Page 1: Specification and Verification of Object-Oriented Software
K. Rustan M. Leino
Research in Software Engineering (RiSE)
Microsoft Research, Redmond, WA
Part 4
International Summer School Marktoberdorf
Marktoberdorf, Germany
11 August 2008
Page 2: Example: Queue
Demo: Queue.dfy
[Diagram: a Queue object whose head and tail fields point into a chain of four Node objects]
Page 3: Parallel field update
foreach (x in S) { x.f := E; }
Homework
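The parallel field update of this page, written as the forall statement of current Dafny together with the postconditions it lets you prove. This is an added example, not part of the slides; the class Node, its field val and the method names are made up for illustration.

```dafny
// Added example, not from the slides: the parallel field update as Dafny's
// forall statement, with specs that exercise its semantics. Node, val and
// the method names are made up for illustration.
class Node { var val: int }

// Every x in S gets x.val := e, simultaneously; Dafny checks that each
// target is inside the modifies frame.
method SetAll(S: set<Node>, e: int)
  modifies S
  ensures forall x :: x in S ==> x.val == e
{
  forall x | x in S {
    x.val := e;
  }
}

// The right-hand sides are all evaluated in the pre-state, so no iteration
// can observe another one's write; distinct x write distinct locations.
method IncAll(S: set<Node>)
  modifies S
  ensures forall x :: x in S ==> x.val == old(x.val) + 1
{
  forall x | x in S {
    x.val := x.val + 1;
  }
}
```

The homework version, `foreach (x in S) { x.f := E; }`, is exactly this construct: the body is a single assignment, E is evaluated before any update takes effect, and the verifier must show that two different values of x never write the same location with different values.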
Page 4: Capturing a parameter
method Init() {
  this.g := new Guitar;
}
method InitFromGuitar(gt: Guitar) {
  this.g := gt;
}
Page 5: Capturing a parameter
method InitFromGuitar(gt: Guitar)
  requires gt ≠ null ∧ gt.Valid();
  requires this ∉ gt.footprint;
  modifies {this};
  ensures Valid();
  ensures fresh(footprint - {this} - gt.footprint);
{
  this.g := gt;
  this.footprint := {this} + {g} + g.footprint;
}
Does gt.Valid() hold after InitFromGuitar?
Page 6: A caller
method Client() {
  var kim := new Guitar; call kim.Init();
  var r := new RockBand; call r.InitFromGuitar(kim);
  call kim.Strum();    // allowed
  call r.Play();       // error
}
The call kim.Strum() is allowed: InitFromGuitar modifies only r, and r is not in kim.footprint, so kim is still Valid. The call r.Play() is an error: Strum may write anywhere in kim.footprint, which InitFromGuitar placed inside r's footprint, so r.Valid() can no longer be established.
Page 7: Demo
RockBand0.dfy
Page 8: Borrowing a parameter
method Session(org: Organ) {
  … call g.Strum(); call org.Grind(); …
}
Page 9: Borrowing a parameter
method Session(org: Organ)
  requires Valid() ∧ org ≠ null ∧ org.Valid();
  modifies footprint, org.footprint;
  ensures Valid() ∧ org.Valid();
  ensures fresh(footprint - old(footprint));
  ensures fresh(org.footprint - old(org.footprint));
Page 10: A client
method Client() {
  var r := new RockBand; call r.Init();
  var b3 := new Organ; call b3.Init();
  call r.Session(b3);
  call r.Play();
  call b3.Grind();
}
Page 11: Demo
RockBand1.dfy
Page 12: Borrowing a parameter, variation
method Session(org: Organ)
  requires footprint !! org.footprint;
  …
  ensures fresh(footprint - old(footprint));
  ensures fresh(org.footprint - old(org.footprint));
  ensures fresh(footprint + org.footprint - old(footprint) - old(org.footprint));
  ensures footprint !! org.footprint;
Page 13: Demo
RockBand1.dfy, variation
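The capture/borrow distinction of pages 4 to 12 in one verifiable file, written in current Dafny syntax (no `call` keyword, `&&` for conjunction, `!in` for non-membership). This is an added example, not Leino's RockBand0.dfy or RockBand1.dfy: the specifications follow the slides, but the class bodies (the fields tuned and stop, and what Strum, Grind and Play do) are made up here, and the disjointness clauses are the page 12 variation.

```dafny
// Added example, not from the slides or the RockBand*.dfy demos: the
// capture/borrow distinction in current Dafny syntax. The specs follow
// pages 5, 9 and 12; the Guitar/Organ bodies (tuned, stop) are made up.
class Guitar {
  ghost var footprint: set<object>
  var tuned: bool
  ghost predicate Valid() reads this, footprint { this in footprint }
  method Init()
    modifies this
    ensures Valid() && fresh(footprint - {this})
  { tuned := true; footprint := {this}; }
  method Strum()
    requires Valid()
    modifies footprint
    ensures Valid() && fresh(footprint - old(footprint))
  { tuned := !tuned; }
}

class Organ {
  ghost var footprint: set<object>
  var stop: int
  ghost predicate Valid() reads this, footprint { this in footprint }
  method Init()
    modifies this
    ensures Valid() && fresh(footprint - {this})
  { stop := 0; footprint := {this}; }
  method Grind()
    requires Valid()
    modifies footprint
    ensures Valid() && fresh(footprint - old(footprint))
  { stop := stop + 1; }
}

class RockBand {
  ghost var footprint: set<object>
  var g: Guitar?
  ghost predicate Valid()
    reads this, footprint
  {
    this in footprint && g != null && g in footprint &&
    g.footprint <= footprint && this !in g.footprint && g.Valid()
  }
  // Page 4: the band allocates its own guitar.
  method Init()
    modifies this
    ensures Valid() && fresh(footprint - {this})
  {
    var gt := new Guitar; gt.Init();
    g := gt; footprint := {this} + {gt} + gt.footprint;
  }
  // Page 5: capturing -- gt becomes part of this band's footprint.
  method InitFromGuitar(gt: Guitar)
    requires gt.Valid() && this !in gt.footprint
    modifies this
    ensures Valid() && g == gt
    ensures fresh(footprint - {this} - gt.footprint)
  {
    g := gt; footprint := {this} + {gt} + gt.footprint;
  }
  method Play()
    requires Valid()
    modifies footprint
    ensures Valid() && fresh(footprint - old(footprint))
  {
    g.Strum();
    footprint := footprint + g.footprint;  // absorb anything Strum allocated
  }
  // Page 12: borrowing -- org is used, handed back Valid, and stays disjoint.
  method Session(org: Organ)
    requires Valid() && org.Valid() && footprint !! org.footprint
    modifies footprint, org.footprint
    ensures Valid() && org.Valid() && footprint !! org.footprint
    ensures fresh(footprint - old(footprint))
    ensures fresh(org.footprint - old(org.footprint))
  {
    g.Strum();
    footprint := footprint + g.footprint;
    org.Grind();
  }
}

// Page 6: after capturing, the client may still touch kim, but r is then
// no longer known to be Valid.
method CaptureClient() {
  var kim := new Guitar; kim.Init();
  var r := new RockBand; r.InitFromGuitar(kim);
  kim.Strum();  // allowed: InitFromGuitar wrote only r, so kim.Valid() survives
  // r.Play();  // error: Strum wrote inside r.footprint, so r.Valid() is unknown
}

// Page 10: a borrowed organ comes back Valid and usable.
method BorrowClient() {
  var r := new RockBand; r.Init();
  var b3 := new Organ; b3.Init();
  r.Session(b3);
  r.Play();
  b3.Grind();
}
```

Two points the file makes concrete. First, the precondition `this !in gt.footprint` on InitFromGuitar is what answers the page 5 question: because the method writes only `this`, gt.Valid() survives the call, and the caller may still use kim afterwards, but it can no longer re-establish r.Valid() once it has done so. Second, in Session the line `footprint := footprint + g.footprint` is needed even though Strum's body allocates nothing: the verifier reasons from Strum's postcondition, which permits fresh objects to join g.footprint, and the band's invariant requires g.footprint to stay inside its own footprint. Run it with `dafny verify` on the file; uncommenting `r.Play()` in CaptureClient reproduces the page 6 error.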
Page 14: Hiding a definition
function F(p: T) returns (U) reads R;
axiom (∀ h0: HeapType, h1: HeapType, this: C, p: T •
  IsHeap(h0) ∧ IsHeap(h1) ∧
  (∀ o,f • (o,f) ∈ R ⇒ h0[o,f] = h1[o,f])
  ⇒ #F(h0,this,p) = #F(h1,this,p));
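What the frame axiom above buys at the Dafny level: a function whose definition is hidden (here, simply given no body) can still be shown unchanged across a heap update, provided the update stays outside its reads clause. This is an added example, not from the slides; the class Cell, its fields and the method names are made up for illustration.

```dafny
// Added example, not from the slides: the effect of the reads-clause frame
// axiom, seen from Dafny. Cell, its fields and the method names are made up.
class Cell {
  var val: int
  ghost var R: set<object>

  // No body: the definition is hidden. All the verifier knows about F is
  // the frame axiom generated from "reads this, R": F agrees on any two
  // heaps that agree on this and on every object in R.
  ghost function F(p: int): int
    reads this, R
}

method FrameOk(c: Cell, other: Cell, p: int)
  requires other != c && other !in c.R
  modifies other
{
  ghost var before := c.F(p);
  other.val := other.val + 1;   // writes a location outside c's read set
  assert c.F(p) == before;      // verifies from the frame axiom alone
}

method FrameBroken(c: Cell, p: int)
  modifies c
{
  ghost var before := c.F(p);
  c.val := c.val + 1;           // c itself is in F's read set ...
  // assert c.F(p) == before;   // ... so this would NOT verify: the axiom
                                // says nothing when the heaps differ on R
}
```

The assertion in FrameOk succeeds without any knowledge of what F computes, which is the point of hiding a definition: clients depend on the reads clause, not on the body, so the body can change without re-verifying them.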
Page 15: Example: BinaryTree
IntSet.dfy
Page 16: Example: List
List.dfy (see pre-lecture notes for Reverse)
Page 17: Specifications in Spec#
- non-null types
- Valid() implicit (declared via invariant)
- [Rep] for components of aggregates
- [Captured] (“borrowed” is default)
- modifies this.* implicit
- modifies p.* implicit for “committed” p
Page 18: Combining access and value
Implicit dynamic frames [Smans et al.]
Separation logic [Reynolds, O’Hearn, Parkinson, …]
Page 19: Summary
Design semantics in terms of an intermediate language!
- can support different logics: first-order, higher-order, separation, etc.
Research problem: how to specify programs
Trade-offs in specification styles:
- economic (non-verbose) specifications
- flexibility, expressibility
- automation
Links:
http://research.microsoft.com/~leino
http://research.microsoft.com/specsharp