Boogie: A Modular Reusable Verifier for Object-Oriented Programs

  • Mike Barnett
  • Bor-Yuh Evan Chang
  • Robert DeLine
  • Bart Jacobs
  • K. Rustan M. Leino
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4111)


A program verifier is a complex system that uses compiler technology, program semantics, property inference, verification-condition generation, automatic decision procedures, and a user interface. This paper describes the architecture of a state-of-the-art program verifier for object-oriented programs.


Theorem Prover Abstract Interpretation Proof Obligation Source Language Base Domain 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [ABB+05]
    Ahrendt, W., Baar, T., Beckert, B., Bubel, R., Giese, M., Hähnle, R., Menzel, W., Mostowski, W., Roth, A., Schlager, S., Schmitt, P.H.: The KeY tool. Software and System Modeling 4(1), 32–54 (2005)CrossRefGoogle Scholar
  2. [Abr96]
    Jean-Raymond, A.: The B-Book: Assigning Programs to Meanings. Cambridge University Press, Cambridge (1996)Google Scholar
  3. [AGB+77]
    Ambler, A.L., Good, D.I., Browne, J.C., Burger, W.F., Cohen, R.M., Hoch, C.G., Wells, R.E.: GYPSY: A language for specification and implementation of verifiable programs. SIGPLAN Notices 12(3), 1–10 (1977)CrossRefGoogle Scholar
  4. [Bar03]
    Barnes, J.: High Integrity Software: The SPARK Approach to Safety and Security. Addison-Wesley, Reading (2003)Google Scholar
  5. [BDF+04]
    Barnett, M., DeLine, R., Fähndrich, M., Leino, K.R.M., Schulte, W.: Verification of object-oriented programs with invariants. Journal of Object Technology 3(6), 27–56 (2004)CrossRefGoogle Scholar
  6. [BJ01]
    van den Berg, J., Berg, B.J.: The LOOP compiler for Java and JML. In: Margaria, T., Yi, W. (eds.) ETAPS 2001 and TACAS 2001. LNCS, vol. 2031, pp. 299–312. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. [BL05]
    Barnett, M., Leino, K.R.M.: Weakest-precondition of unstructured programs. In: Workshop on Program Analysis for Software Tools and Engineering (PASTE), pp. 82–87 (2005)Google Scholar
  8. [BLM05]
    Ball, T., Lahiri, S., Musuvathi, M.: Zap: Automated theorem proving for software analysis. Technical Report MSR-TR-2005-137, Microsoft Research (October 2005)Google Scholar
  9. [BLS04]
    Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# programming system: An overview. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 49–60. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. [BN04]
    Barnett, M., Naumann, D.A.: Friends need a bit more: Maintaining invariants over shared state. In: Kozen, D. (ed.) MPC 2004. LNCS, vol. 3125, pp. 54–84. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  11. [BRL03]
    Burdy, L., Requet, A., Lanet, J.-L.: Java applet correctness: a developer-oriented approach. In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, vol. 2805, pp. 422–439. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  12. [Bur72]
    Burstall, R.M.: Some techniques for proving correctness of programs which alter data structures. Machine Intelligence 7, 23–50 (1972)zbMATHGoogle Scholar
  13. [BvW98]
    Back, R.-J., von Wright, J.: Refinement Calculus: A Systematic Introduction. Graduate Texts in Computer Science. Springer, Heidelberg (1998)zbMATHGoogle Scholar
  14. [CC77]
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Fourth ACM Symposium on Principles of Programming Languages (POPL), pp. 238–252 (January 1977)Google Scholar
  15. [CC79]
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Sixth ACM Symposium on Principles of Programming Languages (POPL), pp. 269–282 (January 1979)Google Scholar
  16. [CFR+91]
    Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: Efficiently computing static single assignment form and the control dependence graph. ACM Transactions on Programming Languages and Systems 13(4), 451–490 (1991)CrossRefGoogle Scholar
  17. [CH78]
    Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: Fifth ACM Symposium on Principles of Programming Languages (POPL), pp. 84–96 (January 1978)Google Scholar
  18. [CL05]
    Bor-Yuh, E.C., Leino, K.R.M.: Abstract interpretation with alien expressions and heap structures. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 147–163. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  19. [Dij76]
    Dijkstra, E.W.: A Discipline of Programming. Prentice-Hall, Englewood Cliffs (1976)zbMATHGoogle Scholar
  20. [DL05]
