Verifying Java Programs with KeY

Similar documents
Verifying Java Programs Verifying Java Programs with KeY

Verifying Java Programs Verifying Java Programs with KeY

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

Verifying Java Programs

Specifying and Verifying Programs (Part 2)

Overview The Java Modeling Language (Part 1) Related Work

The Java Modeling Language (Part 1)

Formal Specification and Verification

Formal Systems II: Applications

Fundamentals of Software Engineering

Formal Methods in Software Development

The Java Modeling Language (Part 2)

The Java Modeling Language JML

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Verification Condition Generation

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Towards Combined Static and Runtime Verification of Distributed Software

The Prototype Verification System PVS

Formal Specification and Verification

Advances in Programming Languages

Checking Program Properties with ESC/Java

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Java Modelling Language (JML) References

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

KeY Quicktour for JML

Java Modelling Language (JML) References

JML What are model fields? Translation to JavaDL Demo. JML Model Fields. Christian Engel. ITI, Universität Karlsruhe. 08.

An Annotated Language

Advances in Programming Languages

Lecture 10 Design by Contract

Introduction to JavaCard Dynamic Logic

Overview of the KeY System

Software Engineering using Formal Methods

Fundamentals of Software Engineering

Formale Entwicklung objektorientierter Software

From OCL to Typed First-order Logic

Formal Methods for Java

Chapter 19 Verification of Counting Sort and Radix Sort

Program Verification (6EC version only)

From OCL to Propositional and First-order Logic: Part I

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Reasoning About Loops Using Vampire

Testing, Debugging, Program Verification

Towards a GUI for Program Verification with KeY. Master of Science Thesis in the Programme Software Engineering and Technology

Fundamentals of Software Engineering

The KeY System 1.0 (Deduction Component)

Fundamentals of Software Engineering

Contents. Program 1. Java s Integral Types in PVS (p.4 of 37)

Specification of a transacted memory for smart cards in Java and JML

6. Hoare Logic and Weakest Preconditions

Proof-based Test Case Generation

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

COMBINING PARTIAL EVALUATION AND SYMBOLIC EXECUTION

Lectures 20, 21: Axiomatic Semantics

Lecture Notes: Hoare Logic

Hoare Logic: Proving Programs Correct

COMP 507: Computer-Aided Program Design

The Java Modeling Language a Basis for Static and Dynamic Verification

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

Seminar: Specification and Verification of Object-oriented Software. The KeY Tool

Formal Methods for Software Development

Lecture 5 - Axiomatic semantics

Proof Carrying Code(PCC)

Model-based Development of Web Services using Design-by-Contract

The Programming Language Core

Reasoning About Imperative Programs. COS 441 Slides 10

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Object Ownership in Program Verification

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

JML. Outline. Métodos Formais em Engenharia de Software. MI, Braga these slides were prepared by adopting/adapting teaching material

EXAMINATIONS 2009 MID-TERM TEST. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering WITH ANSWERS

Formal Methods for Software Development

Java Bytecode Specification and Verification

Testing, Debugging, and Verification

Abstract Interpretation

The Why/Krakatoa/Caduceus Platform for Deductive Program Verication

Integrating verification in programming languages

Basic Verification Strategy

Why. an intermediate language for deductive program verification

Advances in Programming Languages

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

CITS5501 Software Testing and Quality Assurance Formal methods

The RISC ProgramExplorer Tutorial and Manual 1

Symbolic Execution and Verification Conditions. Review of Verification Conditions. Survey from Homework 4. Time spent: 7.1 hrs (mean), 6 hrs (median)

JML. Java Modeling Language

Computability and Complexity Sample Exam Questions

A Small Survey of Java Specification Languages *

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

Abstract Data Types. Abstract Data Types

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Arrays. Arrays. Wolfgang Schreiner Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria

Introduction to Axiomatic Semantics

KeY Quicktour. 1 Introduction/Prerequisites Version Information Logical Foundations The KeY-Prover... 2

Formal Methods for Java

Advances in Programming Languages

Formal Verification. Lecture 10

Handling Integer Arithmetic in the Verification of Java Programs

Violations of the contract are exceptions, and are usually handled by special language constructs. Design by contract

Specifying JAVACARD API in OCL

Transcription:

Verifying Java Programs with KeY Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at Wolfgang Schreiner http://www.risc.jku.at 1/19

