![Page 1: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/1.jpg)
Introduction to JavaCard Dynamic Logic
Prof. P. H. Schmitt, Christian Engel, Benjamin Weiß
December 10, 2008
Introduction to JavaCard Dynamic Logic December 10, 2008 1 / 13
![Page 2: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/2.jpg)
Some Java Features
Assignments, complex expressions with side effectsint i = 0; if ((i=2) >= 2) {i++;} // value of i?
Abrupt termination
Exceptions (try− catch− finally)Local jumps return, break, continue
AliasingDifferent navigation expressions may be same object reference
I |= o.age.= 1 -> 〈u.age = 2;〉o.age .
= u.age ?
Depends on whether I |= o.= u
Method calls, blocks
Solution within KeY to be discussed in detail
Introduction to JavaCard Dynamic Logic December 10, 2008 2 / 13
![Page 3: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/3.jpg)
Some Java Features
Assignments, complex expressions with side effectsint i = 0; if ((i=2) >= 2) {i++;} // value of i?
Abrupt termination
Exceptions (try− catch− finally)Local jumps return, break, continue
AliasingDifferent navigation expressions may be same object reference
I |= o.age.= 1 -> 〈u.age = 2;〉o.age .
= u.age ?
Depends on whether I |= o.= u
Method calls, blocks
Solution within KeY to be discussed in detail
Introduction to JavaCard Dynamic Logic December 10, 2008 2 / 13
![Page 4: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/4.jpg)
Some Java Features
Assignments, complex expressions with side effectsint i = 0; if ((i=2) >= 2) {i++;} // value of i?
Abrupt termination
Exceptions (try− catch− finally)
Local jumps return, break, continue
AliasingDifferent navigation expressions may be same object reference
I |= o.age.= 1 -> 〈u.age = 2;〉o.age .
= u.age ?
Depends on whether I |= o.= u
Method calls, blocks
Solution within KeY to be discussed in detail
Introduction to JavaCard Dynamic Logic December 10, 2008 2 / 13
![Page 5: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/5.jpg)
Some Java Features
Assignments, complex expressions with side effectsint i = 0; if ((i=2) >= 2) {i++;} // value of i?
Abrupt termination
Exceptions (try− catch− finally)Local jumps return, break, continue
AliasingDifferent navigation expressions may be same object reference
I |= o.age.= 1 -> 〈u.age = 2;〉o.age .
= u.age ?
Depends on whether I |= o.= u
Method calls, blocks
Solution within KeY to be discussed in detail
Introduction to JavaCard Dynamic Logic December 10, 2008 2 / 13
![Page 6: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/6.jpg)
Some Java Features
Assignments, complex expressions with side effectsint i = 0; if ((i=2) >= 2) {i++;} // value of i?
Abrupt termination
Exceptions (try− catch− finally)Local jumps return, break, continue
AliasingDifferent navigation expressions may be same object reference
I |= o.age.= 1 -> 〈u.age = 2;〉o.age .
= u.age ?
Depends on whether I |= o.= u
Method calls, blocks
Solution within KeY to be discussed in detail
Introduction to JavaCard Dynamic Logic December 10, 2008 2 / 13
![Page 7: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/7.jpg)
Some Java Features
Assignments, complex expressions with side effectsint i = 0; if ((i=2) >= 2) {i++;} // value of i?
Abrupt termination
Exceptions (try− catch− finally)Local jumps return, break, continue
AliasingDifferent navigation expressions may be same object reference
I |= o.age.= 1 -> 〈u.age = 2;〉o.age .
= u.age ?
Depends on whether I |= o.= u
Method calls, blocks
Solution within KeY to be discussed in detail
Introduction to JavaCard Dynamic Logic December 10, 2008 2 / 13
![Page 8: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/8.jpg)
Some Java Features
Assignments, complex expressions with side effectsint i = 0; if ((i=2) >= 2) {i++;} // value of i?
Abrupt termination
Exceptions (try− catch− finally)Local jumps return, break, continue
AliasingDifferent navigation expressions may be same object reference
I |= o.age.= 1 -> 〈u.age = 2;〉o.age .
= u.age ?
Depends on whether I |= o.= u
Method calls, blocks
Solution within KeY to be discussed in detail
Introduction to JavaCard Dynamic Logic December 10, 2008 2 / 13
![Page 9: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/9.jpg)
More Java Features
Addressed in KeY
Java’s rules for localisation of attributes andmethod implementations (polymorphism, dynamic binding)
Scope (class/instance)Context (static/runtime)Visibilitysuper
Solution: branch proof if implementation not uniquely determined
Run time errors (null pointer exceptions)Functions that model attributes are partially definedSolution: optional rule set enforces proof of !(o
.= null)
(whenever object reference o accessed)
Introduction to JavaCard Dynamic Logic December 10, 2008 3 / 13
![Page 10: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/10.jpg)
More Java Features
Addressed in KeY
Java’s rules for localisation of attributes andmethod implementations (polymorphism, dynamic binding)
Scope (class/instance)Context (static/runtime)Visibilitysuper
Solution: branch proof if implementation not uniquely determined
Run time errors (null pointer exceptions)Functions that model attributes are partially definedSolution: optional rule set enforces proof of !(o
.= null)
(whenever object reference o accessed)
Introduction to JavaCard Dynamic Logic December 10, 2008 3 / 13
![Page 11: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/11.jpg)
More Java Features
Addressed in KeY
Java’s rules for localisation of attributes andmethod implementations (polymorphism, dynamic binding)
Scope (class/instance)Context (static/runtime)Visibilitysuper
Solution: branch proof if implementation not uniquely determined
Run time errors (null pointer exceptions)Functions that model attributes are partially definedSolution: optional rule set enforces proof of !(o
.= null)
(whenever object reference o accessed)
Introduction to JavaCard Dynamic Logic December 10, 2008 3 / 13
![Page 12: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/12.jpg)
More Java Features
Addressed in KeY
Java’s rules for localisation of attributes andmethod implementations (polymorphism, dynamic binding)
Scope (class/instance)Context (static/runtime)Visibilitysuper
Solution: branch proof if implementation not uniquely determined
Run time errors (null pointer exceptions)Functions that model attributes are partially defined
Solution: optional rule set enforces proof of !(o.= null)
(whenever object reference o accessed)
Introduction to JavaCard Dynamic Logic December 10, 2008 3 / 13
![Page 13: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/13.jpg)
More Java Features
Addressed in KeY
Java’s rules for localisation of attributes andmethod implementations (polymorphism, dynamic binding)
Scope (class/instance)Context (static/runtime)Visibilitysuper
Solution: branch proof if implementation not uniquely determined
Run time errors (null pointer exceptions)Functions that model attributes are partially definedSolution: optional rule set enforces proof of !(o
.= null)
(whenever object reference o accessed)
Introduction to JavaCard Dynamic Logic December 10, 2008 3 / 13
![Page 14: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/14.jpg)
More Java Features
Java Card data typesboolean, char, Stringint, byte, long (cyclic!)ArraysSolution: optional rule sets IN/int, rules for built-ins
Object creation and initialisationTrick to keep same universe U in all states:all objects exist anytime, use attributes o.created, o.initialized
Introduction to JavaCard Dynamic Logic December 10, 2008 4 / 13
![Page 15: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/15.jpg)
More Java Features
Java Card data typesboolean, char, Stringint, byte, long (cyclic!)ArraysSolution: optional rule sets IN/int, rules for built-ins
Object creation and initialisationTrick to keep same universe U in all states:all objects exist anytime, use attributes o.created, o.initialized
Introduction to JavaCard Dynamic Logic December 10, 2008 4 / 13
![Page 16: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/16.jpg)
Side Effects and Complex Expressions
int i = 0; if ((i=2) >= 2) {i++;} // value of i?
Java expressions can assign values (assignment operators)FOL/DL terms have no side effects
Decomposition of complex terms following symbolic execution as definedfor expressions Java language specificationLocal program transformations
iterated-assignmentΓ ==> 〈π y = t; x = y; ω〉φ,∆
Γ ==> 〈π x = y = t; ω〉φ,∆t simple
Temporary program variables ‘ var<n>’ store intermediate results
if-evalΓ ==> 〈π boolean vnew; vnew= b; if (vnew) {α}; ω〉φ,∆
Γ ==> 〈π if (b) {α}; ω〉φ,∆where b complex
Introduction to JavaCard Dynamic Logic December 10, 2008 5 / 13
![Page 17: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/17.jpg)
Side Effects and Complex Expressions
int i = 0; if ((i=2) >= 2) {i++;} // value of i?
