Results 1  10
of
34
The VeriFast Program Verifier
, 2008
"... This note describes a separationlogicbased approach for the specification and verification of safety properties of pointermanipulating imperative programs. The programmer may declare inductive datatypes and primitive recursive functions for specification. Verification proceeds by symbolic executi ..."
Abstract

Cited by 51 (7 self)
 Add to MetaCart
This note describes a separationlogicbased approach for the specification and verification of safety properties of pointermanipulating imperative programs. The programmer may declare inductive datatypes and primitive recursive functions for specification. Verification proceeds by symbolic execution using an abstract representation of memory as a separation logic assertion. Folding or unfolding abstract predicate assertions is performed through explicit ghost statements. Lemma functions enable inductive proofs of memory representation equivalences and facts about the primitive recursive functions. An SMT solver is used to solve queries over data values; an algorithm is described that prevents nontermination of the SMT solver while enabling reduction of any ground term. Since no significant search is performed by either the verifier or the SMT solver, verification time is predictable and low.
Relational parametricity and separation logic
 In 10th FOSSACS, LNCS 4423
, 2007
"... Abstract. Separation logic is a recent extension of Hoare logic for reasoning about programs with references to shared mutable data structures. In this paper, we provide a new interpretation of the logic for a programming language with higher types. Our interpretation is based on Reynolds’s relation ..."
Abstract

Cited by 33 (14 self)
 Add to MetaCart
(Show Context)
Abstract. Separation logic is a recent extension of Hoare logic for reasoning about programs with references to shared mutable data structures. In this paper, we provide a new interpretation of the logic for a programming language with higher types. Our interpretation is based on Reynolds’s relational parametricity, and it provides a formal connection between separation logic and data abstraction.
Automatic Numeric Abstractions for HeapManipulating Programs
, 2010
"... We present a logic for relating heapmanipulating programs to numeric abstractions. These numeric abstractions are expressed as simple imperative programs over integer variables and have the property that termination and safety of the numeric program ensures termination and safety of the original, h ..."
Abstract

Cited by 28 (2 self)
 Add to MetaCart
(Show Context)
We present a logic for relating heapmanipulating programs to numeric abstractions. These numeric abstractions are expressed as simple imperative programs over integer variables and have the property that termination and safety of the numeric program ensures termination and safety of the original, heapmanipulating program. We have implemented an automated version of this abstraction process and present experimental results for programs involving a variety of data structures.
A Relational Modal Logic for HigherOrder Stateful ADTs
"... The method of logical relations is a classic technique for proving the equivalence of higherorder programs that implement the same observable behavior but employ different internal data representations. Although it was originally studied for pure, strongly normalizing languages like System F, it ha ..."
Abstract

Cited by 20 (12 self)
 Add to MetaCart
(Show Context)
The method of logical relations is a classic technique for proving the equivalence of higherorder programs that implement the same observable behavior but employ different internal data representations. Although it was originally studied for pure, strongly normalizing languages like System F, it has been extended over the past two decades to reason about increasingly realistic languages. In particular, Appel and McAllester’s idea of stepindexing has been used recently to develop syntactic Kripke logical relations for MLlike languages that mix functional and imperative forms of data abstraction. However, while stepindexed models are powerful tools, reasoning with them directly is quite painful, as one is forced to engage in tedious stepindex arithmetic to derive even simple results. In this paper, we propose a logic LADR for equational reasoning about higherorder programs in the presence of existential type abstraction, general recursive types, and higherorder mutable state. LADR exhibits a novel synthesis of features from PlotkinAbadi logic, GödelLöb logic, S4 modal logic, and relational separation logic. Our model of LADR is based on Ahmed, Dreyer, and Rossberg’s stateoftheart stepindexed Kripke logical relation, which was designed to facilitate proofs of representation independence for “statedependent ” ADTs. LADR enables one to express such proofs at a much higher level, without counting steps or reasoning about the subtle, stepstratified construction of possible worlds.
Verification of information flow and access control policies with dependent types
, 2011
"... We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can a ..."
Abstract

Cited by 20 (4 self)
 Add to MetaCart
(Show Context)
We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard typetheoretic types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and statedependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic. The system, theorems and examples have all been formalized in Coq.
Unifying Refinement and HoareStyle Reasoning in a Logic for HigherOrder Concurrency (Technical Appendix)
, 2013
"... Note: This online appendix contains a few minor typo corrections found after submission. It also contains a more significant correction to the Flat Combining case study. The original submission contained a lastminute simplification of the protocol that turned out not to be sound. This updated appen ..."
Abstract

