3.2  Searching for Records

This example deals with the specification of a program that searches in an array of records for a record with a specific key. The example is based on the following program class:

This program introduces an object type Record with a string field key and an integer field value. The type has an constructor to build a record from an given string and integer and a method equals that allows to check whether the record has the denoted key. This function calls the method equals on object type String; while this class is part of the Java standard library, it has to be explicitly defined in a file accessible to the RISC ProgramExplorer. We therefore introduce a dummy class

in the body of equals can therefore not be merged into one.

The core of the program is the method search which takes an array a of records and a key and returns the index of the first record in a that contains that key (or -1, if there is no such record). The core of the method body is represented by the two statements

The first statement builds a record r from the key and the value of record a[i]. The second statement calls the method equals on r to compare its key with key. This apparently clumsy way of using the function equals is necessary because the specification formalism considers object variables (variables of object types) to hold object values rather than object references (which considerably simplifies reasoning because then the modification of an object via one variable cannot affect an object referenced by another variable).

However, since the programming language Java (like most programming languages) lets object variables hold references, the semantics of our programming language would deviate from classical program semantics. Therefore the type checker ensures that two different program variables cannot refer to the same object; consequently it does not make any difference whether an object variable holds an object value or an object reference. Consequently, if equals would modify its record, above solution would not update array a (independent of whether object variables hold object values or object references) while the solution

would update a in a language with reference semantics for objects but not in a language with value semantics. For similar reasons, the even shorter solution

is also (even syntactically) prohibited. See Appendix B for a more thorough description of the constraints of our programming language compared to Java.

The method main of the program creates an array, fills it with values, updates it, and calls the method search in the usual way. It also calls the method System.out.println of the Java Standard API. This method has to be declared with the help of the dummy classes

Type-checking the class Record creates a new theory Record in the same package as the class. Right-clicking this theory from the tab Symbols and selecting Print Declaration displays

which introduces the following entities that mathematically model the program operations that involve program type Record.

• a logical record type Record which contains (among other fields) one field for each object variable in class Record, the specification language considers program variables of object type Record to hold values of the logical type Record (more details later);
• a constant null representing a logical counterpart of the null pointer of type Record;
• a function newObject which returns a non-null object of type Record as created by a call of a constructor of class Record;
• a type Array representing the logical counterpart of the program type Record[];
• a type nullArray representing the logical counterpart of the null pointer of the type Record[];
• a function newArray which returns an Array;
• an axiom newArrayAxiom which describes the result newArray as a non-null array of a certain length whose entries are null.

There are some subtleties about the modeling a program object of type Record as a mathematical Record that should be known for their proper use:

1. If the null field of a valid Record value is not FALSE, the value represents the null pointer of type Record. The Record pointer null is thus not only represented by the single mathematical constant null but by every Record value whose null field is TRUE (the constant null is just an unknown Record value for which the opposite cannot be proved)² . A precondition that asserts that a Record object is not null must therefore state for the corresponding Record value r that r.null = FALSE holds (the condition r /= null alone is too weak).
2. The field new is initialized to an unknown value at the creation of a record; two records created in different constructor calls can thus not be proved equal.

The program is now specified with the help of the following local theory

which introduces a predicate notFound to describe that in an array a of records, all positions less than n hold records whose keys are different from key.

The program method search can now be specified as

The method’s precondition states that search must not be called with the array null as argument and that its result is either -1 (indicating that the given key has not been found in the array) or that its result is the smallest index of the array such that the corresponding record has the denoted key. The specification makes use of local logical variables result and n representing the return value of the method and the length of the method parameter a.

The core loop of the method’s body can be annotated as

to give a suitable invariant and termination term.

The state after type-checking the annotated program is shown  below:

All type checking conditions can be automatically solved; the verification of the other conditions proceeds in a similar way as discussed in Chapter 4.