A Verification Methodology for Model Fields

  • K. Rustan M. Leino
  • Peter Müller

Part of the Lecture Notes in Computer Science book series (LNCS, volume 3924)


Model fields are specification-only fields that encode abstractions of the concrete state of a data structure. They allow specifications to describe the behavior of object-oriented programs without exposing implementation details.

This paper presents a sound verification methodology for model fields that handles object-oriented features, supports data abstraction, and can be applied to a variety of realistic programs. The key innovation of the methodology is a novel encoding of model fields, where updates of the concrete state do not automatically change the values of model fields. Model fields are updated only by a special pack statement. The methodology guarantees that the specified relation between a model field and the concrete state of an object holds whenever the object is valid, that is, whenever it is known to satisfy its invariant.

The methodology also improves on previous work in three significant ways: First, the formalization of model fields prevents unsoundness, even if an interface specification is inconsistent. Second, the methodology fully supports inheritance. Third, the methodology enables modular reasoning about frame properties without using explicit dependencies, which are not handled well by automatic theorem provers.
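As an added illustration of the pack discipline described above, the following Python class simulates the rules at runtime; it is not code from the paper, which formalizes the discipline for static verification in a Spec#-like setting, and the class and method names (Stack, pack, unpack, relation_holds) are assumed for the example.

```python
# Added illustration, not code from the paper: a runtime simulation of the
# pack-based model-field discipline. A verifier would check these conditions
# statically; here they are asserted at runtime on a small stack whose
# model field 'size' abstracts its concrete list.

class InvalidObject(Exception): pass  # model field read on an invalid object

class Stack:
    def __init__(self):
        self.items = []      # concrete state
        self._size = None    # model field: meaningful only when valid
        self.valid = False   # becomes True at pack, False at unpack

    def relation_holds(self):
        # The specified relation between model field and concrete state.
        return self._size == len(self.items)

    def pack(self):
        # pack is the only statement that updates the model field: it
        # recomputes the abstraction and establishes the invariant.
        self._size = len(self.items)
        assert self.relation_holds()
        self.valid = True

    def unpack(self):
        self.valid = False

    @property
    def size(self):
        # A model field may only be read on a valid object.
        if not self.valid:
            raise InvalidObject("model field read on an invalid object")
        return self._size

    def push(self, x):
        # Concrete updates happen while unpacked and leave the model
        # field untouched; the following pack brings it back in line.
        self.unpack()
        self.items.append(x)
        self.pack()

def demo():
    s = Stack()
    s.pack()
    s.push(1); s.push(2)
    s.unpack()
    s.items.append(3)                            # concrete update, no pack
    stale = s._size                              # still 2: not auto-updated
    relation_while_invalid = s.relation_holds()  # False, but s is invalid
    s.pack()
    return stale, relation_while_invalid, s.size
```

The relation is allowed to be broken only while the object is invalid; pack re-establishes it before the object becomes valid again.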


Keywords

Model Field, Concrete State, Dynamic Type, Separation Logic, Object Invariant



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • K. Rustan M. Leino, Microsoft Research, USA
  • Peter Müller, ETH Zürich, Switzerland
