deductive verification of object oriented software
play

Deductive Verification of Object-Oriented Software Part A Bernhard - PowerPoint PPT Presentation

Feb 26, 2023 •219 likes •1.29k views

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

  1. Specific Features of the KeY Approach Part II: The Java Modeling Language Program-level specification and annotation Part III: Program Verification with Dynamic Logic Program logic, explicit J AVA in the logic, not translated away Forward symbolic execution instead of backwards wp generation Part IV: Verifying Information Flow Properties JML extended with information-flow concepts Non-interference expressed in Dynamic Logic Not covered in this tutorial Additional benefits: test case generation, symbolic debugging. Overview VTSA, 24.–28.08.2015 5/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  2. Workflow JML* annotated J AVA program fully automatic translation KeY verification browser automatic translation triggered Dynamic Logic by user KeY problem file rule-based symbolic execution FOL using KeY first-order proof obligations KeY + SMT solvers successful or failed proof attempt Language Taclet KeY rule base Overview VTSA, 24.–28.08.2015 6/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  3. Workflow JML* annotated J AVA program fully automatic translation KeY verification browser automatic translation triggered Dynamic Logic by user KeY problem file rule-based symbolic execution FOL using KeY first-order proof obligations KeY + SMT solvers successful or failed proof attempt Language Taclet KeY rule base Overview VTSA, 24.–28.08.2015 6/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  4. Workflow JML* annotated J AVA program fully automatic translation KeY verification browser automatic translation triggered Dynamic Logic by user KeY problem file rule-based symbolic execution FOL using KeY first-order proof obligations KeY + SMT solvers successful or failed proof attempt Language Taclet KeY rule base Overview VTSA, 24.–28.08.2015 6/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  5. Workflow JML* annotated J AVA program fully automatic translation KeY verification browser automatic translation triggered Dynamic Logic by user KeY problem file rule-based symbolic execution FOL using KeY first-order proof obligations KeY + SMT solvers successful or failed proof attempt Language Taclet KeY rule base Overview VTSA, 24.–28.08.2015 6/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  6. Workflow JML* annotated J AVA program fully automatic translation KeY verification browser automatic translation triggered Dynamic Logic by user KeY problem file rule-based symbolic execution FOL using KeY first-order proof obligations KeY + SMT solvers successful or failed proof attempt Language Taclet KeY rule base Overview VTSA, 24.–28.08.2015 6/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  7. Workflow JML* annotated J AVA program fully automatic translation KeY verification browser automatic translation triggered Dynamic Logic by user KeY problem file rule-based symbolic execution FOL using KeY first-order proof obligations KeY + SMT solvers successful or failed proof attempt Language Taclet KeY rule base Overview VTSA, 24.–28.08.2015 6/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  8. Workflow JML* annotated J AVA program fully automatic translation KeY verification browser automatic translation triggered Dynamic Logic by user KeY problem file rule-based symbolic execution FOL using KeY first-order proof obligations KeY + SMT solvers successful or failed proof attempt Language Taclet KeY rule base Overview VTSA, 24.–28.08.2015 6/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  9. Workflow JML* annotated J AVA program fully automatic translation KeY verification browser automatic translation triggered Dynamic Logic by user KeY problem file rule-based symbolic execution FOL using KeY first-order proof obligations KeY + SMT solvers successful or failed proof attempt Language Taclet KeY rule base Overview VTSA, 24.–28.08.2015 6/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  10. Workflow JML* annotated J AVA program fully automatic translation KeY verification browser automatic translation triggered Dynamic Logic by user KeY problem file rule-based symbolic execution FOL using KeY first-order proof obligations KeY + SMT solvers successful or failed proof attempt Language Taclet KeY rule base Overview VTSA, 24.–28.08.2015 6/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  11. Workflow JML* annotated J AVA program fully automatic translation KeY verification browser automatic translation triggered Dynamic Logic by user KeY problem file rule-based symbolic execution FOL using KeY first-order proof obligations KeY + SMT solvers successful or failed proof attempt Language Taclet KeY rule base Overview VTSA, 24.–28.08.2015 6/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  12. KeY Verification Process Overview VTSA, 24.–28.08.2015 7/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  13. Example: JML Specification of ♠❛①✭✮ /*@ requires a != null @ ensures (\ forall int i; 0<=i && i<a.length ; @ \result >= a[i]); @ ensures a.length > 0 ==> @ (\ exists int i; 0<=i && i<a.length ; @ \result == a[i]); @*/ ♣✉❜❧✐❝ st❛t✐❝ ✐♥t max( ✐♥t [] a) { ✐❢ ( a.length == 0 ) r❡t✉r♥ 0; ✐♥t max = a[0], i = 1; /*@ loop_invariant @ i <= a.length && @ (\ forall int j; j>=0 && j<i; max >=a[j]) && @ (\ exists int j; j>=0 && j<i; max==a[j]); @ modifies i, max; @ decreases a.length - i; @*/ ✇❤✐❧❡ ( i < a.length ) { ✐❢ ( a[i] > max ) max = a[i]; ++i; } Overview r❡t✉r♥ max; } VTSA, 24.–28.08.2015 8/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  14. DEMO The KeY Tool Overview VTSA, 24.