Java expressions can assign values (assignment operators)FOL/DL terms have no side effects
Decomposition of complex terms following symbolic execution as definedfor expressions Java language specificationLocal program transformations
iterated-assignmentΓ ==> 〈π y = t; x = y; ω〉φ,∆
Γ ==> 〈π x = y = t; ω〉φ,∆t simple
Temporary program variables ‘ var<n>’ store intermediate results
if-evalΓ ==> 〈π boolean vnew; vnew= b; if (vnew) {α}; ω〉φ,∆
Γ ==> 〈π if (b) {α}; ω〉φ,∆where b complex
Introduction to JavaCard Dynamic Logic December 10, 2008 5 / 13
![Page 18: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/18.jpg)
Side Effects and Complex Expressions
int i = 0; if ((i=2) >= 2) {i++;} // value of i?
Java expressions can assign values (assignment operators)FOL/DL terms have no side effects
Decomposition of complex terms following symbolic execution as definedfor expressions Java language specificationLocal program transformations
iterated-assignmentΓ ==> 〈π y = t; x = y; ω〉φ,∆
Γ ==> 〈π x = y = t; ω〉φ,∆t simple
Temporary program variables ‘ var<n>’ store intermediate results
if-evalΓ ==> 〈π boolean vnew; vnew= b; if (vnew) {α}; ω〉φ,∆
Γ ==> 〈π if (b) {α}; ω〉φ,∆where b complex
Introduction to JavaCard Dynamic Logic December 10, 2008 5 / 13
![Page 19: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/19.jpg)
Side Effects and Complex Expressions, Cont’d
Applying rule to statement including guard with side effect isincorrectRestrict applicability of if-then and other rules with guards:Guard expression needs to be simple (ie, side effect-free)
if-splitΓ, b
.= TRUE ==> 〈π α; ω〉φ,∆ Γ, b
.= FALSE ==> 〈π ω〉φ,∆
Γ ==> 〈π if (b) {α}; ω〉φ,∆where b simple
Demo
javaDL/complex.key
Introduction to JavaCard Dynamic Logic December 10, 2008 6 / 13
![Page 20: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/20.jpg)
Abrupt Termination
Redirection of control flow via return, break, continue, exceptions
〈π try {ξα} catch(e) {γ} finally {ε}; ω〉φ
Solution: rules work on first active statement, try part of prefix
try-throw (exc simple)
Γ ==>
⟨π if (exc instanceOf Exception) {
try {e = exc; γ} finally {ε}} else {ε throw exc}; ω
⟩φ,∆
Γ ==> 〈π try {throw exc; α} catch(e) {γ} finally {ε}; ω〉φ,∆
Introduction to JavaCard Dynamic Logic December 10, 2008 7 / 13
![Page 21: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/21.jpg)
Abrupt Termination
Redirection of control flow via return, break, continue, exceptions
〈π try {ξα} catch(e) {γ} finally {ε}; ω〉φ
Solution: rules work on first active statement, try part of prefix
try-throw (exc simple)
Γ ==>
⟨π if (exc instanceOf Exception) {
try {e = exc; γ} finally {ε}} else {ε throw exc}; ω
⟩φ,∆
Γ ==> 〈π try {throw exc; α} catch(e) {γ} finally {ε}; ω〉φ,∆
Introduction to JavaCard Dynamic Logic December 10, 2008 7 / 13
![Page 22: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/22.jpg)
Abrupt Termination
Redirection of control flow via return, break, continue, exceptions
〈π try {ξα} catch(e) {γ} finally {ε}; ω〉φ
Solution: rules work on first active statement, try part of prefix
try-throw (exc simple)
Γ ==>
⟨π if (exc instanceOf Exception) {
try {e = exc; γ} finally {ε}} else {ε throw exc}; ω
⟩φ,∆
Γ ==> 〈π try {throw exc; α} catch(e) {γ} finally {ε}; ω〉φ,∆
Introduction to JavaCard Dynamic Logic December 10, 2008 7 / 13
![Page 23: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/23.jpg)
Aliasing
Naive alias resolution causes proof split (on o.= u) at each access
Γ ==> o.age.= 1 -> 〈u.age = 2;〉o.age .
