Boogie: A Modular Reusable Verifier for Object-Oriented Programs

  • Mike Barnett
  • Bor-Yuh Evan Chang
  • Robert DeLine
  • Bart Jacobs
  • K. Rustan M. Leino
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4111)

Abstract

A program verifier is a complex system that uses compiler technology, program semantics, property inference, verification-condition generation, automatic decision procedures, and a user interface. This paper describes the architecture of a state-of-the-art program verifier for object-oriented programs.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [ABB+05]
    Ahrendt, W., Baar, T., Beckert, B., Bubel, R., Giese, M., Hähnle, R., Menzel, W., Mostowski, W., Roth, A., Schlager, S., Schmitt, P.H.: The KeY tool. Software and System Modeling 4(1), 32–54 (2005)CrossRefGoogle Scholar
  2. [Abr96]
    Jean-Raymond, A.: The B-Book: Assigning Programs to Meanings. Cambridge University Press, Cambridge (1996)Google Scholar
  3. [AGB+77]
    Ambler, A.L., Good, D.I., Browne, J.C., Burger, W.F., Cohen, R.M., Hoch, C.G., Wells, R.E.: GYPSY: A language for specification and implementation of verifiable programs. SIGPLAN Notices 12(3), 1–10 (1977)CrossRefGoogle Scholar
  4. [Bar03]
    Barnes, J.: High Integrity Software: The SPARK Approach to Safety and Security. Addison-Wesley, Reading (2003)Google Scholar
  5. [BDF+04]
    Barnett, M., DeLine, R., Fähndrich, M., Leino, K.R.M., Schulte, W.: Verification of object-oriented programs with invariants. Journal of Object Technology 3(6), 27–56 (2004)CrossRefGoogle Scholar
  6. [BJ01]
    van den Berg, J., Berg, B.J.: The LOOP compiler for Java and JML. In: Margaria, T., Yi, W. (eds.) ETAPS 2001 and TACAS 2001. LNCS, vol. 2031, pp. 299–312. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. [BL05]
    Barnett, M., Leino, K.R.M.: Weakest-precondition of unstructured programs. In: Workshop on Program Analysis for Software Tools and Engineering (PASTE), pp. 82–87 (2005)Google Scholar
  8. [BLM05]
    Ball, T., Lahiri, S., Musuvathi, M.: Zap: Automated theorem proving for software analysis. Technical Report MSR-TR-2005-137, Microsoft Research (October 2005)Google Scholar
  9. [BLS04]
    Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# programming system: An overview. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 49–60. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. [BN04]
    Barnett, M., Naumann, D.A.: Friends need a bit more: Maintaining invariants over shared state. In: Kozen, D. (ed.) MPC 2004. LNCS, vol. 3125, pp. 54–84. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  11. [BRL03]
    Burdy, L., Requet, A., Lanet, J.-L.: Java applet correctness: a developer-oriented approach. In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, vol. 2805, pp. 422–439. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  12. [Bur72]
    Burstall, R.M.: Some techniques for proving correctness of programs which alter data structures. Machine Intelligence 7, 23–50 (1972)MATHGoogle Scholar
  13. [BvW98]
    Back, R.-J., von Wright, J.: Refinement Calculus: A Systematic Introduction. Graduate Texts in Computer Science. Springer, Heidelberg (1998)MATHGoogle Scholar
  14. [CC77]
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Fourth ACM Symposium on Principles of Programming Languages (POPL), pp. 238–252 (January 1977)Google Scholar
  15. [CC79]
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Sixth ACM Symposium on Principles of Programming Languages (POPL), pp. 269–282 (January 1979)Google Scholar
  16. [CFR+91]
    Cytron, R., Ferrante, J., Rosen, B.K., Wegman, M.N., Zadeck, F.K.: Efficiently computing static single assignment form and the control dependence graph. ACM Transactions on Programming Languages and Systems 13(4), 451–490 (1991)CrossRefGoogle Scholar
  17. [CH78]
    Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: Fifth ACM Symposium on Principles of Programming Languages (POPL), pp. 84–96 (January 1978)Google Scholar
  18. [CL05]
    Bor-Yuh, E.C., Leino, K.R.M.: Abstract interpretation with alien expressions and heap structures. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 147–163. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  19. [Dij76]
    Dijkstra, E.W.: A Discipline of Programming. Prentice-Hall, Englewood Cliffs (1976)MATHGoogle Scholar
  20. [DL05]
    DeLine, R., Leino, K.R.M.: BoogiePL: A typed procedural language for checking object-oriented programs. Technical Report MSR-TR-2005-70, Microsoft Research (March 2005)Google Scholar
