Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Class Analysis with a Proof Environment
An Assertion Calculus for Program Analysis
The Analysis Operations of the Assertion Calculus
Related Work
Conclusion
References
All Topics
Computer Science
Software Engineering

Lazy Behavioral Subtyping

Profile image of Olaf OweOlaf Owe

2008, Springer eBooks

Abstract

Late binding allows flexible code reuse but complicates formal reasoning significantly, as a method call's receiver class is not statically known. This is especially true when programs are incrementally developed by extending class hierarchies. This report develops a novel method to reason about late bound method calls. In contrast to traditional behavioral subtyping, reverification is avoided without restricting method overriding to fully behavior-preserving redefinition. The approach ensures that when analyzing the methods of a class, it suffices to consider that class and its superclasses. Thus, the full class hierarchy is not needed, and incremental reasoning is supported. We formalize this approach as a calculus which lazily imposes context-dependent subtyping constraints on method definitions. The calculus ensures that all method specifications required by late bound calls remain satisfied when new classes extend a class hierarchy. The calculus does not depend on a specific program logic, but the examples in the report use a Hoare-style proof system. We show soundness of the analysis method.

Related papers

A Type-Theoretic Basis for an Object-Oriented Refinement Calculus
Emil Sekerinski

1996

This paper addresses the issue of giving a formal semantics to an object-oriented programming and specification language. Object-oriented constructs considered are objects with attributes and methods, encapsulation of attributes, subtyping, bounded type parameters, classes, and inheritance. Classes are distinguished from object types. Besides usual imperative statements, specification statements are included. Specification statements allow changes of variables to be described by a predicate. They are abstract in the sense that they are non-executable. Specification statements may appear in method bodies of classes, leading to abstract classes. The motivation for this approach is that abstract classes can be used for problem-oriented specification in early stages and later refined to efficient implementations. Various refinement calculi provide laws for procedural and data refinement, which can be used here for class refinement. This paper, however, focuses on the semantics of object-oriented programs and specifications and gives some examples of abstract and concrete classes. The semantics is given by a translation of the constructs into the type system F≤, an extension of the simple typed λ-calculus by subtyping and parametric polymorphism: The state of a program is represented by a record. A state predicate is a Boolean valued function from states. Statements, both abstract and concrete, are represented by predicate transformers, i. e. higher order functions mapping state predicates (postconditions) to state predicates (preconditions). Objects are represented by records of statements (the methods) operating on a record of attributes, where the attributes are hidden by existential quantification. Classes are understood as templates for the creation of objects. Classes are represented by records. Inheritance amounts to record overwriting. Subtyping and parametric polymorphism, e. g. for the parameterization of classes by types, are already present in F≤. The advantage of this semantic by translation is that it builds on the features already provided by F≤ (which are all used). Hence no direct reference to the model underlying F≤ needs to be made; a summary of the syntax and rules of F≤ is given.

View PDFchevron_right
Half & Half: Multiple dispatch and retroactive abstraction for Java
Gerald Baumgartner

2002

Software often goes through a variety of extensions during its lifetime: adding new fields or new variants to a data structure, retroactively creating new type abstractions, and adding new operations on a data structure. As characterized by the extensibility problem, it should be possible to apply any combination of these types of extensions in any order. Mainstream object-oriented languages, however, do not well support the latter two. This paper proposes two language mechanisms that facilitate extending existing type hierarchies: multimethod dispatch and retroactive abstraction. For these two mechanisms to coexist, it is necessary to allow method dispatch on parameters of interface types, which presents problems with static type-checking. We present a type-safe solution that combines the two mechanisms by limiting multimethod type checks to package boundaries and by compiling certain packages with multimethods into sealed Jar files. † Java is a registered trademark of Sun Microsystems, Inc.

