Separation and Information Hiding
2004
Cited by 183 (20 self)
We investigate proof rules for information hiding, using the recent formalism of separation logic. In essence, we use the separating conjunction to partition the internal resources of a module from those accessed by the module's clients. The use of a logical connective gives rise to a form of dynamic partitioning, where we track the transfer of ownership of portions of heap storage between program components. It also enables us to enforce separation in the presence of mutable data structures with embedded addresses that may be aliased.
Shape analysis for composite data structures
In CAV, 2007
Cited by 112 (20 self)
We propose a shape analysis that adapts to some of the complex composite data structures found in industrial systems-level programs. Examples of such data structures include “cyclic doubly-linked lists of acyclic singly-linked lists”, “singly-linked lists of cyclic doubly-linked lists with back-pointers to head nodes”, etc. The analysis introduces the use of generic higher-order inductive predicates describing spatial relationships together with a method of synthesizing new parameterized spatial predicates which can be used in combination with the higher-order predicates. In order to evaluate the proposed approach for realistic programs we have performed experiments on examples drawn from device drivers: the analysis proved safety of the data structure manipulation of several routines belonging to an IEEE 1394 (firewire) driver, and also found several previously unknown memory safety bugs.
Polymorphism and Separation in Hoare Type Theory
2006
Cited by 81 (15 self)
In previous work, we proposed a Hoare Type Theory (HTT) which combines effectful higher-order functions, dependent types and Hoare Logic specifications into a unified framework. However, the framework did not support polymorphism, and failed to provide a modular treatment of state in specifications. In this paper, we address these shortcomings by showing that the addition of polymorphism alone is sufficient for capturing modular state specifications in the style of Separation Logic. Furthermore, we argue that polymorphism is an essential ingredient of the extension, as the treatment of higher-order functions requires operations not encodable via the spatial connectives of Separation Logic.
Abstract predicates and mutable ADTs in Hoare type theory
In Proc. ESOP’07, volume 4421 of LNCS, 2007
Cited by 43 (19 self)
Hoare Type Theory (HTT) combines a dependently typed, higher-order language with monadically-encapsulated, stateful computations. The type system incorporates pre- and postconditions, in a fashion similar to Hoare and Separation Logic, so that programmers can modularly specify the requirements and effects of computations within types. This paper extends HTT with quantification over abstract predicates (i.e., higher-order logic), thus embedding into HTT the Extended Calculus of Constructions. When combined with the Hoare-like specifications, abstract predicates provide a powerful way to define and encapsulate the invariants of private state; that is, state which may be shared by several functions, but is not accessible to their clients. We demonstrate this power by sketching a number of abstract data types and functions that demand ownership of mutable memory, including an idealized custom memory manager.
Relational parametricity and separation logic
In 10th FOSSACS, LNCS 4423, 2007
Cited by 33 (14 self)
Separation logic is a recent extension of Hoare logic for reasoning about programs with references to shared mutable data structures. In this paper, we provide a new interpretation of the logic for a programming language with higher types. Our interpretation is based on Reynolds’s relational parametricity, and it provides a formal connection between separation logic and data abstraction.
Step-indexed Kripke models over recursive worlds
In Proc. of POPL, 2011
Cited by 31 (13 self)
Over the last decade, there has been extensive research on modelling challenging features in programming languages and program logics, such as higher-order store and storable resource invariants. A recent line of work has identified a common solution to some of these challenges: Kripke models over worlds that are recursively defined in a category of metric spaces. In this paper, we broaden the scope of this technique from the original domain-theoretic setting to an elementary, operational one based on step indexing. The resulting method is widely applicable and leads to simple, succinct models of complicated language features, as we demonstrate in our semantics of Charguéraud and Pottier’s type-and-capability system for an ML-like higher-order language. Moreover, the method provides a high-level understanding of the essence of recent approaches based on step indexing.
Behavioral subtyping, specification inheritance, and modular reasoning
Cited by 18 (6 self)
Verification of a dynamically-dispatched method call, E.m(), seems to depend on E’s dynamic type. To avoid case analysis and allow incremental development, object-oriented program verification uses supertype abstraction. That is, one reasons about E.m() using m’s specification for E’s static type. Supertype abstraction is valid when each subtype in the program is a behavioral subtype. This paper formalizes supertype abstraction and behavioral subtyping for a Java-like sequential language with mutation, and proves that behavioral subtyping is both necessary and sufficient for the validity of supertype abstraction. Specification inheritance, as in JML, is also formalized and proved to entail behavioral subtyping.
A theory of indirection via approximation
In POPL, 2010
Cited by 18 (9 self)
Building semantic models that account for various kinds of indirect reference has traditionally been a difficult problem. Indirect reference can appear in many guises, such as heap pointers, higher-order functions, object references, and shared-memory mutexes. We give a general method to construct models containing indirect reference by presenting a “theory of indirection”. Our method can be applied in a wide variety of settings and uses only simple, elementary mathematics. In addition to various forms of indirect reference, the resulting models support powerful features such as impredicative quantification and equirecursion; moreover they are compatible with the kind of powerful substructural accounting required to model (higher-order) separation logic. In contrast to previous work, our model is easy to apply to new settings and has a simple axiomatization, which is complete in the sense that all models of it are isomorphic. Our proofs are machine-checked in Coq.
A Semantic Foundation for Hidden State
Cited by 18 (10 self)
We present the first complete soundness proof of the anti-frame rule, a recently proposed proof rule for capturing information hiding in the presence of higher-order store. Our proof involves solving a nontrivial recursive domain equation. It helps identify some of the key ingredients for soundness, and thereby suggests how one might hope to relax some of the restrictions imposed by the rule.
Ultrametric Semantics of Reactive Programs
Cited by 18 (3 self)
We describe a denotational model of higher-order functional reactive programming using ultrametric spaces and nonexpansive maps, which provide a natural Cartesian closed generalization of causal stream functions and guarded recursive definitions. We define a type theory corresponding to this semantics and show that it satisfies normalization. Finally, we show how reactive programs written in this language may be implemented efficiently using an imperatively updated dataflow graph, and give a separation logic proof that this low-level implementation is correct with respect to the high-level semantics.