1 / 27

Ensuring Correctness in Object-Oriented Programs: A Specification Approach

This lecture by K. Rustan M. Leino from Microsoft Research focuses on the principles of verifying the correctness of object-oriented programs. It explores object specifications and refinements through practical examples such as union-find algorithms. The lecture emphasizes the significance of requires and ensures clauses in defining method behavior, and showcases various implementations in programming, including client usage and type checks.

coralie
Télécharger la présentation

Ensuring Correctness in Object-Oriented Programs: A Specification Approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Checking correctness properties of object-oriented programs K. Rustan M. LeinoMicrosoft Research, Redmond, WA Lecture 2EEF summer school on Specification, Refinement, and Verification20 Aug 2002, Turku, Finland

  2. Example: union-find class UnionFind <: Object field nClasses, nElements, … method UnionFind :: init(uf, size)requires 0 <= sizemodifies uf.nClasses, uf.nElements, …ensures uf.nClasses = uf.nElements = size method UnionFind :: find(uf, c) returns (r)requires 0 <= c < uf.nElementsensures 0 <= r < uf.nClasses method UnionFind :: union(c, d)requires 0 <= c <= uf.nElements /\ 0 <= d <= uf.nElementsmodifies uf.nClassesensures uf.nClasses = uf.nClasses0 \/ uf.nClasses = uf.nClasses0 - 1

  3. Example, client var uf, r0, r1, r2 in uf := new(UnionFind); uf.init(12); uf.union(3, 8); uf.union(8, 6); uf.union(10, 11); r0 := uf.find(3); r1 := uf.find(5); r2 := uf.find(6); assert r0 ≠ r1;assert r0 = r2 end

  4. Example, implementation class StandardUnionFind <: UnionFind mimpl StandardUnionFind :: find(uf, c) returns (r) is … class FastUnionFind <: UnionFind mimpl FastUnionFind :: find(uf, c) returns (r) is …

  5. null • istype(o, T)  o = null \/ typeof(o) <: T • x.f := E assert x ≠ null ; f[x] := E

  6. Type casts • x := typecast(E, T)assert istype(E, T) ; x := E

  7. Example: binary method class T <: Object method T :: equal(x, y) returns (b)requires typeof(x) = typeof(y) class U <: T mimpl U :: equal(x, y) returns b isvar yy in yy := typecast(y, U); // compare x and yy …end

  8. Types of parameters method OutputStream :: putText(wr, s) … method T :: print(t, wr)requires istype(wr, OutputStream)

  9. Types of parameters method OutputStream :: putText(wr, s) … method T :: print(t, wr)requires istype(wr, OutputStream) method print(t: T, wr: OutputStream) …

  10. Types of fields field T :: f: U // class T { … f: U … } ( f, T, U :: isField(f, T, U)  ( o :: istype(f[o], U)))

  11. Types of fields field T :: f: U // class T { … f: U … } ( f, T, U :: isField(f, T, U)  ( o :: istype(o, T) ==> istype(f[o], U)))

  12. Types of fields field T :: f: U // class T { … f: U … } ( f, T, U :: isField(f, T, U)  ( o :: istype(o, T) ==> istype(f[o], U))) Initially: assume isField(f, T, U) havoc f havoc f ;assume isField(f, T, U)

  13. More about allocation • initially, for every parameter x:assume alloc[x] • mimpl T :: m(x) isvar y in y := new(T);assert x ≠ yend

  14. Even more about allocation • mimpl T :: m(x) isvar y in y := new(T);assert x.f ≠ yend

  15. Even more about allocation • mimpl T :: m(x) isvar y in y := new(T);assert x.f ≠ yend • isField(f, T, U, a)  … /\ ( o :: a[o] ==> a[f[o]] ) • whenever f or alloc is changed:assume isField(f, T, U, alloc)

  16. Exercise • Prove the following program correct:method p(x) modifies x.fmethod m(x) modifies x.fmimpl m(x) isvar y in x.p(); y := new(T);assert x.f ≠ yend

  17. Strengthening specifications class T <: Object method T :: m(x, y, z) requires P modifies w ensures Q class U <: T method U :: m(x, y, z) requires P modifies w ensures Q /\ R … u.m(y, z) ; assert R … ?

  18. Strengthening specifications class T <: Object method T :: m(x, y, z) returns (r)requires P modifies w ensures Q class U <: T method U :: n(x, y, z) returns (r)requires P modifies w ensures Q /\ R mimpl U :: m(x, y, z) is r := x.n(y, z) … r := u.n(y, z) ; assert R …

  19. Modifies and objects • modifies x.f modifies fensures ( o :: o.f = o.f0 \/ o = x)

  20. Exercise class T <: Object field f method T :: m(x, y, z) requires P modifies x.f ensures Q class U <: T field g method U :: m(x, y, z) requires P modifies x.f, x.g ensures Q ?

  21. What else is missing? • Data abstraction • Information hiding • Programming methodology • …

  22. References • K. Rustan M. Leino. Toward Reliable Modular Programs. PhD thesis, California Institute of Technology. Technical Report Caltech-CS-TR-95-03, Caltech, 1995. • K. Rustan M. Leino. “Ecstatic: An object-oriented programming language with an axiomatic semantics”. In Foundations of Object-Oriented Languages (FOOL 4), http://www.cis.upenn.edu/~bcpierce/FOOL//index.html, 1997. • K. Rustan M. Leino and Greg Nelson. Data abstraction and information hiding. Research Report 160, Compaq SRC, Nov. 2000. To appear in TOPLAS. • K. Rustan M. Leino. “Data groups: Specifying the modification of extended state”. In OOPSLA ’98, pp. 144-153, ACM, 1998.

More Related