Abstract
Verifying properties of object-oriented software requires a method for handling references in a simple and intuitive way, closely related to how O-O programmers reason about their programs. The method presented here, a Calculus of Object Programs, combines four components: compositional logic, a framework for describing program semantics and proving program properties; negative variables to address the specifics of O-O programming, in particular qualified calls; the alias calculus, which determines whether reference expressions can ever have the same value; and the calculus of object structures, a specification technique for the structures that arise during the execution of an object-oriented program.
The article illustrates the Calculus by proving the standard algorithm for reversing a linked list.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Bornat, R.: Proving pointer programs in Hoare logic. In: Backhouse, R., Oliviera, J. (eds.) MPC ‘00 (Mathematics of Program Construction). Lecture Notes in Computer Science, vol. 1837, pp. 102–126. Springer, Berlin (2000)
Clarke, D., Potter, J., Noble, J.: Ownership types for flexible alias protection. In: OOPSLA 1998. ACM SIGPLAN Notices, vol. 33, no. 10, pp. 48–64 (1998)
Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction of approximations of fixed points. In: POPL 77 (ACM Symposium on Principles of Programming Languages), pp. 232–245 (1997)
Distefano, D., Parkinson, M.: jStar: Towards practical verication for Java. In: OOPSLA ’08, Proceedings of the 23rd ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages and Applications, pp. 213–226 (2008)
ECMA International: Standard ECMA-367: Eiffel: Analysis, Design and Programming Language, 2nd edn. (June 2006), ed. B. Meyer; also International Standards Organization standard ISO/IEC 25436:2006. Text available online at www.ecma-international.org/publications/standards/Ecma-367.htm
Eiffel Software: EiffelStudio documentation (in particular on contract monitoring), at docs.eiffel.com
Hoare, C.A.R.: An axiomatic basis for computer programming. In: Communications of the ACM, vol. 12, no. 10, pp. 576–580 (1969)
Hoare, C.A.R.: Procedures and parameters: An axiomatic approach. In: Engeler, E. (ed.) Symposium on Semantics of Algorithmic Languages. Springer Lecture Notes in Mathematics, vol. 188, pp. 102–116 (1971)
Hoare, C.A.R., He, J.: A trace model for pointers and objects. In: Guerraoui, R. (ed.) ECOOP 1999 (13th European Conference on Object-Oriented Programming). Springer Lecture Notes in Computer Science, vol. 1628, pp. 1–17 (1999)
Kassios, I.: Dynamic frames: support for framing, dependencies and sharing without restrictions. In: Misra, J., Nipkow, T., Sekerinski, E. (eds.) Formal Methods 2006. Lecture Notes in Computer Science, vol. 4085, pp. 268–283. Springer, Berlin (2006)
Leavens, G.T., Baker, A.L., Ruby, C.: Preliminary design of JML: A behavioral interface specification language for Java. In: ACM SIGSOFT Software Engineering Notes, vol. 31, pp. 1–38 (2006), no. 3. Additional JML documentation at www.eecs.ucf.edu/~leavens/JML/
Loginov, A., Reps, T., Sagiv, M.: Automated verification of the Deutsch-Schorr-Waite tree-traversal algorithm. In: Static Analysis Symposium, pp. 261–269 (2006)
Meyer, B.: Object-Oriented Software Construction, 2nd edn. Prentice Hall, New York (1998)
Meyer, B.: Touch of Class: Learning to Program Well, Using Objects and Contracts. Springer, Berlin (2009)
Meyer, B.: Towards a theory and calculus of aliasing. Int. J. Softw. Inform. (July 2011, to appear). Slightly updated version available at se.ethz.ch/~meyer/publications/aliasing/alias-revised.pdf
Meyer, B.: Publish no loop without its invariant. Blog entry at bertrandmeyer.com/2011/05/12/publish-no-loop-without-its-invariant/, 12 May 2011
Meyer, B.: If I’m not pure, at least my functions are. Blog entry at bertrandmeyer.com/2011/07/04/if-im-not-pure-at-least-my-functions-are/, 4 July 2011 (intended as a first step to an actual article on language conventions to specify purity and, more generally, frame properties)
Meyer, B., Kogtenkov, A., Stapf, E.: Avoid a void: The eradication of null dereferencing. In: Jones, C.B., Roscoe, A.W., Wood, K.R. (eds.) Reflections on the Work of C.A.R. Hoare, pp. 189–211. Springer, Berlin (2010)
Morris, J.M.: A general axiom of assignment; Assignment and linked data structure; A proof of the Schorr-Waite algorithm (three articles). In: Broy, M., Schmidt, G. (eds.) Theoretical Foundations of Programming Methodology, Proceedings of the 1981 Marktoberdorf Summer School, pp. 25–61. Reidel, Dordrecht (1982)
Müller, P.: Modular Specification and Verification of Object-Oriented Programs. Springer, Berlin (2002)
Parkinson, M., Bierman, G.: Separation logic and abstraction. In: POPL ‘05 (ACM Symposium on Principles of Programming Languages), January, pp. 247–258 (2005)
Parkinson, M., Bierman, G.: Separation logic, abstraction and inheritance. In: POPL ‘08 (ACM Symposium on Principles of Programming Languages), January, pp. 75–86 (2008)
Polikarpova, N., Furia, C., Meyer, B.: Specifying reusable components. In: Verified Software: Theories, Tools, Experiments (VSTTE ’10), Edinburgh, UK, 16–19 August 2010. Lecture Notes in Computer Science. Springer, Berlin (2010)
Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. In: Logic in Computer Science, 17th Annual IEEE Symposium, pp. 55–74 (2002)
Sagiv, M., Reps, T., Wilhelm, R.: Solving shape-analysis problems in languages with destructive updating. ACM Trans. Program. Lang. Syst. 20(1), 1–50 (1998)
Sagiv, M., Reps, T., Wilhelm, R.: Parametric shape analysis via 3-valued logic. ACM Trans. Program. Lang. Syst. 24(3), 217–298 (2002)
Sagiv, M., et al.: TVLA home page, at www.math.tau.ac.il/~tvla/
Schoeller, B.: Making classes provable through contracts, models and frames. PhD thesis, ETH, Zurich (2007). se.inf.ethz.ch/old/people/schoeller/pdfs/schoeller-diss.pdf
Schoeller, B., Widmer, T., Meyer, B.: Making specifications complete through models. In: Reussner, R., Stafford, J., Szyperski, C. (eds.) Architecting Systems with Trustworthy Components. Lecture Notes in Computer Science. Springer, Berlin (2006)
Tschannen, J., Furia, C.A., Nordio, M., Meyer, B.: Verifying Eiffel programs with Boogie. In: Boogie 2011, First International Workshop on Intermediate Verification Languages, Wroclaw, August 2011 (to appear). See documentation about the EVE project at eve.origo.ethz.ch
van Staden, S., Calcagno, C., Meyer, B.: Verifying executable object-oriented specifications with separation logic. In: ECOOP 2010, 24th European Conference on Object-Oriented Programming, Maribor (Slovenia), 21–25 June 2010. Lecture Notes in Computer Science. Springer, Berlin (2010)
Acknowledgements
The software verification work of the Chair of Software Engineering at ETH Zurich has been supported by a generous grant from the Hasler Foundation as part of the MANCOM program, by several grants from the Swiss National Science Foundation (FNS/SNF), and by two internal research grants (TH-Gesuch, now ETHIIRA) from ETH Zurich. While not directly performed in response to any of these grants, the work reported here would not have been possible without them.
Part of the work was carried out in the Software Engineering Laboratory of ITMO State University in Saint Petersburg, which also provides an excellent environment.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Appendix: Using Negative Variables in Other Semantics
Appendix: Using Negative Variables in Other Semantics
Here is the background for the rules involving negative variables. For the Calculus of Object Programs we only need the rule of compositional logic QC (21), allowing us to prove properties of programs involving qualified routine calls call x . r(l), the central mechanism of object-oriented computation. That rule, however, is a consequence of a more fundamental property, giving the denotational definition of qualified calls:
The two sides of the equality are functions in Object→State→State. The rule states that the effect of calling x . r(l) is obtained by calling r on arguments transposed to the context of the supplier, as expressed by prefixing them by x′, then interpreting the result transposed back to the context of the client, as expressed by prefixing it by x. In this result, no occurrences of x′ will remain as they go away through the rules on negated variables (NEG1 (15) to NP (19)).
