Illustrating the Mezzo programming language

When programmers want to prove strong program invariants, they are usually faced with a choice between using theorem provers and using traditional programming languages. The former requires them to provide program proofs, which, for many applications, is considered a heavy burden. The latter provides less guarantees and the programmer usually has to write run-time assertions to compensate for the lack of suitable invariants expressible in the type system. We introduce Mezzo, a programming language in the tradition of ML, in which the usual concept of a type is replaced by a more precise notion of a permission. Programs written in Mezzo usually enjoy stronger guarantees than programs written in pure ML. However, because Mezzo is based on a type system, the reasoning requires no user input. In this paper, we illustrate the key concepts of Mezzo, highlighting the static guarantees our language provides

Resource Usage Protocols for Iterators

We discuss usage protocols for iterator objects that prevent concurrent modifications of the underlying collection while iterators are in progress. We formalize these protocols in Java-like object interfaces, enriched with separation logic contracts. We present examples of iterator clients and proofs that they adhere to the iterator protocol, as well as examples of iterator implementations and proofs that they implement the iterator interface

Separation Logic for Small-step Cminor

Cminor is a mid-level imperative programming language; there are proved-correct optimizing compilers from C to Cminor and from Cminor to machine language. We have redesigned Cminor so that it is suitable for Hoare Logic reasoning and we have designed a Separation Logic for Cminor. In this paper, we give a small-step semantics (instead of the big-step of the proved-correct compiler) that is motivated by the need to support future concurrent extensions. We detail a machine-checked proof of soundness of our Separation Logic. This is the first large-scale machine-checked proof of a Separation Logic w.r.t. a small-step semantics. The work presented in this paper has been carried out in the Coq proof assistant. It is a first step towards an environment in which concurrent Cminor programs can be verified using Separation Logic and also compiled by a proved-correct compiler with formal end-to-end correctness guarantees.Comment: Version courte du rapport de recherche RR-613

A Conservative Type System Based on Fractional Permissions

The system of fractional permissions is a useful tool for giving semantics to various annotations for uniqueness, data groups, method effect, nullness, etc. However, due to its complexity, the current implementation for fractional permissions has various performance issues, and is not suitable for real world applications. This thesis presents a conservative type system on top of the existing fractional permission type system. The system is designed with high-level types, and is more restrictive. The benefit is that it can run much faster. With this system, we propose a multi-tiered approach for type checking: the conservative type system is first applied, and only those that it cannot handle will then be processed by the more powerful fractional permission system. A crucial property about a type system is its soundness. In this thesis we also present a mechanized proof, written in Twelf, for the conservative type system. A mechanized proof is checked by computer, and offers much more confidence about its correctness. Moreover, we proved the soundness property with a novel approach: instead of defining the semantics of the language and proving progress and preservation directly, we delegate it to the soundness proof of the fractional permission system. The novel technical features in this thesis include: 1) a multi-tiered approach for type checking and a conservative type system build on top of fractional permissions; 2) a mechanized proof for the type system, and 3) a novel way of proving soundness property for a type system

Comprehending annotations on object-oriented programs using fractional permissions

Fractional permissions are a general system for managing access to mutable state. We show how fractional permis-sions can give semantics to a regimen of annotations includ-ing“unique,”“non-null,”“read-only,”ownership, and method effects. The unification supports new annotations: “unique-write ” and “from”. We also develop a model of object in-variants in the presence of inheritance using “nesting, ” an extension of “adoption.” 1

Permission-Based Separation Logic for Multithreaded Java Programs

This paper presents a program logic for reasoning about multithreaded Java-like programs with dynamic thread creation, thread joining and reentrant object monitors. The logic is based on concurrent separation logic. It is the first detailed adaptation of concurrent separation logic to a multithreaded Java-like language. The program logic associates a unique static access permission with each heap location, ensuring exclusive write accesses and ruling out data races. Concurrent reads are supported through fractional permissions. Permissions can be transferred between threads upon thread starting, thread joining, initial monitor entrancies and final monitor exits. In order to distinguish between initial monitor entrancies and monitor reentrancies, auxiliary variables keep track of multisets of currently held monitors. Data abstraction and behavioral subtyping are facilitated through abstract predicates, which are also used to represent monitor invariants, preconditions for thread starting and postconditions for thread joining. Value-parametrized types allow to conveniently capture common strong global invariants, like static object ownership relations. The program logic is presented for a model language with Java-like classes and interfaces, the soundness of the program logic is proven, and a number of illustrative examples are presented

Sound Automation of Magic Wands (extended version)

The magic wand $\mathbin{-\!\!*}$ (also called separating implication) is a separation logic connective commonly used to specify properties of partial data structures, for instance during iterative traversals. A footprint of a magic wand formula $A \mathbin{-\!\!*} B$ is a state that, combined with any state in which $A$ holds, yields a state in which $B$ holds. The key challenge of proving a magic wand (also called packaging a wand) is to find such a footprint. Existing package algorithms either have a high annotation overhead or, as we show in this paper, are unsound. We present a formal framework that precisely characterises a wide design space of possible package algorithms applicable to a large class of separation logics. We prove in Isabelle/HOL that our formal framework is sound and complete, and use it to develop a novel package algorithm that offers competitive automation and is sound. Moreover, we present a novel, restricted definition of wands and prove in Isabelle/HOL that it is possible to soundly combine fractions of such wands, which is not the case for arbitrary wands. We have implemented our techniques for the Viper language, and demonstrate that they are effective in practice.Comment: Extended version of CAV 2022 publicatio