The ramifications of sharing in data structures

Programs manipulating mutable data structures with intrinsic sharing present a challenge for modular verification. Deep aliasing inside data structures dramatically complicates reasoning in isolation over parts of these objects because changes to one part of the structure (say, the left child of a dag node) can affect other parts (the right child or some of its descendants) that may point into it. The result is that finding intuitive and compositional proofs of correctness is usually a struggle. We propose a compositional proof system that enables local reasoning in the presence of sharing. While the AI "frame problem" elegantly captures the reasoning required to verify programs without sharing, we contend that natural reasoning about programs with sharing instead requires an answer to a different and more challenging AI problem, the "ramification problem": reasoning about the indirect consequences of actions. Accordingly, we present a RAMIFY proof rule that attacks the ramification problem head-on and show how to reason with it. Our framework is valid in any separation logic and permits sound compositional and local reasoning in the context of both specified and unspecified sharing. We verify the correctness of a number of examples, including programs that manipulate dags, graphs, and overlaid data structures in nontrivial ways.

[1]  Chris J. Cheney A nonrecursive list compacting algorithm , 1970, Commun. ACM.

[2]  Alasdair Urquhart,et al.  Semantics for relevant logics , 1972, Journal of Symbolic Logic.

[3]  J. Finger,et al.  Exploiting constraints in design synthesis , 1987 .

[4]  David K. Gifford,et al.  Polymorphic effect systems , 1988, POPL '88.

[5]  John C. Reynolds,et al.  Intuitionistic reasoning about shared mutable data structure , 1999 .

[6]  Richard Bornat,et al.  Proving Pointer Programs in Hoare Logic , 2000, MPC.

[7]  Hongseok Yang,et al.  Local reasoning for stateful programs , 2001 .

[8]  Michael Thielscher,et al.  The Qualification Problem: A solution to the problem of anomalous models , 2001, Artif. Intell..

[9]  Peter W. O'Hearn,et al.  BI as an assertion language for mutable data structures , 2001, POPL '01.

[10]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[11]  Richard Bornat,et al.  Local reasoning, separation and aliasing , 2003 .

[12]  Tobias Nipkow,et al.  Proving Pointer Programs in Higher-Order Logic , 2003, CADE.

[13]  Roman Manevich,et al.  Partially Disjunctive Heap Abstraction , 2004, SAS.

[14]  Hongseok Yang,et al.  Variables as Resource in Separation Logic , 2005, MFPS.

[15]  Peter W. O'Hearn,et al.  Smallfoot: Modular Automatic Assertion Checking with Separation Logic , 2005, FMCO.

[16]  Tobias Nipkow,et al.  Proving pointer programs in higher-order logic , 2005, Inf. Comput..

[17]  Akinori Yonezawa,et al.  Formal Verification of the Heap Manager of an Operating System Using Separation Logic , 2006, ICFEM.

[18]  Viktor Kuncak,et al.  Field Constraint Analysis , 2005, VMCAI.

[19]  Viktor Vafeiadis,et al.  A Marriage of Rely/Guarantee and Separation Logic , 2007, CONCUR.

[20]  Peter W. O'Hearn,et al.  Local Action and Abstract Separation Logic , 2007, 22nd Annual IEEE Symposium on Logic in Computer Science (LICS 2007).

[21]  Viktor Vafeiadis,et al.  Modular fine-grained concurrency verification , 2008 .

[22]  Lars Birkedal,et al.  Local reasoning about a copying garbage collector , 2004, POPL '04.

[23]  Andrew W. Appel,et al.  Oracle Semantics for Concurrent Separation Logic , 2008, ESOP.

[24]  Erez Petrank,et al.  Automated verification of practical garbage collectors , 2009, POPL '09.

[25]  Andrew W. Appel,et al.  A Fresh Look at Separation Algebras and Share Accounting , 2009, APLAS.

[26]  Javier O. Blanco,et al.  Local reasoning for abstraction and sharing , 2009, SAC '09.

[27]  Andrew W. Appel,et al.  A Logical Mix of Approximation and Separation , 2010, APLAS.

[28]  K. Rustan M. Leino,et al.  Dafny: An Automatic Program Verifier for Functional Correctness , 2010, LPAR.

[29]  Lars Birkedal,et al.  Verifying event-driven programs using ramified frame properties , 2010, TLDI '10.

[30]  Hongseok Yang,et al.  Program Analysis for Overlaid Data Structures , 2011, CAV.

[31]  Holger Gast Developer-Oriented Correctness Proofs - A Case Study of Cheney's Algorithm , 2011, ICFEM.

[32]  Philippa Gardner,et al.  Towards a program logic for JavaScript , 2012, POPL '12.

[33]  Lars Birkedal,et al.  Formalized Verification of Snapshotable Trees: Separation and Sharing , 2012, VSTTE.

[34]  The ramifications of sharing in data structures , 2013, POPL.