Cited by 19 (4 self)
 Add to MetaCart
(Show Context)
Note: This online appendix contains a few minor typo corrections found after submission. It also contains a more significant correction to the Flat Combining case study. The original submission contained a lastminute simplification of the protocol that turned out not to be sound. This updated appendix (and the updated paper available at
Compiling functional types to relational specifications for low level imperative code
 In TLDI
, 2009
"... We describe a semantic type soundness result, formalized in the Coq proof assistant, for a compiler from a simple functional language into an idealized assembly language. Types in the highlevel language are interpreted as binary relations, built using both secondorder quantification and separation, ..."
Abstract

Cited by 18 (6 self)
 Add to MetaCart
(Show Context)
We describe a semantic type soundness result, formalized in the Coq proof assistant, for a compiler from a simple functional language into an idealized assembly language. Types in the highlevel language are interpreted as binary relations, built using both secondorder quantification and separation, over stores and values in the lowlevel machine. Categories and Subject Descriptors F.3.1 [Logics and meanings of programs]: Specifying and Verifying and Reasoning about
Abstracting Allocation: The New new Thing
 In Computer Science Logic
, 2006
"... Abstract. We introduce a FloydHoarestyle framework for specification and verification of machine code programs, based on relational parametricity (rather than unary predicates) and using both stepindexing and a novel form of separation structure. This yields compositional, descriptive and extensi ..."
Abstract

Cited by 18 (6 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce a FloydHoarestyle framework for specification and verification of machine code programs, based on relational parametricity (rather than unary predicates) and using both stepindexing and a novel form of separation structure. This yields compositional, descriptive and extensional reasoning principles for many features of lowlevel sequential computation: independence, ownership transfer, unstructured control flow, firstclass code pointers and address arithmetic. We demonstrate how to specify and verify the implementation of a simple memory manager and, independently, its clients in this style. The work has been fully machinechecked within the Coq proof assistant. 1
Proving Acceptability Properties of Relaxed Nondeterministic Approximate Programs
"... Approximate program transformations such as skipping tasks [29, 30], loop perforation [21, 22, 35], reduction sampling [38], multiple selectable implementations [3, 4, 16, 38], dynamic knobs [16], synchronization elimination [20, 32], approximate function memoization [11], and approximate data types ..."
Abstract

Cited by 17 (5 self)
 Add to MetaCart
(Show Context)
Approximate program transformations such as skipping tasks [29, 30], loop perforation [21, 22, 35], reduction sampling [38], multiple selectable implementations [3, 4, 16, 38], dynamic knobs [16], synchronization elimination [20, 32], approximate function memoization [11], and approximate data types [34] produce programs that can execute at a variety of points in an underlying performance versus accuracy tradeoff space. These transformed programs have the ability to trade accuracy of their results for increased performance by dynamically and nondeterministically modifying variables that control their execution. We call such transformed programs relaxed programs because they have been extended with additional nondeterminism to relax their semantics and enable greater flexibility in their execution. We present language constructs for developing and specifying relaxed programs. We also present proof rules for reasoning about acceptability properties [28], which the program must satisfy to be acceptable. Our proof rules work with two kinds of acceptability properties: relational acceptability properties, which characterize desired relationships between the values of variables in the original and relaxed programs, and unary acceptability properties, which involve values only from a single (original or relaxed) program. The proof rules support a staged reasoning approach in which the majority of the reasoning effort works with the original program. Exploiting the common structure that the original and relaxed programs share, relational reasoning transfers reasoning effort from the original program to prove properties of the relaxed program. We have formalized the dynamic semantics of our target programming language and the proof rules in Coq and verified that the proof rules are sound with respect to the dynamic semantics. Our Coq implementation enables developers to obtain fully machinechecked verifications of their relaxed programs.
Refinement and Separation Contexts
 In Foundations of Software Technology and Theoretical Computer Science (FST&TCS
, 2004
"... A separation context is a client program which does not dereference internals of the module with which it interacts. We use precise relations to unambiguously describe the storage of the module. We prove that separation contexts preserve such relations, as well as interesting properties of separ ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
(Show Context)
A separation context is a client program which does not dereference internals of the module with which it interacts. We use precise relations to unambiguously describe the storage of the module. We prove that separation contexts preserve such relations, as well as interesting properties of separation contexts in connection with refinement.