Formal Aspects of Computing

, Volume 19, Issue 2, pp 159–189 | Cite as

Specification and verification challenges for sequential object-oriented programs

  • Gary T. Leavens
  • K. Rustan M. Leino
  • Peter Müller
Original Article

Abstract

The state of knowledge in how to specify sequential programs in object-oriented languages such as Java and C# and the state of the art in automated verification tools for such programs have made measurable progress in the last several years. This paper describes several remaining challenges and approaches to their solution.

Keywords

Program verification Specification Contract Object-oriented programming Challenge 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [Abr96]
    Abrial J-R (1996) The B-Book: assigning programs to meanings. Cambridge University Press, CambridgeMATHGoogle Scholar
  2. [AGB+77]
    Ambler AL, Good DI, Browne JC, Burger WF, Cohen RM, Hoch CG, Wells RE (1977) GYPSY: a language for specification and implementation of verifiable programs. SIGPLAN Notices 12(3):1–10. doi:10.1145/800022.808306CrossRefGoogle Scholar
  3. [AL97]
    Abadi M, Leino KRM (1997) A logic of object-oriented programs. In: Bidoit M, Dauchet M (eds). Theory and practice of software development (TAPSOFT), Vol 1214 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 682–696. http://www.springerlink.com/content/kp4n0b4xhn8rjg4pGoogle Scholar
  4. [Ame91]
    America P (1991) Designing an object-oriented programming language with behavioural subtyping. In: de Bakker JW, de Roever W-P, Rozenberg G (eds). Foundations of object-oriented languages. REX School/Workshop, Noordwijkerhout, The Netherlands, May/June 1990, Vol 489 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 60–90. doi:10.1007/BFb0019440Google Scholar
  5. [Apt81]
    Apt KR (1981) Ten years of Hoare’s logic: a survey—part I. ACM Trans Program Lang Syst 3(4):431–483. doi: 10.1145/357146.357150MATHCrossRefGoogle Scholar
  6. [BBC+06]
    Ball T, Bounimova E, Cook B, Levin V, Lichtenberg J, McGarvey C, Ondrusek B, Rajamani SK, Ustuner A (2006) Thorough static analysis of device drivers. In: EuroSys’06. ACM, New York, pp 73–85. doi:10.1145/1217935.1217943Google Scholar
  7. [BCC+05]
    Burdy L, Cheon Y, Cok DR, Ernst MD, Kiniry JR, Leavens GT, Leino KRM, Poll E (2005) An overview of JML tools and applications. Int J Softw Tools Technol Transf 7(3):212–232. doi:10.1007/s10009-004-0167-4CrossRefGoogle Scholar
  8. [BCD+06]
    Barnett M, Chang B-YE, DeLine R, Jacobs B, Leino KRM (2006) Boogie: a modular reusable verifier for object-oriented programs. In: Formal Methods for Components and Objects (FMCO) 2005, Revised Lectures, Vol 4111 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 364–387. doi:10.1007/11804192_17Google Scholar
  9. [BDF+04]
    Barnett M, DeLine R, Fähndrich M, Leino KRM, Schulte W (2004) Verification of object-oriented programs with invariants. J Object Technol 3(6):27–56. http://tinyurl.com/m2a8jGoogle Scholar
  10. [Bec00]
    Beckert B (2000) A dynamic logic for Java Card. In: Drossopoulou S, Eisenbach S, Jacobs B, Leavens GT, Müller P, Poetzsch-Heffter A (eds) Workshop on formal techniques for Java Programs (FTfJP). Technical Report 269, FernUniversität HagenGoogle Scholar
  11. [Ben05]
    Benton N (2005) A typed, compositional logic for a stack-based abstract machine. In: Yi K (eds). Programming languages and systems: third Asian symposium (APLAS), Vol 3780 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 364–380. doi: 10.1007/11575467_24Google Scholar
  12. [BL05]
    Barnett M, Leino KRM (2005) Weakest-precondition of unstructured programs. In: Ernst MD, Jensen TP (eds) Program analysis for software tools and engineering (PASTE). ACM, New York, pp 82–87. doi:10.1145/1108792.1108813CrossRefGoogle Scholar
  13. [BLS05]
