Results 1  10
of
34
A theory of indirection via approximation
 IN POPL
, 2010
"... Building semantic models that account for various kinds of indirect reference has traditionally been a difficult problem. Indirect reference can appear in many guises, such as heap pointers, higherorder functions, object references, and sharedmemory mutexes. We give a general method to construct m ..."
Abstract

Cited by 16 (9 self)
 Add to MetaCart
(Show Context)
Building semantic models that account for various kinds of indirect reference has traditionally been a difficult problem. Indirect reference can appear in many guises, such as heap pointers, higherorder functions, object references, and sharedmemory mutexes. We give a general method to construct models containing indirect reference by presenting a “theory of indirection”. Our method can be applied in a wide variety of settings and uses only simple, elementary mathematics. In addition to various forms of indirect reference, the resulting models support powerful features such as impredicative quantification and equirecursion; moreover they are compatible with the kind of powerful substructural accounting required to model (higherorder) separation logic. In contrast to previous work, our model is easy to apply to new settings and has a simple axiomatization, which is complete in the sense that all models of it are isomorphic. Our proofs are machinechecked in Coq.
Verified Software Toolchain
, 2011
"... The software toolchain includes static analyzers to check assertions about programs; optimizing compilers to translate programs to machine language; operating systems and libraries to supply context for programs. Our Verified Software Toolchain verifies with machinechecked proofs that the asserti ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
The software toolchain includes static analyzers to check assertions about programs; optimizing compilers to translate programs to machine language; operating systems and libraries to supply context for programs. Our Verified Software Toolchain verifies with machinechecked proofs that the assertions claimed at the top of the toolchain really hold in the machinelanguage program, running in the operatingsystem context, on a weaklyconsistentsharedmemory machine. Our verification approach is modular, in that proofs about operating systems or concurrency libraries are oblivious of the programming language or machine language, proofs about compilers are oblivious of the program logic used to verify static analyzers, and so on. The approach is scalable, in that each component is verified in the semantic idiom most natural for that component. Finally, the verification is foundational: the trusted base for proofs of observable properties of the machinelanguage program includes only the operational semantics of the machine language, not the source language, the compiler, the program logic, or any other part of the toolchain—even when these proofs are
Views: Compositional Reasoning for Concurrent Programs
"... Compositional abstractions underly many reasoning principles for concurrent programs: the concurrent environment is abstracted in order to reason about a thread in isolation; and these abstractions are composed to reason about a program consisting of many threads. For instance, separation logic uses ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
Compositional abstractions underly many reasoning principles for concurrent programs: the concurrent environment is abstracted in order to reason about a thread in isolation; and these abstractions are composed to reason about a program consisting of many threads. For instance, separation logic uses formulae that describe part of the state, abstracting the rest; when two threads use disjoint state, their specifications can be composed with the separating conjunction. Type systems abstract the state to the types of variables; threads may be composed when they agree on the types of shared variables. In this paper, we present the “Concurrent Views Framework”, a metatheory of concurrent reasoning principles. The theory is parameterised by an abstraction of state with a notion of composition, which we call views. The metatheory is remarkably simple, but highly applicable: the relyguarantee method, concurrent separation logic, concurrent abstract predicates, type systems for recursive references and for unique pointers, and even an adaptation of the OwickiGries method can all be seen as instances of the Concurrent Views Framework. Moreover, our metatheory proves each of these systems is sound without requiring induction on the operational semantics.
Fictional Separation Logic
"... Separation logic formalizes the idea of local reasoning for heapmanipulating programs via the frame rule and the separating conjunction P ∗ Q, which describes states that can be split into separate parts, with one satisfying P and the other satisfying Q. In standard separation logic, separation m ..."
Abstract

Cited by 8 (3 self)
 Add to MetaCart
Separation logic formalizes the idea of local reasoning for heapmanipulating programs via the frame rule and the separating conjunction P ∗ Q, which describes states that can be split into separate parts, with one satisfying P and the other satisfying Q. In standard separation logic, separation means physical separation. In this paper, we introduce fictional separation logic, which includes more general forms of fictional separating conjunctions P ∗ Q, where ∗ does not require physical separation, but may also be used in situations where the memory resources described by P and Q overlap. We demonstrate, via a range of examples, how fictional separation logic can be used to reason locally and modularly about mutable abstract data types, possibly implemented using sophisticated sharing. Fictional separation logic is defined on top of standard separation logic, and both the metatheory and the application of the logic is much simpler than earlier related approaches.
Local Reasoning for Global Invariants, Part II: Dynamic Boundaries
"... The hiding of internal invariants creates a mismatch between procedure specifications in an interface and proof obligations on the implementations of those procedures. The mismatch is sound if the invariants depend only on encapsulated state, but encapsulation is problematic in contemporary software ..."
Abstract

Cited by 7 (5 self)
 Add to MetaCart
The hiding of internal invariants creates a mismatch between procedure specifications in an interface and proof obligations on the implementations of those procedures. The mismatch is sound if the invariants depend only on encapsulated state, but encapsulation is problematic in contemporary software due to the many uses of shared mutable objects. The mismatch is formalized here in a proof rule that achieves flexibility via explicit restrictions on client effects, expressed using ghost state and ordinary first order assertions. The restrictions amount to a stateful frame condition that must be satisfied by any client; this dynamic encapsulation boundary complements conventional scopebased encapsulation. The technical development is based on a companion paper, Part I, that presents a programming logic with stateful frame conditions for commands.
CLASSICAL BI: ITS SEMANTICS AND PROOF THEORY
"... Abstract. We present Classical BI (CBI), a new addition to the family of bunched logics which originates in O’Hearn and Pym’s logic of bunched implications BI. CBI differs from existing bunched logics in that its multiplicative connectives behave classically rather than intuitionistically (including ..."
Abstract

