Verifying Java Programs Verifying Java Programs with KeY

Similar documents
Verifying Java Programs Verifying Java Programs with KeY

Verifying Java Programs with KeY

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

Verifying Java Programs

Specifying and Verifying Programs (Part 2)

Overview The Java Modeling Language (Part 1) Related Work

The Java Modeling Language (Part 1)

Formal Methods in Software Development

Formal Systems II: Applications

Verification Condition Generation

Fundamentals of Software Engineering

Formal Specification and Verification

The Prototype Verification System PVS

Checking Program Properties with ESC/Java

The Java Modeling Language (Part 2)

JML Class Specifications The Java Modeling Language (Part 2) A Java Class

Verification Conditions. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

Advances in Programming Languages

Lecture 10 Design by Contract

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

An Annotated Language

Towards Combined Static and Runtime Verification of Distributed Software

Overview of the KeY System

Reasoning About Loops Using Vampire

Programming with Contracts. Juan Pablo Galeotti, Alessandra Gorla Saarland University, Germany

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Advances in Programming Languages

Formal Specification and Verification

From OCL to Propositional and First-order Logic: Part I

COMP 507: Computer-Aided Program Design

Lecture 5 - Axiomatic semantics

JML tool-supported specification for Java Erik Poll Radboud University Nijmegen

Lectures 20, 21: Axiomatic Semantics

Reasoning About Imperative Programs. COS 441 Slides 10

The Java Modeling Language JML

Computability and Complexity Sample Exam Questions

Contents. Program 1. Java s Integral Types in PVS (p.4 of 37)

The KeY System 1.0 (Deduction Component)

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

Introduction to JavaCard Dynamic Logic

Program Verification (6EC version only)

Chapter 19 Verification of Counting Sort and Radix Sort

Hoare Logic: Proving Programs Correct

Lecture Notes: Hoare Logic

From OCL to Typed First-order Logic

Specification of a transacted memory for smart cards in Java and JML

A Short Introduction to First-Order Theorem Proving with KeY

Fundamentals of Software Engineering

6. Hoare Logic and Weakest Preconditions

Formal Methods for Java

Abstract Interpretation

Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

Advances in Programming Languages

Why. an intermediate language for deductive program verification

Deductive Program Verification with Why3, Past and Future

The Why/Krakatoa/Caduceus Platform for Deductive Program Verication

Towards a GUI for Program Verification with KeY. Master of Science Thesis in the Programme Software Engineering and Technology

ESC/Java2 Warnings David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Testing, Debugging, and Verification

Arrays. Arrays. Wolfgang Schreiner Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria

Handling Integer Arithmetic in the Verification of Java Programs

Static program checking and verification

Formale Entwicklung objektorientierter Software

Introduction to JML David Cok, Joe Kiniry, and Erik Poll Eastman Kodak Company, University College Dublin, and Radboud University Nijmegen

Integrating verification in programming languages

Object Ownership in Program Verification

Java Bytecode Specification and Verification

The Programming Language Core

The RISC ProgramExplorer Tutorial and Manual 1

Assertions & Design-by-Contract using JML Erik Poll University of Nijmegen

Abstract Data Types. Abstract Data Types

EXAMINATIONS 2009 MID-TERM TEST. COMP 202 / SWEN 202 Formal Methods of Computer Science / Formal Foundations of Software Engineering WITH ANSWERS

Proof Carrying Code(PCC)

Introduction to Axiomatic Semantics

Numerical Computations and Formal Methods

Testing, Debugging, Program Verification

Review: Hoare Logic Rules

Software Engineering using Formal Methods

VS 3 : SMT Solvers for Program Verification

Analysis of Software Artifacts

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

Formal Verification. Lecture 10

CS2104 Prog. Lang. Concepts

ESC/Java2 vs. JMLForge. Juan Pablo Galeotti, Alessandra Gorla, Andreas Rau Saarland University, Germany

COMBINING PARTIAL EVALUATION AND SYMBOLIC EXECUTION

SWEN 224 Formal Foundations of Programming

Chapter 3 (part 3) Describing Syntax and Semantics

Symbolic Execution and Proof of Properties

Advances in Programming Languages

Fundamentals of Software Engineering

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

Proofs and Proof Certification in the TLA + Proof System

Fundamentals of Software Engineering

Inferring Invariants by Symbolic Execution

Model-based Development of Web Services using Design-by-Contract

Basic Verification Strategy

A Small Survey of Java Specification Languages *

From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

CITS5501 Software Testing and Quality Assurance Formal methods

Transcription:

