Results 1 - 10 of 20
Regional logic for local reasoning about global invariants
In European Conference on Object Oriented Programming (ECOOP), 2008
Cited by 46 (7 self)
Shared mutable objects pose grave challenges in reasoning, especially for data abstraction and modularity. This paper presents a novel logic for error-avoiding partial correctness of programs featuring shared mutable objects. Using a first order assertion language, the logic provides heap-local reasoning about mutation and separation, via ghost fields and variables of type ‘region’ (finite sets of object references). A new form of modifies clause specifies write, read, and allocation effects using region expressions; this supports effect masking and a frame rule that allows a command to read state on which the framed predicate depends. Soundness is proved using a standard program semantics. The logic facilitates heap-local reasoning about object invariants: disciplines such as ownership are expressible but not hard-wired in the logic.
Expressive declassification policies and modular static enforcement
In IEEE Symposium on Security and Privacy, 2008
Cited by 19 (1 self)
This paper provides a way to specify expressive declassification policies, in particular, when, what, and where policies that include conditions under which downgrading is allowed. Secondly, an end-to-end semantic property is introduced, based on a model that allows observations of intermediate low states as well as termination. An attacker’s knowledge only increases at explicit declassification steps, and within limits set by policy. Thirdly, static enforcement is provided by combining type-checking with program verification techniques applied to the small subprograms that carry out declassifications. Enforcement is proved sound for a simple programming language and the extension to object-oriented programs is described.
Ownership, uniqueness and immutability
In TOOLS, 2007
Cited by 10 (3 self)
Programming in an object-oriented language demands a fine balance between high degrees of expressiveness and control. At one level, we need to permit objects to interact freely to achieve our implementation goals. At a higher level, we need to enforce architectural constraints so that the system can be understood by new developers and can evolve as requirements change. To resolve this tension, numerous explorers have ventured out into the vast landscape of type systems expressing ownership and behavioural restrictions such as immutability. (Many have never returned.) This work in progress reports on our consolidation of the resulting discoveries into a single programming language. Our language, Joe3, imposes little additional syntactic overhead, yet can encode powerful patterns such as fractional permissions, and the reference modes of Flexible Alias Protection.
Flexible Immutability with Frozen Objects
Cited by 8 (2 self)
Object immutability is a familiar concept that allows safe sharing of objects. Existing language support for immutability is based on immutable classes. However, class-based approaches are restrictive because programmers can neither make instances of arbitrary classes immutable, nor can they control when an instance becomes immutable. These restrictions prevent many interesting applications where objects of mutable classes go through a number of modifications before they become immutable. This paper presents a flexible technique to enforce the immutability of individual objects by transferring their ownership to a special freezer object, which prevents further modification. The paper demonstrates how immutability facilitates program verification by extending the Boogie methodology for object invariants to immutable objects. The technique is based on Spec#’s dynamic ownership, but the concepts also apply to other ownership systems that support transfer.
Static Inference of Universe Types
In IWACO, 2008
Cited by 7 (1 self)
The Universe type system is an ownership type system which enforces the owners-as-modifiers model. In this paper, we present a static analysis for inference of Universe types. We have implemented the analysis and performed preliminary experiments. Our results are promising.
Universe Types for Topology and Encapsulation
Cited by 7 (4 self)
The Universe Type System is an ownership type system for object-oriented programming languages that hierarchically structures the object store; it is used to reason modularly about programs. We formalise Universe Types for a core subset of Java in two steps: We first define a Topological Type System that structures the object store hierarchically into an ownership tree, and demonstrate soundness of the Topological Type System by proving subject reduction. Motivated by concerns of modular verification, we then present an Encapsulation Type System that enforces the owner-as-modifier discipline; that is, that object updates are initiated by the owner of the object. The contributions of this paper are, firstly, an extensive type-theoretic account of the Universe Type System, with explanations and complete proofs, and secondly, the clean separation of the topological from the encapsulation concerns.
An Admissible Second Order Frame Rule in Region Logic
2008
Cited by 3 (3 self)
Shared mutable objects and reentrant callbacks can subvert encapsulation in object-based programs. For modular reasoning, verifiers rely on methodologies. These combine special annotations or types with instrumentation (ghost state) and syntactic restrictions on programs and specifications, which pose challenges for proving soundness and for comparing/combining methodologies. This paper formalizes a second order frame rule, similar to that of separation logic but for a logic with explicit regions. The rule captures proof obligations of invariant methodologies such as ownership for dynamically instantiable abstractions, using an extended provability judgement that threads a state-based separation discipline through a proof to points where encapsulation is at risk. Soundness with respect to a standard semantics is proved by an admissibility argument.
Ownership type systems and dependent classes
In Foundations of Object-Oriented Languages (FOOL), 2008
Cited by 3 (2 self)
Ownership type systems structure the heap and enforce restrictions on the behavior of a program. Benefits of ownership type systems include simplified program verification, absence of race conditions and deadlocks, and enforcement of architectural styles. Dependent classes are a generalization of virtual class systems that allows one class to depend on multiple objects. Dependency is expressed by explicit declaration of the depended-upon objects as class parameters. This allows one to declare dependencies independently of the nesting of classes, which increases the expressive power and reduces the coupling between classes. In this paper, we describe how ownership type systems can be expressed on top of dependent classes. The ownership type systems are split into two parts: (1) ensuring the topological structure of the heap and (2) enforcing restrictions on the behavior of the program. We present an encoding of the topological part in dependent classes and describe how to enforce the restrictions of ownership type systems directly on the dependent classes program. Finally, we present the encoding of some examples for the MVC interpreter and discuss future work.
Local Reasoning for Global Invariants, Part II: Dynamic Boundaries
Cited by 2 (1 self)
The hiding of internal invariants creates a mismatch between procedure specifications in an interface and proof obligations on the implementations of those procedures. The mismatch is sound if the invariants depend only on encapsulated state, but encapsulation is problematic in contemporary software due to the many uses of shared mutable objects. The mismatch is formalized here in a proof rule that achieves flexibility via explicit restrictions on client effects, expressed using ghost state and ordinary first order assertions. The restrictions amount to a stateful frame condition that must be satisfied by any client; this dynamic encapsulation boundary complements conventional scope-based encapsulation. The technical development is based on a companion paper, Part I, that presents a programming logic with stateful frame conditions for commands.
Checking and Measuring the Architectural Structural Conformance of Object-Oriented Systems
2007
Cited by 1 (1 self)
The benefits of architectural analyses are only achieved if one can guarantee that the implementation conforms to the architecture. We propose an approach for checking and measuring the structural conformance of a software system’s implementation to its execution architecture. In contrast to existing approaches, our approach uses static analyses, and works with existing Java-like programming languages, existing object-oriented designs and existing integrated development environments. We address the problem with a multi-pronged approach, as follows: (a) express and enforce architectural intent related to object encapsulation and communication directly in code using ownership domain annotations; (b) extract a sound execution architecture from the annotated program semi-automatically; (c) compare the as-built extracted architecture to the as-designed architecture semi-automatically; and (d) obtain a measure of conformance. We present an initial evaluation of the approach on two extended examples. In both cases, we extract as-built execution architectures that convey meaningful abstractions, convert them into standard component-and-connector architectures, and obtain measures of conformance between the as-designed and the as-built

