## Set interfaces for generalized typestate and data structure consistency verification (2006)

Venue: Theoretical Computer Science (submitted)

Citations: 3 (3 self)

### BibTeX

```bibtex
@MISC{Lam06setinterfaces,
  author = {Patrick Lam and Viktor Kuncak and Karen Zee and Martin Rinard},
  title  = {Set interfaces for generalized typestate and data structure consistency verification},
  year   = {2006}
}
```

### Abstract

Typestate systems allow the type of an object to change during its lifetime in the computation. Unlike standard type systems, they can enforce safety properties that depend on changing object states. We present a new, generalized formulation of typestate in terms of abstract sets. This abstract set formulation enables developers to reason about cardinalities of sets, and in particular to state and verify the condition that certain sets are empty. We support hierarchical typestate classifications by specifying subset and disjointness properties over the typestate sets. We present our formulation of typestate in the context of the Hob program specification and verification framework. The Hob framework allows the combination of typestate analysis with powerful, independently developed analyses such as shape analyses or theorem proving techniques. We implemented our analysis and annotated several programs (75-2500 lines of code) with set specifications. Our implementation includes several optimizations that improve the scalability of the analysis and a novel loop invariant inference algorithm that eliminates the need to specify loop invariants. We present experimental data demonstrating the effectiveness of our techniques.

### Citations

Design Patterns: Elements of Reusable Object-Oriented Software (5296 citations)
- Gamma, Helm, et al.
- 1995

Citation context: ...ists of three sections: the implementation section, the specification section, and the abstraction section. Our minesweeper implementation uses the standard model-view-controller (MVC) design pattern [16]; the Board module implements the model part of the MVC pattern. Figures 2, 3, and 4 present the three sections of the Board module. The implementation section contains the executable code for each pr...

Isabelle/HOL: a proof assistant for higher-order logic, volume 2283 (731 citations)
- Nipkow, Paulson, et al.
- 2002

Citation context: ...ontains a shape analysis plugin based on Pointer Assertion Logic Tool [31], and a theorem proving plugin [38] that uses a verification-condition generator and the Isabelle interactive proof assistant [32]. We used the flag analysis plugin to verify high-level properties in our benchmarks; we used the other two plugins to verify implementations of encapsulated data structures. Overall, most of the code...

Systematic design of program analysis frameworks (635 citations)
- Cousot, Cousot

Citation context: ...lues of derived sets. Operation of the Analysis Algorithm. The flag analysis verifies a module M by verifying each procedure of M. To verify a procedure, the analysis performs abstract interpretation [5] with analysis domain elements represented by formulas. Our analysis associates quantified set algebra formulas B to each program point. A formula B has two collections of set variables: unprimed set...

Automatic discovery of linear restraints among variables of a program (575 citations)
- Cousot, Halbwachs
- 1978

Citation context: ...of primed and unprimed variables allows our analysis to represent, for each program point p, a binary relation on states that overapproximates the reachability relation between procedure entry and p [6,17,35]. In addition to the abstract sets from the specification, the analysis also generates a set for each (object-typed) local variable. This set is either empty, indicating a null reference, or has cardi...

Parametric shape analysis via 3-valued logic (540 citations)
- Sagiv, Reps, et al.

Citation context: ...iate specialized analysis plugin [24]. Our approach therefore makes it possible, for the first time, to apply multiple specialized, extremely precise, and unscalable analyses such as shape analysis [31,34] or even manually aided theorem proving [38] to effectively verify sophisticated typestate and data structure consistency properties in sizable programs. Specification Language. Our specification lang...

Extended static checking for Java (522 citations)
- Flanagan, Leino, et al.
- 2002

Citation context: ...pproach taken by the ESC/Java and Boogie program checking tools; next, we discuss general properties of typestate systems and compare Hob's sets to typestate systems. Program checking tools. ESC/Java [14] is a program checking tool whose purpose is to identify common errors in programs using program specifications in a subset of the Java Modelling Language (JML) [3]. ESC/Java sacrifices soundness in t...

