An incremental approach to
Formal verification for
Java applications
Teodor Parvanov
May 26-27 ‘16, Sofia
26-27/05/2016
1
About me
• I currently work at VMware Bulgaria, working on standing up the fully
automated Software-Defined Data Center (SDDC)
• University background in Maths/Physics & Computer science “made in
France”
=> Unhealthy tendency towards modelling stuff using mathematical
equations
• Computer programs being also “stuff”, why not try and model them with
equations too (a.k.a. formal verification)?
Even deepest philosophical questions…
An example from aerodynamics
• Longitudinal stability
• Required so that the pilot (and underlying electronic and mechanical
systems) can keep the aircraft stable without significant intervention
• => simulation based on the laws of mechanics and aerodynamics
Mathematical equations of stability
$$\frac{\partial M}{\partial \alpha} = h\,\frac{\partial L_w}{\partial \alpha} + \frac{\partial L_t}{\partial \alpha}$$
where:
$$h = x_g - 0.5\,\frac{l_t S_t}{S_w}$$
Condition for static stability: $x_g < 0.5\,\frac{l_t S_t}{S_w}$
So why not computer programs ?
• Formal verification is successfully applied in:
• HW industry
• Embedded SW
• Transportation systems
• Energy production
• Manufacturing
• “Mainstream” software is lagging behind:
• Banking, finance, insurance
• Healthcare
• Flight ticket reservations
• Electronic voting
Java - let’s start simple !
Correct ?
Can we specify this in mathematical terms?
Disclaimer !
• Use of mild mathematical language follows
A calculus for computation?
$|\mathit{result}| = |a|$
$|a| > 1 \rightarrow \forall i \in [0, |a| - 1[,\ \mathit{result}_i \le \mathit{result}_{i+1}$
• We need a formal system (a calculus) to reason about correctness
• Logically proven correctness provides quality guarantees far
beyond what any amount of testing can
First-order logic (FOL)
• Sufficiently expressive (and intuitive) to model program behavior
by representing execution state
• Syntax
• Variables (numbers, objects, etc.): $x, y, z, x_1, \dots, x_n, y_1, \dots, y_m$
• Functions (over the variables): $f(x),\ g(x, y),\ \mathit{sort}(a),\ \dots$
• Predicates (evaluate to true/false): $p(x_1, \dots, x_n),\ q(y_1, \dots, y_m)$
• Existential quantifier “exists”: $\exists x, y,\ q(f(x), q(y))$
• Universal quantifier “for each”: $\forall x, y,\ q(f(x), q(y))$
FOL examples
• $\mathit{isSorted}(a) \leftrightarrow \forall i \in [0, |a| - 1[,\ a_i \le a_{i+1}$
• $\mathit{sort}: \mathit{int}[] \rightarrow \mathit{int}[]$
• $\forall a \in \mathit{int}[],\ \mathit{isSorted}(\mathit{sort}(a))$
Well, you know …
Program correctness
• Specification
• The precise statement of the properties a program should exhibit
• Translates into a set of program annotations asserting properties over
program variables
• The language of FOL provides precision
• Partial correctness (safety properties)
• If a program halts, then its output satisfies some relation with its input
• “Nothing bad happens”
• Total correctness (progress properties)
• Certain states are eventually reached during program execution
• “Something good eventually happens”
Partial correctness notation
P: pre-condition over the inputs
C: S1; … Sn;
Q: post-condition over the outputs
=> Hoare triple: $\{P\}\ C\ \{Q\}$
First-Order Logic for Java
• JML (Java Modelling Language)
• Embedded as Java comments with //@ or /*@ … @*/
• Java-like syntax extended with new keywords for specification:
• forall, exists, requires, ensures, \invariant, \loop_invariant, \pure…
• Implemented by the OpenJML library
• Supported annotations
• Method pre-/post-condition (e.g. //@ requires x >= 0)
• Class invariant (e.g. //@ this.accountBalance >= 0)
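Added example (not from the slides, and not OpenJML's or the JDK's own code): a small account class and an array sort carrying JML contracts. It puts the earlier pieces together in one place: the FOL examples (isSorted and sort), the Hoare triple {P} C {Q} of the partial-correctness slide, and the annotation kinds listed above (method pre-/post-conditions and a class invariant). The class, method and field names are illustrative assumptions; the JML keywords used (requires, ensures, invariant, pure, spec_public, \old, \result, \forall, \fresh) are standard JML.

```java
import java.util.Arrays;

/**
 * Added example, not from the slides: a bank account whose safety
 * properties are stated as JML contracts, plus a sort wrapper whose
 * postcondition is the isSorted property from the FOL slide.
 * Class, method and field names are illustrative choices.
 */
public class Account {

    // Class invariant: the balance can never go negative (the slide's
    // "//@ this.accountBalance >= 0" idea). spec_public lets the
    // specification refer to a private field.
    //@ public invariant balance >= 0;
    private /*@ spec_public @*/ int balance;

    //@ requires initial >= 0;
    //@ ensures balance == initial;
    public Account(int initial) {
        this.balance = initial;
    }

    // Precondition rules out negative deposits and int overflow; the
    // postcondition relates the new state to the old one via \old.
    //@ requires amount >= 0 && balance <= Integer.MAX_VALUE - amount;
    //@ ensures balance == \old(balance) + amount;
    public void deposit(int amount) {
        balance += amount;
    }

    // Hoare triple {P} C {Q}: P = 0 <= amount <= balance,
    // C = the method body, Q = balance decreased by exactly amount.
    // P is what keeps the class invariant (no overdraft) provable.
    //@ requires 0 <= amount && amount <= balance;
    //@ ensures balance == \old(balance) - amount;
    public void withdraw(int amount) {
        balance -= amount;
    }

    // pure: no side effects, so it may be called inside specifications.
    //@ ensures \result == balance;
    public /*@ pure @*/ int getBalance() {
        return balance;
    }

    // isSorted(a) <-> forall i in [0, |a|-1[, a[i] <= a[i+1],
    // written as a pure Java method with the same property as its contract.
    //@ requires a != null;
    //@ ensures \result == (\forall int i; 0 <= i && i < a.length - 1; a[i] <= a[i + 1]);
    public static /*@ pure @*/ boolean isSorted(int[] a) {
        for (int i = 0; i + 1 < a.length; i++) {
            if (a[i] > a[i + 1]) {
                return false;
            }
        }
        return true;
    }

    // forall a in int[], isSorted(sort(a)); the result is a fresh array
    // of the same length as the input (|result| = |a|), and the input
    // itself is left untouched.
    //@ requires a != null;
    //@ ensures \fresh(\result) && \result.length == a.length;
    //@ ensures isSorted(\result);
    public static int[] sort(int[] a) {
        int[] result = Arrays.copyOf(a, a.length);
        Arrays.sort(result);
        return result;
    }

    // Stand-alone run on constructed sample values.
    public static void main(String[] args) {
        Account acct = new Account(100);
        acct.deposit(50);
        acct.withdraw(30);
        System.out.println("balance = " + acct.getBalance());
        int[] sorted = sort(new int[] {5, 3, 9, 1});
        System.out.println(Arrays.toString(sorted) + " sorted=" + isSorted(sorted));
    }
}
```

With OpenJML installed, its extended static checking mode attempts a proof of every contract against the code, and its runtime assertion checking mode compiles the contracts into checks, so a caller that passes a negative amount or overdraws fails at the precondition instead of silently corrupting the balance (the two modes are selected with `-esc` and `-rac`; the option spelling varies between OpenJML releases, so check the one you have). The overflow guard in deposit is the kind of safety property (“nothing bad happens”) that a test suite rarely exercises but a prover insists on.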
Can we make all this a bit more precise ?
Our first JML specification !
Incrementally leveraging JML annotations
• Very precise code documentation
• Actually such a specification exists for key parts of the JDK !
• Javadoc can also be generated out of JML annotations
• Test suite generation (using JML as a test oracle)
• JMLUnitNG
• Jartege, Tobias
• Formal proof of correctness (could be justified for certain core
components)
• manual
• automated (KeY, OpenJML)
Demo time !
Key takeaways
• Formal specification is not that hard (and fun !)
• And Java supports it (via OpenJML)
• Formal specification can be introduced incrementally
• Possible areas of application
• Core project libraries
• Frameworks
• Mission-critical business logic (“pure” methods)
Q&A
THANK YOU :)
You can find me at:
[email protected]
Teodor Parvanov
May 26-27 ’16, Sofia