Deductive Verification of Java programs Introduction with Algebraic - - PowerPoint PPT Presentation

deductive verification of java programs
SMART_READER_LITE
LIVE PREVIEW

Deductive Verification of Java programs Introduction with Algebraic - - PowerPoint PPT Presentation

Nov 29, 2023 316 likes •638 views

Krakatoa Deductive Verification of Java programs Introduction with Algebraic Modeling and Multi-Prover Overview of Krakatoa Algebraic models Backend: the Why/Krakatoa platform Conclusions Claude March e Christine Paulin Jean-Christophe

slide-1
SLIDE 1

Krakatoa Introduction Overview of Krakatoa Algebraic models Conclusions

Deductive Verification of Java programs with Algebraic Modeling and Multi-Prover Backend: the Why/Krakatoa platform

Claude March´ e Christine Paulin Jean-Christophe Filliˆ atre Nicolas Rousset Xavier Urbain ProVal project - http://proval.lri.fr INRIA-Futurs & Universit´ e Paris-Sud 11 Orsay, France January 20th, 2007

slide-2
SLIDE 2

Krakatoa Introduction Overview of Krakatoa Algebraic models Conclusions

Outline

1

Introduction Context JML: Introductory example

2

Overview of Krakatoa

Demo

Platform overview Why intermediate language Contributions

3

Algebraic models Principles Example

Demo

4

Conclusions

slide-3
SLIDE 3

Krakatoa Introduction

Context JML: Introductory example

Overview of Krakatoa Algebraic models Conclusions

Outline

1

Introduction Context JML: Introductory example

2

Overview of Krakatoa

Demo

Platform overview Why intermediate language Contributions

3

Algebraic models Principles Example

Demo

4

Conclusions

slide-4
SLIDE 4

Krakatoa Introduction

Context JML: Introductory example

Overview of Krakatoa Algebraic models Conclusions

Context

  • ProVal research group develops tools for Deduction

Verification of Java and C source code

  • Requirements: specified as annotations in the source
  • For Java (Card): specifications given in JML (Java Modeling

Language) Krakatoa tool

  • For C: home-made specification language Caduceus tool
  • Generation of Verification Conditions, to be discharged by

theorem provers

  • Originality: common platform for C and Java
slide-5
SLIDE 5

Krakatoa Introduction

Context JML: Introductory example

Overview of Krakatoa Algebraic models Conclusions

JML toy example

  • JML class invariants
  • JML method behaviors: pre- and post-conditions

class Purse { int balance; //@ invariant balance >= 0; /*@ normal_behavior @ requires s >= 0; @ assigns balance; @ ensures balance == \old(balance)+s; @*/ public void credit(int s) { balance += s; }

slide-6
SLIDE 6

Krakatoa Introduction

Context JML: Introductory example

Overview of Krakatoa Algebraic models Conclusions

Toy example (cont.)

  • JML exceptional behaviors

/*@ behavior @ requires s >= 0; @ assigns balance; @ ensures s <= \old(balance) && @ balance == \old(balance) - s; @ signals (NoCreditException) @ s > \old(balance) && @ balance == \old(balance); @*/ public void withdraw(int s) throws NoCreditException { if (balance >= s) balance -= s; else throw new NoCreditException(); }

slide-7
SLIDE 7

Krakatoa Introduction

Context JML: Introductory example

Overview of Krakatoa Algebraic models Conclusions

JML tools

  • Runtime assertion checking: JML RAC
  • Static verification:
  • ESC/Java
  • Several others: LOOP

, Jack, KeY, Jive, Bogor. . . Krakatoa

  • Common goal: prove advanced functional behaviors
  • Why so many tools ? hard problems, many challenges:

http://www.cs.ru.nl/∼woj/esfws06/

  • Other tools: testing, symbolic execution. . .
slide-8
SLIDE 8

Krakatoa Introduction Overview of Krakatoa

Demo Platform overview Why intermediate language Contributions

Algebraic models Conclusions

Outline

1

Introduction Context JML: Introductory example

2

Overview of Krakatoa

Demo

Platform overview Why intermediate language Contributions

3

Algebraic models Principles Example

Demo

4

Conclusions

slide-9
SLIDE 9

Krakatoa Introduction Overview of Krakatoa

Demo Platform overview Why intermediate language Contributions

Algebraic models Conclusions

Demo: toy example (cont.)

