Verification of Safety Properties in the Presence of Transactions
Journal article, 2005

The JavaCard transaction mechanism can ensure that a sequence of statements either is executed to completion or is not executed at all. Transactions make verification of JavaCard programs considerably more difficult, because they cannot be formalised in a logic based on pre- and postconditions. The KeY system includes an interactive theorem prover for JavaCard source code that models the full JavaCard standard including transactions. Based on a case study of realistic size we show the practical difficulties encountered during verification of safety properties. We provide an assessment of current JavaCard source code verification, and we make concrete suggestions towards overcoming the difficulties by design for verification. The main conclusion is that largely automatic verification of realistic JavaCard software is possible provided that it is designed with verification in mind from the start.

safety properties


formal specification

formal verification

interactive theorem proving

Java Card


Reiner Hähnle

Chalmers, Computer Science and Engineering (Chalmers), Computing Science (Chalmers)

Wojciech Mostowski

Chalmers, Computer Science and Engineering (Chalmers), Computing Science (Chalmers)

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

03029743 (ISSN) 16113349 (eISSN)

Vol. 3362 151-171

Subject Categories

Computer and Information Science



More information