Embed Size (px)
Citation preview
Research ArticleTesting Automation of Context-Oriented ProgramsUsing Separation Logic
Mohamed A El-Zawawy12
1College of Computer and Information Sciences Al ImamMohammad Ibn Saud Islamic University (IMSIU)Riyadh 11432 Saudi Arabia2Department of Mathematics Faculty of Science Cairo University Giza 12613 Egypt
Correspondence should be addressed to Mohamed A El-Zawawy maelzawawycuedueg
Received 12 July 2014 Accepted 2 December 2014 Published 29 December 2014
Academic Editor Baoding Liu
Copyright copy 2014 Mohamed A El-Zawawy This is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited
A new approach for programming that enables switching among contexts of commands during program execution is context-oriented programming (COP) This technique is more structured and modular than object-oriented and aspect-orientedprogramming and hence more flexible For context-oriented programming as implemented in COP languages such as ContextJlowastand ContextL this paper introduces accurate operational semantics The language model of this paper uses Java concepts and isequipped with layer techniques for activationdeactivation of layer contexts This paper also presents a logical system for COPprograms This logic is necessary for the automation of testing developing and validating of partial correctness specifications forCOP programs and is an extension of separation logic Amathematical soundness proof for the logical system against the proposedoperational semantics is presented in the paper
1 Introduction
To support and dynamically control the modularization ofcrosscutting concerns [1] a new programming style context-oriented programming (COP) [2] has appeared COP can bedefined as a programming approach that produces softwarethat is dynamically adaptable COP was invented to treatprogramming problems when the behavior of the requiredsoftware changes at runtime depending on the executionconditionsThis is not easily achieved by classical approachesof programming COP was established on languages likeSmalltalk [3] Java [4] and JavaScript [5] While the ideaof homogeneous crosscutting is to execute the same sourcecode at the join points of concerns the idea of heterogeneouscrosscutting concerns is to execute different source code atthe join points Heterogeneous crosscutting [1] is the type ofcrosscutting concerns adopted by COP Partial functions dec-larations adapting common functions to their new style areused in COP to implement these crosscuttingmethodologies
Main components of COP include (a) layers of variantfunctions for providing performance alterations and (b) a
tool for layer activationdeactavation A variant function isa function that can be executed after before and around thesame (variant) function included in another layer Hence alayer is a group of variant functions
Layer declarations are used to encapsulate partial func-tion declarations The semantics of classes and that of cross-cutting can be combined at the runtime COP [2] provides ablock statement defining a group of layers to enable runtimelayer composition Determined by the statement block anexecution scope is also provided by COP In this scopelayers are typically combined with the base system Anotherstatement enables stopping execution of specified layersThe keywords denoting these two statements are with andwithout statements [2] COP appears to be a very convenienttechnique for encapsulation of homogeneous crosscuttingconcerns as proved by many applications
However so far research did not provide appropriate logicto reason about context-oriented programs A main concernin COP is the treatment of layers activationsdeactivationsUsually the set of active layers changes from one programpoint to another Therefore the efficiency of any logic for
Hindawi Publishing CorporationApplied Computational Intelligence and So ComputingVolume 2014 Article ID 930186 8 pageshttpdxdoiorg1011552014930186
2 Applied Computational Intelligence and Soft Computing
COP strongly depends on using correct layers In spite ofthe concept of activatingdeactvating a layer is simple and itslogical treatment is a bit complex
To reason about resources Reynolds [6] and indepen-dently Samin and OrsquoHearn [7] presented new logic (sep-aration logic) This was based on Burstallrsquos early work Alogical operator (separation conjunction) enabling localizingoperation actions on shared resources is among themain con-tributions of separation logic Sound form of local reasoningwas reached by the separation conjunction which ensures theinvariance of resources not included in preconditions
To model the meanings of COP concepts this paperintroduces operational semantics Accurate meanings forbasics of COP languages are provided by the semanticsAxiomatic semantics for COP is the second contributionof this paper This semantics is an extension of separationlogic to establish and ensure partial correctness specificationsfor COP programs Rather than other logic separation logicseems most suitable for verifying COP This is so as theconcept of context changing is explicitly ldquotreatedrdquo by thespecial operators of separation logic One of the challengesin this paper is to expose this explicit relationship in the formof formal definitions and inference rules Judgments of theproposed logic have the form 119871 ⊨ 119875119878119876meaning that
(i) if layers of 119871 are active then executing 119878 in a statesatisfying 119875 is ensured not to abort
(ii) if layers of 119871 are active and the execution of 119878 in a statesatisfying 119875 ended at some state then this last statesatisfies 119876
Assertions 119875 and 119876 may reason about the programcontrol locations as well as upon the values of local and globalvariables A systemof axioms and inference rules constitutingthe proposed logic is introduced in the paperwhich presents apartial correctness specification for example COP-programas well Against the proposed operational semantics themathematical soundness of the logical system is shown in thispaper
Contributions of this paper are as follows
(1) new operational semantics to provide accurate mean-ings for COP concepts
(2) novel axiomatic semantics to construct and validatepartial correctness specifications for COP programs
The rest of the paper is organized as follows Section 2presents in detail the programming language J-COP and itsoperational semantics The assertion language axioms andinferences rules constituting the logical system are presentedin Section 3 which also presents the mathematical proof forthe correctness of the system and an example of its useRelated research is presented in Section 4
2 Programming Language andOperational Semantics
The syntax and semantics of the programming language(dubbed J-COP) used in this paper are presented in this
section Basic aspects of object-oriented programming likeinheritance and subtyping are modeled in J-COP whichfollows Java syntax for comparable structures Algorithm 1presents the syntax of J-COP
J-Cop is a rich model for COP The model includesbasic language constructs and is extendable directly overwell-studied Java features Although the model is expressiveenough to include more language features it is simple Inaddition to typical Java constructs the model allows layersactivationdeactivation overriding variant functions and atechnique for executing proceed and super
We let 119862 denote the typical member of the set of namesof classes C which is included in the set of types (Types) Inaddition to C Types includes function and reference typesThe typical element of Types is denoted by 120591 As it is commonin programming J-COPrsquos functions contain local variableswhose scopes are the same as their functions Also parametersfor functions are local variables which are denoted by LVarInstance variables model internal states of classes We let119868119881119886119903119862denote the set of instance variables of the class 119862 The
symbols 119900 and V denote typical elements of LVar and 119868119881119886119903119862
respectively Sequences of layers activationdeactivation con-stitute layer expressions (LayerExpr) with 119897119890 isin 119871119886119910119890119903119864119909119901119903FunNames and LayerNames denote the sets of function andlayer names respectively with 119891 isin 119865119906119899119873119886119898119890119904 and 119897 isin 119871119886119910119890119903119873119886119898119890119904
A class in J-COP includes function definitions and agroup of layers containing function definitions A function isdefined via a parameter a statement and an expression Theexpression models the returned value of the function A setof classes and a main function (marks the start of programexecution) are the components of a J-COP program
The operational semantics of J-COP presented in thissection is defined using state representations and a subtyperelation on classes If119862 inherits119863 by definition of119862 then119862 isa subclass of119863 (denoted by119862 ≪ 119863) and119863 is a superclass of119862The reflexive transitive closure of≪ is denoted by le States ofthe operational semantics are presented in Definition 1 whereA denotes an infinite set of memory addresses with 120572 isin AandZ is the set of integers
Definition 1 One has the following
(1) D = Z cupA(2) 119871119886119910119890119903
119862and119865119906119899
119862denote the sets of function and layer
names of 119862 respectively(3) Stacks = 119904 | 119904 LVarrarr
119901Z
(4) ObjCont = 119874119862| 119874119862 IVar
119862rarr Z 119862 isin C
(5) Heaps = ℎ | ℎ Ararr119901ObjCont
(6) 119878119905119886119905119890119904 = Stacks timesHeaps
The setD includesmodel values States of the operationalsemantics are pairs of a stack and a heap A special variable(called this) to point at the object being executed is includedin the set of local variables For each class 119862 we assumetwo functions 119865
119862and 119871
119862 The map 119865
119862determines for every
function119891 isin 119865119906119899119862its components (119901
119891 119878119891 119890119891) the parameter
variable of the function the function statement and the
Applied Computational Intelligence and Soft Computing 3
119890 isin AExpr = 119899 | 119900 | 119890 sdot V | 11989011198941199001199011198902| (119862)119890 | this
119887 isin BExpr = true | false | 11989011198881199001199011198902| 11988711198871199001199011198872
119897119890 isin LayerExpr = with 119897 | without 119897 | 120598 | 119897119890 119897119890119878 isin Stat = 119890
1sdot V = 119890
2| 1199001= 119897119890 119900
2sdot 119891(119890) | 119900
1= 1199002sdot 119891 (119890) |
119900 = 119904119906119901119890119903 sdot 119891(119890) | 1199001= proceed 119900
2sdot 119891(119890) |
119900 = new 119862 | 119878 119878 | if 119887 then 119878119905else 119878
119891|
while 119887 do 119878119905
funs isin Fun = 119891(119901)119878 return(119890) layer isin Lay = Layer 119897 fun
inhrt isin Inherits = 120598 | inherits 119862cls isin Class = class 119862 inhrt funlowast layerlowast
prog isin Prog = clslowast main() 119878
Algorithm 1 The programming language J-COP
[119862(119890)] (119904 ℎ) = 119906119899119889119890119891119894119899119890119889 if [119890](119904 ℎ) isin 119889119900119898(ℎ) ℎ([119890](119904 ℎ)) = 119874
119863 119886119899119889 119863 ≰ 119862
[119890] (119904 ℎ) otherwise
[119890 sdot V](119904 ℎ) = 119874119863(V) if ℎ([119890](119904 ℎ)) = 119874
119863119886119899119889 V isin 119889119900119898(119874
119863)
119906119899119889119890119891119894119899119890119889 otherwise
Algorithm 2 Semantics of J-COP expressions
returned expression of the function The map 119868119862determines
for every layer 119897 isin 119871119886119910119890119903119862the parts of the layerrsquos function
(119891 119901119891 119878119891 119890119891) We also assume a function SerLay(119871 119897119890 119891) =
1198711015840
= 1198971 119897119898 whose inputs are a set of layers a layer
expression and a function name SerLay adds (removes)layers activated (deactivated) by 119897119890 to (from) 119871 Then SerLayreturns the set of layers in 119871 containing definitions for 119891
The semantics of arithmetic and boolean expressions ofJ-COP is similar to the case of simple imperative languageThe cases of (119862)119890 and 119890 sdot V are shown in Algorithm 2 Somecomments on this algorithm are in order The expression 119890 sdot Vdenotes the variable V of the class referenced by 119890 In linewith common OOP concepts variables of 119862 and that of itsancestors are included in domain of 119868119881119886119903
119862 Therefore the
semantics of 119890 sdot V is defined only if V is a local variable ofthe class referenced by 119890 or any of the classrsquos ancestors Thesemantics of 119890 (in 119890sdotV) is supposed to be an address containinga class object The semantics of (119862)119890 is undefined if 119890 is theaddress of an object of a class119863 that is not a descendant of 119862
Algorithm 3 presents the semantics of J-COPrsquos state-ments The judgments of the semantics have the form 119871 ⊣
119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) meaning that executing 119878 in the state(119904 ℎ) results in the state (1199041015840 ℎ1015840) provided that 119871 is the set ofthe currently active layers Some comments on the rules areas follows The local variable V of the object pointed to by1198901is updated in the rule (=119904
119890) This amounts to modifying
the function 119874119862in the image of [119890
1](119904 ℎ) under ℎ With
input 119890 the rule (=119904119900sdot119891) provides semantics for running the
function 119891 of the object pointed to by 1199002 The semantics
of 119897119890 in 1199001= 119897119890 119900
2sdot 119891(119890) is to activatedeactivate certain
layers The rule (=119904119897sdot119900sdot119891
) provides operational semantics forthis statement This rule does the call SerLay(119871 119897119890 119891) to add
(remove) layers activated (deactivated) via 119897119890 to (from) 119871Thiscall then returns the subset of 119871 with definitions for 119891 Therule then executes the bodies of layer functions sequentiallyThe execution number 119894 builds on its previous execution byupdating 119900
1to the value [119890
119894minus1](119904119894 ℎ119894) The statement 119900 =
super sdot 119891(119890) running the function 119891 of an ancestor of thecurrent object is given semantics in the rule (sup119904) The ruleassumes a function super that finds the ancestor of the classpointed to by 119900
2such that this ancestor includes a definition
for119891 Semantics for 1199001= proceed 119900
2sdot119891(119890) is given in the rule
(pro119904) This statement runs all functions 119891 in active layers ofthe object referenced by 119900
2
3 Assertion Language and Logical System
Extended separation logic to cover context-oriented pro-grams is presented in this sectionThe section introduces theassertion language followed by the logical systemrsquos axiomsand inference rules Against the operational semantics pre-sented in the previous section this section also outlines aformal mathematical proof for the correctness of the logicalsystem Finally an example of a derivation for a partialcorrectness specification using the logical system is includedin this section as well
Boolean expressions classical connectives first orderquantifications and assertions specific to separation logic arethe components of separation logic assertions The followingversion of assertions is used in this section
(i) emp denotes an empty heap(ii) 119890 997891rarr 119862 denotes that the heap has a unique memory
cell whose address is 119890 and whose content is aninstance of the class 119862
4 Applied Computational Intelligence and Soft Computing
119874119862= ℎ ([119890
1] (119904 ℎ)) 119874
1015840
119862= 119874119862[V 997891rarr [119890
2] (119904 ℎ)]
119871 ⊣ 1198901sdot V = 119890
2 (119904 ℎ) rarr (119904 ℎ [[119890
1] (119904 ℎ) 997891rarr 119874
1015840
119862])(=119904
119890)
ℎ([1199002](119904 ℎ)) = 119874
119862119865119862(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119878119891 (119904[this 997891rarr 119904(119900
2) 119901119891997891rarr [119890](119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ 1199001= 1199002sdot 119891(119890) (119904 ℎ) rarr (11990410158401015840[119900
1997891rarr [119890119891](11990410158401015840 ℎ10158401015840)] ℎ10158401015840)
(=119904
119900sdot119891)
SerLay (119871 119897119890 119891) = 1198711015840 = 1198971 119897
119898
ℎ(119904(1199002)) = 119874
119862forall1 le 119894 le 119898 (119871
119862(119897119894) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 1198781 (119904[this 997891rarr 119904(119900
2) 1199011997891rarr [119890](119904 ℎ)] ℎ) rarr (119904
2 ℎ2)
forall119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr [119890119894minus1](119904119894 ℎ119894) this 997891rarr 119904
119894(1199002)
119901119894997891rarr [119890](119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
119871 ⊣ 1199001= 119897119890 119900
2sdot 119891(119890) (119904 ℎ) rarr (119904
119898+1[1199001997891rarr [119890119898](119904119898+1
ℎ119898+1
)] ℎ119898+1
)(=119904
119897sdot119900sdot119891)
ℎ(119904(this)) = 119874119862119862 ≪ 119864
super(119864 119891) = 119863 119865119863(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119878119891 (119904[119901
119891997891rarr [119890](119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ 119900 = super sdot 119891(119890) (119904 ℎ) rarr (11990410158401015840[119900 997891rarr [119890119891](11990410158401015840 ℎ10158401015840)] ℎ10158401015840)
(sup119904)
119886 isin A 119889119900119898(ℎ)
119871 ⊣ 119900 = new 119862 (119904 ℎ) rarr (119904[119900 997891rarr 119886] ℎ[119886 997891rarr 0])(new119904)
ℎ (119904 (1199002)) = 119874
119862
1198711015840
= 1198971 119897
119898 sube 119871 (forall1 le 119894 le 119898 (119871
119862(119897119894)) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 1198781 (1199041[this 997891rarr 119904 (119900
2) 1199011997891rarr [119890] (119904
1 ℎ1)] ℎ1) rarr (119904
2 ℎ2)
forall119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr [119890119894minus1] (119904119894 ℎ119894) this 997891rarr 119904 (119900
2) 119901119894997891rarr [119890] (119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
119871 ⊣ 1199001= proceed 119900
2sdot 119891(119890) (119904 ℎ) rarr (119904
119898+1[1199001997891rarr [119890119898] (119904119898+1
ℎ119898+1
)] ℎ119898+1
)(119901119904
)
([119887](119904 ℎ) = true and 119871 ⊣ 119878119905 (119904 ℎ) rarr (119904
1015840
ℎ1015840
))or
([119887](119904 ℎ) = false and 119871 ⊣ 119878119891 (119904 ℎ) rarr (119904
1015840
ℎ1015840
))
119871 ⊣ if 119887 then 119878119905else 119878
119891 (119904 ℎ) rarr (1199041015840 ℎ1015840)
(if119904)
[119887](119904 ℎ) = false119871 ⊣ while 119887 do 119878
119905 (119904 ℎ) rarr (119904 ℎ)
(whl1199041)
119871 ⊣ 1198781 (119904 ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ 1198782 (11990410158401015840
ℎ10158401015840
) rarr (1199041015840
ℎ1015840
)
119871 ⊣ 1198781 1198782 (119904 ℎ) rarr (1199041015840 ℎ1015840)
(sq119904)
[119887](119904 ℎ) = true119871 ⊣ 119878119905 (119904 ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ while 119887 do 119878119905 (11990410158401015840
ℎ10158401015840
) rarr (1199041015840
ℎ1015840
)
119871 ⊣ while 119887 do 119878119905 (119904 ℎ) rarr (1199041015840 ℎ1015840)
(whl1199042)
Algorithm 3 Inference rules of the operational semantics for J-COP constructs
(iii) this 997891rarr 119862 denotes a special case of the previousassertion where 119890 = this
(iv) 119875 lowast 119876 dubbed separating conjunction(v) 119875 minuslowast119876 dubbed separating implication(vi) ⊛
119894isin119868119875119894is a general form of separating conjunction
Algorithm 4 presents the specific definition of the lan-guage of assertions A group of states are modeled by everyassertion via a modeling relation ((119904 ℎ) ⊨ 119875) The semanticsof this relation is that the state (119904 ℎ) satisfies the assertion119875 Definition 2 formalizes the semantics of the modelingrelation
Definition 2 One has the following
(i) (119904 ℎ) ⊨ fine(1198901 119890
119899)defhArr for all 119894 ⟦119890
119894⟧(119904 ℎ) = abort
(ii) (119904 ℎ) ⊨ empdefhArr dom(ℎ) = 0
(iii) (119904 ℎ) ⊨ 119890 997891rarr 119862defhArr dom(ℎ) = ⟦119890⟧(119904 ℎ) and
ℎ(⟦119890⟧(119904 ℎ)) = 119874119862
(iv) (119904 ℎ) ⊨ 1198751lowast1198752
defhArr existℎ
1015840
ℎ10158401015840 ℎ1015840 ℎ10158401015840 ℎ = ℎ1015840 sdotℎ10158401015840 (119904 ℎ1015840) ⊨
1198751 and (119904 ℎ10158401015840) ⊨ 119875
2
(v) (119904 ℎ) ⊨ 1198751minuslowast1198752
defhArr for all ℎ1015840((ℎ1015840ℎ and (119904 ℎ
1015840
) ⊨ 1198751) rArr
(119904 ℎ sdot ℎ1015840
) ⊨ 1198752)
The fact that dom(ℎ1) cap dom(ℎ
2) = 0 is denoted by the
expression ℎ1 ℎ2 The union of heaps is denoted by ℎ
1sdot ℎ2
and is defined only if ℎ1 ℎ2
A judgment of the proposed logical system is of the form119871 ⊨ 119875119878119876 where 119875 and 119876 are the pre- and postconditionsrespectively The semantics of this judgment is that if layersof 119871 are active and 119878 is executed in a state satisfying 119875then the final state will satisfy 119876 Definition 3 formalizes the
Applied Computational Intelligence and Soft Computing 5
119890 isin AExpr = 119899 | 119900 | 119890 sdot V | 11989011198941199001199011198902| (119862)119890 | this
119887 isin BExpr = true | false | 11989011198881199001199011198902| 11988711198871199001199011198872
119875119876 119877 1198691 1198692isin Asset = 119887 | 119875 and 119876 | 119875 or 119876 | 119875 rArr 119876 | not119875 | forall119909 119875 |
exist 119909 119875 | fine(119890) | emp | 119890 997891rarr 119862 | 119875 lowast 119876 |
119875 minuslowast 119876 | ⊛119894isin119868119875119894
Algorithm 4 The assertion language
soundness concept of specifications produced by the logicalsystem Axioms and inference rules of the logical system areintroduced in Algorithm 5
We fix the abortion notion for Definition 3 A statement 119878is aborting at (119904 ℎ) (denoted by 119878 (119904 ℎ 119871) rarr abort) if (a) astate (1199041015840 ℎ1015840) such that 119878 (119904 ℎ) rarr (119904
1015840
ℎ1015840
) is not available and(b) 119878 is not stuck in an infinite loop
Definition 3 A specification 119871 ⊣ 119875119878119876 is sound if for each(119904 ℎ) such that (119904 ℎ) ⊨ 119875 the following is satisfied
(1) not(119871 ⊨ 119878 (119904 ℎ) rarr abort)
(2) if 119871 ⊨ 119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) then (1199041015840 ℎ1015840) ⊨ 119876
Some of the rules in Algorithm 5 are certainly notewor-thy In many rules like (=119897
119890) and (=
119897
119900sdot119891) the expressions of
