Enhancing the Alloy Analyzer with Patterns of Analysis

Similar documents
ESC/Java 2. Checker for Java 2. Extended. Static. B y K ats man Andrey S oftware E ngineering S em inar

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

The Java Modeling Language JML

Java Modeling Language (JML)

EXAMINATIONS 2009 MID-TERM TEST. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering WITH ANSWERS

Seminar in Software Engineering. DySy. Dynamic Symbolic Execution for Invariant Inference. April 28th Lukas Schwab

Formal Systems II: Applications

Type Hierarchy. Lecture 6: OOP, autumn 2003

Static program checking and verification

VS 3 : SMT Solvers for Program Verification

EXAMINATIONS 2009 END-OF-YEAR. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering

Conceptual modeling of entities and relationships using Alloy

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Loop Invariant Examples

Exercise 3 Subtyping and Behavioral Subtyping October 13, 2017

Specification-based Testing of Embedded Systems H. Schlingloff, SEFM 2008

The CIFF Proof Procedure for Abductive Logic Programming with Constraints

Fondamenti della Programmazione: Metodi Evoluti. Lezione 5: Invariants and Logic

CS 161 Computer Security

Program Verification (6EC version only)

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

On Search Strategies for Constraint-Based Bounded Model Checking. Michel RUEHER

Alloy: A Lightweight Object Modelling Notation

ESC/Java2 extended static checking for Java Erik Poll Radboud University Nijmegen

SWEN 224 Formal Foundations of Programming

From OCL to Propositional and First-order Logic: Part I

Decision Procedures for Equality Logic. Daniel Kroening and Ofer Strichman 1

Checking Program Properties with ESC/Java

TIME-BASED CONSTRAINTS IN THE OBJECT CONSTRAINT LANGUAGE OCL

Specification tips and pitfalls

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Reachability Analysis for Annotated Code

Lecture Notes: Hoare Logic

Advances in Programming Languages

5.5 Behavioral Subtyping

CS Bootcamp Boolean Logic Autumn 2015 A B A B T T T T F F F T F F F F T T T T F T F T T F F F

Fundamentals of Software Engineering

Formal Methods for Java

An Aspect-Oriented Approach. Henrique Rebêlo Informatics Center

CITS5501 Software Testing and Quality Assurance Formal methods

Cover Page. The handle holds various files of this Leiden University dissertation

Automated Debugging with Error Invariants

Section 2.2: Introduction to the Logic of Quantified Statements

JML and Aspects: The Benefits of

Object Oriented Issues in VDM++

Model Finder. Lawrence Chung 1

Verification Condition Generation

Logic and its Applications

Hoare Logic: Proving Programs Correct

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Introduction to Logic Programming

Research Paper on Implementation of OCL Constraints in JAVA

Query formalisms for relational model relational calculus

Spark verification features

Functor abstract domain by example

An Annotated Language

Formal Specification and Verification

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

The Java Modeling Language (Part 2)

Scalable Web Service Composition with Partial Matches

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Runtime Checking for Program Verification Systems

15-819M: Data, Code, Decisions

Propositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

What is a Logic Program. Introduction to Logic Programming. Introductory Examples. Introductory Examples. Foundations, First-Order Language

Advances in Programming Languages

Minimum Satisfying Assignments for SMT. Işıl Dillig, Tom Dillig Ken McMillan Alex Aiken College of William & Mary Microsoft Research Stanford U.

Verification of JML Generic Types with Yices

Formal Methods. CITS5501 Software Testing and Quality Assurance

Universe Type System for Eiffel. Annetta Schaad

Constraint-Based Search Strategies For Bounded Program Verification. Michel RUEHER

Verifying JML specifications with model fields

Program Verification. Program Verification 307/434

Where Can We Draw The Line?

