1. 1.7.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

2. Slide 2 H. Schlingloff, Logical Specification 1.7.2008 Assertion Languages OCL is an assertion language for UML Similar assertian languages have been defined for various programming languages  Java Modeling Language (JML) for Java  Spec# for C#  PSL for VHDL General idea  static analysis: try to verify the assertions without running the program  dynamic supervision: use the assertions to influence the execution of the program

3. Slide 3 H. Schlingloff, Logical Specification 1.7.2008 Example: JML Reference: http://www.eecs.ucf.edu/~leavens/JML/jmlrefman/ using Hoare style pre- and postconditions and invariants specifications are added as Java annotations (comments) to the Java program  can also be stored in separate specification files //@ /*@ @*/

4. Slide 4 H. Schlingloff, Logical Specification 1.7.2008 JML Syntax assert  Defines a JML assertion requires  Defines a precondition on the method that follows ensures  Defines a postcondition on the method that follows invariant  Defines an invariant property of the class signals  Defines a condition on when a given exception can be thrown by the method that follows assignable  Defines which fields are allowed to be assigned to by the method that follows

5. Slide 5 H. Schlingloff, Logical Specification 1.7.2008 JML expressions Boolean Java expressions \result  identifier for the return value of the method that follows \old( )  modifier to refer to the value of variable at the time of entry into a method (OCL @pre!) \forall, \exists  universal and existential quantifier (for arrays etc.)  range of quantification limited! a ==> b, a b  logical implications

6. Slide 6 H. Schlingloff, Logical Specification 1.7.2008 Example public class Account { public static final int MAX_BALANCE = 1000; private int balance; private boolean isLocked = false; //@ invariant balance >= 0 && balance <= MAX_BALANCE; //@ assignable balance; //@ ensures balance == 0; public Account() { } //@ requires amount > 0; //@ ensures balance = \old(balance) + amount; public void deposit(int amount) { … } //@ ensures isLocked == true; public void lockAccount() { this.isLocked = true; } }

7. Slide 7 H. Schlingloff, Logical Specification 1.7.2008 Dynamic Analysis Generate extra code from annotations to check violations  assert: check at the given statement  requires: check before entering the method  ensures: check at the end of the method  invariant: check after each statement - obviously, only when statement might affect expression Use assertions to generate JUnit test cases  set preconditions, get postconditions

8. Slide 8 H. Schlingloff, Logical Specification 1.7.2008 Static Analysis Tools Abstract interpretation tries to calculate possible values of variables  sound approximation to the possible ranges  e.g., i  [-maxint..16], [17..21], [22..maxint] i += 1  i  [-maxint..17], [18..22], [23..maxint] Formally, an abstraction function is a mapping from a (large) concrete domain into a (small) abstract domain; e.g., int  {neg, zero, pos}  operations on concrete objects are replaced by operations on abstract objects

9. Slide 9 H. Schlingloff, Logical Specification 1.7.2008 JML Screenshot www-sop.inria.fr/.../bcwp/img/jmlCompile.jpeg

10. Slide 10 H. Schlingloff, Logical Specification 1.7.2008 Spec# and Spec Explorer Microsoft‘s Road to Specification Evolving algebras (Egon Börger et al., 1990‘s)  „Philosophical“ background ASMs and the ASML (Yuri Gurevich et al.)  Theoretical background Spec# (Wolfram Schulte et al.)  Interactive program verification Spec Explorer (Wolfgang Grieskamp et al.)  Support for model-based testing

11. Slide 11 H. Schlingloff, Logical Specification 1.7.2008 Spec# Overview Aiming at program verification Based on C# (which in turn is based on C++ and Java) Spec# is an extension of C# by non-null types, method contracts, object invariants, and checked exceptions  can be seen as a programming language of its own Tool support  compiler - statically enforces non-null types - emits run-time checks for method contracts and invariants - records the contracts as metadata for consumption by downstream tools  static program verifier „Boogie“ - generates logical verification conditions from a Spec# program - uses automatic theorem prover - analyzes the verification conditions to prove the correctness of the program or find errors in it http://www.cs.nuim.ie/~rosemary/ETAPS-SpecSharp-Tutorial.pdf

12. Slide 12 H. Schlingloff, Logical Specification 1.7.2008 Use of Spec# Write each class containing methods and their specification together in a Spec# source file  Invariants that constrain the data fields of objects may also be included Run the verifier (either from IDE or command line)  push button, wait (maybe long), get a list of compilation/verification error messages  Interaction with the verifier is done by modifying the source file

13. Slide 13 H. Schlingloff, Logical Specification 1.7.2008 Screenshot Freely available, needs MSVS.Net Wrong input Precondition not satisfied Log messages for programmer

14. Slide 14 H. Schlingloff, Logical Specification 1.7.2008 Example // non-null argument assume: not checked but taken as granted assert: statically or dynamically validated

15. Slide 15 H. Schlingloff, Logical Specification 1.7.2008 Swap Example How can the proof be performed?

16. Slide 16 H. Schlingloff, Logical Specification 1.7.2008 Spec# Verification focus on automation of verification rather than full functional correctness of specifications  No verification of liveness (termination or other temporal eventuality properties)  No arithmetic overflow checks (yet) Active research on extensions (e.g. comprehensions)

17. Slide 17 H. Schlingloff, Logical Specification 1.7.2008 Quantifiers Quantification on finite domains!  Verification can be expensive (search all values)

18. Slide 18 H. Schlingloff, Logical Specification 1.7.2008 Loop Invariants Can help the solver to reach its goal !

19. Slide 19 H. Schlingloff, Logical Specification 1.7.2008 Loop Invariants Can help the solver to reach its goal !

20. Slide 20 H. Schlingloff, Logical Specification 1.7.2008

21. Slide 21 H. Schlingloff, Logical Specification 1.7.2008 BoogiePL Simple procedural language for.Net if (condition) S else T Spec#: assume condition ; S assume ! condition ; T Then branch Else branch BoogiePL:

22. Slide 22 H. Schlingloff, Logical Specification 1.7.2008 BoogiePL syntax

23. Slide 23 H. Schlingloff, Logical Specification 1.7.2008

24. Slide 24 H. Schlingloff, Logical Specification 1.7.2008 BoogiePL Verifier Based on HP‘s „Simplify“ theorem prover  http://www.hpl.hp.com/techreports/2003/HPL-2003-148.pdf http://www.hpl.hp.com/techreports/2003/HPL-2003-148.pdf  first-order theorem prover (satisfiability)  includes complete decision procedures for the theory of equality and for linear rational arithmetic  heuristics for linear integer arithmetic  propositional connectives are solved by backtracking  handling of quantifiers by pattern-driven instantiation (incomplete) Translation from Boogie PL to Simplify  weakest precondition of each statement  each statement and each procedure gives rise to one verification condition