Journal of Object Technology, Vol. 3, No. 6
Special issue: ECOOP 2003 workshop on FTfJP

Verification of object-oriented programs with invariants

Mike Barnett, Robert DeLine, Manuel Fähndrich, K. Rustan M. Leino, Wolfram Schulte
Microsoft Research, Redmond, WA, USA

An object invariant defines what it means for an object's data to be in a consistent state. Object invariants are central to the design and correctness of object-oriented programs. This paper defines a programming methodology for using object invariants. The methodology, which enriches a program's state space to express when each object invariant holds, deals with owned object components, ownership transfer, and subclassing, and is expressive enough to allow many interesting object-oriented programs to be specified and verified. Lending itself to sound modular verification, the methodology also provides a solution to the problem of determining what state a method is allowed to modify.

1 INTRODUCTION

Writing and maintaining software is difficult and error prone, in part because it requires coping with many details. Mechanical programming tools can relieve some of this burden. For example, an important and pervasive tool is the type checker, which allows the programmer to describe in broad-brush terms the set of values each program variable can take. Using these descriptions, the type checker mechanically checks all reads and writes of program variables to ensure that no variable takes on a forbidden value. The type checker is usually built into the compiler, which also checks other details. For example, the compiler may check that every variable use is preceded by an assignment, that any read-only variable is not changed after its initial assignment, or that variables declared in certain scopes or with certain access modifiers are not referenced from inappropriate places.

These successful detail management techniques have in common that the programmer formulates the condition that is supposed to hold and leaves the details of enforcing the condition to a mechanical tool. In this paper, we consider object-oriented programs and focus on object invariants. An object invariant specifies a relation on an object's data that the programmer intends to hold. Using object invariants, one can detect or prevent data corruption errors and other misuse of the data. Ultimately, we are interested in leaving the detail management of object invariants to a mechanical tool, but doing so requires that we first determine a good methodology for using object invariants. The idea that objects, in their steady states, satisfy certain data invariants goes back

Cite this article as follows: Mike Barnett, Robert DeLine, Manuel Fähndrich, K. Rustan M....
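The abstract's two ideas, recording in each object's state whether its invariant must currently hold and guarding owned components so they cannot be modified behind their owner's back, as a small Python model added here for illustration (this is not the paper's own code; the names Checked, inv, owner, pack, unpack and the Account example are assumptions):

```python
class InvariantViolation(Exception):
    pass


class Checked:
    components = ()   # owned objects whose state this object's invariant may read

    def __init__(self):   # inv: invariant must currently hold ("packed"); owner: packed owner
        self.__dict__.update(inv=False, owner=None)

    def invariant(self):
        return True

    def __setattr__(self, name, value):   # field writes are only legal while unpacked
        if self.inv:
            raise InvariantViolation(f"write to {type(self).__name__}.{name} while packed")
        object.__setattr__(self, name, value)

    def pack(self):   # needs a true invariant and packed components owned by nobody else
        ok = all(c.inv and c.owner in (None, self) for c in self.components)
        if not (ok and self.invariant()):
            raise InvariantViolation(f"cannot establish {type(self).__name__} invariant")
        for c in self.components:
            object.__setattr__(c, "owner", self)
        object.__setattr__(self, "inv", True)

    def unpack(self):   # a component is never unpacked while its owner is still packed
        if not self.inv or (self.owner is not None and self.owner.inv):
            raise InvariantViolation(f"{type(self).__name__} is already mutable or owned")
        object.__setattr__(self, "inv", False)


class Account(Checked):   # owner: its invariant reads the owned balance component
    def __init__(self, limit):
        super().__init__()
        self.balance = Checked()
        self.balance.n = 0
        self.balance.pack()
        self.limit, self.components = limit, (self.balance,)
        self.pack()

    def invariant(self):
        return 0 <= self.balance.n <= self.limit

    def deposit(self, amount):   # unpack owner, then component; repack in reverse order
        self.unpack()
        self.balance.unpack()
        self.balance.n += amount
        self.balance.pack()
        self.pack()   # raises if the deposit pushed the total past limit
```

A direct write to a packed object, an unpack of a component whose owner is still packed, and a pack that would leave the invariant false are all rejected, which is the "detect or prevent data corruption" behaviour the introduction describes.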