ESC/Java2 Use and Features

ESC/Java2 Use and Features

Specification-based Testing of Embedded Systems H. Schlingloff, SEFM 2008

Review: Hoare Logic Rules

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Software Specifications. CMSC 433 Programming Language Technologies and Paradigms Spring Specifications Help You Write Code

OO Design Principles

22c:181 / 55:181 Formal Methods in Software Engineering

Chapter 3: Propositional Languages

A short manual for the tool Accumulator

FMSE: Lecture 1. The Specification Language Z: Introduction

Java Modelling Language (JML) References

Watching Clauses in Quantified Boolean Formulae

Overview The Java Modeling Language (Part 1) Related Work

Advances in Programming Languages

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Integrating a SAT Solver with Isabelle/HOL

Syntax of Eiffel: a Brief Overview

Programming Languages Third Edition

Commands, and Queries, and Features. Syntax of Eiffel: a Brief Overview. Escape Sequences. Naming Conventions

Chapter 5 7. num = 0 repeat: if (num is Odd ) print (num is Odd) num = num + 1 until (num < 50) 11. Suppose N is the given integer.

Expressing General Problems as CSPs

Today s Lecture. Are These Theorems of POTS? RAISE. Lecture 20: Descriptive Specifications (Continued)

A Robustness Testing Approach for an Object Oriented Model

Overview. CS389L: Automated Logical Reasoning. Lecture 6: First Order Logic Syntax and Semantics. Constants in First-Order Logic.

FORMAL METHODS IN NETWORKING COMPUTER SCIENCE 598D, SPRING 2010 PRINCETON UNIVERSITY LIGHTWEIGHT MODELING IN PROMELA/SPIN AND ALLOY

Transcription:

Enhancing the Alloy Analyzer with Patterns of Analysis William Heaven in collaboration with Alessandra Russo Imperial College London

Motivation Formal techniques not yet widely adopted by programmers. Commercial pressure to produce higher quality software is increasing.

Motivation Formal techniques not yet widely adopted by programmers. Commercial pressure to produce higher quality software is increasing. Software developers favour so-called lightweight techniques that provide immediate returns and sit comfortably with activity of implementation.

Motivation Formal techniques not yet widely adopted by programmers. Commercial pressure to produce higher quality software is increasing. Software developers favour so-called lightweight techniques that provide immediate returns and sit comfortably with activity of implementation. Existing lightweight techniques (such as JML and Alloy) still suffer shortcomings Notation Limited or misleading feedback from tools

JML Example class BadInvariant { //@ invariant x.equals (y) &&! x.equals (y); Integer x = new Integer (1); Integer y = new Integer (1); } //@ requires true; //@ ensures x!= k; void setx (Integer k) { x = k; }

JML Example class BadInvariant { //@ invariant x.equals (y) &&! x.equals (y); Integer x = new Integer (1); Integer y = new Integer (1); } //@ requires true; //@ ensures x!= k; void setx (Integer k) { x = k; } INV PRE CODE -> POST

JML Example class BadInvariant { //@ invariant x.equals (y) &&! x.equals (y); Integer x = new Integer (1); Integer y = new Integer (1); } //@ requires true; //@ ensures x!= k; void setx (Integer k) { x = k; } INV PRE CODE -> POST ESC/Java2 passes setx... implication vacuously true.

Alloy Example sig Project { } sig Employee { project : Project } sig Pool extends Employee { } { no project } fact { some Pool } pred PropertyTest () { some e : Employee e not in Pool } run PropertyTest for 4 Γ P

Alloy Example sig Project { } sig Employee { project : Project } sig Pool extends Employee { } { no project } fact { some Pool } pred PropertyTest () { some e : Employee e not in Pool } run PropertyTest for 4 Γ P Analyzer suggests that PropertyTest is inconsistent with the specification. But is this really all?

Alloy Example sig Project { } sig Employee { project : Project } sig Pool extends Employee { } { no project } fact { some Pool } pred PropertyTest () { some e : Employee e not in Pool } run PropertyTest for 4 Γ P Γ P

Aims & Approach Development of a lightweight specification environment for OO programs that provides richer analysis feedback.

Aims & Approach Development of a lightweight specification environment for OO programs that provides richer analysis feedback. Loy Lightweight specification language for OO programs built upon Alloy. Patterns of analysis For richer feedback.

