Formal Methods: Three suggestions for rapid adoption
Wolfram Schulte, RiSE, MSR
Workshop on Usable Verification 11/15/2010
Build on the shoulders of giants: Unify and leverage tool chains
First
From program analysis tools in 2000-2003 …
Slam: Model-checker, Simple Decision Procedure
Fugue: Dataflow Analyzer, Abstract Domains
Prefix/Prefast: Symbolic Interpret., Custom Decision Procedure
ESP: Dataflow Analyzer, Abstract Domains
… to formal methods tools in 2004-2010 …
Z3, Boogie, Havoc, SymDiff, Formula, Rex, Pex, CodeContracts, Fine, Sym Autom, VCC, Poirot, Simplify, Isabelle, Spec#, Bek, Chalice, Sage, Dafny
… to …
Specifications for free: Embrace developer languages
Second
CodeContracts
• Use a language-agnostic library to author contracts
• Enables runtime and compile-time checking based on abstract interpretation (AI)
• Supports the full scenario: author, check, view, document
• Authoring ships in VS 2010; > 50k downloads for the tools; key feature
CodeContracts: Code as Specifications
• Use a language-agnostic library to author contracts
• Enables static and dynamic checking
• Contracts support "squiggles", views, documentation generation
• Authoring ships in VS 2010; > 50k downloads for the tools

    using System.Diagnostics.Contracts;

    // Returns the index of the smallest element, or -1 for an empty array.
    static int MinIndex(int[] data) {
        Contract.Requires(data != null);
        Contract.Ensures(Contract.Result<int>() >= -1);
        Contract.Ensures(Contract.Result<int>() < data.Length);
        var result = -1;
        for (int i = 0; i < data.Length; i++)
            result = (result < 0 || data[i] < data[result]) ? i : result;
        return result;
    }
Pex: Tests as Specifications
• Embrace unit tests / test-driven development
• Supports automatic test case generation and environment isolation (Moles)
• Uses extended reflection and dynamic symbolic execution
• Pex as Power Tools for VS 2010, Moles for VS 2012; > 70k downloads

    // Parameterized unit test: name and data are symbolic inputs explored by Pex.
    void ReadWrite(string name, string data) {
        Assume.IsTrue(name != null && data != null);
        Write(name, data);
        var readData = Read(name);
        Assert.AreEqual(data, readData);
    }

The test states, for all string name, string data:
name ≠ null ∧ data ≠ null ⇒ equals(ReadResource(name, WriteResource(name, data)), data)
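The two slides above make one point from two sides: a contract is a specification checked at run time, and a parameterized unit test is the same specification checked over many generated inputs. The following added example (not code from the talk or from the Code Contracts/Pex tools) renders the slide's MinIndex in Python with a small requires/ensures decorator standing in for Contract.Requires/Ensures, and an exhaustive-enumeration "parameterized test" standing in for Pex's dynamic symbolic execution. The `min_index_no_guard` variant is a constructed defect that shows why the slide's range contract alone is weaker than the full functional property.

```python
import functools
import itertools
class ContractViolation(AssertionError): """A precondition or postcondition failed at run time."""

def contract(requires=None, ensures=None):
    """Runtime contract check (stand-in for Contract.Requires/Ensures): `requires` sees the
    arguments, `ensures` sees the result followed by the arguments."""
    def deco(f):
        @functools.wraps(f)
        def wrapper(*args):
            if requires is not None and not requires(*args):
                raise ContractViolation(f"{f.__name__}: precondition failed")
            result = f(*args)
            if ensures is not None and not ensures(result, *args):
                raise ContractViolation(f"{f.__name__}: postcondition failed")
            return result
        return wrapper
    return deco

# The slide's contract: data != null; -1 <= result < data.Length.
MIN_INDEX_SPEC = dict(requires=lambda data: data is not None,
                      ensures=lambda r, data: -1 <= r < len(data))

@contract(**MIN_INDEX_SPEC)
def min_index(data):
    """Python rendering of the slide's MinIndex: index of the minimum, -1 if empty."""
    result = -1
    for i in range(len(data)):
        result = i if result < 0 or data[i] < data[result] else result
    return result

@contract(**MIN_INDEX_SPEC)
def min_index_no_guard(data):
    """Constructed defect: without the `result < 0` guard, data[result] reads data[-1]."""
    result = -1
    for i in range(len(data)):
        result = i if data[i] < data[result] else result
    return result

def is_min_index(r, data):
    """Full functional property a Pex parameterized unit test would assert."""
    return r == -1 if not data else (0 <= r < len(data) and all(data[r] <= x for x in data))

def parameterized_test(f, max_len=3, values=(0, 1, 2)):
    """Pex-style parameterized test over exhaustively enumerated small inputs (enumeration
    stands in for Pex's dynamic symbolic execution); returns the inputs that fail."""
    failures = []
    for n in range(max_len + 1):
        for data in map(list, itertools.product(values, repeat=n)):
            if not is_min_index(f(data), data):
                failures.append(data)
    return failures
```

The range contract passes for both variants on every enumerated input, while the full property exposes the defective one on a single-element array.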
SymDiff: Programs as Specifications
• Addresses the application-compatibility / versioning problem
• Performs static semantic diff of closely related programs
• Uses Boogie, etc. to check where the programs differ
Pex4Fun: Programs as Puzzles
Catch flaws early: from code to design analysis
Third
Formula for Modeling
Module system for composing specs and crossing abstraction boundaries
Formal descriptions of design spaces and reachability problems (in progress)
Use-case: Formalize domain-specific abstractions
Use-case: Combine/relate specs with help from the language
Use-case: Design-space exploration / model synthesis
Provide a general/intermediate language for capturing model-based abstractions, and support automated model synthesis in any direction.
Core formal specification language (CLP with negation over regular types)
Formula's Model Synthesis
[Diagram of the synthesis loop: Formula Specification → Symbolic Execution → SMT Formula → Infer cardinality bounds on data type instances → Add symmetry breaking → Z3 Solver → Reconstruct FORMULA model; then Pick next region / Encode solution region / Try something new, and iterate]
Given a spec and a partial model, symbolic execution constructs a formula representing the design space.
Formula: Applications
Translate your logic/configuration/constraint/… problem into Formula:
• Software/Hardware Mappings: AUTOSAR/Muscle controller
• Architectures for the cloud: ECM
• Policy management and generic policy engines: DKAL, SecPAL, etc.
• VM provisioning for the cloud: System Center
• UML/DSL mappings …
Summary: Usable Verification
• Build on the shoulders of giants: Unify and leverage tool chains
• Specifications for free: Embrace developer languages
• Catch flaws early: From code to design analysis
And use modern media to tell about success stories
usable verification