Lecture 10 Design by Contract

Similar documents
Testing, Debugging, and Verification

Program Verification (6EC version only)

Overview The Java Modeling Language (Part 1) Related Work

Static program checking and verification

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

The Java Modeling Language (Part 1)

Integrating verification in programming languages

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

Assertions. Assertions - Example

COMP 507: Computer-Aided Program Design

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

An Annotated Language

Announcements. Specifications. Outline. Specifications. HW1 is due Thursday at 1:59:59 pm

Self-checking software insert specifications about the intent of a system

The Eiffel language. Slides partly based on :

Outline Introduction The Spec# language Running Spec# Tutorials on Spec# Carl Leonardsson 2/

Advances in Programming Languages

Verifying Java Programs Verifying Java Programs with KeY

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Motivation. Correct and maintainable software Cost effective software production Implicit assumptions easily broken

Chapter 3 (part 3) Describing Syntax and Semantics

EXAMINATIONS 2009 MID-TERM TEST. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering WITH ANSWERS

The JML Tool. Faculty of Engineering Pontificia Universidad Javeriana. The JML Tool p.1/23

Runtime Checking for Program Verification Systems

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

Korat: Automated Testing Based on Java Predicates. Jeff Stuckman

Formal Systems II: Applications

Java Modeling Language (JML)

Spark verification features

OOP Design by Contract. Carsten Schuermann Kasper Østerbye IT University Copenhagen

Fundamentals of Software Engineering

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 10/14/2004 1

Softwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Hoare Logic: Proving Programs Correct

Separation Logic 2: project: Annotation Assistant for Partially Specified Programs plus some high-level observations. Hengle Jiang & John-Paul Ore

Recap. Juan Pablo Galeotti,Alessandra Gorla, Software Engineering Chair Computer Science Saarland University, Germany

Incremental Proof Development in Dafny

Reasoning about programs

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

Correctness of specifications. Correctness. Correctness of specifications (2) Example of a Correctness Proof. Testing versus Correctness Proofs

BOOGIE. Presentation by Itsik Hefez A MODULAR REUSABLE VERIFIER FOR OBJECT-ORIENTED PROGRAMS MICROSOFT RESEARCH

Verifying Java Programs Verifying Java Programs with KeY

The Java Modeling Language JML

CS 161 Computer Security

FreePascal changes: user documentation

Verification Condition Generation

CMSC 631 Program Analysis and Understanding. Dynamic Typing, Contracts, and Gradual Typing

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

CSC Advanced Object Oriented Programming, Spring Specification

Formal Specification and Verification

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Java Modelling Language (JML) References

Lecture Notes: Hoare Logic

Checking Program Properties with ESC/Java

Testing, Debugging, and Verification exam DIT082/TDA567. Day: 9 January 2016 Time: Will be published mid February or earlier

Runtime Checking and Test Case Generation for Python

Testing, Debugging, Program Verification

JML in Feature-Oriented Programming

Abstract Interpretation

Verifying Java Programs with KeY

Dafny: An Automatic Program Verifier for Functional Correctness Paper by K. Rustan M. Leino (Microsoft Research)

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Program Verification Using the Spec# Programming System

Lectures 20, 21: Axiomatic Semantics

CITS5501 Software Testing and Quality Assurance Formal methods

Contents. Program 1. Java s Integral Types in PVS (p.4 of 37)

Automatic Verification of Computer Programs

Lecture Notes on Linear Search

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

Case study: compare and swap

Formal Methods. CITS5501 Software Testing and Quality Assurance

Memory Safety (cont d) Software Security

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company

Lecture 5 - Axiomatic semantics

Symbolic Execution and Proof of Properties

The Contract Pattern. Design by contract

Formal Specification and Verification

Assertions, pre/postconditions

Exercise 3 Subtyping and Behavioral Subtyping October 13, 2017

Foundations of Software Engineering

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

JML. Java Modeling Language

Asserting Expectations. Your Submissions. Oral Exams

CSC313 High Integrity Systems/CSCM13 Critical Systems. CSC313/CSCM13 Chapter 2 1/ 221

Design by Contract: An Overview

15-122: Principles of Imperative Computation (Section G)

Basic Verification Strategy

Formale Entwicklung objektorientierter Software

Exercises: program verification using SAT/SMT

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

Code Contracts in C#

Logic-Flow Analysis of Higher-Order Programs

Today s Lecture. Are These Theorems of POTS? RAISE. Lecture 20: Descriptive Specifications (Continued)

Verifying Java Programs

Advances in Programming Languages

Transcription:

CS 5959 Writing Solid Code Fall 2015 Nov-23 Lecture 10 Design by Contract Zvonimir Rakamarić University of Utah

Design by Contract Also called assume-guarantee reasoning Developers annotate software components with contracts (formal specifications) Document developer s intent Complex system verification broken down into compositional verification of each component Typical contracts Annotations on procedure boundaries Preconditions Postconditions Annotations on loop boundaries Loop invariants

