Generating Verifiable Java Code from Verified PVS Specifications

  • Leonard Lensink
  • Sjaak Smetsers
  • Marko van Eekelen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7226)


The use of verification tools to produce formal specifications of digital systems is commonly recommended, especially when dealing with safety-critical systems. These formal specifications often consist of segments which can automatically be translated into executable code.

We propose to generate both code and assertions in order to support verification at the generated code level. This is essential (and possible) when making modifications to the implemented code without revering to the verification tool, as the formal verification can be performed directly at the level of the adjusted code.

As a result of a feasibility study on this approach, we present a prototype of a code generator for the Prototype Verification System (PVS) that translates a subset of PVS functional specifications into Java annotated with JML assertions. To illustrate the tool’s functionality a verified communication protocol from the NASA AirStar project is taken and a reference implementation in Java is generated. Subsequently, we experiment with verification on the Java level in order to show the feasibility of proving the generated JML annotations. In this paper we report on our experiences in this feasibility study.


Proof Obligation Symbolic Execution Java Code Abstract Data Type Functional Programming Language 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abrial, J.-R.: The B-Book: Assigning Programs to Meanings. Cambridge University Press (1996)Google Scholar
  2. 2.
    Ahrendt, W., Baar, T., Beckert, B., Bubel, R., Giese, M., Hähnle, R., Menzel, W., Mostowski, W., Roth, A., Schlager, S., Schmitt, P.H.: The KeY tool. Software and System Modeling (2005)Google Scholar
  3. 3.
    Bailey, R., Hostetler, R., Barnes, K., Belcastro, C., Belcastro, C.: Experimental validation subscale aircraft ground facilities and integrated test capability. In: Proceedings of the AIAA Guidance Navigation, and Control Conference and Exhibit 2005, San Francisco, California (2005)Google Scholar
  4. 4.
    Berghofer, S., Nipkow, T.: Executing Higher Order Logic. In: Callaghan, P., Luo, Z., McKinna, J., Pollack, R. (eds.) TYPES 2000. LNCS, vol. 2277, pp. 24–40. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  5. 5.
    Bertot, Y., Castéran, P.: Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science (2004)Google Scholar
  6. 6.
    Burdy, L., Cheon, Y., Cok, D.R., Ernst, M.D., Kiniry, J.R., Leavens, G.T., Leino, K.R.M., Poll, E.: An overview of JML tools and applications. Int. J. Softw. Tools Technol. Transf. 7(3), 212–232 (2005)CrossRefGoogle Scholar
  7. 7.
    Crow, J., Owre, S., Rushby, J., Shankar, N., Stringer-Calvert, D.: Evaluating, testing, and animating PVS specifications. Technical report, Computer Science Laboratory. SRI International, Menlo Park, CA (March 2001)Google Scholar
  8. 8.
    Filliâtre, J.-C., Marché, C.: The Why/Krakatoa/Caduceus Platform for Deductive Program Verification. In: Damm, W., Hermanns, H. (eds.) CAV 2007. LNCS, vol. 4590, pp. 173–177. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  9. 9.
    Filliâtre, J.-C.: Why: a multi-language multi-prover verification tool. Research Report 1366, LRI, Universit Paris Sud (March 2003)Google Scholar
  10. 10.
    Haftmann, F., Nipkow, T.: A code generator framework for Isabelle/HOL. In: Schneider, K., Brandt, J. (eds.) Theorem Proving in Higher Order Logics: Emerging Trends Proceedings, number 364/07 (August 2007)Google Scholar
  11. 11.
    Jacobs, B., Smetsers, S., Wichers Schreur, R.: Code-carrying theories. Formal Asp. Comput. 19(2), 191–203 (2007)zbMATHCrossRefGoogle Scholar
  12. 12.
    Jones, C.B.: Systematic Software Development using VDM, 2nd edn. Prentice Hall (1990)Google Scholar
  13. 13.
