deductive verification of java programs
play

Deductive Verification of Java programs Introduction with Algebraic - PowerPoint PPT Presentation

Nov 29, 2023 •316 likes •636 views

Krakatoa Deductive Verification of Java programs Introduction with Algebraic Modeling and Multi-Prover Overview of Krakatoa Algebraic models Backend: the Why/Krakatoa platform Conclusions Claude March e Christine Paulin Jean-Christophe

  1. Krakatoa Deductive Verification of Java programs Introduction with Algebraic Modeling and Multi-Prover Overview of Krakatoa Algebraic models Backend: the Why/Krakatoa platform Conclusions Claude March´ e Christine Paulin Jean-Christophe Filliˆ atre Nicolas Rousset Xavier Urbain ProVal project - http://proval.lri.fr INRIA-Futurs & Universit´ e Paris-Sud 11 Orsay, France January 20th, 2007

  2. Krakatoa Outline Introduction Overview of Krakatoa Introduction 1 Algebraic models Context Conclusions JML: Introductory example Overview of Krakatoa 2 Demo Platform overview Why intermediate language Contributions 3 Algebraic models Principles Example Demo Conclusions 4

  3. Krakatoa Outline Introduction Context JML: Introductory example Introduction 1 Overview of Context Krakatoa JML: Introductory example Algebraic models Conclusions Overview of Krakatoa 2 Demo Platform overview Why intermediate language Contributions 3 Algebraic models Principles Example Demo Conclusions 4

  4. Krakatoa Context Introduction Context JML: Introductory example Overview of Krakatoa Algebraic models • ProVal research group develops tools for Deduction Conclusions Verification of Java and C source code • Requirements: specified as annotations in the source • For Java (Card): specifications given in JML (Java Modeling Language) � Krakatoa tool • For C: home-made specification language � Caduceus tool • Generation of Verification Conditions , to be discharged by theorem provers • Originality: common platform for C and Java

  5. Krakatoa JML toy example Introduction Context JML: Introductory example Overview of • JML class invariants Krakatoa Algebraic models • JML method behaviors: pre- and post-conditions Conclusions class Purse { int balance; //@ invariant balance >= 0; /*@ normal_behavior @ requires s >= 0; @ assigns balance; @ ensures balance == \old(balance)+s; @*/ public void credit(int s) { balance += s; }

  6. Krakatoa Toy example (cont.) Introduction Context JML: Introductory example Overview of Krakatoa • JML exceptional behaviors Algebraic models Conclusions /*@ behavior @ requires s >= 0; @ assigns balance; @ ensures s <= \old(balance) && @ balance == \old(balance) - s; @ signals (NoCreditException) @ s > \old(balance) && @ balance == \old(balance); @*/ public void withdraw(int s) throws NoCreditException { if (balance >= s) balance -= s; else throw new NoCreditException(); }

  7. Krakatoa JML tools Introduction Context JML: Introductory example Overview of Krakatoa Algebraic models Conclusions • Runtime assertion checking : JML RAC • Static verification : • ESC/Java • Several others: LOOP , Jack, KeY, Jive, Bogor. . . Krakatoa • Common goal: prove advanced functional behaviors • Why so many tools ? hard problems, many challenges: http://www.cs.ru.nl/ ∼ woj/esfws06/ • Other tools: testing, symbolic execution. . .

  8. Krakatoa Outline Introduction Overview of Krakatoa Introduction 1 Demo Platform overview Context Why intermediate language JML: Introductory example Contributions Algebraic models Overview of Krakatoa 2 Conclusions Demo Platform overview Why intermediate language Contributions 3 Algebraic models Principles Example Demo Conclusions 4

  9. Krakatoa Demo: toy example (cont.) Introduction Overview of Krakatoa Demo Platform overview Why intermediate • A buggy example language Contributions Algebraic models /*@ normal_behavior Conclusions @ requires p1.balance == 100; @ ensures \result == 150; @*/ public static int test(Purse p1, Purse p2) { p1.credit(50); p2.withdraw(100); return p1.balance; } Demo

