Practical Verification for the Working Programmer with CodeContracts and Abstract Interpretation - (Invited Talk)
Abstract
CodeContracts provide a language-agnostic way to specify and check preconditions, postconditions and object invariants (collectively called contracts [17]). Specifications take the form of calls to static methods of a Contract library [7]. The authoring library is available out-of-the-box to all .NET programmers from version 4 of the framework.

An example of CodeContracts usage is shown in Fig. 1. The code gives the specification and the implementation of a simple string sanitizer, which keeps only ASCII letters and converts every upper-case letter to lower case. The sanitizer also returns the number of lower-case and upper-case letters in the original string. Strings are represented as char arrays. The precondition requires the input string to be non-null. The postcondition specifies that the counters are non-negative, that the total number of letters is no larger than the length of the original string, and that the length of the returned string is exactly that total. Furthermore, the postcondition promises the caller that all the elements of the result string are lower-case ASCII letters.

The implementation of the sanitizer is straightforward. The original string is traversed from start to end; when an ASCII letter is encountered it is copied into a buffer as is, or, if it is upper case, converted to lower case and then stored into the buffer. A priori we do not know how many characters are not ASCII letters, so the temporary buffer is made as large as the original string. On loop exit, however, we know the exact length of the sanitized string (it is lower + upper), so a buffer of the right size is allocated, the sanitized elements are copied into it, and it is returned.

The CodeContracts static checker (codename Clousot [9]) performs an abstract interpretation of Sanitize to verify that the implementation meets its contract (specification). Clousot analyzes methods in isolation using classical assume/guarantee reasoning: it assumes the precondition of the method under analysis and checks that the postcondition holds on every return path.
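The sanitizer described above, written out as an added example against the .NET 4 System.Diagnostics.Contracts API. This is not the paper's Fig. 1, which is not reproduced on this page; the class name, method signature and sample input are assumptions, while the Requires and Ensures clauses follow the specification the abstract gives.

```csharp
using System;
using System.Diagnostics.Contracts;

// Added example (not the paper's Fig. 1): a sanitizer written to the
// specification described in the abstract. Class and method names are
// assumptions; the contract clauses mirror the text.
public static class StringSanitizer
{
    public static char[] Sanitize(char[] s, out int lower, out int upper)
    {
        // Precondition: the input string must be non-null.
        Contract.Requires(s != null);

        // Postconditions: both counters are non-negative ...
        Contract.Ensures(Contract.ValueAtReturn(out lower) >= 0);
        Contract.Ensures(Contract.ValueAtReturn(out upper) >= 0);
        // ... the total number of letters does not exceed the input length ...
        Contract.Ensures(Contract.ValueAtReturn(out lower) + Contract.ValueAtReturn(out upper) <= s.Length);
        // ... the result has exactly lower + upper elements ...
        Contract.Ensures(Contract.Result<char[]>().Length ==
                         Contract.ValueAtReturn(out lower) + Contract.ValueAtReturn(out upper));
        // ... and every element of the result is a lower-case ASCII letter.
        Contract.Ensures(Contract.ForAll(Contract.Result<char[]>(), c => 'a' <= c && c <= 'z'));

        lower = 0;
        upper = 0;

        // The number of dropped characters is unknown up front, so the scratch
        // buffer is as large as the input.
        char[] buffer = new char[s.Length];
        for (int i = 0; i < s.Length; i++)
        {
            char c = s[i];
            if ('a' <= c && c <= 'z')
            {
                buffer[lower + upper] = c;
                lower++;
            }
            else if ('A' <= c && c <= 'Z')
            {
                // Fold to lower case: the two ASCII ranges are a constant distance apart.
                buffer[lower + upper] = (char)(c - 'A' + 'a');
                upper++;
            }
            // Everything else (digits, punctuation, non-ASCII) is dropped.
        }

        // On loop exit the exact length is known: allocate a right-sized array and copy.
        char[] result = new char[lower + upper];
        Array.Copy(buffer, result, result.Length);
        return result;
    }

    public static void Main()
    {
        int lower, upper;
        // Constructed sample input mixing upper case, lower case, punctuation and a non-ASCII letter.
        char[] clean = Sanitize("Héllo, World! 42".ToCharArray(), out lower, out upper);
        Console.WriteLine("{0} (lower={1}, upper={2})", new string(clean), lower, upper);
    }
}
```

Two points a practitioner should notice. First, the index `buffer[lower + upper]` is only in bounds because `lower + upper <= i < s.Length` holds throughout the loop; that loop invariant is not written anywhere in the method, so a checker such as Clousot has to infer it before it can discharge the array access and the postcondition on the result length. Second, the `Contract.*` calls are compiled only when the CONTRACTS_FULL symbol is defined and are turned into runtime checks by the CodeContracts rewriter; without that tooling they are a specification read by the static checker, not a runtime guard, so callers must not treat the postcondition as enforced unless the project is built with contract checking enabled.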
Clousot directly analyzes bytecode, so it is independent of the particular source language [15]. As a matter of fact, Clousot users include C# as well as VB programmers. All the internals of the analyzer are hidden from the user, to whom Clousot is exposed as an extension of the usual development environment (Fig. 2). At a high level, Clousot has three main phases: inference, checking and inter-module propagation. In the inference phase the program is analyzed to infer facts. In the checking phase the facts …
Related papers
Clousot: Static Contract Checking with Abstract Interpretation
We present an overview of Clousot, our current tool to statically check CodeContracts. CodeContracts enable a compiler- and language-independent specification of contracts (preconditions, postconditions and object invariants). Clousot checks every method in isolation using assume/guarantee reasoning: for each method under analysis Clousot assumes its precondition and asserts the postcondition. ...
Automatic Verification by Abstract Interpretation
We discuss the use of abstract interpretation in the context of automatic program verification requiring precise abstractions. We compare entirely manual versus user-guided abstractions ranging from program-specific abstractions including predicate abstraction to the systematic design of abstract domains and iteration strategies. 1 Abstract Interpretation Theory Abstract interpretation theory [1,...
Automated techniques for higher-order program verification
interpretation techniques are used to derive a control-flow analysis for a simple higher-order functional language. The analysis approximates the interprocedural control-flow of both function calls and returns in the presence of first-class functions and tail-call optimization. The analysis is systematically derived by abstract interpretation of the stack-based CaEK abstract machine of Flanagan...
Automated Techniques for Higher-Order Program Verification (NII Shonan Meeting 2011-5)
interpretation techniques are used to derive a control-flow analysis for a simple higher-order functional language. The analysis approximates the interprocedural control-flow of both function calls and returns in the presence of first-class functions and tail-call optimization. The analysis is systematically derived by abstract interpretation of the stack-based CaEK abstract machine of Flanagan...
Compiler verification for fun and profit
OF INVITED TALK Formal verification of software or hardware systems — be it by model checking, deductive verification, abstract interpretation, type checking, or any other kind of static analysis — is generally conducted over high-level programming or description languages, quite remote from the actual machine code and circuits that execute in the system. To bridge this particular gap, we all r...
Publication date: 2011