Journal of Automated Reasoning

, Volume 61, Issue 1–4, pp 243–332 | Cite as

Mechanising a Type-Safe Model of Multithreaded Java with a Verified Compiler

  • Andreas Lochbihler


This article presents JinjaThreads, a unified, type-safe model of multithreaded Java source code and bytecode formalised in the proof assistant Isabelle/HOL. The semantics strictly separates sequential aspects from multithreading features like locks, forks and joins, interrupts, and the wait-notify mechanism. This separation yields an interleaving framework and a notion of deadlocks that are independent of the language, and makes the type safety proofs modular. JinjaThreads’s non-optimising compiler translates source code into bytecode. Its correctness proof guarantees that the generated bytecode exhibits exactly the same observable behaviours as the source code, even for infinite executions and under the Java memory model. The semantics and the compiler are executable. JinjaThreads builds on and reuses the Java formalisations Jinja, Bali, \(\mu \)Java, and Java\(^{\ell ight}\) by Nipkow’s group. Being the result of more than fifteen years of studying Java in Isabelle/HOL, it constitutes a large and long-lasting case study. It shows that fairly standard formalisation techniques scale well and highlights the challenges, benefits, and drawbacks of formalisation reuse.


Java Concurrency Type safety Compiler verification Operational semantics 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.



I thank my PhD supervisor Gregor Snelting for supporting this work, Jonas Thedering and Antonio Zea for their work on Java2Jinja, Lukas Bulwahn and Florian Haftmann for their help with the code generator, Jasmin Blanchette for his Nitpick support, and Christoph Sprenger and the anonymous revierers for their suggestions how to improve the presentation.


