codecontracts clousot

CodeContracts & Clousot Francesco Logozzo - Microsoft Mehdi - PowerPoint PPT Presentation

Oct 28, 2022 •353 likes •785 views

CodeContracts & Clousot Francesco Logozzo - Microsoft Mehdi Bouaziz ENS CodeContracts? Specify code with code public virtual int Calculate(object x) { Contract.Requires(x != null); Contract.Ensures(Contract.Result<int>() >=

  1. CodeContracts & Clousot Francesco Logozzo - Microsoft Mehdi Bouaziz – ENS

  2. CodeContracts? Specify code with code public virtual int Calculate(object x) { Contract.Requires(x != null); Contract.Ensures(Contract.Result<int>() >= 0); Advantages Language agnostic No new language/compiler … Leverage existing tools IDE, Compiler … Disadvantages Lost beauty

  3. CodeContracts tools Documentation generator MSDN-like documentation generation VS plugin – tooltips as you write Runtime checking Postconditions, inheritance … Via binary rewriting Static checking Based on abstract interpretation This talk!!!!

  4. CodeContracts impact API .NET standard since v4 Externally available ~100,000 downloads Active forum (>7,700 msg) Book chapters, blogs … Internal and External adoption Mainly professional A few university courses Publications, talks, tutorials Academic, Programmers conferences

  5. Let’s demo!

  6. Why abstract interpretation? Traditional verification workflow Verification tool based on Weakest preconditions Symbolic execution Model checking

  7. Fix the code? Understand the warnings Add missing specifications Pre/Post-conditions, Object/Loop invariants Assumptions Environment, external code, OS … Verifier limits Incompleteness…. Fix bugs? Tough task verifying a program with bugs… Tedious and expensive process

  8. Reality is a little bit different New features, regressions, refactoring … Help programmer, not drown her “Verification” is only one facet Should support correct SW development

  9. Why Abstract interpretation? Focus on properties of interest Few programmers interested in ∀∃∀ … Null dereferences a lot more relevant! Programmer friendly, Tunable, Precise Easy to explain what’s wrong Properties known ahead of time “Reverse engineered” by some users Infer, not deduce or search Loop invariants, contracts, code fixes …

  10. The power of inference public int Max(int[] arr) public int Max(int[] arr) { { Contract.Requires(arr != null); var max = arr[0]; Contract.Requires(arr.Length > 0); for (var i = 1; i < arr.Length; i++) Contract.Ensures(Contract.ForAll(0, arr.Length, j => arr[j] <= Contract.Result<int>())); { Contract.Ensures(Contract.Exists(0, arr.Length, j => arr[j] == Contract.Result<int>())); var el = arr[i]; if (el > max) var max = arr[0]; max = el; for (var i = 1; i < arr.Length; i++) } { Contract.Assert(1 <= i); return max; Contract.Assert(Contract.ForAll(0, i, j => arr[j] <= max)); } public int Max(int[] arr) Contract.Assert(Contract.Exists(0, i, j => arr[j] == max)); { var el = arr[i]; var max = arr[0]; if (el > max) for (var i = 1; i < arr.Length; i++) max = el; { } var el = arr[i]; if (el > max) return max; max = el; } } return max; }

  11. Code Repairs int BinarySearch(int[] array, int value) { Contract.Requires(array != null); var inf = 0; var sup = array.Length - 1; while (inf <= sup) { var index = (inf + sup) / 2; var mid = array[index]; if (value == mid) return index; if (mid < value) inf = index + 1; else sup = index - 1; } return -1; }

  12. Scaling up Real code bases are huge Turns out they were ~700K methods Overloads, automatically generated Analysis took 3h on a Xeon Output: 116Mb text file Cache file: 610Mb Found new bugs

  13. Scaling up Real code bases are huge Should cope with it Myths: “ I am modular, hence I scale up ” “I analyze in < 1sec, hence I scale up”

  14. Clousot on the huge assembly No inter-method inference Quadratic in #methods y = 14.171x 2 + 228.64x + 434.02 Why??? GC? DB? If the app runs long enough, the GC/DB complexity matters #methods Intra-method can be costly Nested loops, goto …

  15. Scaling up: Our experience Avoid complexity ∀ costly corner case, ∃ user who will hit it Be incremental Analysis time should be proportional to changes Reduce annotation overhead Avoid boredom of trivial annotations Save programmer time Prioritize Not all the warnings are the same…

