• A heap resolution calculus that normalizes relational JavaDL proof obligations over composed heaps to relational expressions over constant heaps. The calculus is equipped with a rule application strategy that, after performing symbolic execution, automatically achieves the relational heap resolution task.
• An override simplification calculus that eases the verification process in JKelloy by reducing the need for expanding the definitions of relational operators, especially of those applied to override expressions.
1.6 Outline
The thesis is divided into nine chapters.
Chapter 2, the foundation chapter, provides general introductions to the Alloy specification language and its analysis, the satisfiability modulo theories problem and its analysis, and the KeY system and its Java dynamic logic. Further needed details are introduced in the chapters where they are used.
Chapter 3 gives an example-driven overview of the automatic proof process of AlloyPF. The details of the individual techniques used in the proof process are described in the next four chapters.
In Chapter 4, the syntax and semantics of our first-order relational logic RFOL are defined.
Chapter 5 defines the underlying proof obligations of Alloy specifications and presents their translation to RFOL proof obligations. It shows proofs of correctness and completeness of the Alloy to RFOL translation and reports on the experimental results of proving Alloy specifications using the translation, without any further simplification.
Chapter 6 introduces our extended semantics blasting simplification technique SB+. It presents the SB+ procedure rules and defines its completeness fragment together with a cost-effective testing system for the inclusion of RFOL formulas in the fragment. The chapter also reports on the experimental results of proving Alloy specifications using the Alloy to RFOL translation together with the SB+ simplification technique and compares them with the experimental results of Chapter 5 and of the bounded analysis of the Alloy Analyzer.
Chapter 7 introduces our sufficient ground term sets technique SufGT. It presents the SufGT procedure rules and an algorithm that uses the computed sufficient ground terms for an efficient elimination of quantified variables. The chapter also provides a proof of correctness and completeness of the technique with respect to the elimination of quantified variables and reports on the experimental results on applying the SufGT technique to simplify general SMT benchmarks.
Chapter 8 introduces our path-invariants based transitive closure reasoning technique TCPInv. It proves the existence of effective path-invariants for each essential path in a refutable RFOL formula and presents procedures for the detection of the essential paths and their path-invariants. The chapter also reports on the experimental results of applying the TCPInv reasoning technique to prove Alloy specifications, including those which could not be proved in Chapter 6.
Chapter 9 introduces JKelloy, our tool for the deductive verification of Java programs against Alloy specifications. It also reports on using JKelloy to prove three Java programs with relational specifications.
The thesis ends with a conclusion and discussion of future work in Chapter 10.
Chapter 2
Foundations: Alloy, SMT, KeY
This chapter provides a general introduction to the frameworks and tools used in this dissertation. More detailed information is given in the chapters where it is needed.
2.1 Alloy
Alloy [47] is a modeling language based on a first-order relational logic of the same name, with built-in operators for transitive closure, set cardinality, integer arithmetic, and comprehension. In this dissertation, we investigate the automatic verification of Alloy problems as well as the verification of Java programs with Alloy annotations. For both tasks we address a subset of Alloy version 4.x¹. This subset, called core Alloy, represents all commonly used Alloy constructs. Almost all other constructs not present in core Alloy can be desugared to core Alloy.
2.1.1 Alloy Problem
As shown in Figure 2.1, an Alloy problem consists of a collection of type declarations, relation declarations, relational first-order formulas marked as facts, and possibly another formula marked as an assertion to check or as a predicate to run.
The type declarations introduce the global types (called signatures), which represent sets of atoms. The signature declaration
sig A { ... }
declares a top-level type named A, whereas
sig B (in | extends) A { ... }
declares a subtype of A named B. The keyword extends additionally constrains B to be an interface of A, i.e., a type T is the union of all its interfaces.
¹ We started the investigation with version 4.1 and ended up with version 4.2.
problem   ::= typeDcl* relDcl* fact* (assertion | predicate)
typeDcl   ::= sig identifier [(in | extends) type]
relDcl    ::= rel : type [[mult] → [mult] type]*
mult      ::= lone | some | one | set
fact      ::= formula
assertion ::= formula
predicate ::= formula
exp       ::= type | var | rel | none | iden | exp + exp
            | exp & exp | exp − exp | exp . exp | exp → exp
            | exp <: exp | ~exp | ^exp | Int intExp
intExp    ::= number | #exp | int var
            | intExp intOp intExp | (sum [var : exp]+ | intExp)
formula   ::= exp in exp | exp = exp
            | intExp intComp intExp
            | not formula | formula and formula
            | formula or formula
            | all var : exp | formula
            | some var : exp | formula
intOp     ::= + | -
intComp   ::= < | > | =
type      ::= identifier | Int
rel       ::= identifier
var       ::= identifier
Figure 2.1: Abstract syntax for the core Alloy logic
The relation declarations introduce global relations (called fields of signatures), which represent sets of n-ary tuples, where n is the relation arity. That is,
sig A { r : B m→n C }
declares a ternary relation named r ⊆ A × B × C with the restriction that for each a ∈ A the binary relation a.r maps each tuple in B to n tuples of C, and each tuple in C to m tuples of B. Note that the expressions B and C can be arbitrary relational expressions, and that the multiplicity keywords m and n are restricted to {lone, some, one, set} (see Figure 2.1).
The fact formulas are usually used to express (further) global constraints on the declared types and relations, i.e., constraints that are independent of the assertion (respectively predicate). The assertion (respectively predicate) formula expresses a property about the system defined so far. The goal of the analysis is to check whether the property holds in the system, within a given scope.
2.1.2 Expressions
Alloy expressions are the basic building blocks of Alloy formulas; they always evaluate to relations². Basic Alloy expressions are constant relations; these include all declared signatures and relations as well as the built-in constants: none for the unary empty set, univ for the set of all atoms, and iden ⊆ univ × univ for the identity relation.
Complex expressions are built, recursively, from basic expressions using Alloy's relational operators. These are: r + s, r ++ s, r & s, r - s for union, override, intersection, and difference of same-arity relations r and s, respectively; r.s, r→s for relational join and Cartesian product of arbitrary relations r and s, respectively; ~r, ^r for transposition and transitive closure of a binary relation r, respectively; s <: r for domain restriction of an arbitrary relation r to a set (unary relation) s. The semantics of these operators, except domain restriction, are shown in Figure 5.4. A domain restriction application of the form s <: r, where r is an n-ary relation, can however be desugared to (s → univ → ... → univ) & r, where univ occurs n−1 times.
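The relational operators just listed, as an added example that is not code from the thesis: relations are modelled as Python sets of tuples (union, intersection and difference are then the set operators |, &, -), and the last function applies the domain restriction desugaring given above, with the universe univ and the arity n passed in explicitly (sample relations are constructed).

```python
# Added example, not code from the thesis: core Alloy relational operators over
# finite relations modelled as Python sets of tuples, plus a check that the
# desugaring of domain restriction s <: r given above agrees with the direct
# definition. The universe univ is passed explicitly (constructed sample below).
from itertools import product as cartesian

def override(r, s):
    # r ++ s: all tuples of s, plus the tuples of r whose first atom is not in dom(s)
    dom_s = {t[0] for t in s}
    return s | {t for t in r if t[0] not in dom_s}

def prod(r, s):
    # r -> s: Cartesian product, concatenating tuples
    return {a + b for a, b in cartesian(r, s)}

def join(r, s):
    # r.s: match the last atom of an r-tuple with the first atom of an s-tuple
    return {a[:-1] + b[1:] for a, b in cartesian(r, s) if a[-1] == b[0]}

def transpose(r):
    # ~r for a binary relation r
    return {(b, a) for a, b in r}

def closure(r):
    # ^r: least fixed point of r + r.r + r.r.r + ... for a binary relation r
    result = set(r)
    while True:
        step = result | join(result, r)
        if step == result:
            return result
        result = step

def dom_restrict(s, r):
    # s <: r, direct definition: tuples of r whose first atom lies in the set s
    return {t for t in r if (t[0],) in s}

def dom_restrict_desugared(s, r, univ, n):
    # (s -> univ -> ... -> univ) & r with n-1 copies of univ, n the arity of r
    e = s
    for _ in range(n - 1):
        e = prod(e, univ)
    return e & r

# constructed sample: a three-atom universe, a ternary relation and a unary set
UNIV = {("a",), ("b",), ("c",)}
R = {("a", "b", "c"), ("b", "c", "a"), ("c", "a", "b")}
S = {("a",), ("c",)}
```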
Integer expressions denote primitive integers. The built-in type Int represents the set of all atoms carrying primitive integers. The expression Int ie denotes the atom carrying the integer denoted by the integer expression ie, whereas int v denotes the integer value of the atom represented by the variable v. Integer expressions are obtained from constant numbers (..., -1, 0, 1, ...) and set cardinality expressions #exp, where exp is an arbitrary relational expression, and are combined using the arithmetic operators (+, -). The arithmetic operators are distinguished from relational operators using the type information³.
2.1.3 Multiplicity Constraints
Alloy supports the following multiplicity keywords:
• set: any number
• one: exactly one
• lone: at most one
• some: at least one
Depending on where multiplicity keywords are placed, they induce different constraints. If applied outside declarations, like in lone r, the keyword constrains the relation r to have at most one tuple; in other words, |r| ≤ 1. If applied within declarations, like
² Since version 4.2, integer expressions can also be seen as relational expressions (cf. [48, page 82]).
³ Since version 4.2, the distinction between relational and arithmetic operators is made syntactically.
in x: lone r, it constrains the variable x to be a subset of r that contains at most one tuple. If applied within relation declarations, like r: A→B some→one C, it constrains, for each a: A, the expression a.r to associate each tuple in B with exactly one tuple in C and each tuple in C with at least one tuple in B. The default multiplicity keyword for unary relations is one and for multiple-arity relations is set.
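The reading of a declaration r: A→B m→n C given above, as an added example that is not code from the thesis: the function checks a concrete ternary relation against the two multiplicity keywords, with A, B, C and the sample relations constructed (R_BAD violates some→one because, for a1, the atom c2 has no B-tuple).

```python
# Added example, not code from the thesis: check the multiplicity constraint of
# a declaration  r : A -> B m -> n C  on a concrete ternary relation, following
# the reading above (each b gets n c's via a.r, each c gets m b's via a.r).
MULT = {"set": lambda k: True, "one": lambda k: k == 1,
        "lone": lambda k: k <= 1, "some": lambda k: k >= 1}

def satisfies_mult(r, A, B, C, m, n):
    """r is a set of triples (a, b, c); m and n are multiplicity keywords."""
    ok_m, ok_n = MULT[m], MULT[n]
    for a in A:
        a_r = {(b, c) for (x, b, c) in r if x == a}   # the binary relation a.r
        for b in B:                                     # b.(a.r) must have n tuples
            if not ok_n(sum(1 for (y, _) in a_r if y == b)):
                return False
        for c in C:                                     # (a.r).c must have m tuples
            if not ok_m(sum(1 for (_, z) in a_r if z == c)):
                return False
    return True

# constructed sample for  r : A -> B some -> one C
A, B, C = {"a1", "a2"}, {"b1", "b2"}, {"c1", "c2"}
R_OK = {("a1", "b1", "c1"), ("a1", "b2", "c2"), ("a2", "b1", "c2"), ("a2", "b2", "c1")}
R_BAD = {("a1", "b1", "c1"), ("a1", "b2", "c1"), ("a2", "b1", "c2"), ("a2", "b2", "c1")}
```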
2.1.4 Formulas
Basic Alloy formulas are formed from Alloy expressions using the subset operator in, the equality operator =, and the integer comparison operators less than <, greater than >, and integer equality =. Basic formulas can be combined using the usual logical connectives, including conjunction (and or &&), disjunction (or or ||), implication (implies or ⇒), and negation (not or !). Complex Alloy formulas are built using quantifiers. Quantified Alloy formulas take the form Q x: exp | F, where Q is one of the Alloy quantifiers all, some, no, one, lone, and x is a variable (usually) occurring in F and bound by the Alloy expression exp. The semantics of the standard all and some quantifiers are shown in Figure 5.4. All other quantifiers can be desugared using the standard quantifiers as shown in Table 2.1.
no x: exp | F    ≡  all x: exp | !F
one x: exp | F   ≡  some x: exp | F and (all y: exp | y != x ⇒ !F)
lone x: exp | F  ≡  (some x: exp | F and (all y: exp | y != x ⇒ !F)) or all x: exp | !F
Table 2.1: Desugaring of non-standard Alloy quantifiers
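The desugarings of Table 2.1, as an added example that is not code from the thesis: each non-standard quantifier is evaluated directly over a finite bound and through its desugaring into all and some, and the last function exhaustively checks that the two readings agree for every possible truth set of F over a constructed bound.

```python
# Added example, not code from the thesis: the Alloy quantifiers no, one and
# lone evaluated directly over a finite bound, next to their desugarings from
# Table 2.1, with an exhaustive check that both readings agree for every
# possible truth set of F over the bound (the atoms below are constructed).
from itertools import combinations

def q_all(exp, f):
    return all(f(x) for x in exp)

def q_some(exp, f):
    return any(f(x) for x in exp)

def no_direct(exp, f):
    return not any(f(x) for x in exp)

def one_direct(exp, f):
    return sum(1 for x in exp if f(x)) == 1

def lone_direct(exp, f):
    return sum(1 for x in exp if f(x)) <= 1

def no_desugared(exp, f):
    # no x: exp | F  ==  all x: exp | !F
    return q_all(exp, lambda x: not f(x))

def one_desugared(exp, f):
    # one x: exp | F  ==  some x: exp | F and (all y: exp | y != x => !F[y/x])
    return q_some(exp, lambda x: f(x) and q_all(exp, lambda y: y == x or not f(y)))

def lone_desugared(exp, f):
    # lone x: exp | F  ==  (desugared one) or (all x: exp | !F)
    return one_desugared(exp, f) or q_all(exp, lambda x: not f(x))

def desugarings_agree(atoms):
    # try every subset of atoms as the set of x for which F holds
    for k in range(len(atoms) + 1):
        for truth in combinations(atoms, k):
            f = lambda x, t=frozenset(truth): x in t
            if (no_direct(atoms, f) != no_desugared(atoms, f)
                    or one_direct(atoms, f) != one_desugared(atoms, f)
                    or lone_direct(atoms, f) != lone_desugared(atoms, f)):
                return False
    return True

ATOMS = ["a0", "a1", "a2", "a3"]  # constructed bound for the quantifiers
```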
2.1.5 Analysis
The Alloy Analyzer, the original analysis tool for Alloy, provides two major analyses. The first (called predicate-running) analysis is applied to Alloy problems with a predicate and results in showing, if they exist, satisfying structures (called instances) that satisfy the predicate together with the Alloy model, i.e., the Alloy problem without its predicate (respectively assertion). The second analysis form (called assertion-checking) is applied to Alloy problems with an assertion and results in showing, if one exists, a structure (called a counterexample (CE)) that falsifies the implication of the assertion by the Alloy model.
The Alloy Analyzer, however, reduces both analysis forms to the same analysis problem, namely finding a satisfying structure (an assignment of the problem relations to values) that makes a given Alloy formula (also called a constraint) true. Having such a tool, one can serve (1) the predicate-running analysis by analysing the conjunction of all formulas induced by the Alloy model and the predicate formula, and (2) the assertion-checking analysis by analysing the conjunction of all formulas induced by the Alloy model and the negation of the assertion formula.