  • A buggy example

/*@ normal_behavior @ requires p1.balance == 100; @ ensures \result == 150; @*/ public static int test(Purse p1, Purse p2) { p1.credit(50); p2.withdraw(100); return p1.balance; }

Demo

slide-10
SLIDE 10

Krakatoa Introduction Overview of Krakatoa

Demo Platform overview Why intermediate language Contributions

Algebraic models Conclusions

Remarks

  • Krakatoa generates VCs for both
  • Safety properties: no NullPointerException, no

ArrayIndexOutOfBounds, no DivisionByZero

  • Method calls: precondition is satisfied
  • Methods post-conditions are valid
  • Class invariants are preserved (beware: challenging issues)
  • Modular Approach:
  • for each method call: only its specification is seen
slide-11
SLIDE 11

Krakatoa Introduction Overview of Krakatoa

Demo Platform overview Why intermediate language Contributions

Algebraic models Conclusions

Platform Architecture

Java+JML Annotated programs Annotated C Krakatoa Caduceus Why provers

Coq,PVS,Isabelle. . . Simplify, CVS-lite, haRVey, Ergo SMT provers (Yices. . . )

slide-12
SLIDE 12

Krakatoa Introduction Overview of Krakatoa

Demo Platform overview Why intermediate language Contributions

Algebraic models Conclusions

Platform characteristics

  • Shared intermediate language: Why language
  • Only one VCG (Verification Condition Generator): Why tool
  • Several provers as output:
  • allows both
  • automatic proving and
  • interactive proof contruction

for discharging VCs

slide-13
SLIDE 13

Krakatoa Introduction Overview of Krakatoa

Demo Platform overview Why intermediate language Contributions

Algebraic models Conclusions

Why tool

  • Multi-prover output
  • Why language :
  • programming language: a WHILE language, tailored to VC

generation generation, with

  • limited side-effects: only mutable variables
  • no data types
  • basic control statements + throw, try/catch
  • program = set of functions, annotated with pre- and

post-conditions

  • specification language: multi-sorted (polymorphic) first-order

logic, with built-in arithmetic

  • VC generation based on a Weakest Precondition calculus,

incorporating exceptional post-conditions, and computation

  • f effects over mutable variables.
slide-14
SLIDE 14

Krakatoa Introduction Overview of Krakatoa

Demo Platform overview Why intermediate language Contributions

Algebraic models Conclusions

Why as intermediate language

  • Common approach to Java and C:

translation into Why programs

  • Why specification language used both for
  • translation of input annotations
  • modeling Java objects (resp. C pointers/structures) and heap

memory.

  • Modeling in Why: algebraic specifications
  • introducing functions and predicates
  • stating axioms
slide-15
SLIDE 15

Krakatoa Introduction Overview of Krakatoa

Demo Platform overview Why intermediate language Contributions

Algebraic models Conclusions

Heap memory model

Principle: Burstall-Bornat ‘component-as-array’ model Java Why balance += s; balance := upd(balance,this, acc(balance,this)+s)

  • Each Java field becomes a Why mutable variable of type

‘functional array’

  • acc(f, o) denotes f at index o →encodes o.f
  • upd(f, o, v) denotes functional update
  • Theory of arrays:

acc(upd(f, o, v), o) = v

  • = o′ → acc(upd(f, o, v), o′)

= acc(f, o′)

slide-16
SLIDE 16

Krakatoa Introduction Overview of Krakatoa

Demo Platform overview Why intermediate language Contributions

Algebraic models Conclusions

Heap memory model in Krakatoa

  • Similar encoding for Java arrays
  • Objects hierarchy modeled by a predicate instanceof with

axioms.

  • A theory for modeling assigns clauses [TPHOLs’05]
  • Approximately 500 lines of Why specifications, + additional

axioms generated on-the-fly for each Java program

slide-17
SLIDE 17

Krakatoa Introduction Overview of Krakatoa

Demo Platform overview Why intermediate language Contributions

Algebraic models Conclusions

Java: contributions

  • Krakatoa tool publicly available
  • A specific modeling of Java/JML, in particular for assigns

clauses [TPHOLs’05]

  • Java Card transactions [SEFM’06]
  • on-the-fly generation of interpretation of beginTransaction(),

commitTransaction(). . .

  • Case studies:
  • PSE applet provided by Axalto [AMAST’04]
  • Demoney Applet provided by Trusted Logic
slide-18
SLIDE 18

Krakatoa Introduction Overview of Krakatoa

Demo Platform overview Why intermediate language Contributions

Algebraic models Conclusions

C programs: contributions

  • Caduceus tool publicly available
  • An original modeling of heap memory and pointer arithmetic

[ICFEM’04]

  • Original support of floating-point programs [ARITH’07]
  • Case studies:
  • Schorr-Waite graph-marking algorithm [SEFM’05],
  • Avionics embedded code provided by Dassault aviation

company A original analysis of memory separation [submitted]

slide-19
SLIDE 19

Krakatoa Introduction Overview of Krakatoa Algebraic models

Principles Example Demo

Conclusions

Outline

1

Introduction Context JML: Introductory example

2

Overview of Krakatoa

Demo

Platform overview Why intermediate language Contributions

3

Algebraic models Principles Example

Demo

4

Conclusions

slide-20
SLIDE 20

Krakatoa Introduction Overview of Krakatoa Algebraic models

Principles Example Demo

Conclusions

Design choices

  • Krakatoa, 2003:
  • ad-hoc interpretation of pure methods
  • Underlying Why logic:
  • multi-sorted first order logic
  • one may declare sorts, logical functions, predicates, axioms.
  • Idea:
  • use this logic for describing models of programs
  • algebraic specifications of models
slide-21
SLIDE 21