  16. Clousot Overview Reporting Checking Inference

  17. Clousot Main Loop Read Bytecode, Contracts ∀ assembly, ∀ module, ∀ type, ∀ method Collect the proof obligations Analyze the method, discover facts Check the facts Report outcomes, suggestions , repairs Propagate inferred contracts

  18. Examples of Proof Obligations public int Div(int x, int y) y != 0 { return x / y; x != MinValue || y != -1 } public int Abs(int x) { Contract.Ensures(Contract.Result<int>() >= 0); return x < 0 ? -x : x; } result >= 0 x != MinValue

  19. Proof obligations collection In theory, collect all the proof obligations Language: non-null, div-by-0, bounds … User supplied: contracts, assert … In practice, too many language obligations Non-null, div-by-0, various overflows, array/buffer overruns, enums, floating point precision …. Let the user chose and focus

  20. Clousot Main Loop Read Bytecode, Contracts ∀ assembly, ∀ module, ∀ type, ∀ method Collect the proof obligations Analyze the method, discover facts Check the facts Report outcomes, suggestions , repairs Propagate inferred contracts

  21. Static Analysis Goal: Discover facts on the program Challenges: Precise analysis of IL Compilation lose structure Which properties are interesting? Which abstract domains should we use? How we make them practical enough? Performance Usability E.g. No templates

  22. Precise IL Analysis private int f; int Sum(int x) {return this.f + x;} s0 = ldarg this s0 = ldfld Bag.NonNegativeList.f s0 s1 = ldarg x s0 = s0 Add s1 nop ret s0 sv11 (13) = ldarg this sv13 (15) = ldfld Bag.NonNegativeList.f sv11 (13) sv11 (13) = ldarg this sv8 (10) = ldarg x sv13 (15) = ldfld Bag.NonNegativeList.f sv11 (13) sv22 (24) = sv13 (15) Add sv8 (10) sv8 (10) = ldarg x ret (sv13 (15) Add sv8 (10)) sv22 (24) = sv13 (15) Add sv8 (10) ret sv22 (24)

  23. Expression Recovery is lazy MDTransform in mscorlib.dll 9000 straight line instructions

  24. Which Abstract Domains? Which properties? Exploratory study inspecting BCL sources Existing parameter validation Mainly Non-null, range checking, types Types no more issue with Generics introduction Well studied problems Plenty of numerical abstract domains Intervals, Octagons, Octahedra, Polyhedra … Problem solved??

  25. Myth “ For NaN checking only one bit is required!“ public double Sub(double x, double y) { Contract.Requires(!Double.IsNaN(x)); Contract.Requires(!Double.IsNaN(y)); Contract.Ensures(!Double.IsNaN(Contract.Result<double>())); return x - y; } - ∞ - ∞ = NaN

  26. Myth (popular in types) “ I should prove x != null, so I can simply use a non-null type system ” public void NonNull() { string foo = null; for (int i = 0; i < 5; i++) { foo += "foo"; } Contract.Assert(foo != null); }

  27. Numerical domains in Clousot Numerical information needed everywhere Ranges, enums, ∀ / ∃ , contracts, code repairs … Core of Clousot Several new numerical abstract domains DisIntervals, Pentagons, SubPolyhedra … Infinite height, no finite abstraction Combined by reduced product Incremental application Validated by experience

  28. / abstract domain Instance of FunArray (POPL’11) Discover collection segments & contents public int Max(int[] arr) { var max = arr[0]; for (var i = 1; i < arr.Length; i++) { <= max, {0} {i} Top {arr.Length}? ∃ = max var el = arr[i]; Compact for: if (el > max) max = el; ∀ j. 0 ≤ j < i: arr[j] ≤ max ∧ } ∃ k. 0 ≤ k <i: a[k] = max ∧ i ≤ arr.Length ∧ return max; 1 ≤ i }

  29. Other abstract domains Heap, un-interpreted functions Optimistic parameter aliasing hypotheses Non-Null A reference is null, non-null, non-null-if-boxed Enum Precise tracking of enum variables (ints at IL) Intervals of floats, actual float types To prove NaN, comparisons Array purity …

  30. Clousot Main Loop Read Bytecode, Contracts ∀ assembly, ∀ module, ∀ type, ∀ method Collect the proof obligations Analyze the method, discover facts Check the facts Report outcomes, suggestions, repairs Propagate inferred contracts

  31. Checking For each proof obligation 〈 pc, ϕ 〉 Check if Facts@pc ⊨ ϕ Four possible outcomes True, correct False, definite error Bottom, assertion unreached Top, we do not know In the first 3 cases we are happy

  32. Why Top? The analysis is not precise enough Abstract domain not precise Re-analyze with more precise abstract domain Algorithmic properties Implementation bug Incompleteness Some contract is missing Pre/Postcondition, Assumption, Object-invariant The assertion is sometimes wrong (bug!) Can we repair the code?

