| Leavens, G. T. Modular verification of object-oriented programs with subtypes. Technical Report 90-09, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, July 1990. Available by anonymous ftp from ftp.cs.iastate.edu, and by e-mail from almanac@cs.iastate.edu. |
....an increasing body of work about the semantic foundations of object-oriented programming, notably in the area of typed functional calculi (see [GM94]), there are still only a few investigations about verification of specific object-oriented programs. Leavens and Weihl in a series of papers [Lea88, Lea90, Lea91, LW94, Lea93] investigate modular specification and verification of object-oriented programs featuring subtype polymorphism and late binding. Modular verification in their setting means: adding a new type to a program must not call for recoding, respecification or reverification of old ....
Gary T. Leavens. Modular verification of object-oriented programs with subtypes. Technical Report 90-09, Iowa State University, Department of Computer Science, July 1990.
....object-oriented analysis and design techniques and statecharts to give a diagrammatic specification for object-oriented systems. ObjectCharts can be well suited to describe general structure and behavior of object systems. However, it has neither subtype nor subclass mechanisms at all. Leavens [32, 31] proposed a modular way of specifying and verifying object-oriented programs using subtyping relationships. He argues that if subtype relationships satisfy certain semantic constraints (referred to as simulation relationships) a new type can be added to a program without respecifying or ....
....T. Any property that holds for T objects would also hold for S objects; messages understood by T objects will be understood by S objects and will have a similar effect. To provide this property, the subtype relationships must satisfy certain semantic constraints (called simulation relationships in [31, 32]). However, these semantic constraints cannot be easily enforced by machines, so we adopt the traditional syntactic constraints, called syntactic subtyping rules, listed in item 2 below. The syntactic subtyping rules are weaker than the semantic constraints. The following rules are applied to ....
Leavens, G. T., Modular Verification of Object-Oriented Programs with Subtypes. Technical Report 90-09, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, July 1990.
....[LW93a, LW93b]. 1.3 Plan. In the following we discuss inheritance of specifications in ISLs. Our ideas come from our work on the ISLs Larch/Smalltalk (for Smalltalk) [Che91] and Larch/C++ (for C++) [LC93b, CL93, LC93a] and our work on the semantics of subtyping in OOPLs [Lea89, LW90, Lea90, LP91, LW92]. 2 Inheritance of Specifications. For an example, consider the types BankAccount and PlusAccount. The supertype, BankAccount, has just a savings account. The subtype, PlusAccount, also has a (free) checking account. We want to specify instance operations such as balance and pay ....
....can avoid the inconvenience described in the previous paragraph. However, the disadvantage of homomorphic relations is that there is much to prove before one is convinced that assertion evaluation is well defined, because of the possible ambiguity in dealing with sets of abstract values [Lea89, Lea90]. 2.2.4 Overloading the Trait Functions. This approach attacks the problem of how to interpret the parent type's specification directly. It is clearly more general than the approaches above, because the others also, in effect, overload the trait functions so that they are defined on abstract ....
Gary T. Leavens. Modular Verification of Object-Oriented Programs with Subtypes. Technical Report 90-09, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, July 1990. Available by anonymous ftp from ftp.cs.iastate.edu, and by e-mail from almanac@cs.iastate.edu.
....language (LIL). Interface languages are used to specify the interfaces between system components. This interface specification is most precise when the specification language reflects the programming language. LILs have been developed for various programming languages, such as C [10], C++ [13][14], Modula-3 [11], and Smalltalk [4]. For a complete discussion of the Larch specification languages, see [9]. The Larch shared language is used to create auxiliary specifications, providing semantics for the ADTs used by the software components. The ADT and its operators are described using LSL ....
....int numOfNodes() { ensures result = size(self.nodes) } }; Figure 3. An LCCL Specification. 2.2 The Larch ToolKit. Syntax checkers and a debugger are available to support verification of the syntax and semantics of Larch specifications. The syntax checkers for LSL [9], LCL [9, 10], and LCCL [5][13][14] support the static checking of syntax. The LSL syntax checker also generates a list of operators and sorts defined and used in LSL traits. The LSL syntax checker will automatically check the syntax of all included and assumed traits. It expects the directories containing the necessary traits ....
