Behavioral Subtyping is Equivalent to Modular Reasoning for Object-oriented Programs

Behavioral subtyping is an established idea that enables modular reasoning about behavioral properties of object-oriented programs. It requires that syntactic subtypes are behavioral refinements. It validates reasoning about a dynamically-dispatched method call, say E .m(), using the specification associated with the static type of the receiver expression E . For languages with references and mutable objects the idea of behavioral subtyping has not been rigorously formalized as such and the standard informal notion has inadequacies. This paper formalizes behavioral subtyping and introduces a new formalization of modular reasoning, called supertype abstraction. A Java-like sequential language is considered, with classes and interfaces, recursive types, first-class exceptions and handlers, and dynamically allocated mutable heap objects; the semantics is designed to serve as foundation for the Java Modeling Language (JML), a widely used specification language. Behavioral subtyping is characterized as sound and semantically complete for reasoning with supertype abstraction.

[1]  Alan Wills Specification in Fresco , 1992, Object Orientation in Z.

[2]  Pierre America,et al.  Designing an Object-Oriented Programming Language with Behavioural Subtyping , 1990, REX Workshop.

[3]  Gary T. Leavens,et al.  JML's Rich, Inherited Specifications for Behavioral Subtypes , 2006, ICFEM.

[4]  Jeannette M. Wing,et al.  A behavioral notion of subtyping , 1994, TOPL.

[5]  John C. Reynolds,et al.  Definitional Interpreters for Higher-Order Programming Languages , 1972, ACM '72.

[6]  Mike Barnett,et al.  Towards imperative modules: reasoning about invariants and sharing of mutable state , 2004, LICS 2004.

[7]  Peter W. O'Hearn,et al.  Separation and information hiding , 2004, POPL.

[8]  Peter W. O'Hearn,et al.  Program logic and equivalence in the presence of garbage collection , 2003, Theor. Comput. Sci..

[9]  Frank S. de Boer,et al.  A proof outline logic for object-oriented programming , 2005, Theor. Comput. Sci..

[10]  Albert L. Baker,et al.  Preliminary design of JML: a behavioral interface specification language for java , 2006, SOEN.

[11]  Suad Alagic,et al.  Behavioral Compatibility of Self-Typed Theories , 2002, ECOOP.

[12]  Barbara Liskov,et al.  Data Abstraction and Hierarchy , 1987 .

[13]  Todd Leavens Gary Verifying object-oriented programs that use subtypes , 1989 .

[14]  Thomas Kleymann,et al.  Hoare Logic and Auxiliary Variables , 1999, Formal Aspects of Computing.

[15]  Kim B. Bruce,et al.  An algebraic model of sybtypes in object-oriented languages (draft) , 1986, OOPWORK '86.

[16]  Lars Birkedal,et al.  BI-hyperdoctrines, higher-order separation logic, and abstraction , 2007, TOPL.

[17]  Gordon D. Plotkin,et al.  Notions of Computation Determine Monads , 2002, FoSSaCS.

[18]  C. A. R. Hoare,et al.  Procedures and parameters: An axiomatic approach , 1971, Symposium on Semantics of Algorithmic Languages.

[19]  Michael Barnett,et al.  Towards imperative modules: reasoning about invariants and sharing of mutable state , 2004, Proceedings of the 19th Annual IEEE Symposium on Logic in Computer Science, 2004..

[20]  Erik Poll,et al.  A Coalgebraic Semantics of Subtyping , 2001, RAIRO Theor. Informatics Appl..

[21]  Gary T. Leavens,et al.  Forcing behavioral subtyping through specification inheritance , 1996, Proceedings of IEEE 18th International Conference on Software Engineering.

[22]  K. Rustan M. Leino,et al.  Data abstraction and information hiding , 2002, TOPL.

[23]  Bernhard Reus,et al.  Modular Semantics and Logics of Classes , 2003, CSL.

[24]  Gary T. Leavens,et al.  Specification and verification of object-oriented programs using supertype abstraction , 1995, Acta Informatica.

[25]  Kim B. Bruce,et al.  An algebraic model of sybtypes in object-oriented languages (draft) , 1986, OOPWORK '86.

[26]  Arnd Poetzsch-Heffter,et al.  A Programming Logic for Sequential Java , 1999, ESOP.

[27]  K. Rustan M. Leino,et al.  Object Invariants in Dynamic Contexts , 2004, ECOOP.

[28]  John Power,et al.  Semantics for Local Computational Effects , 2006, MFPS.

[29]  Bart Jacobs,et al.  Reasoning about Java classes: preliminary report , 1998, OOPSLA '98.

[30]  C. Pierik,et al.  Validation techniques for object-oriented proof outlines , 2006 .

[31]  C. A. R. Hoare,et al.  Proof of Correctness of Data Representations (Reprint) , 2002, Software Pioneers.

