Abstract Object Creation in Dynamic Logic

Size: px

Start display at page:

Download "Abstract Object Creation in Dynamic Logic"

Joella Lucas
6 years ago
Views:

1 to be or not to be created Wolfgang Ahrendt 1 Frank S. de Boer 2 Immo Grabe 3 1 Chalmers University, Göteborg, Sweden 2 CWI, Amsterdam, The Netherlands 3 Christian-Albrechts-University Kiel, Germany KeY Symposium Speyer, 2009

2 Part I Motivation and Outline

3 Modeling Object Creation in Program Logics object-oriented programming languages (like Java): high-level way of creating objects abstract away from memory allocation programmer has no access to non-created (pre-)objects

4 Modeling Object Creation in Program Logics object-oriented programming languages (like Java): high-level way of creating objects abstract away from memory allocation programmer has no access to non-created (pre-)objects this abstraction not matched by program logics (incl. KeY): non-created objects can be referred to in the logic additional artifacts (ghost fields) to distinguish created objects consistency conditions on reachable states

5 Modeling Object Creation in Program Logics object-oriented programming languages (like Java): high-level way of creating objects abstract away from memory allocation programmer has no access to non-created (pre-)objects this abstraction not matched by program logics (incl. KeY): non-created objects can be referred to in the logic additional artifacts (ghost fields) to distinguish created objects consistency conditions on reachable states because of mismatch: loose full abstraction property additional complexity in formulas and proofs symbolic state bloated by createdness information

6 Approach Taken a logic that can only talk about created objects

7 Approach Taken a logic that can only talk about created objects problem: calculus cannot substitute new objects into pre-conditions

8 Approach Taken a logic that can only talk about created objects problem: calculus cannot substitute new objects into pre-conditions solution: non-standard substitution using meta-knowledge about newness

9 Approach Taken a logic that can only talk about created objects problem: calculus cannot substitute new objects into pre-conditions solution: non-standard substitution using meta-knowledge about newness carry over to symbolic execution paradigm

10 In the Following simple object-oriented while-language dynamic logic for that language abstract object creation semantics backwards reasoning calculus (wp-style) symbolic execution with abstract object creation

11 Relevance we examine object creation in simplified setting but: keep simplifications orthogonal to object creation issue

12 Relevance we examine object creation in simplified setting but: keep simplifications orthogonal to object creation issue applicable to full languages featuring abstract object creation (including Java)

13 Part II Syntax and Semantics

14 A Simple Object-Oriented While Language only one class: Object 3 types: Object, Integer, Boolean no methods variables (e.g. u, v, w) distinct from fields (e.g. x, y, z)

15 A Simple Object-Oriented While Language only one class: Object 3 types: Object, Integer, Boolean no methods variables (e.g. u, v, w) distinct from fields (e.g. x, y, z) statements: s ::= while e do s od if e 1 then s 2 else s 3 fi s 1 ; s 2 u := e e 1.x := e 2 u := new

16 A Simple Object-Oriented While Language only one class: Object 3 types: Object, Integer, Boolean no methods variables (e.g. u, v, w) distinct from fields (e.g. x, y, z) statements: s ::= while e do s od if e 1 then s 2 else s 3 fi s 1 ; s 2 u := e e 1.x := e 2 u := new expressions: e ::= u e.x null e 1 = e 2 (e 1? e 2 : e 3 ) op(e 1,..., e n )

17 A Simple Object-Oriented While Language only one class: Object 3 types: Object, Integer, Boolean no methods variables (e.g. u, v, w) distinct from fields (e.g. x, y, z) statements: s ::= while e do s od if e 1 then s 2 else s 3 fi s 1 ; s 2 u := e e 1.x := e 2 u := new expressions: e ::= u e.x null e 1 = e 2 (e 1? e 2 : e 3 ) op(e 1,..., e n ) to separate issues object creation and aliasing: no native statement e.x := new

18 A Simple Object-Oriented While Language only one class: Object 3 types: Object, Integer, Boolean no methods variables (e.g. u, v, w) distinct from fields (e.g. x, y, z) statements: s ::= while e do s od if e 1 then s 2 else s 3 fi s 1 ; s 2 u := e e 1.x := e 2 u := new expressions: e ::= u e.x null e 1 = e 2 (e 1? e 2 : e 3 ) op(e 1,..., e n ) to separate issues object creation and aliasing: no native statement e.x := new can be simulated by u := new; e.x := u (u fresh)

