Joint work with Rustan Leino, Mike Barnett, Manuel Fähndrich, Herman Venter, Rob DeLine, Wolfram Schulte (all MSR), and Peter Müller (ETH), Bart Jacobs (KU Leuven) and Bor-Yuh Evan Chang (Berkeley)
Review: Boogie PL

Source language (e.g. Spec#)
    | Translate source language features using a particular programming methodology
    v
Intermediate language for verification: BoogiePL
    | Translate Boogie PL code using a particular VC generation
    v
Formulas
Review: Boogie PL

• What components does Boogie PL have, and what does it not have?
• What is the purpose of assert, assume and havoc?
• What's the meaning of a procedure and its modifies clause?
• What do we need to translate an OO language into Boogie PL?
to describe the result of the axiomatization. We use the function Tr(anslate) to translate Spec# statements into BoogiePL.
Storage Model

Use Boogie's type ref to denote runtime object references. A Heap maps object references and field names to values:

    var Heap: [ref, name]any;      // Heap: (ref, name) -> any

Allocatedness is represented as another field of the heap:

    const allocated: name;

Field read and field write (the receiver is checked for non-nullness first):

    assert o != null; x := Heap[o, f];
    assert o != null; Heap[o, f] := x;

Allocation

Tr[[x = new T()]] =
    { var o: ref;
      assume o != null && typeof(o) == T;
      assume Heap[o, allocated] == false;
      Heap[o, allocated] := true;
      call T..ctor(o);
    }
Methods

Recall: Boogie PL
• has only procedures, no instance methods
  – Add this as first parameter to the generated proc
• is weakly typed (just int, bool, ref)
  – Spec# types must be preserved via contracts
• has no idea of heap properties
  – Allocatedness must be preserved via contracts
• has no inheritance
  – Strengthening of postconditions must be implemented via multiple procedures
Behavioral Subtyping

Behavioral subtyping should guarantee substitutability:
• Wherever an object of type T is expected, an object of type S, where S <: T, should do without changing the program's behavior expressed in wp.

Sufficient conditions: Let MO be a virtual method and MU be its overridden method, then
• MU can weaken MO's precondition
• MU can strengthen MO's postcondition
Method Framing

• For sound verification we assume that every method modifies the heap
• Modifies clauses in Spec# express which locations (evaluated in the method's prestate) a method is allowed to modify
• Modifies clauses for an object o or array a have the form:

    o.f     allows modification of o's f field
    o.*     allows modification of all of o's fields
    a[k]    allows modification of a's array location k
    a[*]    allows modification of all of a's array
Method Framing

Let W denote all locations a method is allowed to modify.
• The Boogie PL postcondition for a Spec# modifies clause:

    Tr[[W]] = (∀ o: ref, f: name ::
                 old(Heap[o, allocated]) ⇒ (o, f) ∈ old(W) ∨ old(Heap[o, f]) = Heap[o, f])
Boogie

    procedure Cell.Set(this: Cell, x: int)
      requires this != null && typeof(this) <: Cell;
      modifies Heap;
      ensures (forall o: ref, f: name ::
                 old(Heap[o, allocated]) ==> o == this || old(Heap[o, f]) == Heap[o, f]);
Loop Framing

• Loops might change the heap. Let W denote the set of locations potentially changed by the loop.
• For sound verification we havoc the heap. We add as loop invariant the assertion that fields not written to don't change:

    Tr[[W]] = (∀ o: ref, f: name ::
                 Heap_entry[o, allocated] ⇒ f ∈ W ∨ Heap_entry[o, f] = Heap_current[o, f])

  where Heap_entry / Heap_current denote the entry / current incarnations of the Heap variable in the loop.
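The two frame conditions above (the Tr[[W]] postcondition for a modifies clause, and the loop invariant after havocing the heap), as an added example in Boogie 2 syntax; it is not code from the slides or from the Spec#/Boogie project. Assumptions: Boogie 2 has no `any` type, so Heap is a polymorphic map over a constructed `Field` type (the style of the Dafny prelude), and `Cell.x` is a constructed field name.

```boogie
// Added example, not from the slides: storage model plus method and loop
// framing in Boogie 2. 'any' is replaced by a polymorphic map over a
// constructed 'Field' type; Cell and Cell.x are constructed names.
type ref;
type name;
type Field _;
const null: ref;
const unique Cell: name;                 // class name
const unique allocated: Field bool;      // allocatedness as a heap field
const unique Cell.x: Field int;          // the one field of Cell (constructed)
function typeof(ref): name;
var Heap: <alpha>[ref, Field alpha]alpha;

// Tr[[ modifies this.* ]]: every location allocated in the prestate that
// does not belong to 'this' keeps its value.
procedure Cell.Set(this: ref, x: int)
  requires this != null && typeof(this) <: Cell;
  modifies Heap;
  ensures (forall <alpha> o: ref, f: Field alpha ::
             old(Heap[o, allocated]) ==> o == this || old(Heap[o, f]) == Heap[o, f]);
{
  assert this != null;                   // Tr[[ this.x := x ]]
  Heap[this, Cell.x] := x;
}

// Loop framing: Boogie havocs Heap at the loop head (the call modifies it),
// so the invariant must state that locations outside W, here everything
// not in this.*, are unchanged since loop entry (HeapEntry).
procedure Cell.SetN(this: ref, n: int)
  requires this != null && typeof(this) <: Cell;
  modifies Heap;
  ensures (forall <alpha> o: ref, f: Field alpha ::
             old(Heap[o, allocated]) ==> o == this || old(Heap[o, f]) == Heap[o, f]);
{
  var i: int;
  var HeapEntry: <alpha>[ref, Field alpha]alpha;   // entry incarnation of Heap
  HeapEntry := Heap;
  i := 0;
  while (i < n)
    invariant (forall <alpha> o: ref, f: Field alpha ::
                 HeapEntry[o, allocated] ==> o == this || HeapEntry[o, f] == Heap[o, f]);
  {
    call Cell.Set(this, i);
    i := i + 1;
  }
}
```

Checking the file with Boogie shows that the loop invariant is exactly what is needed to re-establish Cell.SetN's frame postcondition after the heap has been havoced.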
Summary

Verifying object-oriented programs requires us to
• axiomatize the declaration environment
• keep enough information around for verification