Deductive Software Verification – The

KeY Book: From Theory to Practice 1st

Edition Wolfgang Ahrendt
Visit to download the full and correct content document:
https://textbookfull.com/product/deductive-software-verification-the-key-book-from-the
ory-to-practice-1st-edition-wolfgang-ahrendt/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Genetic Programming Theory and Practice XV Wolfgang

Banzhaf

https://textbookfull.com/product/genetic-programming-theory-and-
practice-xv-wolfgang-banzhaf/

Iceland from the West to the South Wolfgang Fraedrich

https://textbookfull.com/product/iceland-from-the-west-to-the-
south-wolfgang-fraedrich/

C from Theory to Practice George S. Tselikis

https://textbookfull.com/product/c-from-theory-to-practice-
george-s-tselikis/

Research Methods: From Theory to Practice Ben Gorvine

https://textbookfull.com/product/research-methods-from-theory-to-
practice-ben-gorvine/
Contemporary Feminist Research from Theory to Practice
Patricia Leavy

https://textbookfull.com/product/contemporary-feminist-research-
from-theory-to-practice-patricia-leavy/

Occupational Health Ethics From Theory to Practice

Jacques Tamin

https://textbookfull.com/product/occupational-health-ethics-from-
theory-to-practice-jacques-tamin/

Advanced MR Neuroimaging: From Theory to Clinical

Practice 1st Edition Ioannis Tsougos

https://textbookfull.com/product/advanced-mr-neuroimaging-from-
theory-to-clinical-practice-1st-edition-ioannis-tsougos/

Computing in Communication Networks: From Theory to

Practice 1st Edition Frank Fitzek

https://textbookfull.com/product/computing-in-communication-
networks-from-theory-to-practice-1st-edition-frank-fitzek/

How to Solve Real-world Optimization Problems: From

Theory to Practice 1st Edition Zak

https://textbookfull.com/product/how-to-solve-real-world-
optimization-problems-from-theory-to-practice-1st-edition-zak/
 Wolfgang Ahrendt · Bernhard Beckert
Richard Bubel · Reiner Hähnle
Peter H. Schmitt · Mattias Ulbrich (Eds.)

Deductive
LNCS 10001

Software Verification –
The KeY Book
From Theory to Practice

123
Lecture Notes in Computer Science 10001
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7408
Wolfgang Ahrendt Bernhard Beckert
•

Richard Bubel Reiner Hähnle

•

Peter H. Schmitt Mattias Ulbrich (Eds.)

•

Deductive
Software Verification –
The KeY Book
From Theory to Practice

123
Editors
Wolfgang Ahrendt Reiner Hähnle
Chalmers University of Technology Technische Universität Darmstadt
Gothenburg Darmstadt
Sweden Germany
Bernhard Beckert Peter H. Schmitt
Karlsruher Institut für Technologie (KIT) Karlsruher Institut für Technologie (KIT)
Karlsruhe Karlsruhe
Germany Germany
Richard Bubel Mattias Ulbrich
Technische Universität Darmstadt Karlsruher Institut für Technologie (KIT)
Darmstadt Karlsruhe
Germany Germany

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-319-49811-9 ISBN 978-3-319-49812-6 (eBook)
DOI 10.1007/978-3-319-49812-6

Library of Congress Control Number: 2016957483

LNCS Sublibrary: SL2 – Programming and Software Engineering

© Springer International Publishing AG 2016

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made.

Printed on acid-free paper

This Springer imprint is published by Springer Nature

The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Authors’ Affiliations

Wolfgang Ahrendt (Chalmers University of Technology, Gothenburg, Sweden,

email: ahrendt@chalmers.se)

Bernhard Beckert (Karlsruher Institut für Technologie (KIT), Germany,

email: beckert@kit.edu)

Richard Bubel (Technische Universität Darmstadt, Germany,

email: bubel@cs.tu-darmstadt.de)

Frank S. de Boer (Centrum voor Wiskunde en Informatica, Amsterdam,

The Netherlands, email: f.s.de.boer@cwi.nl)

Stijn de Gouw (Open University, Heerlen, The Netherlands,

email: stijn.degouw@ou.nl)

Christoph Gladisch (Karlsruher Institut für Technologie (KIT), Germany,

email: gladisch@ira.uka.de)

Daniel Grahl (Karlsruher Institut für Technologie (KIT), Germany,

email: daniel.grahl@alumni.kit.edu)

Sarah Grebing (Karlsruher Institut für Technologie (KIT), Germany,

email: grebing@ira.uka.de)

Simon Greiner (Karlsruher Institut für Technologie (KIT), Germany,

email: simon.greiner@kit.edu)

Reiner Hähnle (Technische Universität Darmstadt, Germany,

email: haehnle@cs.tu-darmstadt.de)

Martin Hentschel (Technische Universität Darmstadt, Germany,

email: hentschel@cs.tu-darmstadt.de)

Mihai Herda (Karlsruher Institut für Technologie (KIT), Germany,

email: herda@kit.edu)

Marieke Huisman (University of Twente, The Netherlands,

email: m.huisman@utwente.nl)

Ran Ji (Technische Universität Darmstadt, Germany,

email: rj82cnus@cs.cmu.edu)
VI Authors’ Affiliations

Vladimir Klebanov (Karlsruher Institut für Technologie (KIT), Germany,

email: klebanov@kit.edu)

Wojciech Mostowski (Halmstad University, Sweden,

email: wojciech.mostowski@hh.se)

Jurriaan Rot (Radboud University, Nijmegen, The Netherlands,

email: jrot@cs.ru.nl)

Philipp Rümmer (Uppsala University, Sweden,

email: philipp.ruemmer@it.uu.se)

Christoph Scheben (Karlsruher Institut für Technologie (KIT), Germany,

email: scheben@ira.uka.de)

Peter H. Schmitt (Karlsruher Institut für Technologie (KIT), Germany,

email: pschmitt@ira.uka.de)

Mattias Ulbrich (Karlsruher Institut für Technologie (KIT), Germany,

email: ulbrich@kit.edu)

Nathan Wasser (Technische Universität Darmstadt, Germany,

email: nate@sharpmind.de)

Benjamin Weiß (Karlsruher Institut für Technologie (KIT), Germany,

email: benjamin.weiss@alumni.uni-karlsruhe.de)
Foreword

Program verification has a long and distinguished history in computer science. As early
as 1949, Alan Turing, in a technical report titled On Checking a Large Routine, raised
the question of how to verify computer programs. Ever since that time, this problem
has been investigated by several researchers. Some of them earned the ACM Turing
Award for their work on the subject.
With this concerted effort of several scientists in mind, one would think that the
“problem” of software correctness has been “solved” by now, whatever the qualifi-
cation “solved” is supposed to mean. Nothing is further from the truth.
In books on algorithms, for example, those covering the standard material on
algorithms on data structures, the correctness of the presented algorithms is ignored or
glossed over. At best a justification of the selected algorithms is given by presenting a
mathematical argument without a rigorous explanation of why this argument can be
applied to the program in question. The point is that a program is just a piece of text,
while the presented mathematical argument refers to the program execution. The rea-
soning then tacitly presupposes an implementation that conforms to the informal
description of the program meaning given in English. This subtle gap in reasoning is
especially acute if one deals with recursive programs or programs involving dynamic
data structures.
An alternative is to rely on a large body of literature on program verification and use
one of the formal systems developed to provide rigorous correctness proofs using
axioms and proof rules. Unfortunately, formal correctness proofs are very tedious and
hence error prone. This raises a natural question: If we do not trust the correctness of a
program, why should we trust its correctness proof?
A possible answer lies in relying on mechanized verification that provides a pro-
gramming environment allowing us to check the correctness proof of a program in the
sense that each step of the proof is mechanically verified. Such a programming envi-
ronment, when properly built, allows us to treat the underlying proof system as a
parameter, just as the program that is to be verified.
Mechanized verification has a distinguished history as well, and this is not the place
to trace it. It suffices to say that the KeY project, the subject of this book, is possibly the
most ambitious endeavor in this area. It started in 1998 and gradually evolved into,
what the authors call, the KeY framework.
This framework goes beyond mechanized verification by also providing a means of
program specification, a test case generation, a teaching tool for a number of courses on
software engineering, and a debugging tool. The current book is a substantial revision
and extension of the previous edition that takes into account this evolution of the KeY
system. It systematically explains several facets of the KeY framework, starting with
the theoretical underpinning and ending with a presentation of nontrivial case studies.
VIII Foreword

I would like to congratulate the authors not only for the outcome but also for their
persistence and their vision. The current scientific climate aiming at maximizing your
number of publications and your H-index does not bode well with long-term projects.
It is refreshing to see that not everybody has yielded to it.

October 2016 Krzysztof R. Apt

Preface

Wer hat an der Uhr gedreht? Ist es wirklich schon so spät?—Every child growing up
in the 1970s in Germany (like the author of this text) is familiar with these lines. They
are from a theme song played during the closing credits of the German version of the
Pink Panther Show. The ditty conveys the utter bafflement (“Who advanced the
clock?”) of the listener about 30 minutes of entertainment having passed in what
seemed to be mere seconds. And it is exactly this feeling that we editors have now:
What? Ten years since the first book about KeY [Beckert et al., 2007] was published?
Impossible! But of course it is possible, and there are good reasons for a new book
about KeY, this time simply called The KeY Book.

What Is New in The KeY Book?

In short: almost everything! This is not merely an overhaul of the previous book, but a
completely different volume: only eight of 15 chapters from the previous edition are
still around with a roughly similar function, while there are 11 completely new
chapters. But even most of the chapters retained were rewritten from scratch. Only
three chapters more or less kept their old structure. What happened?
First of all, there were some major technical developments in the KeY system that
required coverage as well as changes in the theoretical foundations:
• With KeY 2.x we moved from a memory model with an implicit heap to one with
explicit heaps, i.e., heaps have a type in our logic, can be quantified over, etc. As a
consequence, it was possible to:
• Implement better support for reasoning about programs with heaps [Weiß, 2011,
Schmitt et al., 2010], essentially with a variant of dynamic frames [Kassios, 2011].
• We dropped support for specification with the Object Constraint Language
(OCL) and drastically improved support for the Java Modeling Language
(JML) [Leavens et al., 2013].
• Rules and automation heuristics for a number of logical theories were added,
including finite sequences, strings [Bubel et al., 2011], and bitvectors.
• Abstract interpretation was tightly integrated with logic-based symbolic execution
[Bubel et al., 2009].
In addition, the functionality of the KeY was considerably extended. This concerns
not merely the kind of analyses that are possible, but also usability.
• Functional verification is now only one of many analyses that can be performed
with the KeY system. In addition, there is support for debugging and visualization
[Hentschel et al., 2014a,b], test case generation [Engel and Hähnle, 2007, Gladisch,
2008], information flow analysis [Darvas et al., 2005, Grahl, 2015, Do et al., 2016],
program transformation [Ji et al., 2013], and compilation [Ji, 2014].
X Preface

• There are IDEs for KeY, including an Eclipse extension, that make it easy to keep
track of proof obligations in larger projects [Hentschel et al., 2014c].
• A stripped down version of KeY, specifically developed for classroom exercises
with Hoare logic, was provided [Hähnle and Bubel, 2008].
Finally, the increased maturity and coverage of the KeY system permitted us to
include much more substantial case studies than in the first edition.
Inevitably, some of the research strands documented in the first edition did not reach
the maturity or importance we hoped for and, therefore, were dropped. This is the case
for specification patterns, specification in natural language, induction, and proof reuse.
There is also no longer a dedicated chapter about Java integers: The relevant material is
now, in much condensed form, part of the ‘chapters on “First-Order Logic” and
“Theories.”’
A number of topics that are actively researched have not yet reached sufficient
maturity to be included: merging nodes in symbolic execution proof trees, KeY for Java
bytecode, certification, runtime verification, regression verification, to name just a few.
Also left out is a variant of the KeY system for the concurrent modeling language ABS
called KeY-ABS, which allows one to prove complex properties about unbounded
programs and data structures. We are excited about all these developments, but we feel
that they have not yet reached the maturity to be documented in the KeY book. We refer
the interested reader to the research articles available from the KeY website at www.
key-project.org.
Also not covered in this book is KeYmaera, a formal verification tool for hybrid,
cyber-physical systems developed in André Platzer’s research group at CMU and that
has KeY as an ancestor. It deserves a book in its own right, which in fact has been
written [Platzer, 2010].

