mic and data re nement rules is given, for instance, in 7, 17]. Let us brie y .... Dynamic creation of an object of type (C) and association of a pointer p : pointer to ...
Class Re nement as Semantics of Correct Subclassing Ralph Back, Anna Mikhajlova, Joakim von Wright
Turku Centre for Computer Science TUCS Technical Report No 147 December 1997 ISBN 952-12-0114-2 ISSN 1239-1891
Abstract Constructing new classes from existing ones by inheritance or subclassing is a characteristic feature of object-oriented development. Imposing semantic constraints on subclassing allows us to ensure that subclass instances may be substituted for the corresponding superclass instances without invalidating the clients. We de ne the class re nement relation which captures these semantic constraints. Clients of class instances are modeled as programs making an iterative choice over invocation of class methods, and we prove that when a subclass re nes its superclass, substituting subclass instances for superclass instances is re nement for the clients.
Keywords: correctness, class re nement, subclassing, code inheritance, substitutability, semantics of object-oriented constructs
TUCS Research Group
Programming Methodology Research Group
1 Introduction The issue of correctness of object-oriented programs deserves close consideration in view of the popularity of this programming style and the necessity to enhance reliability of programs. We consider here correctness of the class construction mechanism known as subclassing or inheritance. We formalize classes and relationships between them in a logic framework known as the re nement calculus [4, 17, 7], which is used for reasoning about correctness of programs and their re nement in a rigorous, mathematically precise manner. Re nement calculus is particularly suited for describing object-oriented programs because it allows us to describe classes at various abstraction levels, using speci cation statements along with ordinary executable statements. The notion of an abstract class, specifying behaviour common to its subclasses, can be fully elaborated in this formalization, since the state of class instances can be given using abstract mathematical constructions, like sets and sequences, and class methods can be described as nondeterministic statements, abstractly but precisely specifying the intended behaviour. Our formalization of classes is based on the simply typed lambda calculus; yet it is powerful enough to model subtyping polymorphism and dynamic binding of methods. For modeling subtyping polymorphism we employ sum types as suggested in [8] and further developed in [16]. Using summations allows us to model contravariance and covariance on method parameters in a simple way. Reasoning about method calls with dynamic binding is also quite simple in this model. Behaviour of subclass instances must be consistent with that of superclass instances to allow polymorphic substitutability, which is central to the object-oriented approach. Subclass instances are guaranteed to behave as expected from instances of the corresponding superclass if the subclass is a re nement of the superclass. We give a de nition of class re nement, which we regard as semantics of correct subclassing, and relate it to substitutability of subclass instances for superclass instances in clients. Namely, we prove that when a class C 0 re nes a class C , substituting instances of C 0 for instances of C is re nement for the clients.
2 Re nement Calculus Basics We formalize objects, classes, and relationships between them in the re nement calculus, which is a logic framework for reasoning about correctness and re nement of imperative programs. Let us brie y introduce the main concepts of this formalism. 1
2.1 Predicates, Relations, and Predicate Transformers
A program state with components is modeled by a tuple of values, and a set of states (type) � is a product space, � = �1 : : : �n . A predicate over � is a boolean function p : � Bool which assigns a truth value to each state. The set of predicates on � is denoted �. The entailment ordering on predicates is de ned by pointwise extension, so that for p; q : �, p q = b ( � : � p � q �) Conjunction and disjunction of (similarly-typed) predicates are also de ned pointwise. A relation from � to ? is a function of type � ? that maps each state � to a predicate on ?. We write � ? to denote a set of all relations from � to ?. This view of relations is isomorphic to viewing them as predicates on the cartesian space � ?. A function f : � ? can always be lifted to a (deterministic) relation f : � ?: �
�
!
P
P
�
8
\
�
)
[
! P
$
�
!
j
j
j
$
f j� = b f� =
Functional and relational compositions are de ned in a standard way. For functions f : � ? and g : ? �, their composition (f ; g) is equal to �� g (f �). For relations P : � ? and Q : ? �, we have !
!
�
$
$
(P ; Q) � � =b P � 9
�
^
Q �
A predicate transformer is a function S : ? � from predicates to predicates. We write � ? =b ? � to denote a set of all predicate transformers from � to ?. The re nement ordering on predicate transformers is de ned by pointwise extension from predicates. For S; T : � ?, P
7!
P
! P
! P
7!
S
v
T = b (8q : P ? � S q
�
T q)
2.2 Product Operators
Product operators combine predicates, relations, and predicate transformers by forming cartesian products of their state spaces. For predicates p : � and q : ?, their product p q is a predicate of type (� ?) de ned by P
P
�
P
(p q) (�; ) =b p � �
^
�
q
A product f g of two functions f : �1 ?1 and g : �2 function of type (�1 �2 ) (?1 ?2 ) de ned by �
!
�
!
�
(f g) (�1 ; �2 ) =b (f �1 ; g �2 ) �
2
!
?2 is a
A product P Q of two relations P : �1 ?1 and Q : �2 ?2 is a relation of type (�1 �2 ) (?1 ?2 ) de ned by (P Q) (�1 ; �2 ) ( 1 ; 2 ) =b P �1 1 Q �2 2 For predicate transformers S1 : �1 ?1 and S2 : �2 ?2 , their product S1 S2 is a predicate transformer of type �1 �2 ?1 ? 2 whose execution has the same e�ect as simultaneous execution of S1 and S2 : (S1 S2 ) q =b ( q1 ; q2 q1 q2 q S1 q1 S2 q2 ) In addition to many other useful properties, presented e.g., in [8, 6], the product operator preserves re nement: S1 S10 S2 S20 (S1 S2 ) (S10 S20 ) For S : � � we de ne lifting to a product predicate transformer of type � ? � ? as S skip. Similarly, lifting S to a product predicate transformer of type ? � ? � is de ned by skip S . �
$
�
$
$
�
�
^
7!
7!
�
�
�
v
[
^
j
v
�
)
�
�
�
7!
�
�
v
�
7!
�
7!
�
�
�
7!
�
�
2.3 Sum Types and Operators
For modeling subtyping polymorphism and dynamic binding we employ sum types. The sum or disjoint union of two types � and ? is written � + ?. The types � and ? are called base types of the sum in this case. Sum types, as well as product types, associate to the right, so that �1 + �2 + �3 = �1 + (�2 + �3 ). Associated with the sum types, are the injection functions which map elements of the base type to elements of the summation �1 : � � + ? �2 : ? � + ? and projection relations which relate elements of the summation with elements of its base types �1 : � + ? � �2 : � + ? ? The projection is the inverse of the injection, so that �1?1 = �1 , where �1 is the injection function lifted to a relation. Since any element of � + ? comes either from � or from ?, but not both, the ranges of the injections ran �1 and ran �2 partition �+?. For � : �+?, the projection �1 will relate it to a unique �0 : � only if � ran �1 , and similarly for �2 . We de ne the type � to be a subtype of �0 , written � demonic update of a functional relation f is equal to > > < a functional update of a function f : [ f ] = f , = > distribution of sequential composition through functional updates, > > de nition > : ; of functional composition, logic [�u �(x0 ; u0 ) x0 = e u = u0 ]; K skip; �((self ; x0 ); u) (self ; (self ; x0 ); u) ; �(c; (self ; x0 ); u) (c; u) ; S ; �(c; u) u n o focus on a subexpression [�u �(x0 ; u0 ) x0 = e u = u0 ]; K skip; n o general rule skip [R?1 ]; R [�u �(x0 ; u0 ) x0 = e u = u0 ]; [(�?0 Id )?1 ]; �?0 Id ; K skip ( ) distribution of sequential composition through demonic updates, de nition of relational composition, logic [�u �(x00 ; u0 ) x00 = �?0 e u = u0 ]; �?0 Id ; K skip ( ) product distribution through angelic updates, then product distribution through sequential composition (b) [�u �(x00 ; u0 ) x00 = �?0 e u = u0 ]; ( �?0 ; K ) skip n o assumption [�u �(x00 ; u0 ) x00 = �?0 e u = u0 ]; (K 0 ; R �?0 ) skip ( ) product distribution through sequential composition (b), then product distribution through angelic updates [�u �(x00 ; u0 ) x00 = �?0 e u = u0 ]; K 0 skip; (R �?0 ) Id �
�
�
�
�
�
�
^
�
�
�
h
�
h
�
^
i
i
h
�
i j
j
�
�
�
h
^
j
h
i
�
�
h
j
i
�
i
h
�
i
v
�
�
v
^
v
�
f
�
�
f
�
g
^
�
g
�
�
�
�
^
�
�
^
�
�
^
�
�
^
f
�
g
�
�
f
g
�
v
f
g
�
�
�
26
�
f
�
�
g
�
[�u �(x00 ; u0 ) x00 = �?0 e u = u0 ]; K 0 skip; (R �?0 ) Id ; �((self ; x0 ); u) (self ; (self ; x0 ); u) ; �(c; (self ; x0 ); u) (c; u) ; S ; �(c; u) u ( ) de nition of sequential composition, de nitions of angelic and functional updates, logic [�u �(x00 ; u0 ) x00 = �?0 e u = u0 ]; K 0 skip; �((self 0 ; x00 ); u) (self 0 ; (self 0 ; x00 ); u) ; R (R �?0 ) Id ; �(c; (self ; x0 ); u) (c; u) ; S ; �(c; u) u n o de nitions, logic [�u �(x00 ; u0 ) x00 = �?0 e u = u0 ]; K 0 skip; �((self 0 ; x00 ); u) (self 0 ; (self 0 ; x00 ); u) ; �(c0 ; (self 0 ; x00 ); u) (c0 ; u) ; R Id ; S ; �(c; u) u n o general rule skip [R?1 ]; R , de nition of [�u �(x00 ; u0 ) x00 = �?0 e u = u0 ]; K 0 skip; �((self 0 ; x00 ); u) (self 0 ; (self 0 ; x00 ); u) ; �(c0 ; (self 0 ; x00 ); u) (c0 ; u) ; S (R Id ); R Id ; �(c; u) u n o de nitions, logic [�u �(x00 ; u0 ) x00 = �?0 e u = u0 ]; K 0 skip; �((self 0 ; x00 ); u) (self 0 ; (self 0 ; x00 ); u) ; �(c0 ; (self 0 ; x00 ); u) (c0 ; u) ; S (R Id ); �(c0 ; u) u n o de nitions create var c0:C 0(e); S (R Id ); end ^
�
�
f
�
�
h
�
h
v
i
�
f
�
�
g
�
�
i
i
f
g
#
^
�
�
i
�
h
�
h
#
i
i
v
i
�
�
�
h
�
g
�
g h
�
i
^
�
�
i
�
�
i
#
2
h
^
�
�
h
�
i
�
h
h
�
�
f
i
i
�
�
f
�
^
�
h
v
h
�
h
v
i
�
�
h
v
�
g
#
�
h
�
i
�
Lemma 2 Let classes C and C 0 have methods Mi : �(� ?i �i) and �
�
Mi0 : �(�0 � ?0i � �0i ) with ?i