= u.age,∆
Unnecessary in many cases!
Γ ==> o.age.= 1 -> 〈u.age = 2; o.age = 2; 〉o.age .
= u.age,∆
Γ ==> o.age.= 1 -> 〈u.age = 2;〉u.age .
= 2,∆
Updates avoid such proof splits:
Delayed state computation until clear what actually required
Simplification of updates
Introduction to JavaCard Dynamic Logic December 10, 2008 8 / 13
![Page 24: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/24.jpg)
Aliasing
Naive alias resolution causes proof split (on o.= u) at each access
Γ ==> o.age.= 1 -> 〈u.age = 2;〉o.age .
= u.age,∆
Unnecessary in many cases!
Γ ==> o.age.= 1 -> 〈u.age = 2; o.age = 2; 〉o.age .
= u.age,∆
Γ ==> o.age.= 1 -> 〈u.age = 2;〉u.age .
= 2,∆
Updates avoid such proof splits:
Delayed state computation until clear what actually required
Simplification of updates
Introduction to JavaCard Dynamic Logic December 10, 2008 8 / 13
![Page 25: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/25.jpg)
Aliasing
Naive alias resolution causes proof split (on o.= u) at each access
Γ ==> o.age.= 1 -> 〈u.age = 2;〉o.age .
= u.age,∆
Unnecessary in many cases!
Γ ==> o.age.= 1 -> 〈u.age = 2; o.age = 2; 〉o.age .
= u.age,∆
Γ ==> o.age.= 1 -> 〈u.age = 2;〉u.age .
= 2,∆
Updates avoid such proof splits:
Delayed state computation until clear what actually required
Simplification of updates
Introduction to JavaCard Dynamic Logic December 10, 2008 8 / 13
![Page 26: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/26.jpg)
Updates for Java
Let loc be either one of
program variable x
attribute access o.attr (o has object type)
array access a[i] (a has array type, not discussed here)
assignΓ ==> {loc := val}〈π ω〉φ,∆
Γ ==> 〈π loc=val ; ω〉φ,∆
where
loc and val satisfy above restrictions
val is a side-effect free term,
{loc := val} is DL update (usage and semantics as in simple DL)
Introduction to JavaCard Dynamic Logic December 10, 2008 9 / 13
![Page 27: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/27.jpg)
Updates for Java
Let loc be either one of
program variable x
attribute access o.attr (o has object type)
array access a[i] (a has array type, not discussed here)
assignΓ ==> {loc := val}〈π ω〉φ,∆
Γ ==> 〈π loc=val ; ω〉φ,∆
where
loc and val satisfy above restrictions
val is a side-effect free term,
{loc := val} is DL update (usage and semantics as in simple DL)
Introduction to JavaCard Dynamic Logic December 10, 2008 9 / 13
![Page 28: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/28.jpg)
Updates for Java
Let loc be either one of
program variable x
attribute access o.attr (o has object type)
array access a[i] (a has array type, not discussed here)
assignΓ ==> {loc := val}〈π ω〉φ,∆
Γ ==> 〈π loc=val ; ω〉φ,∆
where
loc and val satisfy above restrictions
val is a side-effect free term,
{loc := val} is DL update (usage and semantics as in simple DL)
Introduction to JavaCard Dynamic Logic December 10, 2008 9 / 13
![Page 29: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/29.jpg)
Updates for Java
Let loc be either one of
program variable x
attribute access o.attr (o has object type)
array access a[i] (a has array type, not discussed here)
assignΓ ==> {loc := val}〈π ω〉φ,∆
Γ ==> 〈π loc=val ; ω〉φ,∆
where
loc and val satisfy above restrictions
val is a side-effect free term,
{loc := val} is DL update (usage and semantics as in simple DL)
Introduction to JavaCard Dynamic Logic December 10, 2008 9 / 13
![Page 30: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/30.jpg)
Computing Effect of Updates: Attributes
Use conditional terms to delay splitting further
(\if (t1 = t2) \then t \else e)I ,β =
{t I ,β t I ,β
1 = t I ,β2
e I ,β otherwise
