Formal Systems II: Applications

Similar documents
Fundamentals of Software Engineering

Formal Specification and Verification

Software Engineering using Formal Methods

Verifying Java Programs Verifying Java Programs with KeY

Verifying Java Programs Verifying Java Programs with KeY

Hoare Logic: Proving Programs Correct

Verifying Java Programs with KeY

Introduction to JavaCard Dynamic Logic

Fundamentals of Software Engineering

An Annotated Language

Fundamentals of Software Engineering

A Short Introduction to First-Order Theorem Proving with KeY

From OCL to Propositional and First-order Logic: Part I

Lecture Notes: Hoare Logic

Dynamic Logic with Non-rigid Functions

Abstract Interpretation

Induction and Semantics in Dafny

Program Verification (6EC version only)

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

Review: Hoare Logic Rules

Software Verification for Java 5

Lecture 5 - Axiomatic semantics

Verification of Memory Performance Contracts with KeY

Lecture 10 Design by Contract

Incremental Proof Development in Dafny

Lectures 20, 21: Axiomatic Semantics

Introduction to Axiomatic Semantics

Dynamic Logic for Java

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Introduction to Axiomatic Semantics (1/2)

Spark verification features

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

The Java Modeling Language JML

6. Hoare Logic and Weakest Preconditions

Overview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions

From OCL to Typed First-order Logic

Fundamentals of Software Engineering

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

KeY Quicktour for JML

Towards a GUI for Program Verification with KeY. Master of Science Thesis in the Programme Software Engineering and Technology

Introduction to Axiomatic Semantics (1/2)

Overview The Java Modeling Language (Part 1) Related Work

Logic-Flow Analysis of Higher-Order Programs

Testing, Debugging, Program Verification

Applications of Formal Verification

The Prototype Verification System PVS

Dynamic Frames in Java Dynamic Logic

Typed First-order Logic

A Logic of Proofs for Differential Dynamic Logic

Static semantics. Lecture 3-6: Semantics. Attribute grammars (2) Attribute grammars. Attribute grammars example. Dynamic semantics

15-819M: Data, Code, Decisions

Proof-based Test Case Generation

Reasoning About Loops Using Vampire

Compositional Software Model Checking

Specifying and Verifying Programs (Part 2)

The Java Modeling Language a Basis for Static and Dynamic Verification

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Verification Condition Generation

Handling Integer Arithmetic in the Verification of Java Programs

Outline Introduction The Spec# language Running Spec# Tutorials on Spec# Carl Leonardsson 2/

Program Verification. Program Verification 307/434

Formal Methods. CITS5501 Software Testing and Quality Assurance

1.3. Conditional expressions To express case distinctions like

Formal Specification and Verification

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

CMSC 330: Organization of Programming Languages

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Proof Carrying Code(PCC)

Testing, Debugging, and Verification

Specifications. Prof. Clarkson Fall Today s music: Nice to know you by Incubus

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

Inferring Invariants by Symbolic Execution

Lee Pike. June 3, 2005

COMP 507: Computer-Aided Program Design

Violations of the contract are exceptions, and are usually handled by special language constructs. Design by contract

Programming Languages Third Edition

Finite Model Generation for Isabelle/HOL Using a SAT Solver

Formale Entwicklung objektorientierter Software

Checking Program Properties with ESC/Java

Hoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic

VS 3 : SMT Solvers for Program Verification

The Rule of Constancy(Derived Frame Rule)

Hoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18

Chapter 19 Verification of Counting Sort and Radix Sort

Application: Programming Language Semantics

Backward Reasoning: Rule for Assignment. Backward Reasoning: Rule for Sequence. Simple Example. Hoare Logic, continued Reasoning About Loops

CS 314 Principles of Programming Languages

The Java Modeling Language (Part 1)

COSC252: Programming Languages: Semantic Specification. Jeremy Bolton, PhD Adjunct Professor

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

ALGOL 48 AND ALGOL 50 ALGOLIC LANGUAGES IN MATHE- MATICS

Formally Certified Satisfiability Solving

Symbolic Execution and Proof of Properties

Towards a Logical Reconstruction of Relational Database Theory

Abstract Object Creation in Dynamic Logic

Applications of Formal Verification

Extended Static Checking for Java

Transcription:

Formal Systems II: Applications Functional Verification of Java Programs: Java Dynamic Logic Bernhard Beckert Mattias Ulbrich SS 2017 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State of Baden-Württemberg and National Large-scale Research Center of the Helmholtz Association

1 JAVA CARD DL 2 Sequent Calculus 3 Rules for Programs: Symbolic Execution 4 A Calculus for 100% JAVA CARD 5 Loop Invariants Beckert, Ulbrich Formal Systems II: Applications SS 2017 2/39

1 JAVA CARD DL 2 Sequent Calculus 3 Rules for Programs: Symbolic Execution 4 A Calculus for 100% JAVA CARD 5 Loop Invariants Beckert, Ulbrich Formal Systems II: Applications SS 2017 3/39

Syntax and Semantics Syntax Basis: Typed first-order predicate logic Modal operators p and [p] for each (JAVA CARD) program p Class definitions in background (not shown in formulas) Semantics (Kripke) Modal operators allow referring to the final state of p: [p]f: p F: If p terminates normally, then F holds in the final state ( partial correctness ) p terminates normally, and F holds in the final state ( total correctness ) Beckert, Ulbrich Formal Systems II: Applications SS 2017 4/39

Syntax and Semantics Syntax Basis: Typed first-order predicate logic Modal operators p and [p] for each (JAVA CARD) program p Class definitions in background (not shown in formulas) Semantics (Kripke) Modal operators allow referring to the final state of p: [p]f: p F: If p terminates normally, then F holds in the final state ( partial correctness ) p terminates normally, and F holds in the final state ( total correctness ) Beckert, Ulbrich Formal Systems II: Applications SS 2017 4/39

Syntax and Semantics Syntax Basis: Typed first-order predicate logic Modal operators p and [p] for each (JAVA CARD) program p Class definitions in background (not shown in formulas) Semantics (Kripke) Modal operators allow referring to the final state of p: [p]f: p F: If p terminates normally, then F holds in the final state ( partial correctness ) p terminates normally, and F holds in the final state ( total correctness ) Beckert, Ulbrich Formal Systems II: Applications SS 2017 4/39

Syntax and Semantics Syntax Basis: Typed first-order predicate logic Modal operators p and [p] for each (JAVA CARD) program p Class definitions in background (not shown in formulas) Semantics (Kripke) Modal operators allow referring to the final state of p: [p]f: p F: If p terminates normally, then F holds in the final state ( partial correctness ) p terminates normally, and F holds in the final state ( total correctness ) Beckert, Ulbrich Formal Systems II: Applications SS 2017 4/39