Verifying Java Programs Extended static checking of Java programs: Even if no error is reported, a program may violate its specification. Unsound calculus for verifying while loops. Even correct programs may trigger error reports: Incomplete calculus for verifying while loops. Incomplete calculus in automatic decision procedure (Simplify). Verification of Java programs: Sound verification calculus. Not unfolding of loops, but loop reasoning based on invariants. Loop invariants must be typically provided by user. Automatic generation of verification conditions. From JML-annotated Java program, proof obligations are derived. Human-guided proofs of these conditions (using a proof assistant). Simple conditions automatically proved by automatic procedure. We will now deal with an integrated environment for this purpose. Wolfgang Schreiner http://www.risc.jku.at 2/19

The KeY Tool http://www.key-project.org KeY: environment for verification of JavaCard programs. Subset of Java for smartcard applications and embedded systems. Universities of Karlsruhe, Koblenz, Chalmers, 1998 Beckert et al: Verification of Object-Oriented Software: The KeY Approach, Springer, 2007. (book) Ahrendt et al: The KeY Tool, 2005. (paper) Engel and Roth: KeY Quicktour for JML, 2006. (short paper) Specification languages: OCL and JML. Original: OCL (Object Constraint Language), part of UML standard. Later added: JML (Java Modeling Language). Logical framework: Dynamic Logic (DL). Successor/generalization of Hoare Logic. Integrated prover with interfaces to external decision procedures. Simplify, CVC3, Yices, Z3. We will only deal with the tool s JML interface JMLKeY. Wolfgang Schreiner http://www.risc.jku.at 3/19

Dynamic Logic Further development of Hoare Logic to a modal logic. Hoare logic: two separate kinds of statements. Formulas P, Q constraining program states. Hoare triples {P}C{Q} constraining state transitions. Dynamic logic: single kind of statement. Predicate logic formulas extended by two kinds of modalities. [C]Q ( C Q) Every state that can be reached by the execution of C satisfies Q. The statement is trivially true, if C does not terminate. C Q ( [C] Q) There exists some state that can be reached by the execution of C and that satisfies Q. The statement is only true, if C terminates. States and state transitions can be described by DL formulas. Wolfgang Schreiner http://www.risc.jku.at 4/19

Dynamic Logic versus Hoare Logic Hoare triple {P}C{Q} can be expressed as a DL formula. Partial correctness interpretation: P [C]Q If P holds in the current state and the execution of C reaches another state, then Q holds in that state. Equivalent to the partial correctness interpretation of {P}C{Q}. Total correctness interpretation: P C Q If P holds in the current state, then there exists another state that can be reached by the execution of C in which Q holds. If C is deterministic, there exists at most one such state; then equivalent to the total correctness interpretation of {P}C{Q}. For deterministic programs, the interpretations coincide. Wolfgang Schreiner http://www.risc.jku.at 5/19

Advantages of Dynamic Logic Modal formulas can also occur in the context of quantifiers. Hoare Logic: {x = a} y:=x*x {x = a y = a 2 } Use of free mathematical variable a to denote the old value of x. Dynamic logic: a : x = a [y:=x*x] x = a y = a 2 Quantifiers can be used to restrict the scopes of mathematical variables across state transitions. Set of DL formulas is closed under the usual logical operations. Wolfgang Schreiner http://www.risc.jku.at 6/19

A Calculus for Dynamic Logic A core language of commands (non-deterministic): X := T...assignment C 1 ;C 2...sequential composition C 1 C 2...non-deterministic choice C...iteration (zero or more times) F?...test (blocks if F is false) A high-level language of commands (deterministic): skip = true? abort = false? X := T C 1 ;C 2 if F then C 1 else C 2 = (F?;C 1 ) (( F)?;C 2 ) if F then C = (F?;C) ( F)? while F do C = (F?;C) ;( F)? A calculus is defined for dynamic logic with the core command language. Wolfgang Schreiner http://www.risc.jku.at 7/19

A Calculus for Dynamic Logic Basic rules: Rules for predicate logic extended by general rules for modalities. Command-related rules: Γ F[T/X] Γ [X := T]F Γ [C 1 ][C 2 ]F Γ [C 1 ;C 2 ]F Γ [C 1 ]F Γ [C 2 ]F Γ [C 1 C 2 ]F Γ F Γ F [C]F Γ [C ]F Γ F G Γ [F?]G From these, Hoare-like rules for the high-level language can be derived. Wolfgang Schreiner http://www.risc.jku.at 8/19

Objects and Updates Calculus has to deal with the pointer semantics of Java objects. Aliasing: two variables o,o may refer to the same object. Field assignment o.a := T may also affect the value of o.a. Update formulas: {o.a T}F Truth value of F in state after the assignment o.a := T. Field assignment rule: Γ {o.a T}F Γ [o.a := T]F Field access rule: Γ,o = o F(T) Γ,o o F(o.a) Γ {o.a T}F(o.a) Case distinction depending on whether o and o refer to same object. Only applied as last resort (after all other rules of the calculus). Considerable complication of verifications. Wolfgang Schreiner http://www.risc.jku.at 9/19

