DOCSLIB.ORG

Region Inference for an Object-Oriented Language

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Region Inference for an Object-Oriented Language Region Inference for an Object-Oriented Language £ £ ¤¡ £ ¥ Wei-Ngan Chin ¢¡ , Florin Craciun , Shengchao Qin , and Martin Rinard Computer Science Programme, Singapore-MIT Alliance £ Department of Computer Science, National University of Singapore ¥ Laboratory for Computer Science, Massachusetts Institute of Technology ¦ chinwn,craciunm,qinsc § @comp.nus.edu.sg, [email protected] ABSTRACT time tests for danglings can be omitted. Region-based memory management offers several important ad- There are two main approaches to prevent unsafe accesses. One vantages over garbage-collected heap, including real-time perfor- approach[12] uses a type-and-effect system to analyse regions that mance, better data locality and efficient use of limited memory. The might be accessed, so that those regions that are not being accessed concept of regions was first introduced for a call-by-value func- can be deallocated earlier, even if there are dangling references tional language by Tofte and Talpin, and has since been advocated to these regions. Another approach[8] prevents all potential dan- for imperative and object-oriented languages. Scope memory, a gling references (from older to younger regions) by ensuring that lexical variant of regions, is now a core feature in a recent proposal each object always point-to other objects in regions with equal or longer lifetimes. The former approach (no-dangling-access) may on Real-Time Specification for Java (RTSJ)[4]. 1 Recent works in region-based programming for Java have fo- yield more precise lifetimes , but the latter approach (no-dangling) cused on region-checking which requires manual effort in choos- is required by RTSJ and for co-existence with garbage collection. ing regions with appropriate lifetimes. In this paper, we propose an In both approaches, region annotation poses considerable mental automatic region-inference type system for a core subset of Java. overheads for programmers, not to mention compatibility problems To provide an inference method that is both precise and practical, with legacy code. In addition, the quality of hand-annotation varies, we support classes and methods that are region-polymorphic; and with sub-optimal outcome for less experienced programmers. with region-polymorphic recursion for methods. One challeng- In this paper, we provide a systematic attempt at formulating a ing aspect of our inference rules is to ensure safe region program- region inference type system for a core subset of Java. We shall ming in the presence of class subtyping, method overriding and adopt the no-dangling approach and make use of lexically scoped downcast operations. Our set of region inference rules can han- regions, where the last region to be created is the first to be deallo- dle these object-oriented features safely, without creating dangling cated. The adoption of stack of scoped regions (with determinable references. lifetimes) is intended to simplify our inference method, and for con- formance with RTSJ. Our main contributions are as follows: 1. INTRODUCTION ¨ To the best of our knowledge, no one has successfully for- In region-based memory management, each new object is added malised a sound and complete region inference method for to a region with a designated lifetime. While objects may be added object-oriented languages. We propose a systematic solution to their respective regions at different times, the entire set of ob- to this problem using a core subset of the Java language. jects in each region are freed simultaneously, when the region is ¨ deleted. Various studies have shown that region-based program- Our region type rules prevent dangling references by requir- ming can provide safe memory management with good real-time ing that all field references outlive the current object. We performance. Data locality is also improved when related objects formalise this explicitly through region lifetime constraints, are placed together in the same region. By classifying objects into without the need for an effect-based typing. regions based on their lifetimes, better utilization of memory can ¨ We support classes and methods with region-polymorphism. be achieved when dead regions are recovered on a timely basis. In addition, region polymorphic recursion is supported for Recently, several