Formal Aspects of Computing

, Volume 25, Issue 3, pp 405–437 | Cite as

A Dynamic Logic for deductive verification of multi-threaded programs

  • Bernhard Beckert
  • Vladimir Klebanov
Original Article


We present MODL, a Dynamic Logic and a deductive verification calculus for a core Java-like language that includes multi-threading. The calculus is based on symbolic execution. Even though we currently do not handle non-atomic loops, employing the technique of symmetry reduction allows us to verify systems without limits on state space or thread number. We have instantiated our logic for (restricted) multi-threaded Java programs and implemented the verification calculus within the KeY system. We demonstrate our approach by verifying a central method of the StringBuffer class from the Java standard library in the presence of unbounded concurrency.


Multi-threading Deductive verification Symbolic execution Symmetry reduction Input/ output reasoning 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. AdBdRS05.
    Ábrahám E., de Boer FS., de Roever W-P., Steffen M (2005) An assertion-based proof system for multithreaded Java. Theor Comput Sci 331(2–3): 251–290zbMATHCrossRefGoogle Scholar
  2. AFF06.
    Abadi M., Flanagan C., Freund SN (2006) Types for safe locking: static race detection for Java. ACM Trans Program Lang Syst 28(2): 207–255CrossRefGoogle Scholar
  3. Ash75.
    Ashcroft EA (1975) Proving assertions about parallel programs. J Comput Syst Sci 10(1): 110–135MathSciNetzbMATHCrossRefGoogle Scholar
  4. BDRS02.
    Balser M., Duelli C., Reif W., Schellhorn G (2002) Verifying concurrent systems with symbolic execution. J Logic Comput 12(4): 549–560MathSciNetzbMATHCrossRefGoogle Scholar
  5. BHS07.
    Beckert B, Hähnle R, Schmitt PH (eds) (2007) Verification of object-oriented software: the KeY approach. LNCS, vol 4334. Springer, BerlinGoogle Scholar
  6. BJ09.
    Bradbury JS, Jalbert K (2009) Defining a catalog of programming anti-patterns for concurrent Java. In: Proceedings of the 3rd international workshop on software patterns and quality (SPAQu’09), pp 6–11Google Scholar
  7. BP06.
    Beckert B, Platzer A (2006) Dynamic logic with non-rigid functions: a basis for object-oriented program verification. In: Furbach U, Shankar N (eds) Proceedings of international joint conference on automated reasoning, Seattle, USA. LNCS, vol 4130, pp 266–280. Springer, BerlinGoogle Scholar
  8. BS05.
    Beckert B., Schlager S (2005) Refinement and retrenchment for programming language data types. Form Asp Comput 17(4): 423–442zbMATHCrossRefGoogle Scholar
  9. dB07.
    de Boer FS (2007) A sound and complete shared-variable concurrency model for multi-threaded Java programs. In: Bonsangue MM, Johnsen EB (eds) Formal methods for open object-based distributed systems. Proceedings of 9th IFIP WG 6.1 International Conference, FMOODS 2007, Paphos, Cyprus, June 6–8, 2007. LNCS, vol 4468. Springer, Berlin, pp 252–268Google Scholar
  10. DRB02.
    Delzanno G, Raskin J-F, Van Begin L (2002) Towards the automated verification of multithreaded Java programs. In: Katoen J-P, Stevens P (eds) Proceedings of 8th international conference on tools and algorithms for the construction and analysis of systems (TACAS). LNCS, vol 2280. Springer, Berlin, pp 173–187Google Scholar
  11. EU04.
    Eytani Y, Ur S (2004) Compiling a benchmark of documented multi-threaded bugs. In: Proceedings of 18th international parallel and distributed processing symposium (IPDPS 2004). IEEE Computer SocietyGoogle Scholar
  12. FF04.
    Flanagan C, Freund SN (2004) Atomizer: a dynamic atomicity checker for multithreaded programs. In: POPL ’04: Proceedings of the 31st ACM SIGPLAN-SIGACT symposium on principles of programming languages. ACM, New York, pp 256–267Google Scholar
  13. FLL+02.
    Flanagan C, Leino KRM, Lillibridge M, Nelson G, Saxe JB, Stata R (2002) Extended static checking for Java. In: Proceedings of ACM SIGPLAN 2002 conference on programming language design and implementation. ACM Press, Berlin, pp 234–245Google Scholar
  14. GS02.
    Greenhouse A, Scherlis WL (2002) Assuring and evolving concurrent programs: annotations and policy. In: ICSE ’02: Proceedings of the 24th international conference on software engineering, pp 453–463Google Scholar
  15. HP00.
    Havelund K., Pressburger T (2000) Model checking Java programs using Java PathFinder. Int J Softw Tools Technol Transfer 2(4): 366–381zbMATHCrossRefGoogle Scholar
  16. Jac.
    Jacks is an automated compiler killing suite.
  17. Jon81.
    Jones CB (1981) Development methods for computer programs including a notion of interference. PhD thesis, Oxford UniversityGoogle Scholar
