1 / 22

Model Programs for Preserving Composite Invariants

A solution using JML model programs for specifying and verifying invariants in composite objects, based on a grey-box approach. Supported by US NSF grants CNS-06-27354 and CNS-08-0891.

fennell
Download Presentation

Model Programs for Preserving Composite Invariants

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model Programs for Preserving CompositeInvariants SAVCBS 2008 Challenge Problem Solution by Steve Shaner, Hridesh Rajan, Gary T. LeavensIowa State and University of Central FloridaSupport from US NSF grants CNS-06-27354 and CNS-08-0891

  2. Summary Problem • Specify and verify invariants for composite, which extend outside an object. Approach: JML model programs • Grey-box [Büchi-Weck97,99] specification • Verification modular by: • Copy rule / substitution [Morgan88] • Structurally-restricted refinement Contribution • Exposes only code for maintaining invariant

  3. Grey-Box (Ref. Calc.) Approach[Büchi–Weck97, 99] c.count++ lnr.actionPerformed() Pre vs. Post c.count == 0 c.count > 0 lnr.actionPerformed()

  4. Grey-Box Specifications in JML[Shaner-Leavens-Naumann07] c.count == 0 c.count > 0 lnr.actionPerformed() Specification Code /*@ normal_behavior@ requiresc.count == 0;@ensuresc.count > 0;@*/ lnr.actionPerformed(); /*@ refining @ normal_behavior@ requiresc.count == 0;@ensuresc.count > 0;@*/{ c.count++; } lnr.actionPerformed();

  5. Soundness of JML’s Approach [Shaner-Leavens-Naumann07] Structural Refinement: • Exposed code appears exactly as shown • Specification statements refinedby refining statements • Cannot call methods with exposed calls Behavioral Subtyping: • Overriding methods must structurally refine

  6. Composite Design Pattern Component parent total Composite components[]count addComponent(Component)

  7. Sample Assertion to Prove Composite root = new Composite(); Composite child = new Composite(); Component comp = new Component(); //@ assumeroot.total == 1 && child.total == 1;//@ assumecomp.total == 1; //@ assumeroot.parent == null && child.parent == null; //@ assumecomp.parent == null; root.addComponent(child); child.addComponent(comp); //@ assertroot.total == 3;

  8. Specification of Component class Component { protected/*@ spec_public nullable @*/ Composite parent; protected/*@ spec_public @*/ int total = 1; //@ protected invariant 1 <= total; }

  9. Specification of Composite(Data and Invariant) class Composite extends Component { private/*@ spec_public @*/ Component[] components = new Component[5]; private/*@ spec_public @*/ int count = 0; /*@ protected invariant @ total== 1 + (\sum inti; @ 0 <= i && i < count; @ components[i].total); @*/

  10. Composite’s Specification (addComponent) /*@ public model_program{ normal_behavior requiresc != this && c.parent == null; assignablethis.components; ensuresthis.components.length > this.count; normal_behavior assignablec.parent, this.objectState; ensuresc.parent == this; ensuresthis.hasComponent(c); this.addToTotal(c.total); } @*/public void addComponent(Component c)

  11. Composite’s Specification (addToTotal) /*@ private model_program{ normal_behavior requires0 <= p; assignablethis.total; ensuresthis.total == \old(this.total) + p; Component aParent = this.parent;while (aParent != null) { normal_behavior assignableaParent.total, aParent; ensuresaParent.total == \old(aParent.total) + p; ensuresaParent == \old(aParent.parent);} } @*/private /*@ helper @*/ voidaddToTotal(intp)

  12. Verification Using Copy Rule [Morgan88] To verify method call: • Substitute model program specification • Replace formals with actuals • Avoid capture Usual rules for other statements

  13. Rule for Method Calls(Copy Rule + Substitution) specFor(T’, m) = mp(S’), methType(T’, m) = y:U -> void, this:T’, z:U |-S’, T ≤ T’,S’ doesn’t assign to y,S = S’ [x,z/this,y], Γ, x:T’ |- P { S } Q Γ, x:T |- P && x instanceofT’{ x.m(z); } Q

  14. Verification of Sample Composite root = new Composite(); Composite child = new Composite(); Component comp = new Component(); //@ assumeroot.total == 1 && child.total == 1;//@ assumecomp.total == 1; //@ assumeroot.parent == null && child.parent == null; //@ assumecomp.parent == null; root.addComponent(child); child.addComponent(comp); //@ assertroot.total == 3;

  15. Copy Rule Applied root.addComponent(child);  normal_behavior requireschild != root && child.parent == null; assignableroot.components; ensuresroot.components.length > root.count; normal_behavior assignablechild.parent, root.objectState; ensureschild.parent == root; ensuresroot.hasComponent(child); root.addToTotal(child.total);

  16. Copy Rule Applied root.addToTotal(child.total);  { normal_behavior requires0 <= child.total; assignableroot.total; ensuresroot.total == \old(root.total) + child.total; Component aParent = root.parent;while (aParent != null) { normal_behavior assignableaParent.total, aParent; ensuresaParent.total == \old(aParent.total) + child.total; ensuresaParent == \old(aParent.parent);} }

  17. Discussion Argument exposure in invariant: • Exposed code shows how total is updated • Precondition of addComponent==> no cycles • Special case of visibility technique Subtypes and overriding methods: • Inherit model program specifications • So implementations must refine Subtypes and new methods: • Inherit invariant • Must not make cycles (not specified!)

  18. Conclusions • Simple specification technique • Exposing code needed for invariant • Hiding rest of the code • Simple verification technique • Copy rule • Limited depth of recursion can be handled

  19. Questions? jmlspecs.org Thanks to David Naumann.

  20. Other Solutions Hallstrom and Soundarajan: • Requires calls to operation()like our calls to addToTotal() • Can’t specify states in which calls made • other specs like JML’s history constraints • More sophisticated mathematics

  21. Other Solutions Bierhoff and Aldrich: • Abstraction of functional behavior • Careful treatment of aliasing issues

  22. Other Solutions Jacobs, Smans, Piessens: • Doesn’t expose any code • More mathematically sophisticated • Specifies effects on parents using context • Only treats binary trees

More Related