An Improved Rule for While Loops in Deductive Program Verification - - PowerPoint PPT Presentation

An Improved Rule for While Loops in Deductive Program Verification

Bernhard Beckert1 Steffen Schlager2 Peter H. Schmitt2

1Universit¨

at Koblenz-Landau

2Universit¨

at Karlsruhe

ICFEM 2005, Manchester

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 1 / 18

Outline

1

Preliminaries & Definitions Program logic: Dynamic Logic for Java Programs frames: Modifier Sets State transitions: Updates

2

(Improved) Invariant Rule

3

An Invariant Rule for Total Correctness

4

An Invariant Rule for JavaCard

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 2 / 18

Program Logic – Dynamic Logic for Java

Syntax

Basis: typed first-order logic Modal operators [p] and p for each sequential Java program p

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 3 / 18

Program Logic – Dynamic Logic for Java

Syntax

Basis: typed first-order logic Modal operators [p] and p for each sequential Java program p

Semantics

Semantics of p is a partial function Modal operators say something about the final state of p [p] φ: If p terminates, then in its final state φ holds (partial correctness) p φ: p terminates and in its final state φ holds (total correctness) ψ → [p] φ the same as Hoare triple {ψ} p {φ}

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 3 / 18

Signature

Signature

Signature Σ contains rigid and non-rigid function symbols.

◮ Rigid functions are e.g. +, −, 0, 1, . . . ◮ Non-rigid functions are used to model program variables and arrays

that are modified by programs, e.g. program variables, arrays, etc.

A location is a non-rigid ground term that can be modified by a program, e.g. a[0] = 5;

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 4 / 18

Modifier Sets

Specify locations that might be changed by a program

Definition (Modifier Set)

Let f j a non-rigid function symbol, and tj

1, . . . , tj nj terms (j ≥ 1).

Then, the set { f 1(t1

1 . . . , t1 n1) , . . . ,

f k(tk

1 . . . , tk nk) }

• f pairs is a modifier set.

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 5 / 18

Modifier Sets

Specify locations that might be changed by a program

Definition (Modifier Set)

Let gj be a Dynamic Logic formula, f j a non-rigid function symbol, and tj

1, . . . , tj nj terms (j ≥ 1).

Then, the set { g1, f 1(t1

1 . . . , t1 n1), . . . , gk, f k(tk 1 . . . , tk nk) }

• f pairs is a modifier set.

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 5 / 18

Example

Example

i=0; j=0; while ( i<length(a)) { a[ i]=0; i=i+1; } Modifier sets for the loop correct: {true, i, true, j, 0 ≤ x < length(a), a[x]}

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 6 / 18

Example

Example

i=0; j=0; while ( i<length(a)) { a[ i]=0; i=i+1; } Modifier sets for the loop correct: {true, i, true, j, 0 ≤ x < length(a), a[x]} not correct: {0 ≤ x < length(a), a[x]}

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 6 / 18

State Updates

Classical DL: state changes represented by substitutions

Example

i=0; φ ↔ φ0

i

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 7 / 18

State Updates

Classical DL: state changes represented by substitutions

Example

i=0; φ ↔ φ0

i

Aliasing in object-oriented languages causes case distinctions

Example

a[i] . = 0 → a[j]=1;a[i] . = a[j] Case 1: i . = j Case 2: i . = j

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 7 / 18

State Updates

Classical DL: state changes represented by substitutions

Example

i=0; φ ↔ φ0

i

Aliasing in object-oriented languages causes case distinctions

Example

a[i] . = 0 → a[j]=1;a[i] . = a[j] Case 1: i . = j Case 2: i . = j Case distinction not always necessary

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 7 / 18

State Updates

Classical DL: state changes represented by substitutions

Example

i=0; φ ↔ φ0

i

Aliasing in object-oriented languages causes case distinctions

Example

a[i] . = 0 → a[j]=1;a[i] . = a[j] Case 1: i . = j Case 2: i . = j Case distinction not always necessary Idea: collect updates and do not apply until program has disappeared

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 7 / 18

State Updates

Classical DL: state changes represented by substitutions

Example

i=0; φ ↔ φ0

i

Aliasing in object-oriented languages causes case distinctions

Example

a[i] . = 0 → a[j]=1;a[i] . = a[j] Case 1: i . = j Case 2: i . = j Case distinction not always necessary Idea: collect updates and do not apply until program has disappeared Allows simplification before application, updates sometimes cancel

• ut previous ones

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 7 / 18

State Updates

Definition (Syntax of Updates)

For all non-rigid ground terms l, and all terms v, if φ is a formula, then {l := v}φ is a formula as well. The expressions {l := v} are called updates.

