Reasoning About Method Calls in Interface Specifications

    // wrong() is abstract, so the class that declares it must be abstract too
    abstract class Inconsistent {
      /*@ normal_behavior
        @ ensures \result == 0 &&
        @         \result == 1;
        @*/
      /*@ pure @*/ abstract int wrong();

      /*@ normal_behavior
        @ assignable \nothing;
        @ ensures \result == 6 + wrong() &&
        @         \result == 5 + wrong();
        @*/
      int bar() { return 6; }
    }

Figure 6: The specification of wrong is not satisfiable.

theory used to verify methods that use m in their specification. If this background theory is inconsistent, the reasoning is potentially unsound. For instance, the above axiom is part of the background theory used to verify method bar and allows one to verify bar, although its specification is obviously not satisfiable. Note that this unsoundness occurs even though wrong is not called from bar's implementation. In practice, unsatisfiable specifications are far less obvious than in the example of method wrong, because they typically involve several normal_behavior specification cases, including inherited specifications. A verification technique has to ensure that unsatisfiable specifications do not lead to unsound reasoning.

To eliminate this source of unsoundness, we use axioms that are weaker than the naive axiomatization above. These axioms require one to prove, by giving a witness, that the specification of a pure method m is satisfiable in order to assume the properties of m and mS. That is, the axioms for m and mS are guarded by the following antecedent:

$$(\exists\, r, OS' \,\bullet\, \mathit{spec}_m(t, p, OS, r, OS'))$$

The existence of a witness has to be proven in order to employ the corresponding axiom. For method wrong, one cannot give a witness r that satisfies r = 0 ∧ r = 1. Therefore, the antecedent of the corresponding axiom is false, and the axiom is void.

VOL 05, NO. 5 JOURNAL OF OBJECT TECHNOLOGY 75
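The difference between the naive and the guarded axiomatization, as an added example in Python that is not part of the paper and not the paper's verification technique. The postconditions of wrong and bar from Figure 6 are encoded as predicates over the result; "provable" is approximated, as an assumption of this example, by checking the postcondition under every interpretation of the pure method that the axiom admits over a small finite domain of integers. The satisfiable method good and its client baz are constructed here to show that the guard does not block consistent specifications.

```python
# Bounded model of pure-method axioms (example code, not from the paper).
# A specification is a predicate over \result; "verified" means the
# postcondition holds for the implementation's result under every
# interpretation of the pure method admitted by its axiom.  The finite
# DOMAIN standing in for int is an assumption of this example.
from typing import Callable, Iterable

Spec = Callable[[int], bool]           # postcondition as predicate over \result
Post = Callable[[int, int], bool]      # (client result, value of pure method)
DOMAIN = range(-8, 9)


def has_witness(spec: Spec, domain: Iterable[int] = DOMAIN) -> bool:
    """The antecedent (exists r . spec_m(r)): does any r satisfy the spec?"""
    return any(spec(r) for r in domain)


def naive_axiom(spec: Spec) -> Spec:
    """Naive axiomatization: spec_m(m()) is assumed without any guard."""
    return spec


def guarded_axiom(spec: Spec) -> Spec:
    """Guarded axiomatization: (exists r . spec_m(r)) ==> spec_m(m()).

    Without a witness the axiom is void, i.e. it constrains m() not at all,
    so a client can no longer derive anything from an unsatisfiable spec."""
    if has_witness(spec):
        return spec
    return lambda _m: True


def verifies(axiom: Spec, post: Post, impl_result: int,
             domain: Iterable[int] = DOMAIN) -> bool:
    """Client is verified iff post holds for impl_result under every
    interpretation m of the pure method that satisfies the axiom.
    If the axiom admits no interpretation, this is vacuously True:
    exactly the unsoundness the naive axiomatization suffers from."""
    return all(post(impl_result, m) for m in domain if axiom(m))


# Figure 6: wrong()  ensures \result == 0 && \result == 1
def spec_wrong(r: int) -> bool:
    return r == 0 and r == 1


# Figure 6: bar()    ensures \result == 6 + wrong() && \result == 5 + wrong()
def post_bar(res: int, w: int) -> bool:
    return res == 6 + w and res == 5 + w


BAR_IMPL_RESULT = 6   # bar() { return 6; }


def bar_verified_naive() -> bool:
    # Axiom demands wrong() == 0 and wrong() == 1: no interpretation survives,
    # so bar's contradictory postcondition is "verified" vacuously (unsound).
    return verifies(naive_axiom(spec_wrong), post_bar, BAR_IMPL_RESULT)


def bar_verified_guarded() -> bool:
    # No witness for spec_wrong, so the axiom is void and wrong() may be
    # anything; bar's postcondition then fails for every interpretation.
    return verifies(guarded_axiom(spec_wrong), post_bar, BAR_IMPL_RESULT)


# Constructed satisfiable counterpart (not in the paper):
#   good()  ensures \result == 6
#   baz()   ensures \result == 6 + good();   baz() { return 12; }
def spec_good(r: int) -> bool:
    return r == 6


def post_baz(res: int, g: int) -> bool:
    return res == 6 + g


def baz_verified_guarded() -> bool:
    # A witness (r = 6) exists, so the guarded axiom is as strong as the
    # naive one and baz is verified legitimately.
    return verifies(guarded_axiom(spec_good), post_baz, 12)


if __name__ == "__main__":
    print("witness for wrong's spec:", has_witness(spec_wrong))
    print("bar verified (naive axiom):  ", bar_verified_naive())
    print("bar verified (guarded axiom):", bar_verified_guarded())
    print("baz verified (guarded axiom):", baz_verified_guarded())
```

The vacuous truth in `verifies` is the model of the unsound step: the naive axiom for wrong rules out every interpretation of wrong(), and a postcondition that must hold under no interpretations holds trivially. The guard turns the same axiom into a tautology, so bar has to satisfy its contradictory postcondition for arbitrary values of wrong(), which it cannot.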
