Local Reasoning for Global Invariants, Part I: Region Logic

Dedicated to the memory of Stephen L. Bloom (1940--2010). Shared mutable objects pose grave challenges in reasoning, especially for information hiding and modularity. This article presents a novel technique for reasoning about error-avoiding partial correctness of programs featuring shared mutable objects, and investigates the technique by formalizing a logic. Using a first-order assertion language, the logic provides heap-local reasoning about mutation and separation, via ghost fields and variables of type “region” (finite sets of object references). A new form of frame condition specifies write, read, and allocation effects using region expressions; this supports a frame rule that allows a command to read state on which the framed predicate depends. Soundness is proved using a standard program semantics. The logic facilitates heap-local reasoning about object invariants, as shown here by examples. Part II of this article extends the logic with second-order framing which formalizes the hiding of data invariants.

[1]  Peter Müller,et al.  Modular Specification and Verification of Object-Oriented Programs , 2002, Lecture Notes in Computer Science.

[2]  Peter W. O'Hearn,et al.  Program logic and equivalence in the presence of garbage collection , 2003, Theor. Comput. Sci..

[3]  Ralph Johnson,et al.  design patterns elements of reusable object oriented software , 2019 .

[4]  Frank S. de Boer,et al.  Verification of object-oriented programs: A transformational approach , 2010, J. Comput. Syst. Sci..

[5]  Peter W. O'Hearn,et al.  Symbolic Execution with Separation Logic , 2005, APLAS.

[6]  Anindya Banerjee,et al.  Local Reasoning for Global Invariants, Part II: Dynamic Boundaries , 2013, JACM.

[7]  Sophia Drossopoulou,et al.  Ownership, encapsulation and the disjointness of type and effect , 2002, OOPSLA '02.

[8]  W. Neville Holmes,et al.  The Craft of Programming , 2008, Computer.

[9]  Frank S. de Boer,et al.  A proof outline logic for object-oriented programming , 2005, Theor. Comput. Sci..

[10]  K. Rustan M. Leino,et al.  Data groups: specifying the modification of extended state , 1998, OOPSLA '98.

[11]  C. Pierik,et al.  Validation techniques for object-oriented proof outlines , 2006 .

[12]  Frank Piessens,et al.  An Automatic Verifier for Java-Like Programs Based on Dynamic Frames , 2008, FASE.

[13]  Xinyu Feng,et al.  Combining Domain-Specific and Foundational Logics to Verify Complete Software Systems , 2008, VSTTE.

[14]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[15]  David A. Naumann,et al.  Observational purity and encapsulation , 2005, Theor. Comput. Sci..

[16]  Anne Schilling,et al.  Linear Maps , 2007 .

[17]  Frank Piessens,et al.  Implicit dynamic frames , 2008, TOPL.

[18]  Peter W. O'Hearn,et al.  Compositional Shape Analysis by Means of Bi-Abduction , 2011, JACM.

[19]  Bernhard Beckert,et al.  Dynamic Logic , 2007, The KeY Approach.

[20]  Krzysztof R. Apt,et al.  Ten Years of Hoare's Logic: A Survey—Part I , 1981, TOPL.

[21]  Matthew J. Parkinson,et al.  The Relationship between Separation Logic and Implicit Dynamic Frames , 2011, ESOP.

[22]  Susan Owicki,et al.  An axiomatic proof technique for parallel programs I , 1976, Acta Informatica.

[23]  K. Rustan M. Leino,et al.  A Verification Methodology for Model Fields , 2006, ESOP.

[24]  Bernhard Beckert,et al.  Verification of Object-Oriented Software. The KeY Approach - Foreword by K. Rustan M. Leino , 2007, The KeY Approach.

[25]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[26]  K. Rustan M. Leino,et al.  A Basis for Verifying Multi-threaded Programs , 2009, ESOP.

[27]  Ernst-Rüdiger Olderog,et al.  Verification of Sequential and Concurrent Programs , 1991, Texts and Monographs in Computer Science.

[28]  Ioannis T. Kassios The dynamic frames theory , 2010, Formal Aspects of Computing.

[29]  Gavin M. Bierman,et al.  Separation logic and abstraction , 2005, POPL '05.

[30]  Nick Benton,et al.  Simple relational correctness proofs for static analyses and program transformations , 2004, POPL.

[31]  Yde Venema,et al.  Dynamic Logic by David Harel, Dexter Kozen and Jerzy Tiuryn. The MIT Press, Cambridge, Massachusetts. Hardback: ISBN 0–262–08289–6, $50, xv + 459 pages , 2002, Theory and Practice of Logic Programming.

[32]  Martin Hofmann,et al.  Elimination of Ghost Variables in Program Logics , 2007, TGC.

[33]  Michael Barnett,et al.  Towards imperative modules: reasoning about invariants and sharing of mutable state , 2004, Proceedings of the 19th Annual IEEE Symposium on Logic in Computer Science, 2004..

[34]  C. A. R. Hoare,et al.  Proof of correctness of data representations , 1972, Acta Informatica.

[35]  Mark A. Hillebrand,et al.  VCC: A Practical System for Verifying Concurrent C , 2009, TPHOLs.

[36]  Robert W. Floyd,et al.  Assigning Meanings to Programs , 1993 .

[37]  David Walker,et al.  Modular Protections against Non-control Data Attacks , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[38]  K. Rustan M. Leino,et al.  Dafny: An Automatic Program Verifier for Functional Correctness , 2010, LPAR.

[39]  C. A. R. Hoare,et al.  Proof of Correctness of Data Representations (Reprint) , 2002, Software Pioneers.

[40]  Frank Piessens,et al.  Implicit Dynamic Frames: Combining Dynamic Frames and Separation Logic , 2009, ECOOP.

[41]  Hongseok Yang,et al.  Semantics of separation-logic typing and higher-order frame rules , 2005, 20th Annual IEEE Symposium on Logic in Computer Science (LICS' 05).

[42]  David Harel,et al.  First-Order Dynamic Logic , 1979, Lecture Notes in Computer Science.

[43]  Matthew J. Parkinson,et al.  jStar: towards practical verification for java , 2008, OOPSLA.

[44]  Anna Philippou,et al.  Tools and Algorithms for the Construction and Analysis of Systems , 2018, Lecture Notes in Computer Science.

[45]  Deepak Kapur,et al.  Sharing analysis of arrays, collections, and recursive structures , 2008, PASTE '08.

[46]  Dan Suciu,et al.  Journal of the ACM , 2006 .

[47]  Viktor Kuncak,et al.  Sets with Cardinality Constraints in Satisfiability Modulo Theories , 2011, VMCAI.

[48]  Frank S. de Boer,et al.  On Behavioral Subtyping and Completeness , 2005 .

[49]  Gary T. Leavens,et al.  How the design of JML accommodates both runtime assertion checking and formal verification , 2003, Sci. Comput. Program..

[50]  Craig Chambers,et al.  Ownership Domains: Separating Aliasing Policy from Mechanism , 2004, ECOOP.

[51]  Peter W. O'Hearn,et al.  Separation and information hiding , 2004, POPL.

[52]  Gary T. Leavens,et al.  Behavioral Subtyping is Equivalent to Modular Reasoning for Object-oriented Programs , 2006 .

[53]  K. Rustan M. Leino,et al.  Data abstraction and information hiding , 2002, TOPL.

[54]  Anindya Banerjee,et al.  Regional Logic for Local Reasoning about Global Invariants , 2008, ECOOP.

[55]  Anindya Banerjee,et al.  Boogie Meets Regions: A Verification Experience Report , 2008, VSTTE.

[56]  Gary T. Leavens,et al.  Behavioral Subtyping, Specification Inheritance, and Modular Reasoning , 2015, ACM Trans. Program. Lang. Syst..

[57]  K. Rustan M. Leino,et al.  Using data groups to specify and check side effects , 2002, PLDI '02.

[58]  Anindya Banerjee,et al.  Expressive Declassification Policies and Modular Static Enforcement , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[59]  Frank Piessens,et al.  A Quick Tour of the VeriFast Program Verifier , 2010, APLAS.

[60]  Jeannette M. Wing,et al.  A behavioral notion of subtyping , 1994, TOPL.

[61]  David A. Naumann,et al.  Region logic: local reasoning for java programs and its automation , 2011 .

[62]  Lars Birkedal,et al.  Polymorphism and separation in hoare type theory , 2006, ICFP '06.

[63]  Gary T. Leavens,et al.  Specification and verification challenges for sequential object-oriented programs , 2007, Formal Aspects of Computing.

[64]  Anindya Banerjee,et al.  Local Reasoning and Dynamic Framing for the Composite Pattern and Its Clients , 2010, VSTTE.

[65]  Viktor Kuncak,et al.  Full functional verification of linked data structures , 2008, PLDI '08.

[66]  K. Rustan M. Leino,et al.  Verification of Object-Oriented Programs with Invariants , 2003, J. Object Technol..

[67]  Viktor Vafeiadis,et al.  Structuring the verification of heap-manipulating programs , 2010, POPL '10.

[68]  Anindya Banerjee,et al.  Dynamic Boundaries: Information Hiding by Second Order Framing with First Order Assertions , 2010, ESOP.

[69]  Peter W. O'Hearn,et al.  Smallfoot: Modular Automatic Assertion Checking with Separation Logic , 2005, FMCO.

[70]  Peter H. Schmitt,et al.  Dynamic Frames in Java Dynamic Logic , 2010, FoVeOOS.

[71]  K. Rustan M. Leino,et al.  Object Invariants in Dynamic Contexts , 2004, ECOOP.

[72]  Calogero G. Zarba Combining Sets with Elements , 2003, Verification: Theory and Practice.

[73]  Torben Amtoft,et al.  A logic for information flow in object-oriented programs , 2006, POPL '06.

[74]  Erez Petrank,et al.  Automated verification of practical garbage collectors , 2009, POPL '09.

[75]  Greg Nelson,et al.  Extended static checking for Java , 2002, PLDI '02.

[76]  Frank S. de Boer,et al.  Verification of Sequential and Concurrent Programs , 1997, Texts and Monographs in Computer Science.

[77]  Ioannis T. Kassios Dynamic Frames: Support for Framing, Dependencies and Sharing Without Restrictions , 2006, FM.

[78]  Frank Piessens,et al.  Automatic verification of Java programs with dynamic frames , 2010, Formal Aspects of Computing.

[79]  Marieke Huisman Proceedings of the 8th international workshop on Specification and verification of component-based systems , 2009, FSE 2009.

[80]  Peter W. O'Hearn,et al.  Local Reasoning about Programs that Alter Data Structures , 2001, CSL.

[81]  Peter Müller,et al.  Checking Well-Formedness of Pure-Method Specifications , 2008, FM.

[82]  Viktor Kuncak,et al.  Towards Efficient Satisfiability Checking for Boolean Algebra with Presburger Arithmetic , 2007, CADE.

[83]  Liuba Shrira,et al.  Ownership types for object encapsulation , 2003, POPL '03.