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 8 / 18

State Updates

Definition (Syntax of Updates)

For all non-rigid ground terms l, and all terms v, if φ is a formula, then {l := v}φ is a formula as well. The expressions {l := v} are called updates.

Definition (Semantics of Updates)

s | = {l := v}φ iff s′ | = φ where s′ coincides with s except for the interpretation of l, which in s′ has the same value as v in s.

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 8 / 18

Quantified Updates

Definition (Syntax of Quantified Updates)

Let {f (t1, . . . , tn) := v} be an update and g a DL formula Then {g, f (t1, . . . , tn) := v}φ is a DL formula as well. The expression {g, f (t1, . . . , tn) := v} is called quantified update.

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 9 / 18

Invariant Rule for DL

Sequent Calculus Loop Invariant Rule

Γ ⊢ UInv, ∆ Inv ∧ ǫ ⊢ [α]Inv Inv ∧ ¬ǫ ⊢ [β]φ Γ ⊢ U[while (ǫ) {α}β]φ, ∆

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 10 / 18

Invariant Rule for DL

Sequent Calculus Loop Invariant Rule

Γ ⊢ UInv, ∆ Inv ∧ ǫ ⊢ [α]Inv Inv ∧ ¬ǫ ⊢ [β]φ Γ ⊢ U[while (ǫ) {α}β]φ, ∆ Inv holds in the beginning

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 10 / 18

Invariant Rule for DL

Sequent Calculus Loop Invariant Rule

Γ ⊢ UInv, ∆ Inv ∧ ǫ ⊢ [α]Inv Inv ∧ ¬ǫ ⊢ [β]φ Γ ⊢ U[while (ǫ) {α}β]φ, ∆ Inv holds in the beginning Inv is in fact an invariant of the loop body

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 10 / 18

Invariant Rule for DL

Sequent Calculus Loop Invariant Rule

Γ ⊢ UInv, ∆ Inv ∧ ǫ ⊢ [α]Inv Inv ∧ ¬ǫ ⊢ [β]φ Γ ⊢ U[while (ǫ) {α}β]φ, ∆ Inv holds in the beginning Inv is in fact an invariant of the loop body Inv implies the postcondition if loop terminates

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 10 / 18

Invariant Rule for DL

Sequent Calculus Loop Invariant Rule

Γ ⊢ UInv, ∆ Inv ∧ ǫ ⊢ [α]Inv Inv ∧ ¬ǫ ⊢ [β]φ Γ ⊢ U[while (ǫ) {α}β]φ, ∆ Inv holds in the beginning Inv is in fact an invariant of the loop body Inv implies the postcondition if loop terminates Context Γ, ∆, U must be omitted in 2nd and 3rd premiss

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 10 / 18

Invariant Rule for DL

Sequent Calculus Loop Invariant Rule

Γ ⊢ UInv, ∆ Inv ∧ ǫ ⊢ [α]Inv Inv ∧ ¬ǫ ⊢ [β]φ Γ ⊢ U[while (ǫ) {α}β]φ, ∆ Inv holds in the beginning Inv is in fact an invariant of the loop body Inv implies the postcondition if loop terminates Context Γ, ∆, U must be omitted in 2nd and 3rd premiss Context contains (parts of) precondition of the operation and global system invariant

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 10 / 18

Invariant Rule for DL

Sequent Calculus Loop Invariant Rule

Γ ⊢ UInv, ∆ Inv ∧ ǫ ⊢ [α]Inv Inv ∧ ¬ǫ ⊢ [β]φ Γ ⊢ U[while (ǫ) {α}β]φ, ∆ Inv holds in the beginning Inv is in fact an invariant of the loop body Inv implies the postcondition if loop terminates Context Γ, ∆, U must be omitted in 2nd and 3rd premiss Context contains (parts of) precondition of the operation and global system invariant Required context information must be added to invariant Inv

