Implicit dynamic frames: Combining dynamic frames and separation logic (soundness proof) (2009)

by Jan Smans, Bart Jacobs, Frank Piessens
Results 1 - 10 of 21

Implicit Dynamic Frames

by Jan Smans, Bart Jacobs, Frank Piessens , 2011
Cited by 11 (5 self)
An important, challenging problem in the verification of imperative programs with shared, mutable state is the frame problem in the presence of data abstraction. That is, one must be able to specify and verify upper bounds on the set of memory locations a method can read and write without exposing that method’s implementation. Separation logic is now widely considered the most promising solution to this problem. However, unlike conventional verification approaches, separation logic assertions cannot mention heap-dependent expressions from the host programming language such as method calls familiar to many developers. Moreover, separation logic-based verifiers are often based on symbolic execution. These symbolic execution-based verifiers typically do not support non-separating conjunction, and some of them rely on the developer to explicitly fold and unfold predicate definitions. Furthermore, several researchers have wondered whether it is possible to use verification condition generation and standard first-order provers instead of symbolic execution to automatically verify conformance with a separation logic specification. In this paper, we propose a variant of separation logic, called implicit dynamic frames, that supports heap-dependent expressions inside assertions. Conformance with an implicit dynamic frames specification can be checked by proving validity of a number of first-order verification conditions. To show that these verification

VACID-0: Verification of Ample Correctness of Invariants of Data-structures, Edition 0

by K. Rustan M. Leino, Michał Moskal , 2010
Cited by 6 (2 self)
This paper defines a suite of benchmark verification problems, to serve as an acid test for verification systems that reason about programs with non-trivial data-structure invariants. Solutions to the benchmarks can be used to understand similarities and differences between verification tools and techniques. The paper also gives a procedure for scoring the solutions.

Local Reasoning and Dynamic Framing for the Composite Pattern and its Clients

by Stan Rosenberg, Anindya Banerjee, David A. Naumann , 2009
Cited by 6 (2 self)
The Composite design pattern poses a challenge for reasoning about invariants with non-local dependencies and its verification has been posed as an exemplar of specification and verification challenges for sequential object-oriented programs. Region logic is a Hoare logic augmented with state-dependent ‘modifies’ specifications or ‘dynamic frames’ based on simple notations for object sets. Using ordinary first-order logic assertions, it supports local reasoning and also the hiding of invariants on encapsulated state, in ways similar to separation logic but suited to off-the-shelf theorem provers. Using region logic, this paper provides a specification pattern for the Composite design pattern and verifies a representative implementation. To evaluate efficacy of the specification, it is used in verifications of several sample client programs. Verification is done by means of the Boogie verification condition generator, which serves as front end to the Z3 SMT solver.

The Relationship Between Separation Logic and Implicit Dynamic Frames

by Matthew J. Parkinson, Alexander J. Summers
Cited by 6 (2 self)
Separation logic is a concise method for specifying programs that manipulate dynamically allocated storage. Partially inspired by separation logic, Implicit Dynamic Frames has recently been proposed, aiming at first-order tool support. In this paper, we provide a total heap semantics for a standard separation logic, and prove it equivalent to the standard model. With small adaptations, we then show how to give a direct semantics to implicit dynamic frames and show this semantics correctly captures the existing definitions. This precisely connects the two logics. As a consequence of this connection, we show that a fragment of separation logic can be faithfully encoded in a first-order automatic verification tool (Chalice).

Considerate reasoning and the composite design pattern

by Alexander J. Summers, Sophia Drossopoulou - In VMCAI , 2010
Cited by 5 (0 self)
We propose Considerate Reasoning, a novel specification and verification technique based on object invariants. This technique supports succinct specifications of implementations which follow the pattern of breaking properties of other objects and then notifying them appropriately. It allows the specification to be concerned only with the properties directly relevant to the current method call, with no need to explicitly mention the concerns of subcalls. In this way, the specification reflects the division of responsibility present in the implementation, and reflects what we regard as the natural argument behind the design. We specify and prove the well-known Composite design pattern using Considerate Reasoning. We show how to encode our approach in Boogie2. The resulting specification verifies automatically within a few seconds; no manual guidance is required beyond the careful representation of the invariants themselves.

