Handling Javas Abrupt Termination in a Sequent Calculus for Dynamic - - PowerPoint PPT Presentation

Handling Java’s Abrupt Termination in a Sequent Calculus for Dynamic Logic

Bernhard Beckert Bettina Sasse

UNIVERSITY OF KARLSRUHE INSTITUTE FOR LOGIC, COMPLEXITY AND DEDUCTION SYSTEMS i12www.ira.uka.de/ ˜key

VerifiCard Workshop Marseille, January 2002

VerifiCard Workshop, Marseille, January 2002 – p.1

Reasons for Limited Use of Verification

No support for programming languages that are used in practice

VerifiCard Workshop, Marseille, January 2002 – p.2

Reasons for Limited Use of Verification

No support for programming languages that are used in practice Verification requires knowledge in higher-order logic, tactic languages, etc. Verification is not integrated into standard CASE tools and software development processes

VerifiCard Workshop, Marseille, January 2002 – p.2

Reasons for Limited Use of Verification

No support for programming languages that are used in practice Verification requires knowledge in higher-order logic, tactic languages, etc. Verification is not integrated into standard CASE tools and software development processes Verifier and software developer speak different languages

VerifiCard Workshop, Marseille, January 2002 – p.2

Central Paradigm of the KeY Project

Formal methods must – and can – be integrated into commercially used methodologies, tools, and languages for software development

VerifiCard Workshop, Marseille, January 2002 – p.3

Central Paradigm of the KeY Project

Formal methods must – and can – be integrated into commercially used methodologies, tools, and languages for software development Integrated tool for modelling formal specification verification

• f object-oriented programs (Java Card)

VerifiCard Workshop, Marseille, January 2002 – p.3

The KeY System

UML OCL Java Dynamic Logic CASE Tool specification extension

Verification Component

Deduction Component for formal automated

counter examples

interactive

VerifiCard Workshop, Marseille, January 2002 – p.4

Dynamic Logic

Transparency of rules and proofs Formulas contain programs Basic rules for each programming construct Rule application corresponds to symbolic execution

VerifiCard Workshop, Marseille, January 2002 – p.5

Dynamic Logic

Transparency of rules and proofs Formulas contain programs Basic rules for each programming construct Rule application corresponds to symbolic execution Handling “real” object-oriented language Java Requires extensions and new concepts

VerifiCard Workshop, Marseille, January 2002 – p.5

Verification of Java Card: Difficulties

Program state depends on the objects and their attributes Aliasing Polymorphism (dynamic binding) Evaluation of Java expressions may have side effects Programming constructs such as – abrupt termination (e.g. exceptions) – built-in data types (incl. arrays and strings) – initialisation of objects

VerifiCard Workshop, Marseille, January 2002 – p.6

Dynamic Logic

Syntax Modal operators [p] and

• p
• for each program p

Refer to the final state of p

VerifiCard Workshop, Marseille, January 2002 – p.7

Dynamic Logic

Syntax Modal operators [p] and

• p
• for each program p

Refer to the final state of p Semantics

[p] F:

If p terminates, then F holds in the final state (partial correctness)

• p
• F:

p terminates and F holds in the final state

(total correctness)

VerifiCard Workshop, Marseille, January 2002 – p.7

Expressivity of Dynamic Logic

Hoare triple

F →

→ → [p] G

the same as

{F} p {G}

VerifiCard Workshop, Marseille, January 2002 – p.8

Expressivity of Dynamic Logic

Hoare triple

F →

→ → [p] G

the same as

{F} p {G}

Simple example

∀ ∀ ∀n(

• ✁

n

• =

= =

→ → →

• ✁

n

• =

= =

)

VerifiCard Workshop, Marseille, January 2002 – p.8

Rule for if-else

premisses

Γ, b =

= =

• ✁

⊢ ⊢ ⊢

• p
• F

Γ, b =

= =

⊢ ⊢ ⊢

• q
• F

Γ ⊢

⊢ ⊢

• ✡

b

p

q

• F

conclusion

VerifiCard Workshop, Marseille, January 2002 – p.9

Rule for if-else

premisses new proof obligation

Γ, b =

= =

• ✁

⊢ ⊢ ⊢

• p
• F

Γ, b =

= =

⊢ ⊢ ⊢

• q
• F

Γ ⊢

⊢ ⊢

• ✡

b

p

q

• F

conclusion

• ld proof obligation

VerifiCard Workshop, Marseille, January 2002 – p.9

Abrupt Termination in Java

Reasons for abrupt termination

• ✁

• ✡

(with or w/o label)

}

loop (current iteration)

(with or w/o label)

}

loop,

• ✝

, labelled block exception

}

• ✁

• ✆
• ✝

statement (also: block, loop, method)

• ✂

}

method (also:

• ✁

• ✆
• ✝

, block, loop)

