Download - Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Transcript
Page 1: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Software Engineering using Formal MethodsReasoning about Programs with Dynamic Logic

Wolfgang Ahrendt & Richard Bubel & Wojciech Mostowski

5 October 2011

SEFM: Java DL /GU 111005 1 / 45

Page 2: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Dynamic Logic

(Java) Dynamic Logic

Typed FOL

I + (Java) programs p

I + modalities 〈p〉φ, [p]φ (p program, φ DL formula)

I + . . . (later)

Remark on Hoare Logic and DL

In Hoare logic {Pre} p {Post} (Pre, Post must be FOL)

In DL Pre → [p]Post (Pre, Post any DL formula)

SEFM: Java DL /GU 111005 2 / 45

Page 3: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Dynamic Logic

(Java) Dynamic Logic

Typed FOL

I + (Java) programs p

I + modalities 〈p〉φ, [p]φ (p program, φ DL formula)

I + . . . (later)

Remark on Hoare Logic and DL

In Hoare logic {Pre} p {Post} (Pre, Post must be FOL)

In DL Pre → [p]Post (Pre, Post any DL formula)

SEFM: Java DL /GU 111005 2 / 45

Page 4: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Dynamic Logic

(Java) Dynamic Logic

Typed FOL

I + (Java) programs p

I + modalities 〈p〉φ, [p]φ (p program, φ DL formula)

I + . . . (later)

Remark on Hoare Logic and DL

In Hoare logic {Pre} p {Post} (Pre, Post must be FOL)

In DL Pre → [p]Post (Pre, Post any DL formula)

SEFM: Java DL /GU 111005 2 / 45

Page 5: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Dynamic Logic

(Java) Dynamic Logic

Typed FOL

I + (Java) programs p

I + modalities 〈p〉φ, [p]φ (p program, φ DL formula)

I + . . . (later)

Remark on Hoare Logic and DL

In Hoare logic {Pre} p {Post} (Pre, Post must be FOL)

In DL Pre → [p]Post (Pre, Post any DL formula)

SEFM: Java DL /GU 111005 2 / 45

Page 6: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Proving DL Formulas

An Example

∀ int x ;(x

.= n ∧ x >= 0→[ i = 0; r = 0;while(i < n){i = i + 1; r = r + i; }r = r + r− n;

]r.

= x ∗ x)

How can we prove that the above formula is valid(i.e. satisfied in all states)?

SEFM: Java DL /GU 111005 3 / 45

Page 7: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Semantics of Sequents

Γ = {φ1, . . . , φn} and ∆ = {ψ1, . . . , ψm} sets of program formulaswhere all logical variables occur bound

Recall: s |= (Γ =⇒ ∆) iff s |= (φ1 ∧ · · · ∧ φn) → (ψ1 ∨ · · · ∨ ψm)

Define semantics of DL sequents identical to semantics of FOL sequents

Definition (Validity of Sequents over Program Formulas)

A sequent Γ =⇒ ∆ over program formulas is valid iff

s |= (Γ =⇒ ∆) in all states s

Consequence for program variables

Initial value of program variables implicitly “universally quantified”

SEFM: Java DL /GU 111005 4 / 45

Page 8: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Semantics of Sequents

Γ = {φ1, . . . , φn} and ∆ = {ψ1, . . . , ψm} sets of program formulaswhere all logical variables occur bound

Recall: s |= (Γ =⇒ ∆) iff s |= (φ1 ∧ · · · ∧ φn) → (ψ1 ∨ · · · ∨ ψm)

Define semantics of DL sequents identical to semantics of FOL sequents

Definition (Validity of Sequents over Program Formulas)

A sequent Γ =⇒ ∆ over program formulas is valid iff

s |= (Γ =⇒ ∆) in all states s

Consequence for program variables

Initial value of program variables implicitly “universally quantified”

SEFM: Java DL /GU 111005 4 / 45

Page 9: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution of Programs

Sequent calculus decomposes top-level operator in formulaWhat is “top-level” in a sequential program p; q; r; ?

Symbolic Execution (King, late 60s)

I Follow the natural control flow when analysing a program

I Values of some variables unknown: symbolic state representation

Example

Compute the final state after termination of

x=x+y; y=x-y; x=x-y;

SEFM: Java DL /GU 111005 5 / 45

Page 10: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution of Programs

Sequent calculus decomposes top-level operator in formulaWhat is “top-level” in a sequential program p; q; r; ?

Symbolic Execution (King, late 60s)

I Follow the natural control flow when analysing a program

I Values of some variables unknown: symbolic state representation

Example

Compute the final state after termination of

x=x+y; y=x-y; x=x-y;

SEFM: Java DL /GU 111005 5 / 45

Page 11: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution of Programs Cont’d

General form of rule conclusions in symbolic execution calculus

〈stmt; rest〉φ, [stmt; rest]φ

I Rules symbolically execute first statement (‘active statement’)I Repeated application of such rules corresponds to

symbolic program execution

Example (updates/swap2.key, Demo , active statement)

\programVariables {

int x; int y; }

\problem {

x > y -> \<{x=x+y; y=x-y; x=x-y;}\> y > x

}

SEFM: Java DL /GU 111005 6 / 45

Page 12: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution of Programs Cont’d

General form of rule conclusions in symbolic execution calculus

〈stmt; rest〉φ, [stmt; rest]φ

I Rules symbolically execute first statement (‘active statement’)I Repeated application of such rules corresponds to

symbolic program execution

Example (updates/swap2.key, Demo , active statement)

