To Be or Not To Be Created Abstract Object Creation in Dynamic Logic - PowerPoint PPT Presentation

To Be or Not To Be Created Abstract Object Creation in Dynamic Logic Wolfgang Ahrendt 1 Frank S. de Boer 2 Immo Grabe 3 1 Chalmers University, G¨ oteborg, Sweden 2 CWI, Amsterdam, The Netherlands 3 Christian-Albrechts-University Kiel, Germany Tallinn, 22/08/2012 Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Part I Motivation and Outline Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Modeling Object Creation in Program Logics Object-oriented programming languages (like Java): ◮ high-level way of creating objects ◮ abstract away from memory allocation ◮ programmer has no access to non-created (pre-)objects This abstraction not matched by program logics: ◮ constant domain assumption ◮ non-created objects included in quantification ◮ additional artifacts (ghost fields) to distinguish created objects ◮ consistency conditions on reachable states Because of mismatch: ◮ logics loose full abstraction property ◮ additional complexity in formulas and proofs ◮ symbolic state bloated by createdness information Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Approach Taken ◮ a logic that can only ‘talk about’ created objects ◮ problem: calculus cannot ‘substitute’ new objects into pre-conditions ◮ solution: non-standard substitution using meta-knowledge about ‘newness’ ◮ carry over to symbolic execution paradigm Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Simplifications for Presentation ◮ we examine object creation in simplified setting ◮ simplifications orthogonal to object creation ◮ scalable to full languages with abstract object creation Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Part II Syntax and Semantics Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

A Simple Object-Oriented While Language ◮ only one class: Object ◮ 3 types: Object, Integer, Boolean ◮ no methods ◮ variables (e.g. u , v , w ) distinct from fields (e.g. x , y , z ) statements: s ::= while e do s od | s 1 ; s 2 | u := e | e 1 . x := e 2 | u := new expressions: e ::= u | e . x | null | e 1 = e 2 | op ( e 1 , ..., e n ) to separate issues object creation and aliasing: ◮ no native statement e . x := new ◮ can be simulated by u := new; e . x := u ( u fresh) Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Hoare Logic dynamic logic (DL) + updates ◮ DL extends FOL by Hoare logic modalities ◮ { φ } p { ψ } [ p ] ψ , � p � ψ ◮ backward calculus: ◮ we add an “update” { φ } p { ψ e x } modality: { x := e } φ { φ } p ; x := e { ψ } (explicit substitution) ◮ forward calculus: Γ ⊢ { x := e } [ p ] ψ Γ ⊢ [ x := e ; p ] ψ Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