Why Dynamic Logic? Transparency wrt target programming language Encompasses Hoare Logic More expressive and flexible than Hoare logic Symbolic execution is a natural interactive proof paradigm Programs are first-class citizens Real Java syntax Beckert, Ulbrich Formal Systems II: Applications SS 2017 5/39

Why Dynamic Logic? Transparency wrt target programming language Encompasses Hoare Logic More expressive and flexible than Hoare logic Symbolic execution is a natural interactive proof paradigm Hoare triple {ψ} α {φ} equiv. to DL formula ψ > [α]φ Beckert, Ulbrich Formal Systems II: Applications SS 2017 5/39

Why Dynamic Logic? Transparency wrt target programming language Encompasses Hoare Logic More expressive and flexible than Hoare logic Symbolic execution is a natural interactive proof paradigm Not merely partial/total correctness: can employ programs for specification (e.g., verifying program transformations) can express security properties (two runs are indistinguishable) extension-friendly (e.g., temporal modalities) Beckert, Ulbrich Formal Systems II: Applications SS 2017 5/39

Why Dynamic Logic? Transparency wrt target programming language Encompasses Hoare Logic More expressive and flexible than Hoare logic Symbolic execution is a natural interactive proof paradigm Beckert, Ulbrich Formal Systems II: Applications SS 2017 5/39

Dynamic Logic Example Formulas (balance >= c & amount > 0) > charge(amount); balance > c x = 1; ([while (true) {}]false) Program formulas can appear nested \forall int val; ( ( p x. = val) < > ( q x. = val) ) p, q equivalent relative to computation state restricted to x Beckert, Ulbrich Formal Systems II: Applications SS 2017 6/39

Dynamic Logic Example Formulas (balance >= c & amount > 0) > charge(amount); balance > c x = 1; ([while (true) {}]false) Program formulas can appear nested \forall int val; ( ( p x. = val) < > ( q x. = val) ) p, q equivalent relative to computation state restricted to x Beckert, Ulbrich Formal Systems II: Applications SS 2017 6/39

Dynamic Logic Example Formulas (balance >= c & amount > 0) > charge(amount); balance > c x = 1; ([while (true) {}]false) Program formulas can appear nested \forall int val; ( ( p x. = val) < > ( q x. = val) ) p, q equivalent relative to computation state restricted to x Beckert, Ulbrich Formal Systems II: Applications SS 2017 6/39

Dynamic Logic Example Formulas (balance >= c & amount > 0) > charge(amount); balance > c x = 1; ([while (true) {}]false) Program formulas can appear nested \forall int val; ( ( p x. = val) < > ( q x. = val) ) p, q equivalent relative to computation state restricted to x Beckert, Ulbrich Formal Systems II: Applications SS 2017 6/39

Dynamic Logic Example Formulas (balance >= c & amount > 0) > charge(amount); balance > c x = 1; ([while (true) {}]false) Program formulas can appear nested \forall int val; ( ( p x. = val) < > ( q x. = val) ) p, q equivalent relative to computation state restricted to x Beckert, Ulbrich Formal Systems II: Applications SS 2017 6/39

Dynamic Logic Example Formulas a!= null -> < int max = 0; if ( a.length > 0 ) max = a[0]; int i = 1; while ( i < a.length ) { if ( a[i] > max ) max = a[i]; ++i; } >( \forall int j; (j >= 0 & j < a.length -> max >= a[j]) & (a.length > 0 -> \exists int j; (j >= 0 & j < a.length & max = a[j])) ) Beckert, Ulbrich Formal Systems II: Applications SS 2017 7/39

Variables Logical variables disjoint from program variables No quantification over program variables Programs do not contain logical variables Program variables actually non-rigid functions Beckert, Ulbrich Formal Systems II: Applications SS 2017 8/39

Validity A JAVA CARD DL formula is valid iff it is true in all states. We need a calculus for checking validity of formulas Beckert, Ulbrich Formal Systems II: Applications SS 2017 9/39

Validity A JAVA CARD DL formula is valid iff it is true in all states. We need a calculus for checking validity of formulas Beckert, Ulbrich Formal Systems II: Applications SS 2017 9/39

1 JAVA CARD DL 2 Sequent Calculus 3 Rules for Programs: Symbolic Execution 4 A Calculus for 100% JAVA CARD 5 Loop Invariants Beckert, Ulbrich Formal Systems II: Applications SS 2017 10/39

1 JAVA CARD DL 2 Sequent Calculus 3 Rules for Programs: Symbolic Execution 4 A Calculus for 100% JAVA CARD 5 Loop Invariants Beckert, Ulbrich Formal Systems II: Applications SS 2017 11/39

Sequents and their Semantics Syntax ψ 1,..., ψ m }{{} Antecedent = φ 1,..., φ n }{{} Succedent where the φ i, ψ i are formulae (without free variables) Semantics Same as the formula (ψ 1 & & ψ m ) > (φ 1 φ n ) Beckert, Ulbrich Formal Systems II: Applications SS 2017 12/39

Sequents and their Semantics Syntax ψ 1,..., ψ m }{{} Antecedent = φ 1,..., φ n }{{} Succedent where the φ i, ψ i are formulae (without free variables) Semantics Same as the formula (ψ 1 & & ψ m ) > (φ 1 φ n ) Beckert, Ulbrich Formal Systems II: Applications SS 2017 12/39

Sequent Rules General form rule name (r = 0 possible: closing rules) Premisses {}}{ Γ 1 = 1 Γ r = r Γ = }{{} Conclusion Soundness If all premisses are valid, then the conclusion is valid Use in practice Goal is matched to conclusion Beckert, Ulbrich Formal Systems II: Applications SS 2017 13/39

Sequent Rules General form rule name (r = 0 possible: closing rules) Premisses {}}{ Γ 1 = 1 Γ r = r Γ = }{{} Conclusion Soundness If all premisses are valid, then the conclusion is valid Use in practice Goal is matched to conclusion Beckert, Ulbrich Formal Systems II: Applications SS 2017 13/39

Sequent Rules General form rule name (r = 0 possible: closing rules) Premisses {}}{ Γ 1 = 1 Γ r = r Γ = }{{} Conclusion Soundness If all premisses are valid, then the conclusion is valid Use in practice Goal is matched to conclusion Beckert, Ulbrich Formal Systems II: Applications SS 2017 13/39