\programVariables {

int x; int y; }

\problem {

x > y -> \<{x=x+y; y=x-y; x=x-y;}\> y > x

}

SEFM: Java DL /GU 111005 6 / 45

Page 13: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution of Programs Cont’d

Symbolic execution of conditional

ifΓ, b

.= true =⇒ 〈p; rest〉φ,∆ Γ, b

.= false =⇒ 〈q; rest〉φ,∆

Γ =⇒ 〈 if (b) { p } else { q } ; rest〉φ,∆

Symbolic execution must consider all possible execution branches

Symbolic execution of loops: unwind

unwindLoopΓ =⇒ 〈 if (b) { p; while (b) p }; rest〉φ,∆

Γ =⇒ 〈while (b) {p}; rest〉φ,∆

SEFM: Java DL /GU 111005 7 / 45

Page 14: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution of Programs Cont’d

Symbolic execution of conditional

ifΓ, b

.= true =⇒ 〈p; rest〉φ,∆ Γ, b

.= false =⇒ 〈q; rest〉φ,∆

Γ =⇒ 〈 if (b) { p } else { q } ; rest〉φ,∆

Symbolic execution must consider all possible execution branches

Symbolic execution of loops: unwind

unwindLoopΓ =⇒ 〈 if (b) { p; while (b) p }; rest〉φ,∆

Γ =⇒ 〈while (b) {p}; rest〉φ,∆

SEFM: Java DL /GU 111005 7 / 45

Page 15: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Updates for KeY-Style Symbolic Execution

Needed: a Notation for Symbolic State Changes

I symbolic execution should ‘walk’ through programin natural direction

I need a succint representation of state changeseffected by a program in one symbolic execution branch

I want to simplify effects of program execution early

I want to apply effects late (to post condition)

We use dedicated notation for simple state changes: updates

SEFM: Java DL /GU 111005 8 / 45

Page 16: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Updates for KeY-Style Symbolic Execution

Needed: a Notation for Symbolic State Changes

I symbolic execution should ‘walk’ through programin natural direction

I need a succint representation of state changeseffected by a program in one symbolic execution branch

I want to simplify effects of program execution early

I want to apply effects late (to post condition)

We use dedicated notation for simple state changes: updates

SEFM: Java DL /GU 111005 8 / 45

Page 17: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Explicit State Updates

Definition (Syntax of Updates, Updated Terms/Formulas)

If v is program variable, t FOL term type-compatible with v,t ′ any FOL term, and φ any DL formula, then

I v := t is an update

I {v := t}t ′ is DL term

I {v := t}φ is DL formula

Definition (Semantics of Updates)

State s interprets flexible symbols f with Is(f )β variable assignment for logical variables in t, ρ transition relation:

ρ({v := t})(s, β) = s ′ where s ′ identical to s except Is′(v) = vals,β(t)

SEFM: Java DL /GU 111005 9 / 45

Page 18: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Explicit State Updates Cont’d

Facts about updates {v := t}I Update semantics almost identical to that of assignment

I Value of update also depends on logical variables in t, i.e., β

I Updates are not assignments: right-hand side is FOL term

{x := n}φ cannot be turned into assignment (n logical variable)

〈x=i++;〉φ cannot directly be turned into update

I Updates are not equations: change value of flexible terms

SEFM: Java DL /GU 111005 10 / 45

Page 19: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Computing Effect of Updates (Automatic)

Rewrite rules for update followed by . . .

program variable

{{x := t}y y

{x := t}x t

logical variable {x := t}w w

complex term {x := t}f (t1, . . . , tn) f ({x := t}t1, . . . , {x := t}tn)(f rigid)

FOL formula

{x := t}(φ & ψ) {x := t}φ & {x := t}ψ

· · ·{x := t}(∀ τ y ; φ) ∀ τ y ; ({x := t}φ)

program formula No rewrite rule for {x := t}(〈p〉φ) unchanged!

Update rewriting delayed until p symbolically executed

SEFM: Java DL /GU 111005 11 / 45

Page 20: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Assignment Rule Using Updates

Symbolic execution of assignment using updates

assignΓ =⇒ {x := t}〈rest〉φ,∆Γ =⇒ 〈x = t; rest〉φ,∆

I Simple! No variable renaming, etc.

I Works as long as t has no side effects (ok in simple DL)

I Special cases needed for x =t1 + t2, etc.

Demoupdates/assignmentToUpdate.key

SEFM: Java DL /GU 111005 12 / 45

Page 21: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Parallel Updates

How to apply updates on updates?

Example

Symbolic execution of

x=x+y; y=x-y; x=x-y;

yields:

{x := x+y}{y := x-y}{x := x-y}

Need to compose three sequential state changes into a single one!

