
Handling Java's Abrupt Termination in a Sequent Calculus for Dynamic Logic
Bernhard Beckert, Bettina Sasse
University of Karlsruhe, Institute for Logic, Complexity and Deduction Systems
i12www.ira.uka.de/~key
VerifiCard Workshop


p.1: Title slide. VerifiCard Workshop, Marseille, January 2002.

p.2: Reasons for Limited Use of Verification
- No support for programming languages that are used in practice
- Verification requires knowledge in higher-order logic, tactic languages, etc.
- Verification is not integrated into standard CASE tools and software development processes
- Verifier and software developer speak different languages

p.3: Central Paradigm of the KeY Project
- Formal methods must – and can – be integrated into commercially used methodologies, tools, and languages for software development
- Integrated tool for modelling, formal specification and verification of object-oriented programs (Java Card)

p.4: The KeY System
- CASE tool (UML, OCL, Java) with an extension for formal specification
- Verification component: Dynamic Logic
- Deduction component: automated, interactive, counter examples

p.5: Dynamic Logic
- Transparency of rules and proofs: formulas contain programs, there are basic rules for each programming construct, and rule application corresponds to symbolic execution
- Handling a “real” object-oriented language (Java) requires extensions and new concepts

p.6: Verification of Java Card: Difficulties
- Program state depends on the objects and their attributes
- Aliasing
- Polymorphism (dynamic binding)
- Evaluation of Java expressions may have side effects
- Programming constructs such as abrupt termination (e.g. exceptions), built-in data types (incl. arrays and strings), and initialisation of objects

p.7: Dynamic Logic Syntax
- Modal operators $[p]$ and $\langle p\rangle$ for each program $p$; both refer to the final state of $p$
- Semantics: $[p]F$: if $p$ terminates, then $F$ holds in the final state (partial correctness); $\langle p\rangle F$: $p$ terminates and $F$ holds in the final state (total correctness)

p.8: Expressivity of Dynamic Logic
- The Hoare triple $\{F\}\ p\ \{G\}$ is the same as $F \to [p]G$
- Simple example: $\forall n\,(\ldots \to \langle\ldots\rangle\, n = \ldots)$ (the program and the terms of this example are not recoverable from the slide)

p.9: Rule for if-else
Premisses (new proof obligations):
$$\Gamma,\ b = \mathit{true} \vdash \langle p\rangle F \qquad\qquad \Gamma,\ b = \mathit{false} \vdash \langle q\rangle F$$
Conclusion (old proof obligation):
$$\Gamma \vdash \langle \texttt{if}\ (b)\ p\ \texttt{else}\ q\rangle F$$

p.10: Abrupt Termination in Java
Reasons for abrupt termination and what they terminate:
- break (with or w/o label): loop, labelled block
- continue (with or w/o label): loop (current iteration)
- exception: statement (also: block, loop, method)
- return: method (also: block, loop)

p.11: Abrupt Termination in Java: Examples. Loop terminated abruptly (the example program is not recoverable from the slide).
p.12: Abrupt Termination in Java: Examples. try-catch-finally with exception (the example program is not recoverable from the slide).

p.13: Integrating Abrupt Termination into DL
- New semantics for $\langle p\rangle F$: $p$ terminates normally (not abruptly) and $F$ holds in the final state
- There is no “return value” describing the reason for termination

p.14: Possible Contexts of an Abrupt Termination: method, block, statement, loops, try-catch-finally statement (some keywords on the slide are not recoverable).

p.15: Rule for while Loops
Symbolic execution of one loop iteration:
$$\frac{\Gamma \vdash \langle \texttt{if}\ (b)\ l_1{:}\{\ l_2{:}\{\ p'\ \}\ \texttt{while}\ (b)\ p\ \}\rangle F}{\Gamma \vdash \langle \texttt{while}\ (b)\ p\rangle F}$$
Construction of $p'$ from $p$: the labels $l_1$ and $l_2$ become the targets of the jumps in the unwound iteration; an unlabelled break whose target is the loop becomes break $l_1$, an unlabelled continue whose target is the loop becomes break $l_2$.
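The unwinding that the while rule performs, checked on concrete input. This is an added example and not code from the slides or from the KeY project: the class, the two methods and the sample arrays are constructed for it. `original` is the loop while (b) p; `unwoundOnce` is the premiss program if (b) l1:{ l2:{ p' } while (b) p }, with p' obtained from p by turning break into break l1 and continue into break l2. The point the rule relies on is that both methods agree on every input, including inputs where the first iteration terminates abruptly.

```java
import java.util.Arrays;

// Added example (not from the slides): the first-iteration unwinding of a while loop
// whose body uses both break and continue. Names and sample data are constructed.
public class LoopUnwinding {

    // Original program p: sum the positive entries, skip zeros, stop at the first negative.
    static int original(int[] xs) {
        int i = 0, sum = 0;
        while (i < xs.length) {
            int x = xs[i++];
            if (x == 0) continue;
            if (x < 0) break;
            sum += x;
        }
        return sum;
    }

    // Result of applying the while rule once: the first iteration is made explicit.
    // Inside p', `break` became `break l1` (leave the whole construct: the loop is done)
    // and `continue` became `break l2` (leave only the body, then run the remaining loop).
    static int unwoundOnce(int[] xs) {
        int i = 0, sum = 0;
        if (i < xs.length) l1: {
            l2: {
                int x = xs[i++];
                if (x == 0) break l2;   // was: continue
                if (x < 0) break l1;    // was: break
                sum += x;
            }
            while (i < xs.length) {     // the untouched remaining loop
                int x = xs[i++];
                if (x == 0) continue;
                if (x < 0) break;
                sum += x;
            }
        }
        return sum;
    }

    public static void main(String[] args) {
        // Constructed inputs: first iteration continues, first iteration breaks,
        // only zeros, empty array.
        int[][] inputs = { {0, 3, 0, 4, -1, 100}, {-5, 1}, {0, 0}, {} };
        for (int[] in : inputs) {
            int a = original(in), b = unwoundOnce(in);
            System.out.println(Arrays.toString(in) + ": original=" + a
                    + " unwound=" + b + (a == b ? " (agree)" : " (MISMATCH)"));
        }
    }
}
```

Because the redirected jumps are plain labelled breaks, the rule never needs a value that records why the iteration ended; the label itself carries that information, which is what lets the calculus keep the semantics of the slide on p.13 (no “return value” for the reason of termination).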

p.16: Rule for while Loops: Example (the example program $p$ and the resulting sequents $\Gamma \vdash \langle\ldots\rangle F$ are not recoverable from the slide).

p.17: Rule for Exception that is Caught
$$\frac{\Gamma \vdash \mathit{instanceof}(exc, T) \qquad \Gamma \vdash \langle \texttt{try}\ \{\ T\ e = exc;\ q\ \}\ \texttt{finally}\ r\rangle F}{\Gamma \vdash \langle \texttt{try}\ \{\ \texttt{throw}\ exc;\ p\ \}\ \texttt{catch}\ (T\ e)\ q\ \texttt{finally}\ r\rangle F}$$
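The Java completion behaviour that the rules on pp.10 to 17 have to capture, as an added example (not the slides' or the KeY project's code; the class, method names, exception messages and the trace list are constructed here). It shows the three things the calculus encodes: a finally block runs even when the try block is left by break, a thrown exception is caught only by a catch clause whose type it is an instance of (the instanceof(exc, T) premiss), and an abrupt completion of finally itself replaces a pending exception, so the caller observes normal termination although an error was signalled.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (not from the slides): observable effects of Java's abrupt completion
// inside try-catch-finally. All names and messages are constructed.
public class AbruptTermination {

    // Records which finally blocks ran, so the completion order is visible.
    static final List<String> trace = new ArrayList<>();

    // (1) break out of a loop from inside try: finally runs before the loop is left,
    //     for every iteration including the one that breaks.
    static int breakThroughFinally() {
        int i = 0;
        while (true) {
            try {
                i++;
                if (i == 3) break;          // abrupt completion of the try block
            } finally {
                trace.add("finally after iteration " + i);
            }
        }
        return i;
    }

    // (2) A thrown exception is caught by the first clause whose type it is an instance
    //     of; an IllegalArgumentException is also a RuntimeException, so clause order matters.
    static String catchByType(RuntimeException exc) {
        try {
            throw exc;
        } catch (IllegalArgumentException e) {
            return "caught as IllegalArgumentException: " + e.getMessage();
        } catch (RuntimeException e) {
            return "caught as RuntimeException: " + e.getMessage();
        }
    }

    // (3) A return in finally overrides the pending exception: the method terminates
    //     normally and the error is lost. In review this is the pattern to flag, since a
    //     failed check silently reports success to the caller.
    static String returnInFinallyMasksException() {
        try {
            throw new IllegalStateException("integrity check failed");
        } finally {
            return "ok";   // abrupt completion of finally discards the exception
        }
    }

    public static void main(String[] args) {
        System.out.println("loop left at i = " + breakThroughFinally());
        System.out.println(trace);
        System.out.println(catchByType(new IllegalArgumentException("bad argument")));
        System.out.println(catchByType(new ArithmeticException("division by zero")));
        System.out.println("result seen by caller: " + returnInFinallyMasksException());
    }
}
```

Case (3) is exactly why the premiss of the rule above wraps the catch body q in a try-finally with r rather than sequencing q and r: r must run whether q completes normally or abruptly, and if r completes abruptly its completion is the one the enclosing statement has.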