View PDFchevron_right
Dynamic inheritance and static analysis can be reconciled
Erik Ernst

1998

In the area of object-orientation there is a long-standing schism between the rigid but safe statically typed languages, and the expressive and exible but less safe \typeless" languages. Many e orts have aimed at combining the best of both. This paper presents a language mechanism which enhances the exibility and expressivity of static languages while preserving the safety properties. It is an inheritance mechanism, with standard single inheritance as a special case. It allows both compile-time and run-time construction of new classes. Moreover, it supports specialization of existing objects at run-time. This helps avoiding the combinatorial explosion in the number of classes associated with multiple inheritance, and it supports a better separation of concerns in large systems. Pre-methoding|inheritance applied to behavioral descriptors|has been used for the construction of control structures for many years, in Beta. With dynamic inheritance, pre-methoding becomes more expressive, supporting control structures as rst class values which may be constructed and combined dynamically. Even though the concept of pre-methoding is missing from most other languages, the basic idea could be applied to any statically typed object-oriented language.

View PDFchevron_right
An effective theory of type refinements
Yitzhak Mandelbaum

ACM SIGPLAN Notices, 2003

We develop an explicit two level system that allows programmers to reason about the behavior of effectful programs. The first level is an ordinary ML-style type system, which confers standard properties on program behavior. The second level is a conservative extension of the first that uses a logic of type refinements to check more precise properties of program behavior. Our logic is a fragment of intuitionistic linear logic, which gives programmers the ability to reason locally about changes of program state. We provide a generic resource semantics for our logic as well as a sound, decidable, syntactic refinement-checking system. We also prove that refinements give rise to an optimization principle for programs. Finally, we illustrate the power of our system through a number of examples.

View PDFchevron_right
Enabledness-based program abstractions for behavior validation
Diego Garbervetsky

ACM Transactions on Software Engineering and Methodology, 2013

Code artifacts that have nontrivial requirements with respect to the ordering in which their methods or procedures ought to be called are common and appear, for instance, in the form of API implementations and objects. This work addresses the problem of validating if API implementations provide their intended behavior when descriptions of this behavior are informal, partial, or nonexistent. The proposed approach addresses this problem by generating abstract behavior models which resemble typestates. These models are statically computed and encode all admissible sequences of method calls. The level of abstraction at which such models are constructed has shown to be useful for validating code artifacts and identifying findings which led to the discovery of bugs, adjustment of the requirements expected by the engineer to the requirements implicit in the code, and the improvement of available documentation.

View PDFchevron_right
A Formal Framework with Late Binding
Elena Zucca

Lecture Notes in Computer Science, 1999

We de ne a speci cation formalism (formally, an institution) which provides a notion of dynamic type (the type which is associated to a term by a particular evaluation) and late binding (the fact that the function version to be invoked in a function application depends on the dynamic type of one or more arguments). Hence, it constitutes a natural formal framework for modeling object-oriented and other dynamicallytyped languages and a basis for adding to them a speci cation level. In this respect, the main novelty is the capability of writing axioms related to a given type which are not required to hold for subtypes, hence can be \overridden" in further re nements, thus lifting at the speci cation level the possibility of reusing code which is o ered by the object-oriented approach.

View PDFchevron_right
Object-oriented refinement and proof using behaviour functions.
Tony Clark

2000

This paper proposes a new calculus for expressing the behaviour of object-oriented systems. The semantics of the calculus is given in terms of operators from computational category theory. The calculus aims to span the gulf between abstract specification and concrete implementation of object-oriented systems using mathematically verifiable properties and transformations. The calculus is compositional and can be used to express the behaviour of partial system views.

View PDFchevron_right
A paradigmatic object-oriented programming language: Design, static typing and semantics
Kim B Bruce

Journal of Functional Programming, 1994

To illuminate the fundamental concepts involved in object-oriented programming languages, we describe the design of TOOPL, a paradigmatic, statically-typed, functional, object-oriented programming language which supports classes, objects, methods, hidden instance variables, subtypes and inheritance. It has proven to be quite difficult to design such a language which has a secure type system. A particular problem with statically type checking object-oriented languages is designing typechecking rules which ensure that methods provided in a superclass will continue to be type correct when inherited in a subclass. The type-checking rules for TOOPL have this feature, enabling library suppliers to provide only the interfaces of classes with actual executable code, while still allowing users to safely create subclasses. To achieve greater expressibility while retaining type-safety, we choose to separate the inheritance and subtyping hierarchy in the language. The design of TOOPL has been guided by an analysis of the semantics of the language, which is given in terms of a model of the F-bounded second-order lambda calculus with fixed points at both the element and type level. This semantics supports the language design by providing a means to prove that the type-checking rules are sound, thus guaranteeing that the language is type-safe. While the semantics of our language is rather complex, involving fixed points at both the element and type level, we believe that this reflects the inherent complexity of the basic features of object-oriented programming languages. Particularly complex features include the implicit recursion inherent in the use of the keyword, self, to refer to the current object, and its corresponding type, MyType. The notions of subclass and inheritance introduce the greatest semantic complexities, whereas the notion of subtype is more straightforward to deal with. Our semantic investigations lead us to recommend caution in the use of inheritance, since small changes to method definitions in subclasses can result in major changes to the meanings of the other methods of the class.