[32]  Jeannette M. Wing A TWO-TIERED APPROACH TO SPECIFYING PROGRAMS , 1983 .

[33]  Greg Nelson,et al.  Extended static checking for Java , 2002, PLDI '02.

[34]  Gary T. Leavens,et al.  Modular invariants for layered object structures , 2006, Sci. Comput. Program..

[35]  Luca Cardelli,et al.  A Semantics of Multiple Inheritance , 1984, Information and Computation.

[36]  Matthew J. Parkinson,et al.  Local reasoning for Java , 2005 .

[37]  David A. Naumann,et al.  Observational purity and encapsulation , 2005, Theor. Comput. Sci..

[38]  David A. Naumann From Coupling Relations to Mated Invariants for Checking Information Flow , 2006, ESORICS.

[39]  P. A. Matthews,et al.  A sharp proof rule for procedures in wp semantics , 2004, Acta Informatica.

[40]  Anindya Banerjee,et al.  Design and Correctness of Program Transformations Based on Control-Flow Analysis , 2001, TACS.

[41]  Jean-Louis Lanet,et al.  Java Applet Correctness: A Developer-Oriented Approach , 2003, FME.

[42]  Anindya Banerjee,et al.  Ownership confinement ensures representation independence for object-oriented programs , 2002, JACM.

[43]  Bernhard Beckert,et al.  The KeY tool , 2005, Software & Systems Modeling.

[44]  Anindya Banerjee,et al.  Representation independence, confinement and access control [extended abstract] , 2002, POPL '02.

[45]  David A. Naumann,et al.  A categorical model for higher order imperative programming , 1998, Mathematical Structures in Computer Science.

[46]  David A. Naumann Verifying a Secure Information Flow Analyzer , 2005, TPHOLs.

[47]  Peter Müller,et al.  Modular Specification and Verification of Object-Oriented Programs , 2002, Lecture Notes in Computer Science.

[48]  簡聰富,et al.  物件導向軟體之架構(Object-Oriented Software Construction)探討 , 1989 .

[49]  Gary T. Leavens,et al.  Concepts of behavioral subtyping and a sketch of their extension to component-based systems , 2000 .

[50]  Yonghao Chen,et al.  A semantic foundation for specification matching , 2000 .

[51]  Matthias Felleisen,et al.  Contract Soundness for object-oriented languages , 2001, OOPSLA '01.

[52]  Benjamin C. Pierce,et al.  A bisimulation for type abstraction and recursion , 2005, POPL '05.

[53]  Martin Hofmann,et al.  Reading, Writing and Relations , 2006, APLAS.

[54]  K. Rustan M. Leino,et al.  Efficient weakest preconditions , 2005, Inf. Process. Lett..

[55]  Philip Wadler,et al.  Featherweight Java: a minimal core calculus for Java and GJ , 2001, TOPL.

[56]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[57]  David A. Naumann,et al.  Calculating sharp adaptation rules , 2001, Inf. Process. Lett..

[58]  Amal Ahmed,et al.  Step-Indexed Syntactic Logical Relations for Recursive and Quantified Types , 2006, ESOP.

[59]  C. A. R. Hoare,et al.  Proof of correctness of data representations , 1972, Acta Informatica.

[60]  K. Rustan M. Leino,et al.  Verification of Object-Oriented Programs with Invariants , 2003, J. Object Technol..

[61]  Frank S. de Boer,et al.  Proving Total Correctness of Recursive Procedures , 1990, Inf. Comput..

[62]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[63]  Amr Sabry,et al.  Reasoning about programs in continuation-passing style , 1992, LFP '92.

[64]  Ernst-Rüdiger Olderog,et al.  On the Notion of Expressiveness and the Rule of Adaption , 1983, Theor. Comput. Sci..

[65]  Gavin M. Bierman,et al.  Separation logic and abstraction , 2005, POPL '05.

[66]  Gary T. Leavens Modular specification and verification of object-oriented programs , 1991, IEEE Software.

[67]  David A. Naumann,et al.  On assertion-based encapsulation for object invariants and simulations , 2007, Formal Aspects of Computing.

[68]  Andrew W. Appel,et al.  A very modal model of a modern, major, general type system , 2007, POPL '07.

[69]  Tobias Nipkow,et al.  Hoare Logic for NanoJava: Auxiliary Variables, Side Effects, and Virtual Methods Revisited , 2002, FME.

[70]  Natarajan Shankar,et al.  PVS: A Prototype Verification System , 1992, CADE.

[71]  Pierre America,et al.  Inheritance and Subtyping in a Parallel Object-Oriented Language , 1987, ECOOP.

[72]  Clare E. Martin,et al.  An Algebraic Construction of Predicate Transformers , 1994, Sci. Comput. Program..