Checking correctness properties of object-oriented programs


  1. Checking correctness properties of object-oriented programs
     K. Rustan M. Leino, Microsoft Research, Redmond, WA
     Lecture 2, EEF summer school on Specification, Refinement, and Verification, 20 Aug 2002, Turku, Finland

  2. Example: union-find
     class UnionFind <: Object
       field nClasses, nElements, …
       method UnionFind :: init(uf, size)
         requires 0 <= size
         modifies uf.nClasses, uf.nElements, …
         ensures uf.nClasses = uf.nElements = size
       method UnionFind :: find(uf, c) returns (r)
         requires 0 <= c < uf.nElements
         ensures 0 <= r < uf.nClasses
       method UnionFind :: union(uf, c, d)
         requires 0 <= c < uf.nElements /\ 0 <= d < uf.nElements
         modifies uf.nClasses
         ensures uf.nClasses = uf.nClasses0 \/ uf.nClasses = uf.nClasses0 - 1
     (uf.nClasses0 denotes the value of uf.nClasses on entry to union; the bounds on c and d are the same element range as in find, i.e. strictly below uf.nElements.)

  3. Example, client
     var uf, r0, r1, r2 in
       uf := new(UnionFind);
       uf.init(12);
       uf.union(3, 8);
       uf.union(8, 6);
       uf.union(10, 11);
       r0 := uf.find(3);
       r1 := uf.find(5);
       r2 := uf.find(6);
       assert r0 ≠ r1;
       assert r0 = r2
     end

  4. Example, implementation
     class StandardUnionFind <: UnionFind
       mimpl StandardUnionFind :: find(uf, c) returns (r) is …
     class FastUnionFind <: UnionFind
       mimpl FastUnionFind :: find(uf, c) returns (r) is …
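The contract of slide 2 and the client of slide 3, as an added example in Python that is not code from the lecture: every requires and ensures clause is checked at runtime, a snapshot of the pre-state plays the role of nClasses0, and a parent array is the hypothetical representation behind find (the contract itself mentions only nClasses and nElements). The dense numbering of classes in find is an assumption made so that the result lies in [0, nClasses) as the postcondition demands.

```python
from typing import Callable


class UnionFind:
    """Runtime-checked version of the slide 2 contract (added example).

    The parent array is a hypothetical representation; the contract only
    mentions nClasses and nElements.
    """

    def __init__(self, size: int) -> None:
        # method UnionFind :: init(uf, size)
        assert 0 <= size, "requires 0 <= size"
        self.n_elements = size
        self.n_classes = size
        self._parent = list(range(size))
        assert self.n_classes == self.n_elements == size, "ensures nClasses = nElements = size"

    def _root(self, c: int) -> int:
        while self._parent[c] != c:
            c = self._parent[c]
        return c

    def find(self, c: int) -> int:
        # method UnionFind :: find(uf, c) returns (r)
        assert 0 <= c < self.n_elements, "requires 0 <= c < uf.nElements"
        root = self._root(c)
        # Assumption: classes are numbered densely by the rank of their root
        # among all roots, so r lands in [0, nClasses) as the ensures demands.
        r = sum(1 for i in range(root) if self._parent[i] == i)
        assert 0 <= r < self.n_classes, "ensures 0 <= r < uf.nClasses"
        return r

    def union(self, c: int, d: int) -> None:
        # method UnionFind :: union(uf, c, d)
        assert 0 <= c < self.n_elements and 0 <= d < self.n_elements, "requires"
        n_classes0 = self.n_classes   # pre-state value, the nClasses0 of the ensures
        rc, rd = self._root(c), self._root(d)
        if rc != rd:
            self._parent[max(rc, rd)] = min(rc, rd)
            self.n_classes -= 1
        assert self.n_classes in (n_classes0, n_classes0 - 1), \
            "ensures nClasses = nClasses0 \\/ nClasses = nClasses0 - 1"


def client() -> tuple[int, int, int]:
    # The slide 3 client, with its two asserts checked against this implementation.
    uf = UnionFind(12)
    uf.union(3, 8)
    uf.union(8, 6)
    uf.union(10, 11)
    r0, r1, r2 = uf.find(3), uf.find(5), uf.find(6)
    assert r0 != r1
    assert r0 == r2
    return r0, r1, r2


def violates_contract(thunk: Callable[[], object]) -> bool:
    """True if running thunk trips a requires or ensures check."""
    try:
        thunk()
    except AssertionError:
        return True
    return False


if __name__ == "__main__":
    print(client())                                           # (3, 5, 3)
    print(violates_contract(lambda: UnionFind(12).find(12)))  # True
```

The client's two asserts hold on this implementation, but nothing in the slide 2 contract relates the results of find to the earlier union calls (it constrains only nClasses), so they cannot be proved from the contract alone; the slide is deliberately silent about the representation, which is the gap that data abstraction, listed on slide 21, closes.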

  5. null
     • istype(o, T) ≡ o = null \/ typeof(o) <: T
     • x.f := E ≡ assert x ≠ null ; f[x] := E

  6. Type casts
     • x := typecast(E, T) ≡ assert istype(E, T) ; x := E

  7. Example: binary method
     class T <: Object
       method T :: equal(x, y) returns (b)
         requires typeof(x) = typeof(y)
     class U <: T
       mimpl U :: equal(x, y) returns b is
         var yy in
           yy := typecast(y, U);
           // compare x and yy …
         end

  8-9. Types of parameters
     method OutputStream :: putText(wr, s) …
     method T :: print(t, wr)
       requires istype(wr, OutputStream)
     Written with parameter types:
     method print(t: T, wr: OutputStream) …

  10. Types of fields
     field T :: f: U      // class T { … f: U … }
     (∀ f, T, U :: isField(f, T, U) ==> (∀ o :: istype(f[o], U)))
  11-12. Types of fields
     field T :: f: U      // class T { … f: U … }
     (∀ f, T, U :: isField(f, T, U) ==> (∀ o :: istype(o, T) ==> istype(f[o], U)))
     Initially: assume isField(f, T, U)
     havoc f ≡ havoc f ; assume isField(f, T, U)

  13. More about allocation
     • initially, for every parameter x: assume alloc[x]
     • mimpl T :: m(x) is
         var y in
           y := new(T);
           assert x ≠ y
         end

  14-15. Even more about allocation
     • mimpl T :: m(x) is
         var y in
           y := new(T);
           assert x.f ≠ y
         end
     • isField(f, T, U, a) ≡ … /\ (∀ o :: a[o] ==> a[f[o]])
     • whenever f or alloc is changed: assume isField(f, T, U, alloc)
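An executable model of the translation in slides 5 to 15, added here as an example and not code from the lecture, in Python: Python classes stand in for the `<:` hierarchy, each field f is a global map `FIELDS[f]` (the slides' f[o]), `ALLOC` is the alloc set, and each `assert` the translation introduces becomes a Python assert, so a proof obligation that would fail raises AssertionError. The declared fields `T :: f: T` and `U :: key: int`, the method `m`, and the `key` comparison inside `U :: equal` are assumptions made for the demonstration.

```python
"""Model of slides 5-15: istype with null, typecast, field typing, alloc.

Added example, not the lecture's code.  Assumptions: Python classes model the
`<:` hierarchy, FIELDS[f][o] models f[o], ALLOC models alloc, and the field
declarations T :: f: T and U :: key: int are invented for the demonstration.
"""

NULL = None


class Object: ...
class T(Object): ...
class U(T): ...


FIELD_DECL: dict[str, tuple[type, type]] = {"f": (T, T), "key": (U, int)}
FIELDS: dict[str, dict] = {}   # FIELDS[f][o] models f[o]
ALLOC: set = set()             # o in ALLOC models alloc[o]


def typeof(o):
    return type(o)


def istype(o, C) -> bool:
    # istype(o, T) == (o = null \/ typeof(o) <: T)   (slide 5): null has every type
    return o is NULL or issubclass(typeof(o), C)


def typecast(e, C):
    # x := typecast(E, T)  ==  assert istype(E, T); x := E   (slide 6)
    assert istype(e, C), f"typecast to {C.__name__} fails"
    return e


def ref_ok(o, v) -> bool:
    # (forall o :: alloc[o] ==> alloc[f[o]]), for reference-valued fields (slide 15)
    return o not in ALLOC or not isinstance(v, Object) or v in ALLOC


def check_heap() -> None:
    # slide 15 says "assume isField(f, T, U, alloc)" after every change to f or
    # alloc; this model checks it instead, so a broken heap is reported
    for f, m in FIELDS.items():
        owner, ftype = FIELD_DECL[f]
        for o, v in m.items():
            assert not istype(o, owner) or istype(v, ftype)   # slide 11 axiom
            assert ref_ok(o, v)                               # slide 15 conjunct


def new(C):
    # y := new(C): a fresh object becomes allocated; its fields are all null
    o = C()
    assert o not in ALLOC
    ALLOC.add(o)
    check_heap()
    return o


def read_field(x, f):
    assert x is not NULL, "null dereference"
    return FIELDS.get(f, {}).get(x, NULL)


def write_field(x, f, e) -> None:
    # x.f := E  ==  assert x != null; f[x] := E   (slide 5), and the assignment
    # must preserve isField(f, T, U, alloc), checked before the write happens
    assert x is not NULL, "null dereference"
    owner, ftype = FIELD_DECL[f]
    assert istype(x, owner), f"{f} is not a field of {typeof(x).__name__}"
    assert istype(e, ftype), f"{f} := E would violate istype(f[x], U)"
    assert ref_ok(x, e), f"{f} := E would point an allocated object at an unallocated one"
    FIELDS.setdefault(f, {})[x] = e
    check_heap()


def equal(x, y) -> bool:
    # method T :: equal(x, y) returns (b)  requires typeof(x) = typeof(y)  (slide 7)
    assert typeof(x) == typeof(y), "requires typeof(x) = typeof(y)"
    return u_equal(x, y) if isinstance(x, U) else x is y


def u_equal(x, y) -> bool:
    # mimpl U :: equal: the cast cannot fail, the precondition gives typeof(y) = U
    yy = typecast(y, U)
    return read_field(x, "key") == read_field(yy, "key")


def m(x):
    # mimpl T :: m(x) is var y in y := new(T); assert x != y; assert x.f != y end
    assert x in ALLOC, "initially, for every parameter x: assume alloc[x]"
    y = new(T)
    assert x is not y                    # slide 13: y is fresh, x was allocated
    assert read_field(x, "f") is not y   # slide 14: x.f was allocated before y existed
    return y


def fails(thunk) -> bool:
    """True if the translated program hits a failing assert."""
    try:
        thunk()
    except AssertionError:
        return True
    return False
```

Calling `equal(u, t)` with a T-typed second argument fails at the typeof precondition rather than inside the cast, which is why slide 7 puts that precondition on T :: equal; and storing an object created with a bare `T()` (never passed through `new`) into an allocated object's field fails the slide 15 conjunct, which is exactly the fact that makes `assert x.f ≠ y` on slide 14 provable.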

  16. Exercise
     • Prove the following program correct:
       method p(x) modifies x.f
       method m(x) modifies x.f
       mimpl m(x) is
         var y in
           x.p();
           y := new(T);
           assert x.f ≠ y
         end

  17. Strengthening specifications
     class T <: Object
       method T :: m(x, y, z) requires P modifies w ensures Q
     class U <: T
       method U :: m(x, y, z) requires P modifies w ensures Q /\ R
     … u.m(y, z) ; assert R … ?

  18. Strengthening specifications
     class T <: Object
       method T :: m(x, y, z) returns (r) requires P modifies w ensures Q
     class U <: T
       method U :: n(x, y, z) returns (r) requires P modifies w ensures Q /\ R
       mimpl U :: m(x, y, z) is r := x.n(y, z)
     … r := u.n(y, z) ; assert R …

  19. Modifies and objects
     • modifies x.f ≡ modifies f ensures (∀ o :: o.f = o.f0 \/ o = x)
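The frame condition of slide 19 as a runtime check, added here as an example and not taken from the lecture, in Python: the heap is a dict of field maps `heap[f][o]` (the slides' f[o]) over hashable object names, and a method body is a callable that mutates that heap in place. The sample heap and the three bodies are constructed for the demonstration.

```python
"""Runtime check of `modifies x.f` read as on slide 19 (added example).

Assumptions: heap[f][o] models f[o], objects are any hashable values, and a
method body is a callable that mutates the heap in place.
"""


def satisfies_modifies(heap: dict, x, f: str, body) -> bool:
    """Run body(heap) and check `modifies x.f`, i.e. `modifies f` together
    with `ensures (forall o :: o.f = o.f0 \\/ o = x)`: every field other than
    f is untouched, and within f only x's entry may differ from the 0-state."""
    before = {g: dict(m) for g, m in heap.items()}   # the 0-state, o.f0
    body(heap)
    for g in set(before) | set(heap):
        if g != f and before.get(g, {}) != heap.get(g, {}):
            return False   # wrote a field outside `modifies f`
    for o in set(before.get(f, {})) | set(heap.get(f, {})):
        if o != x and before.get(f, {}).get(o) != heap.get(f, {}).get(o):
            return False   # o.f != o.f0 for some o != x
    return True


def sample_heap() -> dict:
    # Constructed heap: objects "x" and "y", each with fields f and g.
    return {"f": {"x": 0, "y": 0}, "g": {"x": 0, "y": 0}}


def honest(heap) -> None:
    heap["f"]["x"] = 1      # permitted by modifies x.f


def touches_other_object(heap) -> None:
    heap["f"]["x"] = 1
    heap["f"]["y"] = 1      # y.f != y.f0 with y != x: frame violation


def touches_other_field(heap) -> None:
    heap["g"]["x"] = 1      # g is not in the modifies clause at all


if __name__ == "__main__":
    for body in (honest, touches_other_object, touches_other_field):
        print(body.__name__, satisfies_modifies(sample_heap(), "x", "f", body))
```

The check is the post-state test a verifier discharges symbolically: the `modifies f` part is the comparison of every other field map, and the quantified ensures is the loop over f's entries with x exempted.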

  20. Exercise
     class T <: Object
       field f
       method T :: m(x, y, z) requires P modifies x.f ensures Q
     class U <: T
       field g
       method U :: m(x, y, z) requires P modifies x.f, x.g ensures Q
     ?

  21. What else is missing?
     • Data abstraction
     • Information hiding
     • Programming methodology
     • …

  22. References
     • K. Rustan M. Leino. Toward Reliable Modular Programs. PhD thesis, California Institute of Technology. Technical Report Caltech-CS-TR-95-03, Caltech, 1995.
     • K. Rustan M. Leino. "Ecstatic: An object-oriented programming language with an axiomatic semantics". In Foundations of Object-Oriented Languages (FOOL 4), http://www.cis.upenn.edu/~bcpierce/FOOL//index.html, 1997.
     • K. Rustan M. Leino and Greg Nelson. Data abstraction and information hiding. Research Report 160, Compaq SRC, Nov. 2000. To appear in TOPLAS.
     • K. Rustan M. Leino. "Data groups: Specifying the modification of extended state". In OOPSLA '98, pp. 144-153, ACM, 1998.
