Framing the Frame Problem

摘要

Some parts of the software verification process require human annotation, but as much as possible of the rest should be automatic. An excellent candidate for full automation is change analysis, also known as the frame problem: how to determine which program properties remain unchanged under a given operation. The problem is particularly delicate in the case of programs using pointers or references, in particular object-oriented programs. The double frame inference strategy automates both frame specification and frame verification. On the specification side, it deduces the set of permissible changes of a routine (its "modifies clause") from a simple examination of its postcondition. On the implementation side, it applies the change calculus, itself based on the alias calculus, to determine the set of expressions whose values the routine can actually change. Frame verification then consists of ascertaining that the actual change set is a subset of the permissible change set.