Fundamentals of Software Engineering

Transcription

1 Fundamentals of Software Engineering Reasoning about Programs with Dynamic Logic - Part II Ina Schaefer Institute for Software Systems Engineering TU Braunschweig, Germany Slides by Wolfgang Ahrendt, Richard Bubel, Reiner Hähnle (Chalmers University of Technology, Gothenburg, Sweden) Ina Schaefer FSE 1

2 Repetition: Dynamic Logic (Java) Dynamic Logic Typed FOL + programs p Ina Schaefer FSE 2

3 Repetition: Dynamic Logic (Java) Dynamic Logic Typed FOL + programs p + modalities p φ, [p]φ (p program, φ DL formula) Ina Schaefer FSE 3

4 Repetition: Dynamic Logic (Java) Dynamic Logic Typed FOL + programs p + modalities p φ, [p]φ (p program, φ DL formula) +... (later) Ina Schaefer FSE 4

5 Repetition: Dynamic Logic (Java) Dynamic Logic Typed FOL + programs p + modalities p φ, [p]φ (p program, φ DL formula) +... (later) Remark on Hoare Logic and DL In Hoare logic {Pre} p {Post} In DL Pre [p]post (Pre, Post must be FOL) (Pre, Post any DL formula) Ina Schaefer FSE 5

6 Proving DL Formulas An Example int x; (x. = n x >= 0 [ i = 0; r = 0; while(i < n){i = i + 1; r = r + i; } r = r + r n; ]r. = x x) How can we prove that the above formula is valid (i.e. satisfied in all states)? Ina Schaefer FSE 6

7 Semantics of Sequents Γ = {φ 1,..., φ n } and = {ψ 1,..., ψ m } sets of program formulas where all logical variables occur bound Recall: s = (Γ = ) iff s = (φ 1 φ n ) (ψ 1 ψ m ) Define semantics of DL sequents identical to semantics of FOL sequents Definition (Validity of Sequents over Program Formulas) A sequent Γ = over program formulas is valid iff s = (Γ = ) in all states s Ina Schaefer FSE 7

8 Semantics of Sequents Γ = {φ 1,..., φ n } and = {ψ 1,..., ψ m } sets of program formulas where all logical variables occur bound Recall: s = (Γ = ) iff s = (φ 1 φ n ) (ψ 1 ψ m ) Define semantics of DL sequents identical to semantics of FOL sequents Definition (Validity of Sequents over Program Formulas) A sequent Γ = over program formulas is valid iff s = (Γ = ) in all states s Consequence for program variables Initial value of program variables implicitly universally quantified Ina Schaefer FSE 8

9 Symbolic Execution of Programs Sequent calculus decomposes top-level operator in formula What is top-level in a sequential program p; q; r;? Symbolic Execution (King, late 60s) Follow the natural control flow when analysing a program Values of some variables unknown: symbolic state representation Ina Schaefer FSE 9

10 Symbolic Execution of Programs Sequent calculus decomposes top-level operator in formula What is top-level in a sequential program p; q; r;? Symbolic Execution (King, late 60s) Follow the natural control flow when analysing a program Values of some variables unknown: symbolic state representation Example Compute the final state after termination of int x; int y; x=x+y; y=x-y; x=x-y; Ina Schaefer FSE 10

11 Symbolic Execution of Programs Cont d General form of rule conclusions in symbolic execution calculus stmt; rest φ, [stmt; rest]φ Rules symbolically execute first statement ( active statement ) Repeated application of such rules corresponds to symbolic program execution Ina Schaefer FSE 11

12 \problem { x > y -> \<{x=x+y; y=x-y; x=x-y;}\> y > x } Ina Schaefer FSE 12 Symbolic Execution of Programs Cont d General form of rule conclusions in symbolic execution calculus stmt; rest φ, [stmt; rest]φ Rules symbolically execute first statement ( active statement ) Repeated application of such rules corresponds to symbolic program execution Example (updates/swap2.key, \programvariables { int x; int y; } Demo, active statement)

13 Symbolic Execution of Programs Cont d Symbolic execution of conditional if Γ, b. = true = p; rest φ, Γ, b. = false = q; rest φ, Γ = if (b) { p } else { q } ; rest φ, Symbolic execution must consider all possible execution branches Ina Schaefer FSE 13

