Arnd Poetzsch-Heffter

A Programming Logic for Sequential Java

A Hoare-style programming logic for the sequential kernel of Java is presented. It handles recursive methods, class and interface types, subtyping, inheritance, dynamic and static binding, aliasing via object references, and encapsulation. The logic is proved sound w.r.t. an SOS semantics by embedding both into higher-order logic.

Modular invariants for layered object structures

Classical specification and verification techniques support invariants for individual objects whose fields are primitive values, but do not allow sound modular reasoning about invariants involving more complex object structures. Such non-trivial object structures are common, and occur in lists, hash tables, and whenever systems are built in layers. A sound and modular verification technique for layered object structures has to deal with the well-known problem of representation exposure and the problem that invariants of higher layers are potentially violated by methods in lower layers; such methods cannot be modularly shown to preserve these invariants.We generalize classical techniques to cover layered object structures using a refined semantics for invariants based on an ownership model for alias control. This semantics enables sound and modular reasoning. We further extend this ownership technique to even more expressive invariants that gain their modularity by imposing certain visibility requirements.

JCoBox: generalizing active objects to concurrent components

Concurrency in object-oriented languages is still waiting for a satisfactory solution. Formany application areas, standardmechanisms like threads and locks are too low level and have shown to be error-prone and notmodular enough. Lately the actor paradigm has regained attention as a possible solution to concurrency in OOLs. We propose JCoBox: a Java extension with an actor-like concurrencymodel based on the notion of concurrently running object groups, so-called coboxes. Communication is based on asynchronous method calls with standard objects as targets. Cooperative multi-tasking within coboxes allows for combining active and reactive behavior in a simple and safe way. Futures and promises lead to a data-driven synchronization of tasks. This paper describes the concurrency model, the formal semantics, and the implementation of JCoBox, and shows that the performance of the implementation is comparable to state-of-the-art actor-based language implementations for the JVM.

Using data groups to specify and check side effects

Reasoning precisely about the side effects of procedure calls is important to many program analyses. This paper introduces a technique for specifying and statically checking the side effects of methods in an object-oriented language. The technique uses data groups, which abstract over variables that are not in scope, and limits program behavior by two alias-confining restrictions, pivot uniqueness and owner exclusion. The technique is shown to achieve modular soundness and is simpler than previous attempts at solving this problem.

Modular specification of frame properties in JML

We present a modular specification technique for frame properties. The technique uses modifies clauses and abstract fields with declared dependencies. Modularity is guaranteed by a programming model that enforces data abstraction by preventing representation and argument exposure, a semantics of modifies clauses that uses a notion of ‘relevant location’, and by modularity rules for dependencies. For concreteness, we adapt this technique to the Java Modeling Language, JML. Copyright

An Architecture for Interactive Program Provers

Formal specification and verification techniques can improve the quality of programs by enabling the analysis and proof ofsem antic program properties. This paper describes the modular architecture of an interactive program prover that we are currently developing for a Java subset. In particular, it discusses the integration of a programming language-specific prover component with a general purpose theorem prover.

Logical foundations for typed object-oriented languages

This paper presents logical foundations for the most important object-oriented language features, including abstract types, dynamic binding, subtyping, and inheritance. These foundations are introduced along with an object-oriented kernel language. We show how object environments of such languages can be formalized in an algebraic way. Based on this foundation, we develop a Hoare-style logic for formal verification of object-oriented programs.

Slicing for model reduction in adaptive embedded systems development

Model-based development of adaptive embedded systems is an approach to deal with the increased complexity that adaptation requirements impose on system design. Integrating formal verification techniques into this design process provides means to rigorously prove critical properties. However, most automatic verification techniques such as model checking are only effectively applicable to systems of limited sizes due to the state-explosion problem. Our approach to alleviate this problem consists of (a) a semantics-based integration of model-based development and formal verification for adaptive embedded systems and (b) an automatic slicing technique of models with respect to properties to be verified. Slicing is carried out on a high-level formal intermediate representation of the models providing a clear separation of functional and adaptation behaviour. The internal model structure can be exploited to identify system parts that are irrelevant for a property. In particular, slicing offers efficient model reductions for the verification of properties of the adaptation behaviour. The overall approach and the slicing techniques have been evaluated together with the development of an adaptive vehicle stability control system.

Prototyping realistic programming languages based on formal specifications

Abstract. The specification of realistic programming languages is difficult and expensive. One approach to make language specification more attractive is the development of techniques and systems for the generation of language–specific software from specifications. To contribute to this approach, a tool–based framework with the following features is presented: It supports new techniques to specify more language aspects in a static fashion. This improves the efficiency of generated software. It provides powerful interfaces to generated software components. This facilitates the use of these components as parts of language–specific software. It has a rather simple formal semantics. In the framework, static semantics is defined by a very general attribution technique enabling e.g. the specification of flow graphs. The dynamic semantics is defined by evolving algebra rules, a technique that has been successfully applied to realistic programming languages.After providing the formal background of the framework, an object–oriented programming language is specified to illustrate the central specification features. In particular, it is shown how parallelism can be handled. The relationship to attribute grammar extensions is discussed using a non-trivial compiler problem. Finally, the paper describes new techniques for implementing the framework and reports on experiences made so far with the implemented system.

Towards Proof Generating Compilers

Correctness of compilation is important for the reliability of software. New techniques to guarantee correctness do not verify the compiler itself, but check for each compiled program whether it is correctly translated. Following these ideas, we developed an approach in which checking is realized as proof checking within a formal specification and verification framework. Based on formal specifications of source and target language and a translation predicate, compilers produce, in addition to the target program c, a proof that c is correct w.r.t. its source program. This proof can be checked independently of the compiler by the framework. Thus, it can be used as a translation certificate. The paper describes the overall approach and applies it to a simple translation scenario. Specification and verification is done within the theorem prover Isabelle/HOL. To show the flexibility of the approach, we present two different proof techniques for translation correctness.