Transforming Temporal Specifications into Contracts using Specification Variables
During the verification of a program with procedures, when a procedure call is encountered, the procedure's contract is evaluated. We assume that the user has supplied the procedure contracts, although it may also be possible to infer contracts (especially the ensures clause).
In our example, to satisfy the second property of the program, we introduce a boolean variable
boolean loggingOn = false;
The procedure contract for p2()
then looks like this:
requires loggingOn = false modifies loggingOn ensures loggingOn = false
Now consider the first property:
(open (read+write)* close)*
In order to define procedure contracts for readContent()
and p1()
to ensure that this property is satisfied, we introduce an object called FileState
which has a typestate. In typestate systems, the type of an object is allowed to change during its lifetime in the computation.
Therefore FileState
has type file
and two states, open
and closed
.
Using this notion, we can write the procedure contracts for the two methods as follows:
readContent(): requires FileState = open
p1(): requires FileState = closed modifies FileState ensures FileState = open