Krakatoa Introduction Overview of Krakatoa Algebraic models

Principles Example Demo

Conclusions

Design choices

  • Caduceus, 2004:
  • allow first-order modeling at C source level
  • used for:
  • linked-list in-place reversal in C [Filliˆ

atre & March´ e, ICFEM 2004]

  • Schorr-Waite graph traversal in C [Hubert & March´

e, SEFM 2005]

  • Krakatoa, 2006:
  • allow first-order modeling similarly
  • but JML models are OO, not algebraic
  • so Krakatoa now diverges from JML: allows algebraic models

(recent work, still in progress)

slide-22
SLIDE 22

Krakatoa Introduction Overview of Krakatoa Algebraic models

Principles Example Demo

Conclusions

Example

  • General-purpose class for finite sets of integers
  • Basic interface :

class IntSet { // checks whether n belongs to this public boolean mem(int n); // adds n to this public void add(int n); }

slide-23
SLIDE 23

Krakatoa Introduction Overview of Krakatoa Algebraic models

Principles Example Demo

Conclusions

Algebraic model (1)

  • Sort, functions, predicates:

/*@ logic type intset; @ logic intset emptyset(); @ logic intset singleton(int n); @ logic intset union(intset s1, intset s2); @ predicate in(int n,intset s); @*/

slide-24
SLIDE 24

Krakatoa Introduction Overview of Krakatoa Algebraic models

Principles Example Demo

Conclusions

Algebraic model (2)

  • Axiomatization:

/*@ axiom in_empty : @ (\forall int n; !in(n,emptyset())); @ @ axiom in_singleton : @ (\forall int n,k; @ in(n,singleton(k)) <==> n==k; @ @ axiom in_union : @ (\forall int n; \forall intset s1,s2 ; @ in(n,union(s1,s2)) <==> @ in(n,s1) || in(n,s2); @ @ axiom intset_ext : @ (\forall intset s1,s2 ; @ (\forall int n ; in(n,s1) <==> in(n,s2)) @ ==> s1==s2) ; @*/

slide-25
SLIDE 25

Krakatoa Introduction Overview of Krakatoa Algebraic models

Principles Example Demo

Conclusions

Specification of IntSet class

Introducing a model field:

class IntSet { //@ model intset my_model;

Methods’ behaviors:

//@ ensures \result <==> in(n,my_model)) ; public boolean mem(int n); /*@ assigns my_model; @ model ensures @ my_model == union(\old(my_model),singleton(n)) ; @*/ public void add(int n); }

slide-26
SLIDE 26

Krakatoa Introduction Overview of Krakatoa Algebraic models

Principles Example Demo

Conclusions

An implementation

By a sorted array

class IntSet { int size; int t[]; /*@ invariant @ t != null && @ 0 <= size && size <= t.length && @ (\forall int i,j; @ 0 <= i && i <= j && j < size; @ t[i] <= t[j]); @*/ }

slide-27
SLIDE 27

Krakatoa Introduction Overview of Krakatoa Algebraic models

Principles Example Demo

Conclusions

Relating models and implementation

/*@ predicate IntSet_models(intset s, IntSet this) { @ this != null && @ array_models(s,this.t,0,this.size-1) @ } @ @ predicate array_models(intset s, int t[], @ int i, int j) { @ t != null && @ 0 <= i && j < t.length && @ (\forall int n; in(n,s) <==> @ (\exists int k; @ i <= k && k <= j ; n==t[k])) @ } @*/ //@ invariant IntSet_models(my_model,this);

Demo

slide-28
SLIDE 28

Krakatoa Introduction Overview of Krakatoa Algebraic models

Principles Example Demo

Conclusions

Refinement property

  • Proof of add post-condition: closure of the diagram

abstract level: my model →add my model’ I I concrete level: t,size →add t’,size’

  • It is a refinement property.
  • Comparison with the B approach in progress.
slide-29
SLIDE 29

Krakatoa Introduction Overview of Krakatoa Algebraic models Conclusions

Outline

1

Introduction Context JML: Introductory example

2

Overview of Krakatoa

Demo

Platform overview Why intermediate language Contributions

3

Algebraic models Principles Example

Demo

4

Conclusions

slide-30
SLIDE 30

Krakatoa Introduction Overview of Krakatoa Algebraic models Conclusions

Summary

  • Prototype tools, available for experimentation (open source):

http://krakatoa.lri.fr http://why.lri.fr

  • Tailored to the proof of advanced behaviors
  • Originality: intermediate first-order specification language for:
  • modeling Java memory heap
  • modeling Java Card transactions
  • user-defined abstract models of programs
  • Versatility: multi-prover output, multi-source input, allows
  • n-the-fly generation of model
slide-31
SLIDE 31

Krakatoa Introduction Overview of Krakatoa Algebraic models Conclusions

Perspectives

  • GUI in the Eclipse framework
  • Improved support for abstract modeling: refinement,

higher-level models (UML)

  • Automatic annotation generation
  • Analysis of memory separation

Long term:

  • Contribute to Grand Challenge 6, Verified Software

Repository

  • Key goal: libraries of verified software