Sequent Rules General form rule name (r = 0 possible: closing rules) Premisses {}}{ Γ 1 = 1 Γ r = r Γ = }{{} Conclusion Soundness If all premisses are valid, then the conclusion is valid Use in practice Goal is matched to conclusion Beckert, Ulbrich Formal Systems II: Applications SS 2017 13/39

Some Simple Sequent Rules not left Γ = A, Γ,! A = imp left Γ = A, Γ, B = Γ, A > B = close goal Γ, A = A, close by true Γ = true, Γ, \forall t x; φ, {x/e}φ = all left Γ, \forall t x; φ = where e var-free term of type t t Beckert, Ulbrich Formal Systems II: Applications SS 2017 14/39

Some Simple Sequent Rules not left Γ = A, Γ,! A = imp left Γ = A, Γ, B = Γ, A > B = close goal Γ, A = A, close by true Γ = true, Γ, \forall t x; φ, {x/e}φ = all left Γ, \forall t x; φ = where e var-free term of type t t Beckert, Ulbrich Formal Systems II: Applications SS 2017 14/39

Some Simple Sequent Rules not left Γ = A, Γ,! A = imp left Γ = A, Γ, B = Γ, A > B = close goal Γ, A = A, close by true Γ = true, Γ, \forall t x; φ, {x/e}φ = all left Γ, \forall t x; φ = where e var-free term of type t t Beckert, Ulbrich Formal Systems II: Applications SS 2017 14/39

Some Simple Sequent Rules not left Γ = A, Γ,! A = imp left Γ = A, Γ, B = Γ, A > B = close goal Γ, A = A, close by true Γ = true, Γ, \forall t x; φ, {x/e}φ = all left Γ, \forall t x; φ = where e var-free term of type t t Beckert, Ulbrich Formal Systems II: Applications SS 2017 14/39

Some Simple Sequent Rules not left Γ = A, Γ,! A = imp left Γ = A, Γ, B = Γ, A > B = close goal Γ, A = A, close by true Γ = true, Γ, \forall t x; φ, {x/e}φ = all left Γ, \forall t x; φ = where e var-free term of type t t Beckert, Ulbrich Formal Systems II: Applications SS 2017 14/39

Sequent Calculus Proofs Proof tree Proof is tree structure with goal sequent as root Rules are applied from conclusion (old goal) to premisses (new goals) Rule with no premiss closes proof branch Proof is finished when all goals are closed Beckert, Ulbrich Formal Systems II: Applications SS 2017 15/39

Sequent Calculus Proofs Proof tree Proof is tree structure with goal sequent as root Rules are applied from conclusion (old goal) to premisses (new goals) Rule with no premiss closes proof branch Proof is finished when all goals are closed Beckert, Ulbrich Formal Systems II: Applications SS 2017 15/39

Sequent Calculus Proofs Proof tree Proof is tree structure with goal sequent as root Rules are applied from conclusion (old goal) to premisses (new goals) Rule with no premiss closes proof branch Proof is finished when all goals are closed Beckert, Ulbrich Formal Systems II: Applications SS 2017 15/39

Sequent Calculus Proofs Proof tree Proof is tree structure with goal sequent as root Rules are applied from conclusion (old goal) to premisses (new goals) Rule with no premiss closes proof branch Proof is finished when all goals are closed Beckert, Ulbrich Formal Systems II: Applications SS 2017 15/39

1 JAVA CARD DL 2 Sequent Calculus 3 Rules for Programs: Symbolic Execution 4 A Calculus for 100% JAVA CARD 5 Loop Invariants Beckert, Ulbrich Formal Systems II: Applications SS 2017 16/39

1 JAVA CARD DL 2 Sequent Calculus 3 Rules for Programs: Symbolic Execution 4 A Calculus for 100% JAVA CARD 5 Loop Invariants Beckert, Ulbrich Formal Systems II: Applications SS 2017 17/39

Proof by Symbolic Program Execution Sequent rules for program formulas? What corresponds to top-level connective in a program? The Active Statement in a Program Sequent rules execute symbolically the active statement Beckert, Ulbrich Formal Systems II: Applications SS 2017 18/39

Proof by Symbolic Program Execution Sequent rules for program formulas? What corresponds to top-level connective in a program? The Active Statement in a Program l:{try{ i=0; j=0; } finally{ k=0; }} Sequent rules execute symbolically the active statement Beckert, Ulbrich Formal Systems II: Applications SS 2017 18/39

Proof by Symbolic Program Execution Sequent rules for program formulas? What corresponds to top-level connective in a program? The Active Statement in a Program l:{try{ i=0; j=0; } finally{ k=0; }} Sequent rules execute symbolically the active statement Beckert, Ulbrich Formal Systems II: Applications SS 2017 18/39

Proof by Symbolic Program Execution Sequent rules for program formulas? What corresponds to top-level connective in a program? The Active Statement in a Program l:{try{ }{{} π passive prefix active statement rest i=0; j=0; } finally{ k=0; }} }{{} ω π i=0; ω Sequent rules execute symbolically the active statement Beckert, Ulbrich Formal Systems II: Applications SS 2017 18/39

Proof by Symbolic Program Execution Sequent rules for program formulas? What corresponds to top-level connective in a program? The Active Statement in a Program l:{try{ }{{} π passive prefix active statement rest i=0; j=0; } finally{ k=0; }} }{{} ω π i=0; ω Sequent rules execute symbolically the active statement Beckert, Ulbrich Formal Systems II: Applications SS 2017 18/39

Rules for Symbolic Program Execution If-then-else rule Γ, B = true = p ω φ, Γ, B = false = q ω φ, Γ = if (B) { p } else { q } ω φ, Complicated statements/expressions are simplified first, e.g. Simple assignment rule Γ = v=y; y=y+1; x=v; ω φ, Γ = x=y++; ω φ, Γ = {loc := val} ω φ, Γ = loc=val; ω φ, Beckert, Ulbrich Formal Systems II: Applications SS 2017 19/39

Rules for Symbolic Program Execution If-then-else rule Γ, B = true = p ω φ, Γ, B = false = q ω φ, Γ = if (B) { p } else { q } ω φ, Complicated statements/expressions are simplified first, e.g. Simple assignment rule Γ = v=y; y=y+1; x=v; ω φ, Γ = x=y++; ω φ, Γ = {loc := val} ω φ, Γ = loc=val; ω φ, Beckert, Ulbrich Formal Systems II: Applications SS 2017 19/39

Rules for Symbolic Program Execution If-then-else rule Γ, B = true = p ω φ, Γ, B = false = q ω φ, Γ = if (B) { p } else { q } ω φ, Complicated statements/expressions are simplified first, e.g. Simple assignment rule Γ = v=y; y=y+1; x=v; ω φ, Γ = x=y++; ω φ, Γ = {loc := val} ω φ, Γ = loc=val; ω φ, Beckert, Ulbrich Formal Systems II: Applications SS 2017 19/39

Treating Assignment with Updates Updates syntactic elements in the logic (explicit substitutions) Elementary Updates where loc is a program variable {loc := val} φ val is an expression type-compatible with loc Parallel Updates {loc 1 := t 1 loc n := t n } φ no dependency between the n components (but last wins semantics) Beckert, Ulbrich Formal Systems II: Applications SS 2017 20/39

Treating Assignment with Updates Updates syntactic elements in the logic (explicit substitutions) Elementary Updates where loc is a program variable {loc := val} φ val is an expression type-compatible with loc Parallel Updates {loc 1 := t 1 loc n := t n } φ no dependency between the n components (but last wins semantics) Beckert, Ulbrich Formal Systems II: Applications SS 2017 20/39

Treating Assignment with Updates Updates syntactic elements in the logic (explicit substitutions) Elementary Updates where loc is a program variable {loc := val} φ val is an expression type-compatible with loc Parallel Updates {loc 1 := t 1 loc n := t n } φ no dependency between the n components (but last wins semantics) Beckert, Ulbrich Formal Systems II: Applications SS 2017 20/39

Why Updates? Updates are aggregations of state change eagerly parallelised + simplified lazily applied (i.e., substituted into postcondition) Advantages no renaming required (compared to another forward proof technique: strongest-postcondition calculus) delayed/minimised proof branching efficient aliasing treatment) Beckert, Ulbrich Formal Systems II: Applications SS 2017 21/39

Why Updates? Updates are aggregations of state change eagerly parallelised + simplified lazily applied (i.e., substituted into postcondition) Advantages no renaming required (compared to another forward proof technique: strongest-postcondition calculus) delayed/minimised proof branching efficient aliasing treatment) Beckert, Ulbrich Formal Systems II: Applications SS 2017 21/39

Symbolic Execution with Updates (by Example) x < y = x < y. x < y = {x:=y y:=x} y < x. x < y = {t:=x x:=y y:=x} y < x. x < y = {t:=x x:=y}{y:=t} y < x. x < y = {t:=x}{x:=y} y=t; y < x. x < y = {t:=x} x=y; y=t; y < x. = x < y > int t=x; x=y; y=t; y < x Beckert, Ulbrich Formal Systems II: Applications SS 2017 22/39

Symbolic Execution with Updates (by Example) x < y = x < y. x < y = {x:=y y:=x} y < x. x < y = {t:=x x:=y y:=x} y < x. x < y = {t:=x x:=y}{y:=t} y < x. x < y = {t:=x}{x:=y} y=t; y < x. x < y = {t:=x} x=y; y=t; y < x. = x < y > int t=x; x=y; y=t; y < x Beckert, Ulbrich Formal Systems II: Applications SS 2017 22/39

Symbolic Execution with Updates (by Example) x < y = x < y. x < y = {x:=y y:=x} y < x. x < y = {t:=x x:=y y:=x} y < x. x < y = {t:=x x:=y}{y:=t} y < x. x < y = {t:=x}{x:=y} y=t; y < x. x < y = {t:=x} x=y; y=t; y < x. = x < y > int t=x; x=y; y=t; y < x Beckert, Ulbrich Formal Systems II: Applications SS 2017 22/39

Symbolic Execution with Updates (by Example) x < y = x < y. x < y = {x:=y y:=x} y < x. x < y = {t:=x x:=y y:=x} y < x. x < y = {t:=x x:=y}{y:=t} y < x. x < y = {t:=x}{x:=y} y=t; y < x. x < y = {t:=x} x=y; y=t; y < x. = x < y > int t=x; x=y; y=t; y < x Beckert, Ulbrich Formal Systems II: Applications SS 2017 22/39

Symbolic Execution with Updates (by Example) x < y = x < y. x < y = {x:=y y:=x} y < x. x < y = {t:=x x:=y y:=x} y < x. x < y = {t:=x x:=y}{y:=t} y < x. x < y = {t:=x}{x:=y} y=t; y < x. x < y = {t:=x} x=y; y=t; y < x. = x < y > int t=x; x=y; y=t; y < x Beckert, Ulbrich Formal Systems II: Applications SS 2017 22/39

Symbolic Execution with Updates (by Example) x < y = x < y. x < y = {x:=y y:=x} y < x. x < y = {t:=x x:=y y:=x} y < x. x < y = {t:=x x:=y}{y:=t} y < x. x < y = {t:=x}{x:=y} y=t; y < x. x < y = {t:=x} x=y; y=t; y < x. = x < y > int t=x; x=y; y=t; y < x Beckert, Ulbrich Formal Systems II: Applications SS 2017 22/39

Symbolic Execution with Updates (by Example) x < y = x < y. x < y = {x:=y y:=x} y < x. x < y = {t:=x x:=y y:=x} y < x. x < y = {t:=x x:=y}{y:=t} y < x. x < y = {t:=x}{x:=y} y=t; y < x. x < y = {t:=x} x=y; y=t; y < x. = x < y > int t=x; x=y; y=t; y < x Beckert, Ulbrich Formal Systems II: Applications SS 2017 22/39

The theory of arrays An abstract datatype Array(I, V) Types: Indices I, Values V Function symbols: select : Array(I, V) I V store : Array(I, V) I V Array(I, V) Axioms a, i, v. select(store(a, i, v), i) = v a, i, j, v. i j select(store(a, i, v), j) = select(a, j) Intuition D(Array(I, V)) represents the set of functions D(I) D(V) Beckert, Ulbrich Formal Systems II: Applications SS 2017 23/39

The theory of arrays An abstract datatype Array(I, V) Types: Indices I, Values V Function symbols: select : Array(I, V) I V store : Array(I, V) I V Array(I, V) Axioms a, i, v. select(store(a, i, v), i) = v a, i, j, v. i j select(store(a, i, v), j) = select(a, j) Intuition D(Array(I, V)) represents the set of functions D(I) D(V) Beckert, Ulbrich Formal Systems II: Applications SS 2017 23/39

