Weak Arithmetic Completeness of Object-Oriented

First-Order Assertion Networks

1

28-01-2013

Stijn de Gouw, Frank S. de Boer, Richard Bubel, Wolfgang Ahrendt

Completeness: Hoare Logic

Example Hoare triple: {x=0} x := x+3 {x>0}

Completeness

if S |= {p} Stmt {q}

then {p} Stmt {q} is provable

1.Proof system (rules + axioms) for statements

2.Proof system (rules + axioms) for assertions

3.Expressiveness: strongest postcondition (in the example: x=3)

2

Existing Results

Harel: completeness for arithmetical structures (incl. finite ADTs)

Assertion language: first-order, addition and multiplication

Tucker & Zucker: completeness for arbitrary structures

Assertion language: (weak) second-order

Apt: decidable assertions suffice, but only with auxiliary variables

2

Our result

3

z.val := 2

Arrays as Objects

4

Semantics: many-sorted structure

S = (N, D1, …, Dn, I) where I(op) is a function/relation and op is a function/relation symbol

Proof sketch of our result

• Uniform instrumentation with auxiliary variables• For each computation step, record if and how the state changes

Example: field assignment e.x := e’. Add array variables• pc[i] = j if line j was executed in i-th computation step• x’’[i]=true if in the i-th step, the field x of some object was changed• x’[i]= <o,v> if in the i-th step, the value v was assigned to field x of object o

j: pc[|pc|] := j; x’[|pc] := <e, e’>; e.x := e’; x’’[|pc|] := true; |pc| := |pc| + 1

Instrumentation allows ‘recovering’ computation in an assertion,

and consequently can define ‘reachable states’

5

Conclusion

• Express heap properties with auxiliary variables, only Presburger needed (decidable)

• Uniform instrumentation, but ‘heavy’:can do better in special cases (example)

• KeY Java theorem prover available, reasoning of object creation at abstraction level of prog language: http://keyaoc.hats-project.eu

6