formal verification of memory performance contracts · formal verification of memory performance...
TRANSCRIPT
![Page 1: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/1.jpg)
Formal Verification of Memory PerformanceContracts
Christian Engel
Universitat Karlsruhe (TH)
6th International KeY Symposium
Verification of Performance Contracts 14.06.2007 1 / 16
![Page 2: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/2.jpg)
Outline
Motivation
Realtime Java
JML WCMU Specifications
Java DL and Memory Usage
Demo
Verification of Performance Contracts 14.06.2007 2 / 16
![Page 3: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/3.jpg)
Motivation
Is formal verification of performance constraints really necessary?
No
Usually bad performance is not an issue of software correctness.
But . . .
Real-time applications have to meet certain performance constraints,otherwise they are erroneous.
Verification of Performance Contracts 14.06.2007 3 / 16
![Page 4: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/4.jpg)
Motivation
Is formal verification of performance constraints really necessary?
No
Usually bad performance is not an issue of software correctness.
But . . .
Real-time applications have to meet certain performance constraints,otherwise they are erroneous.
Verification of Performance Contracts 14.06.2007 3 / 16
![Page 5: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/5.jpg)
Motivation
Is formal verification of performance constraints really necessary?
No
Usually bad performance is not an issue of software correctness.
But . . .
Real-time applications have to meet certain performance constraints,otherwise they are erroneous.
Verification of Performance Contracts 14.06.2007 3 / 16
![Page 6: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/6.jpg)
Motivation
Is formal verification of performance constraints really necessary?
No
Usually bad performance is not an issue of software correctness.
But . . .
Real-time applications have to meet certain performance constraints,otherwise they are erroneous.
Verification of Performance Contracts 14.06.2007 3 / 16
![Page 7: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/7.jpg)
RTSJ – The Real-Time Specification for Java
One obstacle for writting real-time Java applications: Garbage Collection
New Types of Heap Memory . . .
I Immortal Memory
I Scoped Memory
I Both are not subject to garbage collection
. . . and Threads
I Realtime Thread
I No-Heap Realtime Thread
Verification of Performance Contracts 14.06.2007 4 / 16
![Page 8: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/8.jpg)
RTSJ – The Real-Time Specification for Java
One obstacle for writting real-time Java applications: Garbage Collection
New Types of Heap Memory . . .
I Immortal Memory
I Scoped Memory
I Both are not subject to garbage collection
. . . and Threads
I Realtime Thread
I No-Heap Realtime Thread
Verification of Performance Contracts 14.06.2007 4 / 16
![Page 9: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/9.jpg)
RTSJ – The Real-Time Specification for Java
One obstacle for writting real-time Java applications: Garbage Collection
New Types of Heap Memory . . .
I Immortal Memory
I Scoped Memory
I Both are not subject to garbage collection
. . . and Threads
I Realtime Thread
I No-Heap Realtime Thread
Verification of Performance Contracts 14.06.2007 4 / 16
![Page 10: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/10.jpg)
RTSJ – The Real-Time Specification for Java
One obstacle for writting real-time Java applications: Garbage Collection
New Types of Heap Memory . . .
I Immortal Memory
I Scoped Memory
I Both are not subject to garbage collection
. . . and Threads
I Realtime Thread
I No-Heap Realtime Thread
Verification of Performance Contracts 14.06.2007 4 / 16
![Page 11: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/11.jpg)
RTSJ – The Real-Time Specification for Java
One obstacle for writting real-time Java applications: Garbage Collection
New Types of Heap Memory . . .
I Immortal Memory
I Scoped Memory
I Both are not subject to garbage collection
. . . and Threads
I Realtime Thread
I No-Heap Realtime Thread
Verification of Performance Contracts 14.06.2007 4 / 16
![Page 12: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/12.jpg)
RTSJ – The Real-Time Specification for Java
One obstacle for writting real-time Java applications: Garbage Collection
New Types of Heap Memory . . .
I Immortal Memory
I Scoped Memory
I Both are not subject to garbage collection
. . . and Threads
I Realtime Thread
I No-Heap Realtime Thread
Verification of Performance Contracts 14.06.2007 4 / 16
![Page 13: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/13.jpg)
RTSJ – The Real-Time Specification for Java
One obstacle for writting real-time Java applications: Garbage Collection
New Types of Heap Memory . . .