  33. Dealing with Top Every static analysis has to deal with Tops a.k.a. warnings Just report warnings: overkilling Explain warnings: better Still expensive, programmer should find a fix Ex. no inter-method inference: Checked 2 147 956 assertions: 1 816 023 correct 331 904 unknown 29 false Inspecting 1 warning/sec, 24/24: 230 days Suggest code repairs: even better But, there still we be warnings: rank & filter

  34. Clousot Main Loop Read Bytecode, Contracts ∀ assembly, ∀ module, ∀ type, ∀ method Collect the proof obligations Analyze the method, discover facts Check the facts Report outcomes, suggestions, repairs Propagate inferred contracts

Recommend

Cloud ot Lifting Clousot into the Cloud Mehdi Bouaziz Clousot today Runs on a single core on

Cloud ot Lifting Clousot into the Cloud Mehdi Bouaziz Clousot today Runs on a single core on

Cloud ot Lifting Clousot into the Cloud Mehdi Bouaziz Clousot today Runs on a single core on the developer box Input: assemblies + contracts The analysis Order the methods according to the call-order Analyze bottom up

546 views • 13 slides
Attacking and Fixing PKCS#11 Security Tokens with Tookan Graham Steel LSV, INRIA &amp; CNRS

Attacking and Fixing PKCS#11 Security Tokens with Tookan Graham Steel LSV, INRIA &amp; CNRS

Attacking and Fixing PKCS#11 Security Tokens with Tookan Graham Steel LSV, INRIA &amp; CNRS &amp; ENS-Cachan (joint work with Riccardo Focardi, Matteo Bortolozzo &amp; Matteo Centenaro, Universit` a Ca Foscari, Venezia) 1/16 RSA Public

569 views • 17 slides
3 rd Parameterized Algorithms &amp; Computational Experiments Challenge Where it came from, how

3 rd Parameterized Algorithms &amp; Computational Experiments Challenge Where it came from, how

3 rd Parameterized Algorithms &amp; Computational Experiments Challenge Where it came from, how it went, who won, and whats next August 22 nd , IPEC 2018, Helsinki, Finland History of PACE PACE was conceived in Fall 2015, borne from the

966 views • 95 slides
Ensembles L eon Bottou COS 424 4/8/2010 Readings T. G. Dietterich (2000) Ensemble

Ensembles L eon Bottou COS 424 4/8/2010 Readings T. G. Dietterich (2000) Ensemble

Ensembles L eon Bottou COS 424 4/8/2010 Readings T. G. Dietterich (2000) Ensemble Methods in Machine Learning. R. E. Schapire (2003): The Boosting Approach to Machine Learning. Sections 1,2,3,4,6. L eon Bottou

676 views • 33 slides
Concurrency 557/648 G. Castagna (CNRS) Cours de Programmation Avance 557 / 648 Outline 52

Concurrency 557/648 G. Castagna (CNRS) Cours de Programmation Avance 557 / 648 Outline 52

Concurrency 557/648 G. Castagna (CNRS) Cours de Programmation Avance 557 / 648 Outline 52 Concurrency 53 Preemptive multi-threading 54 Locks, Conditional Variables, Monitors 55 Doing without mutual exclusion 56 Cooperative multi-threading 57

2.1k views • 189 slides
Affine symmetries in supergravity work with Hermann Nicolai, Martin Weidner, Thomas Ortiz IHES

Affine symmetries in supergravity work with Hermann Nicolai, Martin Weidner, Thomas Ortiz IHES

Affine symmetries in supergravity work with Hermann Nicolai, Martin Weidner, Thomas Ortiz IHES 05/2013 Henning Samtleben 1998 motivation : 2D supergravity symmetries classically integrable field theory affine symmetry group E 9

448 views • 33 slides
Norm of polynomials in Large Random Matrices Camille M ale Ecole Normale Sup erieure de

Norm of polynomials in Large Random Matrices Camille M ale Ecole Normale Sup erieure de