  10. Krakatoa Remarks Introduction Overview of Krakatoa Demo Platform overview Why intermediate language Contributions • Krakatoa generates VCs for both Algebraic models Conclusions • Safety properties : no NullPointerException, no ArrayIndexOutOfBounds, no DivisionByZero • Method calls: precondition is satisfied • Methods post-conditions are valid • Class invariants are preserved (beware: challenging issues) • Modular Approach : • for each method call: only its specification is seen

  11. Krakatoa Platform Architecture Introduction Overview of Krakatoa Demo Platform overview Annotated programs Why intermediate language Java+JML Contributions Annotated C Algebraic models Conclusions Krakatoa Caduceus Why provers Coq,PVS,Isabelle. . . Simplify, CVS-lite, haRVey, Ergo SMT provers (Yices. . . )

  12. Krakatoa Platform characteristics Introduction Overview of Krakatoa Demo Platform overview Why intermediate language Contributions Algebraic models • Shared intermediate language : Why language Conclusions • Only one VCG (Verification Condition Generator) : Why tool • Several provers as output: • allows both • automatic proving and • interactive proof contruction for discharging VCs

  13. Krakatoa Why tool Introduction Overview of Krakatoa Demo Platform overview • Multi-prover output Why intermediate language • Why language : Contributions • programming language: a WHILE language, tailored to VC Algebraic models generation generation, with Conclusions • limited side-effects: only mutable variables • no data types • basic control statements + throw, try/catch • program = set of functions, annotated with pre- and post-conditions • specification language: multi-sorted (polymorphic) first-order logic , with built-in arithmetic • VC generation based on a Weakest Precondition calculus , incorporating exceptional post-conditions , and computation of effects over mutable variables .

  14. Krakatoa Why as intermediate language Introduction Overview of Krakatoa Demo Platform overview Why intermediate language Contributions • Common approach to Java and C: Algebraic models translation into Why programs Conclusions • Why specification language used both for • translation of input annotations • modeling Java objects (resp. C pointers/structures) and heap memory. • Modeling in Why: algebraic specifications • introducing functions and predicates • stating axioms

  15. Krakatoa Heap memory model Introduction Overview of Principle: Burstall-Bornat ‘component-as-array’ model Krakatoa Demo Platform overview Java Why Why intermediate language balance := upd (balance,this, balance += s; Contributions Algebraic models acc (balance,this)+s) Conclusions • Each Java field becomes a Why mutable variable of type ‘functional array’ • acc ( f , o ) denotes f at index o → encodes o . f • upd ( f , o , v ) denotes functional update • Theory of arrays: acc ( upd ( f , o , v ) , o ) = v o � = o ′ → acc ( upd ( f , o , v ) , o ′ ) = acc ( f , o ′ )

  16. Krakatoa Heap memory model in Introduction Krakatoa Overview of Krakatoa Demo Platform overview Why intermediate language Contributions Algebraic models • Similar encoding for Java arrays Conclusions • Objects hierarchy modeled by a predicate instanceof with axioms. • • A theory for modeling assigns clauses [TPHOLs’05] • Approximately 500 lines of Why specifications, + additional axioms generated on-the-fly for each Java program

  17. Krakatoa Java: contributions Introduction Overview of Krakatoa Demo Platform overview Why intermediate language • Krakatoa tool publicly available Contributions Algebraic models • A specific modeling of Java/JML, in particular for assigns Conclusions clauses [TPHOLs’05] • Java Card transactions [SEFM’06] • on-the-fly generation of interpretation of beginTransaction() , commitTransaction() . . . • Case studies: • PSE applet provided by Axalto [AMAST’04] • Demoney Applet provided by Trusted Logic

  18. Krakatoa C programs: contributions Introduction Overview of Krakatoa Demo Platform overview Why intermediate language Contributions • Caduceus tool publicly available Algebraic models • An original modeling of heap memory and pointer arithmetic Conclusions [ICFEM’04] • Original support of floating-point programs [ARITH’07] • Case studies: • Schorr-Waite graph-marking algorithm [SEFM’05], • Avionics embedded code provided by Dassault aviation company � A original analysis of memory separation [submitted]

  19. Krakatoa Outline Introduction Overview of Krakatoa Introduction 1 Algebraic models Context Principles Example JML: Introductory example Demo Conclusions Overview of Krakatoa 2 Demo Platform overview Why intermediate language Contributions 3 Algebraic models Principles Example Demo Conclusions 4

