A Unified Framework for Verification Techniques for Object Invariants

Drossopoulou, Sophia; Francalanza, Adrian; Müller, Péter; Summers, Alexander J.

doi:10.1007/978-3-540-70592-5_18

Cited by 38 publications

(34 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some other conditions are given by the programmer, for example object or monitor invariants. There are several flavors of treating program-specific invariants, mostly focusing on the special case of object invariants [7]. Various forms of ownership [1,13] are popular invariant disciplines.…”

Section: Discussionmentioning

confidence: 99%

A Discipline for Program Verification Based on Backpointers and Its Use in Observational Disjointness

Kassios

Kritikos

2013

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract. In the verification of programs that manipulate the heap, logics that emphasize localized reasoning, such as separation logic, are being used extensively. In such logics, state conditions may only refer to parts of the heap that are reachable from the stack. However, the correct implementation of some data structures is based on state conditions that depend on unreachable locations. For example, reference counting depends on the invariant that "the number of nodes pointing to a certain node is equal to its reference counter ". Such conditions are cumbersome or even impossible to formalize in existing variants of separation logic. In the first part of this paper, we develop a minimal programming discipline that enables the programmer to soundly express backpointer conditions, i.e., state conditions that involve heap objects that point to the reachable part of the heap, such as the above-mentioned reference counting invariant. In the second part, we demonstrate the expressiveness of our methodology by verifying the implementation of concurrent copy-on-write lists (CCoWL). CCoWL is a data structure with observational disjointness, i.e., its specification pretends that different lists depend on disjoint parts of the heap, so that separation logic reasoning is made easy, while its implementation uses sharing to maximize performance. The CCoWL case study is a very challenging problem, to which we are not aware of any other solutions.

show abstract

Section: Discussionmentioning

confidence: 99%

A Discipline for Program Verification Based on Backpointers and Its Use in Observational Disjointness

Kassios

Kritikos

2013

Programming Languages and Systems

View full text Add to dashboard Cite

show abstract

“…Both concepts, as well as Lu et al's modular technique [16], are designed for ownership-based type systems. These techniques are captured in Drossopoulou et al's abstract unified framework [9]. Although it is stated that this abstract framework should be suitable to model class invariants in a concurrent setting, the framework has never been applied on a concrete verification technique for concurrent programs.…”

Section: Related Workmentioning

confidence: 99%

Verifying Class Invariants in Concurrent Programs

Zaharieva-Stojanovski

Huisman

2014

Fundamental Approaches to Software Engineering

View full text Add to dashboard Cite

Abstract. Class invariants are a highly useful feature for the verification of object-oriented programs, because they can be used to capture all valid object states. In a sequential program setting, the validity of class invariants is typically described in terms of a visible state semantics, i.e., invariants only have to hold whenever a method begins or ends execution, and they may be broken inside a method body. However, in a concurrent setting, this restriction is no longer usable, because due to thread interleavings, any program state is potentially a visible state.In this paper we present a new approach for reasoning about class invariants in multithreaded programs. We allow a thread to explicitly break an invariant at specific program locations, while ensuring that no other thread can observe the broken invariant. We develop our technique in a permission-based separation logic environment. However, we deviate from separation logic's standard rules and allow a class invariant to express properties over shared memory locations (the invariant footprint), independently of the permissions on these locations. In this way, a thread may break or reestablish an invariant without holding permissions to all locations in its footprint. To enable modular verification, we adopt the restrictions of Müller's ownership-based type system.

show abstract

“…Moreover, code within the module, acting on one instance of Set, could violate the invariant of another instance. Besides scope and typing, a popular technique to deal with encapsulation in the presence of pointers is "ownership" (e.g., [9,11]). Ownership systems ghost freed : rgn; var flist : Node; count : int;…”

Section: A Collection Implemented By a Listmentioning

confidence: 99%

“…Drossopoulou et al [11] introduce a general framework to describe verification techniques for invariants. A number of ownership disciplines from the literature are studied as instances of the framework.…”

Section: Related Workmentioning

confidence: 99%

“…Reynolds gave a derivation using the rule of conjunction 10 that shows the SOF rule of SL is not sound without restriction to predicates that are "precise" in the sense of determining a unique footprint [31]. 11 The semantic analysis in [31] shows that the need for a unique footprint applies to region logic as well. However, region logic separates the footprint from the formula, allowing the invariant formula to denote an imprecise predicate while framing the formula by effects that in a given state determines a unique set of locations.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Dynamic Boundaries: Information Hiding by Second Order Framing with First Order Assertions

Naumann

Banerjee

2010

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract. The hiding of internal invariants creates a mismatch between procedure specifications in an interface and proof obligations on the implementations of those procedures. The mismatch is sound if the invariants depend only on encapsulated state, but encapsulation is problematic in contemporary software due to the many uses of shared mutable objects. The mismatch is formalized here in a proof rule that achieves flexibility via explicit restrictions on client effects, expressed using ghost state and ordinary first order assertions.

show abstract

A Unified Framework for Verification Techniques for Object Invariants

Cited by 38 publications

References 30 publications

A Discipline for Program Verification Based on Backpointers and Its Use in Observational Disjointness

A Discipline for Program Verification Based on Backpointers and Its Use in Observational Disjointness

Verifying Class Invariants in Concurrent Programs

Dynamic Boundaries: Information Hiding by Second Order Framing with First Order Assertions

Contact Info

Product

Resources

About