Modular Subclass Verification: Safely Creating Correct Subclasses Without Superclass Code Clyde Dwain Ruby TR #06-34 December 2006


Keywords: Downcalls, super-calls, subclass, semantic fragile subclassing problem, subclassing contract, code contract, specification inheritance, method refinement, alias control, specification of side effects, Java language, JML language.

2006 CR Categories: D.2.1 [Software Engineering] Requirements/Specifications: Languages, tools, JML; D.2.2 [Software Engineering] Design Tools and Techniques: Object-oriented design methods, software libraries; D.2.3 [Software Engineering] Coding Tools and Techniques: Object-oriented programming; D.2.4 [Software Engineering] Software/Program Verification: Class invariants, correctness proofs, formal methods, programming by contract, reliability, validation, tools, JML; D.2.7 [Software Engineering] Distribution, Maintenance, and Enhancement: Documentation, extensibility; D.2.10 [Software Engineering] Design: Methodologies, tools, JML; D.2.11 [Software Engineering] Software Architectures: Data abstraction, information hiding, languages, JML; D.2.13 [Software Engineering] Reusable Software: Reusable libraries; D.3.2 [Programming Languages] Language Classifications: Object-oriented languages; D.3.3 [Programming Languages] Language Constructs and Features: Classes and objects, frameworks, inheritance; F.3.1 [Logics and Meanings of Programs] Specifying and Verifying and Reasoning about Programs: Assertions, invariants, logics of programs, pre- and post-conditions, specification techniques.

Copyright © Clyde Dwain Ruby, 2006.
Department of Computer Science
226 Atanasoff Hall
Iowa State University
Ames, Iowa 50011-1041, USA

Modular subclass verification: Safely creating correct subclasses without superclass code

by Clyde Dwain Ruby

A dissertation submitted to the graduate faculty in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY

Major: Computer Science

Program of Study Committee:
  Gary T. Leavens, Major Professor
  Samik Basu
  Clifford Bergman
  Shashi K. Gadia
  Jonathan D. H. Smith

Iowa State University, Ames, Iowa, 2006
Copyright © Clyde Dwain Ruby, 2006. All rights reserved.

TABLE OF CONTENTS

ACKNOWLEDGEMENTS ... viii
ABSTRACT ... ix
CHAPTER 1: INTRODUCTION ... 1
  1.1 Background ... 1
  1.2 The Problem ... 1
  1.3 Specification of Method Behavior ... 3
    1.3.1 Public Specifications ... 3
  1.4 Specification of the Method Calling Structure ... 6
    1.4.1 Subclasses and Specification Inheritance ... 7
    1.4.2 Protected Specifications ... 9
    1.4.3 The Subclassing Contract ... 13
    1.4.4 Summary ... 13
  1.5 Protecting Internal Objects ... 15
  1.6 Approach, Contributions, and Assumptions ... 18
    1.6.1 Approach ... 18
    1.6.2 The Three Part Specification ... 20
    1.6.3 Class Library and Framework Implementation Guidelines ... 20
    1.6.4 Tool Support ... 21
    1.6.5 Notation and Terminology ... 21
    1.6.6 Assumptions ... 22
  1.7 Outline of Dissertation ... 24
CHAPTER 2: PREVENTING UNVERIFIABLE BEHAVIOR ... 26
  2.1 Introduction ... 26
  2.2 New Subclass Instance Variables ... 27
    2.2.1 Additional Side-Effects ... 28
      2.2.1.1 Data groups ... 28
      2.2.1.2 Data group dependencies ... 28
      2.2.1.3 Visibility requirements ... 29
      2.2.1.4 Nested data groups and indirect dependencies ... 32
      2.2.1.5 Additional side-effects ... 33
    2.2.2 The Additional Side-Effects Overriding Rule ... 34
      2.2.2.1 Abstract classes ... 36
      2.2.2.2 Subclass invariants ... 37
    2.2.3 The Additional Side-Effects Invalidation Rule ... 39
  2.3 Method Refinement ... 42
  2.4 Subclass Invariants ... 44
    2.4.1 The Invariant Invalidation Rule ... 44
    2.4.2 The Invariant Overriding Rule ... 46
    2.4.3 Explicit Parameter Objects ... 46
    2.4.4 Temporary Side-Effects ... 50
    2.4.5 Downcalls by Constructors ... 52
  2.5 Mutually Recursive Methods ... 54
  2.6 Private Variables and Methods ... 58
    2.6.1 Maintaining private superclass fields ... 58
      2.6.1.1 An alternative approach ... 60
      2.6.1.2 Summary ... 62
    2.6.2 Visibility of type invariants ... 63
    2.6.3 Private field accesses ... 64
    2.6.4 Private method calls ... 64
  2.7 Concrete Data Refinement ... 65
  2.8 Super-Calls ... 68
  2.9 Discussion ... 69
    2.9.1 Non-Refining Methods ... 69
    2.9.2 Unoverrideable Methods ... 72
    2.9.3 Unimplementable Subclasses ... 73
    2.9.4 Invalidation Rules Revisited ... 75
      2.9.4.1 The Additional Side-Effects Invalidation Rule revisited ... 75
      2.9.4.2 The constructor invalidation rules revisited ... 77
      2.9.4.3 Summary ... 78
    2.9.5 Package Visible Fields and Methods ... 78
    2.9.6 The Subclassing Contract as a Specification ... 79
      2.9.6.1 Properties of specifications ... 79
      2.9.6.2 The subclassing contract ... 80
    2.9.7 Summary ... 81
      2.9.7.1 Comparison with our previously published work ... 83
CHAPTER 3: PREVENTING UNEXPECTED SIDE-EFFECTS ... 84
  3.1 Introduction ... 84
  3.2 Terminology and Concepts ...