14 Symbolic Execution of Programs Cont d Symbolic execution of conditional if Γ, b. = true = p; rest φ, Γ, b. = false = q; rest φ, Γ = if (b) { p } else { q } ; rest φ, Symbolic execution must consider all possible execution branches Symbolic execution of loops: unwind unwindloop Γ = if (b) { p; while (b) p}; rest φ, Γ = while (b) {p}; rest φ, Ina Schaefer FSE 14

15 Updates for KeY-Style Symbolic Execution Needed: a Notation for Symbolic State Changes symbolic execution should walk through program in natural direction need a succint representation of state changes effected by a program in one symbolic execution branch want to simplify effects of program execution early want to apply effects late (to post condition) Ina Schaefer FSE 15

16 Updates for KeY-Style Symbolic Execution Needed: a Notation for Symbolic State Changes symbolic execution should walk through program in natural direction need a succint representation of state changes effected by a program in one symbolic execution branch want to simplify effects of program execution early want to apply effects late (to post condition) We use dedicated notation for simple state changes: updates Ina Schaefer FSE 16

17 Explicit State Updates Definition (Syntax of Updates, Updated Terms/Formulas) If v is program variable, t FOL term type-compatible with v, t any FOL term, and φ any DL formula, then v := t is an update {v := t}t is DL term {v := t}φ is DL formula Definition (Semantics of Updates) State s interprets flexible symbols f with I s (f ) β variable assignment for logical variables in t, ρ transition relation: ρ({v := t})(s) = s where s identical to s except I s (v) = val s,β (t) Ina Schaefer FSE 17

18 Explicit State Updates Cont d Facts about updates {v := t} Update semantics identical to that of assignment Value of update depends on logical variables in t: use β Updates as lazy assignments (no term substitution done) Updates are not assignments: right-hand side is FOL term {x := n}φ cannot be turned into assignment (n logical variable) x=i++; φ cannot directly be turned into update Updates are not equations: change value of flexible terms Ina Schaefer FSE 18

19 Computing Effect of Updates (Automatic) Rewrite rules for update followed by... { {x := t}y y program variable {x := t}x t logical variable {x := t}w w complex term {x := t}f (t 1,..., t n ) f ({x := t}t 1,..., {x := t}t n ) (f rigid) {x := t}(φ & ψ) {x := t}φ & {x := t}ψ FOL formula {x := t}( τ y; φ) τ y; ({x := t}φ) program formula {x := t}( p φ) {x := t}( p φ) unchanged! Update computation delayed until p symbolically executed Ina Schaefer FSE 19

20 Assignment Rule Using Updates Symbolic execution of assignment using updates assign Γ = {x := t} rest φ, Γ = x = t; rest φ, Simple! No variable renaming, etc. Works as long as t has no side effects (ok in simple DL) Special cases needed for x =t 1 + t 2, etc. Demo updates/assignmenttoupdate.key Ina Schaefer FSE 20

21 Parallel Updates How to apply updates on updates? Example Symbolic execution of int x; int y; x=x+y; y=x-y; x=x-y; yields: {x := x+y}{y := x-y}{x := x-y} Need to compose three sequential state changes into a single one! Ina Schaefer FSE 21

22 Parallel Updates Cont d Definition (Parallel Update) A parallel update is expression of the form {l 1 := v 1 l n := v n } where each {l i := v i } is simple update All v i computed in old state before update is applied Updates of all locations l i executed simultaneously Upon conflict l i = l j, v i v j later update (max{i, j}) wins Ina Schaefer FSE 22

23 Parallel Updates Cont d Definition (Parallel Update) A parallel update is expression of the form {l 1 := v 1 l n := v n } where each {l i := v i } is simple update All v i computed in old state before update is applied Updates of all locations l i executed simultaneously Upon conflict l i = l j, v i v j later update (max{i, j}) wins Definition (Composition Sequential Updates/Conflict Resolution) {l 1 := r 1 }{l 2 := r 2 } = {l 1 := r 1 l 2 := {l 1 := r 1 }r 2 } { x if x {l1,..., l {l 1 := v 1 l n := v n }x = n } v k if x = l k, x {l k+1,..., l n } Ina Schaefer FSE 23