The JMLKeY Prover /zvol/formal/bin/startprover & Wolfgang Schreiner http://www.risc.jku.at 10/19

A Simple Example Engel et al: KeY Quicktour for JML, 2005. package paycard; public class PayCard { /*@ public invariant log.\inv; @ public invariant balance >= 0; @ public invariant limit > 0; @ public invariant unsucc >= 0; @ public invariant log!= null; @*/ /*@ spec_public @*/ int limit=1000; /*@ spec_public @*/ int unsucc; /*@ spec_public @*/ int id; /*@ spec_public @*/ int balance=0; /*@ spec_public @*/ protected LogFile log;... /*@ public normal_behavior @ requires amount>0; @ requires amount+balance<limit && isvalid() @ ensures \result == true; @ ensures balance == amount+\old(balance); @ ensures unsucc == \old(unsucc); @ assignable balance, unsucc; @ also... @*/ public boolean charge(int amount) throws IllegalArgumentException { if (amount <= 0) throw new IllegalArgumentException(); if (balance+amount<limit && isvalid()) { balance=balance+amount; return true; }... } Wolfgang Schreiner http://www.risc.jku.at 11/19

A Simple Example (Contd) Generate the proof obligations and choose one for verification. Wolfgang Schreiner http://www.risc.jku.at 12/19

A Simple Example (Contd 2) The proof obligation in Dynamic Logic. Wolfgang Schreiner http://www.risc.jku.at 13/19

A Simple Example (Contd 3) ==> wellformed(heap) &!self = null &... & ( amount > 0 & ( javaaddint(amount, self.balance) < self.limit & self.isvalid() = TRUE & self.<inv>)) -> {heapatpre:=heap _amount:=amount} \<{ exc=null;try {result=self.charge(_amount)@paycard.paycard; }catch (java.lang.exception e) {exc=e;} }\> ( result = TRUE & amount = amount & ( self.balance = javaaddint(amount, int::select(heapatpre, self, balance)) & ( self.unsucc = int::select(heapatpre, self, unsucc) & self.<inv>)) & exc = null &... Press button Start (green arrow). Wolfgang Schreiner http://www.risc.jku.at 14/19

A Simple Example (Contd 4) Proof runs through automatically. Wolfgang Schreiner http://www.risc.jku.at 15/19

A Loop Example /*@ requires a!= null; @ assignable \nothing; @ ensures @ (\result == -1 && @ (\forall int j; 0 <= j && j < a.length; a[j]!= x)) @ (0 <= \result && \result < a.length && a[\result] == x && @ (\forall int j; 0 <= j && j < \result; a[j]!= x)); @*/ public static int search(int[] a, int x) { int n = a.length; int i = 0; int r = -1; /*@ loop_invariant @ a!= null && n == a.length && 0 <= i && i <= n && @ (\forall int j; 0 <= j && j < i; a[j]!= x) && @ (r == -1 (r == i && i < n && a[r] == x)); @ decreases r == -1? n-i : 0; @ assignable r, i; // required by KeY, not legal JML @*/ while (r == -1 && i < n) { if (a[i] == x) r = i; else i = i+1; } return r; } Wolfgang Schreiner http://www.risc.jku.at 16/19

A Loop Example (Contd) Also this verification is completed automatically. Wolfgang Schreiner http://www.risc.jku.at 17/19

Proof Structure Multiple conditions: Invariant initially valid. Body preserves invariant. Use case (invariant implies postcondition). If proof fails, elaborate which part causes trouble and potentially correct program, specification, loop annotations. For a successful proof, in general multiple iterations of automatic proof search (button Start ) and invocation of separate SMT solvers required (button Run Z3, Yices, CVC3, Simplify ). Wolfgang Schreiner http://www.risc.jku.at 18/19

Summary Various academic approaches to verifying Java(Card) programs. Jack: http://www-sop.inria.fr/everest/soft/jack/jack.html Jive: http://www.pm.inf.ethz.ch/research/jive Mobius: http://kindsoftware.com/products/opensource/mobius/ Do not yet scale to verification of full Java applications. General language/program model is too complex. Simplifying assumptions about program may be made. Possibly only special properties may be verified. Nevertheless very helpful for reasoning on Java in the small. Much beyond Hoare calculus on programs in toy languages. Probably all examples in this course can be solved automatically by the use of the KeY prover and its integrated SMT solvers. Enforce clearer understanding of language features. Perhaps constructs with complex reasoning are not a good idea... In a not too distant future, customers might demand that some critical code is shipped with formal certificates (correctness proofs)... Wolfgang Schreiner http://www.risc.jku.at 19/19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback