720 likes | 891 Views
Proof Obligation Generator for Jive/JML. Ghislain Fourny March 11 th , 2005. Proof Obligation Generator. Introduction The new version of Jive: why JML Environment of the PO Generator Data Flow Interfaces How it works: an animated example Structure of a JML document
E N D
Proof Obligation Generator for Jive/JML Ghislain Fourny March 11th, 2005
Proof Obligation Generator • Introduction • The new version of Jive: why JML • Environment of the PO Generator • Data Flow • Interfaces • How it works: an animated example • Structure of a JML document • The Proof Obligation Accumulator • The example • Complements • Sugars • Variable declarations • Nested Specifications Proof Obligations Generator for Jive/JML
1.1. Why JML? Proof Obligations Generator for Jive/JML
A comment in natural language /* o should not be null @returns true of o already was in the set. Ensures that the final set is the former one with o as member and that none of the members is modified. */ boolean add(Object o) Proof Obligations Generator for Jive/JML
And what a computer understands… • boolean add(Obje • ct o)o should not • set. Ensures that • the final set is • theFormer one wit • o as member andth • at none of the Me • mbers is Proof Obligations Generator for Jive/JML
First-order logic boolean add(Object o) pre o≠null post result=(o aSet(this,$^)) aSet(this,$) = {0} aSet(this,$^) Object X: inRepSet(X,this,$^) unchanged(X,$,$^) Proof Obligations Generator for Jive/JML
What you actually want a non-mathematician programmer to write… • boolean add(Obje • ct o)o should not • set. Ensures that • the final set is • theFormer one wit • o as member andth • at none of the Me • mbers is Proof Obligations Generator for Jive/JML
JML as excellent compromise First-order logic Java English JML German Assembly Proof Obligations Generator for Jive/JML
A comment in JML //@invariant modelSet!=null; /*@public normal_behavior @requires o!=null; @assignable o,modelSet; @ensures \result == \old(modelSet.contains(o)); @ensures modelSet == \old(modelSet.add(o)); @*/ public boolean add(Object o); All invariants of all classes in INV($) Proof Obligations Generator for Jive/JML
1.2. External architecture Proof Obligations Generator for Jive/JML
POG Environment: Data Flow JML-Annotated Program Abstract Syntax Tree JML Parser (and Checker) Expression Tree Proof Obligation Generator Katja Term or Formula Expression Transformer Triples Logical Variable Registry Old expressions Hashmap Proof Obligation Accumulator Proof Obligations Generator for Jive/JML
POG Environment: External Interfaces MJ and JML Abstract Syntax Tree Expression Transformer Proof Obligation Generator Katja Term, Formula Old Expressions Hashmap Proof Obligation Accumulator Logical Variable Registry Triples Proof Obligations Generator for Jive/JML
2.1. An animated example Proof Obligations Generator for Jive/JML
Iterating on types Proof Obligations Generator for Jive/JML
Iterating on types Proof Obligations Generator for Jive/JML
Iterating on methods Class C { __________________________ __________________________ __________________________ ______________ __________________________ __________________________ __________________________ ______________ __________________________ __________________________ __________________________ ______________ __________________________ __________________________ __________________________ ______________ } Proof Obligations Generator for Jive/JML
Iterating on methods Class C { __________________________ __________________________ __________________________ ______________ __________________________ __________________________ __________________________ ______________ __________________________ __________________________ __________________________ ______________ __________________________ __________________________ __________________________ ______________ } Proof Obligations Generator for Jive/JML
Class C { __________________________ __________________________ __________________________ ______________ __________________________ __________________________ __________________________ ______________ __________________________ __________________________ __________________________ ______________ __________________________ __________________________ __________________________ ______________ __________________________ __________________________ __________________________ ______________ } Iterating on methods Proof Obligations Generator for Jive/JML
Iterating on specifications /*@ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ --------------------------------------------------------------------------------------------------- @*/ public static int isqrt(int y) { return (int) Math.sqrt(y); } Proof Obligations Generator for Jive/JML
/*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ /*@ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ --------------------------------------------------------------------------------------------------- @*/ @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ ---------------------------------------------------------------------------------------------------- @ --------------------------------------------------------------------------------------------------- @*/ public static int isqrt(int y) { return (int) Math.sqrt(y); } public static int isqrt(int y) { return (int) Math.sqrt(y); } public static int isqrt(int y) { return (int) Math.sqrt(y); } Iterating on specifications Proof Obligations Generator for Jive/JML
/*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ public static int isqrt(int y) { return (int) Math.sqrt(y); } Specification: A closer look Proof Obligations Generator for Jive/JML
Specification: A closer look /*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ • Markers: • Java compiler considers it a comment • JML parser identifies this as a specification public static int isqrt(int y) { return (int) Math.sqrt(y); } Proof Obligations Generator for Jive/JML
