Re: "\created" primitive expression for JML

> Hi all,
>
> Matias Ulbrich sent the message below to me on July 21, and I have now
> made an appropriate link on the JML Wiki for this proposal, which is:
>
>   https://sourceforge.net/apps/trac/jmlspecs/wiki/ObjectCreated
>
> Please let us know any objection to this proposal.
>
> One simplification that I've been considering is whether we should be
> default consider quantifiers to only range over created objects.

>
>         Gary T. Leavens
>         439C Harris Center (Bldg. 116)
>         School of EECS, University of Central Florida
>         4000 Central Florida Blvd., Orlando, FL 32816-2362 USA
>         http://www.eecs.ucf.edu/~leavens  phone: +1-407-823-4758
>         leavens@...
>
> ---------- Forwarded message ----------
> Date: Tue, 21 Jul 2009 10:26:00 +0200
> From: Mattias Ulbrich <mulbrich@...>
> To: Gary T. Leavens <leavens@...>, Richard Bubel
> <bubel@...>
> Subject: "\created" into the manual
>
> Dear Gary,
>
> on Friday we have talked about how we can manifest the "\created"
> feature in the reference manual. I said I'd mail to you my sourceforge
> account name, it is "mattze".
>
> I intend to add after 11.4.21 the following section:
>
> ---
>
> The syntax of a \created expression is as follows:
>
> created-expression ::= \created ( spec-expression )
>
> The argument to \created can have any reference type, and the type of
> the overall expression is boolean. \created(e) asserts that
> spec-expression e specifies an object which is created according to
> §12.5 and §10.3 of the JLS. This implies that e is not null.
>
> The point at which \created changes from false to true lies within the
> constructor of the object. This state is therefore not visible to the
> created object before its constructor has finished.
>
> The \created predicate can be used to limit a quantification over a
> reference type to those elements that have already been created, for
> instance:
>
> (\forall Node node; \created(node); node.number <= Node.counter)
>
> The state of \created can never change from true to false. We consider
> even a garbage collected object to still be created.
>
> ---
>
> By the way: \fresh can be expressed in terms of \created since
> (\forall Object o; \fresh(o) <==> \old(\created(o)) != \created(o))
>
>
> Thanks again for a very interesting week!
> Hope this week is as interesting as last week.
>
> Kind regards,
>
>     Mattias
>
>
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Jmlspecs-interest mailing list
> Jmlspecs-interest@...
> https://lists.sourceforge.net/lists/listinfo/jmlspecs-interest

>> While it seems possible to cook up artificial examples, it would seem
>> that most practical examples of quantifiers want to work on created
>> objects anyway, so we could (a) have the created field in objects and
>> (b) have a default range restriction to created objects, which would
>> simplify things from the proposal.  I had a conversation with Peter
>> Mueller about this at Dagstuhl and he seems to favor that alternative.
> In that case, the description would also need a use case for \created
> outside of a quantifier.
>
> In Dagstuhl we discussed that there was a problem with for example
> Integer objects in this case: a quantification over Integer objects
> would typically be over all possible integers, not only over those that
> happen to be created at that point in the program. I think we realised
> that for mutable objects quantification over created objects seems to be
> the default behaviour, while for immutable objects quantification over
> all objects would have to be the default.
>
> And, if the default would be to quantify over created objects only,
> there should be a way to range over all objects as well.

>> > > Hi all,
>> > >
>> > > Matias Ulbrich sent the message below to me on July 21, and I have now
>> > > made an appropriate link on the JML Wiki for this proposal, which is:
>> > >
>> > >   https://sourceforge.net/apps/trac/jmlspecs/wiki/ObjectCreated
>> > >
>> > > Please let us know any objection to this proposal.
>> > >
>> > > One simplification that I've been considering is whether we should be
>> > > default consider quantifiers to only range over created objects.
>> > > While it seems possible to cook up artificial examples, it would seem
>> > > that most practical examples of quantifiers want to work on created
>> > > objects anyway, so we could (a) have the created field in objects and
>> > > (b) have a default range restriction to created objects, which would
>> > > simplify things from the proposal.  I had a conversation with Peter
>> > > Mueller about this at Dagstuhl and he seems to favor that alternative.
>> > >
>> > >         Gary T. Leavens
>> > >         439C Harris Center (Bldg. 116)
>> > >         School of EECS, University of Central Florida
>> > >         4000 Central Florida Blvd., Orlando, FL 32816-2362 USA
>> > >         http://www.eecs.ucf.edu/~leavens  phone: +1-407-823-4758
>> > >         leavens@...
>> > >
>> > > ---------- Forwarded message ----------
>> > > Date: Tue, 21 Jul 2009 10:26:00 +0200
>> > > From: Mattias Ulbrich <mulbrich@...>
>> > > To: Gary T. Leavens <leavens@...>, Richard Bubel
>> > > <bubel@...>
>> > > Subject: "\created" into the manual
>> > >
>> > > Dear Gary,
>> > >
>> > > on Friday we have talked about how we can manifest the "\created"
>> > > feature in the reference manual. I said I'd mail to you my sourceforge
>> > > account name, it is "mattze".
>> > >
>> > > I intend to add after 11.4.21 the following section:
>> > >
>> > > ---
>> > >
>> > > The syntax of a \created expression is as follows:
>> > >
>> > > created-expression ::= \created ( spec-expression )
>> > >
>> > > The argument to \created can have any reference type, and the type of
>> > > the overall expression is boolean. \created(e) asserts that
>> > > spec-expression e specifies an object which is created according to
>> > > §12.5 and §10.3 of the JLS. This implies that e is not null.
>> > >
>> > > The point at which \created changes from false to true lies within the
>> > > constructor of the object. This state is therefore not visible to the
>> > > created object before its constructor has finished.
>> > >
>> > > The \created predicate can be used to limit a quantification over a
>> > > reference type to those elements that have already been created, for
>> > > instance:
>> > >
>> > > (\forall Node node; \created(node); node.number <= Node.counter)
>> > >
>> > > The state of \created can never change from true to false. We consider
>> > > even a garbage collected object to still be created.
>> > >
>> > > ---
>> > >
>> > > By the way: \fresh can be expressed in terms of \created since
>> > > (\forall Object o; \fresh(o) <==> \old(\created(o)) != \created(o))

> 1) As Marieke pointed out, when quantifying over objects like Strings,
>    Integers, Booleans, etc, a which are more like "values" than proper
>    "objects", quantification over all possible objects seems more
>    intuitive.
>
>     Eg, the natural way to specify one string being a prefix of  
> another
>
>     //@ ensures \result <==> (\exists String t;  
> s.concat(t).equals(this));
>     boolean isPrefix(String s)
>
>     is incorrect if the quantification is only over created objects.

>> 1) As Marieke pointed out, when quantifying over objects like Strings,
>>    Integers, Booleans, etc, a which are more like "values" than proper
>>    "objects", quantification over all possible objects seems more
>>    intuitive.
>>
>>     Eg, the natural way to specify one string being a prefix of
>> another
>>
>>     //@ ensures \result <==> (\exists String t;
>> s.concat(t).equals(this));
>>     boolean isPrefix(String s)
>>
>>     is incorrect if the quantification is only over created objects.
>
>  first, please excuse if my question has been answered earlier, does
> not add anything new or is completely of the track. Just to help my
> understanding of immutable or value-like objects in JML:
>
> Have value-like objects an implicit invariant that states that e.g.
> for each int value i there is an Integer object io such that
> io.intValue() == i resp. that for any finite character sequence there
> is a String object with matching content?

> 1) As Marieke pointed out, when quantifying over objects like Strings,
>    Integers, Booleans, etc, a which are more like "values" than proper
>    "objects", quantification over all possible objects seems more
>    intuitive.
>
>     Eg, the natural way to specify one string being a prefix of  
> another
>
>     //@ ensures \result <==> (\exists String t;  
> s.concat(t).equals(this));
>     boolean isPrefix(String s)
>
>     is incorrect if the quantification is only over created objects.

>  So there's a fairly straightforward
> semantics, in possible worlds style, along these lines:
>
>   state s satisfies (all x :: P)
>   iff
>   for all extensions t of s and (allocated) refs o in t,  t satisfies P[o/x]
>
> For t to be an extension means it contains all of s untouched, and is well
> formed (type-correct and no dangling refs).  I paused for a moment
> worrying about Kripke semantics, but methinks this and the Boogie model
> get used in such a way that they're isomorphic.  We are not using possible
> worlds to interpret implication.

