Usable Verification of Object-Oriented Programs by Combining Static and Dynamic Techniques

Verified Software: Theories, Tools, Experiments

Nordio

et al. 2014

Self Cite

Abstract. The simple and often imprecise specifications that programmers may write are a significant limit to a wider application of rigorous program verification techniques. Part of the reason why non-specialists find writing good specification hard is that, when verification fails, they receive little guidance as to what the causes might be, such as implementation errors or inaccurate specifications. To address these limitations, this paper presents two-step verification, a technique that combines implicit specifications, inlining, and loop unrolling to provide improved user feedback when verification fails. Two-step verification performs two independent verification attempts for each program element: one using standard modular reasoning, and another one after inlining and unrolling; comparing the outcomes of the two steps suggests which elements should be improved. Two-step verification is implemented in AutoProof, our static verifier for Eiffel programs integrated in EVE (the Eiffel Verification Environment) and available online. The Trouble with SpecsThere was a time when formal verification required heroic efforts and was the exclusive domain of a small group of visionaries. That time is now over; but formal techniques still seem a long way from becoming commonplace. If formal verification techniques are to become a standard part of the software development process-and they are-we have to understand and remove the obstacles that still prevent non-specialists from using them.A crucial issue is specification. Program correctness is a relative notion, in that a program is correct not in absolute terms but only relative to a given specification of its expected behavior; in other words, verified programs are only as good as their specification. Unfortunately, many programmers are averse to writing specifications, especially formal ones, for a variety of reasons that mostly boil down a benefit-to-effort ratio perceived as too low. Writing formal specifications may require specialized skills and experience; and the concrete benefits are dubious in environments that value productivity, assessed through simple quantitative measures, more than quality. Why should programmers subject themselves to the taxing exercise of writing specifications in addition to implementations, if there is not much in it for them other than duplicated work?

“…AutoProof is integrated in EVE [33], the research branch of the EiffelStudio development environment, and is freely available online:…”

Section: The Trouble With Specsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Program Checking with Less Hassle

Tschannen

Verified Software: Theories, Tools, Experiments

Nordio

et al. 2014

Self Cite

“…Another line of research in testing is the combination with static techniques, with the goal of complementing each other's strengths to search the input state space more efficiently. In [25], we combined testing with program proving at a high level. A different array of techniques combines testing with symbolic execution; see the recent survey [2].…”

Section: Related Workmentioning

confidence: 99%

To Run What No One Has Run Before: Executing an Intermediate Verification Language

Polikarpova

West

2013

Runtime Verification

Self Cite

Abstract. When program verification fails, it is often hard to understand what went wrong in the absence of concrete executions that expose parts of the implementation or specification responsible for the failure. Automatic generation of such tests would require "executing" the complex specifications typically used for verification (with unbounded quantification and other expressive constructs), something beyond the capabilities of standard testing tools. This paper presents a technique to automatically generate executions of programs annotated with complex specifications, and its implementation for the Boogie intermediate verification language. Our approach combines symbolic execution and SMT constraint solving to generate small tests that are easy to read and understand. The evaluation on several program verification examples demonstrates that our test case generation technique can help understand failed verification attempts in conditions where traditional testing is not applicable, thus making formal verification techniques easier to use in practice.

“…Program 1 is a collection of small JavaScript applets from http: //www.jsworkshop.com; program 2 is one single larger application, a poker game, from the same source. Programs 3-6 are JavaScript implementations of object-oriented standard examples also used in previous work of ours [7,6], each equipped with functional specifications (pre-and postcondition) for each method. In this case, verification also required intermediate assertions, but these were much fewer than in [7,6] …”

Section: Case Studymentioning

confidence: 99%

Javanni: A Verifier for JavaScript

Nordio

Calcagno

Fundamental Approaches to Software Engineering

2013

Self Cite

Abstract. JavaScript ranks among the most popular programming languages for the web, yet its highly dynamic type system and occasionally unintuitive semantics make programming particularly error-prone. This paper presents Javanni, a verifier for JavaScript programs that can statically detect many common programming errors. Javanni checks the absence of standard type-related errors (such as accessing undefined fields) without requiring user-written annotations, and it can also verify full functional-correctness specifications. Several experiments with JavaScript applications reported in the paper demonstrate that Javanni is flexibly usable on programs with non-trivial specifications. Javanni is available online within the CloudStudio web integrated environment.