Proving Consistency of Pure Methods and Model Fields

Pure methods and model fields are useful and common specification constructs that can be interpreted by introducing axioms into a program verifier's underlying proof system. Care has to be taken that these axioms do not introduce an inconsistency into the proof system. This paper describes, and proves sound, an approach that ensures no inconsistencies are introduced. Unlike some previous syntax-based approaches, this approach is based on semantics, which lets it admit some natural but previously problematic specifications. The semantic conditions are discharged by the program verifier using an SMT solver, and the paper describes heuristics that help avoid common problems in finding witnesses with trigger-based SMT solvers. The paper reports on the positive experience of using this approach in Spec# for over a year.