The theory of arrays An abstract datatype Array(I, V) Types: Indices I, Values V Function symbols: select : Array(I, V) I V store : Array(I, V) I V Array(I, V) Axioms a, i, v. select(store(a, i, v), i) = v a, i, j, v. i j select(store(a, i, v), j) = select(a, j) Intuition D(Array(I, V)) represents the set of functions D(I) D(V) Beckert, Ulbrich Formal Systems II: Applications SS 2017 23/39

The theory of arrays An abstract datatype Array(I, V) Types: Indices I, Values V Function symbols: select : Array(I, V) I V store : Array(I, V) I V Array(I, V) Axioms a, i, v. Photo by null0 (www.flickr.com/photos/null0/272015955) John McCarthy (1927 2011): Theory select(store(a, of arrays is i, v), decidable i) = v a, i, j, v. i j select(store(a, i, v), j) = select(a, j) Intuition D(Array(I, V)) represents the set of functions D(I) D(V) Beckert, Ulbrich Formal Systems II: Applications SS 2017 23/39

Program State Representation Local program variables Modeled as non-rigid constants Heap Modeled with theory of arrays: I = Object Field, V = Any heap : Heap (the heap in the current state) select : Heap Object Field Any store : Heap Object Field Any Heap Some special program variables self the current receiver object (this in Java) exc the currently active exception (null if none thrown) result the result of the method invocation Beckert, Ulbrich Formal Systems II: Applications SS 2017 24/39

Program State Representation Local program variables Modeled as non-rigid constants Heap Modeled with theory of arrays: I = Object Field, V = Any heap : Heap (the heap in the current state) select : Heap Object Field Any store : Heap Object Field Any Heap Some special program variables self the current receiver object (this in Java) exc the currently active exception (null if none thrown) result the result of the method invocation Beckert, Ulbrich Formal Systems II: Applications SS 2017 24/39

Program State Representation Local program variables Modeled as non-rigid constants Heap Modeled with theory of arrays: I = Object Field, V = Any heap : Heap (the heap in the current state) select : Heap Object Field Any store : Heap Object Field Any Heap Some special program variables self the current receiver object (this in Java) exc the currently active exception (null if none thrown) result the result of the method invocation Beckert, Ulbrich Formal Systems II: Applications SS 2017 24/39

1 JAVA CARD DL 2 Sequent Calculus 3 Rules for Programs: Symbolic Execution 4 A Calculus for 100% JAVA CARD 5 Loop Invariants Beckert, Ulbrich Formal Systems II: Applications SS 2017 25/39

1 JAVA CARD DL 2 Sequent Calculus 3 Rules for Programs: Symbolic Execution 4 A Calculus for 100% JAVA CARD 5 Loop Invariants Beckert, Ulbrich Formal Systems II: Applications SS 2017 26/39

Supported Java Features method invocation with polymorphism/dynamic binding object creation and initialisation arrays abrupt termination throwing of NullPointerExceptions, etc. bounded integer data types transactions All JAVA CARD language features are fully addressed in KeY Beckert, Ulbrich Formal Systems II: Applications SS 2017 27/39

Supported Java Features method invocation with polymorphism/dynamic binding object creation and initialisation arrays abrupt termination throwing of NullPointerExceptions, etc. bounded integer data types transactions All JAVA CARD language features are fully addressed in KeY Beckert, Ulbrich Formal Systems II: Applications SS 2017 27/39

Java A Language of Many Features Ways to deal with Java features Program transformation, up-front Local program transformation, done by a rule on-the-fly Modeling with first-order formulas Special-purpose extensions of program logic Pro: Feature needs not be handled in calculus Contra: Modified source code Example in KeY: Very rare: treating inner classes Beckert, Ulbrich Formal Systems II: Applications SS 2017 28/39

Java A Language of Many Features Ways to deal with Java features Program transformation, up-front Local program transformation, done by a rule on-the-fly Modeling with first-order formulas Special-purpose extensions of program logic Pro: Flexible, easy to implement, usable Contra: Not expressive enough for all features Example in KeY: Complex expression eval, method inlining, etc., etc. Beckert, Ulbrich Formal Systems II: Applications SS 2017 28/39

Java A Language of Many Features Ways to deal with Java features Program transformation, up-front Local program transformation, done by a rule on-the-fly Modeling with first-order formulas Special-purpose extensions of program logic Pro: No logic extensions required, enough to express most features Contra: Creates difficult first-order POs, unreadable antecedents Example in KeY: Dynamic types and branch predicates Beckert, Ulbrich Formal Systems II: Applications SS 2017 28/39

Java A Language of Many Features Ways to deal with Java features Program transformation, up-front Local program transformation, done by a rule on-the-fly Modeling with first-order formulas Special-purpose extensions of program logic Pro: Arbitrarily expressive extensions possible Contra: Increases complexity of all rules Example in KeY: Method frames, updates Beckert, Ulbrich Formal Systems II: Applications SS 2017 28/39

Components of the Calculus 1 Non-program rules first-order rules rules for data-types first-order modal rules induction rules 2 Rules for reducing/simplifying the program (symbolic execution) Replace the program by case distinctions (proof branches) and sequences of updates 3 Rules for handling loops using loop invariants using induction 4 Rules for replacing a method invocations by the method s contract 5 Update simplification Beckert, Ulbrich Formal Systems II: Applications SS 2017 29/39

Components of the Calculus 1 Non-program rules first-order rules rules for data-types first-order modal rules induction rules 2 Rules for reducing/simplifying the program (symbolic execution) Replace the program by case distinctions (proof branches) and sequences of updates 3 Rules for handling loops using loop invariants using induction 4 Rules for replacing a method invocations by the method s contract 5 Update simplification Beckert, Ulbrich Formal Systems II: Applications SS 2017 29/39

Components of the Calculus 1 Non-program rules first-order rules rules for data-types first-order modal rules induction rules 2 Rules for reducing/simplifying the program (symbolic execution) Replace the program by case distinctions (proof branches) and sequences of updates 3 Rules for handling loops using loop invariants using induction 4 Rules for replacing a method invocations by the method s contract 5 Update simplification Beckert, Ulbrich Formal Systems II: Applications SS 2017 29/39

Components of the Calculus 1 Non-program rules first-order rules rules for data-types first-order modal rules induction rules 2 Rules for reducing/simplifying the program (symbolic execution) Replace the program by case distinctions (proof branches) and sequences of updates 3 Rules for handling loops using loop invariants using induction 4 Rules for replacing a method invocations by the method s contract 5 Update simplification Beckert, Ulbrich Formal Systems II: Applications SS 2017 29/39

Components of the Calculus 1 Non-program rules first-order rules rules for data-types first-order modal rules induction rules 2 Rules for reducing/simplifying the program (symbolic execution) Replace the program by case distinctions (proof branches) and sequences of updates 3 Rules for handling loops using loop invariants using induction 4 Rules for replacing a method invocations by the method s contract 5 Update simplification Beckert, Ulbrich Formal Systems II: Applications SS 2017 29/39

Loop Invariants Symbolic execution of loops: unwind unwindloop Γ = U[π if(b) { p; while(b) p} ω]φ, Γ = U[π while(b) p ω]φ, How to handle a loop with... 0 iterations? Unwind 1 10 iterations? Unwind 11 10000 iterations? Unwind 10001 (and don t make any plans for the rest of the day) an unknown number of iterations? We need an invariant rule (or some other form of induction) Beckert, Ulbrich Formal Systems II: Applications SS 2017 30/39

Loop Invariants Symbolic execution of loops: unwind unwindloop Γ = U[π if(b) { p; while(b) p} ω]φ, Γ = U[π while(b) p ω]φ, How to handle a loop with... 0 iterations? Unwind 1 10 iterations? Unwind 11 10000 iterations? Unwind 10001 (and don t make any plans for the rest of the day) an unknown number of iterations? We need an invariant rule (or some other form of induction) Beckert, Ulbrich Formal Systems II: Applications SS 2017 30/39

Loop Invariants Symbolic execution of loops: unwind unwindloop Γ = U[π if(b) { p; while(b) p} ω]φ, Γ = U[π while(b) p ω]φ, How to handle a loop with... 0 iterations? Unwind 1 10 iterations? Unwind 11 10000 iterations? Unwind 10001 (and don t make any plans for the rest of the day) an unknown number of iterations? We need an invariant rule (or some other form of induction) Beckert, Ulbrich Formal Systems II: Applications SS 2017 30/39

Loop Invariants Symbolic execution of loops: unwind unwindloop Γ = U[π if(b) { p; while(b) p} ω]φ, Γ = U[π while(b) p ω]φ, How to handle a loop with... 0 iterations? Unwind 1 10 iterations? Unwind 11 10000 iterations? Unwind 10001 (and don t make any plans for the rest of the day) an unknown number of iterations? We need an invariant rule (or some other form of induction) Beckert, Ulbrich Formal Systems II: Applications SS 2017 30/39

Loop Invariants Symbolic execution of loops: unwind unwindloop Γ = U[π if(b) { p; while(b) p} ω]φ, Γ = U[π while(b) p ω]φ, How to handle a loop with... 0 iterations? Unwind 1 10 iterations? Unwind 11 10000 iterations? Unwind 10001 (and don t make any plans for the rest of the day) an unknown number of iterations? We need an invariant rule (or some other form of induction) Beckert, Ulbrich Formal Systems II: Applications SS 2017 30/39

Loop Invariants Symbolic execution of loops: unwind unwindloop Γ = U[π if(b) { p; while(b) p} ω]φ, Γ = U[π while(b) p ω]φ, How to handle a loop with... 0 iterations? Unwind 1 10 iterations? Unwind 11 10000 iterations? Unwind 10001 (and don t make any plans for the rest of the day) an unknown number of iterations? We need an invariant rule (or some other form of induction) Beckert, Ulbrich Formal Systems II: Applications SS 2017 30/39

Loop Invariants Symbolic execution of loops: unwind unwindloop Γ = U[π if(b) { p; while(b) p} ω]φ, Γ = U[π while(b) p ω]φ, How to handle a loop with... 0 iterations? Unwind 1 10 iterations? Unwind 11 10000 iterations? Unwind 10001 (and don t make any plans for the rest of the day) an unknown number of iterations? We need an invariant rule (or some other form of induction) Beckert, Ulbrich Formal Systems II: Applications SS 2017 30/39

Loop Invariants Symbolic execution of loops: unwind unwindloop Γ = U[π if(b) { p; while(b) p} ω]φ, Γ = U[π while(b) p ω]φ, How to handle a loop with... 0 iterations? Unwind 1 10 iterations? Unwind 11 10000 iterations? Unwind 10001 (and don t make any plans for the rest of the day) an unknown number of iterations? We need an invariant rule (or some other form of induction) Beckert, Ulbrich Formal Systems II: Applications SS 2017 30/39

Loop Invariants Symbolic execution of loops: unwind unwindloop Γ = U[π if(b) { p; while(b) p} ω]φ, Γ = U[π while(b) p ω]φ, How to handle a loop with... 0 iterations? Unwind 1 10 iterations? Unwind 11 10000 iterations? Unwind 10001 (and don t make any plans for the rest of the day) an unknown number of iterations? We need an invariant rule (or some other form of induction) Beckert, Ulbrich Formal Systems II: Applications SS 2017 30/39

Loop Invariants Cont d Idea behind loop invariants A formula Inv whose validity is preserved by loop guard and body Consequence: if Inv was valid at start of the loop, then it still holds after arbitrarily many loop iterations If the loop terminates at all, then Inv holds afterwards Encode the desired postcondition after loop into Inv Basic Invariant Rule loopinvariant Γ = UInv, Inv, b =. TRUE = [p]inv Inv, b =. FALSE = [π ω]φ Γ = U[π while(b) p ω]φ, (initially valid) (preserved) (use case) Beckert, Ulbrich Formal Systems II: Applications SS 2017 31/39

Loop Invariants Cont d Idea behind loop invariants A formula Inv whose validity is preserved by loop guard and body Consequence: if Inv was valid at start of the loop, then it still holds after arbitrarily many loop iterations If the loop terminates at all, then Inv holds afterwards Encode the desired postcondition after loop into Inv Basic Invariant Rule loopinvariant Γ = UInv, Inv, b =. TRUE = [p]inv Inv, b =. FALSE = [π ω]φ Γ = U[π while(b) p ω]φ, (initially valid) (preserved) (use case) Beckert, Ulbrich Formal Systems II: Applications SS 2017 31/39

Loop Invariants Cont d Idea behind loop invariants A formula Inv whose validity is preserved by loop guard and body Consequence: if Inv was valid at start of the loop, then it still holds after arbitrarily many loop iterations If the loop terminates at all, then Inv holds afterwards Encode the desired postcondition after loop into Inv Basic Invariant Rule loopinvariant Γ = UInv, Inv, b =. TRUE = [p]inv Inv, b =. FALSE = [π ω]φ Γ = U[π while(b) p ω]φ, (initially valid) (preserved) (use case) Beckert, Ulbrich Formal Systems II: Applications SS 2017 31/39

