The Spec# Programming System: An Overview
, 2004
Cited by 380 (45 self)
Spec# is the latest in a long line of work on programming languages and systems aimed at improving the development of correct software. This paper describes the goals and architecture of the Spec# programming system, consisting of the object-oriented Spec# programming language, the Spec# compiler, and the Boogie static program verifier. The language includes constructs for writing specifications that capture programmer intentions about how methods and data are to be used, the compiler emits run-time checks to enforce these specifications, and the verifier can check the consistency between a program and its specifications. The Spec#
The Spec# Programming System: Challenges and Directions
- In Proceedings of the International Conference on Verified Software: Theories, Tools, Experiments
, 2005
Combining the Robustness of Checked Exceptions with the Flexibility of Unchecked Exceptions using Anchored Exception Declarations
, 2005
Cited by 11 (5 self)
Ever since their invention 30 years ago, checked exceptions have been a point of much discussion. On the one hand, they increase the robustness of software by preventing the manifestation of unanticipated checked exceptions at run-time. On the other hand, they decrease the adaptability of software because they must be propagated explicitly, and must often be handled even if they cannot be signalled. We show that these problems are caused by a conflict between the exceptional interface of a method and the principle of abstraction. We then solve this conflict by introducing anchored exception declarations, which allow the exceptional behaviour of a method to be declared relative to that of others. We present their formal semantics, along with the necessary rules for ensuring compile-time safety, and give a proof of correctness. We show that anchored exception declarations do not violate the principle of information hiding when used properly, and provide a guideline for when to use them. We have implemented anchored exception declarations as an extension to the ClassicJava programming language, called Cappuccino.
Practical Exception Specifications
Cited by 8 (1 self)
Exception specifications can aid in the tasks of writing correct exception handlers and understanding exceptional control flow, but current exception specification systems are impractical in a number of ways. In particular, they are too low-level, too heavyweight, and do not provide adequate support for describing exception policies. We have identified the essential properties of a practical exception specification system and we present a methodology and tool that provides integrated support for specifying, understanding, and evolving exception policies. The annotations required of the programmer are lightweight and easier to maintain than those of current systems; in our studies we observed a 50% to 93% reduction in annotations. By leveraging these annotations, our system provides scalable support for understanding exception flow and for modifying exception annotations.
Iterators Revisited: Proof Rules and Implementation
- In Workshop on Formal Techniques for Java-like Programs (FTFJP)
, 2005
Cited by 5 (1 self)
The Iterator design pattern allows client code to access the elements of an aggregate object sequentially without exposing its underlying representation. Several modern
Sound reasoning about unchecked exceptions
- In Proc. ICFEM
, 2007
Cited by 3 (2 self)
In most software development projects, it is not feasible for developers to handle explicitly all possible unusual events which may occur during program execution, such as arithmetic overflow, highly unusual environment conditions, heap memory or call stack exhaustion, or asynchronous thread cancellation. Modern programming languages provide unchecked exceptions to deal with these circumstances safely and with minimal programming overhead. However, reasoning about programs in the presence of unchecked exceptions is difficult, especially in a multithreaded setting where the system should survive the failure of a subsystem. We propose a static verification approach for multithreaded programs with unchecked exceptions. Our approach is an extension of the Spec# verification methodology for object-oriented programs. It verifies that objects encapsulating shared resources are always ready to be disposed of, by allowing ownership transfers to other threads only through well-nested parallel execution operations. Also, the approach prevents developers from relying on invariants that may have been broken by a failure. We believe the programming style enforced by our approach leads to better programs, even in the absence of formal verification. The proposed approach enables developers using mainstream languages to gain some of the benefits of approaches based on isolated sub-processes. We believe this is the first verification approach that soundly verifies common exception handling and locking patterns in the presence of unchecked exceptions.
Supervised by:
, 2007
“The earlier errors are found, the less costly they are to fix!” Code consumers make high demands on software applications. By providing a certificate associated with a program, the code producers can guarantee the properties the consumer demands. The project team of MOBIUS is developing techniques to verify security and functional properties of Java programs in order to generate certificates. Based on ESC/Java2, an already existing static checker, the new environment of MOBIUS produces proof obligations for difficult security properties that have to be discharged manually, using Coq. In order to achieve this, we integrate a new direct Verification Condition generator (VCGen) into ESC/Java2. This master's thesis covers the work needed to integrate this VCGen. We developed the translations of code specifications into first-order logic terms. Code specifications, which specify the functional behavior of a particular program, are annotations written in the Java Modeling Language (JML). We have defined
Certificate Translation for . . .
Proof Carrying Code provides trust in mobile code by requiring certificates that ensure the code's adherence to specific conditions. The prominent approach to generating certificates for compiled code is Certifying Compilation, which automatically generates certificates for simple safety properties. In this work, we present Certificate Translation, a novel extension for standard compilers that automatically transforms formal proofs of more expressive and complex properties of the source program into certificates for the compiled code. The article outlines the principles of certificate translation, instantiated for a non-optimizing compiler and for standard compiler optimizations in the context of an intermediate RTL language.