relevant statements contribute to the preconditions of therules This has the advantage of ensuring that the meantmemory addresses are indeed allocated and hence evalua-tions of expressions do not abort The preconditions of (=119897
119890)
and (=119897
119900sdot119891) also ensure that appropriate variables reference
objects in heap The side-conditions of (=119897119900sdot119891) and (=
119897
119897sdot119900sdot119891)
consider that executing these statements involves executingcertain function bodies We let mod(119878 119871) denote the set oflocations modified by 119878 provided that layers of 119871 are activeThe symbol 119891V(119877) denotes the set of free variables of 119877 Therule (share119897) enables the composition of specifications havingdisjoint sets of activated layers if the preconditions of thespecifications describe disjoint regions of the heap The rule(frame119897) enables avoiding a frame of the heap119877 that does notaffect the statement This rule also ensures that 119877 is satisfiedby the postcondition
Soundness The soundness of the logical system is guaranteedby the following theorem
Theorem 4 Specifications 119871 ⊣ 119875119878119876 that resulted using thelogical system of Algorithm 5 are sound (Definition 3)
Proof Structure induction on axioms and inference rules ofAlgorithm 5 achieves the proof In the following basic casesare outlined
(i) The case of the rule (=119897119890) in this case
(a) 119878 = 1198901sdot V = 119890
2
(b) 119875 hArr 1198901997891rarr 119862 and fine(119890
1sdotV) and fine(119890
2) and 119876[119890
21198901sdot
V]
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 Hence119874119862= ℎ(⟦119890
1⟧(119904 ℎ)) and ⟦119890
2⟧(119904 ℎ) = abort Therefore
1198741015840
119862= 119874119862[V 997891rarr ⟦119890
2⟧(119904 ℎ)] is defined and so does
(119904 ℎ[⟦1198901⟧(119904 ℎ) 997891rarr 119874
1015840
119862]) Hence not(119871 ⊨ 119878 (119904 ℎ) rarr
abort) Now we suppose 119871 ⊨ 119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) Inthis case (1199041015840 ℎ1015840) = (119904 ℎ[⟦119890
1⟧(119904 ℎ) 997891rarr 119874
1015840
119862]) Therefore
(1199041015840
ℎ1015840
) ⊨ 119876 because (119904 ℎ) ⊨ 119876[11989021198901sdot V] This
completes the proof for this case(ii) The case of the rule (lowast=119897
119900sdot119891) in this case
(a) 119878 = 1199001= 1199002sdot 119891(119890)
(b) 119865119862(119891) = (119901
119891 119878119891 119890119891)
(c) 119871 ⊣ 119877[1199002this 119890119901
119891] 119878119891119876[1198901198911199001]
(d) 119871 ⊣ 119878119891 (119904[this 997891rarr 119904(119900
2) 119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr
(11990410158401015840
ℎ10158401015840
)(e) 119875 hArr 119900
2997891rarr 119862 and 119877 and fine(119890 119890
119891)
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦1199002⟧(119904 ℎ)) = 119874
119862 The condition fine(119890 119890
119891) implies
(119904[this 997891rarr 119904(1199002) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is definedTherefore (119904[this 997891rarr 119904(119900
2) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨
119877[1199002this 119890119901
119891] By induction hypothesis 119878
119891does not
abort at (119904[this 997891rarr 119904(1199002) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) andtherefore 119900
1= 1199002sdot 119891(119890) does not abort at (119904 ℎ) Now
we suppose that 1199001= 1199002sdot 119891(119890) (119904 ℎ) rarr (119904
1015840
ℎ1015840
) By(=119904
119900sdot119891) (1199041015840 ℎ1015840) = (119904
10158401015840
[1199001997891rarr ⟦119890
119891⟧(11990410158401015840
ℎ10158401015840
)] ℎ10158401015840
) Alsoby induction hypothesis (11990410158401015840 ℎ10158401015840) ⊨ 119876[119890
1198911199001] implying
(1199041015840
ℎ1015840
) ⊨ 119876 This completes the proof for this case(iii) The case of the rule (lowast=119897
119897sdot119900sdot119891) in this case
(a) 119878 = 1199001= 119897119890 119900
2sdot 119891(119890)
(b) SerLay(119871 119897119890 119891) = 1198711015840
= 1198971 119897119898 for all 1 le
119894 le 119898(119871119862(119897119894) = (119891 119901
119894 119878119894 119890119894))
(c) 1198711015840 ⊣ 1198781 (119904[this 997891rarr 119904(119900
2) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr
(1199042 ℎ2)
(d) for all 119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr ⟦119890119894minus1⟧(119904119894 ℎ119894)this
997891rarr 119904119894(1199002) 119901119894997891rarr ⟦119890⟧(119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
(e) 1198711015840 ⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
(f) for all 119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894]
119878119894119876119894[1198901198941199001]
(g) 119875 hArr 1199002997891rarr 119862 and 119877 and fine(119890 119890
1 119890
119898)
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦1199002⟧(119904 ℎ)) = 119874
119862 The condition fine(119890 119890
1 119890
119898)
implies (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is defined
Therefore (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨
119877[1199002this 119890119901
1] By induction hypothesis 119878
1does
not abort at (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ)
6 Applied Computational Intelligence and Soft Computing
119871 ⊣ 1198901997891rarr 119862 and fine (119890
1sdot V) and fine (119890
2) and 119876 [119890
21198901sdot V] 119890
1sdot V = 119890
2119876
(=119897
119890)
119865119862(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119877[1199002this 119890119901
119891] 119878119891119876[1198901198911199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 and fine(119890 119890
119891) 1199001= 1199002sdot 119891(119890) 119876
(=119897
119900sdot119891)
SerLay(119871 119897119890 119891) = 1198711015840 = 1198971 119897
119898
1198711015840
⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
forall119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894] 119878119894119876119894[1198901198941199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 and fine(119890 119890
1 119890
119898) 1199001= 119897119890 119900
2sdot 119891(119890) 119876
119898(=119897
119897sdot119900sdot119891)
super(119864 119891) = 119863 119865119863(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119877[119890119901119891] 119878119891119876[119890119891119900]
119871 ⊣ this 997891rarr 119862 and 119862 ≪ 119864 and 119877 and fine(119890 119890119891) 119900 = super sdot 119891(119890) 119876
(sup119897)
119871 ⊣ emp 119900 = new 119862 119900 997891rarr 119862(new119897)
1198711015840
= 1198971 119897
119898 sube 119871 (forall1 le 119894 le 119898 (119871
119862(119897119894)) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
forall119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894] 119878119894119876119894[1198901198941199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 119900
1= proceed 119900
2sdot 119891(119890) 119876
119898
(pro119897)
119871 ⊣ 119875 1198781119877
119871 ⊣ 119877 1198782119876
119871 ⊣ 119875 1198781 1198782119876
(Seq119897)
119871 ⊣ 119875 119878 119876
119871 ⊣ 1198751015840
119878 1198761015840
119871 ⊣ 119875 or 1198751015840 119878 119876 or 1198761015840(Disj119897)
119871 ⊣ 119875 and 119887 119878119905119876
119871 ⊣ 119875 and not(119887) 119878119891119876
119871 ⊣ 119875 if 119887 then 119878119905else 119878
119891119876
(if119897)
119871 ⊣ fine(119887) and 119875 119878119905fine(119887) and 119875
119871 ⊣ fine(119887) and 119875 while 119887 do 119878119905not(119887) and 119875
(while119897)
119871 ⊣ 119875 119878 119876
1198751015840
997904rArr 119875 119876 997904rArr 1198761015840
119871 ⊣ 1198751015840 119878 1198761015840(seq119897)
1198711⊣ 119875 119878 119876
1198712⊣ 1198751015840
119878 1198761015840
1198711cup 1198712⊣ 119875 and 1198751015840 119878 119876 and 1198761015840
(Conj119897)
1198711⊣ 119875 119878 119876
1198712⊣ 119877 119878 119877
1198711cap 1198712= 0
1198711cup 1198712⊣ 119875 lowast 119877 119878 119876 lowast 119877
(share119897)
119871 ⊣ 119875 119878 119876
119891V(119877) cap mod(119878 119871) = 0119871 ⊣ 119875 lowast 119877 119878 119876 lowast 119877
(frame119897)
119897 ⊣ 119875 119878 119876
119871 119897 ⊣ 1198691 119878 119869
2
119871 ⊣ 119875 and 1198691 119878 119876 or 119869
2(glob119897)
119871 ⊣ 119875 119878 119876
119909 notin 119891V(119878)119871 ⊣ exist119909 119875 119878 exist119909 119876
(Ex119897)
Algorithm 5 The inference rules of the proposed logical system
Now we suppose that 1198781 (119904 ℎ) rarr (119904
2 ℎ2) By induc-
tion hypothesis (1199042 ℎ2) ⊨ 119876[119890
11199001] implying (119904
2[1199001997891rarr
⟦1198901⟧(1199042 ℎ2) this 997891rarr 119904
2(1199002) 1199012997891rarr ⟦119890⟧(119904
2 ℎ2)] ℎ2) ⊨
1198761[1199002this 119890119901
2] Therefore by induction hypothesis
1198782does not abort at (119904
2[1199001997891rarr ⟦119890
1⟧(1199042 ℎ2) this 997891rarr
1199042(1199002) 1199012997891rarr ⟦119890⟧(119904
2 ℎ2)] ℎ2) Now we suppose that
1198782 (1199042[1199001997891rarr ⟦119890
1⟧(1199042 ℎ2) this 997891rarr 119904
2(1199002) 1199012997891rarr
⟦119890⟧(1199042 ℎ2)] ℎ2) rarr (119904
3 ℎ3) By induction hypoth-
esis (1199043 ℎ3) ⊨ 119876[119890
21199001] implying (119904
3[1199001
997891rarr
⟦1198902⟧(1199043 ℎ3) this 997891rarr 119904
3(1199002) 1199013997891rarr ⟦119890⟧(119904
3 ℎ3)] ℎ3) ⊨
1198762[1199002this 119890119901
3] Therefore by induction hypothesis
1198783does not abort at (119904
3[1199001997891rarr ⟦119890
2⟧(1199043 ℎ3) this 997891rarr
1199043(1199002) 1199013997891rarr ⟦119890⟧(119904
3 ℎ3)] ℎ3) Hence a simple induc-
tion on119898 completes the proof for this case
(iv) The case of the rule (sup119897) in this case
(a) 119878 = 119900 = super sdot 119891(119890)(b) super(119864 119891) = 119863(c) 119865119863(119891) = (119901
119891 119878119891 119890119891)
(d) 119871 ⊣ 119878119891 (119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)(e) 119871 ⊣ 119877[119890119901
119891] 119878119891119876[119890119891119900]
(f) 119875 hArr this 997891rarr 119862 and 119862 ≪ 119864 and 119877 and fine(119890 119890119891)
Applied Computational Intelligence and Soft Computing 7
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦this⟧(119904 ℎ)) = 119874
119862The condition fine(119890 119890
119891) implies
(119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is defined Therefore (119904[this 997891rarr
119904(1199002) 119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨ 119877[119890119901
119891] By induction
hypothesis 119878119891does not abort at (119904[119901
119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ)
and therefore 119900 = super sdot 119891(119890) does not abort at (119904 ℎ)Nowwe suppose that 119900
1= 1199002sdot119891(119890) (119904 ℎ) rarr (119904
1015840
ℎ1015840
)By (=119904
119900sdot119891) (1199041015840 ℎ1015840) = (119904
10158401015840
[119900 997891rarr ⟦119890119891⟧(11990410158401015840
ℎ10158401015840
)] ℎ10158401015840
) Alsoby induction hypothesis (11990410158401015840 ℎ10158401015840) ⊨ 119876[119890
119891119900] implying
(1199041015840
ℎ1015840
) ⊨ 119876 This completes the proof for this case
(v) The case of the rule (pro119897) it is similar to the case of(lowast=119897
119897sdot119900sdot119891)
4 Discussion
Related Work The most related logic to our work is that ofobject-oriented programs Specifically for Java a huge liter-ature on specification proof techniques for object-orientedlanguages exists For example for annotated Java programsin JML (Java modeling language) [8] presents calculus forweakest precondition An introduction to applications andtools of JML is presented in [9] Via annotating Java sourcefiles JML enables determining Java interfaces and classesConsidering abnormal termination resulting from failures ofJava programs [10] presents an extension to Hoare logic Fortheses failures transformational techniques do not work
Notably dynamically growing reference-structures areinvolved in object-oriented programs This results in thealiasing problem in OOP languages Much logic treatingaliasing does exist One of these techniques is presentedin [11] and reasons about linked lists which are treatedusing separation logic [6] Via including global stores inthe assertion language [12] presents Hoare logic for OOPlanguages However the use of this model for global storingis proved to be a potential cause of incompleteness Classesencapsulation in an OOP language equipped with subtypingand pointers is guaranteed by aliasing restrictions in [13]
The work in [14] is an example of logic achieving mod-ular verification for OOP and focusing on correspondingmethodology and object invariants Modular verificationof complex object structures was treated in [15] using aninvariant class Sound proof systems producing restrictedformal justifications for OOP languages were introducedin [16 17] Producing a complete logical system for OOPlanguages is a very complex problem due to complex featuresof OOP languages
Interestingly none of the techniques mentioned abovetreat context-oriented programs This adds to the value ofthe work presented in the current paper apparently there isno research to generalize separation logic to cover context-oriented programs
Operational semantics and type systems are presentedin [18 19] for checking and modeling context-orientedprograms The language model of [19] is structural and verysimilar to the model of the current paper The languagemodel of [18] is functional Type systems introduced in bothof these papers prevent execution of faculty functions by
proceed The operational semantics of the current paper ismuch simpler and powerful than semantics of [18 19]
Utilizing concepts of delegation based calculus [20]presents operational semantics for a COP language namely119888119895 For COP concepts as introduced in ContextJlowast and Con-textL [21] introduces syntax-based semantics Compared tothe work mentioned above a logical system that stops COPprogram from getting stuck is presented in the current paperTo model context-dependent behavior of COP programs theproposed logical system is based on general calculi
Future Work Extending the language model of the currentpaper to allow executing candidate functions of proceed onpriority bases is a direction for a future work Extending thelanguage to include layer inheritance and layer dependency isanother direction for future work Doing so allows one layerto assume the existence of another layer and allows expressingthe assumption that two layers are not active at the same time
Conflict of Interests
The author declares that there is no conflict of interestsregarding the publication of this paper
References
[1] G Kiczales J Lamping A Mendhekar et al ldquoAspect-orientedprogrammingrdquo in Proceedings of the European Conferenceon Object-Oriented Programming (ECOOP rsquo97) pp 220ndash242Jyvaskyla Finland June 1997
[2] RHirschfeld P Costanza andONierstrasz ldquoContext-orientedprogrammingrdquoThe Journal ofObject Technology vol 7 no 3 pp125ndash151 2008
[3] W Golubski and W-M Lippe ldquoA complete semantics forSMALLTALK-80rdquo Computer Languages vol 21 no 2 pp 67ndash79 1995
[4] M Campione K Walrath and A Huml The Java Tutorial AShort Course on the Basics Addison-Wesley Longman Publish-ing Boston Mass USA 3rd edition 2000
[5] D Flanagan JavaScriptmdashPocket Reference Activate Your WebPages OrsquoReilly 3rd edition 2012
[6] J C Reynolds ldquoSeparation logic a logic for sharedmutable datastructuresrdquo in Proceedings of the 17th Annual IEEE Symposiumon Logic in Computer Science (LICS rsquo02) pp 55ndash74 July 2002
[7] S S Samin and P W OrsquoHearn ldquoBI as an assertion languagefor mutable data structuresrdquo in Principles of ProgrammingLanguages C Hankin and D Schmidt Eds pp 14ndash26 ACM2001
[8] B Jacobs ldquoWeakest pre-condition reasoning for Java programswith JML annotationsrdquo Journal of Logic and Algebraic Program-ming vol 58 no 1-2 pp 61ndash88 2004
[9] L Burdy Y Cheon D R Cok et al ldquoAn overview of JML toolsand applicationsrdquo International Journal on Software Tools forTechnology Transfer vol 7 no 3 pp 212ndash232 2005
[10] M Huisman and B Jacobs ldquoJava program verification viaa hoare logic with abrupt terminationrdquo in FundamentalApproaches to Software Engineering T S E Maibaum Edvol 1783 of Lecture Notes in Computer Science pp 284ndash303Springer Berlin Germany 2000
8 Applied Computational Intelligence and Soft Computing
[11] J M Morris ldquoA general axiom of assignmentrdquo in TheoreticalFoundations of Programming Methodology pp 25ndash34 SpringerBerlin Germany 1982
[12] N Dershowitz Ed Verification Theory and Practice EssaysDedicated to ZoharManna on the Occasion of His 64th Birthdayvol 2772 of Lecture Notes in Computer Science Springer BerlinGermany 2003
[13] A Banerjee and D A Naumann ldquoOwnership confinementensures representation independence for object-oriented pro-gramsrdquo Journal of the ACM vol 52 no 6 pp 894ndash960 2005
[14] M Barnett B-Y E Chang R DeLine B Jacobs and K R MLeino ldquoBoogie a modular reusable verifier for object-orientedprogramsrdquo in Formal Methods for Components and Objects FS de Boer M M Bonsangue S Graf and W-P de RoeverEds vol 4111 of Lecture Notes in Computer Science pp 364ndash387Springer Berlin Germany 2006
[15] P Muller A Poetzsch-Heffter and G T Leavens ldquoModularinvariants for layered object structuresrdquo Science of ComputerProgramming vol 62 no 3 pp 253ndash286 2006
[16] D von Oheimb ldquoHoare logic for Java in Isabelleholrdquo Concur-rency Computation Practice and Experience vol 13 no 13 pp1173ndash1214 2001
[17] G Klein and T Nipkow ldquoA machine-checked model for a Java-like language virtual machine and compilerrdquo ACM Transac-tions on Programming Languages and Systems vol 28 no 4 pp619ndash695 2006
[18] R Hirschfeld A Igarashi and H Masuhara ldquoContextfj aminimal core calculus for context-oriented programmingrdquo inProceedings of the 10th International Workshop on Foundationsof Aspect-Oriented Languages (FOAL rsquo11) pp 19ndash23 ACMMarch 2011
[19] M A El-Zawawy and E A Aleisa ldquoA new model for context-oriented programsrdquo Life Science Journal vol 10 no 2 pp 2515ndash2523 2013
[20] H Schippers D Janssens M Haupt and R HirschfeldldquoDelegation-based semantics for modularizing crosscuttingconcernsrdquo inProceedings of the 23rdACMConference onObject-Oriented Programming Systems Languages and Applications(OOPSLA rsquo08) pp 525ndash542 Nashville Tenn USA October2008
[21] D Clarke and I Sergey ldquoA semantics for context-orientedprogramming with layersrdquo in Proceedings of the InternationalWorkshop on Context-Oriented Programming (COP rsquo09) ACMGenova Italy July 2009
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
2 Applied Computational Intelligence and Soft Computing
COP strongly depends on using correct layers In spite ofthe concept of activatingdeactvating a layer is simple and itslogical treatment is a bit complex
To reason about resources Reynolds [6] and indepen-dently Samin and OrsquoHearn [7] presented new logic (sep-aration logic) This was based on Burstallrsquos early work Alogical operator (separation conjunction) enabling localizingoperation actions on shared resources is among themain con-tributions of separation logic Sound form of local reasoningwas reached by the separation conjunction which ensures theinvariance of resources not included in preconditions
To model the meanings of COP concepts this paperintroduces operational semantics Accurate meanings forbasics of COP languages are provided by the semanticsAxiomatic semantics for COP is the second contributionof this paper This semantics is an extension of separationlogic to establish and ensure partial correctness specificationsfor COP programs Rather than other logic separation logicseems most suitable for verifying COP This is so as theconcept of context changing is explicitly ldquotreatedrdquo by thespecial operators of separation logic One of the challengesin this paper is to expose this explicit relationship in the formof formal definitions and inference rules Judgments of theproposed logic have the form 119871 ⊨ 119875119878119876meaning that
(i) if layers of 119871 are active then executing 119878 in a statesatisfying 119875 is ensured not to abort
(ii) if layers of 119871 are active and the execution of 119878 in a statesatisfying 119875 ended at some state then this last statesatisfies 119876
Assertions 119875 and 119876 may reason about the programcontrol locations as well as upon the values of local and globalvariables A systemof axioms and inference rules constitutingthe proposed logic is introduced in the paperwhich presents apartial correctness specification for example COP-programas well Against the proposed operational semantics themathematical soundness of the logical system is shown in thispaper
Contributions of this paper are as follows
(1) new operational semantics to provide accurate mean-ings for COP concepts
(2) novel axiomatic semantics to construct and validatepartial correctness specifications for COP programs
The rest of the paper is organized as follows Section 2presents in detail the programming language J-COP and itsoperational semantics The assertion language axioms andinferences rules constituting the logical system are presentedin Section 3 which also presents the mathematical proof forthe correctness of the system and an example of its useRelated research is presented in Section 4
2 Programming Language andOperational Semantics
The syntax and semantics of the programming language(dubbed J-COP) used in this paper are presented in this
section Basic aspects of object-oriented programming likeinheritance and subtyping are modeled in J-COP whichfollows Java syntax for comparable structures Algorithm 1presents the syntax of J-COP
J-Cop is a rich model for COP The model includesbasic language constructs and is extendable directly overwell-studied Java features Although the model is expressiveenough to include more language features it is simple Inaddition to typical Java constructs the model allows layersactivationdeactivation overriding variant functions and atechnique for executing proceed and super
We let 119862 denote the typical member of the set of namesof classes C which is included in the set of types (Types) Inaddition to C Types includes function and reference typesThe typical element of Types is denoted by 120591 As it is commonin programming J-COPrsquos functions contain local variableswhose scopes are the same as their functions Also parametersfor functions are local variables which are denoted by LVarInstance variables model internal states of classes We let119868119881119886119903119862denote the set of instance variables of the class 119862 The
symbols 119900 and V denote typical elements of LVar and 119868119881119886119903119862
