Forward simulation for data refinement of classes

Ana Cavalcanti (1) and David A. Naumann (2)

(1) Centro de Informática, Universidade Federal de Pernambuco, P.O. Box 7851, 50740-540 Recife PE, Brazil
    alcc@cin.ufpe.br  www.cin.ufpe.br/~alcc
(2) Department of Computer Science, Stevens Institute of Technology, Hoboken NJ 07030, USA
    naumann@cs.stevens-tech.edu  www.cs.stevens-tech.edu/~naumann

Abstract. Simulation is the most widely used technique to prove data refinement. We define forward simulation for a language with recursive classes, inheritance, type casts and tests, dynamic binding, class-based visibility, mutable state (without aliasing), and specification constructs from refinement calculi. It is a language based on sequential Java, but it also includes specification and design mechanisms appropriate for the construction of programs based on refinement. We show simulation to be sound for data refinement of classes in this language.

Keywords: object-orientation, data refinement, soundness of simulation, program analysis and verification.

1 Introduction

Simulation is a well-established technique for showing data refinement (or equivalence) between systems. Its use is ubiquitous in program analysis, verification of hardware and software systems, and theoretical studies. It is also the basis for standard definitions of behavioral subclassing [24,20].

Our contribution is to define and prove sound a notion of simulation for proving refinement of class implementations in a sequential object-oriented language. We extend simulation to a considerably richer language than has been treated hitherto, including several core features of refinement calculi [26] and Java-like languages: class-oriented visibility, inheritance, dynamic binding, mutable state, type casts and tests (instanceof), and specification statements. Our language has recursive methods and mutually recursive class declarations.

Our work is part of a project addressing program development, transformation, and compilation. We are concerned with refinement laws that capture stepwise development and refactoring [13] of class hierarchies. In this context, the ability to treat specifications as program fragments is important; it is useful in modular program analysis [12], compilation by transformation [17], stepwise development [26], and specification of callback patterns [5,35,21]. However, our result does not depend on the presence of specifications.

For expressiveness, specification statements are usually combined with angelic variables (logical constants). Because these specification constructs prescribe observable behavior without implementation, they cannot be directly

statements need not be continuous. We give a predicate transformer semantics, extending the standard model of imperative refinement calculi [3,26]. In previous work [6,7] we showed that the semantics can be defined using transformers that act on predicate formulas, which is convenient for direct application in program development [26]. To prove soundness of simulation, however, we need to construct induced simulation relations that are difficult to express and manipulate as formulas. For the present work, we adapted the semantics to one using sets of states as in, e.g., [3]; this is discussed in depth in [9].

Class refinement is a form of data abstraction. Our notion is based on the traditional notion of data refinement for imperative programs [15,11]. For a class declaration cdc to be a refinement of an alternative declaration cda for the same class means that replacing cda by cdc in the context of any complete program yields a refinement of that program. Refinement of programs is algorithmic refinement with respect to pre-post specifications. Simulation provides a means of proving class refinement without having to consider all contexts.

Our main result is a soundness theorem, which says that class refinement follows from simulation, or more precisely, from the existence of a coupling invariant that is a simulation for the methods of the classes. Thus, to prove that cdc improves cda in all contexts, it suffices to prove simulation for the methods of cda and cdc. The coupling invariant is a predicate on a cdc object and a cda object, and simulation for commands has the usual definition [15,11].

Unlike recent work on verification of Java programs, our result does not depend on behavioral subclassing. By contrast with class refinement, behavioral subclassing is concerned with two coexisting classes, one declared to be a subclass of the other. As we discuss in [7], the formulation of behavioral subclassing in terms of contexts is not obvious in the presence of type casts and tests. Several authors sidestep such complications by taking simulation, which we view as a proof technique, to be the definition of behavioral subclassing [24]. Moreover, formal treatments in the literature typically ignore type casts and tests.

To see the difficulty, suppose CPt is a declared subclass of Pt and expression e has static type Pt. A context including the command

    if e is CPt → abort [] ¬(e is CPt) → skip fi

precludes us from using objects of CPt as if they were of class Pt, regardless of how the methods of CPt are defined. There has been extensive work on typing systems that avoid the need for type tests (and casts, which pose similar problems); but we are interested in correctness of programs in Java-like languages. Our result shows that casts and tests do not pose a problem for simulation.

The precise definition of simulation is asymmetric; it caters for refinement by reducing nondeterminacy and failure. In the presence of nondeterminacy, this notion of simulation is incomplete: there are refinements for which no simulation exists. The term forward is used to distinguish this notion from the backward simulations that are needed for completeness [25,11]. We consider only forward simulation, although our language includes nondeterministic guarded commands

ples. Many works restrict attention to forward simulation (or even the special case of functional relations [28,21]), even taking it to be the definition of data refinement [3] or behavioral subclassing [24].

Soundness and completeness results are known for many languages, including general transition systems [25], first order imperative languages [11], higher order functional [32] and imperative languages [36,29], and applicative object-oriented languages [22]. For concurrent (first order) programs, nondeterminacy poses interesting challenges for completeness, but formalizing the notion of simulation is straightforward: each of the two programs is in a fixed state space, for which the coupling invariant is given. The same is true of standard treatments of first order imperative programs [15,11]. By contrast, the type constructors of functional languages require coupling invariants to be type-indexed families of relations, usually induced from given relations on the base types [30]. The inductive construction is more complicated for recursively defined data types, and thus, for the recursively defined classes addressed here.

In early work, coupling invariants are restricted to functions, and functional simulations are still widely used (e.g., [12]) due to their ease of manipulation. Later work allowed relations, subject to conditions such as totality and surjectivity that were later found unnecessary in some settings [15]. Our work has brought to light new healthiness conditions related to the inductive construction of relations as well as the need for totality and surjectivity to treat specification constructs. Surjectivity is also used in our treatment of local variables, but it is avoidable as discussed in Section 5.

As in previous work on data refinement, our language does not include pointers. We treat object values as nested tuples (trees); assignment and parameter passing have copy rather than reference semantics. In verification-oriented work, an explicit model of the heap is typically used, and this works as well for object-oriented languages [1,12,31]. Aliasing, in general, violates encapsulation and invalidates simulation; only recently practical restrictions have been found to constrain aliasing sufficiently to achieve encapsulation [4,23]. Here we choose copy semantics to focus on the nontrivial challenges posed by other features. Section 5 discusses promising prospects for adding pointers.

Section 2 describes the syntax and semantics of the language, called rool; it also includes the definition of class refinement. Section 3 defines simulation and Section 4 proves the main results. Section 5 gives our conclusions. Complete definitions and proofs of all results can be found in [8]. A detailed presentation of the semantics appears in [9].

2 Syntax, Semantics, and Refinement

This section describes the syntax of our language, including the typing judgements on which the semantics is defined. Afterwards, we define class refinement and conclude with a sketch of the semantics.

    class Stack
        prot elt : int; empty : bool
        pri rest : Stack
        meth push ≙ (val e : int •
            var t : Stack •
                t := new Stack;
                t.rest := rest; t.elt := elt; t.empty := empty;
                rest := t; elt := e; empty := false
            end)
        meth top ≙ (res e : int • e : [¬empty, e = elt])
        meth sum ≙ (res s : int •
            if empty → s := 0
            [] ¬empty → rest.sum(s); var x : int • self.top(x); s := s + x end
            fi)
    end
    class IncStack extends Stack
        meth top ≙ (res e : int • if ¬empty → e := elt + 1 fi)
    end
    • var s : Stack • s := new IncStack; s.push(x); s.push(y); s.sum(z) end

Fig. 1. rool program example, with global variables x, y, z : int.

2.1 Language and Typing

A program in rool takes the form cds • c where cds is a sequence of class declarations and c is the main command, whose free variables represent the inputs and outputs. In the example in Figure 1, the main command has free variables x, y, z. The class Stack in Figure 1 contains three attributes: elt, recording the element at the top, empty, a boolean that records whether the stack is empty or not, and rest, recording the other elements. The first two attributes are protected: visible in Stack and in its subclasses; the last attribute is private to Stack. Classes can also have public attributes. The type of rest is Stack, so this is a recursive class. Attributes are implicitly initialized to 0, false, or null as in Java.

The method push in Stack has an integer value parameter e. rool also has result parameters, to model return values, and value-result parameters which are needed for expressiveness, as assignment has copy semantics. Method bodies are parameterized commands in the style of [2,10]. In push, a local variable t of type Stack is initialized to hold a new Stack and its attributes are initialized to those of the current (Stack) object. Because of the copy semantics, this is equivalent to the assignment t := self, where t is initialized with a copy of the current object self. Nevertheless, we are primarily interested in reasoning about programs as they are written in a language with reference semantics.

parameter e is specified to take the value of the element at the top of the stack, if it is not empty. If it is, the behavior of top is unpredictable.

The method sum calculates the sum of the elements of the stack. It is recursive, as it calls itself on the object rest. Also, it calls the method top of Stack on the current object. We refer to these calls as self method calls.

Class IncStack is a subclass of Stack, redefining method top so that, if the stack is not empty, it returns through e the value at the top plus 1. This illustrates that our results do not require behavioral subclassing. The method top of IncStack does not refine that of Stack, so IncStack does not refine Stack.

The main command constructs an IncStack and assigns it to a local variable s. The first two method calls push the values x and y. The inherited method push constructs Stack objects, so s has type IncStack, but s.rest has type Stack. The call s.sum assigns to z the value x + (y + 1), due to dynamic binding for self.top.

The example is designed to illustrate rool, not class refinement. In the next section we present another definition for Stack that refines that in Figure 1.

We formalize the syntax using a relation Γ; Σ; N ▷ c : com, which characterizes the commands c that are well-typed in the context defined by type environment Γ, local signature Σ, and class N. To characterize typing for the main commands, we use a class name main, distinct from all declared classes. We refrain from giving the detailed definition for type environments Γ; they are symbol tables that record the declared classes, their attributes and methods, the typing and visibility declarations, and the class hierarchy. A local signature Σ records method parameters and local variables in scope, as well as the visible attributes of the current class N. The typing judgement Γ; Σ; N ▷ c : com means that c can occur in the body of a method of N, whose parameters are recorded in Σ, if the local variables in Σ are in scope. As an example, the local signature for the inner scope of method push is elt : int; empty : bool; rest : Stack; e : int; t : Stack.

We also have a relation Γ; Σ; N ▷ pc : pcom(pds) for well-typed parameterized commands pc with parameters pds. There are relations for expressions and predicates as well. Typing rules and definitions for auxiliary functions can be found in [7,8]. As an example, we give the typing rule for self method calls.

    Γ; Σ; N ▷ self.m : pcom(pds)      Γ; Σ; N ▷ e : T
    norep(rvrargs pds e)      aptype pds e T
    ----------------------------------------------------
    Γ; Σ; N ▷ self.m(e) : com

The call self.m(e) is well-typed if e is a well-typed (list of) expressions and self.m is well-typed: m is declared or inherited in N with parameter declarations pds. Result and value-result arguments cannot be repeated; this is enforced by the condition norep(rvrargs pds e), using auxiliary functions norep and rvrargs. The types of the arguments have to be compatible with those of the parameters. This is enforced by the condition aptype pds e T.

Finally, a program cds • c is well-typed in the context of a signature Σ, written Σ ▷ cds • c : program, provided that c is typable as Γ; Σ; main ▷ c : com. The typing environment Γ records the information in cds.

Besides characterizing well-typed programs, the typing judgements record context information that is used in the semantic definitions. The semantics is discussed in Section 2.3.

2.2 Refinement

The semantics [[Σ ▷ cds • c : program]] of a complete program in the context of a signature Σ is the semantics [[Γ; Σ; main ▷ c : com]] of its main command c, where Γ is the typing environment determined by the class declarations in cds. The command denotes a predicate transformer. We write ⊑ for the pointwise order on predicate transformers; this models algorithmic refinement.

We also write ⊑ for program refinement, a relation we define below. It is the basic notion of refinement on which we base our study of class refinement.

Definition 1 (Program Refinement). For sequences of class declarations cds and cds′, and commands c and c′ with global variables Σ, we define

    (cds • c) ⊑ (cds′ • c′)

if and only if

    [[∅; Σ ▷ (cds • c) : program]] ⊑ [[∅; Σ ▷ (cds′ • c′) : program]]

One way to refine a program is to refine its command part. In this paper, we are concerned with the other way: refining classes in cds.

Class refinement requires that any complete program that uses the original abstract class declaration is refined when it is replaced with the alternative concrete declaration. Program refinement, however, compares programs that act on the same state space: the same global variables. For this reason, this state space cannot contain values of the refined class.

To formalize this restriction we define N-free types. A variable of such a type cannot have as value or as component an object of N or of its subclasses. For a value, attribute, parameter, or local variable of a class type, we use the term component for its attributes, the attributes of its object-valued attributes, and so on. The components of a class are its attributes and their components.

Definition 2 (Class Refinement). For a sequence of class declarations cds, and class declarations cda and cdc, that introduce a class called N, for instance, we define cds ▷ cda ≼ cdc if and only if (a) cds cda and cds cdc are both well-formed; (b) for all commands c that use only methods in cds and cda and whose global variables have types that are N-free, if c is well-typed for cds cda; main, then c is well-typed for cds cdc; main; and (cds cda • c) ⊑ (cds cdc • c).

The typing requirement ensures that the methods provided by cdc include those provided by cda, with the same signatures.

    class Stack
        prot elt : int; empty : bool
        pri others : seq int
        meth push ≙ (val e : int • others := ⟨elt⟩ ⌢ others; elt := e; empty := false)
        meth top ≙ (res e : int • e : [¬empty, e = elt])
        meth sum ≙ (res s : int •
            if empty → s := 0
            [] ¬empty → var x : int • self.top(x); s := x + (sums others) end
            fi)
    end

Fig. 2. New definition for class Stack

To see why the restriction to global variables that are N-free is necessary, consider c with a global variable of some class with an attribute of type Stack. The semantics of c in the context cds cdc is different from its semantics in context cds cda, so it does not make sense to compare them by algorithmic refinement ⊑. The restriction allows, however, that stacks appear in (components of) local variables of c, and also in parameters and local variables of methods called (directly or indirectly) by c. In Section 5 we discuss a less restrictive treatment.

For simple functional languages, it is easy to express that values of the refined class are used only internally: the class type does not appear in the program's type. For simple imperative languages, many sources consider a local variable [26] or a model thereof [15,11] for internalization. In practice, modules are used to encapsulate data structures and definitions of abstract data types that can be multiply instantiated. Our class construct is of this kind.

As an example, we present in Figure 2 a new definition for the class Stack presented in the previous section. It has the same protected attributes as before. Its private attribute rest, however, is replaced with a sequence of integers others. The methods push and sum are changed accordingly; we use a built-in function sums that calculates the sum of a sequence of integers. This new definition of Stack refines the previous one: a fact we can prove using our main results.

In this example, the declarations are equivalent: each refines the other. If, however, we change the definition of the method top in Figure 2 so that it does not abort when the stack is empty, then we have a proper refinement. In another example, we can have a bounded array implementation, whose push operation aborts if the array size is exceeded. It is properly refined by the implementations in both Figure 1 and 2, since their push methods do not abort.

2.3 Semantics

The semantics is based on states of methods. A state is a partial function that gives values to attributes of the current object, and to parameters and local variables; it also records the class of the current object in an extra attribute

in Figure 1 has myclass = Stack, and also maps elt, empty, rest, e, and t to their values.

For each type T, we define the set V[[Γ; T]] of values of type T. Like the semantic domains defined in the sequel, this one depends on an environment Γ which is needed in the case that T is a class name. For a class type N, the values V[[Γ; N]] include the object values of that class: null and partial functions like states that, however, give only values to attributes of N or one of its subclasses. The values of the attributes are given in accordance with their types in Γ.

The set S[[Γ; Σ; N]] contains all states for N and its subclasses, and for the signature Σ. For an empty signature we have S[[Γ; ∅; N]] = V[[Γ; N]] \ {null}. Similarly, if the signature Σ contains only the visible attributes (vattr N) of N, but no parameters or local variables, then S[[Γ; (vattr N); N]] = V[[Γ; N]] \ {null}. The role of these attributes in the signatures is just to simplify typing rules.

A predicate on Γ; Σ; N is an element of P S[[Γ; Σ; N]]. The set T[[Γ; Σ; N]] of predicate transformers for Γ, Σ, N contains the total monotonic functions on such predicates.

For a parameter declaration pds, we define the set PC[[Γ; Σ; N; pds]] of parameterized command meanings by induction on pds, following the approach of [2]. If pds is empty, this is T[[Γ; Σ; N]]. If pds has the form val x : T; pds′, then PC[[Γ; Σ; N; pds]] is the set of functions from V[[Γ; T]] to PC[[Γ; Σ; N; pds′]]. Finally, if pds has the form res x : T; pds′ or vres x : T; pds′, the meaning is the set of functions from names (result and value-result arguments) y to PC[[Γ; (Σ ∪ (y : T)); N; pds′]]. This is a dependent function space: applying a parameterized command to a result or value-result argument y yields a parameterized command meaning in a state space Σ ∪ (y : T) that includes y. We impose technical restrictions to ensure that, if y already occurs in Σ, then it has type T there, so the union yields a well-formed local context. In [8] we show that the semantics using this dependent function space is an accurate model for parameter passing, given mild restrictions on the use of names.

The function spaces above model a multi-parameter command as a curried function. Nonetheless, parameterized commands are always applied to all of their arguments, in the form of a list. As shown below, this mismatch is reconciled in the semantics of method calls using an auxiliary function uncurry.

Due to the presence of method calls, the semantics of commands depends on that of the methods in each class. The set E[[Γ]] contains all the environments η that record, for each class N in Γ, meanings for all methods m inherited or declared by N. Thus η N m is a parameterized command meaning in PC[[Γ; ∅; N; pds]], where pds is the parameter declaration of m.

The semantics is defined by induction on typing rules; there is one rule for each syntactic construct. For η in E[[Γ]], we define [[Γ; Σ; N ▷ c : com]] η to be an element of T[[Γ; Σ; N]]. Most definitions are adaptations of the standard ones for simple imperative programs [26]. The semantics of method calls is more interesting; we give that of self.m(e).

distinguish the visible attributes (vattr N) of N from the local variables and parameters Σ. For any state σ in S[[Γ; ((vattr N); Σ); N]] and subset ψ of the same state space, we define

    σ ∈ [[Γ; ((vattr N); Σ); N ▷ self.m(e) : com]] η ψ
      ⇔ σ ∈ lift vs pt (ψ ∩ S[[Γ; Σ; N′]])
    where
      N′ = σ myclass;   pds = Γ.meth N′ m
      arglist = args ((vattr N); Σ) N pds e σ
      pt = uncurry (η N′ m) arglist;   rs = rvrargs pds e;   vs = rs ⩤ Σ

The class N′ is the dynamic class of self. The parameterized command meaning (η N′ m) is applied to the list of arguments arglist to get an appropriate predicate transformer pt; arglist is determined from e by the function args, that evaluates the arguments passed by value and keeps the variables passed by result or value-result. Application requires an iterated form of uncurrying, as explained above.

The predicate transformer pt is for a signature that contains the visible attributes of N′ and the parameters. The function lift extends it to the signature at the point of the call. Result and value-result arguments rs do not need to be considered because the application of the parameterized command meaning produces a predicate transformer for these variables. Therefore, we lift pt to vs, the signature obtained by removing rs from Σ. The symbol ⩤ denotes the domain subtraction operator. Finally, the intersection of ψ with S[[Γ; Σ; N′]] ensures that the lifted pt is applied in its domain: sets of states of the subclass N′ of N.

The semantics thus defined is, of course, the basis for our main soundness result presented later on.
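The curried parameterized-command meanings of Section 2.3 and the role of uncurry in a method call, as an added example in Python that is not code from the paper. It models a state as a dict, a predicate as a function from states to booleans, and a predicate transformer as a function from a postcondition to its weakest precondition; the specification statement quantifies result values over a small constructed domain VALUES. The names assign, spec, seq, wp_of_call and demo, the sample states NONEMPTY and EMPTY, and the modelling of top and of the push of Figure 2 are this example's own; a val parameter consumes an argument value and a res parameter consumes the argument's name, as the dependent function space in the text describes.

```python
"""Added example (not from the paper): curried parameterized-command meanings
and `uncurry`, on a dict-based weakest-precondition model."""
from typing import Any, Callable, Dict, List

State = Dict[str, Any]
Pred = Callable[[State], bool]
Transformer = Callable[[Pred], Pred]
VALUES = range(-2, 6)   # constructed finite domain for quantifying over ints


def assign(x: str, expr: Callable[[State], Any]) -> Transformer:
    """x := expr.   wp(psi) = psi[x := expr]."""
    return lambda psi: lambda s: psi({**s, x: expr(s)})


def spec(x: str, pre: Pred, post: Pred) -> Transformer:
    """Specification statement x : [pre, post], changing only x:
    wp(psi) = pre and (for all v, post[x := v] implies psi[x := v])."""
    return lambda psi: lambda s: pre(s) and all(
        psi({**s, x: v}) for v in VALUES if post({**s, x: v}))


def seq(*ts: Transformer) -> Transformer:
    """Sequential composition c1; c2; ...   wp = wp_c1 o wp_c2 o ..."""
    def t(psi: Pred) -> Pred:
        for c in reversed(ts):
            psi = c(psi)
        return psi
    return t


def uncurry(meaning, arglist: List[Any]) -> Transformer:
    """Apply a curried parameterized-command meaning to all its arguments,
    one at a time, yielding the predicate transformer of the call."""
    for a in arglist:
        meaning = meaning(a)
    return meaning


# meth top =^ (res e : int . e : [not empty, e = elt])
# The `res` parameter consumes the NAME of the argument variable; the body
# then acts on a state space that includes that name.
TOP = lambda name: spec(name,
                        lambda s: not s["empty"],
                        lambda s: s[name] == s["elt"])

# meth push =^ (val e : int . others := <elt> ^ others; elt := e; empty := false)
# The `val` parameter consumes the argument's VALUE.
PUSH = lambda v: seq(assign("others", lambda s: (s["elt"],) + s["others"]),
                     assign("elt", lambda s: v),
                     assign("empty", lambda s: False))


def wp_of_call(meaning, arglist: List[Any], post: Pred, state: State) -> bool:
    """Does `state` satisfy wp(meaning applied to arglist, post)?"""
    return uncurry(meaning, arglist)(post)(state)


# Constructed sample states; the caller owns a variable z for the result.
NONEMPTY: State = {"elt": 5, "empty": False, "others": (1,), "z": 0}
EMPTY: State = {"elt": 0, "empty": True, "others": (), "z": 0}


def demo() -> Dict[str, bool]:
    return {
        # top(z) on a non-empty stack establishes z = elt
        "top_ok": wp_of_call(TOP, ["z"], lambda s: s["z"] == 5, NONEMPTY),
        # on an empty stack the precondition fails: nothing is guaranteed
        "top_empty": wp_of_call(TOP, ["z"], lambda s: True, EMPTY),
        # push(7) establishes elt = 7 and sums(others) = 5 + 1
        "push_ok": wp_of_call(PUSH, [7],
                              lambda s: s["elt"] == 7 and sum(s["others"]) == 6,
                              NONEMPTY),
    }
```

Calling demo() evaluates the three weakest preconditions at the sample states; the "top_empty" entry is False because the specification statement aborts when ¬empty does not hold, which is exactly why the text says the behavior of top on an empty stack is unpredictable.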

3 Forward Simulation

We formulate forward simulation for class declarations of the form defined below. Two class declarations, cda and cdc, which we call the abstract and concrete declarations, respectively, are involved. Both declare the same class Ns. The private attributes of cda include avs, and those of cdc include cvs. For any declaration vs, we write α(vs) for the set of variables declared.

Definition 3 (Compatible). A sequence of class declarations cds, class declarations cda and cdc, a class name Ns, and variable declarations avs and cvs are compatible if: (1) cds cda and cds cdc are well-formed; (2) cda and cdc declare class Ns, with the same superclass; (3) α(avs) ∩ α(cvs) = ∅; (4) the private attributes of cda include avs, and those of cdc include cvs; (5) cdc includes at least the same methods as cda, with the same parameters.

In this section we consider compatible cds, cda, cdc, Ns, avs, and cvs. We also assume that Γ (resp. Γ′) records the class declarations in cds cda (resp. cds cdc), and η (resp. η′) the meanings of the methods in these classes. We denote by vaΓ N

and vaΓ′ N the signatures (vattrΓ N) and (vattrΓ′ N), respectively, for any N. They contain the visible attributes of N according to Γ and Γ′.

A coupling invariant relates states of a pair of class declarations. As an example, let cda be the linked list implementation of stacks in Figure 1 and cdc the declaration that uses an array in Figure 2. For an object o in V[[Γ; Stack]] and o′ in V[[Γ′; Stack]], a suitable coupling is the following.

    o.elt = o′.elt ∧ o.empty = o′.empty ∧ elems(o.rest) = o′.others

The function elems gives the sequence of elements in a stack. We define it as elems(o) = (if o.empty then ⟨⟩ else o.elt ⌢ elems(o.rest)). In practice the coupling invariant is given by the programmer as a formula as above. For our purposes, we consider it as a mathematical relation on values.
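The two declarations of Stack from Figures 1 and 2, the coupling invariant just given, and a mechanical forward-simulation check over a small domain, as an added example in Python that is not code from the paper (rool itself is not executable here). Copy semantics is modelled with immutable dataclasses, so every assignment and the local variable t in push hold copies rather than references; abort is modelled as an exception. The names Abort, SeqStack, outcome and check_simulation are this example's own. One assumption is made explicit in the code: the model of the Figure 2 push prepends the old top to others only when the stack is non-empty, so that others holds exactly the elements below the top as elems(o.rest) = o′.others expects; the page's Figure 2 text shows the prepend unguarded.

```python
"""Added example (not from the paper): Figures 1 and 2 with copy semantics,
the Section 3 coupling invariant, and an exhaustive simulation check."""
from dataclasses import dataclass, replace
from typing import Callable, Optional, Tuple, Union


class Abort(Exception):
    """A specification statement with a false precondition, or a guarded
    command with no true guard, aborts."""


# ---- Figure 1: abstract declaration, linked representation ----
@dataclass(frozen=True)
class Stack:
    elt: int = 0                        # attributes default to 0 / false / null
    empty: bool = True
    rest: Optional["Stack"] = None

    def push(self, e: int) -> "Stack":
        # t := new Stack; t.rest := rest; t.elt := elt; t.empty := empty;
        # rest := t; elt := e; empty := false.  t is a Stack value (a copy),
        # even when self is an IncStack.
        t = Stack(self.elt, self.empty, self.rest)
        return replace(self, rest=t, elt=e, empty=False)

    def top(self) -> int:
        # e : [not empty, e = elt]
        if self.empty:
            raise Abort("top of empty stack")
        return self.elt

    def sum(self) -> int:
        if self.empty:
            return 0
        # rest.sum(s); self.top(x); s := s + x   (self.top dynamically bound)
        return self.rest.sum() + self.top()


@dataclass(frozen=True)
class IncStack(Stack):
    def top(self) -> int:
        # if not empty -> e := elt + 1 fi
        if self.empty:
            raise Abort("top of empty stack")
        return self.elt + 1


def main_command(x: int, y: int) -> int:
    """var s : Stack . s := new IncStack; s.push(x); s.push(y); s.sum(z) end;
    the result parameter z is returned.  Yields x + (y + 1)."""
    s: Stack = IncStack()
    s = s.push(x).push(y)
    return s.sum()


# ---- Figure 2: concrete declaration, sequence representation ----
@dataclass(frozen=True)
class SeqStack:
    elt: int = 0
    empty: bool = True
    others: Tuple[int, ...] = ()

    def push(self, e: int) -> "SeqStack":
        # others := <elt> ^ others; elt := e; empty := false
        # ASSUMPTION of this example: no prepend on an empty stack (see lead-in).
        others = self.others if self.empty else (self.elt,) + self.others
        return SeqStack(e, False, others)

    def top(self) -> int:
        if self.empty:
            raise Abort("top of empty stack")
        return self.elt

    def sum(self) -> int:
        if self.empty:
            return 0
        return self.top() + sum(self.others)      # sums(others)


# ---- Section 3: coupling invariant and forward-simulation check ----
def elems(o: Optional[Stack]) -> Tuple[int, ...]:
    """elems(o) = <> if o.empty else o.elt ^ elems(o.rest)."""
    if o is None or o.empty:
        return ()
    return (o.elt,) + elems(o.rest)


def coupling(o: Stack, oc: SeqStack) -> bool:
    """o.elt = o'.elt  and  o.empty = o'.empty  and  elems(o.rest) = o'.others."""
    return o.elt == oc.elt and o.empty == oc.empty and elems(o.rest) == oc.others


def outcome(method: Callable, obj) -> Union[int, str]:
    """Result of a call, with abort made explicit as the string 'abort'."""
    try:
        return method(obj)
    except Abort:
        return "abort"


def check_simulation(values=(1, 2), depth=3) -> bool:
    """Explore pairs of states reachable by push from the related initial
    states.  Every pair must satisfy the coupling, and top/sum must either
    abort on the abstract side (refinement may remove failure) or return
    equal results (primitive, hence vci-related) on both sides."""
    frontier = [(Stack(), SeqStack())]
    for _ in range(depth + 1):
        nxt = []
        for a, c in frontier:
            if not coupling(a, c):
                return False
            for m in (lambda o: o.top(), lambda o: o.sum()):
                ra = outcome(m, a)
                if ra != "abort" and ra != outcome(m, c):
                    return False
            nxt += [(a.push(v), c.push(v)) for v in values]
        frontier = nxt
    return True
```

check_simulation() walks every pair of related states reachable by up to three pushes of the values 1 and 2 and returns True; main_command(3, 4) returns 8, the x + (y + 1) the text attributes to dynamic binding of self.top. The check is a finite sanity check of the simulation property for this pair of declarations, not the soundness proof of Section 4.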

The soundness theorem guarantees that class refinement follows from the fact that the simulation property, which we formalize later on, holds for the corresponding implementations of the methods of Stack. Informally, this means that, for each of these methods, related initial states lead to related final states. Refinement ensures that a client using only the methods of Stack can only be improved if we replace the first declaration of this class by the second.

In the proof of soundness, we need to compare the state spaces of the clients in the presence of cda and cdc. They are different for a client that has a component that is not Ns-free. To compare them, we need relations induced from the coupling invariant at all types. For a coupling invariant ci, the value coupling vci T is defined as follows. We write N1 ≤ N2 when N1 is a subclass of N2 according to the typing environment Γ.

Definition 4 (Coupling of Values). For a type T and a relation ci that is a subset of S[[Γ; vaΓ Ns; Ns]] × S[[Γ′; vaΓ′ Ns; Ns]], we define vci T as a subset of the cartesian product (V[[Γ; T]] ∪ {error}) × (V[[Γ′; T]] ∪ {error}), as follows.

    vci T = {(v, v) | v ∈ (V[[Γ; T]] ∪ {error})},   if T is primitive

    vci N = {(error, error), (null, null)} ∪ (ci ∩ S[[Γ; vaΓ N; N]] × S[[Γ′; vaΓ′ N; N]]),
            if N ≤ Ns

    vci N = {(error, error), (null, null)} ∪
            {(σ, σ′) | σ ∈ V[[Γ; N]] \ {null} ∧ σ′ ∈ V[[Γ′; N]] \ {null} ∧
                      dom σ = dom σ′ ∧ σ myclass = σ′ myclass ∧
                      ∀ x : dom σ \ {myclass} • (σ x, σ′ x) ∈ vci T where Γ.attr N x = T},
            if ¬(N ≤ Ns)

If T is primitive, vci T is the identity relation; if T is a subclass of Ns, then vci T is ci itself restricted to the appropriate state space, but also relates error and null to themselves; finally, if T is not a subclass of Ns, then vci T relates objects of the same class whose attributes are related, and error and null to themselves. In summary, related values are equal if they have a primitive type or do not have components of type Ns; these have to be related by ci.

Below, we formalize the notion of coupling invariant as a relation that satisfies a few healthiness conditions.

S[[Γ; vaΓ Ns; Ns]] × S[[Γ′; vaΓ′ Ns; Ns]] for which the following healthiness conditions are satisfied: (H1) only states for the same class are related; (H2) the initial states of all classes are related; (H3) in related states, attributes other than avs and cvs are related by vci; (H4) if the coupling invariant relates two states, it relates all others that give the same value to the simulated attributes and give related values to the other ones; (H5) surjective; (H6) total.

The formalization of the healthiness conditions is simple and can be found in [8]. Most of them are intuitive: H1 expresses that we are comparing different representations for the same class. The condition H2 is standard for simulations in any context. The conditions H3 and H4 are concerned with the attributes other than those being refined, and are needed for inductive arguments about recursive classes and subclasses. Firstly, H3 expresses that these attributes are related inductively. Secondly, H4 is a convexity condition expressing the sense in which the relation is independent from them.

The need for surjectivity and totality came as a surprise. Initial works on simulation imposed this sort of restriction on coupling invariants [16,19], but later developments have lifted them [15]. However, works on imperative programming do not include structured data like objects, and works on functional programming languages do not include specification constructs.

In practice, as illustrated in our example above, we expect the coupling invariant to be given as a relation just on states for Ns, not including states for its proper subclasses. For such a relation, an inductive definition similar to that for vci gives a coupling invariant that satisfies H1 to H6. We refrain from phrasing things that way because it is more complicated and we are focusing on foundations, not on development methods.

We are now in a position to define the relation induced for all state spaces from a coupling invariant. The relation vci T associates values and ci associates states of the simulated class Ns and its subclasses. The relation gci N vs defined below relates states for an arbitrary class N (and its subclasses) and the signature determined by the declaration vs of parameters and local variables. It is this relation that is used to compare states of the client classes.

Definition 6 (Generalized Coupling Invariant). For a class N and parameters and local variables in scope vs, we define gci N vs as a subset of S[[Γ; (vaΓ N; vs); N]] × S[[Γ′; (vaΓ′ N; vs); N]] as follows.

    (σ, σ′) ∈ gci N vs ⇔ (α(vs) ⩤ σ, α(vs) ⩤ σ′) ∈ ci ∧
                          ∀ x : α(vs) • (σ x, σ′ x) ∈ vci T, with Γ; (vaΓ N; vs); N ▷ x : T
            if N ≤ Ns

    (σ, σ′) ∈ gci N vs ⇔ dom σ = dom σ′ ∧ σ myclass = σ′ myclass ∧
                          ∀ x : dom σ \ {myclass} • (σ x, σ′ x) ∈ vci T, with Γ; (vaΓ N; vs); N ▷ x : T
            if ¬(N ≤ Ns)

If N is a subclass of Ns, we cannot define gci N vs to be ci because of the extra parameters and local variables vs. If we remove them, then we can require

vs have to be related. Recall that ⩤ denotes domain subtraction. If N is not a subclass of Ns, the states have to be for the same class, and the values they assign to attributes, parameters, and local variables have to be related.

Simulation ci; N; vs ▷ pt ≼ pt′ of transformers pt and pt′ holds, if and only if, for all ψ we have gci N vs (| pt ψ |) ⊆ pt′ (gci N vs (| ψ |)). This is the usual definition [14] of simulation for predicate transformers, but uses gci N vs. Here (| |) denotes the direct image of a relation on a set.
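The simulation condition for predicate transformers, gci N vs (| pt ψ |) ⊆ pt′ (gci N vs (| ψ |)) for every ψ, checked exhaustively over tiny finite state spaces, as an added example in Python that is not code from the paper. A program is modelled as a map from each state to either ABORT or the non-empty set of states it may terminate in, and wp is derived from that (total correctness); the coupling relation plays the role of gci N vs. The names wp, image, all_predicates and simulates, and the constructed programs A, C_RESOLVES, C_WRONG, A_ABORTS and C_ABORTS, are this example's own; they are chosen to show the asymmetry the text describes, that simulation accepts reduction of nondeterminacy and of failure but not their introduction.

```python
"""Added example (not from the paper): forward simulation of predicate
transformers over finite state spaces, quantifying over every predicate."""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, Set, Tuple, Union

ABORT = "abort"
State = str
Program = Dict[State, Union[str, FrozenSet[State]]]   # state -> ABORT | successors


def wp(prog: Program, psi: FrozenSet[State]) -> FrozenSet[State]:
    """Weakest precondition: states from which prog cannot abort and every
    possible final state satisfies psi."""
    return frozenset(s for s, out in prog.items()
                     if out != ABORT and out <= psi)


def image(rel: Set[Tuple[State, State]], xs: FrozenSet[State]) -> FrozenSet[State]:
    """Direct image (| |) of a relation on a set of states."""
    return frozenset(b for a, b in rel if a in xs)


def all_predicates(space: FrozenSet[State]) -> Iterable[FrozenSet[State]]:
    """Every subset of the state space, i.e. every predicate psi."""
    elems = sorted(space)
    return (frozenset(c) for r in range(len(elems) + 1)
            for c in combinations(elems, r))


def simulates(rel: Set[Tuple[State, State]], abstract: Program, concrete: Program) -> bool:
    """rel(| wp_abstract psi |) is a subset of wp_concrete(rel(| psi |)) for all psi."""
    space = frozenset(abstract)
    return all(image(rel, wp(abstract, psi)) <= wp(concrete, image(rel, psi))
               for psi in all_predicates(space))


# Constructed sample.  Abstract A chooses nondeterministically between x and y
# from s; each abstract state is coupled to its primed concrete counterpart.
COUPLING = {("s", "s'"), ("x", "x'"), ("y", "y'")}
A: Program = {"s": frozenset({"x", "y"}),
              "x": frozenset({"x"}), "y": frozenset({"y"})}
# Concrete program that resolves the choice: refinement by reducing nondeterminacy.
C_RESOLVES: Program = {"s'": frozenset({"x'"}),
                       "x'": frozenset({"x'"}), "y'": frozenset({"y'"})}
# Concrete program that may reach z', a state no abstract outcome is related to.
C_WRONG: Program = {"s'": frozenset({"x'", "z'"}), "x'": frozenset({"x'"}),
                    "y'": frozenset({"y'"}), "z'": frozenset({"z'"})}
# Abstract program that aborts at s: the concrete one may terminate there.
A_ABORTS: Program = {"s": ABORT, "x": frozenset({"x"}), "y": frozenset({"y"})}
# Concrete program that aborts where the abstract one terminates: not a refinement.
C_ABORTS: Program = {"s'": ABORT, "x'": frozenset({"x'"}), "y'": frozenset({"y'"})}


def demo() -> Dict[str, bool]:
    return {
        "reduce_nondeterminacy": simulates(COUPLING, A, C_RESOLVES),
        "unrelated_outcome": simulates(COUPLING, A, C_WRONG),
        "reduce_failure": simulates(COUPLING, A_ABORTS, C_RESOLVES),
        "introduce_failure": simulates(COUPLING, A, C_ABORTS),
    }
```

With three abstract states there are only eight predicates ψ, so simulates can quantify over all of them; the failing cases fail at ψ = {x, y}, where s lies in the abstract weakest precondition but s′ does not lie in the concrete one.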

Simulation ci; N; vs ▷ f ≼ f′ of parameterized command meanings f and f′ uses a coupling for arguments: it relates value arguments when vci does, and relates result and value-result arguments to themselves. Simulation holds if, when applied to related arguments, f and f′ yield related parameterized command meanings or transformers.

To structure the soundness proof of class simulation, we introduce the notion of environment simulation.

Definition 7 (Environment Simulation). For environments η ∈ E[[Γ]] and η′ ∈ E[[Γ′]], we define ci ▷ η ≼ η′, if and only if, for all N and m we have ci; N; ∅ ▷ (η N m) ≼ (η′ N m).

In the definition of class simulation, we require that the meaning recorded in η for each method of cda and cdc is simulated by the meaning recorded in η′.

Definition 8 (Class Simulation). We define ci ▷ cda ≼ cdc if and only if for each method m of cda and cdc, we have that ci; Ns; ∅ ▷ (η Ns m) ≼ (η′ Ns m). For each method, there are no parameters or local variables in scope.

Soundness establishes that if two class declarations are related by simulation as defined above, then they are also related by refinement (Definition 2).

4 Soundness

The proof of soundness relies on preservation and identity extension. We explain these in terms of the stack example. The coupling invariant presented previously is a simulation for the corresponding bodies of push, top, and sum. Preservation implies that it is also a simulation for calls to these methods, and for any command or parameterized command that acts on the stack using only these method calls: control constructs and parameterization preserve simulation. More specifically, the client programs preserve the induced coupling invariants.

The identity extension lemma says that the induced coupling invariants are the identity on state spaces that do not contain values of the simulated type. For identity coupling invariants, the simulation property reduces to algorithmic refinement.

To prove class refinement, we need to compare only programs that use the refined class internally. Their main command is a client whose state space does include objects of the refined class, and so algorithmic refinement follows. The details of this proof are presented in this section.

vationbyexpressions,predi ates,and ommands.Wegiveea hresultseparately.

Expressions Thesemanti sofexpressionsisafun tionfromstatestovalues.For

2S[[ ;;N℄℄ ,andderivable ;;N Be:T,wede ne[[ ;;N Be :T℄℄ ,the

valueofe instate.ItisanelementofV[[ ;T℄℄[ferrorg.Weassumethatfor

every built-in fun tion f :T !U, a semanti s is given. It should be a total

fun tion V[[ ;T℄℄!(V[[ ;U℄℄[ferrorg). The de nition of [[ ;;N Be :T℄℄

issimple and anbefoundin [7,8℄.

Lemma 1 (Preservationby expressions). Fora lassN di erentfromNs,

parameters andlo al variablesvs, anexpressione oftypeT,and states and

 0

,

(; 0

)2g i N vs)

([[ ;(va

N

; vs);N Be:T℄℄;[[ 0

;(va 0

N

; vs);N Be:T℄℄  0

)2v i T

Proof. By induction on the structure of $e$. We present a few cases; the others can be found in [8].

Case $\mathbf{new}\ N'$. We have that $[\![\Gamma;(\mathit{va}_\Gamma\,N;vs);N \rhd \mathbf{new}\ N' : N']\!]\sigma = \mathit{init}_\Gamma\,N'$, the initial state of $N'$. If $N'$ is a subclass of $N_s$, by the healthiness condition H2, $(\mathit{init}_\Gamma\,N', \mathit{init}_{\Gamma'}\,N') \in \mathit{ci}$. If $N'$ is not a subclass of $N_s$, we observe that $\mathit{init}_\Gamma\,N' = \mathit{init}_{\Gamma'}\,N'$ because the attributes of $N'$ are the same in $\Gamma$ and $\Gamma'$. We have that $\mathit{init}_\Gamma\,N'$ and $\mathit{init}_{\Gamma'}\,N'$ are elements of $V[\![\Gamma;N']\!]$ and $V[\![\Gamma';N']\!]$, respectively, have the same domain, and associate $\mathit{myclass}$ to $N'$. Moreover, for each attribute $x$ of $N'$, if its type is primitive, then $\mathit{init}_\Gamma\,N'\,x = \mathit{init}_{\Gamma'}\,N'\,x$. If the type of $x$ is a class $N''$, then $\mathit{init}_\Gamma\,N'\,x = \mathit{init}_{\Gamma'}\,N'\,x = \mathit{null}$.

Case $f(e)$. By the induction hypothesis, we have that $[\![\Gamma;(\mathit{va}_\Gamma\,N;vs);N \rhd e:T]\!]\sigma$ and $[\![\Gamma';(\mathit{va}_{\Gamma'}\,N;vs);N \rhd e:T]\!]\sigma'$ are related by $\mathit{vci}\,T$. Since, by assumption, $T$ is a primitive type, these values are actually equal. Therefore, the result of the application of the semantics of $f$ to them is the same. Since we also assume that the type of this result is primitive, the results are also related.

Case $e\ \mathbf{is}\ N''$. By the induction hypothesis, $[\![\Gamma;(\mathit{va}_\Gamma\,N;vs);N \rhd e:N']\!]\sigma$ and $[\![\Gamma';(\mathit{va}_{\Gamma'}\,N;vs);N \rhd e:N']\!]\sigma'$ are related by $\mathit{vci}\,N'$. So these values may be both $\mathit{error}$, both $\mathit{null}$, or both different from $\mathit{error}$ and $\mathit{null}$. In the first two cases, the values of the test are equal and related because they are primitive (booleans). In the third case, we have to consider whether the type $N'$ of $e$ is a subclass of $N_s$ or not. If it is, then $[\![\Gamma;(\mathit{va}_\Gamma\,N;vs);N \rhd e:N']\!]\sigma$ and $[\![\Gamma';(\mathit{va}_{\Gamma'}\,N;vs);N \rhd e:N']\!]\sigma'$ are related by $\mathit{ci}$, and the healthiness condition H1 guarantees that they have the same value at $\mathit{myclass}$. If it is not, then the definition of $\mathit{vci}\,N'$ guarantees the same property. As a consequence, $[\![\Gamma;(\mathit{va}_\Gamma\,N;vs);N \rhd e\ \mathbf{is}\ N'':\mathit{bool}]\!]\sigma$ and $[\![\Gamma';(\mathit{va}_{\Gamma'}\,N;vs);N \rhd e\ \mathbf{is}\ N'':\mathit{bool}]\!]\sigma'$ are equal and so related by $\mathit{vci}\,\mathit{bool}$.

Similar reasoning applies to the cases $(N'')e$, $e.x$, and $(e;\,x:e')$. For $e.x$ we rely on H3, and for $(e;\,x:e')$, on H4. □


to impose a parametricity condition on their semantics for the above lemma to hold. For example, the lemma would not hold for a built-in exact equality test of object values. An object might be simulated by two different objects; in this case, equality holds for two copies of the object, but not for the related objects.
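The stack refinement sketched at the start of this section, and the equality caveat just above, as an added example that is not code from the paper: a Python check of forward simulation between an abstract stack kept as a list and a refined one kept as an array with a fill pointer and a cached sum. The two classes, the coupling invariant ci, the argument set and the client are constructed for this illustration; results are ints, the primitive case in which vci is plain equality. The last function shows why a built-in exact equality test on object values would break Lemma 1: two concrete objects that differ only in spare capacity both represent a single abstract object.

```python
"""Forward simulation check for a stack refinement.

Added example, constructed for this page; it is not code from the paper.
The two stack classes, the coupling invariant ci and the client are
assumptions chosen to mirror the push/top/sum example in the text.
Results are ints, the primitive case of vci, so they must be equal.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass, field


@dataclass
class AbstractStack:
    """Abstract declaration da: the stack is a plain list."""
    items: list[int] = field(default_factory=list)

    def push(self, v: int) -> None:
        self.items.append(v)

    def top(self) -> int:
        return self.items[-1] if self.items else 0  # 0 on empty (assumption)

    def sum(self) -> int:
        return sum(self.items)


@dataclass
class ConcreteStack:
    """Refined declaration dc: array with fill pointer and a cached sum."""
    buf: list[int] = field(default_factory=lambda: [0] * 2)
    size: int = 0
    total: int = 0

    def push(self, v: int) -> None:
        if self.size == len(self.buf):          # grow the array when full
            self.buf = self.buf + [0] * len(self.buf)
        self.buf[self.size] = v
        self.size += 1
        self.total += v

    def top(self) -> int:
        return self.buf[self.size - 1] if self.size else 0

    def sum(self) -> int:
        return self.total


def ci(a: AbstractStack, c: ConcreteStack) -> bool:
    """Coupling invariant: the used prefix of buf is the abstract list and
    the cache is its sum.  Spare slots are unconstrained, so ci is not
    functional: several concrete objects represent one abstract object."""
    return a.items == c.buf[: c.size] and c.total == sum(a.items)


# Method bodies the simulation must cover; every call takes one int so the
# enumeration below treats the three methods uniformly.
METHODS = {
    "push": lambda s, v: s.push(v),
    "top": lambda s, v: s.top(),
    "sum": lambda s, v: s.sum(),
}
ARGS = (-2, 3, 5)


def check_simulation(depth: int = 4) -> list:
    """Exhaustively checks forward simulation on all traces of at most
    `depth` calls from the initial states: from ci-related states, each
    method must return equal (primitive) results and leave ci-related
    states.  Returns the list of violations; [] means simulation holds."""
    violations = []
    frontier = [(AbstractStack(), ConcreteStack())]
    for _ in range(depth):
        successors = []
        for a, c in frontier:
            for name, body in METHODS.items():
                for v in ARGS:
                    a2, c2 = copy.deepcopy(a), copy.deepcopy(c)
                    ra, rc = body(a2, v), body(c2, v)
                    if ra != rc or not ci(a2, c2):
                        violations.append((name, v, a, c))
                    if name == "push":          # top/sum leave the state unchanged
                        successors.append((a2, c2))
        frontier = successors
    return violations


def client(stack) -> tuple:
    """A client whose globals are Ns-free: it holds the stack only inside
    the call and observes it through method calls alone.  Identity extension
    says it must behave identically with either class."""
    for v in (4, -1, 7):
        stack.push(v)
    return stack.top(), stack.sum()


def exact_equality_is_not_parametric() -> bool:
    """The caveat on built-in functions: exact equality of object values.
    a and a copy of it are equal; c1 and c2 are both ci-related to a but
    differ in spare capacity, so the built-in test gives different answers
    on related arguments, and Lemma 1 fails for it."""
    a = AbstractStack([1, 2])
    c1 = ConcreteStack(buf=[1, 2, 0, 0], size=2, total=3)
    c2 = ConcreteStack(buf=[1, 2, 0, 0, 0, 0, 0, 0], size=2, total=3)
    assert ci(a, c1) and ci(a, c2)
    return (a == copy.deepcopy(a)) != (c1 == c2)
```

`check_simulation` is the preservation argument run by brute force over short traces: it never inspects the concrete representation except through `ci`, which is exactly the discipline the lemmas formalize. A non-functional `ci` is deliberate; it is what makes the equality caveat bite.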

Predicates. The semantics $[\![\Gamma;\Delta;N \rhd \varphi:\mathit{pred}]\!]$ of a formula $\varphi$ is a subset of the state space $S[\![\Gamma;\Delta;N]\!]$. Its definition is standard and can be found in [7,8].

Lemma 2 (Preservation by predicates). For a class $N$ different from $N_s$, parameters and local variables $vs$, a predicate formula $\varphi$, and states $\sigma$ and $\sigma'$,
$$(\sigma,\sigma') \in \mathit{gci}\,N\,vs \;\Rightarrow\; \big(\sigma \in [\![\Gamma;(\mathit{va}_\Gamma\,N;vs);N \rhd \varphi:\mathit{pred}]\!] \;\Leftrightarrow\; \sigma' \in [\![\Gamma';(\mathit{va}_{\Gamma'}\,N;vs);N \rhd \varphi:\mathit{pred}]\!]\big)$$

Proof. By induction on $\varphi$. Most cases are a simple consequence of the definitions and the induction hypothesis. For boolean expressions we rely on the previous lemma. For universal quantification, we need surjectivity and totality of $\mathit{ci}$, from which we have surjectivity and totality for $\mathit{vci}$. The details are in [8]. □

Commands. The semantics of commands depends on the environment. Preservation of simulation for commands, therefore, depends on the corresponding environments being related by simulation as well. This is a hypothesis for the following lemma. In the proof of soundness, we use the fact that class simulation implies environment simulation.

Lemma 3 (Preservation by commands). If $\mathit{ci} \rhd \eta \preccurlyeq \eta'$, then for a class $N$ different from $N_s$, parameters and local variables $vs$, and a command $c$,
$$\mathit{ci};N;vs \rhd [\![\Gamma;(\mathit{va}_\Gamma\,N;vs);N \rhd c:\mathit{com}]\!]\eta \;\preccurlyeq\; [\![\Gamma';(\mathit{va}_{\Gamma'}\,N;vs);N \rhd c:\mathit{com}]\!]\eta'$$

Proof. By induction on the structure of $c$. In most cases we use the definition of simulation at the level of states and predicates, giving the argument for an arbitrary $\sigma' \in S[\![\Gamma';(\mathit{va}_{\Gamma'}\,N;vs);N]\!]$ and predicate $\psi \in \mathbb{P}\,S[\![\Gamma;(\mathit{va}_\Gamma\,N;vs);N]\!]$. We present below just a few interesting cases. In this proof and in others that follow, we omit the typing of commands and parameterized commands, and the environment, for the sake of conciseness.

Case $x:[\varphi_1,\varphi_2]$. For this we need surjectivity of $\mathit{ci}$, and due to the use of Lemma 2, totality as well. The operator $\oplus$ is function overriding. Below, $[\![\varphi]\!]$ abbreviates $[\![\Gamma;(\mathit{va}_\Gamma\,N;vs);N \rhd \varphi]\!]$ and $[\![\varphi]\!]'$ its counterpart for $\Gamma'$.

$$\begin{array}{cll}
& \sigma' \in \mathit{gci}\,N\,vs\,(\!|\,[\![x:[\varphi_1,\varphi_2]]\!]\psi\,|\!) & \\
\Leftrightarrow & \exists\sigma \bullet (\sigma,\sigma') \in \mathit{gci}\,N\,vs \wedge \sigma \in [\![\varphi_1]\!] \wedge {} & [\text{property of relational image and semantics}] \\
& \quad \forall v:V[\![\Gamma;T]\!] \bullet \sigma\oplus\{x\mapsto v\} \in [\![\varphi_2]\!] \Rightarrow \sigma\oplus\{x\mapsto v\} \in \psi & \\
\Leftrightarrow & \sigma' \in [\![\varphi_1]\!]' \wedge \exists\sigma \bullet (\sigma,\sigma') \in \mathit{gci}\,N\,vs \wedge {} & [\text{Lemma 2 and predicate calculus}] \\
& \quad \forall v:V[\![\Gamma;T]\!] \bullet \sigma\oplus\{x\mapsto v\} \in [\![\varphi_2]\!] \Rightarrow \sigma\oplus\{x\mapsto v\} \in \psi & \\
\Rightarrow & \sigma' \in [\![\varphi_1]\!]' \wedge \forall v:V[\![\Gamma;T]\!];\, v':V[\![\Gamma';T]\!] \bullet \exists\sigma \bullet (v,v') \in \mathit{vci}\,T \Rightarrow {} & [\text{property of } \mathit{gci} \text{ and predicate calculus}] \\
& \quad (\sigma\oplus\{x\mapsto v\},\, \sigma'\oplus\{x\mapsto v'\}) \in \mathit{gci}\,N\,vs \wedge (\sigma\oplus\{x\mapsto v\} \in [\![\varphi_2]\!] \Rightarrow \sigma\oplus\{x\mapsto v\} \in \psi) & \\
\Leftrightarrow & \sigma' \in [\![\varphi_1]\!]' \wedge \forall v:V[\![\Gamma;T]\!];\, v':V[\![\Gamma';T]\!] \bullet \exists\sigma \bullet (v,v') \in \mathit{vci}\,T \Rightarrow {} & [\text{Lemma 2 and predicate calculus}] \\
& \quad (\sigma\oplus\{x\mapsto v\},\, \sigma'\oplus\{x\mapsto v'\}) \in \mathit{gci}\,N\,vs \wedge (\sigma'\oplus\{x\mapsto v'\} \in [\![\varphi_2]\!]' \Rightarrow \sigma\oplus\{x\mapsto v\} \in \psi) & \\
\Rightarrow & \sigma' \in [\![\varphi_1]\!]' \wedge \forall v':V[\![\Gamma';T]\!] \bullet \exists v:V[\![\Gamma;T]\!] \bullet (v,v') \in \mathit{vci}\,T \wedge {} & [\text{surjectivity of } \mathit{vci} \text{ and predicate calculus}] \\
& \quad \big((v,v') \in \mathit{vci}\,T \Rightarrow \exists\sigma \bullet (\sigma,\, \sigma'\oplus\{x\mapsto v'\}) \in \mathit{gci}\,N\,vs \wedge (\sigma'\oplus\{x\mapsto v'\} \in [\![\varphi_2]\!]' \Rightarrow \sigma \in \psi)\big) & \\
\Rightarrow & \sigma' \in [\![\varphi_1]\!]' \wedge \forall v':V[\![\Gamma';T]\!] \bullet \sigma'\oplus\{x\mapsto v'\} \in [\![\varphi_2]\!]' \Rightarrow {} & [\text{predicate calculus}] \\
& \quad \exists\sigma \bullet \sigma \in \psi \wedge (\sigma,\, \sigma'\oplus\{x\mapsto v'\}) \in \mathit{gci}\,N\,vs & \\
\Rightarrow & \sigma' \in [\![x:[\varphi_1,\varphi_2]]\!]'\,(\mathit{gci}\,N\,vs\,(\!|\psi|\!)) & [\text{property of relational image and semantics}]
\end{array}$$

Case $\mathit{self}.m(e)$.

$$\begin{array}{cll}
& \sigma' \in \mathit{gci}\,N\,vs\,(\!|\,[\![\Gamma;(\mathit{va}_\Gamma\,N;vs);N \rhd \mathit{self}.m(e)]\!]\psi\,|\!) & \\
\Leftrightarrow & \exists\sigma \bullet (\sigma,\sigma') \in \mathit{gci}\,N\,vs \wedge \sigma \in \mathit{lift}\,vs_1\,\mathit{pt}\,(\psi \cap [\![\Gamma;vs;N_1]\!]) & [\text{property of relational image and semantics}]
\end{array}$$

In this step we are using the following definitions inside the scope of $\sigma$, and also their dashed counterparts for the semantics for $\Gamma'$, $\eta'$, and $\sigma'$.

$$\begin{array}{l}
N_1 = \sigma\,\mathit{myclass}; \qquad \mathit{pds} = \Gamma.\mathit{meth}\,N_1\,m; \\
\mathit{pt} = \mathit{uncurry}\,(\eta\,N_1\,m)\,\mathit{arglist}; \qquad \mathit{arglist} = \mathit{args}\,(\mathit{va}_\Gamma\,N;vs)\,N\,\mathit{pds}\,e\,\sigma; \\
\mathit{rs} = \mathit{rvrargs}\,\mathit{pds}\,e; \qquad vs_1 = \mathit{rs} \mathbin{⩤} vs
\end{array}$$

Below, we list a number of facts about these definitions.

1. $N_1 = \sigma'\,\mathit{myclass} = N_1'$, by $(\sigma,\sigma') \in \mathit{gci}\,N\,vs$, the definition of $\mathit{gci}$, and H1.

2. Since the methods in $\mathit{da}$ and $\mathit{dc}$ have the same parameters, $\mathit{pds} = \mathit{pds}'$.

3. $\mathit{arglist}$ is pointwise related to $\mathit{arglist}'$, by induction on lists, Lemma 1, and the definition of coupling for arguments.

4. By Fact 2 above, $\mathit{rs} = \mathit{rs}'$ and $vs_1 = vs_1'$.

5. By hypothesis, $\mathit{ci} \rhd \eta \preccurlyeq \eta'$, so by definition of environment simulation, $\mathit{ci};N_1;\varnothing \rhd (\eta\,N_1\,m) \preccurlyeq (\eta'\,N_1\,m)$. Therefore, by Facts 1, 3 and the definition of simulation of parameterized command meanings, $\mathit{ci};N_1;\varnothing \rhd \mathit{pt} \preccurlyeq \mathit{pt}'$.

We proceed as follows. The operator $\upharpoonright$ restricts the state space of a predicate. For a predicate $\psi$ on $\Gamma;(\Delta;\,x:T);N$, the predicate $\psi \upharpoonright x$ on $\Gamma;\Delta;N$ is defined as $\sigma \in \psi \upharpoonright x \;\Leftrightarrow\; \exists v:[\![T]\!] \bullet \sigma\oplus\{x\mapsto v\} \in \psi$. The substitution in $\psi[\sigma(\mathrm{dom}\,vs_1)/\mathrm{dom}\,vs_1]$ is a multiple substitution on $\psi$ in which the value of each variable $x$ in $\mathrm{dom}\,vs_1$ is replaced with the value $\sigma\,x$.

$$\begin{array}{cll}
& \exists\sigma \bullet (\sigma,\sigma') \in \mathit{gci}\,N\,vs \wedge \sigma \in \mathit{lift}\,vs_1\,\mathit{pt}\,(\psi \cap [\![\Gamma;vs;N_1]\!]) & \\
\Leftrightarrow & \exists\sigma \bullet (\sigma,\sigma') \in \mathit{gci}\,N\,vs \wedge {} & [\text{definition of } \mathit{lift}] \\
& \quad (\mathrm{dom}\,vs_1) \mathbin{⩤} \sigma \in \mathit{pt}\,\big((\psi \cap [\![\Gamma;vs;N_1]\!])[\sigma(\mathrm{dom}\,vs_1)/\mathrm{dom}\,vs_1] \upharpoonright (\mathrm{dom}\,vs_1)\big) & \\
\Rightarrow & \exists\sigma \bullet (\sigma,\sigma') \in \mathit{gci}\,N\,vs \wedge {} & [\text{Fact 5}] \\
& \quad (\mathrm{dom}\,vs_1) \mathbin{⩤} \sigma' \in \mathit{pt}'\,\big(\mathit{gci}\,N\,((\mathrm{dom}\,vs_1) \mathbin{⩤} vs)\,(\!|\,(\psi \cap [\![\Gamma;vs;N_1]\!])[\sigma(\mathrm{dom}\,vs_1)/\mathrm{dom}\,vs_1] \upharpoonright (\mathrm{dom}\,vs_1)\,|\!)\big) & \\
\Rightarrow & (\mathrm{dom}\,vs_1) \mathbin{⩤} \sigma' \in \mathit{pt}'\,\big(((\mathit{gci}\,N\,vs\,(\!|\psi|\!) \cap [\![\Gamma';vs;N_1']\!])[\sigma'(\mathrm{dom}\,vs_1)/\mathrm{dom}\,vs_1]) \upharpoonright \mathrm{dom}\,vs_1\big) & [\text{properties of } \mathit{gci} \text{ and Fact 1}] \\
\Leftrightarrow & (\mathrm{dom}\,vs_1') \mathbin{⩤} \sigma' \in \mathit{pt}'\,\big(((\mathit{gci}\,N\,vs\,(\!|\psi|\!) \cap [\![\Gamma';vs;N_1']\!])[\sigma'(\mathrm{dom}\,vs_1')/\mathrm{dom}\,vs_1']) \upharpoonright \mathrm{dom}\,vs_1'\big) & [\text{Fact 4}] \\
\Leftrightarrow & \sigma' \in [\![\Gamma';(\mathit{va}_{\Gamma'}\,N;vs);N \rhd \mathit{self}.m(e)]\!]\,(\mathit{gci}\,N\,vs\,(\!|\psi|\!)) & [\text{definition of } \mathit{lift} \text{ and semantics}]
\end{array}$$

□

As pointed out before, preservation of simulation by environments is necessary for the application of the lemma above. This is the result stated below.

Lemma 4 (Preservation by environments). If $\mathit{ci} \rhd \mathit{da} \preccurlyeq \mathit{dc}$ then $\mathit{ci} \rhd \eta \preccurlyeq \eta'$.

This is based on Lemma 3, and also on the facts that fixpoints and parameterization preserve simulation. We refrain from formally stating those results. They are standard and can be found in [8].

The second main result we need in the proof of our main theorem is the identity extension lemma below.

Lemma 5 (Identity extension). For a class $N$ that is not a subclass of $N_s$, parameters and local variables $vs$, if all attributes of $N$ and all variables declared in $vs$ are $N_s$-free, then $\mathit{gci}\,N\,vs$ is the identity relation.

Proof. By definition, if $\sigma$ and $\sigma'$ are related by $\mathit{gci}\,N\,vs$, then they have the same domain and value at $\mathit{myclass}$. Moreover, the values $v$ and $v'$ associated to a variable $x$ in $\sigma$ and $\sigma'$ are related by $\mathit{vci}\,T$, where $T$ is the type of $x$ in $\Gamma;(\mathit{va}_\Gamma\,N;vs);N$.

By induction on the structure of $T$, we prove that $\mathit{vci}\,T$ is the identity. If $T$ is a primitive type, this is direct from the definition. The type $T$ of $x$ cannot possibly be $N_s$ or any of its subclasses, as the hypothesis guarantees that there are no local variables of such a type. Finally, if $T$ is a class $N'$, which is then not a subclass of $N_s$, by definition of $\mathit{vci}\,T$ we have three possibilities: $v$ and $v'$ are both $\mathit{error}$, both $\mathit{null}$, or they are object values with the same domain and value at $\mathit{myclass}$. Also, the values associated to an attribute $y$ in the domain of $v$ (and $v'$) are related by $\mathit{vci}\,T'$, where $T'$ is the type of $y$ in $\Gamma;(\mathit{va}_\Gamma\,N;vs);N$. By the induction hypothesis, $\mathit{vci}\,T'$ is the identity. □

This is a relatively simple consequence of the definitions.

Finally, we can present our soundness theorem.

Theorem 1 (Soundness). If $\mathit{ci} \rhd \mathit{da} \preccurlyeq \mathit{dc}$, then $\mathit{cds} \rhd \mathit{da} \preccurlyeq \mathit{dc}$.

Proof. Well-formedness of $\mathit{cds}\ \mathit{da}$ and $\mathit{cds}\ \mathit{dc}$ follows from compatibility. We prove that, for all commands $c$ that use only methods of $\mathit{cds}$ and $\mathit{da}$, with no global variables whose type is not $N_s$-free, and well-typed for $\mathit{cds}\ \mathit{da};\mathit{main}$, (1) $c$ is well-typed for $\mathit{cds}\ \mathit{dc};\mathit{main}$; and (2) $(\mathit{cds}\ \mathit{da} \bullet c) \sqsubseteq (\mathit{cds}\ \mathit{dc} \bullet c)$.

We have (1) because $\mathit{dc}$ has at least the methods of $\mathit{da}$. For (2), from $\mathit{ci} \rhd \mathit{da} \preccurlyeq \mathit{dc}$ we have $\mathit{ci} \rhd \eta \preccurlyeq \eta'$, by Lemma 4. Therefore, by Lemma 3, we have
$$\mathit{ci};\mathit{main};vs \rhd [\![\Gamma;vs;\mathit{main} \rhd c:\mathit{com}]\!]\eta \;\preccurlyeq\; [\![\Gamma';vs;\mathit{main} \rhd c:\mathit{com}]\!]\eta'$$
where $vs$ records the global variables of $c$. This means, by definition, that for every predicate $\psi$,
$$\mathit{gci}\,\mathit{main}\,vs\,(\!|\,[\![\Gamma;vs;\mathit{main} \rhd c]\!]\eta\,\psi\,|\!) \;\subseteq\; [\![\Gamma';vs;\mathit{main} \rhd c]\!]\eta'\,(\mathit{gci}\,\mathit{main}\,vs\,(\!|\psi|\!))$$
Since $vs$ does not include variables whose type is not $N_s$-free, by Lemma 5 we have that $\mathit{gci}\,\mathit{main}\,vs$ is the identity, and hence
$$[\![\Gamma;vs;\mathit{main} \rhd c]\!]\eta \;\sqsubseteq\; [\![\Gamma';vs;\mathit{main} \rhd c]\!]\eta'.$$
Therefore, by the semantics of programs, we have that
$$[\![\varnothing;vs \rhd (\mathit{cds}\ \mathit{da} \bullet c):\mathit{program}]\!] \;\sqsubseteq\; [\![\varnothing;vs \rhd (\mathit{cds}\ \mathit{dc} \bullet c):\mathit{program}]\!]$$
as required for (2). □

The argument for this proof is relatively simple. The main difficulty is in the proof of Lemma 3, in the presence of method calls and dynamic binding.

The need for the generalized coupling invariant also posed a few difficulties. We could not find a straightforward way of expressing this invariant as a formula. From a practical point of view, however, this is not a problem. Using our technique, the programmer needs to define only the coupling invariant and prove that the alternative class declarations are related by simulation. The generalized coupling invariant is used in our proof of soundness, but it is not used in the application of the simulation technique.


Our main results are preservation, identity extension, and soundness of forward simulation for a Java-like language including recursive classes, type casts and tests, mutable state, class-oriented visibility control, and specification constructs. Previous work on simulation for object-oriented languages has treated simpler languages; e.g., one of the most advanced works [33] has instance-oriented visibility and has no type casts or specification constructs. As for major features of Java that we do not treat, we know of no work dealing with concurrency together with features like classes and dynamic dispatch, nor any on reflection.

Our result can potentially be extended for behavioral subclassing. Such results are known only for more restricted languages than that considered here. This is a topic for future work. For now, we remark only that our result is an implication: class refinement follows from simulation of methods of the refined class. To prove simulation for those methods, preservation rules need to be used together with ordinary verification rules (see, e.g., [26,27]), and some form of behavioral subclassing is probably needed for the latter rules to be tractable [1,12,31].

Our notion of class refinement does not allow the refined type to occur in global variables; it is based on the standard notion of algorithmic refinement. We believe it is possible to adapt our proofs to a definition that uses a notion of refinement that builds in the hiding of private attributes, in which case no restriction to N-free types is needed for them. We have found this adaptation to be advantageous in our ongoing work on behavioral subclassing.

Our most questionable omission is pointers. Building on the insights gained in the present work, and on recent progress in reasoning about pointers [34,18], Banerjee and Naumann recently obtained results similar to ours for a Java-like language with pointers [4]. That work uses a state-transformer model and does not treat specification constructs. It uses simulation for program equivalence rather than refinement. We believe the present semantics can be extended to encompass pointers, but that is left as future work.

It was surprisingly difficult to find workable formalizations for typing, semantics, and simulation, and the result exhibits ideas drawn from a number of independent lines of research on simulation. Two surprising healthiness conditions, totality and surjectivity, came to light. They seem to be a consequence of the fact that, even though private attributes of an object are not directly accessible from the clients, semantically they are available for manipulation by the methods. It may be possible to drop these restrictions if we restrict our attention only to the values that can be obtained by initializing an object and calling its methods.

Surjectivity and totality are needed only for specification constructs. In particular, our proof of Lemma 3 uses surjectivity for the case of local variables, but that is because we treat the block construct from refinement calculi [26] that makes an unboundedly nondeterministic choice of initial values. Surjectivity is not needed for initialized local variables, which are the norm in Java-like languages (and are also used in [29]).


to ensure behavioral subclassing, we avoided the requirement that classes have specifications or that they exhibit behavioral subclassing. If such requirements are imposed, alternative healthiness conditions are possible; this is the subject of future work as well.

References

1. Martín Abadi and K. Rustan M. Leino. A logic of object-oriented programs. In Proceedings, TAPSOFT 1997. Springer-Verlag, 1997. Expanded in DEC SRC report 161.

2. R. J. R. Back. Procedural Abstraction in the Refinement Calculus. Technical report, Department of Computer Science, Åbo, Finland, 1987. Ser. A No. 55.

3. R. J. R. Back and J. Wright. Refinement Calculus: A Systematic Introduction. Graduate Texts in Computer Science. Springer-Verlag, 1998.

4. Anindya Banerjee and David Naumann. Representation independence, confinement and access control. In POPL 2002, pages 166–177.

5. Martin Büchi and Wolfgang Weck. The greybox approach: When blackbox specifications hide too much. Technical Report 297, Turku Center for Computer Science, August 1999. http://www.abo.fi/~mbuechi/publications/TR297.html.

6. A. L. C. Cavalcanti and D. Naumann. A Weakest Precondition Semantics for an Object-oriented Language of Refinement. In J. M. Wing, J. C. P. Woodcock, and J. Davies, editors, FM'99: World Congress on Formal Methods, volume 1709 of Lecture Notes in Computer Science, pages 1439–1459. Springer-Verlag, September 1999.

7. A. L. C. Cavalcanti and D. A. Naumann. A Weakest Precondition Semantics for Refinement of Object-oriented Programs. IEEE Transactions on Software Engineering, 26(8):713–728, August 2000.

8. A. L. C. Cavalcanti and D. A. Naumann. Forward Simulation for Data Refinement of Classes - Extended Version. Technical Report 2001-4, Computer Science, Stevens Institute of Technology, 2001. http://www.cs.stevens-tech.edu/~naumann/tr2001-4.ps.

9. A. L. C. Cavalcanti and David A. Naumann. On a specification-oriented model for object-orientation. In Proceedings of the VI Brazilian Symposium on Programming Languages, 2002. To appear.

10. A. L. C. Cavalcanti, A. C. A. Sampaio, and J. C. P. Woodcock. Procedures and Recursion in the Refinement Calculus. Journal of the Brazilian Computer Society, 5(1):1–15, 1998.

11. Willem-Paul de Roever and Kai Engelhardt. Data Refinement: Model-Oriented Proof Methods and their Comparison. Cambridge University Press, 1998.

12. David L. Detlefs, K. Rustan M. Leino, Greg Nelson, and James B. Saxe. Extended static checking. Technical Report 159, Compaq Systems Research Center, December 1998.

13. Martin Fowler. Refactoring: Improving the Design of Existing Code. Addison-Wesley, 1999.

14. P. H. B. Gardiner and C. C. Morgan. Data Refinement of Predicate Transformers. Theoretical Computer Science, 87:143–162, 1991.

15. J. He, C. A. R. Hoare, and J. W. Sanders. Prespecification in Data Refinement. Information Processing Letters, 25(1), 1987.

16. 1:271–281, 1972.

17. C. A. R. Hoare, J. He, and A. Sampaio. Normal form approach to compiler design. Acta Informatica, 30:701–739, 1993.

18. Samin Ishtiaq and Peter W. O'Hearn. BI as an assertion language for mutable data structures. In POPL. ACM Press, 2001.

19. C. B. Jones. Software Development: A Rigorous Approach. Prentice-Hall, 1980.

20. G. T. Leavens and W. E. Weihl. Specification and verification of object-oriented programs using supertype abstraction. Acta Informatica, 32, 1995.

21. Gary T. Leavens, K. Rustan M. Leino, Erik Poll, Clyde Ruby, and Bart Jacobs. JML: notations and tools supporting detailed design in Java. In OOPSLA 2000 Companion, Minneapolis, Minnesota, pages 105–106. ACM, October 2000.

22. Gary T. Leavens and Don Pigozzi. A complete algebraic characterization of behavioral subtyping. Acta Informatica, 36:617–663, 2000.

23. K. R. M. Leino, A. Poetzsch-Heffter, and Y. Zhou. Using data groups to specify and check side effects. In Programming Language Design and Implementation 2002, 2002. To appear.

24. B. H. Liskov and J. M. Wing. A Behavioural Notion of Subtyping. ACM Transactions on Programming Languages and Systems, 16(6), 1994.

25. Nancy Lynch and Frits Vaandrager. Forward and backward simulations part I: Untimed systems. Information and Computation, 121(2), 1995.

26. C. C. Morgan. Programming from Specifications. Prentice-Hall, 2nd edition, 1994.

27. C. C. Morgan and P. H. B. Gardiner. Data Refinement by Calculation. Acta Informatica, 27(6):481–503, 1990.

28. P. Müller. Modular Specification and Verification of Object-Oriented Programs. PhD thesis, FernUniversität Hagen, 2001. Available from www.informatik.fernuni-hagen.de/pi5/publications.html.

29. David A. Naumann. Soundness of data refinement for a higher order imperative language. Theoretical Computer Science, 278(1–2):271–301, 2002.

30. Gordon Plotkin. Lambda definability and logical relations. Technical Report SAI-RM-4, University of Edinburgh, School of Artificial Intelligence, 1973.

31. A. Poetzsch-Heffter and P. Müller. A programming logic for sequential Java. In S. D. Swierstra, editor, Programming Languages and Systems (ESOP'99), volume 1576 of Lecture Notes in Computer Science, pages 162–176. Springer-Verlag, 1999.

32. John Power and Edmund Robinson. Logical relations and data abstraction. In Computer Science Logic, 2000.

33. U. S. Reddy. Objects and classes in Algol-like languages. In Fifth Intern. Workshop on Foundations of Object-oriented Languages, Jan 1998. Full version to appear in Information and Computation.

34. John C. Reynolds. Intuitionistic reasoning about shared mutable data structure. In Millennial Perspectives in Computer Science. Palgrave, 2001.

35. Clemens Szyperski. Component Software: Beyond Object-Oriented Programming. ACM Press Books. Addison-Wesley, 1999.

36. R. D. Tennent. Correctness of data representations in Algol-like languages. In A. W. Roscoe, editor, A Classical Mind: Essays Dedicated to C. A. R. Hoare. Prentice-Hall, 1994.
