Verification of Safety Properties in the Presence of Transactions
Artikel i vetenskaplig tidskrift, 2005
The JavaCard transaction mechanism can ensure that a sequence of statements either is executed to completion or is not executed at all. Transactions make verification of JavaCard programs considerably more difficult, because they cannot be formalised in a logic based on pre- and postconditions. The KeY system includes an interactive theorem prover for JavaCard source code that models the full JavaCard standard including transactions. Based on a case study of realistic size we show the practical difficulties encountered during verification of safety properties. We provide an assessment of current JavaCard source code verification, and we make concrete suggestions towards overcoming the difficulties by design for verification. The main conclusion is that largely automatic verification of realistic JavaCard software is possible provided that it is designed with verification in mind from the start.
interactive theorem proving