respectively Sequences of layers activationdeactivation con-stitute layer expressions (LayerExpr) with 119897119890 isin 119871119886119910119890119903119864119909119901119903FunNames and LayerNames denote the sets of function andlayer names respectively with 119891 isin 119865119906119899119873119886119898119890119904 and 119897 isin 119871119886119910119890119903119873119886119898119890119904
A class in J-COP includes function definitions and agroup of layers containing function definitions A function isdefined via a parameter a statement and an expression Theexpression models the returned value of the function A setof classes and a main function (marks the start of programexecution) are the components of a J-COP program
The operational semantics of J-COP presented in thissection is defined using state representations and a subtyperelation on classes If119862 inherits119863 by definition of119862 then119862 isa subclass of119863 (denoted by119862 ≪ 119863) and119863 is a superclass of119862The reflexive transitive closure of≪ is denoted by le States ofthe operational semantics are presented in Definition 1 whereA denotes an infinite set of memory addresses with 120572 isin AandZ is the set of integers
Definition 1 One has the following
(1) D = Z cupA(2) 119871119886119910119890119903
119862and119865119906119899
119862denote the sets of function and layer
names of 119862 respectively(3) Stacks = 119904 | 119904 LVarrarr
119901Z
(4) ObjCont = 119874119862| 119874119862 IVar
119862rarr Z 119862 isin C
(5) Heaps = ℎ | ℎ Ararr119901ObjCont
(6) 119878119905119886119905119890119904 = Stacks timesHeaps
The setD includesmodel values States of the operationalsemantics are pairs of a stack and a heap A special variable(called this) to point at the object being executed is includedin the set of local variables For each class 119862 we assumetwo functions 119865
119862and 119871
119862 The map 119865
119862determines for every
function119891 isin 119865119906119899119862its components (119901
119891 119878119891 119890119891) the parameter
variable of the function the function statement and the
Applied Computational Intelligence and Soft Computing 3
119890 isin AExpr = 119899 | 119900 | 119890 sdot V | 11989011198941199001199011198902| (119862)119890 | this
119887 isin BExpr = true | false | 11989011198881199001199011198902| 11988711198871199001199011198872
119897119890 isin LayerExpr = with 119897 | without 119897 | 120598 | 119897119890 119897119890119878 isin Stat = 119890
1sdot V = 119890
2| 1199001= 119897119890 119900
2sdot 119891(119890) | 119900
1= 1199002sdot 119891 (119890) |
119900 = 119904119906119901119890119903 sdot 119891(119890) | 1199001= proceed 119900
2sdot 119891(119890) |
119900 = new 119862 | 119878 119878 | if 119887 then 119878119905else 119878
119891|
while 119887 do 119878119905
funs isin Fun = 119891(119901)119878 return(119890) layer isin Lay = Layer 119897 fun
inhrt isin Inherits = 120598 | inherits 119862cls isin Class = class 119862 inhrt funlowast layerlowast
prog isin Prog = clslowast main() 119878
Algorithm 1 The programming language J-COP
[119862(119890)] (119904 ℎ) = 119906119899119889119890119891119894119899119890119889 if [119890](119904 ℎ) isin 119889119900119898(ℎ) ℎ([119890](119904 ℎ)) = 119874
119863 119886119899119889 119863 ≰ 119862
[119890] (119904 ℎ) otherwise
[119890 sdot V](119904 ℎ) = 119874119863(V) if ℎ([119890](119904 ℎ)) = 119874
119863119886119899119889 V isin 119889119900119898(119874
119863)
119906119899119889119890119891119894119899119890119889 otherwise
Algorithm 2 Semantics of J-COP expressions
returned expression of the function The map 119868119862determines
for every layer 119897 isin 119871119886119910119890119903119862the parts of the layerrsquos function
(119891 119901119891 119878119891 119890119891) We also assume a function SerLay(119871 119897119890 119891) =
1198711015840
= 1198971 119897119898 whose inputs are a set of layers a layer
expression and a function name SerLay adds (removes)layers activated (deactivated) by 119897119890 to (from) 119871 Then SerLayreturns the set of layers in 119871 containing definitions for 119891
The semantics of arithmetic and boolean expressions ofJ-COP is similar to the case of simple imperative languageThe cases of (119862)119890 and 119890 sdot V are shown in Algorithm 2 Somecomments on this algorithm are in order The expression 119890 sdot Vdenotes the variable V of the class referenced by 119890 In linewith common OOP concepts variables of 119862 and that of itsancestors are included in domain of 119868119881119886119903
119862 Therefore the
semantics of 119890 sdot V is defined only if V is a local variable ofthe class referenced by 119890 or any of the classrsquos ancestors Thesemantics of 119890 (in 119890sdotV) is supposed to be an address containinga class object The semantics of (119862)119890 is undefined if 119890 is theaddress of an object of a class119863 that is not a descendant of 119862
Algorithm 3 presents the semantics of J-COPrsquos state-ments The judgments of the semantics have the form 119871 ⊣
119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) meaning that executing 119878 in the state(119904 ℎ) results in the state (1199041015840 ℎ1015840) provided that 119871 is the set ofthe currently active layers Some comments on the rules areas follows The local variable V of the object pointed to by1198901is updated in the rule (=119904
119890) This amounts to modifying
the function 119874119862in the image of [119890
1](119904 ℎ) under ℎ With
input 119890 the rule (=119904119900sdot119891) provides semantics for running the
function 119891 of the object pointed to by 1199002 The semantics
of 119897119890 in 1199001= 119897119890 119900
2sdot 119891(119890) is to activatedeactivate certain
layers The rule (=119904119897sdot119900sdot119891
) provides operational semantics forthis statement This rule does the call SerLay(119871 119897119890 119891) to add
(remove) layers activated (deactivated) via 119897119890 to (from) 119871Thiscall then returns the subset of 119871 with definitions for 119891 Therule then executes the bodies of layer functions sequentiallyThe execution number 119894 builds on its previous execution byupdating 119900
1to the value [119890
119894minus1](119904119894 ℎ119894) The statement 119900 =
super sdot 119891(119890) running the function 119891 of an ancestor of thecurrent object is given semantics in the rule (sup119904) The ruleassumes a function super that finds the ancestor of the classpointed to by 119900
2such that this ancestor includes a definition
for119891 Semantics for 1199001= proceed 119900
2sdot119891(119890) is given in the rule
(pro119904) This statement runs all functions 119891 in active layers ofthe object referenced by 119900
2
3 Assertion Language and Logical System
Extended separation logic to cover context-oriented pro-grams is presented in this sectionThe section introduces theassertion language followed by the logical systemrsquos axiomsand inference rules Against the operational semantics pre-sented in the previous section this section also outlines aformal mathematical proof for the correctness of the logicalsystem Finally an example of a derivation for a partialcorrectness specification using the logical system is includedin this section as well
Boolean expressions classical connectives first orderquantifications and assertions specific to separation logic arethe components of separation logic assertions The followingversion of assertions is used in this section
(i) emp denotes an empty heap(ii) 119890 997891rarr 119862 denotes that the heap has a unique memory
cell whose address is 119890 and whose content is aninstance of the class 119862
4 Applied Computational Intelligence and Soft Computing
119874119862= ℎ ([119890
1] (119904 ℎ)) 119874
1015840
119862= 119874119862[V 997891rarr [119890
2] (119904 ℎ)]
119871 ⊣ 1198901sdot V = 119890
2 (119904 ℎ) rarr (119904 ℎ [[119890
1] (119904 ℎ) 997891rarr 119874
1015840
119862])(=119904
119890)
ℎ([1199002](119904 ℎ)) = 119874
119862119865119862(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119878119891 (119904[this 997891rarr 119904(119900
2) 119901119891997891rarr [119890](119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ 1199001= 1199002sdot 119891(119890) (119904 ℎ) rarr (11990410158401015840[119900
1997891rarr [119890119891](11990410158401015840 ℎ10158401015840)] ℎ10158401015840)
(=119904
119900sdot119891)
SerLay (119871 119897119890 119891) = 1198711015840 = 1198971 119897
119898
ℎ(119904(1199002)) = 119874
119862forall1 le 119894 le 119898 (119871
119862(119897119894) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 1198781 (119904[this 997891rarr 119904(119900
2) 1199011997891rarr [119890](119904 ℎ)] ℎ) rarr (119904
2 ℎ2)
forall119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr [119890119894minus1](119904119894 ℎ119894) this 997891rarr 119904
119894(1199002)
119901119894997891rarr [119890](119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
119871 ⊣ 1199001= 119897119890 119900
2sdot 119891(119890) (119904 ℎ) rarr (119904
119898+1[1199001997891rarr [119890119898](119904119898+1
ℎ119898+1
)] ℎ119898+1
)(=119904
119897sdot119900sdot119891)
ℎ(119904(this)) = 119874119862119862 ≪ 119864
super(119864 119891) = 119863 119865119863(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119878119891 (119904[119901
119891997891rarr [119890](119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ 119900 = super sdot 119891(119890) (119904 ℎ) rarr (11990410158401015840[119900 997891rarr [119890119891](11990410158401015840 ℎ10158401015840)] ℎ10158401015840)
(sup119904)
119886 isin A 119889119900119898(ℎ)
119871 ⊣ 119900 = new 119862 (119904 ℎ) rarr (119904[119900 997891rarr 119886] ℎ[119886 997891rarr 0])(new119904)
ℎ (119904 (1199002)) = 119874
119862
1198711015840
= 1198971 119897
119898 sube 119871 (forall1 le 119894 le 119898 (119871
119862(119897119894)) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 1198781 (1199041[this 997891rarr 119904 (119900
2) 1199011997891rarr [119890] (119904
1 ℎ1)] ℎ1) rarr (119904
2 ℎ2)
forall119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr [119890119894minus1] (119904119894 ℎ119894) this 997891rarr 119904 (119900
2) 119901119894997891rarr [119890] (119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
119871 ⊣ 1199001= proceed 119900
2sdot 119891(119890) (119904 ℎ) rarr (119904
119898+1[1199001997891rarr [119890119898] (119904119898+1
ℎ119898+1
)] ℎ119898+1
)(119901119904
)
([119887](119904 ℎ) = true and 119871 ⊣ 119878119905 (119904 ℎ) rarr (119904
1015840
ℎ1015840
))or
([119887](119904 ℎ) = false and 119871 ⊣ 119878119891 (119904 ℎ) rarr (119904
1015840
ℎ1015840
))
119871 ⊣ if 119887 then 119878119905else 119878
119891 (119904 ℎ) rarr (1199041015840 ℎ1015840)
(if119904)
[119887](119904 ℎ) = false119871 ⊣ while 119887 do 119878
119905 (119904 ℎ) rarr (119904 ℎ)
(whl1199041)
119871 ⊣ 1198781 (119904 ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ 1198782 (11990410158401015840
ℎ10158401015840
) rarr (1199041015840
ℎ1015840
)
119871 ⊣ 1198781 1198782 (119904 ℎ) rarr (1199041015840 ℎ1015840)
(sq119904)
[119887](119904 ℎ) = true119871 ⊣ 119878119905 (119904 ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ while 119887 do 119878119905 (11990410158401015840
ℎ10158401015840
) rarr (1199041015840
ℎ1015840
)
119871 ⊣ while 119887 do 119878119905 (119904 ℎ) rarr (1199041015840 ℎ1015840)
(whl1199042)
Algorithm 3 Inference rules of the operational semantics for J-COP constructs
(iii) this 997891rarr 119862 denotes a special case of the previousassertion where 119890 = this
(iv) 119875 lowast 119876 dubbed separating conjunction(v) 119875 minuslowast119876 dubbed separating implication(vi) ⊛
119894isin119868119875119894is a general form of separating conjunction
Algorithm 4 presents the specific definition of the lan-guage of assertions A group of states are modeled by everyassertion via a modeling relation ((119904 ℎ) ⊨ 119875) The semanticsof this relation is that the state (119904 ℎ) satisfies the assertion119875 Definition 2 formalizes the semantics of the modelingrelation
Definition 2 One has the following
(i) (119904 ℎ) ⊨ fine(1198901 119890
119899)defhArr for all 119894 ⟦119890
119894⟧(119904 ℎ) = abort
(ii) (119904 ℎ) ⊨ empdefhArr dom(ℎ) = 0
(iii) (119904 ℎ) ⊨ 119890 997891rarr 119862defhArr dom(ℎ) = ⟦119890⟧(119904 ℎ) and
ℎ(⟦119890⟧(119904 ℎ)) = 119874119862
(iv) (119904 ℎ) ⊨ 1198751lowast1198752
defhArr existℎ
1015840
ℎ10158401015840 ℎ1015840 ℎ10158401015840 ℎ = ℎ1015840 sdotℎ10158401015840 (119904 ℎ1015840) ⊨
1198751 and (119904 ℎ10158401015840) ⊨ 119875
2
(v) (119904 ℎ) ⊨ 1198751minuslowast1198752
defhArr for all ℎ1015840((ℎ1015840ℎ and (119904 ℎ
1015840
) ⊨ 1198751) rArr
(119904 ℎ sdot ℎ1015840
) ⊨ 1198752)
The fact that dom(ℎ1) cap dom(ℎ
2) = 0 is denoted by the
expression ℎ1 ℎ2 The union of heaps is denoted by ℎ
1sdot ℎ2
and is defined only if ℎ1 ℎ2
A judgment of the proposed logical system is of the form119871 ⊨ 119875119878119876 where 119875 and 119876 are the pre- and postconditionsrespectively The semantics of this judgment is that if layersof 119871 are active and 119878 is executed in a state satisfying 119875then the final state will satisfy 119876 Definition 3 formalizes the
Applied Computational Intelligence and Soft Computing 5
119890 isin AExpr = 119899 | 119900 | 119890 sdot V | 11989011198941199001199011198902| (119862)119890 | this
119887 isin BExpr = true | false | 11989011198881199001199011198902| 11988711198871199001199011198872
119875119876 119877 1198691 1198692isin Asset = 119887 | 119875 and 119876 | 119875 or 119876 | 119875 rArr 119876 | not119875 | forall119909 119875 |
exist 119909 119875 | fine(119890) | emp | 119890 997891rarr 119862 | 119875 lowast 119876 |
119875 minuslowast 119876 | ⊛119894isin119868119875119894
Algorithm 4 The assertion language
soundness concept of specifications produced by the logicalsystem Axioms and inference rules of the logical system areintroduced in Algorithm 5
We fix the abortion notion for Definition 3 A statement 119878is aborting at (119904 ℎ) (denoted by 119878 (119904 ℎ 119871) rarr abort) if (a) astate (1199041015840 ℎ1015840) such that 119878 (119904 ℎ) rarr (119904
1015840
ℎ1015840
) is not available and(b) 119878 is not stuck in an infinite loop
Definition 3 A specification 119871 ⊣ 119875119878119876 is sound if for each(119904 ℎ) such that (119904 ℎ) ⊨ 119875 the following is satisfied
(1) not(119871 ⊨ 119878 (119904 ℎ) rarr abort)
(2) if 119871 ⊨ 119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) then (1199041015840 ℎ1015840) ⊨ 119876
Some of the rules in Algorithm 5 are certainly notewor-thy In many rules like (=119897
119890) and (=
119897
119900sdot119891) the expressions of
relevant statements contribute to the preconditions of therules This has the advantage of ensuring that the meantmemory addresses are indeed allocated and hence evalua-tions of expressions do not abort The preconditions of (=119897
119890)
and (=119897
119900sdot119891) also ensure that appropriate variables reference
objects in heap The side-conditions of (=119897119900sdot119891) and (=
119897
119897sdot119900sdot119891)
consider that executing these statements involves executingcertain function bodies We let mod(119878 119871) denote the set oflocations modified by 119878 provided that layers of 119871 are activeThe symbol 119891V(119877) denotes the set of free variables of 119877 Therule (share119897) enables the composition of specifications havingdisjoint sets of activated layers if the preconditions of thespecifications describe disjoint regions of the heap The rule(frame119897) enables avoiding a frame of the heap119877 that does notaffect the statement This rule also ensures that 119877 is satisfiedby the postcondition
Soundness The soundness of the logical system is guaranteedby the following theorem
Theorem 4 Specifications 119871 ⊣ 119875119878119876 that resulted using thelogical system of Algorithm 5 are sound (Definition 3)
Proof Structure induction on axioms and inference rules ofAlgorithm 5 achieves the proof In the following basic casesare outlined
(i) The case of the rule (=119897119890) in this case
(a) 119878 = 1198901sdot V = 119890
2
(b) 119875 hArr 1198901997891rarr 119862 and fine(119890
1sdotV) and fine(119890
2) and 119876[119890
21198901sdot
V]
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 Hence119874119862= ℎ(⟦119890
1⟧(119904 ℎ)) and ⟦119890
2⟧(119904 ℎ) = abort Therefore
1198741015840
119862= 119874119862[V 997891rarr ⟦119890
2⟧(119904 ℎ)] is defined and so does
(119904 ℎ[⟦1198901⟧(119904 ℎ) 997891rarr 119874
1015840
119862]) Hence not(119871 ⊨ 119878 (119904 ℎ) rarr
abort) Now we suppose 119871 ⊨ 119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) Inthis case (1199041015840 ℎ1015840) = (119904 ℎ[⟦119890
1⟧(119904 ℎ) 997891rarr 119874
1015840
119862]) Therefore
(1199041015840
ℎ1015840
) ⊨ 119876 because (119904 ℎ) ⊨ 119876[11989021198901sdot V] This
completes the proof for this case(ii) The case of the rule (lowast=119897
119900sdot119891) in this case
(a) 119878 = 1199001= 1199002sdot 119891(119890)
(b) 119865119862(119891) = (119901
119891 119878119891 119890119891)
(c) 119871 ⊣ 119877[1199002this 119890119901
119891] 119878119891119876[1198901198911199001]
(d) 119871 ⊣ 119878119891 (119904[this 997891rarr 119904(119900
2) 119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr
(11990410158401015840
ℎ10158401015840
)(e) 119875 hArr 119900
2997891rarr 119862 and 119877 and fine(119890 119890
119891)
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦1199002⟧(119904 ℎ)) = 119874
119862 The condition fine(119890 119890
119891) implies
(119904[this 997891rarr 119904(1199002) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is definedTherefore (119904[this 997891rarr 119904(119900
2) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨
119877[1199002this 119890119901
119891] By induction hypothesis 119878
119891does not
abort at (119904[this 997891rarr 119904(1199002) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) andtherefore 119900
1= 1199002sdot 119891(119890) does not abort at (119904 ℎ) Now
we suppose that 1199001= 1199002sdot 119891(119890) (119904 ℎ) rarr (119904
1015840
ℎ1015840
) By(=119904
119900sdot119891) (1199041015840 ℎ1015840) = (119904
10158401015840
[1199001997891rarr ⟦119890
119891⟧(11990410158401015840
ℎ10158401015840
)] ℎ10158401015840
) Alsoby induction hypothesis (11990410158401015840 ℎ10158401015840) ⊨ 119876[119890
1198911199001] implying
(1199041015840
ℎ1015840
) ⊨ 119876 This completes the proof for this case(iii) The case of the rule (lowast=119897
119897sdot119900sdot119891) in this case
(a) 119878 = 1199001= 119897119890 119900
2sdot 119891(119890)
(b) SerLay(119871 119897119890 119891) = 1198711015840
= 1198971 119897119898 for all 1 le
119894 le 119898(119871119862(119897119894) = (119891 119901
119894 119878119894 119890119894))
(c) 1198711015840 ⊣ 1198781 (119904[this 997891rarr 119904(119900
2) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr
(1199042 ℎ2)
(d) for all 119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr ⟦119890119894minus1⟧(119904119894 ℎ119894)this
997891rarr 119904119894(1199002) 119901119894997891rarr ⟦119890⟧(119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
(e) 1198711015840 ⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
(f) for all 119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894]
119878119894119876119894[1198901198941199001]
(g) 119875 hArr 1199002997891rarr 119862 and 119877 and fine(119890 119890
1 119890
119898)
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦1199002⟧(119904 ℎ)) = 119874
119862 The condition fine(119890 119890
1 119890
119898)
implies (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is defined
Therefore (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨
119877[1199002this 119890119901
1] By induction hypothesis 119878
1does
not abort at (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ)
6 Applied Computational Intelligence and Soft Computing
119871 ⊣ 1198901997891rarr 119862 and fine (119890
1sdot V) and fine (119890
2) and 119876 [119890
21198901sdot V] 119890
1sdot V = 119890
2119876
(=119897
119890)
119865119862(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119877[1199002this 119890119901
119891] 119878119891119876[1198901198911199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 and fine(119890 119890
119891) 1199001= 1199002sdot 119891(119890) 119876
(=119897
119900sdot119891)
SerLay(119871 119897119890 119891) = 1198711015840 = 1198971 119897
119898
1198711015840
⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
forall119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894] 119878119894119876119894[1198901198941199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 and fine(119890 119890
1 119890
119898) 1199001= 119897119890 119900
2sdot 119891(119890) 119876
119898(=119897
119897sdot119900sdot119891)
super(119864 119891) = 119863 119865119863(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119877[119890119901119891] 119878119891119876[119890119891119900]
119871 ⊣ this 997891rarr 119862 and 119862 ≪ 119864 and 119877 and fine(119890 119890119891) 119900 = super sdot 119891(119890) 119876
(sup119897)
119871 ⊣ emp 119900 = new 119862 119900 997891rarr 119862(new119897)
1198711015840
= 1198971 119897
119898 sube 119871 (forall1 le 119894 le 119898 (119871
119862(119897119894)) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
forall119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894] 119878119894119876119894[1198901198941199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 119900
1= proceed 119900
2sdot 119891(119890) 119876
119898
(pro119897)
119871 ⊣ 119875 1198781119877
119871 ⊣ 119877 1198782119876
119871 ⊣ 119875 1198781 1198782119876
(Seq119897)
119871 ⊣ 119875 119878 119876
119871 ⊣ 1198751015840
119878 1198761015840
119871 ⊣ 119875 or 1198751015840 119878 119876 or 1198761015840(Disj119897)
119871 ⊣ 119875 and 119887 119878119905119876
119871 ⊣ 119875 and not(119887) 119878119891119876
119871 ⊣ 119875 if 119887 then 119878119905else 119878
119891119876
(if119897)
119871 ⊣ fine(119887) and 119875 119878119905fine(119887) and 119875
119871 ⊣ fine(119887) and 119875 while 119887 do 119878119905not(119887) and 119875
(while119897)
119871 ⊣ 119875 119878 119876
1198751015840
997904rArr 119875 119876 997904rArr 1198761015840
119871 ⊣ 1198751015840 119878 1198761015840(seq119897)
1198711⊣ 119875 119878 119876
1198712⊣ 1198751015840
119878 1198761015840
1198711cup 1198712⊣ 119875 and 1198751015840 119878 119876 and 1198761015840
(Conj119897)
1198711⊣ 119875 119878 119876
1198712⊣ 119877 119878 119877
1198711cap 1198712= 0
1198711cup 1198712⊣ 119875 lowast 119877 119878 119876 lowast 119877
(share119897)
119871 ⊣ 119875 119878 119876
119891V(119877) cap mod(119878 119871) = 0119871 ⊣ 119875 lowast 119877 119878 119876 lowast 119877
(frame119897)
119897 ⊣ 119875 119878 119876
119871 119897 ⊣ 1198691 119878 119869
2
119871 ⊣ 119875 and 1198691 119878 119876 or 119869
2(glob119897)
119871 ⊣ 119875 119878 119876
119909 notin 119891V(119878)119871 ⊣ exist119909 119875 119878 exist119909 119876
(Ex119897)
Algorithm 5 The inference rules of the proposed logical system
Now we suppose that 1198781 (119904 ℎ) rarr (119904
2 ℎ2) By induc-
tion hypothesis (1199042 ℎ2) ⊨ 119876[119890
11199001] implying (119904
2[1199001997891rarr
⟦1198901⟧(1199042 ℎ2) this 997891rarr 119904
2(1199002) 1199012997891rarr ⟦119890⟧(119904
2 ℎ2)] ℎ2) ⊨
1198761[1199002this 119890119901
2] Therefore by induction hypothesis
1198782does not abort at (119904
2[1199001997891rarr ⟦119890
1⟧(1199042 ℎ2) this 997891rarr
1199042(1199002) 1199012997891rarr ⟦119890⟧(119904
2 ℎ2)] ℎ2) Now we suppose that
1198782 (1199042[1199001997891rarr ⟦119890
1⟧(1199042 ℎ2) this 997891rarr 119904
2(1199002) 1199012997891rarr
⟦119890⟧(1199042 ℎ2)] ℎ2) rarr (119904
3 ℎ3) By induction hypoth-
esis (1199043 ℎ3) ⊨ 119876[119890
21199001] implying (119904
3[1199001
997891rarr
⟦1198902⟧(1199043 ℎ3) this 997891rarr 119904
3(1199002) 1199013997891rarr ⟦119890⟧(119904
3 ℎ3)] ℎ3) ⊨
1198762[1199002this 119890119901
3] Therefore by induction hypothesis
1198783does not abort at (119904
3[1199001997891rarr ⟦119890
2⟧(1199043 ℎ3) this 997891rarr
1199043(1199002) 1199013997891rarr ⟦119890⟧(119904
3 ℎ3)] ℎ3) Hence a simple induc-
tion on119898 completes the proof for this case
(iv) The case of the rule (sup119897) in this case
(a) 119878 = 119900 = super sdot 119891(119890)(b) super(119864 119891) = 119863(c) 119865119863(119891) = (119901
119891 119878119891 119890119891)
(d) 119871 ⊣ 119878119891 (119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)(e) 119871 ⊣ 119877[119890119901
119891] 119878119891119876[119890119891119900]
(f) 119875 hArr this 997891rarr 119862 and 119862 ≪ 119864 and 119877 and fine(119890 119890119891)
Applied Computational Intelligence and Soft Computing 7
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦this⟧(119904 ℎ)) = 119874
119862The condition fine(119890 119890
119891) implies
(119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is defined Therefore (119904[this 997891rarr
119904(1199002) 119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨ 119877[119890119901
119891] By induction
hypothesis 119878119891does not abort at (119904[119901
119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ)
and therefore 119900 = super sdot 119891(119890) does not abort at (119904 ℎ)Nowwe suppose that 119900
1= 1199002sdot119891(119890) (119904 ℎ) rarr (119904
1015840
ℎ1015840
)By (=119904
119900sdot119891) (1199041015840 ℎ1015840) = (119904
10158401015840
[119900 997891rarr ⟦119890119891⟧(11990410158401015840
ℎ10158401015840
)] ℎ10158401015840
) Alsoby induction hypothesis (11990410158401015840 ℎ10158401015840) ⊨ 119876[119890
119891119900] implying
(1199041015840
ℎ1015840
) ⊨ 119876 This completes the proof for this case
(v) The case of the rule (pro119897) it is similar to the case of(lowast=119897
119897sdot119900sdot119891)
4 Discussion
Related Work The most related logic to our work is that ofobject-oriented programs Specifically for Java a huge liter-ature on specification proof techniques for object-orientedlanguages exists For example for annotated Java programsin JML (Java modeling language) [8] presents calculus forweakest precondition An introduction to applications andtools of JML is presented in [9] Via annotating Java sourcefiles JML enables determining Java interfaces and classesConsidering abnormal termination resulting from failures ofJava programs [10] presents an extension to Hoare logic Fortheses failures transformational techniques do not work
Notably dynamically growing reference-structures areinvolved in object-oriented programs This results in thealiasing problem in OOP languages Much logic treatingaliasing does exist One of these techniques is presentedin [11] and reasons about linked lists which are treatedusing separation logic [6] Via including global stores inthe assertion language [12] presents Hoare logic for OOPlanguages However the use of this model for global storingis proved to be a potential cause of incompleteness Classesencapsulation in an OOP language equipped with subtypingand pointers is guaranteed by aliasing restrictions in [13]
The work in [14] is an example of logic achieving mod-ular verification for OOP and focusing on correspondingmethodology and object invariants Modular verificationof complex object structures was treated in [15] using aninvariant class Sound proof systems producing restrictedformal justifications for OOP languages were introducedin [16 17] Producing a complete logical system for OOPlanguages is a very complex problem due to complex featuresof OOP languages
Interestingly none of the techniques mentioned abovetreat context-oriented programs This adds to the value ofthe work presented in the current paper apparently there isno research to generalize separation logic to cover context-oriented programs
Operational semantics and type systems are presentedin [18 19] for checking and modeling context-orientedprograms The language model of [19] is structural and verysimilar to the model of the current paper The languagemodel of [18] is functional Type systems introduced in bothof these papers prevent execution of faculty functions by
proceed The operational semantics of the current paper ismuch simpler and powerful than semantics of [18 19]
Utilizing concepts of delegation based calculus [20]presents operational semantics for a COP language namely119888119895 For COP concepts as introduced in ContextJlowast and Con-textL [21] introduces syntax-based semantics Compared tothe work mentioned above a logical system that stops COPprogram from getting stuck is presented in the current paperTo model context-dependent behavior of COP programs theproposed logical system is based on general calculi
Future Work Extending the language model of the currentpaper to allow executing candidate functions of proceed onpriority bases is a direction for a future work Extending thelanguage to include layer inheritance and layer dependency isanother direction for future work Doing so allows one layerto assume the existence of another layer and allows expressingthe assumption that two layers are not active at the same time
Conflict of Interests
The author declares that there is no conflict of interestsregarding the publication of this paper
References
[1] G Kiczales J Lamping A Mendhekar et al ldquoAspect-orientedprogrammingrdquo in Proceedings of the European Conferenceon Object-Oriented Programming (ECOOP rsquo97) pp 220ndash242Jyvaskyla Finland June 1997
[2] RHirschfeld P Costanza andONierstrasz ldquoContext-orientedprogrammingrdquoThe Journal ofObject Technology vol 7 no 3 pp125ndash151 2008
[3] W Golubski and W-M Lippe ldquoA complete semantics forSMALLTALK-80rdquo Computer Languages vol 21 no 2 pp 67ndash79 1995
[4] M Campione K Walrath and A Huml The Java Tutorial AShort Course on the Basics Addison-Wesley Longman Publish-ing Boston Mass USA 3rd edition 2000
[5] D Flanagan JavaScriptmdashPocket Reference Activate Your WebPages OrsquoReilly 3rd edition 2012
[6] J C Reynolds ldquoSeparation logic a logic for sharedmutable datastructuresrdquo in Proceedings of the 17th Annual IEEE Symposiumon Logic in Computer Science (LICS rsquo02) pp 55ndash74 July 2002
[7] S S Samin and P W OrsquoHearn ldquoBI as an assertion languagefor mutable data structuresrdquo in Principles of ProgrammingLanguages C Hankin and D Schmidt Eds pp 14ndash26 ACM2001
[8] B Jacobs ldquoWeakest pre-condition reasoning for Java programswith JML annotationsrdquo Journal of Logic and Algebraic Program-ming vol 58 no 1-2 pp 61ndash88 2004
[9] L Burdy Y Cheon D R Cok et al ldquoAn overview of JML toolsand applicationsrdquo International Journal on Software Tools forTechnology Transfer vol 7 no 3 pp 212ndash232 2005
[10] M Huisman and B Jacobs ldquoJava program verification viaa hoare logic with abrupt terminationrdquo in FundamentalApproaches to Software Engineering T S E Maibaum Edvol 1783 of Lecture Notes in Computer Science pp 284ndash303Springer Berlin Germany 2000
8 Applied Computational Intelligence and Soft Computing
[11] J M Morris ldquoA general axiom of assignmentrdquo in TheoreticalFoundations of Programming Methodology pp 25ndash34 SpringerBerlin Germany 1982
[12] N Dershowitz Ed Verification Theory and Practice EssaysDedicated to ZoharManna on the Occasion of His 64th Birthdayvol 2772 of Lecture Notes in Computer Science Springer BerlinGermany 2003
[13] A Banerjee and D A Naumann ldquoOwnership confinementensures representation independence for object-oriented pro-gramsrdquo Journal of the ACM vol 52 no 6 pp 894ndash960 2005
[14] M Barnett B-Y E Chang R DeLine B Jacobs and K R MLeino ldquoBoogie a modular reusable verifier for object-orientedprogramsrdquo in Formal Methods for Components and Objects FS de Boer M M Bonsangue S Graf and W-P de RoeverEds vol 4111 of Lecture Notes in Computer Science pp 364ndash387Springer Berlin Germany 2006
[15] P Muller A Poetzsch-Heffter and G T Leavens ldquoModularinvariants for layered object structuresrdquo Science of ComputerProgramming vol 62 no 3 pp 253ndash286 2006
[16] D von Oheimb ldquoHoare logic for Java in Isabelleholrdquo Concur-rency Computation Practice and Experience vol 13 no 13 pp1173ndash1214 2001
[17] G Klein and T Nipkow ldquoA machine-checked model for a Java-like language virtual machine and compilerrdquo ACM Transac-tions on Programming Languages and Systems vol 28 no 4 pp619ndash695 2006
[18] R Hirschfeld A Igarashi and H Masuhara ldquoContextfj aminimal core calculus for context-oriented programmingrdquo inProceedings of the 10th International Workshop on Foundationsof Aspect-Oriented Languages (FOAL rsquo11) pp 19ndash23 ACMMarch 2011
[19] M A El-Zawawy and E A Aleisa ldquoA new model for context-oriented programsrdquo Life Science Journal vol 10 no 2 pp 2515ndash2523 2013
[20] H Schippers D Janssens M Haupt and R HirschfeldldquoDelegation-based semantics for modularizing crosscuttingconcernsrdquo inProceedings of the 23rdACMConference onObject-Oriented Programming Systems Languages and Applications(OOPSLA rsquo08) pp 525ndash542 Nashville Tenn USA October2008
[21] D Clarke and I Sergey ldquoA semantics for context-orientedprogramming with layersrdquo in Proceedings of the InternationalWorkshop on Context-Oriented Programming (COP rsquo09) ACMGenova Italy July 2009
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing 3
119890 isin AExpr = 119899 | 119900 | 119890 sdot V | 11989011198941199001199011198902| (119862)119890 | this
119887 isin BExpr = true | false | 11989011198881199001199011198902| 11988711198871199001199011198872
119897119890 isin LayerExpr = with 119897 | without 119897 | 120598 | 119897119890 119897119890119878 isin Stat = 119890
1sdot V = 119890
2| 1199001= 119897119890 119900
2sdot 119891(119890) | 119900
1= 1199002sdot 119891 (119890) |
119900 = 119904119906119901119890119903 sdot 119891(119890) | 1199001= proceed 119900
2sdot 119891(119890) |
119900 = new 119862 | 119878 119878 | if 119887 then 119878119905else 119878
119891|
while 119887 do 119878119905
funs isin Fun = 119891(119901)119878 return(119890) layer isin Lay = Layer 119897 fun
inhrt isin Inherits = 120598 | inherits 119862cls isin Class = class 119862 inhrt funlowast layerlowast
prog isin Prog = clslowast main() 119878
Algorithm 1 The programming language J-COP
[119862(119890)] (119904 ℎ) = 119906119899119889119890119891119894119899119890119889 if [119890](119904 ℎ) isin 119889119900119898(ℎ) ℎ([119890](119904 ℎ)) = 119874
119863 119886119899119889 119863 ≰ 119862
[119890] (119904 ℎ) otherwise
[119890 sdot V](119904 ℎ) = 119874119863(V) if ℎ([119890](119904 ℎ)) = 119874
119863119886119899119889 V isin 119889119900119898(119874
119863)
119906119899119889119890119891119894119899119890119889 otherwise
Algorithm 2 Semantics of J-COP expressions
returned expression of the function The map 119868119862determines
for every layer 119897 isin 119871119886119910119890119903119862the parts of the layerrsquos function
(119891 119901119891 119878119891 119890119891) We also assume a function SerLay(119871 119897119890 119891) =
1198711015840
= 1198971 119897119898 whose inputs are a set of layers a layer
expression and a function name SerLay adds (removes)layers activated (deactivated) by 119897119890 to (from) 119871 Then SerLayreturns the set of layers in 119871 containing definitions for 119891
The semantics of arithmetic and boolean expressions ofJ-COP is similar to the case of simple imperative languageThe cases of (119862)119890 and 119890 sdot V are shown in Algorithm 2 Somecomments on this algorithm are in order The expression 119890 sdot Vdenotes the variable V of the class referenced by 119890 In linewith common OOP concepts variables of 119862 and that of itsancestors are included in domain of 119868119881119886119903
119862 Therefore the
semantics of 119890 sdot V is defined only if V is a local variable ofthe class referenced by 119890 or any of the classrsquos ancestors Thesemantics of 119890 (in 119890sdotV) is supposed to be an address containinga class object The semantics of (119862)119890 is undefined if 119890 is theaddress of an object of a class119863 that is not a descendant of 119862
Algorithm 3 presents the semantics of J-COPrsquos state-ments The judgments of the semantics have the form 119871 ⊣
119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) meaning that executing 119878 in the state(119904 ℎ) results in the state (1199041015840 ℎ1015840) provided that 119871 is the set ofthe currently active layers Some comments on the rules areas follows The local variable V of the object pointed to by1198901is updated in the rule (=119904
119890) This amounts to modifying
the function 119874119862in the image of [119890
1](119904 ℎ) under ℎ With
input 119890 the rule (=119904119900sdot119891) provides semantics for running the
function 119891 of the object pointed to by 1199002 The semantics
of 119897119890 in 1199001= 119897119890 119900
2sdot 119891(119890) is to activatedeactivate certain
layers The rule (=119904119897sdot119900sdot119891
) provides operational semantics forthis statement This rule does the call SerLay(119871 119897119890 119891) to add
(remove) layers activated (deactivated) via 119897119890 to (from) 119871Thiscall then returns the subset of 119871 with definitions for 119891 Therule then executes the bodies of layer functions sequentiallyThe execution number 119894 builds on its previous execution byupdating 119900
1to the value [119890
119894minus1](119904119894 ℎ119894) The statement 119900 =
super sdot 119891(119890) running the function 119891 of an ancestor of thecurrent object is given semantics in the rule (sup119904) The ruleassumes a function super that finds the ancestor of the classpointed to by 119900
2such that this ancestor includes a definition
for119891 Semantics for 1199001= proceed 119900
2sdot119891(119890) is given in the rule
(pro119904) This statement runs all functions 119891 in active layers ofthe object referenced by 119900
2
3 Assertion Language and Logical System
Extended separation logic to cover context-oriented pro-grams is presented in this sectionThe section introduces theassertion language followed by the logical systemrsquos axiomsand inference rules Against the operational semantics pre-sented in the previous section this section also outlines aformal mathematical proof for the correctness of the logicalsystem Finally an example of a derivation for a partialcorrectness specification using the logical system is includedin this section as well
Boolean expressions classical connectives first orderquantifications and assertions specific to separation logic arethe components of separation logic assertions The followingversion of assertions is used in this section
(i) emp denotes an empty heap(ii) 119890 997891rarr 119862 denotes that the heap has a unique memory
cell whose address is 119890 and whose content is aninstance of the class 119862
4 Applied Computational Intelligence and Soft Computing
119874119862= ℎ ([119890
1] (119904 ℎ)) 119874
1015840
119862= 119874119862[V 997891rarr [119890
2] (119904 ℎ)]
119871 ⊣ 1198901sdot V = 119890
2 (119904 ℎ) rarr (119904 ℎ [[119890
1] (119904 ℎ) 997891rarr 119874
1015840
119862])(=119904
119890)
ℎ([1199002](119904 ℎ)) = 119874
119862119865119862(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119878119891 (119904[this 997891rarr 119904(119900
2) 119901119891997891rarr [119890](119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ 1199001= 1199002sdot 119891(119890) (119904 ℎ) rarr (11990410158401015840[119900
1997891rarr [119890119891](11990410158401015840 ℎ10158401015840)] ℎ10158401015840)
(=119904
119900sdot119891)
SerLay (119871 119897119890 119891) = 1198711015840 = 1198971 119897
119898
ℎ(119904(1199002)) = 119874
119862forall1 le 119894 le 119898 (119871
119862(119897119894) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 1198781 (119904[this 997891rarr 119904(119900
2) 1199011997891rarr [119890](119904 ℎ)] ℎ) rarr (119904
2 ℎ2)
forall119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr [119890119894minus1](119904119894 ℎ119894) this 997891rarr 119904
119894(1199002)
119901119894997891rarr [119890](119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
119871 ⊣ 1199001= 119897119890 119900
2sdot 119891(119890) (119904 ℎ) rarr (119904
119898+1[1199001997891rarr [119890119898](119904119898+1
ℎ119898+1
)] ℎ119898+1
)(=119904
119897sdot119900sdot119891)
ℎ(119904(this)) = 119874119862119862 ≪ 119864
super(119864 119891) = 119863 119865119863(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119878119891 (119904[119901
119891997891rarr [119890](119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ 119900 = super sdot 119891(119890) (119904 ℎ) rarr (11990410158401015840[119900 997891rarr [119890119891](11990410158401015840 ℎ10158401015840)] ℎ10158401015840)
(sup119904)
119886 isin A 119889119900119898(ℎ)
119871 ⊣ 119900 = new 119862 (119904 ℎ) rarr (119904[119900 997891rarr 119886] ℎ[119886 997891rarr 0])(new119904)
ℎ (119904 (1199002)) = 119874
119862
1198711015840
= 1198971 119897
119898 sube 119871 (forall1 le 119894 le 119898 (119871
119862(119897119894)) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 1198781 (1199041[this 997891rarr 119904 (119900
2) 1199011997891rarr [119890] (119904
1 ℎ1)] ℎ1) rarr (119904
2 ℎ2)
forall119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr [119890119894minus1] (119904119894 ℎ119894) this 997891rarr 119904 (119900
2) 119901119894997891rarr [119890] (119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
119871 ⊣ 1199001= proceed 119900
2sdot 119891(119890) (119904 ℎ) rarr (119904
119898+1[1199001997891rarr [119890119898] (119904119898+1
ℎ119898+1
)] ℎ119898+1
)(119901119904
)
([119887](119904 ℎ) = true and 119871 ⊣ 119878119905 (119904 ℎ) rarr (119904
1015840
ℎ1015840
))or
([119887](119904 ℎ) = false and 119871 ⊣ 119878119891 (119904 ℎ) rarr (119904
1015840
ℎ1015840
))
119871 ⊣ if 119887 then 119878119905else 119878
119891 (119904 ℎ) rarr (1199041015840 ℎ1015840)
(if119904)
[119887](119904 ℎ) = false119871 ⊣ while 119887 do 119878
119905 (119904 ℎ) rarr (119904 ℎ)
(whl1199041)
119871 ⊣ 1198781 (119904 ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ 1198782 (11990410158401015840
ℎ10158401015840
) rarr (1199041015840
ℎ1015840
)
119871 ⊣ 1198781 1198782 (119904 ℎ) rarr (1199041015840 ℎ1015840)
(sq119904)
[119887](119904 ℎ) = true119871 ⊣ 119878119905 (119904 ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ while 119887 do 119878119905 (11990410158401015840
ℎ10158401015840
) rarr (1199041015840
ℎ1015840
)
119871 ⊣ while 119887 do 119878119905 (119904 ℎ) rarr (1199041015840 ℎ1015840)
(whl1199042)
Algorithm 3 Inference rules of the operational semantics for J-COP constructs
(iii) this 997891rarr 119862 denotes a special case of the previousassertion where 119890 = this
(iv) 119875 lowast 119876 dubbed separating conjunction(v) 119875 minuslowast119876 dubbed separating implication(vi) ⊛
119894isin119868119875119894is a general form of separating conjunction
Algorithm 4 presents the specific definition of the lan-guage of assertions A group of states are modeled by everyassertion via a modeling relation ((119904 ℎ) ⊨ 119875) The semanticsof this relation is that the state (119904 ℎ) satisfies the assertion119875 Definition 2 formalizes the semantics of the modelingrelation
Definition 2 One has the following
(i) (119904 ℎ) ⊨ fine(1198901 119890
119899)defhArr for all 119894 ⟦119890
119894⟧(119904 ℎ) = abort
(ii) (119904 ℎ) ⊨ empdefhArr dom(ℎ) = 0
(iii) (119904 ℎ) ⊨ 119890 997891rarr 119862defhArr dom(ℎ) = ⟦119890⟧(119904 ℎ) and
ℎ(⟦119890⟧(119904 ℎ)) = 119874119862
(iv) (119904 ℎ) ⊨ 1198751lowast1198752
defhArr existℎ
1015840
ℎ10158401015840 ℎ1015840 ℎ10158401015840 ℎ = ℎ1015840 sdotℎ10158401015840 (119904 ℎ1015840) ⊨
1198751 and (119904 ℎ10158401015840) ⊨ 119875
2
(v) (119904 ℎ) ⊨ 1198751minuslowast1198752
defhArr for all ℎ1015840((ℎ1015840ℎ and (119904 ℎ
1015840
) ⊨ 1198751) rArr
(119904 ℎ sdot ℎ1015840
) ⊨ 1198752)
The fact that dom(ℎ1) cap dom(ℎ
2) = 0 is denoted by the
expression ℎ1 ℎ2 The union of heaps is denoted by ℎ
1sdot ℎ2
and is defined only if ℎ1 ℎ2
A judgment of the proposed logical system is of the form119871 ⊨ 119875119878119876 where 119875 and 119876 are the pre- and postconditionsrespectively The semantics of this judgment is that if layersof 119871 are active and 119878 is executed in a state satisfying 119875then the final state will satisfy 119876 Definition 3 formalizes the
Applied Computational Intelligence and Soft Computing 5
119890 isin AExpr = 119899 | 119900 | 119890 sdot V | 11989011198941199001199011198902| (119862)119890 | this
119887 isin BExpr = true | false | 11989011198881199001199011198902| 11988711198871199001199011198872
119875119876 119877 1198691 1198692isin Asset = 119887 | 119875 and 119876 | 119875 or 119876 | 119875 rArr 119876 | not119875 | forall119909 119875 |
exist 119909 119875 | fine(119890) | emp | 119890 997891rarr 119862 | 119875 lowast 119876 |
119875 minuslowast 119876 | ⊛119894isin119868119875119894
Algorithm 4 The assertion language
soundness concept of specifications produced by the logicalsystem Axioms and inference rules of the logical system areintroduced in Algorithm 5
We fix the abortion notion for Definition 3 A statement 119878is aborting at (119904 ℎ) (denoted by 119878 (119904 ℎ 119871) rarr abort) if (a) astate (1199041015840 ℎ1015840) such that 119878 (119904 ℎ) rarr (119904
1015840
ℎ1015840
) is not available and(b) 119878 is not stuck in an infinite loop
Definition 3 A specification 119871 ⊣ 119875119878119876 is sound if for each(119904 ℎ) such that (119904 ℎ) ⊨ 119875 the following is satisfied
(1) not(119871 ⊨ 119878 (119904 ℎ) rarr abort)
(2) if 119871 ⊨ 119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) then (1199041015840 ℎ1015840) ⊨ 119876
Some of the rules in Algorithm 5 are certainly notewor-thy In many rules like (=119897
119890) and (=
119897
119900sdot119891) the expressions of
relevant statements contribute to the preconditions of therules This has the advantage of ensuring that the meantmemory addresses are indeed allocated and hence evalua-tions of expressions do not abort The preconditions of (=119897
119890)
and (=119897
119900sdot119891) also ensure that appropriate variables reference
objects in heap The side-conditions of (=119897119900sdot119891) and (=
119897
119897sdot119900sdot119891)
consider that executing these statements involves executingcertain function bodies We let mod(119878 119871) denote the set oflocations modified by 119878 provided that layers of 119871 are activeThe symbol 119891V(119877) denotes the set of free variables of 119877 Therule (share119897) enables the composition of specifications havingdisjoint sets of activated layers if the preconditions of thespecifications describe disjoint regions of the heap The rule(frame119897) enables avoiding a frame of the heap119877 that does notaffect the statement This rule also ensures that 119877 is satisfiedby the postcondition
Soundness The soundness of the logical system is guaranteedby the following theorem
Theorem 4 Specifications 119871 ⊣ 119875119878119876 that resulted using thelogical system of Algorithm 5 are sound (Definition 3)
Proof Structure induction on axioms and inference rules ofAlgorithm 5 achieves the proof In the following basic casesare outlined
(i) The case of the rule (=119897119890) in this case
(a) 119878 = 1198901sdot V = 119890
2
(b) 119875 hArr 1198901997891rarr 119862 and fine(119890
1sdotV) and fine(119890
2) and 119876[119890
21198901sdot
V]
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 Hence119874119862= ℎ(⟦119890
1⟧(119904 ℎ)) and ⟦119890
2⟧(119904 ℎ) = abort Therefore
1198741015840
119862= 119874119862[V 997891rarr ⟦119890
2⟧(119904 ℎ)] is defined and so does
(119904 ℎ[⟦1198901⟧(119904 ℎ) 997891rarr 119874
1015840
119862]) Hence not(119871 ⊨ 119878 (119904 ℎ) rarr
abort) Now we suppose 119871 ⊨ 119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) Inthis case (1199041015840 ℎ1015840) = (119904 ℎ[⟦119890
1⟧(119904 ℎ) 997891rarr 119874
1015840
119862]) Therefore
(1199041015840
ℎ1015840
) ⊨ 119876 because (119904 ℎ) ⊨ 119876[11989021198901sdot V] This
completes the proof for this case(ii) The case of the rule (lowast=119897
119900sdot119891) in this case
(a) 119878 = 1199001= 1199002sdot 119891(119890)
(b) 119865119862(119891) = (119901
119891 119878119891 119890119891)
(c) 119871 ⊣ 119877[1199002this 119890119901
119891] 119878119891119876[1198901198911199001]
(d) 119871 ⊣ 119878119891 (119904[this 997891rarr 119904(119900
2) 119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr
(11990410158401015840
ℎ10158401015840
)(e) 119875 hArr 119900
2997891rarr 119862 and 119877 and fine(119890 119890
119891)
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦1199002⟧(119904 ℎ)) = 119874
119862 The condition fine(119890 119890
119891) implies
(119904[this 997891rarr 119904(1199002) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is definedTherefore (119904[this 997891rarr 119904(119900
2) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨
119877[1199002this 119890119901
119891] By induction hypothesis 119878
119891does not
abort at (119904[this 997891rarr 119904(1199002) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) andtherefore 119900
1= 1199002sdot 119891(119890) does not abort at (119904 ℎ) Now
we suppose that 1199001= 1199002sdot 119891(119890) (119904 ℎ) rarr (119904
1015840
ℎ1015840
) By(=119904
119900sdot119891) (1199041015840 ℎ1015840) = (119904
10158401015840
[1199001997891rarr ⟦119890
119891⟧(11990410158401015840
ℎ10158401015840
)] ℎ10158401015840
) Alsoby induction hypothesis (11990410158401015840 ℎ10158401015840) ⊨ 119876[119890
1198911199001] implying
(1199041015840
ℎ1015840
) ⊨ 119876 This completes the proof for this case(iii) The case of the rule (lowast=119897
119897sdot119900sdot119891) in this case
(a) 119878 = 1199001= 119897119890 119900
2sdot 119891(119890)
(b) SerLay(119871 119897119890 119891) = 1198711015840
= 1198971 119897119898 for all 1 le
119894 le 119898(119871119862(119897119894) = (119891 119901
119894 119878119894 119890119894))
(c) 1198711015840 ⊣ 1198781 (119904[this 997891rarr 119904(119900
2) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr
(1199042 ℎ2)
(d) for all 119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr ⟦119890119894minus1⟧(119904119894 ℎ119894)this
997891rarr 119904119894(1199002) 119901119894997891rarr ⟦119890⟧(119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
(e) 1198711015840 ⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
(f) for all 119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894]
119878119894119876119894[1198901198941199001]
(g) 119875 hArr 1199002997891rarr 119862 and 119877 and fine(119890 119890
1 119890
119898)
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦1199002⟧(119904 ℎ)) = 119874
119862 The condition fine(119890 119890
1 119890
119898)
implies (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is defined
Therefore (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨
119877[1199002this 119890119901
1] By induction hypothesis 119878
1does
not abort at (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ)
6 Applied Computational Intelligence and Soft Computing
119871 ⊣ 1198901997891rarr 119862 and fine (119890
1sdot V) and fine (119890
2) and 119876 [119890
21198901sdot V] 119890
1sdot V = 119890
2119876
(=119897
119890)
119865119862(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119877[1199002this 119890119901
119891] 119878119891119876[1198901198911199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 and fine(119890 119890
119891) 1199001= 1199002sdot 119891(119890) 119876
(=119897
119900sdot119891)
SerLay(119871 119897119890 119891) = 1198711015840 = 1198971 119897
119898
1198711015840
⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
forall119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894] 119878119894119876119894[1198901198941199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 and fine(119890 119890
1 119890
119898) 1199001= 119897119890 119900
2sdot 119891(119890) 119876
119898(=119897
119897sdot119900sdot119891)
super(119864 119891) = 119863 119865119863(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119877[119890119901119891] 119878119891119876[119890119891119900]
119871 ⊣ this 997891rarr 119862 and 119862 ≪ 119864 and 119877 and fine(119890 119890119891) 119900 = super sdot 119891(119890) 119876
(sup119897)
119871 ⊣ emp 119900 = new 119862 119900 997891rarr 119862(new119897)
1198711015840
= 1198971 119897
119898 sube 119871 (forall1 le 119894 le 119898 (119871
119862(119897119894)) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
forall119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894] 119878119894119876119894[1198901198941199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 119900
1= proceed 119900
2sdot 119891(119890) 119876
119898
(pro119897)
119871 ⊣ 119875 1198781119877
119871 ⊣ 119877 1198782119876
119871 ⊣ 119875 1198781 1198782119876
(Seq119897)
119871 ⊣ 119875 119878 119876
119871 ⊣ 1198751015840
119878 1198761015840
119871 ⊣ 119875 or 1198751015840 119878 119876 or 1198761015840(Disj119897)
119871 ⊣ 119875 and 119887 119878119905119876
119871 ⊣ 119875 and not(119887) 119878119891119876
119871 ⊣ 119875 if 119887 then 119878119905else 119878
119891119876
(if119897)
119871 ⊣ fine(119887) and 119875 119878119905fine(119887) and 119875
119871 ⊣ fine(119887) and 119875 while 119887 do 119878119905not(119887) and 119875
(while119897)
119871 ⊣ 119875 119878 119876
1198751015840
997904rArr 119875 119876 997904rArr 1198761015840
119871 ⊣ 1198751015840 119878 1198761015840(seq119897)
1198711⊣ 119875 119878 119876
1198712⊣ 1198751015840
119878 1198761015840
1198711cup 1198712⊣ 119875 and 1198751015840 119878 119876 and 1198761015840
(Conj119897)
1198711⊣ 119875 119878 119876
1198712⊣ 119877 119878 119877
1198711cap 1198712= 0
1198711cup 1198712⊣ 119875 lowast 119877 119878 119876 lowast 119877
(share119897)
119871 ⊣ 119875 119878 119876
119891V(119877) cap mod(119878 119871) = 0119871 ⊣ 119875 lowast 119877 119878 119876 lowast 119877
(frame119897)
119897 ⊣ 119875 119878 119876
119871 119897 ⊣ 1198691 119878 119869
2
119871 ⊣ 119875 and 1198691 119878 119876 or 119869
2(glob119897)
119871 ⊣ 119875 119878 119876
119909 notin 119891V(119878)119871 ⊣ exist119909 119875 119878 exist119909 119876
(Ex119897)
Algorithm 5 The inference rules of the proposed logical system
Now we suppose that 1198781 (119904 ℎ) rarr (119904
2 ℎ2) By induc-
tion hypothesis (1199042 ℎ2) ⊨ 119876[119890
11199001] implying (119904
2[1199001997891rarr
⟦1198901⟧(1199042 ℎ2) this 997891rarr 119904
2(1199002) 1199012997891rarr ⟦119890⟧(119904
2 ℎ2)] ℎ2) ⊨
1198761[1199002this 119890119901
2] Therefore by induction hypothesis
1198782does not abort at (119904
2[1199001997891rarr ⟦119890
1⟧(1199042 ℎ2) this 997891rarr
1199042(1199002) 1199012997891rarr ⟦119890⟧(119904
2 ℎ2)] ℎ2) Now we suppose that
1198782 (1199042[1199001997891rarr ⟦119890
1⟧(1199042 ℎ2) this 997891rarr 119904
2(1199002) 1199012997891rarr
⟦119890⟧(1199042 ℎ2)] ℎ2) rarr (119904
3 ℎ3) By induction hypoth-
esis (1199043 ℎ3) ⊨ 119876[119890
21199001] implying (119904
3[1199001
997891rarr
⟦1198902⟧(1199043 ℎ3) this 997891rarr 119904
3(1199002) 1199013997891rarr ⟦119890⟧(119904
3 ℎ3)] ℎ3) ⊨
1198762[1199002this 119890119901
3] Therefore by induction hypothesis
1198783does not abort at (119904
3[1199001997891rarr ⟦119890
2⟧(1199043 ℎ3) this 997891rarr
1199043(1199002) 1199013997891rarr ⟦119890⟧(119904
3 ℎ3)] ℎ3) Hence a simple induc-
tion on119898 completes the proof for this case
(iv) The case of the rule (sup119897) in this case
(a) 119878 = 119900 = super sdot 119891(119890)(b) super(119864 119891) = 119863(c) 119865119863(119891) = (119901
119891 119878119891 119890119891)
(d) 119871 ⊣ 119878119891 (119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)(e) 119871 ⊣ 119877[119890119901
119891] 119878119891119876[119890119891119900]
(f) 119875 hArr this 997891rarr 119862 and 119862 ≪ 119864 and 119877 and fine(119890 119890119891)
Applied Computational Intelligence and Soft Computing 7
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦this⟧(119904 ℎ)) = 119874
119862The condition fine(119890 119890
119891) implies
(119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is defined Therefore (119904[this 997891rarr
119904(1199002) 119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨ 119877[119890119901
119891] By induction
hypothesis 119878119891does not abort at (119904[119901
119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ)
and therefore 119900 = super sdot 119891(119890) does not abort at (119904 ℎ)Nowwe suppose that 119900
1= 1199002sdot119891(119890) (119904 ℎ) rarr (119904
1015840
ℎ1015840
)By (=119904
119900sdot119891) (1199041015840 ℎ1015840) = (119904
10158401015840
[119900 997891rarr ⟦119890119891⟧(11990410158401015840
ℎ10158401015840
)] ℎ10158401015840
) Alsoby induction hypothesis (11990410158401015840 ℎ10158401015840) ⊨ 119876[119890
119891119900] implying
(1199041015840
ℎ1015840
) ⊨ 119876 This completes the proof for this case
(v) The case of the rule (pro119897) it is similar to the case of(lowast=119897
119897sdot119900sdot119891)
4 Discussion
Related Work The most related logic to our work is that ofobject-oriented programs Specifically for Java a huge liter-ature on specification proof techniques for object-orientedlanguages exists For example for annotated Java programsin JML (Java modeling language) [8] presents calculus forweakest precondition An introduction to applications andtools of JML is presented in [9] Via annotating Java sourcefiles JML enables determining Java interfaces and classesConsidering abnormal termination resulting from failures ofJava programs [10] presents an extension to Hoare logic Fortheses failures transformational techniques do not work
Notably dynamically growing reference-structures areinvolved in object-oriented programs This results in thealiasing problem in OOP languages Much logic treatingaliasing does exist One of these techniques is presentedin [11] and reasons about linked lists which are treatedusing separation logic [6] Via including global stores inthe assertion language [12] presents Hoare logic for OOPlanguages However the use of this model for global storingis proved to be a potential cause of incompleteness Classesencapsulation in an OOP language equipped with subtypingand pointers is guaranteed by aliasing restrictions in [13]
The work in [14] is an example of logic achieving mod-ular verification for OOP and focusing on correspondingmethodology and object invariants Modular verificationof complex object structures was treated in [15] using aninvariant class Sound proof systems producing restrictedformal justifications for OOP languages were introducedin [16 17] Producing a complete logical system for OOPlanguages is a very complex problem due to complex featuresof OOP languages
Interestingly none of the techniques mentioned abovetreat context-oriented programs This adds to the value ofthe work presented in the current paper apparently there isno research to generalize separation logic to cover context-oriented programs
Operational semantics and type systems are presentedin [18 19] for checking and modeling context-orientedprograms The language model of [19] is structural and verysimilar to the model of the current paper The languagemodel of [18] is functional Type systems introduced in bothof these papers prevent execution of faculty functions by
proceed The operational semantics of the current paper ismuch simpler and powerful than semantics of [18 19]
Utilizing concepts of delegation based calculus [20]presents operational semantics for a COP language namely119888119895 For COP concepts as introduced in ContextJlowast and Con-textL [21] introduces syntax-based semantics Compared tothe work mentioned above a logical system that stops COPprogram from getting stuck is presented in the current paperTo model context-dependent behavior of COP programs theproposed logical system is based on general calculi
Future Work Extending the language model of the currentpaper to allow executing candidate functions of proceed onpriority bases is a direction for a future work Extending thelanguage to include layer inheritance and layer dependency isanother direction for future work Doing so allows one layerto assume the existence of another layer and allows expressingthe assumption that two layers are not active at the same time
Conflict of Interests
The author declares that there is no conflict of interestsregarding the publication of this paper
References
[1] G Kiczales J Lamping A Mendhekar et al ldquoAspect-orientedprogrammingrdquo in Proceedings of the European Conferenceon Object-Oriented Programming (ECOOP rsquo97) pp 220ndash242Jyvaskyla Finland June 1997
[2] RHirschfeld P Costanza andONierstrasz ldquoContext-orientedprogrammingrdquoThe Journal ofObject Technology vol 7 no 3 pp125ndash151 2008
[3] W Golubski and W-M Lippe ldquoA complete semantics forSMALLTALK-80rdquo Computer Languages vol 21 no 2 pp 67ndash79 1995
[4] M Campione K Walrath and A Huml The Java Tutorial AShort Course on the Basics Addison-Wesley Longman Publish-ing Boston Mass USA 3rd edition 2000
[5] D Flanagan JavaScriptmdashPocket Reference Activate Your WebPages OrsquoReilly 3rd edition 2012
[6] J C Reynolds ldquoSeparation logic a logic for sharedmutable datastructuresrdquo in Proceedings of the 17th Annual IEEE Symposiumon Logic in Computer Science (LICS rsquo02) pp 55ndash74 July 2002
[7] S S Samin and P W OrsquoHearn ldquoBI as an assertion languagefor mutable data structuresrdquo in Principles of ProgrammingLanguages C Hankin and D Schmidt Eds pp 14ndash26 ACM2001
[8] B Jacobs ldquoWeakest pre-condition reasoning for Java programswith JML annotationsrdquo Journal of Logic and Algebraic Program-ming vol 58 no 1-2 pp 61ndash88 2004
[9] L Burdy Y Cheon D R Cok et al ldquoAn overview of JML toolsand applicationsrdquo International Journal on Software Tools forTechnology Transfer vol 7 no 3 pp 212ndash232 2005
[10] M Huisman and B Jacobs ldquoJava program verification viaa hoare logic with abrupt terminationrdquo in FundamentalApproaches to Software Engineering T S E Maibaum Edvol 1783 of Lecture Notes in Computer Science pp 284ndash303Springer Berlin Germany 2000
8 Applied Computational Intelligence and Soft Computing
[11] J M Morris ldquoA general axiom of assignmentrdquo in TheoreticalFoundations of Programming Methodology pp 25ndash34 SpringerBerlin Germany 1982
[12] N Dershowitz Ed Verification Theory and Practice EssaysDedicated to ZoharManna on the Occasion of His 64th Birthdayvol 2772 of Lecture Notes in Computer Science Springer BerlinGermany 2003
[13] A Banerjee and D A Naumann ldquoOwnership confinementensures representation independence for object-oriented pro-gramsrdquo Journal of the ACM vol 52 no 6 pp 894ndash960 2005
[14] M Barnett B-Y E Chang R DeLine B Jacobs and K R MLeino ldquoBoogie a modular reusable verifier for object-orientedprogramsrdquo in Formal Methods for Components and Objects FS de Boer M M Bonsangue S Graf and W-P de RoeverEds vol 4111 of Lecture Notes in Computer Science pp 364ndash387Springer Berlin Germany 2006
[15] P Muller A Poetzsch-Heffter and G T Leavens ldquoModularinvariants for layered object structuresrdquo Science of ComputerProgramming vol 62 no 3 pp 253ndash286 2006
[16] D von Oheimb ldquoHoare logic for Java in Isabelleholrdquo Concur-rency Computation Practice and Experience vol 13 no 13 pp1173ndash1214 2001
[17] G Klein and T Nipkow ldquoA machine-checked model for a Java-like language virtual machine and compilerrdquo ACM Transac-tions on Programming Languages and Systems vol 28 no 4 pp619ndash695 2006
[18] R Hirschfeld A Igarashi and H Masuhara ldquoContextfj aminimal core calculus for context-oriented programmingrdquo inProceedings of the 10th International Workshop on Foundationsof Aspect-Oriented Languages (FOAL rsquo11) pp 19ndash23 ACMMarch 2011
[19] M A El-Zawawy and E A Aleisa ldquoA new model for context-oriented programsrdquo Life Science Journal vol 10 no 2 pp 2515ndash2523 2013
[20] H Schippers D Janssens M Haupt and R HirschfeldldquoDelegation-based semantics for modularizing crosscuttingconcernsrdquo inProceedings of the 23rdACMConference onObject-Oriented Programming Systems Languages and Applications(OOPSLA rsquo08) pp 525ndash542 Nashville Tenn USA October2008
[21] D Clarke and I Sergey ldquoA semantics for context-orientedprogramming with layersrdquo in Proceedings of the InternationalWorkshop on Context-Oriented Programming (COP rsquo09) ACMGenova Italy July 2009
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
4 Applied Computational Intelligence and Soft Computing
119874119862= ℎ ([119890
1] (119904 ℎ)) 119874
1015840
119862= 119874119862[V 997891rarr [119890
2] (119904 ℎ)]
119871 ⊣ 1198901sdot V = 119890
2 (119904 ℎ) rarr (119904 ℎ [[119890
1] (119904 ℎ) 997891rarr 119874
1015840
119862])(=119904
119890)
ℎ([1199002](119904 ℎ)) = 119874
119862119865119862(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119878119891 (119904[this 997891rarr 119904(119900
2) 119901119891997891rarr [119890](119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ 1199001= 1199002sdot 119891(119890) (119904 ℎ) rarr (11990410158401015840[119900
1997891rarr [119890119891](11990410158401015840 ℎ10158401015840)] ℎ10158401015840)
(=119904
119900sdot119891)
SerLay (119871 119897119890 119891) = 1198711015840 = 1198971 119897
119898
ℎ(119904(1199002)) = 119874
119862forall1 le 119894 le 119898 (119871
119862(119897119894) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 1198781 (119904[this 997891rarr 119904(119900
2) 1199011997891rarr [119890](119904 ℎ)] ℎ) rarr (119904
2 ℎ2)
forall119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr [119890119894minus1](119904119894 ℎ119894) this 997891rarr 119904
119894(1199002)
119901119894997891rarr [119890](119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
119871 ⊣ 1199001= 119897119890 119900
2sdot 119891(119890) (119904 ℎ) rarr (119904
119898+1[1199001997891rarr [119890119898](119904119898+1
ℎ119898+1
)] ℎ119898+1
)(=119904
119897sdot119900sdot119891)
ℎ(119904(this)) = 119874119862119862 ≪ 119864
super(119864 119891) = 119863 119865119863(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119878119891 (119904[119901
119891997891rarr [119890](119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ 119900 = super sdot 119891(119890) (119904 ℎ) rarr (11990410158401015840[119900 997891rarr [119890119891](11990410158401015840 ℎ10158401015840)] ℎ10158401015840)
(sup119904)
119886 isin A 119889119900119898(ℎ)
119871 ⊣ 119900 = new 119862 (119904 ℎ) rarr (119904[119900 997891rarr 119886] ℎ[119886 997891rarr 0])(new119904)
ℎ (119904 (1199002)) = 119874
119862
1198711015840
= 1198971 119897
119898 sube 119871 (forall1 le 119894 le 119898 (119871
119862(119897119894)) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 1198781 (1199041[this 997891rarr 119904 (119900
2) 1199011997891rarr [119890] (119904
1 ℎ1)] ℎ1) rarr (119904
2 ℎ2)
forall119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr [119890119894minus1] (119904119894 ℎ119894) this 997891rarr 119904 (119900
2) 119901119894997891rarr [119890] (119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
119871 ⊣ 1199001= proceed 119900
2sdot 119891(119890) (119904 ℎ) rarr (119904
119898+1[1199001997891rarr [119890119898] (119904119898+1
ℎ119898+1
)] ℎ119898+1
)(119901119904
)
([119887](119904 ℎ) = true and 119871 ⊣ 119878119905 (119904 ℎ) rarr (119904
1015840
ℎ1015840
))or
([119887](119904 ℎ) = false and 119871 ⊣ 119878119891 (119904 ℎ) rarr (119904
1015840
ℎ1015840
))
119871 ⊣ if 119887 then 119878119905else 119878
119891 (119904 ℎ) rarr (1199041015840 ℎ1015840)
(if119904)
[119887](119904 ℎ) = false119871 ⊣ while 119887 do 119878
119905 (119904 ℎ) rarr (119904 ℎ)
(whl1199041)
119871 ⊣ 1198781 (119904 ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ 1198782 (11990410158401015840
ℎ10158401015840
) rarr (1199041015840
ℎ1015840
)
119871 ⊣ 1198781 1198782 (119904 ℎ) rarr (1199041015840 ℎ1015840)
(sq119904)
[119887](119904 ℎ) = true119871 ⊣ 119878119905 (119904 ℎ) rarr (119904
10158401015840
ℎ10158401015840
)
119871 ⊣ while 119887 do 119878119905 (11990410158401015840
ℎ10158401015840
) rarr (1199041015840
ℎ1015840
)
119871 ⊣ while 119887 do 119878119905 (119904 ℎ) rarr (1199041015840 ℎ1015840)
(whl1199042)
Algorithm 3 Inference rules of the operational semantics for J-COP constructs
(iii) this 997891rarr 119862 denotes a special case of the previousassertion where 119890 = this
(iv) 119875 lowast 119876 dubbed separating conjunction(v) 119875 minuslowast119876 dubbed separating implication(vi) ⊛
119894isin119868119875119894is a general form of separating conjunction
Algorithm 4 presents the specific definition of the lan-guage of assertions A group of states are modeled by everyassertion via a modeling relation ((119904 ℎ) ⊨ 119875) The semanticsof this relation is that the state (119904 ℎ) satisfies the assertion119875 Definition 2 formalizes the semantics of the modelingrelation
Definition 2 One has the following
(i) (119904 ℎ) ⊨ fine(1198901 119890
119899)defhArr for all 119894 ⟦119890
119894⟧(119904 ℎ) = abort
(ii) (119904 ℎ) ⊨ empdefhArr dom(ℎ) = 0
(iii) (119904 ℎ) ⊨ 119890 997891rarr 119862defhArr dom(ℎ) = ⟦119890⟧(119904 ℎ) and
ℎ(⟦119890⟧(119904 ℎ)) = 119874119862
(iv) (119904 ℎ) ⊨ 1198751lowast1198752
defhArr existℎ
1015840
ℎ10158401015840 ℎ1015840 ℎ10158401015840 ℎ = ℎ1015840 sdotℎ10158401015840 (119904 ℎ1015840) ⊨
1198751 and (119904 ℎ10158401015840) ⊨ 119875
2
(v) (119904 ℎ) ⊨ 1198751minuslowast1198752
defhArr for all ℎ1015840((ℎ1015840ℎ and (119904 ℎ
1015840
) ⊨ 1198751) rArr
(119904 ℎ sdot ℎ1015840
) ⊨ 1198752)
The fact that dom(ℎ1) cap dom(ℎ
2) = 0 is denoted by the
expression ℎ1 ℎ2 The union of heaps is denoted by ℎ
1sdot ℎ2
and is defined only if ℎ1 ℎ2
A judgment of the proposed logical system is of the form119871 ⊨ 119875119878119876 where 119875 and 119876 are the pre- and postconditionsrespectively The semantics of this judgment is that if layersof 119871 are active and 119878 is executed in a state satisfying 119875then the final state will satisfy 119876 Definition 3 formalizes the
Applied Computational Intelligence and Soft Computing 5
119890 isin AExpr = 119899 | 119900 | 119890 sdot V | 11989011198941199001199011198902| (119862)119890 | this
119887 isin BExpr = true | false | 11989011198881199001199011198902| 11988711198871199001199011198872
119875119876 119877 1198691 1198692isin Asset = 119887 | 119875 and 119876 | 119875 or 119876 | 119875 rArr 119876 | not119875 | forall119909 119875 |
exist 119909 119875 | fine(119890) | emp | 119890 997891rarr 119862 | 119875 lowast 119876 |
119875 minuslowast 119876 | ⊛119894isin119868119875119894
Algorithm 4 The assertion language
soundness concept of specifications produced by the logicalsystem Axioms and inference rules of the logical system areintroduced in Algorithm 5
We fix the abortion notion for Definition 3 A statement 119878is aborting at (119904 ℎ) (denoted by 119878 (119904 ℎ 119871) rarr abort) if (a) astate (1199041015840 ℎ1015840) such that 119878 (119904 ℎ) rarr (119904
1015840
ℎ1015840
) is not available and(b) 119878 is not stuck in an infinite loop
Definition 3 A specification 119871 ⊣ 119875119878119876 is sound if for each(119904 ℎ) such that (119904 ℎ) ⊨ 119875 the following is satisfied
(1) not(119871 ⊨ 119878 (119904 ℎ) rarr abort)
(2) if 119871 ⊨ 119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) then (1199041015840 ℎ1015840) ⊨ 119876
Some of the rules in Algorithm 5 are certainly notewor-thy In many rules like (=119897
119890) and (=
119897
119900sdot119891) the expressions of
relevant statements contribute to the preconditions of therules This has the advantage of ensuring that the meantmemory addresses are indeed allocated and hence evalua-tions of expressions do not abort The preconditions of (=119897
119890)
and (=119897
119900sdot119891) also ensure that appropriate variables reference
objects in heap The side-conditions of (=119897119900sdot119891) and (=
119897
119897sdot119900sdot119891)
consider that executing these statements involves executingcertain function bodies We let mod(119878 119871) denote the set oflocations modified by 119878 provided that layers of 119871 are activeThe symbol 119891V(119877) denotes the set of free variables of 119877 Therule (share119897) enables the composition of specifications havingdisjoint sets of activated layers if the preconditions of thespecifications describe disjoint regions of the heap The rule(frame119897) enables avoiding a frame of the heap119877 that does notaffect the statement This rule also ensures that 119877 is satisfiedby the postcondition
Soundness The soundness of the logical system is guaranteedby the following theorem
Theorem 4 Specifications 119871 ⊣ 119875119878119876 that resulted using thelogical system of Algorithm 5 are sound (Definition 3)
Proof Structure induction on axioms and inference rules ofAlgorithm 5 achieves the proof In the following basic casesare outlined
(i) The case of the rule (=119897119890) in this case
(a) 119878 = 1198901sdot V = 119890
2
(b) 119875 hArr 1198901997891rarr 119862 and fine(119890
1sdotV) and fine(119890
2) and 119876[119890
21198901sdot
V]
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 Hence119874119862= ℎ(⟦119890
1⟧(119904 ℎ)) and ⟦119890
2⟧(119904 ℎ) = abort Therefore
1198741015840
119862= 119874119862[V 997891rarr ⟦119890
2⟧(119904 ℎ)] is defined and so does
(119904 ℎ[⟦1198901⟧(119904 ℎ) 997891rarr 119874
1015840
119862]) Hence not(119871 ⊨ 119878 (119904 ℎ) rarr
abort) Now we suppose 119871 ⊨ 119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) Inthis case (1199041015840 ℎ1015840) = (119904 ℎ[⟦119890
1⟧(119904 ℎ) 997891rarr 119874
1015840
119862]) Therefore
(1199041015840
ℎ1015840
) ⊨ 119876 because (119904 ℎ) ⊨ 119876[11989021198901sdot V] This
completes the proof for this case(ii) The case of the rule (lowast=119897
119900sdot119891) in this case
(a) 119878 = 1199001= 1199002sdot 119891(119890)
(b) 119865119862(119891) = (119901
119891 119878119891 119890119891)
(c) 119871 ⊣ 119877[1199002this 119890119901
119891] 119878119891119876[1198901198911199001]
(d) 119871 ⊣ 119878119891 (119904[this 997891rarr 119904(119900
2) 119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr
(11990410158401015840
ℎ10158401015840
)(e) 119875 hArr 119900
2997891rarr 119862 and 119877 and fine(119890 119890
119891)
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦1199002⟧(119904 ℎ)) = 119874
119862 The condition fine(119890 119890
119891) implies
(119904[this 997891rarr 119904(1199002) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is definedTherefore (119904[this 997891rarr 119904(119900
2) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨
119877[1199002this 119890119901
119891] By induction hypothesis 119878
119891does not
abort at (119904[this 997891rarr 119904(1199002) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) andtherefore 119900
1= 1199002sdot 119891(119890) does not abort at (119904 ℎ) Now
we suppose that 1199001= 1199002sdot 119891(119890) (119904 ℎ) rarr (119904
1015840
ℎ1015840
) By(=119904
119900sdot119891) (1199041015840 ℎ1015840) = (119904
10158401015840
[1199001997891rarr ⟦119890
119891⟧(11990410158401015840
ℎ10158401015840
)] ℎ10158401015840
) Alsoby induction hypothesis (11990410158401015840 ℎ10158401015840) ⊨ 119876[119890
1198911199001] implying
(1199041015840
ℎ1015840
) ⊨ 119876 This completes the proof for this case(iii) The case of the rule (lowast=119897
119897sdot119900sdot119891) in this case
(a) 119878 = 1199001= 119897119890 119900
2sdot 119891(119890)
(b) SerLay(119871 119897119890 119891) = 1198711015840
= 1198971 119897119898 for all 1 le
119894 le 119898(119871119862(119897119894) = (119891 119901
119894 119878119894 119890119894))
(c) 1198711015840 ⊣ 1198781 (119904[this 997891rarr 119904(119900
2) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr
(1199042 ℎ2)
(d) for all 119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr ⟦119890119894minus1⟧(119904119894 ℎ119894)this
997891rarr 119904119894(1199002) 119901119894997891rarr ⟦119890⟧(119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
(e) 1198711015840 ⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
(f) for all 119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894]
119878119894119876119894[1198901198941199001]
(g) 119875 hArr 1199002997891rarr 119862 and 119877 and fine(119890 119890
1 119890
119898)
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦1199002⟧(119904 ℎ)) = 119874
119862 The condition fine(119890 119890
1 119890
119898)
implies (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is defined
Therefore (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨
119877[1199002this 119890119901
1] By induction hypothesis 119878
1does
not abort at (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ)
6 Applied Computational Intelligence and Soft Computing
119871 ⊣ 1198901997891rarr 119862 and fine (119890
1sdot V) and fine (119890
2) and 119876 [119890
21198901sdot V] 119890
1sdot V = 119890
2119876
(=119897
119890)
119865119862(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119877[1199002this 119890119901
119891] 119878119891119876[1198901198911199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 and fine(119890 119890
119891) 1199001= 1199002sdot 119891(119890) 119876
(=119897
119900sdot119891)
SerLay(119871 119897119890 119891) = 1198711015840 = 1198971 119897
119898
1198711015840
⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
forall119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894] 119878119894119876119894[1198901198941199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 and fine(119890 119890
1 119890
119898) 1199001= 119897119890 119900
2sdot 119891(119890) 119876
119898(=119897
119897sdot119900sdot119891)
super(119864 119891) = 119863 119865119863(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119877[119890119901119891] 119878119891119876[119890119891119900]
119871 ⊣ this 997891rarr 119862 and 119862 ≪ 119864 and 119877 and fine(119890 119890119891) 119900 = super sdot 119891(119890) 119876
(sup119897)
119871 ⊣ emp 119900 = new 119862 119900 997891rarr 119862(new119897)
1198711015840
= 1198971 119897
119898 sube 119871 (forall1 le 119894 le 119898 (119871
119862(119897119894)) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
forall119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894] 119878119894119876119894[1198901198941199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 119900
1= proceed 119900
2sdot 119891(119890) 119876
119898
(pro119897)
119871 ⊣ 119875 1198781119877
119871 ⊣ 119877 1198782119876
119871 ⊣ 119875 1198781 1198782119876
(Seq119897)
119871 ⊣ 119875 119878 119876
119871 ⊣ 1198751015840
119878 1198761015840
119871 ⊣ 119875 or 1198751015840 119878 119876 or 1198761015840(Disj119897)
119871 ⊣ 119875 and 119887 119878119905119876
119871 ⊣ 119875 and not(119887) 119878119891119876
119871 ⊣ 119875 if 119887 then 119878119905else 119878
119891119876
(if119897)
119871 ⊣ fine(119887) and 119875 119878119905fine(119887) and 119875
119871 ⊣ fine(119887) and 119875 while 119887 do 119878119905not(119887) and 119875
(while119897)
119871 ⊣ 119875 119878 119876
1198751015840
997904rArr 119875 119876 997904rArr 1198761015840
119871 ⊣ 1198751015840 119878 1198761015840(seq119897)
1198711⊣ 119875 119878 119876
1198712⊣ 1198751015840
119878 1198761015840
1198711cup 1198712⊣ 119875 and 1198751015840 119878 119876 and 1198761015840
(Conj119897)
1198711⊣ 119875 119878 119876
1198712⊣ 119877 119878 119877
1198711cap 1198712= 0
1198711cup 1198712⊣ 119875 lowast 119877 119878 119876 lowast 119877
(share119897)
119871 ⊣ 119875 119878 119876
119891V(119877) cap mod(119878 119871) = 0119871 ⊣ 119875 lowast 119877 119878 119876 lowast 119877
(frame119897)
119897 ⊣ 119875 119878 119876
119871 119897 ⊣ 1198691 119878 119869
2
119871 ⊣ 119875 and 1198691 119878 119876 or 119869
2(glob119897)
119871 ⊣ 119875 119878 119876
119909 notin 119891V(119878)119871 ⊣ exist119909 119875 119878 exist119909 119876
(Ex119897)
Algorithm 5 The inference rules of the proposed logical system
Now we suppose that 1198781 (119904 ℎ) rarr (119904
2 ℎ2) By induc-
tion hypothesis (1199042 ℎ2) ⊨ 119876[119890
11199001] implying (119904
2[1199001997891rarr
⟦1198901⟧(1199042 ℎ2) this 997891rarr 119904
2(1199002) 1199012997891rarr ⟦119890⟧(119904
2 ℎ2)] ℎ2) ⊨
1198761[1199002this 119890119901
2] Therefore by induction hypothesis
1198782does not abort at (119904
2[1199001997891rarr ⟦119890
1⟧(1199042 ℎ2) this 997891rarr
1199042(1199002) 1199012997891rarr ⟦119890⟧(119904
2 ℎ2)] ℎ2) Now we suppose that
1198782 (1199042[1199001997891rarr ⟦119890
1⟧(1199042 ℎ2) this 997891rarr 119904
2(1199002) 1199012997891rarr
⟦119890⟧(1199042 ℎ2)] ℎ2) rarr (119904
3 ℎ3) By induction hypoth-
esis (1199043 ℎ3) ⊨ 119876[119890
21199001] implying (119904
3[1199001
997891rarr
⟦1198902⟧(1199043 ℎ3) this 997891rarr 119904
3(1199002) 1199013997891rarr ⟦119890⟧(119904
3 ℎ3)] ℎ3) ⊨
1198762[1199002this 119890119901
3] Therefore by induction hypothesis
1198783does not abort at (119904
3[1199001997891rarr ⟦119890
2⟧(1199043 ℎ3) this 997891rarr
1199043(1199002) 1199013997891rarr ⟦119890⟧(119904
3 ℎ3)] ℎ3) Hence a simple induc-
tion on119898 completes the proof for this case
(iv) The case of the rule (sup119897) in this case
(a) 119878 = 119900 = super sdot 119891(119890)(b) super(119864 119891) = 119863(c) 119865119863(119891) = (119901
119891 119878119891 119890119891)
(d) 119871 ⊣ 119878119891 (119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)(e) 119871 ⊣ 119877[119890119901
119891] 119878119891119876[119890119891119900]
(f) 119875 hArr this 997891rarr 119862 and 119862 ≪ 119864 and 119877 and fine(119890 119890119891)
Applied Computational Intelligence and Soft Computing 7
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦this⟧(119904 ℎ)) = 119874
119862The condition fine(119890 119890
119891) implies
(119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is defined Therefore (119904[this 997891rarr
119904(1199002) 119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨ 119877[119890119901
119891] By induction
hypothesis 119878119891does not abort at (119904[119901
119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ)
and therefore 119900 = super sdot 119891(119890) does not abort at (119904 ℎ)Nowwe suppose that 119900
1= 1199002sdot119891(119890) (119904 ℎ) rarr (119904
1015840
ℎ1015840
)By (=119904
119900sdot119891) (1199041015840 ℎ1015840) = (119904
10158401015840
[119900 997891rarr ⟦119890119891⟧(11990410158401015840
ℎ10158401015840
)] ℎ10158401015840
) Alsoby induction hypothesis (11990410158401015840 ℎ10158401015840) ⊨ 119876[119890
119891119900] implying
(1199041015840
ℎ1015840
) ⊨ 119876 This completes the proof for this case
(v) The case of the rule (pro119897) it is similar to the case of(lowast=119897
119897sdot119900sdot119891)
4 Discussion
Related Work The most related logic to our work is that ofobject-oriented programs Specifically for Java a huge liter-ature on specification proof techniques for object-orientedlanguages exists For example for annotated Java programsin JML (Java modeling language) [8] presents calculus forweakest precondition An introduction to applications andtools of JML is presented in [9] Via annotating Java sourcefiles JML enables determining Java interfaces and classesConsidering abnormal termination resulting from failures ofJava programs [10] presents an extension to Hoare logic Fortheses failures transformational techniques do not work
Notably dynamically growing reference-structures areinvolved in object-oriented programs This results in thealiasing problem in OOP languages Much logic treatingaliasing does exist One of these techniques is presentedin [11] and reasons about linked lists which are treatedusing separation logic [6] Via including global stores inthe assertion language [12] presents Hoare logic for OOPlanguages However the use of this model for global storingis proved to be a potential cause of incompleteness Classesencapsulation in an OOP language equipped with subtypingand pointers is guaranteed by aliasing restrictions in [13]
The work in [14] is an example of logic achieving mod-ular verification for OOP and focusing on correspondingmethodology and object invariants Modular verificationof complex object structures was treated in [15] using aninvariant class Sound proof systems producing restrictedformal justifications for OOP languages were introducedin [16 17] Producing a complete logical system for OOPlanguages is a very complex problem due to complex featuresof OOP languages
Interestingly none of the techniques mentioned abovetreat context-oriented programs This adds to the value ofthe work presented in the current paper apparently there isno research to generalize separation logic to cover context-oriented programs
Operational semantics and type systems are presentedin [18 19] for checking and modeling context-orientedprograms The language model of [19] is structural and verysimilar to the model of the current paper The languagemodel of [18] is functional Type systems introduced in bothof these papers prevent execution of faculty functions by
proceed The operational semantics of the current paper ismuch simpler and powerful than semantics of [18 19]
Utilizing concepts of delegation based calculus [20]presents operational semantics for a COP language namely119888119895 For COP concepts as introduced in ContextJlowast and Con-textL [21] introduces syntax-based semantics Compared tothe work mentioned above a logical system that stops COPprogram from getting stuck is presented in the current paperTo model context-dependent behavior of COP programs theproposed logical system is based on general calculi
Future Work Extending the language model of the currentpaper to allow executing candidate functions of proceed onpriority bases is a direction for a future work Extending thelanguage to include layer inheritance and layer dependency isanother direction for future work Doing so allows one layerto assume the existence of another layer and allows expressingthe assumption that two layers are not active at the same time
Conflict of Interests
The author declares that there is no conflict of interestsregarding the publication of this paper
References
[1] G Kiczales J Lamping A Mendhekar et al ldquoAspect-orientedprogrammingrdquo in Proceedings of the European Conferenceon Object-Oriented Programming (ECOOP rsquo97) pp 220ndash242Jyvaskyla Finland June 1997
[2] RHirschfeld P Costanza andONierstrasz ldquoContext-orientedprogrammingrdquoThe Journal ofObject Technology vol 7 no 3 pp125ndash151 2008
[3] W Golubski and W-M Lippe ldquoA complete semantics forSMALLTALK-80rdquo Computer Languages vol 21 no 2 pp 67ndash79 1995
[4] M Campione K Walrath and A Huml The Java Tutorial AShort Course on the Basics Addison-Wesley Longman Publish-ing Boston Mass USA 3rd edition 2000
[5] D Flanagan JavaScriptmdashPocket Reference Activate Your WebPages OrsquoReilly 3rd edition 2012
[6] J C Reynolds ldquoSeparation logic a logic for sharedmutable datastructuresrdquo in Proceedings of the 17th Annual IEEE Symposiumon Logic in Computer Science (LICS rsquo02) pp 55ndash74 July 2002
[7] S S Samin and P W OrsquoHearn ldquoBI as an assertion languagefor mutable data structuresrdquo in Principles of ProgrammingLanguages C Hankin and D Schmidt Eds pp 14ndash26 ACM2001
[8] B Jacobs ldquoWeakest pre-condition reasoning for Java programswith JML annotationsrdquo Journal of Logic and Algebraic Program-ming vol 58 no 1-2 pp 61ndash88 2004
[9] L Burdy Y Cheon D R Cok et al ldquoAn overview of JML toolsand applicationsrdquo International Journal on Software Tools forTechnology Transfer vol 7 no 3 pp 212ndash232 2005
[10] M Huisman and B Jacobs ldquoJava program verification viaa hoare logic with abrupt terminationrdquo in FundamentalApproaches to Software Engineering T S E Maibaum Edvol 1783 of Lecture Notes in Computer Science pp 284ndash303Springer Berlin Germany 2000
8 Applied Computational Intelligence and Soft Computing
[11] J M Morris ldquoA general axiom of assignmentrdquo in TheoreticalFoundations of Programming Methodology pp 25ndash34 SpringerBerlin Germany 1982
[12] N Dershowitz Ed Verification Theory and Practice EssaysDedicated to ZoharManna on the Occasion of His 64th Birthdayvol 2772 of Lecture Notes in Computer Science Springer BerlinGermany 2003
[13] A Banerjee and D A Naumann ldquoOwnership confinementensures representation independence for object-oriented pro-gramsrdquo Journal of the ACM vol 52 no 6 pp 894ndash960 2005
[14] M Barnett B-Y E Chang R DeLine B Jacobs and K R MLeino ldquoBoogie a modular reusable verifier for object-orientedprogramsrdquo in Formal Methods for Components and Objects FS de Boer M M Bonsangue S Graf and W-P de RoeverEds vol 4111 of Lecture Notes in Computer Science pp 364ndash387Springer Berlin Germany 2006
[15] P Muller A Poetzsch-Heffter and G T Leavens ldquoModularinvariants for layered object structuresrdquo Science of ComputerProgramming vol 62 no 3 pp 253ndash286 2006
[16] D von Oheimb ldquoHoare logic for Java in Isabelleholrdquo Concur-rency Computation Practice and Experience vol 13 no 13 pp1173ndash1214 2001
[17] G Klein and T Nipkow ldquoA machine-checked model for a Java-like language virtual machine and compilerrdquo ACM Transac-tions on Programming Languages and Systems vol 28 no 4 pp619ndash695 2006
[18] R Hirschfeld A Igarashi and H Masuhara ldquoContextfj aminimal core calculus for context-oriented programmingrdquo inProceedings of the 10th International Workshop on Foundationsof Aspect-Oriented Languages (FOAL rsquo11) pp 19ndash23 ACMMarch 2011
[19] M A El-Zawawy and E A Aleisa ldquoA new model for context-oriented programsrdquo Life Science Journal vol 10 no 2 pp 2515ndash2523 2013
[20] H Schippers D Janssens M Haupt and R HirschfeldldquoDelegation-based semantics for modularizing crosscuttingconcernsrdquo inProceedings of the 23rdACMConference onObject-Oriented Programming Systems Languages and Applications(OOPSLA rsquo08) pp 525ndash542 Nashville Tenn USA October2008
[21] D Clarke and I Sergey ldquoA semantics for context-orientedprogramming with layersrdquo in Proceedings of the InternationalWorkshop on Context-Oriented Programming (COP rsquo09) ACMGenova Italy July 2009
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing 5
119890 isin AExpr = 119899 | 119900 | 119890 sdot V | 11989011198941199001199011198902| (119862)119890 | this
119887 isin BExpr = true | false | 11989011198881199001199011198902| 11988711198871199001199011198872
119875119876 119877 1198691 1198692isin Asset = 119887 | 119875 and 119876 | 119875 or 119876 | 119875 rArr 119876 | not119875 | forall119909 119875 |
exist 119909 119875 | fine(119890) | emp | 119890 997891rarr 119862 | 119875 lowast 119876 |
119875 minuslowast 119876 | ⊛119894isin119868119875119894
Algorithm 4 The assertion language
soundness concept of specifications produced by the logicalsystem Axioms and inference rules of the logical system areintroduced in Algorithm 5
We fix the abortion notion for Definition 3 A statement 119878is aborting at (119904 ℎ) (denoted by 119878 (119904 ℎ 119871) rarr abort) if (a) astate (1199041015840 ℎ1015840) such that 119878 (119904 ℎ) rarr (119904
1015840
ℎ1015840
) is not available and(b) 119878 is not stuck in an infinite loop
Definition 3 A specification 119871 ⊣ 119875119878119876 is sound if for each(119904 ℎ) such that (119904 ℎ) ⊨ 119875 the following is satisfied
(1) not(119871 ⊨ 119878 (119904 ℎ) rarr abort)
(2) if 119871 ⊨ 119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) then (1199041015840 ℎ1015840) ⊨ 119876
Some of the rules in Algorithm 5 are certainly notewor-thy In many rules like (=119897
119890) and (=
119897
119900sdot119891) the expressions of
relevant statements contribute to the preconditions of therules This has the advantage of ensuring that the meantmemory addresses are indeed allocated and hence evalua-tions of expressions do not abort The preconditions of (=119897
119890)
and (=119897
119900sdot119891) also ensure that appropriate variables reference
objects in heap The side-conditions of (=119897119900sdot119891) and (=
119897
119897sdot119900sdot119891)
consider that executing these statements involves executingcertain function bodies We let mod(119878 119871) denote the set oflocations modified by 119878 provided that layers of 119871 are activeThe symbol 119891V(119877) denotes the set of free variables of 119877 Therule (share119897) enables the composition of specifications havingdisjoint sets of activated layers if the preconditions of thespecifications describe disjoint regions of the heap The rule(frame119897) enables avoiding a frame of the heap119877 that does notaffect the statement This rule also ensures that 119877 is satisfiedby the postcondition
Soundness The soundness of the logical system is guaranteedby the following theorem
Theorem 4 Specifications 119871 ⊣ 119875119878119876 that resulted using thelogical system of Algorithm 5 are sound (Definition 3)
Proof Structure induction on axioms and inference rules ofAlgorithm 5 achieves the proof In the following basic casesare outlined
(i) The case of the rule (=119897119890) in this case
(a) 119878 = 1198901sdot V = 119890
2
(b) 119875 hArr 1198901997891rarr 119862 and fine(119890
1sdotV) and fine(119890
2) and 119876[119890
21198901sdot
V]
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 Hence119874119862= ℎ(⟦119890
1⟧(119904 ℎ)) and ⟦119890
2⟧(119904 ℎ) = abort Therefore
1198741015840
119862= 119874119862[V 997891rarr ⟦119890
2⟧(119904 ℎ)] is defined and so does
(119904 ℎ[⟦1198901⟧(119904 ℎ) 997891rarr 119874
1015840
119862]) Hence not(119871 ⊨ 119878 (119904 ℎ) rarr
abort) Now we suppose 119871 ⊨ 119878 (119904 ℎ) rarr (1199041015840
ℎ1015840
) Inthis case (1199041015840 ℎ1015840) = (119904 ℎ[⟦119890
1⟧(119904 ℎ) 997891rarr 119874
1015840
119862]) Therefore
(1199041015840
ℎ1015840
) ⊨ 119876 because (119904 ℎ) ⊨ 119876[11989021198901sdot V] This
completes the proof for this case(ii) The case of the rule (lowast=119897
119900sdot119891) in this case
(a) 119878 = 1199001= 1199002sdot 119891(119890)
(b) 119865119862(119891) = (119901
119891 119878119891 119890119891)
(c) 119871 ⊣ 119877[1199002this 119890119901
119891] 119878119891119876[1198901198911199001]
(d) 119871 ⊣ 119878119891 (119904[this 997891rarr 119904(119900
2) 119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr
(11990410158401015840
ℎ10158401015840
)(e) 119875 hArr 119900
2997891rarr 119862 and 119877 and fine(119890 119890
119891)
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦1199002⟧(119904 ℎ)) = 119874
119862 The condition fine(119890 119890
119891) implies
(119904[this 997891rarr 119904(1199002) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is definedTherefore (119904[this 997891rarr 119904(119900
2) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨
119877[1199002this 119890119901
119891] By induction hypothesis 119878
119891does not
abort at (119904[this 997891rarr 119904(1199002) 119901119891
997891rarr ⟦119890⟧(119904 ℎ)] ℎ) andtherefore 119900
1= 1199002sdot 119891(119890) does not abort at (119904 ℎ) Now
we suppose that 1199001= 1199002sdot 119891(119890) (119904 ℎ) rarr (119904
1015840
ℎ1015840
) By(=119904
119900sdot119891) (1199041015840 ℎ1015840) = (119904
10158401015840
[1199001997891rarr ⟦119890
119891⟧(11990410158401015840
ℎ10158401015840
)] ℎ10158401015840
) Alsoby induction hypothesis (11990410158401015840 ℎ10158401015840) ⊨ 119876[119890
1198911199001] implying
(1199041015840
ℎ1015840
) ⊨ 119876 This completes the proof for this case(iii) The case of the rule (lowast=119897
119897sdot119900sdot119891) in this case
(a) 119878 = 1199001= 119897119890 119900
2sdot 119891(119890)
(b) SerLay(119871 119897119890 119891) = 1198711015840
= 1198971 119897119898 for all 1 le
119894 le 119898(119871119862(119897119894) = (119891 119901
119894 119878119894 119890119894))
(c) 1198711015840 ⊣ 1198781 (119904[this 997891rarr 119904(119900
2) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr
(1199042 ℎ2)
(d) for all 119894 gt 1 1198711015840
⊣ 119878119894 (119904119894[1199001997891rarr ⟦119890119894minus1⟧(119904119894 ℎ119894)this
997891rarr 119904119894(1199002) 119901119894997891rarr ⟦119890⟧(119904
119894 ℎ119894)] ℎ119894) rarr (119904
119894+1 ℎ119894+1)
(e) 1198711015840 ⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
(f) for all 119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894]
119878119894119876119894[1198901198941199001]
(g) 119875 hArr 1199002997891rarr 119862 and 119877 and fine(119890 119890
1 119890
119898)
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦1199002⟧(119904 ℎ)) = 119874
119862 The condition fine(119890 119890
1 119890
119898)
implies (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is defined
Therefore (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨
119877[1199002this 119890119901
1] By induction hypothesis 119878
1does
not abort at (119904[this 997891rarr 119904(1199002) 1199011997891rarr ⟦119890⟧(119904 ℎ)] ℎ)
6 Applied Computational Intelligence and Soft Computing
119871 ⊣ 1198901997891rarr 119862 and fine (119890
1sdot V) and fine (119890
2) and 119876 [119890
21198901sdot V] 119890
1sdot V = 119890
2119876
(=119897
119890)
119865119862(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119877[1199002this 119890119901
119891] 119878119891119876[1198901198911199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 and fine(119890 119890
119891) 1199001= 1199002sdot 119891(119890) 119876
(=119897
119900sdot119891)
SerLay(119871 119897119890 119891) = 1198711015840 = 1198971 119897
119898
1198711015840
⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
forall119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894] 119878119894119876119894[1198901198941199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 and fine(119890 119890
1 119890
119898) 1199001= 119897119890 119900
2sdot 119891(119890) 119876
119898(=119897
119897sdot119900sdot119891)
super(119864 119891) = 119863 119865119863(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119877[119890119901119891] 119878119891119876[119890119891119900]
119871 ⊣ this 997891rarr 119862 and 119862 ≪ 119864 and 119877 and fine(119890 119890119891) 119900 = super sdot 119891(119890) 119876
(sup119897)
119871 ⊣ emp 119900 = new 119862 119900 997891rarr 119862(new119897)
1198711015840
= 1198971 119897
119898 sube 119871 (forall1 le 119894 le 119898 (119871
119862(119897119894)) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
forall119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894] 119878119894119876119894[1198901198941199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 119900
1= proceed 119900
2sdot 119891(119890) 119876
119898
(pro119897)
119871 ⊣ 119875 1198781119877
119871 ⊣ 119877 1198782119876
119871 ⊣ 119875 1198781 1198782119876
(Seq119897)
119871 ⊣ 119875 119878 119876
119871 ⊣ 1198751015840
119878 1198761015840
119871 ⊣ 119875 or 1198751015840 119878 119876 or 1198761015840(Disj119897)
119871 ⊣ 119875 and 119887 119878119905119876
119871 ⊣ 119875 and not(119887) 119878119891119876
119871 ⊣ 119875 if 119887 then 119878119905else 119878
119891119876
(if119897)
119871 ⊣ fine(119887) and 119875 119878119905fine(119887) and 119875
119871 ⊣ fine(119887) and 119875 while 119887 do 119878119905not(119887) and 119875
(while119897)
119871 ⊣ 119875 119878 119876
1198751015840
997904rArr 119875 119876 997904rArr 1198761015840
119871 ⊣ 1198751015840 119878 1198761015840(seq119897)
1198711⊣ 119875 119878 119876
1198712⊣ 1198751015840
119878 1198761015840
1198711cup 1198712⊣ 119875 and 1198751015840 119878 119876 and 1198761015840
(Conj119897)
1198711⊣ 119875 119878 119876
1198712⊣ 119877 119878 119877
1198711cap 1198712= 0
1198711cup 1198712⊣ 119875 lowast 119877 119878 119876 lowast 119877
(share119897)
119871 ⊣ 119875 119878 119876
119891V(119877) cap mod(119878 119871) = 0119871 ⊣ 119875 lowast 119877 119878 119876 lowast 119877
(frame119897)
119897 ⊣ 119875 119878 119876
119871 119897 ⊣ 1198691 119878 119869
2
119871 ⊣ 119875 and 1198691 119878 119876 or 119869
2(glob119897)
119871 ⊣ 119875 119878 119876
119909 notin 119891V(119878)119871 ⊣ exist119909 119875 119878 exist119909 119876
(Ex119897)
Algorithm 5 The inference rules of the proposed logical system
Now we suppose that 1198781 (119904 ℎ) rarr (119904
2 ℎ2) By induc-
tion hypothesis (1199042 ℎ2) ⊨ 119876[119890
11199001] implying (119904
2[1199001997891rarr
⟦1198901⟧(1199042 ℎ2) this 997891rarr 119904
2(1199002) 1199012997891rarr ⟦119890⟧(119904
2 ℎ2)] ℎ2) ⊨
1198761[1199002this 119890119901
2] Therefore by induction hypothesis
1198782does not abort at (119904
2[1199001997891rarr ⟦119890
1⟧(1199042 ℎ2) this 997891rarr
1199042(1199002) 1199012997891rarr ⟦119890⟧(119904
2 ℎ2)] ℎ2) Now we suppose that
1198782 (1199042[1199001997891rarr ⟦119890
1⟧(1199042 ℎ2) this 997891rarr 119904
2(1199002) 1199012997891rarr
⟦119890⟧(1199042 ℎ2)] ℎ2) rarr (119904
3 ℎ3) By induction hypoth-
esis (1199043 ℎ3) ⊨ 119876[119890
21199001] implying (119904
3[1199001
997891rarr
⟦1198902⟧(1199043 ℎ3) this 997891rarr 119904
3(1199002) 1199013997891rarr ⟦119890⟧(119904
3 ℎ3)] ℎ3) ⊨
1198762[1199002this 119890119901
3] Therefore by induction hypothesis
1198783does not abort at (119904
3[1199001997891rarr ⟦119890
2⟧(1199043 ℎ3) this 997891rarr
1199043(1199002) 1199013997891rarr ⟦119890⟧(119904
3 ℎ3)] ℎ3) Hence a simple induc-
tion on119898 completes the proof for this case
(iv) The case of the rule (sup119897) in this case
(a) 119878 = 119900 = super sdot 119891(119890)(b) super(119864 119891) = 119863(c) 119865119863(119891) = (119901
119891 119878119891 119890119891)
(d) 119871 ⊣ 119878119891 (119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)(e) 119871 ⊣ 119877[119890119901
119891] 119878119891119876[119890119891119900]
(f) 119875 hArr this 997891rarr 119862 and 119862 ≪ 119864 and 119877 and fine(119890 119890119891)
Applied Computational Intelligence and Soft Computing 7
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦this⟧(119904 ℎ)) = 119874
119862The condition fine(119890 119890
119891) implies
(119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is defined Therefore (119904[this 997891rarr
119904(1199002) 119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨ 119877[119890119901
119891] By induction
hypothesis 119878119891does not abort at (119904[119901
119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ)
and therefore 119900 = super sdot 119891(119890) does not abort at (119904 ℎ)Nowwe suppose that 119900
1= 1199002sdot119891(119890) (119904 ℎ) rarr (119904
1015840
ℎ1015840
)By (=119904
119900sdot119891) (1199041015840 ℎ1015840) = (119904
10158401015840
[119900 997891rarr ⟦119890119891⟧(11990410158401015840
ℎ10158401015840
)] ℎ10158401015840
) Alsoby induction hypothesis (11990410158401015840 ℎ10158401015840) ⊨ 119876[119890
119891119900] implying
(1199041015840
ℎ1015840
) ⊨ 119876 This completes the proof for this case
(v) The case of the rule (pro119897) it is similar to the case of(lowast=119897
119897sdot119900sdot119891)
4 Discussion
Related Work The most related logic to our work is that ofobject-oriented programs Specifically for Java a huge liter-ature on specification proof techniques for object-orientedlanguages exists For example for annotated Java programsin JML (Java modeling language) [8] presents calculus forweakest precondition An introduction to applications andtools of JML is presented in [9] Via annotating Java sourcefiles JML enables determining Java interfaces and classesConsidering abnormal termination resulting from failures ofJava programs [10] presents an extension to Hoare logic Fortheses failures transformational techniques do not work
Notably dynamically growing reference-structures areinvolved in object-oriented programs This results in thealiasing problem in OOP languages Much logic treatingaliasing does exist One of these techniques is presentedin [11] and reasons about linked lists which are treatedusing separation logic [6] Via including global stores inthe assertion language [12] presents Hoare logic for OOPlanguages However the use of this model for global storingis proved to be a potential cause of incompleteness Classesencapsulation in an OOP language equipped with subtypingand pointers is guaranteed by aliasing restrictions in [13]
The work in [14] is an example of logic achieving mod-ular verification for OOP and focusing on correspondingmethodology and object invariants Modular verificationof complex object structures was treated in [15] using aninvariant class Sound proof systems producing restrictedformal justifications for OOP languages were introducedin [16 17] Producing a complete logical system for OOPlanguages is a very complex problem due to complex featuresof OOP languages
Interestingly none of the techniques mentioned abovetreat context-oriented programs This adds to the value ofthe work presented in the current paper apparently there isno research to generalize separation logic to cover context-oriented programs
Operational semantics and type systems are presentedin [18 19] for checking and modeling context-orientedprograms The language model of [19] is structural and verysimilar to the model of the current paper The languagemodel of [18] is functional Type systems introduced in bothof these papers prevent execution of faculty functions by
proceed The operational semantics of the current paper ismuch simpler and powerful than semantics of [18 19]
Utilizing concepts of delegation based calculus [20]presents operational semantics for a COP language namely119888119895 For COP concepts as introduced in ContextJlowast and Con-textL [21] introduces syntax-based semantics Compared tothe work mentioned above a logical system that stops COPprogram from getting stuck is presented in the current paperTo model context-dependent behavior of COP programs theproposed logical system is based on general calculi
Future Work Extending the language model of the currentpaper to allow executing candidate functions of proceed onpriority bases is a direction for a future work Extending thelanguage to include layer inheritance and layer dependency isanother direction for future work Doing so allows one layerto assume the existence of another layer and allows expressingthe assumption that two layers are not active at the same time
Conflict of Interests
The author declares that there is no conflict of interestsregarding the publication of this paper
References
[1] G Kiczales J Lamping A Mendhekar et al ldquoAspect-orientedprogrammingrdquo in Proceedings of the European Conferenceon Object-Oriented Programming (ECOOP rsquo97) pp 220ndash242Jyvaskyla Finland June 1997
[2] RHirschfeld P Costanza andONierstrasz ldquoContext-orientedprogrammingrdquoThe Journal ofObject Technology vol 7 no 3 pp125ndash151 2008
[3] W Golubski and W-M Lippe ldquoA complete semantics forSMALLTALK-80rdquo Computer Languages vol 21 no 2 pp 67ndash79 1995
[4] M Campione K Walrath and A Huml The Java Tutorial AShort Course on the Basics Addison-Wesley Longman Publish-ing Boston Mass USA 3rd edition 2000
[5] D Flanagan JavaScriptmdashPocket Reference Activate Your WebPages OrsquoReilly 3rd edition 2012
[6] J C Reynolds ldquoSeparation logic a logic for sharedmutable datastructuresrdquo in Proceedings of the 17th Annual IEEE Symposiumon Logic in Computer Science (LICS rsquo02) pp 55ndash74 July 2002
[7] S S Samin and P W OrsquoHearn ldquoBI as an assertion languagefor mutable data structuresrdquo in Principles of ProgrammingLanguages C Hankin and D Schmidt Eds pp 14ndash26 ACM2001
[8] B Jacobs ldquoWeakest pre-condition reasoning for Java programswith JML annotationsrdquo Journal of Logic and Algebraic Program-ming vol 58 no 1-2 pp 61ndash88 2004
[9] L Burdy Y Cheon D R Cok et al ldquoAn overview of JML toolsand applicationsrdquo International Journal on Software Tools forTechnology Transfer vol 7 no 3 pp 212ndash232 2005
[10] M Huisman and B Jacobs ldquoJava program verification viaa hoare logic with abrupt terminationrdquo in FundamentalApproaches to Software Engineering T S E Maibaum Edvol 1783 of Lecture Notes in Computer Science pp 284ndash303Springer Berlin Germany 2000
8 Applied Computational Intelligence and Soft Computing
[11] J M Morris ldquoA general axiom of assignmentrdquo in TheoreticalFoundations of Programming Methodology pp 25ndash34 SpringerBerlin Germany 1982
[12] N Dershowitz Ed Verification Theory and Practice EssaysDedicated to ZoharManna on the Occasion of His 64th Birthdayvol 2772 of Lecture Notes in Computer Science Springer BerlinGermany 2003
[13] A Banerjee and D A Naumann ldquoOwnership confinementensures representation independence for object-oriented pro-gramsrdquo Journal of the ACM vol 52 no 6 pp 894ndash960 2005
[14] M Barnett B-Y E Chang R DeLine B Jacobs and K R MLeino ldquoBoogie a modular reusable verifier for object-orientedprogramsrdquo in Formal Methods for Components and Objects FS de Boer M M Bonsangue S Graf and W-P de RoeverEds vol 4111 of Lecture Notes in Computer Science pp 364ndash387Springer Berlin Germany 2006
[15] P Muller A Poetzsch-Heffter and G T Leavens ldquoModularinvariants for layered object structuresrdquo Science of ComputerProgramming vol 62 no 3 pp 253ndash286 2006
[16] D von Oheimb ldquoHoare logic for Java in Isabelleholrdquo Concur-rency Computation Practice and Experience vol 13 no 13 pp1173ndash1214 2001
[17] G Klein and T Nipkow ldquoA machine-checked model for a Java-like language virtual machine and compilerrdquo ACM Transac-tions on Programming Languages and Systems vol 28 no 4 pp619ndash695 2006
[18] R Hirschfeld A Igarashi and H Masuhara ldquoContextfj aminimal core calculus for context-oriented programmingrdquo inProceedings of the 10th International Workshop on Foundationsof Aspect-Oriented Languages (FOAL rsquo11) pp 19ndash23 ACMMarch 2011
[19] M A El-Zawawy and E A Aleisa ldquoA new model for context-oriented programsrdquo Life Science Journal vol 10 no 2 pp 2515ndash2523 2013
[20] H Schippers D Janssens M Haupt and R HirschfeldldquoDelegation-based semantics for modularizing crosscuttingconcernsrdquo inProceedings of the 23rdACMConference onObject-Oriented Programming Systems Languages and Applications(OOPSLA rsquo08) pp 525ndash542 Nashville Tenn USA October2008
[21] D Clarke and I Sergey ldquoA semantics for context-orientedprogramming with layersrdquo in Proceedings of the InternationalWorkshop on Context-Oriented Programming (COP rsquo09) ACMGenova Italy July 2009
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
6 Applied Computational Intelligence and Soft Computing
119871 ⊣ 1198901997891rarr 119862 and fine (119890
1sdot V) and fine (119890
2) and 119876 [119890
21198901sdot V] 119890
1sdot V = 119890
2119876
(=119897
119890)
119865119862(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119877[1199002this 119890119901
119891] 119878119891119876[1198901198911199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 and fine(119890 119890
119891) 1199001= 1199002sdot 119891(119890) 119876
(=119897
119900sdot119891)
SerLay(119871 119897119890 119891) = 1198711015840 = 1198971 119897
119898
1198711015840
⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
forall119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894] 119878119894119876119894[1198901198941199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 and fine(119890 119890
1 119890
119898) 1199001= 119897119890 119900
2sdot 119891(119890) 119876
119898(=119897
119897sdot119900sdot119891)
super(119864 119891) = 119863 119865119863(119891) = (119901
119891 119878119891 119890119891)
119871 ⊣ 119877[119890119901119891] 119878119891119876[119890119891119900]
119871 ⊣ this 997891rarr 119862 and 119862 ≪ 119864 and 119877 and fine(119890 119890119891) 119900 = super sdot 119891(119890) 119876
(sup119897)
119871 ⊣ emp 119900 = new 119862 119900 997891rarr 119862(new119897)
1198711015840
= 1198971 119897
119898 sube 119871 (forall1 le 119894 le 119898 (119871
119862(119897119894)) = (119891 119901
119894 119878119894 119890119894))
1198711015840
⊣ 119877[1199002this 119890119901
1] 11987811198761[11989011199001]
forall119894 gt 1 1198711015840
⊣ 119876119894minus1[1199002this 119890119901
119894] 119878119894119876119894[1198901198941199001]
119871 ⊣ 1199002997891rarr 119862 and 119877 119900
1= proceed 119900
2sdot 119891(119890) 119876
119898
(pro119897)
119871 ⊣ 119875 1198781119877
119871 ⊣ 119877 1198782119876
119871 ⊣ 119875 1198781 1198782119876
(Seq119897)
119871 ⊣ 119875 119878 119876
119871 ⊣ 1198751015840
119878 1198761015840
119871 ⊣ 119875 or 1198751015840 119878 119876 or 1198761015840(Disj119897)
119871 ⊣ 119875 and 119887 119878119905119876
119871 ⊣ 119875 and not(119887) 119878119891119876
119871 ⊣ 119875 if 119887 then 119878119905else 119878
119891119876
(if119897)
119871 ⊣ fine(119887) and 119875 119878119905fine(119887) and 119875
119871 ⊣ fine(119887) and 119875 while 119887 do 119878119905not(119887) and 119875
(while119897)
119871 ⊣ 119875 119878 119876
1198751015840
997904rArr 119875 119876 997904rArr 1198761015840
119871 ⊣ 1198751015840 119878 1198761015840(seq119897)
1198711⊣ 119875 119878 119876
1198712⊣ 1198751015840
119878 1198761015840
1198711cup 1198712⊣ 119875 and 1198751015840 119878 119876 and 1198761015840
(Conj119897)
1198711⊣ 119875 119878 119876
1198712⊣ 119877 119878 119877
1198711cap 1198712= 0
1198711cup 1198712⊣ 119875 lowast 119877 119878 119876 lowast 119877
(share119897)
119871 ⊣ 119875 119878 119876
119891V(119877) cap mod(119878 119871) = 0119871 ⊣ 119875 lowast 119877 119878 119876 lowast 119877
(frame119897)
119897 ⊣ 119875 119878 119876
119871 119897 ⊣ 1198691 119878 119869
2
119871 ⊣ 119875 and 1198691 119878 119876 or 119869
2(glob119897)
119871 ⊣ 119875 119878 119876
119909 notin 119891V(119878)119871 ⊣ exist119909 119875 119878 exist119909 119876