I Immortal Memory
I Scoped Memory
I Both are not subject to garbage collection
. . . and Threads
I Realtime Thread
I No-Heap Realtime Thread
Verification of Performance Contracts 14.06.2007 4 / 16
![Page 14: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/14.jpg)
JML Performance Specifications
Worst Case Execution Time (WCET)
I duration clause: part of the method contract
I \duration function: \duration(o.m())
Worst Case Memory Usage (WCMU)
I working_space clause:I part of the method contractI specifies the WCMU of a method
I \working_space function: \working_space(o.m())I \space function: \space(new int[3])
Verification of Performance Contracts 14.06.2007 5 / 16
![Page 15: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/15.jpg)
JML Performance Specifications
Worst Case Execution Time (WCET)
I duration clause: part of the method contract
I \duration function: \duration(o.m())
Worst Case Memory Usage (WCMU)
I working_space clause:I part of the method contractI specifies the WCMU of a method
I \working_space function: \working_space(o.m())I \space function: \space(new int[3])
Verification of Performance Contracts 14.06.2007 5 / 16
![Page 16: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/16.jpg)
JML Performance Specifications
Worst Case Execution Time (WCET)
I duration clause: part of the method contract
I \duration function: \duration(o.m())
Worst Case Memory Usage (WCMU)
I working_space clause:I part of the method contractI specifies the WCMU of a method
I \working_space function: \working_space(o.m())I \space function: \space(new int[3])
Verification of Performance Contracts 14.06.2007 5 / 16
![Page 17: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/17.jpg)
JML Performance Specifications
Worst Case Execution Time (WCET)
I duration clause: part of the method contract
I \duration function: \duration(o.m())
Worst Case Memory Usage (WCMU)
I working_space clause:I part of the method contractI specifies the WCMU of a method
I \working_space function: \working_space(o.m())I \space function: \space(new int[3])
Verification of Performance Contracts 14.06.2007 5 / 16
![Page 18: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/18.jpg)
JML Performance Specifications
Worst Case Execution Time (WCET)
I duration clause: part of the method contract
I \duration function: \duration(o.m())
Worst Case Memory Usage (WCMU)
I working_space clause:I part of the method contractI specifies the WCMU of a method
I \working_space function: \working_space(o.m())
I \space function: \space(new int[3])
Verification of Performance Contracts 14.06.2007 5 / 16
![Page 19: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/19.jpg)
JML Performance Specifications
Worst Case Execution Time (WCET)
I duration clause: part of the method contract
I \duration function: \duration(o.m())
Worst Case Memory Usage (WCMU)
I working_space clause:I part of the method contractI specifies the WCMU of a method
I \working_space function: \working_space(o.m())I \space function: \space(new int[3])
Verification of Performance Contracts 14.06.2007 5 / 16
![Page 20: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/20.jpg)
Shortcomings of JML Memory Specs
This specification can be incorrect:
JAVA + JML
static SomeClass instance;
/*@ working_space \working_space(clear()) +@ \working_space(getInstance()); @*/public SomeClass freshInstance(){
clear();return getInstance();
}
JAVA + JML
I working_space clauses are evaluated in the post state.
I no access to intermediate program states in \working_spaceexpressions
Verification of Performance Contracts 14.06.2007 6 / 16
![Page 21: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/21.jpg)
Shortcomings of JML Memory Specs
This specification can be incorrect:
JAVA + JML
static SomeClass instance;
/*@ working_space \working_space(clear()) +@ \working_space(getInstance()); @*/public SomeClass freshInstance(){
clear();return getInstance();
}
JAVA + JML
I working_space clauses are evaluated in the post state.
I no access to intermediate program states in \working_spaceexpressions
Verification of Performance Contracts 14.06.2007 6 / 16
![Page 22: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/22.jpg)
Shortcomings of JML Memory Specs
This specification can be incorrect:
JAVA + JML
static SomeClass instance;
public static clear(){ instance = null; }
public static getInstance(){if(instance==null) instance = new SomeClass();return instance;
}
JAVA + JML
I working_space clauses are evaluated in the post state.
I no access to intermediate program states in \working_spaceexpressions
Verification of Performance Contracts 14.06.2007 6 / 16
![Page 23: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/23.jpg)
Shortcomings of JML Memory Specs
This specification can be incorrect:
JAVA + JML
static SomeClass instance;
/*@ working_space \working_space(clear()) +@ \working_space(getInstance()); @*/public SomeClass freshInstance(){
clear();return getInstance();
}
JAVA + JML
I working_space clauses are evaluated in the post state.
