## Separation and Data Refinement (2007)

Citations: 1 (0 self)

### BibTeX

```bibtex
@MISC{Mijajlović07separationand,
  author = {Ivana Mijajlović},
  title  = {Separation and Data Refinement},
  year   = {2007}
}
```

### Citations

8795 | Introduction to Algorithms
- Cormen, Leiserson, et al.
- 1990

Citation context: ...e B to problems of scheduling or security – execute on some representation of a mathematical graph. A variety of such examples can be found in any book on data structures and algorithms, for instance [50, 28]. Data refinement examines the relationship between the abstract, mathematical objects and their representations. In particular, using the techniques of data refinement, one can derive a concrete repr...

764 | The B-Book: Assigning Programs to Meanings
- Abrial
- 1996

Citation context: ... Work of Abrial on the event based sequential program development [3], gives means for constructing a program from its abstract specification. His approach, based on the B method [2], allows refinement of pointer programs, but is concerned with program development rather than data refinement. However, the importance of the B method is huge, as there is a lot of research based aro...

728 | Separation logic: a logic for shared mutable data structures
- Reynolds
- 2002

Citation context: ..., our main goals somewhat differ. We found great motivation for our work on data refinement in Hoare’s work [35]. However, the intuitive and technical inspiration comes from ideas in Separation logic [72, 41]. Namely, in their work on information hiding, O’Hearn et al. consider modules that are represented by their resource invariants and a set of module operations. They use separating conjunction to prov...

417 | Proof of correctness of data representations
- Hoare
- 1972

Citation context: ... least as well as the abstract one, and it can replace it in any computation. The early ideas of data refinement come from Wirth [79] and Hoare in his paper on the correctness of data representations [35], where also an early suggestion for the method for proving data refinement was illustrated. The method was then used and developed in the VDM technique of data refinement [42] and generalized in a pa...

373 | Types, abstraction, and parametric polymorphism
- Reynolds
- 1983

Citation context: ...his is imposed by the Id part. The lifting theorem is expressing abstraction. It connects the meanings of different representations of the same data type, reminiscent of Reynolds’ Abstraction theorem [69] and Plotkin’s Lemma of logical relations [64]. Having simulation between the abstract data structure and its concrete representation, the lifting theorem ensures that the client program using the con...

336 | Ownership types for flexible alias protection
- Clarke, Potter, et al.
- 1998

Citation context: ...rtain object are allowed only through the owner of the object and so, no internal representation objects are accessible directly from the outside. Ownership types were first proposed by Clarke et al. [26] and they formalized this idea in their later work [25]. Here, they enforce strict encapsulation but on account of expressiveness. In work by Boyapati et al. [17, 19] and Clarke et al. [24] ownership ...

307 | Ownership types for safe programming: preventing data-races and deadlocks, OOPSLA’02
- Boyapati, Lee, et al.

Citation context: ... were first proposed by Clarke et al. [26] and they formalized this idea in their later work [25]. Here, they enforce strict encapsulation but on account of expressiveness. In work by Boyapati et al. [17, 19] and Clarke et al. [24] ownership types were extended to support a natural form of subtyping, but to allow iterators and similar constructs the encapsulation was allowed to be temporarily broken, and ...

272 | Program development by stepwise refinement
- Wirth
- 1971

Citation context: ...ment relationship is established, the concrete object always behaves at least as well as the abstract one, and it can replace it in any computation. The early ideas of data refinement come from Wirth [79] and Hoare in his paper on the correctness of data representations [35], where also an early suggestion for the method for proving data refinement was illustrated. The method was then used and develop...

271 | Local reasoning about programs that alter data structures
- O’Hearn, Reynolds, et al.
- 2001

Citation context: ...te this point with several examples, which require acquaintance with some axioms and rules of separation logic [72]. We first introduce the tight interpretation [60] of triples. Definition 15 (Tight interpretation). For predicates p and q and a command c, we say that a specification {p}c{q} holds if and only if for all states (s,h) which satisfy p, 1. ¬(s,h)[c]wr...

238 | The Formal Semantics of Programming Languages, an introduction. Foundations of Computing
- Winskel
- 1993

Citation context: ...ogic of Bunched Implications [56], designed with an assumption that RAM is the underlying storage model. It is an extension of Hoare logic [34], whose description can be found in any of the textbooks [70, 78, 75] and so we assume the reader is familiar with it. The usual assertion language of Hoare logic is extended with assertions that express properties about heaps. Assuming where P,Q,R ::= B | E1 ↦ E2 Ato...