View PDFchevron_right
Program abstractions for behaviour validation
Guido de Caso

Proceeding of the 33rd international conference on Software engineering - ICSE '11, 2011

Code artefacts that have non-trivial requirements with respect to the ordering in which their methods or procedures ought to be called are common and appear, for instance, in the form of API implementations and objects. This work addresses the problem of validating if API implementations provide their intended behaviour when descriptions of this behaviour are informal, partial or non-existent. The proposed approach addresses this problem by generating abstract behaviour models which resemble typestates. These models are statically computed and encode all admissible sequences of method calls. The level of abstraction at which such models are constructed has shown to be useful for validating code artefacts and identifying findings which led to the discovery of bugs, adjustment of the requirements expected by the engineer to the requirements implicit in the code, and the improvement of available documentation.

View PDFchevron_right
Automatic Reuse through Implied Methods: The Design and Implementation of an Abstraction Mechanism for Implied Interfaces
Patrick Rein

Companion to the first International Conference on the Art, Science and Engineering of Programming, 2017

View PDFchevron_right

References (27)

  1. M. Abadi and K. R. M. Leino. A logic of object-oriented programs. In N. Dershowitz, editor, Verification: Theory and Practice, Essays Dedicated to Zohar Manna, volume 2772 of LNCS, pages 11-41. Springer, 2003.
  2. P. America. Designing an object-oriented programming language with behavioural sub- typing. In J. W. de Bakker, W.-P. de Roever, and G. Rozenberg, editors, Foundations of Object-Oriented Languages, pages 60-90. Springer, 1991.
  3. K. R. Apt. Ten years of Hoare's logic: A survey -Part I. ACM Transactions on Program- ming Languages and Systems, 3(4):431-483, Oct. 1981.
  4. K. R. Apt and E.-R. Olderog. Verification of Sequential and Concurrent Systems. Texts and Monographs in Computer Science. Springer, 1991.
  5. M. Barnett, K. R. M. Leino, and W. Schulte. The Spec# programming system: An overview. In G. Barthe, L. Burdy, M. Huisman, J.-L. Lanet, and T. Muntean, editors, Intl. Workshop on Construction and Analysis of Safe, Secure, and Interoperable Smart Devices (CASSIS'04), volume 3362 of LNCS, pages 49-69. Springer, 2005.
  6. B. Beckert, R. Hähnle, and P. H. Schmitt, editors. Verification of Object-Oriented Software. The KeY Approach, volume 4334 of LNAI. Springer, 2007.
  7. L. Burdy, Y. Cheon, D. R. Cok, M. Ernst, J. Kiniry, G. T. Leavens, K. R. M. Leino, , and E. Poll. An overview of JML tools and applications. In T. Arts and W. Fokkink, editors, Proceedings of FMICS '03, volume 80 of ENTCS. Elsevier Science Publishers, 2003.
  8. O.-J. Dahl, B. Myhrhaug, and K. Nygaard. (Simula 67) Common Base Language. Technical Report S-2, Norsk Regnesentral (Norwegian Computing Center), Oslo, Norway, May 1968.
  9. F. S. de Boer. A WP-calculus for OO. In W. Thomas, editor, Proceedings of Foundations of Software Science and Computation Structure, (FOSSACS'99), volume 1578 of LNCS, pages 135-149. Springer, 1999.
  10. F. S. de Boer, D. Clarke, and E. B. Johnsen. A complete guide to the future. In R. de Nicola, editor, Proc. 16th European Symposium on Programming (ESOP'07), volume 4421 of LNCS, pages 316-330. Springer-Verlag, Mar. 2007.
  11. E. Gamma, R. Helm, R. Johnson, and J. Vlissides. Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley, Reading, Mass., 1995.
  12. C. A. R. Hoare. An Axiomatic Basis of Computer Programming. Communications of the ACM, 12:576-580, 1969.
  13. C. A. R. Hoare. Procedures and parameters: An axiomatic approach. In E. Engeler, ed- itor, Symposium On Semantics of Algorithmic Languages, volume 188 of Lecture Notes in Mathematics, pages 102-116. Springer, 1971.
  14. M. Huisman. Java Program Verification in Higher-Order Logic with PVS and Isabelle. PhD thesis, University of Nijmegen, 2001.
