Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 EEF summer school on Specification,

Checking correctness Checking correctness properties of object-oriented properties of object-oriented

programsprograms

K. Rustan M. LeinoK. Rustan M. LeinoMicrosoft Research, Redmond, WAMicrosoft Research, Redmond, WA

Lecture 3EEF summer school on Specification, Refinement, and Verification23 Aug 2002, Turku, Finland

Review of methodsReview of methods classclass T { T {

method method m(this, x, y) m(this, x, y)requiresrequires Pre Pre modifiesmodifies w w ensuresensures

PostPost}}

classclass U <: T { U <: T { mimpl mimpl m(this, x, y) m(this, x, y) isis

BodyBody}}

Review of methodsReview of methodsTurku triviaTurku trivia

This SideThis Side

The Other The Other SideSide

classclass T { T { method method m(this, x, y) m(this, x, y)

requiresrequires Pre Pre modifiesmodifies w w ensuresensures PostPost}}


BodyBody}}

this

“self”

Review of methodsReview of methods classclass T { T {

method method m(this, x, y) m(this, x, y)requiresrequires Pre Pre modifiesmodifies w w ensuresensures

PostPost}}


BodyBody}}

class Counter {method inc(this) …method dec(this) ……

}

class SimpleCounter <: Counter {field x: intmimpl inc(this) is this.x := this.x + 1mimpl dec(this) is this.x := this.x – 1…

}

class OpCounter <: Counter {field i: intfield d: intmimpl inc(this) is this.i := this.i + 1mimpl dec(this) is this.d := this.d + 1…

}

SubtypingSubtyping

What should be the specifications of methods inc and dec?

Abstract variablesAbstract variablesclass Counter {

abstract field n: intmethod inc(this) requires true modifies this.n ensures this.n =

this.n0 + 1method dec(this) requires true modifies this.n ensures this.n =

this.n0 - 1… }

class SimpleCounter <: Counter {field x: intrep this.n this.xmimpl inc(this) is this.x := this.x + 1mimpl dec(this) is this.x := this.x – 1

… }

class OpCounter <: Counter {field i: intfield d: intrep this.n this.i – this.dmimpl inc(this) is this.i := this.i + 1mimpl dec(this) is this.d := this.d + 1

… }

Two questions:

• How do we reason about the abstract expressions?

• What do modifies clauses with abstract variables mean?

Shape of verification Shape of verification conditioncondition

UnivBackPred /\ BackPred(Program)UnivBackPred /\ BackPred(Program)

==>==>

VC(MethodImpl)VC(MethodImpl)

2-dimensional heap2-dimensional heap $ denotes current value of heap$ denotes current value of heap (o,f) denotes a heap location(o,f) denotes a heap location tr[ o.f ] = get($, o, f)tr[ o.f ] = get($, o, f) tr[ o.ftr[ o.f00 ] = get($ ] = get($00, o, f), o, f)

get($, o, f) =get($, o, f) =select($, o, f)select($, o, f) if f is concreteif f is concreteabsfun(o, f)($)absfun(o, f)($) if f is abstractif f is abstract

Meaning of repMeaning of rep classclass T { T { reprep this.a this.a E } E }

gives rise to the following program-specific axiom:gives rise to the following program-specific axiom:

(( this :: this :: this ≠ null /\ typeof(this) <: T ==>this ≠ null /\ typeof(this) <: T ==>absfun(this, a) = (absfun(this, a) = (λλ $ :: tr[ E ])) $ :: tr[ E ]))

Example:Example:

classclass OpCounter { OpCounter { reprep this.n this.n this.i – this.d } this.i – this.d }

gives rise to:gives rise to:

(( this :: this :: this ≠ null /\ typeof(this) <: OpCounter this ≠ null /\ typeof(this) <: OpCounter ==>==>

absfun(this, n) =absfun(this, n) = ( (λλ $ :: get($,this,i) – get($,this,d))) $ :: get($,this,i) – get($,this,d)))

Proving postconditionsProving postconditionsclass Counter {



this.n0 - 1… }


… }


… }

Modifies clausesModifies clausesclass Counter {



this.n0 - 1… }


… }


… }

Dependency declarationsDependency declarationsclass Counter {



this.n0 - 1… }

class SimpleCounter <: Counter {field x: int in nrep this.n this.xmimpl inc(this) is this.x := this.x + 1mimpl dec(this) is this.x := this.x – 1

… }

class OpCounter <: Counter {field i: int in nfield d: int in nrep this.n this.i – this.dmimpl inc(this) is this.i := this.i + 1mimpl dec(this) is this.d := this.d + 1