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 10 / 18

Example

Example

Precondition: ¬a . = null int i=0; while ( i<length(a)) { a[ i]=0; i=i+1; } Postcondition: ∀x : int.(0 ≤ x ≤ length(a) → a[x] . = 0) Loop Invariant:

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 11 / 18

Example

Example

Precondition: ¬a . = null int i=0; while ( i<length(a)) { a[ i]=0; i=i+1; } Postcondition: ∀x : int.(0 ≤ x ≤ length(a) → a[x] . = 0) Loop Invariant: i ≤ length(a) ∧ ∀x : int.(0 ≤ x < i → a[x] . = 0)

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 11 / 18

Example

Example

Precondition: ¬a . = null int i=0; while ( i<length(a)) { a[ i]=0; i=i+1; } Postcondition: ∀x : int.(0 ≤ x ≤ length(a) → a[x] . = 0) Loop Invariant: i ≤ length(a) ∧ ∀x : int.(0 ≤ x < i → a[x] . = 0) ∧ ¬a . = null

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 11 / 18

Example

Example

Precondition: ¬a . = null ∧ φInv int i=0; while ( i<length(a)) { a[ i]=0; i=i+1; } Postcondition: ∀x : int.(0 ≤ x ≤ length(a) → a[x] . = 0) ∧ φInv Loop Invariant: i ≤ length(a) ∧ ∀x : int.(0 ≤ x < i → a[x] . = 0) ∧ ¬a . = null

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 11 / 18

Example

Example

Precondition: ¬a . = null ∧ φInv int i=0; while ( i<length(a)) { a[ i]=0; i=i+1; } Postcondition: ∀x : int.(0 ≤ x ≤ length(a) → a[x] . = 0) ∧ φInv Loop Invariant: i ≤ length(a) ∧ ∀x : int.(0 ≤ x < i → a[x] . = 0) ∧ ¬a . = null ∧φ′

Inv

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 11 / 18

Improved Invariant Rule – Motivation

We would like to have a rule that allows keeping as much context as possible! It is sound to keep parts of context that are not modified by the loop.

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 12 / 18

How keeping unmodified Context?

Simply deleting affected formulas not possible for object-oriented languages due to aliasing!

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 13 / 18

How keeping unmodified Context?

Simply deleting affected formulas not possible for object-oriented languages due to aliasing!

Example

a[i] . = 0 ∧ a[j] . = 0

• context

, a[i] ≥ 0

invariant

⊢ [ a[i]++;

loop body

] a[i] ≥ 0

invariant

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 13 / 18

How keeping unmodified Context?

Simply deleting affected formulas not possible for object-oriented languages due to aliasing!

Example

a[i] . = 0 ∧ a[j] . = 0

• context

, a[i] ≥ 0

invariant

⊢ [ a[i]++;

loop body

] a[i] ≥ 0

invariant

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 13 / 18

How keeping unmodified Context?

Simply deleting affected formulas not possible for object-oriented languages due to aliasing!

Example

a[i] . = 0 ∧ a[j] . = 0

• context

, a[i] ≥ 0

invariant

⊢ [ a[i]++;

loop body

] a[i] ≥ 0

invariant

Anonymous updates wipe out context information about locations that are modified

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 13 / 18

How keeping unmodified Context?

Simply deleting affected formulas not possible for object-oriented languages due to aliasing!

Example

a[i] . = 0 ∧ a[j] . = 0

• context

, a[i] ≥ 0

invariant

⊢ [ a[i]++;

loop body

] a[i] ≥ 0

invariant

Anonymous updates wipe out context information about locations that are modified

Example

a[i] . = 0 ∧ a[j] . = 0, {a[i] := c}a[i] ≥ 0 ⊢ {a[i] := c}[a[i]++; ]a[i] ≥ 0

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 13 / 18

Improved Invariant Rule

Definition (Improved Invariant Rule)

Γ ⊢ UInv, ∆ Γ, UV(Inv ∧ ǫ) ⊢ UV[α]Inv, ∆ Γ, UV(Inv ∧ ¬ǫ) ⊢ UV[ω]φ, ∆ Γ ⊢ U[while (ǫ) {α}ω]φ, ∆ where V is an anonymous update w.r.t. to a correct modifier set for the loop body α.

