Modular Verification of Higher-Order Methods in JML Gary T. Leavens, Steve Shaner, and David A. Naumann Support from US NSF grant CCF-0429567.

Slides:



Advertisements
Similar presentations
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Advertisements

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 6 Disclaimer. These notes are derived from notes originally.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Modules Program is built out of components. Each component defines a set of logically related entities (strong internal coupling) A component has a public.
Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?
Verifying Executable Object-Oriented Specifications with Separation Logic Stephan van Staden, Cristiano Calcagno, Bertrand Meyer.
The Java Modeling Language JML Erik Poll Digital Security Radboud University Nijmegen.
Error Management with Design Contracts Karlstad University Computer Science Error Management with Design Contracts Eivind J. Nordby, Martin Blom, Anna.
ISBN Chapter 3 Describing Syntax and Semantics.
Dept. of Computer Science A Runtime Assertion Checker for the Java Modeling Language (JML) Yoonsik Cheon and Gary T. Leavens SERP 2002, June 24-27, 2002.
COMP171 Data Structure & Algorithm Tutorial 1 TA: M.Y.Chan.
Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,
An overview of JML tools and applications Lilian Burdy Gemplus Yoonsik Cheon, Gary Leavens Iowa Univ. David Cok Kodak Michael Ernst MIT Rustan Leino Microsoft.
ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.
Software Testing and Quality Assurance
JML and Class Specifications Class invariant JML definitions Queue example Running JML in Eclipse.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Feb. 23, 2004CS WPI1 CS 509 Design of Software Systems Lecture #5 Monday, Feb. 23, 2004.
Describing Syntax and Semantics
Subclasses and Subtypes CMPS Subclasses and Subtypes A class is a subclass if it has been built using inheritance. ▫ It says nothing about the meaning.
Mathematics throughout the CS Curriculum Support by NSF #
A Formal Model of Modularity in Aspect-Oriented Programming Jonathan Aldrich : Objects and Aspects Carnegie Mellon University.
TGDC Meeting, December 2011 Michael Kass National Institute of Standards and Technology Update on SAMATE Automated Source Code Conformance.
Ranga Rodrigo. Class is central to object oriented programming.
Procedure specifications CSE 331. Outline Satisfying a specification; substitutability Stronger and weaker specifications - Comparing by hand - Comparing.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
4 Dec 2001Kestrel1 From Patterns to Programming Languages Matthias Felleisen Northeastern University.
Model Programs for Preserving Composite Invariants SAVCBS 2008 Challenge Problem Solution by Steve Shaner, Hridesh Rajan, Gary T. Leavens Iowa State and.
1 Total Correctness of Recursive Functions Using JML4 FSPV George Karabotsos, Patrice Chalin, Perry R. James, Leveda Giannas Dependable Software Research.
Design by Contract in Java Concept and Comparison.
111 Protocols CS 4311 Wirfs Brock et al., Designing Object-Oriented Software, Prentice Hall, (Chapter 8) Meyer, B., Applying design by contract,
More About Classes Ranga Rodrigo. Information hiding. Copying objects.
JCMP: Linking Architecture with Component Building Guoqing Xu, Zongyuan Yang and Haitao Huang Software Engineering Lab, East China Normal University SACT-01,
Synthesis with the Sketch System D AY 1 Armando Solar-Lezama.
Computer Science School of Computing Clemson University Discrete Math and Reasoning about Software Correctness Joseph E. Hollingsworth
An Ontological Framework for Web Service Processes By Claus Pahl and Ronan Barrett.
Today’s Agenda  Quick Review  Continue on JML Formal Methods in Software Engineering1.
Spec# Andreas Vida. Motivation Correct and maintainable software Correct and maintainable software Cost effective software production Cost effective software.
Applying Translucid Contracts for Modular Reasoning about Aspect and Object Oriented Events Mehdi Bagherzadeh Gary T. Leavens Robert Dyer Foundations of.
Modularly Typesafe Interface Dispatch in JPred Christopher Frost and Todd Millstein University of California, Los Angeles
Protocols Software Engineering II Wirfs Brock et al, Designing Object-Oriented Software, Prentice Hall, Mitchell, R., and McKim, Design by Contract,
Design Patterns SE464 Derek Rayside images from NetObjectives.com & Wikipedia.
ANU COMP2110 Software Design in 2003 Lecture 10Slide 1 COMP2110 Software Design in 2004 Lecture 12 Documenting Detailed Design How to write down detailed.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
Quick Review of OOP Constructs Classes:  Data types for structured data and behavior  fields and methods Objects:  Variables whose data type is a class.
CSSE501 Object-Oriented Development. Chapter 10: Subclasses and Subtypes  In this chapter we will explore the relationships between the two concepts.
Overview of C++ Polymorphism
CSC3315 (Spring 2009)1 CSC 3315 Languages & Compilers Hamid Harroud School of Science and Engineering, Akhawayn University
Lecture 12 Implementation Issues with Polymorphism.
Interface specifications At the core of each Larch interface language is a model of the state manipulated by the associated programming language. Each.
CSE 374 Programming Concepts & Tools Hal Perkins Fall 2015 Lecture 17 – Specifications, error checking & assert.
Accessible Formal Methods A Study of the Java Modeling Language
Stateful Manifest Contracts
Lecture 5 Floyd-Hoare Style Verification
Programming Languages 2nd edition Tucker and Noonan
Hoare-style program verification
Semantics In Text: Chapter 3.
Verified Subtyping with Traits and Mixins
Protocols CS 4311 Wirfs Brock et al., Designing Object-Oriented Software, Prentice Hall, (Chapter 8) Meyer, B., Applying design by contract, Computer,
Overview of C++ Polymorphism
Java Modeling Language (JML)
Assertions References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 4/25/2019.
Programming Languages 2nd edition Tucker and Noonan
Software Specifications
Programming Languages 2nd edition Tucker and Noonan
Presentation transcript:

