Modular Specification of Encapsulated Object-Oriented Components

fields may only depend on the fields of the box. interface SimpleGameObserver { Position observedPos; Game obsGame; } interface Game { Position currentPos; Color player; void move( MoveDescr md ) void swapPlayers() } Example: 3. Specification Technique: Invariants (1) Problems with invariant: • Where should they hold? • What are the fields they may depend on? • Invariants cause a modularity problem: Invariants of all classes have to hold in the prestate of a call! Specification invariant for GamingSystem: invariant forall o in obs: o.observedPos == o.obsGame.currentPos Example: class C { void me( D x ) { ... x.foo(); } } 3. Specification Technique: Invariants (2) • Invariants may only depend on the fields of the box. • Invariants have to hold whenever the thread is outside the box. • This helps to solve the modularity problem. Approach to invariants: • Implicit unpack/pack mechanism whenever box boundary is crossed. • Invariant may depend on execution state (type states). Discussion: 3. Specification Technique: Method Behavior (1) Method specification: • Changes to local state and result • Changes to the environment • What is left unchanged • Reentrance behavior Frame problem Example: box interface ObservableGame { references Observer* gameObs; ObservableGame() void move( MoveDescr md ) void register( external Observer go ) ... } interface Observer { void stateChanged() } 3. Specification Technique: Method Behavior (2) Existing approach to frame problem: • Describe what is allowed to be modified (modifies clause) • What is not mentioned in the modifies clause may not change • Loose coupling, information hiding, and abstraction is difficult to handle Box-based approach to frame problem: • Specify what is left unchanged in the box • Specify calls on external objects allows for modular verification 3. Specification Technique: Method Behavior (3) Technique for specifying outgoing calls: • Refinement calculi / grey box specifications (R. Back / M. Büchi) • ( Process calculi ) box interface ObservableGame { ... void move( MoveDescr md ) requires legal(md,currentPos) behavior currentPos = doMove(md,currentPos); forall o in gameObs { o.stateChanged() } any( cmd :: legal(cmd,currentPos) ) { currentPos = doMove(md,currentPos); forall o in gameObs { o.stateChanged() } } ensures unchanged([player,state,gameObs]) ... } Example: Problem: Reentrance DR AF T 3. Specification Technique: Method Behavior (4) Approach to reentrance: • Grey box specifications • Type states to restrict callable methods void move( MoveDescr md ) requires legal(md,currentPos) && state == VALID behavior state = OBSERVABLE; currentPos = doMove(md,currentPos); forall o in gameObs { o.stateChanged() } any( cmd :: legal(cmd,currentPos) ) { currentPos = doMove(md,currentPos); forall o in gameObs {o.stateChanged() } } state = VALID; } ensures unchanged([player,state,gameObs]) Example: Only readPos is executable if state == OBSERVABLE