Update Ghosts Section

rcosta358 · rcosta358 · commit 06cf651663de · 2026-04-03T18:41:43.000+01:00
diff --git a/getting-started/overview.md b/getting-started/overview.md
@@ -11,7 +11,7 @@ LiquidJava is an additional type checker for Java. It extends Java with three ma
 
 - **Liquid types** to restrict the values variables, parameters, and return values can have using logical predicates.
 - **Typestates** to describe valid object protocols across method calls.
-- **Ghost variables** to track extra state when typestates aren't enough.
+- **Ghosts** to track extra state when typestates aren't enough.
 
 These make it possible to catch bugs that the standard Java type system cannot, including:
 
@@ -23,8 +23,6 @@ These make it possible to catch bugs that the standard Java type system cannot,
 ## Example
 
 ```java
-import liquidjava.specification.*;
-
 public class Example {
     public static int divide(int a, @Refinement("b != 0") int b) {
         return a / b;
diff --git a/reference/external-refinements.md b/reference/external-refinements.md
@@ -1,35 +1,42 @@
 ---
 title: External Refinements
 parent: Reference
-nav_order: 5
+nav_order: 4
 ---
 
 # External Refinements
 
-External refinements let you attach a LiquidJava model to an existing class that you do not own.
+External refinements let us add refinements to an existing class that we cannot modify.
 
-Use `@ExternalRefinementsFor` to describe the behavior of a library type in a separate interface. This lets you keep using the original library API in ordinary Java code while LiquidJava checks the extra specification in the background.
+For this, we use the `@ExternalRefinementsFor` annotation to specify the qualified name of the class we want to refine in a separate interface. This lets us refine external classes from the Java standard library, third-party dependencies, or shared APIs without modifying their source code.
 
 ```java
 import liquidjava.specification.*;
+import java.net.*;
 
 @ExternalRefinementsFor("java.net.Socket")
-@StateSet({"unconnected, bound, connected, closed"})
+@StateSet({"unconnected", "bound", "connected", "closed"})
 public interface SocketRefinements {
-    @StateRefinement(to = "unconnected(this)")
+    @StateRefinement(to="unconnected()")
     public void Socket();
-
-    @StateRefinement(from = "unconnected(this)", to = "bound(this)")
-    public void bind(SocketAddress bindpoint);
-
-    @StateRefinement(from = "bound(this)", to = "connected(this)")
-    public void connect(SocketAddress endpoint);
-
-    @StateRefinement(from = "!closed(this)", to = "closed(this)")
+    
+    @StateRefinement(from="unconnected()", to="bound()")
+    public void bind(SocketAddress add);
+    
+    @StateRefinement(from="bound()", to="connected()")
+    public void connect(SocketAddress add);
+    
+    @StateRefinement(from="connected()")
+    public void sendUrgentData(int n);
+    
+    @StateRefinement(from="!closed()", to="closed()")
     public void close();
 }
 ```
 
-This pattern is useful when you want to verify protocols for standard-library classes, third-party dependencies, or shared APIs without modifying their source code.
+```java
+Socket socket = new Socket();
+socket.connect(new InetSocketAddress("example.com", 80)); // type error!
+socket.close();
+```
 
-The [Examples]({{ '/examples/' | relative_url }}) page links to runnable repositories that include this style of modeling.
diff --git a/reference/ghost-variables.md b/reference/ghost-variables.md
diff --git a/reference/ghost.md b/reference/ghost.md
@@ -0,0 +1,48 @@
+---
+title: Ghosts
+parent: Reference
+nav_order: 5
+---
+
+# Ghosts
+
+Some protocols need more than a small set of named states. LiquidJava supports ghost variables for tracking extra state. They can be used in refinements and state refinements to express richer invariants about the object. Similarly to the states, these are functions that take the object being refined as a parameter.
+
+Ghosts are declared with the `@Ghost` annotation, and they can be updated with `@StateRefinement` annotations on methods.
+
+```java
+import liquidjava.specification.*;
+
+@ExternalRefinementsFor("java.util.Stack")
+@Ghost("int size")
+public interface StackRefinements<E> {
+
+    @StateRefinement(to="size() == 0")
+    public void Stack();
+
+    @StateRefinement(to="size() == size(old(this)) + 1")
+    public E push(E elem);
+
+    @StateRefinement(from="size() > 0", to="size() == size(old(this)) - 1")
+    public E pop();
+
+    @StateRefinement(from="size() > 0")
+    public E peek();
+}
+````
+
+```java
+Stack<String> s = new Stack<>();
+s.push("hello");
+s.pop();
+s.pop(); // type error!
+```
+
+In the "constructor" method, the ghost variable `size` is initialized to 0. An equality in a method postcondition is how ghost variables are updated. However, here it is not necessary, since when no postcondition is declared, it is initialized to its default value, similarly to how Java initializes fields to their default values when no explicit initializer is provided (`int --> 0`, `boolean --> false`, etc.). 
+
+In the `push` method, we specify no precondition, since we can always push an element to the stack, but we specify a postcondition that increments the `size` by one. In this case, we tell the typechecker that the new value of `size` after calling `push` is equal to the old value of `size` plus one. This is possible using the `old` function, which takes an object instance and returns its value before the method call.
+
+In the `pop` method, we specify a precondition that the `size` must be greater than zero, since we cannot pop from an empty stack. We also specify a postcondition that decrements the `size` by one, similarly to the `push` method.
+
+In the `peek` method, we specify the same precondition, since we also cannot peek from an empty stack, but we don't specify a postcondition since peeking does not change the size of the stack.
+
diff --git a/reference/index.md b/reference/index.md
@@ -4,7 +4,7 @@ nav_order: 2
 has_children: true
 has_toc: false
 permalink: /reference/
-description: Browse the LiquidJava reference for refinements, aliases, state refinements, ghost variables, and external refinements.
+description: Browse the LiquidJava reference for refinements, aliases, state refinements, ghosts, and external refinements.
 cards:
   - title: Refinements
     url: /reference/refinements/
@@ -15,8 +15,8 @@ cards:
   - title: State Refinements
     url: /reference/state-refinements/
     description: Learn how to model protocol-oriented object states and valid method transitions.
-  - title: Ghost Variables
-    url: /reference/ghost-variables/
+  - title: Ghosts
+    url: /reference/ghosts/
     description: Learn how to track logical state that helps express and verify richer object invariants.
   - title: External Refinements
     url: /reference/external-refinements/
diff --git a/reference/refinements.md b/reference/refinements.md
@@ -15,13 +15,13 @@ import liquidjava.specification.*;
 
 public class RefinementExamples {
     @Refinement("x > 0") // x must be greater than 0
-    int x;
+    int x = 1;
 
     @Refinement("0 <= _ && _ <= 100") // y must be between 0 and 100
-    int y;
+    int y = 50;
 
     @Refinement("z % 2 == 0 ? z >= 0 : z < 0") // z must be positive if even, negative if odd
-    int z;
+    int z = 4;
 
     @Refinement("_ >= 0") // the return value must be non-negative
     int absDiv(int a, @Refinement("b != 0") int b) { // b must be non-zero
@@ -33,7 +33,7 @@ public class RefinementExamples {
 
 ## Predicate Syntax
 
-The predicates allowed inside a refinement belong to quantifier-free linear integer arithmetic. In practice, this means you can write boolean expressions over integer values using comparisons, logical connectives, arithmetic operators, and conditional expressions. You can also call ghost variables and aliases from refinements, which we cover in later sections.
+The predicates allowed inside a refinement belong to quantifier-free linear integer arithmetic. In practice, this means you can write boolean expressions over integer values using comparisons, logical connectives, arithmetic operators, and conditional expressions. You can also call ghosts and aliases from refinements, which we cover in later sections.
 
 | Form | Syntax | Example |
 | --- | --- | --- |
diff --git a/reference/state-refinements.md b/reference/state-refinements.md
@@ -8,45 +8,84 @@ nav_order: 3
 
 Beyond basic refinements, LiquidJava supports object state modeling through typestates. This lets you describe when a method can or cannot be called based on the state of the object.
 
-## Example
+The possible states of a class are declared with `@StateSet`, and the state transitions are described with `@StateRefinement(from = "...", to = "...")`:
+- `from` describes the **precondition** - the object state in which the method can be invoked
+- `to` describes the **postcondition** - the state the object will have after the method is called
 