196 | A parameterized type system for race-free Java programs
- Boyapati, Rinard

Citation context: ... were first proposed by Clarke et al. [26] and they formalized this idea in their later work [25]. Here, they enforce strict encapsulation but on account of expressiveness. In work by Boyapati et al. [17, 19] and Clarke et al. [24] ownership types were extended to support a natural form of subtyping, but to allow iterators and similar constructs the encapsulation was allowed to be temporarily broken, and ...

194 | Verification of object-oriented programs with invariants
- Barnett, DeLine, et al.
- 2004

Citation context: ...a abstractions. A representative example is a memory manager with malloc() and free() operations. Verification methodology for model fields [44], based on the Boogie Methodology for object invariants [12, 45], uses specification only fields to enable the abstraction of the concrete state of a data structure. This work addresses the problems caused by the mutable objects and aliasing when dealing with modu...

193 | Islands: Aliasing protection in object-oriented languages
- Hogg
- 1991

Citation context: ...is the Geneva convention on aliasing problems [40]. The document defines and explains aliasing in the object-oriented context and gives a categorization of the approaches to the problem. In his paper [39], Hogg introduced a concept of islands which prevent problems caused by aliasing. Islands are used to isolate a group of related objects. An island is a completely encapsulated unit, within which any ...

190 | The logic of bunched implications
- O’Hearn, Pym

Citation context: ...a natural extension with heaps of the storage model used in traditional setting. 3.2.2 The assertion language of Separation logic Separation logic [41, 72] is a model of Logic of Bunched Implications [56], designed with an assumption that RAM is the underlying storage model. It is an extension of Hoare logic [34], whose description can be found in any of the textbooks [70, 78, 75] and so we assume the...

176 | The denotational semantics of programming languages
- Tennent

Citation context: ...ogic of Bunched Implications [56], designed with an assumption that RAM is the underlying storage model. It is an extension of Hoare logic [34], whose description can be found in any of the textbooks [70, 78, 75] and so we assume the reader is familiar with it. The usual assertion language of Hoare logic is extended with assertions that express properties about heaps. Assuming where P,Q,R ::= B | E1 ↦ E2 Ato...

163 | BI as an assertion language for mutable data structures

Citation context: ..., our main goals somewhat differ. We found great motivation for our work on data refinement in Hoare’s work [35]. However, the intuitive and technical inspiration comes from ideas in Separation logic [72, 41]. Namely, in their work on information hiding, O’Hearn et al. consider modules that are represented by their resource invariants and a set of module operations. They use separating conjunction to prov...

163 | Separation and information hiding
- O’Hearn, Yang, et al.
- 2004

Citation context: ...entation be replaced by another. Parkinson’s abstract predicates are also tailored to deal well with modularity and abstraction, but his work does not consider data refinement. Work of O’Hearn et al. [58] on information hiding, where modules are represented using internal resource invariants, was our main inspiration. The resource invariants fit naturally with refinement. Parkinson does not have inter...

160 | Resources, concurrency and local reasoning
- O'Hearn

Citation context: ...features of the object-oriented approach. Concurrency. Our work on data refinement relies heavily on Separation logic. There has been a significant progress in Separation logic in work on concurrency [59], in particular, shared-memory programs. One possible direction for future work is to use ideas from concurrent separation logic and apply them in the field of data refinement in a concurrent setting....

154 | Introduction to Algorithms: A Creative Approach, Addison-Wesley
- Manber
- 1989

Citation context: ...e B to problems of scheduling or security – execute on some representation of a mathematical graph. A variety of such examples can be found in any book on data structures and algorithms, for instance [50, 28]. Data refinement examines the relationship between the abstract, mathematical objects and their representations. In particular, using the techniques of data refinement, one can derive a concrete repr...

149 | Data refinement: model-oriented proof methods and their comparison. CUP
- Roever, Engelhardt
- 1998

Citation context: ...a abstraction and data refinement with regard to languages which do not utilize pointers. A systematic study of model-oriented proof methods of data refinement can be found in De Roever’s et al. book [29]. Nancy Lynch et al. also studied simulation techniques, for instance in [48, 49, 47]. Pointers wreak havoc with data abstraction and module encapsulation. There are a number of early documents which ...