19 The Logic expressions may also contain logical variables (e.g., l) boolean expressions are formulas true, false are formulas logical connectives,,, quantified formulas l.φ, l.φ modal formulas (base cases): s φ, [s]φ, {U}φ, with s a statement and U (singular) update of form: u := e e 1.x := e 2 u := new

20 Semantics informal in this talk [[u := new]] σ : create new object and assign it to u

21 Semantics informal in this talk [[u := new]] σ : create new object and assign it to u terminology: in a state σ: current references = created objects plus null

22 Semantics informal in this talk [[u := new]] σ : create new object and assign it to u terminology: in a state σ: current references = created objects plus null [[e]] σ current references

23 Semantics informal in this talk [[u := new]] σ : create new object and assign it to u terminology: in a state σ: current references = created objects plus null [[e]] σ current references [[ l.φ]] σ : φ holds for all current references l

24 Semantics informal in this talk [[u := new]] σ : create new object and assign it to u terminology: in a state σ: current references = created objects plus null [[e]] σ current references [[ l.φ]] σ : φ holds for all current references l [[ l.φ]] σ : φ holds for some current reference l e, l of type Object

25 Semantics informal in this talk [[u := new]] σ : create new object and assign it to u terminology: in a state σ: current references = created objects plus null [[e]] σ current references [[ l.φ]] σ : φ holds for all current references l [[ l.φ]] σ : φ holds for some current reference l e, l of type Object examples: l. u := new (u = l)

26 Semantics informal in this talk [[u := new]] σ : create new object and assign it to u terminology: in a state σ: current references = created objects plus null [[e]] σ current references [[ l.φ]] σ : φ holds for all current references l [[ l.φ]] σ : φ holds for some current reference l e, l of type Object examples: l. u := new (u = l) true in all states

27 Semantics informal in this talk [[u := new]] σ : create new object and assign it to u terminology: in a state σ: current references = created objects plus null [[e]] σ current references [[ l.φ]] σ : φ holds for all current references l [[ l.φ]] σ : φ holds for some current reference l e, l of type Object examples: l. u := new (u = l) u := new l. (u = l) true in all states

28 Semantics informal in this talk [[u := new]] σ : create new object and assign it to u terminology: in a state σ: current references = created objects plus null [[e]] σ current references [[ l.φ]] σ : φ holds for all current references l [[ l.φ]] σ : φ holds for some current reference l e, l of type Object examples: l. u := new (u = l) true in all states u := new l. (u = l) false in all states

29 Part III Calculus

30 Sequent Calculus rules triggered by top-level formulas only: propositional rules, first-order rules, induction all these are standard!

31 Sequent Calculus rules triggered by top-level formulas only: propositional rules, first-order rules, induction all these are standard! in particular: quantifier rules are standard!

32 Sequent Calculus rules triggered by top-level formulas only: propositional rules, first-order rules, induction all these are standard! in particular: quantifier rules are standard! rules triggered also by sub-formulas: program rules, update application rule notation used: φ φ meaning: premis obtained from conclusion by replacing any φ with φ

33 Sequent Calculus rules triggered by top-level formulas only: propositional rules, first-order rules, induction all these are standard! in particular: quantifier rules are standard! rules triggered also by sub-formulas: program rules, update application rule notation used: φ φ meaning: premis obtained from conclusion by replacing any φ with φ ( \find(φ) \replacewith(φ ) )

34 Dynamic Logic Rules split [s 1 ] [s 2 ] φ [s 1 ; s 2 ] φ if (e [s 1 ] φ) ( e [s 2 ] φ) [if e then s 1 else s 2 fi] φ unwind [if e then s; while e do s od else skip fi] φ [while e do s od] φ assignvar {u := e}φ [u := e] φ assignfield {e 1.x := e 2 }φ [e 1.x := e 2 ] φ createobj {u := new}φ [u := new] φ

35 Update Application Rule for certain formulas {U}φ, the U can be applied (resovled)

36 Update Application Rule for certain formulas {U}φ, the U can be applied (resovled) φ applyupd {U}φ if {U}φ φ

37 Update Application Rule for certain formulas {U}φ, the U can be applied (resovled) φ applyupd {U}φ if {U}φ φ now define relation, resolving updates in a single step following slides: big-step definition of

