Java’s Integral Types in PVS

Abstract: This paper presents an extension of the standard bitvector library of the theorem prover PVS with multiplication, division and remainder operations, together with associated results. This extension is needed to give correct semantics to Java's integral types in program verification. Special emphasis is put on Java's widening and narrowing functions in relation to the newly defined operations on bitvectors.

“…Im p o rta n t issues a t th is stage were th e underlying m em ory m odel [1] and th e sem antics of inheritance [14]. T his sem antics is fairly stable since ab o u t 2000, an d has undergone only relatively m inor, m odular changes such as th e move from u n b ounded to b o unded sem antics for integral types [17], see Sect. 3.5.…”

“…T his was ju s t done to keep things simple; our m ain in terest was th e sem antics of Jav a features such as object-orientation, inheritance, exceptions, etc., and in te rp re ta tio n of th e base types is orthogonal to th e sem antics of these. L ater, w hen th is becam e relevant for th e Jav a C ard sm art card program s we w anted to verify, a correct form alisation of th e sem antics of Java num eric types, w ith all th e peculiarities of th e p o te n tia l overflow during arith m etic operations, was included [17]. It is used in th e verification exam ple in Section 2.…”

Java Program Verification at Nijmegen: Developments and Perspective

“…Im p o rta n t issues a t th is stage were th e underlying m em ory m odel [1] and th e sem antics of inheritance [14]. T his sem antics is fairly stable since ab o u t 2000, an d has undergone only relatively m inor, m odular changes such as th e move from u n b ounded to b o unded sem antics for integral types [17], see Sect. 3.5.…”

“…T his was ju s t done to keep things simple; our m ain in terest was th e sem antics of Jav a features such as object-orientation, inheritance, exceptions, etc., and in te rp re ta tio n of th e base types is orthogonal to th e sem antics of these. L ater, w hen th is becam e relevant for th e Jav a C ard sm art card program s we w anted to verify, a correct form alisation of th e sem antics of Java num eric types, w ith all th e peculiarities of th e p o te n tia l overflow during arith m etic operations, was included [17]. It is used in th e verification exam ple in Section 2.…”

Java Program Verification at Nijmegen: Developments and Perspective

“…The erroneous nature of a specification involving potential overflows should become clear when one verifies the method using an appropriate bit-level repre sentation of integral types [18]. Unfortunately, such errors are not at all apparent, even when performing extensive unit testing, because the boundary conditions for arithmetic expressions, like the third term of the postcondition of is q r t Q in Figure 11, are rarely automatically derivable, and full state-space coverage is simply too computationally expensive.…”

Java Program Verification Challenges

Formal Program Development with Approximations