146 | Ownership types for object encapsulation
- Boyapati, Liskov, et al.
- 2003

Citation context: ... extended to support a natural form of subtyping, but to allow iterators and similar constructs the encapsulation was allowed to be temporarily broken, and hence local reasoning was not supported. In [18] the ownership types system was proposed which is both expressive and supports local reasoning. There is a lot of research done in the area of ownership and encapsulation, and here we mention only som...

136 | Forward and backward simulations – part I: Untimed systems
- Lynch, Vaandrager
- 1993

Citation context: ...ze pointers. A systematic study of model-oriented proof methods of data refinement can be found in De Roever’s et al. book [29]. Nancy Lynch et al. also studied simulation techniques, for instance in [48, 49, 47]. Pointers wreak havoc with data abstraction and module encapsulation. There are a number of early documents which confirm and try to resolve this problem. One of them is the Gene...

128 | Ownership, encapsulation and disjointness of type and effect
- Clarke, Drossopoulou
- 2002

Citation context: ...rke et al. [26] and they formalized this idea in their later work [25]. Here, they enforce strict encapsulation but on account of expressiveness. In work by Boyapati et al. [17, 19] and Clarke et al. [24] ownership types were extended to support a natural form of subtyping, but to allow iterators and similar constructs the encapsulation was allowed to be temporarily broken, and hence local reasoning w...

128 | Object invariants in dynamic contexts
- Leino, Müller
- 2004

Citation context: ...a abstractions. A representative example is a memory manager with malloc() and free() operations. Verification methodology for model fields [44], based on the Boogie Methodology for object invariants [12, 45], uses specification only fields to enable the abstraction of the concrete state of a data structure. This work addresses the problems caused by the mutable objects and aliasing when dealing with modu...

116 | Smallfoot: Modular automatic assertion checking with separation logic
- Berdine, Calcagno, et al.
- 2005

Citation context: ...ram satisfies a certain specification in separation logic to make sure that we are dealing with a separation context. Moreover, now that there exist tools based on separation logic, such as Smallfoot [13, 14, 15], this implies that some amount of automatic checking of separation contexts can be done. We illustrate this latter point by example. 5.1 More about Separation Logic In Chapter 3 we have introduced th...

115 | The Geneva convention of the treatment of object aliasing
- Hogg, Lea, et al.
- 1992

Citation context: ...straction and module encapsulation. There are a number of early documents which confirm and try to resolve this problem. One of them is the Geneva convention on aliasing problems [40]. The document defines and explains aliasing in the object-oriented context and gives a categorization of the approaches to the problem. In his paper [39], Hogg introduced a concept of islands which p...

106 | Symbolic execution with separation logic
- Berdine, Calcagno, et al.
- 2005

Citation context: ...][R × Id][a ↦ []], where [] denotes an empty array. After the three insert() commands the abstract state is s1 = [i ↦ 0, sum ↦ 0, s ↦ {2,5,14}], and the concrete state is s2 = [i ↦ 0, sum ↦ 0, a ↦ [2,5,14]] and clearly s1[R × Id]s2. In concrete case, the state obtained by running a while statement is s2[i ↦ 10, sum ↦ 7], and in the abstract case it is s1[i ↦ 10, sum ↦ 7], so clearly, these two states...

106 | Confined types
- Vitek, Bokowski
- 1999

Citation context: ...for program verification in Smalltalk. Systems are built by composing capsules, which contain both code and specification, including the assertions about aliasing. Similar concepts are confined types [76] and balloons [4]. Another approach to encapsulation of data representation is work on ownership types. Ownership types impose an ownership hierarchy on objects – an object can own other objects which...

103 | Proving pointer programs in Hoare logic
- Bornat
- 2000

Citation context: ...riting a formula or running a program which would pick out only those location, can be formalized by precise predicates. Bornat used this idea to provide spatial separation in traditional Hoare logic [16]. [Figure 3.1: Circular list] We give several examples of precise predicates. Predicates emp, E ↦ E′, E ↦ − are precise, p ∗ q...

