Exploiting Abstractions for Specification Reuse Java/C# Case Study Egon Börger in cooperation with R. Stärk, V. Gervasi, G. Fruja Dipartimento di Informatica, Universita di Pisa

© Egon Börger: Using Abstraction for Reuse 2 Supporting Good System Design Principles Key Strategy: Separation of Different Concerns –Separating orthogonal design decisions to keep design space open (specify-for-change (Parnas), avoiding premature design decisions) to structure design space (rigorous interfaces for system (de)composition ) –Separating design from analysis –Separating within analysis validation (by simulation) from verification Separating levels (degrees of detail) of verification –By reasoning for human inspection (design justification) –By rule based reasoning systems »interactive systems »automatic tools: model checkers, automatic theorem provers Key Method: Refinements for crossing system levels (Dahl, Dijkstra, Hoare, Wirth)

© Egon Börger: Using Abstraction for Reuse 3 Examples of ASM Design &Verification Hierarchies Compiler verification established piecemeal ISO Prolog to WAM : 12 refinement steps, KIV verifiedProlog to WAM backtracking, structure of predicates, structure of clauses, structure of terms & substitution, optimizations SCP 95 Occam to Transputer Occam to Transputer Comp.J modeling steps exhibiting channels, sequentialization of par procs, pgm ctrl structure, env, transputer datapath and workspace, relocatable code (relative instr addresses & resolving labels) Java to JVM Java to JVM : language & security driven decomposition 5 sublanguages (imperative, modules, oo, exceptions, concurrency) 4 JVM levels for trustful execution, checking defensively at run time and diligently at compile time, loading Jbook 2001 Control Systems, Architectures, Protocols,…AsmBook 2003

© Egon Börger: Using Abstraction for Reuse 4 Reuse of ASM Specifications and Verifications Reuse of submachines (layered components) lemmas FAC 96 OUP 95 CLP(R)IBM-CLAM PROLOG WAM SCP 95 PROTOS-LIBM-PAM Facilitated by extensional character of involved lgs/machines

© Egon Börger: Using Abstraction for Reuse 5 Java/C# semantics by instantiating an abstract interpreter Instantiating components (macros) and refining static analysis C# Interpreter Language Interpreter MSIL Interpreter by additions and changing instantiations Common Features JAVA Interpreter JVM Interpreter Jbook 2001 Instantiations from common abstraction support precise evaluation of differences

© Egon Börger: Using Abstraction for Reuse 6 Instantiating Hierarchical Language Layers supporting modular definitions C# I C# C C# T C# E C# O Java I Java C Java E Java T Java O imperative static class features (procedures) exception handling concurrent threads oo features Adding components C# D, C# U for Delegate and Unsafe layers Adding new features Adapting instantiations Common features

© Egon Börger: Using Abstraction for Reuse 7 Language driven decomposition of Java/C# execC# = execC# I imperative control constructs execC# C static class features (modules) execC# O oo features execC# E exception handling execC# T concurrent threads execC# D delegates & events execC# U unsafe code Abstraction Principle (used for Java and C# models) : grouping similar instructions into one parameterized abstract instruction

© Egon Börger: Using Abstraction for Reuse 8 Decomposition of layered submachines At each language layer L (in both Java and C#) split for exp and stm: execC# L = execC#Exp L expression evaluation execC#Stm L statement execution Submachines permit instructionwise definition of language semantics, containing identical rules for common languages constructs (mostly in I, C, O, E) similar rules with different functs & differently instantiated macros captured by variations (mostly refinements) of state components (e.g. Value domain, type structure, etc.) rules (e.g. YIELD macro, mem related macros, etc.) new rules for additional language constructs goto (makes abruption rules more complicated) call by reference (triggers introduction of addresses and mem function) typeof, as throw without arguments (triggers introduction of exc stack)

© Egon Börger: Using Abstraction for Reuse 9 Separation of Statics and Dynamics supporting modular definition of semantic features Supported by classification of ASM functions –static or dynamic (controlled, monitored, shared, output) –basic or derived rules capture the system dynamics and define the controlled and partly the shared functions auxiliary functions can be given purely functional or axiomatic (or whatever other form of satisfactory) definitions Static semantics of C# extends that of Java due to –different type structure (dichotomy of ref/val types, struct types) with (un)boxing and user-defined type conversion triggers refinement of YIELD and memory content related macros –call-by-reference with ref/out params triggers addresses and introduction of mem content function –extensive operator overloading

© Egon Börger: Using Abstraction for Reuse 10 Java/C#: Similarities and Differences hierarchical layers –I, C, O, E, T separation of statics/dynamics common or similar constructs –captured in the models by variations (mostly refinements) of state components rules (in particular macros) new language layers –delegates and events –unsafe code (pointers) type structure –val/ref dichotomy (compiler allocates mem to val type var upon decl) with (un)boxing for conversion bw the two –struct types (efficient “classes” like val types) new instructions There is a great variety of more technical than conceptual differences listed below

© Egon Börger: Using Abstraction for Reuse 11 Java/C#: Technical Differences pragmatically motivated constructs –reducible to core model by syntactical translataions properties indexers events attributes interoperability features (not treated in the model) –for linking to COM, DLL libraries, other CCI languages operator overloading (un)checked blocks (for C# overflow control) private/non-private meths (1) scope definitions (e.g. for labels) place of initializations (3) abr stm constraints (simplify C# abr rules) excs in static constructors (2) stack trace of excs (4) “instance of” vs “is” –additional clause for val types (1) In Java priv meths use InvokeSpecial (=InvokeNonVirtual), non-private meths are by default Virtual (late binding). In C# the latter have to be marked by modifier virtual or override, othw they are called directly (early binding) (2) In Java class becomes Unusable, in C# the old exc object is rethrown (3) In Java before and in C# after the evaluation of arguments (4) In Java set when exc obj is created/initialized, in C# when it is thrown

© Egon Börger: Using Abstraction for Reuse 12 References R. Stärk, J. Schmid, E. Börger : Java and the Java Virtual Machine. Definition, Verification, Validation. Springer- Verlag, E. Börger, G. Fruja, V. Gervasi, R. Stärk : A High-Level Modular Definition of the Semantics of C# (TCS 2004) R. Stärk, E. Börger : An ASM specification of C# threads and the.NET memory model (Springer LNCS: Proc. ASM 2004) E. Börger, R. Stärk : Abstract State Machines. A Method for High-Level System Design and Analysis. Springer- Verlag,

© Egon Börger: Using Abstraction for Reuse 13 References E.Börger, D. Rosenzweig: Mathematical Definition of Full Prolog –Science of Computer Programming 24 (1995) E.Börger, R.F.Salamone: CLAM Specification for Provably Correct Compilation of CLP (R) Programs E.Börger (Ed.) Specification and Validation Methods. Oxford University Press, 1995, C. Beierle, E.Börger: Specification and correctness proof of a WAM extension with abstract type constraints. –Formal Aspects of Computing Vol. 8(4), 1996, C. Beierle, E.Börger: Refinement of a typed WAM extension by polymorphic order-sorted types. –Formal Aspects of Computing Vol. 8(5),1996, 539—564 E.Börger, I. Durdanovic: Correctness of Compiling Occam to Transputer Code. –The Computer Journal, Vol. 39, No.1, pp.52-92, 1996.