An Object-Oriented Dynamic Logic with Updates Andr Platzer - - PowerPoint PPT Presentation

An Object-Oriented Dynamic Logic with Updates

André Platzer University of Karlsruhe

André Platzer. ODL Updates – p.1/29

Motivation

✬ ✫ ✩ ✪

JAVACARDDL

André Platzer. ODL Updates – p.2/29

Motivation

✬ ✫ ✩ ✪

ODL

✬ ✫ ✩ ✪

JAVACARDDL

André Platzer. ODL Updates – p.2/29

Motivation

✬ ✫ ✩ ✪

WHILE

✬ ✫ ✩ ✪

ODL

✬ ✫ ✩ ✪

JAVACARDDL

André Platzer. ODL Updates – p.2/29

Overview

• What’s an Object-Oriented Dynamic

Logic (ODL )

• Objective
• The language ODL
• JAVA ODL
• Calculus
• Summary

André Platzer. ODL Updates – p.3/29

Object-Oriented DL

• ODL is a dynamic logic.
• “Natural” representation of OOP

.

• ODL only contains essentials of OO.

André Platzer. ODL Updates – p.4/29

Objective

• Characterise logical essentials of OO.
• Simple proofs within calculus and

about calculus.

• Prove sound & rel. complete.
• Theoretical foundation of KeY and
• updates. KeY completeness?

André Platzer. ODL Updates – p.5/29

The Language ODL

• Type-lattice with integers Z
• Formulas φ

◮ ¬, ∧, ∨, →, ↔, ∃ , ∀ , . = ◮ [α]φ, αφ ◮ if φ then s else t fi, t instanceof C

• Programs α

◮ f(t): =s (also simultaneous) ◮ if(φ) {α} else{γ}, while(φ) {α}, α; γ

André Platzer. ODL Updates – p.6/29

JAVA ODL

Software-Engineering features to ignore

• Coupling of state and behaviour
• Encapsulation
• Information hiding & visibility

André Platzer. ODL Updates – p.7/29

JAVA ODL

Non-essentials to discard

• Inner classes
• Field overriding
• Associations
• Events
• Side-effects & evaluation order
• Exceptions

Simple translation ⇒ syntactic sugar

André Platzer. ODL Updates – p.7/29

JAVA ODL

Essentials to dispose

• Implementation inheritance
• Object creation
• Dynamic dispatch & polymorphism

Simple translation ⇒ syntactic sugar

André Platzer. ODL Updates – p.7/29

JAVA ≈ ODL

Features to keep

• Field access (functions)
• Subtyping (= inheritance)

≈ “object = state + behaviour”

especially

◮ Modifiable state ◮ Dynamic types

André Platzer. ODL Updates – p.8/29

JAVA ODL (create)

Object creation has to support

• Dynamic type checks
• Object identity “new = new”
• Extension for varying domain

André Platzer. ODL Updates – p.9/29

JAVA ODL (create)

Object creation has to support

• Dynamic type checks
• Object identity “new = new”
• Extension for varying domain
• Ex:

x: =new C()

• x:

=objC (nextC), nextC: =nextC+1

André Platzer. ODL Updates – p.9/29

Calculus: object creation

• Dynamic type checks
• bjA (n) instanceof C =
• true

⇐ A subty. of C false otherwise

André Platzer. ODL Updates – p.10/29

Calculus: object creation

• Dynamic type checks
• bjA (n) instanceof C =
• true

⇐ A subty. of C false otherwise

• Ex:
• bjCar (n) instanceof Vehicle = true
• bjVehicle (k) instanceof Car

= false f(a) instanceof Car = ?

André Platzer. ODL Updates – p.10/29

Calculus: object creation

• Object identity “new = new”

Γ, i = j ⊢ ∆, objC (i) = objC (j)

André Platzer. ODL Updates – p.11/29

Calculus: object creation

• Object identity “new = new”

Γ, i = j ⊢ ∆, objC (i) = objC (j)

• Ex:

x: =new C();

• x:

=objC (1); y: =new C();

• y:

=objC (2); if(x . = y) {α} else{γ}

1=2

• γ

André Platzer. ODL Updates – p.11/29

Calculus: object creation

• Extension for varying domain

∀n

• n < nextC → φ(objC (n))
• “All objects created so far satisfy φ”

André Platzer. ODL Updates – p.12/29

Example: updates

f(s): =tg(f(s))

• g
• f(s):

=tf(s)

• “ ” g(t)

André Platzer. ODL Updates – p.13/29

Example: updates (alias)

f(s): =tg(f(r))

• g
• f(s):

=tf(r)

• g
• if s .

= r then t else f(r) fi

• “ ”
• s .

= r → g(t)

• ∧
• s = r → g(f(r))
• André Platzer. ODL Updates – p.14/29

Calculus: updates

• update (match)

f(s): =tf(u) if s . = f(s):

=tu then t else f

• f(s):

=tu

• fi
• conditional term split

Γ ⊢ ∆, (e → φ(s)) ∧ (¬e → φ(t)) Γ ⊢ ∆, φ(if e then s else t fi)

admissible

André Platzer. ODL Updates – p.15/29

Relative Completeness

• Arithmetic is incomplete.
• How much worse is ODL calculus?
• Relatively complete:

≈ “in addition to domain of

computation, program verification calculus ODL is complete”

André Platzer. ODL Updates – p.16/29

Relative Completeness

• Arithmetic is incomplete.
• How much worse is ODL calculus?
• Relatively complete:

≈ “in addition to domain of

computation, program verification calculus ODL is complete”

⇒ KeY is relatively complete, “suitable”

JAVA transformations provided.