96 | Software Development: a Rigorous Approach
- Jones
- 1980

Citation context: ...of data representations [35], where also an early suggestion for the method for proving data refinement was illustrated. The method was then used and developed in the VDM technique of data refinement [42] and generalized in a paper by Hoare et al [33]. While it has become very influential, certain limitations to the “traditional” method have been recognized. In this introductory chapter we shed some l...

90 | ProB: A model checker for B
- Leuschel, Butler
- 2003

Citation context: ... mushrooming, it is impossible not to think of developing a tool as a possible future direction. In fact, there are several refinement tools that are used for development of (safety-critical) software [27, 46, 1], and that adds to the motivation. ...

89 | Representation independence, confinement and access control
- Banerjee, Naumann
- 2002

Citation context: ...d supports local reasoning. There is a lot of research done in the area of ownership and encapsulation, and here we mention only some of them [43, 66, 65]. Work of Banerjee and Naumann on confinement [10] also imposes typing restrictions to ensure representation independence. Namely, they introduce a notion of “confinement” which requires a heap to consist of three parts: client, class interface and i...

88 | Simple ownership types for object containment
- Clarke, Noble, et al.

Citation context: ...object and so, no internal representation objects are accessible directly from the outside. Ownership types were first proposed by Clarke et al. [26] and they formalized this idea in their later work [25]. Here, they enforce strict encapsulation but on account of expressiveness. In work by Boyapati et al. [17, 19] and Clarke et al. [24] ownership types were extended to support a natural form of subtyp...

87 | External Uniqueness is Unique Enough
- Clarke, Wrigstad
- 2003

Citation context: ...roaches simply cannot handle ownership transfer [39, 4, 10], while admitting that this is a limitation. However, some solutions have been presented in order to solve this issue. Work of Clarke et al. [23] proposes a concept of external uniqueness, while that of Naumann et al. [11] builds on it. External uniqueness requires that there is a unique reference from the outside to the a...

87 | On the Refinement Calculus
- Morgan, Vickers
- 1993

Citation context: ...emantics [31], Morgan et al. introduced a single complete rule for data refinement [32]. This is similar to our notion of power simulations. However, this work, as their other work on data refinement [54], does not address problems raised by pointers. Power simulation is also closely related to Reddy’s method for data refinement [68]. In order to have a single complete data-refinement method for a lan...

86 | Forward and backward simulations – Part II: Timing-based systems
- Lynch, Vaandrager
- 1995

Citation context: ...ze pointers. A systematic study of model-oriented proof methods of data refinement can be found in De Roever’s et al. book [29]. Nancy Lynch et al. also studied simulation techniques, for instance in [48, 49, 47]. Pointers wreak havoc with data abstraction and module encapsulation. There are a number of early documents which confirm and try to resolve this problem. One of them is the Gene...

78 | Theories of Programming Languages
- Reynolds
- 1998

Citation context: ...ogic of Bunched Implications [56], designed with an assumption that RAM is the underlying storage model. It is an extension of Hoare logic [34], whose description can be found in any of the textbooks [70, 78, 75] and so we assume the reader is familiar with it. The usual assertion language of Hoare logic is extended with assertions that express properties about heaps. Assuming where P,Q,R ::= B | E1 ↦ E2 Ato...

75 | A decidable fragment of separation logic
- Berdine, Calcagno, et al.
- 2004

Citation context: ...ram satisfies a certain specification in separation logic to make sure that we are dealing with a separation context. Moreover, now that there exist tools based on separation logic, such as Smallfoot [13, 14, 15], this implies that some amount of automatic checking of separation contexts can be done. We illustrate this latter point by example. 5.1 More about Separation Logic In Chapter 3 we have introduced th...

69 | Local reasoning for Java
- Parkinson
- 2005

Citation context: ... the concrete state of a data structure. This work addresses the problems caused by the mutable objects and aliasing when dealing with modularity and data abstraction. Parkinson’s abstract predicates [61] present another approach to dealing with frame properties and abstraction. Back is one of the first promoters of the weakest precondition predicate transformer semantics in program development and da...

65 | Ownership confinement ensures representation independence for object-oriented programs
- Banerjee, Naumann
- 2005

Citation context: ...resentation. Only links between a client and a class interface, and between the class interface and its internal representation may exist. All other references are forbidden. In their following paper [8], Banerjee and Naumann remove the restriction that pointers from data representation to outside of it may not exist; these pointers may now be fully used. They also prove generalized abstraction theor...

