Solidifying Software Interfaces: Checkable Contracts
Thomas Ball
Testing, Verification and Measurement
Microsoft Research
http://research.microsoft.com/~tball/
Microsoft Powerpoint EULA Point 11
• 11. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER INFORMATION, FOR BUSINESS INTERRUPTION, FOR PERSONAL INJURY, FOR LOSS OF PRIVACY, FOR FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, FOR NEGLIGENCE, AND FOR ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF OR IN ANY WAY RELATED TO THE USE OF OR INABILITY TO USE THE SOFTWARE PRODUCT, THE PROVISION OF OR FAILURE TO PROVIDE SUPPORT SERVICES, OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS EULA, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF MICROSOFT OR ANY SUPPLIER, AND EVEN IF MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The GPL
• 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
• 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
the "communication domain" in which communication is to take place; see protocols(5).
Sockets of type SOCK_STREAM are full-duplex byte streams, similar to pipes. A stream socket must be in a connected state before any data may be sent or received on it. A connection to another socket is created with a connect(2) call. Once connected, data may be transferred using read(2V) and write(2V) calls or some variant of the send(2) and recv(2) calls. When a session has been completed a close(2V) may be performed. Out-of-band data may also be transmitted as described in send(2) and received as described in recv(2).
The communications protocols used to implement a SOCK_STREAM insure that data is not lost or duplicated. If a piece of
What is an API Contract?
• Pre-conditions
– the conditions a client must establish before calling an API
– "A filehandle must be in an open state before you call fread"
• Post-conditions
– the conditions an implementation (of an API) must establish upon its termination
– "If the file is present, fopen returns a filehandle in the open state"
Formalizing Contracts
• Pre/post conditions
– Eiffel: "design by contract", integrated into language
– JML: pre/post language (in comments)
• Monitors
– security automata
– SLIC - SLAM's API rule language
• Models
– ASML: separate modeling language
Why are Contracts Useful?
• Precision in specification & design
• Separation of concerns
• Documentation
• Checking/Testing
• Specifications are (still) a good idea!
– focus shifted to critical properties rather than full correctness
• Bug economics
• Test automation wall
• Moore's law
– abundant computational resources
• Advances in research and technology
– model checking
– program analysis
– theorem proving
– analysis infrastructures
Overview
• SLAM analysis engine
– Static Driver Verifier
SLAM – Software Model Checking
• SLAM innovations
– boolean programs: a new model for software
– model creation (c2bp)
– model checking (bebop)
– model refinement (newton)
• SLAM toolkit
– built on MSR program analysis infrastructure
SLIC
• Finite state language for stating rules
– monitors behavior of C code
– temporal safety properties (security automata)
– familiar C syntax
• Suitable for expressing control-dominated properties
– e.g. proper sequence of events
– can encode data values inside state
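An added example, not from the slides: the fopen/fread contract from the "What is an API Contract?" slide written as a SLIC-style finite-state monitor (a security automaton over the sequence of API events) in C. The event and state names are assumptions of this example, not SLIC syntax; the monitor here runs over a recorded trace, whereas SLAM checks such a rule statically against every path of the C program.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed example: a SLIC-style finite-state monitor (security automaton)
 * for the fopen/fread/fclose contract on the "What is an API Contract?" slide.
 * Event and state names are assumptions of this example, not SLIC syntax. */

typedef enum {
    EV_FOPEN_OK,    /* fopen returned a handle: post-condition "open state" holds */
    EV_FOPEN_FAIL,  /* fopen returned NULL: the handle is still not open */
    EV_FREAD,       /* pre-condition: handle must be in the open state */
    EV_FCLOSE       /* pre-condition: handle must be in the open state */
} event_t;

typedef enum { ST_CLOSED, ST_OPEN, ST_ERROR } state_t;
/* Transition relation of the automaton; ST_ERROR is absorbing. */
static state_t step(state_t s, event_t e) {
    switch (s) {
    case ST_CLOSED:
        if (e == EV_FOPEN_OK)   return ST_OPEN;
        if (e == EV_FOPEN_FAIL) return ST_CLOSED;
        return ST_ERROR;           /* fread/fclose on a handle that is not open */
    case ST_OPEN:
        if (e == EV_FREAD)  return ST_OPEN;
        if (e == EV_FCLOSE) return ST_CLOSED;
        return ST_ERROR;           /* re-opening a handle that is already open */
    default:
        return ST_ERROR;
    }
}

/* Runs the monitor over a trace of API events on one file handle.
 * Returns -1 if the trace satisfies the contract, otherwise the 0-based
 * index of the first event that violates it. */
int check_trace(const event_t *trace, size_t n) {
    state_t s = ST_CLOSED;
    for (size_t i = 0; i < n; i++) {
        s = step(s, trace[i]);
        if (s == ST_ERROR) return (int)i;
    }
    return -1;
}

int main(void) {
    /* Constructed traces: one correct session, three contract violations. */
    const event_t good[]            = { EV_FOPEN_OK, EV_FREAD, EV_FREAD, EV_FCLOSE };
    const event_t read_unopened[]   = { EV_FREAD, EV_FOPEN_OK, EV_FCLOSE };
    const event_t read_after_fail[] = { EV_FOPEN_FAIL, EV_FREAD };
    const event_t double_close[]    = { EV_FOPEN_OK, EV_FCLOSE, EV_FCLOSE };
    printf("good session:        %d\n", check_trace(good, 4));
    printf("fread before fopen:  %d\n", check_trace(read_unopened, 3));
    printf("fread after failure: %d\n", check_trace(read_after_fail, 2));
    printf("double fclose:       %d\n", check_trace(double_close, 3));
    return 0;
}
```

The EV_FOPEN_FAIL event is what "can encode data values inside state" means in practice: the rule tracks fopen's return value, so a read after a failed open is reported just like a read before any open.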
– papers in CAV, PLDI, POPL, SPIN, TACAS
• March 2002
– Bill Gates review
• May 2002
– Windows committed to hire two Ph.D.s in model checking to support Static Driver Verifier
• July 2002
– running SLAM on 100+ drivers, 20+ properties
• September 3, 2002
– made initial release of SDV to Windows (friends and family)
• April 1, 2003
– made wide release of SDV to Windows (any internal driver developer)
• September, 2003
– team of six in Windows working on SDV
– researchers moving into "consultant" role
• November, 2003
– demonstration at Driver Developer Conference
SLAM Results
• Boolean program model has proved itself
• Successful for device driver contracts
– control-dominated safety properties
– few boolean variables needed to do proof or find real errors
• Counterexample-driven refinement
– terminates in practice
– incompleteness of theorem prover not an issue
Other Ways to Check Contracts
• Type systems
– Vault programming language
– type system extended to allow simple pre/post
• Theorem proving
– ESC/Java checker
– uses JML specification language (rich pre/post conditions)
• Dataflow analysis
– ESP
– uses SLIC-like state machine language
Conclusions
• The technology now exists for enforcing simple API contracts using static analysis
• Rollout/adoption
– first as out-of-band tools (i.e., SLAM, ESP, Fugue)
– next as in-band tools (part of language/compiler)
Thanks To
Software Productivity Tools group members
– Sriram Rajamani (SLAM)
– Rob DeLine, Manuel Fahndrich (Vault/Fugue)
SLAM summer interns
– Sagar Chaki, Todd Millstein, Rupak Majumdar (2000)
– Satyaki Das, Wes Weimer, Robby (2001)
– Jakob Lichtenberg, Mayur Naik (2002)
– Jakob Lichtenberg, Shuvendu Lahiri, Georg Weissenbacher, Fei Xie (2003)
SLAM Visitors
– Giorgio Delzanno, Andreas Podelski, Stefan Schwoon
Static Driver Verifier: Windows Partners
– Byron Cook, John Henry, Vladimir Levin, Con McGarvey, Bohus Ondrusek, Abdullah Ustuner