  21. [DLNS98]
    Detlefs, D.L., Leino, K.R.M., Nelson, G., Saxe, J.B.: Extended static checking. Research Report 159, Compaq Systems Research Center (December 1998)Google Scholar
  22. [DNS05]
    Detlefs, D., Nelson, G., Saxe, J.B.: Simplify: a theorem prover for program checking. Journal of the ACM 52(3), 365–473 (2005)CrossRefMathSciNetGoogle Scholar
  23. [Esc06]
    Escher Technologies. Perfect Developer (2006), http://eschertech.com/
  24. [Fil03]
    Filliâtre, J.-C.: Verification of non-functional programs using interpretations in type theory. The Journal of Functional Programming 13(4), 709–745 (2003)MATHCrossRefGoogle Scholar
  25. [FKR+00]
    Fitzgerald, R., Knoblock, T.B., Ruf, E., Steensgaard, B., Tarditi, D.: Marmot: An Optimizing Compiler For Java. Software—Practice and Experience 30(3), 199–232 (2000)CrossRefGoogle Scholar
  26. [FL03]
    Fähndrich, M., Leino, K.R.M.: Declaring and checking non-null types in an object-oriented language. In: Crocker, R., Steele Jr., G.L. (eds.) Object-Oriented Programming Systems, Languages and Applications (OOPSLA), pp. 302–312. ACM, New York (2003)Google Scholar
  27. [FLL+02]
    Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. In: Programming Language Design and Implementation (PLDI), pp. 234–245 (2002)Google Scholar
  28. [FM04]
    Filliâtre, J.-C., Marché, C.: Multi-prover verification of C programs. In: Davies, J., Schulte, W., Barnett, M. (eds.) ICFEM 2004. LNCS, vol. 3308, pp. 15–29. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  29. [FS01]
    Flanagan, C., Saxe, J.B.: Avoiding exponential explosion: Generating compact verification conditions. In: POPL 2001: The 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 193–205. ACM, New York (2001)CrossRefGoogle Scholar
  30. [Hoa69]
    Hoare, C.A.R.: An axiomatic basis for computer programming. Communications of the ACM 12(10), 576–580,583 (1969)MATHCrossRefGoogle Scholar
  31. [HW73]
    Hoare, C.A.R., Wirth, N.: An axiomatic definition of the programming language PASCAL. Acta Informatica 2(4), 335–355 (1973)CrossRefGoogle Scholar
  32. [Jac04]
    Jacobs, B.: Weakest pre-condition reasoning for Java programs with JML annotations. Journal of Logic and Algebraic Programming 58(1–2), 61–88 (2004)MATHCrossRefMathSciNetGoogle Scholar
  33. [JP01]
    Jacobs, B., Poll, E.: A logic for the Java Modeling Language JML. In: Hussmann, H. (ed.) ETAPS 2001 and FASE 2001. LNCS, vol. 2029, pp. 284–299. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  34. [JP03]
    Jacobs, B., Poll, E.: Java program verification at Nijmegen: Developments and perspective. In: Futatsugi, K., Mizoguchi, F., Yonezaki, N. (eds.) ISSS 2003. LNCS, vol. 3233, pp. 134–153. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  35. [KC04]
    Cok, D.R., Kiniry, J.R.: ESC/Java2: Uniting ESC/Java and JML: Progress and issues in building and using ESC/Java2, including a case study involving the use of the tool to verify portions of an Internet voting tally system. In: Barthe, G., Burdy, L., Huisman, M., Lanet, J.-L., Muntean, T. (eds.) CASSIS 2004. LNCS, vol. 3362, pp. 108–128. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  36. [KMM00]
    Kaufmann, M., Manolios, P., Moore, J.S.: Computer-Aided Reasoning: An Approach. Kluwer Academic Publishers, Dordrecht (2000)Google Scholar
  37. [LBR99]
    Leavens, G.T., Baker, A.L., Ruby, C.: JML: A notation for detailed design. In: Kilov, H., Rumpe, B., Simmonds, I. (eds.) Behavioral Specifications of Businesses and Systems, pp. 175–188. Kluwer Academic Publishers, Boston (1999)Google Scholar
  38. [LBR03]
    Leavens, G.T., Baker, A.L., Ruby, C.: Preliminary design of JML: A behavioral interface specification language for Java. Technical Report 98-06u, Iowa State University, Department of Computer Science (April 2003)Google Scholar
  39. [Lei95]
    Leino, K.R.M.: Toward Reliable Modular Programs. PhD thesis, CalTech, Available as Technical Report Caltech-CS-TR-95-03 (1995)Google Scholar
  40. [Lei00]
    Leino, K.R.M.: Extended static checking: A ten-year perspective. In: Wilhelm, R. (ed.) Informatics: 10 Years Back, 10 Years Ahead. LNCS, vol. 2000, p. 157. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  41. [Lei05]
    Leino, K.R.M.: Efficient weakest preconditions. Information Processing Letters 93(6), 281–288 (2005)MATHCrossRefMathSciNetGoogle Scholar