The Concept Behind This Book

Most books on foundations of formal specification and verification orient their pre-
sentation along traditional lines in logic. This results in a gap between the foundations
of verification and its application that is too wide for most readers. The main pre-
sentation principles of the KeY book is something that has not been changed between
the first book about KeY and this volume:
• The material is presented on an advanced level suitable for graduate (MSc level)
courses, and, of course, active researchers with an interest in verification.
• The dependency graph on the chapters in the book is not deep, such that the reader
does not have to read many chapters before the one (s)he is most interested in.
Moreover, the dependencies are not all too strong. More advanced readers may not
have to strictly follow the graph, and less advanced readers may decide to follow up
prerequisites on demand. The graph shows that the chapters on First-Order Logic,
the Java Modeling Language, and Using the KeY Prover are entirely self-contained.
The same holds for each chapter not appearing in the following graph.
Preface XI

02 FOL

03 DL 07 JML
04 Taclets 18 Voting

06 Abstr. Int. 19 Sorting

10 Java Card 08 Proof Obl. 13 Inf. Flow

12 Test Gen. 09 Modularity 15 Using KeY

14 Compilation 16 Tutorial

• The underlying verification paradigm is deductive verification in an expressive

program logic.
• As a rule, the proofs of theoretical results are not contained here, but we give
pointers on where to find them.
• The logic used for reasoning about programs is not a minimalist version suitable for
theoretical investigations, but an industrial-strength version. The first-order part is
equipped with a type system for modeling of object hierarchies, with underspeci-
fication, and with various built-in theories. The program logic covers full Java Card
and substantial parts of Java. The main omissions are: generics (a transformation
tool is available), floating-point types, threads, lambda expressions.
• Much emphasis is on specification, including the widely used JML. The generation
of proof obligations from annotated source code is discussed at length.
• Two substantial case studies are included and presented in detail.
Nevertheless, we cannot and do not claim to have fully covered formal reasoning
about (object-oriented) software in this book. One reason is that the choice of topics is
dependent on our research agenda. As a consequence, important topics in formal
verification, such as specification refinement or model checking, are out of our scope.

Typographic Conventions

We use a number of typesetting conventions to give the text a clearer structure.

Occasionally, we felt that a historical remark, a digression, or a reference to material
outside the scope of this book is required. In order to not interrupt the text flow we use
gray boxes, such as the one on page 40, whenever this is the case.
In this book a considerable number of specification and programming languages are
referred to and used for illustration. To avoid confusion we usually typeset multiline
expressions from concrete languages in a special environment that is set apart from the
XII Preface

main text with horizontal lines and that specifies the source language as, for example,
on page 14.
Expressions from concrete languages are written in typewriter font with keywords
highlighted in boldface, the exception being UML class and feature names. These are
set in sans serif, unless class names correspond to Java types. Mathematical meta
symbols are set in math font and the rule names of logical calculi in sans serif.

Companion Website

This book has its own website at www.key-project.org/thebook2, where additional

material is provided: most importantly, the version of the KeY tool that was used to run
all the examples in the book (except for Chaps. 10,19) including all source files, for
example, programs and specifications (unless excluded for copyright reasons), various
teaching materials such as slides and exercises, and the electronic versions of papers on
KeY.

Acknowledgments We are very grateful to all researchers and students who con-
tributed with their time and expertise to the KeY project. We would like to acknowl-
edge in particular the editorial help of Dr. Daniel Grahl and Dr. Vladimir Klebanov
during the production of this book.
Many current and former KeY project members made valuable contributions to the
KeY project, even though they are not directly involved as chapter authors: Prof.
Thomas Baar (HTW Berlin), Dr. Thorsten Bormer, Dr. Ádám Darvas, Dr. Crystal Din,
Huy Qouc Do, Dr. Christian Engel, Dr. Tobias Gedell, Dr. Elmar Habermalz, Dr.
Kristofer Johannisson, Michael Kirsten, Daniel Larsson, Prof. Wolfram Menzel (KIT;
emeritus, co-founder of the KeY project), Gabriele Paganelli, Prof. Aarne Ranta
(Gothenburg University), Dr. Andreas Roth, Prof. Ina Schaefer (TU Braunschweig),
Dominic Scheurer, Prof. Steffen Schlager (HS Offenburg), Prof. Shmuel Tyszberowicz
(The Academic College Tel Aviv-Yaffo), Dr. Bart van Delft, Dr. Isabel Tonin, Angela
Wallenburg, and Dr. Dennis Walter.
Besides the current and former project members and the chapter authors of this
book, many students helped with implementing the KeY system, to whom we extend
our sincere thanks: Gustav Andersson, Dr. Marcus Baum, Hans-Joachim Daniels,
Marco Drebing, Marius Hillenbrand, Eduard Kamburjan, Stefan Käsdorf, Dr. Bastian
Katz, Uwe Keller, Stephan Könn, Achim Kuwertz, Denis Lohner, Moritz von Looz,
Martin Möller, Dr. Ola Olsson, Jing Pan, Sonja Pieper, Prof. André Platzer (CMU
Pittsburgh), Friedemann Rößler, Bettina Sasse, Dr. Ralf Sasse, Prof. Gabi Schmithüsen
(Universität des Saarlandes), Max Schröder, Muhammad Ali Shah, Alex Sinner,
Hubert Schmid, Holger Stenger, Kai Wallisch, Claus Wonnemann, and Zhan
Zengrong.
The authors acknowledge support by the Deutsche Forschungsgemeinschaft
(DFG) under projects “Program-level Specification and Deductive Verification of
Security Properties” (DeduSec) and “ Fully Automatic Logic-Based Information Flow”
within Priority Programme 1496 “Reliably Secure Software Systems – RS3” and under
Preface XIII

project “Deductive Regression Verification for Evolving Object-Oriented Software”

within Priority Programme 1593 “Design for Future: Managed Software Evolution,” as
well as support by the German Federal Ministry of Education and Research (Bun-
desministerium für Bildung und Forschung, BMBF) for project “Formale Informa-
tionsflussspezifikation und -analyse in komponentenbasierten Systemen” as part of
Software Campus. We also acknowledge support by the European Commission
(EC) under FP7 Integrated Project “Highly Adaptable & Trustworthy Software using
Formal Methods” and STREP “Engineering Virtualized Services.”

The authors have done their job. The success of the result of their toil will now be
judged by the readers. We hope they will find the text easily accessible, illuminating,
stimulating and, yes, fun to read. What can be more fun than gaining insight into what
was nebulous before or solving a problem at hand that defied a solution so far? We will
not fail to admit that besides all the labor, writing this book was fun. Putting in words
often helped us reach a better understanding of what we were writing about. Thus, it is
not easy to say who profits more, the authors in writing the book or the readers from
reading it. In the end this may be irrelevant, authors and readers together constitute the
scientific community and together they advance the state of the art. It would be the
greatest reward for us to see this happening and perhaps after another ten years, or even
earlier, a return of the pink panther.

August 2016 Wolfgang Ahrendt

Bernhard Beckert
Richard Bubel
Reiner Hähnle
Peter H. Schmitt
Mattias Ulbrich
Contents

List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXV

List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXIX

List of Listings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXXI

1 Quo Vadis Formal Verification? . . . . . . . . . . . . . . . . . . . . 1

1.1 What KeY Is . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Challenges To Formal Verification . . . . . . . . . . . . . . . . 2
1.3 Roles of Deductive Verification . . . . . . . . . . . . . . . . . 4
1.3.1 Avoid the Need for Formal Specification . . . . . . . . 4
1.3.2 Restricted Target Language . . . . . . . . . . . . . . . 5
1.3.3 Formal Verification in Teaching . . . . . . . . . . . . . 6
1.3.4 Avoid the Need for Fully Specified Formal Semantics . 8
1.3.5 Where Are We Now? . . . . . . . . . . . . . . . . . . 8
1.4 The Architecture of KeY . . . . . . . . . . . . . . . . . . . . . 10
1.4.1 Prover Core . . . . . . . . . . . . . . . . . . . . . . . 10
1.4.2 Reasoning About Programs . . . . . . . . . . . . . . . 12
1.4.3 Proof Obligations . . . . . . . . . . . . . . . . . . . . 14
1.4.4 The Frontends . . . . . . . . . . . . . . . . . . . . . . 15
1.5 The Next Ten Years . . . . . . . . . . . . . . . . . . . . . . . 16
1.5.1 Modular Architecture . . . . . . . . . . . . . . . . . . 16
1.5.2 Relational Properties Are Everywhere . . . . . . . . . 17
1.5.3 Learning from Others . . . . . . . . . . . . . . . . . . 18
1.5.4 Code Reviews . . . . . . . . . . . . . . . . . . . . . . 18
1.5.5 Integration . . . . . . . . . . . . . . . . . . . . . . . . 18
XVI Contents

