## Local Reasoning about a Copying Garbage Collector (2004)

### Cached

### Download Links

- [www.itu.dk]
- [www.itu.dk]
- [www.it-c.dk]
- [www.itu.dk]
- [www.it-c.dk]
- DBLP

### Other Repositories/Bibliography

Venue: | In 31st ACM POPL |

Citations: | 67 - 8 self |

### BibTeX

@INPROCEEDINGS{Birkedal04localreasoning,

author = {Lars Birkedal and Noah Torp-smith and John C. Reynolds},

title = {Local Reasoning about a Copying Garbage Collector},

booktitle = {In 31st ACM POPL},

year = {2004},

pages = {220--231},

publisher = {ACM Press}

}

### Years of Citing Articles

### OpenURL

### Abstract

We present a programming language, model, and logic appropriate for implementing and reasoning about a memory management system. We then state what is meant by correctness of a copying garbage collector, and employ a variant of the novel separation logics [18, 23] to formally specify partial correctness of Cheney's copying garbage collector [8]. Finally, we prove that our implementation of Cheney's algorithm meets its specification, using the logic we have given, and auxiliary variables [19].

### Citations

1165 | Proof-carrying code
- Necula
- 1997
(Show Context)
Citation Context ... a type system expressive enough to type a garbage collector, which is type preserving, generational, and handles cyclic data structures. Recently, there has been a lot of work on Proof Carrying Code =-=[16, 15]-=-. The basic idea of a code producer submitting a proof of safety along with a program could, of course, be transferred to low-level programming languages, like the one used with separation logic. Nipk... |

761 | Separation logic: A logic for shared mutable data structures
- Reynolds
- 2002
(Show Context)
Citation Context ...opriate for implementing and reasoning about a memory management system. We then state what is meant by correctness of a copying garbage collector, and employ a variant of the novel separation logics =-=[18, 23]-=- to formally specify partial correctness of Cheney's copying garbage collector [8]. Finally, we prove that our implementation of Cheney's algorithm meets its specification, using the logic we have giv... |

618 | From System F to typed assembly language
- Morrisett, Walker, et al.
- 1998
(Show Context)
Citation Context ...tion in Sec. 8. The additional second motivating factor is that our analysis of garbage collection should be of use in connection with foundational proof-carrying code [2] and typed assembly language =-=[14]-=-. In these settings, a memory allocation (but no deallocation) construct is part of the instruction set and a memory management system is implicitly assumed. We believe that our correctness proof can ... |

411 | Safe kernel extensions without run-time checking
- Necula, Lee
- 1996
(Show Context)
Citation Context ... a type system expressive enough to type a garbage collector, which is type preserving, generational, and handles cyclic data structures. Recently, there has been a lot of work on Proof Carrying Code =-=[16, 15]-=-. The basic idea of a code producer submitting a proof of safety along with a program could, of course, be transferred to low-level programming languages, like the one used with separation logic. Nipk... |

333 |
An axiomatic proof technique for parallel programs
- OWICKI, GRIES
- 1976
(Show Context)
Citation Context ... correctness of Cheney's copying garbage collector [8]. Finally, we prove that our implementation of Cheney's algorithm meets its specification, using the logic we have given, and auxiliary variables =-=[19]-=-. Categories and Subject Descriptors D.2.8 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs---Assertions, Logics of programs, Specification techniques General T... |

281 | Local reasoning about programs that alter data structures
- O’Hearn, Reynolds, et al.
- 2001
(Show Context)
Citation Context ...opriate for implementing and reasoning about a memory management system. We then state what is meant by correctness of a copying garbage collector, and employ a variant of the novel separation logics =-=[18, 23]-=- to formally specify partial correctness of Cheney's copying garbage collector [8]. Finally, we prove that our implementation of Cheney's algorithm meets its specification, using the logic we have giv... |

243 | A nonrecursive list compacting algorithm - CHENEY - 1970 |

239 | Foundational proof-carrying code
- Appel
- 2001
(Show Context)
Citation Context ... preliminary ideas in this direction in Sec. 8. The additional second motivating factor is that our analysis of garbage collection should be of use in connection with foundational proof-carrying code =-=[2]-=- and typed assembly language [14]. In these settings, a memory allocation (but no deallocation) construct is part of the instruction set and a memory management system is implicitly assumed. We believ... |