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 14 / 18

Improved Invariant Rule

Definition (Improved Invariant Rule)

Γ ⊢ UInv, ∆ Γ, UV(Inv ∧ ǫ) ⊢ UV[α]Inv, ∆ Γ, UV(Inv ∧ ¬ǫ) ⊢ UV[ω]φ, ∆ Γ ⊢ U[while (ǫ) {α}ω]φ, ∆ where V is an anonymous update w.r.t. to a correct modifier set for the loop body α.

Advantages of this rule

Context can be kept as far as possible Modifier set optional Usually loops modify only few locations Separating aspects of which locations change (modifier set) and how they change (invariant)

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 14 / 18

A Version for Total Correctness

Induction proofs guarantee total correctness

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 15 / 18

A Version for Total Correctness

Induction proofs guarantee total correctness Invariant rule only considers partial correctness

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 15 / 18

A Version for Total Correctness

Induction proofs guarantee total correctness Invariant rule only considers partial correctness Idea: Proof that some integer term v (called variant) decreases with each loop iteration

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 15 / 18

A Version for Total Correctness

Induction proofs guarantee total correctness Invariant rule only considers partial correctness Idea: Proof that some integer term v (called variant) decreases with each loop iteration More precisely:

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 15 / 18

A Version for Total Correctness

Induction proofs guarantee total correctness Invariant rule only considers partial correctness Idea: Proof that some integer term v (called variant) decreases with each loop iteration More precisely:

◮ v ≥ 0 in the beginning Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 15 / 18

A Version for Total Correctness

Induction proofs guarantee total correctness Invariant rule only considers partial correctness Idea: Proof that some integer term v (called variant) decreases with each loop iteration More precisely:

◮ v ≥ 0 in the beginning ◮ v strictly decreases with each execution of the loop body Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 15 / 18

A Version for Total Correctness

Induction proofs guarantee total correctness Invariant rule only considers partial correctness Idea: Proof that some integer term v (called variant) decreases with each loop iteration More precisely:

◮ v ≥ 0 in the beginning ◮ v strictly decreases with each execution of the loop body ◮ If v ≥ 0 then v ≥ 0 after each execution of the loop body Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 15 / 18

A Version for Total Correctness

Induction proofs guarantee total correctness Invariant rule only considers partial correctness Idea: Proof that some integer term v (called variant) decreases with each loop iteration More precisely:

◮ v ≥ 0 in the beginning ◮ v strictly decreases with each execution of the loop body ◮ If v ≥ 0 then v ≥ 0 after each execution of the loop body

Termination follows from the well-foundedness of the natural numbers N, i.e. there is no infinite descending chain n0 > n1 > n2 > · · · because every non-empty subset has a minimal element (namely 0 in this particular case).

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 15 / 18

Improved Invariant Rule with Termination

Improved Invariant Rule with Termination

Γ ⊢ U(Inv ∧ v ≥ 0), ∆ Γ, UV(Inv ∧ ǫ ∧ v ≥ 0) ⊢ UV{v′ := v}α(Inv ∧ v ≥ 0 ∧ v < v′), ∆ Γ, UV(Inv ∧ ¬ǫ) ⊢ UVωφ, ∆ Γ ⊢ Uwhile (ǫ) {α}ωφ, ∆

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 16 / 18

Improved Invariant Rule with Termination

Improved Invariant Rule with Termination

Γ ⊢ U(Inv ∧ v ≥ 0), ∆ Γ, UV(Inv ∧ ǫ ∧ v ≥ 0) ⊢ UV{v′ := v}α(Inv ∧ v ≥ 0 ∧ v < v′), ∆ Γ, UV(Inv ∧ ¬ǫ) ⊢ UVωφ, ∆ Γ ⊢ Uwhile (ǫ) {α}ωφ, ∆ Inv holds in the beginning and v is non-negativ