 ```java
-import liquidjava.specification.StateRefinement;
-import liquidjava.specification.StateSet;
+import liquidjava.specification.*;
 
 @StateSet({"open", "closed"})
-public class MyFile {
-    @StateRefinement(to = "open(this)")
-    public MyFile() {}
+public class File {
+    @StateRefinement(to = "open()")
+    public File() {}
 
-    @StateRefinement(from = "open(this)", msg = "file must be open to read")
+    @StateRefinement(from = "open()")
     public void read() {}
 
-    @StateRefinement(from = "open(this)", to = "closed(this)", msg = "file must be open to close")
+    @StateRefinement(from = "open()", to = "closed()")
     public void close() {}
 }
+```
 
-MyFile f = new MyFile();
+```java
+File f = new File();
 f.read();
 f.close();
-f.read(); // type error: file must be open to read
+f.read(); // type error!
+```
+
+If a class follows an implicit protocol that can be described by a DFA, the protocol can be encoded in LiquidJava so that methods are enforced to be called in the correct order.
+
+## Syntax
+
+Note that states are functions. These take a single parameter, which is the object being refined. Since we are describing the state of the current object, we use `this` as the parameter, which is being used implicitly in the example above. Actually, all of these are equivalent: `open()`, `this.open()`, and `open(this)`.
+
+## State Initialization
+
+Constructors can only declare a `to` transition, since they are responsible for establishing the initial state of the object.
+
+```java
+import liquidjava.specification.*;
+
+@StateSet({"new", "ready"})
+public class Buffer {
+    @StateRefinement(to="ready()")
+    public Buffer() {}
+}
 ```
 
-This encodes a simple protocol:
+If no `to` transition is written, LiquidJava defaults the constructor to the first state listed in the corresponding `@StateSet`.
 
-- construction produces an open file
-- `read` requires the file to be open
-- `close` requires the file to be open and transitions it to closed
+Constructors must always be present for typestate checking to work correctly, because they are the point where the initial state values are assigned. Otherwise, the initial values are not set and the verifier won't be able to track the state of the object across method calls, which can lead to unexpected type errors.
 
-An illegal call sequence, such as reading after closing, becomes a verification error. As with refinements, you can provide custom error messages to make violations easier to diagnose.
+When refining interfaces, there is no real constructor, but LiquidJava still needs an initialization point. In those cases, if the type is named `Interface`, it must declare a method with the signature `public void Interface()` so the initial values are set correctly. This method plays the role of a constructor for the typestate system.
 
-## Why This Matters
 
-Typestates are especially helpful for:
+## Multiple StateSets
+
+Classes can declare more than one `@StateSet` annotation. This is useful when the object has independent, orthogonal dimensions of state.
+
+```java
+import liquidjava.specification.*;
+
+@StateSet({"open", "closed"})
+@StateSet({"clean", "dirty"})
+public class Device {
+    @StateRefinement(to="open() && clean()")
+    public Device() {}
+
+    @StateRefinement(from="open() && clean()", to="open() && dirty()")
+    public void use() {}
+
+    @StateRefinement(from="open() && dirty()", to="open() && clean()")
+    public void clean() {}
+
+    @StateRefinement(from="open() && clean()", to="closed() && clean()")
+    public void close() {}
+}
+```
 
-- files and sockets
-- locks and synchronization primitives
-- lifecycle-driven components
-- APIs with strict call ordering rules
+Each state set is exclusive: at any moment, the object can only be in one state from that specific set. In the example above, the object cannot be both `open` and `closed`, and it cannot be both `clean` and `dirty`.
 
-Continue with [Ghost Variables]({{ '/reference/ghost-variables/' | relative_url }}) and [External Refinements]({{ '/reference/external-refinements/' | relative_url }}) for protocols that need richer tracking.
+When a transition affects multiple orthogonal states, the states must be combined with `&&` in the `from` and `to` annotations. In the example above, the `use` method transitions from `open && clean` to `open && dirty`, and the `close` method transitions from `open && clean` to `closed && clean`.
