y-based in v arian ts friendship displine ariations framesnaumann/pub/ITUschool08/lect2.pdf · V...
32
Transcript of y-based in v arian ts friendship displine ariations framesnaumann/pub/ITUschool08/lect2.pdf · V...
Visibility-based invariants The friendship displine Variations Dynami framesVeri� ation of Obje t-oriented ProgramsLe ture 2: from friendship to dynami framesDave NaumannDepartment of Computer S ien eStevens Institute of Te hnologyPh.D. Fall S hool on Logi s and Semanti s of StateIT University, Copenhagen, O tober 2008Partially supported by US NSF grants CNS-0627338 and CRI-0708330.Le ture 2 1/22
Visibility-based invariants The friendship displine Variations Dynami framesOutline of le tureVisibility-based invariantsThe friendship displineVariationsDynami framesLe ture 2 2/22
Visibility-based invariants The friendship displine Variations Dynami framesInvariants for non-hierar hi al stru tures:Solver
item
where
NSIlist
ClistF
T
T
F
F
:Client
y<=w
f(x)<=z
∀p ∈ NS .next∗ | (p.next = null ∨ p.next .prev = p) ∧ . . .Invariant of Solver , owning all the nodes?Can we avoid rea hability by de entralization? lass DNode { next, prev: DNode; invar next = null ∨ next.prev = self...Le ture 2 3/22
Visibility-based invariants The friendship displine Variations Dynami framesInvariants for non-hierar hi al stru tures:Solver
item
where
NSIlist
ClistF
T
T
F
F
:Client
y<=w
f(x)<=z
∀p ∈ NS .next∗ | (p.next = null ∨ p.next .prev = p) ∧ . . .Invariant of Solver , owning all the nodes?Can we avoid rea hability by de entralization? lass DNode { next, prev: DNode; invar next = null ∨ next.prev = self...Le ture 2 3/22
Visibility-based invariants The friendship displine Variations Dynami framesVisibility-based invariants lass DNode {next, prev: DNode;invar next = null ∨ next.prev = self;meth m(DNode b) requires b 6= null {b.next:= null; b.prev:= self; next:= b; } . . . }Preserves invariant for both self and b.
Le ture 2 4/22
Visibility-based invariants The friendship displine Variations Dynami framesVisibility-based invariants lass BluNode {next, prev: PinkNode;invar next = null ∨ next.prev = self;... lass PinkNode {next, prev: BluNode;invar next = null ∨ next.prev = self;meth m(BluNode b) requires b 6= null {b.next:= null; b.prev:= self; next:= b; } . . . }Preserves PinkNode invariant for self and BluNode invariant for b.At-risk invariants must be in s ope [Müller℄.Do we have to he k �all� invariants at every �eld update?Le ture 2 5/22
Visibility-based invariants The friendship displine Variations Dynami framesVisibility-based invariants lass BluNode {next, prev: PinkNode;invar next = null ∨ next.prev = self;... lass PinkNode {next, prev: BluNode;invar next = null ∨ next.prev = self;meth m(BluNode b) requires b 6= null {b.next:= null; b.prev:= self; next:= b; } . . . }Preserves PinkNode invariant for self and BluNode invariant for b.At-risk invariants must be in s ope [Müller℄.Do we have to he k �all� invariants at every �eld update?Le ture 2 5/22
Visibility-based invariants The friendship displine Variations Dynami framesVisibility-based invariants lass BluNode {next, prev: PinkNode;invar next = null ∨ next.prev = self;... lass PinkNode {next, prev: BluNode;invar next = null ∨ next.prev = self;meth m(BluNode b) requires b 6= null {b.next:= null; b.prev:= self; next:= b; } . . . }Preserves PinkNode invariant for self and BluNode invariant for b.At-risk invariants must be in s ope [Müller℄.Do we have to he k �all� invariants at every �eld update?Le ture 2 5/22
Visibility-based invariants The friendship displine Variations Dynami framesFriendship to the res ueRe all inv/own dis ipline: assert ¬x .inv ; x .f := Eto prote t invariant of the form x .inv ⇒ I(x ), where I allowed todepend on obje ts transitively owned by x .How ensure non-owning dependants of x .f are unpa ked?� don't �and don't make invariant visible.� Tra k dependents in ghost state, and� expose transition onstraint that ensures preservation oftheir (non-exposed) invariant.Rely-guarantee �avor.Le ture 2 6/22
Visibility-based invariants The friendship displine Variations Dynami framesFriendship to the res ueRe all inv/own dis ipline: assert ¬x .inv ; x .f := Eto prote t invariant of the form x .inv ⇒ I(x ), where I allowed todepend on obje ts transitively owned by x .How ensure non-owning dependants of x .f are unpa ked?� don't �and don't make invariant visible.� Tra k dependents in ghost state, and� expose transition onstraint that ensures preservation oftheir (non-exposed) invariant.Rely-guarantee �avor.Le ture 2 6/22
Visibility-based invariants The friendship displine Variations Dynami frames lass Master {time: int; invar 0 6 self.time;friend Clo k reads time;Master() ensures inv ∧ ! om;{ time := 0 ; pa k self; }Ti k(n: int)requires inv ∧ ! om ∧ 0 6 n;ensures time > old(time);{ unpa k self; time := time + n; pa k self; }Conne t( : Clo k)requires inv;ensures ∈ self.deps ;{ unpa k self; atta h ; pa k self; }}Clo k o's invariantis allowed to dependon p.time as long aso is in ghost �eldp.deps.
