Download presentation
Presentation is loading. Please wait.
1
K. Rustan M. Leino and Wolfram Schulte Microsoft Research, Redmond ESOP 2007 Braga, Portugal 28 March 2007
2
Specify and statically verify programs Use modular verification (local reasoning) These require: Invariants of data structures Support for common programming patterns
3
Subject Observer
4
Collection Iterator or: Collection / Iterator pattern
5
class C { int x, y; invariant x ≤ y; void M() { expose (this) { x++; P(); y++; } } Object is valid Object is mutable Invariant checked here Program invariant: ( o o.valid Inv(o))
6
class FastDictionary { rep Dictionary d; rep Cache c; invariantcontents = d.contents c.keys contents; Program invariant, for any rep field d: ( o o.valid o.d.valid)
7
class Node { Node next, prev; invariant(next = null next.prev = this) (prev = null prev.next = this);
8
class Subject { int data; List observers; … } interface Observer { void Update(); } class MyObserver : Observer { Subject s; int d; invariant d = s.data; … } class YourObserver : Observer { Subject s; int d; invariant d ≤ s.data; … } Note that s cannot be a rep field, because one observer cannot be the sole owner of the subject
9
class Subject { int data; List observers; void Inc() { expose (this) { data++; foreach (o in observers) { o.Update(); }} }} interface Observer { void Update(); } Program invariant: ( o o.valid Inv(o))
10
class Subject { int data; List observers; void Inc() { expose (this) { expose (all o in observers) { data++; foreach (o in observers) { o.Update(); }}} }} interface Observer { void Update(); } How to check invariants of the observers here? … or check the observer “update guards” here?
11
class Subject { int data; history invariant old(data) ≤ data; Declare (monotonic) evolution of the subject data: … and let observer invariants depend on the subject data, provided these invariants are automatically maintained under the evolution of the subject data: class SomeObserver : Observer { subject Subject s; int data; invariant data ≤ s.data;
12
2-state predicates history invariant R(this) σ,τ ; Holds of ordered pairs of states: Program invariant: ( σ, τ σ ≤ τ ( o [o.valid] σ [o.valid] τ R(o) σ,τ )) Program invariant: ( σ, τ σ ≤ τ ( o R(o) σ,τ )) valid
![2-state predicates history invariant R(this) σ,τ ; Holds of ordered pairs of states: Program invariant: ( σ, τ σ ≤ τ ( o [o.valid] σ [o.valid] τ R(o) σ,τ )) Program invariant: ( σ, τ σ ≤ τ ( o R(o) σ,τ )) valid](http://images.slideplayer.com/26/8860648/slides/slide_12.jpg "2-state predicates history invariant R(this) σ,τ ; Holds of ordered pairs of states: Program invariant: ( σ, τ σ ≤ τ ( o [o.valid] σ [o.valid] τ R(o) σ,τ )) Program invariant: ( σ, τ σ ≤ τ ( o R(o) σ,τ )) valid")
13
Checked to be reflexive and transitive Checked in the states that bracket expose statements: expose (o) { … } Check R(o) σ, τ here σ τ
14
class Subject { history invariant R(this) σ,τ ; … } class Observer { subject Subject s; invariant Inv(this); expose (o) { … } check o.s.valid Inv(o) here Program invariant: ( o o.valid o.s.valid Inv(o))
15
class Subject { history invariant R(this) σ,τ ; … } class Observer { subject Subject s; invariant Inv(this); Checked to satisfy: ( σ, τ σ ≤ τ ( o [o.valid] σ ( f [o.f] σ = [o.f] τ ) [o.s.valid] σ [o.s.valid] τ R(o.s) σ,τ [Inv(o)] τ ))
![class Subject { history invariant R(this) σ,τ ; … } class Observer { subject Subject s; invariant Inv(this); Checked to satisfy: ( σ, τ σ ≤ τ ( o [o.valid] σ ( f [o.f] σ = [o.f] τ ) [o.s.valid] σ [o.s.valid] τ R(o.s) σ,τ [Inv(o)] τ ))](http://images.slideplayer.com/26/8860648/slides/slide_15.jpg "class Subject { history invariant R(this) σ,τ ; … } class Observer { subject Subject s; invariant Inv(this); Checked to satisfy: ( σ, τ σ ≤ τ ( o [o.valid] σ ( f [o.f] σ = [o.f] τ ) [o.s.valid] σ [o.s.valid] τ R(o.s) σ,τ [Inv(o)] τ ))")
16
Proofs: see paper Program invariant, for any object invariant Inv: ( o o.valid o.s.valid Inv(o)) Program invariant, for any history invariant R: ( σ, τ σ ≤ τ ( o [o.valid] σ [o.valid] τ R(o) σ,τ ))
![Proofs: see paper Program invariant, for any object invariant Inv: ( o o.valid o.s.valid Inv(o)) Program invariant, for any history invariant R: ( σ, τ σ ≤ τ ( o [o.valid] σ [o.valid] τ R(o) σ,τ ))](http://images.slideplayer.com/26/8860648/slides/slide_16.jpg "Proofs: see paper Program invariant, for any object invariant Inv: ( o o.valid o.s.valid Inv(o)) Program invariant, for any history invariant R: ( σ, τ σ ≤ τ ( o [o.valid] σ [o.valid] τ R(o) σ,τ ))")
17
class Subject { int ver; T data; history invariant old(ver) = ver old(data) data; class Observer { subject Subject s; int ver; T data; invariant s.ver = ver s.data data; temporal relation spatial relation
18
class Iterator { int ver; subject Collection c; invariant... c...; T Next() requiresthis.valid c.valid this.ver == c.ver; {... }
19
History invariants are used elsewhere assume / guarantee constraints [Liskov & Wing 1994] … Visibility-based invariants [e.g., Leino & Müller 2004] Update guards [Barnett & Naumann 2004] Separation logic [e.g., Parkinson & Bierman 2005] could also benefit from history invariants Static class invariants [Leino & Müller 2005] multiple-”owner” situation
![History invariants are used elsewhere assume / guarantee constraints [Liskov & Wing 1994] … Visibility-based invariants [e.g., Leino & Müller 2004] Update guards [Barnett & Naumann 2004] Separation logic [e.g., Parkinson & Bierman 2005] could also benefit from history invariants Static class invariants [Leino & Müller 2005] multiple- owner situation](http://images.slideplayer.com/26/8860648/slides/slide_19.jpg "History invariants are used elsewhere assume / guarantee constraints [Liskov & Wing 1994] … Visibility-based invariants [e.g., Leino & Müller 2004] Update guards [Barnett & Naumann 2004] Separation logic [e.g., Parkinson & Bierman 2005] could also benefit from history invariants Static class invariants [Leino & Müller 2005] multiple- owner situation")
20
Local reasoning for observer invariants Future work: implementation (in Spec#)
Similar presentations