André Platzer. ODL Updates – p.16/29

Summary

• ODL is an object-oriented dynamic

logic.

• ODL only contains essentials of OO.
• “Natural” translation JAVA ODL .
• Updates for object aliasing.
• Calculus is sound.

◮ Plan: prove calculus rel. complete.

André Platzer. ODL Updates – p.17/29

Repository

• The end of the presentation

André Platzer. ODL Updates – p.18/29

Terminology: Admissible

• [s → t] is admissible for φ :⇐

⇒ s, t do

not trespass modalities for which they are not rigid during the formation of

φ[s → t].

• wary substitution

[s → t] works like [s → t] but quits in front of modalities

for which s or t are not rigid.

André Platzer. ODL Updates – p.19/29

JAVA ODL (throw) (I)

t r y { while ( x >= y ) { x = x − y ; i f ( no progress ) { throw new DivByZero ( x , y ) ; } z = z + 1 ; } } catch ( DivByZero r ) { h }

André Platzer. ODL Updates – p.20/29

JAVA ODL (throw) (II)

while ( e == n u l l && x >= y ) { x = x − y ; i f ( no progress ) { e = new DivByZero ( x , y ) ; } i f ( e == n u l l ) { z = z + 1 ; } } i f ( e instanceof DivByZero ) { h } else { . . . }

André Platzer. ODL Updates – p.21/29

JAVA ODL (dispatch)

• C extends B
• C and B provide m(String arg)
• Transformation of x.m(arg):

i f ( x instanceof C ) { ( (C) x ) .m( arg ) ; } else i f ( x instanceof B ) { ( (B) x ) .m( arg ) ; }

André Platzer. ODL Updates – p.22/29

Example: updates (alias)

f(s): =tg(f(r))

• g
• f(s):

=tf(r)

• g
• if s .

= rf(s):

=t then t else f(f(s):

=tr) fi

• André Platzer. ODL Updates – p.23/29

Example: updates (alias)

f(s): =tg(f(r))

• g
• f(s):

=tf(r)

• g
• if s .

= f(s):

=tr then t else f(f(s):

=tr) fi

• g
• if s .

= r then t else f(r) fi

• “ ”
• s .

= r → g(t)

• ∧
• s = r → g(f(r))
• André Platzer. ODL Updates – p.23/29

Example: updates

f(s): =sg(f(f(r)))

• g
• f(s):

=sf(f(r))

• g
• if s .

= f(s):

=sf(r) then s else f

• f(s):

=sf(r)

• fi
• g
• if s .

=

• if s .

= f(s): =sr then s else f(f(s): =sr) fi

• then

s else f

• if s .

= f(s): =sr then s else f(f(s): =sr) fi

• fi
• André Platzer. ODL Updates – p.24/29

Example: updates

• g
• if s .

=

• if s .

= r then s else f(r) fi

• then

s else f

• if s .

= r then s else f(r) fi

• fi
• “ ”
• s .

= r → g

• if s .

= s then s else f(s) fi

• ∧
• s = r → g
• if s .

= f(r) then s else f(f(r)) fi

• “ ”
• s .

= r → g(s)

• ∧
• s = r → g
• if s .

= f(r) then s else f(f(r)) fi

• André Platzer. ODL Updates – p.24/29

Example: updates (quick)

f(s): =sg(f(f(s)))

• g
• f(s):

=sf(f(s))

• g
• if s .

= f(s):

=sf(s) then s else f

• f(s):

=sf(s)

• fi
• g
• if s .

= (if s .

= f(s): =ss then s else f(f(s): =ss) fi

• then

s else f

• if s .

= f(s):

=ss then s else f(f(s):

=ss) fi

• fi
• André Platzer. ODL Updates – p.25/29

Example: updates (quick)

g

• if s .

= (if s .

= f(s): =ss then s else f(f(s): =ss) fi

• then

s else f

• if s .

= f(s):

=ss then s else f(f(s):

=ss) fi

• fi
• g
• if s .

= s then s else f

• s
• fi
• “ ”

g(s)

André Platzer. ODL Updates – p.25/29

Calculus: update promotion

• update (match)

f(s): =tf(u) if s . = f(s):

=tu then t else f

• f(s):

=tu

• fi
• update (promote)

f(s): =tΥ(u) Υ

• f(s):

=tu

• ⇐ f = Υ

André Platzer. ODL Updates – p.26/29

Calculus: merge (last-win)

• update merge

Uf(s): =tφ U, f(Us): =Ut

André Platzer. ODL Updates – p.27/29

Calculus parallel updates

• Simultaneous parallel update

f1(s1): =t1, . . . , fn(sn): =tn

• U
• update (match)

Uf(u) if sir . = Uu then tir else . . . if si1 . = Uu then ti1 else f(Uu) fi fi ⇐ {i1, . . . , ir} = {i : fi = f}

André Platzer. ODL Updates – p.28/29

Relative Completeness

• Rel. Complete:

for each φ ∈ Fml(Σ ∪ V )

( for each arithmetic struct. ℓ ℓ φ)

implies

⊢ φ

assuming oracle for first-order arithmetic.

André Platzer. ODL Updates – p.29/29