> 2009/8/21 David Naumann <naumann@...>:
>>  So there's a fairly straightforward
>> semantics, in possible worlds style, along these lines:
>>
>>   state s satisfies (all x :: P)
>>   iff
>>   for all extensions t of s and (allocated) refs o in t,  t satisfies P[o/x]
>>
>> For t to be an extension means it contains all of s untouched, and is well
>> formed (type-correct and no dangling refs).  I paused for a moment
>> worrying about Kripke semantics, but methinks this and the Boogie model
>> get used in such a way that they're isomorphic.  We are not using possible
>> worlds to interpret implication.
>
> This is a nice way of formulating the idea. I wonder, however, whether the heap
> extensions could establish the invariants of their created objects
> (which, I assume,
> would be the desired semantics). The problem is that invariants may make use
> of quantifiers themselves, leading to not well-founded definitions.
>
> Consider
> class IntTest {
>   //@ ghost \bigint value;
>   //@ invariant (\exists IntTest it; it.value > value);
> }
>
> Evaluating the invariant for the first instance of IntTest would
> require to check the
> invariant in an extended state, which, again, would require to check it in an
> extension of that state, ... an infinite chain of states would have to
> be evaluated to
> check the invariant.
>
> Does it hold? Does it hold when replacing "\bigint" by "int"?
>
> I reckon therefore we can probably *not* assume that the elements of
> the extension
> of the heap over which we quantify have their invariants fulfilled.
> That would be strange
> also.

> On Sat, 22 Aug 2009, Mattias Ulbrich wrote:
>> 2009/8/21 David Naumann <naumann@...>:
>>>  So there's a fairly straightforward
>>> semantics, in possible worlds style, along these lines:
>>>
>>>   state s satisfies (all x :: P)
>>>   iff
>>>   for all extensions t of s and (allocated) refs o in t,  t satisfies P[o/x]
>>>
>>> For t to be an extension means it contains all of s untouched, and is well
>>> formed (type-correct and no dangling refs).  I paused for a moment
>>> worrying about Kripke semantics, but methinks this and the Boogie model
>>> get used in such a way that they're isomorphic.  We are not using possible
>>> worlds to interpret implication.
>>
>> This is a nice way of formulating the idea. I wonder, however, whether the heap
>> extensions could establish the invariants of their created objects
>> (which, I assume,
>> would be the desired semantics). The problem is that invariants may make use
>> of quantifiers themselves, leading to not well-founded definitions.
>>
>> Consider
>> class IntTest {
>>   //@ ghost \bigint value;
>>   //@ invariant (\exists IntTest it; it.value > value);
>> }
>>
>> Evaluating the invariant for the first instance of IntTest would
>> require to check the
>> invariant in an extended state, which, again, would require to check it in an
>> extension of that state, ... an infinite chain of states would have to
>> be evaluated to
>> check the invariant.
>>
>> Does it hold? Does it hold when replacing "\bigint" by "int"?
>>
>> I reckon therefore we can probably *not* assume that the elements of
>> the extension
>> of the heap over which we quantify have their invariants fulfilled.
>> That would be strange
>> also.
>
> Thanks, that's a very nice example!  For purposes of formalizing a
> semantics, dependency on an infinite number of entities does not seem to
> be a show-stopper, although it might be a bit too fun for RAC.  I agree we
> should seek a notion in which invariants hold (keeping in mind that there
> are many unsettled issues about invariantst).
>
> Your example seems to refute my claim that the two semantics are
> isomorphic.  The first one I described treats the heap as an array indexed
> by the infinite set of references together with fields including one
> called 'alloc'.  In an infinite heap it's quite possible that every
> instance of IntSet satisfies its invariant - provided there are infinitely
> many instances.
>
> Here's a variation on the invariant
>  this.\alloc ==> (\exists IntTest it; it.value > value && it.\alloc)
>
> If one IntSet is allocated, and all instances satisfy the invariant, then
> there must be infinitely many allocated.  Perhaps this is compatible with
> the axiomatizatic semantics of some verifiers based on this heap model.
>
> In the second semantics I described, I intend to model only the allocated
> objects so the heap is finite and the only way for all instances of
> IntTest to satisfy their invariant is for there to be no instances.  One
> lesson of the example is that an invariant can be unsatisfiable for
> nonobvious reasons concerning the language semantics.
>
> In several published methodologies for invariants there are restrictions
> on the declarations of object invariants, in particular disallowing or
> restricting the use of quantifiers.  Quantifying over allocated objects
> already has hazards (e.g., see Pierik, Clarke, and deBoer in FM'05).
>
> cheers, dave
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Jmlspecs-interest mailing list
> Jmlspecs-interest@...
> https://lists.sourceforge.net/lists/listinfo/jmlspecs-interest
>
>