    Barnett M, Leino KRM, Schulte W (2005) The Spec# programming system: an overview. In: Barthe G, Burdy L, Huisman M, Lanet J-L, Muntean T (eds) Construction and analysis of safe, secure, and interoperable smart devices (CASSIS 2004), Vol 3362 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 49–69. http://www.springerlink.com/content/0m789xre652nuv06Google Scholar
  14. [BM05]
    Bannwart F, Müller P (2005) A logic for bytecode. In: Spoto F (eds). Bytecode semantics, verification, analysis and transformation (BYTECODE), Vol 141(1) of Electronic Notes in Theoretical Computer Science. Elsevier, Amsterdam, pp 255–273. doi: 10.1016/j.entcs.2005.02.026Google Scholar
  15. [BMR95]
    Borgida A, Mylopoulos J, Reiter R (1995) On the frame problem in procedure specifications. IEEE Trans Softw Eng 21(10):785–798. doi:10.1109/32.469460CrossRefGoogle Scholar
  16. [BN04]
    Barnett M, Naumann D (2004) Friends need a bit more: maintaining invariants over shared state. In: Kozen D (eds). Mathematics of program construction (MPC), Vol 3125 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 54–84. http://www.springerlink.com/content/6gt28um7j5jgra12Google Scholar
  17. [Boe99]
    Boer FSd (1999) A WP-calculus for OO. In: Thomas W (eds). Foundations of software science and computation structures (FOSSACS), Vol 1578 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 135–149. http://www.springerlink.com/content/ avdcmfyp8fxwk1y0Google Scholar
  18. [BRL03]
    Burdy L, Requet A, Lanet J-L (2003) Java applet correctness: a developer-oriented approach. In: Araki K, Gnesi S, Mandrioli D (eds) Formal methods (FME), Vol 2805 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 422–439. http://www. springerlink.com/content/wje4yrg7mm7k4u88Google Scholar
  19. [BS01]
    Beckert B, Sasse B (2001) Handling Java’s abrupt termination in a sequent calculus for Dynamic Logic. In: Beckert B, France R, Hähnle R, Jacobs B (eds) IJCAR Workshop on Precise Modelling and Deduction for Object-oriented Software Development, pp 5–14Google Scholar
  20. [Büc00]
    Büchi M (2000) Safe language mechanisms for modularization and concurrency. Technical Report TUCS Dissertations No. 28, Turku Center for Computer Science, May 2000Google Scholar
  21. [BvW98]
    Back R-J, von Wright J (1998) Refinement calculus: a systematic introduction. graduate texts in computer science. Springer, HeidelbergGoogle Scholar
  22. [BW82]
    Broy M, Wirsing M (1982) Partial abstract types. Acta Informatica 18(1):47–64. doi:10.1007/BF00625280MATHCrossRefMathSciNetGoogle Scholar
  23. [BW99]
    Büchi M, Weck W (1999) The greybox approach: when blackbox specifications hide too much. Technical Report 297, Turku Center for Computer Science, August 1999. http://tinyurl.com/ywmuzy.Google Scholar
  24. [CD02]
    Clarke DG, Drossopoulou S (2002) Ownership, encapsulation and the disjointness of type and effect. In: Object-oriented programming systems, languages, and applications (OOPSLA), Vol 37(11) of SIGPLAN Notices. ACM, New York, pp 292–310. doi:10.1145/582419.582447Google Scholar
  25. [Cha00]
    Chapman R (2000) Industrial experience with SPARK. ACM SIGADA Ada Lett 20(4):64–68. doi:10.1145/369264.369270CrossRefGoogle Scholar
  26. [Cha03]
    Chalin P (2003) Improving JML: For a safer and more effective language. In: Araki K, Gnesi S, Mandrioli D (eds) Formal methods (FME), Vol 2805 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 440–461. http://www.springerlink.com/content/26cpmd9b3vbgd2etGoogle Scholar
  27. [Cha06]
    Charles J (2006) Adding native specifications to JML. In: Workshop on formal techniques for Java-like Programs (FTfJP), July 2006. http://www.disi.unige.it/person/AnconaD/FTfJP06/paper04.pdfGoogle Scholar
  28. [Che03]