  20. Krakatoa Design choices Introduction Overview of Krakatoa Algebraic models Principles Example Demo • Krakatoa, 2003: Conclusions • ad-hoc interpretation of pure methods • Underlying Why logic: • multi-sorted first order logic • one may declare sorts, logical functions, predicates, axioms. • Idea: • use this logic for describing models of programs • � algebraic specifications of models

  21. Krakatoa Design choices Introduction Overview of Krakatoa Algebraic models Principles Example Demo • Caduceus, 2004: Conclusions • allow first-order modeling at C source level • used for: • linked-list in-place reversal in C [Filliˆ atre & March´ e, ICFEM 2004] • Schorr-Waite graph traversal in C [Hubert & March´ e, SEFM 2005] • Krakatoa, 2006: • allow first-order modeling similarly • but JML models are OO, not algebraic • so Krakatoa now diverges from JML : allows algebraic models (recent work, still in progress)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The KeY Platform for Verification and Analysis of Java Programs Reiner H ahnle Technische

The KeY Platform for Verification and Analysis of Java Programs Reiner H ahnle Technische

The KeY Platform for Verification and Analysis of Java Programs Reiner H ahnle Technische Universit at Darmstadt Department of Computer Science, Software Engineering Group Dagstuhl Seminar 16131: Language Based Verification Tools for

1.01k views • 68 slides
Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform for deductive program verification Made by: Franois Bobot Martin Clochard Lon Gondelman Jean-Christophe Fillitre Claude

98 views • 9 slides
Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/

627 views • 27 slides
The KeY Platform for Verification and Analysis of Java Programs Reiner H ahnle Technische

The KeY Platform for Verification and Analysis of Java Programs Reiner H ahnle Technische

The KeY Platform for Verification and Analysis of Java Programs Reiner H ahnle Technische Universit at Darmstadt Department of Computer Science, Software Engineering Group 25 April 2016 Joint Work with. . . Wolfgang Ahrendt, Bernhard

1.06k views • 55 slides
Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente) www.se.tu-darmstadt.de TU Darmstadt, Software Engineering Group Many challenges apply to AD in general Deductive Software Verification

165 views • 15 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay JCP 2016 1. A short look back 2 / 100 Introduction Software is hard. D ONALD K NUTH ... 1996: Ariane 5 explosion an

1.13k views • 100 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay http://why3.lri.fr/ejcp-2019 JCP 2019 Software is hard. D ONALD K NUTH 2 / 171 Ensure the absence of bugs Several

2k views • 171 slides
Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool Reiner H ahnle (joint work with Richard Bubel and Ran Ji) Chalmers University of Technology Department of Computer Science and Engineering 10

1.11k views • 82 slides
1 Deductive Verification Extremely powerful Extremely hard One proof can cover very

1 Deductive Verification Extremely powerful Extremely hard One proof can cover very

Methods of Assessing Model Behavior Testing spot checks aspects of real system Simulation spot checks aspects of abstract (model) system Deductive verification Uses axioms and proofs on a mathematical model of

596 views • 21 slides
Programs, and Java 1 Objectives To Know the basics To write a simple Java program To

Programs, and Java 1 Objectives To Know the basics To write a simple Java program To

Chapter 1 Introduction to Computers, Programs, and Java 1 Objectives To Know the basics To write a simple Java program To know error types To Know basic syntax of a Java program 2 Programs Computer programs , known as software

473 views • 36 slides
Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.29k views • 106 slides
Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.82k views • 158 slides
Verification of a Java Compiler in Isabelle Martin Strecker 7.1.2002 Java: Types, values,

Verification of a Java Compiler in Isabelle Martin Strecker 7.1.2002 Java: Types, values,

Verification of a Java Compiler in Isabelle Martin Strecker 7.1.2002 Java: Types, values, terms, ... Typing and operational semantics JVM Compiler Definition Proof Techniques Compilation and Bytecode Verification

643 views • 18 slides
Teaching Deductive Verification to Teenagers Jean-Christophe Filli atre CNRS IFIP WG

