AutoProof: auto-active functional verification of object-oriented programs

Abstract

Auto-active verifiers provide a level of automation intermediate between fully automatic and interactive: users supply code with annotations as input while benefiting from a high level of automation in the back-end. This paper presents AutoProof, a state-of-the-art auto-active verifier for object-oriented sequential programs with complex functional specifications. AutoProof fully supports advanced object-oriented features and a powerful methodology for framing and class invariants, which make it applicable in practice to idiomatic object-oriented patterns. The paper focuses on describing AutoProof's interface, design, and implementation features, and demonstrates AutoProof's performance on a rich collection of benchmark problems. The results attest AutoProof's competitiveness among tools in its league on cutting-edge functional verification of object-oriented programs.

Notes

  1. Although inter-matic would be as good a name.

  2. Maintaining invariants is the default, which can be overridden; see Sect. 4.5 for details.

  3. Overflow checking can be disabled to treat integers as mathematical integers.

  4. As usual, modulo bugs in the implementation.

  5. Somewhat similarly to other verification techniques like bounded model checking [9].

  6. Even though class figurecd does not explicitly define any other model attributes, such attributes might be added in descendant classes; in addition, the invariant methodology described below equips each class with implicit model attributes figurece, figurecf, and figurecg.

  7. While the names are inspired by the observer pattern, they are applicable also to many other collaboration patterns, as we extensively demonstrated in related work [41, 42].

  8. This default is inspired by VCC's static owns [10].

  9. Since they are immutable, logic classes do not include state-modifying commands.

  10. In accordance with common practices in verification competitions, we count tokens for the s/c ratio; but we provide other measures in lines, which are more naturally understandable.

  11. See the course's homepage at http://se.inf.ethz.ch/courses/2014b_fall/sv/.

  12. A simple way to implement support of this kind could build atop Boogie's smoke testing functionality.

References

  1. Ahrendt, W., Beckert, B., Bruns, D., Bubel, R., Gladisch, C., Grebing, S., Hähnle, R., Hentschel, M., Herda, M., Klebanov, V., Mostowski, W., Scheben, C., Schmitt, P.H., Ulbrich, M.: The KeY platform for verification and analysis of Java programs. In: Verified Software: Theories, Tools, and Experiments (VSTTE 2014). Lecture Notes in Computer Science, vol. 8471. Springer, Berlin (2014)

  2. Barnett, M., Fähndrich, M., Leino, K.R.M., Müller, P., Schulte, W., Venter, H.: Specification and verification: the Spec# experience. Commun. ACM 54(6), 81–91 (2011). http://specsharp.codeplex.com/

  3. Barnett, M., Naumann, D.A.: Friends need a bit more: maintaining invariants over shared state. In: Mathematics of Program Construction. Springer, Berlin (2004)

  4. Beckert, B., Bruns, D., Klebanov, V., Scheben, C., Schmitt, P.H., Ulbrich, M.: Information flow in object-oriented software. In: Logic-Based Program Synthesis and Transformation, 23rd International Symposium, LOPSTR. Lecture Notes in Computer Science, vol. 8901. Springer, Berlin (2014)

  5. Beckert, B., Hähnle, R., Schmitt, P.H. (eds.): Verification of Object-Oriented Software: The KeY Approach. LNCS, vol. 4334. Springer, Berlin (2007)

  6. Bormer, T., et al.: The COST IC0701 verification competition 2011. In: FoVeOOS. LNCS, vol. 7421. Springer, Berlin (2012). http://foveoos2011.cost-ic0701.org/verification-competition

  7. Chalin, P., Kiniry, J.R., Leavens, G.T., Poll, E.: Beyond assertions: advanced specification and verification with JML and ESC/Java2. In: FMCO. LNCS. Springer, Berlin (2006). http://kindsoftware.com/products/opensource/ESCJava2/

  8. Chimento, J.M., Ahrendt, W., Pace, G.J., Schneider, G.: StaRVOOrS: a tool for combined static and runtime verification of Java. In: Bartocci, E., Majumdar, R. (eds.) Runtime Verification, 6th International Conference, RV 2015. Lecture Notes in Computer Science, vol. 9333. Springer, Berlin (2015)

  9. Clarke, E.M., Biere, A., Raimi, R., Zhu, Y.: Bounded model checking using satisfiability solving. Form. Methods Syst. Des. 19(1), 7–34 (2001)

  10. Cohen, E., Dahlweid, M., Hillebrand, M.A., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., Tobies, S.: VCC: a practical system for verifying concurrent C. In: TPHOLs. LNCS, vol. 5674. Springer, Berlin (2009)

  11. Cok, D.: The OpenJML toolset. In: NASA Formal Methods. LNCS, vol. 6617 (2011)

  12. Darvas, Á., Müller, P.: Faithful mapping of model classes to mathematical structures. IET Softw. 2(6), 477–499 (2008)

  13. Dijkstra, E.W.: A Discipline of Programming. Prentice Hall, Upper Saddle River (1976)

  14. EiffelBase2: A Fully Verified Container Library. https://github.com/nadia-polikarpova/eiffelbase2 (2015)

  15. Ernst, G., Pfähler, J., Schellhorn, G., Haneberg, D., Reif, W.: KIV: overview and VerifyThis competition. Int. J. Softw. Tools Technol. Transf. 17(6), 677–694 (2015)

  16. Filliâtre, J.C., Marché, C.L.: The Why/Krakatoa/Caduceus platform for deductive program verification. In: CAV. LNCS, vol. 4590. Springer, Berlin (2007). http://krakatoa.lri.fr/

  17. Filliâtre, J.C., Paskevich, A.: Why3: where programs meet provers. In: ESOP. LNCS, vol. 7792. Springer, Berlin (2013). http://why3.lri.fr/

  18. Filliâtre, J.-C., Paskevich, A., Stump, A.: The 2nd verified software competition: experience report. In: COMPARE. CEUR Workshop Proceedings, vol. 873. CEUR-WS.org (2012). https://sites.google.com/site/vstte2012/compet

  19. Furia, C.A.: Rotation of sequences: algorithms and proofs. http://arxiv.org/abs/1406.5453 (2014)

  20. Furia, C.A., Poskitt, C.M., Tschannen, J.: The AutoProof verifier: usability by non-experts and on standard code. In: Dubois, C., Masci, P., Mery, D. (eds.) Proceedings of the 2nd Workshop on Formal Integrated Development Environment (F-IDE). Electronic Proceedings in Theoretical Computer Science, vol. 187, pp. 42–55. EPTCS, June 2015. Workshop co-located with FM (2015)

  21. Gamma, E., Helm, R., Johnson, R., Vlissides, J.: Design Patterns. Addison-Wesley, Boston (1995)

  22. Huisman, M., Klebanov, V., Monahan, R.: VerifyThis verification competition. http://verifythis2012.cost-ic0701.org (2012)

  23. Huisman, M., Klebanov, V., Monahan, R.: VerifyThis verification competition. http://etaps2015.verifythis.org/ (2015)

  24. Jacobs, B., Smans, J., Piessens, F.: A quick tour of the VeriFast program verifier. In: APLAS. LNCS, vol. 6461. Springer, Berlin (2010). http://people.cs.kuleuven.be/~bart.jacobs/verifast/

  25. Jacobs, B., Smans, J., Piessens, F.: VeriFast: imperative programs as proofs. In: VS-Tools Workshop at VSTTE (2010)

  26. Kassios, I.T.: Dynamic frames: support for framing, dependencies and sharing without restrictions. In: FM. Springer, Berlin (2006)

  27. Kiniry, J.R., Morkan, A.E., Cochran, D., Fairmichael, F., Chalin, P., Oostdijk, M., Hubbers, E.: The KOA remote voting system: a summary of work to date. In: TGC. LNCS, vol. 4661. Springer, Berlin (2007)

  28. Klebanov, V., et al.: The 1st verified software competition: experience report. In: FM. LNCS, vol. 6664. Springer, Berlin (2011). https://sites.google.com/a/vscomp.org/main/

  29. Leavens, G.T., Cheon, Y., Clifton, C., Ruby, C., Cok, D.R.: How the design of JML accommodates both runtime assertion checking and formal verification. Sci. Comput. Program. 55(1–3), 185–208 (2005)

  30. Leavens, G.T., Leino, K.R.M., Müller, P.: Specification and verification challenges for sequential object-oriented programs. Form. Aspects Comput. 19(2), 159–189 (2007)

  31. Leino, K.R.M.: This is Boogie 2. Technical Report, Microsoft Research (2008). http://research.microsoft.com/apps/pubs/default.aspx?id=147643

  32. Dafny: an automatic program verifier for functional correctness. In: LPAR-16. LNCS, vol. 6355. Springer, Berlin (2010). http://research.microsoft.com/en-us/projects/dafny/

  33. Leino, K.R.M., Moskal, M.: Usable auto-active verification. In: Usable Verification Workshop (2010). http://fm.csl.sri.com/UV10/

  34. Leino, K.R.M., Müller, P.: Object invariants in dynamic contexts. In: ECOOP 2004, Object-Oriented Programming, 18th European Conference, Oslo, Norway, June 14–18, 2004, Proceedings. Lecture Notes in Computer Science, vol. 3086. Springer, Berlin (2004)

  35. Leino, K.R.M., Müller, P.: Object invariants in dynamic contexts. In: ECOOP. Springer, Berlin (2004)

  36. Leino, K.R.M., Poetzsch-Heffter, A., Zhou, Y.: Using data groups to specify and check side effects. In: Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), Berlin, Germany, June 17–19, 2002, pp. 246–257 (2002)

  37. Logozzo, F.: Our experience with the CodeContracts static checker. In: VSTTE. LNCS, vol. 7152. Springer, Berlin (2012). http://msdn.microsoft.com/en-us/devlabs/dd491992.aspx

  38. The OpenJML Toolset. http://openjml.org/ (2013)

  39. Pek, E., Qiu, X., Madhusudan, P.: Natural proofs for data structure manipulation in C using separation logic. In: ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI '14, Edinburgh, United Kingdom, June 09–11, 2014, p. 46 (2014)

  40. Polikarpova, N., Furia, C.A., Meyer, B.: Specifying reusable components. In: VSTTE. LNCS, vol. 6217. Springer, Berlin (2010)

  41. Polikarpova, N., Tschannen, J., Furia, C.A.: A fully verified container library. In: FM. LNCS. Springer, Berlin (2015)

  42. Polikarpova, N., Tschannen, J., Furia, C.A., Meyer, B.: Flexible invariants through semantic collaboration. In: FM. LNCS, vol. 8442. Springer, Berlin (2014)

  43. SAVCBS workshop series. http://www.eecs.ucf.edu/~leavens/SAVCBS/ (2010)

  44. Summers, A.J., Drossopoulou, S., Müller, P.: The need for flexible object invariants. In: IWACO, pp. 1–9. ACM, New York (2009)

  45. Suter, P., Köksal, A.S., Kuncak, V.: Satisfiability modulo recursive programs. In: SAS. LNCS, vol. 6887. Springer, Berlin (2011). http://leon.epfl.ch/

  46. Tschannen, J., Furia, C.A., Nordio, M.: AutoProof meets some verification challenges. Int. J. Softw. Tools Technol. Transf. 17(6), 745–755 (2015)

  47. Tschannen, J., Furia, C.A., Nordio, M., Meyer, B.: Usable verification of object-oriented programs by combining static and dynamic techniques. In: SEFM. LNCS, vol. 7041. Springer, Berlin (2011)

  48. Tschannen, J., Furia, C.A., Nordio, M., Meyer, B.: Automatic verification of advanced object-oriented features: the AutoProof approach. In: Tools for Practical Software Verification. LNCS, vol. 7682. Springer, Berlin (2012)

  49. Tschannen, J., Furia, C.A., Nordio, M., Meyer, B.: Program checking with less hassle. In: VSTTE 2013. LNCS, vol. 8164. Springer, Berlin (2014)

  50. Tschannen, J., Furia, C.A., Nordio, M., Polikarpova, N.: AutoProof: auto-active functional verification of object-oriented programs. In: Baier, C., Tinelli, C., et al. (eds.) Proceedings of the 21st International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS). Lecture Notes in Computer Science, vol. 9035, pp. 566–580. Springer, Berlin (2015)

  51. Weide, B.W., Sitaraman, M., Harton, H.K., Adcock, B., Bucci, P., Bronish, D., Heym, W.D., Kirschenbaum, J., Frazier, D.: Incremental benchmarks for software verification tools and techniques. In: VSTTE. LNCS, vol. 5295, pp. 84–98. Springer, Berlin (2008)

  52. West, S., Nanz, S., Meyer, B.: Efficient and reasonable object-oriented concurrency. In: Proceedings of the 10th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE '15). ACM, New York (2015)

Author information

Corresponding author

Correspondence to Nadia Polikarpova.

Additional information

A preliminary version of this work appeared in the 21st International Conference on Tools and Algorithms for the Construction and Analysis of Systems in 2015 [50].

Julian Tschannen: work mainly done while all the authors were affiliated with ETH Zurich.

Cite this article

Furia, C.A., Nordio, M., Polikarpova, N. et al. AutoProof: auto-active functional verification of object-oriented programs. Int J Softw Tools Technol Transfer 19, 697–716 (2017). https://doi.org/10.1007/s10009-016-0419-0

Keywords

  • Functional verification
  • Auto-active verification
  • Object-oriented verification
  • Verification benchmarks