Checking correctness properties of object-oriented programs
K. Rustan M. Leino
Microsoft Research, Redmond, WA
Lecture 2
EEF summer school on Specification, Refinement, and Verification
20 Aug 2002, Turku, Finland
Example: union-find
class UnionFind <: Object
  field nClasses, nElements, …

  method UnionFind :: init(uf, size)
    requires 0 <= size
    modifies uf.nClasses, uf.nElements, …
    ensures uf.nClasses = uf.nElements = size

  method UnionFind :: find(uf, c) returns (r)
    requires 0 <= c < uf.nElements
    ensures 0 <= r < uf.nClasses

  method UnionFind :: union(uf, c, d)
    requires 0 <= c <= uf.nElements /\ 0 <= d <= uf.nElements
    modifies uf.nClasses
    ensures uf.nClasses = uf.nClasses₀ \/ uf.nClasses = uf.nClasses₀ - 1
Example, client
var uf, r0, r1, r2 in
  uf := new(UnionFind);
  uf.init(12);
  uf.union(3, 8);  uf.union(8, 6);  uf.union(10, 11);
  r0 := uf.find(3);  r1 := uf.find(5);  r2 := uf.find(6);
  assert r0 ≠ r1;
  assert r0 = r2
end
Example, implementation
class StandardUnionFind <: UnionFind
  mimpl StandardUnionFind :: find(uf, c) returns (r) is …

class FastUnionFind <: UnionFind
  mimpl FastUnionFind :: find(uf, c) returns (r) is …
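The UnionFind specification and the client program above, as an added Python example written for this page (it is not code from the lecture). Each requires/modifies/ensures clause becomes an assert at method entry or exit, so the two client assertions are checked against a real implementation. The representation (a parent array with path halving, plus a dense numbering of classes so that find can honour `0 <= r < nClasses`) is my choice standing in for the `…` bodies of StandardUnionFind and FastUnionFind; union's precondition uses the strict bound `c < nElements` that find uses, since that is what indexing needs.

```python
class UnionFind:
    """Contract-checked union-find: the slides' requires/modifies/ensures
    clauses become assert statements at entry and exit of each method.
    The parent array and the dense class numbering are an implementation
    choice standing in for the '...' bodies on the slides."""

    def __init__(self, size: int) -> None:            # init(uf, size)
        assert 0 <= size, "requires 0 <= size"
        self.nElements = size
        self.nClasses = size
        self._parent = list(range(size))               # hidden representation
        self._class_id = {e: e for e in range(size)}   # root -> class number in [0, nClasses)
        self._root_of_id = list(range(size))           # class number -> root
        assert self.nClasses == self.nElements == size, "ensures"

    def _root(self, c: int) -> int:
        # Path halving keeps find fast; it only touches the hidden parent
        # array, so the visible state (nClasses, nElements) is unmodified.
        while self._parent[c] != c:
            self._parent[c] = self._parent[self._parent[c]]
            c = self._parent[c]
        return c

    def find(self, c: int) -> int:
        assert 0 <= c < self.nElements, "requires 0 <= c < nElements"
        r = self._class_id[self._root(c)]
        assert 0 <= r < self.nClasses, "ensures 0 <= r < nClasses"
        return r

    def union(self, c: int, d: int) -> None:
        # The slide writes the bound as c <= nElements; the strict bound that
        # find uses is what indexing actually needs, so it is used here.
        assert 0 <= c < self.nElements and 0 <= d < self.nElements, "requires"
        nClasses0 = self.nClasses                      # old value, for the postcondition
        a, b = self._root(c), self._root(d)
        if a != b:
            self._parent[b] = a                        # merge b's class into a's
            freed = self._class_id.pop(b)              # b's class number is now unused ...
            last = self.nClasses - 1
            if freed != last:                          # ... so move the last number into the gap
                moved = self._root_of_id[last]
                self._root_of_id[freed] = moved
                self._class_id[moved] = freed
            self._root_of_id.pop()
            self.nClasses -= 1
        assert self.nClasses in (nClasses0, nClasses0 - 1), "ensures"


def client() -> tuple:
    """The client program from the slides; both of its assertions hold."""
    uf = UnionFind(12)
    uf.union(3, 8)
    uf.union(8, 6)
    uf.union(10, 11)
    r0 = uf.find(3)
    r1 = uf.find(5)
    r2 = uf.find(6)
    assert r0 != r1
    assert r0 == r2
    return r0, r1, r2, uf.nClasses


if __name__ == "__main__":
    print(client())   # (3, 5, 3, 9)
```

Running the client with the preconditions switched off (or with `c <= nElements` taken literally) is the quickest way to see why the strict bound matters: `find(12)` on a 12-element structure indexes past the parent array.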
null
istype(o, T)
  o = null \/ typeof(o) <: T

x.f := E
  assert x ≠ null ;  f[x] := E

Type casts
x := typecast(E, T)
  assert istype(E, T) ;  x := E
Example: binary method
class T <: Object
  method T :: equal(x, y) returns (b)
    requires typeof(x) = typeof(y)

class U <: T
  mimpl U :: equal(x, y) returns (b) is
    var yy in
      yy := typecast(y, U);
      // compare x and yy …
    end
Types of parameters
method OutputStream :: putText(wr, s) …

method T :: print(t, wr)
  requires istype(wr, OutputStream)

method print(t: T, wr: OutputStream) …
Types of fields
field T :: f: U        // class T { … f: U … }

(∀ f, T, U :: isField(f, T, U) ==>
  (∀ o :: istype(f[o], U)))

(∀ f, T, U :: isField(f, T, U) ==>
  (∀ o :: istype(o, T) ==> istype(f[o], U)))

Initially:  assume isField(f, T, U)
havoc f ;  assume isField(f, T, U)
More about allocation
initially, for every parameter x:  assume alloc[x]

mimpl T :: m(x) is
  var y in
    y := new(T);
    assert x ≠ y
  end

Even more about allocation
mimpl T :: m(x) is
  var y in
    y := new(T);
    assert x.f ≠ y
  end

isField(f, T, U, a)
  … /\ (∀ o :: a[o] ==> a[f[o]])

whenever f or alloc is changed:  assume isField(f, T, U, alloc)
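The translation rules from the null/istype/typecast slide, the isField condition from the "Types of fields" slides and the alloc condition from the two allocation slides, as an added executable model written for this page (not code from the lecture). The heap is kept exactly as the slides use it: one map `f[o]` per field plus an `alloc` set; `new`, field update and typecast follow the slides' definitions, and isField(f, T, U, alloc) is re-checked whenever a field map or alloc changes, so an assumption the verifier would make becomes a check the model performs. Class names T and U and field name f are the slides'; the `Obj`/`Heap` classes, `check_is_field`, the function `m` and `demo` are my naming.

```python
NULL = None  # the slides' null


class Obj:
    """A heap object: only its dynamic type (typeof) and its identity matter."""
    def __init__(self, cls: type) -> None:
        self.cls = cls

    def __repr__(self) -> str:
        return f"<{self.cls.__name__} {id(self):#x}>"


# The slides' class hierarchy: T <: Object and U <: T.  Subtyping is issubclass.
class Object: pass
class T(Object): pass
class U(T): pass


def istype(o, cls: type) -> bool:
    # istype(o, T)  ==  o = null \/ typeof(o) <: T
    return o is NULL or issubclass(o.cls, cls)


def typecast(e, cls: type):
    # x := typecast(E, T)  ==  assert istype(E, T) ; x := E
    assert istype(e, cls), f"typecast: {e!r} is not a {cls.__name__}"
    return e


class Heap:
    """Fields are maps f[o]; alloc[o] is a set.  `decl` holds the isField facts:
    field name -> (declaring class T, field type U), as in 'field T :: f: U'."""
    def __init__(self, decl: dict) -> None:
        self.decl = decl
        self.f = {name: {} for name in decl}
        self.alloc = set()

    def check_is_field(self) -> None:
        # isField(f, T, U, alloc), checked whenever f or alloc changes:
        #   (forall o :: istype(o, T) ==> istype(f[o], U))  /\
        #   (forall o :: alloc[o] ==> alloc[f[o]])
        for name, (T_, U_) in self.decl.items():
            for o, v in self.f[name].items():
                assert not istype(o, T_) or istype(v, U_), f"{name}[{o!r}] has the wrong type"
                assert o not in self.alloc or v is NULL or v in self.alloc, \
                    f"{name}[{o!r}] points to an unallocated object"

    def new(self, cls: type):
        # y := new(T): a fresh object, distinct from everything already allocated
        o = Obj(cls)
        assert o not in self.alloc
        self.alloc.add(o)
        for name, (T_, _) in self.decl.items():
            if issubclass(cls, T_):
                self.f[name][o] = NULL           # fields of a fresh object start out null
        self.check_is_field()                    # alloc changed
        return o

    def read(self, x, name: str):
        assert x is not NULL, "null dereference"
        return self.f[name].get(x, NULL)

    def write(self, x, name: str, e) -> None:
        # x.f := E  ==  assert x != null ; f[x] := E
        assert x is not NULL, "null dereference"
        self.f[name][x] = e
        self.check_is_field()                    # f changed


def m(heap: Heap, x):
    # mimpl T :: m(x) is  var y in  y := new(T); assert x.f != y  end
    assert x in heap.alloc                       # initially, for every parameter x: assume alloc[x]
    y = heap.new(T)
    assert x is not y                            # first allocation slide: y is fresh
    assert heap.read(x, "f") is not y            # second slide: alloc[x] ==> alloc[x.f], and y was not allocated before
    return y


def demo() -> dict:
    heap = Heap({"f": (T, T)})                   # field T :: f: T
    x = heap.new(U)                              # U <: T, so x has a field f
    z = heap.new(T)
    heap.write(x, "f", z)                        # type-correct: istype(z, T)
    y = m(heap, x)
    results = {"fresh": y is not x and y is not z, "upcast": typecast(x, T) is x}
    try:                                          # U is below T, so this cast must be refused
        typecast(z, U)
        results["downcast_refused"] = False
    except AssertionError:
        results["downcast_refused"] = True
    try:                                          # x.f := E with x = null
        heap.write(NULL, "f", z)
        results["null_refused"] = False
    except AssertionError:
        results["null_refused"] = True
    try:                                          # an object never returned by new(): alloc[o] is false
        heap.write(x, "f", Obj(T))
        results["unalloc_refused"] = False
    except AssertionError:
        results["unalloc_refused"] = True
    return results
```

The last case is the one the "Even more about allocation" slide needs: without the conjunct `(∀ o :: a[o] ==> a[f[o]])` nothing would stop x.f from naming an object that `new` is still free to hand out, and the assertion `x.f ≠ y` could not be proved.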
Exercise
Prove the following program correct:

method p(x) modifies x.f
method m(x) modifies x.f

mimpl m(x) is
  var y in
    x.p();
    y := new(T);
    assert x.f ≠ y
  end
Strengthening specifications
class T <: Object
  method T :: m(x, y, z) requires P modifies w ensures Q

class U <: T
  method U :: m(x, y, z) requires P modifies w ensures Q /\ R

… u.m(y, z) ; assert R …
??

Strengthening specifications
class T <: Object
  method T :: m(x, y, z) returns (r) requires P modifies w ensures Q

class U <: T
  method U :: n(x, y, z) returns (r) requires P modifies w ensures Q /\ R
  mimpl U :: m(x, y, z) is r := x.n(y, z)

… r := u.n(y, z) ; assert R …
Modifies and objects
modifies x.f
  modifies f
  ensures (∀ o :: o.f = o.f₀ \/ o = x)
Exercise
class T <: Object
field f
method T :: m(x, y, z) requires P modifies x.f ensures Q
class U <: T
field g
method U :: m(x, y, z) requires P modifies x.f, x.g ensures Q ??
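An added example written for this page (not code from the lecture) that makes the "Modifies and objects" desugaring executable and uses it on the two slides above: `modifies x.f` is checked as `modifies f` plus `ensures (∀ o :: o.f = o.f₀ \/ o = x)` by snapshotting every allocated object's fields before the body runs. With that in place, the method-n construction from "Strengthening specifications" can be followed (a client calling `n` is entitled to R, a client calling `m` only to Q), and the exercise's `??` shows up as a frame violation: a U::m body that also writes x.g breaks the frame declared for T::m. Names T, U, m, n, f, g, Q and R are the slides'; the concrete choices Q: x.f > 0 and R: r = x.f, the `method`/`mimpl` decorators, the `FIELDS` tuple and the `OBJECTS` registry are my construction, and the precondition P is left out.

```python
FIELDS = ("f", "g")      # the fields declared in the exercise: T has f, U adds g
OBJECTS = []             # every allocated object, so (forall o :: ...) can be evaluated


class Object:
    def __init__(self) -> None:
        OBJECTS.append(self)


def method(modifies=(), ensures=lambda x, r: True):
    """Declare a method with a spec.  `modifies` names the receiver fields the body
    may change (modifies x.f, ...); `ensures` is a predicate on (x, result).
    The slide's desugaring is checked on exit:
        modifies x.f  ==  modifies f  ensures (forall o :: o.f = o.f0 \\/ o = x)"""
    def declare(body):
        def checked(x, *args):
            old = {fld: {o: getattr(o, fld, None) for o in OBJECTS} for fld in FIELDS}
            r = body(x, *args)
            for fld, snapshot in old.items():
                for o, v0 in snapshot.items():
                    unchanged = getattr(o, fld, None) == v0
                    assert unchanged or (o is x and fld in modifies), \
                        f"frame violation: {fld} of {o!r} changed"
            assert ensures(x, r), "postcondition failed"
            return r
        checked.spec = (tuple(modifies), ensures)
        return checked
    return declare


def mimpl(declared):
    """Give a new body to an already declared method; the spec stays the declared one."""
    modifies, ensures = declared.spec
    return method(modifies, ensures)


class T(Object):
    def __init__(self) -> None:
        super().__init__()
        self.f = 0
        self.g = 0

    # method T :: m(x, y, z) returns (r)  modifies x.f  ensures Q,  with Q: x.f > 0
    @method(modifies=("f",), ensures=lambda x, r: x.f > 0)
    def m(x, y, z):
        x.f = y + z
        return x.f


class U(T):
    # method U :: n(x, y, z) returns (r)  modifies x.f  ensures Q /\ R,  with R: r = x.f
    @method(modifies=("f",), ensures=lambda x, r: x.f > 0 and r == x.f)
    def n(x, y, z):
        x.f = y + z
        return x.f

    # mimpl U :: m(x, y, z) is r := x.n(y, z): the declared spec of T :: m is kept
    @mimpl(T.m)
    def m(x, y, z):
        return x.n(y, z)


class BadU(T):
    # The exercise's '??': this body also writes x.g, which T :: m's frame does not allow
    @mimpl(T.m)
    def m(x, y, z):
        x.f = y + z
        x.g = 1
        return x.f


@method(modifies=("f",))
def touches_other(x, victim):
    # Writes f of an object other than x: the (forall o :: o.f = o.f0 \/ o = x) part rejects it
    victim.f = 99


def client() -> tuple:
    u = U()
    r = u.n(1, 2)           # through n the client is entitled to R ...
    assert r == u.f
    r2 = u.m(2, 3)          # ... through m only Q is promised, although the body is the same
    frame_violation = False
    try:
        BadU().m(1, 2)
    except AssertionError:
        frame_violation = True
    other_rejected = False
    try:
        touches_other(T(), T())
    except AssertionError:
        other_rejected = True
    return r, r2, frame_violation, other_rejected
```

The check is dynamic, so it only ever reports a frame violation for the objects that happen to exist in one run; the slides' point is that the quantified ensures clause lets a verifier discharge the same obligation statically for every object.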
What else is missing?
Data abstraction
Information hiding
Programming methodology
…
References
K. Rustan M. Leino. Toward Reliable Modular Programs. PhD thesis, California Institute of Technology. Technical Report Caltech-CS-TR-95-03, Caltech, 1995.
K. Rustan M. Leino. “Ecstatic: An object-oriented programming language with an axiomatic semantics”. In Foundations of Object-Oriented Languages (FOOL 4), http://www.cis.upenn.edu/~bcpierce/FOOL//index.html, 1997.
K. Rustan M. Leino and Greg Nelson. Data abstraction and information hiding. Research Report 160, Compaq SRC, Nov. 2000. To appear in TOPLAS.
K. Rustan M. Leino. “Data groups: Specifying the modification of extended state”. In OOPSLA ’98, pp. 144-153, ACM, 1998.