Object Invariants in Object Invariants in Specification and Specification and VerificationVerification

K. Rustan M. LeinoMicrosoft Research, Redmond, WA

Joint work with:Mike Barnett, Ádám Darvas,Manuel Fähndrich, Peter Müller,Wolfram Schulte, Herman Venter, andAngela Wallenburg

Invited talk, SBMF 2006, Natal, Brazil, 19 September 2006

Software engineering Software engineering problemproblem• Building and maintaining large

software systems that are correct

ApproachApproach

• Specifications record design decisions– bridge intent and code

• Tools amplify human effort– manage detail– find inconsistencies– ensure quality

Research goalsResearch goals

• Build the best such system we can build today

• Experiment with the system to get a feel for what it is like to use

• Advance the state of the art

Spec#Spec#

• Experimental mix of contracts and tool support

• Aimed at experienced developers who know the high cost of testing and maintenance

• Superset of C#– non-null types– pre- and postconditions– object invariants

• Tool support– more type checking– compiler-emitted run-time checks– static program verification

C#contracts

everywhere

type checking

static verification

into the future

run-time checks

degree of checking,effort

familiar

Spec# demoSpec# demo

Spec# program verifier Spec# program verifier architecturearchitecture

V.C. generator

automatictheorem prover

verification condition

Spec#

“correct” or list of errors

Spec# compiler

MSIL (“bytecode”)bytecode translator

Boogie PL

inference engine

Spec# program verifier (aka Boogie)

Object invariantsObject invariants

0. Simple objects1. Aggregate objects2. Subclasses3. Additive invariants

0. When do invariants 0. When do invariants hold?hold?class Car {int speed;int windResistance;invariant windResistance == K * speed * speed;public Car() { speed = 0; windResistance = 0; }public void SetSpeed(int kmph) {

speed = kmph;windResistance = K * speed * speed;

}

0. When do invariants 0. When do invariants hold?hold?class Car {int speed;int windResistance;invariant windResistance == K * speed * speed;public Car() { speed = 0; windResistance = 0; }public void SetSpeed(int kmph) {

speed = kmph;windResistance = K * speed * speed;

}

invariant istemporarily broken here

P( );

what if P calls backinto SetSpeed?

Object statesObject states

• Mutable– Object invariant might be violated– Field updates are allowed

• Valid– Object invariant holds– Field updates not allowed

The heap (the object store)The heap (the object store)

The heap (the object store)The heap (the object store)

MutableValid

expose statementexpose statementclass Car {

int speed;int windResistance;invariant windResistance == K * speed * speed;…public void SetSpeed(int kmph)

requires this.valid;{

expose (this) {speed = kmph;windResistance = K * speed * speed;

}}

changes objectfrom valid to mutable

changes objectfrom mutable to valid

Summary for simple objects:Summary for simple objects:

explicit representation of when invariants explicit representation of when invariants holdhold(o • o.mutable Inv(o))

expose (x) { … }check Inv(x)

check x.valid

x.valid := falsex.mutable :=

true

x.valid := truex.mutable :=

false

1. Aggregate objects1. Aggregate objectsclass Seat { public void Move(int pos) requires

this.valid; … }class Car {

Seat s;public void Adjust(Profile p)

requires this.valid p.valid;{

s.Move(p.SeatPosition);}

OwnershipOwnership

Points to owner

Ownership domainsOwnership domains

Points to owner

((o • o.mutable o • o.mutable o.owner.mutable)o.owner.mutable)

Points to ownerMutable objectValid object

Representation (rep) fieldsRepresentation (rep) fieldsclass Seat { public void Move(int pos) requires this.Consistent; … }

class Car {rep Seat s;public void Adjust(Profile p)

requires this.Consistent p.Consistent;{

expose (this) {s.Move(p.SeatPosition);

}}

o.Consistent o.owner.mutable o.valid

Peer fields and peer validityPeer fields and peer validityclass Seat { public void Move(int pos) requires this.PeerConsistent; … }

class Car {rep Seat s; peer Seat s;public void Adjust(Profile p) public void Adjust(Position p)

requires this.PeerConsistent requires this.PeerConsistent

p.PeerConsistent; p.PeerConsistent; { {

expose (this) {s.Move(p.SeatPosition); s.Move(p.SeatPosition);

}} }o.PeerConsistent o.owner.mutable (p • p.owner = o.owner p.valid)

o.Consistent o.owner.mutable o.valid

Summary for aggregate objects:Summary for aggregate objects:

ownership domainsownership domains(o • o.mutable o.owner.mutable)

expose (x) { … }check (r • r.owner=x r.valid)

check x.owner.mutable

x.valid := falsex.mutable :=

true

x.valid := truex.mutable :=

false

2. Subclasses2. Subclassesclass Car {

int speed;invariant 0 ≤ speed;…

}class LuxuryCar extends Car {

Radio r;invariant 6 ≤ r.CDCapacity;…

}

Owners are pairsOwners are pairs

• To support subclasses with invariants, we change owners to be pairs:

(object reference, class frame)

Invariants and subclassesInvariants and subclasses

class A { … }

class B extends A { … }

Points to owner

Object

A

B

Summary for subclasses:Summary for subclasses:

owners are pairsowners are pairs(o,T • (o,T).mutable o.owner.mutable)

expose (x) { … }

check x.owner.mutable

(x,C).valid := false

(x,C).mutable := true

(x,C).valid := true

(x,C).mutable := false

check (r • r.owner=(x,C) r.valid)

where x has static type C

3. Additive invariants3. Additive invariantsclass Car {

int speed;…

}class LuxuryCar extends Car {

Radio r;invariant speed > 60 r.SoundBooster=true;overrides void SetSpeed(int kmph) {

expose (this) {base.SetSpeed(kmph);if (speed > 60) { … }

}}

}

Additive invariants and Additive invariants and subclassessubclasses

class A { … }

class B extends A { … }

Points to ownerMutable objectValid object

Object

A

B

Summary for additive invariants:Summary for additive invariants:

consider invariant state of consider invariant state of subclassessubclasses(o,T • (o,T).mutable

( S • S <: T (o,S).mutable)

additive expose (x) { … }

check ( S • S <: C S ≠ C (o,S).mutable)

(x,C).valid := false

(x,C).mutable := true

(x,C).valid := true

(x,C).mutable := false

where x has static type C

Object invariants in Spec#Object invariants in Spec#• Spec# syntactically checks that invariants are

admissible• Ownership is specified with the [Owned] attribute• We first supported only rep ownership relations

– peer relationships are often useful too– we now use PeerConsistent as the default method precondition– owners are set automatically on assignments of rep and peer

fields

• We first supported only additive invariants in Spec#– non-additive invariants are easier to work with– non-additive expose is now the default– implementation restriction: no further expose allowed on an

object while a non-additive expose is in progress

• Additive methods (those that update the additive fields mentioned in additive invariants) require dynamic dispatch and use precondition Consistent

Summary and conclusionsSummary and conclusions• Spec# programming system• Rich object structures need

specification and verification support– simple invariants– aggregate objects– subclasses– additive invariants– visibility-based invariants– …

http://research.microsoft.com/~leino

http://research.microsoft.com/specsharp

download Spec#from here