@MISC{Jacobs_inspectormethods, author = {Bart Jacobs and Frank Piessens}, title = {Inspector Methods for State Abstraction}, year = {} }
Abstract
Most classes in an object-oriented program provide access to an object’s state through methods, so that client code does not depend on and cannot interfere with the object’s internal representation composed of fields and internal component objects. In order to extend the benefits of methods to specifications, method contracts may themselves be expressed using methods, hence providing support for state abstraction in specifications. In this paper, we propose an approach to the verification of programs that use inspector methods in method contracts and object invariants. Inspector methods must not have side-effects and must not throw exceptions, but they may have parameters, and they may depend on the state of objects passed as arguments. Our approach builds on the Boogie methodology for object invariants and ownership. Performing state abstraction in a programming language that allows aliasing through object references poses a framing problem. Specifically, client code needs to be able to tell whether modifying a given object or calling a given method may affect the value of a given inspector method call. We solve this by modeling inspector methods as functions that take as arguments only those parts of the heap on which they depend. Thanks to a novel logical encoding of the heap, we can do this without breaking information hiding, even in cases where inspector methods depend on internal component objects. The core of our approach has been implemented in a custom build of the Spec# program verifier.
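As an added illustration (not code from the paper, from Spec#, or from Boogie), the following Python model sketches the framing problem the abstract describes: each inspector is modeled as a function over only the heap parts it depends on (an object plus the components it owns, and any argument objects), so a client can decide whether a write to some object may affect a given inspector call. The `Obj`/`footprint` representation and the stack example are assumptions made for this sketch, not the paper's heap encoding.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class Obj:
    """An object on a toy heap: a field map plus the component objects it owns (assumed model)."""
    oid: int
    fields: Dict[str, object] = field(default_factory=dict)
    owned: List["Obj"] = field(default_factory=list)

def footprint(o: Obj) -> Set[int]:
    """Heap part an inspector on `o` may read: `o` itself and its transitively owned components."""
    ids = {o.oid}
    for c in o.owned:
        ids |= footprint(c)
    return ids

def count(stack: Obj) -> int:
    """Inspector without parameters: reads the stack's owned list component."""
    return len(stack.owned[0].fields["items"])

def contains(stack: Obj, item: Obj) -> bool:
    """Inspector with a parameter: depends on the stack's state and on the argument's state."""
    return item.fields["key"] in stack.owned[0].fields["items"]

def may_affect(written: Obj, *inspector_args: Obj) -> bool:
    """Framing check: a write to `written` can change an inspector call only if `written`
    lies in the footprint of one of that call's arguments; otherwise the value is preserved."""
    return any(written.oid in footprint(a) for a in inspector_args)

def make_stack(oid: int, items) -> Obj:
    rep = Obj(oid * 10, {"items": list(items)})   # internal component, owned by the stack
    return Obj(oid, owned=[rep])

def demo():
    s1 = make_stack(1, ["a", "b"])
    s2 = make_stack(2, ["x"])
    k = Obj(3, {"key": "a"})
    before = count(s1)
    # Write to s2's internal component: outside s1's footprint, so count(s1) is framed.
    s2.owned[0].fields["items"].append("y")
    framed = not may_affect(s2.owned[0], s1)
    # Write to s1's own component: inside the footprint, so count(s1) cannot be assumed preserved.
    s1.owned[0].fields["items"].append("c")
    changed = may_affect(s1.owned[0], s1)
    # Writing the argument object may change contains(s1, k) even though s1 was untouched.
    k.fields["key"] = "z"
    arg_dep = may_affect(k, s1, k)
    return before, count(s1), framed, changed, arg_dep, contains(s1, k)
```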