LEAVENS,G.T.AND WEIHL, W. E. 1990. Reasoning about object-oriented programs that use subtypes. In ECOOP/OOPSLA 90 Proceedings. ACM, New York.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....however, the reasoning would still hold even when the subtype is added to the program. As static assertions are not inherited by subtypes, they are not constrained by the modular verification requirements. In sum, the properties support modular reasoning of code in the presence of subtyping [84] [91]. 77 Inheritance of Specifications In JML, specification inheritance ensures that the behavior of a supertype is imposed on its subtypes, thereby supporting behavioral subtyping [40] Furthermore, a subtype may inherit specifications from more than one supertype, thus allowing multiple ....

....what is invoked is the subtype S s (down call) invariant method, because it is overridden in S. Thus, all relevant invariants are checked. The same technique works for constraint methods. The anomaly of specification inheritance a#ects modular verification of object oriented programs [84] [91] [92] 95] 114] 113] 151] as the supertype s methods, if not overridden, have to be verified again with respect to the subtype s specifications. This may mean that the supertype s implementation should be available for such re verification. However, the implications of the anomaly on ....

[Article contains additional citation context not shown here]

Gary T. Leavens and William E. Weihl. Reasoning about object-oriented programs that use subtypes (extended abstract). In N. Meyrowitz, editor, OOPSLA ECOOP '90 Proceedings, volume 25(10) of ACM SIGPLAN Notices, pages 212--223. ACM, October 1990.

....easily corrected, but the diagram also raises questions that cannot be answered by examining interfaces along. To address these, the behavior of methods must be analyzed . Behavioral specification tools based on pre and post conditions have also been adapted for use in object oriented programming [America91, LW90]. Specifications have also been used in the design of the Eiffel libraries [Meyer91] America s techniques are used to develop specifications for the classes in the Smalltalk library. Several interesting issues arise while discussing the specifications. In some cases, methods are being ....

....for the collection class protocols to investigate further the design of the collection classes. Specification techniques available for analyzing objects include America s pre post condition specifications with representation transfer functions [America91] Leaven s simulation model with traits [LW90], and Meyer s use of pre post conditions and class invariants in Eiffel [Meyer91] We use an version of America s formulation, since it is the simple and direct. The specifications for ordered collection and bag are based on America s. Each class in the library has an abstract representation, and ....

G. T. Leavens and W. E. Weihl. "Reasoning about object-oriented programs that use subtypes." In Proc. of ACM Conf. on ObjectOriented Programming Systems, Languages and Applications, 1990, pp. 212--224.

....reusing modalities to designers. In addition to single inheritance and overriding, that are usual in the object oriented context, indeed, we support extension and refinement which offer novel and useful opportunities to refine object behavior. Both correspond to the idea of behavioral subtyping [LW90] which can be achieved in object oriented programming languages by exploiting super calls or the inner mechanism. In particular, extension allows to handle additional cases specific to the inheriting object through the addition of clauses, whereas refinement allows to specialize the behavior by ....

G. Leavens and W. Weihl. Reasoning about Object-Oriented Programs that use Subtypes. In Proc. Fifth Int'l Conf. on Object-Oriented Programming: Systems, Languages, and Applications joint with Fourth European Conference on Object-Oriented Programming, pages 212--223, 1990.

....each time the overridden one would be; ii) the redefined rule does at least what the overridden one would do. A notion of behavioral refinement of triggers can be introduced, which is analogous to the notion of behavioral subtyping developed in the context of object oriented programming languages [5]. This property aims at ensuring that, if a class c is a subclass of a class c 0 , every object instance of c behaves like some object of class c 0 . Such property leads to a notion of semantic method refinement: consider as an example an init method initializing the attributes of an object, ....

G. Leavens and W. Weihl, "Reasoning about Object-Oriented Programs that use Subtypes," in Proc. Fifth Int'l Conf. on Object-Oriented Programming: Systems, Languages, and Applications joint with Fourth European Conference on ObjectOriented Programming, 1990, pp. 212--223.

....as behavioural subtyping is essentially the same to develop a specification and verification methodology for reasoning about correctness of objectoriented programs. Our work has been to a great extent inspired by works of Pierre America, Barbara Liskov, Jeannette Wing, Gary Leavens, and others [4, 5, 27, 25, 26, 16]. However, our approach di#ers in a number of ways. First of all, as was already mentioned in the introduction, we consider it essential to separate decidable syntactic properties of interface conformance or subtyping from undecidable but provable properties of behavioural conformance or ....

