An Object-Oriented Dynamic Logic with Updates
André Platzer
University of Karlsruhe
André Platzer. ODL Updates – p.1/29

Motivation
(nested boxes: WHILE inside ODL inside Java Card DL)
• Java Card DL
  ◮ ODL
    ◮ WHILE

Overview
• What's an Object-Oriented Dynamic Logic (ODL)
• Objective
• The language ODL
• Java → ODL
• Calculus
• Summary

Object-Oriented DL
• ODL is a dynamic logic.
• "Natural" representation of OOP.
• ODL only contains essentials of OO.

Objective
• Characterise logical essentials of OO.
• Simple proofs within calculus and about calculus.
• Prove sound & rel. complete.
• Theoretical foundation of KeY and updates. KeY completeness?

The Language ODL
• Type-lattice with integers Z
• Formulas φ
  ◮ ¬, ∧, ∨, →, ↔, ∃, ∀, ≐
  ◮ [α]φ, ⟨α⟩φ
  ◮ if φ then s else t fi, t instanceof C
• Programs α
  ◮ f(t) := s (also simultaneous)
  ◮ if(φ) {α} else {γ}, while(φ) {α}, α;γ

Java → ODL: software-engineering features to ignore
• Coupling of state and behaviour
• Encapsulation
• Information hiding & visibility

Java → ODL: non-essentials to discard
• Inner classes
• Field overriding
• Associations
• Events
• Side-effects & evaluation order
• Exceptions
Simple translation ⇒ syntactic sugar

Java → ODL: essentials to dispose
• Implementation inheritance
• Object creation
• Dynamic dispatch & polymorphism
Simple translation ⇒ syntactic sugar

Java ≈ ODL: features to keep
• Field access (functions)
• Subtyping (≠ inheritance)
≈ "object = state + behaviour", especially
  ◮ Modifiable state
  ◮ Dynamic types

Java → ODL (create)
Object creation has to support
• Dynamic type checks
• Object identity "new ≠ new"
• Extension for varying domain
• Ex: x := new C()  ⇝  x := obj_C(next_C), next_C := next_C + 1

Calculus: object creation
• Dynamic type checks
    obj_A(n) instanceof C = true   ⇐ A subtype of C
    obj_A(n) instanceof C = false  otherwise
• Ex: obj_Car(n) instanceof Vehicle = true
      obj_Vehicle(k) instanceof Car = false
      f(a) instanceof Car = ?

Calculus: object creation
• Object identity "new ≠ new"
    Γ, i ≠ j ⊢ Δ, obj_C(i) ≠ obj_C(j)
• Ex: x := new C(); y := new C(); if (x ≐ y) {α} else {γ}
    ⇝ x := obj_C(1); y := obj_C(2); if (obj_C(1) ≐ obj_C(2)) {α} else {γ}   (1 ≠ 2)
    ⇝ γ

Calculus: object creation
• Extension for varying domain
    ∀n (n < next_C → φ(obj_C(n)))
  "All objects created so far satisfy φ"

Example: updates
    ⟨f(s) := t⟩ g(f(s))
  ⇝ g(⟨f(s) := t⟩ f(s))
  ⇝ g(t)

Example: updates (alias)
    ⟨f(s) := t⟩ g(f(r))
  ⇝ g(⟨f(s) := t⟩ f(r))
  ⇝ g(if s ≐ r then t else f(r) fi)
  ⇝ (s ≐ r → g(t)) ∧ (s ≠ r → g(f(r)))

Calculus: updates
• update (match)
    ⟨f(s) := t⟩ f(u)  ⇝  if s ≐ ⟨f(s) := t⟩u then t else f(⟨f(s) := t⟩u) fi
• conditional term split
    Γ ⊢ Δ, (e → φ(s)) ∧ (¬e → φ(t))
    ───────────────────────────────
    Γ ⊢ Δ, φ(if e then s else t fi)
  (admissible)

Relative Completeness
• Arithmetic is incomplete.
• How much worse is ODL calculus?
• Relatively complete: ≈ "in addition to domain of computation, program verification calculus ODL is complete"
⇒ KeY is relatively complete, "suitable" Java transformations provided.

Summary
• ODL is an object-oriented dynamic logic.
• ODL only contains essentials of OO.
• "Natural" translation Java → ODL.
• Updates for object aliasing.
• Calculus is sound.
  ◮ Plan: prove calculus rel. complete.

Repository
• The end of the presentation

Terminology: Admissible
• [s ↦ t] is admissible for φ :⇔ s, t do not trespass modalities for which they are not rigid during the formation of φ[s ↦ t].
• Wary substitution works like [s ↦ t] but quits in front of modalities for which s or t are not rigid.

Java → ODL (throw) (I)
    try {
        while (x >= y) {
            x = x - y;
            if (no progress) { throw new DivByZero(x, y); }
            z = z + 1;
        }
    } catch (DivByZero r) { h }

Java → ODL (throw) (II)
    while (e == null && x >= y) {
        x = x - y;
        if (no progress) { e = new DivByZero(x, y); }
        if (e == null) { z = z + 1; }
    }
    if (e instanceof DivByZero) { h } else { ... }

Java → ODL (dispatch)
• C extends B
• C and B provide m(String arg)
• Transformation of x.m(arg):
    if (x instanceof C) {
        ((C) x).m(arg);
    } else if (x instanceof B) {
        ((B) x).m(arg);
    }

Example: updates (alias)
    ⟨f(s) := t⟩ g(f(r))
  ⇝ g(⟨f(s) := t⟩ f(r))
  ⇝ g(if s ≐ ⟨f(s) := t⟩r then t else f(⟨f(s) := t⟩r) fi)
  ⇝ g(if s ≐ r then t else f(r) fi)
  ⇝ (s ≐ r → g(t)) ∧ (s ≠ r → g(f(r)))

Example: updates
    ⟨f(s) := s⟩ g(f(f(r)))
  ⇝ g(⟨f(s) := s⟩ f(f(r)))
  ⇝ g(if s ≐ ⟨f(s) := s⟩f(r) then s else f(⟨f(s) := s⟩f(r)) fi)
  ⇝ g(if s ≐ (if s ≐ ⟨f(s) := s⟩r then s else f(⟨f(s) := s⟩r) fi)
       then s
       else f(if s ≐ ⟨f(s) := s⟩r then s else f(⟨f(s) := s⟩r) fi) fi)
  ⇝ g(if s ≐ (if s ≐ r then s else f(r) fi)
       then s
       else f(if s ≐ r then s else f(r) fi) fi)
  ⇝ (s ≐ r → g(if s ≐ s then s else f(s) fi)) ∧ (s ≠ r → g(if s ≐ f(r) then s else f(f(r)) fi))
  ⇝ (s ≐ r → g(s)) ∧ (s ≠ r → g(if s ≐ f(r) then s else f(f(r)) fi))

Example: updates (quick)
    ⟨f(s) := s⟩ g(f(f(s)))
  ⇝ g(⟨f(s) := s⟩ f(f(s)))
  ⇝ g(if s ≐ ⟨f(s) := s⟩f(s) then s else f(⟨f(s) := s⟩f(s)) fi)
  ⇝ g(if s ≐ (if s ≐ ⟨f(s) := s⟩s then s else f(⟨f(s) := s⟩s) fi)
       then s
       else f(if s ≐ ⟨f(s) := s⟩s then s else f(⟨f(s) := s⟩s) fi) fi)
  ⇝ g(if s ≐ s then s else f(s) fi)
  ⇝ g(s)

Calculus: update promotion
• update (match)
    ⟨f(s) := t⟩ f(u)  ⇝  if s ≐ ⟨f(s) := t⟩u then t else f(⟨f(s) := t⟩u) fi
• update (promote)
    ⟨f(s) := t⟩ Υ(u)  ⇝  Υ(⟨f(s) := t⟩u)   ⇐ f ≠ Υ

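Added example, not part of the slides or of KeY/ODL: the update (match) and update (promote) rules from the calculus slides as a small term rewriter, reproducing the alias, nested and "quick" examples above. It assumes unary non-rigid functions (as in the slides) and uses syntactic identity of terms as the shortcut for the trivially true test s ≐ s, which is what collapses the quick example to g(s).

```python
# Term shapes (constructed for this example):
#   ('var', name)                   rigid variable or constant
#   ('app', fname, (args...))       non-rigid function application
#   ('ite', (lhs, rhs), a, b)       if lhs ≐ rhs then a else b fi

def var(name):
    return ('var', name)
def app(fname, *args):
    return ('app', fname, tuple(args))
def ite(lhs, rhs, then_t, else_t):
    return ('ite', (lhs, rhs), then_t, else_t)

def apply_update(f, s, t, u):
    """Compute <f(s) := t> u.  Assumes s, t are update-free and f is unary."""
    kind = u[0]
    if kind == 'var':                      # rigid symbols are unaffected
        return u
    if kind == 'ite':                      # push the update into all sub-terms
        (lhs, rhs), a, b = u[1], u[2], u[3]
        upd = lambda x: apply_update(f, s, t, x)
        return ite(upd(lhs), upd(rhs), upd(a), upd(b))
    g, args = u[1], tuple(apply_update(f, s, t, a) for a in u[2])
    if g != f:                             # update (promote): g ≠ f
        return app(g, *args)
    assert len(args) == 1, "slides use unary f"
    arg = args[0]
    if arg == s:                           # s ≐ s holds syntactically ("quick" case)
        return t
    return ite(s, arg, t, app(f, arg))     # update (match): aliasing decided in the proof

def show(u):
    """Render a term in the slides' if-then-else-fi notation."""
    kind = u[0]
    if kind == 'var':
        return u[1]
    if kind == 'app':
        return f"{u[1]}({', '.join(show(a) for a in u[2])})"
    (lhs, rhs), a, b = u[1], u[2], u[3]
    return f"if {show(lhs)} ≐ {show(rhs)} then {show(a)} else {show(b)} fi"

S, T, R = var('s'), var('t'), var('r')
ALIAS = apply_update('f', S, T, app('g', app('f', R)))             # <f(s):=t> g(f(r))
NESTED = apply_update('f', S, S, app('g', app('f', app('f', R))))  # <f(s):=s> g(f(f(r)))
QUICK = apply_update('f', S, S, app('g', app('f', app('f', S))))   # <f(s):=s> g(f(f(s)))

if __name__ == '__main__':
    for term in (ALIAS, NESTED, QUICK):
        print(show(term))
```

The conditional-term split into (s ≐ r → ...) ∧ (s ≠ r → ...) is a proof rule on formulas and is left to the prover; the rewriter stops at the conditional term.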