Research interests

My work focuses on formal verification, programming languages, and and software-correctness tools for software engineers.

Research projects

Dafny Dafny is a programming language designed with verification in mind, and its compiler includes a state-of-the-art program verifier.  The language offers forms of both imperative and functional programming and can also be used to express some mathematics.  The verifier runs in the background of the development environment.  Dafny has been used to verify challenging algorithms, is used in teaching at several universities, and has been used by award-winning teams at program verification competitions.  Dafny excels at providing an accessible integrated verification experience.
Joint work with Reza Ahmadi, Nada Amin, Chris Hawblitzel, Jason Koenig, Jay R. Lorch, Dan Matichuk, Michał Moskal, Peter Müller, Clément Pit--Claudel, Bryan Parno, Nadia Polikarpova, Tiark Rompf, Dan Rosén, Valentin Wüstholz, and others.
Jennisys Jennisys ("this is where programs begin") is a program synthesizer.
Joint work with Aleksandar Milicevic.
Chalice Chalice is an experimental language for concurrency.  Its specifications are based on Implicit Dynamic Frames with fractional permissions.
Joint work with Stefan Heule, Peter Müller, Jan Smans, Alex J. Summers, Kuat Yessenov, and others.
Boogie Boogie is an Intermediate Verification Language and a verification engine for that language.  It is used by more than a dozen verifiers for different languages.
Joint work with Mike Barnett, Sascha Böhme, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, Michał Moskal, Shaz Qadeer, Philipp Rümmer, and others.
Spec# Spec# is a superset of the language C# 2.0, adding contracts and non-null types.  It includes a static verifier for the contracts.
Joint work with Mike Barnett, Ádám Darvas, Manuel Fähndrich, Bart Jacobs, Ronald Middelkoop, Peter Müller, Wolfram Schulte, Herman Venter, Angela Wallenburg, and others.
Houdini Houdini is a specification wizard, originally for ESC/Java.  The technique infers specifications by guessing candidate specifications and then running an underlying checker to refute bad guesses.
Joint work with Cormac Flanagan, Rajeev Joshi, Michael Y. Levin, and others.
ESC/Java ESC/Java (which won the Most Influential 2002 PLDI Paper award) is a formal-methods based tool for statically finding software defects in Java programs.
Joint work with Cormac Flanagan, Gary T. Leavens, Mark Lillibridge, Todd Millstein, Greg Nelson, James B. Saxe, Raymie Stata, and others.
ESC/Modula-3 ESC is the original Extended Static Checker for the Modula-3 language.
Joint work with David L. Detlefs, Greg Nelson, and James B. Saxe.
Modula-3D A variant of the Modula-3 language for programming multicomputers.


PhD Computer Science, California Institute of Technology, 1995.
Advisor:  Prof. Dr. K. Mani Chandy
MS Computer Science, California Institute of Technology, 1993.
Advisor:  Prof. Dr. Jan L. A. van de Snepscheut
BA with Special Honors in Computer Science, The University of Texas at Austin, 1989.
Honors research advisor:  Prof. Dr. Louis E. Rosier


Seattle, WA, USA
Senior Principal Engineer (2017-present)
Redmond, WA, USA
Principal Researcher (2007-2017)
Senior Researcher (2006-2007)
Researcher (2001-2006)
Software design engineer, technical lead (1989-1991)
Imperial College London
London, UK
Visiting Professor (honorary post, 2012-2017)
Systems Research Center
Palo Alto, CA, USA
Computer science researcher (Jan 1995-Nov 2001)
Research intern (summer 1994)
Research intern (summer 1992)
Pasadena, CA, USA
Co-instructor, Mathematics of Program Construction (Fall 1994)
Co-instructor, Mathematics of Program Construction (Spring 1994)
Teaching assistant, Computation, Computers, Programs (Fall 1991-Spring 1994)
Graduate research assistant (Fall 1991-Fall 1994)
Austin, TX, USA
President, consultant (Feb 1988-May 1989)
UT Austin
Informal Classes
Austin, TX, USA
Instructor of various computer classes (Sep 1987-May 1989)
One-Eleven, Inc.
Austin, TX, USA
Programmer (Aug 1987-May 1989)