Linear Maps

by Shuvendu K. Lahiri, Shaz Qadeer, David Walker
Cited by 4 (1 self)
Verification of large programs is impossible without proof techniques that allow local reasoning and information hiding. In this paper, we resurrect, extend and modernize an old approach to this problem first considered in the context of the programming language Euclid, developed in the 70s. The central idea is that rather than modeling the heap as a single total function from addresses (integers) to integers, we model the heap as a collection of partial functions with disjoint domains. We call each such partial function a linear map. Programmers may select objects from linear maps, update linear maps or transfer addresses and their contents from one linear map to another. Programmers may also declare new linear map variables, pass linear maps as arguments to procedures and nest one linear map within another. The program logic prevents any of these operations from duplicating locations and thereby breaking the key heap representation invariant: the domains of all linear maps remain disjoint. Linear maps facilitate modular reasoning because programs that use them are also able to use the simple, classical frame and anti-frame rules to preserve information about heap state across procedure calls. We illustrate our approach through examples, prove that our verification rules are sound, and show that operations on linear maps may be erased and replaced by equivalent operations on a single, global heap.

Dynamic Boundaries: Information Hiding by Second Order Framing with First Order Assertions

by David A. Naumann, Anindya Banerjee
Cited by 4 (1 self)
The hiding of internal invariants creates a mismatch between procedure specifications in an interface and proof obligations on the implementations of those procedures. The mismatch is sound if the invariants depend only on encapsulated state, but encapsulation is problematic in contemporary software due to the many uses of shared mutable objects. The mismatch is formalized here in a proof rule that achieves flexibility via explicit restrictions on client effects, expressed using ghost state and ordinary first-order assertions.

A Local Reasoning for Global Invariants, Part I: Region Logic

by Anindya Banerjee, et al.
Cited by 3 (2 self)
Shared mutable objects pose grave challenges in reasoning, especially for information hiding and modularity. This paper presents a novel technique for reasoning about error-avoiding partial correctness of programs featuring shared mutable objects, and investigates the technique by formalizing a logic. Using a first-order assertion language, the logic provides heap-local reasoning about mutation and separation, via ghost fields and variables of type ‘region’ (finite sets of object references). A new form of frame condition specifies write, read, and allocation effects using region expressions; this supports a frame rule that allows a command to read state on which the framed predicate depends. Soundness is proved using a standard program semantics. The logic facilitates heap-local reasoning about object invariants, as shown here by examples. Part II of the paper extends the logic with second-order framing, which formalizes the hiding of data invariants.

Shape Analysis of Low-level C with Overlapping Structures

by Jörg Kreiker, Helmut Seidl, Vesal Vojdani
Cited by 3 (0 self)
Device drivers often keep data in multiple data structures simultaneously while embedding list- or tree-related records into the records containing the actual data; this results in overlapping structures. Shape analyses have traditionally relied on a graph-based representation of memory where a node corresponds to a whole record and edges to pointers. As this is ill-suited for encoding overlapping structures, we propose and formally relate two refined memory models. We demonstrate the appropriateness of these models by implementing shape analyses based on them within the TVLA framework. The implementation is exemplified using code extracted from cache-managing kernel modules.

Fractional permissions without the fractions

by Stefan Heule, K. Rustan M. Leino, Alexander J. Summers, Peter Müller - In FTfFP , 2011
Cited by 2 (1 self)
Fractional Permissions are a popular approach to reasoning about programs that use shared-memory concurrency. Abstractly, they provide a way of managing that either multiple readers or one writer thread can access a resource concurrently. Concretely, specification using fractional permissions typically requires the user to pick concrete mathematical values for partial permissions, making specifications overly verbose, tedious to write, and harder to adapt and re-use. This paper contributes a flexible and expressive specification methodology for supporting fractional permissions while allowing the user to work at the abstract level of read and write permissions. The methodology is flexible and modular, and has been implemented in the verification tool Chalice.

© 2007-2010 The Pennsylvania State University