Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research,...
Page 1: Checking correctness properties of object-oriented programs

K. Rustan M. Leino
Microsoft Research, Redmond, WA

Lecture 2
EEF summer school on Specification, Refinement, and Verification
20 Aug 2002, Turku, Finland
Page 7: Example: union-find

class UnionFind <: Object
  field nClasses, nElements, …

  method UnionFind :: init(uf, size)
    requires 0 <= size
    modifies uf.nClasses, uf.nElements, …
    ensures uf.nClasses = uf.nElements = size

  method UnionFind :: find(uf, c) returns (r)
    requires 0 <= c < uf.nElements
    ensures 0 <= r < uf.nClasses

  method UnionFind :: union(uf, c, d)
    requires 0 <= c < uf.nElements /\ 0 <= d < uf.nElements
    modifies uf.nClasses
    ensures uf.nClasses = uf.nClasses0 \/ uf.nClasses = uf.nClasses0 - 1
Page 8: Example, client

var uf, r0, r1, r2 in
  uf := new(UnionFind);
  uf.init(12);
  uf.union(3, 8); uf.union(8, 6); uf.union(10, 11);
  r0 := uf.find(3); r1 := uf.find(5); r2 := uf.find(6);
  assert r0 ≠ r1; assert r0 = r2
end
Page 9: Example, implementation

class StandardUnionFind <: UnionFind
  mimpl StandardUnionFind :: find(uf, c) returns (r) is …

class FastUnionFind <: UnionFind
  mimpl FastUnionFind :: find(uf, c) returns (r) is …
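The spec and client of pages 7 to 9 as a runnable check, added here and not part of the slides. The requires and ensures clauses are enforced with assertions, the representation (_parent) is an assumption of this example and is never mentioned by the spec, and class numbers are assigned as the rank of a root among all roots so that find's postcondition 0 <= r < nClasses holds literally. Note that the spec only bounds r; the client's two asserts hold for this implementation, but nothing in the contract says which elements share a class.

```python
from __future__ import annotations


class UnionFind:
    """Union-find with the slide's requires/ensures clauses checked at run time.

    nClasses and nElements are the fields the spec talks about; _parent is the
    representation (an assumption of this example) and is hidden from the spec.
    """

    def __init__(self) -> None:
        self.nClasses = 0
        self.nElements = 0
        self._parent: list[int] = []

    def init(self, size: int) -> None:
        assert 0 <= size, "requires 0 <= size"
        self._parent = list(range(size))
        self.nClasses = self.nElements = size
        assert self.nClasses == self.nElements == size, "ensures nClasses = nElements = size"

    def _root(self, c: int) -> int:
        while self._parent[c] != c:
            c = self._parent[c]
        return c

    def find(self, c: int) -> int:
        assert 0 <= c < self.nElements, "requires 0 <= c < uf.nElements"
        root = self._root(c)
        # Number classes by the rank of their root among all roots, so that the
        # result lies in [0, nClasses) exactly as the ensures clause demands.
        r = sum(1 for i in range(root) if self._parent[i] == i)
        assert 0 <= r < self.nClasses, "ensures 0 <= r < uf.nClasses"
        return r

    def union(self, c: int, d: int) -> None:
        assert 0 <= c < self.nElements and 0 <= d < self.nElements, "requires"
        nClasses0 = self.nClasses                 # the spec's pre-state value
        rc, rd = self._root(c), self._root(d)
        if rc != rd:
            self._parent[rc] = rd
            self.nClasses -= 1
        assert self.nClasses in (nClasses0, nClasses0 - 1), \
            "ensures nClasses = nClasses0 \\/ nClasses = nClasses0 - 1"


def client() -> tuple[int, tuple[int, int, int]]:
    """The client program of page 8; returns (nClasses, (r0, r1, r2))."""
    uf = UnionFind()
    uf.init(12)
    uf.union(3, 8); uf.union(8, 6); uf.union(10, 11)
    r0 = uf.find(3); r1 = uf.find(5); r2 = uf.find(6)
    assert r0 != r1
    assert r0 == r2
    return uf.nClasses, (r0, r1, r2)


if __name__ == "__main__":
    print(client())
```

Running the client leaves 9 classes; calling find with an index outside [0, nElements) is rejected by the requires check before the representation is touched.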
Page 10: null

istype(o, T):
  o = null \/ typeof(o) <: T

x.f := E:
  assert x ≠ null ; f[x] := E
Page 11: Type casts

x := typecast(E, T):
  assert istype(E, T) ; x := E
Page 12: Example: binary method

class T <: Object
  method T :: equal(x, y) returns (b)
    requires typeof(x) = typeof(y)

class U <: T
  mimpl U :: equal(x, y) returns (b) is
    var yy in
      yy := typecast(y, U);
      // compare x and yy …
    end
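The rules of pages 10 to 12 as an executable model, added here (not from the slides): fields are maps f[o], null is None, and each language construct is translated into the assert that the slides put in front of it. The subtype table, the sibling class V, the field val and the demo inputs are constructed for this example.

```python
# Subtype relation: each class names its direct superclass (V is a constructed sibling of U).
SUPER = {"Object": None, "T": "Object", "U": "T", "V": "T"}


class Obj:
    """A heap object carrying only its dynamic type, i.e. typeof(o)."""
    def __init__(self, typ: str) -> None:
        assert typ in SUPER
        self.typ = typ


def typeof(o: Obj) -> str:
    return o.typ


def subtype(s: str, t: str) -> bool:
    """s <: t, reflexive and transitive over SUPER."""
    while s is not None:
        if s == t:
            return True
        s = SUPER[s]
    return False


def istype(o, T: str) -> bool:
    # page 10: istype(o, T)  is  o = null \/ typeof(o) <: T
    return o is None or subtype(typeof(o), T)


def typecast(E, T: str):
    # page 11: x := typecast(E, T)  is  assert istype(E, T) ; x := E
    assert istype(E, T), "typecast: istype(E, T) fails"
    return E


class Field:
    """A field f modelled as the map f[o] the slides use."""
    def __init__(self) -> None:
        self.map = {}

    def update(self, x, E) -> None:
        # page 10: x.f := E  is  assert x ≠ null ; f[x] := E
        assert x is not None, "x.f := E: x is null"
        self.map[x] = E

    def read(self, x):
        assert x is not None, "x.f: x is null"
        return self.map.get(x)


val = Field()   # constructed field U :: val that equal() compares


def equal(x, y) -> bool:
    """mimpl U :: equal(x, y) of page 12; dispatch guarantees x is a U."""
    assert subtype(typeof(x), "U"), "dispatched on a U receiver"
    assert typeof(x) == typeof(y), "requires typeof(x) = typeof(y)"
    yy = typecast(y, "U")   # the cast's assert follows from the two lines above
    return val.read(x) == val.read(yy)


def demo() -> dict:
    """Exercise the checks on constructed objects; returns what each one did."""
    a, b, t = Obj("U"), Obj("U"), Obj("T")
    val.update(a, 7); val.update(b, 7); val.update(t, 7)
    out = {"same_U": equal(a, b), "null_is_any_type": istype(None, "U")}
    try:
        typecast(t, "U")              # a T is not a U: istype fails
        out["cast_T_to_U"] = "passed"
    except AssertionError:
        out["cast_T_to_U"] = "rejected"
    try:
        val.update(None, 1)           # null.f := 1: rejected before f is touched
        out["null_update"] = "passed"
    except AssertionError:
        out["null_update"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

Because istype(null, T) holds for every T, a typecast of null always succeeds; the null check is performed later, at the field access, which is exactly where the page-10 rule places it.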
Pages 13-14: Types of parameters

method OutputStream :: putText(wr, s) …

method T :: print(t, wr)
  requires istype(wr, OutputStream)

method print(t: T, wr: OutputStream) …
Pages 15-17: Types of fields

field T :: f: U          // class T { … f: U … }

(∀ f, T, U :: isField(f, T, U) ==>
  (∀ o :: istype(o, T) ==> istype(f[o], U)))

Initially: assume isField(f, T, U)

havoc f:
  havoc f ; assume isField(f, T, U)
Page 18: More about allocation

initially, for every parameter x:
  assume alloc[x]

mimpl T :: m(x) is
  var y in
    y := new(T);
    assert x ≠ y
  end
Pages 19-20: Even more about allocation

mimpl T :: m(x) is
  var y in
    y := new(T);
    assert x.f ≠ y
  end

isField(f, T, U, a):
  … /\ (∀ o :: a[o] ==> a[f[o]])

whenever f or alloc is changed:
  assume isField(f, T, U, alloc)
Page 21: Exercise

Prove the following program correct:

method p(x) modifies x.f
method m(x) modifies x.f

mimpl m(x) is
  var y in
    x.p();
    y := new(T);
    assert x.f ≠ y
  end
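An exhaustive model check of the allocation slides (pages 18 to 21), added here and not part of the lecture. Over a constructed three-object universe it enumerates every heap (alloc set plus field map f) and tests the two asserts against every choice new(T) could make. Ranging over all field maps also covers the exercise on page 21: after x.p() the value of x.f is arbitrary, but the "whenever f or alloc is changed" rule re-assumes isField(f, T, U, alloc), and that closure conjunct is what makes x.f ≠ y provable.

```python
from itertools import product

OBJS = (0, 1, 2)      # constructed finite object universe; None plays the role of null


def is_field_closed(f: dict, alloc: frozenset) -> bool:
    """The conjunct pages 19-20 add to isField(f, T, U, a):
    (∀ o :: a[o] ==> a[f[o]]), with null counted as allocated."""
    return all(f[o] is None or f[o] in alloc for o in alloc)


def heaps(require_closure: bool):
    """Yield every (alloc, f) over OBJS; with require_closure, only those that
    satisfy isField(f, T, U, alloc).  Ranging over all f models both the
    initial state and the havoc of f caused by a call like x.p()."""
    for bits in product((False, True), repeat=len(OBJS)):
        alloc = frozenset(o for o, b in zip(OBJS, bits) if b)
        for vals in product((None,) + OBJS, repeat=len(OBJS)):
            f = dict(zip(OBJS, vals))
            if not require_closure or is_field_closed(f, alloc):
                yield alloc, f


def fresh(alloc: frozenset) -> list:
    """new(T) may return any object that is not yet allocated."""
    return [o for o in OBJS if o not in alloc]


def check_x_ne_y() -> bool:
    """Page 18: assume alloc[x]; y := new(T); assert x ≠ y.
    True iff the assert holds in every heap, with no field invariant needed."""
    return all(x != y
               for alloc, _ in heaps(require_closure=False)
               for x in alloc for y in fresh(alloc))


def check_xf_ne_y(require_closure: bool):
    """Pages 19-21: (x.p();) y := new(T); assert x.f ≠ y.
    Returns None if the assert holds in every heap, else a counterexample."""
    for alloc, f in heaps(require_closure):
        for x in alloc:                        # initially, assume alloc[x]
            for y in fresh(alloc):             # y := new(T)
                if f[x] == y:                  # assert x.f ≠ y would fail
                    return {"alloc": sorted(alloc), "f": f, "x": x, "y": y}
    return None


if __name__ == "__main__":
    print("x != y always:", check_x_ne_y())
    print("x.f != y with closure:", check_xf_ne_y(True))
    print("x.f != y without closure:", check_xf_ne_y(False))
```

With the closure conjunct the search finds no failing heap; without it the first counterexample is a heap in which an allocated object's field already points at the object that new(T) then hands out, which is precisely the state the invariant rules out.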
Page 22: Strengthening specifications

class T <: Object
  method T :: m(x, y, z) requires P modifies w ensures Q

class U <: T
  method U :: m(x, y, z) requires P modifies w ensures Q /\ R

… u.m(y, z) ; assert R …    ??
Page 23: Strengthening specifications

class T <: Object
  method T :: m(x, y, z) returns (r) requires P modifies w ensures Q

class U <: T
  method U :: n(x, y, z) returns (r) requires P modifies w ensures Q /\ R
  mimpl U :: m(x, y, z) is r := x.n(y, z)

… r := u.n(y, z) ; assert R …
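The pattern of page 23 with run-time contract checking, added here and not from the slides. Each requires/ensures pair is attached to the declaration it decorates, as a spec is attached to a method declaration in the lecture; P, Q, R, the class V and the argument values are constructed for this example. V is a further subclass whose m honours only T :: m's spec, which is why a client that relies on R must call n, the method whose declaration carries Q /\ R.

```python
def contract(requires=None, ensures=None):
    """Attach a requires/ensures pair to one method declaration."""
    def deco(fn):
        def wrapped(self, *args):
            assert requires is None or requires(*args), f"{fn.__qualname__}: requires"
            r = fn(self, *args)
            assert ensures is None or ensures(*args, r), f"{fn.__qualname__}: ensures"
            return r
        wrapped.__qualname__ = fn.__qualname__
        return wrapped
    return deco


# Constructed predicates standing in for the slides' P, Q and R.
def P(y, z):    return y >= 0 and z >= 0        # requires
def Q(y, z, r): return r >= y + z               # ensures of T :: m
def R(y, z, r): return r == y + z               # the strengthening U wants


class T:
    @contract(requires=P, ensures=Q)
    def m(self, y, z):
        return y + z + 1                        # satisfies Q, not R


class U(T):
    @contract(requires=P, ensures=lambda y, z, r: Q(y, z, r) and R(y, z, r))
    def n(self, y, z):
        return y + z

    @contract(requires=P, ensures=Q)            # mimpl U :: m(x, y, z) is r := x.n(y, z)
    def m(self, y, z):
        return self.n(y, z)


class V(U):
    """Constructed subclass of U: its m satisfies T :: m's spec and nothing more."""
    @contract(requires=P, ensures=Q)
    def m(self, y, z):
        return y + z + 1


def client_via_n(u: U, y: int = 2, z: int = 3) -> int:
    r = u.n(y, z)
    assert R(y, z, r)                           # justified by U :: n's ensures clause
    return r


def client_via_m(u: U, y: int = 2, z: int = 3) -> int:
    r = u.m(y, z)
    assert R(y, z, r)                           # only T :: m's Q is guaranteed here
    return r


if __name__ == "__main__":
    print(client_via_n(U()), client_via_n(V()), client_via_m(U()))
```

client_via_m(U()) happens to succeed because U :: m delegates to n, but the same client fails on a V, whose m is a perfectly valid implementation of T :: m; client_via_n succeeds on both.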
Page 24: Modifies and objects

modifies x.f:
  modifies f
  ensures (∀ o :: o.f = o.f0 \/ o = x)
Page 25: Exercise

class T <: Object
  field f
  method T :: m(x, y, z) requires P modifies x.f ensures Q

class U <: T
  field g
  method U :: m(x, y, z) requires P modifies x.f, x.g ensures Q    ??
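A run-time frame check for the translation on page 24 and the exercise on page 25, added here and not part of the slides. The heap is a dictionary of field maps f[o], the pre-state snapshot plays the role of f0, and "modifies x.f" is checked as the slide reads it: the whole map f may change, but every object other than x must keep its old value. The objects, field values and the three methods are constructed for this example.

```python
from typing import Callable, Dict, Hashable, List, Set, Tuple

Heap = Dict[str, Dict[Hashable, object]]    # field name -> map o -> value, i.e. f[o]
Loc = Tuple[str, Hashable]                   # (f, x) stands for the location x.f


def frame_violations(before: Heap, after: Heap, allowed: Set[Loc]) -> List[Loc]:
    """Return every location whose value changed although the modifies clause
    did not list it: the failures of (∀ o :: o.f = o.f0 \/ o = x) for each f."""
    bad = []
    for fld in before.keys() | after.keys():
        f0, f = before.get(fld, {}), after.get(fld, {})
        for o in f0.keys() | f.keys():
            if f0.get(o) != f.get(o) and (fld, o) not in allowed:
                bad.append((fld, o))
    return sorted(bad, key=repr)


def call_checked(method: Callable[[Heap], None], heap: Heap, allowed: Set[Loc]) -> List[Loc]:
    """Snapshot the heap (f0), run the method on it, report writes outside its frame."""
    f0 = {fld: dict(m) for fld, m in heap.items()}
    method(heap)
    return frame_violations(f0, heap, allowed)


# Constructed heap: objects 1..3 with fields f and g, as in the page-25 exercise.
def make_heap() -> Heap:
    return {"f": {1: 10, 2: 20, 3: 30}, "g": {1: 0, 2: 0, 3: 0}}


X = 1   # the receiver x of the calls below


def t_m(heap: Heap) -> None:        # respects "modifies x.f"
    heap["f"][X] = 11


def u_m(heap: Heap) -> None:        # U :: m with "modifies x.f, x.g"
    heap["f"][X] = 11
    heap["g"][X] = 1


def leaky_m(heap: Heap) -> None:    # also writes another object's f
    heap["f"][X] = 11
    heap["f"][2] = 21


if __name__ == "__main__":
    print(call_checked(t_m, make_heap(), {("f", X)}))
    print(call_checked(u_m, make_heap(), {("f", X)}))
    print(call_checked(leaky_m, make_heap(), {("f", X)}))
```

Run against T :: m's frame {x.f}, t_m passes, leaky_m is caught writing 2.f, and u_m is caught writing x.g: a caller that reasons only from T :: m's modifies clause would wrongly conclude that x.g is unchanged, which is the tension the "??" on page 25 points at.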
Page 26: What else is missing?

Data abstraction
Information hiding
Programming methodology
…
Page 27: References

K. Rustan M. Leino. Toward Reliable Modular Programs. PhD thesis, California Institute of Technology. Technical Report Caltech-CS-TR-95-03, Caltech, 1995.

K. Rustan M. Leino. "Ecstatic: An object-oriented programming language with an axiomatic semantics". In Foundations of Object-Oriented Languages (FOOL 4), http://www.cis.upenn.edu/~bcpierce/FOOL//index.html, 1997.

K. Rustan M. Leino and Greg Nelson. Data abstraction and information hiding. Research Report 160, Compaq SRC, Nov. 2000. To appear in TOPLAS.

K. Rustan M. Leino. "Data groups: Specifying the modification of extended state". In OOPSLA '98, pp. 144-153, ACM, 1998.