
Proof Obligation Generator for Jive/JML

Proof Obligation Generator for Jive/JML. Ghislain Fourny, March 11th, 2005. Outline: Introduction; The new version of Jive: why JML; Environment of the PO Generator; Data Flow; Interfaces; How it works: an animated example; Structure of a JML document.



Presentation Transcript


  1. Proof Obligation Generator for Jive/JML
     Ghislain Fourny, March 11th, 2005

  2. Proof Obligation Generator
     • Introduction
       • The new version of Jive: why JML
       • Environment of the PO Generator: Data Flow, Interfaces
     • How it works: an animated example
       • Structure of a JML document
       • The Proof Obligation Accumulator
       • The example
     • Complements
       • Sugars
       • Variable declarations
       • Nested Specifications
     Proof Obligations Generator for Jive/JML

  3. 1.1. Why JML?

  4. A comment in natural language
     /* o should not be null
        @returns true if o already was in the set.
        Ensures that the final set is the former one with o as member
        and that none of the members is modified. */
     boolean add(Object o)

  5. And what a computer understands…
     • boolean add(Obje • ct o)o should not • set. Ensures that • the final set is • theFormer one wit • o as member andth • at none of the Me • mbers is

  6. First-order logic
     boolean add(Object o)
     pre  o≠null
     post result=(o  aSet(this,$^))  aSet(this,$) = {0}  aSet(this,$^)    Object X: inRepSet(X,this,$^) unchanged(X,$,$^)

  7. What you actually want a non-mathematician programmer to write…
     • boolean add(Obje • ct o)o should not • set. Ensures that • the final set is • theFormer one wit • o as member andth • at none of the Me • mbers is

  8. JML as excellent compromise
     (diagram placing First-order logic, Java, English, JML, German and Assembly on one scale)

  9. A comment in JML
     //@ invariant modelSet != null;
     /*@ public normal_behavior
       @ requires o != null;
       @ assignable o, modelSet;
       @ ensures \result == \old(modelSet.contains(o));
       @ ensures modelSet == \old(modelSet.add(o));
       @*/
     public boolean add(Object o);
     All invariants of all classes are collected in INV($).

  10. 1.2. External architecture

  11. POG Environment: Data Flow
      (diagram; components in order of appearance)
      • JML-Annotated Program
      • JML Parser (and Checker)
      • Abstract Syntax Tree
      • Proof Obligation Generator
      • Expression Tree
      • Expression Transformer
      • Katja Term or Formula
      • Triples
      • Logical Variable Registry
      • Old expressions Hashmap
      • Proof Obligation Accumulator

  12. POG Environment: External Interfaces
      (diagram; components in order of appearance)
      • MJ and JML Abstract Syntax Tree
      • Expression Transformer
      • Proof Obligation Generator
      • Katja Term, Formula
      • Old Expressions Hashmap
      • Proof Obligation Accumulator
      • Logical Variable Registry
      • Triples

  13. 2.1. An animated example

  14. Iterating on types

  15. Iterating on types

  16. Iterating on methods
      Class C { (method bodies shown as placeholders in the animation) }

  17. Iterating on methods
      Class C { (same animation, next method highlighted) }

  18. Iterating on methods
      Class C { (same animation, next method highlighted) }

  19. Iterating on specifications
      /*@ (specification shown as a placeholder in the animation) @*/
      public static int isqrt(int y) { return (int) Math.sqrt(y); }

  20. Iterating on specifications
      /*@ public normal_behavior
        @ requires y >= 0;
        @ assignable \nothing;
        @ ensures 0 <= \result
        @      && \result * \result <= y
        @      && y < ((\result+1) * (\result+1));
        @*/
      public static int isqrt(int y) { return (int) Math.sqrt(y); }

  21. Specification: A closer look
      /*@ public normal_behavior
        @ requires y >= 0;
        @ assignable \nothing;
        @ ensures 0 <= \result
        @      && \result * \result <= y
        @      && y < ((\result+1) * (\result+1));
        @*/
      public static int isqrt(int y) { return (int) Math.sqrt(y); }

  22. Specification: A closer look
      The markers /*@ … @*/:
      • The Java compiler considers it a comment
      • The JML parser identifies this as a specification

  23. Specification: A closer look
      The method reference: an external method computes a method reference, here IntMathOps:isqrt.

  24. 2.2. The Proof Obligation Accumulator

  25. The Proof Obligation Accumulator
      Generation of a brand new Proof Obligation on which we can then work:
      { true } IntMathOps:isqrt { true }

  26. The Proof Obligation Accumulator
      Hoare Triple: { true } IntMathOps:isqrt { true }

  27. Specification: A closer look
      /*@ public normal_behavior
        @ requires y >= 0;
        @ assignable \nothing;
        @ ensures 0 <= \result
        @      && \result * \result <= y
        @      && y < ((\result+1) * (\result+1));
        @*/
      public static int isqrt(int y) { return (int) Math.sqrt(y); }

  28. Specification: A closer look
      The precondition: requires y >= 0;

  29. Specification: A closer look
      Expression Transformer: the requires clause is ANDed into the precondition of the triple.
      { true AND y >= 0 } IntMathOps:isqrt { true }

  30. Specification: A closer look
      • This is a sequence of clauses.
      • We always, in this order:
        • Add the invariants (or not…)
        • Handle assignable locations
        • Process postconditions

  31. Specification: A closer look
      The frame conditions: assignable \nothing; no location may be modified by this method.

  32. The frame condition
      Logical variables: S Store, current
      Nothing assignable: the prestate store is bound in the precondition (S=$).
      No assignable locations: in the postcondition, loc. alive(ref(loc),S) $(loc)=S(loc)

  33. Specification: A closer look
      current != Exc
      This is a normal specification: the method cannot throw an exception.

  34. Specification: A closer look
      The normal postcondition: ensures 0 <= \result && \result * \result <= y && y < ((\result+1) * (\result+1));

  35. Expression Transformer
      The normal postcondition is guarded by the status: current = Normal  postcond

  36. Expression Transformer: Old expressions
      Logical Variable Registry (Name, Type, Tree): !x0, JInt, y
      What we want to compute in the prestate:
      • A \old expression has been found!
      • Either \old(…)
      • Or parameter y

  37. Expression Transformer: Old expressions
      Logical Variable !x0: how we can recall this value in the poststate. Tree: y

  38. Expression Transformer: Old expressions
      !x0 is used here, in place of y in the transformed postcondition.

  39. Old expressions
      The transformed postcondition refers to the logical variable: … = !x0

  40. Old expressions
      !x0 JInt: the binding !x0=y is added to the precondition, and the postcondition uses !x0.

  41. We are done!
      Precondition (with !x0 JInt and S Store), IntMathOps:isqrt, Postcondition
      /*@ public normal_behavior
        @ requires y >= 0;
        @ assignable \nothing;
        @ ensures 0 <= \result
        @      && \result * \result <= y
        @      && y < ((\result+1) * (\result+1));
        @*/
      Committing…
      public static int isqrt(int y) { return (int) Math.sqrt(y); }

  42. 2.3. Signal clauses

  43. Expression Transformer: Signals
      /*@ …
        @ signals (EClass1 e) expr1
        @ signals (EClass2 e) expr2
        @*/
      public void method(Iterator i);
      (ExcV)<:EClass1 [ExcV/e]

  44. Expression Transformer: Signals
      /*@ …
        @ signals (EClass1 e) expr1
        @ signals (EClass2 e) expr2
        @*/
      public void method(Iterator i);
      (ExcV)<:EClass1 [ExcV/e]
      (ExcV)<:EClass2 [ExcV/e]

  45. Expression Transformer: Signals
      (ExcV)<:EClass1 [ExcV/e]
      (ExcV)<:EClass2 [ExcV/e]
      The exceptional postcondition is guarded by the status: current = Exc  Exceptional postcond
      /*@ …
        @ signals (EClass1 e) expr1
        @ signals (EClass2 e) expr2
        @*/
      public void method(Iterator i);

  46. Expression Transformer: Signals
      current = Exc  Exceptional postcond
      /*@ …
        @ signals (EClass1 e) expr1
        @ signals (EClass2 e) expr2
        @*/
      public void method(Iterator i);
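The accumulator walk-through of slides 25 to 46 (new triple, AND the precondition, frame condition, exception status, \old and parameter expressions bound to logical variables, signals clauses with [ExcV/e]), as an added Python example that is not part of the presentation or of the Jive code base. The Spec and Triple records, the string form of the clauses (S == $, current != Exc, ExcV <: EClass) and the small concrete checker `holds` are assumptions made for illustration; `holds` evaluates the requires/ensures of the slides' isqrt specification against an int(math.sqrt(y)) body, which is what (int) Math.sqrt(y) computes for a non-negative int. As on slide 36, a bare parameter in a postcondition is treated like a \old expression, since it denotes the prestate value.

```python
"""Miniature proof-obligation accumulator mirroring the Jive/JML POG walk-through
on the slides.  Added example, not Jive code: the Spec and Triple records, the
clause strings and the concrete checker are assumptions made for illustration."""
import math
import re
from dataclasses import dataclass, field

# \old(e) where e may itself contain one level of parentheses, e.g. \old(i.hasNext())
OLD_RE = re.compile(r"\\old\(((?:[^()]|\([^()]*\))*)\)")

@dataclass
class Spec:
    """One JML specification case; normal=True models normal_behavior."""
    requires: list[str]
    assignable: list[str]                 # [] stands for 'assignable \nothing'
    ensures: list[str]
    signals: list[tuple[str, str]] = field(default_factory=list)  # (EClass, expr over e)
    normal: bool = True

@dataclass
class Triple:
    """Hoare triple {pre} method {post}; pre and post are lists of conjuncts."""
    method: str
    pre: list[str] = field(default_factory=lambda: ["true"])
    post: list[str] = field(default_factory=lambda: ["true"])
    registry: dict[str, str] = field(default_factory=dict)   # !x_i -> prestate expression

    def __str__(self) -> str:
        return "{ %s } %s { %s }" % (" && ".join(self.pre), self.method, " && ".join(self.post))

def logical_var(t: Triple, prestate_expr: str) -> str:
    """Logical variable registry: one !x_i per distinct prestate expression."""
    for name, expr in t.registry.items():
        if expr == prestate_expr:
            return name
    name = "!x%d" % len(t.registry)
    t.registry[name] = prestate_expr
    return name

def transform_post(t: Triple, expr: str, params: list[str]) -> str:
    """Expression transformer for a postcondition: \\old(e) and bare parameters
    denote prestate values, so each is replaced by a logical variable that the
    accumulator later binds in the precondition."""
    expr = OLD_RE.sub(lambda m: logical_var(t, m.group(1)), expr)
    for p in params:
        expr = re.sub(r"\b%s\b" % re.escape(p), lambda _m, p=p: logical_var(t, p), expr)
    return expr

def accumulate(method_ref: str, params: list[str], spec: Spec,
               invariants: tuple[str, ...] = ()) -> Triple:
    """Build the proof obligation in the order the slides prescribe."""
    t = Triple(method=method_ref)                   # brand new {true} m {true}
    t.pre += list(invariants)                       # 1. add the invariants (or not)
    t.pre += spec.requires                          #    AND the precondition
    t.pre.append("S == $")                          # 2. frame: S names the prestate store
    if spec.assignable:
        frame = ("forall loc not in {%s}: alive(ref(loc), S) ==> $(loc) == S(loc)"
                 % ", ".join(spec.assignable))
    else:                                           #    assignable \nothing
        frame = "forall loc: alive(ref(loc), S) ==> $(loc) == S(loc)"
    t.post.append(frame)
    if spec.normal:                                 #    normal spec: no exception
        t.post.append("current != Exc")
    for e in spec.ensures:                          # 3. normal postcondition
        t.post.append("current == Normal ==> (%s)" % transform_post(t, e, params))
    for exc_class, e in spec.signals:               #    signals clauses, [ExcV/e]
        body = re.sub(r"\be\b", "ExcV", transform_post(t, e, params))
        t.post.append("current == Exc ==> (ExcV <: %s ==> (%s))" % (exc_class, body))
    for name, prestate in t.registry.items():       # commit: bind each !x_i in the prestate
        t.pre.append("%s == %s" % (name, prestate))
    return t

def jml_to_py(expr: str) -> str:
    """Just enough JML-to-Python for the clauses used here; arguments are
    immutable ints, so \\old(e) is simply e (assumption of this example)."""
    return (expr.replace("\\result", "result").replace("\\old(", "(")
                .replace("&&", " and ").replace("||", " or "))

def holds(spec: Spec, impl, **args) -> bool:
    """Concrete check of a normal spec on one call: when the precondition holds,
    the implementation's result must satisfy every ensures clause."""
    env = dict(args)
    if not all(eval(jml_to_py(r), {}, env) for r in spec.requires):
        return True                                 # precondition false: nothing demanded
    env["result"] = impl(**args)
    return all(eval(jml_to_py(e), {}, env) for e in spec.ensures)

# The isqrt specification from the slides and its (int) Math.sqrt(y) body.
ISQRT = Spec(requires=["y >= 0"], assignable=[],
             ensures=["0 <= \\result && \\result * \\result <= y && y < ((\\result+1) * (\\result+1))"])

def isqrt(y: int) -> int:
    return int(math.sqrt(y))                        # Java's (int) cast truncates
```

Printing `accumulate("IntMathOps:isqrt", ["y"], ISQRT)` gives the precondition true && y >= 0 && S == $ && !x0 == y and a postcondition in which !x0 stands for y, which is the committed triple of slides 40 and 41; `all(holds(ISQRT, isqrt, y=y) for y in range(10_000))` confirms that the body meets the specification on those inputs, whereas the generated triple is what a prover would discharge for all inputs.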

  47. 3.1. Some sugars

  48. Some sugars
      /*@ … @*/
      public /*@ non_null @*/ Integer isqrt(int y);

  49. Some sugars
      /*@ …
        @ ensures \result!=null
        @ … @*/
      public /*@ non_null @*/ Integer isqrt(int y);

  50. Some sugars
      /*@ … @*/
      public int isqrt(/*@ non_null @*/ Integer y);
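How the non_null sugar of slides 48 to 50 expands into explicit clauses (a non_null return type becomes ensures \result != null, a non_null parameter p becomes requires p != null), as an added Python example that is not part of the presentation or of Jive. The Desugared record and the regular expressions are assumptions made for illustration, and the function goes slightly beyond the slides in handling several annotated parameters, generic and array types in one declaration.

```python
"""Desugaring of the JML non_null sugar into explicit clauses, as the slides
show for isqrt.  Added example, not Jive code: the Desugared record and the
regular expressions are assumptions made for illustration."""
import re
from dataclasses import dataclass, field

NON_NULL = r"/\*@\s*non_null\s*@\*/"
# a non_null-annotated parameter: marker, type (optionally generic or array), name
PARAM_RE = re.compile(NON_NULL + r"\s*(\w+(?:<[^>]*>)?(?:\[\])*)\s+(\w+)")

@dataclass
class Desugared:
    signature: str                                   # declaration with the sugar removed
    requires: list[str] = field(default_factory=list)
    ensures: list[str] = field(default_factory=list)

def desugar_non_null(decl: str) -> Desugared:
    """Expand every non_null marker of one method declaration: on the return
    type it becomes 'ensures \\result != null', on a parameter p it becomes
    'requires p != null'.  The markers are then stripped from the signature."""
    head, _, params = decl.partition("(")            # markers before '(' annotate the result
    out = Desugared(signature=re.sub(NON_NULL + r"\s*", "", decl))
    if re.search(NON_NULL, head):
        out.ensures.append("\\result != null")
    for _type, name in PARAM_RE.findall(params):
        out.requires.append("%s != null" % name)
    return out
```

`desugar_non_null("public /*@ non_null @*/ Integer isqrt(int y);")` yields the ensures clause of slide 49 and the plain signature public Integer isqrt(int y);, and the parameter form of slide 50 yields requires y != null instead.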