Design by Contract cont. First used in Eiffel [Bertrand Meyer] Native support: Eiffel, Racket, SPARK Ada, Spec#, Dafny, Third-party support: Frama-C Code Contracts project for.net Java Modeling Language Contracts for Python (PyContracts) contracts.ruby Runtime or static checking of contracts

Design by Contract cont. Used when developing high assurance systems for rigorous testing, documentation, and verification Avionics Cars Space Railways Used when developing traditional software to formally and conveniently write specifications Turned into assertions during runtime

Code Contracts Example static int BinarySearch(int[] array, int value) { Contract.Requires(array!= null);

PyContracts @contract def foo(a:'int,>0', b:'list[n],n>0') -> 'list[n]': # Requires b to be a nonempty list, # and the return value to have the # same length

Spec# Example static int BinarySearch(int[] a, int key) requires forall{int i in (0: a.length), int j in (i: a.length); a[i] <= a[j]; ensures 0 <= result ==> a[result] == key; ensures result < 0 ==> forall{int i in (0: a.length); a[i]!= key; {

Java Modeling Languge (JML) Example class BankingExample { public static final int MAX_BAL = 1000; private int balance; //@ invariant balance >= 0 && balance <= MAX_BAL; //@ ensures balance == 0; public BankingExample() { this.balance = 0; //@ requires 0 < amount && amount+balance < MAX_BAL; //@ ensures balance == \old(balance) + amount; public void credit(int amount) { this.balance += amount;

Assume-Guarantee Reasoning Example foo() { bar() { foo(); How to verify/check bar?

Assume-Guarantee Reasoning cont. Solution 1 Inline foo Solution 2 Write contract/specification P of foo Assume P when checking bar bar() { assume P; Guarantee P when checking foo foo() { assert P; Pros/cons?

Procedure procedure M(x,y,z) returns (r,s,t) requires P ensures Q {S requires is a precondition Predicate P has to hold at procedure entry ensures is a postcondition Predicate Q has to hold at procedure exit S is procedure body

Procedure Example procedure abs(x) returns (abs_x) requires -1000 < x && x < 1000 ensures abs_x >= 0 { if (x >= 0) { abs_x := x; else { abs_x := -x;

Dafny Simple verifying compiler Proves procedure contracts statically for all possible inputs Uses theory of weakest preconditions Input Annotated program written in simple imperative language Preconditions Postconditions Loop invariants Output Correct or list of failed annotations

Dafny Architecture Program with specifications Verification condition generator Verification conditions Theorem prover Program correct or list of errors

Exercise 1 procedure abs(x) returns (abs_x) requires -1000 < x && x < 1000 ensures abs_x >= 0 { if (x >= 0) { abs_x := x; else { abs_x := -x;

Exercise 2 Write a method Max that takes two integer parameters and returns their maximum Add appropriate annotations and make sure your code verifies

Exercise 3 Write a test method that calls your Max method from Exercise 2 and then asserts something about the result

While Loop with Invariant while E invariant J do S end loop body loop condition loop invariant Loop body S executed as long as loop condition E holds Loop invariant J must hold on every iteration J must hold initially and is evaluated before E J must hold even on final iteration when E is false Provided by a user or inferred automatically

Exercise 4 method m(n: int) { var i := 0; while i < n invariant 0 <= i { i := i + 1; assert i == n;

(Dumb) Example: Multiply by 2 method Multiply2(n:int) returns (r:int) { r := 0; var i:int := 0; while (i < n) { r := r + 2; i := i + 1; Specification: Given a non-negative integer n, function Multiply2 multiplies it by 2

Arrays in Dafny var a: array<int> Can be null Have a built in length field (a.length) All array accesses must be proven to be within bounds

Simple Array Example method CreateArray(length:int) requires length >= 0; { var a := new int[length]; a[5] := 10;

Modifies Annotations Dafny has to know what heap locations every procedure modifies Related to how proof is being constructed Modifies annotations are used for that Simple example: method InitializeArray(a:array<int>, e:int) modifies a; { var i := 0; while (i < a.length) { a[i] := e; i := i + 1;

Quantifiers Forall Exists

Example: Initialize Array Signature: InitializeArray(a:array<int>, e:int) Specification: Initializes elements of array a to e

Example: Linear Search Signature: LinearSearch(a:array<int>, l:int, u:int, e:int) returns (r:bool) Specification: Returns true if e is found in array a between l and u, otherwise returns false

Useful Links https://en.wikipedia.org/wiki/design_by_contrac t http://rise4fun.com/dafny/tutorial/guide http://research.microsoft.com/enus/projects/dafny/ https://www.youtube.com/watch?v=spcfzbisbv4 http://research.microsoft.com/enus/projects/contracts/ https://pypi.python.org/pypi/pycontracts

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback