programming languages 2nd edition tucker and noonan

Copyright © 2006 The McGraw-Hill Companies, Inc.

Programming Languages2nd edition

Tucker and Noonan

Chapter 18Program Correctness

To treat programming scientifically, it must be possible to specify the required properties of programs precisely. Formality is certainly not an end in itself. The importance of formal specifications must ultimately rest in their utility - in whether or not they are used to improve the quality of software or to reduce the cost of producing and maintaining software.

J. Horning


Contents

18.1 Axiomatic Semantics18.2 Formal Methods Tools: JML18.2.1 JML Exception Handling18.3 Correctness of Object-Oriented Programs18.3.1 Design by Contract18.3.2 The Class Invariant18.3.3 Correctness of a Queue Application18.3.4 Final Observations18.4 Correctness of Functional Programs


Review JML

JML Expression Meaningrequires p; p is a precondition for the callensures p; p is a postcondition for the callsignals (E e) p; when exception e is raised by the call, p is

a postconditionloop_invariant p; p is a loop invariantinvariant p; p is a class invariant\result == e; e is the result returned by the call\old v the value of v at entry to the call(\product int x ; p(x); e(x)) the product of e(x) for all x that satisfy p(x)(\sum int x ; p(x); e(x)) the sum of e(x) for all x that satisfy p(x)p ==> q p q


18.3.1 Design by Contract

Obligations Benefits

Client (caller)

Arguments for each method/constructor call must satisfy its requires clause

The call delivers correct result, and the object keeps its integrity

Class (object)

Result for each call must satisfy both its ensures clause and INV

Called method/constructor doesn’ t need extra code to check argument validity

Note: Blame can be assigned if obligations aren’t met!


The contract for a Stack class

Obligations Benefits

Client (caller)

Arguments for every call to Stack(), push, pop, top, isEmpty, and size

must satisfy its requires clause

Every call to Stac k(), push, pop, top, is Empty, and size

delivers a correct result, and the object keeps its integrity

Class (object)

Result from each call must satisfy both its ensures clause and the class invariant n == size()

No method or constructor needs extra code to check argument validity


18.3.2 The Class Invariant

A class C is formally specified if:1. Every constructor and public method M in the classhas

preconditions and postconditions, and2. C has a special predicate called its class invariant INV

which, for every object o in C, argument x and call o.M(x), must be true both before and after the call.

Note: During a call, INV may temporarily become false.

Why are we doing this???• Formal specifications provide a foundation for rigorous

OO system design (e.g., “design by contract”).• They enable static and dynamic assertion checking of an

entire OO system.• They enable formal correctness proof of an OO system.


18.3.3 Correctness of a Stack Application

public class Stack {private class Node { } private Node theStack = null;private int n = 0; public void push(int v) { }public int pop( ) {}public int top() {}public boolean isEmpty() {}public int size() {}

}

state variableshelp define INV

publicmethods M

public constructor C = Stack()

“helper” class


Adding Class-Level Specifications

/*@ public model Node S; private represents S <- theStack; public invariant S == null || n == this.size(); @*/ private /*@ spec_public @*/ Node theStack = null; private /*@ spec_public @*/ int n = 0;

more JML

JML model variable

class invariant INV

Notes: 1) JML model variables allow a specification to distance itself from the class’s implementation details.2) spec_public allows JML specifications to treat a Java variable as public without forcing the code to do the same.


Adding Method Specifications

/*@ requires n > 0; ensures \result==\old(S).val && S==\old(S).next && n==\old(n)-1; @*/ public /*@ pure @*/ int pop( ) { int result = theStack.val; theStack = theStack.next; n = n-1; return result; }

Notes: 1) \old denotes the value of S at entry to pop.2) The ensures clause specifies that pop removes

the top element and returns it.


Similar specifications for push

//@ ensures S.next==\old(S) && S.val==v; public /*@ pure @*/ void push(int v) { theStack = new Node(v, theStack); n = n+1; }


“Pure” methods

/*@ requires n > 0; ensures \result==S.val && S == \old(S); @*/ public /*@ pure @*/ int top() { return theStack.val; }

Note: A method is pure if:1) it has no non-local side effects, and2) it is provably non-looping.


Test driving MyStack class

public class myStackTest {public static void main(String[] args) { MyStack s = new MyStack(); int val; for (int i=0; i<args.length; i++) s.push(Integer.parseInt(args[i])); System.out.println("Stack size = " + s.size()); System.out.print("Stack contents ="); for (int i=1; i<=n; i++) { System.out.print(" " + s.top( )); s.pop( ); } System.out.println( ); System.out.println("Is Stack empty? " + s.isEmpty( ));}}


Contract test 1: normal run

% jmlrac myStackTest 4 5 6Stack size = 3Stack contents = 6 5 4Is Stack empty? true%


Contract test 2: postcondition violation

Exception in thread "main" org.jmlspecs.jmlrac.runtime.JMLNormalPostconditionError: by method MyStack.top regarding specifications atFile "MyStack.java", line 31, character 26 when '\old(S)' is MyStack$Node@5ff48b '\result' is 5 'this' is MyStack@affc70 at MyStack.checkPost$top$MyStack(MyStack.java:999) at MyStack.top(MyStack.java:1078) at myStackTest.main(MyStackTest.java:15)

Note: blame is with the callee MyStack, since a postcondition has been violated.


Contract test 3: invariant errorStack size = 3Stack contents = 6Exception in thread "main" org.jmlspecs.jmlrac.runtime.JMLInvariantError: by method MyStack.pop@post<File "MyStack.java", line 16,

character 17> regarding specifications atFile "MyStack.java", line 11, character 30 when 'this' is MyStack@9664a1 at MyStack.checkInv$instance$MyStack(MyStack.java:102) at MyStack.pop(MyStack.java:525) at myStackTest.main(MyStackTest.java:21)Note: blame is again with the callee MyStack, since an invariant has been violated.


Contract test 4: precondition violation

Note: blame is with the caller MyQueueTest, since a precondition has been violated.

Stack size = 3Stack contents = 6 5 4Is Stack empty? trueException in thread "main" org.jmlspecs.jmlrac.runtime.JMLEntryPreconditionError: by method MyStack.pop regarding specifications atFile "MyStack.java", line 16, character 21 when 'this' is MyStack@9664a1 at MyStack.checkPre$pop$MyStack(MyStack.java:330) at MyStack.pop(MyStack.java:479) at myStackTest.main(MyStacktest.java:24)


Class and System Correctness

So far, we have only done testing; what about formal verification?

1. A class C is (formally) correct if:a. It is formally specified, andb. For every object o and every constructor and public

method M in the class, the Hoare triple

is valid for every argument x.

2. A system is correct if all its classes are correct.€

{P∧INV} o.M(x) {Q∧INV}


Correctness of pop()

/*@ requires n > 0; ensures \result==\old(S).val && S==\old(S).next && n==\old(n)-1; @*/ public /*@ pure @*/ int pop( ) { int result = theStack.val; theStack = theStack.next; n = n-1; return result; }

1234

INV: n = size()P INV: n > 0 n = size()Q INV: result = old(S).val

S = old(S).next n = size()


1. “Loose” because a. We assume the validity of size(), andb. We omit some details.

2. The assignments in pop(), together with ,ensure the validity of :1. Steps 1 and 4 establish \result = \old(S).val2. Step 2 establishes S = \old(S).next3. Step 3 and our assumption establish n = size():

I.e., n = \old(n) -1and size() = \old(size()) -1So, n = size(), since \old(n) = \old(size())

€

P∧INV

€

Q∧INV

A “loose” correctness proof for pop()


18.3.4 Final Observations

1. Formal verification:a. is an enormous task for large programs.b. only proves that specifications and code agree.c. only proves partial correctness (assumes termination).

2. Tools exist for:a. Statically checking certain run-time properties of Java

programs (ESC/Java2)b. formally verifying Ada programs (Spark)

3. Tools are being developed to help with formal verificationof Java programs (Diacron, LOOP)

4. What is the cost/benefit of formal methods?

programming languages 2nd edition tucker and noonan

Documents