Part I Foundations
2 First-Order Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2 Basic First-Order Logic . . . . . . . . . . . . . . . . . . . . . 23
2.2.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2.2 Calculus . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.2.3 Semantics . . . . . . . . . . . . . . . . . . . . . . . . 31
2.3 Extended First-Order Logic . . . . . . . . . . . . . . . . . . . 35
2.3.1 Variable Binders . . . . . . . . . . . . . . . . . . . . . 36
2.3.2 Undefinedness . . . . . . . . . . . . . . . . . . . . . . 37
2.4 First-Order Logic for Java . . . . . . . . . . . . . . . . . . . . 37
2.4.1 Type Hierarchy and Signature . . . . . . . . . . . . . . 38
2.4.2 Axioms for Integers . . . . . . . . . . . . . . . . . . . 39
2.4.3 Axioms for Heap . . . . . . . . . . . . . . . . . . . . 40
2.4.4 Axioms for Location Sets . . . . . . . . . . . . . . . . 43
2.4.5 Semantics . . . . . . . . . . . . . . . . . . . . . . . . 44
3 Dynamic Logic for Java . . . . . . . . . . . . . . . . . . . . . . . . 49
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.2 Syntax of JavaDL . . . . . . . . . . . . . . . . . . . . . . . . 50
3.2.1 Type Hierarchies . . . . . . . . . . . . . . . . . . . . . 51
3.2.2 Signatures . . . . . . . . . . . . . . . . . . . . . . . . 51
3.2.3 Syntax of JavaDL Program Fragments . . . . . . . . . 52
3.2.4 Syntax of JavaDL Terms and Formulas . . . . . . . . . 54
3.3 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.3.1 Kripke Structures . . . . . . . . . . . . . . . . . . . . 55
3.3.2 Semantics of JavaDL Terms and Formulas . . . . . . . 56
3.4 Describing Transitions between States: Updates . . . . . . . . 57
3.4.1 Syntax and Semantics of JavaDL Updates . . . . . . . 57
3.4.2 Update Simplification Rules . . . . . . . . . . . . . . . 59
3.5 The Calculus for JavaDL . . . . . . . . . . . . . . . . . . . . . 60
3.5.1 JavaDL Rule Schemata and First-Order Rules . . . . . 60
3.5.2 Nonprogram Rules for Modalities . . . . . . . . . . . . 63
3.5.3 Soundness and Completeness of the Calculus . . . . . 63
3.5.4 Schema Variables for Program Constructs . . . . . . . 66
3.5.5 The Active Statement in a Modality . . . . . . . . . . . 67
3.5.6 The Essence of Symbolic Execution . . . . . . . . . . 67
3.5.7 Components of the Calculus . . . . . . . . . . . . . . 68
3.6 Rules for Symbolic Execution of Java Programs . . . . . . . . 69
3.6.1 The Basic Assignment Rule . . . . . . . . . . . . . . . 69
3.6.2 Rules for Handling General Assignments . . . . . . . . 70
3.6.3 Rules for Conditionals . . . . . . . . . . . . . . . . . . 75
3.6.4 Unwinding Loops . . . . . . . . . . . . . . . . . . . . 76
3.6.5 Replacing Method Calls by their Implementation . . . 77
3.6.6 Instance Creation and Initialization . . . . . . . . . . . 87
3.6.7 Handling Abrupt Termination . . . . . . . . . . . . . . 93
Contents XVII

3.7 Abstraction and Modularization Rules . . . . . . . . . . . . . 97

3.7.1 Replacing Method Calls by Specifications: Contracts . 98
3.7.2 Reasoning about Unbounded Loops: Loop Invariants . 101
4 Proof Search with Taclets . . . . . . . . . . . . . . . . . . . . . . . 107
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
4.1.1 Purpose and Organization of this Chapter . . . . . . . . 108
4.2 A Taclet Tutorial . . . . . . . . . . . . . . . . . . . . . . . . . 109
4.2.1 A Basic Theory of Lists . . . . . . . . . . . . . . . . . 109
4.2.2 The List Theory in Concrete Syntax . . . . . . . . . . 111
4.2.3 Definitional Extension of the List Theory . . . . . . . . 114
4.2.4 Derivation of Lemmas . . . . . . . . . . . . . . . . . . 117
4.3 A Reference Manual of Taclets . . . . . . . . . . . . . . . . . 121
4.3.1 The Taclet Language . . . . . . . . . . . . . . . . . . 121
4.3.2 Schema Variables . . . . . . . . . . . . . . . . . . . . 130
4.3.3 Application of Taclets . . . . . . . . . . . . . . . . . . 136
4.4 Reflection and Reasoning about Soundness of Taclets . . . . . 138
4.4.1 Soundness in Sequent Calculi . . . . . . . . . . . . . . 139
4.4.2 Meaning Formulas of Sequent Taclets . . . . . . . . . 140
4.4.3 Meaning Formulas for Rewriting Taclets . . . . . . . . 142
4.4.4 Elimination of Schema Variables . . . . . . . . . . . . 143
5 Theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
5.2 Finite Sequences . . . . . . . . . . . . . . . . . . . . . . . . . 149
5.3 Strings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
5.3.1 Sequences of Characters . . . . . . . . . . . . . . . . . 156
5.3.2 Regular Expressions for Sequences . . . . . . . . . . . 158
5.3.3 Relating Java String Objects to Sequences of Characters 159
5.3.4 String Literals and the String Pool . . . . . . . . . . . 160
5.3.5 Specification of the Java String API . . . . . . . . . . . 161
5.4 Integers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
5.4.1 Core Integer Theory . . . . . . . . . . . . . . . . . . . 162
5.4.2 Variable Binding Integer Operations . . . . . . . . . . 163
5.4.3 Symbolic Execution of Integer Expressions in Programs 164
6 Abstract Interpretation . . . . . . . . . . . . . . . . . . . . . . . . 167
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
6.2 Integrating Abstract Interpretation . . . . . . . . . . . . . . . . 168
6.2.1 Abstract Domains . . . . . . . . . . . . . . . . . . . . 168
6.2.2 Abstractions for Integers . . . . . . . . . . . . . . . . 170
6.2.3 Abstracting States . . . . . . . . . . . . . . . . . . . . 170
6.3 Loop Invariant Generation . . . . . . . . . . . . . . . . . . . . 171
6.4 Abstract Domains for Heaps . . . . . . . . . . . . . . . . . . . 174
6.5 Abstract Domains for Objects . . . . . . . . . . . . . . . . . . 178
6.5.1 Null/Not-null Abstract Domain . . . . . . . . . . . . . 179
XVIII Contents

6.5.2 Length Abstract Domain . . . . . . . . . . . . . . . . 179

6.6 Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
6.6.1 Abstractions for Arrays . . . . . . . . . . . . . . . . . 184
6.6.2 Loop Invariant Rule with Value and Array Abstraction . 184
6.6.3 Computation of the Abstract Update and Invariants . . 186
6.6.4 Symbolic Pivots . . . . . . . . . . . . . . . . . . . . . 187
6.7 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Part II Specification and Verification

7 Formal Specification with the Java Modeling Language . . . . . . 193
7.1 Introduction to Method Contracts . . . . . . . . . . . . . . . . 196
7.1.1 Clauses of a Contract . . . . . . . . . . . . . . . . . . 196
7.1.2 Defensive Versus Offensive Method Implementations . 199
7.1.3 Specifications and Implementations . . . . . . . . . . . 200
7.2 Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
7.2.1 Quantified Boolean Expressions . . . . . . . . . . . . 201
7.2.2 Numerical Comprehensions . . . . . . . . . . . . . . . 203
7.2.3 Evaluation in the Prestate . . . . . . . . . . . . . . . . 204
7.3 Method Contracts in Detail . . . . . . . . . . . . . . . . . . . 205
7.3.1 Visibility of Specifications . . . . . . . . . . . . . . . 205
7.3.2 Specification Cases . . . . . . . . . . . . . . . . . . . 206
7.3.3 Semantics of Normal Behavior Specification Cases . . 208
7.3.4 Specifications for Constructors . . . . . . . . . . . . . 209
7.3.5 Notions of Purity . . . . . . . . . . . . . . . . . . . . 209
7.4 Class Level Specifications . . . . . . . . . . . . . . . . . . . . 210
7.4.1 Invariants . . . . . . . . . . . . . . . . . . . . . . . . 211
7.4.2 Initially Clauses . . . . . . . . . . . . . . . . . . . . . 216
7.4.3 History Constraints . . . . . . . . . . . . . . . . . . . 217
7.4.4 Initially Clauses and History Constraints: Static
vs. Instance . . . . . . . . . . . . . . . . . . . . . . . 218
7.4.5 Inheritance of Specifications . . . . . . . . . . . . . . 218
7.5 Nonnull Versus Nullable Object References . . . . . . . . . . . 220
7.6 Exceptional Behavior . . . . . . . . . . . . . . . . . . . . . . 222
7.7 Specification-Only Class Members . . . . . . . . . . . . . . . 225
7.7.1 Model Fields and Model Methods . . . . . . . . . . . 225
7.7.2 Ghost Variables . . . . . . . . . . . . . . . . . . . . . 229
7.7.3 Ghost Variables Versus Model Fields . . . . . . . . . . 229
7.8 Integer Semantics . . . . . . . . . . . . . . . . . . . . . . . . 230
7.9 Auxiliary Specification for Verification . . . . . . . . . . . . . 233
7.9.1 Framing . . . . . . . . . . . . . . . . . . . . . . . . . 233
7.9.2 Loop Invariants . . . . . . . . . . . . . . . . . . . . . 234
7.9.3 Assertions and Block Contracts . . . . . . . . . . . . . 238
Contents XIX

7.10 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

7.10.1 Tool Support for JML . . . . . . . . . . . . . . . . . . 239
7.10.2 Comparison to Other Program Annotation Languages . 240
8 From Specification to Proof Obligations . . . . . . . . . . . . . . . 243
8.1 Formal Semantics of JML Expressions . . . . . . . . . . . . . 244
8.1.1 Types in JML . . . . . . . . . . . . . . . . . . . . . . 245
8.1.2 Translating JML Expressions to JavaDL . . . . . . . . 246
8.1.3 Abstract Data Types in JML . . . . . . . . . . . . . . . 252
8.1.4 Well-Definedness of Expressions . . . . . . . . . . . . 253
8.2 From JML Contract Annotations to JavaDL Contracts . . . . . 254
8.2.1 Normalizing JML Contracts . . . . . . . . . . . . . . . 255
8.2.2 Constructor Contracts . . . . . . . . . . . . . . . . . . 264
8.2.3 Model Methods and Model Fields . . . . . . . . . . . 265
8.2.4 JavaDL Contracts . . . . . . . . . . . . . . . . . . . . 268
8.2.5 Loop Specifications . . . . . . . . . . . . . . . . . . . 271
8.3 Proof Obligations for JavaDL Contracts . . . . . . . . . . . . . 272
8.3.1 Proof Obligations for Functional Correctness . . . . . . 272
8.3.2 Dependency Proof Obligations . . . . . . . . . . . . . 278
8.3.3 Well-Definedness Proof Obligations . . . . . . . . . . 279

9 Modular Specification and Verification . . . . . . . . . . . . . . . . 289

9.1 Modular Verification with Contracts . . . . . . . . . . . . . . . 291
9.1.1 Historical and Conceptual Background . . . . . . . . . 291
9.1.2 Example: Implementing a List . . . . . . . . . . . . . 294
9.1.3 Modular Program Correctness . . . . . . . . . . . . . 296
9.1.4 Verification of Recursive Methods . . . . . . . . . . . 298
9.2 Abstract Specification . . . . . . . . . . . . . . . . . . . . . . 300
9.2.1 Model Fields . . . . . . . . . . . . . . . . . . . . . . . 302
9.2.2 Model Methods . . . . . . . . . . . . . . . . . . . . . 311
9.3 The Frame Problem . . . . . . . . . . . . . . . . . . . . . . . 319
9.3.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . 320
9.3.2 Dynamic Frames . . . . . . . . . . . . . . . . . . . . 322
9.3.3 Proof Obligations for Dynamic Frames Specifications . 324
9.3.4 Example Specification with Dynamic Frames . . . . . 325
9.4 Calculus Rules for Modular Reasoning . . . . . . . . . . . . . 328
9.4.1 Anonymizing Updates . . . . . . . . . . . . . . . . . . 329
9.4.2 An Improved Loop Invariant Rule . . . . . . . . . . . 330
9.4.3 A Rule for Method Contracts . . . . . . . . . . . . . . 336
9.4.4 A Rule for Dependency Contracts . . . . . . . . . . . . 339
9.4.5 Rules for Class Invariants . . . . . . . . . . . . . . . . 341
9.5 Verifying the List Example . . . . . . . . . . . . . . . . . . . 343
9.6 Related Methodologies for Modular Verification . . . . . . . . 347
9.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
XX Contents