Modular Verification of Higher-Order Methods in JML Gary T. Leavens, Steve Shaner, and David A. Naumann Support from US NSF grant CCF

Summary Problem How to reason about higher-order methods? Approach Greybox [Büchi-Weck97,99] specifications, Copy rule / substitution [Morgan88], Structurally-restricted refinement Contribution Structural matching for refinement Integration with JMLJML

Setting JML Pre- and postcondition specifications Several verification tools: ESC/Java2 Jack, LOOP, … Java Libraries: Swing I/O frameworks Jakarta Commons

Background: Higher-Order Methods A higher-order method (HOM) makes mandatory calls to weakly-specified methods

Example (part 1) Class with a `method parameter public class Counter { protected int count = 0; protected Listener lnr; assignable this.lnr; ensures this.lnr == lnr; public Counter(Listener lnr) { // parameter this.lnr = lnr; }

Example (part 2): HOM public void bump() { this.count = this.count + 1; this.lnr.actionPerformed(this.count); }

Mandatory Calls are Weakly Specified public interface Listener { assignable this.objectState; void actionPerformed(int x); }

Subtype of Listener public class LastVal implements Listener { private int val = 0; in objectState; ensures \result == this.val; public int getVal() { return this.val; } also assignable objectState; ensures this.val == x; public void actionPerformed(int x) { this.val = x; } }

Subtype of Listener public class LastVal implements Listener { private int val = 0; in objectState; ensures \result == this.val; public int getVal() { return this.val; } also assignable objectState; ensures this.val == x; public void actionPerformed(int x) { this.val = x; } }

Reasoning Problem: Want strong conclusions LastVal lv = new LastVal(); assert lv.val == 0; Counter c = new Counter(lv); assert c.lnr == lv && c.count == 0; c.bump(); assert lv.val == 1;

Why is strong conclusion valid? Copy rule and substitutions LastVal lv = new LastVal(); assert lv.val == 0; Counter c = new Counter(lv); assert c.lnr == lv && c.count == 0; c.count = c.count+1; c.lnr.actionPerformed(c.count); assert lv.val == 1;

Problem Summary Specification of higher-order methods (challenge 8 in [Leavens-Leino-Müller06]) Abstract Specifies mandatory calls Suppress other details Allows strong conclusions (challenge 9) Copy rule and substitution Soundness Must make mandatory calls