SEFM: Java DL /GU 111005 13 / 45

Page 22: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Parallel Updates Cont’d

Definition (Parallel Update)

A parallel update is expression of the form {l1 := v1|| · · · ||ln := vn} whereeach {li := vi} is simple update

I All vi computed in old state before update is applied

I Updates of all locations li executed simultaneously

I Upon conflict li = lj , vi 6= vj later update (max{i , j}) wins

Definition (Composition Sequential Updates/Conflict Resolution)

{l1 := r1}{l2 := r2} = {l1 := r1||l2 := {l1 := r1}r2}

{l1 := v1|| · · · ||ln := vn}x =

{x if x 6∈ {l1, . . . , ln}vk if x = lk , x 6∈ {lk+1, . . . , ln}

SEFM: Java DL /GU 111005 14 / 45

Page 23: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Parallel Updates Cont’d

Definition (Parallel Update)

A parallel update is expression of the form {l1 := v1|| · · · ||ln := vn} whereeach {li := vi} is simple update

I All vi computed in old state before update is applied

I Updates of all locations li executed simultaneously

I Upon conflict li = lj , vi 6= vj later update (max{i , j}) wins

Definition (Composition Sequential Updates/Conflict Resolution)

{l1 := r1}{l2 := r2} = {l1 := r1||l2 := {l1 := r1}r2}

{l1 := v1|| · · · ||ln := vn}x =

{x if x 6∈ {l1, . . . , ln}vk if x = lk , x 6∈ {lk+1, . . . , ln}

SEFM: Java DL /GU 111005 14 / 45

Page 24: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Parallel Updates Cont’d

Example

({x := x+y}{y := x-y}){x := x-y} =

{x := x+y || y := (x+y)-y}{x := x-y} =

{x := x+y || y := (x+y)-y || x := (x+y)-((x+y)-y)} =

{x := x+y || y := x || x := y} =

{y := x || x := y}

KeY automatically deletes overwritten (unnecessary) updates

Demoupdates/swap2.key

Parallel updates to store intermediate state of symbolic computation

SEFM: Java DL /GU 111005 15 / 45

Page 25: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Parallel Updates Cont’d

Example

({x := x+y}{y := x-y}){x := x-y} =

{x := x+y || y := (x+y)-y}{x := x-y} =

{x := x+y || y := (x+y)-y || x := (x+y)-((x+y)-y)} =

{x := x+y || y := x || x := y} =

{y := x || x := y}

KeY automatically deletes overwritten (unnecessary) updates

Demoupdates/swap2.key

Parallel updates to store intermediate state of symbolic computation

SEFM: Java DL /GU 111005 15 / 45

Page 26: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution with Updates (by Example)

x < y =⇒ x < y...

x < y =⇒ {x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y}{y:=t}〈〉 y < x...

x < y =⇒ {t:=x}{x:=y}〈y=t;〉 y < x...

x < y =⇒ {t:=x}〈x=y; y=t;〉 y < x...

=⇒ x < y −> 〈int t=x; x=y; y=t;〉 y < x

SEFM: Java DL /GU 111005 16 / 45

Page 27: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution with Updates (by Example)

x < y =⇒ x < y...

x < y =⇒ {x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y}{y:=t}〈〉 y < x...

x < y =⇒ {t:=x}{x:=y}〈y=t;〉 y < x...

x < y =⇒ {t:=x}〈x=y; y=t;〉 y < x...

=⇒ x < y −> 〈int t=x; x=y; y=t;〉 y < x

SEFM: Java DL /GU 111005 16 / 45

Page 28: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution with Updates (by Example)

x < y =⇒ x < y...

x < y =⇒ {x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y}{y:=t}〈〉 y < x...

x < y =⇒ {t:=x}{x:=y}〈y=t;〉 y < x...

x < y =⇒ {t:=x}〈x=y; y=t;〉 y < x...

=⇒ x < y −> 〈int t=x; x=y; y=t;〉 y < x

SEFM: Java DL /GU 111005 16 / 45

Page 29: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution with Updates (by Example)

x < y =⇒ x < y...

x < y =⇒ {x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y}{y:=t}〈〉 y < x...

x < y =⇒ {t:=x}{x:=y}〈y=t;〉 y < x...

x < y =⇒ {t:=x}〈x=y; y=t;〉 y < x...

=⇒ x < y −> 〈int t=x; x=y; y=t;〉 y < x

SEFM: Java DL /GU 111005 16 / 45

Page 30: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution with Updates (by Example)

x < y =⇒ x < y...

x < y =⇒ {x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y}{y:=t}〈〉 y < x...

x < y =⇒ {t:=x}{x:=y}〈y=t;〉 y < x...

x < y =⇒ {t:=x}〈x=y; y=t;〉 y < x...

=⇒ x < y −> 〈int t=x; x=y; y=t;〉 y < x

SEFM: Java DL /GU 111005 16 / 45

Page 31: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution with Updates (by Example)

x < y =⇒ x < y...

x < y =⇒ {x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y}{y:=t}〈〉 y < x...

x < y =⇒ {t:=x}{x:=y}〈y=t;〉 y < x...

x < y =⇒ {t:=x}〈x=y; y=t;〉 y < x...

=⇒ x < y −> 〈int t=x; x=y; y=t;〉 y < x

SEFM: Java DL /GU 111005 16 / 45

Page 32: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Symbolic Execution with Updates (by Example)

x < y =⇒ x < y...

x < y =⇒ {x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y || y:=x}〈〉 y < x...

x < y =⇒ {t:=x || x:=y}{y:=t}〈〉 y < x...

x < y =⇒ {t:=x}{x:=y}〈y=t;〉 y < x...

x < y =⇒ {t:=x}〈x=y; y=t;〉 y < x...

=⇒ x < y −> 〈int t=x; x=y; y=t;〉 y < x

SEFM: Java DL /GU 111005 16 / 45

Page 33: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Another use of Updates

If you would like to quantify over a program variable ...

Not allowed: ∀ τ i; 〈...i...〉φ (program 6= logical variable)

Instead

Quantify over value, and assign it to program variable:

∀ τ i0; {i := i0}〈...i...〉φ

SEFM: Java DL /GU 111005 17 / 45

Page 34: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Another use of Updates

If you would like to quantify over a program variable ...

