Principles of Object-Oriented Software Development Behavioral refinement
Introduction Types as behavior Verifying behavioral properties On the notion of behavior Objects as behavioral types Specifying behavioral compositions Summary Q/A Literature
Behavioral refinement types as behavior verification abstraction and representation behavioral compositions Additional keywords and phrases: behavioral subtypes, state transformers, correctness formulae, assertion logic, transition systems, invariants, formal specification
Types as behavior
Subtype requirements -- signature and behavior preservation of behavioral properties Safety properties -- nothing bad invariant properties -- true of all states history properties -- true of all execution sequences Subtyping and behavior
Example -- IntSet \not<= FatSet FatSet -- insert, select, size IntSet -- insert, delete, select, size History property -- not satisfied by IntSet History properties -- example
Types and behavioral constraints
Verifying behavioral properties Subsections: State transformers Assertion logic
State transformers
The verification of state transformations
Assertion logic
The correctness calculus
On the notion of behavior The syntax of a simple OO language
Transition system -- rules
Transition system -- compound statement
Transitions -- example
Objects as behavioral types Subsections: Abstraction and representation Correspondence
Abstraction and representation
Abstract Data Types representation function Representation function
The specification of a stack
template implementation class as { int t; T a[MAX]; public: as() { t = 0; } void push(T e) { require(t0); return a[--t]; } invariant: 0 <= t && t < MAX; }; The realization of a stack
Abstraction function and representation invariant
The correspondence relation The subtype correspondence mapping
Behavioral subtyping constraints
Behavioral subtypes -- example
Behavioral subtypes -- correspondence
Behavioral subtypes -- proof obligations
Specifying behavioral compositions
Problem -- dynamic aliasing
class A { public: A() { forward = 0; } attach(B* b) { forward = b; b->attach(this); } bool invariant() { return !forward || forward->backward == this; } private: B* forward; }; class B { public: B() { backward = 0; } attach(A* a) { backward = a; } bool invariant() { return !backward || backward->forward == this; } private: A* backward; };
A a1, a2; B b; a1.attach(b); a2.attach(b); // violates invariant a1
Contracts -- behavioral compositions interaction specification, refinement, conformance declarations Scripts -- cooperation by enrollment roles, initialization/termination protocols, critical role set Multiparty interactions -- communication primitive frozen state, fault-tolerance, weakening synchrony Joint action systems -- action-oriented state charts, refinement, superposition Specifying interactions
Joint action systems action service() by client c; server s is when c.requesting && s.free do Specifying actions -- example
The Model-View contract
Summary
Types as behavior subtype requirements -- preservation of behavioral properties behavioral properties -- invariance, history duality -- static versus dynamic constraints 1
Verifying behavioral properties states -- transformations verification -- correctness formulae axioms -- consequence rules, abstraction 2
On the notion of behavior syntax -- expressions, statements rules -- assignment, object creation, method call compound rules -- composition, conditional, iteration 3
Objects as behavioral types abstract data types -- representation function correspondence -- abstraction, renaming, extension behavioral subtypes -- correspondence 4
Specifying behavioral compositions global invariants -- dynamic aliasing model-based specification -- state and operations compositions -- contracts, scripts, interaction, joint actions 5
Questions 1.How would you characterize the conformance requirements for subtyping? Explain what properties are involved. 2. Give an example of signature compatible types not satisfying the history property. 3. Explain the duality between imposing constraints statically and dynamically. 4. How would you formally characterize program states and state transformations? 5. Explain how you may verify the behavior of a program by means of correctness formulae. 6. Characterize how the behavior of objects may be modeled by means of a transition system and specify a transition system for a simple object- oriented language. 7. How would you characterize the relation between an abstract data type and its realizations?
8. Give an example of an abstract specification of a stack. Define a realization and show that the realization is correct with respect to its abstract specification. 9. Explain the notion of correspondence for behavioral subtypes. 10. Show that a stack is a behavioral subtype of a bag by defining an appropriate correspondence relation. What proof obligations must be met? 11. Discuss the problems involved in satisfying global invariance properties. 12. What formal methods do you know that deal with specifying the behavior of collections of objects?
Further reading As further reading with respect to the verification of programs, I recommend [AptO] and [Dahl92]. An assertion logic for a parallel object-oriented language is presented in [AmBo93].