The Spec# programming system: An overview (452 citations)
- Barnett, Leino, et al.
- 2004

Citation context: ...ava Modelling Language (JML) [3]. ESC/Java sacrifices soundness in that it does not model all details of the program heap, but can detect some common programming errors. The Spec# programming system [1] adds similar features to C#, including the ability to specify method contracts, frame conditions and class contracts. These contracts may be verified at runtime or by the Boogie static verifier,...

Enforcing high-level protocols in low-level software (361 citations)
- DeLine, Fähndrich
- 2001

Citation context: ...oop invariant inference algorithm that eliminates the need to specify loop invariants. We present experimental data demonstrating the effectiveness of our techniques. 1 Introduction. Typestate systems [7,10,12,13,21,37] allow the type of an object to change during its lifetime in the computation. Unlike standard type systems, typestate systems can enforce safety properties that depend on changing object states. Th...

Two approaches to interprocedural data flow analysis (302 citations)
- Sharir, Pnueli
- 1981

Citation context: ...of primed and unprimed variables allows our analysis to represent, for each program point p, a binary relation on states that overapproximates the reachability relation between procedure entry and p [6,17,35]. In addition to the abstract sets from the specification, the analysis also generates a set for each (object-typed) local variable. This set is either empty, indicating a null reference, or has cardi...

An overview of JML tools and applications (291 citations)
- Burdy, Cheon, et al.
- 2005

Citation context: ...Program checking tools. ESC/Java [14] is a program checking tool whose purpose is to identify common errors in programs using program specifications in a subset of the Java Modelling Language (JML) [3]. ESC/Java sacrifices soundness in that it does not model all details of the program heap, but can detect some common programming errors. The Spec# programming system [1] adds similar features to C#...

Typestate: A programming language concept for enhancing software reliability (208 citations)
- Strom, Yemini
- 1986

Citation context: ...oop invariant inference algorithm that eliminates the need to specify loop invariants. We present experimental data demonstrating the effectiveness of our techniques. 1 Introduction. Typestate systems [7,10,12,13,21,37] allow the type of an object to change during its lifetime in the computation. Unlike standard type systems, typestate systems can enforce safety properties that depend on changing object states. Th...

Adoption and focus: practical linear types for imperative programming (157 citations)
- Fähndrich, DeLine

Citation context: ...oop invariant inference algorithm that eliminates the need to specify loop invariants. We present experimental data demonstrating the effectiveness of our techniques. 1 Introduction. Typestate systems [7,10,12,13,21,37] allow the type of an object to change during its lifetime in the computation. Unlike standard type systems, typestate systems can enforce safety properties that depend on changing object states. Th...

The Pointer Assertion Logic Engine (145 citations)
- Møller, Schwartzbach
- 2001

Citation context: ...iate specialized analysis plugin [24]. Our approach therefore makes it possible, for the first time, to apply multiple specialized, extremely precise, and unscalable analyses such as shape analysis [31,34] or even manually aided theorem proving [38] to effectively verify sophisticated typestate and data structure consistency properties in sizable programs. Specification Language. Our specification lang...

Typestates for objects (115 citations)
- DeLine, Fähndrich
- 2004

Citation context: ...ypestate of an object with aliases only in that set, then restore the typestate and reenable the use of the aliases [10]. It is also possible to support object-oriented constructs such as inheritance [8]. Finally, in the role system, the declared typestate of each object characterizes all of the references to the object, which enables the typestate system to check that the new typestate is compatible...

Performance Analysis of Parallelizing Compilers on the Perfect Benchmarks Programs (106 citations)
- Blume, Eigenmann
- 1992

Citation context: ...isExposed flag and removes the cell from the UnexposedList: Cell c = UnexposedList.getFirst(); Board.setExposed(c, true); drawCellEnd(c); 8.3 Water. Water is a port of the Perfect Club benchmark MDG [2]. It uses a predictor/corrector method to evaluate forces and potentials in a system of water molecules in the liquid state. The central loop of the computation performs a time step simulation. Each s...

