An Automatic Verifier for Java-Like Programs Based on Dynamic Frames

Data abstraction is crucial in the construction of modular programs, since it ensures that internal changes in one module do not propagate to other modules. In object-oriented programs, classes typically enforce data abstraction by providing access to their internal state only through methods. By using method calls in method contracts, data abstraction can be extended to specifications. In this paper, methods used for this purpose must be side-effect free, and are called pure methods. We present an approach to the automatic verification of object-oriented programs that use pure methods for data abstraction. The cornerstone of our approach is the solution to the framing problem, i.e. client code must be able to determine whether state changes affect the return values of pure methods. More specifically, we extend each method contract with a method footprint, an upper bound on the memory locations read or written by the corresponding method. Footprints are specified using dynamic frames, special pure methods that return sets of memory locations. Thanks to this abstraction, implementations can evolve independently from specifications, loosely coupled only by pure functions. We implemented this approach in a custom build of the Spec# program verifier, and used it to automatically verify several challenging programs, including the iterator and observer patterns. The verifier itself and the examples shown in this paper can be downloaded from the authors' homepage [1].

[1]  K. Rustan M. Leino,et al.  Using data groups to specify and check side effects , 2002, PLDI '02.

[2]  Frank Piessens,et al.  Inspector Methods for State Abstraction , 2007, J. Object Technol..

[3]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[4]  Ioannis T. Kassios Dynamic Frames: Support for Framing, Dependencies and Sharing Without Restrictions , 2006, FM.

[5]  Anindya Banerjee,et al.  Regional Logic for Local Reasoning about Global Invariants , 2008, ECOOP.

[6]  Perdita Stevens,et al.  Modelling Recursive Calls with UML State Diagrams , 2003, FASE.

[7]  Matthew J. Parkinson,et al.  Local reasoning for Java , 2005 .

[8]  Gary T. Leavens Modular specification and verification of object-oriented programs , 1991, IEEE Software.

[9]  K. Rustan M. Leino,et al.  A Verifying Compiler for a Multi-threaded Object-Oriented Language , 2007 .

[10]  Frank Piessens,et al.  Verification of Programs with Inspector Methods , 2006 .

[11]  K. Rustan M. Leino,et al.  A Verification Methodology for Model Fields , 2006, ESOP.

[12]  Gary T. Leavens,et al.  Forcing behavioral subtyping through specification inheritance , 1996, Proceedings of IEEE 18th International Conference on Software Engineering.

[13]  Gary T. Leavens,et al.  Specification and verification challenges for sequential object-oriented programs , 2007, Formal Aspects of Computing.

[14]  Brian Campbell,et al.  Amortised Memory Analysis Using the Depth of Data Structures , 2009, ESOP.

[15]  Stephen Gilmore,et al.  Mobile Resource Guarantees for Smart Devices , 2004, CASSIS.

[16]  K. Rustan M. Leino,et al.  Verification of Object-Oriented Programs with Invariants , 2003, J. Object Technol..

[17]  Frank Piessens,et al.  Verification of programs using inspector methods , 2006 .

[18]  K. Rustan M. Leino,et al.  Object Invariants in Dynamic Contexts , 2004, ECOOP.

[19]  K. Rustan M. Leino,et al.  Practical Reasoning About Invocations and Implementations of Pure Methods , 2007, FASE.

[20]  Michael Barnett,et al.  Friends Need a Bit More: Maintaining Invariants Over Shared State , 2004, MPC.

[21]  Gavin M. Bierman,et al.  Separation logic and abstraction , 2005, POPL '05.

[22]  Martin Odersky ECOOP 2004 – Object-Oriented Programming , 2004, Lecture Notes in Computer Science.

[23]  Ioannis T. Kassios A theory of object oriented refinement , 2006 .