    Cheon Y (2003) A runtime assertion checker for the Java Modeling Language. PhD dissertation, Technical Report 03-09, Department of Computer Science, Iowa State University, April 2003. ftp://ftp.cs.iastate.edu/pub/techreports/TR03-09/TR.pdfGoogle Scholar
  29. [CHL04]
    Cheon Y, Hayashi Y, Leavens GT (2004) A thought on specification reflection. In: Callaos N, Lesso W, Sanchez B (eds) The 8th World multi-conference on systemics, cybernetics and informatics (SCI), Vol II, Computing Techniques, pp 485–490Google Scholar
  30. [CK05]
    Cok DR, Kiniry JR (2005) ESC/Java2: Uniting ESC/Java and JML: progress and issues in building and using ESC/Java2, including a case study involving the use of the tool to verify portions of an Internet voting tally system. In: Barthe G, Burdy L, Huisman M, Lanet J-L, Muntean T (eds) Construction and analysis of safe, secure, and interoperable smart devices (CASSIS 2004), Vol 3362 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 108–128. http://www.springerlink.com/content/mbxr4yj1dj0lj6apGoogle Scholar
  31. [CKS05]
    Cook B, Kroening D, Sharygina N (2005) Cogent: accurate theorem proving for program verification. In: Etessami K, Rajamani SK (eds) Computer aided verification (CAV), Vol 3576 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 296–300. doi:10.1007/11513988_30Google Scholar
  32. [CLSE05]
    Cheon Y, Leavens GT, Sitaraman M, Edwards S (2005) Model variables: cleanly supporting abstraction in design by contract. Softw Pract Exp 35(6):583–599. doi: 10.1002/spe.649CrossRefGoogle Scholar
  33. [COB03]
    Calcagno C, O’Hearn P, Bornat R (2003) Program logic and equivalence in the presence of garbage collection. Theor Comput Sci 298(2):557–581. doi:10.1016/S0304-3975(02)00868-XMATHCrossRefMathSciNetGoogle Scholar
  34. [Coh90]
    Cohen E (1990) Programming in the 1990s: an introduction to the calculation of programs. Springer, HeidelbergMATHGoogle Scholar
  35. [Cok05]
    Cok DR (2005) Reasoning with specifications containing method calls and model fields. J Object Technol 4(8):77–103. http://www.jot.fm/issues/issue_2005_10/article4Google Scholar
  36. [CPN98]
    Clarke DG, Potter JM, Noble J (1998) Ownership types for flexible alias protection. In: Object-oriented programming systems, languages, and applications (OOPSLA), Vol 33(10) of SIGPLAN Notices. ACM, New York, pp 48–64. doi:http://doi.acm.org/10.1145/286936.286947Google Scholar
  37. [CPR98]
    Cook B, Podelski A, Rybalchenko A (2006) Termination proofs for systems code. In: Schwartzbach MI, Ball T (eds) Proceedings of the ACM SIGPLAN 2006 conference on programming language design and implementation (PLDI). ACM, New York, pp 415–426. doi:http://doi.acm.org/10.1145/1133981.1134029CrossRefGoogle Scholar
  38. [Cri84]
    Cristian F (1984) Correct and robust programs. IEEE Trans Softw Eng 10:163–174MathSciNetCrossRefGoogle Scholar
  39. [DL96]
    Dhara KK, Leavens GT (1996) Forcing behavioral subtyping through specification inheritance. In: Proceedings of the 18th international conference on software engineering, March 1996, Berlin. IEEE Computer Society Press, New York, pp 258–267. A corrected version is ISU CS TR #95-20c, http://tinyurl.com/s2krg. doi:10.1109/ICSE.1996.493421Google Scholar
  40. [DL05]
    DeLine R, Leino KRM (2005) Boogie PL: aA typed procedural language for checking object-oriented programs. Technical Report MSR-TR-2005-70, Microsoft Research. ftp://ftp.research.microsoft.com/pub/tr/TR-2005-70.pdfGoogle Scholar
  41. [DM06]
    Darvas A, Müller P (2006) Reasoning about method calls in interface specifications. J Object Technol 5(5):59–85. http://www.jot.fm/issues/issue_2006_06/article3.pdfGoogle Scholar
  42. [DNS05]
    Detlefs D, Nelson G, Saxe JB (2005) Simplify: a theorem prover for program checking. J ACM 52(3):365–473. http://doi.acm.org/10.1145/1066100.1066102CrossRefMathSciNetGoogle Scholar
