K. Rustan M. Leino and Wolfram Schulte Microsoft Research, Redmond ESOP 2007 Braga, Portugal 28 March 2007

Specify and statically verify programs Use modular verification (local reasoning) These require: Invariants of data structures Support for common programming patterns

Subject Observer

Collection Iterator or: Collection / Iterator pattern

class C { int x, y; invariant x ≤ y; void M() { expose (this) { x++; P(); y++; } } Object is valid Object is mutable Invariant checked here Program invariant: (  o  o.valid  Inv(o))

class FastDictionary { rep Dictionary d; rep Cache c; invariantcontents = d.contents  c.keys  contents; Program invariant, for any rep field d: (  o  o.valid  o.d.valid)

class Node { Node next, prev; invariant(next = null  next.prev = this)  (prev = null  prev.next = this);

class Subject { int data; List observers; … } interface Observer { void Update(); } class MyObserver : Observer { Subject s; int d; invariant d = s.data; … } class YourObserver : Observer { Subject s; int d; invariant d ≤ s.data; … } Note that s cannot be a rep field, because one observer cannot be the sole owner of the subject

class Subject { int data; List observers; void Inc() { expose (this) { data++; foreach (o in observers) { o.Update(); }} }} interface Observer { void Update(); } Program invariant: (  o  o.valid  Inv(o))

class Subject { int data; List observers; void Inc() { expose (this) { expose (all o in observers) { data++; foreach (o in observers) { o.Update(); }}} }} interface Observer { void Update(); } How to check invariants of the observers here? … or check the observer “update guards” here?

class Subject { int data; history invariant old(data) ≤ data; Declare (monotonic) evolution of the subject data: … and let observer invariants depend on the subject data, provided these invariants are automatically maintained under the evolution of the subject data: class SomeObserver : Observer { subject Subject s; int data; invariant data ≤ s.data;

2-state predicates history invariant R(this) σ,τ ; Holds of ordered pairs of states: Program invariant: (  σ, τ  σ ≤ τ  (  o  [o.valid] σ  [o.valid] τ  R(o) σ,τ )) Program invariant: (  σ, τ  σ ≤ τ  (  o  R(o) σ,τ ))  valid

Checked to be reflexive and transitive Checked in the states that bracket expose statements: expose (o) { … } Check R(o) σ, τ here σ τ

class Subject { history invariant R(this) σ,τ ; … } class Observer { subject Subject s; invariant Inv(this); expose (o) { … } check o.s.valid  Inv(o) here Program invariant: (  o  o.valid  o.s.valid  Inv(o))

class Subject { history invariant R(this) σ,τ ; … } class Observer { subject Subject s; invariant Inv(this); Checked to satisfy: (  σ, τ  σ ≤ τ  (  o  [o.valid] σ  (  f  [o.f] σ = [o.f] τ )  [o.s.valid] σ  [o.s.valid] τ  R(o.s) σ,τ  [Inv(o)] τ ))

Proofs: see paper Program invariant, for any object invariant Inv: (  o  o.valid  o.s.valid  Inv(o)) Program invariant, for any history invariant R: (  σ, τ  σ ≤ τ  (  o  [o.valid] σ  [o.valid] τ  R(o) σ,τ ))

class Subject { int ver; T data; history invariant old(ver) = ver  old(data)  data; class Observer { subject Subject s; int ver; T data; invariant s.ver = ver  s.data  data; temporal relation spatial relation

class Iterator { int ver; subject Collection c; invariant... c...; T Next() requiresthis.valid  c.valid  this.ver == c.ver; {... }

History invariants are used elsewhere assume / guarantee constraints [Liskov & Wing 1994] … Visibility-based invariants [e.g., Leino & Müller 2004] Update guards [Barnett & Naumann 2004] Separation logic [e.g., Parkinson & Bierman 2005] could also benefit from history invariants Static class invariants [Leino & Müller 2005] multiple-”owner” situation

Local reasoning for observer invariants Future work: implementation (in Spec#)