Some technical notes on this rule:
-
The value of call r(x′. l) is given by the formula for unqualified calls, which states that call r(l))(σ) is \(\underline{r} (\sigma [r^{\bullet}: l])\). This formula is the basis for the corresponding compositional logic rule UC (11).
-
The rule uses “·” to distribute “.” over a function, viewed as a list of pairs.
-
For a generally applicable form of DC and its unqualified counterpart it is necessary to add to the right side a term that limits the scope of the resulting function to the domain of the original state, getting rid of any temporary associations (affecting for example local variables) that only make sense in the context of the called routine. This restriction is not important for the Calculus of Object Programs.
-
DC is an equation rather than a definition, since in the presence of recursion the right-side expression could expand to an expression that includes an occurrence of the left-side expression. Such fixpoint equations are routine in denotational semantics and the theory handles them properly.
-
The rule does not directly use substitution, although it relies on the semantics of the unqualified call call r(x′. l) which can be defined as \(\underline{r} [r^{\bullet}: l]\) (where, following notations introduced earlier, \(\underline{r}\) is the semantics of the loop body, r • denotes the formal arguments, and e[x:y] denotes substitution of y for x in e).
From this denotational rule we can deduce the axiomatic semantic rule, the object-oriented variant of Hoare’s procedure rule [8]:
where x·e, for a non-reference expression e (here e is P or Q, an assertion, treated as a boolean expression), applies “.” distributively, for example x·(a=b) means x . a=x . b. In the application of this rule, P and Q may contain occurrences of x′; for example the rule enables us to deduce \(\{\mathbf{True}\} \mathbf{call}\, x{\mathrel{\boldsymbol{.}}}\mathit{set\_a} (c) \{x{\mathrel{\boldsymbol{.}}}a = c\}\) from \(\{\mathbf{True}\} \mathbf{call}\, \mathit{set\_a} (c) \{a = x'{\mathrel{\boldsymbol{.}}}c\}\).
To establish this last property, and more generally the antecedent of any application of AC, we use the ordinary Hoare procedure rule for unqualified calls call r(l). Expanding this rule (ignoring recursion) in AC gives us a directly applicable version of AC:
(where the first “·” denotes “.” distributed over the list l of actual arguments). Since the denotational rule DC (37) describes the nature of object-oriented calls at the most fundamental level, we may use it to express properties of such calls in any semantic framework. More generally, let Π be a property of program elements, such that the dot operator “.” distributes over Π. Then we may use the general rule
AC, the axiomatic rule, is just one instance of GC. Another instance appears in the alias calculus article [15], which for the various kinds of instructions i and an arbitrary relation a (a set of pairs of expressions that might become aliased to each other) defines a≫i, the alias relation resulting from executing i in a state where the alias relation was a. The rule for qualified calls (with “·” here denoting “.” distributed over a set of pairs) is
A final example of applying GC is the weakest precondition rule for qualified calls (using i wp Q to denote the weakest precondition guaranteeing that execution of the instruction i will ensure the postcondition Q):
The simplicity of these rules appears to confirm the usefulness of negative variables as a tool for reasoning about object-oriented computations.
Rights and permissions
Copyright information
© 2012 Springer-Verlag London
About this chapter
Cite this chapter
Meyer, B. (2012). Towards a Calculus of Object Programs. In: Breitman, K., Horspool, R. (eds) Patterns, Programming and Everything. Springer, London. https://doi.org/10.1007/978-1-4471-2350-7_8
Download citation
DOI: https://doi.org/10.1007/978-1-4471-2350-7_8
Publisher Name: Springer, London
Print ISBN: 978-1-4471-2349-1
Online ISBN: 978-1-4471-2350-7
eBook Packages: Computer ScienceComputer Science (R0)