Analyzing Java in Isabelle/HOL

This thesis deals with machine-checking a large sublanguage of sequential Java, covering nearly all features, in particular the object-oriented ones. It shows that embedding such a language in a theorem prover and deducing practically important properties is meanwhile possible and explains in detail how this can be achieved. We formalize the abstract syntax, and the static semantics including the type system and well-formedness conditions, as well as an operational (evaluation) semantics of the language. Based on these definitions, we can express soundness of the type system, an important design goal claimed to be reached by the designers of Java, and prove that type safety holds indeed. Moreover, we give an axiomatic semantics of partial correctness for both statements and (side-effecting) expressions. We prove the soundness of this semantics relative to the operational semantics, and even prove completeness. We further give a small but instructive application example. A direct outcome of this work is the confirmation that the design and specification of Java (or at least the subset considered) is reasonable, yet some omissions in the language specification and possibilities for generalizing the design can be pointed out. The second main contribution is a sound and complete Hoare logic, where the soundness proof for our Hoare logic gives new insights into the role of type safety. To our knowledge, this logic is the first one for an object-oriented language that has been proved complete. By-products of this work are a new general technique for handling side-effecting expressions and their results, the discovery of the strongest possible rule of consequence, and a new rule for flexible handling of mutual recursion. All definitions and proofs have been done fully formally with the interactive theorem prover Isabelle/HOL, representing one of its major applications. This approach guarantees not only rigorous definitions, but also gives maximal confidence in the results obtained. Thus this thesis demonstrates that machine-checking the design of an important non-trivial programming language and conducting meta-theory on it entirely within a theorem proving system has become a reality.

[1]  Tobias Nipkow,et al.  Winskel is (almost) Right: Towards a Mechanized Semantics Textbook , 1996, Formal Aspects of Computing.

[2]  Egon Börger,et al.  A Programmer Friendly Modular Definition of the Semantics of Java , 1999, Formal Syntax and Semantics of Java.

[3]  David von Oheimb,et al.  Java - formal fundiert , 1998, Java-Informations-Tage.

[4]  Richard J. Boulton,et al.  Experience with Embedding Hardware Description Languages in HOL , 1992, TPCD.

[5]  Tobias Nipkow,et al.  Veried Bytecode Veriers , 2002 .

[6]  Frank S. de Boer,et al.  A WP-calculus for OO , 1999, FoSSaCS.

[7]  Sophia Drossopoulou,et al.  Describing the Semantics of Java and Proving Type Soundness , 1999, Formal Syntax and Semantics of Java.

[8]  Michael J. C. Gordon,et al.  Edinburgh LCF: A mechanised logic of computation , 1979 .

[9]  Michael Norrish,et al.  Deterministic Expressions in C , 1999, ESOP.

[10]  David Aspinall,et al.  Proof General: A Generic Tool for Proof Development , 2000, TACAS.

[11]  Stephen N. Freund,et al.  Adding type parameterization to the Java language , 1997, OOPSLA '97.

[12]  David von Oheimb Hoare logic for Java in Isabelle/HOL , 2001, Concurr. Comput. Pract. Exp..

[13]  Christopher Strachey,et al.  Fundamental Concepts in Programming Languages , 2000, High. Order Symb. Comput..

[14]  Rance Cleaveland,et al.  Implementing mathematics with the Nuprl proof development system , 1986 .

[15]  Kim B. Bruce,et al.  Safe and decidable type checking in an object-oriented language , 1993, OOPSLA '93.

[16]  Konrad Slind,et al.  Function Definition in Higher-Order Logic , 1996, TPHOLs.

[17]  Kim B. Bruce Safe type checking in a statically-typed object-oriented programming language , 1993, POPL '93.

[18]  Martin Wirsing,et al.  From Sequential to Multi-Threaded Java: An Event-Based Operational Semantics , 1997, AMAST.

[19]  Donald Robert Syme Declarative theorem proving for operational semantics , 1999 .

[20]  M. Gordon,et al.  Introduction to HOL: a theorem proving environment for higher order logic , 1993 .

[21]  David von Oheimb Hoare Logic for Mutual Recursion and Local Variables , 1999, FSTTCS.

[22]  Robin Milner,et al.  A Theory of Type Polymorphism in Programming , 1978, J. Comput. Syst. Sci..

[23]  Sophia Drossopoulou,et al.  Java is Type Safe - Probably , 1997, ECOOP.

[24]  Bart Jacobs,et al.  Reasoning about Java classes: preliminary report , 1998, OOPSLA '98.

[25]  Peter B. Andrews An introduction to mathematical logic and type theory - to truth through proof , 1986, Computer science and applied mathematics.

[26]  Wolfgang Thomas Semantik und Verifikation , 1993, Perspektiven der Informatik.

[27]  Gilles Kahn,et al.  Natural Semantics , 1987, STACS.

[28]  Peter V. Homeier,et al.  A Mechanically Verified Verification Condition Generator , 1995, Comput. J..

