## BI as an Assertion Language for Mutable Data Structures (2000)

### Download Links

- [www-2.cs.cmu.edu]
- [www.cs.cmu.edu]
- [www.dcs.qmw.ac.uk]
- [www.dcs.qmul.ac.uk]
- [ftp.dcs.qmw.ac.uk]
- DBLP

Citations: 149 (14 self)

### BibTeX

```bibtex
@MISC{Ishtiaq00bias,
  author = {Samin Ishtiaq and Peter W. O'Hearn},
  title  = {BI as an Assertion Language for Mutable Data Structures},
  year   = {2000}
}
```

### Abstract

Reynolds has developed a logic for reasoning about mutable data structures in which the pre- and postconditions are written in an intuitionistic logic enriched with a spatial form of conjunction. We investigate the approach from the point of view of the logic BI of bunched implications of O'Hearn and Pym. We begin by giving a model in which the law of the excluded middle holds, thus showing that the approach is compatible with classical logic. The relationship between the intuitionistic and classical versions of the system is established by a translation, analogous to a translation from intuitionistic logic into the modal logic S4. We also consider the question of completeness of the axioms. BI's spatial implication is used to express weakest preconditions for object-component assignments, and an axiom for allocating a cons cell is shown to be complete under an interpretation of triples that allows a command to be applied to states with dangling pointers. We make this latter a feature, by incorporating an operation, and axiom, for disposing of memory. Finally, we describe a local character enjoyed by specifications in the logic, and show how this enables a class of frame axioms, which say what parts of the heap don't change, to be inferred automatically.

### Citations

1091 | Proof-Carrying Code
- Necula
- 1997
Citation Context: ...gnment is mirrored beautifully in the logic. There has been growing interest in using program logic for pointers in static analysis and related problems, and some excellent results have been obtained [18, 24, 37, 40]. The work here appears to be largely complementary. Indeed, although the devil is in the detail, it would be conceivable to combine one of these assertion languages with a substructural logic, in the...

553 | The frame problem in the situation calculus: A simple solution (sometimes) and a completeness result for goal regression
- Reiter
- 1991
Citation Context: ...of papers in the AI, modal and temporal logic of processes, and program specification literatures; we cannot do justice to these literatures in this short space (we mention only one from each strand: [33, 20, 1]). The main point, however, is the implicit and succinct way that behind-the-scenes dependencies, which arise from pointers that are not directly named by program variables, are dealt with using ∗...

538 | Parametric shape analysis via 3-valued logic
- Sagiv, Reps, et al.
Citation Context: ...gnment is mirrored beautifully in the logic. There has been growing interest in using program logic for pointers in static analysis and related problems, and some excellent results have been obtained [18, 24, 37, 40]. The work here appears to be largely complementary. Indeed, although the devil is in the detail, it would be conceivable to combine one of these assertion languages with a substructural logic, in the...

215 | Logical frameworks
- Pfenning
- 2001
Citation Context: ...While this proposal was tantalizing, it has not subsequently been developed very far, certainly not as far as a program logic for pointers. (Encodings of the semantics of imperative languages, e.g. [9], are important and useful, but fall well short of program logic.) The results of this paper might be interpreted as offering fresh justification for those early hints, and in the demanding territory...

190 | The Logic of Bunched Implications
- O'Hearn, Pym
- 1999
Citation Context: ...nter swing is treated in a local way that mirrors the intuitive operational locality of assignment. In this paper we investigate the approach from the point of view of the logic BI of O'Hearn and Pym [25]. The most distinctive feature of BI is its joint treatment of two implication connectives. One implication, ⇒, is from standard intuitionistic or classical logic, while the other, −∗, is...

168 | Alias types - Smith, Walker, et al. - 2000

135 | Alias types for recursive data structures
- Walker, Morrisett
- 2001
Citation Context: ...∗ and −∗, might be adapted to account for update or reconfiguration of semi-structured data. The second closely related work is that of Smith, Walker, and Morrisett on Alias types [38, 39]. Alias types use type-theoretic cousins of the conjunction ∗ and points-to relation ↦ to state properties of data structures. The resulting typing rule for component assignment is very close to...

131 | Syntactic control of interference - Reynolds - 1978

107 | Intuitionistic reasoning about shared mutable data structure
- Reynolds
- 2000
Citation Context: ...ell affects seemingly unrelated expressions. The real problem is to control, or understand, this complexity, rather than simply to axiomatize it. A striking advance has been recently made by Reynolds [35], building on early work of Burstall [5]. The main novelty is the use of a spatial form of conjunction P ∗ Q, that splits the heap into distinct portions that the different conjuncts talk about....

101 | Semantical analysis of intuitionistic logic I, Formal Systems and Recursive - Kripke - 1963

100 | Towards a geometry of interaction
- Girard
Citation Context: ...rent heap must have size two, and (x ↦ 2, 3) cannot then hold because it requires the current heap to have size one. The importance of restricting Contraction was brought to the fore by linear logic [12, 13]. But it is important to realize that BI takes a very different approach to the surrounding additive connectives. To see this, consider that P ⊸ Q ⊨ P ⇒ Q always holds in linear logic, using...

99 | Proving pointer programs in Hoare logic
- Bornat
- 2000
Citation Context: ...) that alter the heap. Other issues are raised by operations for allocating and, especially, disposing of memory. A number of researchers have developed program-proving formalisms for pointers (e.g., [16, 30, 23, 17, 22, 3, 6]), but no definitive solution has emerged as of yet. Most importantly, lying behind technicalities with axioms for assignment and storage management is a deeper difficulty, the "complexity of pointer...

98 | Toward reliable modular programs
- Leino
- 1995
Citation Context: ...of papers in the AI, modal and temporal logic of processes, and program specification literatures; we cannot do justice to these literatures in this short space (we mention only one from each strand: [33, 20, 1]). The main point, however, is the implicit and succinct way that behind-the-scenes dependencies, which arise from pointers that are not directly named by program variables, are dealt with using ∗...

98 | The Semantics and Proof Theory of the Logic of Bunched Implications
- Pym
Citation Context: ...lean BI; on the common connectives, the semantic models of Ambient Logic that have been presented are instances of the possible worlds semantics of BI first presented in [25] and further developed in [26, 32]. Ambient logic also has a connective, the "ambient match", which interacts with ∗ in a way that leads to pleasantly compact and intuitive specifications of certain properties of mobile processe...

74 | Some techniques for proving correctness of programs which alter data structures
- Burstall
- 1972
Citation Context: ...ns. The real problem is to control, or understand, this complexity, rather than simply to axiomatize it. A striking advance has been recently made by Reynolds [35], building on early work of Burstall [5]. The main novelty is the use of a spatial form of conjunction P ∗ Q, that splits the heap into distinct portions that the different conjuncts talk about. In addition, there is a form of asserti...

72 | An axiomatic definition of the programming language Pascal. Acta Informatica 2
- Hoare, Wirth
- 1973
Citation Context: ...) that alter the heap. Other issues are raised by operations for allocating and, especially, disposing of memory. A number of researchers have developed program-proving formalisms for pointers (e.g., [16, 30, 23, 17, 22, 3, 6]), but no definitive solution has emerged as of yet. Most importantly, lying behind technicalities with axioms for assignment and storage management is a deeper difficulty, the "complexity of pointer...

59 | Larch in five easy pieces
- Guttag, Horning, et al.
- 1985
Citation Context: ...am doesn't change, so much so that these frame axioms distract from the main concern - what changes. In the absence of pointers what doesn't change can be succinctly summarized using modifies clauses [14], which list the program variables corresponding to locations that can be altered by a program. But for pointers, which may include links to cells not named by variables in the program, the problem is...

54 | Safety checking of machine code
- Xu, Miller, et al.
- 2000
Citation Context: ...gnment is mirrored beautifully in the logic. There has been growing interest in using program logic for pointers in static analysis and related problems, and some excellent results have been obtained [18, 24, 37, 40]. The work here appears to be largely complementary. Indeed, although the devil is in the detail, it would be conceivable to combine one of these assertion languages with a substructural logic, in the...

45 | A WP calculus for OO - Boer - 1999

40 | Syntactic control of interference revisited
- O'Hearn, Power, et al.
- 1995
Citation Context: ...a ∗.) The second property shows a further similarity with passivity in syntactic control of interference [34], where additive and multiplicative function type constructs agree on passive types [28]. 3.3 Interpretation of Triples. Hoare triples are of the form {P} C {Q}, where P and Q are assertions as above and C is a command. We adopt an interpretation which ensures that well-specified command...

