Engineering a Sound Assertion Semantics for the Verifying Compiler

The Verifying Compiler (VC) project is a core component of the Dependable Systems Evolution Grand Challenge. The VC offers the promise of automatically proving that a program or component is correct, where correctness is defined by program assertions. While several VC prototypes exist, all adopt a semantics for assertions that is unsound. This paper presents a consolidation of VC requirements analysis (RA) activities that, in particular, brought us to ask targeted VC customers what kind of semantics they wanted. Taking into account both practitioners' needs and current technological factors, we offer recovery of soundness through an adjusted definition of assertion validity that matches user expectations and can be implemented practically using current prover technology. For decades, there have been debates concerning the most appropriate semantics for program assertions. Our contribution here is unique in that we have applied fundamental software engineering techniques by asking primary stakeholders what they want and, based on this, proposed a means of efficiently realizing the semantics stakeholders want using standard tools and techniques. We describe how support for the new semantics has been added to ESC/Java2, one of the most fully developed VC prototypes. Case studies demonstrate the effectiveness of the new semantics at uncovering previously indiscernible specification errors.
