## Checking well-formedness of pure-method specifications (2008)

Venue: Proc. Int. Symp. Formal Methods, Vol. 5014 of LNCS, Springer-Verlag, 2008

Citations: 12 (3 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Rudich08checkingwell-formedness,
  author    = {Arsenii Rudich and Ádám Darvas and Peter Müller},
  title     = {Checking well-formedness of pure-method specifications},
  booktitle = {Proc. Int. Symp. Formal Methods, Vol. 5014 of LNCS},
  publisher = {Springer-Verlag},
  year      = {2008},
  pages     = {68--83}
}
```

### Abstract

Contract languages such as JML and Spec# specify invariants and pre- and postconditions using side-effect free expressions of the programming language, in particular, pure methods. For such contracts to be meaningful, they must be well-formed: first, they must respect the partiality of operations, for instance, the preconditions of pure methods used in the contract; second, they must enable a consistent encoding of pure methods in a program logic, which requires that their specifications are satisfiable and that recursive specifications are well-founded. This paper presents a technique to check well-formedness of contracts. We give proof obligations that are sufficient to guarantee the existence of a model for the specification of pure methods. We improve over earlier work by providing a systematic solution including a soundness result and by supporting more forms of recursive specifications. Our technique has been implemented in the Spec# programming system.

### Citations

**The B-Book: Assigning Programs to Meanings** (Abrial, 1996; 810 citations)
Context: ...The work closest to ours is the approach of Hall et al., which shows how a model conjecture can be derived from a Z specification [16]. Partiality is handled by under-specification [26]. The B method [1] is similar to Z but is more focused on the notion of refinement. Satisfiability of the specification has to be proven in each refinement step. B allows users to add axioms whose consistency is not ch...

**Introduction to Metamathematics** (Kleene, 1952; 753 citations)
Context: ...interpretations of all parameters are defined and the vector of parameters belongs to the function domain. The interpretation of logical operators and quantifiers is defined according to Kleene logic [20]. A total interpretation maps a formula to a value in $\mathrm{Bool}_2 := \{T, F\}$, while a partial interpretation maps a formula to a value in $\mathrm{Bool}_3 := \{T, F, \bot\}$. A partial structure M can be extended to a total ...

**Systematic Software Development using VDM** (Jones, 1990; 669 citations)
Context: ...oms whose consistency is not checked. Thus, they may introduce unsoundness. B allows functions to be partial and requires specifications to be well-defined by using the ∆ formula transformer [4]. VDM [18] also checks satisfiability of specifications and allows the use of (possibly inconsistent) axioms. VDM uses LPF [3], a 3-valued logic. In contrast to our approach, well-definedness is not proven befo...

**Interactive Theorem Proving and Program Development. Coq'Art: The Calculus of Inductive Constructions** (Bertot, Castéran, 2004; 508 citations)
Context: ...ar how dependencies among specification elements are handled, and no soundness proof is provided. Jack [7] is a program verifier for JML annotated Java programs. The backend prover of the tool is Coq [6]. The tool axiomatizes pre- and postconditions of pure methods separately. This separation ensures that axioms are only instantiated when a pure-method call occurs in a given verification condition—as...

**The Spec# programming system: An overview** (Barnett, Leino, et al.; 480 citations)
Context: ...g more forms of recursive specifications. Our technique has been implemented in the Spec# programming system. 1 Introduction Contract languages such as the Java Modeling Language (JML) [21] and Spec# [2] specify invariants and pre- and postconditions using side-effect free expressions of the programming language. While contract languages are natural for programmers, they pose various challenges when ...

**Preliminary design of JML: A behavioral interface specification language for Java** (Leavens, Baker, et al., 1998; 422 citations)
Context: ...nd by supporting more forms of recursive specifications. Our technique has been implemented in the Spec# programming system. 1 Introduction Contract languages such as the Java Modeling Language (JML) [21] and Spec# [2] specify invariants and pre- and postconditions using side-effect free expressions of the programming language. While contract languages are natural for programmers, they pose various ch...

**Simplify: a Theorem Prover for Program Checking** (Detlefs, Nelson, et al., 2003; 379 citations)
Context: ...The proof obligations presented in the previous section are sufficient to show the well-formedness of a specification. However, they are not well-suited for automatic theorem provers such as Simplify [14] or Z3 for two reasons. First, the proof obligations to ensure consistency for postconditions (proof obligations (4) and (5)) contain existential quantifiers, for which automatic theorem provers often...

**A Tutorial Introduction to PVS** (Crow, Owre, et al., 1995; 88 citations)
Context: ...f these pure methods. In other words, we guarantee that the partiality constraints are satisfied and the axiomatization is consistent. Our approach differs from existing solutions for theorem provers [11, 22], where consistency is typically enforced by restricting specifications to conservative extensions, but no checks are performed for axioms. Since specifications of pure methods are axiomatic, the appr...

**ESC/Java2: Uniting ESC/Java and JML** (Cok, Kiniry, 2004; 79 citations)
Context: ...d logic. In contrast to our approach, well-definedness is not proven before the actual proof process, but is proven together with the validity of verification conditions. Program verifiers. ESC/Java2 [19] is an automatic extended static checker for Java programs annotated with JML specifications. The tool axiomatizes specifications of pure methods [10]. Consistency of the axiom system is not ensured, ...

**Java applet correctness: a developer-oriented approach** (Burdy, Requet, et al., 2003; 57 citations)
Context: ...to unsoundness. Recently, well-definedness checks have been added by Chalin [9] but it is not clear how dependencies among specification elements are handled, and no soundness proof is provided. Jack [7] is a program verifier for JML annotated Java programs. The backend prover of the tool is Coq [6]. The tool axiomatizes pre- and postconditions of pure methods separately. This separation ensures that...

**Practical reasoning about invocations and implementations of pure methods** (Darvas, Leino, 2007; 27 citations)
Context: ...h improves on existing solutions for program verifiers in three ways. First, it supports (mutually) recursive specifications, whereas in previous work recursive specifications are severely restricted [13, 12]. Second, our approach allows us to use the specification of one method to prove well-formedness of another, which is needed in many practical examples. Such dependencies are not discussed in previous...

**Avoiding the undefined by underspecification** (Gries, Schneider, 1995; 26 citations)
Context: ... calls are well-defined only for non-null receivers and when the precondition of the method is satisfied. This challenge can be solved by encoding partial functions as under-specified total functions [15]. However, it has been argued that such an encoding is counter-intuitive for programmers, is not well-suited for runtime assertion checking, and assigns meaning to bogus contracts instead of having th...

**Reasoning about method calls in interface specifications** (Darvas, Müller, 2006; 23 citations)
Context: ...re natural for programmers, they pose various challenges when contracts are encoded in the logic of a program verifier or theorem prover, especially when contracts use pure (side-effect free) methods [13]. This paper addresses two challenges related to pure-method specifications. The first challenge is how to ensure that a specification is well-defined, that is, that all partial operations are applied...

**Reasoning with specifications containing method calls and model fields** (Cok; 21 citations)
Context: ...ic of the program verifier. This is typically done by introducing an uninterpreted function symbol for each pure method m, whose properties are axiomatized based on m's contract and object invariants [10, 13]. A specification is consistent if this axiomatization is free from contradictions. Consistency is crucial for soundness. We present a technique to check consistency by showing that the contracts of p...

**A practical approach to partial functions in CVC Lite** (Berezin, Barrett, et al.; 17 citations)
Context: ... structures $[\varphi]^{2}_{M,e}$ in the standard way. Here, e is a variable assignment that maps the free variables of ϕ to values. For the interpretation in partial structures $[\varphi]^{3}_{M,e}$, we follow Berezin et al. [5]: intuitively, the interpretation of a function is defined if and only if the interpretations of all parameters are defined and the vector of parameters belongs to the function domain. The interpretat...

**A Sound Assertion Semantics for the Dependable Systems Evolution Verifying Compiler** (Chalin, 2007; 8 citations)
Context: ...nd, our approach allows us to use the specification of one method to prove well-formedness of another, which is needed in many practical examples. Such dependencies are not discussed in previous work [9, 13] and are not supported by program verifiers that perform consistency checks, such as Spec#. Neglecting dependencies leads to the rejection of well-formed specifications. Third, we prove consistency fo...

**Are the Logical Foundations of Verifying Compiler Prototypes Matching User Expectations?** Formal Aspects of Computing (Chalin, 2007; 7 citations)
Context: ...ued that such an encoding is counter-intuitive for programmers, is not well-suited for runtime assertion checking, and assigns meaning to bogus contracts instead of having them rejected by a verifier [8]. Another solution is the use of 3-valued logic, such as LPF [3]. However, 3-valued logic is typically not supported by the theorem provers that are used in program verifiers. We present a technique b...

**Well Defined B** (Behm, Burdy, et al., 1998; 2 citations)
Context: ...refore, we apply a technique that reduces the 3-valued domain to a 2-valued domain by ensuring that ⊥ is never encountered. This is a standard technique applied in different tools, for instance, in B [4], CVC Lite [5], and ESC/Java2 [9]. The main idea is to use the formula transformer ∆ [17, 4], which takes a (possibly open) formula ϕ and domain restriction δ, and produces a new formula ϕ′. The int...

**Model conjectures for Z specifications** (Hall, McDermid, et al., 1995; 2 citations)
Context: ...ems. Z is a formal specification language for computing systems [25]. The work closest to ours is the approach of Hall et al., which shows how a model conjecture can be derived from a Z specification [16]. Partiality is handled by under-specification [26]. The B method [1] is similar to Z but is more focused on the notion of refinement. Satisfiability of the specification has to be proven in each refi...

**On a formalization of the non-definedness notion.** Zeitschrift für Mathematische Logik und Grundlagen der Mathematik (Hoogewijs, 1979; 2 citations)
Context: ...o support standard theorem provers, which typically use 2-valued logic and total functions [22, 14]. Therefore, we express the proof obligations in 2-valued logic by applying the ∆ formula transformer [17] to the specification expressions. We proved the following soundness result: If all proof obligations for the pure methods of a program are proved then there is a partial model for the axiomatization ...
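The partial (Kleene) interpretation [20] and the ∆ formula transformer [17, 4] that the citation contexts above describe, as an added example in Python; this is not code from the paper or from its Spec# implementation. It uses a toy contract-expression language of nested tuples with two partial operations (`div`, defined only for a non-zero divisor, and `call`, defined only where the callee's precondition holds), two constructed pure methods (`inv` with precondition `arg != 0`, and `bad`, the same postcondition without the guard, which is the kind of bogus contract the page says a verifier should reject), and the symmetric ∆ clauses of Behm et al. (a conjunction is defined when both operands are, or when one is defined and false); whether the paper uses exactly these clauses is not shown on this page and is an assumption. `delta_is_exact` checks on a finite domain that ∆(ϕ) is total and holds exactly where ϕ is defined, `defined_everywhere` is the well-definedness obligation for one contract expression, and `spec_respects_partiality` is the obligation behind the first well-formedness condition in the abstract: ∆(pre) holds, and pre implies ∆(post). All names and the sample methods are the example's own.

```python
from functools import reduce
from itertools import product
BOTTOM = None  # undefined value, and the third truth value of Kleene logic
TRUE = ("eq", ("int", 0), ("int", 0))

# Hypothetical pure methods (constructed for this example): pre over "arg", post over "arg"/"result", impl = model
PURE_METHODS = {
    "inv": {"pre": ("not", ("eq", ("var", "arg"), ("int", 0))),
            "post": ("eq", ("var", "result"), ("div", ("int", 12), ("var", "arg"))),
            "impl": lambda n: 12 // n},
    "bad": {"pre": TRUE,  # same postcondition without the guard: 12 / arg is undefined at 0
            "post": ("eq", ("var", "result"), ("div", ("int", 12), ("var", "arg"))),
            "impl": lambda n: 12 // n if n else 0},
}

def kleene(e, env):  # partial interpretation: an int, a bool, or BOTTOM when undefined
    op = e[0]
    if op == "int":
        return e[1]
    if op == "var":
        return env[e[1]]
    if op == "not":
        p = kleene(e[1], env)
        return BOTTOM if p is BOTTOM else not p
    if op in ("and", "or"):
        p, q, decisive = kleene(e[1], env), kleene(e[2], env), op == "or"
        if p is decisive or q is decisive:  # one defined decisive operand settles it (strong Kleene)
            return decisive
        return BOTTOM if p is BOTTOM or q is BOTTOM else not decisive
    if op == "call":
        spec, a = PURE_METHODS[e[1]], kleene(e[2], env)
        if a is BOTTOM or kleene(spec["pre"], {"arg": a}) is not True:
            return BOTTOM  # argument outside the method's domain
        return spec["impl"](a)
    a, b = kleene(e[1], env), kleene(e[2], env)
    if a is BOTTOM or b is BOTTOM:
        return BOTTOM
    if op == "div":
        return BOTTOM if b == 0 else a // b
    return a == b if op == "eq" else a < b

def fold(op, *ps):  # fold("and", a, b, c) == ("and", ("and", a, b), c)
    return reduce(lambda acc, p: (op, acc, p), ps)

def subst(e, name, repl):  # replace variable `name` by expression `repl`
    if e[0] == "var":
        return repl if e[1] == name else e
    return (e[0],) + tuple(subst(x, name, repl) if isinstance(x, tuple) else x for x in e[1:])

def delta(e):
    """Delta transformer (symmetric clauses, an assumption here): a total formula, true iff e is defined."""
    op = e[0]
    if op in ("int", "var"):
        return TRUE
    if op == "not":
        return delta(e[1])
    if op in ("and", "or"):  # both defined, or one defined and decisive (false for and, true for or)
        p, q, dp, dq = e[1], e[2], delta(e[1]), delta(e[2])
        sp, sq = (("not", p), ("not", q)) if op == "and" else (p, q)
        return fold("or", fold("and", dp, dq), fold("and", dp, sp), fold("and", dq, sq))
    if op == "call":  # argument defined and the callee's precondition holds for it
        pre = subst(PURE_METHODS[e[1]]["pre"], "arg", e[2])
        return fold("and", delta(e[2]), delta(pre), pre)
    d = fold("and", delta(e[1]), delta(e[2]))
    return fold("and", d, ("not", ("eq", e[2], ("int", 0)))) if op == "div" else d

def free_vars(e):
    return {e[1]} if e[0] == "var" else set().union(*(free_vars(x) for x in e[1:] if isinstance(x, tuple)))

def envs(e, domain):  # every assignment of e's free variables over a finite domain
    names = sorted(free_vars(e))
    return [dict(zip(names, vs)) for vs in product(domain, repeat=len(names))]

def delta_is_exact(e, domain):  # delta(e) never yields BOTTOM and is true exactly where e is defined
    return all(kleene(delta(e), env) is (kleene(e, env) is not BOTTOM) for env in envs(e, domain))

def defined_everywhere(e, domain):  # the well-definedness obligation for e, discharged by enumeration
    return all(kleene(delta(e), env) is True for env in envs(e, domain))

def spec_respects_partiality(name, domain):  # delta(pre) holds, and pre implies delta(post)
    spec = PURE_METHODS[name]
    for n in domain:
        if kleene(delta(spec["pre"]), {"arg": n}) is not True:
            return False
        if kleene(spec["pre"], {"arg": n}) is True:  # result is the model's value, bound only inside pre
            if kleene(delta(spec["post"]), {"arg": n, "result": spec["impl"](n)}) is not True:
                return False
    return True

DOMAIN = range(-2, 4)
X, Y = ("var", "x"), ("var", "y")
RATIO = ("lt", ("int", 0), ("div", X, Y))                 # 0 < x / y: undefined when y == 0
GUARDED = ("and", ("not", ("eq", Y, ("int", 0))), RATIO)  # the guard makes it total under Kleene
CALL = ("eq", ("call", "inv", X), ("int", 6))             # inv(x) == 6: needs x != 0

if __name__ == "__main__":
    for label, e in (("RATIO", RATIO), ("GUARDED", GUARDED), ("CALL", CALL)):
        print(label, "exact:", delta_is_exact(e, DOMAIN), "total:", defined_everywhere(e, DOMAIN))
    print({m: spec_respects_partiality(m, DOMAIN) for m in PURE_METHODS})
```

`RATIO` and `CALL` fail the well-definedness obligation on the sample domain because it contains the undefined point; `GUARDED` passes, and with the symmetric clauses it would pass with the operands in either order, whereas a left-to-right (short-circuit) variant accepts only the guard-first form. The exactness check is the finite-domain shadow of the soundness statement in the last context above: discharging ∆(ϕ) in 2-valued logic is enough to know that ⊥ is never encountered when ϕ is interpreted partially.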