Technologies for finding errors in object-oriented software - PowerPoint PPT Presentation

1
Technologies for finding errors in object-oriented software
  • K. Rustan M. Leino, Microsoft Research, Redmond, WA

Lecture 2, Summer school on Formal Models of Software, 4 Sep 2003, Tunis, Tunisia
2
Review: procedural language constructs
  • 6 primitive commands
  • Many shorthands
  • Arrays are variables with structure
  • Procedure declarations and specification

3
  • Procedural
      x := E
      x : T
      P(x, y, z)
  • Object-oriented
      o.f := E
      o : T
      o.m(y, z)

4
Object types and subtyping
  • D: set of type names
  • typeof : object → D
  • < : partial order on D
  • istype(o, T) ≡ typeof(o) < T
  • Note: T < U ⇒ (istype(o, T) ⇒ istype(o, U))

5
An object-oriented programming notation
  • C ::= w := E
  • assert P
  • var w in C end
  • C0 ; C1
  • if P then C0 else C1 end
  • o.f := E
  • x := new(T)
  • w := o.m(E0, E1)

6
Object fields are maps
  • Java: class T extends U { ... f : X ... }
  • Here: T ∈ D, T < U, f : T → X
  • x := o.f ≡ x := f[o]
  • o.f := E ≡ f[o] := E ≡ f := store(f, o, E)

7
Aliasing (pointer sharing)
  • (o.f := 12; p.g := 14; assert o.f = 12).true
    ≡ true
  • (o.f := 12; p.f := 14; assert o.f = 12).true
    ≡ o ≠ p

8
Allocation
  • alloc : object → bool
  • x := new(T) ≡ change x such that typeof(x) = T ∧ ¬alloc[x]; alloc[x] := true

9
Example
  • (o.f := 12; p := new(T); p.f := 14; assert o.f = 12).true
    ≡ alloc[o]

10
Methods declarations and method implementations
  • method T m(x, y, z) returns (r, s, t) requires P modifies w ensures Q
    ≡ proc m(x, y, z) returns (r, s, t) spec assert istype(x, T); w:[P, Q]
  • mimpl U m(x, y, z) returns (r, s, t) is C
    ≡ impl m(x, y, z) returns (r, s, t) is assume istype(x, U); C

receiver parameter (this, current, self)
11
Method call
  • w := o.m(E0, E1) ≡ w := m(o, E0, E1)

12
Example: union-find
[Figure: elements a to r grouped into equivalence classes; labels: element, representative element, equivalence class]
13
Example: union-find
[Figure: the same classes; find(c) = a]
14
Example: union-find
[Figure: the same classes after union(p, h)]
15
Example: specification
class UnionFind < Object
  field nClasses, nElements, ...
  method UnionFind init(uf, size)
    requires 0 ≤ size
    modifies uf.nClasses, uf.nElements, ...
    ensures uf.nClasses = uf.nElements = size
  method UnionFind find(uf, c) returns (r)
    requires 0 ≤ c < uf.nElements
    ensures 0 ≤ r < uf.nClasses
  method UnionFind union(uf, c, d)
    requires 0 ≤ c < uf.nElements ∧ 0 ≤ d < uf.nElements
    modifies uf.nClasses
    ensures uf.nClasses = uf.nClasses0 ∨ uf.nClasses = uf.nClasses0 - 1
16
Example: client
var uf, r0, r1, r2 in
  uf := new(UnionFind);
  uf.init(12);
  uf.union(3, 8); uf.union(8, 6); uf.union(10, 11);
  r0 := uf.find(3); r1 := uf.find(5); r2 := uf.find(6);
  assert r0 ≠ r1;
  assert r0 = r2
end
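As an added example that is not part of the lecture, the UnionFind specification above is turned into runtime-checked contracts around a constructed parent-pointer representation, and the client program of slide 16 is run against it. The ContractViolation class and the check helper are my own; find numbers the classes 0..nClasses-1 so that its stated postcondition 0 ≤ r < uf.nClasses is met literally.

```python
# Added example, not from the lecture: the UnionFind specification of slide 15 as
# runtime-checked contracts around a constructed parent-pointer representation,
# exercised by the client program of slide 16.
class ContractViolation(Exception):
    pass

def check(cond, clause):                 # raise on a violated requires/ensures clause
    if not cond:
        raise ContractViolation(clause)

class UnionFind:
    def init(self, size):
        check(0 <= size, "requires 0 <= size")
        self.nElements = size
        self.nClasses = size
        self.parent = list(range(size))  # hidden representation: parent pointers
        check(self.nClasses == self.nElements == size,
              "ensures uf.nClasses = uf.nElements = size")

    def _rep(self, c):                   # representative element of c's class
        while self.parent[c] != c:
            c = self.parent[c]
        return c

    def find(self, c):
        check(0 <= c < self.nElements, "requires 0 <= c < uf.nElements")
        reps = sorted(i for i in range(self.nElements) if self.parent[i] == i)
        r = reps.index(self._rep(c))     # classes numbered 0..nClasses-1, as the spec demands
        check(0 <= r < self.nClasses, "ensures 0 <= r < uf.nClasses")
        return r

    def union(self, c, d):
        check(0 <= c < self.nElements and 0 <= d < self.nElements,
              "requires 0 <= c < uf.nElements and 0 <= d < uf.nElements")
        nClasses0 = self.nClasses        # entry value, for the two-state postcondition
        rc, rd = self._rep(c), self._rep(d)
        if rc != rd:
            self.parent[rc] = rd
            self.nClasses -= 1
        check(self.nClasses in (nClasses0, nClasses0 - 1),
              "ensures uf.nClasses = uf.nClasses0 or uf.nClasses = uf.nClasses0 - 1")

def client():
    """Slide 16's client program; returns (r0, r1, r2) once its two asserts pass."""
    uf = UnionFind(); uf.init(12)
    uf.union(3, 8); uf.union(8, 6); uf.union(10, 11)
    r0, r1, r2 = uf.find(3), uf.find(5), uf.find(6)
    assert r0 != r1
    assert r0 == r2
    return r0, r1, r2
```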
17
Example: implementation
class StandardUnionFind < UnionFind
  mimpl StandardUnionFind find(uf, c) returns (r) is
class FastUnionFind < UnionFind
  mimpl FastUnionFind find(uf, c) returns (r) is
18
What's missing?
  • null
  • type casts
  • types of parameters
  • types of fields
  • properties of allocation
  • ...

19
null
  • New definitions:
  • istype(o, T) ≡ o = null ∨ typeof(o) < T
  • o.f := E ≡ assert o ≠ null; f[o] := E

20
Type casts
  • x := typecast(o, T)
  • ≡ assert istype(o, T); x := o

21
Example: binary method
class T < Object
  method T equal(x, y) returns (b)
    requires typeof(x) = typeof(y)
class U < T
  mimpl U equal(x, y) returns (b) is
    var yy in
      yy := typecast(y, U)
      // compare x and yy
      ...
    end
22
Types of parameters
method OutputStream putText(wr, s)
method print(t : T, wr : OutputStream)
  ≡ method T print(t, wr) requires istype(wr, OutputStream)
23
Types of fields
field T f : U    // class T { f : U }
(∀ f, T, U • isField(f, T, U) ≡ (∀ o • istype(f[o], U)))
24
Types of fields
field T f : U    // class T { f : U }
(∀ f, T, U • isField(f, T, U) ≡ (∀ o • istype(o, T) ⇒ istype(f[o], U)))
Initially: assume isField(f, T, U)
Whenever f is changed: assume isField(f, T, U)
25
More about allocation
  • initially, for every parameter x: assume alloc[x]
  • mimpl T m(x) is var y in y := new(T); assert x ≠ y end

26
Even more about allocation
  • mimpl T m(x) is var y in y := new(T); assert x.f ≠ y end

27
Even more about allocation
  • mimpl T m(x) is var y in y := new(T); assert x.f ≠ y end
  • isField(f, T, U, a) ≡ … ∧ (∀ o • a[o] ⇒ a[f[o]])
  • Initially and whenever f or alloc is changed: assume isField(f, T, U, alloc)
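As an added example that is not part of the lecture, the following Python model makes the semantics of slides 6 to 9 and 25 to 27 executable: fields are maps f[o], allocation is the map alloc[o], o.f := E is guarded by the null check of slide 19, and new(T) picks some unallocated object. It runs the three small programs of slides 7, 9 and 26 and reports whether their assert holds; the object names, the finite universe and the field names are constructed.

```python
# Added example, not from the lecture: the slides' semantics (fields as maps f[o], alloc[o],
# new(T) choosing a free object) made executable and run on the programs of slides 7, 9, 26.
UNIVERSE = ["o1", "o2", "o3"]   # constructed finite set of objects for new(T) to pick from

class State:
    def __init__(self):
        self.f = {}             # field name -> map from object to value
        self.alloc = set()      # alloc[o] holds iff o in self.alloc
        self.typeof = {}        # typeof: object -> D (type names)

    def new(self, T):
        """x := new(T): some x with typeof(x) = T and not alloc[x] (first free one here); alloc[x] := true."""
        x = next(x for x in UNIVERSE if x not in self.alloc)
        self.typeof[x] = T
        self.alloc.add(x)
        return x

    def store(self, field, o, value):
        """o.f := E == assert o != null; f := store(f, o, E) (slide 19's null check)."""
        assert o is not None, "null dereference"
        self.f.setdefault(field, {})[o] = value

    def select(self, field, o):
        assert o is not None, "null dereference"      # x := o.f == assert o != null; x := f[o]
        return self.f.get(field, {}).get(o)

def aliasing_program(o, p, field_of_p):
    """Slide 7: o.f := 12; p.<field_of_p> := 14; assert o.f = 12. True iff the assert holds."""
    s = State()
    s.alloc.update((o, p))
    s.store("f", o, 12)
    s.store(field_of_p, p, 14)
    return s.select("f", o) == 12

def allocation_program(allocated):
    """Slide 9 (o = "o1"): o.f := 12; p := new(T); p.f := 14; assert o.f = 12. Holds iff alloc[o] held."""
    s, o = State(), "o1"
    s.alloc.update(allocated)
    s.store("f", o, 12)
    p = s.new("T")            # without alloc[o], new(T) may hand back o itself
    s.store("f", p, 14)
    return s.select("f", o) == 12

def field_allocation_program(allocated):
    """Slide 26 (x = "o1", x.f = "o2"): y := new(T); assert x.f != y. Holds iff alloc[x.f] held (slide 27)."""
    s, x = State(), "o1"
    s.alloc.update(allocated)
    s.store("f", x, "o2")
    y = s.new("T")
    return s.select("f", x) != y
```

The failing runs reproduce the preconditions the slides derive: o ≠ p for the second aliasing program, alloc[o] for slide 9, and alloc[f[x]] (the clause slide 27 adds to isField) for slide 26.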

28
Exercise
  • Prove the following program correct:
    method p(x) modifies x.f
    method m(x) modifies x.f
    mimpl m(x) is var y in x.p(); y := new(T); assert x.f ≠ y end

29
Strengthening specifications
class T < Object
  method T m(x, y, z) requires P modifies w ensures Q
class U < T
  method U m(x, y, z) requires P modifies w ensures Q ∧ R
... u.m(y, z); assert R ...
?
30
Strengthening specifications
class T < Object
  method T m(x, y, z) requires P modifies w ensures Q
class U < T
  method U n(x, y, z) requires P modifies w ensures Q ∧ R
  mimpl U m(x, y, z) is x.n(y, z)
... u.n(y, z); assert R ...
31
Two-state postconditions
  • ensures x.f0 < x.f ≡ ensures f0[x] < f[x] ≡ ensures select(f0, x) < select(f, x)

32
Modifies and objects
  • modifies x.f ≡ modifies f ensures (∀ o • o.f = o.f0 ∨ o = x)

33
Exercise
class T < Object
  field f
  method T m(x, y, z) requires P modifies x.f ensures Q
class U < T
  field g
  method U m(x, y, z) requires P modifies x.f, x.g ensures Q
?
34
What else is missing?
  • Information hiding
  • Correctness of data representations
  • Programming methodology
  • ...