIONS ON POINTERS
INITIALISING POINTER VARIABLES; DYNAMIC VARIABLES; OPERATIONS ON POINTERS Pages 792 to 800 Anna Rakitianskaia, University of Pretoria INITIALISING POINTER VARIABLES Pointer variables are declared by putting
More information5 Exercise Formal Specification winter term 2010/11
5 Exercise Formal Specification winter term 2010/11 Dipl.-Wirt.-Inf. Ulrich Wolffgang Department of Information Systems, University of Münster January 12, 2011 Agenda Exercise 12 Exercise 13 Next exercise
More informationFormal Methods for Java
Formal Methods for Java Lecture 30: Conclusion Jochen Hoenicke Software Engineering Albert-Ludwigs-University Freiburg Feb 17, 2012 Jochen Hoenicke (Software Engineering) FM4J Feb 17, 2012 1 / 21 Topics
More informationCSE 307: Principles of Programming Languages
CSE 307: Principles of Programming Languages Advanced Topics R. Sekar Topics 1 / 14 1. 2 / 14 Section 1 3 / 14 Semantics of Programs Syntax defines what programs are valid. Semantics defines what the valid
More information