Professional distinctions

  • IFIP Fellow, 2022
  • CAV Award, 2019, received jointly with Jean-Christophe Filliâtre
  • ACM Fellow, 2016
  • Tool Used by Most Teams Award (for Dafny), VerifyThis @ ETAPS 2015 program verification competition
  • ACM SIGPLAN Most Influential 2002 PLDI Paper Award, 2012.  For the paper "Extended Static Checking for Java" by Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge, Greg Nelson, James B. Saxe, and Raymie Stata.
  • Shared Tool Used by Most Teams Award (for Dafny), VerifyThis @ FM 2012 program verification competition
  • Silver Medal (with Peter Müller), VSTTE 2012 Program Verification Competition
  • Best Paper Award, FM 2011 for the paper "Software Competition: Experience Report" by Vladimir Klebanov, et al.
  • IFIP Silver Core Award, 2010, awarded for outstanding service
  • Member, IFIP Working Group 2.3 "Programming Methodology", 2000-present.  (Secretary, 2003-2012.) (Vice Chair, 2014-2020.) (Chair, 2020-present.)

Graduate school awards and distinctions

  • Research supported by Digital Equipment Corporation Systems Research Center, Palo Alto, CA, 1992-93 and 1994-95.
  • American Scandinavian Foundation of Los Angeles. Scholarship, 1994.
  • One of about 75 computer science students selected worldwide to attend the International Summer School on Program Design Calculi, Marktoberdorf, Germany, 1992.

Undergraduate awards and distinctions

  • Upsilon Pi Epsilon, Computer Science Honors Society (elected officer, UT Austin, 1988-89).
  • College of Natural Sciences, College Scholar, UT Austin, 1988 and 1989.
  • The Honor Society of Phi Kappa Phi.
  • Phi Beta Kappa.
  • Golden Key National Honor Society.
  • Angus G. and Erna H. Pearson Endowed Scholarship, UT Austin, 1988.
  • Alpha Lambda Delta, Freshman Honor Society.
  • Phi Eta Sigma, Freshman Honor Society.

High school awards and distinctions

  • Among numerous other academic high school awards, won 1st place Advanced Level, Kentucky Council Teachers of Mathematics High School Math Contest, 1985-86.
  • Among other high school programming contests first places, tied 5th place in the 1986 International Computer Program Solving Contest, in which 2500 teams from 13 countries participated. (With team mates Robert S. French and Dean Brooks.)
  • Among several other musical awards in high school, selected to play in the 1986 Kentucky All-State Symphonic Band. (Bass saxophone and baritone saxophone.)

Advisory committees

Thesis committees

  • Habilitation thesis committees:
    • Jean-Christophe Filliâtre, Université Paris Sud 11 (December 2011).
    • Claude Marché, University Paris 11 (2005).
  • PhD thesis committees:
    • Jatin Arora, CMU (August 2024).  Advisor: Umut A. Acar.
    • Tim Woods, Imperial College London (December 2016).  Internal reviewer.  Advisor: Sophia Drossopoulou.
    • Martin Hentschel, TU Darmstadt (March 2016).  External reviewer.  Advisor:  Reiner Hähnle.
    • Nadia Polikarpova, ETH Zurich (April 2014).  External reviewer.  Advisor:  Bertrand Meyer.
    • Nicholas Smallbone, Chalmers Technical University (May 2013).  Opponent.  Advisor:  Koen Claessen.
    • Ronald Middelkoop, Technical University Eindhoven (November 2011).  External reviewer.  Advisor: Ruurd Kuiper and Kees Huizing.  Professor:  Mark G. J. van den Brand.
    • Aliaksei Ttsitovich, University of Lugano (February 2011).  Advisor: Natasha Sharygina.
    • Radu Grigore, University College Dublin (August 2010).  External reviewer.  Advisor:  Joe Kiniry.
    • Yannick Moy, Université Paris 11 (2009).  External reviewer.  Advisor: Claude Marché.
    • Cristina Cerschi Seceleanu, Åbo Akademi University (2005).  External reviewer and Opponent.  Advisor:  Academy Prof. Dr. Ralph-Johan Back.
    • Rajeev Joshi, The University of Texas at Austin (1999).  Advisor:  Prof. Dr. Jayadev Misra.

Editorial boards

  • Editorial board, Journal of Automated Reasoning, 2007-present.

