OpenJML: Software verification for Java 7 using JML, OpenJDK, and Eclipse

OpenJML is a tool for checking code and specifications of Java programs. We describe our experience building the tool on the foundation of JML, OpenJDK and Eclipse, as well as on many advances in specification-based software verification. The implementation demonstrates the value of integrating specification tools directly in the software development IDE and in automating as many tasks as possible. The tool, though still in progress, has now been used for several college-level courses on software specification and verification and for small-scale studies on existing Java programs.Comment: In Proceedings F-IDE 2014, arXiv:1404.578

The dynamic frames theory

The theory of Dynamic Frames has been invented to deal with the frame problem in the presence of encapsulation and pointers. It has proved more flexible and conceptually simpler than previous approaches that tackled the problem. It is now being actively used both for theoretical and for practical purposes related to the formal verification of program correctness. This paper presents the full theory of Dynamic Frames, together with its reasoning laws and exemplifies the use of these laws in proving correct several common design patterns. It also discusses the ongoing research on the topi

Stepwise refinement of heap-manipulating code in Chalice

Stepwise refinement is a well-studied technique for developing a program from an abstract description to a concrete implementation. This paper describes a system with automated tool support for refinement, powered by a state-of-the-art verification engine that uses an SMT solver. Unlike previous refinement systems, users of the presented system interact only via declarations in the programming language. Another aspect of the system is that it accounts for dynamically allocated objects in the heap, so that data representations in an abstract program can be refined into ones that use more objects. Finally, the system uses a language with familiar imperative features, including sequential composition, loops, and recursive calls, offers a syntax with skeletons for describing program changes between refinements, and provides a mechanism for supplying witnesses when refining non-deterministic programs

Chapter Dynamic Dispatch for Method Contracts Through Abstract Predicates

Dynamic method dispatch is a core feature of object-oriented programming by which the executed implementation for a polymorphic method is only chosen at runtime. In this paper, we present a specification and verification methodology which extends the concept of dynamic dispatch to design-by-contract specifications. The formal specification language JML has only rudimentary means for polymorphic abstraction in expressions. We promote these to fully flexible specification-only query methods called model methods that can, like ordinary methods, be overridden to give specifications a new semantics in subclasses in a transparent and modular fashion. Moreover, we allow them to refer to more than one program state which give us the possibility to fully abstract and encapsulate two-state specification contexts, i.e., history constraints and method postconditions. Finally, we provide an elegant and flexible mechanism to specify restrictions on specifications in subtypes. Thus behavioural subtyping can be enforced, yet it still allows for other specification paradigms. We provide the semantics for model methods by giving a translation into a first order logic and according proof obligations. We fully implemented this framework in the KeY program verifier and successfully verified relevant examples. We have also implemented an extension to KeY to support permission-based verification of concurrent Java programs. In this context model methods provide a modular specification method to treat code synchronisation through API methods

JML\u27s Rich, Inherited Specifications for Behavioral Subtypes

The Java Modeling Language (JML) is used to specify detailed designs for Java classes and interfaces. It has a particularly rich set of features for specifying methods. This paper describes those features, with particular emphasis on the features related to specification inheritance. It shows how specification inheritance in JML forces behavioral subtyping, through a discussion of semantics and examples. It also describes a notion of modular reasoning based on static type information, supertype abstraction, which is made valid in JML by methodological restrictions on invariants, history constraints, and initially clauses and by behavioral subtyping

Formal Semantics of Model Fields in Annotation-based Specifications

It is widely recognized that abstraction and modularization are indispensable for specification of real-world programs. In source-code level program specification and verification, model fields are a common means for those goals. However, it remains a challenge to provide a well-founded formal semantics for the general case in which the abstraction relation defining a model field is non-functional. In this paper, we discuss and compare several possibilities for defining model field semantics, and we give a complete formal semantics for the general case. Our analysis and the proposed semantics is based on a generalization of Hilbert\u27s epsilon terms

Specification Reuse using Data Refinement in Dafny

Data refinement is a technique for transforming system specifications into system implementation that differs in data types. It gives us the freedom to write specifications in a way that is independent of its implementation; moreover we can generate multiple implementations without changing the system specifications, the client does not have to worry about the underlying implementation. Abstraction Invariant is used to relate the high level abstract specification to its concrete implementation. Dafny is a research language developed by Microsoft. Its main focus is data refinement. The language provides the rich mathematical properties such as sequences, sets and multi-set, along with functions, predicates, methods and user defined data types. In Dafny the Abstraction Invariant is in the form of a function, which is added as a pre and post conditions to all of methods and functions. Given this function one can verify that the code is providing the implementation that satisfies its specifications even when the specification is defined in term of one data structure and the code is implemented in term of another data structure. Dafny works with Boogie which is a static program verifier and the SMT solver Z3. These are the main underlying technologies for verification: Dafny code is translated in to Boogie from which the verification conditions are generated for Z3 in order to verify the program. In this research the programmer over head is identified when replacing one implementation to another in terms of underlying data structure change while preserving the client specification. The motivation behind this work is to assist programmers to come up with a quick solution in situations such as “slow system performance” with new system implementation. Moreover, a semi automatic tool is developed for transforming one implementation to another without changing the client specifications. The result is the generation of a semi verified program whose implementation is in terms of a data structure other than that used in the specifications. The verification can be fully automatic through the provision of implementation details from the user

Specification and verification challenges for sequential object-oriented programs

The state of knowledge in how to specify sequential programs in object-oriented languages such as Java and C# and the state of the art in automated verification tools for such programs have made measurable progress in the last several years. This paper describes several remaining challenges and approaches to their solution

On Static Analysis for Expressive Pattern Matching

Pattern matching is a widespread programming language construct that enables definitions of values by cases, generalizing if-then-else and case statements. The cases in a pattern matching expression should be exhaustive: when the value does not match any of the cases, the expression throws a run-time exception. Similarly, each pattern should be reachable, and, if possible, patterns should be disjoint to facilitate reasoning. Current compilers use simple analyses to check patterns. Such analyses ignore pattern guards, use static types to approximate possible expression values, and do not take into account properties of user-defined functions. We present a design and implementation of a new analysis of pattern matching expressions. Our analysis detects a wider class of errors and reports fewer false alarms than previous approaches. It checks disjointness, reachability, and exhaustiveness of patterns by expressing these conditions as formulas and proving them using decision procedures and theorem provers. It achieves precision by propagating possible values through nested expressions and approximating pattern-matching guards with formulas. It supports user-defined ``extractor'' functions in patterns by relying on specifications of relationships between the domains of such functions. The result is the first analysis that enables verified, declarative pattern matching with guards in the presence of data abstraction. We have implemented our analysis and describe our experience in checking a range of pattern matching expressions in a subset of the Scala programming language