Cited by 5 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We present Classical BI (CBI), a new addition to the family of bunched logics which originates in O’Hearn and Pym’s logic of bunched implications BI. CBI differs from existing bunched logics in that its multiplicative connectives behave classically rather than intuitionistically (including in particular a multiplicative version of classical negation). At the semantic level, CBIformulas have the normal bunched logic reading as declarative statements about resources, but its resource models necessarily feature more structure than those for other bunched logics; principally, they satisfy the requirement that every resource has a unique dual. At the prooftheoretic level, a very natural formalism for CBI is provided by a display calculus à la Belnap, which can be seen as a generalisation of the bunched sequent calculus for BI. In this paper we formulate the aforementioned model theory and proof theory for CBI, and prove some fundamental results about the logic, most notably completeness of the proof theory with respect to the semantics. 1.
The Ramifications of Sharing in Data Structures
"... Programs manipulating mutable data structures with intrinsic sharing present a challenge for modular verification. Deep aliasing inside data structures dramatically complicates reasoning in isolation over parts of these objects because changes to one part of the structure (say, the left child of a d ..."
Abstract

Cited by 5 (3 self)
 Add to MetaCart
(Show Context)
Programs manipulating mutable data structures with intrinsic sharing present a challenge for modular verification. Deep aliasing inside data structures dramatically complicates reasoning in isolation over parts of these objects because changes to one part of the structure (say, the left child of a dag node) can affect other parts (the right child or some of its descendants) that may point into it. The result is that finding intuitive and compositional proofs of correctness is usually a struggle. We propose a compositional proof system that enables local reasoning in the presence of sharing. While the AI “frame problem ” elegantly captures the reasoning required to verify programs without sharing, we contend that natural reasoning about programs with sharing instead requires an answer to a different and more challenging AI problem, the “ramification problem”: reasoning about the indirect consequences of actions. Accordingly, we present a RAMIFY proof rule that attacks the ramification problem headon and show how to reason with it. Our framework is valid in any separation logic and permits sound compositional and local reasoning in the context of both specified and unspecified sharing. We verify the correctness of a number of examples, including programs that manipulate dags, graphs, and overlaid data structures in nontrivial ways.
Two for the Price of One: Lifting Separation Logic Assertions
"... Recently, data abstraction has been studied in the context of separation logic, with noticeable practical successes: the developed logics have enabled clean proofs of tricky challenging programs, such as subjectobserver patterns, and they have become the basis of efficient verification tools for Jav ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Recently, data abstraction has been studied in the context of separation logic, with noticeable practical successes: the developed logics have enabled clean proofs of tricky challenging programs, such as subjectobserver patterns, and they have become the basis of efficient verification tools for Java (jStar), C (VeriFast) and Hoare Type Theory (Ynot). In this paper, we give a new semantic analysis of such logicbased approaches using Reynolds’s relational parametricity. The core of the analysis is our lifting theorems, which give a sound and complete condition for when a true implication between assertions in the standard interpretation entails that the same implication holds in a relational interpretation. Using these theorems, we provide an algorithm for identifying abstractionrespecting clientside proofs; the proofs ensure that clients cannot distinguish two appropriatelyrelated module implementations. 1
Parametric Completeness for Separation Theories
, 2013
"... In this paper, we address the logical gap between provability in the logic BBI, which is the standard propositional basis for separation logic, and validity in an intended class of separation models, as employed in applications of separation logic such as program verification. An intended class of s ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
(Show Context)
In this paper, we address the logical gap between provability in the logic BBI, which is the standard propositional basis for separation logic, and validity in an intended class of separation models, as employed in applications of separation logic such as program verification. An intended class of separation models is usually specified by a collection of axioms describing various useful model properties, which we call a separation theory. Our three main contributions are as follows. First, we show that that several important properties of separation models are not definable in BBI. Second, we show that these properties become definable when a simple theory of naming is added to BBI, in the manner familiar from hybrid logic. We initially present a simple, binderfree hybrid version of BBI and then later add a binder, which can capture more complex model properties. Third, we present an axiomatic proof system for our hybrid logic whose extension with any set of syntactically “pure” axioms is sound and complete with respect to the models satisfying those axioms. As a corollary of this general result, we obtain sound and complete axiomatic proof systems for a large class of separation theories which, to the best of our knowledge, includes all those appearing in the published literature. Our results are obtained by adaptations of techniques from the general setting of modal and hybrid logics.
Charge! A framework for higherorder separation logic in Coq
"... We present a comprehensive set of tactics for working with a shallow embedding of a higherorder separation logic for a subset of Java in Coq. The tactics make it possible to reason at a level of abstraction similar to penandpaper separationlogic proof outlines. In particular, the tactics allow t ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
We present a comprehensive set of tactics for working with a shallow embedding of a higherorder separation logic for a subset of Java in Coq. The tactics make it possible to reason at a level of abstraction similar to penandpaper separationlogic proof outlines. In particular, the tactics allow the user to reason in the embedded logic rather than in the concrete model, where the stacks and heaps are exposed. The development is generic in the choice of heap model, and most of the development is also independent of the choice of programming language.