I no access to intermediate program states in \working_spaceexpressions
Verification of Performance Contracts 14.06.2007 6 / 16
![Page 24: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/24.jpg)
Shortcomings of JML Memory Specs
This specification can be incorrect:
JAVA + JML
static SomeClass instance;
/*@ working_space \working_space(clear()) +@ \working_space(getInstance()); @*/public SomeClass freshInstance(){
clear(); // instance == null
return getInstance();}
JAVA + JML
I working_space clauses are evaluated in the post state.
I no access to intermediate program states in \working_spaceexpressions
Verification of Performance Contracts 14.06.2007 6 / 16
![Page 25: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/25.jpg)
Shortcomings of JML Memory Specs
This specification can be incorrect:
JAVA + JML
static SomeClass instance;
/*@ working_space \working_space(clear()) +@ \working_space(getInstance()); @*/public SomeClass freshInstance(){
clear(); // instance == null
return getInstance(); // instance != null
}
JAVA + JML
I working_space clauses are evaluated in the post state.
I no access to intermediate program states in \working_spaceexpressions
Verification of Performance Contracts 14.06.2007 6 / 16
![Page 26: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/26.jpg)
working_space in KeYJML
Alternative Approach
State in which the target method is executed is specified within\working_space expressions: \working_space(method, cond)
\working_space(method, cond) is a rigid expression.
JAVA + JML
static SomeClass instance;
/*@ working_space \working_space(clear(), true) +@ \working_space(getInstance(), instance==null);@*/public SomeClass freshInstance(){
clear();return getInstance();
}
JAVA + JML
Verification of Performance Contracts 14.06.2007 7 / 16
![Page 27: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/27.jpg)
working_space in KeYJML
Alternative Approach
State in which the target method is executed is specified within\working_space expressions: \working_space(method, cond)\working_space(method, cond) is a rigid expression.
JAVA + JML
static SomeClass instance;
/*@ working_space \working_space(clear(), true) +@ \working_space(getInstance(), instance==null);@*/public SomeClass freshInstance(){
clear();return getInstance();
}
JAVA + JML
Verification of Performance Contracts 14.06.2007 7 / 16
![Page 28: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/28.jpg)
working_space in KeYJML
Alternative Approach
State in which the target method is executed is specified within\working_space expressions: \working_space(method, cond)\working_space(method, cond) is a rigid expression.
JAVA + JML
static SomeClass instance;
/*@ working_space \working_space(clear(), true) +@ \working_space(getInstance(), instance==null);@*/public SomeClass freshInstance(){
clear();return getInstance();
}
JAVA + JML
Verification of Performance Contracts 14.06.2007 7 / 16
![Page 29: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/29.jpg)
Loop Specs in KeYJML
/*@ requires a!=null;@ working_space a.length*\space(new Object()) +@ \working_space(new ArrayStoreException(), true);@*/public void initArr(Object[] a){
int i=0;/*@ loop_invariant i>=0;
@ assignable a[*];@ decreasing a.length-i;@ working_space_single_iteration \space(new Object());@*/
while(i<a.length){a[i++] = new Object();
}}
Verification of Performance Contracts 14.06.2007 8 / 16
![Page 30: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/30.jpg)
Proof Obligations
JAVA + JML
/*@ public normal_behavior@ requires PRE;@ working_space S;@*/public void doSth(){ ...
JAVA + JML
Idea
Use a program variable to log the memory allocation of Java programs.
PRE → {hold := h}〈doSth();〉h ≤ hold + S
Verification of Performance Contracts 14.06.2007 9 / 16
![Page 31: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/31.jpg)
Proof Obligations
JAVA + JML
/*@ public normal_behavior@ requires PRE;@ working_space S;@*/public void doSth(){ ...
JAVA + JML
Idea
Use a program variable to log the memory allocation of Java programs.
PRE → {hold := h}〈doSth();〉h ≤ hold + S
Verification of Performance Contracts 14.06.2007 9 / 16
![Page 32: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/32.jpg)
Object Creation Rule
Symbolic execution of constructors increases h by the heap spaceconsumed by the created object.
arrayCreationΓ ⇒ {U ;h := h + spacearr (e, l1)}〈π ACω〉φ, ∆
Γ ⇒ {U}〈π v=new T[l1]);ω〉φ, ∆
objectCreationΓ ⇒ {U ;h := h + spaceT}〈π OCω〉φ, ∆
Γ ⇒ {U}〈π v=new T(a1,...,an);ω〉φ, ∆
Verification of Performance Contracts 14.06.2007 10 / 16
![Page 33: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/33.jpg)
Contract Rule
JAVA + JML
/*@ public normal_behavior@ requires Pre;@ ensures Post;@ assignable Mod;@ working_space S; @*/public void m(){ ...
JAVA + JML
applyContract
Γ ⇒ {U}Pre, ∆Γ ⇒ {U}(wsnr
m() = {V (Mod)}S →{V (Mod)||h := h + wsnr
m()}(Post → 〈π ω〉φ)), ∆
Γ ⇒ {U}〈π m();ω〉φ, ∆
Verification of Performance Contracts 14.06.2007 11 / 16
![Page 34: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/34.jpg)
How wsnr relates to \working_space
wsnrm is a nonrigid constant denoting the WCMU of m in a certain set of
states S .
wsrm,cond is the Java Card DL counterpart of the JML expression
\working_space(m, cond).
If cond holds in every state in S , {U}wsnrm cannot exceed
\working_space(m, cond).
wsNonRigid
Γ ⇒ {U}cond , ∆Γ, {U}wsnr
m ≤ wsrm,cond ⇒ ∆
Γ ⇒ ∆
Verification of Performance Contracts 14.06.2007 12 / 16
![Page 35: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/35.jpg)
How wsnr relates to \working_space
wsnrm is a nonrigid constant denoting the WCMU of m in a certain set of
states S .
wsrm,cond is the Java Card DL counterpart of the JML expression
\working_space(m, cond).
If cond holds in every state in S , {U}wsnrm cannot exceed
\working_space(m, cond).
wsNonRigid
Γ ⇒ {U}cond , ∆Γ, {U}wsnr
m ≤ wsrm,cond ⇒ ∆
Γ ⇒ ∆
Verification of Performance Contracts 14.06.2007 12 / 16
![Page 36: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/36.jpg)
How wsnr relates to \working_space
wsnrm is a nonrigid constant denoting the WCMU of m in a certain set of
states S .
wsrm,cond is the Java Card DL counterpart of the JML expression
\working_space(m, cond).
If cond holds in every state in S , {U}wsnrm cannot exceed
\working_space(m, cond).
wsNonRigid
Γ ⇒ {U}cond , ∆Γ, {U}wsnr
m ≤ wsrm,cond ⇒ ∆
Γ ⇒ ∆
Verification of Performance Contracts 14.06.2007 12 / 16
![Page 37: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/37.jpg)
How wsnr relates to \working_space
wsnrm is a nonrigid constant denoting the WCMU of m in a certain set of
states S .
wsrm,cond is the Java Card DL counterpart of the JML expression
\working_space(m, cond).
If cond holds in every state in S , {U}wsnrm cannot exceed
\working_space(m, cond).
wsNonRigid
Γ ⇒ {U}cond , ∆Γ, {U}wsnr
m ≤ wsrm,cond ⇒ ∆
Γ ⇒ ∆
Verification of Performance Contracts 14.06.2007 12 / 16
![Page 38: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/38.jpg)
Memory Usage Contract Rule
JAVA + JML
/*@ public behavior@ requires Pre;@ ensures Post;@ working_space t;@*/
public int m(){ ...
JAVA + JML
wsContract1
Γ ⇒ {∗ := ∗}(ϕ → Pre), ∆Γ, {∗ := ∗}(Post ∧ wsr
m,ϕ = t) ⇒ ∆
Γ ⇒ ∆
Verification of Performance Contracts 14.06.2007 13 / 16
![Page 39: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/39.jpg)
Demo
Demo
Verification of Performance Contracts 14.06.2007 14 / 16
![Page 40: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/40.jpg)
Thank you for your Attention!
Verification of Performance Contracts 14.06.2007 15 / 16
![Page 41: Formal Verification of Memory Performance Contracts · Formal Verification of Memory Performance Contracts Christian Engel Universit¨at Karlsruhe (TH) 6th International KeY Symposium](https://reader030.vdocuments.us/reader030/viewer/2022041019/5ece7d2a3f11100e20750350/html5/thumbnails/41.jpg)
Questions
Questions?
Verification of Performance Contracts 14.06.2007 16 / 16