Advanced Aspects of Object-Oriented Programming Prof. Dr. Arnd Poetzsch-Heffter — AG Software Technology
winter semester 02/03
Contents
1. Introduction
2. Foundations of Object-Oriented Languages
3. Techniques for Checking Object-Oriented Programs
4. Specification of Object-Oriented Programs
5. Verification of Specified Properties
6. Perspectives
A. Poetzsch-Heffter: AASOOP winter semester 02/03
1. Introduction
1.1 Overview
1.2 Formal and Notational Foundations
1.1 Overview
Starting point:
• knowledge of object-oriented programming (e.g. Java)
Learning targets:
• in-depth technical understanding of:
  ◦ semantics
  ◦ typing
    . better parametrization
    . expression of further properties
  ◦ specification of program properties
  ◦ checking and verification
Semantics
Two central aspects:
• specification of program properties
• specification of programming languages
Example (Semantics for program properties):
    public class List {
        int length;
        ListElems le;
        //@ invariant length == le.leng();
        ...
    }
Example (Semantics of programming languages):
    class IntPair {
        private int a;
        private int b;
        IntPair( int ai, int bi ){ a = ai; b = bi; }
        int sum(){ return this.add(); }
        private int add(){ return a+b; }
    }
    class IntTriple extends IntPair {
        private int a;
        IntTriple( int ai, int bi, int ci ){ super(ai,bi); a = ci; }
        int sum(){ return this.add(); }
        private int add(){ return super.sum() + a; }
    }
    public class PrivateTest {
        public static void main( String[] arg ) {
            IntPair ip = new IntPair(3,9);
            IntTriple it = new IntTriple(1,2,27);
            System.out.println( ""+ip.sum()+" "+it.sum() );
        }
    }
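The binding rule that decides what PrivateTest prints, isolated in an added example (not from the slides; the class and method names are made up): a private method is bound statically to the class that declares it, so a subclass method of the same name does not replace it, whereas a protected method is dispatched on the dynamic type. This is why a private helper such as an input check inside a class cannot be hijacked by a subclass.

```java
// Added example: static binding of private methods vs. dynamic dispatch
// of protected ones. Names are made up for this demonstration.
class PrivateBase {
    private String tag() { return "base"; }
    // this.tag() here always means PrivateBase.tag(), whatever the dynamic type
    String describe() { return tag(); }
}
class PrivateDerived extends PrivateBase {
    // an unrelated private method, not an override (no @Override possible)
    private String tag() { return "derived"; }
}
class OpenBase {
    protected String tag() { return "base"; }
    // this.tag() here is dispatched on the dynamic type of the receiver
    String describe() { return tag(); }
}
class OpenDerived extends OpenBase {
    @Override protected String tag() { return "derived"; }
}
public class BindingDemo {
    // describe() on a PrivateDerived still runs PrivateBase.tag();
    // describe() on an OpenDerived runs OpenDerived.tag()
    public static void main(String[] args) {
        PrivateBase p = new PrivateDerived();
        OpenBase o = new OpenDerived();
        System.out.println(p.describe() + " " + o.describe());
    }
}
```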
Typing
Typing: Description of simple properties
• in the context of programming languages
• with automatic checking by the compiler
Example (Parametric polymorphism; the type parameters in angle brackets were lost in extraction and are restored here):
    class LinkedList<ET> {
        Entry<ET> header = new Entry<ET>(null, null, null);
        int size = 0;
        LinkedList() { ... }
        ET getLast() { ... }
        ET removeLast() { ... }
        void addLast(ET e) { ... }
        int size() { return size; }
    }

    class Test {
        public static void main( String[] args ) {
            LinkedList<String> ls = new LinkedList<String>();
            ls.addLast("first element");
            ls.addLast("last element");
            ls.getLast().indexOf("Elem");   // returns 8
            LinkedList<Object> lo = new LinkedList<Object>();
            lo.addLast( new Object() );
            lo.addLast( new Object() );
            lo.getLast().indexOf("Elem");   // programming error,
        }                                   // which is automatically detected by the compiler
    }
Specification of Program Properties
Specification:
• Description of significant properties
  ◦ of program parts or interfaces
  ◦ with additional language features
• Checking with various techniques
Example (Method specification):
    public class IntMathOps {
        /*@ public normal_behavior
          @   requires y >= 0
          @   modifiable \nothing
          @   ensures \result * \result = 0.0 && y >= 0.0 ;
          @   assignable dist ;
          @ also
          @ public exceptional_behavior
          @   requires x < 0.0 || y < 0.0 ;
          @   signals (IllegalArgumentException)
          @*/
        public Point ( float x, float y ) { ...}
        ...
4.1 Specification of Types
        /*@ public normal_behavior
          @   ensures \result == this.x ;
          @*/
        public float getX() { ... }
        ...
        /*@ public normal_behavior
          @   requires x+dx >= 0.0 && y+dy >= 0.0;
          @   assignable x, y ;
          @   ensures x == \old(x)+dx && y == \old(y)+dy ;
          @ private normal_behavior
          @   requires x+dx >= 0.0 && y+dy >= 0.0;
          @   assignable dist ;
          @ also
          @ public exceptional_behavior
          @   requires x+dx < 0.0 || y+dy < 0.0 ;
          @   signals (IllegalArgumentException)
          @*/
        public void move( float dx, float dy ){ ...}
    }
Remark: Private modifies clauses are not relevant for the documentation of the public interface, but they are needed by the checking tool.
4.1.3 Specification with Abstract Variables
Abstract variables/attributes are needed for the specification if
• no concrete attributes are declared, or
• the access rules don't allow the use of concrete attributes in specifications, or
• the implementation should be interchangeable.
Syntax: In JML, abstract variables/attributes are declared in the same way as attributes, but with the additional keyword model as modifier. In JML, abstract attributes have a Java type.
Meaning: Abstract attributes depend on concrete attributes or on other abstract attributes. The dependency must be specified in a depends clause. The value of an abstract attribute a of an object results from the values of the attributes on which a depends. The represents clause describes how it is calculated.
Example (Abstract attributes):
    public class Point {
        /** Coordinates */
        //@ public model float x, y;
        //@ public invariant x >= 0.0 && y >= 0.0;
        private double dist, angle ;
        /*@ private invariant dist >= 0.0
          @   && 0.0
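An added implementation (not from the slides) of the Point type whose move and getX specifications and abstract attributes appear above: the model attributes x, y are computed from the private polar representation dist, angle, as a represents clause would state, and the JML pre-, postconditions and the exceptional behavior are checked at run time. The choice of polar coordinates and the tolerance in the postcondition check are assumptions made here, not given on the slides.

```java
// Added example: Point with private polar representation and abstract x, y.
// The represents terms (x = dist*cos(angle), y = dist*sin(angle)) are an assumption.
public class Point {
    private double dist, angle;   // concrete attributes; private invariant dist >= 0.0

    // represents x <- dist * cos(angle), y <- dist * sin(angle)
    public float getX() { return (float) (dist * Math.cos(angle)); }
    public float getY() { return (float) (dist * Math.sin(angle)); }

    // exceptional_behavior: requires x < 0.0 || y < 0.0, signals IllegalArgumentException
    public Point(float x, float y) {
        if (x < 0.0 || y < 0.0) throw new IllegalArgumentException("negative coordinate");
        setFromCartesian(x, y);
    }

    // private helper: establishes the private invariant (hypot is never negative)
    private void setFromCartesian(double x, double y) {
        dist = Math.hypot(x, y);
        angle = Math.atan2(y, x);
    }

    // normal_behavior: requires x+dx >= 0.0 && y+dy >= 0.0,
    //                  ensures x == \old(x)+dx && y == \old(y)+dy
    // exceptional_behavior: requires x+dx < 0.0 || y+dy < 0.0, signals IllegalArgumentException
    public void move(float dx, float dy) {
        double oldX = getX(), oldY = getY();          // \old(x), \old(y)
        if (oldX + dx < 0.0 || oldY + dy < 0.0)
            throw new IllegalArgumentException("move would leave the first quadrant");
        setFromCartesian(oldX + dx, oldY + dy);
        // postcondition, checked with a tolerance because the polar representation rounds
        assert Math.abs(getX() - (oldX + dx)) < 1e-4 && Math.abs(getY() - (oldY + dy)) < 1e-4;
        assert dist >= 0.0;                           // private invariant
    }

    public static void main(String[] args) {          // run with java -ea to enable the asserts
        Point p = new Point(3.0f, 4.0f);
        p.move(1.0f, -2.0f);                          // normal_behavior: new position (4, 2)
        System.out.println(p.getX() + " " + p.getY());
        try {
            p.move(-10.0f, 0.0f);                     // exceptional_behavior applies
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```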