Principles of Object-Oriented Software Development Behavioral refinement

Introduction Types as behavior Verifying behavioral properties On the notion of behavior Objects as behavioral types Specifying behavioral compositions Summary Q/A Literature

Behavioral refinement types as behavior verification abstraction and representation behavioral compositions Additional keywords and phrases: behavioral subtypes, state transformers, correctness formulae, assertion logic, transition systems, invariants, formal specification

Types as behavior

Subtype requirements -- signature and behavior preservation of behavioral properties Safety properties -- nothing bad invariant properties -- true of all states history properties -- true of all execution sequences Subtyping and behavior

Example -- IntSet \not<= FatSet FatSet -- insert, select, size IntSet -- insert, delete, select, size History property -- not satisfied by IntSet History properties -- example

Types and behavioral constraints

Verifying behavioral properties Subsections: State transformers Assertion logic

State transformers

The verification of state transformations

Assertion logic

The correctness calculus

On the notion of behavior The syntax of a simple OO language

Transition system -- rules

Transition system -- compound statement

Transitions -- example

Objects as behavioral types Subsections: Abstraction and representation Correspondence

Abstraction and representation

Abstract Data Types representation function Representation function

The specification of a stack

template implementation class as { int t; T a[MAX]; public: as() { t = 0; } void push(T e) { require(t0); return a[--t]; } invariant: 0 <= t && t < MAX; }; The realization of a stack

Abstraction function and representation invariant

The correspondence relation The subtype correspondence mapping

Behavioral subtyping constraints

Behavioral subtypes -- example

Behavioral subtypes -- correspondence

Behavioral subtypes -- proof obligations

Specifying behavioral compositions

Problem -- dynamic aliasing

class A { public: A() { forward = 0; } attach(B* b) { forward = b; b->attach(this); } bool invariant() { return !forward || forward->backward == this; } private: B* forward; }; class B { public: B() { backward = 0; } attach(A* a) { backward = a; } bool invariant() { return !backward || backward->forward == this; } private: A* backward; };

A a1, a2; B b; a1.attach(b); a2.attach(b); // violates invariant a1

Contracts -- behavioral compositions interaction specification, refinement, conformance declarations Scripts -- cooperation by enrollment roles, initialization/termination protocols, critical role set Multiparty interactions -- communication primitive frozen state, fault-tolerance, weakening synchrony Joint action systems -- action-oriented state charts, refinement, superposition Specifying interactions

Joint action systems action service() by client c; server s is when c.requesting && s.free do Specifying actions -- example

The Model-View contract

Summary

Types as behavior subtype requirements -- preservation of behavioral properties behavioral properties -- invariance, history duality -- static versus dynamic constraints 1

Verifying behavioral properties states -- transformations verification -- correctness formulae axioms -- consequence rules, abstraction 2

On the notion of behavior syntax -- expressions, statements rules -- assignment, object creation, method call compound rules -- composition, conditional, iteration 3

Objects as behavioral types abstract data types -- representation function correspondence -- abstraction, renaming, extension behavioral subtypes -- correspondence 4

Specifying behavioral compositions global invariants -- dynamic aliasing model-based specification -- state and operations compositions -- contracts, scripts, interaction, joint actions 5

Questions 1.How would you characterize the conformance requirements for subtyping? Explain what properties are involved. 2. Give an example of signature compatible types not satisfying the history property. 3. Explain the duality between imposing constraints statically and dynamically. 4. How would you formally characterize program states and state transformations? 5. Explain how you may verify the behavior of a program by means of correctness formulae. 6. Characterize how the behavior of objects may be modeled by means of a transition system and specify a transition system for a simple object- oriented language. 7. How would you characterize the relation between an abstract data type and its realizations?

8. Give an example of an abstract specification of a stack. Define a realization and show that the realization is correct with respect to its abstract specification. 9. Explain the notion of correspondence for behavioral subtypes. 10. Show that a stack is a behavioral subtype of a bag by defining an appropriate correspondence relation. What proof obligations must be met? 11. Discuss the problems involved in satisfying global invariance properties. 12. What formal methods do you know that deal with specifying the behavior of collections of objects?

Further reading As further reading with respect to the verification of programs, I recommend [AptO] and [Dahl92]. An assertion logic for a parallel object-oriented language is presented in [AmBo93].