  18. JP01.
    Jacobs B, Poll E (2001) A logic for the Java modeling language JML. In: Proceedings of 4th international conference on fundamental approaches to software engineering (FASE). Springer, Berlin, pp 284–299Google Scholar
  19. JSPS06.
    Jacobs B, Smans J, Piessens F, Schulte W (2006) A statically verifiable programming model for concurrent object-oriented programs. In: Liu Z, He J (eds) Proceedings of 8th international conference on formal engineering methods, ICFEM, Macao, China. LNCS, vol 4260. Springer, Berlin, pp 420–439Google Scholar
  20. Kel76.
    Keller RM (1976) Formal verification of parallel programs. Commun ACM 19(7): 371–384zbMATHCrossRefGoogle Scholar
  21. Kin76.
    King JC (1976) Symbolic execution and program testing. Commun ACM 19(7): 385–394zbMATHCrossRefGoogle Scholar
  22. Kle04.
    Klebanov V (2004) A JMM-faithful non-interference calculus for Java. In: Proceedings of 4th international workshop on Scientific engineering of distributed Java applications, Luxembourg-Kirchberg. LNCS, vol 3409. Springer, Berlin, pp 101–111Google Scholar
  23. Kle09.
    Klebanov V (2009) Extending the reach and power of deductive program verification. PhD thesis, Department of Computer Science, Universität Koblenz-LandauGoogle Scholar
  24. KPV03.
    Khurshid S, Pasareanu CS, Visser W (2003) Generalized symbolic execution for model checking and testing. In: Garavel H, Hatcliff J (eds) Proceedings of 9th international conference on tools and algorithms for the construction and analysis of systems (TACAS). LNCS, vol 2619. Springer, Berlin, pp 553–568Google Scholar
  25. MP91.
    Manna Z, Pnueli A (1991) Completing the temporal picture. In: Selected papers of the 16th international colloquium on automata, languages, and programming. Elsevier, Amsterdam, pp 97–130Google Scholar
  26. MPMU04.
    Marché C., Paulin-Mohring C., Urbain X (2004) The Krakatoa tool for certification of Java/Java Card programs annotated in JML. J Log Algebr Program 58(1–2): 89–106zbMATHCrossRefGoogle Scholar
  27. OG76.
    Owicki SS, Gries D (1976) An axiomatic proof technique for parallel programs I. Acta Inf 6: 319–340MathSciNetzbMATHCrossRefGoogle Scholar
  28. Pel87a.
    Peleg D (1987) Communication in concurrent dynamic logic. J Comput Syst Sci 35(1): 23–58MathSciNetzbMATHCrossRefGoogle Scholar
  29. Pel87b.
    Peleg D (1987) Concurrent dynamic logic. J ACM 34(2): 450–479MathSciNetzbMATHCrossRefGoogle Scholar
  30. PHM99.
    Poetzsch-Heffter A, Müller P (1999) A programming logic for sequential Java. In: Swierstra D (ed) Proceedings of ESOP ’99. LNCS, vol 1576. Springer, BerlinGoogle Scholar
  31. RDF+05.
    Rodríguez E, Dwyer MB, Flanagan C, Hatcliff J, Leavens GT, Robby (2005) Extending JML for modular specification and verification of multi-threaded programs. In: ECOOP. LNCS, vol 3586. Springer, Berlin, pp 551–576Google Scholar
  32. RDH03.
    Robby, Dwyer MB, Hatcliff J (2003) Bogor: an extensible and highly-modular software model checking framework. In: ESEC/FSE-11: Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on foundations of software engineering. ACM, New York, pp 267–276Google Scholar
  33. RDHI03.
    Robby, Dwyer MB, Hatcliff J, Iosif R (2003) Space-reduction strategies for model checking dynamic software. In: Proceedings SoftMC 2003, workshop on software model checking, ENTCS 89Google Scholar
  34. vO01.
    von Oheimb D (2001) Hoare logic for Java in Isabelle/HOL. Concurrency Comput Pract Exp 13(13): 1173–1214zbMATHCrossRefGoogle Scholar
  35. VP07.
    Vafeiadis V, Parkinson MJ (2007) A marriage of Rely/Guarantee and Separation Logic. In: Caires L, Vasconcelos VT (eds) Proceedings 18th international conference on concurrency theory (CONCUR 2007), Lisbon, Portugal. LNCS, vol 4703. Springer, Berlin, pp 256–271Google Scholar
  36. Yah01.
    Yahav E (2001) Verifying safety properties of concurrent Java programs using 3-valued logic. In: POPL ’01: Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on principles of programming languages. ACM Press, New York, pp 27–40Google Scholar
  37. ZKR08.
    Zee K, Kuncak V, Rinard MC (2008) Full functional verification of linked data structures. In: Gupta R, Amarasinghe SP (eds) Proceedings of the ACM SIGPLAN 2008 conference on programming language design and implementation, Tucson, AZ, USA, June 7–13, 2008. ACM, New York, pp 349–361Google Scholar

Copyright information

© British Computer Society 2012

Authors and Affiliations

  1. 1.Institute for Theoretical InformaticsKarlsruhe Institute of TechnologyKarlsruheGermany

Personalised recommendations