Declaring and checking non-null types in an object-oriented language (104 citations)
- Fähndrich, Leino
- 2003

Avoiding exponential explosion: generating compact verification conditions (99 citations)
- Flanagan, Saxe
- 2001

Citation context: ...low merges, since most conjuncts are shared on both control-flow branches. The effects of these transformations appear similar to the effects of SSA form conversion in weakest precondition computation [15,29]. Basic Quantifier Elimination. We symbolically compute the composition of statement relations while computing postconditions by existentially quantifying over all state variables. However, most relat...

Role analysis (99 citations)
- Kuncak, Lam, et al.
- 2002

MONA implementation secrets (70 citations)
- Klarlund, Møller, et al.

Citation context: ...es set specifications by first constructing set algebra formulas whose validity implies the validity of the set specifications, then verifying these formulas using an off-the-shelf decision procedure [19]. The flag analysis plugin is important for two reasons. First, flag field values often reflect the high-level conceptual state of the entity that an object represents, and flag changes correspond to...

Fickle: Dynamic Object Re-Classification (68 citations)
- Drossopoulou, Damiani, et al.
- 2001

A relational approach to interprocedural shape analysis (45 citations)
- Jeannet, Loginov, et al.
- 2004

Citation context: ...of primed and unprimed variables allows our analysis to represent, for each program point p, a binary relation on states that overapproximates the reachability relation between procedure entry and p [6,17,35]. In addition to the abstract sets from the specification, the analysis also generates a set for each (object-typed) local variable. This set is either empty, indicating a null reference, or has cardi...

Generalized typestate checking for data structure consistency (44 citations)
- Lam, Kuncak, et al.
- 2005

Citation context: ...minesweeper implementation, and various small programs (see Section 8). Our inference algorithm successfully inferred all 15 invariants in our benchmark programs. In a previous version of our system [26], we used a simpler technique for loop invariant inference. The narrow applicability of our previous technique required us to manually supply loop invariants for most loops in our example programs. Be...

Efficient weakest preconditions (42 citations)
- Leino

Citation context: ...low merges, since most conjuncts are shared on both control-flow branches. The effects of these transformations appear similar to the effects of SSA form conversion in weakest precondition computation [15,29]. Basic Quantifier Elimination. We symbolically compute the composition of statement relations while computing postconditions by existentially quantifying over all state variables. However, most relat...

Consistency in hierarchical database systems (40 citations)
- Silberschatz, Kedem
- 1980

Citation context: ...of the child objects that that object owns. This hierarchical specification approach is reminiscent of hierarchical access specifications in Jade [33] and hierarchical locking mechanisms in databases [36]. Hob, on the other hand, is designed to support computations organized around a flat set of data structures. The constructs that eliminate specification aggregation cut across the procedure call hier...

The Design, Implementation and Evaluation of Jade, a Portable, Implicitly Parallel Programming Language (34 citations)
- Rinard
- 1994

Citation context: ...nts for the object that it directly accesses, not all of the child objects that that object owns. This hierarchical specification approach is reminiscent of hierarchical access specifications in Jade [33] and hierarchical locking mechanisms in databases [36]. Hob, on the other hand, is designed to support computations organized around a flat set of data structures. The constructs that eliminate specif...

Mona Version 1.4 User Manual (32 citations)
- Klarlund, Møller
- 2001

Citation context: ...current dataflow fact and A is the claim to be verified. The implication to be verified, B ⇒ A, is a formula in the boolean algebra of sets. We use the MONA decision procedure to check its validity [18], along with the transformations described in Section 5. 5 Boolean Algebra Formula Transformations. In our experience, applying several formula transformations drastically reduced the size of the formu...

Typestate verification: Abstraction techniques and complexity results (27 citations)
- Field, Goyal, et al.

Complexity of Boolean Algebras (27 citations)
- Kozen
- 1980

Citation context: ...red in that specification; it is an error if no such set or boolean variable has been declared. The expressive power of such formulas is the first-order theory of boolean algebras, which is decidable [20,30]. The decidability of the specification language ensures that analysis plugins can precisely propagate the specified relations between the abstract sets. 4 Overview of Flag Analysis. Our flag analysis...