Use of Higher-Order Methods Key in design patterns [Gamma-etal95]: Observer Template Method Chain of Responsibility Clients of design patterns: Interpreter Command State Strategy Visitor

How to Specify HOMs? Standard Pre/Post … assignable this.count, ensures this.count public void bump() { this.count = this.count + 1; this.lnr.actionPerformed(this.count); }

… Is Not Enough LastVal lv = new LastVal(); assert lv.val == 0; Counter c = new Counter(lv); assert c.lnr == lv && c.count == 0; c.bump(); assume c.count == 1; hence_by (* ??? *); assert lv.val == 1;

Higher-Order Specifications? E.g., [Ernst-Navlakhla-Ogden82]: forall int requires assignable ensures this.count public void bump() { /* … */ }

Problems with Higher-Order Specifications Often longer and more complex than code Harder to learn and teach Harder for tools to work with? Calls are not mandatory

Greybox (Ref. Calc.) Approach [Büchi–Weck97, 99] vs. Better: lnr.actionPerformed() c.count++

public model_program assignable ensures public void bump() { /* … */ } Greybox Approach in JML: Model Program Specification

Reasoning About HOM Calls LastVal lv = new LastVal(); assert lv.val == 0; Counter c = new Counter(lv); assert c.lnr == lv && c.count == 0; c.bump(); assert lv.val == 1;

Approach: Model Program Copy Rule and Substitution LastVal lv = new LastVal(); assert lv.val == 0; Counter c = new Counter(lv); assert c.lnr == lv && c.count == 0; assignable ensures c.count == c.lnr.actionPerformed(c.count); assert lv.val == 1;

Rule for HOM Calls (Copy Rule + Substitution) P { y.m(z); } Q y: T, methType(T,m) = x:S -> void, specFor(T,m) = C, C = C [y,z/this,x], P { C } Q

Rule for Higher-Order Calls (Copy Rule + Substitution) P A { y.m(z); } Q y: T, methType(T,m) = x:S -> void, SpecFor(T,m) = C, C = C [y,z/this,x], P A { C } Q

Strong Conclusions from Copy + Contextual Knowledge assert c.lnr == lv; c.bump(); Copy/Substitute model program assignable ensures c.count == c.lnr.actionPerformed(c.count); Context lv.actionPerformed(c.count); +

Soundness from Restricting Implementations For soundness of HOM call rule: (copy rule) body refines model program (use of context) restrict refinement so mandatory calls must happen in specified states

Notion of Refinement with Mandatory Calls in Given States Need to define structure-preserving refinement Approach: Restrict implementations Pattern matching Model program vs. Implementation

Kinds of Patterns Refinable (holes, wildcards) Specification statements (normal_behavior) Mandatory Calls Everything else

Pattern Matching normal_behavior … following normal_behavior … { C } Model program Method implementation m();

Implementing Higher-Order Methods public model_program assignable ensures this.count == public void bump() { following assignable ensures this.count == { this.count = this.count+1; } this.lnr.actionPerformed(this.count); }

Refinement P C iff C pattern matches against P The resulting following statements are provable

Rule for following P { following normal_behavior requires P; ensures Q; C } Q P ==> P, Q ==> Q, P { C } Q

Rule for following P A { following normal_behavior requires P; assignable A; ensures Q; C } Q P ==> P, locs(A) locs(A), Q ==> Q, P { C } Q

Future Work Soundness argument Connection to Büchi and Wecks work (refinement of traces) Case studies Implementation in JML tools Exceptions Concurrency

Related Work Büchi and Weck (1997, 99): Idea of greybox approach Trace semantics Doesnt focus on reasoning about calls Needs definition of structure preservation Morgan (1988): Uses adaptation and substitution for procedures

Related Work Ernst, Navlakhla, and Ogden (1982): Higher-order logic specifications Harder to write and use Mandatory calls might not be made Soundarajan and Fridella (2004): Higher-order trace-based specifications Can ensure mandatory calls are made Harder to write and use

Conclusions Greybox (refinement-style) model programs Clear specification of HOMs Allow strong conclusions Soundness: Restrictions on refinement Use of pattern matching

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.