… }

Dependency relationDependency relation Relation (o,a) –SRelation (o,a) –S (p,b) (p,b)

states that in heap S,states that in heap S,the value at location (o,a) may depend onthe value at location (o,a) may depend onthe value at location (p,b) the value at location (p,b)

––SS is a reflexive, transitive, and is a reflexive, transitive, and antisymmetricantisymmetric

For every concrete field f:For every concrete field f:(( o, S, S’, E, p, x :: o, S, S’, E, p, x :: S’ = store(S, o, f, E) ==> S’ = store(S, o, f, E) ==>

get(S, p, x) = get(S’, p, x)get(S, p, x) = get(S’, p, x)\/\/ (p,x) –S(p,x) –S (o,f)) (o,f))

Dependency axiomsDependency axioms Declaration Declaration fieldfield f f inin a a

allows this.a to be a function of this.f, allows this.a to be a function of this.f, andand

gives rise to the following program-gives rise to the following program-specific axiom:specific axiom:

(( o, S :: (o,a) –S o, S :: (o,a) –S (o,f)) (o,f))

More dependenciesMore dependenciesclass BigOpCounter <: Counter {

field i: BigNumber maps x into nfield d: BigNumber maps x into nrep this.n this.i.x – this.d.xmimpl inc(this) is this.i.add(1) mimpl dec(this) is this.d.add(1) …

}

class BigNumber {abstract field x: Z method add(this, v)

requires true modifies this.x ensures this.x = this.x0 + v…

}

More dependency axiomsMore dependency axioms Declaration Declaration fieldfield f f mapsmaps x x intointo a a

allows this.a to be a function of this.f.x, allows this.a to be a function of this.f.x, andand

gives rise to the following program-gives rise to the following program-specific axiom:specific axiom:

(( o, S :: (o,a) –S o, S :: (o,a) –S (get(S,o,f), x)) (get(S,o,f), x))

Meaning of modifiesMeaning of modifies modifiesmodifies this.a, … this.a, …

means:means:

modifiesmodifies $ $ensuresensures ( ( o, f :: o, f :: get($,o,f) = get($get($,o,f) = get($00,o,f),o,f)

\/\/ (this,a) –$(this,a) –$00 (o,f) (o,f)\/\/ (o,f) –$(o,f) –$00 (this,a) (this,a)\/\/ …)…)

Negative dependency Negative dependency informationinformation

For any concrete field f:For any concrete field f:(( o, X, S, p :: (o,f) –S o, X, S, p :: (o,f) –S (p,X) (p,X) o=p /\ f=X) o=p /\ f=X)

Each declaration Each declaration fieldfield f f inin a, b, c a, b, cgives rise to the following program-specific gives rise to the following program-specific axiom:axiom:

(( o, X, S, p :: (o,X) –S o, X, S, p :: (o,X) –S (p,f) ==> (p,f) ==>(o=p /\ X=f)(o=p /\ X=f)

\/\/ (o,X) –S(o,X) –S (p,a) (p,a) \/\/ (o,X) –S(o,X) –S (p,b) (p,b) \/\/ (o,X) –S(o,X) –S (p,c)) (p,c))

Similar axioms are added for Similar axioms are added for mapsmaps intointo

Proving modifies clausesProving modifies clausesclass Counter {



this.n0 - 1… }


… }


… }

Alias confinementAlias confinement It seems that to support maps into It seems that to support maps into

soundly, one needs some form of soundly, one needs some form of alias confinementalias confinement

(For details, see “Using data groups to specify and check (For details, see “Using data groups to specify and check side effects”, Leino, Poetzsch-Heffter, Zhou, PLDI’02.)side effects”, Leino, Poetzsch-Heffter, Zhou, PLDI’02.)

ExerciseExercise Prove the following program correct:Prove the following program correct:

class Counter {abstract field n: intmethod inc(this)

requires true modifies this.n ensures this.n = this.n0 + 1method adjust(this, v)

requires 0 ≤ v modifies this.n ensures this.n = this.n0 + vmimpl adjust(this, v) is

if n=0 thenskip

elsethis.inc(); this.adjust(n-1)

end }

Example: valid/state Example: valid/state paradigmparadigmclass T {

abstract field valid: boolabstract field state: unit

method init(this, x, y, z)requires P(x,y,z) modifies this.valid, this.state ensures

this.valid

method operation0(this, x, y, z)requires this.valid /\ R0(x,y,z) modifies this.state ensures

truemethod operation1(this, x, y, z)

requires this.valid /\ R1(x,y,z) modifies this.state ensures true

…method close(this)

requires this.valid modifies this.valid, this.state ensures true

field f: int in valid, statefield g: int in valid, statefield h: int in state

rep this.valid this.f < this.g

… }

Example: visitorExample: visitorclass Container {

field x: intfield y: intmethod put(this, z)

requires true modifies this.x, this.yensures (this.x = z /\ this.y = this.y0) \/ (this.x = this.x0 /\

this.y = z)method pick(this) returns (z)

requires true modifies ε ensures z = this.x \/ z = this.ymethod map(this, visitor) …mimpl map(this, visitor) is

visitor.apply(this.x);visitor.apply(this.y)

}

class Visitor {method apply(this, z) …

}

Example: visitorExample: visitorclass Container {

field x: intfield y: int…method map(this, visitor)

requires visitor.valid modifies visitor.state ensures truemimpl map(this, visitor) is

visitor.apply(this.x);visitor.apply(this.y)

}

class Visitor {abstract field valid: boolabstract field state: unitmethod apply(this, z)

requires this.valid modifies this.state ensures true}

Information hiding andInformation hiding andmodular verificationmodular verification

Instead of proving Verif(Method, Instead of proving Verif(Method, Program):Program):

UnivBackPred /\ BackPred(Program)UnivBackPred /\ BackPred(Program)==> VC(MethodImpl)==> VC(MethodImpl)

prove Verif(Method, Module):prove Verif(Method, Module):UnivBackPred /\ BackPred(Module)UnivBackPred /\ BackPred(Module)==> VC(MethodImpl)==> VC(MethodImpl)

where MethodImpl where MethodImpl Module Module Program Program

Modular soundnessModular soundness Well-formed(Module) /\Well-formed(Module) /\

Verif(Method, Module)Verif(Method, Module)==> Verif(Method, Program)==> Verif(Method, Program)

SummarySummary Method specifications apply Method specifications apply

unchanged to all method overridesunchanged to all method overrides Data abstraction (abstract variables, Data abstraction (abstract variables,

abstraction dependencies, rep abstraction dependencies, rep functions) gives subclasses the ability functions) gives subclasses the ability to operate differentlyto operate differently

Information hiding poses restrictions Information hiding poses restrictions on formal system for data abstraction, on formal system for data abstraction, likely including alias confinementlikely including alias confinement

ReferencesReferences C.A.R. Hoare. “Proof of correctness of data representations”. C.A.R. Hoare. “Proof of correctness of data representations”.

In In Acta Informatica Acta Informatica 1(4), pp. 271-281, Springer, 1972.1(4), pp. 271-281, Springer, 1972. K. Rustan M. Leino. K. Rustan M. Leino. Toward Reliable Modular ProgramsToward Reliable Modular Programs. PhD . PhD

thesis, California Institute of Technology. Technical Report thesis, California Institute of Technology. Technical Report Caltech-CS-TR-95-03, Caltech, 1995.Caltech-CS-TR-95-03, Caltech, 1995.

K. Rustan M. Leino and Greg Nelson. K. Rustan M. Leino and Greg Nelson. Data abstraction and Data abstraction and information hidinginformation hiding. Research Report 160, Compaq SRC, Nov. . Research Report 160, Compaq SRC, Nov. 2000. To appear in 2000. To appear in TOPLASTOPLAS..

Peter MPeter Müüller. ller. Modular Specification and Verification of Object-Modular Specification and Verification of Object-Oriented ProgramsOriented Programs. PhD thesis, FernUniversit. PhD thesis, FernUniversität Hagenät Hagen. . Volume 2262 of LNCS, Springer, 2002.Volume 2262 of LNCS, Springer, 2002.

K. Rustan M. Leino. “Data groups: Specifying the modification K. Rustan M. Leino. “Data groups: Specifying the modification of extended state”. In of extended state”. In OOPSLA ’98OOPSLA ’98, pp. 144-153, ACM, 1998., pp. 144-153, ACM, 1998.

K. Rustan M. Leino, Arnd Poetzsch-Heffter, and Yunhong Zhou. K. Rustan M. Leino, Arnd Poetzsch-Heffter, and Yunhong Zhou. “Using data groups to specify and check side effects”. In “Using data groups to specify and check side effects”. In PLDI PLDI ’02’02, SIGPLAN Notices 37(5), pp. 246-257, ACM, May 2002., SIGPLAN Notices 37(5), pp. 246-257, ACM, May 2002.

Checking correctness properties of object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 EEF summer school on Specification,

Documents

data groups

data representations

abstraction dependencies

leino microsoft research

method mthis

modular specification

phd thesis

reliable modular programs