Results 1  10
of
24
A theory of indirection via approximation
 IN POPL
, 2010
"... Building semantic models that account for various kinds of indirect reference has traditionally been a difficult problem. Indirect reference can appear in many guises, such as heap pointers, higherorder functions, object references, and sharedmemory mutexes. We give a general method to construct m ..."
Abstract

Cited by 16 (9 self)
 Add to MetaCart
Building semantic models that account for various kinds of indirect reference has traditionally been a difficult problem. Indirect reference can appear in many guises, such as heap pointers, higherorder functions, object references, and sharedmemory mutexes. We give a general method to construct models containing indirect reference by presenting a “theory of indirection”. Our method can be applied in a wide variety of settings and uses only simple, elementary mathematics. In addition to various forms of indirect reference, the resulting models support powerful features such as impredicative quantification and equirecursion; moreover they are compatible with the kind of powerful substructural accounting required to model (higherorder) separation logic. In contrast to previous work, our model is easy to apply to new settings and has a simple axiomatization, which is complete in the sense that all models of it are isomorphic. Our proofs are machinechecked in Coq.
Verified Software Toolchain
, 2011
"... The software toolchain includes static analyzers to check assertions about programs; optimizing compilers to translate programs to machine language; operating systems and libraries to supply context for programs. Our Verified Software Toolchain verifies with machinechecked proofs that the asserti ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
The software toolchain includes static analyzers to check assertions about programs; optimizing compilers to translate programs to machine language; operating systems and libraries to supply context for programs. Our Verified Software Toolchain verifies with machinechecked proofs that the assertions claimed at the top of the toolchain really hold in the machinelanguage program, running in the operatingsystem context, on a weaklyconsistentsharedmemory machine. Our verification approach is modular, in that proofs about operating systems or concurrency libraries are oblivious of the programming language or machine language, proofs about compilers are oblivious of the program logic used to verify static analyzers, and so on. The approach is scalable, in that each component is verified in the semantic idiom most natural for that component. Finally, the verification is foundational: the trusted base for proofs of observable properties of the machinelanguage program includes only the operational semantics of the machine language, not the source language, the compiler, the program logic, or any other part of the toolchain—even when these proofs are
Fictional Separation Logic
"... Separation logic formalizes the idea of local reasoning for heapmanipulating programs via the frame rule and the separating conjunction P ∗ Q, which describes states that can be split into separate parts, with one satisfying P and the other satisfying Q. In standard separation logic, separation m ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
Separation logic formalizes the idea of local reasoning for heapmanipulating programs via the frame rule and the separating conjunction P ∗ Q, which describes states that can be split into separate parts, with one satisfying P and the other satisfying Q. In standard separation logic, separation means physical separation. In this paper, we introduce fictional separation logic, which includes more general forms of fictional separating conjunctions P ∗ Q, where ∗ does not require physical separation, but may also be used in situations where the memory resources described by P and Q overlap. We demonstrate, via a range of examples, how fictional separation logic can be used to reason locally and modularly about mutable abstract data types, possibly implemented using sophisticated sharing. Fictional separation logic is defined on top of standard separation logic, and both the metatheory and the application of the logic is much simpler than earlier related approaches.
Local Reasoning for Global Invariants, Part II: Dynamic Boundaries
"... The hiding of internal invariants creates a mismatch between procedure specifications in an interface and proof obligations on the implementations of those procedures. The mismatch is sound if the invariants depend only on encapsulated state, but encapsulation is problematic in contemporary software ..."
Abstract

Cited by 6 (4 self)
 Add to MetaCart
The hiding of internal invariants creates a mismatch between procedure specifications in an interface and proof obligations on the implementations of those procedures. The mismatch is sound if the invariants depend only on encapsulated state, but encapsulation is problematic in contemporary software due to the many uses of shared mutable objects. The mismatch is formalized here in a proof rule that achieves flexibility via explicit restrictions on client effects, expressed using ghost state and ordinary first order assertions. The restrictions amount to a stateful frame condition that must be satisfied by any client; this dynamic encapsulation boundary complements conventional scopebased encapsulation. The technical development is based on a companion paper, Part I, that presents a programming logic with stateful frame conditions for commands.