Project advice

  • Project evaluator, Research theme: Proof and Verification, INRIA, 2015.
  • Project evaluator, Research theme A: Symbolic systems, INRIA, 2006.
  • Scientific advisory board, Mobius project, 2005-2007.
  • Project retreat external visitor, Open Software Quality project, UC Berkeley, May 2001.

Steering committees

  • Programming Languages meet Program Verification (PLPV) workshop (2011-2015)
  • ETAPS steering committee (2011-2012)
  • BOOGIE workshop on intermediate verification languages (2011-2012)
  • Formal Techniques for Java-like Programs (FTfJP) workshop (2004-present)

Program committees

  • 13th International Conference on integrated Formal Methods (iFM 2017), Torino, Italy (September 2017).
  • 29th International Conference on Computer-Aided Verification (CAV 2017), Heidelberg, Germany (July 2017).
  • Formal Methods (FM 2016), Limassol, Cyprus (November 2016).
  • 3rd Workshop on Formal Integrated Development Environment (F-IDE 2016), at FM 2016, Limassol, Cyprus (November 2016).
  • 8th Working Conference on Verified Software: Theories, Tools, and Experiments (VSTTE 2016), Toronto, ON, Canada (July 2016).
  • Co-chair, International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI 2016), St Petersburg, FL, USA (January 2016).
  • 20th International Conference on Logic for Programming, Artificial Intelligence and Reasoning (LPAR-20), Suva, Fiji (November 2015).
  • Formal Methods (FM 2015), Oslo, Norway (June 2015).
  • 7th NASA Formal Methods Symposium (NFM 2015), Pasadena, CA, USA (April 2015).
  • 2nd Workshop on Formal Integrated Development Environment (F-IDE 2015), at FM 2015, Oslo, Norway (June 2015).
  • 1st Workshop on Formal Integrated Development Environment (F-IDE 2014), at ETAPS 2014, Grenoble, France (April 2014).
  • Workshop on Formal Techniques for Java-like Programs (FTfJP 2013), at ECOOP 2013, Montpellier, France (2013).
  • ESEC/FSE 2013 Tool Demos (ESEC/FSE Tools), Saint Petersburg, Russia (August 2013).
  • 24th International Conference on Automated Deduction (CADE-24), Lake Placid, NY (June 2013).
  • 27th European Conference on Object-Oriented Programming (ECOOP 2013), Montpellier, France (June 2013).
  • Formal Methods (FM 2012), Paris, France (August 2012).
  • 26th European Conference on Object-Oriented Programming (ECOOP 2012), Beijing, China (June 2012).
  • Eighteenth International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2012), Tallinn, Estonia (March 2012).
  • Verified Software: Theories, Tools and Experiments (VSTTE 2012), Philadelphia, PA (January 2012).
  • Co-chair, First International Workshop on Intermediate Verification Languages (BOOGIE 2011), Wrocław, Poland (August 2011).
  • Workshop on Formal Techniques for Java-like Programs (FTfJP 2011), Lancaster UK (July 2011).
  • Co-chair, Seventeenth International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2011), Saarbrücken, Germany (March-April 2011).
  • Verified Software: Theories, Tools and Experiments (VSTTE 2010), Edinburgh, Scotland (August 2010).
  • International Joint Conference on Automated Reasoning (IJCAR 2010), Edinburgh, Scotland (July 2010).
  • Programming Languages meets Program Verification (PLPV 2010), Madrid, Spain (January 2010).
  • Verification, Model Checking, and Abstract Interpretation (VMCAI 2010), Madrid, Spain (January 2010).
  • 11th International Conference on Formal Engineering Methods (ICFEM 2009), Rio de Janeiro, Brazil (December 2009).
  • International Workshop on Aliasing, Confinement and Ownership in object-oriented programming (IWACO 2009) (July 2009).
  • Seventh International Andrei Ershov Memorial Conference, Perspectives of System Informatics (PSI 2009), Novosibirsk, Russia (June 2009).
  • Programming Languages meets Program Verification (PLPV 2009), Savannah, Georgia (January 2009).