10 Verifying Java Card Programs . . . . . . . . . . . . . . . . . . . . 353

10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
10.2 Java Card Technology . . . . . . . . . . . . . . . . . . . . . . 354
10.3 Java Card Transactions on Explicit Heaps . . . . . . . . . . . . 357
10.3.1 Basic Transaction Roll-Back . . . . . . . . . . . . . . 358
10.3.2 Transaction Marking and Balancing . . . . . . . . . . 359
10.3.3 Object Creation and Deletion . . . . . . . . . . . . . . 360
10.3.4 Persistent and Transient Arrays . . . . . . . . . . . . . 361
10.3.5 Nonatomic Updates . . . . . . . . . . . . . . . . . . . 363
10.4 Taclets for the New Rules . . . . . . . . . . . . . . . . . . . . 364
10.5 Modular Reasoning with Multiple Heaps . . . . . . . . . . . . 367
10.6 Java Card Verification Samples . . . . . . . . . . . . . . . . . 368
10.6.1 Conditional Balance Updating . . . . . . . . . . . . . 369
10.6.2 Reference Implementation of a Library Method . . . . 370
10.6.3 Transaction Resistant PIN Try Counter . . . . . . . . . 374
10.7 Summary and Discussion . . . . . . . . . . . . . . . . . . . . 376
10.7.1 Related Work . . . . . . . . . . . . . . . . . . . . . . 377
10.7.2 On-going and Future Research . . . . . . . . . . . . . 377
10.7.3 Multiple Heaps for Concurrent Reasoning . . . . . . . 377

Part III From Verification to Analysis

11 Debugging and Visualization . . . . . . . . . . . . . . . . . . . . . 383
11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
11.2 Symbolic Execution . . . . . . . . . . . . . . . . . . . . . . . 385
11.3 Symbolic Execution Debugger . . . . . . . . . . . . . . . . . . 390
11.3.1 Installation . . . . . . . . . . . . . . . . . . . . . . . . 390
11.3.2 Basic Usage . . . . . . . . . . . . . . . . . . . . . . . 391
11.3.3 Debugging with Symbolic Execution Trees . . . . . . . 395
11.3.4 Debugging with Memory Layouts . . . . . . . . . . . 397
11.3.5 Help Program and Specification Understanding . . . . 398
11.3.6 Debugging Meets Verification . . . . . . . . . . . . . . 399
11.3.7 Architecture . . . . . . . . . . . . . . . . . . . . . . . 401
11.4 A Symbolic Execution Engine based on KeY . . . . . . . . . . 403
11.4.1 Symbolic Execution Tree Generation . . . . . . . . . . 403
11.4.2 Branch and Path Conditions . . . . . . . . . . . . . . . 407
11.4.3 Hiding the Execution of Query Methods . . . . . . . . 408
11.4.4 Symbolic Call Stack . . . . . . . . . . . . . . . . . . . 409
11.4.5 Method Return Values . . . . . . . . . . . . . . . . . . 409
11.4.6 Current State . . . . . . . . . . . . . . . . . . . . . . . 410
11.4.7 Controlled Execution . . . . . . . . . . . . . . . . . . 411
11.4.8 Memory Layouts . . . . . . . . . . . . . . . . . . . . 411
11.5 Conclusion And Future Work . . . . . . . . . . . . . . . . . . 412
Contents XXI

12 Proof-based Test Case Generation . . . . . . . . . . . . . . . . . . 415

12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
12.2 A Quick Tutorial . . . . . . . . . . . . . . . . . . . . . . . . . 416
12.2.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
12.2.2 Usage . . . . . . . . . . . . . . . . . . . . . . . . . . 417
12.2.3 Options and Settings . . . . . . . . . . . . . . . . . . . 419
12.3 Test Cases, Test Suites, and Test Criteria . . . . . . . . . . . . 421
12.4 Application Scenarios and Variations of the Test Generator . . 426
12.4.1 KeYTestGen for Test Case Generation . . . . . . . . . 426
12.4.2 KeYTestGen for Formal Verification . . . . . . . . . . 427
12.5 Architecture of KeYTestGen . . . . . . . . . . . . . . . . . . . 428
12.6 Proof-based Constraint Construction for Test Input Data . . . . 430
12.6.1 Symbolic Execution for Test Constraint Generation . . 430
12.6.2 Implicit Case Distinctions . . . . . . . . . . . . . . . . 431
12.6.3 Infeasible Path Filtering . . . . . . . . . . . . . . . . . 432
12.6.4 Using Loop Unwinding and Method Inlining . . . . . . 433
12.6.5 Using Loop Invariants and Method Contracts . . . . . . 434
12.7 From Constraints to Test Input Data . . . . . . . . . . . . . . . 437
12.7.1 The Type System . . . . . . . . . . . . . . . . . . . . 439
12.7.2 Preserving the Semantics of Interpreted Functions . . . 440
12.7.3 Preventing Integer Overflows . . . . . . . . . . . . . . 441
12.7.4 Model Extraction . . . . . . . . . . . . . . . . . . . . 442
12.8 Specification-based Test Oracle Generation . . . . . . . . . . . 442
12.8.1 Generating a Test Oracle from the Postcondition . . . . 442
12.8.2 Using a Runtime Assertion Checker . . . . . . . . . . 445
12.9 Synthesizing Executable Test Cases . . . . . . . . . . . . . . . 445
12.10 Perspectives and Related Work . . . . . . . . . . . . . . . . . 448
12.11 Summary and Conclusion . . . . . . . . . . . . . . . . . . . . 450
13 Information Flow Analysis . . . . . . . . . . . . . . . . . . . . . . 453
13.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
13.2 Specification and the Attacker Model . . . . . . . . . . . . . . 455
13.3 Formal Definition of Secure Information Flow . . . . . . . . . 457
13.4 Specifying Information Flow in JML . . . . . . . . . . . . . . 458
13.5 Information Flow Verification with KeY . . . . . . . . . . . . . 460
13.5.1 Efficient Double Symbolic Execution . . . . . . . . . . 461
13.5.2 Using Efficient Double Symbolic Execution in KeY . . 469
13.6 Summary and Conclusion . . . . . . . . . . . . . . . . . . . . 470
14 Program Transformation and Compilation . . . . . . . . . . . . . 473
14.1 Interleaving Symbolic Execution and Partial Evaluation . . . . 474
14.1.1 General Idea . . . . . . . . . . . . . . . . . . . . . . . 474
14.1.2 The Program Specialization Operator . . . . . . . . . . 478
14.1.3 Specific Specialization Actions . . . . . . . . . . . . . 479
14.1.4 Example . . . . . . . . . . . . . . . . . . . . . . . . . 481
14.2 Verified Correct Compilation . . . . . . . . . . . . . . . . . . 482
XXII Contents

14.3 Implementation and Evaluation . . . . . . . . . . . . . . . . . 491

14.4 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492

Part IV The KeY System in Action

15 Using the KeY Prover . . . . . . . . . . . . . . . . . . . . . . . . . 495
15.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
15.2 Exploring KeY Artifacts and Prover Simultaneously . . . . . . 498
15.2.1 Exploring Basic Notions And Usage . . . . . . . . . . 499
15.2.2 Exploring Terms, Quantification, and Instantiation . . . 511
15.2.3 Exploring Programs in Formulas . . . . . . . . . . . . 515
15.3 Understanding Proof Situations . . . . . . . . . . . . . . . . . 532
15.4 Further Features . . . . . . . . . . . . . . . . . . . . . . . . . 537
15.5 What Next? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
16 Formal Verification with KeY: A Tutorial . . . . . . . . . . . . . . 541
16.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
16.2 A Program without Loops . . . . . . . . . . . . . . . . . . . . 543
16.3 A Brief Primer on Loop Invariants . . . . . . . . . . . . . . . . 546
16.3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . 546
16.3.2 Why Are Loop Invariants Needed? . . . . . . . . . . . 547
16.3.3 What Is A Loop Invariant? . . . . . . . . . . . . . . . 547
16.3.4 Goal-Oriented Derivation of Loop Invariants . . . . . . 549
16.3.5 Generalization . . . . . . . . . . . . . . . . . . . . . . 550
16.3.6 Recovering the Context . . . . . . . . . . . . . . . . . 551
16.3.7 Proving Termination . . . . . . . . . . . . . . . . . . . 553
16.3.8 A More Complex Example . . . . . . . . . . . . . . . 555
16.3.9 Invariants: Concluding Remarks . . . . . . . . . . . . 557
16.4 A Program with Loops . . . . . . . . . . . . . . . . . . . . . . 558
16.5 Data Type Properties of Programs . . . . . . . . . . . . . . . . 562
16.6 KeY and Eclipse . . . . . . . . . . . . . . . . . . . . . . . . . 565
16.6.1 Installation . . . . . . . . . . . . . . . . . . . . . . . . 566
16.6.2 Proof Management with KeY Projects . . . . . . . . . 566
16.6.3 Proof Results via Marker . . . . . . . . . . . . . . . . 567
16.6.4 The Overall Verification Status . . . . . . . . . . . . . 568

17 KeY-Hoare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
17.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
17.2 The Programming Language . . . . . . . . . . . . . . . . . . . 572
17.3 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . 573
17.3.1 First-Order Logic . . . . . . . . . . . . . . . . . . . . 573
17.3.2 Hoare Calculus . . . . . . . . . . . . . . . . . . . . . 574
17.4 Hoare Logic with Updates . . . . . . . . . . . . . . . . . . . . 575
17.4.1 State Updates . . . . . . . . . . . . . . . . . . . . . . 576
17.4.2 Hoare Triples with Update . . . . . . . . . . . . . . . 577
Contents XXIII

17.4.3 Hoare Style Calculus with Updates . . . . . . . . . . . 577

17.4.4 Rules for Updates . . . . . . . . . . . . . . . . . . . . 579
17.5 Using KeY-Hoare . . . . . . . . . . . . . . . . . . . . . . . . 580
17.6 Variants of the Hoare Logic with Updates . . . . . . . . . . . . 582
17.6.1 Total Correctness . . . . . . . . . . . . . . . . . . . . 582
17.6.2 Worst-Case Execution Time . . . . . . . . . . . . . . . 582
17.7 A Brief Reference Manual for KeY-Hoare . . . . . . . . . . . 584
17.7.1 Installation . . . . . . . . . . . . . . . . . . . . . . . . 584
17.7.2 Formula Syntax . . . . . . . . . . . . . . . . . . . . . 585
17.7.3 Input File Format . . . . . . . . . . . . . . . . . . . . 585
17.7.4 Loading and Saving Problems and Proofs . . . . . . . 587
17.7.5 Proving . . . . . . . . . . . . . . . . . . . . . . . . . 588
17.7.6 Automation . . . . . . . . . . . . . . . . . . . . . . . 589

