
CiteSeerX — Class Refinement for Sequential Java

(1)

Ana Cavalcanti¹ and David A. Naumann²

¹ Centro de Informatica, Universidade Federal de Pernambuco (UFPE), Box 7851 50740-50 Recife PE Brazil

al  in.ufpe.br www. in.ufpe.br/~al

² Department of Computer Science, Stevens Institute of Technology, Hoboken NJ 07030 USA

naumann@cs.stevens-tech.edu www.cs.stevens-tech.edu/~naumann

Keywords: class refinement, modular specification and verification, inheritance and dynamic binding, refinement calculi, semantics

1 Introduction

This extended abstract describes progress in an ongoing project on refinement calculus for sequential Java. Predicate transformer semantics is being used to validate correctness-preserving transformations for use in program development, verification, design refactoring, and compilation. We focus here on the semantics and its application in showing soundness of forward simulation for class refinement, the foundation of behavioral subclassing.

This section is an overview of project objectives and recent progress. Section 2 addresses the language and its semantics. Section 3 discusses class refinement, Section 4 presents our ideas for future work.

Our work is being done in the context of a collaboration involving others at UFPE (P. Borba and A. Sampaio) and Birmingham (U. Reddy), and our research assistants.¹ Our long-term goal is development of tools and methods for specification, construction, modular verification, restructuring, and compilation of Java programs. Current work uses an idealized language rool based on the sequential part of Java.

Refinement calculus is the unifying framework for the work. In refinement calculi, the specification statement x : [pre, post] is treated as an "imaginary command". For commands  and  ′, the algorithmic refinement  ⊑  ′ means that  ′ satisfies any specification that  does. Ordinary correctness is expressed using specification statements: we have that x : [ ,  ] ⊑  holds just if  meets the specification "modifies x, requires  , ensures  ". Refinement laws formalize development by stepwise refinement from specifications [Mor94].

One of our objectives is to extend this method to encompass object-oriented programs, and in particular design patterns and refactoring transformations [Fow99], including those that involve several classes at once. In a case study applying our results, we restructure an object-oriented application to follow a

¹ The work is funded by National Science Foundation under Grant No. 9813854, and by CNPq under grants 520763/98-0 and 680032/99-1.

(2)

automate the application of design transformations.

Specification statements, including the special cases known as assertions and assumptions, provide flexible annotation of program fragments. This is useful not only for verification but also for static checking [DLNS98] and program transformation. Sampaio, Cavalcanti, and their students are developing a compiler based on the normal-form approach [HHS93,Sam97], which exploits specification statements in transformation of code fragments. In the past year, a normal form has been devised for a virtual machine based on JVM. Compilation is based on normal-form laws, and some of these have been proved using our semantics.

A major objective is to derive design and compilation laws from basic laws proved sound in predicate transformer semantics [BS00]. Weakest precondition semantics is of direct use in verification tools and it is well suited to proving refinement laws. Eventually we plan to prove soundness of this semantics with respect to an operational semantics, hopefully one already developed by another research group.

To this end, and in order to check proofs of laws and of results discussed in the sequel, we are using PVS to encode the typing system and semantics of our language. The encoding is purely definitional. We are using a deep embedding of program expressions including predicates in specification statements. In accord with the new semantics described in Section 2, commands act on state sets in PVS so this part is a shallow embedding.

Many design laws involve data refinement, for which we use an intrinsic definition [HHS86,dRE98], and behavioral subclassing, which is similar to a data refinement of coexisting classes. The primary means for establishing data refinement and behavioral subclassing is (forward) simulation. The existing literature falls short of the simulation results we need. Our new results on soundness and preservation of simulation are the main topic in the sequel.

2 Syntax and semantics

A program in our language is a sequence ds of Java-like class declarations followed by a main program  whose free variables may include objects of classes in ds. Attributes can be private, protected, or public, like in Java, and they can be mutually recursive. Methods are regarded as public. Mutual recursion between methods is not allowed, to simplify the semantics of method calls and the proof of laws. Methods are defined as parameterized commands [Bac87,CSW99] using call by value, result, and value-result (with copy semantics).

In [CN99,CN00a] we defined a weakest precondition semantics for rool. In that work, we regarded a predicate transformer as a function on formulae. We extended traditional weakest precondition semantics and gave an account of method calls that is both abstract and operationally intuitive. This semantics is appropriate for the proof of refinement laws, a work that is well underway [BS00].

For the proof of the soundness of simulation for data refinement, however, we find the syntactic approach to predicates to be a problem. In this context, it

(3)

be a formula relating the private attributes of the abstract and concrete classes. The proof of soundness of simulation requires a comparison of programs that differ only by the fact that the concrete class is substituted for the abstract one. We cannot, however, say that the semantics of the fixed client classes is equal in both programs. Since their semantics depends on the semantics of methods defined in the simulated classes, the proper relation between them is that of a simulation as well. To define this simulation, we need what we call a generalized coupling invariant to relate states of client classes.

We find it difficult to give a definition for this generalized invariant syntactically, but on the other hand, its definition as a relation on states is very intuitive and straightforward [CN00b]. Also, a data refinement proof technique should involve the definition of the coupling invariant by the developer, but not the definition of the generalized coupling invariant. So there is not really a justification to have it as a formula. For this reason, we have given a new semantics to our language where predicates are regarded as sets of states, and predicate transformers as functions on these sets.

The definitions in this new semantics are very similar to those of our previous work. We use type-theoretic techniques to organize the semantic definitions. If a command  can occur in the methods of a class N, we use a typing judgement  ,  , N ▷  . The typing environment  records the classes in context, including N, and the signature  includes the variables in scope for  : attributes of N, parameters, and local variables. The typing rules reflect Java's restrictions on scope and subsumption. The semantics is defined by induction on typing derivations.

As expected, the challenge was the definition of the semantics of method calls. As before, we have an environment that records the semantics of methods and that is defined by a fixpoint construction. The semantics recorded is that of the behaviour of the method when called from inside the class where it is available. We use this semantics directly to define the meaning of calls self.m(e). For a call of the form x.m(e), it must be adapted.

At the point where the call x.m(e) occurs, the state space includes x as well as attributes of the calling object, parameters of the calling method, and locals of the calling method. In a state where the dynamic type of x is N′, the environment gives a meaning  N′ m for the called method, but that meaning acts on the state space consisting of attributes of N′ and parameters of m. So we have to adjust the postcondition at the point of call so that  N′ m is applicable. Roughly, this adjustment extracts the attributes of x to get a state of the right kind and ensures that state variables other than x are unchanged. The definition for a pre-state  and a postcondition  is as follows.

 ∈ [[ ,  , N ▷ x.m(e) : com]]   ⇔ {x} ∪ rvrargs ◁  ∈ pt (adapt   )

The environment  provides the transformer pt determined as pt =  N′ m arglist, where N′ is the class of x defined by  , and arglist is the list of arguments resulting from evaluating the expressions e in  . The predicate transformer pt is for a local signature that contains only the attributes of N′ and the parameters. On

(4)

caller. As already said, we need to reconcile these differences before applying pt. This is the role of the function adapt. The method call can only affect the value of x and of the result and value-result arguments rvrargs. We require that the state resulting from the domain restriction (◁) of  to x and rvrargs satisfies the precondition. The function adapt considers the conjunction of  with the predicate that requires that the value of all variables, except x and those in rvrargs, are the same as in  . Moreover, it transforms the resulting predicate into another one on the attributes of N′ and on the result and value-result parameters, by extracting the attributes of N′ (or one of its subclasses) from x and the value of the parameters from the arguments. This new semantics combines elements from [CN00a] and [Nau00].

3 Class Refinement

Algorithmic refinement of programs and commands is defined in the usual way as the pointwise order on predicate transformers. In [CN00a], we define two relations of class refinement. Here, we are focusing on the relation ds ▷ da ≼= d that captures the situation in which the abstract class da is data refined by the concrete class d in the context of the sequence of class declarations ds. They both introduce the same class Ns with the same superclass.

Definition 1 (Class Refinement). For a sequence of class declarations ds, and class declarations da, and d, that introduce a class called Ns, for instance, we define ds ▷ da ≼= d if and only if

– the sequences of class declarations ds da and ds d are both well-formed;

– for all commands  that use only methods in ds and da and whose global components have types that are Ns-free, if  is a well-typed main program for ds da, then

    •  is well-typed for ds d; and

    • (ds da   ) ⊑ (ds d   ).

A sequence of class declarations is well-formed if all methods, or rather, the commands in their bodies, are well-typed and there is no mutual recursion. The global components are the free variables, and, inductively, components of attributes of the object-valued free-variables. Intuitively, a type is N-free if any variable declared to have such a type cannot have attributes of the class N.

If  has global components that are not N-free, then the program refinement (ds da   ) ⊑ (ds d   ) is not even well-defined because the programs act in different state spaces. For this reason, no global variables of object types are allowed in the result of [Nau01b], which is the closest result in the literature to what we need. There, structural subtyping is used, so there is no way to define a notion like N-free.

Forward simulation (including abstraction functions) is the standard proof technique for class refinement. We define class simulation in the context of private

(5)

i defined as a relation from states of da to states of d. The classes da and d are assumed to provide exactly the same methods.

Coupling invariants have to satisfy certain healthiness conditions. For instance, only states for the same class can be related. Also, the initial states of the classes are related. More stringent conditions are motivated by the proof of soundness of simulation and are discussed later on.

Simulation for predicate transformers is defined in the usual way [GM91], but in terms of a generalized coupling invariant. First, if the class declarations da and d, or rather, the states of these classes, are related by the coupling invariant i, we define a relation og i T, coupling values of a type T. If the type T is primitive, then og i T is the identity: the values of such a type are the same in both contexts. If T is either Ns or one of its subclasses, then og i T is the coupling invariant itself. Finally, if T is a class N that does not inherit from Ns, then it has the same attributes in both contexts. In this case, we relate an object o of N in the context of da to an object o′ in the context of d, if the values of the corresponding attributes of o and o′ are related themselves.

The definition of the generalized coupling invariant for states is shown below.

Definition 2 (Generalized Coupling Invariant). For a class N and local variables in scope vs, we define g i N vs to relate states  for N and vs in the context of da with states  ′ for the same class and local variables, but in the context of d.

( ,  ′) ∈ g i N vs ⇔ ( (vs) ◁  ,  (vs) ◁  ′) ∈ i ∧ ∀x :  (vs)  ( x,  ′ x) ∈ og i T    if N is a subclass of Ns

( ,  ′) ∈ g i N vs ⇔ dom  = dom  ′ ∧  myclass =  ′ myclass ∧ ∀x : dom  \ {myclass}  ( x,  ′ x) ∈ og i T    otherwise

where T is the type of x in the context of N.

If N is a subclass of Ns we cannot simply define g i N vs to be i because of the extra local variables vs. If we disregard them, by considering the states  (vs) ◁  and  (vs) ◁  ′, then we can require the resulting states to be related by i. The set  (vs) contains the local variables, as opposed to vs which is their declaration. We use the operator ◁ (domain subtraction) to remove those variables from the states. The values assigned to the variables of vs have to be related by og i. For the case in which N is not a subclass of Ns, we require the states to give values to the same variables (dom  = dom  ′), to be for the same class ( myclass =  ′ myclass), and finally give related values to corresponding attributes. Besides declared attributes, a state has a special attribute myclass that designates its class. The states for a class include all the states for its subclasses.

To define simulation for the classes da and d we consider the method

(6)

environments  and  ′ determined by ds da and ds d.

Definition 3 (Class Simulation). We define

ds, avs, vs, i ▷ da ≼ d

if and only if for each method m of da and d, we have that

ds, da, d, avs, vs, i, Ns ▷ ( Ns m) ≼ ( ′ Ns m)

We require that the meaning recorded in  for each method of da and d is simulated by the meaning recorded in  ′.

The meaning of a method recorded in the environment is a curried function from argument values to predicate transformers. Simulation for these functions is defined in terms of simulation of predicate transformers. We require that if the corresponding arguments are related by simulation, the resulting predicate transformers are as well. Simulation of arguments amounts to simulation of values, for value arguments, and the identity, for variables passed by result or value-result.

Our main theorem is stated below.

Theorem 1 (Soundness of Simulation). If ds, avs, vs, i ▷ da ≼ d, then ds ▷ da ≼= d.

The proof of this theorem relies mainly on two facts. The first is preservation: the semantics of the commands of the client classes of da and d are related by simulation. This implies simulation for any main program. The second is an identity extension lemma: the generalized coupling invariant is the identity when the global components in context are Ns-free. Therefore, simulation of a main program implies algorithmic refinement, as required by Definition 1.

The identity extension result is simple and rather straightforward. The proof of preservation, on the other hand, brought to light a few surprises. The syntactic approach to the semantics requires the inclusion of equality on objects as a primitive function. We need that to define, for instance, the semantics of assignment. Such an expression, however, does not preserve data-refinement as it relies on equality of private attributes. Luckily it is not needed in the present semantics and it was eliminated from the language.

For variable blocks, result and value-result parameterization, and specification statements, the coupling invariant has to be surjective. The representation of an object value has to include values of private attributes, even though they are hidden. The semantics of a variable block, for instance, considers all initial values that a local object variable can have, including the different values for its private attributes. If a variable block declares a variable whose type is that being refined, then to relate the concrete block to the abstract block, we have to relate every possible concrete value of the variable to a corresponding abstract value. This requires the coupling relation to be surjective. This requirement is unnecessary, and incomplete, for simple imperative programs [HHS86,dRE98].

A way around this problem is to consider that variables are initialized. In that case, the semantics has to consider only those initial values, and the coupling invariant only needs to be surjective for values that can be expressed in

(7)

that differences in values of hidden attributes are not relevant. This approach, however, does not work for specification statements.

We are going to investigate a solution in which each class has an invariant and the semantics quantifies over objects satisfying this invariant only. The coupling invariant is defined as a relation on states that satisfy the invariant and the surjectivity restriction is weaker. The user has to provide class invariants and discharge the corresponding proof obligations. Nevertheless, class invariants are normal practice and have independent justification. Another alternative is to change the semantics to quantify over object values obtained by applying the methods of its class to the initial values defined by the constructor. In other words, we use the weakest invariant determined by the program, rather than requiring an explicitly declared invariant.

Angelic variable (logical constant) blocks only preserve data refinement if the coupling invariant is total. If the coupling invariant is not total, in the concrete counterpart of the block, the angelic choice is restricted. As an example, consider the block (avar x : T   : [x = v, true]) using a specification with empty frame. In the abstract context, the block behaves like skip as the angelic choice can succeed in establishing the precondition of the specification statement by choosing x to be v. If v does not have a concrete counterpart, however, the concrete block is (avar x : T   : [false, true]), which behaves like abort. The approaches above can also be used to avoid the totality restriction on coupling invariants.

In summary, forward simulation is sound for all the program constructs. To extend soundness to specification statements, uninitialized variable blocks, result and value-result parameters, and angelic variables, however, we need surjectivity and totality with respect to some form of class invariant.
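
The following bounded check is an added example, not part of the paper: it models an abstract and a concrete set class in Python rather than in the paper's language, with deterministic methods so that forward simulation reduces to comparing results and post-states of related pre-states. The two classes, the value domain and all function names are assumptions made for the illustration; the same run shows why equality on objects breaks data refinement and why surjectivity of the coupling invariant only holds relative to a class invariant.

```python
from itertools import combinations, product

VALUES = (0, 1, 2)  # constructed, deliberately tiny element domain

# Abstract class: its private attribute is a frozenset of elements.
def a_init():
    return frozenset()

def a_add(s, x):
    return s | {x}

def a_contains(s, x):
    return x in s

# Concrete class: its private attribute is a tuple in insertion order.
def c_init():
    return ()

def c_add(t, x):
    return t if x in t else t + (x,)

def c_contains(t, x):
    return x in t

def class_invariant(t):
    """Concrete class invariant: the tuple holds no duplicates."""
    return len(set(t)) == len(t)

def ci(a, c):
    """Coupling invariant, as a relation between abstract and concrete states."""
    return class_invariant(c) and frozenset(c) == a

# Every abstract value, and every concrete value up to length 3
# (including tuples such as (0, 0) that no method call can produce).
ABS_STATES = [frozenset(s) for n in range(4) for s in combinations(VALUES, n)]
CON_STATES = [t for n in range(4) for t in product(VALUES, repeat=n)]
RELATED = [(a, c) for a in ABS_STATES for c in CON_STATES if ci(a, c)]

def forward_simulation():
    """Initial states are related, and each method maps related pre-states to
    related post-states while returning the same visible result."""
    if not ci(a_init(), c_init()):
        return False
    for (a, c), x in product(RELATED, VALUES):
        if not ci(a_add(a, x), c_add(c, x)):
            return False
        if a_contains(a, x) != c_contains(c, x):
            return False
    return True

def equality_counterexample():
    """Find one abstract value related to two distinct concrete values: an
    equality test on private attributes answers differently in each context."""
    for (a1, c1), (a2, c2) in product(RELATED, repeat=2):
        if a1 == a2 and c1 != c2:
            return (a1, c1, c2)
    return None

def unrelated_concrete(states):
    """Concrete values with no abstract counterpart (surjectivity failures)."""
    return [c for c in states if not any(ci(a, c) for a in ABS_STATES)]

def unrelated_abstract():
    """Abstract values with no concrete counterpart (totality failures)."""
    return [a for a in ABS_STATES if not any(ci(a, c) for c in CON_STATES)]
```

Over all concrete values the coupling invariant is not surjective, but it becomes surjective once the values are restricted to those satisfying `class_invariant`, which is the situation the class-invariant proposal above aims at.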

4 Future Work

An immediate topic for further work is the investigation of the alternatives pointed out in the previous Section to generalize our results to arbitrary coupling invariants. Besides pursuing these approaches, we are going to adapt our results for the relation ds ▷ d ≼≠ d′. This is the second class refinement relation introduced in [CN00a], which captures the situation in which d and d′ introduce classes of different names. This subsumes the relation of behavioural subclassing.

Besides the specific goals of our project, we believe that our work complements the work of others in various ways. In particular, we are using a semantic model to justify simulation techniques that are often postulated as means to achieve behavioral subclassing. As a specific example, we plan to work with Gary Leavens to interpret the core constructs of JML using our semantics. On this basis, we expect to justify JML rules for behavioral subclassing.

In the first phase of our project we decided that the scope of the language would include core features of sequential Java, including visibility controls and recursion, but excluding concurrency, exceptions, and most contentiously,

(8)

modular reasoning for pointer programs, extending recent work of Reynolds [Rey01,RO01,IO01,Yan00,ROY01].

This work is based on a non-standard logic, but we have recently shown how a form of spatial conjunction can be used in the setting of standard logic and predicate transformers [Nau01a]. This work focuses on reasoning about fine-grained manipulation of pointers. In particular, it localizes reasoning using partitions of the heap that can have two-way interlinking, unlike disciplines such as Universe Types [MPH00] which focus on modular reasoning at the level of classes. In the next phase of our project we plan to deal with pointers using Universe Types together with spatial conjunction.

Variations of the specification statement are used in JML [LLP+00] as "model programs" which are particularly useful in specifying calling patterns of methods, including callbacks [BW99,RL00]. Up to now, our specification constructs include only the specification statements and "angelic variables" (logical constants) of Morgan's refinement calculus [Mor94]. In the next phase, we plan to add abstract attributes and dependencies for modular specification [LN00,Mul01].

References

[Bac87] R. J. R. Back. Procedural Abstraction in the Refinement Calculus. Technical report, Department of Computer Science, Abo-Finland, 1987. Ser. A No. 55.

[BS00] P. H. M. Borba and A. C. A. Sampaio. Basic Laws of ROOL: an object-oriented language. In 3rd Workshop on Formal Methods, pages 33–44, Brazil, 2000.

[BW99] Martin Buchi and Wolfgang Weck. The greybox approach: When blackbox specifications hide too much. Technical Report 297, Turku Center for Computer Science, August 1999. http://www.abo.fi/~mbuechi/publications/TR297.html.

[CN99] A. L. C. Cavalcanti and D. Naumann. A Weakest Precondition Semantics for an Object-oriented Language of Refinement. In J. M. Wing, J. C. P. Woodcock, and J. Davies, editors, FM'99: World Congress on Formal Methods, volume 1709 of Lecture Notes in Computer Science, pages 1439–1459. Springer-Verlag, September 1999.

[CN00a] A. L. C. Cavalcanti and D. A. Naumann. A Weakest Precondition Semantics for Refinement of Object-oriented Programs. IEEE Transactions on Software Engineering, 26(8):713–728, August 2000.

[CN00b] A. L. C. Cavalcanti and D. A. Naumann. Simulation and Class Refinement for Java. In S. Drossopoulou, S. Eisenbach, B. Jacobs, G. T. Leavens, P. Muller, and A. Poetzsch-Heffter, editors, Formal Techniques for Java Programs. Technical Report 269, Fernuniversitat Hagen, 2000. Available from http://www.informatik.fernuni-hagen.de/pi5/publications.html.

[CSW99] A. L. C. Cavalcanti, A. Sampaio, and J. C. P. Woodcock. An Inconsistency in Procedures, Parameters, and Substitution in the Refinement Calculus. Science of Computer Programming, 33(1):87–96, 1999.

(9)

Extended static checking. Technical Report Report 159, Compaq Systems Research Center, December 1998.

[dRE98] Willem-Paul de Roever and Kai Engelhardt. Data Refinement: Model-Oriented Proof Methods and their Comparison. Cambridge University Press, 1998.

[Fow99] Martin Fowler. Refactoring: Improving the Design of Existing Code. Addison-Wesley, 1999.

[GM91] P. H. B. Gardiner and C. C. Morgan. Data Refinement of Predicate Transformers. Theoretical Computer Science, 87:143–162, 1991.

[HHS86] J. He, C. A. R. Hoare, and J. W. Sanders. Data refinement refined (resume). In European Symposium on Programming, volume 213 of Springer LNCS, 1986.

[HHS93] C. A. R. Hoare, J. He, and A. Sampaio. Normal form approach to compiler design. Acta Informatica, 30:701–739, 1993.

[IO01] Samin Ishtiaq and Peter W. O'Hearn. BI as an assertion language for mutable data structures. In POPL. ACM Press, 2001.

[LLP+00] Gary T. Leavens, K. Rustan M. Leino, Erik Poll, Clyde Ruby, and Bart Jacobs. JML: notations and tools supporting detailed design in Java. In OOPSLA 2000 Companion, Minneapolis, Minnesota, pages 105–106. ACM, October 2000.

[LN00] K. Rustan M. Leino and Greg Nelson. Data abstraction and information hiding. Technical Report 160, COMPAQ Systems Research Center, November 2000.

[Mor94] Carroll Morgan. Programming from Specifications, second edition. Prentice Hall, 1994.

[MPH00] Peter Muller and Arnd Poetzsch-Heffter. A type system for controlling representation exposure in Java. In S. Drossopoulou, S. Eisenbach, B. Jacobs, G. T. Leavens, P. Muller, and A. Poetzsch-Heffter, editors, ECOOP Workshop on Formal Techniques for Java Programs. Technical Report 269, Fernuniversitat Hagen, 2000. Available from www.informatik.fernuni-hagen.de/pi5/publications.html.

[Mul01] P. Muller. Modular Specification and Verification of Object-Oriented Programs. PhD thesis, FernUniversitat Hagen, 2001. Available from www.informatik.fernuni-hagen.de/pi5/publications.html.

[Nau00] David A. Naumann. Predicate transformer semantics of a higher order imperative language with record subtyping. Science of Computer Programming, 2000. To appear.

[Nau01a] David A. Naumann. Ideal models for pointwise relational and state-free imperative programming. In Principles and Practice of Declarative Programming, 2001. http://www.cs.stevens-tech.edu/~naumann/relambda.ps.

[Nau01b] David A. Naumann. Soundness of data refinement for a higher order imperative language. Theoretical Computer Science, 2001. To appear.

[Rey01] John C. Reynolds. Intuitionistic reasoning about shared mutable data structure. In Millenial Perspectives in Computer Science. Palgrave, 2001.

[RL00] Clyde Ruby and Gary T. Leavens. Safely creating correct subclasses without seeing superclass code. In Proceedings of OOPSLA 2000, October 2000.

[RO01] John C. Reynolds and Peter W. O'Hearn. Reasoning about shared mutable data structure. Slides from invited talk at SPACE 2001, January 2001.

(10)

about shared mutable data structure. Slides for invited talk at APPSEM 2001 workshop, 2001.

[Sam97] Augusto Sampaio. An Algebraic Approach to Compiler Design, volume 4 of Algebraic Methodology and Software Technology. World Scientific, 1997.

[VB99] E. Viana and P. Borba. Integrando Java com Bancos de Dados Relacionais. III Simposio Brasileiro de Linguagens de Programação, pages 77–91, May 1999.

[Yan00] Hongseok Yang. An example of local reasoning in BI pointer logic: the Schorr-Waite graph marking algorithm. Draft, December 2000.
