The core feature of KeY is a theorem prover for Java Dynamic Logic based on a sequent calculus. It allows for full functional verification of sequential Java (without floats, garbage collection and multithreading, see the section below) and Java Card 2.2.x programs. Properties can be specified in the Java Modelling Language (JML) or in Java Dynamic Logic directly.
To try out KeY for program verification, go to the download page and follow the instructions. Upon start of KeY, you can select among several examples in menu “File > Load Examples”. Read the corresponding descriptions and try out what looks most interesting to you. Alternatively, have a look at our tutorials section.
Supported Java Features
Java is a very complex language which massively evolved over the time. KeY does not support all Java features. Some of those, like floating-point arithmetic, are in principle hard to handle from a theorem-proving point of view; others, like Generics and Lambdas, could be considered in future versions of the system.
The following (incomplete) table gives an overview about the state of selected Java features in the current KeY version. Features shaded in green are supported, those in red are unsupported; features in yellow are in principle not supported, but can be treated with restrictions by a workaround supplied by KeY.
|Basic Java 1.2 features||KeY supports Integer arithmetic (for both mathematical Integers and actual Integer types with overflows), Strings, inheritance, dynamic dispatch, loops, recursion, …|
|Enhanced “for” loops||Supported.|
|Library methods||KeY will throw an error when you use libraries the code of which is not in KeY’s classpath. However, we have a plugin in our eclipse extension which can create stubs with default contracts for library methods such that you can directly start proving properties about your code, or manually refine the stub specifications before.|
|Generics||Unsupported; However, the eclipse extension comes along with a plugin to statically remove Generics from the code. In Eclipse with KeY installed, open the context menu on a project in the package explorer and select Remove Generics.|
|Floating point types||Unsupported.|
|try-with-resources and multi-catch (both Java 7)||Unsupported.|
|Java 8 features (lambdas etc.)||Unsupported.|
Video Tutorial: Interactive Verification with the Symbolic Execution Debugger (SED)
Video Tutorial: Proof Attempt Inspection with the Symbolic Execution Debugger
Formal Verification with KeY:
A Tutorial (2016)
By Bernhard Beckert, Reiner Hähnle, Martin Hentschel and Peter H. Schmitt
Book chapter of the KeY book. This chapter gives a systematic tutorial introduction on how to perform formal program verification with the KeY system. It illustrates a number of complications and pitfalls, notably programs with loops, and shows how to deal with them. After working through this tutorial, you should be able to formally verify with KeY the correctness of simple Java programs, such as standard sorting algorithms, gcd, etc.
Note: The following tutorials may require older versions of KeY.
Verifying Object-Oriented Programs with KeY: A Tutorial (2007)
By Wolfgang Ahrendt, Bernhard Beckert, Reiner Hähnle, Philipp Rümmer, and Peter H. Schmitt.
Abstract. This paper is a tutorial on performing formal specification and semi-automatic verification of Java programs with the formal software development tool KeY. This tutorial aims to fill the gap between elementary introductions using toy examples and state-of-art case studies by going through a self-contained, yet non-trivial, example. It is hoped that this contributes to explain the problems encountered in verification of imperative, object-oriented programs to a readership outside the limited community of active researchers.
Relevant blog posts
Implementation-level Verification of Algorithms with KeY Journal Article
In: Software Tools for Technology Transfer, 17 (6), pp. 729–744, 2015, ISSN: 1433-2779.
In: Fournet, Cédric; Hicks, Michael (Ed.): 28th IEEE Computer Security Foundations Symposium (CSF 2015), pp. 305-319, 2015.
A Hybrid Approach for Proving Noninterference of Java Programs Journal Article
In: IACR Cryptology ePrint Archive, 2015 , pp. 438, 2015.
Generating Specifications for Recursive Methods by Abstracting Program States Inproceedings
In: SETTA, pp. 243–257, Springer, 2015.
In: NASA Formal Methods - 6th International Symposium, NFM 2014, Houston, TX, USA, April 29 - May 1, 2014. Proceedings, pp. 173–187, 2014.
In: Giannakopoulou, Dimitra; Kroening, Daniel (Ed.): Verified Software: Theories, Tools, and Experiments (VSTTE 2014), pp. 1–17, Springer-Verlag, 2014, ISBN: 978-3-642-54107-0.
Proving Well-Definedness of JML Specifications with KeY Masters Thesis
ITI Schmitt, Karlsruhe Institute of Technology, 2013.
In: Glimm, Birte; Krüger, Antonio (Ed.): KI 2012: Advances in Artificial Intelligence, pp. 13–24, Springer-Verlag, 2012, ISBN: 978-3-642-33346-0.
Dynamic Trace Logic: Definition and Proofs Technical Report
Department of Informatics, Karlsruhe Institute of Technology (2012,10), 2012, ISSN: 2190-4782, (A revised version replacing an unsound rule is available at http://formal.iti.kit.edu/~bruns/papers/trace-tr.pdf).
On Proving Alloy Specifications using KeY Technical Report
Karlsruhe Institute of Technology (2011-37), 2011.