Results 1  10
of
83
Separation Logic: A Logic for Shared Mutable Data Structures
, 2002
"... In joint work with Peter O'Hearn and others, based on early ideas of Burstall, we have developed an extension of Hoare logic that permits reasoning about lowlevel imperative programs that use shared mutable data structure. ..."
Abstract

Cited by 761 (5 self)
 Add to MetaCart
(Show Context)
In joint work with Peter O'Hearn and others, based on early ideas of Burstall, we have developed an extension of Hoare logic that permits reasoning about lowlevel imperative programs that use shared mutable data structure.
Local Reasoning about Programs that Alter Data Structures
, 2001
"... . We describe an extension of Hoare's logic for reasoning about programs that alter data structures. We consider a lowlevel storage model based on a heap with associated lookup, update, allocation and deallocation operations, and unrestricted address arithmetic. The assertion language is b ..."
Abstract

Cited by 281 (27 self)
 Add to MetaCart
. We describe an extension of Hoare's logic for reasoning about programs that alter data structures. We consider a lowlevel storage model based on a heap with associated lookup, update, allocation and deallocation operations, and unrestricted address arithmetic. The assertion language is based on a possible worlds model of the logic of bunched implications, and includes spatial conjunction and implication connectives alongside those of classical logic. Heap operations are axiomatized using what we call the \small axioms", each of which mentions only those cells accessed by a particular command. Through these and a number of examples we show that the formalism supports local reasoning: A speci cation and proof can concentrate on only those cells in memory that a program accesses. This paper builds on earlier work by Burstall, Reynolds, Ishtiaq and O'Hearn on reasoning about data structures. 1
BI as an Assertion Language for Mutable Data Structures
, 2000
"... Reynolds has developed a logic for reasoning about mutable data structures in which the pre and postconditions are written in an intuitionistic logic enriched with a spatial form of conjunction. We investigate the approach from the point of view of the logic BI of bunched implications of O'Hea ..."
Abstract

Cited by 163 (14 self)
 Add to MetaCart
(Show Context)
Reynolds has developed a logic for reasoning about mutable data structures in which the pre and postconditions are written in an intuitionistic logic enriched with a spatial form of conjunction. We investigate the approach from the point of view of the logic BI of bunched implications of O'Hearn and Pym. We begin by giving a model in which the law of the excluded middle holds, thus showing that the approach is compatible with classical logic. The relationship between the intuitionistic and classical versions of the system is established by a translation, analogous to a translation from intuitionistic logic into the modal logic S4. We also consider the question of completeness of the axioms. BI's spatial implication is used to express weakest preconditions for objectcomponent assignments, and an axiom for allocating a cons cell is shown to be complete under an interpretation of triples that allows a command to be applied to states with dangling pointers. We make this latter a feature, by incorporating an operation, and axiom, for disposing of memory. Finally, we describe a local character enjoyed by specifications in the logic, and show how this enables a class of frame axioms, which say what parts of the heap don't change, to be inferred automatically.
Alias Types for Recursive Data Structures
, 2000
"... Linear type systems permit programmers to deallocate or explicitly recycle memory, but they are severly restricted by the fact that they admit no aliasing. This paper describes a pseudolinear type system that allows a degree of aliasing and memory reuse as well as the ability to define complex recu ..."
Abstract

Cited by 141 (14 self)
 Add to MetaCart
(Show Context)
Linear type systems permit programmers to deallocate or explicitly recycle memory, but they are severly restricted by the fact that they admit no aliasing. This paper describes a pseudolinear type system that allows a degree of aliasing and memory reuse as well as the ability to define complex recursive data structures. Our type system can encode conventional linear data structures such as linear lists and trees as well as more sophisticated data structures including cyclic and doublylinked lists and trees. In the latter cases, our type system is expressive enough to represent pointer aliasing and yet safely permit destructive operations such as object deallocation. We demonstrate the flexibility of our type system by encoding two common compiler optimizations: destinationpassing style and DeutschSchorrWaite or "linkreversal" traversal algorithms.
Intuitionistic Reasoning about Shared Mutable Data Structure
 Millennial Perspectives in Computer Science
, 2000
"... Drawing upon early work by Burstall, we extend Hoare's approach to proving the correctness of imperative programs, to deal with programs that perform destructive updates to data structures containing more than one pointer to the same location. The key concept is an "independent conjunc ..."
Abstract

Cited by 107 (5 self)
 Add to MetaCart
(Show Context)
Drawing upon early work by Burstall, we extend Hoare's approach to proving the correctness of imperative programs, to deal with programs that perform destructive updates to data structures containing more than one pointer to the same location. The key concept is an "independent conjunction" P & Q that holds only when P and Q are both true and depend upon distinct areas of storage. To make this concept precise we use an intuitionistic logic of assertions, with a Kripke semantics whose possible worlds are heaps (mapping locations into tuples of values).
Proving pointer programs in Hoare Logic
, 2000
"... . It is possible, but difficult, to reason in Hoare logic about programs which address and modify data structures defined by pointers. The challenge is to approach the simplicity of Hoare logic's treatment of variable assignment, where substitution affects only relevant assertion formul. The ..."
Abstract

Cited by 107 (7 self)
 Add to MetaCart
. It is possible, but difficult, to reason in Hoare logic about programs which address and modify data structures defined by pointers. The challenge is to approach the simplicity of Hoare logic's treatment of variable assignment, where substitution affects only relevant assertion formul. The axiom of assignment to object components treats each component name as a pointerindexed array. This permits a formal treatment of inductively defined data structures in the heap but tends to produce instances of modified component mappings in arguments to inductively defined assertions. The major weapons against these troublesome mappings are assertions which describe spatial separation of data structures. Three example proofs are sketched. 1 Introduction The power of the Floyd/Hoare treatment of imperative programs [8][11] lies in its use of variable substitution to capture the semantics of assignment: simply, R E x , the result of replacing every free occurrence of variable x in R by...
Proving Pointer Programs in HigherOrder Logic
 Information and Computation
, 2003
"... This paper develops sound modelling and reasoning methods for imperative programs with pointers: heaps are modelled as mappings from addresses to values, and pointer structures are mapped to higherlevel data types for verification. The programming language is embedded in higherorder logic, its ..."
Abstract

Cited by 73 (1 self)
 Add to MetaCart
(Show Context)
This paper develops sound modelling and reasoning methods for imperative programs with pointers: heaps are modelled as mappings from addresses to values, and pointer structures are mapped to higherlevel data types for verification. The programming language is embedded in higherorder logic, its Hoare logic is derived. The whole development is purely definitional and thus sound. The viability of this approach is demonstrated with a nontrivial case study. We show the correctness of the SchorrWaite graph marking algorithm and present part of the readable proof in Isabelle/HOL.
Toward the Formal Verification of a C0 Compiler: Code Generation and Implementation Correctness
 Proceedings of the Third IEEE International Conference on Software Engineering and Formal Methods (SEFM’05). IEEE Computer Society. ISBN
, 2005
"... c©2005 IEEE. Personal use of this material is permitted. However, permission to reprint / republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other ..."
Abstract

Cited by 46 (5 self)
 Add to MetaCart
(Show Context)
c©2005 IEEE. Personal use of this material is permitted. However, permission to reprint / republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
A Logical Analysis of Aliasing in Imperative HigherOrder Functions
 INTERNATIONAL CONFERENCE ON FUNCTIONAL PROGRAMMING, ICFP’05
, 2005
"... We present a compositional program logic for callbyvalue imperative higherorder functions with general forms of aliasing, which can arise from the use of reference names as function parameters, return values, content of references and part of data structures. The program logic ..."
Abstract

Cited by 31 (3 self)
 Add to MetaCart
We present a compositional program logic for callbyvalue imperative higherorder functions with general forms of aliasing, which can arise from the use of reference names as function parameters, return values, content of references and part of data structures. The program logic
A Stratified Semantics of General References Embeddable in HigherOrder Logic (Extended Abstract)
, 2002
"... Amal J. Ahmed Andrew W. Appel # Roberto Virga Princeton University {amal,appel,rvirga}@cs.princeton.edu Abstract We demonstrate a semantic model of general references  that is, mutable memory cells that may contain values of any (staticallychecked) closed type, including other references. Our mo ..."
Abstract

Cited by 31 (8 self)
 Add to MetaCart
Amal J. Ahmed Andrew W. Appel # Roberto Virga Princeton University {amal,appel,rvirga}@cs.princeton.edu Abstract We demonstrate a semantic model of general references  that is, mutable memory cells that may contain values of any (staticallychecked) closed type, including other references. Our model is in terms of execution sequences on a von Neumann machine