38 Part IV Update Application

39 Update Application: Standard Cases I {U}φ φ {U}φ 1 {U}φ 2 φ {U}( φ) φ {U}(φ 1 φ 2 ) φ with {,, } op({u}e 1,..., {U}e n ) e ({U}e 1? {U}e 2 : {U}e 3 ) e {U}op(e 1,..., e n ) e {U}(e 1? e 2 : e 3 ) e {U}α α with α {true, false, null, l} this slide: U matches all updates

40 Update Application: Standard Cases II {u := e}u e {u := α}v v u v α e new ({u := e 1 }e 2 ).x e {u := e 1 }(e 2.x) e ( ({e.x := e 1 }e 2 ) = e? e 1 : ({e.x := e 1 }e 2 ).x ) e {e.x := e 1 }(e 2.x) e ({e.x := e 1 }e 2 ).y e {e.x := e 1 }(e 2.y) e x y

41 Update Application: Restricted Standard Cases The standard rules for quantifiers and equality are restricted to non-creating updates U nc of the forms u := e, e 1.x := e 2. ( u := new excluded from these rules.) l. {U nc }φ φ {U nc }( l. φ) φ l. {U nc }φ φ {U nc }( l. φ) φ {U nc }e 1 = {U nc }e 2 e {U nc }(e 1 = e 2 ) e

42 Object Creating Update Application: the Issue recall: {U}φ is the (explicit) weakest precondition wp(u, φ) applying U to φ (via ) computes weakest precondition

43 Object Creating Update Application: the Issue recall: {U}φ is the (explicit) weakest precondition wp(u, φ) applying U to φ (via ) computes weakest precondition problem: result of {u := new}φ, i.e., wp({u := new}, φ), cannot talk about new object because it does not exist in pre-state in particular: {u := new}u?

44 Object Creating Update Application: the Issue recall: {U}φ is the (explicit) weakest precondition wp(u, φ) applying U to φ (via ) computes weakest precondition problem: result of {u := new}φ, i.e., wp({u := new}, φ), cannot talk about new object because it does not exist in pre-state in particular: {u := new}u? basic approach: totally avoid {u := new}u

45 Object Creating Update Application: the Issue recall: {U}φ is the (explicit) weakest precondition wp(u, φ) applying U to φ (via ) computes weakest precondition problem: result of {u := new}φ, i.e., wp({u := new}, φ), cannot talk about new object because it does not exist in pre-state in particular: {u := new}u? basic approach: totally avoid {u := new}u observation: the only operations on objects are de-referencing fields test for equality

46 Object Creating Update Application: the Issue recall: {U}φ is the (explicit) weakest precondition wp(u, φ) applying U to φ (via ) computes weakest precondition problem: result of {u := new}φ, i.e., wp({u := new}, φ), cannot talk about new object because it does not exist in pre-state in particular: {u := new}u? basic approach: totally avoid {u := new}u observation: the only operations on objects are de-referencing fields test for equality quantification

47 Object Creating Update Application: the Issue recall: {U}φ is the (explicit) weakest precondition wp(u, φ) applying U to φ (via ) computes weakest precondition problem: result of {u := new}φ, i.e., wp({u := new}, φ), cannot talk about new object because it does not exist in pre-state in particular: {u := new}u? basic approach: totally avoid {u := new}u observation: the only operations on objects are de-referencing fields test for equality quantification in all cases, wp computation can employ meta knowledge

48 Object Creating Update Application: Field Access ({u := new}e).x e {u := new}(e.x) e e neither u nor conditional {u := new}u.x init T (x) init T (x) null 0 false ({u := new}b? {u := new}(e 1.x) : {u := new}(e 2.x)) e {u := new}((b? e 1 : e 2 ).x) e

49 Object Creating Update Application: Equality ({u := new}e 1 ) = ({u := new}e 2 ) e {u := new}(e 1 = e 2 ) e e 1, e 2 neither u nor conditional {u := new}(u = e) false e neither u nor conditional {u := new}(u = u) true ({u := new}b? {u := new}(e 1 = e 3 ) : {u := new}(e 2 = e 3 )) e {u := new}((b? e 1 : e 2 ) = e 3 ) e

50 Object Creating Update Application: Quantifiers ({u := new}φ[l/u]) l.({u := new}φ) φ {u := new} l.φ φ

51 Object Creating Update Application: Quantifiers ({u := new}φ[l/u]) l.({u := new}φ) φ {u := new} l.φ φ ({u := new}φ[l/u]) l.({u := new}φ) φ {u := new} l.φ φ