Verifying Java Programs Verifying Java Programs with KeY Wolfgang Schreiner Wolfgang.Schreiner@risc.jku.at Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria http://www.risc.jku.at Wolfgang Schreiner http://www.risc.jku.at 1/19 Extended static checking of Java programs: Even if no error is reported, a program may violate its specification. Unsound calculus for verifying while loops. Even correct programs may trigger error reports: Incomplete calculus for verifying while loops. Incomplete calculus in automatic decision procedure (Simplify). Verification of Java programs: Sound verification calculus. Not unfolding of loops, but loop reasoning based on invariants. Loop invariants must be typically provided by user. Automatic generation of verification conditions. From JML-annotated Java program, proof obligations are derived. Human-guided proofs of these conditions (using a proof assistant). Simple conditions automatically proved by automatic procedure. We will now deal with an integrated environment for this purpose. Wolfgang Schreiner http://www.risc.jku.at 2/19 The KeY Tool Dynamic Logic http://www.key-project.org KeY: environment for verification of JavaCard programs. Subset of Java for smartcard applications and embedded systems. Universities of Karlsruhe, Koblenz, Chalmers, 1998 Beckert et al: Deductive Software Verification The KeY Book: From Theory to Practice, Springer, 2016. Chapter 16: Formal Verification with KeY: A Tutorial Specification languages: OCL and JML. Original: OCL (Object Constraint Language), part of UML standard. Later added: JML (Java Modeling Language). Logical framework: Dynamic Logic (DL). Successor/generalization of Hoare Logic. Integrated prover with interfaces to external decision procedures. Simplify, CVC3, CVC4, Yices, Z3. Now only JML is supported as a specification language. Wolfgang Schreiner http://www.risc.jku.at 3/19 Further development of Hoare Logic to a modal logic. Hoare logic: two separate kinds of statements. Formulas P, Q constraining program states. Hoare triples {P}C{Q} constraining state transitions. Dynamic logic: single kind of statement. Predicate logic formulas extended by two kinds of modalities. [C]Q ( C Q) Every state that can be reached by the execution of C satisfies Q. The statement is trivially true, if C does not terminate. C Q ( [C] Q) There exists some state that can be reached by the execution of C and that satisfies Q. The statement is only true, if C terminates. States and state transitions can be described by DL formulas. Wolfgang Schreiner http://www.risc.jku.at 4/19

Dynamic Logic versus Hoare Logic Advantages of Dynamic Logic Hoare triple {P}C{Q} can be expressed as a DL formula. Partial correctness interpretation: P [C]Q If P holds in the current state and the execution of C reaches another state, then Q holds in that state. Equivalent to the partial correctness interpretation of {P}C{Q}. Total correctness interpretation: P C Q If P holds in the current state, then there exists another state that can be reached by the execution of C in which Q holds. If C is deterministic, there exists at most one such state; then equivalent to the total correctness interpretation of {P}C{Q}. For deterministic programs, the interpretations coincide. Modal formulas can also occur in the context of quantifiers. Hoare Logic: {x = a} y:=x*x {x = a y = a 2 } Use of free mathematical variable a to denote the old value of x. Dynamic logic: a : x = a [y:=x*x] x = a y = a 2 Quantifiers can be used to restrict the scopes of mathematical variables across state transitions. Set of DL formulas is closed under the usual logical operations. Wolfgang Schreiner http://www.risc.jku.at 5/19 Wolfgang Schreiner http://www.risc.jku.at 6/19 A Calculus for Dynamic Logic A Calculus for Dynamic Logic A core language of commands (non-deterministic): X := T... assignment C 1 ; C 2... sequential composition C 1 C 2... non-deterministic choice C... iteration (zero or more times) F?... test (blocks if F is false) A high-level language of commands (deterministic): skip = true? abort = false? X := T C 1 ; C 2 if F then C 1 else C 2 = (F?; C 1 ) (( F )?; C 2 ) if F then C = (F?; C) ( F )? while F do C = (F?; C) ; ( F )? A calculus is defined for dynamic logic with the core command language. Wolfgang Schreiner http://www.risc.jku.at 7/19 Basic rules: Rules for predicate logic extended by general rules for modalities. Command-related rules: Γ F [T /X ] Γ [X := T ]F Γ [C 1 ][C 2 ]F Γ [C 1 ; C 2 ]F Γ [C 1 ]F Γ [C 2 ]F Γ [C 1 C 2 ]F Γ F Γ F [C]F Γ [C ]F Γ F G Γ [F?]G From these, Hoare-like rules for the high-level language can be derived. Wolfgang Schreiner http://www.risc.jku.at 8/19