Not allowed: ∀ τ i; 〈...i...〉φ (program 6= logical variable)

Instead

Quantify over value, and assign it to program variable:

∀ τ i0; {i := i0}〈...i...〉φ

SEFM: Java DL /GU 111005 17 / 45

Page 35: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Another use of Updates

If you would like to quantify over a program variable ...

Not allowed: ∀ τ i; 〈...i...〉φ (program 6= logical variable)

Instead

Quantify over value, and assign it to program variable:

∀ τ i0; {i := i0}〈...i...〉φ

SEFM: Java DL /GU 111005 17 / 45

Page 36: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Titlepage

Symbolic Execution

Updates

Parallel Updates

Modeling OO Programs

Self

Object Creation

Round TourJava ProgramsArraysSide EffectsAbrupt TerminationAliasingMethod CallsNull PointersInitializationAPI

Summary

LiteratureSEFM: Java DL /GU 111005 18 / 45

Page 37: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Type Hierarchy

Signature based on Java’s type hierarchy

any

booleanint Object

API, user-defined classes

Null

Each class referenced in API and target program is in signaturewith appropriate partial order

SEFM: Java DL /GU 111005 19 / 45

Page 38: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Modelling Attributes

Modeling instance attributes

Personint ageint id

int setAge(int i)int getId()

I Each o ∈ DPerson has associated age value

I I(age) is function from Person to int

I Attribute values can be changed

I For each class C with attribute a of type τ :FSymnr declares flexible function τ a(C );

Attribute Access

Signature FSymnr : int age(Person); Person p;

Java/JML expression p.age >= 0

Typed FOL age(p)>=0

KeY postfix notation p.age >= 0

Navigation expressions in typed FOL look exactly as in Java/JML

SEFM: Java DL /GU 111005 20 / 45

Page 39: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Modelling Attributes

Modeling instance attributes

Personint ageint id

int setAge(int i)int getId()

I Each o ∈ DPerson has associated age value

I I(age) is function from Person to int

I Attribute values can be changed

I For each class C with attribute a of type τ :FSymnr declares flexible function τ a(C );

Attribute Access

Signature FSymnr : int age(Person); Person p;

Java/JML expression p.age >= 0

Typed FOL age(p)>=0

KeY postfix notation p.age >= 0

Navigation expressions in typed FOL look exactly as in Java/JML

SEFM: Java DL /GU 111005 20 / 45

Page 40: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Modeling Attributes in FOL Cont’d

Resolving Overloading

Overloading resolved by qualifying with class name: p.age@(Person)

Changing the value of attributes

How to translate assignment to attribute p.age=17;?

assignΓ =⇒ {l := t}〈rest〉φ,∆Γ =⇒ 〈l = t; rest〉φ,∆

Admit on left-hand side of update program location expressions

SEFM: Java DL /GU 111005 21 / 45

Page 41: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Modeling Attributes in FOL Cont’d

Resolving Overloading

Overloading resolved by qualifying with class name: p.age@(Person)

Changing the value of attributes

How to translate assignment to attribute p.age=17;?

assignΓ =⇒ {p.age := 17}〈rest〉φ,∆Γ =⇒ 〈p.age = 17; rest〉φ,∆

Admit on left-hand side of update program location expressions

SEFM: Java DL /GU 111005 21 / 45

Page 42: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Generalise Definition of Updates

Definition (Syntax of Updates, Updated Terms/Formulas)

If l is program location (e.g., o.a), t FOL term type-compatible with l ,t ′ any FOL term, and φ any DL formula, then

I l := t is an update

I {l := t}t ′ is DL term

I {l := t}φ is DL formula

Definition (Semantics of Updates, Attribute Case)

State s interprets attribute a with Is(a)β variable assignment for logical variables in t

ρ({o.a := t})(s, β) = s ′ where s ′ identical to s exceptIs′(a)(o) = vals,β(t)

SEFM: Java DL /GU 111005 22 / 45

Page 43: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Dynamic Logic - KeY input file

KeY

\javaSource "path to source code ";

\programVariables { Person p; }

\problem {

\<{ p.age = 18; }\> p.age = 18

}

KeY

KeY reads in all source files and creates automatically the necessarysignature (sorts, attribute functions)

Demo updates/firstAttributeExample.key

SEFM: Java DL /GU 111005 23 / 45

Page 44: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Dynamic Logic - KeY input file

KeY

\javaSource "path to source code ";

\programVariables { Person p; }

\problem {

\<{ p.age = 18; }\> p.age = 18

}

KeY

KeY reads in all source files and creates automatically the necessarysignature (sorts, attribute functions)

Demo updates/firstAttributeExample.key

SEFM: Java DL /GU 111005 23 / 45

Page 45: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Refined Semantics of Program Modalities

Does abrupt termination count as ‘normal’ termination?No! Need to distinguish ‘normal’ and exceptional termination

I 〈p〉φ: p terminates normally and formula φ holds in final state(total correctness)

I [p]φ: If p terminates normally then formula φ holds in final state(partial correctness)

Abrupt termination counts as non-termination!

SEFM: Java DL /GU 111005 24 / 45

Page 46: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Refined Semantics of Program Modalities

Does abrupt termination count as ‘normal’ termination?No! Need to distinguish ‘normal’ and exceptional termination

I 〈p〉φ: p terminates normally and formula φ holds in final state(total correctness)

I [p]φ: If p terminates normally then formula φ holds in final state(partial correctness)

Abrupt termination counts as non-termination!