Norm of polynomials in Large Random Matrices Camille M ale Ecole Normale Sup erieure de Lyon T el ecom-Paris Tech, 12 October 2010 Camille M ale (ENS de Lyon) Norm of Polynomials in large RM 1 / 25 Introduction

827 views • 44 slides
Relational reasoning via probabilistic coupling Gilles Barthe, Thomas Espitau, Benjamin Grgoire,

Relational reasoning via probabilistic coupling Gilles Barthe, Thomas Espitau, Benjamin Grgoire,

Relational reasoning via probabilistic coupling Gilles Barthe, Thomas Espitau, Benjamin Grgoire, Justin Hsu, Lo Stefanesco, Pierre-Yves Strub IMDEA Software, ENS Cachan, ENS Lyon, Inria, University of Pennsylvania November 28, 2015 1

799 views • 52 slides
The Classical Relative Error Bounds for Computing a 2 + b 2 and c / a 2 + b 2 in Binary

The Classical Relative Error Bounds for Computing a 2 + b 2 and c / a 2 + b 2 in Binary

The Classical Relative Error Bounds for Computing a 2 + b 2 and c / a 2 + b 2 in Binary Floating-Point Arithmetic are Asymptotically Optimal Claude-Pierre Jeannerod Jean-Michel Muller Antoine Plet Inria, CNRS, ENS Lyon, Universit e

464 views • 23 slides
Ethereum Name Service Nick Johnson &lt;nick@notdot.net&gt; Why do we need another name service?

Ethereum Name Service Nick Johnson &lt;nick@notdot.net&gt; Why do we need another name service?

Ethereum Name Service Nick Johnson &lt;nick@notdot.net&gt; Why do we need another name service? Aspects of a name system 1. Name lookup 2. Name registration 3. Governance What makes a good name system? Separation of concerns

443 views • 12 slides
Introduc:on protocol ? Iden:fica:on based on payload Payload

Introduc:on protocol ? Iden:fica:on based on payload Payload

Protocol Iden:fica:on Elie Bursztein eb@lsv.ens-cachan.fr WISTP 2008 Probabilis:c Iden:fica:on for Hard to classify Protocol Elie Bursztein PhD Student

729 views • 33 slides
Kleene Algebra with Converse Talk at RAMICS 14 Paul Brunet &amp; Damien Pous LIP, CNRS, ENS

Kleene Algebra with Converse Talk at RAMICS 14 Paul Brunet &amp; Damien Pous LIP, CNRS, ENS

Kleene Algebra with Converse Talk at RAMICS 14 Paul Brunet &amp; Damien Pous LIP, CNRS, ENS de Lyon, INRIA, Universit de Lyon, UMR 5668 April 28 th , 2014 April 28 th , 2014 Paul Brunet (ENS de Lyon, Universit de Lyon) Kleene Algebra

864 views • 73 slides
European Nuclear Society Dan planeta Young Generation Network Zemlja Career development in

European Nuclear Society Dan planeta Young Generation Network Zemlja Career development in

European Nuclear Society Dan planeta Young Generation Network Zemlja Career development in a challenging environment Why Young Generation Networks are essential Vienna, August 17, 2015 Eileen Langegger ENS YGN Chair Whom/What

363 views • 10 slides
T Teaching Quanti hi Q ti Pierre Merckl (France, ENS de Lyon, Centre Max Weber) (France, ENS

T Teaching Quanti hi Q ti Pierre Merckl (France, ENS de Lyon, Centre Max Weber) (France, ENS

T Teaching Quanti hi Q ti Pierre Merckl (France, ENS de Lyon, Centre Max Weber) (France, ENS de Lyon, Centre Max Weber) Claire Zalc (France, CNRS, Institut dhistoire moderne et contemporaine) SSHA Annual Conference Chicago (Ill ) Friday 22

507 views • 19 slides
NO DISCLOSURES Annette Stralovich-Romani, RD, CNSC Adult Critical Care Nutritionist UCSF

NO DISCLOSURES Annette Stralovich-Romani, RD, CNSC Adult Critical Care Nutritionist UCSF

5/9/2015 NO DISCLOSURES Annette Stralovich-Romani, RD, CNSC Adult Critical Care Nutritionist UCSF Medical Center Incidence &amp; consequences of malnutrition On hospital admission: 30-50% On ICU admission: 50-55% Underfeeding