24 Parallel Updates Cont d Example ({x := x+y}{y := x-y}){x := x-y} = {x := x+y y := (x+y)-y}{x := x-y} = {x := x+y y := (x+y)-y x := (x+y)-((x+y)-y)} = {x := x+y y := x x := y} = {y := x x := y} KeY automatically deletes overwritten (unnecessary) updates Demo updates/swap2.key Ina Schaefer FSE 24

25 Parallel Updates Cont d Example ({x := x+y}{y := x-y}){x := x-y} = {x := x+y y := (x+y)-y}{x := x-y} = {x := x+y y := (x+y)-y x := (x+y)-((x+y)-y)} = {x := x+y y := x x := y} = {y := x x := y} KeY automatically deletes overwritten (unnecessary) updates Demo updates/swap2.key Parallel updates to store intermediate state of symbolic computation Ina Schaefer FSE 25

26 Another use of Updates If you would like to quantify over a program variable... Ina Schaefer FSE 26

27 Another use of Updates If you would like to quantify over a program variable... Not allowed: τ i;...i... φ (program logical variable) Ina Schaefer FSE 27

28 Another use of Updates If you would like to quantify over a program variable... Not allowed: τ i;...i... φ (program logical variable) Instead Quantify over value, and assign it to program variable: τ i 0 ; {i := i 0 }...i... φ Ina Schaefer FSE 28

29 Java Type Hierarchy Signature based on Java s type hierarchy any int boolean Object API, user-defined classes Null Each class referenced in API and target program is in signature with appropriate partial order Ina Schaefer FSE 29

30 Modelling Attributes Modeling instance attributes Person int age int id int setage(int i) int getid() Each o D Person has associated age value I(age) is function from Person to int Attribute values can be changed For each class C with attribute a of type τ: FSym nr declares flexible function τ a(c); Ina Schaefer FSE 30

31 Modelling Attributes Modeling instance attributes Person int age int id int setage(int i) int getid() Attribute Access Each o D Person has associated age value I(age) is function from Person to int Attribute values can be changed For each class C with attribute a of type τ: FSym nr declares flexible function τ a(c); Signature FSym nr : int age(person); Person p; Java/JML expression p.age >= 0 Typed FOL age(p)>=0 KeY postfix notation p.age >= 0 Navigation expressions in typed FOL look exactly as in Java/JML Ina Schaefer FSE 31

32 Modeling Attributes in FOL Cont d Resolving Overloading Overloading resolved by qualifying with class name: p.age@(person) Changing the value of attributes How to translate assignment to attribute p.age=17;? assign Γ = {l := t} rest φ, Γ = l = t; rest φ, Admit on left-hand side of update program location expressions Ina Schaefer FSE 32

33 Modeling Attributes in FOL Cont d Resolving Overloading Overloading resolved by qualifying with class name: p.age@(person) Changing the value of attributes How to translate assignment to attribute p.age=17;? assign Γ = {p.age := 17} rest φ, Γ = p.age = 17; rest φ, Admit on left-hand side of update program location expressions Ina Schaefer FSE 33

34 Generalise Definition of Updates Definition (Syntax of Updates, Updated Terms/Formulas) If l is program location (e.g., o.a), t FOL term type-compatible with l, t any FOL term, and φ any DL formula, then l := t is an update {l := t}t is DL term {l := t}φ is DL formula Definition (Semantics of Updates, Attribute Case) State s interprets attribute a with I s (a) β variable assignment for logical variables in t ρ({o.a := t})(s) = s where s identical to s except I s (a)(o) = val s,β (t) Ina Schaefer FSE 34

35 Dynamic Logic - KeY input file KeY \javasource "path to source code "; \programvariables {... } \problem { \<{ p.age = 18; }\> p.age = 18 } // Is this provable? KeY KeY reads in all source files and creates automatically the necessary signature (sorts, attribute functions) Ina Schaefer FSE 35

36 Refined Semantics of Program Modalities Does abrupt termination count as normal termination? No! Need to distinguish normal and exceptional termination Ina Schaefer FSE 36

37 Refined Semantics of Program Modalities Does abrupt termination count as normal termination? No! Need to distinguish normal and exceptional termination p φ: p terminates normally and formula φ holds in final state (total correctness) Ina Schaefer FSE 37

38 Refined Semantics of Program Modalities Does abrupt termination count as normal termination? No! Need to distinguish normal and exceptional termination p φ: p terminates normally and formula φ holds in final state (total correctness) [p]φ: If p terminates normally then formula φ holds in final state (partial correctness) Ina Schaefer FSE 38

39 Refined Semantics of Program Modalities Does abrupt termination count as normal termination? No! Need to distinguish normal and exceptional termination p φ: p terminates normally and formula φ holds in final state (total correctness) [p]φ: If p terminates normally then formula φ holds in final state (partial correctness) Abrupt termination counts as non-termination! Ina Schaefer FSE 39

40 Dynamic Logic - KeY input file KeY \javasource "path to source code "; \programvariables {... } \problem { p!= null -> \<{ p.age = 18; }\> p.age = 18 } Only provable when no top-level exception thrown KeY Ina Schaefer FSE 40

41 A Warning on Updates Computing the effect of updates with attribute locations is complex Example C a C b C Signature FSym nr : C a(c); C b(c); C o; Ina Schaefer FSE 41

42 A Warning on Updates Computing the effect of updates with attribute locations is complex Example C a C b C Signature FSym nr : C a(c); C b(c); C o; Consider {o.a := o}{o.b := o.a} Ina Schaefer FSE 42

43 A Warning on Updates Computing the effect of updates with attribute locations is complex Example C a C b C Signature FSym nr : C a(c); C b(c); C o; Consider {o.a := o}{o.b := o.a} First update may affect left side of second update Ina Schaefer FSE 43

44 A Warning on Updates Computing the effect of updates with attribute locations is complex Example C a C b C Signature FSym nr : C a(c); C b(c); C o; Consider {o.a := o}{o.b := o.a} First update may affect left side of second update o.a and o.b might refer to same object (be aliases) Ina Schaefer FSE 44

45 A Warning on Updates Computing the effect of updates with attribute locations is complex Example C a C b C Signature FSym nr : C a(c); C b(c); C o; Consider {o.a := o}{o.b := o.a} First update may affect left side of second update o.a and o.b might refer to same object (be aliases) KeY applies rules automatically, you don t need to worry about details Ina Schaefer FSE 45

46 Modeling Static Attributes in FOL Modeling class (static) attributes For each class C with static attribute a of type τ: FSym nr declares flexible constant τ a; Value of a is I(a) for all instances of C If necessary, qualify with class (path): byte java.lang.byte.max_value Standard values are predefined in KeY: I(java.lang.Byte.MAX_VALUE) = 127 Ina Schaefer FSE 46

47 The Self Reference Modeling reference this to the receiving object Special name for the object whose Java code is currently executed: in JML: Object this; in Java: Object this; in KeY: Object self; Default assumption in JML-KeY translation: self! = null Ina Schaefer FSE 47

48 Which Objects do Exist? How to model object creation with new? Ina Schaefer FSE 48

49 Which Objects do Exist? How to model object creation with new? Constant Domain Assumption Assume that domain D is the same in all states of LTS K = (S, ρ) Desirable consequence: Validity of rigid FOL formulas unaffected by programs containing new() = τ x; φ > [p]( τ x; φ) is valid for rigid φ Ina Schaefer FSE 49

50 Which Objects do Exist? (2) Realizing Constant Domain Assumption Flexible function boolean <created>(object); Equal to true iff argument object has been created Initialized as I(<created>)(o) = F for all o D Object creation modeled as {o.<created> := true} for next free o Ina Schaefer FSE 50

51 Extending Dynamic Logic to Java KeY admits any syntactically correct Java with some extensions: Needs not be compilable unit Permit externally declared, non-initialized variables All referenced class definitions loaded in background And some limitations... Limited concurrency No generics No I/O No floats No dynamic class loading or reflexion API method calls: need either JML contract or implementation Ina Schaefer FSE 51

52 Java Features in Dynamic Logic: Arrays Arrays any Java type hierarchy includes array types that occur in given program (for finiteness) Object Object[] Object[][] Ina Schaefer FSE 52

53 Java Features in Dynamic Logic: Arrays Arrays any Object Java type hierarchy includes array types that occur in given program (for finiteness) Types ordered according to Java subtyping rules Object[] Object[][] Ina Schaefer FSE 53

54 Java Features in Dynamic Logic: Arrays Arrays any Object Java type hierarchy includes array types that occur in given program (for finiteness) Types ordered according to Java subtyping rules The flexible functions that model attributes can have an array result type Object[] Object[][] Ina Schaefer FSE 54