–28.08.2015 9/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  15. A Case Study: The TimSort Bug [De Gouw et al., CAV 2015] TimSort Standard algorithm: Open JDK, Android, Apache, Haskell, Python Clever combination of merge sort and insertion sort Bug found during (failed) verification attempt with KeY Throws uncaught ArrayIndexOutOfBoundsException for certain inputs Symbolic counter example generation & analysis lead to witness Interaction (understanding intermediate proof state) crucial Verification of fixed version with KeY Proof: JDK code with bug fix does not throw an exception 2,200,000 rule applications – 99.8 % automatic Overview VTSA, 24.–28.08.2015 10/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  16. A Case Study: The TimSort Bug [De Gouw et al., CAV 2015] TimSort Standard algorithm: Open JDK, Android, Apache, Haskell, Python Clever combination of merge sort and insertion sort Bug found during (failed) verification attempt with KeY Throws uncaught ArrayIndexOutOfBoundsException for certain inputs Symbolic counter example generation & analysis lead to witness Interaction (understanding intermediate proof state) crucial Verification of fixed version with KeY Proof: JDK code with bug fix does not throw an exception 2,200,000 rule applications – 99.8 % automatic Overview VTSA, 24.–28.08.2015 10/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  17. A Case Study: The TimSort Bug [De Gouw et al., CAV 2015] TimSort Standard algorithm: Open JDK, Android, Apache, Haskell, Python Clever combination of merge sort and insertion sort Bug found during (failed) verification attempt with KeY Throws uncaught ArrayIndexOutOfBoundsException for certain inputs Symbolic counter example generation & analysis lead to witness Interaction (understanding intermediate proof state) crucial Verification of fixed version with KeY Proof: JDK code with bug fix does not throw an exception 2,200,000 rule applications – 99.8 % automatic Overview VTSA, 24.–28.08.2015 10/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  18. Part II The Java Modeling Language – By Example – 1 Method Contracts Quantifiers 2 3 Handling Loops Frame Conditions 4 5 Using Contracts Abstraction 6 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 11/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  19. Part II The Java Modeling Language – By Example – 1 Method Contracts Quantifiers 2 3 Handling Loops Frame Conditions 4 5 Using Contracts Abstraction 6 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 12/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  20. Method Contracts JML Spec of Postincrement ♣✉❜❧✐❝ ❝❧❛ss PostInc{ ♣✉❜❧✐❝ PostInc act; ♣✉❜❧✐❝ ✐♥t x,y; /*@ ♣✉❜❧✐❝ normal_behavior @ requires true; @ ensures act.x == \old(act.y) && @ act.y == \old(act.y) + 1; @*/ ♣✉❜❧✐❝ ✈♦✐❞ postinc() { act.x = act.y++; }} Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 13/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  21. Method Contracts JML Spec of Postincrement ♣✉❜❧✐❝ ❝❧❛ss PostInc{ ♣✉❜❧✐❝ PostInc act; ♣✉❜❧✐❝ ✐♥t x,y; /*@ ♣✉❜❧✐❝ normal_behavior @ requires true; @ ensures act.x == \old(act.y) && @ act.y == \old(act.y) + 1; @*/ ♣✉❜❧✐❝ ✈♦✐❞ postinc() { act.x = act.y++; }} JML annotation occur as special comments in source programm Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 13/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  22. Method Contracts JML Spec of Postincrement ♣✉❜❧✐❝ ❝❧❛ss PostInc{ ♣✉❜❧✐❝ PostInc act; ♣✉❜❧✐❝ ✐♥t x,y; /*@ ♣✉❜❧✐❝ normal_behavior @ requires true; @ ensures act.x == \old(act.y) && @ act.y == \old(act.y) + 1; @*/ ♣✉❜❧✐❝ ✈♦✐❞ postinc() { act.x = act.y++; }} precondition Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 13/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  23. Method Contracts JML Spec of Postincrement ♣✉❜❧✐❝ ❝❧❛ss PostInc{ ♣✉❜❧✐❝ PostInc act; ♣✉❜❧✐❝ ✐♥t x,y; /*@ ♣✉❜❧✐❝ normal_behavior @ requires true; @ ensures act.x == \old(act.y) && @ act.y == \old(act.y) + 1; @*/ ♣✉❜❧✐❝ ✈♦✐❞ postinc() { act.x = act.y++; }} postcondition Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 13/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  24. Method Contracts JML Spec of Postincrement ♣✉❜❧✐❝ ❝❧❛ss PostInc{ ♣✉❜❧✐❝ PostInc act; ♣✉❜❧✐❝ ✐♥t x,y; /*@ ♣✉❜❧✐❝ normal_behavior @ requires true; @ ensures act.x == \old(act.y) && @ act.y == \old(act.y) + 1; @*/ ♣✉❜❧✐❝ ✈♦✐❞ postinc() { act.x = act.y++; }} JML operator \ old(e) refers to value of e in prestate Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 13/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  25. Method Contracts JML Spec of Postincrement ♣✉❜❧✐❝ ❝❧❛ss PostInc{ ♣✉❜❧✐❝ PostInc act; ♣✉❜❧✐❝ ✐♥t x,y; /*@ ♣✉❜❧✐❝ normal_behavior @ requires true; @ ensures act.x == \old(act.y) && @ act.y == \old(act.y) + 1; @*/ ♣✉❜❧✐❝ ✈♦✐❞ postinc() { act.x = act.y++; }} All side-effect-free Java expressions allowed Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 13/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  26. Method Contracts JML Spec of Postincrement ♣✉❜❧✐❝ ❝❧❛ss PostInc{ ♣✉❜❧✐❝ PostInc act; ♣✉❜❧✐❝ ✐♥t x,y; /*@ ♣✉❜❧✐❝ normal_behavior @ requires true; @ ensures act.x == \old(act.y) && @ act.y == \old(act.y) + 1; @*/ ♣✉❜❧✐❝ ✈♦✐❞ postinc() { act.x = act.y++; }} Plus special operators ( \ . . . ) Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 13/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  27. Method Contracts Non-null default ♣✉❜❧✐❝ ❝❧❛ss PostInc{ ♣✉❜❧✐❝ PostInc /*@ nullable @*/ act; ♣✉❜❧✐❝ ✐♥t x,y; /*@ ♣✉❜❧✐❝ normal_behavior @ requires act != ♥✉❧❧ ; @ ensures act.x == \old(act.y) && @ act.y == \old(act.y) + 1; @*/ ♣✉❜❧✐❝ ✈♦✐❞ postinc() { act.x = act.y++; }} Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 14/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  