Example Loy Specification class Project { manager : Manager invariant some manager } class ManagedEmployee extends Employee { manager : Manager depends manager <- project class Employee { project : Project invariant no project.manager } assign (p : Project) requires no project ensures project' = p modifies project } assign (p : Project) requires no project ensures project' = p and manager' = p.manager modifies project

Analysis Check consistency of invariants invariants and precondition invariants and postcondition precondition and postcondition postcondition and frame condition.. Check behavioural subtype properties invariants of subtype imply invariants of supertype overriding postconditions imply overridden postconditions..

Pattern Application Check that invariant and postcondition of assign in ManagedEmployee (type B) together imply postcondition of assign in Employee (type A) Φ : assign-post B INV B --> assign-post A

Pattern Application Check that invariant and postcondition of assign in ManagedEmployee (type B) together imply postcondition of assign in Employee (type A) Φ : assign-post B INV B --> assign-post A 1) Apply pattern for --> to Φ Pattern warns of vacuous satisfiability of Φ due to unsatisfiable antecedent.

Pattern Application Check that invariant and postcondition of assign in ManagedEmployee (type B) together imply postcondition of assign in Employee (type A) Φ : assign-post B INV B --> assign-post A 1) Apply pattern for --> to Φ Pattern warns of vacuous satisfiability of Φ due to unsatisfiable antecedent. 2) Apply pattern for to antecedent Pattern checks satisfiability of each combination of conjunct and identifies unsatisfiability of assign-post B INV B.

Example Loy Specification class Project { manager : Manager invariant some manager } class ManagedEmployee extends Employee { manager : Manager depends manager <- project class Employee { project : Project invariant no project.manager } assign (p : Project) requires no project ensures project' = p modifies project } assign (p : Project) requires no project ensures project' = p and manager' = p.manager modifies project

Negation and Conjunction YES apply [A] T SAT [ A] T Negation NO Q: Why is A valid? apply [A] T YES NO SAT [ (A A)] T SAT [A A] T SAT [A] T, SAT [ A] T SAT [A1.. An] T YES Q: Is Ai vacuously satisfied? apply [Ai] T, 1 i n NO Q: Why is A1.. An unsatisfiable? apply [Ai 1.. Aj k ] T, Conjunction 1 i < j n, 1 k < n

Implication SAT [A -> B] T YES NO SAT [A] T YES NO SAT [ B] T WARNING YES NO YES NO SAT [(A A) -> B] T SAT [A A] T WARNING [vacuously SAT.] apply [A] T, apply [B] T WARNING Q: Why is A valid? apply[a] T, Q: Why is B unsatisfiable? apply[b] T Implication

Universal Quantification SAT [all x : X. A (x)] T YES NO SAT [all x : X. some y : Y. P (x,y)] T NO YES X {} NO SAT [ some y : Y. P (x,y)] (x,x) + T YES Q: Is A(x) vacuously satisfiable? apply [A(x)] (x,x) + T WARNING apply [some y : Y. P (x,y)] (x,x) + T SAT [ A(x)] (x,x) + T We know formula is unsatisfiable for at least one value of x. This SAT query will provide a value. YES Q: Is A(x) satisfiable? apply [A(x)] (x,x) + T Universal Quantification

Existential Quantification SAT [some y : Y. A (y)] T YES Q: Is A(y) vacuously satisfiable? apply [A(y)] (y,y) + T NO SAT [all y : Y. P (x,y)] (x,x) + T NO Y {} NO WARNING [empty domain: vacuously unsatisfiable] Y {} YES Q: Why is A(y) unsatisfiable? apply [A(y)] (y,y) + T NO WARNING Existential Quantification

Future Work Finish work on implementing prototype tool on top of Alloy Analyzer.

Future Work Finish work on implementing prototype tool on top of Alloy Analyzer. Address main limitation that satisfiability checking is labour intensive one approach to be investigated is the implementation of a change-management system to avoid unnecessary re-analysis of satisfiability.

Future Work Finish work on implementing prototype tool on top of Alloy Analyzer. Address main limitation that satisfiability checking is labour intensive one approach to be investigated is the implementation of a change-management system to avoid unnecessary re-analysis of satisfiability. Investigate complexity and completeness issues of the approach.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback