Technologies for finding errorsTechnologies for finding errorsin object-oriented softwarein object-oriented software

Technologies for finding errorsTechnologies for finding errorsin object-oriented softwarein object-oriented software

K. Rustan M. LeinoMicrosoft Research, Redmond, WA

Lecture 2Summer school on Formal Models of Software4 Sep 2003, Tunis, Tunisia

Review: Procedural language constructs

• 6 primitive commands• Many shorthands• Arrays are variables with structure• Procedure declarations and

specification

Procedural

• x := E• x: T• P(x,y,z)

Object-oriented

• o.f := E• o: T• o.m(y,z)

Object types and subtyping

• D set of type names• typeof : object D• <: partial order on D• istype(o, T) = typeof(o) <: T

Note: T <: U ⇒ (istype(o, T) ⇒ istype(o, U))

An object-oriented programming notation

C ::= w := E| assert P| var w in C end| C0 ; C1

| if P then C0 else C1 end| o.f := E| x := new(T)| w := o.m(E0, E1)

Object fields are maps

• Java: class T extends U { ... f: X ... }

• Here: T ∈ DT <: Uf: T X

• x := o.f = x := f[o]• o.f := E = f[o] := E

= f := store(f, o, E)

Aliasing (pointer sharing)

• (o.f := 12 ; p.g := 14 ; assert o.f = 12).true ≡ true

• (o.f := 12 ; p.f := 14 ; assert o.f = 12).true ≡ o≠p

Allocation

• alloc : object bool

• x := new(T) =

change x such that

typeof(x) = T ∧ ￢alloc[x] ;

alloc[x] := true

Example

• (o.f := 12 ; p := new(T); p.f := 14 ; assert o.f = 12).true ≡ alloc[o]

receiver parameter(“this”, “current”, “self”)

Methods declarations and method implementationsmethod T :: m(x,y,z) returns (r,s,t)

requires P modifies w ensures Q=proc m(x,y,z) returns (r,s,t)

spec assert istype(x, T) ; w:[P, Q]

mimpl U :: m(x,y,z) returns (r,s,t) is C=impl m(x,y,z) returns (r,s,t) is

assume istype(x, U) ; C

Method call

• w := o.m(E0, E1) =

w := m(o, E0, E1)

Example: union-find

c

f

g

d

o

a

p

h

e

q

i

k

r

l

j

b

mn

equivalence class

element

representative element

Example: union-find

c

f

g

d

o

a

p

h

e

q

i

k

r

l

j

b

mnfind(c) = a

Example: union-find

c

f

g

d

o

a

p

h

e

q

i

k

r

l

j

b

mn

union(p, h):

h

Example, specificationclass UnionFind <: Object

field nClasses, nElements, ...

method UnionFind :: init(uf, size)requires 0 ≦ sizemodifies uf.nClasses, uf.nElements, ... ensures uf.nClasses = uf.nElements = size

method UnionFind :: find(uf, c) returns (r)requires 0 ≦ c < uf.nElementsensures 0 ≦ r < uf.nClasses

method UnionFind :: union(uf, c, d)requires 0 ≦ c ≦ uf.nElements ∧

0 ≦ d ≦ uf.nElementsmodifies uf.nClassesensures uf.nClasses = uf.nClasses0 ∨

uf.nClasses = uf.nClasses0 - 1

Example, clientvar uf, r0, r1, r2 in

uf := new(UnionFind) ;

uf.init(12) ;

uf.union(3, 8) ;uf.union(8, 6) ;uf.union(10, 11) ;

r0 := uf.find(3) ;r1 := uf.find(5) ;r2 := uf.find(6) ;

assert r0 ≠ r1 ;assert r0 = r2

end

Example, implementation

class StandardUnionFind <: UnionFind

mimpl StandardUnionFind :: find(uf, c) returns (r) is …

class FastUnionFind <: UnionFind

mimpl FastUnionFind :: find(uf, c) returns (r) is …

What's missing?• null• type casts• types of parameters• types of fields• properties of allocation• ...

null

New definitions:

• istype(o, T) =o = null ∨ typeof(o) <: T

• o.f := E =assert o ≠ null ;f[o] := E

Type casts

• x := typecast(o, T) =assert istype(o, T) ;x := o

Example: binary method

class T <: Object

method T :: equal(x, y) returns (b)requires typeof(x) = typeof(y)

class U <: T

mimpl U :: equal(x, y) returns (b) isvar yy in

yy := typecast(y, U) ;// compare x and yy ...

end

Types of parameters

method OutputStream :: putText(wr, s) …

method print(t: T, wr: OutputStream) …

method T :: print(t, wr)requires istype(wr, OutputStream)

Types of fields

field T :: f: U // class T { … f: U … }

(∀f, T, U ･ isField(f, T, U)

(∀o ･ istype(f[o], U)))

Types of fields

field T :: f: U // class T { … f: U … }

(∀f, T, U ･ isField(f, T, U)

(∀o ･ istype(o, T) ⇒istype(f[o], U)))

Initially: assume isField(f, T, U)Whenever f is changed:

assume isField(f, T, U)

More about allocation

• initially, for every parameter x:assume alloc[x]

• mimpl T :: m(x) isvar y in

y := new(T) ;assert x ≠ y

end

Even more about allocation

• mimpl T :: m(x) isvar y in

y := new(T) ;assert x.f ≠ y

end

Even more about allocation• mimpl T :: m(x) is

var y iny := new(T) ;assert x.f ≠ y

end• isField(f, T, U, a)

… ∧ (∀ o ･ a[o] ⇒ a[f[o]] )• Initially and whenever f or alloc is changed:

assume isField(f, T, U, alloc)

Exercise• Prove the following program correct:

method p(x) modifies x.fmethod m(x) modifies x.f

mimpl m(x) isvar y in

x.p() ;y := new(T) ;assert x.f ≠ y

end

Strengthening specifications

class T <: Object

method T :: m(x, y, z) requires P modifies w ensures Q

class U <: T

method U :: m(x, y, z) requires P modifies w ensures Q ∧

R

... u.m(y, z) ; assert R ...

?

class T <: Object

method T :: m(x, y, z) requires P modifies w ensures Q

class U <: T

method U :: n(x, y, z) requires P modifies w ensures Q ∧ R

mimpl U :: m(x, y, z) is x.n(y, z)

... u.n(y, z) ; assert R ...

Strengthening specifications

Two-state postconditions

• ensures x.f0 < x.f= ensures f0[x] < f[x]= ensures select(f0, x) <

select(f, x)

Modifies and objects

• modifies x.f =modifies fensures (∀o ･ o.f = o.f0 ∨ o = x)

Exerciseclass T <: Object

field f

method T :: m(x, y, z) requires P modifies x.f ensures Q

class U <: T

field g

method U :: m(x, y, z) requires P modifies x.f, x.g ensures

Q?

What else is missing?• Information hiding • Correctness of data

representations• Programming methodology• ...