55 Java Features in Dynamic Logic: Arrays Arrays any Object Object[] Java type hierarchy includes array types that occur in given program (for finiteness) Types ordered according to Java subtyping rules The flexible functions that model attributes can have an array result type Value of entry in array T[] ar; defined in class C depends on reference ar to array in C and index Object[][] Ina Schaefer FSE 55

56 Java Features in Dynamic Logic: Arrays Arrays any Object Object[] Object[][] Java type hierarchy includes array types that occur in given program (for finiteness) Types ordered according to Java subtyping rules The flexible functions that model attributes can have an array result type Value of entry in array T[] ar; defined in class C depends on reference ar to array in C and index Model array with flexible function T [](C,int) Ina Schaefer FSE 56

57 Java Features in Dynamic Logic: Arrays Arrays any Object Object[] Object[][] Java type hierarchy includes array types that occur in given program (for finiteness) Types ordered according to Java subtyping rules The flexible functions that model attributes can have an array result type Value of entry in array T[] ar; defined in class C depends on reference ar to array in C and index Model array with flexible function T [](C,int) Instead of [](ar,i) write ar[i] Ina Schaefer FSE 57

58 Java Features in Dynamic Logic: Arrays Arrays any Object Object[] Object[][] Java type hierarchy includes array types that occur in given program (for finiteness) Types ordered according to Java subtyping rules The flexible functions that model attributes can have an array result type Value of entry in array T[] ar; defined in class C depends on reference ar to array in C and index Model array with flexible function T [](C,int) Instead of [](ar,i) write ar[i] Arrays a and b can refer to same object (aliases) Ina Schaefer FSE 58

59 Java Features in Dynamic Logic: Arrays Arrays any Object Object[] Object[][] Java type hierarchy includes array types that occur in given program (for finiteness) Types ordered according to Java subtyping rules The flexible functions that model attributes can have an array result type Value of entry in array T[] ar; defined in class C depends on reference ar to array in C and index Model array with flexible function T [](C,int) Instead of [](ar,i) write ar[i] Arrays a and b can refer to same object (aliases) KeY implements update application and simplification rules for array locations Ina Schaefer FSE 59

60 Java Features in Dynamic Logic: Complex Expressions Complex expressions with side effects Java expressions may contain assignment operator with side effect Java expressions can be complex, nested, have method calls FOL terms have no side effect on the state Example (Complex expression with side effects in Java) int i = 0; if ((i=2)>= 2) i++; value of i? Ina Schaefer FSE 60

61 Complex Expressions Cont d Decomposition of complex terms by symbolic execution Follow the rules laid down in Java Language Specification Local code transformations evalorderiteratedassgnmt Γ = y = t; x = y; rest φ, Γ = x = y = t; rest φ, t simple Temporary variables store result of evaluating subexpression ifeval Γ = boolean v0; v0 = b; if (v0) p; r φ, Γ = if (b) p; r φ, b complex Guards of conditionals/loops always evaluated (hence: side effect-free) before conditional/unwind rules applied Ina Schaefer FSE 61

62 Java Features in Dynamic Logic: Abrupt Termination Abrupt Termination: Exceptions and Jumps Redirection of control flow via return, break, continue, exceptions π try {p} catch(e) {q} finally {r} ω φ Rules ignore inactive prefix, work on active statement, leave postfix Ina Schaefer FSE 62

63 Java Features in Dynamic Logic: Abrupt Termination Abrupt Termination: Exceptions and Jumps Redirection of control flow via return, break, continue, exceptions π try {p} catch(e) {q} finally {r} ω φ Rules ignore inactive prefix, work on active statement, leave postfix Rule trythrow matches try catch in pre-/postfix and active throw = π if (e instanceof T){try{x=e;q} finally{r}}else{r;throw e;} ω φ = π try {throw e; p} catch(t x) {q} finally {r} ω φ Demo: exceptions/try-catch.key Ina Schaefer FSE 63

64 Java Features in Dynamic Logic: Aliasing Form of Java program locations Program variable x Attribute access o.a Array access ar[i] Reference Aliasing Naive alias resolution causes proof split (on o =. u) at each access = o.age =. 1 > u.age = 2; o.age = 2; o.age =. u.age = o.age =. 1 > u.age = 2; u.age =. 2 Ina Schaefer FSE 64