Le ture 2 7/22
Visibility-based invariants The friendship displine Variations Dynami frames lass Master {time: int; invar 0 6 self.time;friend Clo k reads time;Master() ensures inv ∧ ! om;{ time := 0; pa k self; }Ti k(n: int)requires inv ∧ ! om ∧ 0 6 n;ensures time > old(time);{ expose(self){time := time + n; }}Conne t( : Clo k)requires inv;ensures ∈ self.deps ;{ expose(self){atta h ;}}}
lass Clo k {t: int; m: Master ;invar (m 6= null ∨ self ∈ m.deps)∧ 0 6 t 6 m.time;guard(∀α, β) α.time:=β by α.time 6 β;Clo k(mast: Master)requires mast 6= null ∧ mast.inv;ensures inv ∧ ¬ om;{ m:=mast; t:=0;m.Conne t(self); pa k self; Syn (); }Syn ()requires inv ∧ ¬ om;ensures t = m.time ;{ expose(self){ t := m.time; } }}Le ture 2 8/22
Visibility-based invariants The friendship displine Variations Dynami framesFriendship dis iplineIn Clo k:IClo k (self) depends on self.m .time , does not own m (the pivot)Admissible friendship invariant: may depend on α.f ifinvariant implies self ∈ α.deps and α's type is a friend thatexports f .Proof obligation for guard α.time:=β by α.time 6 β is that
IClo k ∧ α.time 6 β ⇒ IClo k/α.time�βIn Master (whi h exports time to friend Clo k):Proof obligation for self.time := self.time + n; is∀ | ∈ self.deps ⇒ .time 6 self.time + nand ¬self.inv as before.Le ture 2 9/22
Visibility-based invariants The friendship displine Variations Dynami framesFriendship dis iplineIn Clo k:IClo k (self) depends on self.m .time , does not own m (the pivot)Admissible friendship invariant: may depend on α.f ifinvariant implies self ∈ α.deps and α's type is a friend thatexports f .Proof obligation for guard α.time:=β by α.time 6 β is that
IClo k ∧ α.time 6 β ⇒ IClo k/α.time�βIn Master (whi h exports time to friend Clo k):Proof obligation for self.time := self.time + n; is∀ | ∈ self.deps ⇒ .time 6 self.time + nand ¬self.inv as before.Le ture 2 9/22
Visibility-based invariants The friendship displine Variations Dynami framesFriendship dis iplineIn Clo k:IClo k (self) depends on self.m .time , does not own m (the pivot)Admissible friendship invariant: may depend on α.f ifinvariant implies self ∈ α.deps and α's type is a friend thatexports f .Proof obligation for guard α.time:=β by α.time 6 β is that
IClo k ∧ α.time 6 β ⇒ IClo k/α.time�βIn Master (whi h exports time to friend Clo k):Proof obligation for self.time := self.time + n; is∀ | ∈ self.deps ⇒ .time 6 self.time + nand ¬self.inv as before.Le ture 2 9/22
Visibility-based invariants The friendship displine Variations Dynami framesRemarks on friendshipDependen y of friend (Clo k) on a �eld of granter (Master) isvisible to granter (but IClo k need not be).Friend de lares guard ondition under whi h update maintainsIClo k so friends need not be unpa ked.Granter maintains (in ghost �eld deps) referen es to dependentfriends. (Compare own .)
Le ture 2 10/22
Visibility-based invariants The friendship displine Variations Dynami framesObserver exampledependent
:Subject
:List
:Listen :View
:Listen
Cache
pointer
owner
Subje t has a version number that is in remented ea h time it isupdated, and notify brings the View ba k in syn .The View maintains a opy of the state of the Subje t, with itsversion number, in its Ca he obje t.Listener and View share Ca he obje t � f. Iterators, later.Le ture 2 11/22
Visibility-based invariants The friendship displine Variations Dynami framesObserver exampledependent
:Subject
:List
:Listen :View
:Listen
Cache
pointer
owner
Subje t has a version number that is in remented ea h time it isupdated, and notify brings the View ba k in syn .The View maintains a opy of the state of the Subje t, with itsversion number, in its Ca he obje t.Listener and View share Ca he obje t � f. Iterators, later.Le ture 2 11/22
Visibility-based invariants The friendship displine Variations Dynami framesFormal details, friend L of granter KIL(self) allowed to depend on x .f where� x in the s ope of ∀x : K | self = x .own ⇒ . . ., or� x in the s ope of ∀x : K | self ∈ x .deps ⇒ . . . and f de laredin lass K to be visible to LFriendly dependen e on self.g.deps and self.g.inv also allowed.Stipulated pre ondition for x .f := E with x : L is¬x .inv and ∀p : L | p ∈ x .deps ∧ f ∈ readsL,K ⇒ U (p, x , f ,E)where f ∈ readsL,K means granter K exports f to LU (p, x , f ,E) means the update guard holdsOblig.: ∀x ,p | IL(p) ∧U (p, x , f , v) ⇒ IL(p)/x .f�v (sem. subst.)Pa k/unpa k un hangedAtta h/deta h pre ondition ¬self.inv ; assign to self.depsLe ture 2 12/22
Visibility-based invariants The friendship displine Variations Dynami framesFormal details, friend L of granter KIL(self) allowed to depend on x .f where� x in the s ope of ∀x : K | self = x .own ⇒ . . ., or� x in the s ope of ∀x : K | self ∈ x .deps ⇒ . . . and f de laredin lass K to be visible to LFriendly dependen e on self.g.deps and self.g.inv also allowed.Stipulated pre ondition for x .f := E with x : L is¬x .inv and ∀p : L | p ∈ x .deps ∧ f ∈ readsL,K ⇒ U (p, x , f ,E)where f ∈ readsL,K means granter K exports f to LU (p, x , f ,E) means the update guard holdsOblig.: ∀x ,p | IL(p) ∧U (p, x , f , v) ⇒ IL(p)/x .f�v (sem. subst.)Pa k/unpa k un hangedAtta h/deta h pre ondition ¬self.inv ; assign to self.depsLe ture 2 12/22
Visibility-based invariants The friendship displine Variations Dynami framesFormal details, friend L of granter KIL(self) allowed to depend on x .f where� x in the s ope of ∀x : K | self = x .own ⇒ . . ., or� x in the s ope of ∀x : K | self ∈ x .deps ⇒ . . . and f de laredin lass K to be visible to LFriendly dependen e on self.g.deps and self.g.inv also allowed.Stipulated pre ondition for x .f := E with x : L is¬x .inv and ∀p : L | p ∈ x .deps ∧ f ∈ readsL,K ⇒ U (p, x , f ,E)where f ∈ readsL,K means granter K exports f to LU (p, x , f ,E) means the update guard holdsOblig.: ∀x ,p | IL(p) ∧U (p, x , f , v) ⇒ IL(p)/x .f�v (sem. subst.)Pa k/unpa k un hangedAtta h/deta h pre ondition ¬self.inv ; assign to self.depsLe ture 2 12/22
Visibility-based invariants The friendship displine Variations Dynami framesIterator and Colle tion with their own invariants lass Colle tion { ver: int; state: State;friend Enumerator reads ver, state;invar ∀o : Enumerator | o ∈ self.deps ⇒
(o.vsn 6 ver ∧ o. oll = self ∧ self ∈ o.deps);guard α.vsn := β by β 6 ver; (∀α, β)guard α. oll := β by β = self;GetEnumerator(): Enumeratorensures result in self.deps;{ result:= new Enumerator(self); }Add(i: int) requires inv ∧ ! om;{ expose(self){ ver:= ver+1; state:= . . . ; } }}Le ture 2 13/22
Visibility-based invariants The friendship displine Variations Dynami frames lass Enumerator { vsn: int; oll: Colle tion;model elts: Statefriend Colle tion reads vsn, oll;invar vsn 6 oll.ver ∧ self in oll.deps ∧(vsn = oll.ver ⇒ elts.Equals( oll.state));guard oll.ver := β by oll.ver 6 β;guard oll.state := β by oll.ver 6= vsn;Enumerator( : Colle tion)requires .inv ∧ ! . om;ensures self in .deps ∧ oll= ∧ inself.deps;{ vsn:= .ver; oll:= ; atta h ; .Atta h(self);elts:= .state; pa k self; }MoveNext(): bool requires vsn = oll.ver { . . . }}Le ture 2 14/22
Visibility-based invariants The friendship displine Variations Dynami framesHistory onstraintsHistory onstraint: two-state �invariant� imposed on every pair ofsu essive states (or dire tly su essive). E.g., version number ofa Subje t in reases monotoni ally.Instead of Friend exporting a onstraint about updates thatpreserve its invariant, the Granter an export a onstraint onwhat updates it will do. [N,Barnett℄,[Leino,S hulte℄
Le ture 2 15/22
Visibility-based invariants The friendship displine Variations Dynami framesImmutabilityFrozen obje t: transfer ownership to the �freezer�, whereupone�e tively immutable. [Leino,Manohan'08℄
Le ture 2 16/22
Visibility-based invariants The friendship displine Variations Dynami framesCreational invariantsFalsi�able by allo ation: ∀s : Singleton | s = Singleton .theOnlyExpli itly disallowed in friendship invariants.Can allow, using � reation guards� [Pierik,Clarke,deBoer℄
Le ture 2 17/22
Visibility-based invariants The friendship displine Variations Dynami framesDynami framesOwnership and friendship:� ghost state that en odes the footprint of an obje t invariant(or other predi ate)� o = p.own means I(o) may depend on p.fo ∈ p.deps means I(o) may depend on p.f� proof obligations to prevent ommands from falsifying thepredi ate� a hieve lo alized reasoning about hallenging patterns� justi�ed by meta-theoremsKassios' dynami frames: programmer de�ned ghost footprints,for invariants and other framing done expli itly in assertions.o ∈ p.rep means I(p) may depend on o.fLe ture 2 18/22
Visibility-based invariants The friendship displine Variations Dynami framesDynami framesOwnership and friendship:� ghost state that en odes the footprint of an obje t invariant(or other predi ate)� o = p.own means I(o) may depend on p.fo ∈ p.deps means I(o) may depend on p.f� proof obligations to prevent ommands from falsifying thepredi ate� a hieve lo alized reasoning about hallenging patterns� justi�ed by meta-theoremsKassios' dynami frames: programmer de�ned ghost footprints,for invariants and other framing done expli itly in assertions.o ∈ p.rep means I(p) may depend on o.fLe ture 2 18/22
Visibility-based invariants The friendship displine Variations Dynami framesDynami frames using pure methods lass ArrayList { ount: int; items: Obje t[℄;ArrayList() ensures invar() ∧ size() = 0 ∧ footprint().isFresh();add(Obje t o) {requires invar() ensures invar() ∧ ... footprint().newElemsFresh();e�e ts wr footprint()pure get(i: int): Obje t requires invar() ∧ 06i<size()e�e ts rd footprint()pure footprint(): set of lo ationsrequires invar() e�e ts rd footprint() // self-framing{ return {& ount, &items} ∪ elems(items) }pure invar(): bool. . . } lass Sta k { al: ArrayList;pure footprint(): set of lo ations {return {&al} ∪ al.footprint() }. . .Le ture 2 19/22
Visibility-based invariants The friendship displine Variations Dynami framesExer isesDo John's exer ises!
Le ture 2 20/22
Visibility-based invariants The friendship displine Variations Dynami framesSummaryEarly work on ownership: attempts at on�nement notion thatallows some design patterns, informal hope of modular reasoning.Boogie: several variations, still verbose, intri ate axiomati sdi� ult to ompare with, e.g., separation logi .Friendship: handles di� ult patterns but yet more intri a y.Pierik's diss: reation guards, soundness and ompleteness for aproof-outline logi . Prototype veri�er in luding friendship et .Kassios' diss: dynami frames (e�e ts refer to ghost state)Le ture 2 21/22
Visibility-based invariants The friendship displine Variations Dynami framesReferen es[Müller et al'06℄ Modular invariants for layered obje t stru tures[Naumann,Barnett'06℄ Towards imperative modules: reasoningabout invariants and sharing of mutable state[Kassios'06℄ Dynami framing: support for framing, dependen iesand sharing without restri tion[Smans et al'08℄ An automati veri�er for Java-like programsbased on dynami frames[Pierik'06℄ Validation te hniques for obje t-oriented proofoutlines (Dissertation, Universiteit Utre ht)Le ture 2 22/22
