Dynamic Logic for Java


Nov 18, 2013


Formal Verification of Software
Dynamic Logic for Java

Bernhard Beckert
Universität Koblenz-Landau

Formal Verification of Software - p.1
KeY Supports Java Card as Target Language

What is Java Card?
- Subset of Java
- Sun's official standard for smart cards and embedded devices

Why Java Card?
- Good example for a real-world object-oriented language
- Java Card has no
  - garbage collection
  - dynamic class loading
  - multi-threading
  - floating-point arithmetic

Application area
- security critical
- financial risk (e.g. exchanging smart cards is expensive)
Academic vs. Real-world Languages

Problems to address

Pointers / object attributes
  Modelled as non-rigid constants and functions

Side effects
  Expressions in programs have side effects, for example

Aliasing
  Different names may refer to the same location, for example $o.a$ and $u.a$ in a state $g$ where $g \models o \doteq u$
Other Issues (Later)

Further supported Java Card features
- method invocation, dynamic binding
- polymorphism
- abrupt termination
- checking for null pointer exceptions
- object creation and initialisation
- arrays
- finiteness of integer data types
- transactions
Handling Object Attributes

Similar concepts
- Object attributes
- Arrays
- Pointers

Non-rigid functions
  Attributes are considered to be non-rigid functions on objects

Extended to program variables
  Program variables are considered to be non-rigid constants
Side Effects: Symbolic Execution Paradigm

Expressions may have side effects: for example, a simple assignment does not only evaluate to a value, but also assigns a value to its left-hand side.

Problem: Terms in logic have to be side-effect free

Solution:
- Calculus rules realise a stepwise symbolic execution of the programs (program transformation)
- Restrict the applicability of some rules. For example, the rule for `if` is only applicable if the guard is free of side effects
Rule Application for if

The guard of the conditional has a side effect, so the if rule is not yet applicable. Each sequent below is the premise obtained from the one before it by a single program-transformation rule (in the proof tree they stack upwards); the transformation stops once the guard is a side-effect free variable:

$\Gamma \vdash \langle \texttt{if ((y = 3) + y < 0) \{\} else \{\}} \rangle \Phi,\ \Delta$

$\Gamma \vdash \langle \texttt{boolean guard = (y = 3) + y < 0; if (guard) \{\} else \{\}} \rangle \Phi,\ \Delta$

$\Gamma \vdash \langle \texttt{int val0 = (y = 3) + y; boolean guard = val0 < 0; if (guard) \{\} else \{\}} \rangle \Phi,\ \Delta$

$\Gamma \vdash \langle \texttt{int val1 = y = 3; int val0 = val1 + y; \ldots} \rangle \Phi,\ \Delta$

$\Gamma \vdash \langle \texttt{y = 3; int val1 = y; int val0 = val1 + y; \ldots} \rangle \Phi,\ \Delta$
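The unfolding shown above, as an added example (my code, not KeY's): a rewriter over a small constructed AST that performs one program-transformation step at a time on the first active statement, hoisting the leftmost compound or side-effecting subexpression into a fresh variable until the if guard is side-effect free. The AST encoding, the `fresh` counter and the assumption that hoisted operands have type `int` are mine.

```python
from itertools import count

# Constructed mini-AST (my representation, not KeY's). Expressions: an int literal,
# ('var', name), ('assign', name, expr) for the expression "name = expr", or
# ('bin', op, left, right). Statements: ('if', guard) for "if (guard) {} else {}" and
# ('assign', type_or_None, name, expr) for "type name = expr;" / "name = expr;".

def simple(e):
    """A term the logic can take over as it is: no evaluation, no side effect."""
    return isinstance(e, int) or e[0] == 'var'

def step(stmts, fresh):
    """One rule application on the first active statement. Returns the new program, or
    None once that statement needs no hoisting (literal, variable, or operator on such)."""
    first, rest = stmts[0], list(stmts[1:])
    if first[0] == 'if' and not simple(first[1]):
        # The if rule needs a side-effect free guard: move the guard into a fresh boolean.
        return [('assign', 'boolean', 'guard', first[1]), ('if', ('var', 'guard'))] + rest
    if first[0] == 'assign' and not simple(first[3]):
        ty, name, e = first[1:]
        if e[0] == 'assign':  # "T v = (y = e');" becomes "y = e'; T v = y;"
            return [('assign', None, e[1], e[2]), ('assign', ty, name, ('var', e[1]))] + rest
        op, left, right = e[1:]
        for is_left, sub in ((True, left), (False, right)):  # Java evaluates left to right
            if not simple(sub):
                tmp = f'val{next(fresh)}'  # hoisted operands are assumed to be of type int
                new = ('bin', op, ('var', tmp), right) if is_left else ('bin', op, left, ('var', tmp))
                return [('assign', 'int', tmp, sub), ('assign', ty, name, new)] + rest
    return None

def unfold(stmts):
    """Repeat step() until the first active statement needs no hoisting; keep every program."""
    fresh, trace = count(), [stmts]
    while (nxt := step(trace[-1], fresh)) is not None:
        trace.append(nxt)
    return trace

def render(stmts):
    """Java source for a program, so the trace can be compared with the slide line by line."""
    def expr(e):
        if isinstance(e, int): return str(e)
        if e[0] == 'var': return e[1]
        if e[0] == 'assign': return f'({e[1]} = {expr(e[2])})'
        return f'{expr(e[2])} {e[1]} {expr(e[3])}'
    return ' '.join(f'if ({expr(s[1])}) {{}} else {{}}' if s[0] == 'if'
                    else f'{s[1] + " " if s[1] else ""}{s[2]} = {expr(s[3])};' for s in stmts)

# The slide's conditional: if ((y = 3) + y < 0) {} else {}
GUARD = ('bin', '<', ('bin', '+', ('assign', 'y', 3), ('var', 'y')), 0)
TRACE = unfold([('if', GUARD)])  # five programs, the last one with a side-effect free guard
```

`render(p)` for each `p` in `TRACE` reproduces the five sequents' programs in order.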
Assignment in the Classical Version

Classical rule for assignment

$$\frac{\Gamma^{x}_{y},\ x \doteq t^{x}_{y} \vdash F,\ \Delta^{x}_{y}}{\Gamma \vdash \langle x = t \rangle F,\ \Delta}\qquad (y\ \text{new variable})$$

where $\Gamma^{x}_{y}$, $t^{x}_{y}$, $\Delta^{x}_{y}$ denote $\Gamma$, $t$, $\Delta$ with every occurrence of $x$ renamed to the new variable $y$.

Problems:
- cannot be handled as substitution
- aliasing: $o.a \doteq 3 \vdash \langle u.a = 5; \rangle \ldots$ requires splitting the proof for the cases $o \doteq u$ and $o \neq u$.
The Active Statement in a Program

Example (schematically): the program inside a modality is read as three parts

  non-active prefix | first active command | rest ($\omega$)

The rules of the calculus act on the first active command; the non-active prefix (e.g. the opening of an enclosing try block, see the slide on abrupt changes of the control flow) and the rest $\omega$ are carried along unchanged.
Updates: Delayed Substitutions

Syntax: Updates are syntactical elements

  $\{loc := val\}F$  or  $\{loc := val\}t$

where $loc$ is either
- a program variable $x$
- an attribute $o.attr$, or
- an array access $a[i]$

and $val$ is a logical term (no side effects).

Semantics: $g \models \{loc := val\}F$ iff $g' \models F$, where $g' = g^{val}_{loc}$ is the state $g$ with the value of $loc$ replaced by the value of $val$.
Assignment Rule in KeY

$$\frac{\Gamma \vdash \{loc := val\}\langle \omega \rangle F,\ \Delta}{\Gamma \vdash \langle loc = val;\ \omega \rangle F,\ \Delta}$$

where $loc$ and $val$ are side-effect free.

Advantages:
- no renaming as in the classical version
- delayed proof branching, e.g. for
  $\Gamma \vdash \langle x = 3;\ x = 4; \rangle F$  or  $\Gamma \vdash \langle o.a = 3;\ o.a = 4; \rangle F$
Conditional Terms

Use conditional terms to delay splitting further

$$(s[t_1 \doteq t_2] \mapsto e)^{I} = \begin{cases} e^{I} & \text{if } t_1^{I} = t_2^{I} \\ (s[t_1])^{I} & \text{otherwise} \end{cases}$$

That is, the term denotes $e$ if $t_1$ and $t_2$ refer to the same object, and $s[t_1]$ otherwise; the case distinction is kept inside the term instead of branching the proof.
Application of Updates $\mathcal{U}$

Application on program variables
  $\{x := t\}\,y \leadsto y$
  $\{x := t\}\,x \leadsto t$
  $\{o.a := t\}\,y \leadsto y$

Application on attributes
  $\{o.a := t\}\,o.a \leadsto t$
  $\{o.a := t\}\,u.a \leadsto (\{o.a := t\}u \doteq o).a \mapsto t$

Application stops before modal operators, e.g.
  $\{o.a := t\}\langle \ldots \rangle F \leadsto \{o.a := t\}\langle \ldots \rangle F$  (no rewriting takes place)

Application is shoved over operators to the subformulas (terms)
  $\{o.a := t\}(F \wedge \Psi) \leadsto \{o.a := t\}F \wedge \{o.a := t\}\Psi$

Example
  $\{o.a := o\}\,o.a.a.b$
  $\leadsto (\{o.a := o\}\,o.a.a).b$
  $\leadsto ((\{o.a := o\}\,o.a \doteq o).a \mapsto o).b$
  $\leadsto ((o \doteq o).a \mapsto o).b$
  $\leadsto o.b$
Parallel Updates

Computing update followed by update

$$\{l_1 := r_1\}\{l_2 := r_2\} \;=\; \{\,\{l_1 := r_1\},\ \{(\{l_1 := r_1\}\#l_2) := \{l_1 := r_1\}r_2\}\,\}$$

i.e. the parallel update consisting of $l_1 := r_1$ and $(\{l_1 := r_1\}\#l_2) := \{l_1 := r_1\}r_2$, where

$$\mathcal{U}\#l = \begin{cases} x & \text{if } l = x \text{ is a program variable} \\ (\mathcal{U}u).a & \text{if } l = u.a \end{cases}$$

Results in parallel update: $\{l_1 := v_1, \ldots, l_n := v_n\}$

Semantics
- All $l_i$ and $v_i$ computed in the old state
- All updates done simultaneously
- If conflict $l_i = l_j$, $v_i \neq v_j$: later update wins
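The update-application rules of this slide and the preceding one, as an added example (my code, not KeY's): a syntactic rewriter over a constructed term representation that applies `{loc := val}` to a term, producing a conditional term for the aliasing case `{o.a := t}u.a`, simplifying syntactically decided guards as in the `o.a.a.b` example, and composing two sequential updates into one parallel update via the `#` operation. The tuple encoding and the names `apply`, `simplify` and `compose` are assumptions of this example.

```python
# Constructed term representation (mine, not KeY's): a term is an int literal, ('var', x),
# ('attr', obj, 'a') for obj.a, or ('cond', t1, t2, e, s) for the conditional term
# (s[t1 = t2] |-> e), which denotes e when t1 and t2 are the same object and s otherwise.

def apply(loc, val, term):
    """Apply the update {loc := val} to a side-effect-free term, rule by rule as on the
    slide 'Application of updates'. loc is ('var', x) or ('attr', o, 'a')."""
    if not isinstance(term, tuple):
        return term                                 # literals are rigid
    kind = term[0]
    if kind == 'var':
        return val if term == loc else term         # {x := t}x -> t,  {x := t}y -> y
    if kind == 'attr':
        obj = apply(loc, val, term[1])              # rewrite the object reference u first
        new = ('attr', obj, term[2])
        if loc[0] != 'attr' or loc[2] != term[2]:
            return new                              # {x := t}u.a, or an unrelated attribute
        if obj == loc[1]:
            return val                              # {o.a := t}o.a -> t
        return ('cond', obj, loc[1], val, new)      # {o.a := t}u.a -> (u' = o).a |-> t
    if kind == 'cond':                              # push the update into every subterm
        return ('cond',) + tuple(apply(loc, val, sub) for sub in term[1:])
    raise ValueError(f'unknown term {term!r}')

def simplify(term):
    """Resolve conditional terms whose guard is syntactically decided, e.g. (o = o).a |-> o."""
    if not isinstance(term, tuple):
        return term
    if term[0] == 'attr':
        return ('attr', simplify(term[1]), term[2])
    if term[0] == 'cond':
        t1, t2, e, s = (simplify(x) for x in term[1:])
        return e if t1 == t2 else ('cond', t1, t2, e, s)
    return term

def compose(u1, u2):
    """{l1 := r1}{l2 := r2} as one parallel update [(l1, r1), (U1 # l2, U1 r2)] with
    U1 = {l1 := r1}, as on the slide 'Parallel Updates'. The list order is the priority
    order: on a clash of locations the later pair wins."""
    (l1, r1), (l2, r2) = u1, u2
    sharp = l2 if l2[0] == 'var' else ('attr', apply(l1, r1, l2[1]), l2[2])  # U1 # l2
    return [(l1, r1), (sharp, apply(l1, r1, r2))]

O, U, T = ('var', 'o'), ('var', 'u'), ('var', 't')
# {o.a := o} o.a.a.b  ->  o.b  (the slide's example)
SLIDE_EXAMPLE = simplify(apply(('attr', O, 'a'), O, ('attr', ('attr', ('attr', O, 'a'), 'a'), 'b')))
# {o.a := t} u.a  ->  (u = o).a |-> t : the aliasing case split is delayed into the term
ALIAS_EXAMPLE = apply(('attr', O, 'a'), T, ('attr', U, 'a'))
```

`compose((x, o), (x.a, 5))` shows why `#` is needed: the location `x.a` of the second update is resolved to `o.a` using the first update, while the attribute name is left alone.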
Quantifying over Program Variables

Cannot quantify over program variables (non-rigid constants)

Not allowed: $\forall\, i{:}int\ (\langle \ldots(i) \rangle F)$  (quantifying over the program variable $i$)
Not allowed: $\forall\, n\ (\langle \ldots(n) \rangle F)$  (the logical variable $n$ occurs inside the program)

Solution: $\forall\, n\ (\{i := n\}\langle \ldots(i) \rangle F)$
Abrupt Changes of the Control Flow

Abrupt Termination: Redirection of the control flow by ... or ...

  $\langle \texttt{try \{ a = a / b; a = a + 1; \} catch (Exception e) \{\ldots\} finally \{\ldots\}} \rangle F$

Decomposition rule not applicable: the statements inside the try block cannot simply be split off from the block that guards them.

Solution: The rules work on the first active statement

$$\frac{\Gamma \vdash \langle \mathit{prefix}\ \ stmnt';\ \omega \rangle F,\ \Delta}{\Gamma \vdash \langle \mathit{prefix}\ \ stmnt;\ \omega \rangle F,\ \Delta}$$

where $\mathit{prefix}$ is the non-active prefix (here the opening of the try block) and $\omega$ the rest of the program.
Catch Thrown Exception

Rule

$$\frac{\Gamma \vdash \langle \texttt{if (exc instanceof Exception) \{ try \{ e = exc; q \} finally \{ r \} \} else \{ r throw exc; \}} \rangle F,\ \Delta}{\Gamma \vdash \langle \texttt{try \{ throw exc; p \} catch (Exception e) \{ q \} finally \{ r \}} \rangle F,\ \Delta}$$

The thrown object `exc` is tested against the type of the catch clause: if it matches, the catch block `q` runs with `e` bound to `exc`, followed by the finally block `r`; otherwise `r` runs and the exception is re-thrown. In both cases the statements `p` following the throw are discarded.