SEFM: Java DL /GU 111005 24 / 45

Page 47: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Refined Semantics of Program Modalities

Does abrupt termination count as ‘normal’ termination?No! Need to distinguish ‘normal’ and exceptional termination

I 〈p〉φ: p terminates normally and formula φ holds in final state(total correctness)

I [p]φ: If p terminates normally then formula φ holds in final state(partial correctness)

Abrupt termination counts as non-termination!

SEFM: Java DL /GU 111005 24 / 45

Page 48: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Refined Semantics of Program Modalities

Does abrupt termination count as ‘normal’ termination?No! Need to distinguish ‘normal’ and exceptional termination

I 〈p〉φ: p terminates normally and formula φ holds in final state(total correctness)

I [p]φ: If p terminates normally then formula φ holds in final state(partial correctness)

Abrupt termination counts as non-termination!

SEFM: Java DL /GU 111005 24 / 45

Page 49: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Dynamic Logic - KeY input file

KeY

\javaSource "path to source code ";

\programVariables {

...

}

\problem {

p != null -> \<{ p.age = 18; }\> p.age = 18

}

KeY

Only provable when no top-level exception thrown

SEFM: Java DL /GU 111005 25 / 45

Page 50: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

A Warning on Updates

Computing the effect of updates with attribute locations is complex

Example

C

C aC b

I Signature FSymnr : C a(C); C b(C); C o;

I Consider {o.a := o}{o.b := o.a}I First update may affect left side of second update

I o.a and o.b might refer to same object (be aliases)

KeY applies rules automatically, you don’t need to worry about details

SEFM: Java DL /GU 111005 26 / 45

Page 51: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

A Warning on Updates

Computing the effect of updates with attribute locations is complex

Example

C

C aC b

I Signature FSymnr : C a(C); C b(C); C o;

I Consider {o.a := o}{o.b := o.a}

I First update may affect left side of second update

I o.a and o.b might refer to same object (be aliases)

KeY applies rules automatically, you don’t need to worry about details

SEFM: Java DL /GU 111005 26 / 45

Page 52: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

A Warning on Updates

Computing the effect of updates with attribute locations is complex

Example

C

C aC b

I Signature FSymnr : C a(C); C b(C); C o;

I Consider {o.a := o}{o.b := o.a}I First update may affect left side of second update

I o.a and o.b might refer to same object (be aliases)

KeY applies rules automatically, you don’t need to worry about details

SEFM: Java DL /GU 111005 26 / 45

Page 53: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

A Warning on Updates

Computing the effect of updates with attribute locations is complex

Example

C

C aC b

I Signature FSymnr : C a(C); C b(C); C o;

I Consider {o.a := o}{o.b := o.a}I First update may affect left side of second update

I o.a and o.b might refer to same object (be aliases)

KeY applies rules automatically, you don’t need to worry about details

SEFM: Java DL /GU 111005 26 / 45

Page 54: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

A Warning on Updates

Computing the effect of updates with attribute locations is complex

Example

C

C aC b

I Signature FSymnr : C a(C); C b(C); C o;

I Consider {o.a := o}{o.b := o.a}I First update may affect left side of second update

I o.a and o.b might refer to same object (be aliases)

KeY applies rules automatically, you don’t need to worry about details

SEFM: Java DL /GU 111005 26 / 45

Page 55: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Modeling Static Attributes in FOL

Modeling class (static) attributes

For each class C with static attribute a of type τ :FSymnr declares flexible constant τ a;

I Value of a is I(a) for all instances of C

I If necessary, qualify with class (path):byte java.lang.Byte.MAX_VALUE

I Standard values are predefined in KeY:I(java.lang.Byte.MAX_VALUE) = 127

SEFM: Java DL /GU 111005 27 / 45

Page 56: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

The Self Reference

Modeling reference this to the receiving object

Special name for the object whose Java code is currently executed:

in JML: Object this;

in Java: Object this;

in KeY: Object self;

Default assumption in JML-KeY translation: self != null

SEFM: Java DL /GU 111005 28 / 45

Page 57: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Which Objects do Exist?

How to model object creation with new ?

Constant Domain Assumption

Assume that domain D is the same in all states of LTS K = (S , ρ)

Desirable consequence:Validity of rigid FOL formulas unaffected by programs containing new()

|= ∀ τ x ; φ −> [p](∀ τ x ; φ) is valid for rigid φ

Realizing Constant Domain Assumption

I Flexible function boolean <created>(Object);

I Equal to true iff argument object has been created

I Initialized as I(<created>)(o) = F for all o ∈ DI Object creation modeled as {o.<created> := true} for next “free” o

SEFM: Java DL /GU 111005 29 / 45

Page 58: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Which Objects do Exist?

How to model object creation with new ?

Constant Domain Assumption

Assume that domain D is the same in all states of LTS K = (S , ρ)

Desirable consequence:Validity of rigid FOL formulas unaffected by programs containing new()

|= ∀ τ x ; φ −> [p](∀ τ x ; φ) is valid for rigid φ

Realizing Constant Domain Assumption

I Flexible function boolean <created>(Object);

I Equal to true iff argument object has been created

I Initialized as I(<created>)(o) = F for all o ∈ DI Object creation modeled as {o.<created> := true} for next “free” o

SEFM: Java DL /GU 111005 29 / 45

Page 59: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Which Objects do Exist?

How to model object creation with new ?

Constant Domain Assumption

Assume that domain D is the same in all states of LTS K = (S , ρ)

Desirable consequence:Validity of rigid FOL formulas unaffected by programs containing new()

|= ∀ τ x ; φ −> [p](∀ τ x ; φ) is valid for rigid φ

Realizing Constant Domain Assumption

I Flexible function boolean <created>(Object);

I Equal to true iff argument object has been created

I Initialized as I(<created>)(o) = F for all o ∈ DI Object creation modeled as {o.<created> := true} for next “free” o

SEFM: Java DL /GU 111005 29 / 45

Page 60: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Titlepage

Symbolic Execution

Updates

Parallel Updates

Modeling OO Programs

Self

Object Creation

Round TourJava ProgramsArraysSide EffectsAbrupt TerminationAliasingMethod CallsNull PointersInitializationAPI

Summary

LiteratureSEFM: Java DL /GU 111005 30 / 45

Page 61: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Extending Dynamic Logic to Java

KeY admits any syntactically correct Java with some extensions:

I Needs not be compilable unit

I Permit externally declared, non-initialized variables

I All referenced class definitions loaded in background

And some limitations . . .

I Limited concurrency

I No generics

I No I/O

I No floats

I No dynamic class loading or reflexion

I API method calls: need either JML contract or implementation

SEFM: Java DL /GU 111005 31 / 45

Page 62: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Arrays

Arrays

any

Object

Object[]

Object[][]

I Java type hierarchy includes array typesthat occur in given program (for finiteness)

I Types ordered according to Java subtyping rules

I The flexible functions that model attributes can havean array result type

I Value of entry in array T[] ar; defined in class C

depends on reference ar to array in C and index

I Model array with flexible function T [](C,int)

I Instead of [](ar,i) write ar[i]

I Arrays a and b can refer to same object (aliases)

I KeY implements update application and simplificationrules for array locations

SEFM: Java DL /GU 111005 32 / 45

Page 63: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Arrays

Arrays

any

Object

Object[]

Object[][]

I Java type hierarchy includes array typesthat occur in given program (for finiteness)

I Types ordered according to Java subtyping rules

I The flexible functions that model attributes can havean array result type

I Value of entry in array T[] ar; defined in class C

depends on reference ar to array in C and index

I Model array with flexible function T [](C,int)

I Instead of [](ar,i) write ar[i]

I Arrays a and b can refer to same object (aliases)

I KeY implements update application and simplificationrules for array locations

SEFM: Java DL /GU 111005 32 / 45

Page 64: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Arrays

Arrays

any

Object

Object[]

Object[][]

I Java type hierarchy includes array typesthat occur in given program (for finiteness)

I Types ordered according to Java subtyping rules

I The flexible functions that model attributes can havean array result type

I Value of entry in array T[] ar; defined in class C

depends on reference ar to array in C and index

I Model array with flexible function T [](C,int)

I Instead of [](ar,i) write ar[i]

I Arrays a and b can refer to same object (aliases)

I KeY implements update application and simplificationrules for array locations

SEFM: Java DL /GU 111005 32 / 45

Page 65: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Arrays

Arrays

any

Object

Object[]

Object[][]

I Java type hierarchy includes array typesthat occur in given program (for finiteness)

I Types ordered according to Java subtyping rules

I The flexible functions that model attributes can havean array result type

I Value of entry in array T[] ar; defined in class C

depends on reference ar to array in C and index

I Model array with flexible function T [](C,int)

I Instead of [](ar,i) write ar[i]

I Arrays a and b can refer to same object (aliases)

I KeY implements update application and simplificationrules for array locations

SEFM: Java DL /GU 111005 32 / 45

Page 66: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Arrays

Arrays

any

Object

Object[]

Object[][]

I Java type hierarchy includes array typesthat occur in given program (for finiteness)

I Types ordered according to Java subtyping rules

I The flexible functions that model attributes can havean array result type

I Value of entry in array T[] ar; defined in class C

depends on reference ar to array in C and index

I Model array with flexible function T [](C,int)

I Instead of [](ar,i) write ar[i]

I Arrays a and b can refer to same object (aliases)

I KeY implements update application and simplificationrules for array locations

SEFM: Java DL /GU 111005 32 / 45

Page 67: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Arrays

Arrays

any

Object

Object[]

Object[][]

I Java type hierarchy includes array typesthat occur in given program (for finiteness)

I Types ordered according to Java subtyping rules

I The flexible functions that model attributes can havean array result type

I Value of entry in array T[] ar; defined in class C

depends on reference ar to array in C and index

I Model array with flexible function T [](C,int)

I Instead of [](ar,i) write ar[i]

I Arrays a and b can refer to same object (aliases)

I KeY implements update application and simplificationrules for array locations

SEFM: Java DL /GU 111005 32 / 45

Page 68: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Arrays

Arrays

any

Object

Object[]

Object[][]

I Java type hierarchy includes array typesthat occur in given program (for finiteness)

I Types ordered according to Java subtyping rules

I The flexible functions that model attributes can havean array result type

I Value of entry in array T[] ar; defined in class C

depends on reference ar to array in C and index

I Model array with flexible function T [](C,int)

I Instead of [](ar,i) write ar[i]

I Arrays a and b can refer to same object (aliases)

I KeY implements update application and simplificationrules for array locations

SEFM: Java DL /GU 111005 32 / 45

Page 69: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Arrays

Arrays

any

Object

Object[]

Object[][]

I Java type hierarchy includes array typesthat occur in given program (for finiteness)

I Types ordered according to Java subtyping rules

I The flexible functions that model attributes can havean array result type

I Value of entry in array T[] ar; defined in class C

depends on reference ar to array in C and index

I Model array with flexible function T [](C,int)

I Instead of [](ar,i) write ar[i]

I Arrays a and b can refer to same object (aliases)

I KeY implements update application and simplificationrules for array locations

SEFM: Java DL /GU 111005 32 / 45

Page 70: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic:Complex Expressions

Complex expressions with side effects

I Java expressions may contain assignment operator with side effect

I Java expressions can be complex, nested, have method calls

I FOL terms have no side effect on the state

Example (Complex expression with side effects in Java)

int i = 0; if ((i=2)>= 2) i++; value of i ?

