# Method Verification

Paul Ammann

Slides: 12

## Verification vs. Validation

- Verification: a given implementation is correct with respect to another description
- Validation: a given description is desirable
- We will focus on verification in this lecture
- Good news! All verification obligations follow the same basic model

## Verification of Method Contracts in Data Abstractions

- First basic problem:
  - The contract is in JavaDoc
  - The code is in Java
  - How are the states related?
- Solution: the Abstraction Function (AF) maps representation states to abstract states

## Key to Verifying Methods in Isolation

- Common (flawed) informal approach to analyzing a given method:
  - See how the other methods behave
  - Worry about method interactions
    - Interactions are reflected in the representation state
  - This doesn't scale!
- Instead, we want to analyze each method by itself
- We need a general description of the important properties relevant to all methods
  - Exactly what the Representation Invariant (rep-inv) does

## Method Verification, Part 1: The Representation Invariant

- Does the method establish/maintain the rep-invariant?
  - Base case: constructors
    - Plus any other methods that create objects
      - clone()? Serialization?
  - Inductive case: mutators

## Method Verification, Part 2: The Contract

- Given the rep invariant as an assumption
- Given the preconditions as assumptions
- Does the postcondition hold?
  - Need to map states through the abstraction function

## Verification in Diagram Form

```
Abstract State (Before)  ---- Method Contract ---->  Abstract State (After)
          ^                                                    ^
         AF()                       ?                         AF()
          |                                                    |
Representation State (Before) ---- Method Code ---->  Representation State (After)
```

The question mark is the verification obligation: does the diagram commute, i.e. does running the code on the representation and then applying AF give the same abstract state as applying the contract to AF of the starting state?

## Verification Example

- Diagram shown for method verification
  - Will revisit the same diagram for overridden methods
- Example to develop in class:

```java
import java.util.List;

public class Members {
    // Members is a mutable record of organization membership
    // AF: ?
    // rep-inv: ?
    List<Person> members;   // the representation (Person is defined elsewhere)

    // Post: person becomes a member
    public void join(Person person) { members.add(person); }

    // Post: person is no longer a member
    public void leave(Person person) { members.remove(person); }
}
```

- Exactly what is incorrect?
- Verification tools: contract, abstraction function, representation invariant
- Validation question: what about null values in members?

## Verification Example: Analysis

Two candidate rep-invariants, checked against the code as written:

| rep-inv | Method | Maintain rep-inv? | Satisfy contract? |
|---|---|---|---|
| members != null | join() | Yes | Yes |
| members != null | leave() | Yes | No: remove() drops one occurrence, so a person who joined twice is still a member |
| members != null && no duplicates in members | join() | No: add() inserts a duplicate if the person is already a member | Not a meaningful question |
| members != null && no duplicates in members | leave() | Yes | Yes |

## Verification Example: Repair 1

rep-inv: members != null

- join(): as is
- leave():

```java
while (members.contains(person)) { members.remove(person); }
```

| Method | Maintain rep-inv? | Satisfy contract? |
|---|---|---|
| join() | Yes (already analyzed) | Yes (already analyzed) |
| leave() | Yes | Yes |

## Verification Example: Repair 2

rep-inv: members != null && no duplicates in members

- join():

```java
if (!members.contains(person)) { members.add(person); }
```

- leave(): as is

| Method | Maintain rep-inv? | Satisfy contract? |
|---|---|---|
| join() | Yes | Yes |
| leave() | Yes (already analyzed) | Yes (already analyzed) |

## Another Verification Example

```java
public class Poly {
    // Polys are immutable polynomials c0 + c1 x + c2 x^2 + ...
    // AF: ci = trms[i] for appropriate values of i
    // rep-inv: deg = trms.length - 1
    //          trms.length >= 1
    //          trms != null
    //          if deg > 0 then trms[deg] != 0
    int[] trms;
    int deg;   // the representation

    // Post: Return degree of this, i.e. largest exponent with
    //       coefficient != 0. Returns 0 if this is the zero Poly
    public int degree() { return deg; }

    // Other methods omitted
}
```

- How do we decide if degree() is correct?
- How must the code change if the rep-inv changes?
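The Part 1 slide lists constructors, clone() and serialization as the object-creating paths that must establish the rep-invariant. The following is an added example, not code from the slides: a Members class with the "no duplicates" rep-inv, where every creation path checks it. Person is replaced by String, the class and method names are this example's own, and the final part of main() uses reflection to plant an invariant-violating list purely to simulate a tampered serialized stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;

// Added example (not from the slides): every path that creates a Members
// object must establish the rep-inv, not only the constructor.
public class Members implements Serializable, Cloneable {
    private static final long serialVersionUID = 1L;
    // rep-inv: members != null && no duplicates in members
    private List<String> members;

    // Base case 1: the constructor establishes the rep-inv.
    public Members() {
        members = new ArrayList<>();
        assert repOk();
    }

    boolean repOk() {
        return members != null && new HashSet<>(members).size() == members.size();
    }

    // Mutator from "Repair 2": keeps the no-duplicates invariant.
    public void join(String person) {
        if (!members.contains(person)) members.add(person);
    }

    public boolean isMember(String person) { return members.contains(person); }

    // Base case 2: clone() creates an object too. Object.clone() is shallow,
    // so without the copy the clone and the original would share one list.
    @Override public Members clone() {
        try {
            Members m = (Members) super.clone();
            m.members = new ArrayList<>(members);
            assert m.repOk();
            return m;
        } catch (CloneNotSupportedException e) {
            throw new AssertionError(e);
        }
    }

    // Base case 3: deserialization bypasses the constructor entirely, so the
    // stream is untrusted input; reject any state that violates the rep-inv.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (!repOk()) throw new InvalidObjectException("rep invariant violated in stream");
    }

    static Members roundTrip(Members m) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(m); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (Members) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Members ok = new Members();
        ok.join("alice");
        ok.join("alice");                      // second join is a no-op under Repair 2
        System.out.println("round trip rep-inv ok: " + roundTrip(ok).repOk());

        // Constructed failure case: simulate a hand-built or tampered stream by
        // planting a list with a duplicate, then serializing it. readObject must refuse it.
        Members bad = new Members();
        Field f = Members.class.getDeclaredField("members");
        f.setAccessible(true);
        f.set(bad, new ArrayList<>(List.of("bob", "bob")));
        try {
            roundTrip(bad);
            System.out.println("accepted a broken object (should not happen)");
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `java -ea Members` so the constructor and clone() assertions are active; the readObject() check is an ordinary `if` because assertions are off in production and the stream is exactly the input that cannot be trusted.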
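The Analysis and two Repair slides fill in a table by hand. The following is an added example, not code from the slides, that executes the verification diagram for the Members example: the abstraction function maps the representation list to a set, each candidate rep-inv is a predicate, and each method body (original and repaired) is run from a few constructed start states, checking both obligations. Class and method names, the start states and the person names are this example's own; Person is replaced by String.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.Predicate;

// Added example (not from the slides): the verification diagram, executed.
public class MembersCheck {
    // Abstraction function: a representation list maps to the abstract set of members.
    static Set<String> af(List<String> rep) { return new HashSet<>(rep); }

    // The two candidate rep-invariants from the Analysis slide.
    static final Predicate<List<String>> REP_INV_A = rep -> rep != null;
    static final Predicate<List<String>> REP_INV_B =
        rep -> rep != null && new HashSet<>(rep).size() == rep.size();

    // Method bodies from the slides, expressed as operations on the representation.
    static final BiConsumer<List<String>, String> JOIN_ORIGINAL  = (rep, p) -> rep.add(p);
    static final BiConsumer<List<String>, String> LEAVE_ORIGINAL = (rep, p) -> rep.remove(p);
    static final BiConsumer<List<String>, String> JOIN_REPAIRED  =
        (rep, p) -> { if (!rep.contains(p)) rep.add(p); };
    static final BiConsumer<List<String>, String> LEAVE_REPAIRED =
        (rep, p) -> { while (rep.contains(p)) rep.remove(p); };

    static final class Verdict {
        final boolean repInvKept, contractHolds;
        Verdict(boolean k, boolean c) { repInvKept = k; contractHolds = c; }
    }

    // One obligation: assume the rep-inv holds at the start, run the code on the
    // representation, then ask (1) is the rep-inv still true and (2) does the
    // postcondition hold on AF(after)? The slides' posts are just "person is/is not
    // a member"; a fuller contract would also say nothing else changed.
    static Verdict verify(Predicate<List<String>> repInv, BiConsumer<List<String>, String> body,
                          boolean isJoin, List<String> start, String p) {
        if (!repInv.test(start)) throw new IllegalArgumentException("start state violates rep-inv");
        List<String> rep = new ArrayList<>(start);
        body.accept(rep, p);
        Set<String> after = af(rep);
        boolean contract = isJoin ? after.contains(p) : !after.contains(p);
        return new Verdict(repInv.test(rep), contract);
    }

    static String analyse(String label, Predicate<List<String>> repInv,
                          BiConsumer<List<String>, String> body, boolean isJoin) {
        // Constructed start states. Under rep-inv B the duplicate state is skipped:
        // it is not a legal state, so the method need not be correct from it.
        List<List<String>> starts = List.of(
            List.of(), List.of("alice"), List.of("alice", "bob"), List.of("alice", "alice"));
        boolean kept = true, contract = true;
        String witness = null;
        for (List<String> s : starts) {
            if (!repInv.test(s)) continue;
            for (String p : List.of("alice", "carol")) {
                Verdict v = verify(repInv, body, isJoin, s, p);
                if (!v.repInvKept || !v.contractHolds) {
                    kept &= v.repInvKept;
                    contract &= v.contractHolds;
                    if (witness == null) {
                        witness = s + " then " + (isJoin ? "join" : "leave") + "(" + p + ")";
                    }
                }
            }
        }
        return String.format("%-20s rep-inv kept: %-5b contract: %-5b %s", label, kept, contract,
                             witness == null ? "" : "first counterexample: " + witness);
    }

    public static void main(String[] args) {
        System.out.println(analyse("A: join() as is",     REP_INV_A, JOIN_ORIGINAL,  true));
        System.out.println(analyse("A: leave() as is",    REP_INV_A, LEAVE_ORIGINAL, false));
        System.out.println(analyse("A: leave() repair 1", REP_INV_A, LEAVE_REPAIRED, false));
        System.out.println(analyse("B: join() as is",     REP_INV_B, JOIN_ORIGINAL,  true));
        System.out.println(analyse("B: join() repair 2",  REP_INV_B, JOIN_REPAIRED,  true));
        System.out.println(analyse("B: leave() as is",    REP_INV_B, LEAVE_ORIGINAL, false));
    }
}
```

The two failing rows reproduce the Analysis slide: under rep-inv A the original leave() is run from `[alice, alice]` and alice is still a member afterwards, and under rep-inv B the original join() run from `[alice]` produces a duplicate. In the latter row the contract column still reads true, which is the slide's "not a meaningful question": once the rep-inv is broken, nothing downstream may assume it, so a contract result on that state carries no weight. Testing from a handful of states is a check, not a proof; the proof is the argument over all states that the rep-inv lets you make.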
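The last slide asks how to decide that degree() is correct and how the code must change when the rep-inv changes. The following is an added example, not code from the slides, that answers both concretely: the slides' representation (no trailing zeros, cached deg) next to a relaxed one that permits trailing zeros, each with its own repOk(), and a check of both against the contract evaluated directly on the abstract value. Class names, the relaxed invariant and the sample inputs are this example's own.

```java
import java.util.Arrays;

// Added example (not from the slides): degree() is correct only relative to
// its rep-inv, so changing the invariant changes the code.
public class PolyDegree {

    // Representation from the slides. rep-inv:
    //   trms != null && trms.length >= 1 && deg == trms.length - 1
    //   && (deg == 0 || trms[deg] != 0)
    static final class PolyStrict {
        private final int[] trms;
        private final int deg;

        PolyStrict(int[] coeffs) {
            int n = coeffs.length;
            while (n > 1 && coeffs[n - 1] == 0) n--;       // constructor establishes the rep-inv
            trms = (n == 0) ? new int[] {0} : Arrays.copyOf(coeffs, n);
            deg = trms.length - 1;
            assert repOk();
        }

        boolean repOk() {
            return trms != null && trms.length >= 1 && deg == trms.length - 1
                && (deg == 0 || trms[deg] != 0);
        }

        // Correct because the rep-inv guarantees trms[deg] is the last coefficient
        // and is non-zero whenever deg > 0; reading the field is the whole proof.
        int degree() { return deg; }
    }

    // Relaxed rep-inv: trms != null && trms.length >= 1. Trailing zeros are
    // allowed and there is no cached deg, so degree() must scan.
    static final class PolyLoose {
        private final int[] trms;

        PolyLoose(int[] coeffs) {
            trms = (coeffs.length == 0) ? new int[] {0} : coeffs.clone();
            assert repOk();
        }

        boolean repOk() { return trms != null && trms.length >= 1; }

        int degree() {
            for (int i = trms.length - 1; i > 0; i--) if (trms[i] != 0) return i;
            return 0;
        }
    }

    // The contract on the abstract value (AF: c_i = trms[i], absent terms are 0):
    // the largest exponent with a non-zero coefficient, 0 for the zero polynomial.
    static int abstractDegree(int[] coeffs) {
        for (int i = coeffs.length - 1; i >= 0; i--) if (coeffs[i] != 0) return i;
        return 0;
    }

    public static void main(String[] args) {
        // Constructed inputs, including the zero polynomial and trailing zeros.
        int[][] inputs = { {}, {0}, {0, 0, 0}, {3}, {1, 2, 3}, {1, 2, 3, 0, 0}, {0, 5, 0} };
        for (int[] c : inputs) {
            PolyStrict s = new PolyStrict(c);
            PolyLoose l = new PolyLoose(c);
            int want = abstractDegree(c);
            System.out.printf("%-16s want=%d strict=%d loose=%d repOk=%b/%b%n",
                Arrays.toString(c), want, s.degree(), l.degree(), s.repOk(), l.repOk());
            if (s.degree() != want || l.degree() != want) {
                throw new AssertionError("degree() contract violated for " + Arrays.toString(c));
            }
        }
    }
}
```

The point of the comparison: in PolyStrict the work of computing the degree was moved into the constructor, where it establishes the invariant once, and degree() is then trivially correct by the rep-inv. Drop the "no trailing zeros" clause and that one-line body becomes wrong, so the verification of degree() has to be redone from the new invariant, exactly the question the slide poses.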