Handling Integer Arithmetic in the Verification of Java Programs

Size: px

Start display at page:

Download "Handling Integer Arithmetic in the Verification of Java Programs"

Garey Park
5 years ago
Views:

1 Handling Integer Arithmetic in the Verification of Java Programs Steffen Schlager 1st Swedish-German KeY Workshop Göteborg, Sweden, June 2002 KeY workshop, June 2002 p.1

2 Introduction UML/OCL specification JAVA implementation Dynamic Logic proof obligations OCL-DL translation KeY workshop, June 2002 p.2

3 Specification OCL-type INTEGER KeY workshop, June 2002 p.3

4 Specification OCL-type INTEGER infinite range KeY workshop, June 2002 p.3

5 Specification OCL-type INTEGER infinite range arithmetical operations have same semantics as in mathematics KeY workshop, June 2002 p.3

6 Implementation Primitive integer JAVA types,,, KeY workshop, June 2002 p.4

7 Implementation Primitive integer JAVA types,,, different finite ranges KeY workshop, June 2002 p.4

8 Implementation Primitive integer JAVA types,,, different finite ranges Semantics of arithmetical operators as in UML/OCL with following restriction: KeY workshop, June 2002 p.4

9 Implementation Primitive integer JAVA types,,, different finite ranges Semantics of arithmetical operators as in UML/OCL with following restriction: If result exceeds range overflow occurs! KeY workshop, June 2002 p.4

10 Overflow Calculation of overflow: x + ( MIN_T)mod 2 ( MIN_T) ( MIN_T) Examples: 1111B 0000B 0001 B 1110 B B 1101B B 1100B B 1011B B 1010B B 1001 B 0111B 1000 B KeY workshop, June 2002 p.5

11 Overflow Calculation of overflow: x + ( MIN_T)mod 2 ( MIN_T) ( MIN_T) Examples: 1111B 0000B 0001 B B 1101B B 0011 B 1100B B 1011B B 1010B B 1001 B 0111B 1000 B KeY workshop, June 2002 p.5

12 Overflow Calculation of overflow: x + ( MIN_T)mod 2 ( MIN_T) ( MIN_T) Examples: 1111B 0000B 0001 B B 1101B B 0011 B 1100B B 1011B B 1010B B 1001 B 0111B 1000 B KeY workshop, June 2002 p.5

13 Overflow Calculation of overflow: x + ( MIN_T)mod 2 ( MIN_T) ( MIN_T) Examples: 1111B 0000B 0001 B B 1101B B 0011 B B 1011B B 0101 B 1010B B 1001 B 0111B 1000 B KeY workshop, June 2002 p.5

14 Overflow Calculation of overflow: x + ( MIN_T)mod 2 ( MIN_T) ( MIN_T) Examples: 1111B 0000B 0001 B B 1101B B 0011 B in general: 1100B 1011B B 0101 B B B 1001 B 0111B 1000 B KeY workshop, June 2002 p.5

15 Proof Obligations Proof obliagations are JavaDL formulas generated from specification and implementation (discussed in Uwe Keller s talk) KeY workshop, June 2002 p.6

16 Proof Obligations Proof obliagations are JavaDL formulas generated from specification and implementation (discussed in Uwe Keller s talk) OCL-DL translation. = 2 x := x} x { KeY workshop, June 2002 p.6

17 Proof Obligations Proof obliagations are JavaDL formulas generated from specification and implementation (discussed in Uwe Keller s talk) OCL-DL translation. = 2 x := x} x { type of x? KeY workshop, June 2002 p.6

18 Problems JavaDL integer semantics should correspond to the behaviour of arithmetic in UML/OCL KeY workshop, June 2002 p.7

19 Problems JavaDL integer semantics should correspond to the behaviour of arithmetic in UML/OCL JavaDL integer semantics must reflect the Java semantics KeY workshop, June 2002 p.7