  43. [ECGN01]
    Ernst M, Cockrell J, Griswold WG, Notkin D (2001) Dynamically discovering likely program invariants to support program evolution. IEEE Trans Softw Eng 27(2):99–123.doi:10.1109/32.908957CrossRefGoogle Scholar
  44. [ECM05a]
    C# language specification. ECMA Standard 334, June 2005Google Scholar
  45. [ECM05b]
    Eiffel analysis, design and programming language. ECMA Standard 367, June 2005Google Scholar
  46. [EM85]
    Ehrig H, Mahr B (1985) Fundamentals of algebraic specification 1: equations and initial semantics, Vol 6 of EATCS Monographs on Theoretical Computer Science. Springer, HeidelbergGoogle Scholar
  47. [FJ92]
    Feijs LMG, Jonkers HBM (1992) Formal specification and design, Vol 35 of Cambridge Tracts in Theoretical Computer Science. Cambridge University Press, CambridgeGoogle Scholar
  48. [FL01]
    Flanagan C, Leino KRM (2001) Houdini, an annotation assistant for ESC/Java. In: Oliveira JN, Zave P (eds) FME 2001: formal methods for increasing software productivity, Vol 2021 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 500–517. http://www.springerlink.com/content/nxukfdgg7623q3a9Google Scholar
  49. [FLL+02]
    Flanagan C, Leino KRM, Lillibridge M, Nelson G, Saxe JB, Stata R (2002) Extended static checking for Java. In: Proceedings of the 2002 ACM SIGPLAN conference on programming language design and implementation (PLDI), Vol 37(5) of SIGPLAN Notices. ACM, New York, pp 234–245. doi:10.1145/512529.512558Google Scholar
  50. [FM04]
    Filliâtre J-C, Marché C (2004) Multi-prover verification of C programs. In: Formal methods and software engineering, 6th international conference on formal engineering methods, ICFEM 2004, Vol 3308 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 15–29. http://www.springerlink.com/content/ejxv14xdjf5676u5Google Scholar
  51. [GB99]
    Greenhouse A, Boyland J (1999) An object-oriented effects system. In: European conference on object-oriented programming (ECOOP). Springer, Heidelberg, pp 205–229. http://www.springerlink.com/content/tu309p114v1kbd8vGoogle Scholar
  52. [GH78]
    Guttag JV, Horning JJ (1978) The algebraic specification of abstract data types. Acta Informatica 10(1):27–52. doi:10.1007/BF00260922MATHCrossRefMathSciNetGoogle Scholar
  53. [GH93]
    Guttag JV, Horning JJ (1993) Larch: languages and tools for formal specification. Springer, HeidelbergMATHGoogle Scholar
  54. [GHJV95]
    Gamma E, Helm R, Johnson R, Vlissides J (1995) Design patterns. Addison-Wesley, ReadingGoogle Scholar
  55. [Gre03]
    Greenhouse A (2003) A programmer-oriented approach to safe concurrency. Technical Report CMU-CS-03-135, School of Computer Science, Carnegie Mellon University, May 2003. http://reports-archive.adm.cs.cmu.edu/anon/2003/CMU-CS-03-135.pdfGoogle Scholar
  56. [Gri81]
    Gries D (1981) The science of programming. Springer, HeidelbergMATHGoogle Scholar
  57. [GS94]
    Gries D, Schneider FB (1994) A logical approach to discrete math. texts and monographs in computer science. Springer, HeidelbergGoogle Scholar
  58. [GTWW77]
    Goguen JA, Thatcher JW, Wagner EG, Wright JB (1977) Initial algebra semantics and continuous algebras. J ACM 24:68–95. doi:10.1145/321992.321997MATHCrossRefMathSciNetGoogle Scholar
  59. [Heh93]
    Hehner ECR (1993) A practical theory of programming. texts and monographs in computer science. Springer, Heidelberg. Available from http://www.cs.utoronto.ca/ hehner/aPToPGoogle Scholar
  60. [Heh05]
    Hehner ECR (2005) Specified blocks. Verified Software: Theories, Tools, Experiments (VSTTE), http://vstte.inf.ethz.ch/Files/ hehner.pdf, October 2005Google Scholar
  61. [HJ00]
    Huisman M, Jacobs B (2000) Java program verification via a Hoare logic with abrupt termination. In: Fundamental approaches to software engineering (FASE). Springer, Heidelberg, pp 284–303. http://www.springerlink.com/content/fkrbjn1vg56ra052Google Scholar
