Code contracts static checker Visual Studio/Roslyn Semantic Inference. Error checking. Verified repairs. Pre/post inference. Semantic baseline.

The smart programming assistantFrancesco LogozzoResearcherMicrosoft Research, Redmond3-403

What is it?

Vision for modern programming.Developed at RiSE, Microsoft Research.

Real-time feedback.Report tricky bugs and regressions.

Code improvements.Suggest code fixes and specifications.

“Standing on the shoulders of giants”

CodeContracts.Contracts library part of .NET since v4.0.• Specify preconditions, postconditions, object-invariants.

Contracts tools: Static checker, and other tools available on VS Gallery.• Overall 100K downloads.

Roslyn CTP.C#/VB compilers as services.Open-up the compiler pipeline to expose internals.• ASTs, Refactoring…

Code contracts static checker

Visu

al S

tud

io/R

osly

n

Semantic Inference.

Error checking.

Verified repairs.

Pre/post inference.

Semantic baseline.

Stored information

Answer queries.Code

Architecture

Demo!

Questions?

Evaluate this session

Scan this QR code to evaluate this session and be automatically entered in a drawing to win a prize!

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Backup slides

CodeContracts

Contract API part of .NET since v.4.0. Tools available on VS Gallery.Almost 100K downloads overall.• Devlabs, VS Gallery.

Active user MSDN forum.7700+ messages.

Available in VS Gallery!

MoreVS 2012 integration.Runtime checking.Documentation generation.

LessPost-build static analysis.• Scale via team shared SQL DB.

No refactoring.

Static analysis

Different from FxCop, Coverity, Resharper…Those are (mostly) pattern-match based.

Perform deep semantic code analysis. For each program point, infer invariants.Invariants are properties that hold for all possible executions.

Main Idea: replace concrete values with abstract values.Example: Instead of x : {0, 2, 4, 6, 8, 10} have x : [0, 10] && x is even.

Inference

public int BinarySearch(int[] array, int value){ Contract.Requires(array != null); var inf = 0; var sup = array.Length - 1;

while (inf <= sup) {

var mid = (inf + sup) / 2; var midValue = array[mid];

if (midValue < value) inf = mid + 1; else if (midValue > value) sup = mid - 1; else return mid; }

return -1;}

inf: [0, 0], sup: [-1, MaxValue), sup < array.Length

inf ≤ sup, sup: [0, MaxValue)

mid: [0, MaxValue), mid ≤ sup, mid < array.Length

inf: [1, MaxValue], sup: [0, MaxValue)

inf:[0, 0], sup: [-1, MaxValue-1), sup < array.Length

inf: [0, MaxValue], sup: [-1, MaxValue), sup < array.Length

inf: [0, MaxValue], sup: [-1, MaxValue), sup < array.Length

array != null

MinValue ≤ (inf + sup) ≤ MaxValue

Checks





return -1;}

array != null

MinValue ≤ array.Length -1 ≤ MaxValue

0 ≤ mid array != null

mid < array.Length

MinValue ≤ mid + 1 ≤ MaxValue MinValue ≤ mid - 1 ≤ MaxValue

MinValue ≤ (inf + sup)/2 ≤ MaxValue

MinValue ≤ (inf + sup) ≤ MaxValue

Error checking





return -1;}

array != null

MinValue ≤ array.Length -1 ≤ MaxValue

0 ≤ mid

array != null

mid < array.Length

MinValue ≤ mid + 1 ≤ MaxValue MinValue ≤ mid - 1 ≤ MaxValue

inf: [0, MaxValue], sup: [0, MaxValue], sup < array.Length

array != null

MinValue ≤ (inf + sup)/2 ≤ MaxValue

mid: [0, MaxValue)

MinValue ≤(inf + sup) ≤ MaxValue

Repairing overflows

Leverage the semantic information inferred by the static analysisFor instance, assume that 0 ≤ x, 0 ≤ y, 0 ≤ z

Then x + y < z may overflowWe derive a non-overflowing expression like that

(x! + y!)? < z!

as 0 ≤ x, then –x cannot underflow

=y! < (z! +(– x!)!)?

as 0 ≤ z and 0 ≤ x, then z – x cannot underflow

=y! < (z! +(– x!)!)!

Extract method

public int Decrement(int x){ Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >= 0);

while (x != 0) x--;

return x;}


x = NewMethod(x);

return x;}

private static int NewMethod(int x){ while (x != 0) x--; return x;}

And the (modular) proof?


while (x != 0) x--;

return x;}


x = NewMethod(x);

return x;}

private static int NewMethod(int x){ while (x != 0) x--; return x;}

Postcondition: okNo

overflow

Possible overflow

Postcondition

Violation?

Completeness

The verification of the callee should still go through.Counterexample: Valid and safe contract, but not complete.public int Decrement(int x){ Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >=0);

x = NewMethod(x);

return x;}

private static int NewMethod(int x){ Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() <= x);

while (x != 0) x--; return x;}

Can’t prove

ensuresok

Validity

The inferred contract should be valid.Counterexample:public int Decrement(int x){ Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >=0);

x = NewMethod(x);

return x;}

private static int NewMethod(int x){ Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>()==12345);


okInvalid ensure

s

Safety

The precondition of the extracted method should advertise possible errors.Counterexample:

public int Decrement(int x){ Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >=0);

x = NewMethod(x);

return x;}

private static int NewMethod(int x){ Contract.Ensures(Contract.Result<int>() == 0);


ok Possible overflow

Generality

The inferred contract is the most general satisfying Validity, Safety, and Completeness.Counterexample: Valid, Safe, and Complete, but not General contract.public int Decrement(int x){ Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >=0);

x = NewMethod(x);

return x;}

private static int NewMethod(int x){ Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() == 0);


ok ok

Requires too

strong

Our solution

Valid, Safe, Complete, and General contract

public int Decrement(int x){ Contract.Requires(x >= 5); Contract.Ensures(Contract.Result<int>() >=0);

x = NewMethod(x);

return x;}

private static int NewMethod(int x){ Contract.Requires(x >= 0); Contract.Ensures(Contract.Result<int>() == 0);


ok ok

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Code contracts static checker Visual Studio/Roslyn Semantic Inference. Error checking. Verified repairs. Pre/post inference. Semantic baseline.

Documents