Compositional Shape Analysis by means of Bi-Abduction
This paper describes a compositional shape analysis, where each procedure is analyzed independently of its callers. The analysis uses an abstract domain based on a restricted fragment of separation logic, and assigns a collection of Hoare triples to each procedure; the triples provide an over-approximation of data structure usage. Compositionality brings its usual benefits – increased potential to scale, ability to deal with unknown calling contexts, graceful way to deal with imprecision – to shape analysis, for the first time. The analysis rests on a generalized form of abduction (inference of explanatory hypotheses) which we call bi-abduction. Biabduction displays abduction as a kind of inverse to the frame problem: it jointly infers anti-frames (missing portions of state) and frames (portions of state not touched by an operation), and is the basis of a new interprocedural analysis algorithm. We have implemented
A Semantic Basis for Local Reasoning
, 2002
We present a semantic analysis of a recently proposed formalism for local reasoning, where a specification (and hence proof) can concentrate on only those cells that a program accesses. Our main results are the soundness and, in a sense, completeness of a rule that allows frame axioms, which describe invariant properties of portions of heap memory, to be inferred automatically; thus, these axioms can be avoided when writing specifications.
Hoare Logics for Recursive Procedures and Unbounded Nondeterminism
- Computer Science Logic (CSL 2002), volume 2471 of LNCS
, 2002
This paper presents sound and complete Hoare logics for partial and total correctness of recursive parameterless procedures in the context of unbounded nondeterminism. For total correctness, the literature so far has either restricted recursive procedures to be deterministic or has studied unbounded nondeterminism only in conjunction with loops rather than procedures. We consider both single procedures and systems of mutually recursive procedures. All proofs have been checked with the theorem prover Isabelle/HOL.
Behavioral subtyping is equivalent to modular reasoning for object-oriented programs
, 2006
Behavioral subtyping enables modular reasoning about the functional behavior of object-oriented programs. It validates supertype abstraction, that is, modular reasoning about dynamically dispatched method calls, such as E.m(), using specifications associated with their receiver’s static type, such as the static type of E. For languages with references and mutable objects neither behavioral subtyping nor supertype abstraction has been rigorously formalized as such. Moreover, the standard informal notion of behavioral subtyping has inadequacies. This paper gives a new formalization of behavioral subtyping and supertype abstraction, and a new proof of their equivalence. Our new formalization handles a realistic subset of sequential Java, with classes and interfaces, recursive types, and dynamically-allocated mutable objects.
A Rule of Adaptation for OO
, 2004
This paper presents a new rule for reasoning about method calls in object-oriented programs. It concerns an optimized adaptation of Hoare's rule of adaptation to the object-oriented paradigm. The new rule contributes in various ways to the modularity of the specification. We also
Proof Abstraction for Imperative Languages
, 2003
Modularity in programming language semantics derives from abstracting over the structure of underlying denotations, yielding semantic descriptions that are more abstract and reusable. One such semantic framework is Liang’s modular monadic semantics in which the underlying semantic structure is encapsulated with a monad. Such abstraction can be at odds with program verification, however, because program specifications require access to the (deliberately) hidden semantic representation. The techniques for reasoning about modular monadic definitions of imperative programs introduced here overcome this barrier. And, just like program definitions in modular monadic semantics, our program specifications and proofs are representation-independent and hold for whole classes of monads, thereby yielding proofs of great generality.
Modularity and the rule of adaptation
- In Proceedings of AMAST, volume 3116 of LNCS
, 2004
This paper presents a new rule for reasoning about method calls in object-oriented programs. It is an adaptation of Hoare’s rule of adaptation to the object-oriented paradigm, which takes both the write effects and the creational effects of a method into account. The new rule contributes in various ways to the modularity of the specification. We also argue that our rule of adaptation is the missing link between Hoare logics and proof outlines for object-oriented programs.
Local Reasoning for Global Invariants, Part II: Dynamic Boundaries
The hiding of internal invariants creates a mismatch between procedure specifications in an interface and proof obligations on the implementations of those procedures. The mismatch is sound if the invariants depend only on encapsulated state, but encapsulation is problematic in contemporary software due to the many uses of shared mutable objects. The mismatch is formalized here in a proof rule that achieves flexibility via explicit restrictions on client effects, expressed using ghost state and ordinary first order assertions. The restrictions amount to a stateful frame condition that must be satisfied by any client; this dynamic encapsulation boundary complements conventional scope-based encapsulation. The technical development is based on a companion paper, Part I, that presents a programming logic with stateful frame conditions for commands.
Predicate transformation as a proof strategy
- Computing Science Department, University of Nijmegen
, 2002
A verification strategy implementing precondition generation is presented. It automatically constructs a weak precondition for the statements of a Java subset. The strategy uses the rules of an underlying Hoare logic.