Part V Case Studies

18 Verification of an Electronic Voting System . . . . . . . . . . . . . 593
18.1 Electronic Voting . . . . . . . . . . . . . . . . . . . . . . . . . 593
18.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
18.2.1 Verification of Cryptographic Software . . . . . . . . . 595
18.2.2 Verification Approach . . . . . . . . . . . . . . . . . . 595
18.2.3 System Description . . . . . . . . . . . . . . . . . . . 596
18.3 Specification and Verification . . . . . . . . . . . . . . . . . . 599
18.3.1 Specification . . . . . . . . . . . . . . . . . . . . . . . 599
18.3.2 Verification . . . . . . . . . . . . . . . . . . . . . . . 603
18.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
18.4.1 A Hybrid Approach to Information Flow Analysis . . . 605
18.4.2 Related Work . . . . . . . . . . . . . . . . . . . . . . 606
18.4.3 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . 607

19 Verification of Counting Sort and Radix Sort . . . . . . . . . . . . 609

19.1 Counting Sort and Radix Sort Implementation . . . . . . . . . 609
19.2 High-Level Correctness Proof . . . . . . . . . . . . . . . . . . 612
19.2.1 General Auxiliary Functions . . . . . . . . . . . . . . 613
19.2.2 Counting Sort Proof . . . . . . . . . . . . . . . . . . . 614
19.2.3 Radix Sort Proof . . . . . . . . . . . . . . . . . . . . . 615
19.3 Experience Report . . . . . . . . . . . . . . . . . . . . . . . . 617

Part VI Appendices
A Java Modeling Language Reference . . . . . . . . . . . . . . . . . 621
A.1 JML Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
A.2 JML Expression Semantics . . . . . . . . . . . . . . . . . . . 625
A.3 JML Expression Well-Definedness . . . . . . . . . . . . . . . 628
XXIV Contents

B KeY File Reference . . . . . . . . . . . . . . . . . . . . . . . . . . 631

B.1 Predefined Operators in JavaDL . . . . . . . . . . . . . . . . . 631
B.1.1 Arithmetic Functions . . . . . . . . . . . . . . . . . . 631
B.1.2 Arithmetic Functions with Modulo Semantics . . . . . 632
B.1.3 Predicates for Arithmetics and Equality . . . . . . . . . 634
B.1.4 Integer Semantics Dependent Functions . . . . . . . . 634
B.1.5 Integer Semantics Dependent Predicate Symbols . . . . 636
B.1.6 Heap Related Function and Predicate Symbols . . . . . 636
B.1.7 Location Sets Related Function and Predicate Symbols 637
B.1.8 Finite Sequence Related Function and Predicate Symbols 638
B.1.9 Map Related Function and Predicate Symbols . . . . . 639
B.2 The KeY Syntax . . . . . . . . . . . . . . . . . . . . . . . . . 640
B.2.1 Notation, Keywords, Identifiers, Numbers, Strings . . . 641
B.2.2 Terms and Formulas . . . . . . . . . . . . . . . . . . . 643
B.2.3 Rule Files . . . . . . . . . . . . . . . . . . . . . . . . 651
B.2.4 User Problem and Proof Files . . . . . . . . . . . . . . 659
B.2.5 Schematic Java Syntax . . . . . . . . . . . . . . . . . 662
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
List of Figures

1.1 Architecture of the KeY tool set . . . . . . . . . . . . . . . . 11

1.2 GUI of the KeY system with a loaded proof obligation . . . . 15

2.1 First-order rules for the logic FOL . . . . . . . . . . . . . . . 28

2.2 Equality rules for the logic FOL . . . . . . . . . . . . . . . . 30
2.3 Mandatory JFOL type hierarchy . . . . . . . . . . . . . . . . 38
2.4 Mandatory JFOL vocabulary . . . . . . . . . . . . . . . . . . 39
2.5 Integer axioms and rules . . . . . . . . . . . . . . . . . . . . 39
2.6 Rules for the theory of arrays. . . . . . . . . . . . . . . . . . 41
2.7 Rules for the predicate wellFormed . . . . . . . . . . . . . . 42
2.8 Axioms for functions related to Java types . . . . . . . . . . . 43
2.9 Rules for data type LocSet . . . . . . . . . . . . . . . . . . . 44
2.10 Semantics on type domains . . . . . . . . . . . . . . . . . . . 45
2.11 Semantics for the mandatory JFOL vocabulary . . . . . . . . 46
2.12 Semantics for the predicate wellFormed . . . . . . . . . . . . 47

3.1 An example program with method overriding . . . . . . . . . 82

3.2 Initialization part in a schematic class . . . . . . . . . . . . . 88
3.3 Mapping of a class declaration to initialization schema . . . . 89
3.4 Implicit method <prepare>() . . . . . . . . . . . . . . . . . 91
3.5 Example for constructor normal form . . . . . . . . . . . . . 92
3.6 Building the constructor normal form . . . . . . . . . . . . . 93
3.7 Method contract rule . . . . . . . . . . . . . . . . . . . . . . 100
3.8 Basic loop invariant rule . . . . . . . . . . . . . . . . . . . . 102
3.9 Invariant rule for loops with side effects in the loop condition 104
3.10 Invariant rule for loops with abrupt termination . . . . . . . . 106

4.1 Vocabulary and induction axiom for a simplified theory of lists 111
4.2 Inductive example proof . . . . . . . . . . . . . . . . . . . . 114
4.3 Vocabulary and axioms for defined list functions . . . . . . . 115
XXVI List of Figures

4.4 Derived taclets for the list theory . . . . . . . . . . . . . . . . 118

4.5 The taclet syntax . . . . . . . . . . . . . . . . . . . . . . . . 122

5.1 The vocabulary of finite sequences . . . . . . . . . . . . . . . 150

5.2 Axioms of the core theory of finite sequences . . . . . . . . . 150
5.3 Definition of seqDepth . . . . . . . . . . . . . . . . . . . . . 152
5.4 Definition for noncore vocabulary in mathematical notation . 153
5.5 Some derived rules for finite sequences . . . . . . . . . . . . 154
5.6 Some derived rules for permutations . . . . . . . . . . . . . . 155
5.7 Axioms for clIndexOfChar and clContains . . . . . . . . . . 158

6.1 Example abstract domain for vehicles . . . . . . . . . . . . . 168

6.2 Sign Domain: An abstract domain for integers . . . . . . . . 170
6.3 Instantiation of the heap abstract domain for fields . . . . . . 177
6.4 Instantiation of the heap abstract domain for arrays . . . . . . 177
6.5 Abstract domain for objects . . . . . . . . . . . . . . . . . . 179
6.6 Length-based abstract domain for objects . . . . . . . . . . . 180
6.7 Family of abstract domains for object based on exact type . . 181
6.8 Galois connection for object abstract domain based on types . 181
6.9 Example instantiation of abstract domain for objects . . . . . 182
6.10 Galois connection for combining object abstract domains . . . 183
6.11 Combined object abstract domain . . . . . . . . . . . . . . . 183

8.1 Flattening a nested JML specification . . . . . . . . . . . . . 256

8.2 The type hierarchy of exceptions in Java . . . . . . . . . . . . 261

9.1 A list interface and its implementations . . . . . . . . . . . . 294

9.2 Listings of Cell/Recell example . . . . . . . . . . . . . . . 315
9.3 Listings of Cell/Recell example annotated with model methods 317
9.4 Proof structure for Client method m . . . . . . . . . . . . . 345

11.1 Symbolic execution tree of method min . . . . . . . . . . . . 386

11.2 Symbolic execution tree of method sum . . . . . . . . . . . . 387
11.3 Symbolic execution tree of method sum using a loop invariant 388
11.4 Symbolic execution tree of method run . . . . . . . . . . . . 389
11.5 Symbolic execution tree of method average using contracts . 391
11.6 SED: Interactive symbolic execution . . . . . . . . . . . . . . 393
11.7 SED: Collapsed frame . . . . . . . . . . . . . . . . . . . . . 394
11.8 SED: Possible memory layouts of a symbolic state . . . . . . 395
11.9 Symbolic execution tree of mergesort . . . . . . . . . . . . . 396
11.10 Initial symbolic object diagram: AVL rotate left . . . . . . . . 398
11.11 Current symbolic object diagram: AVL rotate left . . . . . . . 399
11.12 Symbolic execution tree of method indexOf . . . . . . . . . 401
11.13 Architecture of the Symbolic Execution Debugger (SED) . . . 402
List of Figures XXVII

12.1 The Test Suite Generation window . . . . . . . . . . . . . . . 419

12.2 TestGen macro and Finish symbolic execution macro . . . . . 420
12.3 Use-cases of KeYTestGen . . . . . . . . . . . . . . . . . . . 427
12.4 Components and workflow of KeYTestGen . . . . . . . . . . 428
12.5 SMT solver options . . . . . . . . . . . . . . . . . . . . . . . 438
12.6 OpenJML output for array copy . . . . . . . . . . . . . . . . 446

13.1 Program declassifying the sum of an array . . . . . . . . . . . 459

13.2 Program with multiple information flow contracts . . . . . . . 459
13.3 Example of a secure program . . . . . . . . . . . . . . . . . 461
13.4 Control flow graphs: Original vs. self-composition . . . . . . 462
13.5 Reducing verification overhead by compositional reasoning . 463
13.6 Proof tree of information flow example . . . . . . . . . . . . 468

14.1 Simple control circuit: Source and control flow graph . . . . . 475
14.2 Symbolic execution tree of the control circuit program . . . . 475
14.3 Partial evaluation of a simple control circuit program . . . . . 476
14.4 Symbolic execution with interleaved partial evaluation . . . . 477
14.5 Type hierarchy for the GUI example . . . . . . . . . . . . . . 482
14.6 Work flow of synthesizing loop . . . . . . . . . . . . . . . . 487
14.7 Symbolic execution tree until conditional . . . . . . . . . . . 488
14.8 Symbolic execution tree of then branch . . . . . . . . . . . . 488
14.9 Symbolic execution tree of else branch . . . . . . . . . . . . 489
14.10 Source code of the Power example . . . . . . . . . . . . . . . 492

15.1 Verification process using the KeY system . . . . . . . . . . . 496

16.1 The KeY verification workflow . . . . . . . . . . . . . . . . . 542

16.2 Mapping loop execution into a well-founded order . . . . . . 554
16.3 Condensed finished proof tree . . . . . . . . . . . . . . . . . 561
16.4 Strategy macros . . . . . . . . . . . . . . . . . . . . . . . . . 564
16.5 Sequent after application of rule seqPermFromSwap . . . . . 565
16.6 KeY project with example content . . . . . . . . . . . . . . . 567
16.7 Closed and open proof marker . . . . . . . . . . . . . . . . . 568
16.8 Recursive specification marker . . . . . . . . . . . . . . . . . 569
16.9 The overall verification status . . . . . . . . . . . . . . . . . 569

17.1 Rules of standard Hoare calculus. . . . . . . . . . . . . . . . 575

17.2 Rules of Hoare calculus with updates. . . . . . . . . . . . . . 578
17.3 Rewrite rules for update computation. . . . . . . . . . . . . . 579
17.4 Loop invariant rule for total correctness. . . . . . . . . . . . . 582
17.5 Loop invariant rule for execution time reasoning . . . . . . . 583
17.6 Worst-case execution time specification . . . . . . . . . . . . 583
17.7 Input file for the searchMax example. . . . . . . . . . . . . . 586
17.8 Input file grammar . . . . . . . . . . . . . . . . . . . . . . . 587
17.9 Screen shot of KeY-Hoare system . . . . . . . . . . . . . . . 588
XXVIII List of Figures