works have investigated region-based program- methods but not classes. This provides for an inference that ming for Java-based languages [17, 12, 11, 8]. Most of these works is precise and yet efficient. (e.g. [12, 8]) require programmers to manually annotate their pro- grams with regions. Region type-checking then guarantees that ¨ Our inference scheme has been crafted to support class sub- well-typed programs never access dangling references, so that run- typing and method overriding. Previous work [12] required “phantom regions” to ensure soundness of class inheritance which may cause a loss in lifetime precision. We propose an improved solution without phantom regions, where modular compilation can be guided by a global dependency graph. ¨ We provide a theorem stating the correctness of our inference scheme which always leads to well-typed programs that are 1However, experiments done in [24] indicates no noticeable per- . formance difference between the two approaches. region-safe. Such well-typed programs are guaranteed not to £ £('*) #%$ $ & create dangling references in either the store or stack. def meth £ £/ $ $ & £ . +-, def class +-, extends field meth ¨ $ & We also provide a compile-time analysis which ensures that $ 0 prim int 0 bool void $ & downcast operations are region-safe. Previous proposal for $ 1 a region-checking system (e.g. [6]) requires runtime checks +2,30 prim $ $ & for downcast operations. field 1 f £ '*) $ $ & 1 16587 meth mn( 4 ) ¨ '*) £9' / $ $ & 16587 We describe a prototype implementation of our region infer- . 4 ' '*) $ & ence system. Preliminary experiments suggest that our infer- $ 5 5©= 0 0 (cn) null 0;:<0 f ' ' £ & & 5>= 5 ence is competitive to hand annotation. 5 0 0 0 new cn( ) f ' ' £ £ 5>= 5 5 £ 0 0 0 mn( ) mn( ) ; ' ' 5 £ The remainder of this paper is organised as follows. Sec 2 in- 0 if then else troduces the language, called Core-Java, and its region-annotated target form. Sec 3 presents a set of guidelines for good region an- (a) The Source Language notation. Sec 4 is devoted to region inference. It formalises the £ £('*) $ & region inference rules and describes how method override conflicts #%$ def meth Q £ £/ $ $ & £ . can be rectified, together with correctness theorems. Sec 5 deals def class ca extends ca where rc field meth ¤CB $ & with the region-safety of downcast operations. Sec 6 reports on a $ @A preliminary experiment from our implementation of region infer- +-? cn $ $ & 0 ence. Sec 7 discusses related works, followed by some concluding prim int 0 bool void $ $ & 1 remarks in Sec 8. +-,D0 prim B £ $ $ & 1 t @A $ & 2. CORE-JAVA AND REGION TYPES field $ t f B £ £ '*) $ $ & 5E7 4 We present the syntax of a significant (subset of) Java-like lan- meth t mn @A ( t ) where rc '*) £F' / $ $ & 5E7 . guage named Core-Java in Fig 1(a), which will be adopted as the 4 t ' '*) $ $ & 5>= source language for our region inference process. Core-Java is de- 5 0;:<0 0 0 ( +G? ) null f ' ' £ & & 5 5>= 5 +-? 0 0 signed in the same minimalist spirit as Featherweight Java[26]. It 0 new ( ) f B B ' ' £ £ £ £ 5©= 5 5 £ @A 0 @A 0 supports assignments but is also an expression-oriented language 0 mn ( ) mn ( ) ; ' ' '*) 5 £ 0 0 where statements are expressions with the void type. Loops are if then else letreg A in $ $ & & & 6H £ £ KJ £ A 0IA A 0IA A 0 omitted, as their effects can be captured by tail-recursion. rc A B = = ML £ O O 0 0INE@A A The target language, called region-annotated Core-Java, is given 0 rc rc true QB £ / $ $ & & 7 = = O O in Fig 1(b). This language is extended with region types and region . A Q 4PNE@A rc constraints for each class and method. In addition, local regions with lexical scopes are introduced by the letreg declaration. (b) The Target Language Note that denotes a region variable, while ¡ represents a data £ variable. The suffix notation ¢ denotes a list of zero or more dis- tinct syntactic terms that are separated by appropriate separators, Figure 1: The Syntax of Core-Java ¤ while ¢ represents a list of one or more distinct syntactic terms. ¥§¦ ¡ ¡©¨ The syntactic terms, ¢ , could be , , , field, etc. For example, ¥§¦ ¥§¦ ¦ ! £ ¡ ¡ ¨ R*S ¡©¨ denotes where . stance, is a class annotated with region parameters £ The constraint indicates that the lifetime of region . Parameterization allows programmers to implement a £ is not shorter than that of £ . The constraint denotes that region-polymorphic class whose components can be allocated in £ £ and must be the same region, while denotes the different regions. The first region parameter is special: it refers converse. Note that this is a reserved data variable referring to the to the region in which a specified object of this class will be al- current object, while heap is a reserved region to denote the global located. All other regions should outlive this region via the con- C¥ GX X U ¨ heap with unlimited lifetime, that is for any : heap . straint T(UWV . That is the regions of the components ! Constraint abstraction from [23] of the form q rc (possibly in ) should have longer or equal lifetimes than denotes a parameterized constraint. For uniformity, the region con- the region (namely ) of its object. This condition, called no- straint of every class and method will be captured with a con- dangling requirement, can prevent dangling references completely, straint abstraction each. Region constraint for classes will also as it guarantees that each object can never reference another ob- ¥ be known as class invariant, and be denoted using either inv cn ¨ ject in a younger region. We do not impose region parameters ! or inv.cn , with the latter in constraint abstraction form.
Load more

Recommended publications
  • Structured Recursion for Non-Uniform Data-Types
    Structured recursion for non-uniform data-types by Paul Alexander Blampied, B.Sc. Thesis submitted to the University of Nottingham for the degree of Doctor of Philosophy, March 2000 Contents Acknowledgements .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 1 Chapter 1. Introduction .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 2 1.1. Non-uniform data-types .. .. .. .. .. .. .. .. .. .. .. .. 3 1.2. Program calculation .. .. .. .. .. .. .. .. .. .. .. .. .. 10 1.3. Maps and folds in Squiggol .. .. .. .. .. .. .. .. .. .. .. 11 1.4. Related work .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 14 1.5. Purpose and contributions of this thesis .. .. .. .. .. .. .. 15 Chapter 2. Categorical data-types .. .. .. .. .. .. .. .. .. .. .. .. 18 2.1. Notation .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 19 2.2. Data-types as initial algebras .. .. .. .. .. .. .. .. .. .. 21 2.3. Parameterized data-types .. .. .. .. .. .. .. .. .. .. .. 29 2.4. Calculation properties of catamorphisms .. .. .. .. .. .. .. 33 2.5. Existence of initial algebras .. .. .. .. .. .. .. .. .. .. .. 37 2.6. Algebraic data-types in functional programming .. .. .. .. 57 2.7. Chapter summary .. .. .. .. .. .. .. .. .. .. .. .. .. 61 Chapter 3. Folding in functor categories .. .. .. .. .. .. .. .. .. .. 62 3.1. Natural transformations and functor categories .. .. .. .. .. 63 3.2. Initial algebras in functor categories .. .. .. .. .. .. .. .. 68 3.3. Examples and non-examples .. .. .. .. .. .. .. .. .. .. 77 3.4. Existence of initial algebras in functor categories .. .. .. .. 82 3.5.
    [Show full text]
  • Assertions, Pre/Post- Conditions and Invariants
    9/14/12 Assertions, pre/post- conditions and invariants Section 2.1 in Walls and Mirrors Section 4.5 Rosen Programming as a contract n Specifying what each method does q Specify it in a comment before method's header n Precondition q What is assumed to be true before the method is executed q Caller obligation n Postcondition q Specifies what will happen if the preconditions are met q Method obligation 1 9/14/12 Class Invariants n A class invariant is a condition that all objects of that class must satisfy while it can be observed by clients n What about Points in Cloud? q boundaries? q center? What is an assertion? n An assertion is a statement that says something about the state of your program n Should be true if there are no mistakes in the program //n == 1 while (n < limit) { n = 2 * n; } // what could you state here? 2 9/14/12 What is an assertion? n An assertion is a statement that says something about the state of your program n Should be true if there are no mistakes in the program //n == 1 while (n < limit) { n = 2 * n; } //n >= limit //more? What is an assertion? n An assertion is a statement that says something about the state of your program n Should be true if there are no mistakes in the program //n == 1 while (n < limit) { n = 2 * n; } //n >= limit //n is the smallest power of 2 >= limit 3 9/14/12 assert Using assert: assert n == 1; while (n < limit) { n = 2 * n; } assert n >= limit; When to use Assertions n We can use assertions to guarantee the behavior.