Loop Invariants Cont d Idea behind loop invariants A formula Inv whose validity is preserved by loop guard and body Consequence: if Inv was valid at start of the loop, then it still holds after arbitrarily many loop iterations If the loop terminates at all, then Inv holds afterwards Encode the desired postcondition after loop into Inv Basic Invariant Rule loopinvariant Γ = UInv, Inv, b =. TRUE = [p]inv Inv, b =. FALSE = [π ω]φ Γ = U[π while(b) p ω]φ, (initially valid) (preserved) (use case) Beckert, Ulbrich Formal Systems II: Applications SS 2017 31/39

Loop Invariants Cont d Idea behind loop invariants A formula Inv whose validity is preserved by loop guard and body Consequence: if Inv was valid at start of the loop, then it still holds after arbitrarily many loop iterations If the loop terminates at all, then Inv holds afterwards Encode the desired postcondition after loop into Inv Basic Invariant Rule loopinvariant Γ = UInv, Inv, b =. TRUE = [p]inv Inv, b =. FALSE = [π ω]φ Γ = U[π while(b) p ω]φ, (initially valid) (preserved) (use case) Beckert, Ulbrich Formal Systems II: Applications SS 2017 31/39

Loop Invariants Cont d Basic Invariant Rule: Problem loopinvariant Γ = UInv, Inv, b =. TRUE = [p]inv Inv, b =. FALSE = [π ω]φ Γ = U[π while(b) p ω]φ, (initially valid) (preserved) (use case) Context Γ,, U must be omitted in 2nd and 3rd premise But: context contains (part of) precondition and class invariants Required context information must be added to loop invariant Inv Beckert, Ulbrich Formal Systems II: Applications SS 2017 32/39

Loop Invariants Cont d Basic Invariant Rule: Problem loopinvariant Γ = UInv, Inv, b =. TRUE = [p]inv Inv, b =. FALSE = [π ω]φ Γ = U[π while(b) p ω]φ, (initially valid) (preserved) (use case) Context Γ,, U must be omitted in 2nd and 3rd premise But: context contains (part of) precondition and class invariants Required context information must be added to loop invariant Inv Beckert, Ulbrich Formal Systems II: Applications SS 2017 32/39

Loop Invariants Cont d Basic Invariant Rule: Problem loopinvariant Γ = UInv, Inv, b =. TRUE = [p]inv Inv, b =. FALSE = [π ω]φ Γ = U[π while(b) p ω]φ, (initially valid) (preserved) (use case) Context Γ,, U must be omitted in 2nd and 3rd premise But: context contains (part of) precondition and class invariants Required context information must be added to loop invariant Inv Beckert, Ulbrich Formal Systems II: Applications SS 2017 32/39

Loop Invariants Cont d Basic Invariant Rule: Problem loopinvariant Γ = UInv, Inv, b =. TRUE = [p]inv Inv, b =. FALSE = [π ω]φ Γ = U[π while(b) p ω]φ, (initially valid) (preserved) (use case) Context Γ,, U must be omitted in 2nd and 3rd premise But: context contains (part of) precondition and class invariants Required context information must be added to loop invariant Inv Beckert, Ulbrich Formal Systems II: Applications SS 2017 32/39

Example int i = 0; while(i < a.length) { a[i] = 1; i++; } Beckert, Ulbrich Formal Systems II: Applications SS 2017 33/39

Example. Precondition: a = null int i = 0; while(i < a.length) { a[i] = 1; i++; } Beckert, Ulbrich Formal Systems II: Applications SS 2017 33/39

Example. Precondition: a = null int i = 0; while(i < a.length) { a[i] = 1; i++; } Postcondition: int x; (0 x < a.length a[x]. = 1) Beckert, Ulbrich Formal Systems II: Applications SS 2017 33/39

Example. Precondition: a = null int i = 0; while(i < a.length) { a[i] = 1; i++; } Postcondition: int x; (0 x < a.length a[x]. = 1) Loop invariant: 0 i & i a.length Beckert, Ulbrich Formal Systems II: Applications SS 2017 33/39

Example. Precondition: a = null int i = 0; while(i < a.length) { a[i] = 1; i++; } Postcondition: int x; (0 x < a.length a[x]. = 1) Loop invariant: 0 i & i a.length & int x; (0 x < i a[x]. = 1) Beckert, Ulbrich Formal Systems II: Applications SS 2017 33/39

Example. Precondition: a = null int i = 0; while(i < a.length) { a[i] = 1; i++; } Postcondition: int x; (0 x < a.length a[x]. = 1) Loop invariant: 0 i & i a.length & int x; (0 x < i a[x] =. 1). & a = null Beckert, Ulbrich Formal Systems II: Applications SS 2017 33/39

Example. Precondition: a = null & ClassInv int i = 0; while(i < a.length) { a[i] = 1; i++; } Postcondition: int x; (0 x < a.length a[x]. = 1) Loop invariant: 0 i & i a.length & int x; (0 x < i a[x] =. 1). & a = null & ClassInv Beckert, Ulbrich Formal Systems II: Applications SS 2017 33/39

Keeping the Context Want to keep part of the context that is unmodified by loop assignable clauses for loops can tell what might be modified @ assignable i, a[*]; Beckert, Ulbrich Formal Systems II: Applications SS 2017 34/39

Keeping the Context Want to keep part of the context that is unmodified by loop assignable clauses for loops can tell what might be modified @ assignable i, a[*]; Beckert, Ulbrich Formal Systems II: Applications SS 2017 34/39

Example with Improved Invariant Rule int i = 0; while(i < a.length) { a[i] = 1; i++; } Beckert, Ulbrich Formal Systems II: Applications SS 2017 35/39

Example with Improved Invariant Rule. Precondition: a = null int i = 0; while(i < a.length) { a[i] = 1; i++; } Beckert, Ulbrich Formal Systems II: Applications SS 2017 35/39

Example with Improved Invariant Rule. Precondition: a = null int i = 0; while(i < a.length) { a[i] = 1; i++; } Postcondition: int x; (0 x < a.length a[x]. = 1) Beckert, Ulbrich Formal Systems II: Applications SS 2017 35/39

Example with Improved Invariant Rule. Precondition: a = null int i = 0; while(i < a.length) { a[i] = 1; i++; } Postcondition: int x; (0 x < a.length a[x]. = 1) Loop invariant: 0 i & i a.length Beckert, Ulbrich Formal Systems II: Applications SS 2017 35/39