20 Problems JavaDL integer semantics should correspond to the behaviour of arithmetic in UML/OCL which semantics for integer arithmetic??? JavaDL integer semantics must reflect the Java semantics KeY workshop, June 2002 p.7

21 Semantics S OCL First semantics S OCL : KeY workshop, June 2002 p.8

22 Semantics S OCL First semantics S OCL : motivated by the OCL KeY workshop, June 2002 p.8

23 Semantics S OCL First semantics S OCL : motivated by the OCL primitive JAVA types,,, and are interpreted like OCL-INTEGER infinite range! KeY workshop, June 2002 p.8

24 Semantics S OCL First semantics S OCL : motivated by the OCL primitive JAVA types,,, and are interpreted like OCL-INTEGER infinite range! arithmetical JAVA operations,,... are interpreted like the OCL operators no overflow! KeY workshop, June 2002 p.8

25 Semantics S OCL Advantages: x y(y > x) is valid for type KeY workshop, June 2002 p.9

26 Semantics S OCL Advantages: x y(y > x) is valid for type Problems: incorrect programs may be verified E. g.:. = + 1 KeY workshop, June 2002 p.9

27 Semantics S Java Second semantics S Java : KeY workshop, June 2002 p.10

28 Semantics S Java Second semantics S Java : primitive JAVA types,,, and are interpreted as defined in lang-spec different finite ranges! KeY workshop, June 2002 p.10

29 Semantics S Java Second semantics S Java : primitive JAVA types,,, and are interpreted as defined in lang-spec different finite ranges! arithmetical JAVA operations,,... are interpreted as defined in lang-spec overflow! KeY workshop, June 2002 p.10

30 Semantics S Java Advantages: no incorrect programs can be verified KeY workshop, June 2002 p.11

31 Semantics S Java Advantages: no incorrect programs can be verified Problems: x y(y > x) not valid for type might be confusing in proving incidentally correct programs! KeY workshop, June 2002 p.11

32 Incidentally Correct Programs What does it mean? KeY workshop, June 2002 p.12

33 Incidentally Correct Programs What does it mean? overflow not intended by modeler and/or programmer E. g.: even( ) even( ) behaviour of program differs from the modeler s and programmer s understanding KeY workshop, June 2002 p.12

34 Incidentally Correct Programs What does it mean? overflow not intended by modeler and/or programmer E. g.: even( ) even( ) behaviour of program differs from the modeler s and programmer s understanding Problems of incidentally correct programs: occuring mostly if specification is incomplete or inadequate KeY workshop, June 2002 p.12

35 Incidentally Correct Programs What does it mean? overflow not intended by modeler and/or programmer E. g.: even( ) even( ) behaviour of program differs from the modeler s and programmer s understanding Problems of incidentally correct programs: occuring mostly if specification is incomplete or inadequate source of error in ongoing software development process KeY workshop, June 2002 p.12

36 Incidentally Correct Programs What does it mean? overflow not intended by modeler and/or programmer E. g.: even( ) even( ) behaviour of program differs from the modeler s and programmer s understanding Problems of incidentally correct programs: occuring mostly if specification is incomplete or inadequate source of error in ongoing software development process incidentally correct programs should be detected KeY workshop, June 2002 p.12

37 Our Approach Goals: Combining advantages of S OCL and S Java Avoiding disadvantages of S OCL and S Java KeY workshop, June 2002 p.13

38 Our Approach Goals: Combining advantages of S OCL and S Java Avoiding disadvantages of S OCL and S Java Approach: Extension of JAVA syntax by additional data types KeY workshop, June 2002 p.13

39 Our Approach Goals: Combining advantages of S OCL and S Java Avoiding disadvantages of S OCL and S Java Approach: Extension of JAVA syntax by additional data types JavaDL integer semantics S KeY KeY workshop, June 2002 p.13