83 views • 7 slides
Applica'on: Diagnosis Daphne Koller Medical Diagnosis: Pathfinder (1992) Help

Applica'on: Diagnosis Daphne Koller Medical Diagnosis: Pathfinder (1992) Help

Representa'on Probabilis'c Graphical Bayesian Networks Models Applica'on: Diagnosis Daphne Koller Medical Diagnosis: Pathfinder (1992) Help pathologist diagnose lymph node pathologies (60 different

207 views • 9 slides
Unit4Day3-LaBrake Monday, November 11, 2013 1:15 PM Vanden Bout/LaBrake/Crawford CH301

Unit4Day3-LaBrake Monday, November 11, 2013 1:15 PM Vanden Bout/LaBrake/Crawford CH301

Unit4Day3-LaBrake Monday, November 11, 2013 1:15 PM Vanden Bout/LaBrake/Crawford CH301 THERMODYNAMICS Quantifying Heat Flow Chemical Change UNIT 4 Day 3 CH301 Vanden Bout/LaBrake Fall 2013 Important Information HW10 DUE T 9AM CH302

471 views • 11 slides
MASSACHUSETTS INSTITUTE OF TECHNOLOGY Physics Department 8.044 Statistical Physics I Spring Term

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Physics Department 8.044 Statistical Physics I Spring Term

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Physics Department 8.044 Statistical Physics I Spring Term 20 1 3 Maxwell Relations: A Wealth of Partial Derivatives Comment On Notation In most textbooks the internal energy is indicated by the symbol U and

73 views • 6 slides
Entropy as a tool for crystal discovery Pablo Piaggi (EPFL and USI, Switzerland) Workshop on

Entropy as a tool for crystal discovery Pablo Piaggi (EPFL and USI, Switzerland) Workshop on

Entropy as a tool for crystal discovery Pablo Piaggi (EPFL and USI, Switzerland) Workshop on Crystal Structure Prediction, ICTP, Trieste January 14-18, 2019 Some substances have more than one crystal structure Carbon polymorphs

372 views • 35 slides
A new model for polythermal ice incorporating gravity-driven meltwater drainage Ian Hewitt,

A new model for polythermal ice incorporating gravity-driven meltwater drainage Ian Hewitt,

A new model for polythermal ice incorporating gravity-driven meltwater drainage Ian Hewitt, University of Oxford Christian Schoof, University of British Columbia From EGU: I. What do models tell us about how subglacial discharge is delivered

318 views • 17 slides
Low Enthalpy Cycles - Power Plant Concepts warm reservoir Q in heat engine W Q out cold

Low Enthalpy Cycles - Power Plant Concepts warm reservoir Q in heat engine W Q out cold

Low Enthalpy Cycles - Power Plant Concepts warm reservoir Q in heat engine W Q out cold reservoir Silke Khler 1 , Felix Ziegler 2 1 GeoForschungsZentrum Potsdam (GFZ) 2 Technical University of Berlin (TUB) Engine workshop 5 Strassbourg 14.

270 views • 25 slides
for Sustainable Cooling Lekha Patmanathan 1 Nexergy 2019 - Confidential Please Do Not

for Sustainable Cooling Lekha Patmanathan 1 Nexergy 2019 - Confidential Please Do Not

Automating Thermodynamics for Sustainable Cooling Lekha Patmanathan 1 Nexergy 2019 - Confidential Please Do Not Circulate This Photo by Unknown Author is licensed under CC BY-NC-ND Nexergy 2019 - Confidential Please Do Not

429 views • 17 slides
Introduction to Modelica Michael Wetter and Thierry S. Nouidui Simulation Research Group June

Introduction to Modelica Michael Wetter and Thierry S. Nouidui Simulation Research Group June

Introduction to Modelica Michael Wetter and Thierry S. Nouidui Simulation Research Group June 23, 2015 1 Purpose and approach The purpose is to have basic understanding of Modelica and be able to develop simple models. The slides follow

723 views • 58 slides
GROMACS Tutorial Free Energy Calculations: Methane in Water Based on the tutorial created by

GROMACS Tutorial Free Energy Calculations: Methane in Water Based on the tutorial created by

Free Energy Calculations: Methane in Water 1/24 GROMACS Tutorial Free Energy Calculations: Methane in Water Based on the tutorial created by Justin A. Lemkul, Ph.D. Department of Pharmaceutical Sciences University of Maryland, Baltimore Adapted

477 views • 24 slides

More recommend