Object invariants describe the consistency of object-oriented data structures and are central to reasoning about the correctness of object-oriented software. Yet, reasoning about object invariants in the presence of object references, methods, and subclassing is difficult. This paper describes a methodology for specifying and verifying object-oriented programs, using object invariants to specify the consistency of data and using ownership to organize objects into contexts. The novelty is that contexts can be dynamic: there is no bound on the number of objects in a context and objects can be transferred between contexts. The invariant of an object is allowed to depend on the fields of the object, on the fields of all objects in transitively-owned contexts, and on fields of objects reachable via given sequences of fields. With these invariants, one can describe a large variety of properties, including properties of cyclic data structures. Object invariants can be declared in or near the classes whose fields they depend on, not necessarily in the class of an owning object. The methodology is designed to allow modular reasoning, even in the presence of subclasses, and is proved sound.

Abstract not found

Object-oriented systems are able to treat objects indirectly by message passing. This allows them to manipulate objects without knowing their exact runtime type. Behavioral subtyping helps one reason in a modular fashion about such programs. That is, one can reason based on the static types of expressions in a program, provided that static types are upper bounds of the runtime types in a subtyping preorder, and that subtypes satisfy the conditions of behavioral subtyping. We survey various notions of behavioral subtyping proposed in the literature for objectoriented programming. We also sketch a notion of behavioral subtyping for objects in component-based systems, where reasoning about the events that a component can raise is important.

Abstract not found