  62. [HJW+92]
    Hudak P, Jones SP, Wadler P, Boutel B, Fairbairn J, Fasel J, Guzmán MM, Hammond K, Hughes J, Johnsson T, Kieburtz D, Nikhil R, Partain W, Peterson J (1992) Report on the programming language Haskell: a non-strict, purely functional language, version 1.2. ACM SIGPLAN Notices 27(5). doi:10.1145/130697.130699Google Scholar
  63. [HMS05]
    Hoare T, Misra J, Shankar N (2005) Verified software: theories, tools, experiments (VSTTE 2005). http://vstte.ethz.ch, October 2005. Sponsored by International Federation for Information Processing, Technical Committee 2Google Scholar
  64. [Hoa69]
    Hoare CAR (1969) An axiomatic basis for computer programming. Commun ACM 12(10):576–580,583. doi:10.1145/363235.363259Google Scholar
  65. [Hoa72]
    Hoare CAR (1972) Proof of correctness of data representations. Acta Informatica 1(4):271–281. doi:10.1007/BF00289507MATHCrossRefGoogle Scholar
  66. [Hoa03]
    Hoare T (2003) The verifying compiler: a grand challenge for computing research. J ACM 50(1):63–69. doi:10.1145/602382.602403CrossRefGoogle Scholar
  67. [Jac04]
    Jacobs B (2004) Weakest pre-condition reasoning for Java programs with JML annotations. J Logic Algebraic Program 58(1–2):61–88. doi:10.1016/j.jlap.2003.07.005MATHCrossRefMathSciNetGoogle Scholar
  68. [JKW03]
    Jacobs B, Kiniry J, Warnier M (2003) Java program verification challenges. In: de Boer FS, Bonsangue MM, Graf S, de Roever W-P (eds) FMCO 2002: formal methods for component objects, proceedings, Vol 2852 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 202–219Google Scholar
  69. [JMPS05]
    Jacobs B, Meijer E, Piessens F, Schulte W (2005) Iterators revisited: proof rules and implementation. In: Workshop on formal techniques for Java-like Programs (FTfJP), July 2005. http://www.cs.ru.nl/ftfjp/2005/Jacobs.pdfGoogle Scholar
  70. [Jon90]
    Jones CB (1990) Systematic software development using VDM International series in computer science, 2nd edn. Prentice Hall, Englewood CliffsGoogle Scholar
  71. [Jon91]
    Jones KD (1991) LM3: A larch interface language for Modula-3: a definition and introduction: Version 1.0. Technical Report 72, Digital Equipment Corporation, Systems Research CenterGoogle Scholar
  72. [JP01]
    Jacobs B, Poll E (2001) A logic for the Java modeling language JML. In: Fundamental approaches to software engineering (FASE), Vol 2029 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 284–299. http://www.springerlink.com/content/17ul9mb1y0ja42ebGoogle Scholar
  73. [JP06]
    Jacobs B, Piessens F (2006) Verification of programs with inspector methods. In: Workshop on Formal Techniques for Java-like Programs (FTfJP), July 2006. http://www.disi.unige.it/person/AnconaD/FTfJP06/paper09.pdfGoogle Scholar
  74. [KC97]
    Katrib M, Coira J (1997) Improving Eiffel assertions using quantified iterators. J Object-Oriented Program 10(7):35–43Google Scholar
  75. [Kra98]
    Kramer R (1998) iContract—the JavaTM design by contractTM tool. In: TOOLS 26: technology of object-oriented languages and systems, August 1998. IEEE Computer Society Press, New York, pp 295–307. doi:10.1109/TOOLS.1998.711021Google Scholar
  76. [LBR99]
    Leavens GT, Baker AL, Ruby C (1999) JML: a notation for detailed design. In: Kilov H, Rumpe B, Simmonds I (eds) Behavioral Specifications of businesses and systems. Kluwer, Dordrecht, pp 175–188Google Scholar
  77. [LBR06]
    Leavens GT, Baker AL, Ruby C (2006) Preliminary design of JML: a behavioral interface specification language for Java. ACM SIGSOFT Softw Eng Notes 31(3):1–38. doi:10.1145/1127878.1127884CrossRefGoogle Scholar
  78. [LCC+05]