    Kaufmann, M., Moore, J.S., Manolios, P.: Computer-Aided Reasoning: An Approach. Kluwer Academic Publishers, Norwell (2000)CrossRefGoogle Scholar
  14. 14.
    Koser, J., Larsen, H., Vaughan, J.: SML2Java: a source to source translator. In: Proceedings of DP-Cool, PLI 2003, Uppsala,Sweden (2003)Google Scholar
  15. 15.
    Leitao, A.M.: Migration of Common Lisp programs to the Java platform -the Linj approach. In: CSMR 2007: Proceedings of the 11th European Conference on Software Maintenance and Reengineering, pp. 243–251. IEEE Computer Society, Washington, DC (2007)CrossRefGoogle Scholar
  16. 16.
    Lensink, L., Muñoz, C.A., Goodloe, A.E.: From verified models to verifiable code. Technical Report NASA/TM2009-215943, NASA Langley Research Center (2009)Google Scholar
  17. 17.
    Letouzey, P.: A New Extraction for Coq. In: Geuvers, H., Wiedijk, F. (eds.) TYPES 2002. LNCS, vol. 2646, pp. 200–219. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  18. 18.
    Miner, P., Geser, A., Pike, L., Maddalon, J.: A Unified Fault-Tolerance Protocol. In: Lakhnech, Y., Yovine, S. (eds.) FORMATS/FTRTFT 2004. LNCS, vol. 3253, pp. 167–182. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  19. 19.
    Muñoz, C.: Rapid prototyping in PVS. Report NIA Report No. 2003-03, NASA/CR-2003-212418, NIA-NASA Langley, National Institute of Aerospace, Hampton, VA (May 2003)Google Scholar
  20. 20.
    Muñoz, C., Goodloe, A.E.: Design and verification of a distributed communication protocol. Technical Report NASA/CR-2009-215703 (2008)Google Scholar
  21. 21.
    Necula, G.: Proof-Carrying Code. In: Proc. of POPL 1997, pp. 106–119. ACM Press (1997)Google Scholar
  22. 22.
    Owre, S., Rushby, J.M., Shankar, N.: PVS: A Prototype Verification System. In: Kapur, D. (ed.) CADE 1992. LNCS, vol. 607, pp. 748–752. Springer, Heidelberg (1992)Google Scholar
  23. 23.
    Paulin-Mohring, C., Werner, B.: Synthesis of ML programs in the system Coq. J. Symb. Comput. 15(5/6), 607–640 (1993)MathSciNetzbMATHCrossRefGoogle Scholar
  24. 24.
    Pike, L., Maddalon, J., Miner, P., Geser, A.: Abstractions for Fault-Tolerant Distributed System Verification. In: Slind, K., Bunker, A., Gopalakrishnan, G.C. (eds.) TPHOLs 2004. LNCS, vol. 3223, pp. 257–270. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  25. 25.
    Ray, S.: Attaching Efficient Executability to Partial Functions in ACL2. In: Kaufmann, M., Moore, J.S. (eds.) Fifth International Workshop on the ACL2 Theorem Prover and Its Applications (ACL2 2004), Austin, TX (November 2004)Google Scholar
  26. 26.
    Rushby, J., Owre, S., Shankar, N.: Subtypes for specifications: Predicate subtyping in PVS. IEEE Transactions on Software Engineering 24(9), 709–720 (1998)CrossRefGoogle Scholar
  27. 27.
    Rushby, J., von Henke, F.: Formal verification of algorithms for critical systems. IEEE Transactions on Software Engineering 19(1), 13–23 (1993)CrossRefGoogle Scholar
  28. 28.
    Shankar, N.: Efficiently executing PVS. Technical report, Menlo Park, CA (1999)Google Scholar
  29. 29.
    Shankar, N.: Static analysis for safe destructive updates in a functional language (2002)Google Scholar
  30. 30.
    Tolmach, A.P., Oliva, D.: From ML to Ada: Strongly-typed language interoperability via source translation. Journal of Functional Programming 8(4), 367–412 (1998)zbMATHCrossRefGoogle Scholar
  31. 31.
    Urribarrí, W.: A module system for Why. Personal Communication (2008) manuscriptGoogle Scholar
  32. 32.
    Wordsworth, J.: Software Development with Z. Addison-Wesley (1992)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Leonard Lensink
    • 1
  • Sjaak Smetsers
    • 1
  • Marko van Eekelen
    • 1
    • 2
  1. 1.Institute for Computing and Information SciencesRadboud University NijmegenThe Netherlands
  2. 2.School of Computer ScienceOpen University of the NetherlandsThe Netherlands

Personalised recommendations