28. Method Contracts Non-null default ♣✉❜❧✐❝ ❝❧❛ss PostInc{ ♣✉❜❧✐❝ PostInc /*@ nullable @*/ act; ♣✉❜❧✐❝ ✐♥t x,y; /*@ ♣✉❜❧✐❝ normal_behavior @ requires act != ♥✉❧❧ ; @ ensures act.x == \old(act.y) && @ act.y == \old(act.y) + 1; @*/ ♣✉❜❧✐❝ ✈♦✐❞ postinc() { act.x = act.y++; }} By default JML assumes all fields and parameters to be non null Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 14/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  29. Method Contracts Non-null default ♣✉❜❧✐❝ ❝❧❛ss PostInc{ ♣✉❜❧✐❝ PostInc /*@ nullable @*/ act; ♣✉❜❧✐❝ ✐♥t x,y; /*@ ♣✉❜❧✐❝ normal_behavior @ requires act != ♥✉❧❧ ; @ ensures act.x == \old(act.y) && @ act.y == \old(act.y) + 1; @*/ ♣✉❜❧✐❝ ✈♦✐❞ postinc() { act.x = act.y++; }} The default is overwritten by the keyword nullable Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 14/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  30. Method Contracts Non-null default ♣✉❜❧✐❝ ❝❧❛ss PostInc{ ♣✉❜❧✐❝ PostInc /*@ nullable @*/ act; ♣✉❜❧✐❝ ✐♥t x,y; /*@ ♣✉❜❧✐❝ normal_behavior @ requires act != ♥✉❧❧ ; @ ensures act.x == \old(act.y) && @ act.y == \old(act.y) + 1; @*/ ♣✉❜❧✐❝ ✈♦✐❞ postinc() { act.x = act.y++; }} In this case the precondition has to be adapted accordingly Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 14/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  31. Method Contracts Specification of commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; /*@ ♣✉❜❧✐❝ normal_behaviour @ requires 0<=l && l<r && r<=a1.length && r<=a2.length; @ assignable \nothing; @ ensures ( l <= \result && \result < r && @ a1[\result] == a2[\result] ) || \result == r ; @ ensures (\forall int j; l <= j && j < \result ; @ a1[j] != a2[j]); @*/ ♣✉❜❧✐❝ ✐♥t commonEntry( ✐♥t l, ✐♥t r) { ... } } Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 15/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  32. Method Contracts Specification of commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; /*@ ♣✉❜❧✐❝ normal_behaviour @ requires 0<=l && l<r && r<=a1.length && r<=a2.length; @ assignable \nothing; @ ensures ( l <= \result && \result < r && @ a1[\result] == a2[\result] ) || \result == r ; @ ensures (\forall int j; l <= j && j < \result ; @ a1[j] != a2[j]); @*/ ♣✉❜❧✐❝ ✐♥t commonEntry( ✐♥t l, ✐♥t r) { ... } } JML uses \ result to refer to the return value of a method Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 15/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  33. Method Contracts Specification of commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; /*@ ♣✉❜❧✐❝ normal_behaviour @ requires 0<=l && l<r && r<=a1.length && r<=a2.length; @ assignable \nothing; @ ensures ( l <= \result && \result < r && @ a1[\result] == a2[\result] ) || \result == r ; @ ensures (\forall int j; l <= j && j < \result ; @ a1[j] != a2[j]); @*/ ♣✉❜❧✐❝ ✐♥t commonEntry( ✐♥t l, ✐♥t r) { ... } } Method commonEntry looks for an index within the bounds Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 15/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  34. Method Contracts Specification of commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; /*@ ♣✉❜❧✐❝ normal_behaviour @ requires 0<=l && l<r && r<=a1.length && r<=a2.length; @ assignable \nothing; @ ensures ( l <= \result && \result < r && @ a1[\result] == a2[\result] ) || \result == r ; @ ensures (\forall int j; l <= j && j < \result ; @ a1[j] != a2[j]); @*/ ♣✉❜❧✐❝ ✐♥t commonEntry( ✐♥t l, ✐♥t r) { ... } } such that the two arrays have the same entry Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 15/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  35. Method Contracts Specification of commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; /*@ ♣✉❜❧✐❝ normal_behaviour @ requires 0<=l && l<r && r<=a1.length && r<=a2.length; @ assignable \nothing; @ ensures ( l <= \result && \result < r && @ a1[\result] == a2[\result] ) || \result == r ; @ ensures (\forall int j; l <= j && j < \result ; @ a1[j] != a2[j]); @*/ ♣✉❜❧✐❝ ✐♥t commonEntry( ✐♥t l, ✐♥t r) { ... } } If no such index exists the return value is the upper bound Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 15/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  36. Method Contracts Specification of commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; /*@ ♣✉❜❧✐❝ normal_behaviour @ requires 0<=l && l<r && r<=a1.length && r<=a2.length; @ assignable \nothing; @ ensures ( l <= \result && \result < r && @ a1[\result] == a2[\result] ) || \result == r ; @ ensures (\forall int j; l <= j && j < \result ; @ a1[j] != a2[j]); @*/ ♣✉❜❧✐❝ ✐♥t commonEntry( ✐♥t l, ✐♥t r) { ... } } Furthermore, \ result should be the first index of this kind Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 15/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  37. Part II The Java Modeling Language – By Example – 1 Method Contracts Quantifiers 2 3 Handling Loops Frame Conditions 4 5 Using Contracts Abstraction 6 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 16/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  38. Part II The Java Modeling Language – By Example – 1 Method Contracts Quantifiers 2 3 Handling Loops Frame Conditions 4 5 Using Contracts Abstraction 6 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 17/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  39. Quantifiers in JML Specification of commonEntry @ ... @ ensures (\forall int j; l <= j && j < \result; @ a1[j] != a2[j] ); @ ... Quantified formulas in JML consist of the quantifier the range restriction the body Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 18/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  40. Quantifiers in JML Specification of commonEntry @ ... @ ensures (\forall int j; l <= j && j < \result; @ a1[j] != a2[j] ); @ ... Quantified formulas in JML consist of the quantifier the range restriction the body Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 18/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  41. Quantifiers in JML Specification of commonEntry @ ... @ ensures (\forall int j; l <= j && j < \result; @ a1[j] != a2[j] ); @ ... Quantified formulas in JML consist of the quantifier the range restriction the body Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 18/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  42. Quantifiers in JML Specification of commonEntry @ ... @ ensures (\forall int j; l <= j && j < \result; @ a1[j] != a2[j] ); @ ... Quantified formulas in JML consist of the quantifier the range restriction the body Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 18/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  43. Quantifiers in JML Semantics \ forall T x; R; B; JML ∀ T : x ( R → B ) predicate logic \ exists T x; R; B; JML ∃ T : x ( R ∧ B ) predicate logic Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 19/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  44. Part II The Java Modeling Language – By Example – 1 Method Contracts Quantifiers 2 3 Handling Loops Frame Conditions 4 5 Using Contracts Abstraction 6 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 20/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  45. Part II The Java Modeling Language – By Example – 1 Method Contracts Quantifiers 2 3 Handling Loops Frame Conditions 4 5 Using Contracts Abstraction 6 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 21/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  46. Loop Invariants Loop Invariant for commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; ... commonEntry( ✐♥t l, ✐♥t r){ ✐♥t k = l; ♣✉❜❧✐❝ ✐♥t /*@ loop_invariant l <= k && k <= r && @ (\forall int i; l <= i && i < k; a1[i] != a2[i] ); @ assignable \nothing; @ decreases a1.length - k; @*/ ✇❤✐❧❡ (k < r){ ✐❢ (a1[k] == a2[k]){ ❜r❡❛❦ ;} k++;} r❡t✉r♥ k;} } Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 22/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  47. Loop Invariants Loop Invariant for commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; ... commonEntry( ✐♥t l, ✐♥t r){ ✐♥t k = l; ♣✉❜❧✐❝ ✐♥t /*@ loop_invariant l <= k && k <= r && @ (\forall int i; l <= i && i < k; a1[i] != a2[i] ); @ assignable \nothing; @ decreases a1.length - k; @*/ ✇❤✐❧❡ (k < r){ ✐❢ (a1[k] == a2[k]){ ❜r❡❛❦ ;} k++;} r❡t✉r♥ k;} } The loop invariant Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 22/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  48. Loop Invariants Loop Invariant for commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; ... commonEntry( ✐♥t l, ✐♥t r){ ✐♥t k = l; ♣✉❜❧✐❝ ✐♥t /*@ loop_invariant l <= k && k <= r && @ (\forall int i; l <= i && i < k; a1[i] != a2[i] ); @ assignable \nothing; @ decreases a1.length - k; @*/ ✇❤✐❧❡ (k < r){ ✐❢ (a1[k] == a2[k]){ ❜r❡❛❦ ;} k++;} r❡t✉r♥ k;} } The loop invariant is valid before entering the loop since Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 22/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  49. Loop Invariants Loop Invariant for commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; ... commonEntry( ✐♥t l, ✐♥t r){ ✐♥t k = l; ♣✉❜❧✐❝ ✐♥t /*@ loop_invariant l <= k && k <= r && @ (\forall int i; l <= i && i < k; a1[i] != a2[i] ); @ assignable \nothing; @ decreases a1.length - k; @*/ ✇❤✐❧❡ (k < r){ ✐❢ (a1[k] == a2[k]){ ❜r❡❛❦ ;} k++;} r❡t✉r♥ k;} } l <= k && k <= r k==l l<r follows from and precondition Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 22/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  50. Loop Invariants Loop Invariant for commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; ... commonEntry( ✐♥t l, ✐♥t r){ ✐♥t k = l; ♣✉❜❧✐❝ ✐♥t /*@ loop_invariant l <= k && k <= r && @ (\forall int i; l <= i && i < k; a1[i] != a2[i] ); @ assignable \nothing; @ decreases a1.length - k; @*/ ✇❤✐❧❡ (k < r){ ✐❢ (a1[k] == a2[k]){ ❜r❡❛❦ ;} k++;} r❡t✉r♥ k;} } l <= k && k <= r k==l l<r follows from and precondition and quantification is empty Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 22/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  51. Loop Invariants Loop Invariant for commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; ... commonEntry( ✐♥t l, ✐♥t r){ ✐♥t k = l; ♣✉❜❧✐❝ ✐♥t /*@ loop_invariant l <= k && k <= r && @ (\forall int i; l <= i && i < k; a1[i] != a2[i] ); @ assignable \nothing; @ decreases a1.length - k; @*/ ✇❤✐❧❡ (k < r){ ✐❢ (a1[k] == a2[k]){ ❜r❡❛❦ ;} k++;} r❡t✉r♥ k;} } If the loop body is started in a state satisfying the invariant, it terminates in a state satisfying the invariant Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 22/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  52. Loop Invariants Loop Invariant for commonEntry ❝❧❛ss SITAPar{ ♣✉❜❧✐❝ ✐♥t [] a1,a2; ... commonEntry( ✐♥t l, ✐♥t r){ ✐♥t k = l; ♣✉❜❧✐❝ ✐♥t /*@ loop_invariant l <= k && k <= r && @ (\forall int i; l <= i && i < k; a1[i] != a2[i] ); @ assignable \nothing; @ decreases a1.length - k; @*/ ✇❤✐❧❡ (k < r){ ✐❢ (a1[k] == a2[k]){ ❜r❡❛❦ ;} k++;} r❡t✉r♥ k;} } Distinguish break and non- break case! Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 22/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  53. Using a Loop Invariant On termination of the loop the invariant l <= k && k <= r && (\forall ✐♥t i; l <= i && i < k; a1[i] != a2[i]) plus \result = k plus reason for termination of the loop k == r or k < r && a1[k] == a2[k] imply the postconditions (l <= \result && \result < r && a1[\result] == a2[\result]) || \result == r and \forall ✐♥t j; l <= j && j < \result; a1[j] != a2[j] Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 23/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  54. Using a Loop Invariant On termination of the loop the invariant l <= k && k <= r && (\forall ✐♥t i; l <= i && i < k; a1[i] != a2[i]) plus \result = k plus reason for termination of the loop k == r or k < r && a1[k] == a2[k] imply the postconditions (l <= \result && \result < r && a1[\result] == a2[\result]) || \result == r and \forall ✐♥t j; l <= j && j < \result; a1[j] != a2[j] Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 23/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  55. Loop Termination commonEntry( ✐♥t l, ✐♥t r){ ✐♥t k = l; ♣✉❜❧✐❝ ✐♥t /*@ loop_invariant l <= k && k <= r && @ (\forall ✐♥t i; l <= i && i < k; a1[i] != a2[i] ); @ assignable \nothing; @ decreases a1.length - k; @*/ ✇❤✐❧❡ (k < r){ ✐❢ (a1[k] == a2[k]){ ❜r❡❛❦ ;} k++;} r❡t✉r♥ k;} } is ≥ 0 on entering the loop strictly decreases in every loop iteration but always stays ≥ 0 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 24/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  56. Loop Termination ♣✉❜❧✐❝ ✐♥t commonEntry( ✐♥t l, ✐♥t r){ ✐♥t k = l; /*@ loop_invariant l <= k && k <= r && @ (\forall ✐♥t i; l <= i && i < k; a1[i] != a2[i] ); @ assignable \nothing; @ decreases a1.length - k; @*/ ✇❤✐❧❡ (k < r){ ✐❢ (a1[k] == a2[k]){ ❜r❡❛❦ ;} k++;} r❡t✉r♥ k;} } The loop variant is ≥ 0 on entering the loop strictly decreases in every loop iteration but always stays ≥ 0 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 24/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  57. Loop Termination ♣✉❜❧✐❝ ✐♥t commonEntry( ✐♥t l, ✐♥t r){ ✐♥t k = l; /*@ loop_invariant l <= k && k <= r && @ (\forall ✐♥t i; l <= i && i < k; a1[i] != a2[i] ); @ assignable \nothing; @ decreases a1.length - k; @*/ ✇❤✐❧❡ (k < r){ ✐❢ (a1[k] == a2[k]){ ❜r❡❛❦ ;} k++;} r❡t✉r♥ k;} } The loop variant is ≥ 0 on entering the loop strictly decreases in every loop iteration but always stays ≥ 0 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 24/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  58. Loop Termination ♣✉❜❧✐❝ ✐♥t commonEntry( ✐♥t l, ✐♥t r){ ✐♥t k = l; /*@ loop_invariant l <= k && k <= r && @ (\forall ✐♥t i; l <= i && i < k; a1[i] != a2[i] ); @ assignable \nothing; @ decreases a1.length - k; @*/ ✇❤✐❧❡ (k < r){ ✐❢ (a1[k] == a2[k]){ ❜r❡❛❦ ;} k++;} r❡t✉r♥ k;} } The loop variant is ≥ 0 on entering the loop strictly decreases in every loop iteration but always stays ≥ 0 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 24/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  59. Loop Termination ♣✉❜❧✐❝ ✐♥t commonEntry( ✐♥t l, ✐♥t r){ ✐♥t k = l; /*@ loop_invariant l <= k && k <= r && @ (\forall ✐♥t i; l <= i && i < k; a1[i] != a2[i] ); @ assignable \nothing; @ decreases a1.length - k; @*/ ✇❤✐❧❡ (k < r){ ✐❢ (a1[k] == a2[k]){ ❜r❡❛❦ ;} k++;} r❡t✉r♥ k;} } The loop variant is ≥ 0 on entering the loop strictly decreases in every loop iteration but always stays ≥ 0 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 24/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  60. Part II The Java Modeling Language – By Example – 1 Method Contracts Quantifiers 2 3 Handling Loops Frame Conditions 4 5 Using Contracts Abstraction 6 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 25/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  61. Part II The Java Modeling Language – By Example – 1 Method Contracts Quantifiers 2 3 Handling Loops Frame Conditions 4 5 Using Contracts Abstraction 6 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 26/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  62. Assignable Clauses /*@ ♣✉❜❧✐❝ normal_behaviour @ requires 0 <= pos1 && 0 <= pos2 && @ pos1 < a.length && pos2 < a.length; @ ensures a[pos1] == \old(a[pos2]) && @ a[pos2] == \old(a[pos1]); @ assignable a[pos1], a[pos2]; @*/ swap( ✐♥t [] a, ✐♥t pos1, ✐♥t pos2) { ♣✉❜❧✐❝ ✈♦✐❞ ✐♥t temp; temp = a[pos1]; a[pos1] = a[pos2]; a[pos2] = temp;} Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 27/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  63. Assignable Clauses /*@ ♣✉❜❧✐❝ normal_behaviour @ requires 0 <= pos1 && 0 <= pos2 && @ pos1 < a.length && pos2 < a.length; @ ensures a[pos1] == \old(a[pos2]) && @ a[pos2] == \old(a[pos1]); @ assignable a[pos1], a[pos2]; @*/ swap( ✐♥t [] a, ✐♥t pos1, ✐♥t pos2) { ♣✉❜❧✐❝ ✈♦✐❞ ✐♥t temp; temp = a[pos1]; a[pos1] = a[pos2]; a[pos2] = temp;} At most the locations in the assignable clause may be changed Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 27/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  64. Assignable Clauses /*@ ♣✉❜❧✐❝ normal_behaviour @ requires 0 <= pos1 && 0 <= pos2 && @ pos1 < a.length && pos2 < a.length; @ ensures a[pos1] == \old(a[pos2]) && @ a[pos2] == \old(a[pos1]); @ assignable a[pos1], a[pos2]; @*/ swap( ✐♥t [] a, ✐♥t pos1, ✐♥t pos2) { ♣✉❜❧✐❝ ✈♦✐❞ ✐♥t temp; temp = a[pos1]; a[pos1] = a[pos2]; a[pos2] = temp;} Everything else must remain unchanged Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 27/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  65. Assignable Clauses /*@ ♣✉❜❧✐❝ normal_behaviour @ requires 0 <= pos1 && 0 <= pos2 && @ pos1 < a.length && pos2 < a.length; @ ensures a[pos1] == \old(a[pos2]) && @ a[pos2] == \old(a[pos1]); @ assignable a[pos1], a[pos2]; @*/ swap( ✐♥t [] a, ✐♥t pos1, ✐♥t pos2) { ♣✉❜❧✐❝ ✈♦✐❞ ✐♥t temp; temp = a[pos1]; a[pos1] = a[pos2]; a[pos2] = temp;} Local variables need not be included Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 27/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  66. Assignable Clauses /*@ ♣✉❜❧✐❝ normal_behaviour @ requires 0 <= pos1 && 0 <= pos2 && @ pos1 < a.length && pos2 < a.length; @ ensures a[pos1] == \old(a[pos2]) && @ a[pos2] == \old(a[pos1]); @ assignable a[pos1], a[pos2]; @*/ swap( ✐♥t [] a, ✐♥t pos1, ✐♥t