Omnibus

1
Omnibus
Department of Computing Science and Mathematics

• Supporting software component reuse through
  Contracts and Certificates

Thomas Wilson
2
Structure of the presentation

• Four parts
• State of the art
• Omnibus My approach
• Translation of a simple Omnibus example
• Requirements verification in Omnibus

3
State of practice for reuse

• Different reuse technologies
• Java, JavaBeans, Enterprise JavaBeans
• CORBA, COM, EiffelCOM
• .NET
• ActiveX
• All based upon the same principles

4
Reuse in Java
Component
Interface
Interface documentation
Type signature interface
Client
Implementation
5
What is needed

• A specification, implementation and verification
  framework which is
• Not unnecessarily complicated to reason about
• Capable of modelling interesting systems
• Accessible to everyday programmers with minimal
  training
• A basis for trust

6
What we have

• Formal methods based research of relevance
• Specification, implementation and verification
  frameworks
• JML (LOOP, Jive, JACK)
• PerfectDeveloper
• B
• RESOLVE
• SPARK
• Trust
• Proof Carrying Code

7
Limitations of what we have

• Language requirements
• (1) Not unnecessarily complicated to reason about
• (2) Capable of modelling interesting systems
• (3) Accessible to everyday programmers with
  minimal training

8
Formal reasoning with Jive

• The following example illustrates the accidental
  difficulties in reasoning with Jive

Jive
9
Omnibus My approach

• Object-Oriented specification, implementation and
  verification framework
• Simple to formally reason about
• Simple to generate Java code from
• Conjectures
• Capable of modelling relatively interesting
  systems
• Relatively accessible to everyday programmers

10
Reuse in Omnibus
Component
Contract
Requirements specification
Certificate
Behaviour specification
Implementation
Client
11
Basics of Omnibus

• Types
• classes, objects, primitive types
• Methods
• constructors, functions, operations
• Requirements
• initials, invariants, constraints ( properties)

12
BankAccount example

• class BankAccount
• attribute balanceinteger
• constructor open()
• ensures balance 0
• operation deposit(amountinteger)
• requires amount gt 0
• changes balance
• ensures balance old balance amount
• operation withdraw(amountinteger)
• requires amount gt 0 balance gt amount
  amount lt 500
• changes balance
• ensures balance old balance - amount
• initial balance 0
• invariant balance gt 0
• constraint balance gt old balance - 500

13
Types

• The Omnibus PVS prelude defines Class and Object
  types and a number of functions relating them
• Class TYPE
• Object TYPE
• classOf Object -gt Class
• valid Object, Class -gt bool

14
Hierarchy of PVS theories

• Each Omnibus class is translated to a hierarchy
  of PVS theories
• Not possible to have a one-to-one translation
  scheme since PVS requires declaration before use
• LOOP, Jive etc have to deal with this too
• Hierarchy
• Type, Signature, Semantics
• Obligations

15
BankAccount Type

• The type file defines the class constant and
  object types
• BankAccountClass Class
• BankAccount TYPE thisObject classOf(this)
  BankAccountClass
• valid(this, BankAccountClass)

16
BankAccount Signature

• The signature file defines the methods in terms
  of the pre- and post-conditions
• BankAccount_balance
• thisBankAccount -gt int
• BankAccount_open_ensures(thisBankAccount)bool
• BankAccount_open
• this BankAccount BankAccount_open_ensures(t
  his)

17
BankAccount Signature (2)

• BankAccount_deposit_requires(thisBankAccount,
  amountint)bool
• BankAccount_deposit_ensures(old_thisBankAccount,
  amountint, thisBankAccount)bool
• BankAccount_deposit
• input input old_thisBankAccount,
  amountint
• BankAccount_deposit_requires(inputold_this,
  inputamount)
• -gt
• this BankAccount
• BankAccount_deposit_ensures(inputold_this,
  inputamount, this)
• BankAccount_withdraw_requires(thisBankAccount,
  amountint)bool
• BankAccount_withdraw_ensures(old_thisBankAccount,
  amountint, thisBankAccount)bool
• BankAccount_withdraw
• input input old_thisBankAccount,
  amountint
• BankAccount_withdraw_requires(inputold_this,
  inputamount)
• -gt
• thisBankAccount
• BankAccount_withdraw_ensures(inputold_this,
  inputamount, this)

18
BankAccount Semantics

• The semantics file axiomatically defines the pre-
  and post-condition predicates
• BankAccount_open_ensures_ax AXIOM FORALL
  (thisBankAccount)
• BankAccount_open_ensures(this)
• gt BankAccount_balance(this) 0