218 |
On-the-fly garbage collection: an exercise in cooperation
- Dijkstra, Lamport, et al.
- 1978
(Show Context)
Citation Context ...in [20] builds upon a concrete allocation model such as the one provided by Cheney's copying garbage collector. The first attempt of a formal correctness proof of a garbage collector was published in =-=[10], where th-=-e problem "was selected as one of the most challenging -- and hopefully, most instructive! -- problems". The proof given there is informal and merely gives an idea of how to obtain a formal ... |

208 | Typed memory management in a calculus of capabilities
- CRARY, WALKER, et al.
- 1999
(Show Context)
Citation Context ...ion only copies cells reachable from root. 7 Related Work There has been several proposals for using types to manage the problem of reasoning about programs that manipulate imperative data structures =-=[9, 25, 1, 20]-=-. They are based on the idea that welltyped programs do not go wrong, but they are not aimed at giving proofs of correctness. In the work [9] on capabilities, traditional region calculus [26] is exten... |

178 | Alias types
- Smith, Walker, et al.
- 2000
(Show Context)
Citation Context ...ion only copies cells reachable from root. 7 Related Work There has been several proposals for using types to manage the problem of reasoning about programs that manipulate imperative data structures =-=[9, 25, 1, 20]-=-. They are based on the idea that welltyped programs do not go wrong, but they are not aimed at giving proofs of correctness. In the work [9] on capabilities, traditional region calculus [26] is exten... |

169 | Resources, concurrency and local reasoning - O’Hearn |

101 |
The Semantics and Proof Theory of the Logic of Bunched Implications, Applied Logic Series
- Pym
- 2002
(Show Context)
Citation Context ...pes [25], a static notion of constraint is used describe the shape of the heap, and this is used to decide when it is safe to execute a program. In the work [1] on hierarchical storage, ideas from BI =-=[22]-=- and region calculi are used to give a type system with structure on locations. In [20] Petersen et. al. propose to use a type theory based on ordered linear logic as a foundation for defining how dat... |

73 | Proving pointer programs in higher-order logic
- Mehta, Nipkow
(Show Context)
Citation Context ...evel programming languages, like the one used with separation logic. Nipkow's research group in Munich has developed a framework for formally verifying programs in traditional Hoare logic with arrays =-=[12]-=-, and an extension to separation logic is underway. This would allow one to verify our correctness proof mechanically and perhaps to ship that proof along with proofs of programs using the garbage col... |

53 |
An axiomatic approach to computer programming
- Hoare
- 1969
(Show Context)
Citation Context ...the specification and to B as the postcondition. We present a set of proof rules that are sound with respect to Def. 5. Since the rules regarding constructs from the simple whilelanguage are standard =-=[11]-=-, we only present rules regarding the heap. Rules for heap lookup. When x ## FV (e # , A) and y ## FV (e), {(#y. e ## y #A)# x = e # } x := [e] {e[e # /x] ## x #A[x/y]} (15) When x ## FV (e,A) and y #... |

50 | Type-preserving garbage collectors
- Wang, Appel
- 2001
(Show Context)
Citation Context ...sinoff gave a correctness proof of an abstract version of a mark-and-sweep collector, which, however, did not use local reasoning. In their work on a type preserving garbage collector, Appel and Wang =-=[27]-=- transform well-typed programs into a form where they call a function, which acts as a garbage collector for the program. This function is designed such that it is well-typed in the target language, a... |

40 |
Algorithms for on-the-fly garbage collection
- Ben-Ari
- 1984
(Show Context)
Citation Context ... most challenging -- and hopefully, most instructive! -- problems". The proof given there is informal and merely gives an idea of how to obtain a formal proof. Other informal proofs were publishe=-=d in [3] and [21].-=- The fact that a "mechanically verifiable proof would need all kinds of trivial invariants" was used to justify the informal approach. Russinoff [24] explored how great a detail that was nee... |

37 |
Local reasoning for stateful programs
- Yang
- 2001
(Show Context)
Citation Context ...for a survey and historical remarks. In his dissertation, Yang showed that separation logic is a promising direction by giving an elegant proof of the non-trivial Schorr-Waite graph marking algorithm =-=[28]-=-. One of the key features making separation logic a promising tool is that Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee pr... |