    Leavens GT, Cheon Y, Clifton C, Ruby C, Cok DR (2005) How the design of JML accommodates both runtime assertion checking and formal verification. Sci Comput Program 55(1–3):185–208. doi:10.1016/j.scico.2004.05.015MATHCrossRefMathSciNetGoogle Scholar
  79. [LD00]
    Leavens GT, Dhara KK (2000) Concepts of behavioral subtyping and a sketch of their extension to component-based systems. In: Leavens GT, Sitaraman M (eds) Foundations of component-based systems, Chap 6. Cambridge University Press, Cambridge, pp 113–135. http://www.cs.iastate.edu/ leavens/FoCBS-book/06-leavens-dhara.pdfGoogle Scholar
  80. [Lea06]
    Leavens GT (2006) JML’s rich, inherited specifications for behavioral subtypes. In: Liu Z, Jifeng H (eds) Formal methods and software engineering: 8th international conference on formal engineering methods (ICFEM), Vol 4260 of Lecture Notes in Computer Science, New York. Springer, Heidelberg, pp 2–34. doi:10.1007/11901433_2Google Scholar
  81. [Lei95]
    Leino KRM (1995) Toward reliable modular programs. PhD Thesis, California Institute of Technology. Available as Technical Report Caltech-CS-TR-95-03. http://caltechcstr.library.caltech.edu/234/00/95-03.psGoogle Scholar
  82. [Lei97]
    Leino KRM (1997) Ecstatic: an object-oriented programming language with an axiomatic semantics. In: Pierce B (ed) Fourth international workshop on foundations of object-oriented languages (FOOL), January 1997. Available from: http://www.cis.upenn.edu/ bcpierce/FOOL/Google Scholar
  83. [Lei98]
    Leino KRM (1998) Data groups: specifying the modification of extended state. In: Object-oriented programming systems, languages, and applications (OOPSLA), Vol 33(10) of SIGPLAN Notices. ACM, New York, pp 144–153. doi:10.1145/286936.286953Google Scholar
  84. [LM04]
    Leino KRM, Müller P (2004) Object invariants in dynamic contexts. In: Odersky M (ed) European conference on object- oriented programming (ECOOP), Vol 3086 of Lecture Notes in Computer Science, June 2004. Springer, Heidelberg, pp 491–516. http://www.springerlink.com/content/ttfnjg36yq64pah8Google Scholar
  85. [LM05]
    Leino KRM, Müller P (2005) Modular verification of static class invariants. In: Fitzgerald J, Hayes IJ, Tarlecki A (eds) Formal methods (FM), Vol 3582 of Lecture Notes in Computer Science, July 2005. Springer, Heidelberg, pp 26–42. doi:10.1007/11526841_4Google Scholar
  86. [LM06]
    Leino KRM, Müller P (2006) A verification methodology for model fields. In: Sestoft P (ed) European symposium on programming (ESOP), Vol 3924 of Lecture Notes in Computer Science, March 2006. Springer, Heidelberg, pp 115–130. doi:10.1007/11693024_9Google Scholar
  87. [LN02]
    Leino KRM, Nelson G (2002) Data abstraction and information hiding. ACM Trans Programm Lang Syst 24(5):491–553. doi:10.1145/570886.570888CrossRefGoogle Scholar
  88. [LN07]
    Leavens GT, Naumann DA (2006) Behavioral subtyping, specification inheritance, and modular reasoning. Technical Report 06-20a, Department of Computer Science, Iowa State University, Ames, August 2006. ftp://ftp.cs.iastate.edu/pub/techreports/TR06-20/TR.pdfGoogle Scholar
  89. [LPC+06]
    Leavens GT, Poll E, Clifton C, Cheon Y, Ruby C, Cok DR, Müller P, Kiniry J, Chalin P (2006) JML reference manual. Department of Computer Science, Iowa State University. Available from http://www.jmlspecs.org, January 2006Google Scholar
  90. [LPHZ02]
    Leino KRM, Poetzsch-Heffter A, Zhou Y (2002) Using data groups to specify and check side effects. In: Proceedings of the 2002 ACM SIGPLAN conference on programming language design and implementation (PLDI), Vol 37(5) of SIGPLAN Notices, May 2002. ACM, New York, pp 246–257. doi:10.1145/512529.512559Google Scholar
  91. [LSS99]
