An assertion-based proof system for multithreaded Java

Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread classes, allowing for a multithreaded flow of control. The concurrency model includes synchronous message passing, dynamic thread creation, shared-variable concurrency via instance variables, and coordination via reentrant synchronization monitors. To reason about safety properties of multithreaded Java programs, we introduce an assertional proof method for a multithreaded sublanguage of Java, covering the mentioned concurrency issues as well as the object-based core of Java. The verification method is formulated in terms of proof outlines, where the assertions are layered into local ones, specifying the behavior of a single instance, and global ones, taking care of the connections between objects. We establish the soundness and the relative completeness of the proof system. From an annotated program, a number of verification conditions are generated and handed over to the interactive theorem prover PVS.
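The following is an added illustrative sketch, not code or notation from the paper, of what a proof outline with the two assertion layers described above looks like for a small reentrant monitor. The classes, the assertion comments and their syntax are assumptions for illustration only; the paper's own assertion language and its treatment of auxiliary variables are not reproduced here.

```java
// Added illustrative example, not from the paper. Assertions are written as
// comments in an assumed {…} notation. Local assertions mention only the
// state of one instance; the global assertion relates different objects.
final class Ticket {
    final Dispenser issuer;   // the object that created this ticket
    final int number;         // the number it was issued with

    Ticket(Dispenser issuer, int number) {
        this.issuer = issuer;
        this.number = number;
    }
}

public class Dispenser {
    // Instance variable shared between all threads calling this object.
    private int next = 0;

    // Local class invariant (refers to this instance only): {next >= 0}

    public synchronized Ticket issue() {
        // {next >= 0}  monitor held: no other thread interleaves in the body
        int n = next;
        next = next + 1;
        // {n == next - 1 && next >= 1}
        return new Ticket(this, n);
        // At creation time n < next, which is exactly what the global
        // assertion below needs at this point.
    }

    // Reentrant monitor: issueBatch already holds this object's monitor and
    // calls issue() on the same object. The same thread re-enters without
    // blocking, so the inner self-call is verified against issue()'s
    // precondition {next >= 0} while the outer method keeps the lock.
    public synchronized Ticket[] issueBatch(int k) {
        // {next >= 0 && k >= 0}
        Ticket[] batch = new Ticket[k];
        for (int i = 0; i < k; i++) {
            // {next >= 0 && for all j < i: batch[j].issuer == this
            //              && batch[j].number < next}
            batch[i] = issue();
        }
        // {next >= 0 && all batch[i].number are pairwise distinct}
        return batch;
    }
}

// Global assertions (about the connection between objects; neither class
// can state them as a local invariant of its own instance):
//   (G1) for all Ticket t:       t.number < t.issuer.next
//   (G2) for all Ticket t1, t2:  t1.issuer == t2.issuer && t1.number == t2.number
//                                implies t1 == t2
// Both hold in every reachable state: next is only modified inside the
// Dispenser's monitor, and a Ticket is created only after next has been
// advanced past the number the ticket carries.
```

In a proof-outline method of this kind, the verification conditions for `issue()` and `issueBatch()` are the local ones (each assertion implies the next under the statement between them, given that the monitor excludes interleaving) plus an interference-freedom check that no method of `Dispenser` running in another thread can invalidate G1 or G2; for this class the monitor makes the latter check trivial, which is the point of the example.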