Teaching Deductive Verification to Teenagers Jean-Christophe Filli atre CNRS IFIP WG

Teaching Deductive Verification to Teenagers Jean-Christophe Filli atre CNRS IFIP WG 1.9/2.15 Leuven, Belgium May 1112, 2017 context Universit e Paris Sud participates to a programme called Les Apprentis Chercheurs (the research

707 views • 42 slides
An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth

An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth

An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth Summer School on Formal Techniques May 2016 http://why3.lri.fr/ssft-16/ 1 / 145 Software is hard. Don Knuth why? wrong interpretation of

1.97k views • 145 slides
Todays topics Java Syntax and Grammars Sample Programs Upcoming More

Todays topics Java Syntax and Grammars Sample Programs Upcoming More

Todays topics Java Syntax and Grammars Sample Programs Upcoming More Java Reading Great Ideas , Chapter 2 Java! Java is a buzzword-enabled language From Sun (the developers of Java), Java is a simple,

582 views • 28 slides
Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan

Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan

Towards Secure Things, or How to Verify IoT Software with Frama-C Tutorial at ZINC 2018 Allan Blanchard, Nikolai Kosmatov, Fr ed eric Loulergue some slides authored by Julien Signoles Email: allan.blanchard@inria.fr,

1.79k views • 151 slides
Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the

Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the

Proof Technology for High-Assurance Runtime Systems Andrew Tolmach, Andrew McCreight, and the Programatica team WG2.8 08 1 Functional Languages for High- Assurance Applications Goal: rely on properties of functional languages to

774 views • 59 slides
Queens on a Chessboard an exercise in program verification Jean-Christophe Filli atre

Queens on a Chessboard an exercise in program verification Jean-Christophe Filli atre

Queens on a Chessboard an exercise in program verification Jean-Christophe Filli atre Krakatoa/Caduceus working group December 15th, 2006 Jean-Christophe Filli atre Queens on a Chessboard Krakatoa/Caduceus WG Introduction challenge for

569 views • 35 slides
The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli

The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli

The Why/Krakatoa/Caduceus Platform for Deductive Program Verification Jean-Christophe Filli atre CNRS Universit e Paris Sud TYPES Summer School August 30th, 2007 TYPES Summer School August 30th, 2007 Jean-Christophe Filli

2.04k views • 181 slides
Ownership, Pointer Arithmetic and Memory Separation Romain Bardou INRIA Saclay, France

Ownership, Pointer Arithmetic and Memory Separation Romain Bardou INRIA Saclay, France

Ownership, Pointer Arithmetic and Memory Separation Romain Bardou INRIA Saclay, France FTfJP2008 Ownership, Pointer Arithmetic, and Memory Separation 1 / 32 Introduction Jessie Ownership and Invariants Problems Our Approach Core Language

497 views • 32 slides
Formal proof of SCHUR conjugate function Toumazet Objectives and tools SCHUR Micaela Mayero 1

Formal proof of SCHUR conjugate function Toumazet Objectives and tools SCHUR Micaela Mayero 1

Formal Proof of conjugate function Butelle Hivert Mayero Formal proof of SCHUR conjugate function Toumazet Objectives and tools SCHUR Micaela Mayero 1 Frama-C Franck Butelle 1 Florent Hivert 2 Some combi- Frdric Toumazet 3 natorial

403 views • 28 slides
From Program Verification to Certified Binaries Angelos Manousaridis Michalis A. Papakyriakou

From Program Verification to Certified Binaries Angelos Manousaridis Michalis A. Papakyriakou

From Program Verification to Certified Binaries Angelos Manousaridis Michalis A. Papakyriakou Nikolaos S. Papaspyrou National Technical University of Athens School of Electrical and Computer Engineering Software Engineering Laboratory

360 views • 32 slides
program extraction type theory week 5 2006 03 13 0 why intuitionism? foundational crisis

program extraction type theory week 5 2006 03 13 0 why intuitionism? foundational crisis

program extraction type theory week 5 2006 03 13 0 why intuitionism? foundational crisis Russell, start 20th century: { x | x x } { x | x x } ? shows that naive set theory / type theory is inconsistent 1 Brouwer three

971 views • 40 slides

More recommend