    Leino KRM, Saxe JB, Stata R (1999) Checking Java programs via guarded commands. In: Jacobs B, Leavens GT, Müller P, Poetzsch-Heffter A (eds) Formal techniques for Java Programs (FTfJP), Technical Report 251. FernUniversität Hagen, May 1999. Also available as Technical Note 1999-002, Compaq Systems Research CenterGoogle Scholar
  92. [Luc90]
    Luckham D (1990) Programming with specifications: an introduction to Anna, a language for specifying Ada programs. Texts and Monographs in Computer Science. Springer, HeidelbergGoogle Scholar
  93. [LvH85]
    Luckham D, von Henke FW (1985) An overview of Anna—a specification language for Ada. IEEE Softw 2(2):9–23Google Scholar
  94. [LW94]
    Liskov B, Wing JM (1994) A behavioral notion of subtyping. ACM Trans Program Lang Syst 16(6):1811–1841. doi:10.1145/197320.197383CrossRefGoogle Scholar
  95. [LW95]
    Leavens GT, Weihl WE (1995) Specification and verification of object-oriented programs using supertype abstraction. Acta Informatica 32(8):705–778. doi:10.1007/BF01178658MATHMathSciNetGoogle Scholar
  96. [Mey92]
    Meyer B (1992) Eiffel: the language. Prentice Hall, New JerseyMATHGoogle Scholar
  97. [Mey97]
    Meyer B (1997) Object-oriented software construction, 2nd edn. Prentice Hall, New JerseyMATHGoogle Scholar
  98. [Mir04]
    Miragliotta M (2004) Specification model library for the interactive program prover Jive. Student project, ETH Zurich. Available from: http://www.sct.inf.ethz.ch/projects/student_docs/Marcello_Miragliotta/M arcello_Miragliotta_paper.pdfGoogle Scholar
  99. [Mor94]
    Morgan C (1994) Programming from specifications, 2nd edn. Prentice Hall International, Hempstead, http://web.comlab.ox.ac.uk/oucl/publications/books/PfS/MATHGoogle Scholar
  100. [MPH03]
    Müller P, Poetzsch-Heffter A, Leavens GT (2003) Modular specification of frame properties in JML. Concurr Comput Pract Exp 15(2):117–154. doi:10.1002/cpe.713MATHCrossRefGoogle Scholar
  101. [MPHL06]
    Müller P, Poetzsch-Heffter A, Leavens GT (2006) Modular invariants for layered object structures. Sci Comput Program 62(3):253–286. doi:10.1016/j.scico.2006.03.001MATHCrossRefGoogle Scholar
  102. [MPMU04]
    Marché C, Paulin-Mohring C, Urbain X (2004) The Krakatoa tool for certification of Java/JavaCard programs annotated in JML. J Logic Algebraic Programm 58(1–2):89–106. doi:10.1016/j.jlap.2003.07.006MATHCrossRefGoogle Scholar
  103. [Mü102]
    Müller P (2002) Modular specification and verification of object-oriented programs, Vol 2262 of Lecture Notes in Computer Science. Springer, HeidelbergGoogle Scholar
  104. [NE01]
    Nimmer JW, Ernst MD (2001) Static verification of dynamically detected program invariants: integrating Daikon and ESC/Java. In: Proceedings of RV’01, first workshop on runtime verification, July 2001. Elsevier, Amsterdam. doi:10.1016/S1571-0661(04)00256-7Google Scholar
  105. [OYR04]
    O’Hearn PW, Yang H, Reynolds JC (2004) Separation and information hiding. In: Jones ND, Leroy X (eds) Proceedings of the 31st ACM SIGPLAN-SIGACT symposium on principles of programming languages (POPL), January 2004. ACM, New York, pp 268–280. doi:10.1145/964001.964024CrossRefGoogle Scholar
  106. [PB05]
    Parkinson M, Bierman G (2005) Separation logic and abstraction. In: Palsberg J, Abadi M (eds) Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on principles of programming languages (POPL), January 2005. ACM, New York, pp 247–258. doi:10.1145/1040305.1040326CrossRefGoogle Scholar
  107. [PHM99]
    Poetzsch-Heffter A, Müller P (1999) A programming logic for sequential Java. In: Swierstra SD (ed) European symposium on programming languages and systems (ESOP), Vol 1576 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 162–176. http://tinyurl.com/krjleGoogle Scholar
  108. [Rey02]
    Reynolds JC (2002) Separation logic: a logic for shared mutable data structures. In: IEEE symposium on logic in computer science. IEEE, New York, pp 55–74Google Scholar