  • 15th International Symposium on Formal Methods (FM 2008), Turku, Finland (May 2008).
  • Verification, Model Checking, and Abstract Interpretation (VMCAI 2008), San Francisco, CA (January 2008).
  • Ninth International Conference on Formal Engineering Methods (ICFEM 2007), Boca Raton, FL, USA (November 2007).
  • International Workshop on Aliasing, Confinement and Ownership in Object-Oriented Programming (IWACO 2007), at ECOOP 2007, Berlin, Germany (July 2007).
  • Workshop on Programming Languages and Analysis for Security (PLAS 2007), at PLDI 2007, San Diego, CA, USA (June 2007).
  • International Conference TOOLS EUROPE 2007 - Objects, Models, Components, Patterns, Zurich, Switzerland (June 2007).
  • Foundations and Developments of Object-Oriented Languages (FOOL/WOOD 2007), at POPL 2007, Nice, France (January 2007).
  • Co-chair, Workshop on Verified Software: Theories, Tools, and Experiments (VSTTE 2006), at FLoC 2006, Seattle, WA, USA (August 2006).
  • Formal Methods (FM 2006), Hamilton, Canada (August 2006).
  • 15th International Conference on Compiler Construction (CC 2006), Vienna, Austria (March 2006).
  • Workshop on Formal Techniques for Java-like Programs (FTfJP 2006), at ECOOP, Nantes, France (July 2006).
  • Fourth workshop on Specification and Verification of Component-Based Systems (SAVCBS 2005), at ESEC/FSE 2005, Lisbon, Portugal (September 2005).
  • 3rd International Conference on Software Engineering and Formal Methods (SEFM 2005), Koblenz, Germany (September 2005).
  • 1st International Workshop on Abstract Interpretation of Object-Oriented Languages (AIOOL), at VMCAI 2005, Paris, France (January 2005).
  • 14th International Conference on Compiler Construction (CC 2005), Edinburgh, Scotland (April 2005).
  • Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2004), at ACM SIGSOFT 2004/FSE-12, Newport Beach, California (October/November 2004).
  • 2nd International Conference on Software Engineering and Formal Methods (SEFM 2004), Beijing, China (September 2004).
  • Mathematics of Program Construction (MPC 2004), Stirling, Scotland, UK (July 2004).
  • 2nd International Workshop on .NET Technologies'2004, University of West Bohemia, Campus-Bory Plzen, Czech Republic (31 May - 2 June 2004).
  • Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2003), at ESEC/FSE, Helsinki, Finland (September 2003).
  • Workshop on Formal Techniques for Java-like Programs (FTfJP 2003), at ECOOP, Darmstadt, Germany (July 2003).
  • Prato workshop on Trusted Components, Prato, Italy (January 2003).
  • Workshop on Formal Techniques for Java-like Programs (FTfJP 2002), at ECOOP, Málaga, Spain (June 2002).
  • Workshop on Foundations of Aspect-oriented Languages (FOAL), at AOSD, Enschede, The Netherlands (April 2002).
  • Mathematics of Program Construction (MPC 2002), Schloss Dagstuhl, Germany (July 2002).
  • ACM Symposium on Principles of Programming Languages (POPL'02), Portland, Oregon (January 2002).
  • Workshop on Specification and Verification of Component-Based Systems (SAVCBS 2001), at OOPSLA, October 2001.
  • Workshop on Formal Techniques for Java Programs (FTfJP 2001), at ECOOP, Budapest, Hungary (June 2001).
  • The Second International Workshop on Automated Program Analysis, Testing and Verification (WAPATV), at ICSE, Toronto, Canada (May 2001).
  • Mathematics of Program Construction (MPC 2000), Ponte de Lima, Portugal, July 2000.
  • The First International Workshop on Automated Program Analysis, Testing and Verification (WAPATV), at ICSE, University of Limerick, Ireland, June 2000.
  • Intercontinental Workshop on Aliasing in Object-Oriented Systems (IWAOOS'99), in conjunction with ECOOP, Lisbon, Portugal, June 1999.
  • The Sixth International Workshop on Foundations of Object-Oriented Languages (FOOL 6), at POPL, San Antonio, TX, January 1999.

