Results 21 - 30 of 43
Subtyping for Mutable Types in Object-Oriented Programming Languages
- 1992
Cited by 9 (2 self)
... data types; F.3.1 [Logics and Meanings of Programs] Specifying and verifying and reasoning about programs --- logics of programs. F.3.2 [Logics and Meanings of Programs] Semantics of Programming Languages --- algebraic approaches to semantics, denotational semantics. Submitted to the European Conference on Object-Oriented Programming, ECOOP '93. © Krishna Kishore Dhara and Gary T. Leavens, 1992. All rights reserved. Department of Computer Science, 226 Atanasoff Hall, Iowa State University, Ames, Iowa 50011-1040, USA.
Subtyping for mutable types in object-oriented programming languages. Krishna Kishore Dhara and Gary T. Leavens, Department of Computer Science, 226 Atanasoff Hall, Iowa State University, Ames, Iowa 50011-1040, USA (dhara@cs.iastate.edu, leavens@cs.iastate.edu). November 24, 1992.
Abstract: Subtype relationships in object-oriented programming languages are studied to aid code reuse and reasoning about programs that use subtype polymorphism. We define what it means...
A Quick Overview of Larch/C++
- JOURNAL OF OBJECT-ORIENTED PROGRAMMING, 1994
Cited by 9 (3 self)
This paper gives a quick overview of Larch/C++, an interface specification language for C++. Through examples, we explain declarations, function specifications, class specifications, and template specifications. An extended example is given in the last section. The reader is assumed to have some familiarity with C++. The reader should have some familiarity with the idea of formal specification, but is not required to be familiar with the Larch approach to formal specification.
Protective interface specifications
- Iowa State University, Department of Computer Science, 1997
Cited by 9 (4 self)
The interface specification of a procedure describes the procedure's behavior using pre- and postconditions. These pre- and postconditions are written using various functions. If some of these functions are partial, or underspecified, then the procedure specification may not be well-defined. We show how to write pre- and postcondition specifications that avoid such problems, by having the precondition "protect" the postcondition from the effects of partiality and underspecification. We formalize the notion of protection from partiality in the context of specification languages like VDM-SL and COLD-K. We also formalize the notion of protection from underspecification for the Larch family of specification languages, and for Larch show how one can prove that a procedure specification is protected from the effects of underspecification.
Using Abstraction in Explicitly Parallel Programs
- Dept. of Electrical Engineering and Computer Science, MIT, 1990
Cited by 8 (5 self)
Using Abstraction in Explicitly Parallel Programs, by Katherine Anne Yelick. © Massachusetts Institute of Technology, 1990. This report is a revised version of the author's thesis, which was submitted to the Department of Electrical Engineering and Computer Science on December 31, 1990 in partial fulfillment of the requirements for the degree of Doctor of Philosophy at the Massachusetts Institute of Technology. The thesis was supervised by John V. Guttag. The author's current address is the Computer Science Division, University of California, Berkeley, CA 94720.
Abstract: It is well-known that writing parallel programs that are both fast and correct is significantly harder than writing sequential ones. In this thesis we introduce a transition-based approach to the design and implementation of parallel programs. This approach is aimed at applications whose complex data and control structures make them hard to parallelize by conventional means. It is based on a programming model with explicit pa...
Specifying Weak Sets
Cited by 8 (4 self)
We present formal specifications of a new abstraction, weak sets, which can be used to alleviate high latencies when retrieving data from a wide-area information system like the World Wide Web. In the presence of failures, concurrency, and distribution, clients performing queries may observe behavior that is inconsistent with the stringent semantic requirements of mathematical sets. For example, an element retrieved and returned to the client may be subsequently deleted before the query terminates. We chose to specify formally the behavior of weak sets because we wanted to understand the varying degrees of inconsistency clients might be willing to tolerate and to understand the tradeoff between providing strong consistency guarantees and implementing weak sets efficiently. Our specification assertion language uses a novel construct that lets us model reachability explicitly; with it, we can distinguish between the existence of an object and its accessibility. These specifications were instrum...
Dynamic Verification of C++ Generic Algorithms
- IEEE Transactions on Software Engineering, 1997
Cited by 8 (0 self)
Dynamic verification is a new approach to formal verification, applicable to generic algorithms such as those found in the Standard Template Library (STL, part of the Draft ANSI/ISO C++ Standard Library). Using behavioral abstraction and symbolic execution techniques, verifications are carried out at a meta-level such that the results can be used in a variety of instances of the generic algorithms without repeating the proofs. This is achieved by substituting for type parameters of generic algorithms special data types that model generic concepts by accepting symbolic inputs and deducing outputs using inference methods. By itself, this symbolic execution technique supports testing of programs with symbolic values at a meta-level. For formal verification we also need to generate multiple program execution paths and use assertions (to handle while loops, for example), but we show how this can be achieved via directives to a conventional debugger program and an analysis database. The asse...
Preliminary Design of Larch/C++
- PROCEEDINGS OF THE FIRST INTERNATIONAL WORKSHOP ON LARCH, JULY, 1992, WORKSHOPS IN COMPUTING, 1992
Cited by 7 (2 self)
We describe the problems encountered in the design of Larch/C++, especially its object-oriented features. We discuss a range of possible solutions to these problems, and give the rationale for our particular solutions. We also present examples of Larch/C++ specifications and discuss differences from Larch/C.
A sound assertion semantics for the dependable systems evolution verifying compiler
- In International Conference on Software Engineering, 2007
Cited by 7 (3 self)
The Verifying Compiler (VC) project is a core component of the Dependable Systems Evolution Grand Challenge. The VC offers the promise of automatically proving that a program or component is correct, where correctness is defined by program assertions. While several VC prototypes exist, all adopt a semantics for assertions that is unsound. This paper presents a consolidation of VC requirements analysis activities that, in particular, brought us to ask targeted VC customers what kind of semantics they wanted. Taking into account both practitioners' needs and current technological factors, we offer recovery of soundness through an adjusted definition of assertion validity that matches user expectations and can be implemented practically using current prover technology. We describe how support for the new semantics has been added to ESC/Java2, one of the most fully developed VC prototypes. Preliminary results demonstrate the effectiveness of the new semantics at uncovering previously indiscernible specification errors.
Extending Model Checking with Dynamic Analysis
Cited by 6 (4 self)
In model-driven verification a model checker executes a program by embedding it within a test harness, thus admitting program verification without the need to translate the program, which runs as native code. Model checking techniques in which code is actually executed have recently gained popularity due to their ability to handle the full semantics of actual implementation languages and to support verification of rich properties. In this paper, we show that combination with dynamic analysis can, with relatively low overhead, considerably extend the capabilities of this style of model checking. In particular, we show how to use the CIL framework to instrument code in order to allow the SPIN model checker, when verifying C programs, to check additional properties, simulate system resets, and use local coverage information to guide the model checking search. An additional benefit of our approach is that instrumentations developed for model checking may be used without modification in testing or monitoring code. We are motivated by experience in applying model-driven verification to JPL-developed flight software modules, from which we take our example applications. We believe this is the first investigation in which an independent instrumentation for dynamic analysis has been integrated with model checking.