pos2) { ♣✉❜❧✐❝ ✈♦✐❞ ✐♥t temp; temp = a[pos1]; a[pos1] = a[pos2]; a[pos2] = temp;} Assignable clauses are evaluated in the prestate Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 27/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  67. Part II The Java Modeling Language – By Example – 1 Method Contracts Quantifiers 2 3 Handling Loops Frame Conditions 4 5 Using Contracts Abstraction 6 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 28/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  68. Part II The Java Modeling Language – By Example – 1 Method Contracts Quantifiers 2 3 Handling Loops Frame Conditions 4 5 Using Contracts Abstraction 6 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 29/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  69. Using Contracts ❝❧❛ss SITA3{ ♣✉❜❧✐❝ ✐♥t [] a1, a2; /*@ ♣✉❜❧✐❝ normal_behaviour @ requires a1.length == a2.length; @ ensures (\forall ✐♥t i; 0<= i && i < a1.length; @ a1[i] == a2[i] ==> @ (\forall ✐♥t j; 0<= j && j < i; a1[j] == a2[j])); @ assignable a1[*],a2[*]; @*/ ♣✉❜❧✐❝ ✈♦✐❞ rearrange(){ ✐♥t m = 0 ; ✐♥t k = 0; ✇❤✐❧❡ (m < a1.length) { m = commonEntry(m,a1.length); ✐❢ (m < a1.length) {swap(a1,m,k); ✐❢ (a1 != a2) { swap(a2,m,k);} k = k+1 ; m = m+1;}}}} Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 30/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  70. Using Contracts ❝❧❛ss SITA3{ ♣✉❜❧✐❝ ✐♥t [] a1, a2; /*@ ♣✉❜❧✐❝ normal_behaviour @ requires a1.length == a2.length; @ ensures (\forall ✐♥t i; 0<= i && i < a1.length; @ a1[i] == a2[i] ==> @ (\forall ✐♥t j; 0<= j && j < i; a1[j] == a2[j])); @ assignable a1[*],a2[*]; @*/ rearrange(){ ✐♥t m = 0 ; ✐♥t k = 0; ♣✉❜❧✐❝ ✈♦✐❞ ✇❤✐❧❡ (m < a1.length) { m = commonEntry(m,a1.length); ✐❢ (m < a1.length) {swap(a1,m,k); ✐❢ (a1 != a2) { swap(a2,m,k);} k = k+1 ; m = m+1;}}}} Method rearrange Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 30/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  71. Using Contracts ❝❧❛ss SITA3{ ♣✉❜❧✐❝ ✐♥t [] a1, a2; /*@ ♣✉❜❧✐❝ normal_behaviour @ requires a1.length == a2.length; @ ensures (\forall ✐♥t i; 0<= i && i < a1.length; @ a1[i] == a2[i] ==> @ (\forall ✐♥t j; 0<= j && j < i; a1[j] == a2[j])); @ assignable a1[*],a2[*]; @*/ rearrange(){ ✐♥t m = 0 ; ✐♥t k = 0; ♣✉❜❧✐❝ ✈♦✐❞ ✇❤✐❧❡ (m < a1.length) { m = commonEntry(m,a1.length); ✐❢ (m < a1.length) {swap(a1,m,k); ✐❢ (a1 != a2) { swap(a2,m,k);} k = k+1 ; m = m+1;}}}} Method rearrange uses methods commonEntry Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 30/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  72. Using Contracts ❝❧❛ss SITA3{ ♣✉❜❧✐❝ ✐♥t [] a1, a2; /*@ ♣✉❜❧✐❝ normal_behaviour @ requires a1.length == a2.length; @ ensures (\forall ✐♥t i; 0<= i && i < a1.length; @ a1[i] == a2[i] ==> @ (\forall ✐♥t j; 0<= j && j < i; a1[j] == a2[j])); @ assignable a1[*],a2[*]; @*/ rearrange(){ ✐♥t m = 0 ; ✐♥t k = 0; ♣✉❜❧✐❝ ✈♦✐❞ ✇❤✐❧❡ (m < a1.length) { m = commonEntry(m,a1.length); ✐❢ (m < a1.length) {swap(a1,m,k); ✐❢ (a1 != a2) { swap(a2,m,k);} k = k+1 ; m = m+1;}}}} Method rearrange uses methods commonEntry and swap Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 30/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  73. Using Contracts ❝❧❛ss SITA3{ ♣✉❜❧✐❝ ✐♥t [] a1, a2; /*@ ♣✉❜❧✐❝ normal_behaviour @ requires a1.length == a2.length; @ ensures (\forall ✐♥t i; 0<= i && i < a1.length; @ a1[i] == a2[i] ==> @ (\forall ✐♥t j; 0<= j && j < i; a1[j] == a2[j])); @ assignable a1[*],a2[*]; @*/ rearrange(){ ✐♥t m = 0 ; ✐♥t k = 0; ♣✉❜❧✐❝ ✈♦✐❞ ✇❤✐❧❡ (m < a1.length) { m = commonEntry(m,a1.length); ✐❢ (m < a1.length) {swap(a1,m,k); ✐❢ (a1 != a2) { swap(a2,m,k);} k = k+1 ; m = m+1;}}}} Verification of rearrange uses their contracts, not their implementation Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 30/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  74. Using Contracts ❝❧❛ss SITA3{ ♣✉❜❧✐❝ ✐♥t [] a1, a2; /*@ ♣✉❜❧✐❝ normal_behaviour @ requires a1.length == a2.length; @ ensures (\forall ✐♥t i; 0<= i && i < a1.length; @ a1[i] == a2[i] ==> @ (\forall ✐♥t j; 0<= j && j < i; a1[j] == a2[j])); @ assignable a1[*],a2[*]; @*/ rearrange(){ ✐♥t m = 0 ; ✐♥t k = 0; ♣✉❜❧✐❝ ✈♦✐❞ ✇❤✐❧❡ (m < a1.length) { m = commonEntry(m,a1.length); ✐❢ (m < a1.length) {swap(a1,m,k); ✐❢ (a1 != a2) { swap(a2,m,k);} k = k+1 ; m = m+1;}}}} Key to scalability Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 30/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  75. Part II The Java Modeling Language – By Example – 1 Method Contracts Quantifiers 2 3 Handling Loops Frame Conditions 4 5 Using Contracts Abstraction 6 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 31/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  76. Part II The Java Modeling Language – By Example – 1 Method Contracts Quantifiers 2 3 Handling Loops Frame Conditions 4 5 Using Contracts Abstraction 6 Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 32/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  77. Model Fields /*@ model \seq seq1; model \seq seq2; @*/ /*@ represents seq1 = \dl_array2seq(a1); @ represents seq2 = \dl_array2seq(a2); @*/ /*@ public normal_behaviour @ ensures \dl_seqPerm(seq1,\old(seq1)) && @ \dl_seqPerm(seq2,\old(seq2) ) ; @*/ ♣✉❜❧✐❝ ✈♦✐❞ rearrange(){ ... } Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 33/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  78. Model Fields /*@ model \seq seq1; model \seq seq2; @*/ /*@ represents seq1 = \dl_array2seq(a1); @ represents seq2 = \dl_array2seq(a2); @*/ /*@ public normal_behaviour @ ensures \dl_seqPerm(seq1,\old(seq1)) && @ \dl_seqPerm(seq2,\old(seq2) ) ; @*/ ♣✉❜❧✐❝ ✈♦✐❞ rearrange(){ ... } model fields are only for specification Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 33/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

