Behavioral Subtyping, Specification Inheritance, and Modular Reasoning

Published: 13 August 2015

Abstract

Verification of a dynamically dispatched method call, E.m(), seems to depend on E’s dynamic type. To avoid case analysis and allow incremental development, object-oriented program verification uses supertype abstraction. In other words, one reasons about E.m() using m’s specification for E’s static type. Supertype abstraction is valid when each subtype in the program is a behavioral subtype. This article semantically formalizes supertype abstraction and behavioral subtyping for a Java-like sequential language with mutation and proves that behavioral subtyping is both necessary and sufficient for the validity of supertype abstraction. Specification inheritance, as in JML, is also formalized and proved to entail behavioral subtyping.
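The abstract's three ideas (supertype abstraction, behavioral subtyping, and JML-style specification inheritance) can be made concrete with an executable sketch. The following Python block is an added example written for this page; it is not code from the article, from JML or from any tool the article cites, and it uses runtime contract checking rather than the article's predicate-transformer semantics. Every name in it (`SpecCase`, `effective_spec`, `checked_call`, `Account`, `OverdraftAccount`, `FeeAccount`, `client_withdraw`) is constructed for illustration. The effective specification of an overriding method is computed as JML does it: the effective precondition is the disjunction of the inherited case preconditions, and each case whose precondition held in the pre-state must have its postcondition hold in the post-state. A client verified against `Account`'s specification only (supertype abstraction) then stays correct on `OverdraftAccount`, which is a behavioral subtype, and the checker exposes `FeeAccount`, which is not.

```python
"""Specification inheritance and supertype abstraction, illustrated with
runtime-checked contracts.  Constructed example; not the article's formalism."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

State = Dict[str, Any]


@dataclass(frozen=True)
class SpecCase:
    """One JML-style specification case for a method.

    pre(old, args) is evaluated in the pre-state; post(old, args, result, new)
    relates the pre-state snapshot, the arguments and the result to the post-state.
    """
    name: str
    pre: Callable[[State, State], bool]
    post: Callable[[State, State, Any, State], bool]


class ContractViolation(Exception):
    """Raised when a checked call breaks its effective specification."""


def effective_spec(cls: type, method: str) -> List[SpecCase]:
    """Specification inheritance: the effective specification of a method is the
    join of every spec case declared for it along the supertype chain."""
    cases: List[SpecCase] = []
    for klass in reversed(cls.__mro__):          # supertypes first
        cases.extend(klass.__dict__.get("SPECS", {}).get(method, []))
    return cases


def checked_call(obj: Any, method: str, **args: Any) -> Any:
    """Call obj.method(**args) and check it against the effective spec of obj's
    dynamic class.  Effective precondition: some case's precondition holds.
    Effective postcondition: every case enabled in the pre-state must satisfy
    its postcondition, the inherited supertype cases included."""
    cases = effective_spec(type(obj), method)
    old = dict(vars(obj))                        # pre-state snapshot
    enabled = [c for c in cases if c.pre(old, args)]
    if not enabled:
        raise ContractViolation(f"precondition of {method} violated by caller")
    result = getattr(obj, method)(**args)
    new = dict(vars(obj))
    for c in enabled:
        if not c.post(old, args, result, new):
            raise ContractViolation(
                f"{type(obj).__name__}.{method} breaks inherited case "
                f"'{c.name}': not a behavioral subtype")
    return result


class Account:
    SPECS = {"withdraw": [SpecCase(
        "Account.withdraw",
        pre=lambda old, a: 0 < a["amount"] <= old["balance"],
        post=lambda old, a, r, new: new["balance"] == old["balance"] - a["amount"],
    )]}

    def __init__(self, balance: int) -> None:
        self.balance = balance

    def withdraw(self, amount: int) -> None:
        self.balance -= amount


class OverdraftAccount(Account):
    """Behavioral subtype: weakens the precondition by adding a spec case that
    permits overdraft up to `limit`; the inherited case still holds unchanged."""
    SPECS = {"withdraw": [SpecCase(
        "OverdraftAccount.withdraw",
        pre=lambda old, a: old["balance"] < a["amount"] <= old["balance"] + old["limit"],
        post=lambda old, a, r, new: new["balance"] == old["balance"] - a["amount"],
    )]}

    def __init__(self, balance: int, limit: int) -> None:
        super().__init__(balance)
        self.limit = limit


class FeeAccount(Account):
    """Not a behavioral subtype: it also charges a fee, so the inherited
    postcondition fails whenever Account.withdraw's precondition held."""
    def withdraw(self, amount: int) -> None:
        self.balance -= amount + 1


def client_withdraw(acct: Account, amount: int) -> int:
    """Client reasoning by supertype abstraction: it establishes Account.withdraw's
    precondition and relies on its postcondition, whatever acct's dynamic type."""
    assert 0 < amount <= acct.balance
    checked_call(acct, "withdraw", amount=amount)
    return acct.balance


def demo() -> Dict[str, Any]:
    out: Dict[str, Any] = {}
    out["account"] = client_withdraw(Account(100), 30)
    out["overdraft_inherited_case"] = client_withdraw(OverdraftAccount(100, 50), 30)
    od = OverdraftAccount(100, 50)
    checked_call(od, "withdraw", amount=120)     # only the subtype's own case is enabled
    out["overdraft_own_case"] = od.balance
    try:
        client_withdraw(FeeAccount(100), 30)
        out["fee"] = "accepted"
    except ContractViolation as e:
        out["fee"] = str(e)
    return out


if __name__ == "__main__":
    print(demo())
```

The check in `checked_call` is made against the dynamic class, exactly the case analysis the abstract says supertype abstraction avoids; the point of the sketch is that the client in `client_withdraw` never performs it, and is nonetheless correct for every behavioral subtype, while the one subtype that is not behavioral is caught at the postcondition.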



Reviews

Donald J. Bagert

This is a long paper: 67 pages plus a 21-page appendix. It describes the verification of a dynamically dispatched method call of an object-oriented program by using supertype abstraction. The authors maintain that such abstraction is only valid when each subtype in the program is a behavioral subtype. The goal of this paper is to prove that behavioral subtyping is both necessary and sufficient for the validity of supertype abstraction. In order to do this, the authors semantically formalize supertype abstraction and behavioral subtyping for a Java-like sequential language. The paper first provides a detailed formal definition of supertype abstraction and behavioral subtyping, followed by a section on related work. The Java-like language is then presented, followed by an overview of formal method specification, modular verification, and modular correctness, which is subsequently used to develop predicate transformer semantics. Finally, behavioral subtyping and its equivalence to supertype abstraction are presented, along with how behavioral subtyping is ensured through specification inheritance and an adaptation of the results to partial correctness. The appendix provides additional proofs and ancillary definitions. The paper is well organized and presented with more than 80 references. It is intended for those doing serious object-oriented programming language research. The authors have at least 40 years of experience in this area and appear to be primarily addressing their peers (to whom I can definitely recommend this work). However, graduate students should probably seek guidance from their advisors before attempting to read an advanced paper of this type.

Online Computing Reviews Service