    DeLine, R., Leino, K.R.M.: BoogiePL: A typed procedural language for checking object-oriented programs. Technical Report MSR-TR-2005-70, Microsoft Research (March 2005)Google Scholar
  21. [DLNS98]
    Detlefs, D.L., Leino, K.R.M., Nelson, G., Saxe, J.B.: Extended static checking. Research Report 159, Compaq Systems Research Center (December 1998)Google Scholar
  22. [DNS05]
    Detlefs, D., Nelson, G., Saxe, J.B.: Simplify: a theorem prover for program checking. Journal of the ACM 52(3), 365–473 (2005)CrossRefMathSciNetGoogle Scholar
  23. [Esc06]
    Escher Technologies. Perfect Developer (2006),
  24. [Fil03]
    Filliâtre, J.-C.: Verification of non-functional programs using interpretations in type theory. The Journal of Functional Programming 13(4), 709–745 (2003)zbMATHCrossRefGoogle Scholar
  25. [FKR+00]
    Fitzgerald, R., Knoblock, T.B., Ruf, E., Steensgaard, B., Tarditi, D.: Marmot: An Optimizing Compiler For Java. Software—Practice and Experience 30(3), 199–232 (2000)CrossRefGoogle Scholar
  26. [FL03]
    Fähndrich, M., Leino, K.R.M.: Declaring and checking non-null types in an object-oriented language. In: Crocker, R., Steele Jr., G.L. (eds.) Object-Oriented Programming Systems, Languages and Applications (OOPSLA), pp. 302–312. ACM, New York (2003)Google Scholar
  27. [FLL+02]
    Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. In: Programming Language Design and Implementation (PLDI), pp. 234–245 (2002)Google Scholar
  28. [FM04]
    Filliâtre, J.-C., Marché, C.: Multi-prover verification of C programs. In: Davies, J., Schulte, W., Barnett, M. (eds.) ICFEM 2004. LNCS, vol. 3308, pp. 15–29. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  29. [FS01]
    Flanagan, C., Saxe, J.B.: Avoiding exponential explosion: Generating compact verification conditions. In: POPL 2001: The 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 193–205. ACM, New York (2001)CrossRefGoogle Scholar
  30. [Hoa69]
    Hoare, C.A.R.: An axiomatic basis for computer programming. Communications of the ACM 12(10), 576–580,583 (1969)zbMATHCrossRefGoogle Scholar
  31. [HW73]
    Hoare, C.A.R., Wirth, N.: An axiomatic definition of the programming language PASCAL. Acta Informatica 2(4), 335–355 (1973)CrossRefGoogle Scholar
  32. [Jac04]
    Jacobs, B.: Weakest pre-condition reasoning for Java programs with JML annotations. Journal of Logic and Algebraic Programming 58(1–2), 61–88 (2004)zbMATHCrossRefMathSciNetGoogle Scholar
  33. [JP01]
    Jacobs, B., Poll, E.: A logic for the Java Modeling Language JML. In: Hussmann, H. (ed.) ETAPS 2001 and FASE 2001. LNCS, vol. 2029, pp. 284–299. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  34. [JP03]
    Jacobs, B., Poll, E.: Java program verification at Nijmegen: Developments and perspective. In: Futatsugi, K., Mizoguchi, F., Yonezaki, N. (eds.) ISSS 2003. LNCS, vol. 3233, pp. 134–153. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  35. [KC04]
    Cok, D.R., Kiniry, J.R.: ESC/Java2: Uniting ESC/Java and JML: Progress and issues in building and using ESC/Java2, including a case study involving the use of the tool to verify portions of an Internet voting tally system. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 108–128. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  36. [KMM00]
    Kaufmann, M., Manolios, P., Moore, J.S.: Computer-Aided Reasoning: An Approach. Kluwer Academic Publishers, Dordrecht (2000)Google Scholar
  37. [LBR99]
    Leavens, G.T., Baker, A.L., Ruby, C.: JML: A notation for detailed design. In: Kilov, H., Rumpe, B., Simmonds, I. (eds.) Behavioral Specifications of Businesses and Systems, pp. 175–188. Kluwer Academic Publishers, Boston (1999)Google Scholar
  38. [LBR03]
    Leavens, G.T., Baker, A.L., Ruby, C.: Preliminary design of JML: A behavioral interface specification language for Java. Technical Report 98-06u, Iowa State University, Department of Computer Science (April 2003)Google Scholar
  39. [Lei95]
    Leino, K.R.M.: Toward Reliable Modular Programs. PhD thesis, CalTech, Available as Technical Report Caltech-CS-TR-95-03 (1995)Google Scholar
  40. [Lei00]
    Leino, K.R.M.: Extended static checking: A ten-year perspective. In: Wilhelm, R. (ed.) Informatics: 10 Years Back, 10 Years Ahead. LNCS, vol. 2000, p. 157. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  41. [Lei05]
    Leino, K.R.M.: Efficient weakest preconditions. Information Processing Letters 93(6), 281–288 (2005)zbMATHCrossRefMathSciNetGoogle Scholar
