Allowing State Changes in Specifications

  • Mike Barnett
  • David A. Naumann
  • Wolfram Schulte
  • Qi Sun
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3995)


We provide a static analysis (using both dataflow analysis and theorem proving) to allow state changes within specifications. This can be used for specification languages that share the same expression sub-language with an implementation language so that method calls can appear in preconditions, postconditions, and object invariants without violating the soundness of the system.
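The soundness problem the abstract refers to, as an added illustration that is not part of the paper and is not the authors' analysis: a method called from a precondition may change state, and the question is whether that change is observable. The block below is a constructed Python scenario with a minimal runtime contract checker (`requires`), a class whose contract-called method mutates a public field (`LeakyAccount`), and one whose mutation is confined to a private cache that every write invalidates (`CachingAccount`). All class, method and field names are invented for the example. Where the paper decides this statically with dataflow analysis and theorem proving, the demo only tests the property dynamically, by running the same scenario with contract checking on and off and comparing the public state.

```python
"""Observational purity of methods called from contracts (constructed demo).

If evaluating a contract changes state that other code can observe, then
turning contract checking on or off changes program behaviour, and a
verifier that assumes specifications are side-effect free is unsound.
A state change confined to a private cache that no observable result
depends on is harmless; that is the kind of change worth admitting.
"""
import functools

CHECK_CONTRACTS = True  # toggled by run_scenario to compare behaviour


def requires(pred):
    """Precondition decorator: pred(self, *args) must hold on entry."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(self, *args, **kwargs):
            if CHECK_CONTRACTS and not pred(self, *args, **kwargs):
                raise AssertionError(f"precondition of {fn.__name__} violated")
            return fn(self, *args, **kwargs)
        return wrapper
    return deco


class LeakyAccount:
    """is_solvent() records each call in a public field: NOT observationally pure."""

    def __init__(self, balance):
        self.balance = balance
        self.audits = 0  # visible to clients, so contract evaluation leaks

    def is_solvent(self):
        self.audits += 1
        return self.balance >= 0

    @requires(lambda self, amt: self.is_solvent() and amt > 0)
    def withdraw(self, amt):
        self.balance -= amt


class CachingAccount:
    """is_solvent() memoises into a private cache that every write invalidates."""

    def __init__(self, balance):
        self.balance = balance
        self._solvency_cache = None  # private; clients cannot observe it

    def is_solvent(self):
        if self._solvency_cache is None:  # the only state change in the contract
            self._solvency_cache = self.balance >= 0
        return self._solvency_cache

    @requires(lambda self, amt: self.is_solvent() and amt > 0)
    def withdraw(self, amt):
        self.balance -= amt
        self._solvency_cache = None  # obligation: invalidate on every write


def run_scenario(cls, check):
    """Run a fixed sequence of calls and return the account's public state."""
    global CHECK_CONTRACTS
    CHECK_CONTRACTS = check
    try:
        acct = cls(100)
        acct.withdraw(30)
        acct.withdraw(20)
        return {k: v for k, v in vars(acct).items() if not k.startswith("_")}
    finally:
        CHECK_CONTRACTS = True


def is_observationally_pure(cls):
    """Dynamic heuristic (not the paper's static analysis): public state must
    not depend on whether the contracts were evaluated."""
    return run_scenario(cls, True) == run_scenario(cls, False)


def precondition_rejects(cls, amt):
    """True if withdraw's precondition rejects amt on a fresh account."""
    try:
        cls(100).withdraw(amt)
    except AssertionError:
        return True
    return False


if __name__ == "__main__":
    for cls in (LeakyAccount, CachingAccount):
        print(cls.__name__, "checked:", run_scenario(cls, True),
              "unchecked:", run_scenario(cls, False),
              "pure:", is_observationally_pure(cls))
```

The comparison is only as strong as the scenario it runs; the cache invalidation in `CachingAccount.withdraw` is exactly the obligation a static analysis would have to discharge for every write to `balance`, which a single dynamic run cannot establish.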


Keywords: Secure Information, Garbage Collection, Proof Obligation, Object Invariant, Pure Function




References

  1. Abadi, M., Banerjee, A., Heintze, N., Riecke, J.G.: A core calculus of dependency. In: ACM Symp. on Princ. of Program. Lang. (POPL) (1999)
  2. Amtoft, T., Bandhakavi, S., Banerjee, A.: A logic for information flow in object-oriented programs. In: POPL (2006) (Extended version available as KSU CIS-TR-2005-1)
  3. Banerjee, A., Naumann, D.A.: Ownership confinement ensures representation independence for object-oriented programs. Journal of the ACM 52(6), 894–960 (2005)
  4. Banerjee, A., Naumann, D.A.: Stack-based access control for secure information flow. Journal of Functional Programming 15(2), 131–177 (2005); Special issue on Language Based Security
  5. Banerjee, A., Naumann, D.A.: State based ownership, reentrance, and encapsulation. In: Black, A.P. (ed.) ECOOP 2005. LNCS, vol. 3586, pp. 387–411. Springer, Heidelberg (2005)
  6. Barnett, M., DeLine, R., Fähndrich, M., Leino, K.R.M., Schulte, W.: Verification of object-oriented programs with invariants. Journal of Object Technology 3(6), 27–56 (2004); Special issue: ECOOP 2003 workshop on Formal Techniques for Java-like Programs
  7. Barnett, M., Leino, K.R.M., Schulte, W.: The Spec# programming system: An overview. In: CASSIS post-proceedings (2004)
  8. Barnett, M., Naumann, D.A., Schulte, W., Sun, Q.: 99.44% pure: Useful abstractions in specifications. In: ECOOP workshop on Formal Techniques for Java-like Programs (FTfJP), Technical Report NIII-R0426, University of Nijmegen (2004)
  9. Barnett, M., Naumann, D.A., Schulte, W., Sun, Q.: Allowing state changes in specifications. Technical Report MSR-TR-2006-22, Microsoft Research (2006)
  10. Barnett, M., Schulte, W.: Runtime verification of .NET contracts. The Journal of Systems and Software 65(3), 199–208 (2003)
  11. Barthe, G., Naumann, D.A., Rezk, T.: Deriving an information flow checker and certifying compiler for Java. In: 27th IEEE Symposium on Security and Privacy (May 2006) (to appear)
  12. Clarke, D.: Object ownership and containment. Dissertation, Computer Science and Engineering, University of New South Wales, Australia (2001)
  13. Clarke, D., Drossopoulou, S.: Ownership, encapsulation and the disjointness of type and effect. In: OOPSLA, pp. 292–310 (November 2002)
  14. de Roever, W.-P., Engelhardt, K.: Data Refinement: Model-Oriented Proof Methods and their Comparison. Cambridge University Press, Cambridge (1998)
  15. Denning, D., Denning, P.: Certification of programs for secure information flow. Communications of the ACM 20(7), 504–513 (1977)
  16. Flanagan, C., Leino, K.R.M., Lillibridge, M., Nelson, G., Saxe, J.B., Stata, R.: Extended static checking for Java. In: ACM Conf. on Program. Lang. Design and Implementation (PLDI), pp. 234–245 (2002)
  17. Grothoff, C., Palsberg, J., Vitek, J.: Encapsulating objects with confined types. In: OOPSLA (2001)
  18. Hoare, C.A.R.: Proofs of correctness of data representations. Acta Informatica 1, 271–281 (1972)
  19. Hogg, J., Lea, D., Wills, A., de Champeaux, D., Holt, R.: The Geneva Convention on the treatment of object aliasing. OOPS Messenger 3(2), 11–16 (1992)
  20. Leavens, G.T., Cheon, Y., Clifton, C., Ruby, C., Cok, D.R.: How the design of JML accommodates both runtime assertion checking and formal verification. Technical Report 03-04, Department of Computer Science, Iowa State University (March 2003)
  21. Leavens, G.T., Cheon, Y., Clifton, C., Ruby, C., Cok, D.R.: How the design of JML accommodates both runtime assertion checking and formal verification. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.-P. (eds.) FMCO 2002. LNCS, vol. 2852, pp. 262–284. Springer, Heidelberg (2003)
  22. Leino, K.R.M.: A myth in the specification of programs. Manuscript KRML62 (available from the author)
  23. Leino, K.R.M., Müller, P.: Object invariants in dynamic contexts. In: Odersky, M. (ed.) ECOOP 2004. LNCS, vol. 3086, pp. 491–515. Springer, Heidelberg (2004)
  24. Meyer, B.: Object-oriented Software Construction, 2nd edn. Prentice Hall, Englewood Cliffs (1997)
  25. Mitchell, J.C.: Foundations for Programming Languages. MIT Press, Cambridge (1996)
  26. Müller, P., Poetzsch-Heffter, A., Leavens, G.T.: Modular invariants for object structures. Science of Computer Programming (to appear, 2006)
  27. Myers, A.C.: JFlow: Practical mostly-static information flow control. In: ACM Symp. on Princ. of Program. Lang. (POPL), pp. 228–241 (1999)
  28. Naumann, D.A.: Observational purity and encapsulation. In: Cerioli, M. (ed.) FASE 2005. LNCS, vol. 3442, pp. 190–204. Springer, Heidelberg (2005)
  29. Pottier, F., Conchon, S.: Information flow inference for free. In: Proceedings of the fifth ACM International Conference on Functional Programming, pp. 46–57 (2000)
  30. Pottier, F., Simonet, V.: Information flow inference for ML. ACM Transactions on Programming Languages and Systems 25(1), 117–158 (2003)
  31. Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Selected Areas in Communications 21(1), 5–19 (2003)
  32. Sălcianu, A., Rinard, M.: A combined pointer and purity analysis for Java programs. Technical Report MIT-CSAIL-TR-949, Department of Computer Science, Massachusetts Institute of Technology (May 2004)
  33. Sun, Q., Banerjee, A., Naumann, D.A.: Modular and constraint-based information flow inference for an object-oriented language. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 84–99. Springer, Heidelberg (2004)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Mike Barnett (1)
  • David A. Naumann (2)
  • Wolfram Schulte (1)
  • Qi Sun (2)
  1. Microsoft Research, Redmond, USA
  2. Stevens Institute of Technology, Hoboken, USA