52 Example Proof 1 closefalse notright false = applyupd = false = {u := new} (u = c) assignvar = u := new (u = c) allright = l.( u := new (u = l))

53 Example Proof 2 closetrue notleft l. false = true (true), l. false = andleft (true) l. false = applyupd {u := new} l. (u = l) = assignvar u := new l. (u = l)) = notright = u := new l. (u = l)

54 (applyupd step in Example Proof 2) {u := new}(u = u) true {u := new} (u = u) (true) {u := new}(u = l) false {u := new} (u = l) false l.{u := new} (u = l) l. false {u := new} (u = u) l.{u := new} (u = l) (true) l. false {u := new} l. (u = l) (true) l. false

55 Part V Abstract Object Creation in Symbolic Execution

56 KeY-style Symbolic Execution up to here, backwards reasoning only KeYapproach: forward symbolic execution using update parallelisation

57 KeY-style Symbolic Execution up to here, backwards reasoning only KeYapproach: forward symbolic execution using update parallelisation * close applyupd u < v = u < v u < v = {w := u u := v v := u}v < u mergeupd u < v = {w := u u := v}{v := w}v < u assignvar u < v = {w := u u := v} v := w v < u mergeupd,assignvar u < v = {w := u}{u := v} v := w v < u split,assignvar u < v = {w := u} u := v; v := w v < u split,assignvar u < v = w := u; u := v; v := w v < u

58 Problem: Parallelising Object Creating Updates no natural way of merging {u := new} with other updates consider the two formulas (one true, one false): u := new; v := u (u = v) u := new; v := new (u = v) symbolic execution generates: {u := new}{v := u}(u = v) {u := new}{v := new}(u = v) merging updates, both result in: {u := new v := new}(u = v) cannot be true and false

59 Solution not merge object creation with other updates

60 Solution not merge object creation with other updates split {u := new} into creation and (mergable) assignment to u

61 Solution not merge object creation with other updates split {u := new} into creation and (mergable) assignment to u new object creation rule: createobj {a := new}{u := a}φ u := new φ a a fresh program variable

62 Solution not merge object creation with other updates split {u := new} into creation and (mergable) assignment to u new object creation rule: createobj {a := new}{u := a}φ u := new φ a a fresh program variable facilitate merging of all non-creating updates by shifting creation shiftcreation {u := new}{u nc}φ {U nc }{u := new}φ u not appearing in (non-creating) U nc

63 Symbolic Execuion Proof notright, closefalse * applyupd = false = {a := new} (v = a) applyupd = {a := new}{u := v v := a w := u} (w = v) assignvar,mergeupd = {a := new}{u := v v := a} w := u (w = v) mergeupd = {a := new}{u := v}{v := a} w := u (w = v) shiftcreation = {u := v}{a := new}{v := a} w := u (w = v) createobj = {u := v} v := new w := u (w = v) split,assignvar,split = u := v; v := new; w := u (w = v)

64 Part VI Object Creation vs. Object Activation

65 Abstract Object Creation Proof reconsider proof from above closefalse notright false = applyupd = false = {u := new} (u = c) assignvar = u := new (u = c) allright = l.( u := new (u = l))

66 Object Activation Proof close c.cre, obj(next)=c = c.cre equality c.cre, obj(next)=c = obj(next).cre notleft obj(next).cre, c.cre, obj(next) = c = ( 2 rules) (obj(next).cre next < next), c.cre, obj(next)=c = allleft n.(obj(n).cre n < next), c.cre, obj(next)=c = inreachablestate c.cre, obj(next)=c = notright c.cre = (obj(next) = c) applyupd c.cre = {u :=obj(next); u.cre:=true; next:=next+1} (u =c) createobj c.cre = u :=new (u =c) impright = c.cre u :=new (u =c) allright = l. (l.cre u :=new (u =l))

67 Part VII Reflections

68 Reflections abstraction level of logic matches programming language changes to standard treatment very local additional update type, not mergable with others, but shiftable to the front update application differs only in few cases formulas and proofs are simpler symbolic state representation: not diluted by createdness bookkeeping separates out 1. newly created objects (shifted forward) 2. symbolic value of fields and variables

Formal Systems II: Applications

Formal Systems II: Applications Functional Verification of Java Programs: Java Dynamic Logic Bernhard Beckert Mattias Ulbrich SS 2017 KIT INSTITUT FÜR THEORETISCHE INFORMATIK KIT University of the State