VerifiCard Workshop, Marseille, January 2002 – p.10

Abrupt Termination in Java: Examples

Loop terminated by

• ✁

VerifiCard Workshop, Marseille, January 2002 – p.11

Abrupt Termination in Java: Examples

• ✁

• ✆
• ✝
• ☎

with exception

• ✄
• ✁
• ✁✄✂

• ☎

• ✁

• ✄

VerifiCard Workshop, Marseille, January 2002 – p.12

Integrating Abrupt Termination into DL

New semantics for

• p
• F:

p terminates normally (not abruptly) and F holds in the final state

There is no “return value” describing the reason for termination

VerifiCard Workshop, Marseille, January 2002 – p.13

Possible Contexts of an Abrupt Termination

method block

• ✝

statement

,

• ✁
• ✆

,

loops

• ✁

• ✆
• ✝
• ☎

statement

VerifiCard Workshop, Marseille, January 2002 – p.14

Rule for while Loops

Symbolic execution of one loop iteration

Γ ⊢

⊢ ⊢

• ✡

b

p

b

p

• F

Γ ⊢

⊢ ⊢

• ✆

b

p

• F

VerifiCard Workshop, Marseille, January 2002 – p.15

Rule for while Loops

Symbolic execution of one loop iteration target

• ✁

• ✡

Γ ⊢

⊢ ⊢

• ✡

b

l1

• ✌

l2

• ✌

p

b

p

• F

Γ ⊢

⊢ ⊢

• ✆

b

p

• F

target

Construction of p’:

→

l1

• ✁

• ✡

→

l2

VerifiCard Workshop, Marseille, January 2002 – p.15

Rule for while Loops: Example

• ✁

   p

VerifiCard Workshop, Marseille, January 2002 – p.16

Rule for while Loops: Example

• ✁

   p

Γ ⊢

⊢ ⊢

• ✡

• ✁

• ✌

• ✌

• ✄

• ☎

• ✁

p

• F

Γ ⊢

⊢ ⊢

• ✆

• ✁

• ✄

• F

VerifiCard Workshop, Marseille, January 2002 – p.16

Rule for Exception that is Caught

Γ ⊢

⊢ ⊢ instanceof (exc, T)

Γ ⊢

⊢ ⊢

• ✌✎✍
• ✄

e

exc

q

• ✄

r

• F

Γ ⊢

⊢ ⊢

• ✌✎✍
• ✄

• exc

p

T e

q

• ✄

r

• F

VerifiCard Workshop, Marseille, January 2002 – p.17

Rule for Exception that is Caught: Example

• ✁

• ✝

• ☎

• ✂

• ✆
• ✝

• ✄

• ✡

• ✂

• ✂

VerifiCard Workshop, Marseille, January 2002 – p.18

Rule for Exception that is Caught: Example

• ✁

• ✝

• ☎

• ✂

• ✆
• ✝

• ✄

• ✡

• ✂

• ✂

Γ ⊢

⊢ ⊢ instanceof (

• ☎

,

• ☎

) Γ ⊢

⊢ ⊢

• ✌✎✍
• ✄

• ☎

• ☛

• ✄

• F

Γ ⊢

⊢ ⊢

• ✌✎✍
• ✄

• ✝
• ☎

• ☎

• ☛

• ✄

• F

VerifiCard Workshop, Marseille, January 2002 – p.18

Rule for Exception that is Caught: Example

Γ ⊢

⊢ ⊢ ...

Γ ⊢

⊢ ⊢

• ✌✎✍
• ✄

• ☎

• ☛

• ✄

• F

Γ ⊢

⊢ ⊢

• ✌✎✍
• ✄

• ✝
• ☎

• ☎

• ☛

• ✄

• F

VerifiCard Workshop, Marseille, January 2002 – p.19

Rule for Exception that is Caught: Example

Γ ⊢

⊢ ⊢ ...

Γ,

= = =

• ☎

⊢ ⊢ ⊢

• ✄

• ☛

• ✄

F

Γ ⊢

⊢ ⊢

• ✌✎✍
• ✄

• ☎

• ☛

• ✄

• F

Γ ⊢

⊢ ⊢

• ✌✎✍
• ✄

• ✝
• ☎

• ☎

• ☛

• ✄

• F

VerifiCard Workshop, Marseille, January 2002 – p.19

Rule for Exception that is Caught: Example

Γ ⊢

⊢ ⊢ ...

Γ,

= = =

• ☎

⊢ ⊢ ⊢

• ☛

F

Γ,

= = =

• ☎

⊢ ⊢ ⊢

• ✄

• ☛

• ✄

F

Γ ⊢

⊢ ⊢

• ✌✎✍
• ✄

• ☎

• ☛

• ✄

• F

Γ ⊢

⊢ ⊢

• ✌✎✍
• ✄

• ✝
• ☎

• ☎

• ☛

• ✄

• F

VerifiCard Workshop, Marseille, January 2002 – p.19

Example

Proof obligation

• ✁

            

p

terminates with

= = = 10 if started with 0 ≤ ≤ ≤

≤ ≤ ≤ 10

Formal

0 ≤

≤ ≤

,

≤ ≤ ≤ 10 ⊢ ⊢ ⊢

• p
• ✂

= = = 10

VerifiCard Workshop, Marseille, January 2002 – p.20

Example

0 ≤

≤ ≤

,

≤ ≤ ≤ 10 ⊢ ⊢ ⊢

• p
• ✂

= = = 10

choice of induction hypothesis

⊢ ⊢ ⊢ (∀ ∀ ∀n)((n ≤ ≤ ≤ 10∧ ∧ ∧

= = = 10 − n) → → →

• p
• ✂

= = = 10)

induction

n =

= = 0

while if if break break empty prog.

= = = 10 ⊢ ⊢ ⊢

= = = 10

n → n + 1

while if if

n ≤

≤ ≤ 9,

= = = 10 − n ⊢ ⊢ ⊢

• p
• ✂

= = = 10

induction hypothesis

• ✁

VerifiCard Workshop, Marseille, January 2002 – p.21