An algorithm for deciding BAPA: Boolean Algebra with Presburger Arithmetic (26 citations)
- Kuncak, Nguyen, et al.
- 2005

Citation context: ...s first-order logic with transitive closure. Despite this expressive power, our set specification language is decidable and furthermore extends naturally to Boolean Algebra with Presburger Arithmetic [22,23]. The Flag Analysis Plugin. The generalized typestate analysis in the Hob system is implemented in the flag analysis plugin, which is the focus of this paper. The flag analysis plugin uses the values...

Heap monotonic typestates (25 citations)
- Fähndrich, Leino
- 2003

Symbolic evaluation methods for program analysis (24 citations)
- Clarke, Richardson
- 1981

Citation context: ...mprove the quality of our specifications by identifying errors in specifications. It is instructive to compare our technique to weakest precondition computation [15] and forward symbolic execution [4]. These techniques are optimized for the common case of assignment statements and perform relation composition and quantifier elimination in one step. Our technique achieves the same result, but is me...

Combining theorem proving with static analysis for data structure consistency (22 citations)
- Zee, Lam, et al.
- 2004

Citation context: ...oach therefore makes it possible, for the first time, to apply multiple specialized, extremely precise, and unscalable analyses such as shape analysis [31,34] or even manually aided theorem proving [38] to effectively verify sophisticated typestate and data structure consistency properties in sizable programs. Specification Language. Our specification language is the full first-order theory of the b...

Cross-cutting techniques in program specification and analysis (19 citations)
- Lam, Kuncak, et al.
- 2005

Citation context: ...sed or marked cell in the minesweeper game. Field declarations are grouped into formats. Multiple modules can contribute fields to the same format, allowing encapsulation at the granularity of fields [25]. The specification section contains the public interface for the module, expressed in terms of specification variables, including the global set-valued variables MarkedCells, MinedCells, ExposedCells...

Hob: a tool for verifying data structure consistency (19 citations)
- Lam, Kuncak, et al.
- 2007

Citation context: ...sets to internally represent its dataflow facts, it can propagate and verify these constraints in a precise way. Evaluation. We implemented our flag analysis plugin in the context of the Hob system [27,28]. In addition to the flag analysis plugin, the Hob system contains a shape analysis plugin based on Pointer Assertion Logic Tool [31], and a theorem proving plugin [38] that uses a verification-condit...

On our experience with modular pluggable analyses (16 citations)
- Lam, Kuncak, et al.
- 2004

Citation context: ...onsistency properties. The set specifications separate the analysis of a complex program into independent verification tasks, where each task is verified by an appropriate specialized analysis plugin [24]. Our approach therefore makes it possible, for the first time, to apply multiple specialized, extremely precise, and unscalable analyses such as shape analysis [31,34] or even manually aided theore...

Über Möglichkeiten im Relativkalkül (14 citations)
- Löwenheim
- 1915

Citation context: ...red in that specification; it is an error if no such set or boolean variable has been declared. The expressive power of such formulas is the first-order theory of boolean algebras, which is decidable [20,30]. The decidability of the specification language ensures that analysis plugins can precisely propagate the specified relations between the abstract sets. 4 Overview of Flag Analysis. Our flag analysis...

The first-order theory of sets with cardinality constraints is decidable (13 citations)
- Kuncak, Rinard
- 2004

Citation context: ...s first-order logic with transitive closure. Despite this expressive power, our set specification language is decidable and furthermore extends naturally to Boolean Algebra with Presburger Arithmetic [22,23]. The Flag Analysis Plugin. The generalized typestate analysis in the Hob system is implemented in the flag analysis plugin, which is the focus of this paper. The flag analysis plugin uses the values...

The Hob project web page. http://hob.csail.mit.edu (5 citations)
- Lam, Kuncak, et al.
- 2004

Citation context: ...sets to internally represent its dataflow facts, it can propagate and verify these constraints in a precise way. Evaluation. We implemented our flag analysis plugin in the context of the Hob system [27,28]. In addition to the flag analysis plugin, the Hob system contains a shape analysis plugin based on Pointer Assertion Logic Tool [31], and a theorem proving plugin [38] that uses a verification-condit...