  15. A. Igarashi, B. C. Pierce, and P. Wadler. Featherweight Java: a minimal core calculus for Java and GJ. ACM Transactions on Programming Languages and Systems, 23(3):396-450, 2001.
  16. B. Jacobs and E. Poll. A logic for the Java Modelling Language JML. In H. Hussmann, editor, Fundamental Approaches to Software Engineering, volume 2029 of LNCS, pages 284-299. Springer, 2001.
  17. E. B. Johnsen and O. Owe. An asynchronous communication model for distributed concur- rent objects. Software and Systems Modeling, 6(1):35-58, Mar. 2007.
  18. G. T. Leavens, K. R. M. Leino, and P. Müller. Specification and verification challenges for sequential object-oriented programs. Formal Aspects of Computing, 19(2):159-189, 2007.
  19. G. T. Leavens and D. A. Naumann. Behavioral subtyping, specification inheritance, and modular reasoning. Technical Report 06-20a, Department of Computer Science, Iowa State University, Ames, Iowa, 2006.
  20. B. H. Liskov and J. M. Wing. A behavioral notion of subtyping. ACM Transactions on Programming Languages and Systems, 16(6):1811-1841, Nov. 1994.
  21. L. Mikhajlov and E. Sekerinski. A study of the fragile base class problem. In E. Jul, editor, 12th European Conference on Object-Oriented Programming (ECOOP), volume 1445 of LNCS, pages 355-382. Springer, 1998.
  22. D. v. Oheimb. Analysing Java in Isabelle/HOL: Formalization, Type Safety, and Hoare- Logics. PhD thesis, Technische Universität München, 2001.
  23. D. v. Oheimb and T. Nipkow. Hoare logic for NanoJava: Auxiliary variables, side effects, and virtual methods revisited. In L.-H. Eriksson and P. A. Lindsay, editors, Formal Methods Europe (FME 2002), volume 2391 of LNCS, pages 89-105. Springer, 2002.
  24. S. Owicki and D. Gries. An axiomatic proof technique for parallel programs I. Acta Inform- atica, 6(4):319-340, 1976.
  25. C. Pierik and F. S. de Boer. A proof outline logic for object-oriented programming. Theor- etical Computer Science, 343(3):413-442, 2005.
  26. A. Poetzsch-Heffter and P. Müller. A programming logic for sequential Java. In S. D. Swier- stra, editor, 8th European Symposium on Programming Languages and Systems (ESOP'99), volume 1576 of LNCS, pages 162-176. Springer, 1999.
  27. N. Soundarajan and S. Fridella. Inheritance: From code reuse to reasoning reuse. In P. Devanbu and J. Poulin, editors, Proc. Fifth International Conference on Software Reuse (ICSR5), pages 206-215. IEEE Computer Society Press, 1998.

Related papers

Lazy behavioral subtyping: Single inheritance and interfaces
Olaf Owe

2009

Late binding allows exible code reuse but complicates formal reasoning signicantly, as a method call's receiver class is not statically known. This is especially true when programs are incrementally developed by extending class hierarchies. This paper develops a novel method to reason about late bound method calls. In contrast to traditional behavioral subtyping, reverication is avoided without restricting method overriding to fully behavior-preserving redenition. The approach ensures that when analyzing the methods of a class, it suces to consider that class and its superclasses. Thus, the full class hierarchy is not needed, and incremental reasoning is supported. We formalize this approach as a calculus which lazily imposes context-dependent subtyping constraints on method denitions. The calculus ensures that all method specications required by late bound calls remain satised when new classes extend a class hierarchy. The calculus does not depend on a specic program logic, but the examples in the paper use a Hoare style proof system. We show soundness of the analysis method. The paper nally demonstrates how lazy behavioral subtyping can be combined with interface specications to produce an incremental and modular reasoning system for object-oriented class hierarchies. * This work was done the context of the EU project IST-33826 CREDO: Modeling and analysis of evolutionary structures for distributed services (http://credo.cwi.nl).

