Basics of Formal Methods: Sequences - PowerPoint PPT Presentation

Slides: 23
Provided by: chris520
1
Basics of Formal Methods: Sequences
  • Define a model using sequences
  • Use basic sequence operations
  • Compare 3 varieties of collection
  • Value, Object, Equals

2
What is a sequence?
  • An ordered collection of elements
  • Elements may occur several times.
  • A string is a sequence of characters
  • A queue is a sequence of items
  • A list of moves in a game is a sequence
  • An array is a sequence
  • Examples (in mathematical notation)
  • <2001, 2003, 1009, 5000>
  • <the, cat, sat>
  • <cat, the, sat>
  • <<pete, piper>, <jack>, <jill>>

There's a first, a second, ...
Yes, but not sorted
Is this ordered?
3
Using Sequences
  • Modeling a paragraph
  • word: JMLValueSequence containing JMLChar
  • line: JMLValueSequence containing word
  • paragraph: JMLValueSequence containing line
  • Specifying a method
  • requires pos < para.length();
  • ensures \forall (int p; 0<=p && p<para.int_length();
  • para.itemAt(pos).equals(ln) && para.int_length() == \old(para).int_length()
  • && p!=pos ==> para.itemAt(p).equals(para.itemAt(p)));
  • replace(int pos, line ln, paragraph para)

1. When this is true,
2. This must be true
3. To make this true
4. And this must be true
5. So this is true for all p
Must be a pure method
When a is false, a ==> b is true, whatever the value of b

Would the following work?
requires pos < para.length();
ensures para.itemAt(pos).equals(ln) && para.int_length() == \old(para).int_length()
&& \forall (int p; 0<=p && p<para.int_length(); \old(para).itemAt(p).equals(para.itemAt(p)));
replace(int pos, line ln, paragraph para)
4
Sequence Operations
  • int_length()
  • JMLValueSequence.EMPTY.int_length()?
  • t is <23, 44, 42, 1, 99>; t.int_length()?
  • s is <<a,b>, <c,d>, <e,f>>; s.int_length()?
  • Accessing an element
  • sq is <2, 19, 13, 5, 17>
  • sq.itemAt(1)?
  • if i isn't valid,
  • sq(i) throws JMLSequenceException

19
5
Subsequences
  • Sub-sequences
  • s = <a, a, d, c, a, b>
  • // include start, exclude end
  • s.subsequence(0,1) evaluates to ?
  • s.subsequence(0, s.length()) evaluates to ?
  • If i or j is an invalid index or i > j
  • throws JMLSequenceException
  • s(1,1) evaluates to ?

6
Concatenate
  • Examples
  • s is <1, 2, 3> and t is <4, 5, 6>
  • s.concat(t) is <1, 2, 3, 4, 5, 6>
  • May only be used between sequences
  • Concatenating with an empty sequence
  • s is <> and t is <1, 2>
  • s.concat(t) is?
  • t.concat(s) is?

7
Collection Types
  • Java Collections
  • Implement the Collection interface
  • add(), contains(), size(), remove(), iterator()
  • JML Collections
  • Implement JMLCollection interface
  • Pure collection methods
  • size(), int_size(), has(), iterator(),
  • Assumes collections are immutable
  • Can't be changed
  • Essential for a formal condition

Returns \bigint
8
Change with Immutability?
  • In a condition, collections mustn't change
  • JML is used to describe a state
  • Our code changes the state
  • JML describes the new state
  • class Stack {
  • //@ public instance model JMLObjectSequence body;
  • //@ requires body.int_size()>0;
  • /*@ ensures \old(body).trailer().equals(body)
  • && \result == \old(body).first(); @*/
  • Object pop()

A sequence of objects!
Only available to JML expressions
One for each stack
Must be no side effects: \old(body) must mean the same each time; all functions in conditions must be pure
9
Object Collections
  • Contain object references.
  • Don't care about the objects' values
  • reference semantics
  • When inserted, an object is not cloned
  • collection.has uses == to compare objects
  • i.e. objects must be identical to be equal

This is a valid set: unique objects
This is a valid set: unique objects (even though values are duplicated)
cat
dog
cat
10
Value Collection
  • Contain object values.
  • When an object is inserted, it is cloned
  • so the value can't change.
  • collection.has uses the ob.equals
  • To support cloning, elements must implement the JMLType interface.
  • Have to use casts: very messy

This isn't a valid set (values are duplicated)
cat
dog
cat
This is a valid set (no duplicated values)
11
Equal Collection
  • Collections of object references,
  • Use equals method to compare elements.
  • Unsafe, because object values may change outside
    collection.
  • Don't use to relate pre- and post-states of
    methods, unless you know elements.

This isn't a valid set: values are duplicated
This is a valid set: no duplicate values
cat
dog
cat
Can be modified
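
Added example (not from the original slides): the three collection flavours side by side in plain Java, showing why the equals flavour is unsafe when an element changes outside the collection. The Word class and the helper names hasObject, hasEquals and addValue are hypothetical; the JML model classes are not used.

```java
import java.util.ArrayList;
import java.util.List;

public class CollectionFlavours {
    // Hypothetical mutable element type, so a value can change after insertion.
    static final class Word implements Cloneable {
        String text;
        Word(String text) { this.text = text; }
        @Override public boolean equals(Object o) {
            return o instanceof Word && ((Word) o).text.equals(text);
        }
        @Override public int hashCode() { return text.hashCode(); }
        @Override public Word clone() { return new Word(text); }
    }

    // Object flavour: holds references, membership is decided with ==.
    static boolean hasObject(List<Word> c, Word w) {
        for (Word x : c) {
            if (x == w) return true;
        }
        return false;
    }

    // Equals flavour: holds references, membership is decided with equals().
    static boolean hasEquals(List<Word> c, Word w) { return c.contains(w); }

    // Value flavour: the element is cloned on insertion, then compared with equals().
    static void addValue(List<Word> c, Word w) { c.add(w.clone()); }

    public static void main(String[] args) {
        Word cat = new Word("cat");
        List<Word> refs = new ArrayList<>();    // used for the object and equals flavours
        refs.add(cat);
        List<Word> values = new ArrayList<>();  // value flavour
        addValue(values, cat);

        // A second object with the same value: the two reference flavours disagree.
        System.out.println("object has: " + hasObject(refs, new Word("cat")));
        System.out.println("equals has: " + hasEquals(refs, new Word("cat")));

        cat.text = "dog";  // the element is modified outside the collections

        // Same queries after the mutation: only the cloned copy still holds the old value.
        System.out.println("equals has, after change: " + hasEquals(refs, new Word("cat")));
        System.out.println("value has, after change:  " + hasEquals(values, new Word("cat")));
    }
}
```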
12
Documentation: JavaDocs
  • With JML installation

13
Other Sequence Methods
  • JMLValueSequence replaceItemAt(int pos, JMLType item)
  • JMLValueSequence reverse()
  • JMLType toArray()
  • JMLValueSet toSet()
  • JMLType first()
  • JMLValueSequence trailer() (what's left without first)
  • boolean equals(nullable Object obj)

14
Specifying A Stack
  • Informal Operations
  • boolean isEmpty()
  • void push(int v)
  • int pop()
  • Data Model
  • Model by s, a JMLValueSequence of value
  • Operations Functions
  • boolean isEmpty()

requires true
ensures \result == (s.equals(JMLValueSequence.EMPTY));
ensures \result == (s.int_size() == 0);
15
Specifying Operations pop
  • What pre-condition?
  • Which post condition?
  • \result == \old(s).first() && s == \old(s).trailer()
  • \old(s).equals((new JMLValueSequence(\result)).concat(s))
  • \old(s).equals(\result.concat(s))
  • \result == s.itemAt(0) && \old(s).equals(s.trailer())
  • \result == s.itemAt(0) && s == \old(s).trailer()

?
?
?
?
?
16
Messy JML Issues
  • JML doesn't have templates/generics
  • JML based on Java 1.4 (1.5 has generics)
  • Value collection items implement JMLType
  • Constantly casting & converting
  • Usually use .equals to compare variables
  • Variables are pointers to object
  • a==b true if & only if a & b point to same object
  • a.equals(b) true iff a & b point to same value

Mathematical abbreviation for if and only if
17
Specifying Operations pop
  • Exceptions can be used to indicate errors
  • public normal_behavior
  • requires s.length() > 0;
  • ensures \result.equals(\old(s).first())
  • && s.equals(\old(s).trailer());
  • also
  • public exceptional_behavior
  • requires s.length() == 0;
  • signals (EMPTYSTACK b) s.equals(\old(s));
  • int pop()

Error condition
Error post-condition
Exception class name
The exception object so you can constrain its
values
18
Stack Interface 1
Explain this
  • //@ model import org.jmlspecs.models.*;
  • public interface StackInterface {
  • //@ public instance model JMLObjectSequence body;
  • // ensures \result == (body.int_size()==0);
  • //@ modifies \nothing;
  • //@ ensures \result == body.equals(JMLObjectSequence.EMPTY);
  • boolean isEmpty();
  • //@ public normal_behavior
  • //@ modifies body;
  • //@ ensures body.equals(\old(body).insertFront(item));
  • void push(Object item);

19
Stack Interface 2
  • //_at_ public normal_behavior
  • //@ requires body.int_size()>0;
  • //@ modifies body;
  • //@ ensures \old(body).equals(body.insertFront(\result));
  • //@ also
  • //@ public exceptional_behavior
  • //@ requires body.int_size()==0;
  • //@ modifies \nothing;
  • //@ signals (Exception b) b.getMessage().equals(?");
  • Object pop()

20
Stack Implementation
  • public class Stack implements StackInterface {
  • Vector theBody = new Vector();
  • //@ private represents body <- toJMLSeq();
  • public /*@ pure @*/ JMLObjectSequence toJMLSeq() {
  • JMLObjectSequence res = new JMLObjectSequence();
  • for (int i=0; i < theBody.size(); i++)
  • res = res.insertBack(theBody.get(i));
  • return res;
  • }
  • public Stack()

21
Stack Implementation 2
  • public boolean isEmpty() {
  • return theBody.isEmpty(); }
  • public void push(Object item) {
  • theBody.add(0, item); }
  • public Object pop() {
  • Object res = theBody.remove(0);
  • res = new Integer(10);
  • return res; }
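
Added example (not from the original slides): the pop() contract from the Stack Interface slides checked by hand at run time in plain Java, applied to a correct pop() and to the pop() shown above that overwrites its result. The names PopContractCheck, model, popImpl, sameReferences and BuggyStack, and the use of IllegalStateException for the empty case, are assumptions; the JML tools are not used.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Vector;

public class PopContractCheck {
    static class Stack {
        protected final Vector<Object> theBody = new Vector<>();
        // Snapshot standing in for the model field `body` (the role of toJMLSeq()).
        List<Object> model() { return new ArrayList<>(theBody); }
        void push(Object item) { theBody.add(0, item); }
        Object popImpl() { return theBody.remove(0); }
        // pop() wrapped in the pre-state and post-state checks of its contract.
        final Object pop() {
            List<Object> old = model();                       // \old(body)
            if (old.isEmpty()) throw new IllegalStateException("empty stack");
            Object result = popImpl();
            List<Object> rebuilt = model();
            rebuilt.add(0, result);                           // body.insertFront(\result)
            if (!sameReferences(old, rebuilt))
                throw new AssertionError("pop() post-condition violated");
            return result;
        }
    }
    // An object sequence compares elements by reference, so == is used here.
    static boolean sameReferences(List<Object> a, List<Object> b) {
        if (a.size() != b.size()) return false;
        for (int i = 0; i < a.size(); i++) {
            if (a.get(i) != b.get(i)) return false;
        }
        return true;
    }
    // pop() as written on the "Stack Implementation 2" slide.
    static class BuggyStack extends Stack {
        @Override Object popImpl() {
            Object res = theBody.remove(0);
            res = Integer.valueOf(10);  // the slide writes new Integer(10)
            return res;
        }
    }
    public static void main(String[] args) {
        Stack good = new Stack();
        good.push("a"); good.push("b");
        System.out.println("good pop: " + good.pop());
        Stack bad = new BuggyStack();
        bad.push("a"); bad.push("b");
        try { bad.pop(); }
        catch (AssertionError e) { System.out.println("bad pop: " + e.getMessage()); }
    }
}
```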

22
Summary
  • JML Collections
  • Set, Bag, Sequence
  • 3 flavours of each: value, object, equals
  • Sequence
  • Ordered collection of elements
  • Models list, array, streams, files, strings
  • JML models represent math concepts
  • Like a class library
  • Some methods are executable: used in RAC
  • Don't forget to use .equals() to compare