  1. 1.
    Aceto, L., van Glabbeek, R.J., Fokkink, W., Ingólfsdóttir, A.: Axiomatizing prefix iteration with silent steps. Inf. Comput. 127(1), 26–40 (1996). MathSciNetCrossRefzbMATHGoogle Scholar
  2. 2.
    Alves-Foss, J. (ed.): Formal Syntax and Semantics of Java, LNCS, vol. 1523. Springer (1999).
  3. 3.
    Backes, M., Busenius, A., Hriţcu, C.: On the development and formalization of an extensible code generator for real life security protocols. In: Goodloe, A.E., Person, S. (eds.) NFM 2012, LNCS, vol. 7226, pp. 371–387. Springer (2012).
  4. 4.
    Ballarin, C.: Locales: a module system for mathematical theories. J. Autom. Reason. 52(2), 123–153 (2014). MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Barthe, G., Crégut, P., Grégoire, B., Jensen, T., Pichardie, D.: The MOBIUS proof carrying code infrastructure. In: de Boer, F., Bonsangue, M., Graf, S., de Roever, W.P. (eds.) Formal Methods for Components and Objects, LNCS, vol. 5382, pp. 1–24. Springer (2008).
  6. 6.
    Batty, M., Memarian, K., Nienhuis, K., Pichon-Pharabod, J., Sewell, P.: The problem of programming language concurrency semantics. In: Vitek, J. (ed.) ESOP 2015, LNCS, vol. 9032, pp. 283–307. Springer (2015).
  7. 7.
    Belblidia, N., Debbabi, M.: A dynamic operational semantics for JVML. J. Object Technol. 6(3), 71–100 (2007)CrossRefGoogle Scholar
  8. 8.
    Berghofer, S., Strecker, M.: Extracting a formally verified, fully executable compiler from a proof assistant. In: COCV 2003, ENTCS, vol. 82(2), pp. 377–394 (2003).
  9. 9.
    Bergstra, J.A., Klop, J.W., Olderog, E.R.: Failures without chaos: a new process semantics for fair abstraction. In: Formal Description of Programming Concepts III (IFIP 1987), pp. 77–103. Elsevier Science Publishing (1987)Google Scholar
  10. 10.
    Blanchette, J.C., Nipkow, T.: Nitpick: A counterexample generator for higher-order logic based on a relational model finder. In: Kaufmann, M., Paulson, L.C. (eds.) ITP 2010, LNCS, vol. 6172, pp. 131–146. Springer (2010).
  11. 11.
    Bogdănaş, D., Roşu, G.: K-Java: A complete semantics of Java. In: POPL 2015, pp. 445–456. ACM (2015).
  12. 12.
    Breitner, J., Graf, J., Hecker, M., Mohr, M., Snelting, G.: On improvements of low-deterministic security. In: Piessens, F., Viganò, L. (eds.) POST 2016, LNCS, vol. 9635, pp. 68–88. Springer, Berlin (2016).
  13. 13.
    Connected limited device configuration (CLDC) specification 1.1.
  14. 14.
    Czarnik, P., Schubert, A.: Extending operational semantics of the Java bytecode. In: Barthe, G., Fournet, C. (eds.) TGC 2008, LNCS, vol. 4912, pp. 57–72. Springer (2008)Google Scholar
  15. 15.
    Dave, M.A.: Compiler verification: a bibliography. SIGSOFT Softw. Eng. Notes 28(6), 2–2 (2003)CrossRefGoogle Scholar
  16. 16.
    Drossopoulou, S., Eisenbach, S.: Describing the semantics of Java and proving type soundness. In: Alves-Foss, J. (ed.) Formal Syntax and Semantics of Java, LNCS, vol. 1523, pp. 542–542. Springer (1999).
  17. 17.
    Farzan, A., Chen, F., Meseguer, J., Roşu, G.: Formal analysis of Java programs in JavaFAN. In: Alur, R., Peled, D. (eds.) CAV 2004, LNCS, vol. 3114, pp. 501–505. Springer (2004).
  18. 18.
    Farzan, A., Meseguer, J., Roşu, G.: Formal JVM code analysis in Java FAN. In: Rattray, C., Maharaj, S., Shankland, C. (eds.) AMAST 2004, LNCS, vol. 3116, pp. 132–147. Springer (2004).
  19. 19.
    Flanagan, C., Freund, S.N., Lifshin, M., Qadeer, S.: Types for atomicity: static checking and inference for Java. ACM Trans. Program. Lang. Syst. 30(4), 1–53 (2008). CrossRefGoogle Scholar
  20. 20.
    Giffhorn, D.: Slicing of concurrent programs and its application to information flow control. Ph.D. thesis, Fakultät für Informatik, Karlsruher Institut für Technologie (2012)Google Scholar
  21. 21.
