Proof Obligation Generator for Jive/JML
-
Proof Obligation Generator for Jive/JML
Ghislain Fourny
March 11th, 2005
-
Proof Obligation Generator
Introduction
  The new version of Jive: why JML
  Environment of the PO Generator
    Data Flow
    Interfaces
How it works: an animated example
  Structure of a JML document
  The Proof Obligation Accumulator
  The example
Complements
  Sugars
  Variable declarations
  Nested Specifications
-
1.1. Why JML?
-
A comment in natural language
/* o should not be null.
   @return true if o already was in the set.
   Ensures that the final set is the former one with o as member
   and that none of the members is modified. */
boolean add(Object o)
-
And what a computer understands
boolean add(Object o)
o should not set. Ensures that the final set is the Former one wit o as member and that none of the Members is
-
First-order logic
boolean add(Object o)
pre  o null
post result=(o aSet(this,$^)) aSet(this,$) = {0} aSet(this,$^) Object X: inRepSet(X,this,$^) unchanged(X,$,$^)
-
What you actually want a non-mathematician programmer to write
boolean add(Object o)
o should not set. Ensures that the final set is the Former one wit o as member and that none of the Members is
-
JML as an excellent compromise
(diagram labels: Java, JML, First-order logic; Assembly, English, German)
-
A comment in JML
//@ invariant modelSet != null;
/*@ public normal_behavior
  @ requires o != null;
  @ assignable o, modelSet;
  @ ensures \result == \old(modelSet.contains(o));
  @ ensures modelSet == \old(modelSet.add(o));
  @*/
public boolean add(Object o);
All invariants of all classes in INV($)
-
1.2. External architecture
-
POG Environment: Data Flow
(diagram; components as labelled: JML-Annotated Program, JML Parser (and Checker), Abstract Syntax Tree, Proof Obligation Generator, Expression Tree, Expression Transformer, Katja Term or Formula, Proof Obligation Accumulator, Old expressions Hashmap, Logical Variable Registry, Triples)
-
POG Environment: External Interfaces
(diagram; interfaces of the Proof Obligation Generator as labelled: Katja Term, Formula; MJ and JML Abstract Syntax Tree; Old Expressions Hashmap; Proof Obligation Accumulator; Logical Variable Registry; Triples; Expression Transformer)
-
2.1. An animated example
-
Iterating on types
-
Iterating on methods
class C {}
-
Iterating on specifications
/*@ ... @*/
public static int isqrt(int y) { return (int) Math.sqrt(y); }
-
Specification: A closer look
/*@ public normal_behavior
  @ requires y >= 0;
  @ assignable \nothing;
  @ ensures 0
-
The method reference
An external method computes a method reference, here IntMathOps:isqrt.
-
2.2. The Proof Obligation Accumulator
-
The Proof Obligation Accumulator
Generation of a brand new Proof Obligation on which we can then work.
{ true } IntMathOps:isqrt { true }
-
The Proof Obligation Accumulator
Hoare Triple: { true } IntMathOps:isqrt { true }
-
No assignable locations
loc. alive(ref(loc),S) $(loc)=S(loc)
S=$
-
Old expressions
y (expression): what we want to compute in the prestate.
An \old expression has been found! Either \old() or a parameter.
y (logical variable): how we can recall this value in the poststate.
y: !x0 is used here
= !x0
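The substitution the slides animate, as an added Python example that is not code from the Jive POG: an \old(...) expression or a bare parameter denotes a prestate value, so it is bound to a fresh logical variable (the slides use !x0) and the postcondition refers to that variable. The registry class, the !xN naming and the postcondition strings are assumptions modelled on the slides.

```python
import re
from typing import Dict, List

OLD = "\\old("   # the JML prefix we scan for, written \old( in the spec text

class LogicalVariableRegistry:
    """Hands out fresh logical variables (!x0, !x1, ...) and keeps the
    'old expressions' map: prestate expression -> logical variable."""

    def __init__(self) -> None:
        self.by_expr: Dict[str, str] = {}

    def variable_for(self, expr: str) -> str:
        expr = " ".join(expr.split())  # equal expressions share one variable
        if expr not in self.by_expr:
            self.by_expr[expr] = f"!x{len(self.by_expr)}"
        return self.by_expr[expr]

    def prestate_equations(self) -> List[str]:
        """Equations that fix each logical variable's value in the prestate."""
        return [f"{var} = {expr}" for expr, var in self.by_expr.items()]

def _closing_paren(s: str, open_idx: int) -> int:
    """Index of the ')' that balances the '(' at s[open_idx]."""
    depth = 0
    for i in range(open_idx, len(s)):
        if s[i] == "(":
            depth += 1
        elif s[i] == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses in: " + s)

def eliminate_old(post: str, params: List[str], reg: LogicalVariableRegistry) -> str:
    """Rewrite a postcondition so that every \\old(e) and every bare parameter
    (both denote prestate values) is replaced by a logical variable."""
    out, i = [], 0
    while True:
        j = post.find(OLD, i)
        if j < 0:
            out.append(post[i:])
            break
        out.append(post[i:j])
        k = _closing_paren(post, j + len(OLD) - 1)  # ')' matching the '(' of \old(
        out.append(reg.variable_for(post[j + len(OLD):k]))
        i = k + 1
    text = "".join(out)
    # Parameters outside \old(...) are prestate values too (JML parameters are not
    # assignable), so they get a logical variable as well; member accesses like a.y are skipped.
    for p in params:
        text = re.sub(rf"(?<![\w.]){re.escape(p)}\b", lambda _m, p=p: reg.variable_for(p), text)
    return text
```

Run on the add(Object o) postcondition from the JML slide, this yields `\result == !x0 && modelSet == !x1` together with the prestate equations `!x0 = modelSet.contains(o)` and `!x1 = modelSet.add(o)`.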
-
We are done!
/*@ public normal_behavior
  @ requires y >= 0;
  @ assignable \nothing;
  @ ensures 0
public static int isqrt(int y) { return (int) Math.sqrt(y); }
-
2.3. Signal clauses
-
Signals
public void method(Iterator i);
/*@ ...
  @ signals (EClass1 e) expr1;
  @ signals (EClass2 e) expr2;
  @*/
(ExcV)
= Exc
-
3.1. Some sugars
-
Some sugars
public /*@ non_null @*/ Integer isqrt(int y);
desugared to:
/*@ ...
  @ ensures \result != null;
  @ ... @*/
-
Some sugars
public int isqrt(/*@ non_null @*/ Integer y);
desugared to:
/*@ ...
  @ requires y != null;
  @ ... @*/
-
Some sugars
public /*@ pure @*/ int isqrt(int y);
desugared to:
/*@ ...
  @ requires true;
  @ assignable \nothing;
  @*/
Additional and independent specification
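The three sugar rewrites shown on the slides, as an added Python example that is not the POG's own code: it reads a method header, emits the explicit clauses the slides show, and strips the sugar from the header. The header strings and the exact clause spelling are assumptions; \result and \nothing are JML's own keywords.

```python
import re
from typing import Dict, List

# A JML modifier comment such as /*@ non_null @*/ or /*@ pure @*/ (group 1 = modifier).
MODIFIER = r"/\*@\s*(\w+)\s*@\*/"

def desugar_header(header: str) -> Dict[str, list]:
    """Expand the sugars on one method header into the clauses they stand for.
    'clauses' join the method's specification; 'extra_case' is the additional,
    independent specification case that 'pure' introduces."""
    clauses: List[str] = []
    extra_case: List[str] = []
    head, _, rest = header.partition("(")
    params = rest.rsplit(")", 1)[0]
    # Sugars in front of the return type.
    for mod in re.findall(MODIFIER, head):
        if mod == "non_null":
            clauses.append(r"ensures \result != null;")
        elif mod == "pure":
            extra_case += ["requires true;", r"assignable \nothing;"]
        else:
            raise ValueError(f"unsupported modifier on return type: {mod}")
    # Sugars on parameters: /*@ non_null @*/ Type name
    for mod, name in re.findall(MODIFIER + r"\s*[\w<>\[\]]+\s+(\w+)", params):
        if mod == "non_null":
            clauses.append(f"requires {name} != null;")
        else:
            raise ValueError(f"unsupported modifier on parameter {name}: {mod}")
    plain = re.sub(MODIFIER + r"\s*", "", header)   # header with the sugar removed
    return {"method": plain, "clauses": clauses, "extra_case": extra_case}
```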
-
3.2. Variable declaration
-
Old variable declaration
public void method(Iterator i);
/*@ ...
  @ old int alter_i = expr;
  @ ... @*/
alter_i =
-
Forall variable declaration
public void method(Iterator i);
/*@ ...
  @ forall int var;
  @ ... @*/
-
3.3. Nested Specification
-
Nested Specification
public void method(Iterator i);
/*@ requires i != null;
  @ {|
  @   requires i.hasNext();
  @   ensures expr;
  @ also
  @   requires !i.hasNext();
  @   ensures expr2;
  @ |}
  @ ...
  @*/
-
Conclusion
POG implemented
Debugging phase (JUnit testing)
Formatted output
Proof obligation visualizer
-
Thank you for your attention!
Ádám: thank you!
-
Assignable locations
int y;
public void isqrt() { y = (int) Math.sqrt(y); }
/*@ model int value;
  @ represents value
-
To add or not to add class invariants?