Verifying OpenJDK’s Sort Method for Generic Collections

Abstract: TimSort is the main sorting algorithm provided by the Java standard library and many other programming frameworks. Our original goal was functional verification of TimSort with mechanical proofs. However, during our verification attempt we discovered a bug which causes the implementation to crash by an uncaught exception. In this paper, we identify conditions under which the bug occurs, and from this we derive a bug-free version that does not compromise performance. We formally specify the new version and veri… Show more

“…This raises the question: how to specify behavior of interface methods? 7 Verifiable code revisions. We fixed the LinkedList class by explicitly bounding its maximum size to Integer.MAX_VALUE elements, but other solutions are possible.…”

“…Therefore, their correctness is of the utmost importance. The importance and potential of formal software verification as a means of rigorously validating state-of-the-art, real software and improving it, is convincingly illustrated by its application to TimSort, the default sorting library in many widely used programming languages, including Java and Python, and platforms like Android (see [7,9]): a crashing implementation bug was found.…”

Verifying OpenJDK’s LinkedList using KeY

“…This raises the question: how to specify behavior of interface methods? 7 Verifiable code revisions. We fixed the LinkedList class by explicitly bounding its maximum size to Integer.MAX_VALUE elements, but other solutions are possible.…”

“…Therefore, their correctness is of the utmost importance. The importance and potential of formal software verification as a means of rigorously validating state-of-the-art, real software and improving it, is convincingly illustrated by its application to TimSort, the default sorting library in many widely used programming languages, including Java and Python, and platforms like Android (see [7,9]): a crashing implementation bug was found.…”

Verifying OpenJDK’s LinkedList using KeY

“…When it comes to formal verification, it thus makes sense to start with the verification of such libraries. This observation has motivated efforts in the deductive verification community to verify programming libraries [11,31]. OCaml is a programming language that lends itself particularly well to formal verification, in particular thanks to its simple semantics.…”

GOSPEL—Providing OCaml with a Formal Specification Language

“…TimSort is the default sorting library in many widely-used programming languages such as Java and Python, and platforms like Android. A fixed version, which is now used in all these platforms, was derived and has been proven correct [10] using KeY, a stateof-the-art theorem proving technology [1]. Use of formal methods further led to the discovery of some major flaws in the LinkedList implementation provided by Java's Collection Framework-erratic behavior caused by an integer overflow.…”

“…It can be empirically established that Java libraries, and Java's Collection Framework in particular, are heavily used and have many implementations [8]. Recently, several issues with parts of the Collection Framework were revealed [10,11]. Such issues are hard to discover at run-time due to their heap size requirements, necessitating a static approach to analysis.…”

History-Based Specification and Verification of Java Collections in KeY