  42. [LHL+81]
    Lampson, B.W., Horning, J.J., London, R.L., Mitchell, J.G., Popek, G.J.: Report on the programming language Euclid. Technical Report CSL-81-12, Xerox PARC (October 1981); An earlier version of this report appeared. SIGPLAN Notices, vol. 12(2). ACM, New York (February 1977) Google Scholar
  43. [LL05]
    Leino, K.R.M., Logozzo, F.: Loop invariants on demand. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 119–134. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  44. [LM04]
    Leino, K.R.M., Müller, P.: Object invariants in dynamic contexts. In: Odersky, M. (ed.) ECOOP 2004. LNCS, vol. 3086, pp. 491–516. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  45. [LM05]
    Leino, K.R.M., Müller, P.: Modular verification of static class invariants. In: Fitzgerald, J.S., Hayes, I.J., Tarlecki, A. (eds.) FM 2005. LNCS, vol. 3582, pp. 26–42. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  46. [LM06]
    Leino, K.R.M., Müller, P.: A verification methodology for model fields. In: Sestoft, P. (ed.) ESOP 2006 and ETAPS 2006. LNCS, vol. 3924, pp. 115–130. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  47. [LMS05]
    Leino, K.R.M., Millstein, T., Saxe, J.B.: Generating error traces from verification-condition counterexamples. Science of Computer Programming 55(1–3), 209–226 (2005)zbMATHCrossRefMathSciNetGoogle Scholar
  48. [LN02]
    Leino, K.R.M., Nelson, G.: Data abstraction and information hiding. ACM Transactions on Programming Languages and Systems 24(5), 491–553 (2002)CrossRefGoogle Scholar
  49. [LPP05]
    Leinenbach, D., Paul, W., Petrova, E.: Towards the formal verification of a C0 compiler: Code generation and implementation correctness. In: Aichernig, B.K., Beckert, B. (eds.) Third IEEE International Conference on Software Engineering and Formal Methods (SEFM 2005), pp. 2–12. IEEE Computer Society, Los Alamitos (2005)CrossRefGoogle Scholar
  50. [LSS99]
    Rustan, K., Leino, M., Saxe, J.B., Stata, R.: Checking Java programs via guarded commands. Formal Techniques for Java Programs, Technical Report 251. Fernuniversität Hagen (May 1999); Also available as Technical Note 1999-002, Compaq Systems Research CenterGoogle Scholar
  51. [Mey92]
    Meyer, B.: Eiffel: The Language. Object-Oriented Series. Prentice-Hall, Englewood Cliffs (1992)zbMATHGoogle Scholar
  52. [Min01]
    Miné, A.: The octagon abstract domain. In: Working Conference on Reverse Engineering (WCRE), pp. 310–319 (2001)Google Scholar
  53. [MMPH97]
    Müller, P., Meyer, J., Poetzsch-Heffter, A.: Programming and interface specification language of Jive—specification and design rationale. Technical Report 223, Fernuniversität Hagen(1997)Google Scholar
  54. [MPMU04]
    Marché, C., Paulin-Mohring, C., Urbain, X.: The Krakatoa tool for certification of Java/JavaCard programs annotated in JML. Journal of Logic and Algebraic Programming 58(1–2), 89–106 (2004)zbMATHCrossRefGoogle Scholar
  55. [Nel89]
    Nelson, G.: A generalization of Dijkstra’s calculus. ACM Transactions on Programming Languages and Systems 11(4), 517–561 (1989)CrossRefGoogle Scholar
  56. [ORR+96]
    Owre, S., Rajan, S., Rushby, J.M., Shankar, N., Srivas, M.K.: PVS: Combining specification, proof checking, and model checking. In: Alur, R., Henzinger, T.A. (eds.) CAV 1996. LNCS, vol. 1102, pp. 411–414. Springer, Heidelberg (1996)Google Scholar
  57. [PH97]
    Poetzsch-Heffter, A.: Specification and verification of object-oriented programs. Habilitationsschrift, Technische Universität München (1997)Google Scholar
  58. [Rey78]
    Reynolds, J.C.: Syntactic control of interference. In: Fifth ACM Symposium on Principles of Programming Languages (POPL), pp. 39–46 (January 1978)Google Scholar
  59. [Ros95]
    Rosenblum, D.S.: A practical approach to programming with assertions. IEEE Transactions on Software Engineering 21(1), 19–31 (1995)CrossRefGoogle Scholar
  60. [Spe06]
  61. [Van94]
    Vandevoorde, M.T.: Exploiting Specifications to Improve Program Performance. In: PhD thesis, Massachusetts Institute of Technology (February 1994); Available as Technical Report MIT/LCS/TR-598Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Mike Barnett
    • 1
  • Bor-Yuh Evan Chang
    • 2
  • Robert DeLine
    • 1
  • Bart Jacobs
    • 3
  • K. Rustan M. Leino
    • 1
  1. 1.Microsoft ResearchRedmondUSA
  2. 2.University of CaliforniaBerkeleyUSA
  3. 3.Katholieke Universiteit LeuvenBelgium

Personalised recommendations