Footnotes

...situations.

The weaker meaning requires each method to preserve the invariant of the class it belongs to. Assume two objects X and Y of classes C_X and C_Y that reference a common object Z of class C_Z. Obviously it is possible to violate the invariant of C_Y via methods of C_X and C_Z (which do not need to preserve inv_Y). Thus, we cannot make use of inv_Y during the verification of Y because it may not hold.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...m

We assume that invariants may only state properties of reachable objects. An object X is reachable from object Y if there is a chain of references from Y to X.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...module.

Note, that a class can be semantically private despite being syntactically public.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

...invariant.

The stronger invariant requires stronger preconditions for some methods, e.g., the multiplication method. Thus, the new class is not a behavioral subtype of fraction.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

Peter Mueller and Arnd Poetzsch-Heffter
Sept. 2, 1997