    Gosling, J., Joy, B., Steele, G., Bracha, G., Buckley, A.: The Java Language Specification: Java SE 8 Edition. Oracle America, Inc. (2015)Google Scholar
  22. 22.
    Goto, M., Jagadeesan, R., Pitcher, C., Riely, J.: Types for relaxed memory models. In: TLDI 2012, pp. 25–38. ACM (2012).
  23. 23.
    Grossman, D.: Type-safe multithreading in Cyclone. In: TLDI 2003, pp. 13–25. ACM (2003).
  24. 24.
    Hartel, P.H., Moreau, L.: Formalizing the safety of Java, the Java virtual machine, and Java card. ACM Comput. Surv. 33, 517–558 (2001). CrossRefGoogle Scholar
  25. 25.
    Huisman, M., Petri, G.: BicolanoMT: a formalization of multi-threaded Java at bytecode level. In: BYTECODE 2008, Electronic Notes in Theoretical Computer Science (2008)Google Scholar
  26. 26.
    Java platform, standard edition 8 API specification (2014).
  27. 27.
    Kildall, G.A.: A unified approach to global program optimization. In: POPL 1973, pp. 194–206. ACM (1973).
  28. 28.
    Klein, G.: Verified Java bytecode verification. Ph.D. thesis, Institut für Informatik, Technische Universität München (2003)Google Scholar
  29. 29.
    Klein, G., Nipkow, T.: Verified lightweight bytecode verification. Concurr. Comput. Pract. Exp. 13(13), 1133–1151 (2001)CrossRefzbMATHGoogle Scholar
  30. 30.
    Klein, G., Nipkow, T.: Verified bytecode verifiers. Theor. Comput. Sci. 298(3), 583–626 (2002). MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Klein, G., Nipkow, T.: Jinja is not Java. In: Klein, G., Nipkow, T., Paulson, L.C. (eds.) The Archive of Formal Proofs. (2005). Formal proof development. Accessed 31 Jan 2018
  32. 32.
    Klein, G., Nipkow, T.: A machine-checked model for a Java-like language, virtual machine and compiler. ACM Trans. Program. Lang. Syst. 28(4), 619–695 (2006). CrossRefGoogle Scholar
  33. 33.
    Klein, G., Nipkow, T., von Oheimb, D., Nieto, L.P., Schirmer, N., Strecker, M.: Java source and bytecode formalizations in Isabelle: Bali. Isabelle sources in Isabelle/HOL/Bali (2002)Google Scholar
  34. 34.
    Klein, G., Strecker, M.: Verified bytecode verification and type-certifying compilation. J. Log. Algebraic Program. 58(1–2), 27–60 (2004). CrossRefzbMATHGoogle Scholar
  35. 35.
    Klein, G., Wildmoser, M.: Verified bytecode subroutines. J. Autom. Reason. 30(3–4), 363–398 (2003). CrossRefzbMATHGoogle Scholar
  36. 36.
    Krebbers, R.: The C standard formalized in Coq. Ph.D. thesis, Radboud University Nijmegen (2015)Google Scholar
  37. 37.
    Kumar, R., Myreen, M.O., Norrish, M., Owens, S.: CakeML: A verified implementation of ML. In: POPL 2014, pp. 179–191. ACM, New York (2014).
  38. 38.
    Lamport, L.: How to make a multiprocessor computer that correctly executes multiprocess programs. IEEE Trans. Comput. 28(9), 690–691 (1979)CrossRefzbMATHGoogle Scholar
  39. 39.
    Leroy, X.: Formal certification of a compiler backend or: programming a compiler with a proof assistant. In: POPL 2006, pp. 42–54. ACM (2006).
  40. 40.
    Leroy, X.: A formally verified compiler back-end. J. Autom. Reason. 43(4), 363–446 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  41. 41.
    Leroy, X., Blazy, S.: Formal verification of a C-like memory model and its uses for verifying program transformations. J. Autom. Reason. 41(1), 1–31 (2008). MathSciNetCrossRefzbMATHGoogle Scholar
  42. 42.
    Lindholm, T., Yellin, F.: The Java Virtual Machine Specification, 2nd edn. Addison-Wesley, Reading (1999)Google Scholar
  43. 43.
    Liu, H., Moore, J.S.: Executable JVM model for analytical reasoning: a study. In: IVME 2003, pp. 15–23. ACM (2003).
  44. 44.
    Liu, H., Moore, J.S.: Java program verification via a JVM deep embedding in ACL2. In: Slind, K., Bunker, A., Gopalakrishnan, G. (eds.) TPHOLs 2004, LNCS, vol. 3223, pp. 117–125. Springer (2004).
  45. 45.
