This paper studies the question of when one abstract data type (ADT) is a behavioral subtype of another, and proposes a model-theoretic notion of ...

Abstract. Using equational logic as a specification language, we investigate the proof theory of behavioral subtyping for object-oriented abstract data types with immutable objects and deterministic methods that can use multiple dispatch. In particular, we investigate a proof technique for correct behavioral subtyping in which each subtype’s specification includes terms that can be used to coerce its objects to objects of each of its supertypes. We show that this technique is sound, using our previous work on the model theory of such abstract data types. We also give an example to show that the technique is not complete, even if the methods do not use multiple dispatch, and even if types specified are term-generated. In preparation for the results on equational subtyping we develop the proof theory of a richer form of equational logic that is suitable for dealing with subtyping and behavioral equivalence. This gives some insight into question of when our proof techniques can be make effectively computable, but in general behavioral consequence is not effectively computable. 1.

A model theory for correct behavioral subtyping for abstract data types (with immutable objects) is developed within the framework of the behavior-realization adjunction. To allow for incomplete specifications, proofs of correct behavioral subtyping are based on comparison to one of several paradigmatic models. For specifications that are not term-generated, these results are the first complete algebraic characterizations of behavioral subtyping.

OSU-CISRC-5/00-TR13 Simulations are a popular way to show data refinement. Simulations that have been proposed are either state level, relating concrete to abstract states in a given state space, or value level, relating individual concrete to abstract values and hence holding for all state spaces. Value-level simulations are less complex and easier to use, but the extent of their completeness has not been well studied. We show that in fact known value-level simulations are in general incomplete but are complete when operations are limited to a single argument.

Abstract. We consider Java-like object types equipped with assertions as in recent proposals and implementations. The first issue that we consider is the formal notion of an object-oriented type extended with logicbased constraints along with the notions of inheritance and substitutability for such extended types. The second issue is a suitable logic for explicitly expressing properties of sequences of object states, particular cases of which appear for mutator methods in Java-related and other object-oriented assertion languages. The third issue is a suitable prover technology and the required techniques for verifying properties of object types extended with logic-based constraints. We present our solution for these problems based on the view of object types as temporal theories along with a model theory and the required verification techniques. The temporal logic-based approach makes it possible to reason about properties of sequences of object states which allows verification of behavioral subtyping requirements that are based on history properties. 1

We compare different kinds of first-order models of objects and message passing, as found in object-oriented programming languages. We show that generic function models can easily simulate record models for static, class-based languages. We explore type systems for such languages, and show that our ...

Simulations are a popular way to show data refinement. Simulations that have been proposed are either state level, relating concrete to abstract states in a given state space, or value level, relating individual concrete to abstract values and hence holding for all state spaces. Value-level simulations are less complex and easier to use, but the extent of their completeness has not been well studied. We show that in fact known value-level simulations are in general incomplete but are complete when operations are limited to a single argument. Key words: Data refinement, program correctness, formal verification, components 0 Introduction Suppose we have a program pgm(A) that uses the operations of a data type A. We wish to substitute a more concrete data type C while guaranteeing that the behavior of pgm(C) will not surprise us. In fact, we would like to know if we can do this for all programs, not just a particular one, in which case we can say that C refines A. What "not surpri...