Example with Improved Invariant Rule. Precondition: a = null int i = 0; while(i < a.length) { a[i] = 1; i++; } Postcondition: int x; (0 x < a.length a[x]. = 1) Loop invariant: 0 i & i a.length & int x; (0 x < i a[x]. = 1) Beckert, Ulbrich Formal Systems II: Applications SS 2017 35/39

Example with Improved Invariant Rule. Precondition: a = null int i = 0; while(i < a.length) { a[i] = 1; i++; } Postcondition: int x; (0 x < a.length a[x]. = 1) Loop invariant: 0 i & i a.length & int x; (0 x < i a[x]. = 1) Beckert, Ulbrich Formal Systems II: Applications SS 2017 35/39

Example with Improved Invariant Rule. Precondition: a = null & ClassInv int i = 0; while(i < a.length) { a[i] = 1; i++; } Postcondition: int x; (0 x < a.length a[x]. = 1) Loop invariant: 0 i & i a.length & int x; (0 x < i a[x]. = 1) Beckert, Ulbrich Formal Systems II: Applications SS 2017 35/39

Example in JML/Java Loop.java public int[] a; /*@ public normal_behavior @ ensures (\forall int x; 0<=x && x<a.length; a[x]==1); @ diverges true; @*/ public void m() { int i = 0; /*@ loop_invariant @ (0 <= i && i <= a.length && @ (\forall int x; 0<=x && x<i; a[x]==1)); @ assignable i, a[*]; @*/ while(i < a.length) { a[i] = 1; i++; } } Beckert, Ulbrich Formal Systems II: Applications SS 2017 36/39

Example int x; (n. = x x >= 0 [ i = 0; r = 0; while (i<n) { i = i + 1; r = r + i;} r=r+r-n; ]r. =?) Solution: How can we prove that the above formula is valid (i.e., satisfied in all states)? @ loop_invariant @ i>=0 && 2*r == i*(i + 1) && i <= n; @ assignable i, r; File: Loop2.java Beckert, Ulbrich Formal Systems II: Applications SS 2017 37/39

Example int x; (n. = x x >= 0 [ i = 0; r = 0; while (i<n) { i = i + 1; r = r + i;} r=r+r-n; ]r. = x x) Solution: How can we prove that the above formula is valid (i.e., satisfied in all states)? @ loop_invariant @ i>=0 && 2*r == i*(i + 1) && i <= n; @ assignable i, r; File: Loop2.java Beckert, Ulbrich Formal Systems II: Applications SS 2017 37/39

Example int x; (n. = x x >= 0 [ i = 0; r = 0; while (i<n) { i = i + 1; r = r + i;} r=r+r-n; ]r. = x x) Solution: How can we prove that the above formula is valid (i.e., satisfied in all states)? @ loop_invariant @ i>=0 && 2*r == i*(i + 1) && i <= n; @ assignable i, r; File: Loop2.java Beckert, Ulbrich Formal Systems II: Applications SS 2017 37/39

Example int x; (n. = x x >= 0 [ i = 0; r = 0; while (i<n) { i = i + 1; r = r + i;} r=r+r-n; ]r. = x x) Solution: How can we prove that the above formula is valid (i.e., satisfied in all states)? @ loop_invariant @ i>=0 && 2*r == i*(i + 1) && i <= n; @ assignable i, r; File: Loop2.java Beckert, Ulbrich Formal Systems II: Applications SS 2017 37/39

Hints Proving assignable The invariant rule assumes that assignable is correct E.g., with assignable \nothing; one can prove nonsense Invariant rule of KeY generates proof obligation that ensures correctness of assignable Setting in the KeY Prover when proving loops Loop treatment: Invariant Quantifier treatment: No Splits with Progs If program contains *, /: Arithmetic treatment: DefOps Is search limit high enough (time out, rule apps.)? When proving partial correctness, add diverges true; Beckert, Ulbrich Formal Systems II: Applications SS 2017 38/39

Hints Proving assignable The invariant rule assumes that assignable is correct E.g., with assignable \nothing; one can prove nonsense Invariant rule of KeY generates proof obligation that ensures correctness of assignable Setting in the KeY Prover when proving loops Loop treatment: Invariant Quantifier treatment: No Splits with Progs If program contains *, /: Arithmetic treatment: DefOps Is search limit high enough (time out, rule apps.)? When proving partial correctness, add diverges true; Beckert, Ulbrich Formal Systems II: Applications SS 2017 38/39

Total Correctness Find a decreasing integer term v (called variant) Add the following premisses to the invariant rule: v 0 is initially valid v 0 is preserved by the loop body v is strictly decreased by the loop body Proving termination in JML/Java Remove directive diverges true; Add directive decreasing v; to loop invariant KeY creates suitable invariant rule and PO (with... φ) Example: The array loop @ decreasing Beckert, Ulbrich Formal Systems II: Applications SS 2017 39/39

Total Correctness Find a decreasing integer term v (called variant) Add the following premisses to the invariant rule: v 0 is initially valid v 0 is preserved by the loop body v is strictly decreased by the loop body Proving termination in JML/Java Remove directive diverges true; Add directive decreasing v; to loop invariant KeY creates suitable invariant rule and PO (with... φ) Example: The array loop @ decreasing Beckert, Ulbrich Formal Systems II: Applications SS 2017 39/39

Total Correctness Find a decreasing integer term v (called variant) Add the following premisses to the invariant rule: v 0 is initially valid v 0 is preserved by the loop body v is strictly decreased by the loop body Proving termination in JML/Java Remove directive diverges true; Add directive decreasing v; to loop invariant KeY creates suitable invariant rule and PO (with... φ) Example: The array loop @ decreasing Beckert, Ulbrich Formal Systems II: Applications SS 2017 39/39

Total Correctness Find a decreasing integer term v (called variant) Add the following premisses to the invariant rule: v 0 is initially valid v 0 is preserved by the loop body v is strictly decreased by the loop body Proving termination in JML/Java Remove directive diverges true; Add directive decreasing v; to loop invariant KeY creates suitable invariant rule and PO (with... φ) Example: The array loop @ decreasing a.length - i; Beckert, Ulbrich Formal Systems II: Applications SS 2017 39/39

Total Correctness Find a decreasing integer term v (called variant) Add the following premisses to the invariant rule: v 0 is initially valid v 0 is preserved by the loop body v is strictly decreased by the loop body Proving termination in JML/Java Remove directive diverges true; Add directive decreasing v; to loop invariant KeY creates suitable invariant rule and PO (with... φ) Example: The array loop @ decreasing a.length - i; Files: LoopT.java Loop2T.java Beckert, Ulbrich Formal Systems II: Applications SS 2017 39/39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback