On assertion-based encapsulation for object invariants and simulations

Naumann, David A.

doi:10.1007/s00165-006-0020-5

Cited by 4 publications

(7 citation statements)

References 70 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An example is a queue, where neither the left nor the right end of the queue conceptually dominates the other in a hierarchy. As a result, a number of extensions or alterations of Boogie have been developed which aim to deal with the inflexibility of the hierarchy structures (e.g., [Naumann andBarnett 2004a, 2004b;Leino and Müller 2004]). We refer to the survey article [Naumann 2007] for further information and references concerning work on Boogie and other work on specifying object-oriented programs.…”

Section: Resultsmentioning

confidence: 99%

Separation and information hiding

O’Hearn

Yang

Reynolds

2009

ACM Trans. Program. Lang. Syst.

View full text Add to dashboard Cite

We investigate proof rules for information hiding, using the formalism of separation logic. In essence, we use the separating conjunction to partition the internal resources of a module from those accessed by the module's clients. The use of a logical connective gives rise to a form of dynamic partitioning, where we track the transfer of ownership of portions of heap storage between program components. It also enables us to enforce separation in the presence of mutable data structures with embedded addresses that may be aliased.

show abstract

Section: Resultsmentioning

confidence: 99%

Separation and information hiding

O’Hearn

Yang

Reynolds

2009

ACM Trans. Program. Lang. Syst.

View full text Add to dashboard Cite

show abstract

“…Liskov and Wing's discussion implies that "the invariant" is what the programmer declares and reasons about. This is broken in unrestricted OO languages, because of sharing and reentrance [31,32,34,38]. We illustrate these problems below.…”

Section: Invariants and Behavioral Subtypingmentioning

confidence: 99%

Behavioral Subtyping, Specification Inheritance, and Modular Reasoning

Leavens

Naumann

2015

ACM Trans. Program. Lang. Syst.

Self Cite

View full text Add to dashboard Cite

Behavioral subtyping is an established idea that enables modular reasoning about behavioral properties of object-oriented programs. It requires that syntactic subtypes are behavioral refinements. It validates reasoning about a dynamically-dispatched method call, say E.m(), using the specification associated with the static type of the receiver expression E. For languages with references and mutable objects the idea of behavioral subtyping has not been rigorously formalized as such, the standard informal notion has inadequacies, and exact definitions are not obvious. This paper formalizes behavioral subtyping and supertype abstraction for a Java-like sequential language with classes, interfaces, exceptions, mutable heap objects, references, and recursive types. Behavioral subtyping is proved sound and semantically complete for reasoning with supertype abstraction. Specification inheritance, as used in the specification language JML, is formalized and proved to entail behavioral subtyping. KeywordsBehavioral subtyping, supertype abstraction, specification inheritance, modularity, specification, verification, state transformer, dynamic dispatch, invariants, Eiffel language, JML language AbstractBehavioral subtyping is an established idea that enables modular reasoning about behavioral properties of object-oriented programs. It requires that syntactic subtypes are behavioral refinements. It validates reasoning about a dynamically-dispatched method call, say E .m(), using the specification associated with the static type of the receiver expression E . For languages with references and mutable objects the idea of behavioral subtyping has not been rigorously formalized as such, the standard informal notion has inadequacies, and exact definitions are not obvious. This paper formalizes behavioral subtyping and supertype abstraction for a Java-like sequential language with classes, interfaces, exceptions, mutable heap objects, references, and recursive types. Behavioral subtyping is proved sound and semantically complete for reasoning with supertype abstraction. Specification inheritance, as used in the specification language JML, is formalized and proved to entail behavioral subtyping.

show abstract

“…That is the topic of this section, which focuses on object invariants. More extensive discussions and citations on these topics can be found in Müller's VSTTE paper [31] and my survey paper [33].…”

Section: Heap Encapsulation Using Auxiliary Statementioning

confidence: 99%

“…Some additional challenges pertinent to objectoriented programming, but not tied to the main theme, are discussed in Section 4. A detailed tutorial on the state-based approach to encapsulation advocated here appears elsewhere [33].Several near-term challenges (1-5 years) are presented here in the setting of sequential object-oriented programs. Because the approach taken here is based on the use of assertions, it is also quite relevant to verification of concurrent object-oriented programs and low level imperative code.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Modular Reasoning in Object-Oriented Programming

Naumann

2008

Verified Software: Theories, Tools, Experiments

Self Cite

View full text Add to dashboard Cite

Abstract. Difficulties in reasoning about functional correctness and relational properties of object-oriented programs are reviewed. An approach using auxiliary state is briefly described, with emphasis on the author's work. Some near term challenges are sketched.Formal verification depends on scientific theories of programming, which answer questions such as these: What are good models of computational behavior? What behavioral properties of components are needed for modular reasoning about a composed system? How can such properties be specified and a component be verified, or even derived from its specification? How can a program and justification of its correctness be revised in accord with small revision of its specification? Such questions have well developed answers that are adequate for small programs under strong simplifying assumptions. But many useful programs are quite large and built from complicated components that violate simplifying assumptions.The longstanding challenge of compositional reasoning remains substantially unsolved. Object-oriented programs pose several challenges that are the focus of my recent research, in which auxiliary state is being used to specify encapsulation boundaries and disciplined interdependence. Section 2, explains the approach, accomplishments, and challenges in terms of invariants for shared mutable objects. Section 3 addresses relational properties including data refinement and secure information flow. This line of research has been carried out for Java-like programming languages; I argue in Section 1 for the importance of such languages. Some additional challenges pertinent to objectoriented programming, but not tied to the main theme, are discussed in Section 4. A detailed tutorial on the state-based approach to encapsulation advocated here appears elsewhere [33].Several near-term challenges (1-5 years) are presented here in the setting of sequential object-oriented programs. Because the approach taken here is based on the use of assertions, it is also quite relevant to verification of concurrent object-oriented programs and low level imperative code.

show abstract

On assertion-based encapsulation for object invariants and simulations

Cited by 4 publications

References 70 publications

Separation and information hiding

Separation and information hiding

Behavioral Subtyping, Specification Inheritance, and Modular Reasoning

Modular Reasoning in Object-Oriented Programming

Contact Info

Product

Resources

About