24 | Algol-like Languages (Two volumes) - O'Hearn, Tennent - 1997

23 | Modular refinement of hierarchic reactive machines
- Alur, Grosu
- 2000
Citation Context: ...of papers in the AI, modal and temporal logic of processes, and program specification literatures; we cannot do justice to these literatures in this short space (we mention only one from each strand: [33, 20, 1]). The main point, however, is the implicit and succinct way that behind-the-scenes dependencies, which arise from pointers that are not directly named by program variables, are dealt with using ∗...

23 | A general axiom of assignment. Assignment and linked data structures. A proof of the Schorr-Waite algorithm - Morris

20 | A trace model for pointers and objects
- Hoare, He
- 1999
Citation Context: ...no definitive solution has emerged as of yet. Most importantly, lying behind technicalities with axioms for assignment and storage management is a deeper difficulty, the "complexity of pointer swing [15]" that results from aliasing: there can be more than one pointer to a cell that is altered, in which case assignment to the cell affects seemingly unrelated expressions. The real problem is to control...

18 | A query language for semistructured data based on the ambient logic
- Cardelli, Ghelli
Citation Context: ...ions of certain properties of mobile processes. In an interesting further development, Cardelli and Ghelli have proposed a labelled tree model as a basis for a query language for semi-structured data [7]. The tree model is similar to the pointer model of BI, but for two main differences: the model here allows for circular structures as well as trees; and, the combining operation here is partial, wher...

17 | Semantic analysis of pointer aliasing, allocation and disposal in Hoare logic - Calcagno, Ishtiaq, et al. - 2000

16 | Modal logics for mobile ambients
- Cardelli, Gordon, et al.
- 2000
Citation Context: ...e simplicity, as illustrated by the pointer model, is a key to applications. There are two other closely related pieces of work to report on. The first is work of Cardelli and Gordon on Ambient Logic [8], a logic for mobile ambients. Their logic can be seen as an extension of Boolean BI; on the common connectives, the semantic models of Ambient Logic that have been presented are instances of the poss...

16 | Calculating with pointer structures
- Möller
- 1997
Citation Context: ...) that alter the heap. Other issues are raised by operations for allocating and, especially, disposing of memory. A number of researchers have developed program-proving formalisms for pointers (e.g., [16, 30, 23, 17, 22, 3, 6]), but no definitive solution has emerged as of yet. Most importantly, lying behind technicalities with axioms for assignment and storage management is a deeper difficulty, the "complexity of pointer...

13 | Proving assertions about programs that manipulate data structures
- Oppen, Cook
- 1975

10 | Soundness and completeness of an axiomatic system for program verification
- Cook
- 1978
Citation Context: ...e from the basic axioms (in either the Reynolds or backwards forms), Sequencing, and Consequence exactly when it is true. (Extending this result to loops would get us into the issue of expressiveness [10], which is outside the scope of our concerns here.) The following notation will be convenient: if ℓ ∈ dom(h) then let h@ℓ denote the singleton heap in which ℓ is mapped to h(ℓ); also, let h − ℓ d...

9 | A variable typed logic of effects - Honsell, Mason, et al. - 1995

6 | Automatic verification of pointer programs using monadic second-order logic
- Jensen, Jorgensen, et al.
- 1997

6 | On the frame problem in procedure specifications - Borgida, Mylopoulos, et al. - 1995

6 | An axiomatic definition of the programming language Pascal - Hoare, Wirth - 1973

4 | Larch in five easy pieces - Guttag, Horning, et al. - 1985

3 | Possible worlds and resources: the semantics of BI (submitted) - O'Hearn, Pym, et al. - 2000

3 | Modular refinement of hierarchic reactive machines - Alur, Grosu - 2000

2 | Observations about Using Logic as a Specification Language
- Miller
- 1995
Citation Context: ...such as π-calculus or object calculi. In the linear logic literature there have been numerous hints, suggesting that substructural logic can be used to specify and reason about actions locally (e.g. [13, 21]). While this proposal was tantalizing, it has not subsequently been developed very far, certainly not as far as a program logic for pointers. (Encodings of the semantics of imperative languages, e.g....

2 | Automatic verification of pointer programs using monadic second-order logic - Jensen, Jorgensen, et al. - 1997

1 | Observations about using logic as a specification language - Miller - 1995

1 | Local reasoning about pointer programs using bunched implications - O'Hearn, Yang - 2000