32 |
Implementation of the call-by-value lambda-calculus using a stack of regions
- Tofte, Talpin
- 1994
(Show Context)
Citation Context ...9, 25, 1, 20]. They are based on the idea that welltyped programs do not go wrong, but they are not aimed at giving proofs of correctness. In the work [9] on capabilities, traditional region calculus =-=[26]-=- is extended with an annotation of a capability to each region, and this gives criteria to decide when it is safe to deallocate a region. In the setting of alias types [25], a static notion of constra... |

30 | Garbage collection for strongly-typed languages using run-time type reconstruction - Aditya, Flood, et al. - 1994 |

28 |
A mechanically verified incremental garbage collector
- Russinoff
- 1994
(Show Context)
Citation Context .... Other informal proofs were published in [3] and [21]. The fact that a "mechanically verifiable proof would need all kinds of trivial invariants" was used to justify the informal approach. =-=Russinoff [24]-=- explored how great a detail that was needed for a formal proof and demonstrated that the proofs in [3] and [21] are fallacious. Moreover, Russinoff gave a correctness proof of an abstract version of ... |

27 | A type theory for memory allocation and data layout
- Petersen, Harper, et al.
- 2003
(Show Context)
Citation Context ...ion only copies cells reachable from root. 7 Related Work There has been several proposals for using types to manage the problem of reasoning about programs that manipulate imperative data structures =-=[9, 25, 1, 20]-=-. They are based on the idea that welltyped programs do not go wrong, but they are not aimed at giving proofs of correctness. In the work [9] on capabilities, traditional region calculus [26] is exten... |

24 | Reasoning about hierarchical storage
- Ahmed, Jia, et al.
- 2003
(Show Context)
Citation Context |

19 | Program logic and equivalence in the presence of garbage collection
- Calcagno, O'Hearn, et al.
(Show Context)
Citation Context ...ors that we would like to call attention to. The first is that our analysis answers a question in the literature and thus paves the way for important future work that so far has been out of reach: In =-=[7]-=-, local reasoning and separation logic for a garbage collected language is analyzed. An underlying garbage collector is presumed in the operational semantics of the language, inasmuch as a partial pru... |

19 | Compiler-directed Type Reconstruction for Polymorphic Languages
- Aditya, Caro
- 1993
(Show Context)
Citation Context ...ing the program. This is because some objects in the heap might be reachable, but we might be able to infer information about reachable objects in the heap at run-time, (e.g. via type reconstruction [=-=Aditya and Caro 1993-=-]) which implies that these objects are not necessary for execution of the rest of the program. In this case we say that these objects are reachable, but not live, and it would, of course, give better... |

16 | Low-level linear memory management - Hawblitzel, Wei, et al. - 2004 |

15 |
An incremental garbage collection algorithm for multi-mutator systems
- Pixley
- 1988
(Show Context)
Citation Context ...allenging -- and hopefully, most instructive! -- problems". The proof given there is informal and merely gives an idea of how to obtain a formal proof. Other informal proofs were published in [3]=-= and [21]. The fact-=- that a "mechanically verifiable proof would need all kinds of trivial invariants" was used to justify the informal approach. Russinoff [24] explored how great a detail that was needed for a... |

11 | Typed regions
- Monnier, Shao
- 2002
(Show Context)
Citation Context ... guarantees safety, but not correctness of the garbage collector, and there is no treatment of cyclic data structures, since the user language does not create cyclic data structures. Monnier and Shao =-=[13]-=- combine ideas from region calculi and alias types in their work on typed regions and propose a programming language with a type system expressive enough to type a garbage collector, which is type pre... |

8 | A Larch specification of copying garbage collection
- Nettles
- 1992
(Show Context)
Citation Context ...e reasons above, proving correctness of a garbage collector, has been considered a key challenge for a long time. (In 1992 Nettles gave an informal proof of correctness of a copying garbage collector =-=[17]-=- and expressed a wish for a formal verification.) There are two other motivating factors that we would like to call attention to. The first is that our analysis answers a question in the literature an... |

8 | BIhyperdoctrines and higher order separation logic - Biering, Birkedal, et al. - 2005 |

2 |
Local Reasoning, Separation and Aliasing. Submitted to the SPACE'04 workshop. Available at http://www.cs.mdx.ac.uk/staffpages/r bornat
- Bornat
(Show Context)
Citation Context ... movement of cyclic data structures. We believe the methods used herein are of wider use and future work should include further experimentation with other subtle algorithms, such as those analyzed in =-=[6]-=- (and also, Bornat's methods might be applicable to Cheney's algorithm). Although the goal of the paper was to prove the simple variant of Cheney's collector, it is natural to ask whether the approach... |