The Logic: Dynamic Logic with Updates ◮ expressions e , {U} e ◮ logical connectives ∧ , ∨ , → , ¬ ◮ quantified formulas ∀ l .φ , ∃ l .φ ◮ modal formulas (base cases): � s � φ , [ s ] φ , {U} φ ◮ U update of form: ◮ u := e ◮ e 1 . x := e 2 ◮ u := new Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Semantics informal in this talk ◮ [ [ u := new] ] σ : create new object and assign it to u ◮ [ [ e ] ] σ ∈ set of objects existing in σ ◮ [ [ ∀ o .φ ] ] σ : φ holds for all objects existing in σ ◮ [ [ ∃ o .φ ] ] σ : φ holds for some object existing in σ e , o of type Object examples: ∀ o . � u := new �¬ ( u = o ) true in all states � u := new �∀ o . ¬ ( u = o ) false in all states Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Part III Calculus Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Dynamic Logic Rules � s 1 �� s 2 � φ ( e →� s 1 � φ ) ∧ ( ¬ e →� s 2 � φ ) split if � s 1 ; s 2 � φ � if e then s 1 else s 2 fi � φ � if e then s ; while e do s od else skip fi � φ unwind � while e do s od � φ { u := e } φ { e 1 . x := e 2 } φ assignVar assignField � u := e � φ � e 1 . x := e 2 � φ { u := new } φ createObj � u := new � φ Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Update Application Rule for certain formulas {U} φ , and expressions {U} e , the U can be ‘applied’ (resolved) using rewrite relation � following slides: big-step definition of � Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Part IV Update Application Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Update Application: Standard Cases I ¬{U} φ � φ ′ {U} φ 1 ∗ {U} φ 2 � φ ′ {U} ( ¬ φ ) � φ ′ {U} ( φ 1 ∗ φ 2 ) � φ ′ with ∗ ∈ {∧ , ∨ , →} op ( {U} e 1 , ..., {U} e n ) � e ′ {U} α � α with α ∈ { true , false , null , l } {U} op ( e 1 , ..., e n ) � e ′ this slide: U matches all updates Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Update Application: Standard Cases II { u := e } u � e { u := e } v � v ( { u := e 1 } e 2 ) . x � e ′ { u := e 1 } ( e 2 . x ) � e ′ u �≡ v ( ( { e . x := e 1 } e 2 ) = e ? e 1 : ( { e . x := e 1 } e 2 ) . x ) � e ′ { e . x := e 1 } ( e 2 . x ) � e ′ ( { e . x := e 1 } e 2 ) . y � e ′ { e . x := e 1 } ( e 2 . y ) � e ′ x �≡ y Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Update Application: Restricted Standard Cases The standard rules for quantifiers and equality are restricted to non-creating updates U nc of the forms ‘ u := e ’ , ‘ e 1 . x := e 2 ’ . ( ‘ u := new’ excluded from these rules.) ∀ l . {U nc } φ � φ ′ {U nc } ( ∀ l . φ ) � φ ′ ∃ l . {U nc } φ � φ ′ {U nc } ( ∃ l . φ ) � φ ′ {U nc } e 1 = {U nc } e 2 � e ′ {U nc } ( e 1 = e 2 ) � e ′ Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Object Creating Updates: the Issue note: ◮ ‘ {U} φ ’ is the (explicit) weakest precondition wp ( U , φ ) problem: ◮ result of { u := new } φ , i.e., wp ( { u := new } , φ ), cannot talk about the new object because it does not exist in pre-state ◮ in particular: { u := new } u � ? basic approach: ◮ totally avoid ‘ { u := new } u ’ ◮ observation: the only operations on objects are ◮ de-referencing fields ◮ test for equality ◮ quantification ◮ in all cases, wp computation can employ meta knowledge Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Object Creating Update Application: Field Access ( { u := new } e ) . x � e ′ { u := new } ( e . x ) � e ′ e �≡ u { u := new } u . x � init T ( x ) init T ( x ) ≡ null | 0 | false Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Object Creating Update Application: Equality ( { u := new } e 1 ) = ( { u := new } e 2 ) � e ′ { u := new } ( e 1 = e 2 ) � e ′ e 1 �≡ u , e 2 �≡ u { u := new } ( u = e ) � false e �≡ u { u := new } ( u = u ) � true Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Object Creating Update Application: Quantifiers ( { u := new } φ ( u )) ∧ ∀ o . ( { u := new } φ ( o )) � φ ′ { u := new }∀ o .φ ( o ) � φ ′ ( { u := new } φ ( u )) ∨ ∃ o . ( { u := new } φ ( o )) � φ ′ { u := new }∃ o .φ ( o ) � φ ′ Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Example Proof 1 ∗ closeFalse false = ⇒ notRight = ⇒ ¬ false � = ⇒ { u := new }¬ ( u = c ) assignVar = ⇒ � u := new �¬ ( u = c ) allRight = ⇒ ∀ o . � u := new �¬ ( u = o ) Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Example Proof 2 ∗ closeTrue ∀ o . ¬ false = ⇒ true notLeft ¬ true , ∀ o . ¬ false = ⇒ andLeft ¬ true ∧ ∀ o . ¬ false = ⇒ � { u := new }∀ o . ¬ ( u = o ) = ⇒ assignVar � u := new �∀ o . ¬ ( u = o )) = ⇒ notRight = ⇒ ¬� u := new �∀ o . ¬ ( u = o ) Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

(applyUpd step in Example Proof 2) { u := new } ( u = o ) � false { u := new } ( u = u ) � true { u := new }¬ ( u = o ) � ¬ false { u := new }¬ ( u = u ) � ¬ true ∀ o . { u := new }¬ ( u = o ) � ∀ o . ¬ false { u := new }¬ ( u = u ) ∧ ∀ o . { u := new }¬ ( u = o ) � ¬ true ∧ ∀ o . ¬ false { u := new }∀ o . ¬ ( u = o ) � ¬ true ∧ ∀ o . ¬ false Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

Part V Abstract Object Creation in Symbolic Execution Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created

KeY-style Symbolic Execution up to here, backwards reasoning only KeY approach: forward symbolic execution using update parallelisation * close u < v = ⇒ u < v applyUpd u < v = ⇒ { w := u | u := v | v := u } v < u mergeUpd u < v = ⇒ { w := u | u := v }{ v := w } v < u assignVar u < v = ⇒ { w := u | u := v }� v := w � v < u mergeUpd,assignVar u < v = ⇒ { w := u }{ u := v }� v := w � v < u split,assignVar u < v = ⇒ { w := u }� u := v ; v := w � v < u split,assignVar u < v = ⇒ � w := u ; u := v ; v := w � v < u Wolfgang Ahrendt, Frank S. de Boer, Immo Grabe To Be or Not To Be Created