A relational model for confined separation logic

Confined separation logic is a new extension to separation logic designed to deal with problems involving dangling references within shared mutable structures. In par- ticular, it allows for reasoning about confinement in object- oriented programs. In this paper, we discuss the semantics of such an extension by defining a relational model for the overall logic, parametric on the shapes of both the store and the heap. This model provides a simple and elegant interpretation of the new confinement connectives and helps in seeking for duals. A number of properties of this logic are proved calculationally.Supported by NNSFC (No. 60573081

A Universe-Type-Based Verification Technique for Mutable Static Fields and Methods (Work in Progress)

We present a novel technique for the verification of invariants in the setting of a Java-like language including static fields and methods. The technique is a generalisation of the existing Visibility Technique of Mueller et al., which employs universe types. In order to cater for mutable static fields, we extend this topology to multiple trees (a forest), where each tree is rooted in a class. This allows classes to naturally own object instances as their static fields.We describe how to extend the Visibility Technique to this topology, incorporating extra flexibility for the treatment of static methods. We encounter a potential source of callbacks not present in the original technique, and show how to overcome this using an effects system. To allow flexible and modular verification, we refine our topology with a hierarchy of `level

CVPP: A Tool Set for Compositonal Verification of Control-Flow Safety Properties.

This paper describes CVPP, a tool set for compositional verification of control–flow safety properties for programs with procedures. The compositional verification principle that underlies CVPP is based on maximal models constructed from component specifications. Maximal models replace the actual components when verifying the whole program, either for the purposes of modularity of verification or due to unavailability of the component implementations at verification time. A characteristic feature of the principle and the tool set is the distinction between program structure and behaviour. While behavioural properties are more abstract and convenient for specification purposes, structural ones are easier to manipulate, in particular when it comes to verifica-tion or the construction of maximal models. Therefore, CVPP also contains the means to characterise a given behavioural formula by a set of structural formulae. The paper presents the underlying framework for compositional verification and the components of the tool set. Several verification scenarios are described, as well as wrapper tools that sup-port the automatic execution of such scenarios, providing appropriate pre – and post–processing to interface smoothly with the user and to encapsulate the inner workings of the tool set

Procedure-modular specification and verification of temporal safety properties

This paper describes ProMoVer, a tool for fully automated procedure-modular verification of Java programs equipped with method-local and global assertions that specify safety properties of sequences of method invocations. Modularity at the procedure-level is a natural instantiation of the modular verification paradigm, where correctness of global properties is relativized on the local properties of the methods rather than on their implementations. Here, it is based on the construction of maximal models for a program model that abstracts away from program data. This approach allows global properties to be verified in the presence of code evolution, multiple method implementations (as arising from software product lines), or even unknown method implementations (as in mobile code for open platforms). ProMoVer automates a typical verification scenario for a previously developed tool set for compositional verification of control flow safety properties, and provides appropriate pre- and post-processing. Both linear-time temporal logic and finite automata are supported as formalisms for expressing local and global safety properties, allowing the user to choose a suitable format for the property at hand. Modularity is exploited by a mechanism for proof reuse that detects and minimizes the verification tasks resulting from changes in the code and the specifications. The verification task is relatively light-weight due to support for abstraction from private methods and automatic extraction of candidate specifications from method implementations. We evaluate the tool on a number of applications from the domains of Java Card and web-based application

The dynamic frames theory

The theory of Dynamic Frames has been invented to deal with the frame problem in the presence of encapsulation and pointers. It has proved more flexible and conceptually simpler than previous approaches that tackled the problem. It is now being actively used both for theoretical and for practical purposes related to the formal verification of program correctness. This paper presents the full theory of Dynamic Frames, together with its reasoning laws and exemplifies the use of these laws in proving correct several common design patterns. It also discusses the ongoing research on the topi

Alias-free Parameters in C for Better Reasoning and Optimization

Aliasing among formal parameters and among formals and globals causes problems for both reasoning and optimization. Whole-program static analysis could provide some knowledge about such aliasing, but this is not usually done, and in any case would have to be conservative. All aliasing patterns that are not ruled out by an analysis have to be considered possible both by a person reasoning about correctness and by a compiler trying to optimize code. For compilers, the conservative nature of the static analysis leads to missed optimization opportunities. We have designed and implemented a small extension to C that partially solves the reasoning problem and leads to significantly better optimization. The extension guarantees that there will be no direct aliasing among arguments and globals inside procedure bodies, and yet allows aliasing among arguments and globals at the call site. This is done by having multiple bodies for each procedure, up to one for each aliasing pattern. Procedure calls are automatically dispatched to the body that matches the run-time aliasing pattern among the actual parameters and the globals. We present experimental evidence that this approach is practical. It is easy to convert existing C code, because not every procedure in a program has to be converted, and because converted code can call code that has not been converted and vice versa. By following simple guidelines, one can convert a program in a way that usually makes it run faster than before. In our experiments with 6 of the SPEC 2000 integer benchmarks we found an average speedup of about 5%. In one case, we had a speedup of about 29%