Electronic Notes in Theoretical

URL: http://www.elsevier.nl/locate/entcs/volume.html pages

Weak Behavioral Subtyping for Types with Mutable Objects

Krishna Kishore Dhara and Gary T. Leavens

Department of Computer Science, Atanasoff Hall
Iowa State University, Ames, Iowa, USA
dhara@cs.iastate.edu and leavens@cs.iastate.edu

Abstract

This paper studies the question of when one abstract data type (ADT) is a behavioral subtype of another and proposes a model-theoretic notion of weak behavioral subtyping. Weak behavioral subtyping permits supertype abstraction to be a sound and modular reasoning principle in a language with mutation and limited forms of aliasing. The necessary restrictions on aliasing can be statically checked. Weak behavioral subtyping allows types with mutable objects to be subtypes of types with immutable objects.

Introduction

Subtyping is a fundamental semantic concept in object-oriented (OO) languages. In this paper we study behavioral subtyping: when one ADT's objects act like those of another. Knowing the conditions on behavioral subtyping is important for guiding the design of ADTs. It is also critical for proving the soundness of logics for OO program verification.

Previous work on the model theory of behavioral subtyping has not allowed mutation and aliasing. But mutation and aliasing are important in practical OO programming, and many types occurring in practice have objects with mutable (time-varying) state. Although it is possible to imagine an OO language where aliasing is eliminated entirely, existing OO languages do permit aliasing. Unlike Liskov and Wing, we do not allow arbitrary aliasing, but instead seek a middle ground that permits more behavioral subtype relationships.

The purpose of our study is ultimately to show how to reason in a modular fashion about OO programs. By modular reasoning we mean reasoning such that conclusions about unchanged code remain valid when new behavioral subtypes are added to a program. One modular reasoning technique is supertype abstraction, in which one reasons about the effects of method sends using the properties of the static types of the subexpressions. The purpose and justification of a definition of behavioral subtyping is that it makes supertype abstraction sound.

This work was supported in part by the National Science Foundation under Grant CCR

© Elsevier Science B.V. Open access under CC BY-NC-ND license.

Dhara and Leavens

Our technical approach to showing that a definition of behavioral subtyping makes supertype abstraction sound is to capture the conclusions of reasoning via supertype abstraction in a set of expected behaviors. Behaviors that might occur because of subtyping are called surprising if they fall outside this set. Thus showing that a definition of behavioral subtype is adequate means showing that no surprising behavior is possible when subtyping relationships are required to satisfy the definition.

In this paper we define weak behavioral subtyping. This definition is weaker than either of Liskov and Wing's definitions because it allows types with mutable objects (hereinafter mutable types) to be subtypes of immutable types. We sketch the semantics of a programming language with the necessary aliasing control and show that weak behavioral subtyping is adequate in the sense described above. Finally we discuss related work and present some conclusions. In this paper we do not present the model theory of stronger definitions of behavioral subtyping.

The Problem

Reasoning problem with behavioral subtyping and aliasing

The following example motivates reasoning problems with behavioral subtyping. Consider the types BoolSeq and StoreBool with the following methods. The type BoolSeq is a type of boolean sequences which has only immutable objects. The messages one can send to a BoolSeq are the following:

method fetch(s: BoolSeq, i: Int): Bool
method update(s: BoolSeq, i: Int, b: Bool): BoolSeq

The update method produces a new object which has the same state as the argument s, except that in the i-th position it contains b.

The type StoreBool has mutable objects. It has the following methods. (A return type of Void indicates that no result of any useful type is returned.)

method fetch(s: StoreBool, i: Int): Bool
method store(s: StoreBool, i: Int, b: Bool): Void

There is no subtype relationship between BoolSeq and StoreBool. Suppose we wish to reason about the part of a program, which we will call an observation, in which the following variables are available:

bseq: BoolSeq; storb: StoreBool; b: Bool

The observation itself consists of a variable declaration and three commands; the declaration names a variable that will be the output of the observation. The messages not and equal have their standard meaning for Bool arguments.

output: Bool;
b := fetch(bseq, );
store(storb, , not(b));
output := equal(b, fetch(bseq, ))

What is the expected set of possible values for output in the above observation? The expected set depends on three points:

Whether one's reasoning technique permits one to assume that identifiers of unrelated types, such as BoolSeq and StoreBool, cannot be directly aliased.

Whether bseq and storb can be aliases for the same object.

The notion of behavioral subtyping allowed.

These three points are not completely independent. Using Liskov and Wing's definitions of behavioral subtype, BoolSeq and StoreBool cannot have a common subtype, because BoolSeq objects are immutable and thus a common subtype would have to violate a history constraint or would have a mutator corresponding to store that could not be explained. So using Liskov and Wing's definition prohibits bseq and storb from being directly aliased. If bseq and storb cannot be directly aliased, the set of expected results would be {true}.

If one's reasoning technique forces one to think about a case where bseq and storb might be directly aliased, then the set of expected results depends on the notion of behavioral subtyping used. If one had a weaker notion of behavioral subtyping than Liskov and Wing's, then it might be possible for BoolSeq and StoreBool to have a common subtype with mutable objects. Then bseq and storb could be directly aliased, and so presumably the set of expected results for the observation above would be {true, false}. We have not explored such reasoning techniques, which were suggested to us by Ian Maung. However, because objects of type BoolSeq are immutable and the call of a mutator (store) is used in the program, it is difficult to imagine the specification of a most general common subtype of BoolSeq and StoreBool. Another problem we see is that, psychologically, programmers would tend to think that because bseq is immutable the only possible result would be true, without considering aliasing. Thus such a reasoning technique might be error-prone if used informally. We leave the investigation of such a reasoning technique, and adequate notions of behavioral subtyping for it, as an open problem.

The remaining case is where one's reasoning technique permits one to assume that identifiers of unrelated types cannot be directly aliased. Clearly, in this case such an assumption has to be enforced. If it is, then the set of expected results of the observation above is {true}. However, in this case there is still the possibility that BoolSeq and StoreBool have a common subtype. Allowing common subtypes such as MutableBSeq would have a great practical benefit. That benefit, however, should be weighed against any restrictions on aliasing.

Thus our problem is twofold: to define a notion of behavioral subtyping that is weaker than Liskov and Wing's, and to state restrictions on aliasing such that it is adequate for reasoning. We refer to our notion of subtyping as weak behavioral subtyping.

Reasoning with weak behavioral subtyping

By reasoning we mean model-based reasoning with supertype abstraction and with the assumption that identifiers of unrelated types cannot be directly aliased. For the soundness of such reasoning techniques, the notion of weak behavioral subtyping should prevent unexpected behavior when subtype objects are manipulated according to specifications of their supertypes.

As an example, suppose we wish to reason about an observation of the following variables:

bseq: BoolSeq; b: Bool

The observation itself is as follows, where again the declaration gives the output variable for the observation.

output: Bool;
b := fetch(bseq, );
update(bseq, , not(b));
output := equal(fetch(bseq, ), b)

Reasoning at the static types in the above observation, one would obtain the set of expected results (values for output) to be {true}.

Consider a new type DestructBSeq which responds to the same set of methods as BoolSeq, but such that the method update for DestructBSeq mutates its first argument. The question is: can DestructBSeq be a weak behavioral subtype of BoolSeq?

If DestructBSeq were to be a weak behavioral subtype of BoolSeq, then one could have a state where bseq denotes an object of type DestructBSeq. The set of results of the above observation in such a state is {false}, which is an unexpected result. This unexpected behavior makes reasoning techniques based on supertype abstraction unsound. Hence DestructBSeq cannot be a weak behavioral subtype of BoolSeq. We consider soundness of supertype abstraction as an important criterion for defining weak behavioral subtype relations, and show a "no surprises" result which guarantees expected behavior.

The Language INST and its Semantics

Our model-theoretic approach to solving this problem was described above. To carry out this approach, and to give the reader a concrete picture of the kind of languages to which our results apply, we define an OO programming language and enforce the necessary aliasing constraints in the language. The language used in this paper, INST, is a multimethod language with an abstract syntax given in Fig. The instance variable assignment command I.I := E, the object creation new I(E*), and the instance variable access I.I expressions can only be used directly within methods; they cannot be written in the main procedure M. This provides a simple form of information hiding. For simplicity, INST does not distinguish between types and classes. To allow access to the instance variables of method formals, INST does not allow subtype arguments to methods. This is a simplification that avoids treating inheritance. It also would force programmers to define a unique method for each combination of the types of arguments.

Abstract syntax

P ∈ Program, TD ∈ TypeDecl, T ∈ TypeName, MD ∈ MethDecl,
F ∈ Formal, B ∈ Body, M ∈ MainProc, C ∈ Command,
E ∈ Expression, D ∈ Decl, A ∈ AliasDecl

P  ::= TD* MD* M
TD ::= type I subtype of {T*} instance variables D end
T  ::= I
MD ::= method I(F*): T A is B
F  ::= I: T
A  ::= | may alias I* or T*
B  ::= D* C return E
M  ::= main observe D C by D C
D  ::= | I: T; D
E  ::= N | nothing | true | false | I | I(E*) | new I(E*) | I.I
C  ::= E | if E then C else C fi | I := E | C; C | I.I := E

Fig. Abstract Syntax of INST. The nonterminal I is a variable and N a number. TD* is a sequence of zero or more TDs, with separators in concrete examples.

Figure gives a sample program in INST. For the sake of brevity we do not present all the method declarations for BoolSeq, StoreBool, MutablePair and MutableBSeq. The method greater illustrates the may alias construct in INST. The alias component of the method greater states that the result is aliased to the second argument p or to a variable of type MutablePair. More details on aliasing are provided later.

Method dispatching in INST is dynamic in the sense that method lookup does not depend on the static types of variables, but depends on the dynamic types of objects. For example, in Fig. the expression fetch(bseq, ) invokes the fetch method for MutableBSeq, because bseq denotes a MutableBSeq object, even though the static type of bseq is BoolSeq. Therefore INST is a multimethod language.

Denotational Semantics

For various technical reasons we use a split semantics for INST. That is, the meaning of a program is given in two parts: the type and method declarations are compiled into a signature and an algebra over that signature, and the meaning of the main procedure uses conventional denotational techniques. The meaning functions for declarations, commands and expressions take the algebra as an argument.

type BoolSeq subtype of {}
  instance variables fst: Bool; snd: Bool; thd: Bool end
type StoreBool subtype of {}
  instance variables one: Bool; two: Bool; three: Bool end
type MutablePair subtype of {}
  instance variables x: Bool; y: Bool end
type MutableBSeq subtype of {StoreBool, BoolSeq}
  instance variables hd: Bool; tl: MutablePair end

method mkBoolSeq(): EmptySeq
is bseq: BoolSeq;
   bseq := new BoolSeq(); set_fst(bseq, false);
   set_snd(bseq, false); set_thd(bseq, false);
   return bseq

method fetch(s: BoolSeq, i: Int): Bool
is result: Bool;
   if equal(i, ) then result := s.fst
   else if equal(i, ) then result := s.snd
   else result := s.thd fi fi;
   return result

method mkMutableBseq(): MutableBseq
is mb: MutableBSeq; p: MutablePair;
   mb := new MutableBseq(); p := new MutablePair();
   set_x(p, false); set_y(p, false);
   set_hd(mb, false); set_tl(mb, p);
   return mb

method greater(mb: MutableBSeq, p: MutablePair): MutablePair
  may alias p or Pair
is result: Pair;
   if less(mb.tl, p) then result := p else result := mb.tl fi;
   return result

main observe
  bseq: BoolSeq; b: Bool;
  bseq := mkMutableBSeq();
  b := fetch(bseq, )
by
  output: Bool;
  update(bseq, , not(b));
  output := equal(fetch(bseq, ), b)

Fig. Part of a sample program in INST. The set of expected results (the possible values for output) should be {true}.

For purposes of this paper, in which we define observations that may observe states over algebras, the main procedure M has a strange syntax. It consists of two sequences of declarations and commands. The reason for splitting the main procedure in this way is to indicate in what part supertype abstraction is used. Supertype abstraction would be used to reason about the part of the main procedure following the keyword by, which thus defines an observation of the state constructed by the first part. The meaning of the second part is technically a function from algebras to observations of states over algebras. To get the results of a program, one passes the algebra and state constructed by the declarations and the first part of the main procedure to the observation obtained by the second part of the main procedure.

The semantics of a program is shown formally below. Most of the notation has not been discussed yet, but it seemed helpful to show the valuation function for programs before launching into the details. Nonstandard notations not explained in this paragraph will be explained further below. The signature $\Sigma_{\mathit{INST}}$ and the $\Sigma_{\mathit{INST}}$-algebra $A_{\mathit{INST}}$ give the signature and semantics of the visible types (see Figures and in ). The valuation function for type declaration sequences, $\mathcal{TD}$, adds to the signature and algebra primitive operations for each type declared; these primitive operations are used by the semantics of expressions and commands for creating objects and for accessing their instance variables. Once $\mathcal{MD}$ has processed all the method declarations, these primitive methods are suppressed. A signature without the primitive operation symbols is produced by $\mathit{hideInternalMessages}$. The notation $A|_{\mathit{hideInternalMessages}(\Sigma)}$ is the reduct of $A$ without these primitives.

$$
\begin{aligned}
&\mathcal{P} : \mathit{Program} \to (\mathit{SIGS} \times \mathit{ALG} \times \mathit{TENV} \times \mathit{STATE} \times (\mathit{ALG} \to \mathit{OBS}))\\
&\mathcal{P}[\![\,TD^*\ MD^*\ M\,]\!] = \\
&\quad \mathbf{let}\ (\Sigma_1, A_1) = \mathcal{TD}[\![TD^*]\!](\Sigma_{\mathit{INST}}, A_{\mathit{INST}})\ \mathbf{in}\\
&\quad \mathbf{let}\ (\Sigma_2, A_2) = \mathcal{MD}[\![MD^*]\!](\Sigma_1, A_1)\ \mathbf{in}\\
&\quad \mathbf{let}\ (\Sigma_3, A_3) = (\mathit{hideInternalMessages}(\Sigma_2),\ A_2|_{\mathit{hideInternalMessages}(\Sigma_2)})\ \mathbf{in}\\
&\quad \mathbf{let}\ (H, s, f) = \mathcal{M}[\![M]\!]\ \Sigma_3\ A_3\ \mathbf{in}\ (\Sigma_3, A_3, H, s, f)
\end{aligned}
$$


Due to lack of space, we do not give the details of the semantics of type and method declarations. Instead we define the signatures and algebras that they denote, and then turn to the semantics of expressions, declarations, commands and the main procedure.

To define observations we fix a set of the visible (or built-in) types $\mathit{VIS} = \{\mathit{Int}, \mathit{Bool}\}$. The externally visible values of these types are $\mathit{EXTERNALS}_{\mathit{Bool}} \stackrel{\mathrm{def}}{=} \{\mathit{true}, \mathit{false}\}$ and $\mathit{EXTERNALS}_{\mathit{Int}} \stackrel{\mathrm{def}}{=} \{\ldots\}$.

Signatures are roughly as in Reynolds's category sorted algebras, with the addition of information about aliasing that is used in our static restrictions on aliasing.

Definition (SIGS, signature). The set SIGS consists of all signatures $\Sigma$, which are tuples $(\mathit{TYPES}, \le, \mathit{OPS}, \mathit{ResType}, \mathit{RetAlias})$ such that:

- $\mathit{TYPES}$ is a set of type symbols such that $\mathit{VIS} \subseteq \mathit{TYPES}$ and $\mathit{Void} \in \mathit{TYPES}$;
- $\le$ is a preorder on $\mathit{TYPES}$ such that if $S \le T$ and $T \in \mathit{VIS}$ then $S = T$;
- $\mathit{OPS}$ is a family of sets of operation symbols indexed by the natural numbers;
- $\mathit{ResType}$ is a family of partial functions indexed by the natural numbers such that for each natural number $n$, $\mathit{ResType}_n : \mathit{OPS}_n \times \mathit{TYPES}^n \rightharpoonup \mathit{TYPES}$, and $\mathit{ResType}_n$ is monotone. That is, for all $g \in \mathit{OPS}_n$ and for all tuples of types $S^* \le T^*$, if $\mathit{ResType}_n(g, T^*)$ is defined, then $\mathit{ResType}_n(g, S^*)$ is defined and $\mathit{ResType}_n(g, S^*) \le \mathit{ResType}_n(g, T^*)$;
- $\mathit{RetAlias}$ limits the types of variables that may be directly aliased to the result of a method, based on the types of variables aliased to the actuals. $\mathit{RetAlias}$ is a family of partial functions indexed by the natural numbers such that for each natural number $n$, $\mathit{RetAlias}_n : \mathit{OPS}_n \times \mathit{TYPES}^n \rightharpoonup (\mathit{PowerSet}(\mathit{TYPES})^n \to \mathit{PowerSet}(\mathit{TYPES}))$.

To simplify notation we usually write $g \in \mathit{OPS}$ as shorthand for $g \in \bigcup_{n \in \mathit{Nat}} \mathit{OPS}_n$. Similarly we write $\mathit{ResType}$ for $\bigcup_n \mathit{ResType}_n$ and $\mathit{RetAlias}$ for $\bigcup_n \mathit{RetAlias}_n$.

As an example, Fig. gives a part of the signature for the INST program in Fig. The RetAlias function in Fig. gives the alias relation between the arguments and the result for each operation. Recall that the method greater returns either a direct alias to its second argument or a direct alias to an instance variable of type MutablePair. This is captured in the RetAlias function for greater.

Our models of abstract types with mutable objects are algebraic. Objects are modeled by typed locations containing values, which may in turn contain locations. We define algebras and stores simultaneously because the operations of an algebra take and return a store.

Definition (ALG($\Sigma$), algebra, STORE). The set $\mathit{ALG}(\Sigma)$ consists of all $\Sigma$-algebras

$$A = (\mathit{SORTS}^A, \mathit{LOCS}^A, \mathit{ObjectTypes}^A, \mathit{VALS}^A, \mathit{TtoS}^A, \mathit{OPS}^A, \mathit{externVal}^A)$$

such that:

- $\mathit{SORTS}^A \supseteq \mathit{TYPES}$ is a set of sort symbols;
- $\mathit{LOCS}^A$ is a family of sets indexed by $\mathit{ObjectTypes}^A$, representing typed locations;
- $\mathit{ObjectTypes}^A \subseteq \mathit{SORTS}^A$ is the set of object type symbols;

$$
\begin{aligned}
\mathit{TYPES} &\stackrel{\mathrm{def}}{=} \{\mathit{Bool}, \mathit{Int}, \mathit{Void}, \mathit{BoolSeq}, \mathit{StoreBool}, \mathit{MutablePair}, \mathit{MutableBSeq}\}\\
\le &\stackrel{\mathrm{def}}{=} \{(T, T) \mid T \in \mathit{TYPES}\} \cup \{(\mathit{MutableBSeq}, \mathit{BoolSeq}),\ (\mathit{MutableBSeq}, \mathit{StoreBool})\}\\
\mathit{OPS} &\stackrel{\mathrm{def}}{=} \{\mathit{true}, \ldots, \mathit{fetch}, \ldots, \mathit{greater}, \ldots\}\\[1ex]
\mathit{ResType}(\mathit{true}, ()) &= \mathit{Bool}\\
\mathit{ResType}(\mathit{fetch}, (\mathit{BoolSeq}, \mathit{Int})) &= \mathit{Bool}\\
\mathit{ResType}(\mathit{fetch}, (\mathit{MutableBSeq}, \mathit{Int})) &= \mathit{Bool}\\
\mathit{ResType}(\mathit{greater}, (\mathit{MutableBSeq}, \mathit{MutablePair})) &= \mathit{MutablePair}\\[1ex]
\mathit{RetAlias}(\mathit{true}, ())() &= \{\}\\
\mathit{RetAlias}(\mathit{fetch}, (\mathit{BoolSeq}, \mathit{Int}))(\mathit{arg}_1, \mathit{arg}_2) &= \{\}\\
\mathit{RetAlias}(\mathit{fetch}, (\mathit{MutableBSeq}, \mathit{Int}))(\mathit{arg}_1, \mathit{arg}_2) &= \{\}\\
\mathit{RetAlias}(\mathit{greater}, (\mathit{MutableBSeq}, \mathit{MutablePair}))(\mathit{arg}_1, \mathit{arg}_2) &= \mathit{arg}_2 \cup \{\mathit{MutablePair}\}
\end{aligned}
$$

Fig. Part of the signature $\Sigma$ for the INST program given in Figure.

- $\mathit{VALS}^A$ is a family of abstract values indexed by $\mathit{SORTS}^A$ such that for each $T \in \mathit{ObjectTypes}^A$, $\mathit{LOCS}^A_T \subseteq \mathit{VALS}^A_T$;
- $\mathit{TtoS}^A : \mathit{ObjectTypes}^A \to \mathit{SORTS}^A$ is a function that gives a sort symbol for each object type symbol;
- $\mathit{OPS}^A$ is a family of operation interpretations indexed by the natural numbers, such that for each $n \in \mathit{Nat}$ and $g \in \mathit{OPS}_n$ there is a polymorphic partial function $g^A \in \mathit{OPS}^A_n$, where for each $S^* \in \mathit{TYPES}^n$ and $T \in \mathit{TYPES}$, if $\mathit{ResType}(g, S^*) = T$ then $g^A$ satisfies
$$g^A : \mathit{VALS}^A_{S^*} \times \mathit{STORE}(A) \rightharpoonup \Big(\bigcup_{U \le T} \mathit{VALS}^A_U\Big) \times \mathit{STORE}(A);$$
- $\mathit{externVal}^A$ is a family of functions indexed by $\mathit{VIS}$ such that for each $T \in \mathit{VIS}$, $\mathit{externVal}^A_T : \mathit{VALS}^A_T \times \mathit{STORE}(A) \to \mathit{EXTERNALS}_T$;

and $\mathit{STORE}(A) \stackrel{\mathrm{def}}{\subseteq} \mathit{LOCS}^A \rightharpoonup \mathit{VALS}^A$ is such that if $\sigma \in \mathit{STORE}(A)$, $l \in \mathrm{dom}(\sigma)$ and $l \in \mathit{LOCS}^A_T$, then $\sigma(l) \in \bigcup_{U \le T} \mathit{VALS}^A_{\mathit{TtoS}(U)}$.

$$
\begin{aligned}
\mathit{SORTS}^A &\stackrel{\mathrm{def}}{=} \mathit{TYPES} \cup \{\mathit{VarT} \mid T \in \mathit{TYPES}\} \cup \{\mathit{sortForBoolSeq}, \mathit{sortForStoreBool}, \mathit{sortForMutablePair}, \mathit{sortForMutableBSeq}\}\\
\mathit{ObjectTypes}^A &\stackrel{\mathrm{def}}{=} \{\mathit{VarT} \mid T \in \mathit{TYPES}\} \cup \{\mathit{BoolSeq}, \mathit{MutableBSeq}, \mathit{StoreBool}, \mathit{MutablePair}\}\\
\mathit{LOCS}^A_T &\stackrel{\mathrm{def}}{=} \{l^T_i \mid i \in \mathit{Nat}\} \quad \text{for each } T \in \mathit{ObjectTypes}^A\\
\mathit{VALS}^A_{\mathit{Int}} &\stackrel{\mathrm{def}}{=} \mathit{VALS}_{\mathit{Int}}\\
\mathit{VALS}^A_{\mathit{sortForBoolSeq}} &\stackrel{\mathrm{def}}{=} \{(v_{\mathit{fst}}, v_{\mathit{snd}}, v_{\mathit{thd}}) \mid v_{\mathit{fst}}, v_{\mathit{snd}}, v_{\mathit{thd}} \in \mathit{VALS}^A_{\mathit{Bool}}\}\\
\mathit{VALS}^A_{\mathit{sortForMutableBSeq}} &\stackrel{\mathrm{def}}{=} \{(v_h, l_t) \mid v_h \in \mathit{VALS}^A_{\mathit{Bool}},\ l_t \in \mathit{LOCS}^A_{\mathit{MutablePair}}\}
\end{aligned}
$$

Type to Sort Mapping $\mathit{TtoS}^A$:

$$
\begin{aligned}
\mathit{VarT} &\mapsto T \quad (T \in \mathit{TYPES})\\
\mathit{BoolSeq} &\mapsto \mathit{sortForBoolSeq}\\
\mathit{StoreBool} &\mapsto \mathit{sortForStoreBool}\\
\mathit{MutablePair} &\mapsto \mathit{sortForMutablePair}\\
\mathit{MutableBSeq} &\mapsto \mathit{sortForMutableBSeq}
\end{aligned}
$$

$$
\begin{aligned}
\mathit{externVal}^A_{\mathit{Bool}}(v, \sigma) &\stackrel{\mathrm{def}}{=} v\\
\mathit{externVal}^A_{\mathit{Int}}(v, \sigma) &\stackrel{\mathrm{def}}{=} v
\end{aligned}
$$

Fig. Components (part ) of a $\Sigma$-algebra $A$ for the INST program in Fig.

We write $l : T$ as an abbreviation for $l \in \mathit{LOCS}^A_T$. Fig. and Fig. give part of the algebra $A$ corresponding to the program in Fig.

The set $\mathit{TENV}(\Sigma)$ of type environments over a signature $\Sigma$ is defined by $\mathit{TENV}(\Sigma) = \mathit{Identifier} \rightharpoonup \mathit{TYPES}$. Let $H$ stand for a type environment below.

A state consists of an environment and a store. The set $\mathit{ENV}_H(A)$ of $H$-environments over $A$ is the set of all mappings $\eta : \mathit{Identifier} \rightharpoonup \mathit{LOCS}^A$ such that for every $T \in \mathit{TYPES}$, if $H(x) = T$ then $x \in \mathrm{dom}(\eta)$ and $\eta(x) \in \mathit{LOCS}^A_T$. The set $\mathit{STATE}_H(A)$ of $H$-states over $A$ is defined by $\mathit{STATE}_H(A) \stackrel{\mathrm{def}}{=} \mathit{ENV}_H(A) \times \mathit{STORE}(A)$. We write $\mathit{ENV}(A)$ for $\bigcup_{H \in \mathit{TENV}(\Sigma)} \mathit{ENV}_H(A)$ and $\mathit{STATE}(A)$ for $\mathit{ENV}(A) \times \mathit{STORE}(A)$.

$\mathit{OPS}^A$:

$$
\begin{aligned}
&\mathit{add}^A(v_1, v_2, \sigma) \stackrel{\mathrm{def}}{=} (v_1 + v_2,\ \sigma)\\[1ex]
&\mathit{fetch}^A_{(\mathit{BoolSeq}, \mathit{Int})}(l, v, \sigma) \stackrel{\mathrm{def}}{=} \mathbf{let}\ (f, s, t) = \sigma(l)\ \mathbf{in}\\
&\qquad \mathbf{if}\ \mathit{equal}^A_{\mathit{Int}}(v,\ )\ \mathbf{then}\ (f, \sigma)\\
&\qquad \mathbf{else\ if}\ \mathit{equal}^A_{\mathit{Int}}(v,\ )\ \mathbf{then}\ (s, \sigma)\\
&\qquad \mathbf{else}\ (t, \sigma)\\[1ex]
&\mathit{fetch}^A_{(\mathit{MutableBSeq}, \mathit{Int})}(l, v, \sigma) \stackrel{\mathrm{def}}{=} \mathbf{let}\ (f, l_{st}) = \sigma(l)\ \mathbf{in}\\
&\qquad \mathbf{if}\ \mathit{equal}^A_{\mathit{Int}}(v,\ )\ \mathbf{then}\ (f, \sigma)\\
&\qquad \mathbf{else\ if}\ \mathit{equal}^A_{\mathit{Int}}(v,\ )\ \mathbf{then}\ \mathit{fst}^A(l_{st}, \sigma)\\
&\qquad \mathbf{else}\ \mathit{snd}^A(l_{st}, \sigma)
\end{aligned}
$$

Fig. Components (part ) of a $\Sigma$-algebra $A$ for the INST program in Fig.

Definition (nominal state). A $H$-state $(\eta, \sigma)$ is nominal if and only if $\sigma$ is nominal. A store $\sigma \in \mathit{STORE}(A)$ is nominal if and only if for all locations $l : T \in \mathrm{dom}(\sigma)$, $\sigma(l) \in \mathit{VALS}^A_T$.

The main procedure $M$ returns a type environment, a state and a function from algebras to observations. This function is defined by the second half of the main procedure. An observation takes a state, such as the one produced by the first half of the main procedure, and prints the values of the variables in $D_2$. $H$-observations are defined as follows:

$$
\begin{aligned}
\mathit{OBS}_H(A) &\stackrel{\mathrm{def}}{=} \mathit{STATE}_H(A) \to \mathit{ANSWERS}\\
\mathit{ANSWERS} &\stackrel{\mathrm{def}}{=} \mathit{Identifier} \rightharpoonup \mathit{EXTERNALS}
\end{aligned}
$$

The variables declared in $D_2$ must have visible type. This condition is checked by $\mathit{typeEnvAndCheckVisible}$, which produces a type environment if they are visible and $\bot$ otherwise.

To simplify notation we omit $\Sigma$ from $\mathit{ALG}(\Sigma)$, and we write $\mathit{ALG}$ for the family $\bigcup_{\Sigma \in \mathit{SIGS}} \mathit{ALG}(\Sigma)$. Similarly we use $\mathit{TENV}$ for $\mathit{TENV}(\Sigma)$, $\mathit{STORE}$ for $\mathit{STORE}(A)$, $\mathit{ENV}$ for $\mathit{ENV}_H(A)$, $\mathit{STATE}$ for $\mathit{STATE}_H(A)$ and $\mathit{OBS}$ for $\mathit{OBS}_H(A)$. However, for a type like that of $\mathcal{M}$ below, it should be understood that if $\Sigma$ is the signature passed to $\mathcal{M}$ then the algebra $A$ passed to $\mathcal{M}$ must be a $\Sigma$-algebra. Similarly, the type environments, states and observations will also match.

$$
\begin{aligned}
&\mathcal{M} : \mathit{SIGS} \to \mathit{MainProc} \to \mathit{ALG} \to (\mathit{TENV} \times \mathit{STATE} \times (\mathit{ALG} \to \mathit{OBS}))\\
&\mathcal{M}[\![\,\mathbf{main\ observe}\ D_1\ C_1\ \mathbf{by}\ D_2\ C_2\,]\!]\ \Sigma\ A = \\
&\quad \mathbf{let}\ H_1 = \mathit{typeEnv}(D_1)\ \mathbf{in}\\
&\quad \mathbf{let}\ (\eta_1, \sigma_1) = \mathcal{D}[\![D_1]\!]\ \Sigma\ A\ (\mathit{emptyEnviron}, \mathit{emptyStore})\ \mathbf{in}\\
&\quad \mathbf{let}\ \sigma_1' = \mathcal{C}[\![C_1]\!]\ \Sigma\ A\ (\eta_1, \sigma_1)\ \mathbf{in}\\
&\quad \mathbf{let}\ H_2 = \mathit{typeEnvAndCheckVisible}(D_2)\ \mathbf{in}\\
&\quad \mathbf{let}\ f = \lambda B.\ \lambda (\eta_B, \sigma_B).\\
&\qquad\quad \mathbf{let}\ (\eta_B', \sigma_B') = \mathcal{D}[\![D_2]\!]\ \Sigma\ B\ (\eta_B, \sigma_B)\ \mathbf{in}\\
&\qquad\quad \mathbf{let}\ \sigma_B'' = \mathcal{C}[\![C_2]\!]\ \Sigma\ B\ (\eta_B', \sigma_B')\ \mathbf{in}\\
&\qquad\quad \lambda I.\ \mathbf{let}\ T = H_2(I)\ \mathbf{in}\ \mathit{externVal}^B_T(\sigma_B''(\eta_B'(I)), \sigma_B'')\\
&\quad \mathbf{in}\ (H_1, (\eta_1, \sigma_1'), f)
\end{aligned}
$$

For a given signature $\Sigma$, an expression has a meaning which depends on a $\Sigma$-algebra. We do not show the semantics for the expressions of the form new I(E*) or I.I, because these cannot occur in the main procedure and so play no role in defining observations.

$$
\begin{aligned}
&\mathcal{E} : \mathit{SIGS} \to \mathit{Expression} \to \mathit{ALG} \to \mathit{STATE} \to (\mathit{VALS} \times \mathit{STORE})\\
&\mathcal{E}[\![N]\!]\ \Sigma\ A\ (\eta, \sigma) = (\mathcal{N}[\![N]\!]\ A,\ \sigma)\\
&\mathcal{E}[\![\mathbf{nothing}]\!]\ \Sigma\ A\ (\eta, \sigma) = (\mathit{nothing}^A, \sigma)\\
&\mathcal{E}[\![\mathbf{true}]\!]\ \Sigma\ A\ (\eta, \sigma) = (\mathit{true}^A, \sigma)\\
&\mathcal{E}[\![\mathbf{false}]\!]\ \Sigma\ A\ (\eta, \sigma) = (\mathit{false}^A, \sigma)\\
&\mathcal{E}[\![I]\!]\ \Sigma\ A\ (\eta, \sigma) = \mathbf{let}\ v = \sigma(\eta(I))\ \mathbf{in}\ (v, \sigma)\\
&\mathcal{E}[\![I(E^*)]\!]\ \Sigma\ A\ (\eta, \sigma) = \mathbf{let}\ (v^*, \sigma') = \mathcal{E}^*[\![E^*]\!]\ \Sigma\ A\ (\eta, \sigma)\ \mathbf{in}\ I^A(\mathit{productize}(v^*, \sigma'))\\[1ex]
&\mathcal{E}^* : \mathit{SIGS} \to \mathit{ExpressionList} \to \mathit{ALG} \to \mathit{STATE} \to (\mathit{List}(\mathit{VALS}^A) \times \mathit{STORE}(A))\\
&\mathcal{E}^*[\![\ ]\!]\ \Sigma\ A\ (\eta, \sigma) = (\mathit{nil}, \sigma)\\
&\mathcal{E}^*[\![E_1 \ldots E_n]\!]\ \Sigma\ A\ (\eta, \sigma) = \mathbf{let}\ (v_1, \sigma_1) = \mathcal{E}[\![E_1]\!]\ \Sigma\ A\ (\eta, \sigma)\ \mathbf{in}\ \ldots\\
&\qquad \mathbf{let}\ (v_n, \sigma_n) = \mathcal{E}[\![E_n]\!]\ \Sigma\ A\ (\eta, \sigma_{n-1})\ \mathbf{in}\ (\mathit{addToEnd}(v_1, \ldots, v_n),\ \sigma_n)
\end{aligned}
$$

The semantics of commands is straightforward. Assignment binds variable locations to objects or values.

$$
\begin{aligned}
&\mathcal{C} : \mathit{SIGS} \to \mathit{Command} \to \mathit{ALG} \to \mathit{STATE} \to \mathit{STORE}\\
&\mathcal{C}[\![E]\!]\ \Sigma\ A\ (\eta, \sigma) = \mathbf{let}\ (v, \sigma') = \mathcal{E}[\![E]\!]\ \Sigma\ A\ (\eta, \sigma)\ \mathbf{in}\ \sigma'\\
&\mathcal{C}[\![C_1; C_2]\!]\ \Sigma\ A\ (\eta, \sigma) = \mathbf{let}\ \sigma_1 = \mathcal{C}[\![C_1]\!]\ \Sigma\ A\ (\eta, \sigma)\ \mathbf{in}\ \mathcal{C}[\![C_2]\!]\ \Sigma\ A\ (\eta, \sigma_1)\\
&\mathcal{C}[\![\mathbf{if}\ E\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2\ \mathbf{fi}]\!]\ \Sigma\ A\ (\eta, \sigma) = \\
&\qquad \mathbf{let}\ (v, \sigma') = \mathcal{E}[\![E]\!]\ \Sigma\ A\ (\eta, \sigma)\ \mathbf{in}\\
&\qquad \mathbf{if}\ \mathit{externVal}^A_{\mathit{Bool}}(v, \sigma')\ \mathbf{then}\ \mathcal{C}[\![C_1]\!]\ \Sigma\ A\ (\eta, \sigma')\ \mathbf{else}\ \mathcal{C}[\![C_2]\!]\ \Sigma\ A\ (\eta, \sigma')\\
&\mathcal{C}[\![I := E]\!]\ \Sigma\ A\ (\eta, \sigma) = \\
&\qquad \mathbf{let}\ H\ \text{be such that}\ (\eta, \sigma) \in \mathit{STATE}_H(A)\ \mathbf{in}\\
&\qquad \mathbf{let}\ (v, \sigma') = \mathcal{E}[\![E]\!]\ \Sigma\ A\ (\eta, \sigma)\ \mathbf{in}\\
&\qquad \mathbf{if}\ v \notin \bigcup_{U \le H(I)} \mathit{VALS}^A_U\ \mathbf{then}\ \bot\ \mathbf{else}\ \sigma'[\eta(I) \mapsto v]
\end{aligned}
$$

Declarations bind variables to variable locations. The $\mathit{nextFree}(T, \sigma)$ function in the meaning of a declaration returns the next free location of type $T$ in a given store.

$$
\begin{aligned}
&\mathcal{D} : \mathit{SIGS} \to \mathit{Decl} \to \mathit{ALG} \to \mathit{STATE} \to \mathit{STATE}\\
&\mathcal{D}[\![\ ]\!]\ \Sigma\ A\ s = s\\
&\mathcal{D}[\![I : T]\!]\ \Sigma\ A\ (\eta, \sigma) = \mathbf{let}\ T' = \mathcal{T}[\![T]\!]\ \mathbf{in}\\
&\qquad \mathbf{let}\ l = \mathit{nextFree}(\mathit{VarT'}, \sigma)\ \mathbf{in}\ (\eta[I \mapsto l],\ \sigma)\\
&\mathcal{D}[\![D_1; D_2]\!]\ \Sigma\ A\ s = \mathcal{D}[\![D_2]\!]\ \Sigma\ A\ (\mathcal{D}[\![D_1]\!]\ \Sigma\ A\ s)
\end{aligned}
$$

The semantics of bodies of methods will also be used to help define the restrictions on aliasing. The type of a body $B$ is the type of the return expression.

$$
\begin{aligned}
&\mathcal{B} : \mathit{SIGS} \to \mathit{Body} \to \mathit{ALG} \to \mathit{STATE} \to (\mathit{VALS} \times \mathit{STORE})\\
&\mathcal{B}[\![D^*\ C\ \mathbf{return}\ E]\!]\ \Sigma\ A\ s = \mathbf{let}\ (\eta, \sigma) = \mathcal{D}[\![D^*]\!]\ \Sigma\ A\ s\ \mathbf{in}\\
&\qquad \mathbf{let}\ \sigma' = \mathcal{C}[\![C]\!]\ \Sigma\ A\ (\eta, \sigma)\ \mathbf{in}\ \mathcal{E}[\![E]\!]\ \Sigma\ A\ (\eta, \sigma')
\end{aligned}
$$

Enforcing Restrictions on Aliasing

For our notion of weak behavioral subtyping to be adequate, we need to prevent direct aliasing between related but distinct types. Since we also want to be able to reason modularly, we need to also prevent direct aliasing between variables of unrelated types, because two unrelated types might at some later time have a common subtype. Thus in this section we define restrictions on aliasing such that variables of different types cannot be directly aliased. We do this by an abstract interpretation of INST programs which conservatively estimates the set of types that may be aliased to each expression result. This set of types is called an alias typeset.

The definitions below are for declarations, commands and expressions that could be executed in the main procedure. For this purpose we define the set MBody as the subset of Body that includes only declarations, commands and expressions that can be written in the main procedure.

A location $l$ is reachable in a $H$-state $s$ over an algebra $A$ if and only if there exists a type $T$ and a body $B \in \mathit{MBody}$ such that $\Sigma, H \vdash B : T$ and $l$ is the value component of $\mathcal{B}[\![B]\!]\ \Sigma\ A\ s$. The notation $\Sigma, H \vdash B : T$ means that, for $\Sigma$ and $H$, $B$ can be proved to have type $T$ using the rules in Fig.

The alias type set of a location in a $H$-state over an algebra is defined by the following:

$$
\mathit{aliasTypeSet}(H, A, l, s) \stackrel{\mathrm{def}}{=} \{\, T \mid T \in \mathit{TYPES},\ \exists B \in \mathit{MBody}.\ \Sigma, H \vdash B : T \ \wedge\ (l, \sigma') = \mathcal{B}[\![B]\!]\ \Sigma\ A\ s \text{ for some } \sigma' \,\}
$$



Since the location returned by mkMutableBSeq in the main procedure in Fig. is not reachable, its alias type set is $\{\}$. However, after executing the assignment command bseq := mkMutableBSeq(), the alias type set of the location will be $\{\mathit{BoolSeq}\}$, because that is the static type of the variable bseq.

If a location's alias type set contains at most one type, then it can only be aliased by variables of the same type. This property is captured by the following:

$$
\mathit{subtypeCheck}(r) \stackrel{\mathrm{def}}{=} \forall S \in r.\ \forall T \in r.\ S = T
$$

Alias legality means that every reachable location has this property.

Definition (alias legality, stAliasOk). Let $A$ be a $\Sigma$-algebra, $H$ be a $\mathit{TENV}(\Sigma)$ and $s \in \mathit{STATE}_H(A)$. Then $s$ is said to be alias legal, written $\mathit{stAliasOk}(H, A, s)$, if and only if for all reachable locations $l$ in $s$,

$$
\mathit{subtypeCheck}(\mathit{aliasTypeSet}(H, A, l, s)).
$$



Figure gives the type and alias checking rules for expressions, declarations and commands that can appear in the main procedure. For expressions, the notation $\Sigma, H \vdash E : T, r$ means $E$ has static type $T$ and $r$ is an upper bound on the alias type set of the result of $E$. The rule for the assignment statement checks that the binding does not produce illegal aliasing. For declarations, $\Sigma, H \vdash D \Rightarrow H'$ means $H'$ is the type environment after elaborating $D$. For methods, the alias type set of the result is declared and compiled into the signature in its $\mathit{RetAlias}$. We do not give the exact rules for method bodies because they are not needed in this paper.

To see the practical implications of our technique for restricting aliasing, it is useful to consider how the property that variables of distinct types are not directly aliased would be established in the body of a method after binding actuals to formals. One option would be to prohibit any direct aliasing among the actuals in a call. This is more restrictive than we need, because aliasing between formals of the same type is not a problem. Instead, we require that the programmer write enough methods so that any call with directly aliased actuals will be handled by a method implementation where the formals corresponding to those actuals have the same type. For example, consider a method foo with two arguments. If the same object is to be passed for both arguments to foo, then the call to foo will be handled by a method which has two formals of the same type as the dynamic type of the object. In a more realistic language with method inheritance, this would force the programmer to write specialized versions of foo having both arguments of the same type, some of which might not otherwise have to be written.

Because we do not work with methods in this paper, and because we work with algebras that may not result from INST programs, we need to impose an equivalent condition: that calling an operation in a $\Sigma$-algebra cannot result in illegal aliases. To prevent illegal aliases in the result state, the $H$-state $s$ that results from a call to $g^A$ must satisfy $\mathit{stAliasOk}(H, A, s)$. To prevent the result itself from being directly aliased with variables of different types, the actual alias type set of the result must be smaller than that declared.

Definition (preserves alias legality). Let $A$ be a $\Sigma$-algebra. Let $H$ be a type environment. Then $A$ preserves alias legality if and only if for each $H$-state $(\eta, \sigma)$ such that $\mathit{stAliasOk}(H, A, (\eta, \sigma))$, for each operation $g \in \mathit{OPS}$, for each tuple of types $S^*$, if $\mathit{RetAlias}(g, S^*)(r^*) = r$, $v^* \in \mathit{VALS}^A_{S^*}$ and $(l, \sigma') = g^A(v^*, \sigma)$, then

$$
\mathit{stAliasOk}(H, A, (\eta, \sigma')) \ \wedge\ \big(l \in \mathit{LOCS}^A \Rightarrow \mathit{aliasTypeSet}(H, A, l, (\eta, \sigma')) \subseteq r\big).
$$

For algebras that preserve alias legality, the alias checking rules are sound.

$$
\begin{aligned}
&[\mathrm{Num}]\ \Sigma, H \vdash N : \mathit{Int}, \{\}\qquad
[\mathrm{nothing}]\ \Sigma, H \vdash \mathbf{nothing} : \mathit{Void}, \{\}\\
&[\mathrm{true}]\ \Sigma, H \vdash \mathbf{true} : \mathit{Bool}, \{\}\qquad
[\mathrm{false}]\ \Sigma, H \vdash \mathbf{false} : \mathit{Bool}, \{\}\\
&[\mathrm{ident}]\ \Sigma, H \vdash I : H(I), \{H(I)\}\quad \text{if } I \in \mathrm{dom}(H)\\[1ex]
&[\mathrm{call}]\ \frac{\Sigma, H \vdash E^* : S^*, r^*\qquad \mathit{ResType}(I, S^*) = T\qquad \mathit{RetAlias}(I, S^*)(r^*) = r}{\Sigma, H \vdash I(E^*) : T, r}\\[1ex]
&[\mathrm{decl}]\ \Sigma, H \vdash I : T \Rightarrow H[I \mapsto T]\\[1ex]
&[\mathrm{decl\ list}]\ \frac{\Sigma, H \vdash D_1 \Rightarrow H_1\qquad \Sigma, H_1 \vdash D_2 \Rightarrow H_2}{\Sigma, H \vdash D_1; D_2 \Rightarrow H_2}\\[1ex]
&[\mathrm{ExpCom}]\ \frac{\Sigma, H \vdash E : S, r}{\Sigma, H \vdash_p E}\\[1ex]
&[\mathrm{assign}]\ \frac{\Sigma, H \vdash E : S, r\qquad H(I) = T\qquad S \le T\qquad r \subseteq \{T\}}{\Sigma, H \vdash_p I := E}\\[1ex]
&[\mathrm{Cond}]\ \frac{\Sigma, H \vdash_p C_1\qquad \Sigma, H \vdash E : \mathit{Bool}, r\qquad \Sigma, H \vdash_p C_2}{\Sigma, H \vdash_p \mathbf{if}\ E\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2\ \mathbf{fi}}\\[1ex]
&[\mathrm{Seq}]\ \frac{\Sigma, H \vdash_p C_1\qquad \Sigma, H \vdash_p C_2}{\Sigma, H \vdash_p C_1; C_2}\\[1ex]
&[\mathrm{Main}]\ \frac{\Sigma, \{\} \vdash D_1 \Rightarrow H_1\qquad \Sigma, H_1 \vdash_p C_1\qquad \Sigma, H_1 \vdash D_2 \Rightarrow H_2\qquad \mathit{checkVisible}(D_2)\qquad \Sigma, H_2 \vdash_p C_2}{\Sigma \vdash_p \mathbf{main\ observe}\ D_1\ C_1\ \mathbf{by}\ D_2\ C_2}
\end{aligned}
$$

Fig. Type and alias checking rules for the main procedure part of INST.

Lemma. Let $M$ be a main procedure of INST. Let $A$ be a $\Sigma$-algebra. If $A$ preserves alias legality and $(H, s, f) = \mathcal{M}[\![M]\!]\ \Sigma\ A$, then $\Sigma \vdash_p M$ implies $\mathit{stAliasOk}(H, A, s)$.
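The main-procedure rules of Fig. can be run as a small static checker. The following is an added example and not the paper's own formalization: each expression is given a static type and an alias typeset r, and [assign] rejects a binding whose result may already be aliased at a type other than the variable's own. The signature entries follow Fig. ; the reading of the [assign] premise on r as r being a subset of {T}, the tuple encoding of the syntax and the signature entry for mkMutableBSeq are assumptions.

```python
"""Added example (not the paper's own formalization): a static alias checker
for the main procedure of INST following the rules of Fig. 7. Each expression
is given a static type and an alias typeset r, an upper bound on the static
types of variables that may be directly aliased to its result. Assumptions:
the [assign] premise on r is read as "r is a subset of {T}"; the AST is a
tuple encoding; mkMutableBSeq gets the signature its use in Fig. 3 implies."""
from typing import Dict, List, Set, Tuple

# Subtype relation and signature from Fig. 4 (reflexive pairs handled by le()).
SUBTYPES = {("MutableBSeq", "BoolSeq"), ("MutableBSeq", "StoreBool")}
RES_TYPE = {
    ("mkMutableBSeq", ()): "MutableBSeq",
    ("fetch", ("BoolSeq", "Int")): "Bool",
    ("fetch", ("MutableBSeq", "Int")): "Bool",
    ("greater", ("MutableBSeq", "MutablePair")): "MutablePair",
}
# RetAlias: from the alias typesets of the actuals to that of the result.
# greater returns either its second argument or an instance variable of type
# MutablePair, hence arg2 union {MutablePair}; fetch returns a fresh Bool.
RET_ALIAS = {
    ("mkMutableBSeq", ()): lambda: set(),
    ("fetch", ("BoolSeq", "Int")): lambda a1, a2: set(),
    ("fetch", ("MutableBSeq", "Int")): lambda a1, a2: set(),
    ("greater", ("MutableBSeq", "MutablePair")): lambda a1, a2: a2 | {"MutablePair"},
}

TypeEnv = Dict[str, str]          # H: identifier -> static type
Expr = tuple                      # ("num", n) | ("var", I) | ("call", g, [Expr])


def le(s: str, t: str) -> bool:
    """The preorder on TYPES: S <= T."""
    return s == t or (s, t) in SUBTYPES


def check_expr(H: TypeEnv, e: Expr) -> Tuple[str, Set[str]]:
    """Sigma, H |- E : T, r   returned as the pair (T, r)."""
    if e[0] == "num":                       # [Num]: Int, {}
        return "Int", set()
    if e[0] == "var":                       # [ident]: H(I), {H(I)}
        return H[e[1]], {H[e[1]]}
    if e[0] == "call":                      # [call]: ResType and RetAlias on the actuals
        typed = [check_expr(H, a) for a in e[2]]
        key = (e[1], tuple(t for t, _ in typed))
        if key not in RES_TYPE:
            raise TypeError(f"no method {e[1]} for argument types {key[1]}")
        return RES_TYPE[key], RET_ALIAS[key](*(r for _, r in typed))
    raise ValueError(f"unknown expression {e!r}")


def check_assign(H: TypeEnv, I: str, e: Expr) -> List[str]:
    """[assign]: Sigma, H |- E : S, r;  H(I) = T;  S <= T;  r subset of {T}.
    Returns the violated premises (empty when the command is legal)."""
    S, r = check_expr(H, e)
    T = H[I]
    errors = []
    if not le(S, T):
        errors.append(f"{I} := ...: {S} is not a subtype of {T}")
    if not r <= {T}:
        errors.append(f"{I} := ...: result may already be aliased at type "
                      f"{sorted(r - {T})}, so binding it to a {T} variable is illegal")
    return errors


def check_main(H: TypeEnv, commands: List[Tuple[str, Expr]]) -> List[List[str]]:
    """Check a sequence of assignments I := E; one error list per command."""
    return [check_assign(H, I, e) for I, e in commands]


# Constructed main procedure: its declarations H_MAIN, then four assignments.
H_MAIN: TypeEnv = {"mb": "MutableBSeq", "bseq": "BoolSeq",
                   "p": "MutablePair", "q": "MutablePair"}
MAIN_COMMANDS = [
    ("mb", ("call", "mkMutableBSeq", [])),                      # fresh object, r = {}: accepted
    ("bseq", ("var", "mb")),                                    # type-correct, but mb and bseq would be
                                                                # directly aliased at distinct types: rejected
    ("bseq", ("call", "mkMutableBSeq", [])),                    # another fresh object: accepted
    ("q", ("call", "greater", [("var", "mb"), ("var", "p")])),  # r = {MutablePair}: accepted
]

if __name__ == "__main__":
    for (I, _), errs in zip(MAIN_COMMANDS, check_main(H_MAIN, MAIN_COMMANDS)):
        print(I, "ok" if not errs else errs)
```

The rejected command is exactly the case Section 3.2 rules out, direct aliasing between related but distinct types, even though MutableBSeq <= BoolSeq makes it type-correct.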



Weak Behavioral Subtyping

The intuitive idea of behavioral subtyping is that each object of a subtype should behave like some object of its supertypes. One might think that to express "behaves like" it would be enough to simply relate abstract values. However, this would not take locations, and hence aliasing, into consideration. One cannot relate just locations either, because the abstract values stored in locations also determine behavior. Relating locations along with the store does not account for aliasing between variables in the environment. So one must relate whole states. This idea is captured by the definition of simulation relations below.

Simulation Relations

The following formulation of simulation relations uses techniques from earlier work. The bindable property ensures that simulation is preserved by assignments. The substitution property says that simulation relationships between states are preserved by method calls. It is expressed by assigning a variable to the value returned by the operations in each algebra and then requiring that the resulting extended states be related. The coercion property is similar to the requirement that each object of a subtype should simulate some object of its supertypes. It ensures that each state simulates a state that does not use subtyping. The EXTERNALS identical property says that a simulation relation is the identity on values of visible types. This is used to compare the outputs of observations. The others are needed for technical reasons.

Definition (simulation relation). Let C and A be Σ-algebras. A simulation relation R from C to A is a family of binary relations on states ⟨R_H | H ∈ TENV⟩ such that R_H ⊆ STATE_C(H) × STATE_A(H) and, for each type environment H, each s_C ∈ STATE_C(H) and each s_A ∈ STATE_A(H), the following properties hold.

bindable: for each variable x, for each type T, and for each variable y such that H ⊢ y : T, if s_C R_H s_A and y denotes location l_C in s_C and location l_A in s_A, then the states obtained by binding x to l_C in s_C and x to l_A in s_A are related by R_{H, x:T}.

substitution: for each tuple of types S, for each type T, for each operation symbol g : S → T, for each tuple of variables y such that H ⊢ y : S, with values v_C in s_C and v_A in s_A, and for each variable x: if s_C R_H s_A, then, letting r_C = g_C(v_C) and r_A = g_A(v_A), the states obtained by binding x to a fresh location holding r_C in s_C and to a fresh location holding r_A in s_A are related by R_{H, x:T}.

coercion: there exists a nominal state s'_A ∈ STATE_A(H) such that s_C R_H s'_A.

EXTERNALS identical: for each type T ∈ VIS and for each variable x such that H ⊢ x : T, if s_C R_H s_A then externVal_C(s_C, x) = externVal_A(s_A, x).

shrinkable: if H' ⊆ H and s_C R_H s_A, then the restrictions of s_C and s_A to H' are H'-states and are related by R_{H'}.

bistrict: R_H relates the undefined state to itself, and whenever s_C R_H s_A and either s_C or s_A is undefined, then so is the other.

Simulation relations preserve aliasing. That is, if two variables x and y are aliased in a state s_C and if s_C R_H s_A, then x and y must be aliased in s_A. If this were not the case, then one could observe changes in x by using operations on y in s_C, while in s_A the same changes to y would not be observable through x. But this would violate the substitution property.

A careful reader might observe that the requirement that every state should be simulated by a nominal state in the coercion property eliminates certain kinds of direct aliasing. More precisely, it eliminates direct aliasing between variables of different types. The reason for this is the following. Suppose S is a presumed subtype of T, and consider a state in which x : T and y : S were directly aliased. Then to satisfy the coercion property such a state would have to be related to one where x and y both denoted objects of their own types, and thus could not be directly aliased. This motivates the alias restrictions we impose on INST.

Note that the identity relation on states is not a simulation. A simulation relation also needs to have the coercion property.

Example. There is a Σ-simulation relation from the algebra A of the figures above to itself. A relation R ⊆ STATE_A × STATE_A is defined such that R_H relates the undefined state to itself, and two H-states are related by R_H if and only if the following conditions hold:

the domains of the two states are equal;

for each type T and for each x : T in the domain, if v is the value of x in the first state and v' is the value of x in the second, then v' = c(v, S, T), where v ∈ VALS_S. The coercion function c is defined as follows:

c(v, S, S) = v

c(l, sortForMutableBSeq, sortForBoolSeq) = let v v = MutablePair l in v v v

c(l, sortForMutableBSeq, sortForStoreBool) = let v v = MutablePair l in v v v

Then R satisfies all the properties of a Σ-simulation relation.

However, there does not always exist a simulation relation from an algebra to itself. Consider an algebra B with the type DestructBSeq (a BoolSeq with a destructive update) as a presumed subtype of BoolSeq. Then there cannot be a simulation relation from B to itself, because the operation update violates the substitution property.

Weak Behavioral Subtypes

The following definition of a weak behavioral subtype relation characterizes when a specification of several ADTs has a subtype relation that is adequate for modular reasoning. Since we do not discuss the forms of type specifications, we use their denotations, which are sets of algebras that preserve alias legality.

Definition (weak behavioral subtyping). Let SPEC be a set of Σ-algebras such that each A in SPEC preserves alias legality. The presumed subtype relationship on the types of Σ is a weak behavioral subtype relation for SPEC if and only if for each B ∈ SPEC there is some A ∈ SPEC such that there is a simulation from B to A.

If we let SPEC take all the Σ-algebras isomorphic to A, then it is easy to see that the subtype relation of Σ is a weak behavioral subtype relation. Hence this definition allows types with immutable objects, such as BoolSeq, to have subtypes with mutable objects, such as MutableBSeq.

Because this definition permits B and A to be different algebras, it works for incomplete specifications (those with observably different models). Such incomplete specifications are important in practice, so that a subtype can be more completely specified than its supertypes. Unfortunately, space limitations do not allow us to give an example.

Not every presumed subtype relation is a weak behavioral subtype relation, because of the coercion and substitution properties of simulation relations. For example, there is no weak behavioral subtype relation such that DestructBSeq is a subtype of BoolSeq.

Weak Behavioral Subtyping means No Surprises

We now show that the definition of weak behavioral subtyping is adequate for modular reasoning with supertype abstraction. We do this in a model-theoretic fashion, by first defining the set of expected results of an observation, or rather of a function from algebras to observations. The expected results are results of observations on nominal states, that is, states that do not use subtyping.

Definition (expected results). Let SPEC be a set of algebras that preserve alias legality. Let H be a type environment. Let f be a function from algebras to H-observations. Then the set of expected results of f for SPEC is the union, over all A ∈ SPEC and all s_A ∈ STATE_A(H) such that s_A is nominal, of f(A)(s_A).

A result is surprising if it is not expected. Surprising results can occur if one uses a presumed subtype relation that does not satisfy the definition of weak behavioral subtyping and observes a state that is not nominal.

Theorem (no surprises). Let SPEC be a set of algebras that preserve alias legality. Let H be a type environment. Let f : ALG → OBS be such that there is some A ∈ SPEC and some main procedure M in INST such that H, s, f is the meaning of M in A (H s f = M[[M]](A)). Then for all C ∈ SPEC and for all s_C ∈ STATE_C(H), if the presumed subtype relation is a weak behavioral subtype relationship for SPEC, then f(C)(s_C) is an expected result for SPEC.

Proof Sketch. Because the presumed subtype relation is a weak behavioral subtype relation for SPEC, there is a C' ∈ SPEC and a simulation relation R from C to C'. Using structural induction, show that simulations are preserved by commands and declarations. Then the resulting states in the semantics of the main procedure are related by R in the observation part. So by the EXTERNALS identical property the resulting answer functions must give the same result for each variable, namely for those in the declarations D of the main procedure M.

The conclusion of the theorem does not hold if the presumed subtype relation is not a weak behavioral subtype relation. The observation and the presumed subtype relation between DestructBSeq and BoolSeq in the subsection above is an example of such a situation, where unexpected results are observed because our presumed subtype relation is not a weak behavioral subtype relation.

The above theorem validates our definition of weak behavioral subtyping. It also completes the tasks mentioned in the introduction.

Related Work

Our work on the model theory of behavioral subtyping is an extension of Leavens's earlier work. Simulation relations there relate only abstract values, and hence cannot see any mutations in the state. Leavens's and other model-theoretic approaches do not deal with mutation and aliasing.

In contrast to our model-theoretic approach, America and Liskov and Wing give proof-theoretic definitions of behavioral subtyping. America does not deal with extra mutators in subtypes. Liskov and Wing allow extra mutators, provided the extra mutators can be explained in terms of the supertype methods or do not violate any history constraints. This rules out the possibility of mutable subtypes of immutable types. We leave for future work a direct comparison between our definition and such proof-theoretic definitions, and formulating the model-theoretic equivalent of Liskov and Wing's definitions.

The subtype relationships between various collection types in Cook's hierarchy are weak behavioral subtypes in our sense. For immutable record types our definition matches Cardelli's rules. The type hierarchies discussed by Bruce and Wegner are weak behavioral subtypes.


Discussion

The most interesting weak behavioral subtypes are between mutable and immutable types. For example, a mutable type Array[Int] can be specified as a weak behavioral subtype of an immutable type Sequence[Int]. This allows, for example, a procedure that computes the sum of a Sequence[Int] to be applied to an Array[Int] object. Similarly, a mutable record type can be specified as a subtype of an immutable record type with fewer fields.

One can even have a hierarchy of weak behavioral subtypes with increasing degrees of mutability. As an example, a completely mutable array is a weak behavioral subtype of a partially mutable array, which in turn is a weak behavioral subtype of an immutable array.

Subtype objects can have more state than supertype objects. A Triple can be a weak behavioral subtype of Pair, with the only requirement that the degree of mutability of Triple should be at least equal to that of the Pair. That is, if the first component of the Pair can be mutated, then the first component of the Triple should also be mutable, but there is no constraint on the mutability of the other components of a Triple.

For weak behavioral subtyping to be adequate for supertype abstraction, one needs to prohibit direct aliases between objects of different types. We suggested a way to use multimethod dispatch to avoid part of the burden this places on expressiveness, by having the programmer define enough methods. The burden of our aliasing restrictions can be weakened still further by allowing direct aliasing between variables of immutable types. Finally, if a programming language supported both our notion of weak behavioral subtyping and Liskov and Wing's strong behavioral subtyping, direct aliasing could be allowed between strong behavioral subtypes.

We do, however, allow aliasing between objects of the same type and indirect aliasing between objects of different types. A MutableBSeq object is indirectly aliased to a MutablePair object in the mkMutableBSeq method in the figure above.
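As an added illustration (not code from the paper), the following Python sketch models the Array[Int] / Sequence[Int] situation and the alias restriction discussed above: a client written against the immutable Sequence is applied to a mutable Array by supertype abstraction, and a state in which a Sequence variable directly aliases an Array object yields a result no nominal state can produce. The class names, `sum_sequence`, `observe` and `illegal_direct_aliases` are assumptions made for this example.

```python
from typing import Dict, Iterable, List, Tuple


class Sequence:
    """Immutable Sequence[Int]: the supertype (constructed for this example)."""

    def __init__(self, items: Iterable[int]) -> None:
        self._items = tuple(items)

    def __len__(self) -> int:
        return len(self._items)

    def __getitem__(self, i: int) -> int:
        return self._items[i]


class Array(Sequence):
    """Mutable Array[Int], a weak behavioral subtype: adds the mutator update."""

    def __init__(self, items: Iterable[int]) -> None:
        self._items = list(items)

    def update(self, i: int, v: int) -> None:
        self._items[i] = v


def sum_sequence(seq: Sequence) -> int:
    """Client code reasoned about against Sequence only (supertype abstraction)."""
    return sum(seq[i] for i in range(len(seq)))


# A state maps each variable to its declared type and the object it denotes.
State = Dict[str, Tuple[type, object]]


def illegal_direct_aliases(state: State) -> List[Tuple[str, str]]:
    """Alias check in the spirit of the paper's restriction (hypothetical helper):
    report variable pairs of different declared types denoting the same object."""
    names = sorted(state)
    bad = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            (tx, ox), (ty, oy) = state[x], state[y]
            if ox is oy and tx is not ty:
                bad.append((x, y))
    return bad


def observe(state: State) -> Tuple[int, int]:
    """Observation: sum s, mutate a, sum s again. In a nominal state s is an
    immutable Sequence, so both sums must agree: that is the expected result."""
    s, a = state["s"][1], state["a"][1]
    before = sum_sequence(s)
    a.update(0, a[0] + 100)
    return before, sum_sequence(s)


def nominal_state() -> State:
    return {"s": (Sequence, Sequence([1, 2, 3])), "a": (Array, Array([1, 2, 3]))}


def aliased_state() -> State:
    arr = Array([1, 2, 3])  # s directly aliases a: the case the paper forbids
    return {"s": (Sequence, arr), "a": (Array, arr)}
```

In the aliased state `observe` returns a pair whose sums differ, which no nominal state can produce, and `illegal_direct_aliases` flags exactly the cross-type alias that makes it possible.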

Summary

The main contribution of our work is a new definition of subtyping for arbitrary deterministic abstract data types in the presence of mutation and aliasing. This definition is weaker than Liskov and Wing's definitions, because it allows types with immutable objects to have subtypes with mutable objects. This flexibility seems to be important in practice. The price to be paid, however, is that the language must restrict aliasing. We have given suitable aliasing restrictions, which disallow direct aliasing between identifiers of different types. We believe that such aliasing restrictions may actually be of some practical benefit, as they allow naive reasoning to be sound.


Acknowledgements

Thanks to Ian Maung for discussions about modular reasoning, and to Don Pigozzi, Barbara Liskov, Jeannette Wing and the participants at the Foundations of OO Languages workshop for discussions about our work on this topic. Thanks to John Mitchell for his suggestion that we should present more of the language, which helped clarify this work. Thanks also to Luca Cardelli and to the anonymous referees for their suggestions, which helped improve the paper.

References

Pierre America. Inheritance and subtyping in a parallel object-oriented language. In Jean Bezivin et al., editors, ECOOP: European Conference on Object-Oriented Programming, Paris, France. New York, NY, Springer-Verlag, Lecture Notes in Computer Science.

Pierre America. Designing an object-oriented programming language with behavioural subtyping. In J. W. de Bakker, W. P. de Roever, and G. Rozenberg, editors, Foundations of Object-Oriented Languages, REX School/Workshop, Noordwijkerhout, The Netherlands, Lecture Notes in Computer Science. Springer-Verlag, New York, NY.

Kim B. Bruce and Peter Wegner. An algebraic model of subtype and inheritance. In Francois Bancilhon and Peter Buneman, editors, Advances in Database Programming Languages. Addison-Wesley, Reading, Mass.

Luca Cardelli. Typeful programming. In E. J. Neuhold and M. Paul, editors, Formal Description of Programming Concepts, IFIP State-of-the-Art Reports. Springer-Verlag, New York, NY.

Craig Chambers. Object-oriented multi-methods in Cecil. In Ole Lehrmann Madsen, editor, ECOOP: European Conference on Object-Oriented Programming, Utrecht, The Netherlands, Lecture Notes in Computer Science. Springer-Verlag, New York, NY.

Craig Chambers and Gary T. Leavens. Typechecking and modules for multi-methods. ACM SIGPLAN Notices, October. OOPSLA Conference Proceedings, Portland, Oregon.

Jolly Chen. The Larch/Generic interface language. Technical report, Massachusetts Institute of Technology, EECS department, May. The author's Bachelor's thesis. Available at MIT (guttag@lcs.mit.edu).

W. R. Cook. Interfaces and specifications for the Smalltalk collection classes. ACM SIGPLAN Notices, October. OOPSLA Proceedings, Andreas Paepcke, editor.

Gary T. Leavens. Modular specification and verification of object-oriented programs. IEEE Software, July.

Gary T. Leavens and Krishna Kishore Dhara. Blended algebraic and denotational semantics for ADT languages. Technical Report, Department of Computer Science, Iowa State University, Ames, Iowa, September. Submitted for publication. Available by anonymous ftp from ftp.cs.iastate.edu and by e-mail from almanac@cs.iastate.edu.

Gary T. Leavens and Don Pigozzi. Typed homomorphic relations extended with subtypes. Technical Report, Department of Computer Science, Iowa State University, Ames, Iowa, June. Appears in the proceedings of Mathematical Foundations of Programming Semantics, Springer-Verlag, Lecture Notes in Computer Science.

Gary T. Leavens and Don Pigozzi. Typed homomorphic relations extended with subtypes. In Stephen Brookes, editor, Mathematical Foundations of Programming Semantics, Lecture Notes in Computer Science. Springer-Verlag, New York, NY.

Gary T. Leavens and Don Pigozzi. The behavior-realization adjunction and generalized homomorphic relations. Technical Report, Department of Computer Science, Iowa State University, Ames, Iowa, September. Submitted for publication.

Gary T. Leavens and William E. Weihl. Reasoning about object-oriented programs that use subtypes (extended abstract). ACM SIGPLAN Notices, October. OOPSLA/ECOOP Proceedings, N. Meyrowitz, editor.

Gary T. Leavens and William E. Weihl. Subtyping, modular specification, and modular verification for applicative object-oriented programs. Technical Report, Department of Computer Science, Iowa State University, Ames, Iowa, August. Full version of a paper to appear in Acta Informatica. Available by anonymous ftp from ftp.cs.iastate.edu and by e-mail from almanac@cs.iastate.edu.

Gary Todd Leavens. Verifying object-oriented programs that use subtypes. Technical Report, Massachusetts Institute of Technology, Laboratory for Computer Science, February. The author's Ph.D. thesis.

Barbara Liskov and Jeannette Wing. A behavioral notion of subtyping. ACM Transactions on Programming Languages and Systems, November.

Barbara Liskov and Jeannette M. Wing. Specifications and their use in defining subtypes. ACM SIGPLAN Notices, October. OOPSLA Proceedings, Andreas Paepcke, editor.

John C. Reynolds. Using category theory to design implicit conversions and generic operators. In Neil D. Jones, editor, Semantics-Directed Compiler Generation, Proceedings of a Workshop, Aarhus, Denmark, Lecture Notes in Computer Science. Springer-Verlag, January.

Jeannette Marie Wing. A two-tiered approach to specifying programs. Technical Report TR, Massachusetts Institute of Technology, Laboratory for Computer Science.