    Lochbihler, A.: Jinja with threads. In: Klein, G., Nipkow, T., Paulson, L.C. (eds.) The Archive of Formal Proofs. (2007). Formal proof development
  46. 46.
    Lochbihler, A.: Type safe nondeterminism—a formal semantics of Java threads. In: Proceedings of the 2008 International Workshop on Foundations of Object-Oriented Languages (FOOL 2008) (2008)Google Scholar
  47. 47.
    Lochbihler, A.: Verifying a compiler for Java threads. In: Gordon, A.D. (ed.) ESOP 2010, LNCS, vol. 6012, pp. 427–447. Springer (2010).
  48. 48.
    Lochbihler, A.: Java and the Java memory model–a unified, machine-checked formalisation. In: Seidl, H. (ed.) ESOP 2012, LNCS, vol. 7211, pp. 497–517. Springer (2012)Google Scholar
  49. 49.
    Lochbihler, A.: A machine-checked, type-safe model of Java concurrency: language, virtual machine, memory model, and verified compiler. Ph.D. thesis, Karlsruher Institut für Technologie, Fakultät für Informatik (2012).
  50. 50.
    Lochbihler, A.: Making the Java memory model safe. ACM Trans. Program. Lang. Syst. 35(4), 12:1–12:65 (2014). Google Scholar
  51. 51.
    Lochbihler, A., Bulwahn, L.: Animating the formalised semantics of a Java-like language. In: van Eekelen, M., Geuvers, H., Schmalz, J., Wiedijk, F. (eds.) ITP 2011, LNCS, vol. 6898, pp. 216–232. Springer (2011).
  52. 52.
    McLean, J.: A general theory of composition for a class of “possibilistic” properties. IEEE Trans. Softw. Eng. 22(1), 53–67 (1996). CrossRefGoogle Scholar
  53. 53.
    Milner, R.: A modal characterisation of observable machine-behaviour. In: Astesiano, E., Böhm, C. (eds.) CAAP 1981, LNCS, vol. 112, pp. 25–34. Springer (1981).
  54. 54.
    Milner, R.: Communication and Concurrency. Prentice Hall, New York (1989)zbMATHGoogle Scholar
  55. 55.
    Mobius consortium. Deliverable D3.1. Byte code level specification language and program logic (2006)Google Scholar
  56. 56.
    Moore, J.S., Porter, G.: The apprentice challenge. ACM Trans. Program. Lang. Syst. 24(3), 193–216 (2002). CrossRefGoogle Scholar
  57. 57.
    Moser, G., Schaper, M.: From Jinja bytecode to term rewriting: a complexity reflecting transformation. Inf. Comput. (to appear).
  58. 58.
    Nipkow, T.: Verified bytecode verifiers. In: Honsell, F., Miculan, M. (eds.) FOSSACS 2001, LNCS, vol. 2030, pp. 347–363. Springer (2001).
  59. 59.
    Nipkow, T., von Oheimb, D.: Java\(_{{\ell }ight}\) is type-safe—definitely. In: POPL 1998, pp. 161–170. ACM (1998).
  60. 60.
    Nipkow, T., von Oheimb, D., Pusch, C.: \(\mu \)Java: embedding a programming language in a theorem prover. In: Bauer, F.L., Steinbrüggen, R. (eds.) Foundations of Secure Computation, NATO Science Series F: Computer and Systems Sciences, vol. 175, pp. 117–144. IOS Press (2000)Google Scholar
  61. 61.
    Norrish, M.: A formal semantics for C++. Tech. rep., NICTA (2008). Available from
  62. 62.
    Oheimb, D.v.: Analyzing Java in Isabelle/HOL. formalization, type safety and hoare logic. Ph.D. thesis, Fakultät für Informatik, Technische Universität München (2000).
  63. 63.
    Oheimb, D.v.: Hoare logic for Java in Isabelle/HOL. Concurr. Comput. Pract. Exp. 13(13), 1173–1214 (2001).Google Scholar
  64. 64.
    Oheimb, D.v., Nipkow, T.: Machine-checking the Java specification: proving type-safety. In: Alves-Foss, J. (ed.) Formal Syntax and Semantics of Java, LNCS, vol. 1523, pp. 119–156. Springer (1999)Google Scholar
  65. 65.
    Oheimb, D.v., Nipkow, T.: Hoare logic for NanoJava: Auxiliary variables, side effects and virtual methods revisited. In: Eriksson, L.H., Lindsay, P. (eds.) FME 2002, LNCS, vol. 2391, pp. 89–105. Springer (2002).
  66. 66.
    Owens, S., Myreen, M.O., Kumar, R., Tan, Y.K.: Functional big-step semantics. In: Thiemann, P. (ed.) ESOP 2016, LNCS, vol. 9632, pp. 589–615. Springer (2016).
  67. 67.