18.1 UML class diagram of the e-voting system . . . . . . . . . . 597

18.2 The overall protocol of the e-voting system . . . . . . . . . . 598

19.1 Iterations of the last loop in Counting sort . . . . . . . . . . . 611

19.2 Successive iterations of the Radix sort loop . . . . . . . . . . 611
List of Tables

3.1 Simplification rules for updates . . . . . . . . . . . . . . . . . 59

3.2 Names of schema variables and their kinds . . . . . . . . . . . 66
3.3 Components of rule assignmentSaveLocation for fields . . . . 72
3.4 Components of rule assignmentSaveLocation for arrays . . . 72
3.5 Implicit object repository and status fields . . . . . . . . . . . 87
3.6 Implicit methods for object creation and initialization . . . . . 88

4.1 Matrix of different taclet modes and different find patterns . . 126
4.2 Most important rule sets in KeY . . . . . . . . . . . . . . . . 131
4.3 Kinds of schema variables in the context of a type hierarchy . 132
4.4 Examples of schematic expressions and their instantiations . . 135

5.1 The additional vocabulary for the theory of Strings . . . . . . 157

5.2 Pattern expressions . . . . . . . . . . . . . . . . . . . . . . . 158
5.3 Core and extension functions for the int data type . . . . . . 162
5.4 Functions for Java arithmetics . . . . . . . . . . . . . . . . . 162

8.1 Defined operations on the \seq in JML . . . . . . . . . . . . 253

8.2 Default values for absent clauses and operators . . . . . . . . 260
8.3 Clauses in JML loop specifications . . . . . . . . . . . . . . . 271

11.1 Symbolic execution tree nodes . . . . . . . . . . . . . . . . . 392

11.2 Views of perspective Symbolic Debug . . . . . . . . . . . . . 393
11.3 Classification of proof nodes for SE trees . . . . . . . . . . . 405

12.1 MC/DC coverage example . . . . . . . . . . . . . . . . . . . 425

A.1 Additional class members in JML . . . . . . . . . . . . . . . 622

A.2 Contract grammar in JML . . . . . . . . . . . . . . . . . . . . 622
A.3 Modifiers in JML . . . . . . . . . . . . . . . . . . . . . . . . 623
A.4 JML annotation grammar . . . . . . . . . . . . . . . . . . . . 623
Another random document with
no related content on Scribd:
said for the children, probably.”
It certainly was. Never had a photographer a more hard-working
morning. No blame to the weather, which (alas, for the salmon-
fishers!) was perfect as ever; but the difficulty of catching the sitters
and arranging them, and keeping them steady, was enormous.
First the servants all wished to be taken; some separately, and then
in a general group, which was arranged beside the kitchen door, the
scullery being converted into a “dark room” for the occasion. One
after the other, the maids disappeared, and re-appeared full-dressed,
in the most wonderful crinolines and chignons, but looking not half so
picturesque as a Highland farm-girl, who, in her woollen striped
petticoat and short gown, with her dark red hair knotted up behind,
sat on the wall of the yard contemplating the proceedings.
The children ran hither and thither, highly delighted, except Franky
and Austin Thomas, who were made to suffer a good deal, the latter
being put into a stiff white piqué frock, braided with black braid,
which looked exactly as if some one had mistaken him for a sheet of
letter-paper and begun to write upon him; while Franky, dressed in
his Sunday’s best, with his hair combed and face clean, was in an
aggravating position for his ordinary week-day amusements. He
consoled himself by running in and out among the servants, finally
sticking himself in the centre of the group, and being depicted there,
as natural as life.
A very grand picture it was, the men-servants being in front,—
Highland men always seem to consider themselves superior beings,
and are seen lounging about and talking, while the women are
shearing, or digging, or hoeing potatoes. The maids stood in a row
behind, bolt upright, smiling as hard as they could, and little Franky
occupied the foreground, placed between the gardener’s knees. A
very successful photograph, and worthy of going down to posterity,
as doubtless it will.
Now for the children. The baby, passive in an embroidered muslin
frock, came out, of course, as a white mass with something
resembling a face at the top; but Austin Thomas was a difficult
subject. He wouldn’t sit still, no, not for a minute, but kept wriggling
about on the kitchen chair that was brought for him, and looked so
miserable in his stiff frock, that his expression was just as if he were
going to be whipped, and didn’t like it at all.
In vain Franky, who always patronised and protected his next
youngest brother in the tenderest way, began consoling him: “Never
mind, sonnie,”—that was Franky’s pet name for Austin,—“they
sha’n’t hurt you. I’ll take care they don’t hurt you.”
Still the great black thing, with the round glass eye fixed upon him,
was too much for Austin’s feelings. He wriggled, and wriggled, and
never would this likeness have been taken at all,—at least that
morning,—if somebody had not suggested “a piece.” Off flew Mary,
the cook, and brought back the largest “piece”—bread with lots of
jam upon it—that ever little Scotchman revelled in. Austin took it, and
being with great difficulty made to understand that he must pause in
eating now and then, the photographer seized the happy moment,
and took him between his mouthfuls, with Franky keeping guard over
him the while, lest anybody did him any harm. And a very good
picture it is, though neither boy is quite handsome enough, of
course. No photographs ever are.
Little Sunshine, meanwhile, had been deeply interested in the whole
matter. She was quite an old hand at it, having herself sat for her
photograph several times.
“Would you like to see my likenesses?” she kept asking anybody or
everybody; and brought down the whole string of them, describing
them one by one: “Sunny in her mamma’s arms, when she was a
little baby, very cross;” “Sunny just going to cry;” “Sunny in a boat;”
“Sunny sitting on a chair;” “Sunny with her shoes and stockings off,
kicking over a basket;” and lastly (the little show-woman always
came to this with a scream of delight), “That’s my papa and mamma,
Sunny’s own papa and mamma, both together!”
Though then she had not been in the least afraid of the camera, but,
when the great glass eye looked at her, looked steadily at it back,
still she did not seem to like it now. She crept beside her mamma
and her Lizzie, looking on with curiosity, but keeping a long way off,
till the groups were done.
There were a few more taken, in one of which Sunny stood in the
doorway in her Lizzie’s arms.
And her papa and mamma, who meanwhile had taken a good long
walk up the hill-road, came back in time to figure in two rows of black
dots on either side of a shady road, which were supposed to be
portraits of the whole party. The mountains opposite also sat for their
likenesses,—which must have been a comfort to the photographer,
as they at least could not “move.” But, on the whole, the honest man
made a good morning’s work, and benefited considerably thereby.
Which was more than the household did. For, as was natural, the
cook being dressed so beautifully, the dinner was left pretty much to
dress itself. Franky and Austin Thomas suffered so much from
having on their best clothes that they did not get over it for ever so
long. And Sunny, too, upset by these irregular proceedings, when
taking a long-promised afternoon walk with her papa, was as cross
as such a generally good little girl could be, insisting on being carried
the whole way, and carried only by her mamma. And though, as
mamma often says, “she wouldn’t sell her for her weight in gold,” she
is a pretty considerable weight to carry on a warm afternoon.
Still the day had passed pleasantly away, the photographs were all
done, to remain as memorials of the holiday, long after it was ended.
In years to come, when the children are all men and women, they
may discover them in some nook or other, and try to summon up
faint recollections of the time. Oh, if Little Sunshine might never cry
except to be carried in mamma’s arms! and Austin Thomas find no
sorer affliction in life than sitting to be photographed in stiff white
clothes!
But that cannot be. They must all bear their burdens, as their parents
did. May God take care of them when we can do it no more!
The week had rolled by,—weeks roll by so fast!—and it was again
Sunday, the last Sunday at the glen, and just such another as
before: calm, still, sunshiny; nothing but peace on earth and sky.
Peace! when far away beyond the circle of mountains within which
parents and children were enjoying such innocent pleasures, such
deep repose, there was going on, for other parents and children, the
terrible siege of Paris. Week by week, and day by day, the Germans
were closing in round the doomed city, making ready to destroy by
fire, or sword, or famine,—all sent by man’s hand, not God’s,—
hundreds, thousands of innocent enemies. Truly, heaven will have
been well filled, and earth well emptied during the year 1870.
What a glorious summer it was, as to weather, will long be
remembered in Scotland. Even up to this Sunday, the 2d of October,
the air was balmy and warm as June. Everybody gathered outside
on the terrace, including the forlorn salmon-fishers, whose last hope
was now extinguished; for the patient gentleman, and Sunny’s papa,
too, were to leave next morning. And the fish jumped up in the
glassy loch, livelier than ever, as if they were having a special jubilee
in honour of their foe’s departure.
He sat resigned and cheerful, smoking his cigar, and protesting that,
with all his piscatory disappointments, this was the loveliest place he
had ever been in, and that he had spent the pleasantest of holidays!
There he was left to enjoy his last bit of the mountains and loch in
quiet content, while everybody else went to church.
Even Little Sunshine. For her mamma and papa had taken counsel
together whether it was not possible for her to be good there, so as
at least to be no hindrance to other people’s going, which was as
much as could be expected for so small a child. Papa doubted this,
but mamma pleaded for her little girl, and promised to keep her good
if possible. She herself had a great desire that the first time ever
Sunny went to church should be in this place.
So they had a talk together, mamma and Sunny, in which mamma
explained that Sunny might go to church, as Maurice and Eddie did,
if she would sit quite quiet, as she did at prayers, and promise not to
speak one word, as nobody ever spoke in church excepting the