SEFM: Java DL /GU 111005 33 / 45

Page 71: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Complex Expressions Cont’d

Decomposition of complex terms by symbolic execution

Follow the rules laid down in Java Language Specification

Local code transformations

evalOrderIteratedAssgnmtΓ =⇒ 〈y = t; x = y; ω〉φ,∆

Γ =⇒ 〈x = y = t; ω〉φ,∆t simple

Temporary variables store result of evaluating subexpression

ifEvalΓ =⇒ 〈boolean v0; v0 = b; if (v0) p; ω〉φ,∆

Γ =⇒ 〈if (b) p; ω〉φ,∆b complex

Guards of conditionals/loops always evaluated (hence: side effect-free)before conditional/unwind rules applied

SEFM: Java DL /GU 111005 34 / 45

Page 72: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic:Abrupt Termination

Abrupt Termination: Exceptions and Jumps

Redirection of control flow via return, break, continue, exceptions

〈π try {p} catch(e) {q} finally {r} ω〉φ

Rules ignore inactive prefix, work on active statement, leave postfix

Rule tryThrow matches try–catch in pre-/postfix and active throw

=⇒〈π if(e instanceof T){try{x=e;q}finally{r}}else{r;throw e;}ω〉φ=⇒ 〈π try {throw e; p} catch(T x) {q} finally {r} ω〉φ

Demo: exceptions/try-catch.key, try-catch-dispatch.key,

try-catch-finally.key

SEFM: Java DL /GU 111005 35 / 45

Page 73: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic:Abrupt Termination

Abrupt Termination: Exceptions and Jumps

Redirection of control flow via return, break, continue, exceptions

〈π try {p} catch(e) {q} finally {r} ω〉φ

Rules ignore inactive prefix, work on active statement, leave postfix

Rule tryThrow matches try–catch in pre-/postfix and active throw

=⇒〈π if(e instanceof T){try{x=e;q}finally{r}}else{r;throw e;}ω〉φ=⇒ 〈π try {throw e; p} catch(T x) {q} finally {r} ω〉φ

Demo: exceptions/try-catch.key, try-catch-dispatch.key,

try-catch-finally.key

SEFM: Java DL /GU 111005 35 / 45

Page 74: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic:Abrupt Termination

Abrupt Termination: Exceptions and Jumps

Redirection of control flow via return, break, continue, exceptions

〈π try {p} catch(e) {q} finally {r} ω〉φ

Rules ignore inactive prefix, work on active statement, leave postfix

Rule tryThrow matches try–catch in pre-/postfix and active throw

=⇒〈π if(e instanceof T){try{x=e;q}finally{r}}else{r;throw e;}ω〉φ=⇒ 〈π try {throw e; p} catch(T x) {q} finally {r} ω〉φ

Demo: exceptions/try-catch.key, try-catch-dispatch.key,

try-catch-finally.keySEFM: Java DL /GU 111005 35 / 45

Page 75: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Aliasing

Demo

aliasing/attributeAlias1.key

Reference Aliasing

Naive alias resolution causes proof split (on o.

= u) at each access

=⇒ o.age.

= 1 −> 〈u.age = 2;〉o.age .= u.age

SEFM: Java DL /GU 111005 36 / 45

Page 76: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Aliasing

Demo

aliasing/attributeAlias1.key

Reference Aliasing

Naive alias resolution causes proof split (on o.

= u) at each access

=⇒ o.age.

= 1 −> 〈u.age = 2;〉o.age .= u.age

SEFM: Java DL /GU 111005 36 / 45

Page 77: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Aliasing

Unnecessary case analyses

=⇒ o.age.

= 1 −> 〈u.age = 2; o.age = 2;〉o.age .= u.age

=⇒ o.age.

= 1 −> 〈u.age = 2;〉u.age .= 2

Updates avoid case analyses— Demo

aliasing/avoidingCaseAnalysis2.key

I Delayed state computation until clear what is required

I Eager simplification of updates

SEFM: Java DL /GU 111005 37 / 45

Page 78: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Aliasing

Unnecessary case analyses

=⇒ o.age.

= 1 −> 〈u.age = 2; o.age = 2;〉o.age .= u.age

=⇒ o.age.

