en>Rschwieb: /* Definition */

2012-03-08T11:39:17Z

Definition

New page

{{Infobox software
| name = KeY
| logo = [[File:KeY logo.svg|150px]]
| screenshot = [[Image:Key-tool.jpg|250px]]
| caption = Screenshot of KeY 1.4
| developer = [[Karlsruhe Institute of Technology]], [[Technische Universität Darmstadt]], [[Chalmers University of Technology]]
| year = 2001
| latest release version = 2.0.1
| latest release date = {{release date|2013|06|20}}
| latest preview version = 2.1.4244
| latest preview date = {{release date|2013|05|10}}
| operating system = Linux, Mac, Windows, Solaris
| language = English
| programming language = [[Java (programming language)|Java]]
| status = Active
| genre = [[Formal verification]]
| license = [[GNU General Public License|GPL]]
| website = [http://www.key-project.org/ www.key-project.org]
}}

The '''KeY''' tool is used in [[formal verification]] of [[Java (programming language)|Java]] programs. It accepts both specifications written in [[Java Modeling Language|JML]] or [[Object Constraint Language|OCL]] to Java source files. These are transformed into theorems of [[dynamic logic]] and then compared against program semantics which are likewise defined in terms of dynamic logic. KeY is significantly powerful in that it supports both interactive (i.e. by hand) and fully automated correctness proofs. Failed proof attempts can be used for a more efficient [[debugging]] or [[Model-based testing#Test case generation by theorem proving|verification-based testing]]. It can be integrated into [[CASE tool]]s to extract specifications. There have been several extensions to KeY in order to apply it to the verification of [[C (programming language)|C]] programs or [[hybrid system]]s. KeY is jointly developed by [[Karlsruhe Institute of Technology]], Germany; [[Technische Universität Darmstadt]], Germany; and [[Chalmers University of Technology]] in Gothenburg, Sweden and is licensed under the [[GNU General Public License |GPL]].

== Overview ==
The usual user input to KeY consists of a Java source file with annotations in either JML or OCL. Both, they are translated to KeY's internal representation, [[KeY#Java Card DL|dynamic logic]]. From the given specifications, several proof obligations arise which are to be discharged, i.e. a proof has to be found. To this ends, the program is [[symbolic execution|symbolically executed]] with the resulting changes to program variables stored in so-called ''updates''. Once the program has been processed completely, there remains a [[first-order logic]] proof obligation. At the heart of the KeY system lies a first-order [[Automated theorem prover|theorem prover]] based on [[sequent calculus]], which is used to close the proof. Interference rules are captured in so called ''taclets'' which consist of an own simple language to describe changes to a sequent.

== Java Card DL ==
{{main|Java Card}}
The theoretical foundation of KeY is a [[formal logic]] called Java Card DL. DL stands for Dynamic Logic. It is a version of a first-order [[dynamic logic (modal logic)|dynamic logic]] tailored to Java Card programs. As such, it for example allows statements (formulas) like <math>\phi \rightarrow [\alpha]\psi</math>, which intuitively says that the post-condition <math>\psi</math> must hold in all program states reachable by executing the Java Card program <math>\alpha</math> in any state that satisfies the pre-condition <math>\phi</math>. This is equivalent to <math>\{\phi\}\alpha\{\psi\}</math> in [[Hoare calculus]] if <math>\phi</math> and <math>\psi</math> are purely first order. Dynamic logic, however, extends Hoare logic in that formulas may contain nested program modalities such as <math>[\alpha]</math>, or that quantification over formulas which contain modalities is possible. There is also a [[Duality (mathematics)|dual]] modality <math>\langle\alpha\rangle</math> which includes [[Termination analysis|termination]]. This dynamic logic can be seen as a special multi-modal logic (with an infinite number of modalities) where for each Java block <math>\alpha</math> there are modalities <math>[\alpha]</math> and <math>\langle\alpha\rangle</math>.

== Deduction component ==
At the heart of the KeY system lies a first-order theorem prover based on a [[sequent calculus]]. A sequent is of the form <math>\Gamma \vdash \Delta</math> where <math>\Gamma</math> (assumptions) and <math>\Delta</math> (propositions) are sets of formulas with the intuitive meaning that <math>\bigwedge_{\gamma\in\Gamma} \gamma \rightarrow \bigvee_{\delta\in\Delta}\delta</math> holds true. By means of [[Deductive reasoning|deduction]], an initial sequent representing the proof obligation is shown to be constructible from just fundamental first-order axioms (such as equality <math>e\ \dot{=}\ e</math>).