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 16 / 18

Improved Invariant Rule with Termination

Improved Invariant Rule with Termination

Γ ⊢ U(Inv ∧ v ≥ 0), ∆ Γ, UV(Inv ∧ ǫ ∧ v ≥ 0) ⊢ UV{v′ := v}α(Inv ∧ v ≥ 0 ∧ v < v′), ∆ Γ, UV(Inv ∧ ¬ǫ) ⊢ UVωφ, ∆ Γ ⊢ Uwhile (ǫ) {α}ωφ, ∆ Inv holds in the beginning and v is non-negativ Inv is in fact an invariant of the loop body, v stricly decreases, and the property “v is non-negativ” is preserved

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 16 / 18

Improved Invariant Rule with Termination

Improved Invariant Rule with Termination

Γ ⊢ U(Inv ∧ v ≥ 0), ∆ Γ, UV(Inv ∧ ǫ ∧ v ≥ 0) ⊢ UV{v′ := v}α(Inv ∧ v ≥ 0 ∧ v < v′), ∆ Γ, UV(Inv ∧ ¬ǫ) ⊢ UVωφ, ∆ Γ ⊢ Uwhile (ǫ) {α}ωφ, ∆ Inv holds in the beginning and v is non-negativ Inv is in fact an invariant of the loop body, v stricly decreases, and the property “v is non-negativ” is preserved Inv implies the postcondition if loop terminates

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 16 / 18

Problems with JavaCard

JavaCard is a real programming language with features that make verification more difficult. Invariant rule not sound for loops causing abrupt termination.

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 17 / 18

Problems with JavaCard

JavaCard is a real programming language with features that make verification more difficult. Invariant rule not sound for loops causing abrupt termination.

Example

i = 0 ⊢ U[while (true) {break;}]i = 1

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 17 / 18

Problems with JavaCard

JavaCard is a real programming language with features that make verification more difficult. Invariant rule not sound for loops causing abrupt termination.

Example

i = 0 ⊢ Utrue i = 0 ⊢ U[while (true) {break;}]i = 1

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 17 / 18

Problems with JavaCard

JavaCard is a real programming language with features that make verification more difficult. Invariant rule not sound for loops causing abrupt termination.

Example

i = 0 ⊢ Utrue i = 0, UV(true ∧ true) ⊢ UV[break;]true i = 0 ⊢ U[while (true) {break;}]i = 1

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 17 / 18

Problems with JavaCard

JavaCard is a real programming language with features that make verification more difficult. Invariant rule not sound for loops causing abrupt termination.

Example

i = 0 ⊢ Utrue i = 0, UV(true ∧ true) ⊢ UV[break;]true i = 0, UV(true ∧ ¬true) ⊢ UV[]i = 1 i = 0 ⊢ U[while (true) {break;}]i = 1

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 17 / 18

Solution

Definition (Improved Invariant Rule for JavaCard)

Γ ⊢ UInv, ∆ Γ, UV(Inv ∧ ǫ) ⊢ UV[α]Inv, ∆ Γ, UV(Inv ∧ ǫ) ⊢ UV[α]continueInv, ∆ Γ, UV(Inv ∧ ǫ) ⊢ UVαabruptly,not continuetrue → UV[παω]φ, ∆ Γ, UV(Inv ∧ ¬ǫ) ⊢ UV[πω]φ, ∆ Γ ⊢ U[π while (ǫ) {α} ω]φ, ∆

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 18 / 18

Solution

Definition (Improved Invariant Rule for JavaCard)

Γ ⊢ UInv, ∆ Γ, UV(Inv ∧ ǫ) ⊢ UV[α]Inv, ∆ Γ, UV(Inv ∧ ǫ) ⊢ UV[α]continueInv, ∆ Γ, UV(Inv ∧ ǫ) ⊢ UVαabruptly,not continuetrue → UV[παω]φ, ∆ Γ, UV(Inv ∧ ¬ǫ) ⊢ UV[πω]φ, ∆ Γ ⊢ U[π while (ǫ) {α} ω]φ, ∆ In KeY we have no additional modalities [ ]continue, abruptly,not continue, rather the loop body α is transformed (see example).

Beckert, Schlager, Schmitt ( Universit¨ at Koblenz-Landau, Universit¨ at Karlsruhe) An Improved Rule for While Loops ICFEM 2005 18 / 18