40 Our Approach Extension of JAVA syntax additional integer types,,, and (called arithmetical types ) KeY workshop, June 2002 p.14

41 Our Approach Extension of JAVA syntax additional integer types,,, and (called arithmetical types ) Semantics S KeY arithmetical types have infinite range KeY workshop, June 2002 p.14

42 Our Approach Extension of JAVA syntax additional integer types,,, and (called arithmetical types ) Semantics S KeY arithmetical types have infinite range semantics of arith. operators as in OCL with one restriction: If the arguments are in valid range, the result must be in valid range. KeY workshop, June 2002 p.14

43 Our Approach unreal state real state KeY workshop, June 2002 p.15

44 Our Approach unreal state real state KeY workshop, June 2002 p.15

45 Our Approach unreal state real state KeY workshop, June 2002 p.15

46 Our Approach unreal state real state KeY workshop, June 2002 p.15

47 Our Approach unreal state real state KeY workshop, June 2002 p.15

48 Some Theory well-typedness is preserved by program transformation ptransf KeY workshop, June 2002 p.16

49 Some Theory well-typedness is preserved by program transformation ptransf If Γ ψ is derivable and startet in a real state, then no overflow occurs in ptransf ( ) ptransf ( ) terminates in a virtual machine state that is isomorphic to the final JavaDL state KeY workshop, June 2002 p.16

50 Steps in Software Development Software development following our approach: Specification: use of OCL type INTEGER KeY workshop, June 2002 p.17

51 Steps in Software Development Software development following our approach: Specification: use of OCL type INTEGER Implementation: use of arithmetical types (e. g. ) KeY workshop, June 2002 p.17

52 Steps in Software Development Software development following our approach: Specification: use of OCL type INTEGER Implementation: use of arithmetical types (e. g. ) Verification: if all proof obligations are derivable in our calculus specified properties hold no overflow occurs KeY workshop, June 2002 p.17

53 A Sequent Calculus Calculus contains about 40 rules. Example: Multiplication rule for arithmetical types 1. Γ, in 1 ( 1), in 2 ( 2) in ( 1 2), 2. Γ ({ 1 2}U) π ω φ, Γ U π 1 2 ω φ, KeY workshop, June 2002 p.18

54 Example PIN-check example (see diploma thesis): KeY workshop, June 2002 p.19

55 Example PIN-check example (see diploma thesis): UML/OCL specification Spec UML incomplete, does not reflect the informal specification Spec lang KeY workshop, June 2002 p.19

56 Example PIN-check example (see diploma thesis): UML/OCL specification Spec UML incomplete, does not reflect the informal specification Spec lang Impl. I 1 using built-in type correct with resp. to Spec UML I 1 not correct with resp. to Spec lang due to overflow KeY workshop, June 2002 p.19

57 Example PIN-check example (see diploma thesis): UML/OCL specification Spec UML incomplete, does not reflect the informal specification Spec lang Impl. I 1 using built-in type correct with resp. to Spec UML I 1 not correct with resp. to Spec lang due to overflow Impl. I 2 ( replaced by ) not correct with resp. to Spec UML Impl. must be changed so that no overflow occurs Specification error uncovered using arithmetical types KeY workshop, June 2002 p.19

58 Summary Conclusion Extension of JAVA syntax JavaDL integer semantics S KeY Sequent calculus for JAVA integer arithmetic based on S KeY KeY workshop, June 2002 p.20

59 Summary Conclusion Extension of JAVA syntax JavaDL integer semantics S KeY Sequent calculus for JAVA integer arithmetic based on S KeY Future work Extension of OCL with additional types KeY workshop, June 2002 p.20

Software Verification with Integrated Data Type Refinement for Integer Arithmetic

Software Verification with Integrated Data Type Refinement for Integer Arithmetic Bernhard Beckert 1 and Steffen Schlager 2 1 University of Koblenz-Landau, Institute for Computer Science D-56072 Koblenz,