Gary T. Leavens. Modular Verification of Object-Oriented Programs with Subtypes. IEEE Software. July 1991. pp. 72-80.
....der Linden) in ECOOP/OOPSLA '90 [AvdL90] is interesting in its attempt to make behavioral subtyping statically checkable by using keywords to stand for behavioral properties. 6.3.1 Model Theory. 6.3.2 For Types with Immutable Objects. Also in the late 1980s Leavens, in his Ph.D. thesis [Lea88, Lea90], showed how to use the notion of behavioral subtyping to do modular verification of OO programs [Lea91, LW90, LW95]. Leavens's definition of behavioral subtyping is model-theoretic. The basic notion is that of a coercion relation between models of abstract values [LP92], which has led to a ....
Leavens, G. T. Modular verification of object-oriented programs with subtypes. Technical Report 90-09, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, July 1990. Available by anonymous ftp from ftp.cs.iastate.edu, and by e-mail from almanac@cs.iastate.edu.
....and semantics, and to programming environment issues. The above goals are directed at making Larch/C++ practical. In addition, we have some other goals which should help make Larch/C++ useful, but which are motivated by a particular view of object-oriented programming [Ame87, Mey88, LW90, Lea90, Lea91]. This view centers around supertype abstraction, which is the ability to reason about a program based on nominal (i.e. static) type information by letting supertypes stand for all their subtypes. Informally, a subtype is an abstract data type such that each object of the subtype acts ....
....of Smalltalk and Modula-3. Since message passing causes special difficulties in program verification, it is worth taking extra trouble in specification if that will make the job of verification easier. One way to make such verification easier is by the use of legal subtype relationships [LW90, Lea90, Lea91]. 2.2.1 Distinguish Subtypes and Subclasses. In software engineering it is important to distinguish between the notions of type and class and the relationships of subtype and subclass. A type (i.e. an abstract data type) is a behavioral notion, and may be implemented by many different ....
Gary T. Leavens. Modular Verification of Object-Oriented Programs with Subtypes. Technical Report 90-09, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, July 1990.
....Along with the promise of reuse, object-oriented (OO) techniques bring several challenges. A key problem that our research addresses is how to verify (or reason about) code that uses message passing and subtype polymorphism. Our research on such questions has been mostly model-theoretic [18, 29, 30, 31, 32, 33, 34, 35, 36]. However, the models we use may seem, at first glance, to have little to do with standard OO programming languages, such as Smalltalk-80 [24], C++ [50], Eiffel [42], and Java [2, 25]. Such single-dispatching languages seem to be better modeled by models in which objects resemble records, and ....
Gary T. Leavens. Modular verification of object-oriented programs with subtypes. Technical Report 90-09, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, July 1990. Available by anonymous ftp from ftp.cs.iastate.edu, and by e-mail from almanac@cs.iastate.edu.
....Sets of type specifications written in Larch/LOAL all have the same set of visible (i.e. built-in) types. Thus we will assume from now on that the visible types are the same in all algebras. To state this assumption precisely requires the notion of the reduct of an algebra [18, Section 6.8] [34]. Briefly, the reduct A(Σ′) has as its carrier sets the carrier sets of the sorts in A that appear in Σ′, and as its trait functions and methods those named in Σ′. For Larch/LOAL, there is a fixed signature Σ_B and a fixed Σ_B-algebra, B, that defines the ....
....empty IntSet object. LOAL programs and functions may be nondeterministic, since the operations of an abstract type may be nondeterministic. Although there are no facilities in LOAL itself for introducing nondeterminism, the addition of such facilities does not invalidate the results of this paper [34]. LOAL uses lazy evaluation for evaluating function arguments [56, Page 181] [4]. Because of lazy evaluation, functions need not be strict. However, each actual parameter is only evaluated once; hence formal parameters are not sources of nondeterminism. That is, if a formal argument is mentioned ....