19
BankAccount Semantics (2)

• BankAccount_deposit_requires_ax AXIOM FORALL
  (thisBankAccount), (amountint)
• amount gt 0
• gt BankAccount_deposit_requires(this, amount)
• BankAccount_deposit_ensures_ax AXIOM FORALL
  (old_thisBankAccount),
• (amountint), (thisBankAccount)
• BankAccount_deposit_ensures(old_this, amount,
  this)
• gt BankAccount_balance(this)
  BankAccount_balance(old_this) amount
• BankAccount_withdraw_requires_ax AXIOM FORALL
  (thisBankAccount), (amountint)
• amount gt 0 BankAccount_balance(this) gt
  amount amount lt 500
• gt BankAccount_withdraw_requires(this, amount)
• BankAccount_withdraw_ensures_ax AXIOM FORALL
  (old_thisBankAccount),
• (amountint), (thisBankAccount)
• BankAccount_withdraw_ensures(old_this, amount,
  this)
• gt BankAccount_balance(this)
  BankAccount_balance(old_this) - amount

20
BankAccount Semantics (3)

• It also defines some helper rewrite rules
• BankAccount_open_ax AXIOM FORALL (thisObject)
• this BankAccount_open
• gt
• classOf(this) BankAccountClass
• valid(this, BankAccountClass)
• BankAccount_open_ensures(this)
• BankAccount_inits(this)

21
BankAccount Semantics (4)

• BankAccount_deposit_ax AXIOM FORALL
  (old_thisBankAccount), (amountint),
• (thisObject)
• this BankAccount_deposit( ( old_this
  old_this, amount amount ) )
• gt
• classOf(this) BankAccountClass
• valid(this, BankAccountClass)
• BankAccount_deposit_ensures(old_this, amount,
  this)
• BankAccount_cons(old_this, this)
• BankAccount_withdraw_ax AXIOM FORALL
  (old_thisBankAccount), (amountint),
• (thisObject)
• this BankAccount_withdraw( ( old_this
  old_this, amount amount ) )
• gt
• classOf(this) BankAccountClass
• valid(this, BankAccountClass)
• BankAccount_withdraw_ensures(old_this,
  amount, this)
• BankAccount_cons(old_this, this)

22
BankAccount Tests

• Let us consider some conjectures about
  BankAccounts in Omnibus and PVS
• test tester1 BankAccount.open().balance() 0
• tester1 CONJECTURE
• BankAccount_balance( ( this BankAccount_open
  ) ) 0
• test tester2 BankAccount.open().deposit(50).balan
  ce() 50
• tester2 CONJECTURE
• BankAccount_balance( ( this
• BankAccount_deposit(
• ( old_this BankAccount_open, amount 50
  ) ) ) )
• 50

23
BankAccount Tests (2)

• test tester3 forall thisBankAccount (
• this.deposit(50).balance() this.balance()
  50
• )
• tester3 CONJECTURE FORALL (thisBankAccount)
• BankAccount_balance( ( this
• BankAccount_deposit(
• ( old_this this, amount 50 ) ) ) )
• BankAccount_balance( ( this this ) ) 50

24
Requirements verification

• We also need to verify that the behaviour
  specification satisfies the requirements
• Initials should be established by constructors
• Constraints should hold over operations
• Invariants should be established by constructors
  and maintained by operations
• Proof by induction

25
Constructor checks

• constructor con(params)
• requires pre
• ensures post
• Constructor invariant establishment and initial
  satisfaction check
• forall params, this
• pre(params) post(params, this)
• gt
• init(this) inv(this)

26
Constructor checks example

• constructor open()
• ensures balance 0
• initial balance 0
• invariant balance gt 0
• Constructor invariant establishment and initial
  satisfaction check
• BankAccount_open_check CONJECTURE
• FORALL (thisBankAccount)
• ((TRUE))
• ((BankAccount_balance(this) 0))
• gt
• ((BankAccount_balance(this) 0))
• ((BankAccount_balance(this) gt 0))

27
Operation checks

• operation op(params)
• requires r
• changes c
• ensures e
• let pre r
• let post e ? a ? this.attributes - c (a old
  a)
• Operation invariant maintainment and constraint
  satisfaction law
• forall old_this, params, this
• inv(old_this) pre(old_this, params)
  post(old_this, params, this)
• gt
• inv(this) con(old_this, this)

28
Operation checks example

• operation withdraw(amountinteger)
• requires amount gt 0 balance gt amount
  amount lt 500
• changes balance
• ensures balance old balance - amount
• invariant balance gt 0
• constraint balance gt old balance - amount
• Operation invariant maintainment and constraint
  satisfaction law
• BankAccount_withdraw_check CONJECTURE
• FORALL (old_thisBankAccount), (amountint),
  (thisBankAccount)
• ((BankAccount_balance(old_this) gt 0))
• ((amount gt 0 BankAccount_balance(old_this)
  gt amount amount lt 500))
• ((BankAccount_balance(this)
  BankAccount_balance(old_this) amount))
• gt
• ((BankAccount_balance(this) gt 0))
• ((BankAccount_balance(this) gt
  BankAccount_balance(old_this) 500))

29
Current work

• Formal modelling of inheritance
• Efficient modelling of basic data structures
• Modelling of standard I/O, networking,
  pseudo-random number generation, GUIs
• Implementations and refinement

30
Questions?