152 research outputs found
Illustrating the Mezzo programming language
When programmers want to prove strong program invariants, they are usually
faced with a choice between using theorem provers and using traditional
programming languages. The former requires them to provide program proofs,
which, for many applications, is considered a heavy burden. The latter provides
less guarantees and the programmer usually has to write run-time assertions to
compensate for the lack of suitable invariants expressible in the type system.
We introduce Mezzo, a programming language in the tradition of ML, in which
the usual concept of a type is replaced by a more precise notion of a
permission. Programs written in Mezzo usually enjoy stronger guarantees than
programs written in pure ML. However, because Mezzo is based on a type system,
the reasoning requires no user input. In this paper, we illustrate the key
concepts of Mezzo, highlighting the static guarantees our language provides
Resource Usage Protocols for Iterators
We discuss usage protocols for iterator objects that prevent concurrent modifications of the underlying collection while iterators are in progress. We formalize these protocols in Java-like object interfaces, enriched with separation logic contracts. We present examples of iterator clients and proofs that they adhere to the iterator protocol, as well as examples of iterator implementations and proofs that they implement the iterator interface
Separation Logic for Small-step Cminor
Cminor is a mid-level imperative programming language; there are
proved-correct optimizing compilers from C to Cminor and from Cminor to machine
language. We have redesigned Cminor so that it is suitable for Hoare Logic
reasoning and we have designed a Separation Logic for Cminor. In this paper, we
give a small-step semantics (instead of the big-step of the proved-correct
compiler) that is motivated by the need to support future concurrent
extensions. We detail a machine-checked proof of soundness of our Separation
Logic. This is the first large-scale machine-checked proof of a Separation
Logic w.r.t. a small-step semantics. The work presented in this paper has been
carried out in the Coq proof assistant. It is a first step towards an
environment in which concurrent Cminor programs can be verified using
Separation Logic and also compiled by a proved-correct compiler with formal
end-to-end correctness guarantees.Comment: Version courte du rapport de recherche RR-613
A Conservative Type System Based on Fractional Permissions
The system of fractional permissions is a useful tool for giving semantics to various
annotations for uniqueness, data groups, method effect, nullness, etc. However, due
to its complexity, the current implementation for fractional permissions has various
performance issues, and is not suitable for real world applications.
This thesis presents a conservative type system on top of the existing fractional
permission type system. The system is designed with high-level types, and is more
restrictive. The benefit is that it can run much faster. With this system, we propose a
multi-tiered approach for type checking: the conservative type system is first applied,
and only those that it cannot handle will then be processed by the more powerful
fractional permission system.
A crucial property about a type system is its soundness. In this thesis we also present
a mechanized proof, written in Twelf, for the conservative type system. A mechanized
proof is checked by computer, and offers much more confidence about its
correctness. Moreover, we proved the soundness property with a novel approach: instead of
defining the semantics of the language and proving progress and preservation directly, we
delegate it to the soundness proof of the fractional permission system.
The novel technical features in this thesis include: 1) a multi-tiered approach for type
checking and a conservative type system build on top of fractional permissions; 2) a
mechanized proof for the type system, and 3) a novel way of proving soundness property
for a type system
Comprehending annotations on object-oriented programs using fractional permissions
Fractional permissions are a general system for managing access to mutable state. We show how fractional permis-sions can give semantics to a regimen of annotations includ-ing“unique,”“non-null,”“read-only,”ownership, and method effects. The unification supports new annotations: “unique-write ” and “from”. We also develop a model of object in-variants in the presence of inheritance using “nesting, ” an extension of “adoption.” 1
Permission-Based Separation Logic for Multithreaded Java Programs
This paper presents a program logic for reasoning about multithreaded
Java-like programs with dynamic thread creation, thread joining and reentrant
object monitors. The logic is based on concurrent separation logic. It is the
first detailed adaptation of concurrent separation logic to a multithreaded
Java-like language. The program logic associates a unique static access
permission with each heap location, ensuring exclusive write accesses and
ruling out data races. Concurrent reads are supported through fractional
permissions. Permissions can be transferred between threads upon thread
starting, thread joining, initial monitor entrancies and final monitor exits.
In order to distinguish between initial monitor entrancies and monitor
reentrancies, auxiliary variables keep track of multisets of currently held
monitors. Data abstraction and behavioral subtyping are facilitated through
abstract predicates, which are also used to represent monitor invariants,
preconditions for thread starting and postconditions for thread joining.
Value-parametrized types allow to conveniently capture common strong global
invariants, like static object ownership relations. The program logic is
presented for a model language with Java-like classes and interfaces, the
soundness of the program logic is proven, and a number of illustrative examples
are presented
Sound Automation of Magic Wands (extended version)
The magic wand (also called separating implication) is a
separation logic connective commonly used to specify properties of partial data
structures, for instance during iterative traversals. A footprint of a magic
wand formula is a state that, combined with any state in
which holds, yields a state in which holds. The key challenge of
proving a magic wand (also called packaging a wand) is to find such a
footprint. Existing package algorithms either have a high annotation overhead
or, as we show in this paper, are unsound. We present a formal framework that
precisely characterises a wide design space of possible package algorithms
applicable to a large class of separation logics. We prove in Isabelle/HOL that
our formal framework is sound and complete, and use it to develop a novel
package algorithm that offers competitive automation and is sound. Moreover, we
present a novel, restricted definition of wands and prove in Isabelle/HOL that
it is possible to soundly combine fractions of such wands, which is not the
case for arbitrary wands. We have implemented our techniques for the Viper
language, and demonstrate that they are effective in practice.Comment: Extended version of CAV 2022 publicatio
- …