(Ex119897)
Algorithm 5 The inference rules of the proposed logical system
Now we suppose that 1198781 (119904 ℎ) rarr (119904
2 ℎ2) By induc-
tion hypothesis (1199042 ℎ2) ⊨ 119876[119890
11199001] implying (119904
2[1199001997891rarr
⟦1198901⟧(1199042 ℎ2) this 997891rarr 119904
2(1199002) 1199012997891rarr ⟦119890⟧(119904
2 ℎ2)] ℎ2) ⊨
1198761[1199002this 119890119901
2] Therefore by induction hypothesis
1198782does not abort at (119904
2[1199001997891rarr ⟦119890
1⟧(1199042 ℎ2) this 997891rarr
1199042(1199002) 1199012997891rarr ⟦119890⟧(119904
2 ℎ2)] ℎ2) Now we suppose that
1198782 (1199042[1199001997891rarr ⟦119890
1⟧(1199042 ℎ2) this 997891rarr 119904
2(1199002) 1199012997891rarr
⟦119890⟧(1199042 ℎ2)] ℎ2) rarr (119904
3 ℎ3) By induction hypoth-
esis (1199043 ℎ3) ⊨ 119876[119890
21199001] implying (119904
3[1199001
997891rarr
⟦1198902⟧(1199043 ℎ3) this 997891rarr 119904
3(1199002) 1199013997891rarr ⟦119890⟧(119904
3 ℎ3)] ℎ3) ⊨
1198762[1199002this 119890119901
3] Therefore by induction hypothesis
1198783does not abort at (119904
3[1199001997891rarr ⟦119890
2⟧(1199043 ℎ3) this 997891rarr
1199043(1199002) 1199013997891rarr ⟦119890⟧(119904
3 ℎ3)] ℎ3) Hence a simple induc-
tion on119898 completes the proof for this case
(iv) The case of the rule (sup119897) in this case
(a) 119878 = 119900 = super sdot 119891(119890)(b) super(119864 119891) = 119863(c) 119865119863(119891) = (119901
119891 119878119891 119890119891)
(d) 119871 ⊣ 119878119891 (119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) rarr (119904
10158401015840
ℎ10158401015840
)(e) 119871 ⊣ 119877[119890119901
119891] 119878119891119876[119890119891119900]
(f) 119875 hArr this 997891rarr 119862 and 119862 ≪ 119864 and 119877 and fine(119890 119890119891)
Applied Computational Intelligence and Soft Computing 7
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦this⟧(119904 ℎ)) = 119874
119862The condition fine(119890 119890
119891) implies
(119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is defined Therefore (119904[this 997891rarr
119904(1199002) 119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨ 119877[119890119901
119891] By induction
hypothesis 119878119891does not abort at (119904[119901
119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ)
and therefore 119900 = super sdot 119891(119890) does not abort at (119904 ℎ)Nowwe suppose that 119900
1= 1199002sdot119891(119890) (119904 ℎ) rarr (119904
1015840
ℎ1015840
)By (=119904
119900sdot119891) (1199041015840 ℎ1015840) = (119904
10158401015840
[119900 997891rarr ⟦119890119891⟧(11990410158401015840
ℎ10158401015840
)] ℎ10158401015840
) Alsoby induction hypothesis (11990410158401015840 ℎ10158401015840) ⊨ 119876[119890
119891119900] implying
(1199041015840
ℎ1015840
) ⊨ 119876 This completes the proof for this case
(v) The case of the rule (pro119897) it is similar to the case of(lowast=119897
119897sdot119900sdot119891)
4 Discussion
Related Work The most related logic to our work is that ofobject-oriented programs Specifically for Java a huge liter-ature on specification proof techniques for object-orientedlanguages exists For example for annotated Java programsin JML (Java modeling language) [8] presents calculus forweakest precondition An introduction to applications andtools of JML is presented in [9] Via annotating Java sourcefiles JML enables determining Java interfaces and classesConsidering abnormal termination resulting from failures ofJava programs [10] presents an extension to Hoare logic Fortheses failures transformational techniques do not work
Notably dynamically growing reference-structures areinvolved in object-oriented programs This results in thealiasing problem in OOP languages Much logic treatingaliasing does exist One of these techniques is presentedin [11] and reasons about linked lists which are treatedusing separation logic [6] Via including global stores inthe assertion language [12] presents Hoare logic for OOPlanguages However the use of this model for global storingis proved to be a potential cause of incompleteness Classesencapsulation in an OOP language equipped with subtypingand pointers is guaranteed by aliasing restrictions in [13]
The work in [14] is an example of logic achieving mod-ular verification for OOP and focusing on correspondingmethodology and object invariants Modular verificationof complex object structures was treated in [15] using aninvariant class Sound proof systems producing restrictedformal justifications for OOP languages were introducedin [16 17] Producing a complete logical system for OOPlanguages is a very complex problem due to complex featuresof OOP languages
Interestingly none of the techniques mentioned abovetreat context-oriented programs This adds to the value ofthe work presented in the current paper apparently there isno research to generalize separation logic to cover context-oriented programs
Operational semantics and type systems are presentedin [18 19] for checking and modeling context-orientedprograms The language model of [19] is structural and verysimilar to the model of the current paper The languagemodel of [18] is functional Type systems introduced in bothof these papers prevent execution of faculty functions by
proceed The operational semantics of the current paper ismuch simpler and powerful than semantics of [18 19]
Utilizing concepts of delegation based calculus [20]presents operational semantics for a COP language namely119888119895 For COP concepts as introduced in ContextJlowast and Con-textL [21] introduces syntax-based semantics Compared tothe work mentioned above a logical system that stops COPprogram from getting stuck is presented in the current paperTo model context-dependent behavior of COP programs theproposed logical system is based on general calculi
Future Work Extending the language model of the currentpaper to allow executing candidate functions of proceed onpriority bases is a direction for a future work Extending thelanguage to include layer inheritance and layer dependency isanother direction for future work Doing so allows one layerto assume the existence of another layer and allows expressingthe assumption that two layers are not active at the same time
Conflict of Interests
The author declares that there is no conflict of interestsregarding the publication of this paper
References
[1] G Kiczales J Lamping A Mendhekar et al ldquoAspect-orientedprogrammingrdquo in Proceedings of the European Conferenceon Object-Oriented Programming (ECOOP rsquo97) pp 220ndash242Jyvaskyla Finland June 1997
[2] RHirschfeld P Costanza andONierstrasz ldquoContext-orientedprogrammingrdquoThe Journal ofObject Technology vol 7 no 3 pp125ndash151 2008
[3] W Golubski and W-M Lippe ldquoA complete semantics forSMALLTALK-80rdquo Computer Languages vol 21 no 2 pp 67ndash79 1995
[4] M Campione K Walrath and A Huml The Java Tutorial AShort Course on the Basics Addison-Wesley Longman Publish-ing Boston Mass USA 3rd edition 2000
[5] D Flanagan JavaScriptmdashPocket Reference Activate Your WebPages OrsquoReilly 3rd edition 2012
[6] J C Reynolds ldquoSeparation logic a logic for sharedmutable datastructuresrdquo in Proceedings of the 17th Annual IEEE Symposiumon Logic in Computer Science (LICS rsquo02) pp 55ndash74 July 2002
[7] S S Samin and P W OrsquoHearn ldquoBI as an assertion languagefor mutable data structuresrdquo in Principles of ProgrammingLanguages C Hankin and D Schmidt Eds pp 14ndash26 ACM2001
[8] B Jacobs ldquoWeakest pre-condition reasoning for Java programswith JML annotationsrdquo Journal of Logic and Algebraic Program-ming vol 58 no 1-2 pp 61ndash88 2004
[9] L Burdy Y Cheon D R Cok et al ldquoAn overview of JML toolsand applicationsrdquo International Journal on Software Tools forTechnology Transfer vol 7 no 3 pp 212ndash232 2005
[10] M Huisman and B Jacobs ldquoJava program verification viaa hoare logic with abrupt terminationrdquo in FundamentalApproaches to Software Engineering T S E Maibaum Edvol 1783 of Lecture Notes in Computer Science pp 284ndash303Springer Berlin Germany 2000
8 Applied Computational Intelligence and Soft Computing
[11] J M Morris ldquoA general axiom of assignmentrdquo in TheoreticalFoundations of Programming Methodology pp 25ndash34 SpringerBerlin Germany 1982
[12] N Dershowitz Ed Verification Theory and Practice EssaysDedicated to ZoharManna on the Occasion of His 64th Birthdayvol 2772 of Lecture Notes in Computer Science Springer BerlinGermany 2003
[13] A Banerjee and D A Naumann ldquoOwnership confinementensures representation independence for object-oriented pro-gramsrdquo Journal of the ACM vol 52 no 6 pp 894ndash960 2005
[14] M Barnett B-Y E Chang R DeLine B Jacobs and K R MLeino ldquoBoogie a modular reusable verifier for object-orientedprogramsrdquo in Formal Methods for Components and Objects FS de Boer M M Bonsangue S Graf and W-P de RoeverEds vol 4111 of Lecture Notes in Computer Science pp 364ndash387Springer Berlin Germany 2006
[15] P Muller A Poetzsch-Heffter and G T Leavens ldquoModularinvariants for layered object structuresrdquo Science of ComputerProgramming vol 62 no 3 pp 253ndash286 2006
[16] D von Oheimb ldquoHoare logic for Java in Isabelleholrdquo Concur-rency Computation Practice and Experience vol 13 no 13 pp1173ndash1214 2001
[17] G Klein and T Nipkow ldquoA machine-checked model for a Java-like language virtual machine and compilerrdquo ACM Transac-tions on Programming Languages and Systems vol 28 no 4 pp619ndash695 2006
[18] R Hirschfeld A Igarashi and H Masuhara ldquoContextfj aminimal core calculus for context-oriented programmingrdquo inProceedings of the 10th International Workshop on Foundationsof Aspect-Oriented Languages (FOAL rsquo11) pp 19ndash23 ACMMarch 2011
[19] M A El-Zawawy and E A Aleisa ldquoA new model for context-oriented programsrdquo Life Science Journal vol 10 no 2 pp 2515ndash2523 2013
[20] H Schippers D Janssens M Haupt and R HirschfeldldquoDelegation-based semantics for modularizing crosscuttingconcernsrdquo inProceedings of the 23rdACMConference onObject-Oriented Programming Systems Languages and Applications(OOPSLA rsquo08) pp 525ndash542 Nashville Tenn USA October2008
[21] D Clarke and I Sergey ldquoA semantics for context-orientedprogramming with layersrdquo in Proceedings of the InternationalWorkshop on Context-Oriented Programming (COP rsquo09) ACMGenova Italy July 2009
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing 7
Suppose that for state (119904 ℎ) (119904 ℎ) ⊨ 119875 This impliesℎ(⟦this⟧(119904 ℎ)) = 119874
119862The condition fine(119890 119890
119891) implies
(119904[119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) is defined Therefore (119904[this 997891rarr
119904(1199002) 119901119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ) ⊨ 119877[119890119901
119891] By induction
hypothesis 119878119891does not abort at (119904[119901
119891997891rarr ⟦119890⟧(119904 ℎ)] ℎ)
and therefore 119900 = super sdot 119891(119890) does not abort at (119904 ℎ)Nowwe suppose that 119900
1= 1199002sdot119891(119890) (119904 ℎ) rarr (119904
1015840
ℎ1015840
)By (=119904
119900sdot119891) (1199041015840 ℎ1015840) = (119904
10158401015840
[119900 997891rarr ⟦119890119891⟧(11990410158401015840
ℎ10158401015840
)] ℎ10158401015840
) Alsoby induction hypothesis (11990410158401015840 ℎ10158401015840) ⊨ 119876[119890
119891119900] implying
(1199041015840
ℎ1015840
) ⊨ 119876 This completes the proof for this case
(v) The case of the rule (pro119897) it is similar to the case of(lowast=119897
119897sdot119900sdot119891)
4 Discussion
Related Work The most related logic to our work is that ofobject-oriented programs Specifically for Java a huge liter-ature on specification proof techniques for object-orientedlanguages exists For example for annotated Java programsin JML (Java modeling language) [8] presents calculus forweakest precondition An introduction to applications andtools of JML is presented in [9] Via annotating Java sourcefiles JML enables determining Java interfaces and classesConsidering abnormal termination resulting from failures ofJava programs [10] presents an extension to Hoare logic Fortheses failures transformational techniques do not work
Notably dynamically growing reference-structures areinvolved in object-oriented programs This results in thealiasing problem in OOP languages Much logic treatingaliasing does exist One of these techniques is presentedin [11] and reasons about linked lists which are treatedusing separation logic [6] Via including global stores inthe assertion language [12] presents Hoare logic for OOPlanguages However the use of this model for global storingis proved to be a potential cause of incompleteness Classesencapsulation in an OOP language equipped with subtypingand pointers is guaranteed by aliasing restrictions in [13]
The work in [14] is an example of logic achieving mod-ular verification for OOP and focusing on correspondingmethodology and object invariants Modular verificationof complex object structures was treated in [15] using aninvariant class Sound proof systems producing restrictedformal justifications for OOP languages were introducedin [16 17] Producing a complete logical system for OOPlanguages is a very complex problem due to complex featuresof OOP languages
Interestingly none of the techniques mentioned abovetreat context-oriented programs This adds to the value ofthe work presented in the current paper apparently there isno research to generalize separation logic to cover context-oriented programs
Operational semantics and type systems are presentedin [18 19] for checking and modeling context-orientedprograms The language model of [19] is structural and verysimilar to the model of the current paper The languagemodel of [18] is functional Type systems introduced in bothof these papers prevent execution of faculty functions by
proceed The operational semantics of the current paper ismuch simpler and powerful than semantics of [18 19]
Utilizing concepts of delegation based calculus [20]presents operational semantics for a COP language namely119888119895 For COP concepts as introduced in ContextJlowast and Con-textL [21] introduces syntax-based semantics Compared tothe work mentioned above a logical system that stops COPprogram from getting stuck is presented in the current paperTo model context-dependent behavior of COP programs theproposed logical system is based on general calculi
Future Work Extending the language model of the currentpaper to allow executing candidate functions of proceed onpriority bases is a direction for a future work Extending thelanguage to include layer inheritance and layer dependency isanother direction for future work Doing so allows one layerto assume the existence of another layer and allows expressingthe assumption that two layers are not active at the same time
Conflict of Interests
The author declares that there is no conflict of interestsregarding the publication of this paper
References
[1] G Kiczales J Lamping A Mendhekar et al ldquoAspect-orientedprogrammingrdquo in Proceedings of the European Conferenceon Object-Oriented Programming (ECOOP rsquo97) pp 220ndash242Jyvaskyla Finland June 1997
[2] RHirschfeld P Costanza andONierstrasz ldquoContext-orientedprogrammingrdquoThe Journal ofObject Technology vol 7 no 3 pp125ndash151 2008
[3] W Golubski and W-M Lippe ldquoA complete semantics forSMALLTALK-80rdquo Computer Languages vol 21 no 2 pp 67ndash79 1995
[4] M Campione K Walrath and A Huml The Java Tutorial AShort Course on the Basics Addison-Wesley Longman Publish-ing Boston Mass USA 3rd edition 2000
[5] D Flanagan JavaScriptmdashPocket Reference Activate Your WebPages OrsquoReilly 3rd edition 2012
[6] J C Reynolds ldquoSeparation logic a logic for sharedmutable datastructuresrdquo in Proceedings of the 17th Annual IEEE Symposiumon Logic in Computer Science (LICS rsquo02) pp 55ndash74 July 2002
[7] S S Samin and P W OrsquoHearn ldquoBI as an assertion languagefor mutable data structuresrdquo in Principles of ProgrammingLanguages C Hankin and D Schmidt Eds pp 14ndash26 ACM2001
[8] B Jacobs ldquoWeakest pre-condition reasoning for Java programswith JML annotationsrdquo Journal of Logic and Algebraic Program-ming vol 58 no 1-2 pp 61ndash88 2004
[9] L Burdy Y Cheon D R Cok et al ldquoAn overview of JML toolsand applicationsrdquo International Journal on Software Tools forTechnology Transfer vol 7 no 3 pp 212ndash232 2005
[10] M Huisman and B Jacobs ldquoJava program verification viaa hoare logic with abrupt terminationrdquo in FundamentalApproaches to Software Engineering T S E Maibaum Edvol 1783 of Lecture Notes in Computer Science pp 284ndash303Springer Berlin Germany 2000
8 Applied Computational Intelligence and Soft Computing
[11] J M Morris ldquoA general axiom of assignmentrdquo in TheoreticalFoundations of Programming Methodology pp 25ndash34 SpringerBerlin Germany 1982
[12] N Dershowitz Ed Verification Theory and Practice EssaysDedicated to ZoharManna on the Occasion of His 64th Birthdayvol 2772 of Lecture Notes in Computer Science Springer BerlinGermany 2003
[13] A Banerjee and D A Naumann ldquoOwnership confinementensures representation independence for object-oriented pro-gramsrdquo Journal of the ACM vol 52 no 6 pp 894ndash960 2005
[14] M Barnett B-Y E Chang R DeLine B Jacobs and K R MLeino ldquoBoogie a modular reusable verifier for object-orientedprogramsrdquo in Formal Methods for Components and Objects FS de Boer M M Bonsangue S Graf and W-P de RoeverEds vol 4111 of Lecture Notes in Computer Science pp 364ndash387Springer Berlin Germany 2006
[15] P Muller A Poetzsch-Heffter and G T Leavens ldquoModularinvariants for layered object structuresrdquo Science of ComputerProgramming vol 62 no 3 pp 253ndash286 2006
[16] D von Oheimb ldquoHoare logic for Java in Isabelleholrdquo Concur-rency Computation Practice and Experience vol 13 no 13 pp1173ndash1214 2001
[17] G Klein and T Nipkow ldquoA machine-checked model for a Java-like language virtual machine and compilerrdquo ACM Transac-tions on Programming Languages and Systems vol 28 no 4 pp619ndash695 2006
[18] R Hirschfeld A Igarashi and H Masuhara ldquoContextfj aminimal core calculus for context-oriented programmingrdquo inProceedings of the 10th International Workshop on Foundationsof Aspect-Oriented Languages (FOAL rsquo11) pp 19ndash23 ACMMarch 2011
[19] M A El-Zawawy and E A Aleisa ldquoA new model for context-oriented programsrdquo Life Science Journal vol 10 no 2 pp 2515ndash2523 2013
[20] H Schippers D Janssens M Haupt and R HirschfeldldquoDelegation-based semantics for modularizing crosscuttingconcernsrdquo inProceedings of the 23rdACMConference onObject-Oriented Programming Systems Languages and Applications(OOPSLA rsquo08) pp 525ndash542 Nashville Tenn USA October2008
[21] D Clarke and I Sergey ldquoA semantics for context-orientedprogramming with layersrdquo in Proceedings of the InternationalWorkshop on Context-Oriented Programming (COP rsquo09) ACMGenova Italy July 2009
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
8 Applied Computational Intelligence and Soft Computing
[11] J M Morris ldquoA general axiom of assignmentrdquo in TheoreticalFoundations of Programming Methodology pp 25ndash34 SpringerBerlin Germany 1982
[12] N Dershowitz Ed Verification Theory and Practice EssaysDedicated to ZoharManna on the Occasion of His 64th Birthdayvol 2772 of Lecture Notes in Computer Science Springer BerlinGermany 2003
[13] A Banerjee and D A Naumann ldquoOwnership confinementensures representation independence for object-oriented pro-gramsrdquo Journal of the ACM vol 52 no 6 pp 894ndash960 2005
[14] M Barnett B-Y E Chang R DeLine B Jacobs and K R MLeino ldquoBoogie a modular reusable verifier for object-orientedprogramsrdquo in Formal Methods for Components and Objects FS de Boer M M Bonsangue S Graf and W-P de RoeverEds vol 4111 of Lecture Notes in Computer Science pp 364ndash387Springer Berlin Germany 2006
[15] P Muller A Poetzsch-Heffter and G T Leavens ldquoModularinvariants for layered object structuresrdquo Science of ComputerProgramming vol 62 no 3 pp 253ndash286 2006
[16] D von Oheimb ldquoHoare logic for Java in Isabelleholrdquo Concur-rency Computation Practice and Experience vol 13 no 13 pp1173ndash1214 2001
[17] G Klein and T Nipkow ldquoA machine-checked model for a Java-like language virtual machine and compilerrdquo ACM Transac-tions on Programming Languages and Systems vol 28 no 4 pp619ndash695 2006
[18] R Hirschfeld A Igarashi and H Masuhara ldquoContextfj aminimal core calculus for context-oriented programmingrdquo inProceedings of the 10th International Workshop on Foundationsof Aspect-Oriented Languages (FOAL rsquo11) pp 19ndash23 ACMMarch 2011
[19] M A El-Zawawy and E A Aleisa ldquoA new model for context-oriented programsrdquo Life Science Journal vol 10 no 2 pp 2515ndash2523 2013
[20] H Schippers D Janssens M Haupt and R HirschfeldldquoDelegation-based semantics for modularizing crosscuttingconcernsrdquo inProceedings of the 23rdACMConference onObject-Oriented Programming Systems Languages and Applications(OOPSLA rsquo08) pp 525ndash542 Nashville Tenn USA October2008
[21] D Clarke and I Sergey ldquoA semantics for context-orientedprogramming with layersrdquo in Proceedings of the InternationalWorkshop on Context-Oriented Programming (COP rsquo09) ACMGenova Italy July 2009
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Submit your manuscripts athttpwwwhindawicom
Computer Games Technology
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Distributed Sensor Networks
International Journal of
Advances in
FuzzySystems
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014
International Journal of
ReconfigurableComputing
Hindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Applied Computational Intelligence and Soft Computing
thinspAdvancesthinspinthinsp
Artificial Intelligence
HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014
Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Journal of
Computer Networks and Communications
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation
httpwwwhindawicom Volume 2014
Advances in
Multimedia
International Journal of
Biomedical Imaging
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
ArtificialNeural Systems
Advances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Computational Intelligence and Neuroscience
Industrial EngineeringJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Human-ComputerInteraction
Advances in
Computer EngineeringAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
![Context-Oriented Programming for Adaptive Software Systems · Context-Oriented Programming (COP) [Costanza05, Hirschfeld08] New programming paradigm for modularizing context-dependent](https://img.dokumen.tips/doc/110x75/5f1bda5bf08963400e101f3f/context-oriented-programming-for-adaptive-software-systems-context-oriented-programming.jpg)