Objects and Updates The JMLKeY Prover Calculus has to deal with the pointer semantics of Java objects. Aliasing: two variables o, o may refer to the same object. Field assignment o.a := T may also affect the value of o.a. Update formulas: {o.a T }F Truth value of F in state after the assignment o.a := T. Field assignment rule: Γ {o.a T }F Γ [o.a := T ]F Field access rule: Γ, o = o F (T ) Γ, o o F (o.a) Γ {o.a T }F (o.a) Case distinction depending on whether o and o refer to same object. Only applied as last resort (after all other rules of the calculus). Considerable complication of verifications. Wolfgang Schreiner http://www.risc.jku.at 9/19 > KeY & Wolfgang Schreiner http://www.risc.jku.at 10/19 A Simple Example A Simple Example (Contd) File/Load Example/Getting Started/Sum and Max class SumAndMax { int sum; int max; /*@ requires (\forall int i; @ @ assignable sum, max; @ ensures (\forall int i; @ @ ensures (a.length > 0 ==> @ (\exists int i; @ 0 <= i && i < a.length; @ max == a[i])); @ ensures sum == (\sum int i; /*@ loop_invariant @ 0 <= k && k <= a.length @ && (\forall int i; 0 <= i && i < a.length; 0 <= a[i]); @ 0 <= i && i < k; a[i] <= max) @ && (k == 0 ==> max == 0) @ && (k > 0 ==> (\exists int i; 0 <= i && i < a.length; a[i] <= max); @ 0 <= i && i < k; max == a[i])) @ && sum == (\sum int i; @ 0 <= i && i< k; a[i]) @ 0 <= i && i < a.length; a[i]); @ ensures sum <= a.length * max; void sumandmax(int[] a) { sum = 0; max = 0; int k = 0; @ && sum <= k * max; @ assignable sum, max; @ decreases a.length - k; while (k < a.length) { if (max < a[k]) max = a[k]; sum += a[k]; k++; } } } Wolfgang Schreiner http://www.risc.jku.at 11/19 Generate the proof obligations and choose one for verification. Wolfgang Schreiner http://www.risc.jku.at 12/19

A Simple Example (Contd 2) A Simple Example (Contd 3) The proof obligation in Dynamic Logic. Wolfgang Schreiner http://www.risc.jku.at 13/19 wellformed(heap) ==> true &!self=null &... & (\forall int i; (0 <= i & i < a.length & inint(i) -> 0 <= a[i]) &(self.<inv> &!a = null)) -> {heapatpre:=heap _a:=a} \<{ exc=null;try { self.sumandmax(_a)@sumandmax; } catch (java.lang.throwable e){ exc=e; } }\>(\forall int i; (0 <= i & i < a.length & inint(i) -> a[i] <= self.max) & (( a.length > 0 -> \exists int i; (0 <= i & i < a.length & inint(i) & self.max = a[i])) & ( self.sum = javacastint(bsum{int i;}(0, a.length, a[i])) & (self.sum <= javamulint(a.length, self.max) & self.<inv>))) & exc = null & \forall Field f; \forall java.lang.object o; ( (o, f) \in {(self,sumandmax::$sum)} \cup {(self,sumandmax::$max)}!o = null &!o.<created>@heapatpre = TRUE o.f = o.f@heapatpre)) Press button Start (green arrow). Wolfgang Schreiner http://www.risc.jku.at 14/19 A Simple Example (Contd 4) Proof runs through automatically. Wolfgang Schreiner http://www.risc.jku.at 15/19 Linear Search /*@ requires a!= null; @ assignable \nothing; @ ensures @ (\result == -1 && @ (\forall int j; 0 <= j && j < a.length; a[j]!= x)) @ (0 <= \result && \result < a.length && a[\result] == x && @ (\forall int j; 0 <= j && j < \result; a[j]!= x)); public static int search(int[] a, int x) { int n = a.length; int i = 0; int r = -1; /*@ loop_invariant @ a!= null && n == a.length && 0 <= i && i <= n && @ (\forall int j; 0 <= j && j < i; a[j]!= x) && @ (r == -1 (r == i && i < n && a[r] == x)); @ decreases r == -1? n-i : 0; @ assignable r, i; // required by KeY, not legal JML while (r == -1 && i < n) { if (a[i] == x) r = i; else i = i+1; } return r; } Wolfgang Schreiner http://www.risc.jku.at 16/19

Linear Search (Contd) Proof Structure Also this verification is completed automatically. Wolfgang Schreiner http://www.risc.jku.at 17/19 Multiple conditions: Invariant initially valid. Body preserves invariant. Use case (invariant implies postcondition). If proof fails, elaborate which part causes trouble and potentially correct program, specification, loop annotations. For a successful proof, in general multiple iterations of automatic proof search (button Start ) and invocation of separate SMT solvers required (button Run Z3, Yices, CVC3, Simplify ). Wolfgang Schreiner http://www.risc.jku.at 18/19 Summary Various academic approaches to verifying Java(Card) programs. Jack: http://www-sop.inria.fr/everest/soft/jack/jack.html Jive: http://www.pm.inf.ethz.ch/research/jive Mobius: http://kindsoftware.com/products/opensource/mobius/ Do not yet scale to verification of full Java applications. General language/program model is too complex. Simplifying assumptions about program may be made. Possibly only special properties may be verified. Nevertheless very helpful for reasoning on Java in the small. Much beyond Hoare calculus on programs in toy languages. Probably all examples in this course can be solved automatically by the use of the KeY prover and its integrated SMT solvers. Enforce clearer understanding of language features. Perhaps constructs with complex reasoning are not a good idea... In a not too distant future, customers might demand that some critical code is shipped with formal certificates (correctness proofs)... Wolfgang Schreiner http://www.risc.jku.at 19/19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback