KeY

This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages) This article includes a list of general references, but it lacks sufficient corresponding inline citations. Please help to improve this article by introducing more precise citations. (August 2016) (Learn how and when to remove this message) This article may be too technical for most readers to understand. Please help improve it to make it understandable to non-experts, without removing the technical details. (March 2019) (Learn how and when to remove this message) (Learn how and when to remove this message)

KeY

Screenshot of KeY 1.4
Developer(s)	Karlsruhe Institute of Technology, Technische Universität Darmstadt, Chalmers University of Technology
Stable release	2.10.0 / December 23, 2021 (2021-12-23)[1]
Written in	Java
Operating system	Linux, Mac, Windows, Solaris
Available in	English
Type	Formal verification
License	GPL
Website	www.key-project.org

The KeY tool is used in formal verification of Java programs. It accepts specifications written in the Java Modeling Language to Java source files. These are transformed into theorems of dynamic logic and then compared against program semantics that are likewise defined in terms of dynamic logic. KeY is significantly powerful in that it supports both interactive (i.e. by hand) and fully automated correctness proofs. Failed proof attempts can be used for a more efficient debugging or verification-based testing. There have been several extensions to KeY in order to apply it to the verification of C programs or hybrid systems. KeY is jointly developed by Karlsruhe Institute of Technology, Germany; Technische Universität Darmstadt, Germany; and Chalmers University of Technology in Gothenburg, Sweden and is licensed under the GPL.

Overview

The usual user input to KeY consists of a Java source file with annotations in JML. Both are translated to KeY's internal representation, dynamic logic. From the given specifications, several proof obligations arise which are to be discharged, i.e. a proof has to be found. To this ends, the program is

The theoretical foundation of KeY is a

tailored to Java Card programs. As such, it for example allows statements (formulas) like ${\displaystyle \phi \rightarrow [\alpha ]\psi }$, which intuitively says that the post-condition ${\displaystyle \psi }$ must hold in all program states reachable by executing the Java Card program ${\displaystyle \alpha }$ in any state that satisfies the pre-condition ${\displaystyle \phi }$. This is equivalent to ${\displaystyle \{\phi \}\alpha \{\psi \}}$ in

Hoare calculus

if ${\displaystyle \phi }$ and ${\displaystyle \psi }$ are purely first order. Dynamic logic, however, extends Hoare logic in that formulas may contain nested program modalities such as ${\displaystyle [\alpha ]}$, or that quantification over formulas which contain modalities is possible. There is also a

${\displaystyle \langle \alpha \rangle }$

${\displaystyle \alpha }$

${\displaystyle [\alpha ]}$

${\displaystyle \langle \alpha \rangle }$

Deduction component

At the heart of the KeY system lies a first-order theorem prover based on a sequent calculus. A sequent is of the form ${\displaystyle \Gamma \vdash \Delta }$ where ${\displaystyle \Gamma }$ (assumptions) and ${\displaystyle \Delta }$ (propositions) are sets of formulas with the intuitive meaning that ${\displaystyle \bigwedge _{\gamma \in \Gamma }\gamma \rightarrow \bigvee _{\delta \in \Delta }\delta }$ holds true. By means of deduction, an initial sequent representing the proof obligation is shown to be constructible from just fundamental first-order axioms (such as equality ${\displaystyle e\ {\dot {=}}\ e}$).

Symbolic execution of Java code

During that, program modalities are eliminated by symbolic execution. For instance, the formula ${\displaystyle x\ {\dot {=}}\ 0\rightarrow [x++;]x\ {\dot {=}}\ 1}$ is logically equivalent to ${\displaystyle x\ {\dot {=}}\ 0\rightarrow x\ {\dot {=}}\ 0}$. As this example shows, symbolic execution in dynamic logic is very similar to calculating

${\displaystyle [\alpha ]\psi }$

${\displaystyle wp(\alpha ,\psi )}$

${\displaystyle wp}$

${\displaystyle [\alpha ]\psi }$

${\displaystyle [x=3;x=x+1;]x\ {\dot {=}}\ 4}$

${\displaystyle \{x:=3\}[x=x+1;]x\ {\dot {=}}\ 4}$

${\displaystyle \{x:=4\}[]x\ {\dot {=}}\ 4}$

${\displaystyle x}$

Example

Suppose one wants to prove that the following method calculates the product of some non-negative integers ${\displaystyle x}$ and ${\displaystyle y}$.

int foo (int x, int y) {
    int z = 0;
    while (y > 0)
        if (y % 2 == 0) {
            x = x*2;
            y = y/2;
        } else {
            y = y/2;
            z = z+x;
            x = x*2;
        }
    return z;
}

One thus starts the proof with the premise ${\displaystyle x\geq 0\land y\geq 0}$ and the to-be-shown conclusion ${\displaystyle z\ {\dot {=}}\ x\cdot y}$. Note that tableaux of sequent calculi are usually written "upside-down", i.e., the starting sequent appears at the bottom and deduction steps go upwards. The proof can be seen in the figure on the right.

Additional features

Symbolic Execution Debugger

The Symbolic Execution Debugger visualizes the control flow of a program as a symbolic execution tree that contains all feasible execution paths through the program up to a certain point. It is provided as a plugin to the Eclipse development platform.

Test Case Generator

KeY is usable as a

KeYmaera [1] (previously called HyKeY) is a deductive verification tool for hybrid systems based on a calculus for the differential dynamic logic dL [2]. It extends the KeY tool with computer algebra systems like

KeYmaera has been developed at the University of Oldenburg and the Carnegie Mellon University. The name of the tool was chosen as a homophone to Chimera, the hybrid animal from ancient Greek mythology.

KeYmaeraX [3] developed at the Carnegie Mellon University is the successor of KeYmaera. It has been completely rewritten.

KeY for C

KeY for C is an adaption of the KeY System to

ASMKeY

There is also an adaptation to use KeY for the symbolic execution of

References

Sources

• Verification of Object-Oriented Software: The KeY Approach. Bernhard Beckert, Reiner Hähnle, Peter H. Schmitt (Eds.).
  ISBN 978-3-540-68977-5
  .
• Deductive Software Verification – The KeY Book: From Theory to Practice. Wolfgang Ahrendt, Bernhard Beckert, Richard Bubel, Reiner Hähnle, Peter H. Schmitt, Mattias Ulbrich (Eds.).
  ISBN 978-3-319-49812-6
• A comparison of tools for teaching formal software verification. Ingo Feinerer and Gernot Salzer. Springer, 2008
• Programming With Proofs: Language Based Approaches To Totally Correct Software. Aaron Stump. Verified Software: Theories, Tools, and Experiments, 2005.
• High Assurance (for Security or Safety) and Free-Libre / Open Source Software (FLOSS). David Wheeler, 2009

External links

Wikimedia Commons has media related to KeY program verification tool.

• Home page of the KeY project
• KeYmaera home page
• KeYmaeraX home page