Verifying Class Invariants in Concurrent Programs

Class invariants are a highly useful feature for the verification of object-oriented programs, because they can be used to capture all valid object states. In a sequential program setting, the validity of class invariants is typically described in terms of a visible state semantics, i.e., invariants only have to hold whenever a method begins or ends execution, and they may be broken inside a method body. However, in a concurrent setting, this restriction is no longer usable, because due to thread interleavings, any program state is potentially a visible state. In this paper we present a new approach for reasoning about class invariants in multithreaded programs. We allow a thread to explicitly break an invariant at specific program locations, while ensuring that no other thread can observe the broken invariant. We develop our technique in a permission-based separation logic environment. However, we deviate from separation logic's standard rules and allow a class invariant to express properties over shared memory locations (the invariant footprint), independently of the permissions on these locations. In this way, a thread may break or reestablish an invariant without holding permissions to all locations in its footprint. To enable modular verification, we adopt the restrictions of Muller's ownership-based type system.

[1]  Frank Piessens,et al.  Safe concurrency for aggregate objects with invariants , 2005, Third IEEE International Conference on Software Engineering and Formal Methods (SEFM'05).

[2]  Peter Müller,et al.  Universes: Lightweight Ownership for JML , 2005, J. Object Technol..

[3]  Matthew J. Parkinson,et al.  Local reasoning for Java , 2005 .

[4]  Peter Müller,et al.  Object Ownership in Program Verification , 2012 .

[5]  Gary T. Leavens,et al.  Modular invariants for layered object structures , 2006, Sci. Comput. Program..

[6]  Benjamin Weiß,et al.  Deductive verification of object-oriented software: dynamic frames, dynamic logic and predicate abstraction , 2011 .

[7]  Sophia Drossopoulou,et al.  A Unified Framework for Verification Techniques for Object Invariants , 2008, ECOOP.

[8]  Peter W. O'Hearn,et al.  Resources, concurrency, and local reasoning , 2007 .

[9]  V. Stavridou,et al.  Abstraction and specification in program development , 1988 .

[10]  Ruurd Kuiper,et al.  Verification of Object Oriented Programs Using Class Invariants , 2000, FASE.

[11]  Bertrand Meyer,et al.  Object-oriented software construction (2nd ed.) , 1997 .

[12]  Armin Biere,et al.  High‐level data races , 2003, Softw. Test. Verification Reliab..

[13]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[14]  Yi Lu,et al.  Validity Invariants and Effects , 2007, ECOOP.

[15]  K. Rustan M. Leino,et al.  Verification of Object-Oriented Programs with Invariants , 2003, J. Object Technol..

[16]  Marieke Huisman,et al.  Permission-Based Separation Logic for Multithreaded Java Programs , 2014, Log. Methods Comput. Sci..

[17]  Bertrand Meyer,et al.  Object-Oriented Software Construction, 2nd Edition , 1997 .

[18]  Mark A. Hillebrand,et al.  VCC: A Practical System for Verifying Concurrent C , 2009, TPHOLs.

[19]  Marieke Huisman,et al.  The VerCors project: setting up basecamp , 2012, PLPV '12.

[20]  Sanjit A. Seshia,et al.  Modular verification of multithreaded programs , 2005, Theor. Comput. Sci..

[21]  Peter W. O'Hearn,et al.  Permission accounting in separation logic , 2005, POPL '05.

[22]  Gavin M. Bierman,et al.  Separation logic, abstraction and inheritance , 2008, POPL '08.

[23]  Wolfram Schulte,et al.  Local Verification of Global Invariants in Concurrent Programs , 2010, CAV.

[24]  C. A. R. HOARE,et al.  An axiomatic basis for computer programming , 1969, CACM.

[25]  Arnd Poetzsch-Heffter,et al.  Specification and verification of object-oriented programs , 1997 .