1 | Correctness of a garbage collector via local reasoning
- Birkedal, Torp-Smith, et al.
- 2003
(Show Context)
Citation Context ...ning allows us to reason locally about different fragments of the algorithm, thus illustrating the power of the Frame Rule. Full proofs with all details can be found in the companion technical report =-=[4]-=-. In Sec. 7 we discuss some related work, besides what we have already discussed above, and finally we conclude and present some suggestions for future work in Sec. 8. 2 Syntax and Semantics In this s... |

1 |
Correctness of copydag via local reasoning. Private Communication
- Bornat
- 2003
(Show Context)
Citation Context ...using sets and relations can be used more widely, to specify and prove correct other programs involving shared or cyclic structures. Indeed a somewhat similar approach is being used by Richard Bornat =-=[5]-=- to specify and verify an algorithm for copying directed acyclic graphs. Moreover, we have extended the iterated separating conjunction [23] of separation logic to arbitrary finite sets. The assertion... |

1 | Ptr(e) ∧ (e ′ , e) ∈ r → e ∈ m (73 - PtrRg |

1 | Ik on the form A1 ∗· · ·∗Am. Similarly, the conclusion in the derivation has the form I ′ 1 ∧ · · · ∧ Ik ′ where I′ i are pure for i ∈ {1 - TBD, Year |

1 | x ↦→ y) ∗ (∃y ′ . (x, y ′ ) ∈ tail ∧ x + 4 ↦→ y ′ ))) � AUFWD, where the two implications follow from (36) and (10), respectively - head |

1 | The third implication is an instance of (14). For FIN, it is easiest to note that the condition scan = offset in the conclusion of the derivation above makes both of the assertions about FIN equivalent to emp. The following derivation takes care of FREE ( - Lemma |

1 | ϕ \ {(root, free - tail |

1 | ϕ † ∧ (free − 8 - head |

1 | ϕ † ∧ x + 4 ↦→ y ′ )) � AUFIN Here, the first implication uses (39), (51), and Lemma 3.9. The second follows from (52), and the third implication follows from purity. Finally, the last implication is an instance of the rule - tail |

1 |
The first of these implications follows from (14), the third follows from (15), the fourth from purity, the fifth from (73), and the last follows from (80
- unknown authors
(Show Context)
Citation Context ...), (4) ℓ ∈ dom(h) and h(ℓ) ∈ P tr implies h(ℓ) ∈ pdom(h), (5) ACM Transactions on Programming Languages and Systems, Vol. TBD, No. TDB, Month Year.s8 · Torp-Smith, Birkedal, Reynolds and r ∈ pdom(h). =-=(6)-=- Conversely, if the conditions (4) to (6) hold for a rooted heap (r, h), then one can show rp(r, h) ⊆ pdom(h) and rl(r, h) ⊆ dom(h) by induction on n to the corresponding formulas where rp and rl are ... |

1 |
The first of these implications follows from (14), the second is a matter of notation. The third implication is an instance of (15), and the next comes from purity. The sixth implication in the derivation follows from (60), and the last is by (54). This s
- unknown authors
(Show Context)
Citation Context ... (6), (r ′ , h ′ ) is an arbitrary rooted heap, and that β is a function from pdom(h) to pdom(h ′ ) such that for all p ∈ pdom(h) and k ∈ {0, 4}, and h ′ ((β(p)) + k) = β ∗ (h(p + k)) (7) r ′ = β(r). =-=(8)-=- Here, β ∗ is the extension of β to Z that is the identity on numbers that are not in pdom(h). Then β is called a heap morphism from (r, h) to (r ′ , h ′ ). Lemma 3.1. Assume (r, h) satisfies (4) to (... |

1 | ϕ \ {(a, free - head |

1 | ϕ \ {(a, free - tail |

1 | ϕ † ∧ x + 4 ↦→ y ′ )))) The specification step uses the rule for assignment. Like in Section 6.1 and 6.2.3, we now have to show that the pure part of I follows from the pure part I ′′ p of the conclusion I′′ in the derivation above, and that the separatin - tail |

1 | ϕ † ) ∧ x + 4 ↦→ y ′ )) implies and that implies ∀∗x - tail |