External Review Committees

  • 40th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2013), External Review Committee, Rome, Italy.


  • Intern mentor, Amazon Web Services:
    • Tabea Bordis (KIT), 2023.
    • Gaurav Parthasarathy (ETH Zurich), 2022.
    • Stefan Zetzsche (University College London), 2021.
    • Jatin Arora (CMU), 2021.
    • Wouter Schols (Eindhoven University of Technology), 2020.
    • Marianna Rapoport (U. Waterloo), 2019.
    • Sam Gruetter (MIT), 2019.
    • Vihang Patel (Texas A&M), 2019.
    • Jared Lim (Cornell), 2019.
    • Joshua Gancher (Cornell), 2019.
    • Matthias Schlaipfer (TU Vienna), 2019.
    • Daniel Schoepe (Chalmers), 2018.
    • Steven S. Lyubomirsky (U. Washington), 2018.
    • James Bornholt (U. Washington), 2018.
  • Research intern mentor, Microsoft Research:
    • James Wilcox (U. Washington), shared intern with Jay Lorch, 2017.
    • Daniel Matichuk (Software Systems Research Group at Data61), 2016.
    • Kenny Foner (U. Penn), 2016.
    • Clément Pit--Claudel (MIT), 2015.
    • Dan Rosén (Chalmers), 2014.
    • Maria Christakis (ETH Zurich), 2013.
    • Valentin Wüstholz (ETH Zurich), 2013.
    • Jason Koenig (CMU), 2011, 2012.
    • Aleksandar Milicevic (MIT), 2011.
    • Kuat Yessenov (MIT), 2010.
    • Claire Le Goues (U. Virginia), 2009.
    • Philipp Rümmer (Chalmers), 2008, 2009.
    • Ronald Middelkoop (TU Eindhoven), 2007.
    • Ralf Sasse (UI Urbana-Champaign), 2007.
    • Ádám Darvas (ETH Zurich), 2006.
    • Angela Wallenburg (Chalmers), 2006.
    • Bor-Yuh Evan Chang (UC Berkeley), 2004, 2005.
    • Xinming Ou (Princeton), 2004.
    • Rob Klapper (Washington University in St. Louis), 2003.
    • Viktor Kuncak (MIT), 2002.
  • Mentor, Compaq SRC:
    • Stephen N. Freund, 2000-2001.
    • Rajeev Joshi, 1999-2001.
    • Cormac Flanagan, 1997-2001.
    • Raymie Stata, 1996-2000.
  • Research intern host, Compaq SRC:
    • Todd Millstein (University of Washington), 1999.
    • Rajeev Joshi (The University of Texas at Austin), 1997.

Other professional activities

  • Delegate, National Academy of Engineering / UK Royal Academy of Engineering / Chinese Academy of Engineering Global Grand Challenges Summit, Washington, DC, USA, 2018.
  • Delegate, National Academy of Engineering / UK Royal Academy of Engineering / Chinese Academy of Engineering Global Grand Challenges Summit, Beijing, China, 2016.
  • Microsoft Achievement Award (awarded 2011, used Aug-Oct 2013)
  • Delegate, National Academy of Engineering / UK Royal Academy of Engineering / Chinese Academy of Engineering Global Grand Challenges Summit, London, UK, 2013.
  • National Academy of Engineering Japan-America Frontiers of Engineering symposium, Irvine, CA, Nov 2009.
  • National Academy of Engineering Frontiers of Engineering symposium, Redmond, WA, 2007.
  • Summer intern czar (program coordinator), Compaq SRC, 1998.
  • Graduate Admissions Committee, Computer Science, Caltech, 1994.
  • Contributing editor to Cobb Journal on Microsoft Word for the PC, 1990-1991.
  • Contributor to the LAN Manager Programming Reference, Microsoft Press, 1990.
  • Member of the Association for Computing Machinery, 1989-present.


  • Cormac Andrias Flanagan and K. Rustan M. Leino.  Method and apparatus for automatically inferring annotations.  U.S. Patent 7,120,902, October 2006.
  • K. Rustan M. Leino, Todd David Millstein, and James B. Saxe.  System and method for verifying computer program correctness and providing recoverable execution trace information.  U.S. Patent 7,024,661, April 2006.
  • Cormac Andrias Flanagan and K. Rustan M. Leino.  Method and apparatus for organizing warning messages.  U.S. Patent 6,978,443, December 2005.
  • Raymond Paul Stata, Cormac Flanagan, K. Rustan M. Leino, Mark D. Lillibridge, and James Benjamin Saxe.  System and method for lexing and parsing program annotations.  U.S. Patent 6,353,925, March 2002.
  • K. Rustan M. Leino, Mark David Lillibridge, and Raymond Paul Stata. Method and apparatus for statically analyzing a computer program for data dependencies. U.S. Patent 5,987,252, November 1999.