View PDFchevron_right
Encapsulating Lazy Behavioral Subtyping⋆
Olaf Owe

Object-orientation supports incremental program development by grad-ually extending the class hierarchy. Subclassing and late bound method calls al-low very flexible reuse of code, thereby avoiding code duplication. Combined with incremental program development, this flexibility poses a challenge for pro-gram analysis. The dominant solution to this problem is behavioral subtyping, which avoids re-verification of verified code but requires that all properties of a method are preserved in subclasses. Program analysis becomes incremental, but behavioral subtyping severely restricts code reuse. Lazy behavioral subtyping re-laxes this restriction to the preservation of properties that are required by the call-site usage of methods. Previous work developed corresponding inference systems for languages with single-and multiple-inheritance hierarchies, but although in-cremental the approach could make it necessary to revisit previously analyzed classes in order to establish new properties. ...

View PDFchevron_right
Behavioral subtyping through typed assertions
Herbert Toth

arXiv (Cornell University), 2010

This paper presents a critical discussion of popular approaches to ensure the Liskov substitution principle in class hierarchies (e.g. Design by Contract™, specification inheritance). It will be shown that they have some deficiencies which are due to the way how effective constraints are calculated for subclass methods. A new mechanism, called client conformance, is introduced that takes the client's view on the program state into account more properly: The client's static type determines the context in which reasoning about program state is to be done. This is the context to which the runtime assertion checking (RAC) of server methods must be adapted appropriately. In a stepwise argumentation we show the improvements for RAC that can be reached following this approach in a natural way, preserving the percolation pattern mechanism: Clients will neither be confronted with unsafe or surprising executions, nor with surprising failures of server methods.

View PDFchevron_right
Incremental Reasoning for Multiple Inheritance
Martin Steffen, Johan Dovland, Olaf Owe

Lecture Notes in Computer Science, 2009

Object-orientation supports code reuse and incremental programming. Multiple inheritance increases the power of code reuse, but complicates the binding of method calls and thereby program analysis. Behavioral subtyping allows program analysis under an open world assumption; i.e., under the assumption that class hierarchies are extensible. However, method redefinition is severely restricted by behavioral subtyping, and multiple inheritance often leads to conflicting restrictions from independently designed superclasses. This paper presents an approach to incremental reasoning for multiple inheritance under an open world assumption. The approach, based on a notion of lazy behavioral subtyping, is less restrictive than behavioral subtyping and fits well with multiple inheritance, as it incrementally imposes context-dependent behavioral constraints on new subclasses. We formalize the approach as a calculus, for which we show soundness. P ::= L {t} L ::= class C extends C { f M} M ::= m (x){t} e ::= new C | b | v | this | e.m(e) | m(e) | m(e)@C v ::= f | f @C t ::= v := e | return e | skip | if b then t else t fi | t;t

View PDFchevron_right
Forcing behavioral subtyping through specification inheritance
Gary Leavens

Proceedings of IEEE 18th International Conference on Software Engineering, 1996

A common change to object-oriented software is to add a new type of data that is a subtype of some existing type in the program. However, due to message passing unchanged parts of the program may n o w call operations of the new type. To a void reveri cation of unchanged code such operations should have speci cations that are related to the speci cations of the appropriate operations in their supertypes. This paper presents a speci cation technique that uses inheritance of speci cations to force the appropriate behavior on the subtype objects. This technique is simple, requires little e ort by the speci er, and avoids reveri cation of unchanged code. We present t wo notions of such behavioral subtyping, one of which is new. We show how to use these techniques to specify examples in C++.

View PDFchevron_right

Related topics

  • Computer Science
  • Code Reuse
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved