A Re-Entrancy Analysis for Object Oriented Programs Manuel F¨ ahndrich 1 , Diego Garbervetsky 2 ⋆ , and Wolfram Schulte 1 1 Microsoft Research, Redmond, WA, USA {maf, schulte}@microsoft.com 2 Departamento de Computaci ´ on, FCEyN, UBA, Argentina diegog@dc.uba.ar Abstract. We are interested in object-oriented programming methodologies that enable static verification of object-invariants. Reasoning soundly and effectively about the consistency of objects is still one of the main stumbling blocks to push- ing object-oriented program verification into the mainstream. In this paper we explore a simple model of invariants that is intuitive and allows us to divide the verification problem into two well-defined parts: 1) reasoning about object con- sistency within a single method, and 2) reasoning about the absence of inconsis- tent re-entrant calls. We delineate this division by specifying the assumptions and proof obligations of each part. Part one can be handled using well-established techniques in modular verification. This paper presents a novel program analysis to handle the second part. It warns developers when re-entrant calls are made on objects whose invariants may not hold. The analysis uses a points-to analysis to detect re-entrant calls and a simple dataflow analysis to decide whether the in- variant of the receiver of a re-entrant call holds. Initial experimentation shows the analysis is able to recognize that many re-entrant calls can be safely performed as their receivers are in a consistent state. 1 Introduction In object oriented programming, developers typically reason in a modular fashion. Gen- erally, they assume certain properties (invariants and preconditions) hold on entry to a method, while other properties must be established prior to exiting (invariants and postconditions). Following this design by contract approach [12], we are interested in providing a programming methodology that allow automatic and static reasoning about the conformance of programs relative to object-invariants. Reasoning soundly and ef- fectively about the consistency of objects is still one of the main stumbling blocks to pushing object-oriented program verification into the mainstream. The Boogie approach [5] is one established way for reasoning soundly about object invariants. The main drawback of the Boogie approach is that it puts a heavy burden on the programmer to make reasoning about object consistency feasible. The burden takes the form of adhering to a particular ownership model, requires program constructs delimiting the window of inconsistencies (expose blocks), and requires detailed speci- fications about which objects are consistent at what points in the program. ⋆ Partially supported by ANCyT PICT 11738