minister. She promised, this little girl who has such a curious feeling
about keeping a promise, and allowed herself to be dressed without
murmuring—nay, with a sort of dignified pride—to “go to church.”
She even condescended to have her gloves put on, always a severe
trial; and never was there a neater little figure, all in white from top to
toe, with a white straw hat, as simple as possible, and the yellow
curls tumbling down from under it. As she put her little hand in her
mamma’s and they two started together, somewhat in advance of the
rest, for it was a long half-mile for such baby feet, her mamma
involuntarily thought of a verse in a poem she learnt when she
herself was a little girl:
“Thy dress was like the lilies,
And thy heart was pure as they;
One of God’s holy angels
Did walk with me that day.”
Only Sunny was not an angel, but an ordinary little girl. A good little
girl generally, but capable of being naughty sometimes. She will
have to try hard to be good every day of her life, as we all have. Still,
with her sweet, grave face, and her soft, pretty ways, there was
something of the angel about her this day.
Her mamma tried to make her understand, in a dim way, what
“church” meant,—that it was saying “thank you” to God, as mamma
did continually; especially for His giving her her little daughter. How
He lived up in the sky, and nobody saw Him, but He saw everybody;
how He loved Little Sunshine, just as her papa and mamma loved
her, and was glad when she was good, and grieved when she was
naughty. This was all the child could possibly take in, and even thus
much was doubtful; but she listened, seeming as if she
comprehended a small fragment of the great mystery which even we
parents understand so little. Except that when we look at our
children, and feel how dearly we love them, how much we would
both do and sacrifice for them, how if we have to punish them it is
never in anger but in anguish and pain, suffering twice as much
ourselves the while,—then we can faintly understand how He who
put such love into us, must Himself love infinitely more, and meant
us to believe this, when He called Himself our Father. Therefore it
was that through her papa’s and mamma’s love Sunny could best be
taught her first dim idea of God.
She walked along very sedately, conversing by the way, and not
attempting to dart from side to side, after one object or another, as
this butterfly child always does on a week-day. But Sunday, and
Sunday clothes, conduced exceedingly to proper behaviour.
Besides, she felt that she was her mamma’s companion, and was
proud accordingly. Until, just before reaching the church, came a
catastrophe which certainly could not have happened in any other
church-going walk than this.
A huge, tawny-coloured bull stood in the centre of the road, with half
a dozen cows and calves behind him. They moved away, feeding
leisurely on either side the road, but the bull held his ground, looking
at mamma and Sunny from under his shaggy brows, as if he would
like to eat them up.
“Mamma, take her!” whispered the poor little girl, rather frightened,
but neither crying nor screaming.
Mamma popped her prayer-book in her pocket, dropped her parasol
on the ground, and took up her child on her left arm, leaving the right
arm free. A fortnight ago she would have been alarmed, but now she
understood the ways of these Highland cattle, and that they were not
half so dangerous as they looked. Besides, the fiercest animal will
often turn before a steady, fearless human eye. So they stood still,
and faced the bull, even Sunny meeting the creature with a gaze as
firm and courageous as her mamma’s. He stood it for a minute or so,
then he deliberately turned tail, and walked up the hillside.
“The big bull didn’t hurt Sunny! He wouldn’t hurt little Sunny, would
he, mamma?” said she, as they walked on together. She has the
happiest conviction that no creature in the world would ever be so
unkind as to hurt Sunny. How should it, when she is never unkind to
any living thing? When the only living thing that ever she saw hurt—a
wasp that crept into the carriage, and stung Sunny on her poor little
leg, and her nurse was so angry that she killed it on the spot—
caused the child a troubled remembrance. She talked, months
afterward, with a grave countenance, of “the wasp that was obliged
to be killed, because it stung Sunny.”
She soon looked benignly at the big bull, now standing watching her
from the hillside, and wanted to play with the little calves, who still
stayed feeding near. She was also very anxious to know if they were
going to church too? But before the question—a rather puzzling one
—could be answered, she was overtaken by the rest of the
congregation, including Maurice and Eddie with their parents. The
two boys only smiled at her, and walked into church, so good and
grave that Sunny was impressed into preternatural gravity too. When
the rest were seated, she, holding her mamma’s hand, walked
quietly in as if accustomed to it all and joined the congregation.
The seat they chose was, for precaution, the one nearest the door,
and next to “the pauper,” an old man who alone of all the inhabitants
of the glen did not work, but received parish relief. He was just able
to come to church, but looked as if he had “one foot in the grave,” as
people say (whither, indeed, the other foot soon followed, for the
poor old man died not many weeks after this Sunday). He had a
wan, weary, but uncomplaining face; and as the rosy child, with her
bright curls, her fair, fresh cheeks, and plump, round limbs, sat down
upon the bench beside him, the two were a strange and touching
contrast.
 Two little churchgoers.
Never did any child behave better than Little Sunshine, on this her
first going to church. Yes, even though she soon caught sight of her
own papa, sitting a few benches off, but afraid to look at her lest she
should misbehave. Also of Maurice’s papa and mamma, and of
Maurice and Eddie themselves, not noticing her at all, and behaving
beautifully. She saw them, but, faithful to her promise, she did not
speak one word, not even in a whisper to mamma. She allowed
herself to be lifted up and down, to sit or stand as the rest did, and
when the music began she listened with an ecstasy of pleasure on
her little face; but otherwise she conducted herself as well as if she
had been thirteen instead of not quite three years old. Once only,
when the prayers were half through, and the church was getting
warm, she gravely took off her hat and laid it on the bench before
her,—sitting the rest of the service with her pretty curls bare,—but
that was all.
During the sermon she was severely tried. Not by its length, for it
was fortunately short, and she sat on her mamma’s lap, looking
fixedly into the face of the minister, as pleased with him in his new
position as when he was rowing her in the boat, or gathering nuts for
her along the canal bank. All were listening, as attentive as possible,
for everybody loved him, Sundays and week-days; and even Sunny
herself gazed as earnestly as if she were taking in every word he
said,—when her quick little eyes were caught by a new interest,—a
small, shaggy Scotch terrier, who put his wise-looking head
inquiringly in at the open door.
Oh, why was the church door left open? No doubt, so thought the
luckless master of that doggie! He turned his face away; he kept as
quiet as possible, hoping not to be discovered; but the faithful animal
was too much for him. In an ecstasy of joy, the creature rushed in
and out and under several people’s legs, till he got to the young man
who owned him, and then jumped upon him in unmistakable
recognition. Happily, he did not bark; indeed, his master, turning red
as a peony, held his hand over the creature’s mouth.
What was to be done? If he scolded the dog, or beat him, there
would be a disturbance immediately; if he encouraged or caressed
him, the loving beast would have begun—in fact, he did slightly
begin—a delighted whine. All the perplexed master could do was to
keep him as quiet as circumstances allowed, which he managed
somehow by setting his foot on the wildly wagging tail, and twisting
his fingers in one of the long ears, the dog resisting not at all. Quite
content, if close to his master, the faithful beast snuggled down,
amusing himself from time to time by gnawing first a hat and then an
umbrella, and giving one small growl as an accidental footstep
passed down the road; but otherwise behaving as well as anybody in
church. The master, too, tried to face out his difficulty, and listen as if
nothing was the matter; but I doubt he rather lost the thread of the
sermon.
So did Sunny’s mamma for a few minutes. Sunny is so fond of little
doggies, that she fully expected the child to jump from her lap, and
run after this one; or, at least, to make a loud remark concerning it,
for the benefit of the congregation generally. But Sunny evidently
remembered that “nobody spoke in church;” and possibly she
regarded the dog’s entrance as a portion of the service, for she
maintained the most decorous gravity. She watched him, of course,
with all her eyes; and once she turned with a silent appeal to her
mamma to look too, but said not a word. The little terrier himself did
not behave better than she, to the very end of the service.
It ended with a beautiful hymn,—“O Thou from whom all goodness
flows.” Everybody knows it, and the tune too; which I think was
originally one of those sweet litanies to the Virgin which one hears in
French churches, especially during the month of May. The little
congregation knew it well, and sang it well, too. When Sunny saw
them all stand up, she of her own accord stood up likewise,
mounting the bench beside the old pauper, who turned half round,
and looked on the pleasant child with a faint, pathetic sort of smile.
Strange it was to stand and watch the different people who stood
singing, or listening to, that hymn; Maurice and Eddie, with their
papa and mamma; other papas and mammas with their little ones;
farmers and farm-servants who lived in the glen, with a chance
tourist or two who happened to be passing through; several old
Highland women, grim and gaunt with long, hard-working lives; the
poor old pauper, who did not know that his life was so nearly over;
and lastly, the little three-year-old child, with her blue eyes wide open
and her rosy lips parted, not stirring a foot or a finger, perfectly
motionless with delight. Verse after verse rose the beautiful hymn,
not the less beautiful because so familiar:

“O Thou from whom all goodness flows,

I lift my soul to Thee;
In all my sorrows, conflicts, woes,
O Lord, remember me!

“When on my aching, burdened heart,

My sins lie heavily,
Thy pardon grant, Thy peace impart,
In love, remember me!

“When trials sore obstruct my way,

And ills I cannot flee,
Oh I let my strength be as my day,
For good, remember me!

“When worn with pain, disease, and grief,

This feeble body see,
Give patience, rest, and kind relief,
Hear, and remember me!

“When in the solemn hour of death

I wait Thy just decree,
Be this the prayer of my last breath,
‘O Lord, remember me!’”

As Little Sunshine stood there, unconsciously moving her baby lips

to the pretty tune,—ignorant of all the words and their meaning,—her
mother, not ignorant, took the tiny soft hand in hers and said for her
in her heart, “Amen.”
When the hymn was done, the congregation passed slowly out of
church, most of them stopping to speak or shake hands, for of
course all knew one another, and several were neighbours and
friends. Then at last Sunny’s papa ventured to take up his little girl,
and kiss her, telling her what a very good little girl she had been, and
how pleased he was to see it. The minister, walking home between
Maurice and Eddie, who seized upon him at once, turned round to
say that he had never known a little girl, taken to church for the first
time, behave so remarkably well. And though she was too young to
understand anything except that she had been a good girl, and
everybody loved her and was pleased with her, still Sunny also
looked pleased, as if satisfied that church-going was a sweet and
pleasant thing.
 CHAPTER X.
Little Sunshine’s delicious holiday—equally delicious to her papa
and mamma, too—was now fast drawing to a close. This Sunday
sunset, more gorgeous perhaps than ever, was the last that the
assembled party of big and little people watched together from the
terrace. By the next Sunday, they knew, all of them would be
scattered far and wide, in all human probability never again to meet,
as a collective party, in this world. For some of them had come from
the “under world,” the Antipodes, and were going back thither in a
few months, and all had their homes and fortunes widely dispersed,
so as to make their chances of future reunion small.
They were sorry to part, I think,—even those who were nearly
strangers to one another,—and those who were friends were very
sorry indeed. The children, of course, were not sorry at all, for they
understood nothing about the matter. For instance, it did not occur in
the least to Sunny or to Austin Thomas (still viewing one another
with suspicious eyes, and always on the brink of war, though Sunny
kept her promise, and did not attack again), that the next time they
met might be as big boy and girl, learning lessons, and not at all
disposed to fight; or else as grown young man and woman, obliged
to be polite to one another whether they liked it or not.
But the elders were rather grave, and watched the sun set, or rather
not the sun,—for he was always invisible early in the afternoon, the
house being placed on the eastern slope of the hill,—but the sunset
glow on the range of mountains opposite. Which, as the light
gradually receded upward, the shadow pursuing, had been, evening
after evening, the loveliest sight imaginable. This night especially,
the hills seemed to turn all colours, fading at last into a soft gray, but
keeping their outlines distinct long after the loch and valley were left
dark.
So, good-bye, sun! When he rose again, two of the party would be
on board a steamboat,—the steamboat, for there was but one,—
sailing away southward, where there were no hills, no lochs, no
salmon-fishing, no idle, sunshiny days,—nothing but work, work,
work. For “grown-ups,” as Sunny calls them, do really work; though,
as a little girl once observed pathetically to Sunny’s mamma, “Oh, I
wish I was grown up, and then I might be idle! We children have to
work so hard! while you and my mamma do nothing all day long.”
(Oh, dear!)
Well, work is good, and pleasant too; though perhaps Sunny’s papa
did not exactly think so, when he gave her her good-night kiss, which
was also good-bye. For he was to start so early in the morning that it
was almost the middle of the night, in order to catch the steamer
which should touch at the pier ten miles off, between six and seven
a. m. Consequently, there was breakfast by candle-light, and hasty
adieux, and a dreary departure of the carriage under the misty
morning starlight; everybody making an effort to be jolly, and not
quite accomplishing it. Then everybody, or as many as had had
courage to rise, went to bed again, and tried to sleep, with varied
success, Sunny’s mamma with none at all.
It recurred to her, as a curious coincidence, that this very day,
twenty-five years before, after sitting up all night, she had watched,
solemnly as one never does it twice in a lifetime, a glorious sunrise.
She thought she would go out and watch another, from the hillside,
over the mountains.
My children, did you ever watch a sunrise? No? Then go and do it as
soon as ever you can. Not lazily from your bedroom window, but out
in the open air, where you seem to hear and see the earth gradually
waking up, as she does morning after morning, each waking as
wonderful and beautiful as if she had not done the same for
thousands of years, and may do it for thousands more.
When the carriage drove off, it was still starlight,—morning starlight,
pale, dreary, and excessively cold; but now a faint coloured streak of
dawn began to put the stars out, and creep up and up behind the
curves of the eastern hills. Gradually the daylight increased,—it was
clear enough to see things, though everything looked cheerless and
gray. The grass and heather were not merely damp, but soaking wet,
and over the loch and its low-lying shores was spread a shroud of
white mist. There was something almost painful in the intense
stillness; it felt as if all the world were dead and buried, and when
suddenly a cock crew from the farm, he startled one as if he had
been a ghost.
But the mountains,—the mountains! Turning eastward, to look at
them, all the dullness, solitude, and dreariness of the lower world
vanished. They stood literally bathed in light, as the sun rose up
behind them, higher and higher, brighter and brighter, every minute.
Suddenly an arrow of light shot across the valley, and touched the
flat granite boulder on which, after a rather heavy climb, Sunny’s
mamma had succeeded in perching herself like a large bird, tucking
her feet under her, and wrapping herself up as tightly as possible in
her plaid, as some slight protection against the damp cold. But when
the sunshine came, chilliness and cheerlessness vanished. And as
the beam broadened, it seemed to light up the whole world.
How she longed for her child, not merely for company, though that
would have been welcome in the extreme solitude, but that she
might show her, what even such baby eyes could not but have seen,
—the exceeding beauty of God’s earth, and told her how it came out
of the love of God, who loved the world and all that was in it. How He
loved Sunny, and would take care of her all her life, as He had taken
care of her, and of her mamma, too. How, if she were good and
loved Him back again, He would be sure to make for her, through all
afflictions, a happy life; since, like the sunrise, “His mercies are new
every morning, and His compassions fail not.”
Warmer and warmer the cold rock grew; a few birds began to twitter,
the cocks crowed from the farmyard, and from one of the cottages a
slender line of blue peat smoke crept up, showing that somebody
else was awake besides Sunny’s mamma; which was rather a
comfort,—she was getting tired of having the world all to herself.
Presently an old woman came out of a cottage-door, and went to the
burn for water, probably to make her morning porridge. A tame
sheep followed her, walking leisurely to the burn and back again,
perhaps with an eye to the porridge-pot afterward. And a lazy pussy-
cat also crept out, and climbed on the roof of the cottage, for a little
bit of sunshine before breakfast. Sunny’s mamma also began to feel
that it was time to see about breakfast, for sunrise on the mountains
makes one very hungry.
Descending the hill was worse than ascending, there being no
regular track, only some marks of where the sheep were in the habit
of climbing. And the granite rocks presented a flat, sloping surface,
sometimes bare, sometimes covered with slippery moss, which was
not too agreeable. Elsewhere, the ground was generally boggy with
tufts of heather between, which one might step or jump. But as soon
as one came to a level bit it was sure to be bog, with little streams
running through it, which had to be crossed somehow, even without
the small convenience of stepping-stones.
Once, when her stout stick alone saved her from a sprained ankle,
she amused herself with thinking how in such a case she might have
shouted vainly for help, and how bewildered the old woman at the
cottage would have been on finding out that the large creature, a
sheep as she had probably supposed, sitting on the boulder
overhead, which she had looked up at once or twice, was actually a
wandering lady!
It was now half-past seven, and the usual breakfast party on the
door-step was due at eight. Welcome was the sound of little voices,
and the patter of small eager feet along the gravel walk. Sunny’s
mamma had soon her own child in her arms and the other children
around her, all eating bread and butter and drinking milk with the
greatest enjoyment. The sun was now quite warm, and the mist had
furled off the loch, leaving it clear and smooth as ever.
Suddenly Eddie’s sharp eyes caught something there which quite
interrupted his meal. It was a water-fowl, swimming in and out
among the island of water-lilies, and even coming as close inshore
as the pier. Not one of the nine geese, certainly; this bird was dark
coloured, and small, yet seemed larger than the water-hens, which
also were familiar to the children. Some one suggested it might
possibly be a wild duck.
Eddie’s eyes brightened. “Then might I ‘low’ in a boat, with papa’s
gun, and go and shoot it?”
This being a too irregular proceeding, Sunny’s mamma proposed a
medium course, namely, that Eddie should inform his papa that there
was a bird supposed to be a wild duck, and then he might do as he
thought best about shooting it.
Maurice and Eddie were accordingly off like lightning; three of
Maurice’s worms which had taken the opportunity of crawling out of
his pocket and on to the tray, being soon afterward found leisurely
walking over the bread and butter plate. Franky and Austin Thomas
took the excitement calmly, the one thinking it a good chance of
eating up his brothers’ rejected shares, and the other proceeding
unnoticed to his favourite occupation of filling the salt-cellar with
sand from the walk.
Soon Donald, who had also seen the bird, appeared, with his
master’s gun all ready, and the master, having got into his clothes in
preternaturally quick time, hurried down to the loch, his boys
accompanying him. Four persons, two big and two little, after one
unfortunate bird! which still kept swimming about, a tiny black dot on
the clear water, as happy and unconscious as possible.
The ladies, too, soon came out and watched the sport from the
terrace; wondering whether the duck was within range of the gun,
and whether it really was a wild duck, or not. A shot, heard from
behind the trees, deepened the interest; and when, a minute after, a
boat containing Maurice, Eddie, their papa, and Donald, was seen to
pull off from the pier, the excitement was so great that nobody
thought about breakfast.
“It must be a wild duck; they have shot it; it will be floating on the
water, and they are going after it in the boat.”
“I hope Eddie will not tumble into the water, in his eagerness to pull
the bird out.”
“There,—the gun is in the boat with them! Suppose Maurice
stumbles over it, and it goes off and shoots somebody!”
Such were the maternal forebodings, but nothing of the sort
happened, and by and by, when breakfast was getting exceedingly
cold, a little procession, all unharmed, was seen to wind up from the
loch, Eddie and Maurice on either side of their papa.
He walked between them, shouldering his gun, so that, loaded or
not, it could not possibly hurt his little boys. But he looked extremely
dejected, and so did Donald, who followed, bearing “the body”—of a
poor little dripping, forlorn-looking bird.
“Is that the wild duck?” asked everybody at once.
“Pooh! It wasn’t a wild duck at all. It was only a large water-hen. Not
worth the trouble of shooting, certainly not of cooking. And then we
had all the bother of getting out the gun, and tramping over the wet
grass to get a fair shot, and, after we shot it, of rowing after it, to fish
it up out of the loch. Wretched bird!”
Donald, imitating his master, regarded the booty with the utmost
contempt, even kicking it with his foot as it lay, poor little thing! But
no kicks could harm it now. Sunny only went up and touched it
timidly, stroking its pretty, wet feathers with her soft little hand.
“Mamma, can’t it fly? why doesn’t it get up and fly away? And it is so
cold. Might Sunny warm it?” as she had once tried to warm the only
dead thing she ever saw,—a little field mouse lying on the garden
walk at home, which she put in her pinafore and cuddled up to her
little “bosie,” and carried about with her for half an hour or more.
Quite puzzled, she watched Donald carrying off the bird, and only
half accepted mamma’s explanation that “there was no need to
warm it,—it was gone to its bye-bye, and would not wake up any
more.”
Though she was living at a shooting-lodge, this was the only dead
thing Sunny had yet chanced to see, for there was so little game
about that the gentlemen rarely shot any. But this morning one of
them declared that if he walked his legs off over the mountains, he
must go and have a try at something. So off he set, guided by
Donald, while the rest of the party fished meekly for trout, or went
along the hill-road on a still more humble hunt after blackberries.
Sometimes they wondered about the stray sportsman, and listened
for gun-shots from the hills,—the sound of a gun could be heard for
so very far in this still, bright weather.
And when, at the usual dinner-hour, he did not appear, they waited a
little while for him. They were going at length to begin the meal,
when he was seen coming leisurely along the garden walk.
Eager were the inquiries of the master.
“Well,—any grouse?”
“No.”
“Partridges?”
“No.”
“I knew it. There has not been a partridge seen here for years.
Snipes, perhaps?”
“Never saw one.”
“Then what have you been about? Have you shot nothing at all?”
“Not quite nothing. A roe-deer. The first I ever killed in my life. Here,
Donald.”
With all his brevity, the sportsman could not hide the sparkle of his
eye. Donald, looking equally delighted, unloosed the creature, which
he had been carrying around his neck in the most affectionate
manner, its fore legs clasped over one shoulder, and its hind legs
over the other, and laid it down on the gravel walk.
What a pretty creature it was, with its round, slender, shapely limbs,
its smooth satin skin, and its large eyes, that in life would have been
so soft and bright! They were dim and glazed now, though it was
scarcely cold yet.
Everybody gathered around to look at it, and the sportsman told the
whole story of his shot.
“She is a hind, you see; most likely has a fawn somewhere not far
off. For I shot her close by the farm here. I was coming home, not
over-pleased at coming so empty-handed, when I saw her standing
on the hill top, just over that rock there: a splendid shot she was, but
so far off that I never thought I should touch her. However, I took
aim, and down she dropped. Just feel her. She is an admirable
creature, so fat! Quite a picture!”
So it was, but a rather sad one. The deer lay, her graceful head
hopelessly dangling, and bloody drops beginning to ooze from her
open mouth.
Otherwise she might have been asleep,—as innocent. Sunny, who
had run with the boys to see the sight, evidently thought she was.
“Mamma, look at the little baa-lamb, the dear little baa-lamb. Won’t it
wake up?”
Mamma explained that it was not a baa-lamb, but a deer, and there
stopped, considering how to make her child understand that solemn
thing, death; which no child can be long kept in ignorance of, and yet
which is so difficult to explain. Meantime, Sunny stood looking at the
deer, but did not attempt to touch it as she had touched the water-
hen. It was so large a creature to lie there so helpless and
motionless. At last she looked up, with trouble in her eyes.
“Mamma, it won’t wake up. Make it wake up, please!”
“I can’t, my darling!” And there came a choke in mamma’s throat,—
this foolish mamma, who dislikes “sport,”—who looks upon soldiers
as man-slayers, “glory” as a great delusion, and war a heinous
crime. “My little one, the pretty deer has gone to sleep, and nobody
can wake it up again. But it does not suffer. Nothing hurts it now.
Come away, and mamma will tell you more about this another day.”
The little fingers contentedly twined themselves in her mamma’s,
and Sunshine came away, turning back now and then a slightly
regretful look on the poor hind that lay there, the admiration of
everybody, and especially of the gentleman who had shot it.
“The first I ever shot,” he repeated, with great pride. “I only wish I
could stay and eat her. But the rest of you will.” (Except Sunny’s