Checking correctness Checking correctness properties of object-oriented properties of object-oriented

programsprograms

K. Rustan M. LeinoK. Rustan M. LeinoMicrosoft Research, Redmond, WAMicrosoft Research, Redmond, WA

Lecture 2EEF summer school on Specification, Refinement, and Verification20 Aug 2002, Turku, Finland

Example: union-findExample: union-findclass UnionFind <: Object

field nClasses, nElements, …

method UnionFind :: init(uf, size)requires 0 <= sizemodifies uf.nClasses, uf.nElements, …ensures uf.nClasses = uf.nElements = size

method UnionFind :: find(uf, c) returns (r)requires 0 <= c < uf.nElementsensures 0 <= r < uf.nClasses

method UnionFind :: union(c, d)requires 0 <= c <= uf.nElements /\

0 <= d <= uf.nElementsmodifies uf.nClassesensures uf.nClasses = uf.nClasses0 \/

uf.nClasses = uf.nClasses0 - 1

Example, clientExample, clientvar uf, r0, r1, r2 in

uf := new(UnionFind);

uf.init(12);

uf.union(3, 8);uf.union(8, 6);uf.union(10, 11);

r0 := uf.find(3);r1 := uf.find(5);r2 := uf.find(6);

assert r0 ≠ r1;assert r0 = r2

end

Example, implementationExample, implementation

class StandardUnionFind <: UnionFind

mimpl StandardUnionFind :: find(uf, c) returns (r) is …

class FastUnionFind <: UnionFind

mimpl FastUnionFind :: find(uf, c) returns (r) is …

nullnull istype(o, T) istype(o, T)

o = null \/ typeof(o) <: To = null \/ typeof(o) <: T x.f := E x.f := E

assertassert x x ≠≠ null ; null ;f[x] := Ef[x] := E

Type castsType casts x := typecast(E, T)x := typecast(E, T)

assertassert istype(E, T) ; istype(E, T) ;x := Ex := E

Example: binary methodExample: binary methodclass T <: Object

method T :: equal(x, y) returns (b)requires typeof(x) = typeof(y)

class U <: T

mimpl U :: equal(x, y) returns b isvar yy in

yy := typecast(y, U);// compare x and yy …

end

Types of parametersTypes of parameters

method OutputStream :: putText(wr, s) …

method T :: print(t, wr)requires istype(wr, OutputStream)

Types of parametersTypes of parameters

method OutputStream :: putText(wr, s) …

method T :: print(t, wr)requires istype(wr, OutputStream)

method print(t: T, wr: OutputStream) …

Types of fieldsTypes of fields

field T :: f: U // class T { … f: U … }

( f, T, U ::isField(f, T, U)

( o ::istype(f[o], U)))

Types of fieldsTypes of fields

field T :: f: U // class T { … f: U … }

( f, T, U ::isField(f, T, U)

( o :: istype(o, T) ==>istype(f[o], U)))

Types of fieldsTypes of fields

field T :: f: U // class T { … f: U … }

( f, T, U ::isField(f, T, U)

( o :: istype(o, T) ==>istype(f[o], U)))

Initially: assume isField(f, T, U)

havoc f havoc f ;assume isField(f, T, U)

More about allocationMore about allocation initially, for every parameter x:initially, for every parameter x:

assumeassume alloc[x] alloc[x] mimplmimpl T :: m(x) T :: m(x) isis

varvar y y ininy := y := newnew(T);(T);assertassert x x ≠ y≠ y

endend

Even more about allocationEven more about allocation mimplmimpl T :: m(x) T :: m(x) isis

varvar y y ininy := y := newnew(T);(T);assertassert x.f x.f ≠ y≠ y

endend

Even more about allocationEven more about allocation mimplmimpl T :: m(x) T :: m(x) isis

varvar y y ininy := y := newnew(T);(T);assertassert x.f x.f ≠ y≠ y

endend isField(f, T, U, a) isField(f, T, U, a)

… /\… /\(( o :: a[o] ==> a[f[o]] ) o :: a[o] ==> a[f[o]] )

whenever f or alloc is changed:whenever f or alloc is changed:assumeassume isField(f, T, U, alloc) isField(f, T, U, alloc)

ExerciseExercise Prove the following program correct:Prove the following program correct:

methodmethod p(x) p(x) modifiesmodifies x.f x.fmethodmethod m(x) m(x) modifiesmodifies x.f x.f

mimplmimpl m(x) m(x) isisvarvar y y inin

x.p();x.p();y := y := newnew(T);(T);assertassert x.f x.f ≠ y≠ y

endend

Strengthening specificationsStrengthening specifications

class T <: Object

method T :: m(x, y, z) requires P modifies w ensures Q

class U <: T

method U :: m(x, y, z) requires P modifies w ensures Q /\ R

… u.m(y, z) ; assert R …

??

Strengthening specificationsStrengthening specifications

class T <: Object

method T :: m(x, y, z) returns (r)requires P modifies w ensures Q

class U <: T

method U :: n(x, y, z) returns (r)requires P modifies w ensures Q /\ R

mimpl U :: m(x, y, z) is r := x.n(y, z)

… r := u.n(y, z) ; assert R …

Modifies and objectsModifies and objects modifiesmodifies x.f x.f

modifiesmodifies f fensuresensures ( ( o :: o.f = o.f o :: o.f = o.f00 \/ o = \/ o =

x)x)

ExerciseExercise

class T <: Object

field f

method T :: m(x, y, z) requires P modifies x.f ensures Q

class U <: T

field g

method U :: m(x, y, z) requires P modifies x.f, x.g ensures Q ??

What else is missing?What else is missing? Data abstractionData abstraction Information hidingInformation hiding Programming methodologyProgramming methodology ……

ReferencesReferences K. Rustan M. Leino. K. Rustan M. Leino. Toward Reliable Modular ProgramsToward Reliable Modular Programs. .

PhD thesis, California Institute of Technology. Technical PhD thesis, California Institute of Technology. Technical Report Caltech-CS-TR-95-03, Caltech, 1995.Report Caltech-CS-TR-95-03, Caltech, 1995.

K. Rustan M. Leino. “Ecstatic: An object-oriented K. Rustan M. Leino. “Ecstatic: An object-oriented programming language with an axiomatic semantics”. In programming language with an axiomatic semantics”. In Foundations of Object-Oriented Languages (FOOL 4)Foundations of Object-Oriented Languages (FOOL 4), , http://www.cis.upenn.edu/~bcpierce/FOOL//index.html, http://www.cis.upenn.edu/~bcpierce/FOOL//index.html, 1997.1997.

K. Rustan M. Leino and Greg Nelson. K. Rustan M. Leino and Greg Nelson. Data abstraction and Data abstraction and information hidinginformation hiding. Research Report 160, Compaq SRC, . Research Report 160, Compaq SRC, Nov. 2000. To appear in Nov. 2000. To appear in TOPLASTOPLAS..

K. Rustan M. Leino. “Data groups: Specifying the K. Rustan M. Leino. “Data groups: Specifying the modification of extended state”. In modification of extended state”. In OOPSLA ’98OOPSLA ’98, pp. 144-, pp. 144-153, ACM, 1998.153, ACM, 1998.