Computing update followed by attribute access
{o.a := t}o.a ; t{o.a := t}u.b ; ({o.a := t}u).b{o.a := t}u.a ;
\if (({o.a:=t}u)=o) \then t \else ({o.a:=t}u).aExample{o.a := o}o.a.a.b ;
Introduction to JavaCard Dynamic Logic December 10, 2008 10 / 13
![Page 31: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/31.jpg)
Computing Effect of Updates: Attributes
Use conditional terms to delay splitting further
(\if (t1 = t2) \then t \else e)I ,β =
{t I ,β t I ,β
1 = t I ,β2
e I ,β otherwise
Computing update followed by attribute access
{o.a := t}o.a ; t{o.a := t}u.b ; ({o.a := t}u).b{o.a := t}u.a ;
\if (({o.a:=t}u)=o) \then t \else ({o.a:=t}u).a
Example{o.a := o}o.a.a.b ;
Introduction to JavaCard Dynamic Logic December 10, 2008 10 / 13
![Page 32: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/32.jpg)
Computing Effect of Updates: Attributes
Use conditional terms to delay splitting further
(\if (t1 = t2) \then t \else e)I ,β =
{t I ,β t I ,β
1 = t I ,β2
e I ,β otherwise
Computing update followed by attribute access
{o.a := t}o.a ; t{o.a := t}u.b ; ({o.a := t}u).b{o.a := t}u.a ;
\if (({o.a:=t}u)=o) \then t \else ({o.a:=t}u).aExample{o.a := o}o.a.a.b
;
Introduction to JavaCard Dynamic Logic December 10, 2008 10 / 13
![Page 33: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/33.jpg)
Computing Effect of Updates: Attributes
Use conditional terms to delay splitting further
(\if (t1 = t2) \then t \else e)I ,β =
{t I ,β t I ,β
1 = t I ,β2
e I ,β otherwise
Computing update followed by attribute access
{o.a := t}o.a ; t{o.a := t}u.b ; ({o.a := t}u).b{o.a := t}u.a ;
\if (({o.a:=t}u)=o) \then t \else ({o.a:=t}u).aExample{o.a := o}o.a.a.b ; {o.a := o}o.a.a.b
Introduction to JavaCard Dynamic Logic December 10, 2008 10 / 13
![Page 34: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/34.jpg)
Computing Effect of Updates: Attributes
Use conditional terms to delay splitting further
(\if (t1 = t2) \then t \else e)I ,β =
{t I ,β t I ,β
1 = t I ,β2
e I ,β otherwise
Computing update followed by attribute access
{o.a := t}o.a ; t{o.a := t}u.b ; ({o.a := t}u).b{o.a := t}u.a ;
\if (({o.a:=t}u)=o) \then t \else ({o.a:=t}u).aExample{o.a := o}o.a.a.b ; ({o.a := o}o.a.a).b
Introduction to JavaCard Dynamic Logic December 10, 2008 10 / 13
![Page 35: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/35.jpg)
Computing Effect of Updates: Attributes
Use conditional terms to delay splitting further
(\if (t1 = t2) \then t \else e)I ,β =
{t I ,β t I ,β
1 = t I ,β2
e I ,β otherwise
Computing update followed by attribute access
{o.a := t}o.a ; t{o.a := t}u.b ; ({o.a := t}u).b{o.a := t}u.a ;
\if (({o.a:=t}u)=o) \then t \else ({o.a:=t}u).aExample
{o.a := o}o.a.a.b ;( \if (({o.a := o}o.a) = o)\then o\else ({o.a := o}o.a).a ).b
Introduction to JavaCard Dynamic Logic December 10, 2008 10 / 13
![Page 36: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/36.jpg)
Computing Effect of Updates: Attributes
Use conditional terms to delay splitting further
(\if (t1 = t2) \then t \else e)I ,β =
{t I ,β t I ,β
1 = t I ,β2
e I ,β otherwise
Computing update followed by attribute access
{o.a := t}o.a ; t{o.a := t}u.b ; ({o.a := t}u).b{o.a := t}u.a ;
\if (({o.a:=t}u)=o) \then t \else ({o.a:=t}u).aExample
{o.a := o}o.a.a.b ;( \if (o = o)\then o\else o.a ).b
Introduction to JavaCard Dynamic Logic December 10, 2008 10 / 13
![Page 37: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/37.jpg)
Computing Effect of Updates: Attributes
Use conditional terms to delay splitting further
(\if (t1 = t2) \then t \else e)I ,β =
{t I ,β t I ,β
1 = t I ,β2
e I ,β otherwise