  79. Model Fields /*@ model \seq seq1; model \seq seq2; @*/ /*@ represents seq1 = \dl_array2seq(a1); @ represents seq2 = \dl_array2seq(a2); @*/ /*@ public normal_behaviour @ ensures \dl_seqPerm(seq1,\old(seq1)) && @ \dl_seqPerm(seq2,\old(seq2) ) ; @*/ ♣✉❜❧✐❝ ✈♦✐❞ rearrange(){ ... } \ seq is an abstract data type Method Contracts Quantifiers Handling Loops Frame Conditions Using Contracts Abstraction VTSA, 24.–28.08.2015 33/102 Bernhard Beckert – Deductive Verification of Object-Oriented Software

Recommend

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.82k views • 158 slides
Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente) www.se.tu-darmstadt.de TU Darmstadt, Software Engineering Group Many challenges apply to AD in general Deductive Software Verification

165 views • 15 slides
CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of

CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of

CMSC 132: Object-Oriented Programming II Object-Oriented Programming Intro Department of Computer Science University of Maryland, College Park Object-Oriented Programming (OOP) Approach to improving software View software as a

593 views • 18 slides
Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool Reiner H ahnle (joint work with Richard Bubel and Ran Ji) Chalmers University of Technology Department of Computer Science and Engineering 10

1.11k views • 82 slides
Unified Static and Runtime Verification of Object-Oriented Software Wolfgang Ahrendt 1 , Mauricio

Unified Static and Runtime Verification of Object-Oriented Software Wolfgang Ahrendt 1 , Mauricio

Unified Static and Runtime Verification of Object-Oriented Software Wolfgang Ahrendt 1 , Mauricio Chimento 1 , Gerardo Schneider 2 , Gordon J. Pace 3 1 Chalmers University of Technology, Gothenburg, Sweden 2 University of Gothenburg, Sweden 3