  42. [LHL+81]
    Lampson, B.W., Horning, J.J., London, R.L., Mitchell, J.G., Popek, G.J.: Report on the programming language Euclid. Technical Report CSL-81-12, Xerox PARC (October 1981); An earlier version of this report appeared. SIGPLAN Notices, vol. 12(2). ACM, New York (February 1977) Google Scholar
  43. [LL05]
    Leino, K.R.M., Logozzo, F.: Loop invariants on demand. In: Yi, K. (ed.) APLAS 2005. LNCS, vol. 3780, pp. 119–134. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  44. [LM04]
    Leino, K.R.M., Müller, P.: Object invariants in dynamic contexts. In: Odersky, M. (ed.) ECOOP 2004. LNCS, vol. 3086, pp. 491–516. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  45. [LM05]
    Leino, K.R.M., Müller, P.: Modular verification of static class invariants. In: Fitzgerald, J.S., Hayes, I.J., Tarlecki, A. (eds.) FM 2005. LNCS, vol. 3582, pp. 26–42. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  46. [LM06]
    Leino, K.R.M., Müller, P.: A verification methodology for model fields. In: Sestoft, P. (ed.) ESOP 2006 and ETAPS 2006. LNCS, vol. 3924, pp. 115–130. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  47. [LMS05]
    Leino, K.R.M., Millstein, T., Saxe, J.B.: Generating error traces from verification-condition counterexamples. Science of Computer Programming 55(1–3), 209–226 (2005)MATHCrossRefMathSciNetGoogle Scholar
  48. [LN02]
    Leino, K.R.M., Nelson, G.: Data abstraction and information hiding. ACM Transactions on Programming Languages and Systems 24(5), 491–553 (2002)CrossRefGoogle Scholar
  49. [LPP05]
    Leinenbach, D., Paul, W., Petrova, E.: Towards the formal verification of a C0 compiler: Code generation and implementation correctness. In: Aichernig, B.K., Beckert, B. (eds.) Third IEEE International Conference on Software Engineering and Formal Methods (SEFM 2005), pp. 2–12. IEEE Computer Society, Los Alamitos (2005)CrossRefGoogle Scholar
  50. [LSS99]
    Rustan, K., Leino, M., Saxe, J.B., Stata, R.: Checking Java programs via guarded commands. Formal Techniques for Java Programs, Technical Report 251. Fernuniversität Hagen (May 1999); Also available as Technical Note 1999-002, Compaq Systems Research CenterGoogle Scholar
  51. [Mey92]
    Meyer, B.: Eiffel: The Language. Object-Oriented Series. Prentice-Hall, Englewood Cliffs (1992)MATHGoogle Scholar
  52. [Min01]
    Miné, A.: The octagon abstract domain. In: Working Conference on Reverse Engineering (WCRE), pp. 310–319 (2001)Google Scholar
  53. [MMPH97]
    Müller, P., Meyer, J., Poetzsch-Heffter, A.: Programming and interface specification language of Jive—specification and design rationale. Technical Report 223, Fernuniversität Hagen(1997)Google Scholar
  54. [MPMU04]
    Marché, C., Paulin-Mohring, C., Urbain, X.: The Krakatoa tool for certification of Java/JavaCard programs annotated in JML. Journal of Logic and Algebraic Programming 58(1–2), 89–106 (2004)MATHCrossRefGoogle Scholar
  55. [Nel89]
    Nelson, G.: A generalization of Dijkstra’s calculus. ACM Transactions on Programming Languages and Systems 11(4), 517–561 (1989)CrossRefGoogle Scholar
  56. [ORR+96]
    Owre, S., Rajan, S., Rushby, J.M., Shankar, N., Srivas, M.K.: PVS: Combining specification, proof checking, and model checking. In: Alur, R., Henzinger, T.A. (eds.) CAV 1996. LNCS, vol. 1102, pp. 411–414. Springer, Heidelberg (1996)Google Scholar
  57. [PH97]
    Poetzsch-Heffter, A.: Specification and verification of object-oriented programs. Habilitationsschrift, Technische Universität München (1997)Google Scholar
  58. [Rey78]
    Reynolds, J.C.: Syntactic control of interference. In: Fifth ACM Symposium on Principles of Programming Languages (POPL), pp. 39–46 (January 1978)Google Scholar
  59. [Ros95]
    Rosenblum, D.S.: A practical approach to programming with assertions. IEEE Transactions on Software Engineering 21(1), 19–31 (1995)CrossRefGoogle Scholar
  60. [Spe06]
  61. [Van94]
    Vandevoorde, M.T.: Exploiting Specifications to Improve Program Performance. In: PhD thesis, Massachusetts Institute of Technology (February 1994); Available as Technical Report MIT/LCS/TR-598Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Mike Barnett
    • 1
  • Bor-Yuh Evan Chang
    • 2
  • Robert DeLine
    • 1
  • Bart Jacobs
    • 3
  • K. Rustan M. Leino
    • 1
  1. 1.Microsoft ResearchRedmondUSA
  2. 2.University of CaliforniaBerkeleyUSA
  3. 3.Katholieke Universiteit LeuvenBelgium

Personalised recommendations