Towards feasible, machine-assisted verification of object-oriented programs

This thesis provides an account of a development of tools towards making verification of object-oriented programs more feasible. We note that proofs in program verification logics are typically long, yet, mathematically, not very deep; these observations suggest the thesis that computers can significantly ease the burden of program verification. We give evidence supporting this by applying computers to (1) automatically check and (2) automatically infer large parts of proofs. Taking the logic (AL) of Abadi and Leino as our starting point, we initially show how the logic can be embedded into a higher-order logic theorem prover, by way of introducing axioms, using a mix of both higher-order abstract syntax (HOAS) and a direct embedding of the assertion logic. The tenacity and exactness of the theorem prover ensures that no proof obligation is inadvertently lost during construction of a proof; we inherit any automatic facilities such as tactics which take us part way towards goal (2); and moreover, we achieve goal (1), since we inherit machine proofs which can be checked automatically. We present some extended examples in AL that have been proved using this embedding. Since we use a mix of HOAS and the underlying logic, justification of the axioms is no longer trivial. In particular, because we use a HOAS-style encoding of the program syntax, using a standard interpretation, the set of programs does not correspond to that defined using the first-order syntax. Thus, we construct a non-standard model of higher-order logic using categorical constructs, and show, in this interpretation (i.e. model), that the axioms are sound. Further towards goal (2), we consider a verification condition generator (VCG) algorithm which automatically infers large parts of a proof. The VCG takes, as input, a program c—possibly with annotations—and a specification S, and outputs a logical sentence called a verification condition (VC). The intention is that to prove c satisfies S, it suffices to prove the VC; or equivalently, the VCG automatically proves c satisfies S, modulo validity of the VC. The VC resulting from the algorithm is, in general, a first-order formula with fix-points. In particular cases, it is known that there exist brute force checking algorithms for such formulae which are much more efficient than those for checking

[1]  Andrew William Roscoe,et al.  The Theory and Practice of Concurrency , 1997 .

[2]  George C. Necula,et al.  Proof-carrying code , 1997, POPL '97.

[3]  Thomas Kleymann,et al.  Hoare logic and VDM : machine-checked soundness and completeness proofs , 1998 .

[4]  Peter V. Homeier Trustworthy Tools for Trustworthy Programs: A Mechanically Verified Verification Condition Generator , 1995 .

[5]  Bart Jacobs,et al.  Java Program Verification via a Hoare Logic with Abrupt Termination , 2000, FASE.

[6]  Jeannette M. Wing,et al.  A behavioral notion of subtyping , 1994, TOPL.

[7]  Giuseppe F. Italiano,et al.  Amortized Efficiency of a Path Retrieval Data Structure , 1986, Theor. Comput. Sci..

[8]  Xavier Leroy The objective caml system release 3 , 2001 .

[9]  Stephen A. Cook,et al.  Soundness and Completeness of an Axiom System for Program Verification , 1978, SIAM J. Comput..

[10]  C. A. R. HOARE,et al.  An axiomatic basis for computer programming , 1969, CACM.

[11]  Peter W. O'Hearn,et al.  The Logic of Bunched Implications , 1999, Bulletin of Symbolic Logic.

[12]  Bart Jacobs,et al.  The LOOP Compiler for Java and JML , 2001, TACAS.

[13]  Martín Abadi,et al.  A Theory of Objects , 1996, Monographs in Computer Science.

[14]  Tobias Nipkow,et al.  Hoare Logic for NanoJava: Auxiliary Variables, Side Effects, and Virtual Methods Revisited , 2002, FME.

[15]  Robert W. Floyd,et al.  Assigning Meanings to Programs , 1993 .

[17]  Reinhard Wilhelm,et al.  Shape Analysis , 2000, CC.

[18]  George C. Necula,et al.  Safe kernel extensions without run-time checking , 1996, OSDI '96.

[19]  Ken Arnold,et al.  The Java Programming Language , 1996 .

[20]  David von Oheimb Hoare Logic for Mutual Recursion and Local Variables , 1999, FSTTCS.

[21]  Luca Cardelli,et al.  Subtyping recursive types , 1991, POPL '91.

[22]  Martin Hofmann,et al.  Implementing a Program Logic of Objects in a Higher-Order Logic Theorem Prover , 2000, TPHOLs.

[23]  Martín Abadi,et al.  A Logic of Object-Oriented Programs , 1997, Verification: Theory and Practice.

[24]  John C. Reynolds,et al.  Idealized ALGOL and its specification logic , 1997 .

[25]  Cormac Flanagan,et al.  Avoiding exponential explosion: generating compact verification conditions , 2001, POPL '01.

[26]  Tomasz Kowaltowski Axiomatic approach to side effects and general jumps , 2004, Acta Informatica.

[27]  K. Rustan M. Leino Recursive Object Types in a Logic of Object-Oriented Programs , 1998, Nord. J. Comput..

[29]  Peter V. Homeier,et al.  Trustworthy Tools for Trustworthy Programs: A Verified Verification Condition Generator , 1994, TPHOLs.

[30]  Jeffrey D. Ullman,et al.  Introduction to Automata Theory, Languages and Computation , 1979 .

[31]  David von Oheimb,et al.  Mujava: embedding a programming language in a theorem prover , 1999 .

[32]  Andrew M. Pitts Tripos Theory in Retrospect , 2002, Math. Struct. Comput. Sci..

[33]  Marieke Huisman,et al.  Reasoning about Java programs in higher order logic using PVS and Isabelle , 2001 .

[34]  J. Palsberg Efficient Inference of Object Types , 1996 .

[35]  Jens Palsberg,et al.  Type Inference with Simple Selftypes is NP-complete , 1997, Nord. J. Comput..

[36]  Fritz Henglein,et al.  Breaking Through the n3 Barrier: Faster Object Type Inference , 1999, Theory Pract. Object Syst..

[37]  F. S. deBoer Reasoning about Dynamically Evolving Process Structures; a proof theory for the parallel object-oriented language pool , 1991 .

[38]  K. Rustan M. Leino,et al.  Extended static checking , 1998, PROCOMET.

[39]  Arnd Poetzsch-Heffter,et al.  A Programming Logic for Sequential Java , 1999, ESOP.

[40]  David von Oheimb Analyzing Java in Isabelle-HOL: formalization, type safety and Hoare logic , 2001 .

[41]  Bart Jacobs,et al.  A Logic for the Java Modeling Language JML , 2001, FASE.

[42]  M. Hofmann A Type System for Bounded Space and Functional In-Place Update , 2000, Nord. J. Comput..

[43]  Gary T. Leavens Modular specification and verification of object-oriented programs , 1991, IEEE Software.

[44]  M. Hoffman Semantical analysis of higher-order abstract syntax , 1999 .

[45]  Frank S. de Boer,et al.  A WP-calculus for OO , 1999, FoSSaCS.