Hoare logic for Java in Isabelle/HOL

SUMMARY This article presents a Hoare-style calculus for a substantial subset of Java Card, which we call Java^light. In particular, the language includes side-effecting expressions, mutual recursion, dynamic method binding, full exception handling, and static class initialization. The Hoare logic of partial correctness is proved not only sound (w.r.t. our operational semantics of Java^light, described in detail elsewhere) but even complete. It is the first logic for an object-oriented language that is provably complete. The completeness proof uses a refinement of the Most General Formula approach. The proof of soundness gives new insights into the role of type safety. Further by-products of this work are a new general methodology for handling side-effecting expressions and their results, the discovery of the strongest possible rule of consequence, and a flexible Call rule for mutual recursion. We also give a small but non-trivial application example. All definitions and proofs have been done formally with the interactive theorem prover Isabelle/HOL. This guarantees not only rigorous definitions, but also gives maximal confidence in the results obtained.