= 1 −> 〈u.age = 2;〉u.age .= 2

Updates avoid case analyses— Demo

aliasing/avoidingCaseAnalysis2.key

I Delayed state computation until clear what is required

I Eager simplification of updates

SEFM: Java DL /GU 111005 37 / 45

Page 79: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Java Features in Dynamic Logic: Method Calls

Method Call with actual parameters arg0, . . . , argn

{arg0 := t0 || · · · || argn := tn || c := tc}〈c .m(arg0, . . . , argn);〉φ

where m declared as void m(τ0 p0, . . . , τn pn)

Actions of rule methodCall

I (type conformance of argi to τi guaranteed by Java compiler)

I for each formal parameter pi of m:declare and initialize new local variable τi p#i =argi ;

I look up implementation class C of m and split proofif implementation cannot be uniquely determined

I create concrete method invocation c .m(p#0, . . . , p#n)@C

SEFM: Java DL /GU 111005 38 / 45

Page 80: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Method Calls Cont’d

Method Body Expand

1. Execute code that binds actual to formal parameters τi p#i =argi ;

2. Call rule methodBodyExpand

Γ =⇒ 〈π method-frame(source=C, this=c){ body } ω〉φ,∆Γ =⇒ 〈π c.m(p#0,...,p#n)@C; ω〉φ,∆

Demomethods/

instanceMethodInlineSimple.key,argumentEvaluationOrder.key

SEFM: Java DL /GU 111005 39 / 45

Page 81: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Method Calls Cont’d

Method Body Expand

1. Execute code that binds actual to formal parameters τi p#i =argi ;

2. Call rule methodBodyExpand

Γ =⇒ 〈π method-frame(source=C, this=c){ body } ω〉φ,∆Γ =⇒ 〈π c.m(p#0,...,p#n)@C; ω〉φ,∆

Demomethods/

instanceMethodInlineSimple.key,argumentEvaluationOrder.key

SEFM: Java DL /GU 111005 39 / 45

Page 82: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Method Calls Cont’d

Method Body Expand

1. Execute code that binds actual to formal parameters τi p#i =argi ;

2. Call rule methodBodyExpand

Γ =⇒ 〈π method-frame(source=C, this=c){ body } ω〉φ,∆Γ =⇒ 〈π c.m(p#0,...,p#n)@C; ω〉φ,∆

Demomethods/

instanceMethodInlineSimple.key,argumentEvaluationOrder.key

SEFM: Java DL /GU 111005 39 / 45

Page 83: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Method Calls Cont’d

Method Body Expand

1. Execute code that binds actual to formal parameters τi p#i =argi ;

2. Call rule methodBodyExpand

Γ =⇒ 〈π method-frame(source=C, this=c){ body } ω〉φ,∆Γ =⇒ 〈π c.m(p#0,...,p#n)@C; ω〉φ,∆

Demomethods/

instanceMethodInlineSimple.key,argumentEvaluationOrder.key

SEFM: Java DL /GU 111005 39 / 45

Page 84: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

A Round Tour of Java Features in DL Cont’d

Localisation of Fields and Method Implementation

Java has complex rules for localisation ofattributes and method implementations

I Polymorphism

I Late binding

I Scoping (class vs. instance)

I Context (static vs. runtime)

I Visibility (private, protected, public)

Proof split into cases when implementation not statically determined

SEFM: Java DL /GU 111005 40 / 45

Page 85: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

A Round Tour of Java Features in DL Cont’d

Null pointer exceptions

There are no “exceptions” in FOL: I total on FSym

Need to model possibility that o.

= null in o.a

I KeY branches over o != null upon each field access

SEFM: Java DL /GU 111005 41 / 45

Page 86: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

A Round Tour of Java Features in DL Cont’d

Object initialization

Java has complex rules for object initialization

I Chain of constructor calls until Object

I Implicit calls to super()

I Visbility issues

I Initialization sequence

Coding of initialization rules in methods <createObject>(), <init>(),. . .which are then symbolically executed

SEFM: Java DL /GU 111005 42 / 45

Page 87: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

A Round Tour of Java Features in DL Cont’d

Formal specification of Java API

How to perform symbolic execution when Java API method is called?

1. API method has reference implementation in JavaCall method and execute symbolically

Problem Reference implementation not always availableProblem Breaks modularity

2. Use JML contract of API method:

2.1 Show that requires clause is satisfied2.2 Obtain postcondition from ensures clause2.3 Delete updates with modifiable locations from symbolic state

Java Card API in JML or DL

DL version available in KeY, JML work in progress See W. Mostowski

http://limerick.cost-ic0701.org/home/

verifying-java-card-programs-with-key

SEFM: Java DL /GU 111005 43 / 45

Page 88: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

A Round Tour of Java Features in DL Cont’d

Formal specification of Java API

How to perform symbolic execution when Java API method is called?

1. API method has reference implementation in JavaCall method and execute symbolically

Problem Reference implementation not always availableProblem Breaks modularity

2. Use JML contract of API method:

2.1 Show that requires clause is satisfied2.2 Obtain postcondition from ensures clause2.3 Delete updates with modifiable locations from symbolic state

Java Card API in JML or DL

DL version available in KeY, JML work in progress See W. Mostowski

http://limerick.cost-ic0701.org/home/

verifying-java-card-programs-with-key

SEFM: Java DL /GU 111005 43 / 45

Page 89: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Summary

I Most Java features covered in KeYI Several of remaining features available in experimental version

I Simplified multi-threaded JMMI Floats

I Degree of automation for loop-free programs is very highI Proving loops requires user to provide invariant

I Automatic invariant generation sometimes possible

I Symbolic execution paradigm lets you use KeYw/o understanding details of logic

SEFM: Java DL /GU 111005 44 / 45

Page 90: Software Engineering using Formal Methods€¦ · Software Engineering using Formal Methods Reasoning about Programs with Dynamic Logic Wolfgang Ahrendt & Richard Bubel & Wojciech

Literature for this Lecture

Essential

KeY Book Verification of Object-Oriented Software (see course webpage), Chapter 10: Using KeY

KeY Book Verification of Object-Oriented Software (see course webpage), Chapter 3: Dynamic Logic, Sections 3.1, 3.2, 3.4,3.5, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.7

SEFM: Java DL /GU 111005 45 / 45