Checking correctness properties of object-oriented programs

K. Rustan M. Leino, Microsoft Research, Redmond, WA

Lecture 2, EEF summer school on Specification, Refinement, and Verification, 20 Aug 2002, Turku, Finland

Example: union-find

class UnionFind <: Object

field nClasses, nElements, …

method UnionFind :: init(uf, size)
  requires 0 <= size
  modifies uf.nClasses, uf.nElements, …
  ensures uf.nClasses = uf.nElements = size

method UnionFind :: find(uf, c) returns (r)
  requires 0 <= c < uf.nElements
  ensures 0 <= r < uf.nClasses

method UnionFind :: union(uf, c, d)
  requires 0 <= c < uf.nElements /\ 0 <= d < uf.nElements
  modifies uf.nClasses
  ensures uf.nClasses = uf.nClasses0 \/ uf.nClasses = uf.nClasses0 - 1

(uf.nClasses0 denotes the value of uf.nClasses in the pre-state; union takes the receiver uf as its first parameter like the other methods, and its bounds on c and d match those of find.)

Example, client

var uf, r0, r1, r2 in
  uf := new(UnionFind);
  uf.init(12);
  uf.union(3, 8); uf.union(8, 6); uf.union(10, 11);
  r0 := uf.find(3); r1 := uf.find(5); r2 := uf.find(6);
  assert r0 ≠ r1;
  assert r0 = r2
end

(The receiver notation uf.m(…) abbreviates a call of UnionFind :: m with uf as the first argument.)

Example, implementation

class StandardUnionFind <: UnionFind

mimpl StandardUnionFind :: find(uf, c) returns (r) is …

class FastUnionFind <: UnionFind

mimpl FastUnionFind :: find(uf, c) returns (r) is …
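The specification and client from the three slides above, made executable in Python. This is an added example, not code from the lecture: the requires/ensures clauses become runtime checks through a contract decorator, and the two implementations named on the slide get the usual parent-array forest (StandardUnionFind with plain root search, FastUnionFind with path halving). The parent array, the root method, the contract decorator and the reading of find's postcondition (r is a class number in 0..nClasses-1, realised here as the representative's rank among the current roots) are this example's assumptions; the signatures and clauses are the slides'.

```python
import functools


class ContractError(AssertionError):
    """Raised when a requires or ensures clause from the specification fails."""


def contract(requires=None, ensures=None):
    """Turn the slide's requires/ensures into runtime checks (assumed helper).

    The ensures predicate receives the pre-state value of nClasses so that it
    can refer to nClasses0, the slide's notation for that value."""
    def deco(method):
        @functools.wraps(method)
        def wrapper(uf, *args):
            if requires is not None and not requires(uf, *args):
                raise ContractError(f"requires of {method.__name__} violated for {args}")
            nClasses0 = uf.nClasses
            r = method(uf, *args)
            if ensures is not None and not ensures(uf, nClasses0, r, *args):
                raise ContractError(f"ensures of {method.__name__} violated")
            return r
        return wrapper
    return deco


class UnionFind:
    """Carries the specification; subclasses supply the 'mimpl' of root/find."""

    def __init__(self):
        self.nClasses = self.nElements = 0
        self.parent = []            # assumed representation, not on the slides

    @contract(requires=lambda uf, size: 0 <= size,
              ensures=lambda uf, n0, r, size: uf.nClasses == uf.nElements == size)
    def init(self, size):
        self.nClasses = self.nElements = size
        self.parent = list(range(size))

    def root(self, c):
        raise NotImplementedError   # provided by the subclasses below

    @contract(requires=lambda uf, c: 0 <= c < uf.nElements,
              ensures=lambda uf, n0, r, c: 0 <= r < uf.nClasses)
    def find(self, c):
        # The postcondition bounds r by nClasses, so find returns a class
        # number: the representative's position among the current roots.
        rep = self.root(c)
        return sum(1 for o in range(self.nElements) if self.parent[o] == o and o < rep)

    @contract(requires=lambda uf, c, d: 0 <= c < uf.nElements and 0 <= d < uf.nElements,
              ensures=lambda uf, n0, r, c, d: uf.nClasses in (n0, n0 - 1))
    def union(self, c, d):
        rc, rd = self.root(c), self.root(d)
        if rc != rd:                # merging two classes drops nClasses by one
            self.parent[rd] = rc
            self.nClasses -= 1


class StandardUnionFind(UnionFind):
    def root(self, c):
        while self.parent[c] != c:
            c = self.parent[c]
        return c


class FastUnionFind(UnionFind):
    def root(self, c):
        # path halving: rewrites parent links but keeps the same set of roots,
        # so every contract above still holds
        while self.parent[c] != c:
            self.parent[c] = self.parent[self.parent[c]]
            c = self.parent[c]
        return c


def client(cls):
    """The program from the 'Example, client' slide, run against cls."""
    uf = cls()
    uf.init(12)
    uf.union(3, 8); uf.union(8, 6); uf.union(10, 11)
    r0, r1, r2 = uf.find(3), uf.find(5), uf.find(6)
    assert r0 != r1
    assert r0 == r2
    return (uf.nClasses, r0, r1, r2)


def precondition_violation(cls):
    """find(12) on a 12-element structure is rejected by the requires clause."""
    uf = cls()
    uf.init(12)
    try:
        uf.find(12)
    except ContractError:
        return True
    return False
```

Both implementations satisfy the same specification, which is the point of separating the method declaration in UnionFind from the mimpl in each subclass; the client's two asserts hold at run time, although the clauses as written are not strong enough to prove them, which is what the later slides on data abstraction are about.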

null
  • istype(o, T)  ≡  o = null \/ typeof(o) <: T
  • x.f := E  ≡  assert x ≠ null ; f[x] := E

Type casts
  • x := typecast(E, T)  ≡  assert istype(E, T) ; x := E

(Because istype admits null for every T, a cast of null always succeeds; the null check happens at the field access, not at the cast.)
Example: binary method

class T <: Object

method T :: equal(x, y) returns (b)
  requires typeof(x) = typeof(y)

class U <: T

mimpl U :: equal(x, y) returns (b) is
  var yy in
    yy := typecast(y, U);
    // compare x and yy …
  end

(The precondition is what makes the cast provable inside U's implementation: there x is a U, so typeof(y) = typeof(x) <: U and istype(y, U) holds.)

Types of parameters

method OutputStream :: putText(wr, s) …

method T :: print(t, wr)
  requires istype(wr, OutputStream)

A parameter type is sugar for such a precondition:

method print(t: T, wr: OutputStream) …

Types of fields

field T :: f: U // class T { … f: U … }

First formulation:

(∀ f, T, U :: isField(f, T, U) ≡ (∀ o :: istype(f[o], U)))

Refined to quantify only over objects of the declaring class T:

(∀ f, T, U :: isField(f, T, U) ≡ (∀ o :: istype(o, T) ==> istype(f[o], U)))

Initially: assume isField(f, T, U)

havoc f  ≡  havoc f ; assume isField(f, T, U)

More about allocation
  • initially, for every parameter x: assume alloc[x]
  • mimpl T :: m(x) is
      var y in y := new(T); assert x ≠ y end
    (x ≠ y follows: x was allocated on entry, y is the object new just allocated)

Even more about allocation
  • mimpl T :: m(x) is
      var y in y := new(T); assert x.f ≠ y end
    (this one also needs x.f to be allocated, so allocation is added to isField)
  • isField(f, T, U, a)  ≡  … /\ (∀ o :: a[o] ==> a[f[o]])
  • whenever f or alloc is changed: assume isField(f, T, U, alloc)
Exercise
  • Prove the following program correct:
      method p(x) modifies x.f
      method m(x) modifies x.f
      mimpl m(x) is
        var y in x.p(); y := new(T); assert x.f ≠ y end
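An executable model of the rules on the null, type cast, field typing and allocation slides, written as an added example rather than code from the lecture: istype admits null, typecast is an assert, x.f := E asserts x ≠ null, new returns an object that was not allocated, and isField(f, T, U, alloc) ties the type and the allocation of f[o] to o. The class hierarchy Object/T/U, the single field f, the treatment of null as allocated, the rollback of a rejected store, and the programs in check_rules (including the exercise, with x.p() modelled as a havoc of x.f to some allocated U) are this example's assumptions.

```python
class Obj:
    """A heap object; its class name plays the role of typeof(o)."""
    counter = 0

    def __init__(self, cls):
        Obj.counter += 1
        self.cls, self.id = cls, Obj.counter

    def __repr__(self):
        return f"{self.cls}#{self.id}"


# the subtype relation '<:' as a parent map (assumed class hierarchy)
PARENT = {"Object": None, "T": "Object", "U": "T"}


def subtype(s, t):
    while s is not None:
        if s == t:
            return True
        s = PARENT[s]
    return False


def istype(o, t):
    """istype(o, T) ≡ o = null \\/ typeof(o) <: T   (null is None here)"""
    return o is None or subtype(o.cls, t)


def typecast(e, t):
    """x := typecast(E, T) ≡ assert istype(E, T) ; x := E"""
    assert istype(e, t), f"typecast({e}, {t}) fails"
    return e


class Heap:
    """alloc as a set, and each field as a map f[o], as on the slides."""

    def __init__(self, fields):
        self.alloc = set()
        self.decl = dict(fields)                 # f -> (T, U) for 'field T :: f: U'
        self.f = {name: {} for name in fields}

    def new(self, cls):
        """new(T): an object not allocated before the call; its fields start null."""
        o = Obj(cls)
        assert o not in self.alloc
        self.alloc.add(o)
        for m in self.f.values():
            m[o] = None
        return o

    def is_field(self, name):
        """isField(f, T, U, alloc): istype(o, T) ==> istype(f[o], U), and
        alloc[o] ==> alloc[f[o]]; null is taken as allocated (assumption)."""
        T, U = self.decl[name]
        for o, v in self.f[name].items():
            if istype(o, T) and not istype(v, U):
                return False
            if o in self.alloc and v is not None and v not in self.alloc:
                return False
        return True

    def set(self, x, name, e):
        """x.f := E ≡ assert x ≠ null ; f[x] := E, then the isField assumption
        is re-established; a store that would break it is undone and rejected."""
        assert x is not None, "null dereference"
        old = self.f[name][x]
        self.f[name][x] = e
        if not self.is_field(name):
            self.f[name][x] = old
            raise AssertionError(f"isField({name}) violated by {x}.{name} := {e}")

    def get(self, x, name):
        assert x is not None, "null dereference"
        return self.f[name][x]


def fails(fn):
    """True iff fn() trips one of the asserts above."""
    try:
        fn()
    except AssertionError:
        return True
    return False


def check_rules():
    """Run the rules on a constructed heap; returns each observed outcome."""
    h = Heap({"f": ("T", "U")})              # field T :: f: U
    x, u = h.new("T"), h.new("U")
    outcomes = {
        "cast_U_to_T_ok": typecast(u, "T") is u,
        "cast_null_ok": typecast(None, "U") is None,
        "cast_T_to_U_fails": fails(lambda: typecast(x, "U")),
        "null_store_fails": fails(lambda: h.set(None, "f", u)),
        "ill_typed_store_fails": fails(lambda: h.set(u, "f", h.new("T"))),
        "unallocated_store_fails": fails(lambda: h.set(x, "f", Obj("U"))),
    }
    # the exercise: x.p() may change x.f, but only to an allocated object
    # (isField with alloc); y := new(T) is fresh, hence x.f ≠ y
    h.set(x, "f", u)
    y = h.new("T")
    outcomes["exercise_x_f_ne_y"] = h.get(x, "f") is not y
    return outcomes
```

The last step is the informal argument the exercise asks for: whatever x.p() does to f, the re-assumed isField(f, T, U, alloc) says f[x] is allocated, and new(T) returns something that was not, so the two cannot be the same object.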
Strengthening specifications

class T <: Object

method T :: m(x, y, z) requires P modifies w ensures Q

class U <: T

method U :: m(x, y, z) requires P modifies w ensures Q /\ R

… u.m(y, z) ; assert R …

? (may U redeclare m with the stronger postcondition, and may a caller of u.m rely on R?)

Strengthening specifications (continued)

class T <: Object

method T :: m(x, y, z) returns (r) requires P modifies w ensures Q

class U <: T

method U :: n(x, y, z) returns (r) requires P modifies w ensures Q /\ R

mimpl U :: m(x, y, z) is r := x.n(y, z)

… r := u.n(y, z) ; assert R …

(Instead of redeclaring m, U declares a new method n with the stronger specification and implements m by calling n; a caller that needs R calls n.)

Modifies and objects
  • modifies x.f  ≡  modifies f  ensures (∀ o :: o.f = o.f0 \/ o = x)
Exercise

class T <: Object

field f

method T :: m(x, y, z) requires P modifies x.f ensures Q

class U <: T

field g

method U :: m(x, y, z) requires P modifies x.f, x.g ensures Q

? (U's version wants to write x.g, which T's modifies clause does not cover, so a caller reasoning from T :: m may assume x.g is unchanged; the data groups paper in the references addresses this problem)
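Frame checking for the reading of modifies on the 'Modifies and objects' slide (modifies x.f ≡ modifies f, ensures (∀ o :: o.f = o.f0 \/ o = x)), applied to the exercise above, as an added example that is not code from the lecture. Field maps are dicts f[o]; the objects 'a' and 'b', the bodies of T :: m and U :: m, the FrameError type and the constructed heap are assumptions. A method body runs against a snapshot of every field map, and each (o, f) that changed must be licensed by the declared modifies clause, which turns the '?' on the slide into a detectable violation when U's implementation is dispatched under T's specification.

```python
class FrameError(Exception):
    """A field changed that the modifies clause does not license."""

    def __init__(self, where):
        super().__init__(f"{where[0]}.{where[1]} changed outside the modifies clause")
        self.where = where


def run_with_frame(heap, modifies, body, *args):
    """heap: {field: {obj: value}}; modifies: set of (obj, field) pairs.

    Runs body(heap, *args), then enforces o.f = o.f0 for every (o, f) outside
    'modifies', i.e. the ensures clause the slide desugars 'modifies x.f' into."""
    before = {f: dict(m) for f, m in heap.items()}
    result = body(heap, *args)
    for f, m in heap.items():
        # deterministic order: objects present before, then newly added ones
        objects = list(before[f]) + [o for o in m if o not in before[f]]
        for o in objects:
            if m.get(o) != before[f].get(o) and (o, f) not in modifies:
                raise FrameError((o, f))
    return result


def spec_T_m(x, y, z):
    """method T :: m(x, y, z) modifies x.f"""
    return {(x, "f")}


def T_m(heap, x, y, z):
    """An implementation of T :: m that stays inside modifies x.f (assumed body)."""
    heap["f"][x] = y + z
    return heap["f"][x]


def T_m_sloppy(heap, x, y, z):
    """Writes f of another object: allowed by a bare 'modifies f', not by 'modifies x.f'."""
    other = next(o for o in heap["f"] if o != x)
    heap["f"][other] = y + z
    heap["f"][x] = y + z
    return heap["f"][x]


def U_m(heap, x, y, z):
    """U's version from the exercise: also writes x.g (assumed body)."""
    heap["f"][x] = y + z
    heap["g"][x] = y * z
    return heap["f"][x]


def fresh_heap():
    """Constructed sample heap: two objects; field f is declared in T, g in U."""
    return {"f": {"a": 0, "b": 0}, "g": {"a": 0, "b": 0}}


def call_under_T_spec(impl, x="a", y=2, z=3):
    """Dispatch impl under the specification of T :: m.

    Returns None when the frame condition holds, else the offending (o, f)."""
    try:
        run_with_frame(fresh_heap(), spec_T_m(x, y, z), impl, x, y, z)
        return None
    except FrameError as err:
        return err.where
```

T_m passes; U_m is caught on x.g, which is exactly the write a caller reasoning from T's clause assumes cannot happen; T_m_sloppy is caught on b.f, showing why 'modifies x.f' is stronger than 'modifies f' alone.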

What else is missing?
  • Data abstraction
  • Information hiding
  • Programming methodology
References
  • K. Rustan M. Leino. Toward Reliable Modular Programs. PhD thesis, California Institute of Technology. Technical Report Caltech-CS-TR-95-03, 1995.
  • K. Rustan M. Leino. "Ecstatic: An object-oriented programming language with an axiomatic semantics". In Foundations of Object-Oriented Languages (FOOL 4), 1997. http://www.cis.upenn.edu/~bcpierce/FOOL//index.html
  • K. Rustan M. Leino and Greg Nelson. "Data abstraction and information hiding". Research Report 160, Compaq SRC, Nov. 2000. To appear in TOPLAS.
  • K. Rustan M. Leino. "Data groups: Specifying the modification of extended state". In OOPSLA '98, pp. 144-153, ACM, 1998.