449 views • 32 slides
Object Oriented Software Development Naufal F. Setiawan School of Computing and Information

Object Oriented Software Development Naufal F. Setiawan School of Computing and Information

Object Oriented Software Development Object Oriented Software Development Naufal F. Setiawan School of Computing and Information Systems University of Melbourne Workshop 2 (All images from Wikimedia Commons) Object Oriented Software

494 views • 18 slides
Object Oriented Software Development Naufal F. Setiawan School of Computing and Information

Object Oriented Software Development Naufal F. Setiawan School of Computing and Information

Object Oriented Software Development Object Oriented Software Development Naufal F. Setiawan School of Computing and Information Systems University of Melbourne Workshop 3 ( Most images from Wikimedia Commons) Object Oriented Software

438 views • 17 slides
Object-Oriented Design No SVN checkout today Software development methods Object-oriented

Object-Oriented Design No SVN checkout today Software development methods Object-oriented

Object-Oriented Design No SVN checkout today Software development methods Object-oriented design with CRC cards LayoutManagers for Java GUIs BallWorlds work time Analysis Design Software Implementation Development Testing

747 views • 30 slides
Object-Oriented Design No SVN checkout today Software development methods Object-oriented

Object-Oriented Design No SVN checkout today Software development methods Object-oriented

Object-Oriented Design No SVN checkout today Software development methods Object-oriented design with CRC cards LayoutManagers for Java GUIs BallWorlds work time Analysis Design Software Implementation Development Testing

793 views • 32 slides
Object Oriented Software Development Naufal F. Setiawan School of Computing and Information

Object Oriented Software Development Naufal F. Setiawan School of Computing and Information

Object Oriented Software Development Object Oriented Software Development Naufal F. Setiawan School of Computing and Information Systems University of Melbourne Workshop 7 Object Oriented Software Development UML Diagrams What is a UML Class

423 views • 16 slides
Object oriented Object oriented Object oriented Object oriented approach and UML approach and

Object oriented Object oriented Object oriented Object oriented approach and UML approach and

Object oriented Object oriented Object oriented Object oriented approach and UML approach and UML approach and UML approach and UML Goals The goals of this chapter are to introduce the object oriented approach to software systems

1.06k views • 92 slides
Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and

Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and

Object-Oriented Software Design (COMP 304) 7 January 2005 Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and Design Lab (MSDL) School of Computer Science, McGill University, Montr eal, Canada

279 views • 17 slides
Object Oriented Software Development Naufal F. Setiawan School of Computing and Information

Object Oriented Software Development Naufal F. Setiawan School of Computing and Information

Object Oriented Software Development Object Oriented Software Development Naufal F. Setiawan School of Computing and Information Systems University of Melbourne Workshop 5 Object Oriented Software Development Keywords What does it mean for a

612 views • 25 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay JCP 2016 1. A short look back 2 / 100 Introduction Software is hard. D ONALD K NUTH ... 1996: Ariane 5 explosion an

1.13k views • 100 slides
Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 2:

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 2:

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 2: Review of Object Orientation Lecture 2 2.1 What is Object Orientation? Procedural paradigm: Software is organized around the notion of

435 views • 14 slides
Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and

Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and

Object-Oriented Software Design (COMP 304) Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and Design Lab (MSDL) School of Computer Science, McGill University, Montr eal, Canada Hans Vangheluwe

785 views • 42 slides
Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and

Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and

Object-Oriented Software Design (COMP 304) Object-Oriented Software Design and Software Processes Hans Vangheluwe Modelling, Simulation and Design Lab (MSDL) School of Computer Science, McGill University, Montr eal, Canada Hans Vangheluwe

506 views • 22 slides
Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object

Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object

4/13/2017 OOP Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object oriented Programming (Using C++) ht t p: / / www. com pgeom . com / ~pi yush/ t each/ 3330 Objects: State (fields), Behavior (member

632 views • 6 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay http://why3.lri.fr/ejcp-2019 JCP 2019 Software is hard. D ONALD K NUTH 2 / 171 Ensure the absence of bugs Several

2k views • 171 slides
Specification and Verification of Multithreaded Object-Oriented Programs with Separation Logic

Specification and Verification of Multithreaded Object-Oriented Programs with Separation Logic

Specification and Verification of Multithreaded Object-Oriented Programs with Separation Logic Cl ement Hurlin INRIA Sophia Antipolis M editerran ee, France Universiteit Twente, The Netherlands Soutenance de th` ese Th` ese

1.68k views • 130 slides
Imperative vs. object- oriented paradigms 1 11/14/17 Imperative vs. object-oriented u

Imperative vs. object- oriented paradigms 1 11/14/17 Imperative vs. object-oriented u

11/14/17 CSCI-2320 Object-Oriented Paradigm: Ruby Mohammad T . Irfan Imperative vs. object- oriented paradigms 1 11/14/17 Imperative vs. object-oriented u Imperative u Procedural decomposition u Procedures are all powerful u Data is

582 views • 45 slides
Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform for deductive program verification Made by: Franois Bobot Martin Clochard Lon Gondelman Jean-Christophe Fillitre Claude

98 views • 9 slides
Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual

Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual

Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual Fahndrich, K. Rustan M. Leino an Wolfram Shulte 1 Overview Goal : design a sound methodology for specifying object invariants that can then be

809 views • 33 slides
Object Management Group (OMG) Object-Oriented Software adopts UML as a standard methodology

Object Management Group (OMG) Object-Oriented Software adopts UML as a standard methodology

Object Management Group (OMG) Object-Oriented Software adopts UML as a standard methodology Engineering (OOSE) Ivar Jacobson Object Modeling Jacobson joins Technique (OMT) Rational Software James Rumbaugh Rumbaugh joins Rational Software

157 views • 4 slides

More recommend