/*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ public static int isqrt(int y) { return (int) Math.sqrt(y); } The method reference An external method computes a method reference, here IntMathOps:isqrt. Proof Obligations Generator for Jive/JML
2.2. The Proof Obligation Accumulator Proof Obligations Generator for Jive/JML
The Proof Obligation Accumulator Generation of a brand new Proof Obligation on which we can then work. true IntMathOps:isqrt true Proof Obligations Generator for Jive/JML
The Proof Obligation Accumulator Hoare Triple true IntMathOps:isqrt true Proof Obligations Generator for Jive/JML
Specification: A closer look /*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ public static int isqrt(int y) { return (int) Math.sqrt(y); } Proof Obligations Generator for Jive/JML
Specification: A closer look /*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ The precondition public static int isqrt(int y) { return (int) Math.sqrt(y); } Proof Obligations Generator for Jive/JML
Expression Transformer IntMathOps:isqrt true Specification: A closer look /*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ AND public static int isqrt(int y) { return (int) Math.sqrt(y); } Proof Obligations Generator for Jive/JML
Specification: A closer look /*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ • This is a sequence of clauses. • We always, in this order: • Add the invariants (or not…) • Handle assignable locations • Process postconditions public static int isqrt(int y) { return (int) Math.sqrt(y); } Proof Obligations Generator for Jive/JML
Specification: A closer look /*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ The frame conditions No location may be modified by this method. public static int isqrt(int y) { return (int) Math.sqrt(y); } Proof Obligations Generator for Jive/JML
S Store S Store current S=$ current S=$ IntMathOps:isqrt IntMathOps:isqrt Nothing assignable true current current S Store IntMathOps:isqrt IntMathOps:isqrt true true No assignable locations S=$ loc.alive(ref(loc),S) $(loc)=S(loc) Proof Obligations Generator for Jive/JML
S Store S Store current current IntMathOps:isqrt IntMathOps:isqrt current current!=Exc Specification: A closer look /*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ This is a normal specification The method cannot throw an exception. public static int isqrt(int y) { return (int) Math.sqrt(y); } !=Exc Proof Obligations Generator for Jive/JML
Specification: A closer look /*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ The normal postcondition public static int isqrt(int y) { return (int) Math.sqrt(y); } Proof Obligations Generator for Jive/JML
Expression Transformer S Store S Store current current IntMathOps:isqrt IntMathOps:isqrt current current postcond Specification: A closer look /*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ =Normal public static int isqrt(int y) { return (int) Math.sqrt(y); } Proof Obligations Generator for Jive/JML
Expression Transformer S Store current Name Type Tree IntMathOps:isqrt current postcond !x0 JInt Old expressions Expression What we want to compute in the prestate • A \old expression has been found! • Either \old(…) • Or parameter y Proof Obligations Generator for Jive/JML
Expression Transformer S Store current Name Type Tree IntMathOps:isqrt current postcond !x0 JInt Old expressions Logical Variable How we can recall this value in the poststate. y Proof Obligations Generator for Jive/JML
Expression Transformer S Store current Name Type Tree IntMathOps:isqrt current postcond !x0 JInt Old expressions !x0 is used here y Proof Obligations Generator for Jive/JML
S Store current Name Type Tree IntMathOps:isqrt current !x0 JInt Old expressions = !x0 Proof Obligations Generator for Jive/JML
S Store current IntMathOps:isqrt S Store !x0 Jint current !x0=y current = !x0 IntMathOps:isqrt current Old expressions Proof Obligations Generator for Jive/JML
S Store !x0 Jint Precondition IntMathOps:isqrt Postcondition We are done! /*@ public normal_behavior @ requires y >= 0; @ assignable \nothing; @ ensures 0 <= \result @ && \result * \result <= y @ && y < ((\result+1) * (\result+1)); @*/ Commiting… public static int isqrt(int y) { return (int) Math.sqrt(y); } Proof Obligations Generator for Jive/JML
2.3. Signal clauses Proof Obligations Generator for Jive/JML
Expression Transformer Signals /*@ … @ @ signals (EClass1 e) expr1 @ signals (EClass2 e) expr2 @*/ (ExcV)<:EClass1 [ExcV/e] public void method(Iterator i); Proof Obligations Generator for Jive/JML
Expression Transformer Signals /*@ … @ @ signals (EClass1 e) expr1 @ signals (EClass2 e) expr2 @*/ (ExcV)<:EClass1 [ExcV/e] (ExcV)<:EClass2 [ExcV/e] public void method(Iterator i); Proof Obligations Generator for Jive/JML
(ExcV)<:EClass1 [ExcV/e] (ExcV)<:EClass2 [ExcV/e] Expression Transformer current current current current IntMathOps:isqrt IntMathOps:isqrt current currentExceptional postcond Signals /*@ … @ @ signals (EClass1 e) expr1 @ signals (EClass2 e) expr2 @*/ public void method(Iterator i); =Exc Proof Obligations Generator for Jive/JML
Expression Transformer current current IntMathOps:isqrt currentExceptional postcond Signals /*@ … @ @ signals (EClass1 e) expr1 @ signals (EClass2 e) expr2 @*/ public void method(Iterator i); Proof Obligations Generator for Jive/JML
3.1. Some sugars Proof Obligations Generator for Jive/JML
Some sugars /*@ … @ @ @ @ … @*/ public /*@ non_null @*/ Integer isqrt(int y); Proof Obligations Generator for Jive/JML
Some sugars /*@ … @ @ ensures \result!=null @ @ … @*/ public /*@ non_null @*/ Integer isqrt(int y); Proof Obligations Generator for Jive/JML
Some sugars /*@ … @ @ @ @ … @*/ public int isqrt(/*@ non_null @*/ Integer y); Proof Obligations Generator for Jive/JML