Computing update followed by attribute access
{o.a := t}o.a ; t{o.a := t}u.b ; ({o.a := t}u).b{o.a := t}u.a ;
\if (({o.a:=t}u)=o) \then t \else ({o.a:=t}u).aExample{o.a := o}o.a.a.b ; o.b
Introduction to JavaCard Dynamic Logic December 10, 2008 10 / 13
![Page 38: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/38.jpg)
Parallel Updates
Computing update followed by update results in parallel update:
{l1 := r1}{l2 := r2} = {{l1 := r1}, {{l1 := r1} ↓ l2 := {l1 := r1}r2}}
where {l := r} ↓ f (t1, . . . , tn) = f ({l := r}t1, . . . , {l := r}tn)
Syntax{l1 := v1, . . . , ln := vn}
Semantics
All li and vi computed in old state
All updates done simultaneously
If conflict li = lj , vi 6= vj later update wins
Introduction to JavaCard Dynamic Logic December 10, 2008 11 / 13
![Page 39: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/39.jpg)
Parallel Updates
Computing update followed by update results in parallel update:
{l1 := r1}{l2 := r2} = {{l1 := r1}, {{l1 := r1} ↓ l2 := {l1 := r1}r2}}
where {l := r} ↓ f (t1, . . . , tn) = f ({l := r}t1, . . . , {l := r}tn)
Syntax{l1 := v1, . . . , ln := vn}
Semantics
All li and vi computed in old state
All updates done simultaneously
If conflict li = lj , vi 6= vj later update wins
Introduction to JavaCard Dynamic Logic December 10, 2008 11 / 13
![Page 40: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/40.jpg)
Parallel Updates
Computing update followed by update results in parallel update:
{l1 := r1}{l2 := r2} = {{l1 := r1}, {{l1 := r1} ↓ l2 := {l1 := r1}r2}}
where {l := r} ↓ f (t1, . . . , tn) = f ({l := r}t1, . . . , {l := r}tn)
Syntax{l1 := v1, . . . , ln := vn}
Semantics
All li and vi computed in old state
All updates done simultaneously
If conflict li = lj , vi 6= vj later update wins
Introduction to JavaCard Dynamic Logic December 10, 2008 11 / 13
![Page 41: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/41.jpg)
Method Call
Method call with actual parameters arg1, . . . , argn
{arg1 := t1, . . . , argn := tn, o := to}〈o.m(arg1, . . . , argn); 〉φ
Where method declaration is: void m(T1 p1, . . . ,Tn pn)
What the rule method-call does:
(type conformance of argi to Ti guaranteed by Java compiler)
for each formal parameter pi of m declare & initialize new localvariable ’Ti pi = argi ;’
look up implementation class C of m split proof, if implementationnot determinable
make concrete call o.C ::m(p1, . . . , pn)
Introduction to JavaCard Dynamic Logic December 10, 2008 12 / 13
![Page 42: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/42.jpg)
Method Call
Method call with actual parameters arg1, . . . , argn
{arg1 := t1, . . . , argn := tn, o := to}〈o.m(arg1, . . . , argn); 〉φ
Where method declaration is: void m(T1 p1, . . . ,Tn pn)
What the rule method-call does:
(type conformance of argi to Ti guaranteed by Java compiler)
for each formal parameter pi of m declare & initialize new localvariable ’Ti pi = argi ;’
look up implementation class C of m split proof, if implementationnot determinable
make concrete call o.C ::m(p1, . . . , pn)
Introduction to JavaCard Dynamic Logic December 10, 2008 12 / 13
![Page 43: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/43.jpg)
Method Call
Method call with actual parameters arg1, . . . , argn
{arg1 := t1, . . . , argn := tn, o := to}〈o.m(arg1, . . . , argn); 〉φ
Where method declaration is: void m(T1 p1, . . . ,Tn pn)
What the rule method-call does:
(type conformance of argi to Ti guaranteed by Java compiler)
for each formal parameter pi of m declare & initialize new localvariable ’Ti pi = argi ;’
look up implementation class C of m split proof, if implementationnot determinable
