The Verification Corner - Specifications in Action with Spec#

Posted: Mar 01, 2010 at 7:44 AM

By: Peli de Halleux

(4)

23,791 Views

2 Comments

14 minutes, 32 seconds

Download

Right click “Save as…”

High Quality WMV (PC, Xbox, MCE)
MP3 (Audio only)
MP4 (iPod, Zune HD)
Mid Quality WMV (Lo-band, Mobile)

format
< > embed
+ queue

Sign In first to access your queue.
Close

Sorry, video was not added to the queue, an error occurred. Please Contact Us and let us know.
Close

Embed code for this video

Copy the code above to embed our video on your website/blog.

Video format

Auto
Use our suggested format for this video.
Smooth Streaming
Adaptive bitrate streaming - little buffering but lower video quality at times of low bandwidth.
Progressive
Traditional buffered video format.
HTML5
For browsers that support h264 MP4 or WebM video playback such as:
IE9+, Chrome 5+, or Safari 4+.

Note: These selections will fall back to the next best format depending upon browser capability.

In this episode of The Verification Corner, Rustan Leino gives a demonstration of specifications in action. He builds a program that chunks strings into pieces, i.e. a chunker, in Spec#. During the demo, he shows the verifier, the developer, and the specifications fit together in the development cycle. Rustan Leino is a Principal Researcher in the Research in Software Engineering (RiSE) group at Microsoft Research.

Try Spec# in your web browser at http://rise4fun/specsharp!
Find past and future episodes of the The Verification Corner!

The Verification Corner is a show on Software Verification Techniques and Tools. The show is produced by the Research in Software Engineering team (RiSE) , which coordinates Microsoft's research in Software Engineering in Redmond, USA.

That's a pretty impressive example. It makes clear how many possible bugs specifications can catch: a lot. It also makes me quite envious of Spec#. Hopefully these features will be incorporated into C# at some point in time; we do have Code Contracts for .Net but this syntax is so much better. It would also be very nice to be able to assign invariants to primitive type aliases, e.g.

alias nat = int where nat >= 1;

Maybe there's not that many use-cases for that feature though.

Non-nullness annotations is another very hot feature.

Also, since LINQ to Objects uses Dispose (as in IEnumerator extends IDisposable; the sole purpose of which is IO cleanup) can we then consider LINQ to Objects as impure and therefore not suitable for specifications?

Follow the Discussion

Subscribe to these comments

exoteric
Mar 01, 2010 at 8:52 PM quote reply
That's a pretty impressive example. It makes clear how many possible bugs specifications can catch: a lot. It also makes me quite envious of Spec#. Hopefully these features will be incorporated into C# at some point in time; we do have Code Contracts for .Net but this syntax is so much better. It would also be very nice to be able to assign invariants to primitive type aliases, e.g.
```
alias nat = int where nat >= 1;
```
Maybe there's not that many use-cases for that feature though.

Non-nullness annotations is another very hot feature.

Also, since LINQ to Objects uses Dispose (as in IEnumerator extends IDisposable; the sole purpose of which is IO cleanup) can we then consider LINQ to Objects as impure and therefore not suitable for specifications?
softwarekev

Mar 02, 2010 at 9:34 AM quote reply

Very nice, but I'd like to see the full postcondition for NextChunk. Perhaps, in your next episode, you could give an example of a postcondition containing, say, a quantified expression.

Remove this comment

Remove this thread

Comments Closed

Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums,
or Contact Us and let us know.