| KeY | |
| Developer: | Karlsruhe Institute of Technology, Technische Universität Darmstadt, Chalmers University of Technology |
| Latest Release Version: | 2.10.0 |
| Latest Release Date: | [1] |
| Operating System: | Linux, Mac, Windows, Solaris |
| Language: | English |
| Programming Language: | Java |
| Genre: | Formal verification |
| License: | GPL |
The KeY tool is used in formal verification of Java programs. It accepts specifications written in the Java Modeling Language to Java source files. These are transformed into theorems of dynamic logic and then compared against program semantics that are likewise defined in terms of dynamic logic. KeY is significantly powerful in that it supports both interactive (i.e. by hand) and fully automated correctness proofs. Failed proof attempts can be used for a more efficient debugging or verification-based testing. There have been several extensions to KeY in order to apply it to the verification of C programs or hybrid systems. KeY is jointly developed by Karlsruhe Institute of Technology, Germany; Technische Universität Darmstadt, Germany; and Chalmers University of Technology in Gothenburg, Sweden and is licensed under the GPL.
The usual user input to KeY consists of a Java source file with annotations in JML. Both are translated to KeY's internal representation, dynamic logic. From the given specifications, several proof obligations arise which are to be discharged, i.e. a proof has to be found. To this ends, the program is symbolically executed with the resulting changes to program variables stored in so-called updates. Once the program has been processed completely, there remains a first-order logic proof obligation. At the heart of the KeY system lies a first-order theorem prover based on sequent calculus, which is used to close the proof. Interference rules are captured in so called taclets which consist of an own simple language to describe changes to a sequent.
See main article: Java Card. The theoretical foundation of KeY is a formal logic called Java Card DL. DL stands for Dynamic Logic. It is a version of a first-order dynamic logic tailored to Java Card programs. As such, it for example allows statements (formulas) like
\phi → [\alpha]\psi
\psi
\alpha
\phi
\{\phi\}\alpha\{\psi\}
\phi
\psi
[\alpha]
\langle\alpha\rangle
\alpha
[\alpha]
\langle\alpha\rangle
At the heart of the KeY system lies a first-order theorem prover based on a sequent calculus. A sequent is of the form
\Gamma\vdash\Delta
\Gamma
\Delta
wedge\gamma\in\Gamma\gamma → vee\delta\in\Delta\delta
| e = |
e
During that, program modalities are eliminated by symbolic execution. For instance, the formula
| x = |
0 → [x++;]x
| = |
1
| x = |
0 → x
| = |
0
[\alpha]\psi
wp(\alpha,\psi)
wp
[\alpha]\psi
[x=3;x=x+1;]x
| = |
4
\{x:=3\}[x=x+1;]x
| = |
4
\{x:=4\}[]x
| = |
4
x
Suppose one wants to prove that the following method calculates the product of some non-negative integers
x
y
x\geq0\landy\geq0
| z = |
x ⋅ y
The Symbolic Execution Debugger visualizes the control flow of a program as a symbolic execution tree that contains all feasible execution paths through the program up to a certain point. It is provided as a plugin to the Eclipse development platform.
KeY is usable as a model-based testing tool that can generate unit tests for Java programs. The model from which test data and the test case are derived consists of a formal specification (provided in JML) and a symbolic execution tree of the implementation under test which is computed by the KeY system.
KeY is free software written in Java and licensed under GPL. It can be downloaded from the project website in source; currently there are no pre-compiled binaries available. As another possibility, KeY can be executed directly via Java web start without the need for compilation and installation.
KeY-Hoare is built on top of KeY and features a Hoare calculus with state updates. State updates are a means of describing state transitions in a Kripke structure. This calculus can be seen as a subset to the one that is used in the main branch of KeY. Due to the simplicity of the Hoare calculus, this implementation is essentially meant to exemplify formal methods in undergraduate classes.
KeYmaera http://symbolaris.com/info/KeYmaera.html (previously called HyKeY) is a deductive verification tool for hybrid systems based on a calculus for the differential dynamic logic dL http://symbolaris.com/logic/dL.html.It extends the KeY tool with computer algebra systems like Mathematica and corresponding algorithms and proof strategies such that it can be used for practical verification of hybrid systems.
KeYmaera has been developed at the University of Oldenburg and the Carnegie Mellon University. The name of the tool was chosen as a homophone to Chimera, the hybrid animal from ancient Greek mythology.
KeYmaeraX http://www.ls.cs.cmu.edu/KeYmaeraX/ developed at the Carnegie Mellon University is the successor of KeYmaera. It has been completely rewritten.
KeY for C is an adaption of the KeY System to MISRA C, a subset of the C programming language. This variant is no longer supported.
There is also an adaptation to use KeY for the symbolic execution of Abstract State Machines, that was developed at ETH Zürich. This variant is no longer supported.