....statements with method calls. Mark Utting in his PhD thesis [37] extends the refinement calculus to support a variety of object oriented programming styles. One of the main contributions of [37] is a formal definition in the refinement calculus of modular reasoning advocated by Leavens in [25]. It is assumed that all objects are ordered by a substitution relation # which must be a preorder but otherwise is unrestricted. An object oriented system is defined to support modular reasoning if methods of an object a, such that a # b, are refined by the corresponding methods of b. Clearly ....

G. T. Leavens and W. E. Weihl. Reasoning about object-oriented programs that use subtypes (extended abstract). In Proceedings of OOPSLA /ECOOP'90, volume 25(10) of ACM SIGPLAN Notices, pages 212--223, 1990. 33

....P defined in terms of T , the behavior of P is unchanged when o 1 is substituted for o 2 , then S is a subtype of T . 14] Behavioral notions of subtyping that attempt to capture this substitutability property have since been defined by many, including America [1] Leavens and his colleagues [12, 13, 3], Meyer [18] and Liskov and Wing [15] There are subtle differences between all these subtype definitions, but common to all is the use of pre post condition specifications (1) to describe the behavior of types and (2) to determine whether one type is a subtype of another. Let m T be a method of ....

Leavens, G. T., and Weihl, W. E. Reasoning about object-oriented programs that use subtypes. In ECOOP/OOPSLA '90 Proceedings (1990).

....T is used, we should be able to substitute an object of type S, where S is a subtype of T , and still have the same observable behavior of the program. 25 There are a number of definitions of behavioral subtyping that attempt to capture this substitutability property [DL96, LW94, DL92, Ame91, LW90, Lea89, Mey88] There are subtle differences between all these subtype definitions, but common to all is the use of pre post condition specifications both to describe the behavior of types and to determine whether one type is a subtype of another. Let m T be a method of supertype T , and m S be ....

Gary T. Leavens and William E. Weihl. Reasoning about object-oriented programs that use subtypes. In ECOOP/OOPSLA '90 Proceedings, 1990.

....binding in some way. The major goal of the work described in this thesis is to extend the refinement calculus to allow object oriented programming in a way that supports modular reasoning. There are a few existing formal methods that allow modular reasoning about programs that use late binding [LW90] Ame89] but none based on the refinement calculus. There are a number of potential benefits that may arise from this, both for users of the refinement calculus and for programmers who use object oriented languages. Users of the refinement calculus will benefit from the encapsulation facilities ....

....for reasoning about late binding, since it allows supertype specifications to be used as approximations to the actual behaviour of an object whose precise class is not known. 3.3. 3 NOAL Another approach to reasoning about programs that use subtyping has been developed by Gary Leavens [Lea89] LW90] Lea91] His verification rules for object oriented programs that use late binding were the first to be proven sound. Leavens uses an object oriented functional language called NOAL to illustrate verification techniques for subtyping. NOAL is a hybrid of Trellis Owl [S 86] an ....

[Article contains additional citation context not shown here]

Gary T. Leavens and William E. Weihl. Reasoning about object-oriented programs that use subtypes. SIGPLAN Notices, 25(10):212--223, October 1990. Proceedings of OOPSLA '90. Ref. on pages 3, 27, 39, 92, 135, 137.

No context found.

Gary T. Leavens and William E. Weihl. Reasoning about Object-oriented Programs that use Subtypes (extended abstract). In N. Meyrowitz (ed.), OOPSLA ECOOP '90 Proceedings (ACM SIGPLAN Notices, 25(10):212-223, Oct., 1990).

No context found.

Gary T. Leavens and William E. Weihl. Reasoning about Object-oriented Programs that use Subtypes (extended abstract). In N. Meyrowitz (ed.), OOPSLA ECOOP '90 Proceedings (ACM SIGPLAN Notices, 25(10):212-223, Oct., 1990).

....equivalence implies behavioral equivalence of environments in a natural sense. However, Theorem 7.1 and Corollary 7.2 suggest that behavioral equivalence of environments is the more natural of the two. Techniques for proving correct object behavioral subtyping have been studied by several authors [2, 5, 9, 10, 21, 24, 25, 26]. While most of these authors have studied the soundness of their techniques, to the best of our knowledge none have studied their completeness. In earlier work [21] we showed that the use of nominal standard simulations as described above is sound for correct behavioral subtyping based on ....