    [Show full text]
  • Sound Invariant Checking Using Type Modifiers and Object Capabilities
    Sound Invariant Checking Using Type Modifiers and Object Capabilities. Isaac Oscar Gariano Victoria University of Wellington [email protected] Marco Servetto Victoria University of Wellington [email protected] Alex Potanin Victoria University of Wellington [email protected] Abstract In this paper we use pre existing language support for type modifiers and object capabilities to enable a system for sound runtime verification of invariants. Our system guarantees that class invariants hold for all objects involved in execution. Invariants are specified simply as methods whose execution is statically guaranteed to be deterministic and not access any externally mutable state. We automatically call such invariant methods only when objects are created or the state they refer to may have been mutated. Our design restricts the range of expressible invariants but improves upon the usability and performance of our system compared to prior work. In addition, we soundly support mutation, dynamic dispatch, exceptions, and non determinism, while requiring only a modest amount of annotation. We present a case study showing that our system requires a lower annotation burden compared to Spec#, and performs orders of magnitude less runtime invariant checks compared to the widely used ‘visible state semantics’ protocols of D, Eiffel. We also formalise our approach and prove that such pre existing type modifier and object capability support is sufficient to ensure its soundness. 2012 ACM Subject Classification Theory of computation → Invariants, Theory of computation → Program verification, Software and its engineering → Object oriented languages Keywords and phrases type modifiers, object capabilities, runtime verification, class invariants Digital Object Identifier 10.4230/LIPIcs.CVIT.2016.23 1 Introduction Object oriented programming languages provide great flexibility through subtyping and arXiv:1902.10231v1 [cs.PL] 26 Feb 2019 dynamic dispatch: they allow code to be adapted and specialised to behave differently in different contexts.
    [Show full text]
  • The Contract Pattern Permission Granted to Copy for Plop ’97 Conference
    Copyright 1997, Michel de Champlain The Contract Pattern Permission granted to copy for PLoP ’97 Conference. All other rights reserved. Michel de Champlain Department of Computer Science University of Canterbury, Christchurch, New Zealand [email protected] http://www.cosc.canterbury.ac.nz/~michel 12 August 1997 Abstract This paper describes the Contract pattern, an idiom that lets you apply assertions to guarantee pre-conditions and post-conditions of methods and invariants on the state of objects. This pattern can be used to develop reliable classes by making the Design by Contract methodology—introduced by Meyer in the specific context of the Eiffel language—available in Java and possibly other object-oriented languages. Intent Provide an implementation of the Design by contract methodology [Meyer88] for developing reliable classes and create robust objects in Java. This programming pattern lets you apply assertions to guarantee the pre-conditions and post-conditions of methods and invariants on the state of objects. Also Known As Design by contract Motivation Sometimes it’s necessary to restrict a class interface because you don’t want to provide all the possible input combinations for all collaborators. One way to achieve this goal is to make minimal and consistent methods that impose pre-conditions on input parameters. Moreover, you might want to ensure the class behavior by imposing post-conditions before methods return. You might also need to make sure that the class is always in a stable state. Such an approach can result in reliable classes to create robust objects. Consider for example a bounded counter that has both a lower and upper bound.