=== Symbolic execution of Java code ===
During that, program modalities are eliminated by [[symbolic execution]]. For instance, the formula <math>x\ \dot{=}\ 0 \rightarrow [x++;]x\ \dot{=}\ 1</math> is logically equivalent to <math>x\ \dot{=}\ 0 \rightarrow x\ \dot{=}\ 0</math>. As this example shows, symbolic execution in dynamic logic is very similar to calculating [[weakest precondition]]s. Both <math>[\alpha]\psi</math> and <math>wp(\alpha,\psi)</math> essentially denote the same thing – with two exceptions: Firstly, <math>wp</math> is a function of some meta-calculus while <math>[\alpha]\psi</math> really is a formula of the given calculus. Secondly, symbolic execution runs through the program ''forward'' just as an actual execution would. To save intermediate results of assignments, KeY introduces a concept called ''updates'', which are similar to substitutions but are only applied once the program modality has been fully eliminated. Syntactically, updates are consist of parallel (side-effect free) assignments written in curly braces in front of a modality. An example of symbolic execution with updates: <math>[x= 3; x=x+1;]x\ \dot{=}\ 4</math> is transformed to <math>\{x:= 3\}[x=x+1;]x\ \dot{=}\ 4</math> in the first step and to <math>\{x:= 4\}[]x\ \dot{=}\ 4</math> in the second step. The modality then is empty and "backwards application" of the update to the postcondition yields a precondition where <math>x</math> could take any value.

=== Example ===
Suppose one wants to prove that the following method calculates the product of some non-negative integers <math>x</math> and <math>y</math>.
<source lang="c">
int foo (int x, int y) {
int z = 0;
while (y > 0)
if (y % 2 == 0) {
x = x*2;
y = y/2;
} else {
y = y/2;
z = z+x;
x = x*2;
}
return z;
}
</source>
One thus starts the proof with the premise <math>x \geq 0 \land y \geq 0</math> and the to-be-shown conclusion <math>z\ \dot{=}\ x \cdot y</math>. Note that tableaux of sequent calculi are usually written "upside-down", i.e., the starting sequent appears at the bottom and deduction steps go upwards. The proof can be seen in the figure on the right.
[[File:Dynamic_logic_proof.png|thumb|right|A resulting proof tree]]

== Additional features ==
=== Symbolic Execution Debugger ===
The ''Symbolic Execution Debugger'' visualizes the [[control flow]] of a program as a [[symbolic execution]] tree that contains all feasible execution paths through the program up to a certain point. It is provided as a plugin to the [[Eclipse (software)|Eclipse]] development platform.

=== Test Case Generator ===
KeY is usable as a [[model-based testing]] tool that can generate [[unit tests]] for Java programs. The model from which test data and the test case are derived consists of a formal specification (provided in [[Java Modeling Language|JML]] or [[Object Constraint Language|OCL]]) and a symbolic execution tree of the implementation under test which is computed by the KeY system.

== Distribution and Variants of the KeY System ==
KeY is free software written in Java and licensed under [[GNU General Public License|GPL]]. It can be downloaded from the project website in source; currently there are no pre-compiled binaries available. As another possibility, KeY can be executed directly via [[Java web start]] without the need for compilation and installation.

=== KeY-Hoare ===
''KeY-Hoare'' is built on top of KeY and features a [[Hoare calculus]] with state updates. State updates are a means of describing state transitions in a [[Kripke structure]]. This calculus can be seen as a subset to the one that is used in the main branch of KeY. Due to the simplicity of the Hoare calculus, this implementation is essentially meant to exemplify formal methods in undergraduate classes.

=== KeYmaera ===
''KeYmaera'' [http://symbolaris.com/info/KeYmaera.html] (previously called HyKeY) is a deductive verification tool for hybrid systems based on a calculus for the differential dynamic logic dL [http://symbolaris.com/logic/dL.html].
It extends the KeY tool with computer algebra systems like [[Mathematica]] and corresponding algorithms and proof strategies such that it can be used for practical verification of [[hybrid systems]].

KeYmaera has been developed at the [[University of Oldenburg]] and the [[Carnegie Mellon University]]. The name of the tool was chosen as a [[homophone]] to [[Chimera (mythology)|Chimera]], the hybrid animal from ancient Greek mythology.

=== KeY for C ===
''KeY for C'' is an adaption of the KeY System to [[MISRA C]], a subset of the [[C programming language]]. This variant is no longer supported.

=== ASMKeY ===
There is also an adaptation to use KeY for the symbolic execution of [[Abstract State Machine]]s, that was developed at [[ETH Zürich]]. This variant is no longer supported; more information can be found on the weblink below.

== Sources ==
* [http://www.springer.com/east/home/generic/search/results?SGWID=5-40109-22-173712406-0 Verification of Object-Oriented Software: The KeY Approach]. Bernhard Beckert, Reiner Hähnle, Peter H. Schmitt (Eds.). [[Springer Science+Business Media|Springer]], 2007. ISBN 978-3-540-68977-5.
* [http://www.springerlink.com/content/6230tv724um20302/ A comparison of tools for teaching formal software verification]. Ingo Feinerer and Gernot Salzer. [[Springer Science+Business Media|Springer]], 2008
* [http://cl.cse.wustl.edu/papers/vstte05.pdf Programming With Proofs: Language Based Approaches To Totally Correct Software]. Aaron Stump. Verified Software: Theories, Tools, and Experiments, 2005.
* [http://www.dwheeler.com/essays/high-assurance-floss.html High Assurance (for Security or Safety) and Free-Libre / Open Source Software (FLOSS)]. David Wheeler, 2009

== External links ==
* [http://www.key-project.org Home page of the KeY project]
* [http://symbolaris.com/info/KeYmaera.html KeYmaera home page]

[[Category:Formal methods tools]]
[[Category:Theorem proving software systems]]
[[Category:Free theorem provers]]

Chief series - Revision history

en>Rschwieb: /* Definition */