    Pusch, C.: Proving the soundness of a Java bytecode verifier specification in Isabelle/HOL. In: Cleaveland, R. (ed.) TACAS 1999, LNCS, vol. 1579, pp. 89–103. Springer (1999).
  68. 68.
    Quis custodiet—machine-checked software security analyses.
  69. 69.
    Ramananandro, T., Dos Reis, G., Leroy, X.: Formal verification of object layout for C++ multiple inheritance. In: POPL 2011, pp. 67–80. ACM (2011).
  70. 70.
    Rittri, M.: Proving the correctness of a virtual machine by a bisimulation. Licentiate thesis, Göteborg University (1988)Google Scholar
  71. 71.
    Roşu, G., Şerbănuţă, T.F.: An overview of the K semantic framework. J. Log. Algebraic Program. 79(6), 397–434 (2010). MathSciNetCrossRefzbMATHGoogle Scholar
  72. 72.
    Rushby, J.: Formal methods and the certification of critical systems. Tech. Rep. SRI-CSL-93-7, Computer Science Laboratory, SRI International (1993).
  73. 73.
    Sampson, J., Boehm, H., Otenko, O., Levart, P., Holmes, D., Haley, A., Buchholz, M., Lea, D., Davidovich, V., Terekhov, A., Diestelhorst, S.: Varieties of CAS semantics (another doc fix request). Thread the on concurrency-interest mailing list, first post at (2015). Accessed 17 Oct 2017
  74. 74.
    Schirmer, N.: Java definite assignment in Isabelle/HOL. In: Proceedings of ECOOP Workshop on Formal Techniques for Java-like Programs. Technical Report 408, ETH Zurich (2003)Google Scholar
  75. 75.
    Schirmer, N.: Analysing the Java package/access concepts in Isabelle/HOL. Concurr. Comput. Pract. Exp–Form. Tech. Java Program. 16, 689–706 (2004). CrossRefGoogle Scholar
  76. 76.
    Schirmer, N.: A verification environment for sequential imperative programs in Isabelle/HOL. In: Baader, F., Voronkov, A. (eds.) LPAR 2004, Lecture Notes in Artificial Intelligence, vol. 3452, pp. 398–414. Springer (2005)Google Scholar
  77. 77.
    Schirmer, N.: Verification of sequential imperative programs in Isabelle/HOL. Ph.D. thesis, Technische Universität München (2006)Google Scholar
  78. 78.
    Ševčík, J., Vafeiadis, V., Zappa Nardelli, F., Jagannathan, S., Sewell, P.: CompCertTSO: a verified compiler for relaxed-memory concurrency. J. ACM 60(3), 22:1–22:50 (2013). MathSciNetzbMATHGoogle Scholar
  79. 79.
    Stärk, R., Schmid, J., Börger, E.: Java and the Java Virtual Machine. Springer, Berlin (2001)CrossRefzbMATHGoogle Scholar
  80. 80.
    Strecker, M.: Formal verification of a Java compiler in Isabelle. In: CADE 2002, LNCS, vol. 2392, pp. 63–77. Springer (2002)Google Scholar
  81. 81.
    Strecker, M.: Investigating type-certifying compilation with Isabelle. In: Baaz, M., Voronkov, A. (eds.) LPAR 2002, LNCS, vol. 2514, pp. 403–417. Springer (2002).
  82. 82.
    Tool-assisted specification and verification of javacard programmes: Verificard.
  83. 83.
    Wagner, D., et al. (eds.): Ausgezeichnete Informatik. Dissertation (2003), LNI, vol. D-3. Köllen Verlag (2003)Google Scholar
  84. 84.
    Wand, M.: Compiler correctness for parallel languages. In: FPCA 1995, pp. 120–134. ACM (1995)Google Scholar
  85. 85.
    Wasserrab, D.: From formal semantics to verified slicing—a modular framework with applications in language based security. Ph.D. thesis, Karlsruher Institut für Technologie, Fakultät für Informatik (2010)Google Scholar
  86. 86.
    Wasserrab, D., Lohner, D.: Proving information flow noninterference by reusing a machine-checked correctness proof for slicing. In: 6th International Verification Workshop (VERIFY 2010), 2010Google Scholar
  87. 87.
    Wright, A.K., Felleisen, M.: A syntactic approach to type soundness. Inf. Comput. 115(1), 38–94 (1994)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer Science+Business Media B.V., part of Springer Nature 2018

Authors and Affiliations

  1. 1.Institut für Informationssicherheit, Departement für InformatikETH ZürichZurichSwitzerland

Personalised recommendations