The usual user input to KeY consists of a Java source file with annotations in JML. Both are translated to KeY's internal representation, dynamic logic. From the given specifications, several proof obligations arise which are to be discharged, i.e. a proof has to be found. To this ends, the program is symbolically executed with the resulting changes to program variables stored in so-called updates. Once the program has been processed completely, there remains a first-order logic proof obligation. At the heart of the KeY system lies a first-order theorem prover based on sequent calculus, which is used to close the proof. Interference rules are captured in so called taclets which consist of an own simple language to describe changes to a sequent.

The theoretical foundation of KeY is a formal logic called Java Card DL. DL stands for Dynamic Logic. It is a version of a first-order dynamic logic tailored to Java Card programs. As such, it for example allows statements (formulas) like ${\displaystyle \phi \rightarrow [\alpha ]\psi }$ , which intuitively says that the post-condition ${\displaystyle \psi }$  must hold in all program states reachable by executing the Java Card program ${\displaystyle \alpha }$  in any state that satisfies the pre-condition ${\displaystyle \phi }$ . This is equivalent to ${\displaystyle \{\phi \}\alpha \{\psi \}}$  in Hoare calculus if ${\displaystyle \phi }$  and ${\displaystyle \psi }$  are purely first order. Dynamic logic, however, extends Hoare logic in that formulas may contain nested program modalities such as ${\displaystyle [\alpha ]}$ , or that quantification over formulas which contain modalities is possible. There is also a dual modality ${\displaystyle \langle \alpha \rangle }$  which includes termination. This dynamic logic can be seen as a special multi-modal logic (with an infinite number of modalities) where for each Java block ${\displaystyle \alpha }$  there are modalities ${\displaystyle [\alpha ]}$  and ${\displaystyle \langle \alpha \rangle }$ .

At the heart of the KeY system lies a first-order theorem prover based on a sequent calculus. A sequent is of the form ${\displaystyle \Gamma \vdash \Delta }$  where ${\displaystyle \Gamma }$  (assumptions) and ${\displaystyle \Delta }$  (propositions) are sets of formulas with the intuitive meaning that ${\displaystyle \bigwedge _{\gamma \in \Gamma }\gamma \rightarrow \bigvee _{\delta \in \Delta }\delta }$  holds true. By means of deduction, an initial sequent representing the proof obligation is shown to be constructible from just fundamental first-order axioms (such as equality ${\displaystyle e\ {\dot {=}}\ e}$ ).

Symbolic execution of Java code Edit

During that, program modalities are eliminated by symbolic execution. For instance, the formula ${\displaystyle x\ {\dot {=}}\ 0\rightarrow [x++;]x\ {\dot {=}}\ 1}$  is logically equivalent to ${\displaystyle x\ {\dot {=}}\ 0\rightarrow x\ {\dot {=}}\ 0}$ . As this example shows, symbolic execution in dynamic logic is very similar to calculating weakest preconditions. Both ${\displaystyle [\alpha ]\psi }$  and ${\displaystyle wp(\alpha ,\psi )}$  essentially denote the same thing – with two exceptions: Firstly, ${\displaystyle wp}$  is a function of some meta-calculus while ${\displaystyle [\alpha ]\psi }$  really is a formula of the given calculus. Secondly, symbolic execution runs through the program forward just as an actual execution would. To save intermediate results of assignments, KeY introduces a concept called updates, which are similar to substitutions but are only applied once the program modality has been eliminated. Syntactically, updates are consist of parallel (side-effect free) assignments written in curly braces in front of a modality. An example of symbolic execution with updates: ${\displaystyle [x=3;x=x+1;]x\ {\dot {=}}\ 4}$  is transformed to ${\displaystyle \{x:=3\}[x=x+1;]x\ {\dot {=}}\ 4}$  in the first step and to ${\displaystyle \{x:=4\}[]x\ {\dot {=}}\ 4}$  in the second step. The modality then is empty and "backwards application" of the update to the postcondition yields a precondition where ${\displaystyle x}$  could take any value.

Example Edit

Suppose one wants to prove that the following method calculates the product of some non-negative integers ${\displaystyle x}$  and ${\displaystyle y}$ .

int foo (int x, int y) {  int z = 0;  while (y > 0)  if (y % 2 == 0) {  x = x*2;  y = y/2;  } else {  y = y/2;  z = z+x;  x = x*2;  }  return z; } 

One thus starts the proof with the premise ${\displaystyle x\geq 0\land y\geq 0}$  and the to-be-shown conclusion ${\displaystyle z\ {\dot {=}}\ x\cdot y}$ . Note that tableaux of sequent calculi are usually written "upside-down", i.e., the starting sequent appears at the bottom and deduction steps go upwards. The proof can be seen in the figure on the right.

Symbolic Execution Debugger Edit

The Symbolic Execution Debugger visualizes the control flow of a program as a symbolic execution tree that contains all feasible execution paths through the program up to a certain point. It is provided as a plugin to the Eclipse development platform.

Test Case Generator Edit

KeY is usable as a model-based testing tool that can generate unit tests for Java programs. The model from which test data and the test case are derived consists of a formal specification (provided in JML) and a symbolic execution tree of the implementation under test which is computed by the KeY system.

KeY is free software written in Java and licensed under GPL. It can be downloaded from the project website in source; currently there are no pre-compiled binaries available. As another possibility, KeY can be executed directly via Java web start without the need for compilation and installation.

KeY-Hoare Edit

KeY-Hoare is built on top of KeY and features a Hoare calculus with state updates. State updates are a means of describing state transitions in a Kripke structure. This calculus can be seen as a subset to the one that is used in the main branch of KeY. Due to the simplicity of the Hoare calculus, this implementation is essentially meant to exemplify formal methods in undergraduate classes.

KeYmaera/KeYmaeraX Edit

KeYmaera [1] (previously called HyKeY) is a deductive verification tool for hybrid systems based on a calculus for the differential dynamic logic dL [2]. It extends the KeY tool with computer algebra systems like Mathematica and corresponding algorithms and proof strategies such that it can be used for practical verification of hybrid systems.

KeYmaera has been developed at the University of Oldenburg and the Carnegie Mellon University. The name of the tool was chosen as a homophone to Chimera, the hybrid animal from ancient Greek mythology.

KeYmaeraX [3] developed at the Carnegie Mellon University is the successor of KeYmaera. It has been completely rewritten.

KeY for C Edit

KeY for C is an adaption of the KeY System to MISRA C, a subset of the C programming language. This variant is no longer supported.

ASMKeY Edit

There is also an adaptation to use KeY for the symbolic execution of Abstract State Machines, that was developed at ETH Zürich. This variant is no longer supported.

• Verification of Object-Oriented Software: The KeY Approach. Bernhard Beckert, Reiner Hähnle, Peter H. Schmitt (Eds.). Springer, 2007. ISBN 978-3-540-68977-5.
• Deductive Software Verification – The KeY Book: From Theory to Practice. Wolfgang Ahrendt, Bernhard Beckert, Richard Bubel, Reiner Hähnle, Peter H. Schmitt, Mattias Ulbrich (Eds.). Springer, 2016. ISBN 978-3-319-49812-6
• A comparison of tools for teaching formal software verification. Ingo Feinerer and Gernot Salzer. Springer, 2008
• Programming With Proofs: Language Based Approaches To Totally Correct Software. Aaron Stump. Verified Software: Theories, Tools, and Experiments, 2005.
• High Assurance (for Security or Safety) and Free-Libre / Open Source Software (FLOSS). David Wheeler, 2009

• Home page of the KeY project
• KeYmaera home page
• KeYmaeraX home page