Gary T. Leavens and William E. Weihl, Reasoning about Object-oriented Programs that Use Subtypes (extended abstract), ECOOP/OOPSLA '90 Proceedings (M. Meyrowitz, ed.), ACM SIGPLAN Notices, vol. 25, ACM, October, 1990, 212-223.

....has a method m that takes a RODirectory as an argument. If the implementation of m is correct with respect to its specification, then it should work correctly for Directory arguments. This is the notion of modular reasoning , which can be seen as a criteria for goodness of verification techniques [LW90, LW95, Lei95] The basic idea for modular reasoning about OO programs is to: Assign to each expression in a program a static type that is an upper bound on the dynamic type of the expression s value. That is, if the static type is T , then the value must have a dynamic type that is a subtype ....

....checkable by using keywords to stand for behavioral properties. 6.3.1 Model Theory 6.3.2 For Types with Immutable Objects Also in the late 1980s Leavens, in his Ph.D. thesis [Lea88, Lea90] showed how to use the notion of behavioral subtyping to do modular verification of OO programs [Lea91, LW90, LW95] Leavens s definition of behavioral subtyping is modeltheoretic. The basic notion is that of a coercion relation between models of abstract values [LP92] which has led to a precise model theoretic characterization of behavioral subtyping for types with immutable objects [LP96] Leavens s ....

Leavens, G. T. and Weihl, W. E. Reasoning about object-oriented programs that use subtypes (extended abstract). In Meyrowitz, N., editor, OOPSLA ECOOP '90 Proceedings, volume 25(10) of ACM SIGPLAN Notices, pages 212--223. ACM, October 1990.

....of IntSet. Hence Interval is a subtype of IntSet. A modular specification and verification technique for reasoning about message passing programs can be based on the concepts of subtype relationships and nominal type, as pioneered in my dissertation [Lea89] and further developed in [LW90]. Informally, the reasoning technique can be summarized as follows. ffl One specifies the data types to be used in the program along with their subtype relationships . ffl Procedures are specified by describing their effects on actual arguments whose types are the same as the types of the ....

Gary T. Leavens and William E. Weihl. Reasoning about Object-oriented Programs that use Subtypes (extended abstract). Technical Report 90-03, Iowa State University, Department of Computer Science, March 1990. To appear in ECOOP/OOPSLA '90.

....references. Subsumption in Java allows a reference to a subtype object to be substituted for a supertype reference. The requirements of behavioral subtyping [2,3,19,57,59,63,69] guarantee that all such substituted objects will obey the specifications inherited from the static type of the reference [19,60,61]. Because of the benefits of modular reasoning to programmers and verifiers, we favor specification inheritance over the conflicting goal of being able to document existing designs that do not follow behavioral subtyping. In any case, it is possible to work around the requirements of behavioral ....

Gary T. Leavens and William E. Weihl. Reasoning about object-oriented programs that use subtypes (extended abstract). In N. Meyrowitz, editor, OOPSLA ECOOP '90 Proceedings, volume 25(10) of ACM SIGPLAN Notices, pages 212--223. ACM, October 1990.

No context found.

G. T. Leavens and W. E. Weihl. Reasoning about object-oriented programs that use subtypes (extended abstract). In N. Meyrowitz, editor, OOPSLA ECOOP '90 Proceedings, volume 25(10) of ACM SIGPLAN Notices, pages 212-223. ACM, Oct. 1990.

No context found.

G. T. Leavens and W. E. Weihl. Reasoning about object-oriented programs that use subtypes (extended abstract). In N. Meyrowitz, editor, OOPSLA ECOOP '90 Proceedings, volume 25(10) of ACM SIGPLAN Notices, pages 212--223. ACM, Oct. 1990.

....supertypes, when manipulated as if they were supertype objects, by comparing the speci cations of the supertypes and the new subtypes. Various authors have proposed conditions that ensure behavioral subtyping, some using proof theory [2, 3, 12, 30, 33, 34, 46, 45] and others using model theory [7, 11, 22, 23, 24, 30]. One common feature of these de nitions is that there should be away to map the state of subtype objects to the state space of their supertypes; another common feature is that the behavior of the subtype s methods that are also presentinthe supertype must simulate the behavior of the ....

G. T. Leavens and W. E. Weihl. Reasoning about object-oriented programs that use subtypes (extended abstract). In N. Meyrowitz, editor, OOPSLA ECOOP '90 Proceedings,volume 25(10) of ACM SIGPLAN Notices, pages 212-223. ACM, Oct. 1990.

....as syntax and semantics, and to programming environment issues. The above goals are directed at making Larch C practical. In addition, we have some other goals which should help make Larch C useful, but which are motivated by a particular view of object oriented programming [Ame87] Mey88] LW90] Lea90] Lea91] This view centers around supertype abstraction, which is the ability to reason about a program based on nominal (i.e. static) type information by letting supertypes stand for all their subtypes. Informally, a subtype is an abstract data type such that each object of the subtype ....

.... of C programs (so that when new modules are added to a program, unchanged modules should not have to be reverified) For example, one must be able to specify enough information about the relationships between subtypes and supertypes so that one can verify programs using static type information [LW90] Another example: one must be able to verify a subclass using the specification of the public and protected interfaces of its superclasses, independent of the implementation of the superclasses. 2 1.3 Related Work The most closely related work are other interface specification languages in ....

[Article contains additional citation context not shown here]

Gary T. Leavens and William E. Weihl. Reasoning about Object-oriented Programs that use Subtypes (extended abstract). ACM SIGPLAN Notices, 25(10):212--223, October 1990. OOPSLA ECOOP '90 Proceedings, N. Meyrowitz (editor). 20

....Along with the promise of reuse, object oriented (OO) techniques bring several challenges. A key problem that our research addresses is how to verify (or reason about) code that uses message passing and subtype polymorphism. Our research on such questions has been mostly model theoretic [18, 29, 30, 31, 32, 33, 34, 35, 36]. However, the models we use may seem, at first glance, to have little to do with standard OO programming languages, such as Smalltalk80 [24] C [50] Eiffel [42] and Java [2, 25] Such single dispatching languages seem to be better modeled by models in which objects resemble records, and ....

Gary T. Leavens and William E. Weihl. Reasoning about object-oriented programs that use subtypes (extended abstract). In N. Meyrowitz, editor, OOPSLA ECOOP '90 Proceedings, volume 25(10) of ACM SIGPLAN Notices, pages 212--223. ACM, October 1990.

....of objects without knowledge of their exact run time types. This causes difficulties in verification, because many different operations may be invoked by a single message at different times, and these operations may have different specifications. The technique of supertype abstraction [40] [38] [35] overcomes this problem by reasoning using static (what we call nominal) type information, and restricting the run time types of the objects denoted by expressions to be subtypes of their nominal types. That is, supertype abstraction means using supertypes to stand for all their subtypes. ....

....of their nominal types. That is, supertype abstraction means using supertypes to stand for all their subtypes. Supertype abstraction has the advantage of modularity : one does not have to respecify or reverify unchanged program parts when new subtypes of existing types are added to a program [38] [39] Our results can thus provide formal support for the common informal practice of object oriented programming, as it shows conditions under which programmers do not have to rethink unchanged code, and those which might be dangerous. The danger comes when a new type is not a legal subtype of ....

[Article contains additional citation context not shown here]

Leavens, G. T. and Weihl, W. E. Reasoning about object-oriented programs that use subtypes (extended abstract). ACM SIGPLAN Notices, 25(10):212--223, October 1990. OOPSLA ECOOP '90 Proceedings, N. Meyrowitz (editor).

No context found.

LEAVENS,G.T.AND WEIHL, W. E. 1990. Reasoning about object-oriented programs that use subtypes. In ECOOP/OOPSLA 90 Proceedings. ACM, New York.

No context found.

Gary T. Leavens and William E. Weihl. Reasoning about Object-Oriented Programs that use Subtypes. In ECOOP/OOPSLA '90 Proceedings. 1990.

No context found.

Gary Leavens, William Weihl. Reasoning about Object-Oriented Programs that Use Subtypes (Extended Abstract). In Proceedings of the European Conference on Object-Oriented Programming/Conference on Object-Oriented Programming, Systems, Languages, and Applications (ECOOP/OOPSLA), pages 212-223, Ottawa, October 1990. Published as ACM SIGPLAN Notices 25(10), October 1990.

No context found.

G. Leavens and W.E. Wiehl. Reasoning about object-oriented programs that use subtypes. In

No context found.

Gary T. Leavens and William E. Weihl. Reasoning about Object-Oriented Programs that use Subtypes. In OOPSLA/ECOOP '90 Conference Proceedings, pp. 212-223, Ottawa, Canada, October, 1990. Published as SIGPLAN Notices 25(10), October, 1990. 92

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC