Towards a Calculus of Object Programs

Abstract

Verifying properties of object-oriented software requires a method for handling references in a simple and intuitive way, closely related to how O-O programmers reason about their programs. The method presented here, a Calculus of Object Programs, combines four components: compositional logic, a framework for describing program semantics and proving program properties; negative variables to address the specifics of O-O programming, in particular qualified calls; the alias calculus, which determines whether reference expressions can ever have the same value; and the calculus of object structures, a specification technique for the structures that arise during the execution of an object-oriented program.

The article illustrates the Calculus by proving the standard algorithm for reversing a linked list.

Appendix: Using Negative Variables in Other Semantics

Here is the background for the rules involving negative variables. For the Calculus of Object Programs we only need the rule of compositional logic QC (21), allowing us to prove properties of programs involving qualified routine calls call x . r(l), the central mechanism of object-oriented computation. That rule, however, is a consequence of a more fundamental property, giving the denotational definition of qualified calls:

The two sides of the equality are functions in Object→State→State. The rule states that the effect of calling x . r(l) is obtained by calling r on arguments transposed to the context of the supplier, as expressed by prefixing them by x′, then interpreting the result transposed back to the context of the client, as expressed by prefixing it by x. In this result, no occurrences of x′ will remain as they go away through the rules on negated variables (NEG1 (15) to NP (19)).

Some technical notes on this rule:

• The value of call r(x′. l) is given by the formula for unqualified calls, which states that call r(l))(σ) is \(\underline{r} (\sigma [r^{\bullet}: l])\). This formula is the basis for the corresponding compositional logic rule UC (11).

• The rule uses “·” to distribute “.” over a function, viewed as a list of pairs.

• For a generally applicable form of DC and its unqualified counterpart it is necessary to add to the right side a term that limits the scope of the resulting function to the domain of the original state, getting rid of any temporary associations (affecting for example local variables) that only make sense in the context of the called routine. This restriction is not important for the Calculus of Object Programs.

• DC is an equation rather than a definition, since in the presence of recursion the right-side expression could expand to an expression that includes an occurrence of the left-side expression. Such fixpoint equations are routine in denotational semantics and the theory handles them properly.

• The rule does not directly use substitution, although it relies on the semantics of the unqualified call call r(x′. l) which can be defined as \(\underline{r} [r^{\bullet}: l]\) (where, following notations introduced earlier, \(\underline{r}\) is the semantics of the loop body, r ^• denotes the formal arguments, and e[x:y] denotes substitution of y for x in e).

From this denotational rule we can deduce the axiomatic semantic rule, the object-oriented variant of Hoare’s procedure rule [8]:

where x·e, for a non-reference expression e (here e is P or Q, an assertion, treated as a boolean expression), applies “.” distributively, for example x·(a=b) means x . a=x . b. In the application of this rule, P and Q may contain occurrences of x′; for example the rule enables us to deduce \(\{\mathbf{True}\} \mathbf{call}\, x{\mathrel{\boldsymbol{.}}}\mathit{set\_a} (c) \{x{\mathrel{\boldsymbol{.}}}a = c\}\) from \(\{\mathbf{True}\} \mathbf{call}\, \mathit{set\_a} (c) \{a = x'{\mathrel{\boldsymbol{.}}}c\}\).

To establish this last property, and more generally the antecedent of any application of AC, we use the ordinary Hoare procedure rule for unqualified calls call r(l). Expanding this rule (ignoring recursion) in AC gives us a directly applicable version of AC:

(where the first “·” denotes “.” distributed over the list l of actual arguments). Since the denotational rule DC (37) describes the nature of object-oriented calls at the most fundamental level, we may use it to express properties of such calls in any semantic framework. More generally, let Π be a property of program elements, such that the dot operator “.” distributes over Π. Then we may use the general rule

AC, the axiomatic rule, is just one instance of GC. Another instance appears in the alias calculus article [15], which for the various kinds of instructions i and an arbitrary relation a (a set of pairs of expressions that might become aliased to each other) defines a≫i, the alias relation resulting from executing i in a state where the alias relation was a. The rule for qualified calls (with “·” here denoting “.” distributed over a set of pairs) is

A final example of applying GC is the weakest precondition rule for qualified calls (using i wp Q to denote the weakest precondition guaranteeing that execution of the instruction i will ensure the postcondition Q):

The simplicity of these rules appears to confirm the usefulness of negative variables as a tool for reasoning about object-oriented computations.