Modular Automatic Assertion Checking with Separation Logic

Separation logic is a program logic for reasoning about programs that manipulate pointer data structures. We describe a tool, Smallfoot, for checking certain lightweight separation logic specifications. The assertions describe the shapes of data structures rather than their detailed contents, and this allows reasoning to be fully automatic. We illustrate what the tool can do via a sequence of examples which are oriented around novel aspects of separation logic, namely: avoidance of frame axioms (which say what a procedure does not change); embracement of “dirty” features such as memory disposal and address arithmetic; information hiding in the presence of pointers; and modular reasoning about concurrent programs.

[1]  J. Schwarz,et al.  Generic Commands - A Tool for Partial Correctness Formalisms , 1977, Comput. J..

[2]  Frank Piessens,et al.  Safe concurrency for aggregate objects with invariants , 2005, Third IEEE International Conference on Software Engineering and Formal Methods (SEFM'05).

[3]  Peter W. O'Hearn,et al.  A Local Shape Analysis Based on Separation Logic , 2006, TACAS.

[4]  Charles Antony Richard Hoare Towards a theory of parallel programming , 2002 .

[5]  Reinhard Wilhelm,et al.  A semantics for procedure local heaps and its abstractions , 2005, POPL '05.

[6]  C. A. R. Hoare,et al.  Procedures and parameters: An axiomatic approach , 1971, Symposium on Semantics of Algorithmic Languages.

[7]  K. Mani Chandy,et al.  Proofs of Networks of Processes , 1981, IEEE Transactions on Software Engineering.

[8]  Peter W. O'Hearn,et al.  Separation and information hiding , 2004, POPL.

[9]  永田 守男,et al.  Verifying Properties of Parallel Programs : An Axiomatic Approach , 1976 .

[10]  Donald E. Knuth,et al.  The Art of Computer Programming, Volume I: Fundamental Algorithms, 2nd Edition , 1997 .

[11]  Peter W. O'Hearn,et al.  Local Reasoning about Programs that Alter Data Structures , 2001, CSL.

[12]  Stephen N. Freund,et al.  Thread-Modular Verification for Shared-Memory Programs , 2002, ESOP.

[13]  Maged M. Michael Hazard pointers: safe memory reclamation for lock-free objects , 2004, IEEE Transactions on Parallel and Distributed Systems.

[14]  David Gay,et al.  Autolocker: synchronization inference for atomic sections , 2006, POPL '06.

[15]  Keir Fraser,et al.  Language support for lightweight transactions , 2003, SIGP.

[16]  James Noble,et al.  Simple Ownership Types for Object Containment , 2001, ECOOP.

[17]  Cliff B. Jones,et al.  Wanted: a compositional approach to concurrency , 2003 .

[18]  Robert DeLine,et al.  Enforcing high-level protocols in low-level software , 2001, PLDI '01.

[19]  Maurice Herlihy The transactional manifesto: software engineering and non-blocking synchronization , 2005, PLDI '05.

[20]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[21]  E. Clarke,et al.  Inferring Invariants in Separation Logic for Imperative List-processing Programs , 2005 .

[22]  John Tang Boyland,et al.  Checking Interference with Fractional Permissions , 2003, SAS.

[23]  David Walker,et al.  Alias Types for Recursive Data Structures , 2000, Types in Compilation.

[24]  Cormac Flanagan,et al.  A type and effect system for atomicity , 2003, PLDI.

[25]  Peter W. O'Hearn,et al.  Permission accounting in separation logic , 2005, POPL '05.

[26]  Robert Ennals Software Transactional Memory Should Not Be Obstruction-Free , 2005 .

[27]  Edmund M. Clarke,et al.  Synthesis of resource invariants for concurrent programs , 1979, POPL.

[28]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[29]  Peter Müller,et al.  Universes: Lightweight Ownership for JML , 2005, J. Object Technol..

[30]  Hongseok Yang,et al.  An Example of Local Reasoning in BI Pointer Logic: the Schorr−Waite Graph Marking Algorithm , 2001 .

[31]  Jakob Rehof,et al.  Zing: A Model Checker for Concurrent Software , 2004, CAV.

[32]  John C. Reynolds,et al.  Separation logic: a logic for shared mutable data structures , 2002, Proceedings 17th Annual IEEE Symposium on Logic in Computer Science.

[33]  Anindya Banerjee,et al.  Ownership confinement ensures representation independence for object-oriented programs , 2002, JACM.

[34]  David A. Naumann,et al.  On assertion-based encapsulation for object invariants and simulations , 2004, Formal Aspects of Computing.

[35]  Peter W. O'Hearn,et al.  Resources, concurrency, and local reasoning , 2007 .

[36]  Mark Lillibridge,et al.  Extended static checking for Java , 2002, PLDI '02.

[37]  K. Rustan M. Leino,et al.  Verification of Object-Oriented Programs with Invariants , 2003, J. Object Technol..

[38]  Richard Bornat,et al.  Local reasoning, separation and aliasing , 2003 .

[39]  Nils Klarlund,et al.  Automatic verification of pointer programs using monadic second-order logic , 1997, PLDI '97.

[40]  Stephen D. Brookes,et al.  A Semantics for Concurrent Separation Logic , 2004, CONCUR.

[41]  Anders Møller,et al.  The Pointer Assertion Logic Engine , 2000 .

[42]  Peter W. O'Hearn,et al.  Symbolic Execution with Separation Logic , 2005, APLAS.

[43]  Michael Barnett,et al.  Friends Need a Bit More: Maintaining Invariants Over Shared State , 2004, MPC.

[44]  Stephen A. Cook,et al.  Soundness and Completeness of an Axiom System for Program Verification , 1978, SIAM J. Comput..

[45]  K. Rustan M. Leino,et al.  Using data groups to specify and check side effects , 2002, PLDI '02.

[46]  Cliff B. Jones,et al.  Specification and Design of (Parallel) Programs , 1983, IFIP Congress.

[47]  Lars Birkedal,et al.  Local reasoning about a copying garbage collector , 2004, POPL '04.