USING BOOGIE 2 IN THE VERIFICATION OF SPEC# PROGRAMS

K. Rustan M. Leino - Microsoft Research
Rosemary Monahan - National University of Ireland

8, November

In this workshop we present the Spec# Programming System, the verifier for Spec# programs. Throughout our presentation we illustrate how the Spec# Programming System can be used to verify programs in an object-oriented environment. The effect will be two-fold: participants will be given the practical experience of using the Spec# Programming System and they will learn about Boogie 2, the intermediate representation language that Spec# programs are translated to before verification. Through this knowledge participants will develop an understanding of how logical verification conditions are generated in program verification tools.

In recent work we have encoded some verification benchmark programs in the languages Dafny (a language that explores the dynamic frames style of specifications) and Spec#. Both of these languages use Boogie 2 as their intermediate representation language. We use these benchmark programs to demonstrate the contributions of Boogie 2 to program verification.

The intended audience includes any researchers or lecturers who are interested in program verification. In particular, it will appeal to educators who are considering using Spec# for teaching and to programmers who wish to learn about the Spec# verification methodology. Participants should havean understanding of object oriented programming languages such as C#, C++ or Java and a basic understanding of method preconditions and post-conditions.

Participants will be expected to bring their own laptops for use during the Event.

TOPICS COVERED DURING THE WORKSHOP:

The Spec# Programming System consists of the Spec# programming language which is an extension of C#, the Spec# compiler which is integrated into the Microsoft Visual Studio development environment and the Spec# static program verifier which translates Spec# programs into logical verification conditions. The result is an automatic verification environment which establishes the correctness of a program before allowing it to be executed. In addition to the run-time checking traditionally found in the design by contract approach, Spec# offers the possibility to verify contracts statically. The goal of this analysis is to help programmers to detect errors more quickly than they might be found by traditional methods, hence providing an opportunity to correct the errors when they are still relatively cheap to fix. A unique feature of the Spec# Programming System is its guarantee of maintaining invariants in object-oriented programs in the presence of callbacks, threads and inter-object relationships. In addition, the Spec# Programming System has been extended so that programs that involve the mathematical domains that are so familiar to textbook examples (such as sum, count, product, min, and max) may be verified.

Boogie 2 is an intermediate verification language, intended as a layer on which to build program verifiers for other languages. Several program verifiers have been built in this way, including one for the object-oriented .NET language Spec#, the HAVOC and vcc verifiers for C, the Dafny language and verifier, and the concurrent language Chalice. Experience with some automatic program verifiers suggests that the complex task of generating verification conditions for modern programming languages can be managed by separating the task into two steps: a transformation of the program and its proof obligations into an intermediate language, and then a transformation of that intermediate-language program into logical formulae. If the verification conditions can be proved correct (with the help of an automated theorem prover) the program is verified as correct. If the verification conditions cannot be proved correct, it is possible that errors occur in the program.

The presentation involving both of these languages will provide a detailed description of one of the most successful systems for the static and dynamic analysis of object-oriented programs. More precisely, topics discussed at the event will be as follows:

PART 1: THE SPEC# PROGRAMMING SYSTEM:

  • An overview of Spec#: Explaining what is Spec# and what is its tool suite.
  • Programming in the small: Worked examples that show the use of preconditions, postconditions, loop invariants, and assert and assume statements.
  • Programming in the large: We introduce multi-method and multi-class examples. We explain object invariants and how they can be maintained in the presence of callbacks, threads, and inter-object relationships. We start with simple single-object invariants and then go into ownership-based invariants and visibility-based invariants.

PART 2: BOOGIE 2 AS AN INTERMEDIATE REPRESENTATION LANGUAGE

  • An overview of Boogie 2:We give an overview of Boogie 2 using worked examples to show its language constructs, types, expressions and statements.
  • Generating Boogie 2 programs from Spec# programs: We show the Boogie 2 programs that are generated by translating Spec# programs to its intermediate representation.
    In particular, we discuss important decisions (such as how to model memory) that must be considered when translating a source language like Spec# into Boogie 2.
  • Verifying benchmark programs in Spec# and Dafny: We use these benchmark programs to compare the languages the features of these languages and their capability for program verification.