    [Show full text]
  • Safely Creating Correct Subclasses Without Superclass Code Clyde Dwain Ruby Iowa State University
    Iowa State University Capstones, Theses and Retrospective Theses and Dissertations Dissertations 2006 Modular subclass verification: safely creating correct subclasses without superclass code Clyde Dwain Ruby Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/rtd Part of the Computer Sciences Commons Recommended Citation Ruby, Clyde Dwain, "Modular subclass verification: safely creating correct subclasses without superclass code " (2006). Retrospective Theses and Dissertations. 1877. https://lib.dr.iastate.edu/rtd/1877 This Dissertation is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Retrospective Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. Modular subclass verification: Safely creating correct subclasses without superclass code by Clyde Dwain Ruby A dissertation submitted to the graduate faculty in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY Major: Computer Science Program of Study Committee Gary T. Leavens, Major Professor Samik Basu Clifford Bergman Shashi K. Gadia Jonathan D. H. Smith Iowa State University Ames, Iowa 2006 Copyright © Clyde Dwain Ruby, 2006. All rights reserved. UMI Number: 3243833 Copyright 2006 by Ruby, Clyde Dwain All rights reserved. UMI Microform 3243833 Copyright 2007 by ProQuest Information and Learning Company. All rights reserved. This microform edition is protected against unauthorized copying under Title 17, United States Code. ProQuest Information and Learning Company 300 North Zeeb Road P.O. Box 1346 Ann Arbor, MI 48106-1346 ii TABLE OF CONTENTS ACKNOWLEDGEMENTS .
    [Show full text]
  • 3. Design by Contract
    3. Design by Contract Oscar Nierstrasz Design by Contract Bertrand Meyer, Touch of Class — Learning to Program Well with Objects and Contracts, Springer, 2009. 2 Bertrand Meyer is a French computer scientist who was a Professor at ETH Zürich (successor of Niklaus Wirth) from 2001-2015. He is best known as the inventor of “Design by Contract”, and as the designer of the Eiffel programming language, which provides built-in for DbC. DbC was first described in a technical report by Meyer in 1986: https://en.wikipedia.org/wiki/Design_by_contract Who’s to blame? The components fit but the system does not work. Who’s to blame? The component developer or the system integrator? 3 DbC makes clear the “contract” between a supplier (an object or “component”) and its client. When something goes wrong, the contract states whose fault it is. This simplifies both design and debugging. Why DbC? > Design by Contract —documents assumptions (what do objects expect?) —simplifies code (no special actions for failure) —aids debugging (identifies who’s to blame) 4 As we shall see, DbC improves your OO design in several ways. First, contracts make explicit the assumptions under which an object (supplier) will work correctly. Second, they simplify your code, since no special action is required when things go wrong — the exception handling framework provides the necessary tools. Third, contracts help in debugging since errors are caught earlier, when contracts are violated, not when your program crashes because of an invalid state, and it is clear where to lay the blame for the violation (i.e., in the object or its client).
    [Show full text]
  • FORTH-ICS / TR 381 July 2006 'An Informal Proof on the Contradictory
    FORTH-ICS / TR 381 July 2006 ‘An Informal Proof on the Contradictory Role of Finalizers in a Garbage Collection Context’ Anthony Savidis ABSTRACT Garbage collection in OOP languages provides facilities to hook code that is executed upon object finalization. Semantically, the point in time that finalizer code is executed is not determined by the application logic, but by the garbage collection system. This fact renders a potential mismatch, since application-specific code, i.e. the finalizer implementation, normally affecting program state and control flow, is called automatically at a point in time that is indifferent to the application semantics. Although an analogous situation is observed in event-based systems, since event processors are called-back asynchronously by the underlying system, there is a fundamental difference: while event generation is essentially nondeterministic, originated from external event sources, object destruction is a semantic action that is always decided by applications. In summary, the mismatch is that although applications decide if and when destruction occurs, the garbage collector is responsible to commit the relevant code. We prove that this mismatch is due to the contradictory presence of finalizers in a garbage collection context. Page 1 Introduction Preface This technical report has been also motivated by requests from colleagues to report the informal proof for the contradictory role of finalizers in garbage collection, simply relying on informal common software engineering principles. Additionally, the reporting has been also motivated by arguments that came to my attention via personal communication that either the claim cannot be proved (I assume that “cannot prove” arguments are subject to formal proofs, so such arguments are more weak than the claim they attack), or that the claim is trivial requiring essentially no proof (intuitively true, but does not explain why Java, C#, Python, just to name a few languages, still adopt finalizers).
    [Show full text]
  • A Machine-Checked Proof for a Translation of Event-B Machines to JML
    A Machine-Checked Proof for a Translation of Event-B Machines to JML N´estorCata~no1,Camilo Rueda2, and Tim Wahls3 1 EAFIT Unviersity [email protected] 2 Camilo Rueda Pontificia Universidad Javeriana [email protected] 3 Tim Wahls Dickinson College [email protected] Abstract. We present a machine-checked soundness proof of a trans- lation of Event-B to the Java Modeling Language (JML). The transla- tion is based on an operator EB2Jml that maps Event-B events to JML method specifications, and deterministic and non-deterministic assign- ments to JML method post-conditions. This translation has previously been implemented as the EventB2Jml tool. We adopted a taking our own medicine approach in the formalisation of our proof so that Event-B as well as JML are formalised in Event-B and the proof is discharged with the Rodin platform. Hence, for any Event-B substitution (whether an event or an assignment) and for the JML method specification obtained by applying EventB2Jml to the substitution, we prove that the semantics of the JML method specification is simulated by the semantics of the sub- stitution. Therefore, the JML specification obtained as translation from the Event-B substitution is a refinement of the substitution. Our proof includes invariants and the standard Event-B initialising event, but it does not include full machines or Event-B contexts. We assume that the semantics of JML and Event-B operate both on the same initial and final states, and we justify our assumption. Keywords: Event-B, JML, EventB2Jml, Formal Proof, Translation, Rodin 1 Introduction arXiv:1309.2339v1 [cs.SE] 9 Sep 2013 In an earlier work [14], we have proposed a design methodology that combines the use of design-by-contract techniques with JML [36,29,33] and correctness-by- construction techniques with Event-B [1].
    [Show full text]
  • Verification of Object Oriented Programs Using Class Invariants
    Verification of Object Oriented Programs Using Class Invariants Kees Huizing and Ruurd Kuiper and SOOP?? Eindhoven University of Technology, PO Box 513, 5600 MB Eindhoven, The Netherlands, [email protected], [email protected] Abstract A proof system is presented for the verification and derivation of object oriented pro- grams with as main features strong typing, dynamic binding, and inheritance. The proof system is inspired on Meyer’s system of class invariants [12] and remedies its unsound- ness, which is already recognized by Meyer. Dynamic binding is treated in a flexible way: when throughout the class hierarchy overriding methods respect the pre- and post- conditions of the overridden methods, very simple proof rules for method calls suffice; more powerful proof rules are supplied for cases where one cannot or does not want to follow this restriction. The proof system is complete relative to proofs for properties of pointers and the data domain. 1 Introduction Although formal verification is not very common in the discipline of object oriented programming, the importance of formal specification is generally ac- knowledged ([12]). With the increased interest in component based develop- ment, it becomes even more important that components are specified in an un- ambiguous manner, since users or buyers of components often have no other knowledge about a component than its specification and at the same time rely heavily on its correct functioning in their framework. The specification of a class, sometimes called contract, usually contains at least pre- and postcondi- tions for the public mehtods and a class invariant. A class invariant expresses which states of the objects of the class are consis- tent, or “legal”.
    [Show full text]
  • The Fields and the Class Invariant /** B[0..Size-1] Is a Min-Heap, I.E
    Heaps with priorities We previously studied the max-heap, which implements a bag of integers with insertion of a value and extraction (polling) of a maximum value in O(log n) time for a heap of size n. Min-heaps are similar. We now extend the idea to implement a min-heap of a set of distinct values each with a priority. The priority will be a double value. The separation of value from priority is needed in several different situations. Here are two: • Consider finding the shortest route from Ithaca, NY, to Washington, D.C. A heap will contain points along the way, and the priorities will be the shortest distances found thus far from Ithaca to those points. • In a discrete event simulation, pending events can be kept in a heap, with the priority being the time at which an event is to occur. Keeping the set in a min-heap makes it easy to extract the next event to process. We will define all the methods needed, but we won’t show many of the method bodies, since they are fairly easy to write based on the earlier discussion of max- and min-heaps. Class Heap and inner class Item /** A heap of elements of type E. */ We will implement a generic min-heap with priorities. The public class Heap<E> { start of class Heap appears to the right. An object of this class implements a heap of elements of type E. For example, E could private class Item { be a point on a map or an event to be simulated.
    [Show full text]
  • Weaving Aspects Into C++ Applications for Validation of Temporal Invariants
    Weaving Aspects into C++ Applications for Validation of Temporal Invariants Tanton H. Gibbs and Brian A. Malloy Computer Science Department Clemson University Clemson, SC 29634, USA thgibbs, malloy @cs.clemson.edu f g Abstract [5]. During maintenance, invariants have proven invaluable for disclosing locations in the program In this paper, we describe temporal invariants, where the maintainer may have introduced a fault which are class invariants that are qualified by the [10]. operators eventually, always, never, or already. Tem- The problem with class invariants is that some poral invariants can capture assertions that may not important assertions about a class are initially in- be valid initially but, as the program continues, must valid, due to circular dependencies or the monoton- eventually become valid. Moreover, temporal invari- ically increasing nature of the system under con- ants can indicate references to memory that should struction [8]. For example, during compilation of eventually be deallocated. To facilitate incorporation a program, a name object is constructed to facil- of temporal invariants as a maintenance or reengi- itate name lookup. However, certain fields in the neering activity, we weave invariants into the sys- name object, such as the corresponding scope of the tem as aspects. In our case study of a C++ sys- name, may not be known until after name lookup tem, the aspects are woven into join points using has occurred [24]. Moreover, assertions about a policies. We investigate the effectiveness of tem- class may have an important impact on memory poral invariants and we compare the performance management. For example, some heap-based ob- of our aspect-oriented implementation with several jects of a class must be eventually deleted or system other approaches.
    [Show full text]
  • Modular Verification of Static Class Invariants
    Modular verification of static class invariants K. Rustan M. Leino 1 and Peter Muller¨ 2 1 Microsoft Research, Redmond, WA, USA, [email protected] 2 ETH Zurich,¨ Switzerland, [email protected] Abstract. Object invariants describe the consistency of object-oriented data struc- tures and are central to reasoning about the correctness of object-oriented soft- ware. But object invariants are not the only consistency conditions on which a program may depend. The data in object-oriented programs consists not just of object fields, but also of static fields, which hold data that is shared among ob- jects. The consistency of static fields is described by static class invariants, which are enforced at the class level. Static class invariants can also mention instance fields, describing the consistency of dynamic data structures rooted in static fields. Sometimes there are even consistency conditions that relate the instance fields of many or all objects of a class; static class invariants describe these relations, too, since they cannot be enforced by any one object in isolation. This paper presents a systematic way (a methodology) for specifying and verify- ing static class invariants in object-oriented programs. The methodology supports the three major uses of static fields and invariants in the Java library. The method- ology is amenable to static, modular verification and is sound. Keywords: Static class invariant, verification, object-oriented programming, sta- tic field 1 Introduction A central problem in reasoning about a computer program’s correctness comes down to reasoning about which program states the program can ever reach. Programmers rely on that only some states are reached, most prominently by assuming that the pro- gram’s data structures satisfy certain properties.
    [Show full text]