make concrete call o.C ::m(p1, . . . , pn)
Introduction to JavaCard Dynamic Logic December 10, 2008 12 / 13
![Page 44: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/44.jpg)
Method Call
Method call with actual parameters arg1, . . . , argn
{arg1 := t1, . . . , argn := tn, o := to}〈o.m(arg1, . . . , argn); 〉φ
Where method declaration is: void m(T1 p1, . . . ,Tn pn)
What the rule method-call does:
(type conformance of argi to Ti guaranteed by Java compiler)
for each formal parameter pi of m declare & initialize new localvariable ’Ti pi = argi ;’
look up implementation class C of m split proof, if implementationnot determinable
make concrete call o.C ::m(p1, . . . , pn)
Introduction to JavaCard Dynamic Logic December 10, 2008 12 / 13
![Page 45: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/45.jpg)
Method Call
Method call with actual parameters arg1, . . . , argn
{arg1 := t1, . . . , argn := tn, o := to}〈o.m(arg1, . . . , argn); 〉φ
Where method declaration is: void m(T1 p1, . . . ,Tn pn)
What the rule method-call does:
(type conformance of argi to Ti guaranteed by Java compiler)
for each formal parameter pi of m declare & initialize new localvariable ’Ti pi = argi ;’
look up implementation class C of m split proof, if implementationnot determinable
make concrete call o.C ::m(p1, . . . , pn)
Introduction to JavaCard Dynamic Logic December 10, 2008 12 / 13
![Page 46: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/46.jpg)
Method Body Expand
After processing code that binds actual to formal parameters (symbolicexecution of ’Ti pi = argi ;’)
method-body-expandΓ ==> 〈π method-frame(C (o)){ b } ω〉φ,∆
Γ ==> 〈π o.C ::m(p1, . . . , pn); ω〉φ,∆
Symbolic ExecutionOnly static information available, proof splittingRuntime infrastructure required in calculus
Introduction to JavaCard Dynamic Logic December 10, 2008 13 / 13
![Page 47: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/47.jpg)
Method Body Expand
After processing code that binds actual to formal parameters (symbolicexecution of ’Ti pi = argi ;’)
method-body-expandΓ ==> 〈π method-frame(C (o)){ b } ω〉φ,∆
Γ ==> 〈π o.C ::m(p1, . . . , pn); ω〉φ,∆
Symbolic Execution
Symbolic ExecutionOnly static information available, proof splittingRuntime infrastructure required in calculus
Introduction to JavaCard Dynamic Logic December 10, 2008 13 / 13
![Page 48: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/48.jpg)
Method Body Expand
After processing code that binds actual to formal parameters (symbolicexecution of ’Ti pi = argi ;’)
method-body-expandΓ ==> 〈π method-frame(C (o)){ b } ω〉φ,∆
Γ ==> 〈π o.C ::m(p1, . . . , pn); ω〉φ,∆
Symbolic Execution
Symbolic Execution
Only static information available, proof splitting
Only static informationavailable, proof splittingRuntime infrastructure required in calculus
Introduction to JavaCard Dynamic Logic December 10, 2008 13 / 13
![Page 49: Introduction to JavaCard Dynamic Logiclfm.iti.kit.edu/download/javaDL.pdfIntroduction to JavaCard Dynamic Logic December 10, 2008 5 / 13 Side Effects and Complex Expressions, Cont’d](https://reader030.vdocuments.mx/reader030/viewer/2022040400/5e6c2f6be5d17812a06a3505/html5/thumbnails/49.jpg)
Method Body Expand
After processing code that binds actual to formal parameters (symbolicexecution of ’Ti pi = argi ;’)
method-body-expandΓ ==> 〈π method-frame(C (o)){ b } ω〉φ,∆
Γ ==> 〈π o.C ::m(p1, . . . , pn); ω〉φ,∆
Symbolic ExecutionOnly static information available, proof splittingRuntime infrastructure required in calculus
Introduction to JavaCard Dynamic Logic December 10, 2008 13 / 13