
Lecture 2 Towards a Verifying Compiler: Logic of Object-oriented Programs

Wolfram Schulte, Microsoft Research

Formal Methods 2006

Objects, references, heaps, subtyping and dynamic binding, pre- and postconditions, method framing

Joint work with Rustan Leino, Mike Barnett, Manuel Fähndrich, Herman Venter, Rob DeLine, Wolfram Schulte (all MSR), and Peter Müller (ETH), Bart Jacobs (KU Leuven) and Bor-Yuh Evan Chang (Berkeley)

Review: Boogie PL

Source language (e.g. Spec#)
  | translate source language features using a particular programming methodology
Intermediate language for verification: BoogiePL
  | translate Boogie PL code using a particular VC generation
Formulas

Review: Boogie PL
• What components does Boogie PL have, and what does it not have?
• What is the purpose of assert, assume and havoc?
• What is the meaning of a procedure and its modifies clause?
• What do we need to translate an OO language into Boogie PL?

Mapping Spec# to BoogiePL
• Axiomatizing Spec#'s class and field declarations
• The storage model
• Translating methods and code
• Method framing (simplified)
• Loop framing

Axiomatizing the Spec# Type System

On notation: We use the following C# class
  class C : object { object f = null; C() {} }
to describe the result of the axiomatization. We use the function Tr (for "translate") to translate Spec# statements into BoogiePL.

Axiomatizing the Spec# Type System

Introduce a type name for each Spec# type
  type C : name;
Assert the subtyping relationship for program types
  axiom C <: System.Object;
by using a predefined partial order operation <:

Axiomatizing C#: Type Declarations

Introduce field names as constants
  const C.f : name;
Assert field properties (kind, type etc.)
  axiom IsRefField(C.f, System.Object);
by using the appropriate functions
  function IsRefField(field: name, type: name) returns bool

Storage Model
Use Boogie's type ref to denote runtime object references. A Heap maps object references and field names to values:
  var Heap: [ref, name] any;   // Heap : ref × name → any
Allocatedness is represented as another field of the heap:
  const allocated: name;
Access to an instance field f declared in C is
  assert o != null; Heap[o, C.f]

Allocation
Tr[[x = new T()]] =
  { var o: ref;
    assume o != null ∧ typeof(o) == T;
    assume Heap[o, allocated] == false;
    Heap[o, allocated] := true;
    call T..ctor(o);
  }

Methods
Recall: Boogie PL
• has only procedures, no instance methods
  - add this as first parameter to the generated proc
• is weakly typed (just int, bool, ref)
  - Spec# types must be preserved via contracts
• has no idea of heap properties
  - allocatedness must be preserved via contracts
• has no inheritance
  - strengthening of postconditions must be implemented via multiple procedures

Constructors and Non-Virtual Methods

Tr[[C() {} ]] =
  proc C..ctor(this: ref);
    requires this != null ∧ typeof(this) <: C;   // preserve type information
    modifies Heap;
  impl C..ctor(this: ref) {
    assume Heap[this, allocated] == true;
    // for constructors only: preserve initialization semantics
    assume Heap[this, C.f] == null;
    call System.Object..ctor(this);
    …
  }

Virtual Methods: Example

  class Cell {
    public int x;
    protected virtual void Set(int x)
      modifies this.*;
      ensures this.x == x;
    { this.x = x; }
    public void Inc(int x)
      modifies this.*;
      ensures this.x == old(this.x) + x;
  }
  class BackupCell : Cell {
    int b;
    protected override void Set(int x)
      ensures this.b == old(this.x);
    { this.b = this.x; base.Set(x); }
  }

Behavioral Subtyping
Behavioral subtyping should guarantee substitutability:
• Wherever an object of type T is expected, an object of type S, where S <: T, should do without changing the program's behavior expressed in wp.
Sufficient conditions: Let M_O be a virtual method and M_U be its overridden method, then
• M_U can weaken M_O's precondition
• M_U can strengthen M_O's postcondition

Virtual Methods

Translate each method m declared in C into a
  proc m.C(this, …)
    requires this != null ∧ typeof(this) <: C;
    …
The precondition of the overriding method is inherited from the overridden method; additional postconditions are conjoined.
Translate calls of the form o.m() to the method on o's most specific static type.

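To make the inheritance rule concrete, the following is an added Python example (not code from the lecture, Spec# or Boogie) that runs the Cell / BackupCell program of the earlier slide with runtime-checked contracts: the wrapper inherits the overridden method's precondition, conjoins postconditions along the override chain, and Inc's call to Set is dispatched virtually. The `contract` / `Contracted` helpers and the body chosen for Inc are assumptions of this example.

```python
# Added example, not from the lecture: Cell / BackupCell with runtime-checked
# contracts following the Virtual Methods rule (precondition inherited from the
# overridden method, postconditions conjoined). Helpers and Inc's body assumed.
import copy

class ContractError(AssertionError): pass

def contract(requires=lambda self, *a: True, ensures=lambda self, old, *a: True):
    def mark(fn): fn._spec = (requires, [ensures]); return fn   # (pre, posts)
    return mark

def _checked(fn, pre, posts):
    def call(self, *args):
        if not pre(self, *args): raise ContractError(f"{fn.__qualname__}: requires")
        old = copy.copy(self)                # old(...) snapshot of the receiver
        result = fn(self, *args)
        if not all(p(self, old, *args) for p in posts):   # conjoined postconditions
            raise ContractError(f"{fn.__qualname__}: ensures")
        return result
    call._spec = (pre, posts)
    return call

class Contracted:
    def __init_subclass__(cls):
        for name, fn in list(vars(cls).items()):
            if not hasattr(fn, "_spec"): continue
            over = next((vars(b)[name] for b in cls.__mro__[1:] if name in vars(b)), None)
            pre = over._spec[0] if over else fn._spec[0]           # inherited precondition
            posts = (over._spec[1] if over else []) + fn._spec[1]  # conjoined postconditions
            setattr(cls, name, _checked(fn, pre, posts))

class Cell(Contracted):
    def __init__(self): self.x = 0
    @contract(ensures=lambda self, old, x: self.x == x)
    def Set(self, x): self.x = x
    @contract(ensures=lambda self, old, x: self.x == old.x + x)
    def Inc(self, x): self.Set(self.x + x)   # virtual call: the most specific Set runs

class BackupCell(Cell):
    def __init__(self): super().__init__(); self.b = 0
    @contract(ensures=lambda self, old, x: self.b == old.x)
    def Set(self, x): self.b = self.x; super().Set(x)

class BrokenCell(Cell):                      # override violating the inherited ensures
    @contract()
    def Set(self, x): self.x = x + 1

def backup_cell_example():
    c = BackupCell(); c.Inc(5); c.Inc(3)
    return c.x, c.b                          # (8, 5): x updated, b holds the previous x

def broken_override_detected():
    try: BrokenCell().Set(1)
    except ContractError: return True
    return False
```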
Method Framing
• For sound verification we assume that every method modifies the heap
• Modifies clauses in Spec# express which locations (evaluated in the method's prestate) a method is allowed to modify
• Modifies clauses for an object o or array a have the form:
  - o.f   allows modification of o's f field
  - o.*   allows modification of all of o's fields
  - a[k]  allows modification of a's array location k
  - a[*]  allows modification of all of a's array locations

Method Framing
Let W denote all locations a method is allowed to modify
• The Boogie PL postcondition for a Spec# modifies clause:
  Tr[[W]] = (∀ o: ref, f: name :: old(Heap[o, allocated]) ∧ (o, f) ∉ old(W) ⇒ old(Heap[o, f]) = Heap[o, f])

Virtual Methods: Example Translation

Spec#
  protected virtual void Set(int x) modifies this.*;

Boogie
  proc Cell.Set(this : Cell, x : int)
    requires this != null ∧ typeof(this) <: Cell;
    modifies Heap;
    ensures (∀ o: ref, f: name :: old(Heap[o, allocated]) ∧ o ≠ this ⇒ old(Heap[o, f]) = Heap[o, f]);

Loop Framing
• Loops might change the heap. Let W denote the set of locations potentially changed by the loop
• For sound verification we havoc the heap. We add as loop invariant the assertion that fields not written to don't change:
  Tr[[W]] = (∀ o : ref, f: name :: Heap_entry[o, allocated] ∧ f ∉ W ⇒ Heap_entry[o, f] = Heap_current[o, f])
  where Heap_entry / Heap_current denote the entry / current incarnations of the Heap variable in the loop

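As an added example (not part of the lecture), the following Python code evaluates the method-framing postcondition Tr[[W]] and the loop-framing invariant above over a finite model of the Boogie heap, expanding the four modifies forms (o.f, o.*, a[k], a[*]) in the prestate. Refs as strings and array slot k as the field name "[k]" are modelling choices made here.

```python
# Added example, not from the lecture: a finite model of the Boogie storage
# model (Heap: [ref, name] any, with allocated as an extra field) on which the
# framing postcondition Tr[[W]] and the loop-framing invariant are evaluated.
# Modelling choices: refs are strings, array slot k is the name "[k]".
from typing import Callable

ALLOCATED = "allocated"
Heap = dict[tuple[str, str], object]          # (o, f) -> value, i.e. Heap[o, f]

def expand_modifies(heap: Heap, clauses: list[tuple]) -> set[tuple[str, str]]:
    """Evaluate a Spec# modifies clause in the prestate `heap` to the set W.
    Forms follow the slide: ("o.f", o, f), ("o.*", o), ("a[k]", a, k), ("a[*]", a)."""
    w: set[tuple[str, str]] = set()
    for clause in clauses:
        kind, obj = clause[0], clause[1]
        if kind == "o.f":
            w.add((obj, clause[2]))
        elif kind == "a[k]":
            w.add((obj, f"[{clause[2]}]"))
        elif kind == "o.*":                   # every field, but never allocatedness
            w |= {(o, f) for (o, f) in heap if o == obj and f != ALLOCATED}
        elif kind == "a[*]":
            w |= {(o, f) for (o, f) in heap if o == obj and f.startswith("[")}
    return w

def frame_violations(pre: Heap, post: Heap,
                     allowed: Callable[[str, str], bool]) -> set[tuple[str, str]]:
    """Witnesses (o, f) falsifying (forall o, f :: pre[o, allocated] &&
    !allowed(o, f) ==> pre[o, f] == post[o, f]); unallocated objects are exempt."""
    return {(o, f) for (o, f), v in pre.items()
            if pre.get((o, ALLOCATED)) and not allowed(o, f) and post.get((o, f)) != v}

def method_frame_violations(pre: Heap, post: Heap, clauses: list[tuple]):
    w = expand_modifies(pre, clauses)         # W is evaluated in the prestate
    return frame_violations(pre, post, lambda o, f: (o, f) in w)

def loop_frame_violations(entry: Heap, current: Heap, written: set[str]):
    # Loop framing ranges over field names: f not in W must keep its entry value.
    return frame_violations(entry, current, lambda o, f: f in written)

def cell_set_example():
    """Constructed heaps for Cell.Set with modifies this.* (this = c1): returns
    the violations of a correct body and of one that also writes c2.x."""
    pre: Heap = {("c1", ALLOCATED): True, ("c1", "x"): 0,
                 ("c2", ALLOCATED): True, ("c2", "x"): 5, ("c3", ALLOCATED): False}
    good = {**pre, ("c1", "x"): 7}
    bad = {**good, ("c2", "x"): 8, ("c3", ALLOCATED): True, ("c3", "x"): 1}  # c3 fresh
    return (method_frame_violations(pre, good, [("o.*", "c1")]),
            method_frame_violations(pre, bad, [("o.*", "c1")]))
```

The freshly allocated c3 in the second heap is not reported, because old(Heap[o, allocated]) only constrains objects that existed in the prestate.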
Summary
Verifying object-oriented programs requires one to
• axiomatize the declaration environment
  - to keep enough information around for verification
• decide on a storage model
  - to model updates and framing
• translate the method bodies, paying particular attention to
  - partiality of operations
  - virtual dispatch
  - method and loop frames
