1. Principles of Object-Oriented Software Development Behavioral refinement

2. Introduction Types as behavior Verifying behavioral properties On the notion of behavior Objects as behavioral types Specifying behavioral compositions Summary Q/A Literature

3. Behavioral refinement types as behavior verification abstraction and representation behavioral compositions Additional keywords and phrases: behavioral subtypes, state transformers, correctness formulae, assertion logic, transition systems, invariants, formal specification

4. Types as behavior

5. Subtype requirements -- signature and behavior preservation of behavioral properties Safety properties -- nothing bad invariant properties -- true of all states history properties -- true of all execution sequences Subtyping and behavior

6. Example -- IntSet \not<= FatSet FatSet -- insert, select, size IntSet -- insert, delete, select, size History property -- not satisfied by IntSet History properties -- example

7. Types and behavioral constraints

8. Verifying behavioral properties Subsections: State transformers Assertion logic

9. State transformers

10. The verification of state transformations

11. Assertion logic

12. The correctness calculus

13. On the notion of behavior The syntax of a simple OO language

14. Transition system -- rules

15. Transition system -- compound statement

16. Transitions -- example

17. Objects as behavioral types Subsections: Abstraction and representation Correspondence

18. Abstraction and representation

19. Abstract Data Types representation function Representation function

20. The specification of a stack

21. template implementation class as { int t; T a[MAX]; public: as() { t = 0; } void push(T e) { require(t0); return a[--t]; } invariant: 0 <= t && t < MAX; }; The realization of a stack

22. Abstraction function and representation invariant

23. The correspondence relation The subtype correspondence mapping

24. Behavioral subtyping constraints

25. Behavioral subtypes -- example

27. Behavioral subtypes -- correspondence

28. Behavioral subtypes -- proof obligations

29. Specifying behavioral compositions

30. Problem -- dynamic aliasing

31. class A { public: A() { forward = 0; } attach(B* b) { forward = b; b->attach(this); } bool invariant() { return !forward || forward->backward == this; } private: B* forward; }; class B { public: B() { backward = 0; } attach(A* a) { backward = a; } bool invariant() { return !backward || backward->forward == this; } private: A* backward; };

32. A a1, a2; B b; a1.attach(b); a2.attach(b); // violates invariant a1

33. Contracts -- behavioral compositions interaction specification, refinement, conformance declarations Scripts -- cooperation by enrollment roles, initialization/termination protocols, critical role set Multiparty interactions -- communication primitive frozen state, fault-tolerance, weakening synchrony Joint action systems -- action-oriented state charts, refinement, superposition Specifying interactions

34. Joint action systems action service() by client c; server s is when c.requesting && s.free do Specifying actions -- example

35. The Model-View contract

36. Summary

37. Types as behavior subtype requirements -- preservation of behavioral properties behavioral properties -- invariance, history duality -- static versus dynamic constraints 1

38. Verifying behavioral properties states -- transformations verification -- correctness formulae axioms -- consequence rules, abstraction 2

39. On the notion of behavior syntax -- expressions, statements rules -- assignment, object creation, method call compound rules -- composition, conditional, iteration 3

40. Objects as behavioral types abstract data types -- representation function correspondence -- abstraction, renaming, extension behavioral subtypes -- correspondence 4

41. Specifying behavioral compositions global invariants -- dynamic aliasing model-based specification -- state and operations compositions -- contracts, scripts, interaction, joint actions 5

42. Questions 1.How would you characterize the conformance requirements for subtyping? Explain what properties are involved. 2. Give an example of signature compatible types not satisfying the history property. 3. Explain the duality between imposing constraints statically and dynamically. 4. How would you formally characterize program states and state transformations? 5. Explain how you may verify the behavior of a program by means of correctness formulae. 6. Characterize how the behavior of objects may be modeled by means of a transition system and specify a transition system for a simple object- oriented language. 7. How would you characterize the relation between an abstract data type and its realizations?

43. 8. Give an example of an abstract specification of a stack. Define a realization and show that the realization is correct with respect to its abstract specification. 9. Explain the notion of correspondence for behavioral subtypes. 10. Show that a stack is a behavioral subtype of a bag by defining an appropriate correspondence relation. What proof obligations must be met? 11. Discuss the problems involved in satisfying global invariance properties. 12. What formal methods do you know that deal with specifying the behavior of collections of objects?

44. Further reading As further reading with respect to the verification of programs, I recommend [AptO] and [Dahl92]. An assertion logic for a parallel object-oriented language is presented in [AmBo93].