Two for the Price of One: Lifting Separation Logic Assertions
"... Recently, data abstraction has been studied in the context of separation logic, with noticeable practical successes: the developed logics have enabled clean proofs of tricky challenging programs, such as subjectobserver patterns, and they have become the basis of efficient verification tools for Jav ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Recently, data abstraction has been studied in the context of separation logic, with noticeable practical successes: the developed logics have enabled clean proofs of tricky challenging programs, such as subjectobserver patterns, and they have become the basis of efficient verification tools for Java (jStar), C (VeriFast) and Hoare Type Theory (Ynot). In this paper, we give a new semantic analysis of such logicbased approaches using Reynolds’s relational parametricity. The core of the analysis is our lifting theorems, which give a sound and complete condition for when a true implication between assertions in the standard interpretation entails that the same implication holds in a relational interpretation. Using these theorems, we provide an algorithm for identifying abstractionrespecting clientside proofs; the proofs ensure that clients cannot distinguish two appropriatelyrelated module implementations. 1
Views: Compositional Reasoning for Concurrent Programs
"... Compositional abstractions underly many reasoning principles for concurrent programs: the concurrent environment is abstracted in order to reason about a thread in isolation; and these abstractions are composed to reason about a program consisting of many threads. For instance, separation logic uses ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
Compositional abstractions underly many reasoning principles for concurrent programs: the concurrent environment is abstracted in order to reason about a thread in isolation; and these abstractions are composed to reason about a program consisting of many threads. For instance, separation logic uses formulae that describe part of the state, abstracting the rest; when two threads use disjoint state, their specifications can be composed with the separating conjunction. Type systems abstract the state to the types of variables; threads may be composed when they agree on the types of shared variables. In this paper, we present the “Concurrent Views Framework”, a metatheory of concurrent reasoning principles. The theory is parameterised by an abstraction of state with a notion of composition, which we call views. The metatheory is remarkably simple, but highly applicable: the relyguarantee method, concurrent separation logic, concurrent abstract predicates, type systems for recursive references and for unique pointers, and even an adaptation of the OwickiGries method can all be seen as instances of the Concurrent Views Framework. Moreover, our metatheory proves each of these systems is sound without requiring induction on the operational semantics.
Charge! A framework for higherorder separation logic in Coq
"... We present a comprehensive set of tactics for working with a shallow embedding of a higherorder separation logic for a subset of Java in Coq. The tactics make it possible to reason at a level of abstraction similar to penandpaper separationlogic proof outlines. In particular, the tactics allow t ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
We present a comprehensive set of tactics for working with a shallow embedding of a higherorder separation logic for a subset of Java in Coq. The tactics make it possible to reason at a level of abstraction similar to penandpaper separationlogic proof outlines. In particular, the tactics allow the user to reason in the embedded logic rather than in the concrete model, where the stacks and heaps are exposed. The development is generic in the choice of heap model, and most of the development is also independent of the choice of programming language.
CLASSICAL BI: ITS SEMANTICS AND PROOF THEORY
"... Abstract. We present Classical BI (CBI), a new addition to the family of bunched logics which originates in O’Hearn and Pym’s logic of bunched implications BI. CBI differs from existing bunched logics in that its multiplicative connectives behave classically rather than intuitionistically (including ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
Abstract. We present Classical BI (CBI), a new addition to the family of bunched logics which originates in O’Hearn and Pym’s logic of bunched implications BI. CBI differs from existing bunched logics in that its multiplicative connectives behave classically rather than intuitionistically (including in particular a multiplicative version of classical negation). At the semantic level, CBIformulas have the normal bunched logic reading as declarative statements about resources, but its resource models necessarily feature more structure than those for other bunched logics; principally, they satisfy the requirement that every resource has a unique dual. At the prooftheoretic level, a very natural formalism for CBI is provided by a display calculus à la Belnap, which can be seen as a generalisation of the bunched sequent calculus for BI. In this paper we formulate the aforementioned model theory and proof theory for CBI, and prove some fundamental results about the logic, most notably completeness of the proof theory with respect to the semantics. 1.
Local Actions for a Currystyle Operational Semantics
, 2011
"... Soundness proofs of program logics such as Hoare logics and type systems are often made easier by decorating the operational semantics with information that is useful in the proof. However, modifying the operational semantics to carry around such information can make it more difficult to show that t ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Soundness proofs of program logics such as Hoare logics and type systems are often made easier by decorating the operational semantics with information that is useful in the proof. However, modifying the operational semantics to carry around such information can make it more difficult to show that the operational semantics corresponds to what actually occurs on a real machine. In this work we present a program logic framework targeting operational semantics in Currystyle—that is, operational semantics without proof decorations such as separation algebras, share models, and step indexes. Although we target Currystyle operational semantics, our framework permits local reasoning via the frame rule and retains expressive assertions in the program logic. Soundness of the program logic is derived mechanically from simple properties of primitive commands and expressions. We demonstrate our framework by deriving a separation logic for the model of a core imperative programming language with external function calls. We also apply our framework in a more realistic setting in the soundness proof of a separation logic for CompCert’s Cminor. Our proofs are machinechecked in Coq.