60 | On the Correctness of Refinement Steps in Program Development
- Back
- 1978

Citation context: ...er approach to dealing with frame properties and abstraction. Back is one of the first promoters of the weakest precondition predicate transformer semantics in program development and data refinement [6]. Recently, he has addressed the problems that arise from pointers [7], by converting all the pointer operations into assignment statement and then applying the rules of refinement calculus to constru...

56 | The weakest prespecification
- Hoare, He
- 1986

Citation context: ... were together necessary and sufficient for sound and complete data refinement. Hoare and He generalized Dijkstra’s weakest precondition [30] introducing the notion of the weakest prespecification in [37]. They showed how it can be used in the VDM framework for derivation using the simulation method. In their technical monograph [38], Hoare and He gave an account of data refinement in a categorical se...

52 | A semantic basis for local reasoning
- Yang, O’Hearn
- 2002

Citation context: ...location that is not in the current state. We now specify actions on states that access resources in a local way. A relation r ⊆ Σ × Σ ⊎ {wrong} is local [58] if it satisfies the following properties [81, 58]: Safety Monotonicity: For all stacks s and heaps h and h1 such that h#h1, if ¬h[r]wrong, then ¬h · h1[r]wrong. Frame Property: For all stacks s, s′ and heaps h0, h1 and h′ with h0#h1, if ¬(s,h0)[r...

51 | An axiomatic approach to computer programming
- Hoare
- 1969

Citation context: ...of Separation logic Separation logic [41, 72] is a model of Logic of Bunched Implications [56], designed with an assumption that RAM is the underlying storage model. It is an extension of Hoare logic [34], whose description can be found in any of the textbooks [70, 78, 75] and so we assume the reader is familiar with it. The usual assertion language of Hoare logic is extended with assertions that expr...

46 | Data refinement of predicate transformers
- Gardiner, Morgan
- 1991

Citation context: ...derivation of tree-based pointer algorithms [20]. These approaches, however, aim at the program development problems rather than those of data refinement. Influenced by predicate transformer semantics [31], Morgan et al. introduced a single complete rule for data refinement [32]. This is similar to our notion of power simulations. However, this work, as their other work on data refinement [54], does no...

46 | Possible worlds and resources: the semantics of BI
- Pym, O'Hearn, et al.
- 2004

Citation context: ... of set S by s. Let H be a set of heaps which is a set equipped with a structure of a partial commutative monoid (H,·,e). In effect, our development is on the level of the abstract model theory of BI [57], rather than the single model used in separation logic [41, 72]. The unit e denotes the empty heap and for any heap h satisfies the laws of a neutral element with respect to the operation ·. We will ...

45 | Generic ownership for generic Java
- Potanin, Noble, et al.
- 2006

Citation context: ...ship types system was proposed which is both expressive and supports local reasoning. There is a lot of research done in the area of ownership and encapsulation, and here we mention only some of them [43, 66, 65]. Work of Banerjee and Naumann on confinement [10] also imposes typing restrictions to ensure representation independence. Namely, they introduce a notion of “confinement” which requires a heap to con...

37 | A verification methodology for model fields
- Leino, Müller
- 2006

Citation context: ...he separation contexts, we are able to reason about such data abstractions. A representative example is a memory manager with malloc() and free() operations. Verification methodology for model fields [44], based on the Boogie Methodology for object invariants [12, 45], uses specification only fields to enable the abstraction of the concrete state of a data structure. This work addresses the problems c...

36 | Local Reasoning for Stateful Programs
- Yang
- 2001

Citation context: ...ed, under the condition that the variables changed by the program C are not free in predicate describing that extra memory. Detailed proof of the soundness of the frame rule is given in Yang’s thesis [80]. The proof is based on the locality properties: safety monotonicity and frame property introduced in Section 3.3.4 and the tight interpretation of triples. 5.2 Connection Between Separation Logic and...

33 | A Single Complete Rule for Data Refinement
- Gardiner, Morgan
- 1993

Citation context: ..., aim at the program development problems rather than those of data refinement. Influenced by predicate transformer semantics [31], Morgan et al. introduced a single complete rule for data refinement [32]. This is similar to our notion of power simulations. However, this work, as their other work on data refinement [54], does not address problems raised by pointers. Power simulation is also closely re...