  109. [Ros95]
    Rosenblum DS (1995) A practical approach to programming with assertions. IEEE Trans Softw Eng 21(1):19–31. doi:10.1109/32.341844CrossRefGoogle Scholar
  110. [SF04]
    Soundarajan N, Fridella S (2004) Incremental reasoning for object oriented systems. In: Owe O, Krogdahl S, Lyche T (eds) From object-orientation to formal methods, essays in memory of Ole–Johan Dahl, Vol 2635 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 302–333. http://www.springerlink.com/content/n9uv7k2bha03l9lnGoogle Scholar
  111. [Sha06]
    Shaner S (2006) Semantics for model programs in JML. Master’s Thesis, Iowa State University (expected)Google Scholar
  112. [Spi92]
    Spivey JM (1992) The Z notation: a reference manual. international series in computer science, 2nd edn. Prentice-Hall, New York. http://spivey.oriel.ox.ac.uk/mike/zrm/Google Scholar
  113. [vO01]
    von Oheimb D (2001) Analyzing Java in Isabelle/HOL: formalization, type safety and Hoare logic. PhD Thesis, Technische Universität München. http://www4.in.tum.de/ oheimb/diss/Google Scholar
  114. [vON02]
    von Oheimb D, Nipkow T (2002) Hoare logic for NanoJava: auxiliary variables, side effects and virtual methods revisited. In: Eriksson L-H, Lindsay PA (eds) Formal methods—getting IT Right (FME’02), Vol 2391 of Lecture Notes in Computer Science. Springer, Heidelberg, pp 89–105. http://www.springerlink.com/content/bp1vtfr9ha3kl3t5Google Scholar
  115. [vPG03]
    von Praun C, Gross TR (2003) Static conflict analysis for multi-threaded object-oriented programs. In: Proceedings of the ACM SIGPLAN 2003 conference on programming language design and implementation (PLDI), June 2003. ACM, New York, pp 115–128. doi:10.1145/781131.781145Google Scholar
  116. [Wan79]
    Wand M (1979) Final algebra semantics and data type extensions. J Comput Syst Sci 19(1):27–44. doi:10.1016/0022-0000(79)90011-4MATHCrossRefMathSciNetGoogle Scholar
  117. [WBL94]
    Wahls T, Baker AL, Leavens GT (1994) The direct execution of SPECS-C++: a model-based specification language for C++ classes. Technical Report 94-02b, Department of Computer Science, Iowa State University, March 1994. ftp://ftp.cs.iastate.edu/pub/ techreports/TR94-02/TR.ps.ZGoogle Scholar
  118. [Wil92]
    Wills A (1992) Specification in Fresco. In: Stepney S, Barden R, Cooper D (eds) Object orientation in Z, workshops in computing, Chap 11. Springer, Heidelberg, pp 127–135Google Scholar
  119. [Win87]
    Wing JM (1987) Writing larch interface language specifications. ACM Trans Program Lang Syst 9(1):1–24. doi:10.1145/9758.10500MATHCrossRefMathSciNetGoogle Scholar
  120. [Win90]
    Wing JM (1990) A specifier’s introduction to formal methods. Computer 23(9):8–24. doi:10.1109/2.58215CrossRefGoogle Scholar
  121. [WMC05]
    Wilson T, Maharaj S, Clark RG (2005) Omnibus verification policies: a flexible, configurable approach to assertion-based software verification. In: Aichernig BK, Beckert B (eds) Third IEEE international conference on software engineering and formal methods (SEFM), September 2005. IEEE Comput Soc, New York, pp 150–159. doi:10.1109/SEFM.2005.29Google Scholar
  122. [XA05]
    Xie Y, Aiken A (2005) Scalable error detection using boolean satisfiability. In: Palsberg J, Abadi M (eds) Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on principles of programming languages (POPL), January 2005. ACM, New York, pp 351–363. doi:10.1145/1040305.1040334CrossRefGoogle Scholar

Copyright information

© British Computer Society 2007

Authors and Affiliations

  • Gary T. Leavens
    • 1
  • K. Rustan M. Leino
    • 2
  • Peter Müller
    • 3
  1. 1.Dept. of Computer ScienceIowa State UniversityAmesUSA
  2. 2.Microsoft Research, Redmond, One Microsoft WayRedmondUSA
  3. 3.ETH ZurichETH Zentrum RZ F2ZurichSwitzerland

Personalised recommendations