Leavens, G. T. Modular verification of object-oriented programs with subtypes. Technical Report 90-09, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, July 1990. Available by anonymous ftp from ftp.cs.iastate.edu, and by e-mail from almanac@cs.iastate.edu.
....with aliasing, we plan to require that the verifier verify a method for each possible case of aliases among the names it uses. Often some of these cases can be ruled out by preconditions. To deal with subtyping and dynamic dispatch, we plan to use behavioral subtyping and supertype abstraction [1, 5, 17, 18, 24, 25, 29, 30, 41]. Since JML forces subtypes to be behavioral subtypes [6], this allows one to reason about Java programs using the static types of variables and expressions, ignoring dynamic dispatch. 4 Future Work and Conclusions. One area of future work for JML is concurrency. Our current plan is to use when ....
Gary T. Leavens. Modular verification of object-oriented programs with subtypes. Technical Report 90-09, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, July 1990. Available by anonymous ftp from ftp.cs.iastate.edu, and by e-mail from almanac@cs.iastate.edu.
....ADTs. Because there is nothing analogous to a multi-sorted algebra in the semantics of such programming languages, it is difficult to apply ideas from multi-sorted algebras (such as behavioral subtyping for immutable objects). In our previous model-theoretic work on behavioral subtyping [34] [27] [33] [13], we have tried to use algebraic structures as the denotations of ADT specifications, while at the same time working with a denotational semantics. This combination was achieved by only using half of a programming language, the part that used objects to do things, and leaving out the ....
Gary T. Leavens. Modular verification of object-oriented programs with subtypes. Technical Report 90-09, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, July 1990. Available by anonymous ftp from ftp.cs.iastate.edu, and by e-mail from almanac@cs.iastate.edu.
....observable objects are called simulation relations. Simulation relations are used to define when one abstract data type is a subtype of another. Applications of such relations to the problems of specifying and verifying object-oriented programming languages are discussed in [LW90, Lea91] and [Lea90]. Verification is based on supertype abstraction, where functions are verified using properties of the supertype's specification, including datatype induction, as if the supertype had no subtypes. The specification of a purported subtype must be shown to satisfy certain semantic constraints that ....
.... cannot preserve the meaning of choose for Interval objects and IntSet, since in B_max applying choose to an Interval has the least element of the interval as its only possible result, and applying choose to a nonempty IntSet has the set's maximum element as its only possible result (see [Lea90] for a detailed proof of a similar statement). The following lemma is the key property of simulation relations. Lemma 2.5. Let H be a sort context. Let C and A be Σ-algebras such that there is a Σ-simulation R from C to A. Then for all H-environments ae C over C, there is some nominal ....
Gary T. Leavens. Modular Verification of Object-Oriented Programs with Subtypes. Technical Report 90-09, Department of Computer Science, Iowa State University, Ames, Iowa, 50011, July 1990.
....in the presence of mutation and aliasing. In this paper we define a behavioral notion of subtyping to answer these questions. 3 Related Work. Bruce and Wegner [2] define subtyping in terms of binary relations on an algebra. They do not deal with incompletely specified data types. Leavens in [11, 14] defines subtyping using relations between algebras. These simulation relations were also extended to handle nondeterminism. It was shown that no surprising results can occur when subtype objects are used in place of supertype objects. However, none of these deal with mutation. In contrast ....
....America uses a proof-theoretic approach to subtyping [1]. America defines subtyping with a transfer function and using pre- and postconditions of the subtype and supertype operations. In this paper we approach subtyping from a model-theoretic point of view. Simulation relations between algebras [11] are extended to deal with mutable types. This extension is not trivial as it also handles aliasing. 4 Algebraic Model. Our models of abstract types with mutable objects are somewhat nonstandard from the standpoint of denotational semantics, because they do not describe objects in terms of a few ....
Gary T. Leavens. Modular Verification of Object-Oriented Programs with Subtypes. Technical Report, Iowa State University, 90-09, July 1990.