1. Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 2 Summer school on Formal Models of Software 4 Sep 2003, Tunis, Tunisia

2. Review: Procedural language constructs 6 primitive commands Many shorthands Arrays are variables with structure Procedure declarations and specification

3. Procedural x := E x: T P(x,y,z) Object-oriented o.f := E o: T o.m(y,z)

4. Object types and subtyping D set of type names typeof : object D <:partial order on D istype(o, T) = typeof(o) <: T Note: T <: U (istype(o, T) istype(o, U))

5. An object-oriented programming notation C::=w := E |assert P |var w in C end |C 0 ; C 1 |if P then C 0 else C 1 end |o.f := E |x := new(T) |w := o.m(E 0, E 1 )

6. Object fields are maps Java: class T extends U {... f: X... } Here:T D T <: U f: T X x := o.f= x := f[o] o.f := E= f[o] := E = f := store(f, o, E)

7. Aliasing (pointer sharing) (o.f := 12 ; p.g := 14 ; assert o.f = 12).true true (o.f := 12 ; p.f := 14 ; assert o.f = 12).true op

8. Allocation alloc : object bool x := new(T) = change x such that typeof(x) = T alloc[x] ; alloc[x] := true

9. Example (o.f := 12 ; p := new(T); p.f := 14 ; assert o.f = 12).true alloc[o]

10. receiver parameter (this, current, self) Methods declarations and method implementations method T :: m(x,y,z) returns (r,s,t) requires P modifies w ensures Q =proc m(x,y,z) returns (r,s,t) spec assert istype(x, T) ; w:[P, Q] mimpl U :: m(x,y,z) returns (r,s,t) is C =impl m(x,y,z) returns (r,s,t) is assume istype(x, U) ; C

11. Method call w := o.m(E 0, E 1 ) = w := m(o, E 0, E 1 )

12. Example: union-find c f g d o a p h e q i k r l j b m n equivalence class element representative element

13. Example: union-find c f g d o a p h e q i k r l j b m n find(c) = a

14. Example: union-find c f g d o a p h e q i k r l j b m n union(p, h): h

15. Example, specification class UnionFind <: Object field nClasses, nElements,... method UnionFind :: init(uf, size) requires0 size modifiesuf.nClasses, uf.nElements,... ensuresuf.nClasses = uf.nElements = size method UnionFind :: find(uf, c) returns (r) requires0 c < uf.nElements ensures0 r < uf.nClasses method UnionFind :: union(uf, c, d) requires0 c uf.nElements 0 d uf.nElements modifiesuf.nClasses ensuresuf.nClasses = uf.nClasses 0 uf.nClasses = uf.nClasses 0 - 1

16. Example, client var uf, r0, r1, r2 in uf := new(UnionFind) ; uf.init(12) ; uf.union(3, 8) ; uf.union(8, 6) ; uf.union(10, 11) ; r0 := uf.find(3) ; r1 := uf.find(5) ; r2 := uf.find(6) ; assert r0 r1 ; assert r0 = r2 end

17. Example, implementation class StandardUnionFind <: UnionFind mimpl StandardUnionFind :: find(uf, c) returns (r) is … class FastUnionFind <: UnionFind mimpl FastUnionFind :: find(uf, c) returns (r) is …

18. What's missing? null type casts types of parameters types of fields properties of allocation...

19. null New definitions: istype(o, T) = o = null typeof(o) <: T o.f := E = assert o null ; f[o] := E

20. Type casts x := typecast(o, T) = assert istype(o, T) ; x := o

21. Example: binary method class T <: Object method T :: equal(x, y) returns (b) requires typeof(x) = typeof(y) class U <: T mimpl U :: equal(x, y) returns (b) is var yy in yy := typecast(y, U) ; // compare x and yy... end

22. Types of parameters method OutputStream :: putText(wr, s) … method print(t: T, wr: OutputStream) … method T :: print(t, wr) requires istype(wr, OutputStream)

23. Types of fields field T :: f: U// class T { … f: U … } (f, T, U isField(f, T, U) (o istype(f[o], U)))

24. Types of fields field T :: f: U// class T { … f: U … } (f, T, U isField(f, T, U) (o istype(o, T) istype(f[o], U))) Initially: assume isField(f, T, U) Whenever f is changed: assume isField(f, T, U)

25. More about allocation initially, for every parameter x: assume alloc[x] mimpl T :: m(x) is var y in y := new(T) ; assert x y end

26. Even more about allocation mimpl T :: m(x) is var y in y := new(T) ; assert x.f y end

27. Even more about allocation mimpl T :: m(x) is var y in y := new(T) ; assert x.f y end isField(f, T, U, a) … ( o a[o] a[f[o]] ) Initially and whenever f or alloc is changed: assume isField(f, T, U, alloc)

28. Exercise Prove the following program correct: method p(x) modifies x.f method m(x) modifies x.f mimpl m(x) is var y in x.p() ; y := new(T) ; assert x.f y end

29. Strengthening specifications class T <: Object method T :: m(x, y, z) requires P modifies w ensures Q class U <: T method U :: m(x, y, z) requires P modifies w ensures Q R... u.m(y, z) ; assert R... ?

30. class T <: Object method T :: m(x, y, z) requires P modifies w ensures Q class U <: T method U :: n(x, y, z) requires P modifies w ensures Q R mimpl U :: m(x, y, z) is x.n(y, z)... u.n(y, z) ; assert R... Strengthening specifications

31. Two-state postconditions ensures x.f 0 < x.f = ensures f 0 [x] < f[x] = ensures select(f 0, x) < select(f, x)

32. Modifies and objects modifies x.f = modifies f ensures (o o.f = o.f 0 o = x)

33. Exercise class T <: Object field f method T :: m(x, y, z) requires P modifies x.f ensures Q class U <: T field g method U :: m(x, y, z) requires P modifies x.f, x.g ensures Q ?

34. What else is missing? Information hiding Correctness of data representations Programming methodology...