[29]  William R. Cook,et al.  A Proposal for Making Eiffel Type-Safe , 1989, Comput. J..

[30]  Natarajan Shankar,et al.  PVS: A Prototype Verification System , 1992, CADE.

[31]  Markus Wenzel,et al.  Isar - A Generic Interpretative Approach to Readable Formal Proof Documents , 1999, TPHOLs.

[32]  David A. Karp Windows 98 Annoyances , 2002 .

[33]  Cornelia Pusch,et al.  Proving the Soundness of a Java Bytecode Verifier Specification in Isabelle/HOL , 1999, TACAS.

[34]  Amy P. Felty,et al.  The Coq proof assistant user's guide : version 5.6 , 1990 .

[35]  M. Gordon HOL : A machine oriented formulation of higher order logic , 1985 .

[36]  Bart Jacobs,et al.  Java Program Verification via a Hoare Logic with Abrupt Termination , 2000, FASE.

[37]  Thomas Schreiber,et al.  Auxiliary Variables and Recursive Procedures , 1997, TAPSOFT.

[38]  Alonzo Church,et al.  A formulation of the simple theory of types , 1940, Journal of Symbolic Logic.

[39]  Arnd Poetzsch-Heffter,et al.  A Programming Logic for Sequential Java , 1999, ESOP.

[40]  Michael J. C. Gordon,et al.  Mechanizing programming logics in higher order logic , 1989 .

[41]  Anneke Kleppe,et al.  The object constraint language: precise modeling with UML , 1998 .

[42]  C. A. R. Hoare,et al.  An axiomatic basis for computer programming , 1969, CACM.

[43]  David Aspinall Protocols for Interactive e-Proof , 2000 .

[44]  Thomas Kleymann,et al.  Hoare logic and VDM : machine-checked soundness and completeness proofs , 1998 .

[45]  Lawrence C. Paulson,et al.  Logic and computation - interactive proof with Cambridge LCF , 1987, Cambridge tracts in theoretical computer science.

[46]  Marieke Huisman,et al.  A Comparison of PVS and Isabelle/HOL , 1998, TPHOLs.

[47]  Don Syme,et al.  Proving Java Type Soundness , 1999, Formal Syntax and Semantics of Java.

[48]  Flemming Nielson,et al.  Semantics with applications - a formal introduction , 1992, Wiley professional computing.

[49]  Martin Odersky,et al.  Pizza into Java: translating theory into practice , 1997, POPL '97.

[50]  Lawrence C. Paulson,et al.  Isabelle: The Next 700 Theorem Provers , 2000, ArXiv.

[51]  Chuan Yi Tang,et al.  A 2.|E|-Bit Distributed Algorithm for the Directed Euler Trail Problem , 1993, Inf. Process. Lett..

[52]  Michael Norrish C formalised in HOL , 1998 .

[53]  Bart Jacobs,et al.  A Logic for the Java Modeling Language JML , 2001, FASE.

[54]  Kim B. Bruce,et al.  PolyTOIL: A Type-Safe Polymorphic Object-Oriented Language , 1995, ECOOP.

[55]  Sarfraz Khurshid,et al.  Is the Java Type System Sound? , 1999, Theory Pract. Object Syst..

[56]  Bernhard Rumpe,et al.  The UML as a formal modeling notation , 1998, Comput. Stand. Interfaces.

[57]  Robin Milner,et al.  Definition of standard ML , 1990 .

[58]  Lawrence C. Paulson Introduction to Isabelle , 1999 .

[59]  Matthias Felleisen,et al.  A Syntactic Approach to Type Soundness , 1994, Inf. Comput..

[60]  Zhenyu Qian,et al.  Toward a provably-correct implementation of the JVM bytecode verifier , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[61]  Andrew C. Myers,et al.  Parameterized types for Java , 1997, POPL '97.

[62]  Wolfgang Weck,et al.  Java Needs Compound Types , 1998 .

[63]  Stefan Berghofer,et al.  Inductive Datatypes in HOL - Lessons Learned in Formal-Logic Engineering , 1999, TPHOLs.

[64]  Tobias Nipkow,et al.  Verified lightweight bytecode verification , 2001, Concurr. Comput. Pract. Exp..

[65]  Peter V. Homeier,et al.  Mechanical Verification of Mutually Recursive Procedures , 1996, CADE.

[66]  Wolfgang Naraschewski,et al.  Object-Oriented Verification Based on Record Subtyping in Higher-Order Logic , 1998, TPHOLs.

[67]  Stephen A. Cook,et al.  Soundness and Completeness of an Axiom System for Program Verification , 1978, SIAM J. Comput..

[68]  Tobias Nipkow,et al.  Machine-Checking the Java Specification: Proving Type-Safety , 1999, Formal Syntax and Semantics of Java.

[69]  Martín Abadi,et al.  A Logic of Object-Oriented Programs , 2003, Verification: Theory and Practice.