## Compositional resource invariant synthesis (2009)

Venue: In APLAS’09: Asian Symposium on Programming Languages and Systems

Citations: 2 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Calcagno09compositionalresource,
  author    = {Cristiano Calcagno and Dino Distefano and Viktor Vafeiadis},
  title     = {Compositional resource invariant synthesis},
  booktitle = {In APLAS’09: Asian Symposium on Programming Languages and Systems},
  year      = {2009},
  publisher = {Springer}
}
```

### Abstract

We describe an algorithm for synthesizing resource invariants that are used in the verification of concurrent programs. This synthesis employs bi-abductive inference to identify the footprints of different parts of the program and decide what invariant each lock protects. We demonstrate our algorithm on several small (yet intricate) examples which are out of the reach of other automatic analyses in the literature.

### Citations

165 | Resources, concurrency and local reasoning
- O’Hearn
- Citation context: ... lock, it can assume that the corresponding resource invariant holds. When it releases the lock, it must prove that the resource invariant is still true. In concurrent separation logic (CSL), O’Hearn [9] has adapted the notion of resource invariants by making them record exactly the part of the memory that a given lock protects. His elegant examples show how the ownership of memory cells can be trans...

136 | A local shape analysis based on separation logic
- Distefano, O’Hearn, et al.
- 2006
- Citation context: ... the resource of the CCR C, respectively. 3.2 Storage Model and Symbolic Heaps. We describe the storage model and symbolic heaps: a fragment of separation logic formulae suitable for symbolic execution [2, 6]. Let LVar (ranged over by x′, y′, z′, ...) be a set of logical variables, disjoint from program variables PVar, to be used in the assertion language. Let Locs be a countably infinite set of ...

108 | Symbolic execution with separation logic
- Berdine, Calcagno, et al.
- 2005
- Citation context: ... the resource of the CCR C, respectively. 3.2 Storage Model and Symbolic Heaps. We describe the storage model and symbolic heaps: a fragment of separation logic formulae suitable for symbolic execution [2, 6]. Let LVar (ranged over by x′, y′, z′, ...) be a set of logical variables, disjoint from program variables PVar, to be used in the assertion language. Let Locs be a countably infinite set of ...

96 | Compositional shape analysis by means of bi-abduction
- Calcagno, Distefano, et al.
- 2009
- Citation context: ... that a command requires in order to run safely. By employing the footprint concept, we obtain a more systematic way for computing resource invariants. We describe an algorithm that uses bi-abduction [4] to calculate what state is actually protected by the resource. We show the effectiveness of our algorithm by applying it to all the involved examples given by O’Hearn [9]. 2 Informal description of t...

91 | Shape analysis for composite data structures
- Berdine, Calcagno, et al.
- 2007
- Citation context: ... asic spatial predicates. In this paper we consider a simple instance of S. However, our algorithm works equally well for other more sophisticated choices of spatial predicates such as those described in [1, 5]. The points-to predicate x ↦ y denotes a heap with a single allocated cell at address x with content y, and ls(x, y) denotes a non-empty list segment from x to y (not including y). 3.3 Bi-Abduction ...

81 | Verifying safety properties of concurrent Java programs using 3-valued logic
- Yahav
- 2001
- Citation context: ... he same heuristic to verify both programs in Fig. 2. Note that these small programs can be verified with analyses that are not thread-modular: e.g. by considering all thread interleavings as in Yahav [12], or by keeping track of the correlations between the local states of each pair of threads as in Segalov et al. [11]. The drawback of such analyses is that they do not scale very well to large program...

32 | Thread-modular shape analysis
- Gotsman, Berdine, et al.
- 2007
- Citation context: ... and states that “ownership is in the eye of the asserter.” This is also the approach taken by Smallfoot [3], which required the user to specify the resource invariants. More recently, Gotsman et al. [7] proposed a very practical, heuristic method for calculating resource invariants. Their method is based on a thread-modular ... put(x) = with buf when (!full) do { c := x; full := true; } get(y) = with bu...

27 | Shape analysis with structural invariant checkers
- Chang, Rival, et al.
- 2007
- Citation context: ... ↦ −. Since A is emp, no refinement of I is required and this completes the proof of the LHS thread. For the RHS we have: {emp} get(y) {emp}; {y ↦ −} dispose(y) {emp}; {y ↦ −} get(y); dispose(y) {emp} (5). However, we obtain this derivation by the anti-frame A ≡ y ↦ −, and by our notion of failure of the proof search introduced in Sec. 5.2 this means that we cannot actually prove the RHS thread. The a...

15 | Context-sensitive correlation analysis for detecting races
- Pratikakis, Foster, et al.
- 2006
- Citation context: ... each resource declaration is annotated with the set of global variables it protects. Such annotations need not be given always by the user, as they can often be inferred by systems such as Locksmith [10]. The only shape analysis based on concurrent separation logic that attempts to calculate resource invariants is the thread-modular shape analysis by Gotsman et al. [7]. This uses a heuristic to decid...

14 | Smallfoot: Automatic modular assertion checking with separation logic
- Berdine, Calcagno, et al.
- 2006
- Citation context: ... perty. O’Hearn does not address the issue of how to come up with the correct resource invariant and states that “ownership is in the eye of the asserter.” This is also the approach taken by Smallfoot [3], which required the user to specify the resource invariants. More recently, Gotsman et al. [7] proposed a very practical, heuristic method for calculating resource invariants. Their method is based o...

10 | Bottom-up shape analysis
- Gulavani, Chakraborty, et al.
- 2009
- Citation context: ... H′ ∗ F. Many solutions are possible for A and F. A criterion to judge the quality of solutions as well as a bi-abductive prover were defined in [4]. A modified version of bi-abduction was proposed in [8]. Bi-abduction was introduced as a useful mechanism to construct compositional shape analyses. Such analyses can be seen as the attempt to build proofs for Hoare triples of a program. More precisely, ...

1 | Efficiently inferring thread correlations. Unpublished
- Segalov, Lev-Ami, et al.
- 2009
- Citation context: ... at are not thread-modular: e.g. by considering all thread interleavings as in Yahav [12], or by keeping track of the correlations between the local states of each pair of threads as in Segalov et al. [11]. The drawback of such analyses is that they do not scale very well to large programs. In contrast, as we use compositional techniques for discovering resource invariants, we are hopeful that our algo...