65 Aliasing Cont d Assignment rule for arbitrary Java locations assign Γ = U{l := t} π ω φ, Γ = U πl = t; ω φ, Updates in front of program formula (= current state) carried over Rules for applying updates complex for reference types Aliasing analysis causes case split: delayed using conditional terms {o.a := t}u.a \if ({o.a := t}u. = o) \then (t) \else ({o.a := t}u).a Ina Schaefer FSE 65

66 Java Features in Dynamic Logic: Method Calls Method Call with actual parameters arg 0,..., arg n {arg 0 := t 0 arg n := t n c := t c } c.m(arg 0,..., arg n ); φ where m declared as void m(τ 0 p 0,..., τ n p n ) Actions of rule methodcall type conformance of arg i to τ i guaranteed by Java compiler for each formal parameter p i of m: declare and initialize new local variable τ i p#i =arg i ; look up implementation class C of m and split proof if implementation cannot be uniquely determined create concrete method invocation c.m(p#0,..., p#n)@c Ina Schaefer FSE 66

67 Method Calls Cont d Method Body Expand 1. Execute code that binds actual to formal parameters τ i p#i =arg i ; 2. Call rule methodbodyexpand Γ = π method-frame(source=c, this=c){ body } ω φ, Γ = π c.m(p#0,...,p#n)@c; ω φ, Ina Schaefer FSE 67

68 Method Calls Cont d Method Body Expand 1. Execute code that binds actual to formal parameters τ i p#i =arg i ; 2. Call rule methodbodyexpand Γ = π method-frame(source=c, this=c){ body } ω φ, Γ = π c.m(p#0,...,p#n)@c; ω φ, Symbolic Execution Only static information available, proof splitting Ina Schaefer FSE 68

69 Method Calls Cont d Method Body Expand 1. Execute code that binds actual to formal parameters τ i p#i =arg i ; 2. Call rule methodbodyexpand Γ = π method-frame(source=c, this=c){ body } ω φ, Γ = π c.m(p#0,...,p#n)@c; ω φ, Symbolic Execution Runtime infrastructure required in calculus Ina Schaefer FSE 69

70 Method Calls Cont d Method Body Expand 1. Execute code that binds actual to formal parameters τ i p#i =arg i ; 2. Call rule methodbodyexpand Γ = π method-frame(source=c, this=c){ body } ω φ, Γ = π c.m(p#0,...,p#n)@c; ω φ, Symbolic Execution Runtime infrastructure required in calculus Demo methods/instancemethodinlinesimple.key, argumentevaluationorder.key, inlinedynamicdispatch.key Ina Schaefer FSE 70

71 A Round Tour of Java Features in DL Cont d Localisation of Fields and Method Implementation Java has complex rules for localisation of attributes and method implementations Polymorphism Late binding Scoping (class vs. instance) Context (static vs. runtime) Visibility (private, protected, public) Use information from semantic analysis of compiler framework Proof split into cases when implementation not statically determined Ina Schaefer FSE 71

72 A Round Tour of Java Features in DL Cont d Null pointer exceptions There are no exceptions in FOL: I total on FSym Need to model possibility that o =. null in o.a KeY creates PO for o!= null upon each field access Ina Schaefer FSE 72

73 A Round Tour of Java Features in DL Cont d Object initialization Java has complex rules for object initialization Chain of constructor calls until Object Implicit calls to super() Visbility issues Initialization sequence Coding of initialization rules in methods <createobject>(), <init>(),... which are then symbolically executed Ina Schaefer FSE 73

74 Summary Most Java features covered in KeY Several of remaining features available in experimental version Simplified multi-threaded JMM Floats Degree of automation for loop-free programs is very high Proving loops requires user to provide invariant Automatic invariant generation sometimes possible Symbolic execution paradigm lets you use KeY w/o understanding details of logic Ina Schaefer FSE 74

75 Literature for this Lecture Essential KeY Book Verification of Object-Oriented Software (see course web page), Chapter 10: Using KeY KeY Book Verification of Object-Oriented Software (see course web page), Chapter 3: Dynamic Logic, Sections 3.1, 3.2, 3.4, 3.5, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, Ina Schaefer FSE 75