Going beyond a basic ownership system in Spec# - PowerPoint PPT Presentation

Description: ESF workshop on Java program verification, Nijmegen, NL, 18 Oct 2006. Slides on object invariants in Spec#.

Transcript and Presenter's Notes

1
Going beyond a basic ownership system in Spec#
  • K. Rustan M. Leino, Microsoft Research, Redmond, WA
  • Joint work with Peter Müller and Angela Wallenburg

ESF workshop on Java program verification,
Nijmegen, NL, 18 Oct 2006
2
Object invariants
  • 0. Simple objects
  • 1. Aggregate objects
  • 2. Immutable types
  • 3. Subclasses
  • 4. Additive invariants

} previous work on Boogie methodology
} LMW
} LW
3
0. When do invariants hold?

  class Car {
    int speed;
    int windResistance;
    invariant windResistance == K * speed * speed;

    public Car() { speed = 0; windResistance = 0; }

    public void SetSpeed(int kmph) {
      speed = kmph;
      windResistance = K * speed * speed;
    }
  }

5
0. When do invariants hold?

  class Car {
    int speed;
    int windResistance;
    invariant windResistance == K * speed * speed;

    public Car() { speed = 0; windResistance = 0; }

    public void SetSpeed(int kmph) {
      speed = kmph;
      P( );
      windResistance = K * speed * speed;
    }
  }

Invariant temporarily violated between the two assignments: what if P calls back?
6
Object states
  • Mutable
    • Object invariant might be violated
    • Field updates are allowed
  • Valid
    • Object invariant holds
    • Field updates not allowed

7
The heap (the object store)
[Figure: objects in the heap, each drawn as either a Mutable object or a Valid object]
9
To mutable and back: expose

  class Car {
    int speed;
    int windResistance;
    invariant windResistance == K * speed * speed;

    public void SetSpeed(int kmph)
      requires this.valid;
    {
      expose (this) {
        speed = kmph;
        windResistance = K * speed * speed;
      }
    }
  }

Slide annotations: entering expose changes this from valid to mutable; the body can update speed because this.mutable; leaving expose changes this from mutable to valid.
10
Summary for simple objects
  Program invariant:  (∀o • ¬o.mutable ⇒ Inv(o))
  Definition:         o.mutable ≡ ¬o.valid

  Declaration:   invariant ... this.f ...
  Update x.f = E is verified as:
    check x.mutable;
    x.f = E;
11
Summary for simple objects
  Program invariant:  (∀o • ¬o.mutable ⇒ Inv(o))
  Definition:         o.mutable ≡ ¬o.valid

  expose (x) { ... } is verified as:
    check x.valid;
    x.valid := false;
    ...
    check Inv(x);
    x.valid := true;
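The two summary slides above give the complete rule set for simple objects. The following runtime model of those rules is an added example for this transcript; it is not the slides' Spec# code and not the Spec# verifier (which discharges the same checks statically). The drag constant K, the Python class names and the `pack` call at the end of the constructor are assumptions of the example; the checks it performs are the ones listed on the slides, and it reproduces the slide-5 problem: a callback P that runs while the invariant is broken.

```python
# Runtime model of the "simple objects" rules: an object is either valid
# (invariant holds, no field updates) or mutable (updates allowed, invariant
# may be broken), and expose is the only way to switch between the two.
from contextlib import contextmanager

K = 2  # the slides only name the constant K; its value is an assumption here


class VerificationError(Exception):
    """Raised where the Spec# verifier would report a failed check."""


class Simple:
    """Every object carries the ghost field valid; o.mutable == not o.valid."""

    def __init__(self):
        object.__setattr__(self, "valid", False)  # objects start out mutable

    def inv(self):  # Inv(o); overridden per class
        return True

    def __setattr__(self, name, value):
        if name != "valid" and self.valid:  # check x.mutable  before  x.f = E
            raise VerificationError(f"update of {name} while the object is valid")
        object.__setattr__(self, name, value)


def pack(x):  # end of constructor (assumed): check Inv(x); x.valid := true
    if not x.inv():
        raise VerificationError("constructor leaves the invariant false")
    x.valid = True


@contextmanager
def expose(x):  # expose (x) { ... } as verified on the summary slide
    if not x.valid:  # check x.valid
        raise VerificationError("expose of an object that is not valid")
    x.valid = False  # x.valid := false
    yield x
    if not x.inv():  # check Inv(x)
        raise VerificationError("invariant false at end of expose")
    x.valid = True  # x.valid := true


class Car(Simple):
    def __init__(self):
        super().__init__()
        self.speed = 0
        self.wind_resistance = 0
        pack(self)

    def inv(self):  # invariant windResistance == K * speed * speed
        return self.wind_resistance == K * self.speed * self.speed

    def set_speed(self, kmph):
        if not self.valid:  # requires this.valid
            raise VerificationError("SetSpeed: requires this.valid")
        with expose(self):
            self.speed = kmph
            self.wind_resistance = K * self.speed * self.speed

    def set_speed_calling_p(self, kmph, p):
        """The slide-5 variant: P() runs while the invariant is temporarily broken."""
        if not self.valid:
            raise VerificationError("SetSpeed: requires this.valid")
        with expose(self):
            self.speed = kmph
            p(self)  # what if P calls back?
            self.wind_resistance = K * self.speed * self.speed


def update_outside_expose_rejected():
    car = Car()
    try:
        car.speed = 5  # no expose: the object is valid, so the write is refused
    except VerificationError:
        return True
    return False


def callback_sees_broken_invariant():
    seen = []
    car = Car()
    car.set_speed_calling_p(70, lambda c: seen.append(c.inv()))
    return seen, car.inv(), car.valid  # P observed Inv false; restored at the end


def reentrant_callback_rejected():
    car = Car()
    try:
        car.set_speed_calling_p(70, lambda c: c.set_speed(10))  # P calls back
    except VerificationError:
        return not car.valid  # the object stays mutable, never silently re-validated
    return False
```

P may read the fields and see the invariant broken, which is allowed because nothing it can prove depends on Inv unless it holds this.valid; what it cannot do is call back into a method whose precondition is this.valid, since the expose already cleared that flag.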
12
1. Aggregate objects
  class Seat {
    public void Move(int pos)
      requires this.valid;
    ...
  }

  class Car {
    Seat s;
    public void Adjust(Profile p)
      requires this.valid ∧ p.valid;
    { s.Move(p.SeatPosition); }
  }

13
Ownership
[Figure: objects with owner arrows; legend: arrow points to owner]
14
Ownership domains
[Figure: ownership domains; legend: arrow points to owner]
15
Ownership domains
[Figure: x with components y and z; legend: arrow points to owner]
x owns y and z; y and z are components in the representation of x; y and z are peers.
16
An object is only as valid as its components
[Figure: owner and components; legend: arrow points to owner, Mutable object, Valid object]
17
Representation (rep) fields

  class Seat {
    public void Move(int pos)
      requires this.Consistent;
    ...
  }

  class Car {
    rep Seat s;
    public void Adjust(Profile p)
      requires this.Consistent ∧ p.Consistent;
    { expose (this) { s.Move(p.SeatPosition); } }
  }

  o.Consistent ≡ o.owner.mutable ∧ o.valid
18
Peer fields and peer validity

  class Seat {
    public void Move(int pos)
      requires this.PeerConsistent;
    ...
  }

  Rep version:
    class Car {
      rep Seat s;
      public void Adjust(Profile p)
        requires this.PeerConsistent ∧ p.PeerConsistent;
      { expose (this) { s.Move(p.SeatPosition); } }
    }

  Peer version (no expose: s has the same owner as this, so this.PeerConsistent already gives s.PeerConsistent):
    class Car {
      peer Seat s;
      public void Adjust(Position p)
        requires this.PeerConsistent ∧ p.PeerConsistent;
      { s.Move(p.SeatPosition); }
    }

  o.Consistent ≡ o.owner.mutable ∧ o.valid
  o.PeerConsistent ≡ o.owner.mutable ∧ (∀p • p.owner = o.owner ⇒ p.valid)
19
Summary for aggregate objects
  Program invariants:  (∀o • ¬o.mutable ⇒ Inv(o))
                       (∀o • o.mutable ⇒ o.owner.mutable)

  Declaration:   rep T t;  invariant ... this.t.f ...
  Update x.f = E is verified as:
    check x.mutable;
    x.f = E;
20
Summary for aggregate objects
  Program invariants:  (∀o • ¬o.mutable ⇒ Inv(o))
                       (∀o • o.mutable ⇒ o.owner.mutable)

  expose (x) { ... } is verified as:
    check x.valid;
    check x.owner.mutable;
    x.valid := false;
    ...
    check (∀r • r.owner = x ⇒ r.valid);
    check Inv(x);
    x.valid := true;
21
2. Immutable types
  class String {
    String Substring(int st, int len)
      requires this.PeerConsistent;
    ...
  }

  class Car {
    String serialNumber;
    public String Year()
      requires this.PeerConsistent;
    { return serialNumber.Substring(12, 4); }
  }

Note: cannot use rep here, since Car cannot expect to be the sole owner of the string.
22
Ever-peer-consistent (immutable) objects
[Figure: heap with an immutable object referenced from several owners; legend: arrow points to owner, Mutable object, Valid object, Immutable object]
23
Summary for immutable types
  Program invariant:  (∀o • Immutable(typeof(o)) ⇒ o.PeerConsistent)

  Declarations:  [Immutable] class M { T f; ... }
                 class C { M m; invariant ... this.m.f ... }
  Update x.f = E is verified as:
    check x.mutable;
    x.f = E;
24
Summary for immutable types
  Program invariant:  (∀o • Immutable(typeof(o)) ⇒ o.PeerConsistent)

  expose (x) { ... } is verified as:
    check ¬Immutable(typeof(x));
    check ...   (the checks from the aggregate-object rule, unchanged)
    x.valid := false;
    ...
    check ...
    x.valid := true;
25
Immutable is determined from the static type (except for object)
  • [Immutable] class C extends B
  • [Immutable] allowed on C if either
    • B is [Immutable], or
    • B is object
  • [Immutable] required on C if
    • B is [Immutable]

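The rep, peer and immutable rules on slides 17 to 24 are worth seeing run together, because the interesting check is the one relating an owner to its components. The following runtime model is an added example for this transcript, not the slides' code and not Spec# itself. Assumptions of the example: a module-level list stands in for the heap so the quantified checks can range over it; Adjust takes the seat position directly instead of a Profile; a SerialNumber class stands in for the [Immutable] String; the serial-number text is a constructed sample; top-level objects have owner None and are peers of each other, as in the slides' model.

```python
# Runtime model of ownership: rep components point to their owner, an owner
# is only as valid as its components, and [Immutable] objects are ever
# peer-consistent and can never be exposed.
from contextlib import contextmanager

HEAP = []  # every allocated object, so the quantified checks can range over the heap


class VerificationError(Exception):
    pass


def requires(cond, what):
    if not cond:
        raise VerificationError("precondition failed: " + what)


class Obj:
    immutable = False  # [Immutable]: a property of the static type, never of an instance

    def __init__(self, owner=None):
        self.valid = False  # ghost field; o.mutable == not o.valid
        self.owner = owner  # None for top-level objects, which are all peers of each other
        HEAP.append(self)

    def inv(self):
        return True

    def owner_mutable(self):
        return self.owner is None or not self.owner.valid

    def consistent(self):  # o.Consistent == o.owner.mutable and o.valid
        return self.owner_mutable() and self.valid

    def peer_consistent(self):  # o.PeerConsistent == o.owner.mutable and every peer valid
        return self.immutable or (self.owner_mutable() and
                                  all(p.valid for p in HEAP if p.owner is self.owner))

    def pack(self):  # end of constructor (assumed): check Inv(this); this.valid := true
        if not self.inv():
            raise VerificationError("constructor leaves the invariant false")
        self.valid = True


def update(x, name, value):  # check x.mutable; x.f = E
    if x.valid:
        raise VerificationError(f"update of {name} while {type(x).__name__} is valid")
    setattr(x, name, value)


@contextmanager
def expose(x):
    if x.immutable:  # check not Immutable(typeof(x))
        raise VerificationError("expose of an immutable object")
    if not x.valid or not x.owner_mutable():  # check x.valid; check x.owner.mutable
        raise VerificationError("expose of an object that is not consistent")
    x.valid = False
    yield x
    if any(r.owner is x and not r.valid for r in HEAP):  # all components valid again?
        raise VerificationError("component not valid at end of expose")
    if not x.inv():  # check Inv(x)
        raise VerificationError("invariant false at end of expose")
    x.valid = True


class Seat(Obj):
    def __init__(self, owner):
        super().__init__(owner)
        self.pos = 0
        self.pack()
    def inv(self):
        return self.pos >= 0
    def move(self, pos):
        requires(self.consistent(), "Seat.Move: this.Consistent")
        with expose(self):
            update(self, "pos", pos)


class SerialNumber(Obj):  # stands in for String: an [Immutable] type
    immutable = True
    def __init__(self, text):
        super().__init__()
        self.text = text
        self.pack()
    def substring(self, start, length):
        requires(self.peer_consistent(), "Substring: this.PeerConsistent")
        return self.text[start:start + length]


class Car(Obj):
    def __init__(self, serial):
        super().__init__()
        self.s = Seat(owner=self)  # rep Seat s: the seat's owner is this car
        self.serial = serial       # not rep: the car cannot expect to be the sole owner
        self.pack()
    def adjust(self, pos):
        requires(self.consistent(), "Adjust: this.Consistent")
        with expose(self):  # this becomes mutable, so s.Consistent holds inside
            self.s.move(pos)
    def year(self):
        requires(self.peer_consistent(), "Year: this.PeerConsistent")
        return self.serial.substring(12, 4)


def demo_rep_component():
    HEAP.clear()
    car = Car(SerialNumber("CAR00000000A2006Z"))  # constructed sample serial number
    car.adjust(3)
    try:
        car.s.move(5)  # Seat.Move while the owner is valid: its precondition fails
        rejected = False
    except VerificationError:
        rejected = True
    return car.s.pos, car.valid, rejected


def demo_immutable_shared():
    HEAP.clear()
    serial = SerialNumber("CAR00000000A2006Z")
    a, b = Car(serial), Car(serial)  # two cars share one immutable, unowned object
    try:
        with expose(serial):
            pass
        rejected = False
    except VerificationError:
        rejected = True
    return a.year(), b.year(), rejected
```

The component check at the end of expose is what makes "an object is only as valid as its components" hold as a program invariant: the seat can only be moved while its owning car is exposed, and the car cannot become valid again until the seat is.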
26
3. Subclasses
  class Car {
    int speed;
    invariant 0 <= speed;
  }

  class LuxuryCar extends Car {
    Radio r;
    invariant 6 <= r.CDCapacity;
  }

27
Owners are pairs
  • To support subclasses with invariants, we change
    owners to be pairs
  • (object reference, class frame)

28
Invariants and subclasses
[Figure: an object of class B extends A drawn with one frame per class (B, A, Object); legend: arrow points to owner]
29
Summary for subclasses
  Program invariants:  (∀o,T • ¬(o,T).mutable ⇒ InvT(o))
                       (∀o,T • (o,T).mutable ⇒ o.owner.mutable)

  Declaration:   class C extends B { F f; invariant ... this.f ... }
  Update x.f = E is verified as:
    check (x,C).mutable;
    x.f = E;
30
Summary for subclasses
  Program invariants:  (∀o,T • ¬(o,T).mutable ⇒ InvT(o))
                       (∀o,T • (o,T).mutable ⇒ o.owner.mutable)

  For C x, expose (x) { ... } is verified as:
    check (x,C).valid;
    check x.owner.mutable;
    (x,C).valid := false;
    ...
    check (∀r • r.owner = (x,C) ⇒ (∀R • (r,R).valid));
    check InvC(x);
    (x,C).valid := true;
31
4. Additive invariants
  class Car {
    int speed;
    ...
  }

  class LuxuryCar extends Car {
    Radio r;
    invariant speed > 60 ⇒ r.SoundBooster == true;

    overrides void SetSpeed(int kmph) {
      expose (this) {
        base.SetSpeed(kmph);
        if (speed > 60) { ... }
      }
    }
  }

32
An additive frame is only as valid as its
subclass frames
[Figure: an object of class B extends A with frames B, A, Object; legend: arrow points to owner, Mutable object, Valid object]
33
Summary for additive invariants
  Program invariants:  (∀o,T • ¬(o,T).mutable ⇒ InvT(o))
                       (∀o,T • (o,T).mutable ⇒ o.owner.mutable)

  Declarations:  class B extends A { additive F f; ... }
                 class C extends B { invariant ... this.f ... }
  Update x.f = E is verified as (U ≤ B: U is B or a subclass of B):
    check (∀U • U ≤ B ⇒ (x,U).mutable);
    x.f = E;
34
Summary for additive invariants
  Program invariants:  (∀o,T • ¬(o,T).mutable ⇒ InvT(o))
                       (∀o,T • (o,T).mutable ⇒ o.owner.mutable)
                       (∀o,T • (o,T).transmut ⇒ (o,T).mutable ∧ (∀U • U < T ⇒ (o,U).transmut))
                       (U < T: U is a proper subclass of T)

  For C x, additive expose (x) { ... } is verified as:
    check (x,C).valid ∧ (∀U • U < C ⇒ (x,U).transmut);
    check x.owner.mutable;
    (x,C).valid := false;  (x,C).transmut := true;
    ...
    check (∀r • r.owner = (x,C) ⇒ (∀R • (r,R).valid));
    check InvC(x);
    (x,C).valid := true;  (x,C).transmut := false;
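The frame rules on slides 29 to 34 decide whether the LuxuryCar override on slide 31 verifies, and they only do so if SetSpeed is dispatched dynamically, which is the point made on the next slide. The following runtime model of (object, class-frame) pairs and the additive expose is an added example for this transcript, not the slides' code and not the Spec# verifier. Assumptions of the example: ownership is left out (every object here is top-level, so x.owner.mutable holds trivially); each class packs its own frame at the end of its constructor; the radio is reduced to a boolean sound_booster field; the Python names are the example's own.

```python
# Runtime model of additive invariants: one frame per class of an object,
# additive expose marks a frame transmut, and an additive field may only be
# updated while every frame at or below its declaring class is mutable.
from contextlib import contextmanager


class VerificationError(Exception):
    pass


class Obj:
    """Each object has one frame (self, T) per class T between its dynamic type and Obj."""

    def __init__(self):
        self.frames = {T: {"valid": False, "transmut": False}
                       for T in type(self).__mro__ if T not in (Obj, object)}

    def subframes(self, C):  # the frames (self, U) with U < C: proper subclasses of C
        return [U for U in self.frames if U is not C and issubclass(U, C)]


def inv(T, x):  # InvT(x): the invariant declared in class T, evaluated on x
    return T.__dict__.get("invariant", lambda o: True)(x)


def pack(x, T):  # end of T's constructor (assumed): check InvT(x); (x,T).valid := true
    if not inv(T, x):
        raise VerificationError(f"constructor leaves Inv{T.__name__} false")
    x.frames[T]["valid"] = True


def update(x, name, value, declared_in):
    # additive field f declared in B: check (forall U . U <= B ==> (x,U).mutable)
    for U, st in x.frames.items():
        if issubclass(U, declared_in) and st["valid"]:
            raise VerificationError(f"update of {name} while the {U.__name__} frame is valid")
    setattr(x, name, value)


@contextmanager
def additive_expose(x, C):
    st = x.frames[C]
    if not st["valid"]:  # check (x,C).valid
        raise VerificationError(f"{C.__name__} frame is not valid")
    for U in x.subframes(C):  # check (forall U . U < C ==> (x,U).transmut)
        if not x.frames[U]["transmut"]:
            raise VerificationError(f"{U.__name__} frame must be exposed before {C.__name__}")
    st["valid"], st["transmut"] = False, True
    yield x
    if not inv(C, x):  # check InvC(x)
        raise VerificationError(f"Inv{C.__name__} false at end of expose")
    st["valid"], st["transmut"] = True, False


class Car(Obj):
    def __init__(self):
        super().__init__()
        self.speed = 0
        pack(self, Car)

    def invariant(self):  # invariant 0 <= speed
        return 0 <= self.speed

    def set_speed(self, kmph):  # additive method: speed is mentioned by a subclass invariant
        with additive_expose(self, Car):
            update(self, "speed", kmph, declared_in=Car)


class LuxuryCar(Car):
    def __init__(self):
        super().__init__()
        self.sound_booster = False
        pack(self, LuxuryCar)

    def invariant(self):  # invariant speed > 60 ==> r.SoundBooster == true
        return self.speed <= 60 or self.sound_booster

    def set_speed(self, kmph):  # overrides
        with additive_expose(self, LuxuryCar):
            super().set_speed(kmph)  # base.SetSpeed(kmph)
            if self.speed > 60:
                update(self, "sound_booster", True, declared_in=LuxuryCar)


def dynamic_dispatch_ok():
    lux = LuxuryCar()
    lux.set_speed(80)
    return lux.speed, lux.sound_booster, all(f["valid"] for f in lux.frames.values())


def static_base_call_rejected():
    lux = LuxuryCar()
    try:
        Car.set_speed(lux, 80)  # bypasses the override: the LuxuryCar frame is still valid
    except VerificationError:
        return lux.frames[LuxuryCar]["valid"] and lux.frames[Car]["valid"]
    return False


def plain_car_ok():
    car = Car()
    car.set_speed(80)  # no subclass frames, so nothing further needs to be exposed
    return car.speed
```

Calling the Car frame's SetSpeed on a LuxuryCar without going through the override is refused before any state changes, because the LuxuryCar frame, whose invariant mentions speed, has not been additively exposed; that is the verification-side reason additive methods need dynamic dispatch.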
35
Object invariants in Spec#
  • Spec# syntactically checks that invariants are admissible
  • Ownership is specified with the [Owned] attribute
    • We first supported only rep ownership relations
    • peer relationships are often useful too
    • we now use PeerConsistent as the default method precondition
    • owners are set automatically on assignments of rep and peer fields
  • An immutable class/interface is specified with [Immutable]
  • We first supported only additive invariants in Spec#
    • non-additive invariants are easier to work with
    • non-additive expose is now the default
    • implementation restriction: no further expose is allowed on an object while a non-additive expose is in progress
  • Additive methods (those that update the additive fields mentioned in additive invariants) require dynamic dispatch and use the precondition Consistent

36
Summary and conclusions
  • Rich object structures need specification and verification support
    • simple invariants
    • aggregate objects
    • subclasses
    • additive invariants
    • visibility-based invariants
    • observer invariants
    • static class invariants