Peter O'Hearn

University College London | UCL · Department of Computer Science

Incorrectness Logic (IL) has recently been advanced as a logical theory for compositionally proving the presence of bugs—dual to Hoare Logic, which is used to compositionally prove their absence. Though IL was motivated in large part by the aim of providing a logical foundation for bug-catching program analyses, it has remained an open question: is...

We use Iris, an implementation of concurrent separation logic in the Coq proof assistant, to verify two queue data structures used for inter-process communication in an operating system under development. Our motivations are twofold. First, we wish to leverage formal verification to boost confidence in a delicate piece of industrial code that was s...

Incorrectness separation logic (ISL) was recently introduced as a theory of under-approximate reasoning, with the goal of proving that compositional bug catchers find actual bugs. However, ISL only considers sequential programs. Here, we develop concurrent incorrectness separation logic (CISL), which extends ISL to account for bug catching in concu...

Variants of Kleene algebra have been used to provide foundations of reasoning about programs, for instance by representing Hoare Logic (HL) in algebra. That work has generally emphasised program correctness, i.e., proving the absence of bugs. Recently, Incorrectness Logic (IL) has been advanced as a formalism for the dual problem: proving the prese...

There has been a large body of work on local reasoning for proving the absence of bugs, but none for proving their presence. We present a new formal framework for local reasoning about the presence of bugs, building on two complementary foundations: 1) separation logic and 2) incorrectness logic. We explore the theory of this new incorrectness sepa...

There has been a large body of work on local reasoning for proving the absence of bugs, but none for proving their presence. We present a new formal framework for local reasoning about the presence of bugs, building on two complementary foundations: 1) separation logic and 2) incorrectness logic. We explore the theory of this new incorrectness sepa...

Program correctness and incorrectness are two sides of the same coin. As a programmer, even if you would like to have correctness, you might find yourself spending most of your time reasoning about incorrectness. This includes informal reasoning that people do while looking at or thinking about their code, as well as that supported by automated tes...

One might poetically muse that computers have the essence both of logic and machines. Through the case of the history of Separation Logic, we explore how this assertion is more than idle poetry. Separation Logic works because it merges the software engineer’s conceptual model of a program’s manipulation of computer memory with the logical model tha...

Key lessons for designing static analyses tools deployed to find bugs in hundreds of millions of lines of code.

Separation logic is a key development in formal reasoning about programs, opening up new lines of attack on longstanding problems.

RacerD is a static race detector that has been proven to be effective in engineering practice: it has seen thousands of data races fixed by developers before reaching production, and has supported the migration of Facebook's Android app rendering infrastructure from a single-threaded to a multi-threaded architecture. We prove a True Positives Theor...

Automatic static detection of data races is one of the most basic problems in reasoning about concurrency. We present RacerD—a static program analysis for detecting data races in Java programs which is fast, can scale to large code, and has proven effective in an industrial software engineering scenario. To our knowledge, RacerD is the first inter-...

This paper describes some of the challenges and opportunities when deploying static and dynamic analysis at scale, drawing on the authors' experience with the Infer and Sapienz Technologies at Facebook, each of which started life as a research-led start-up that was subsequently deployed at scale, impacting billions of people worldwide. The paper id...

This paper tells the story of the development of RacerD, a static program analysis for detecting data races that is in production at Facebook. The technical details of RacerD are described in a separate paper; we concentrate here on how the project unfolded from a human point of view. The paper describes, in this specific case, the benefits of feed...

This paper describes work in continuous reasoning, where formal reasoning about a (changing) codebase is done in a fashion which mirrors the iterative, continuous model of software development that is increasingly practiced in industry. We suggest that advances in continuous reasoning will allow formal reasoning to scale to more programs, and more...

Concurrent Separation Logic (CSL) was originally advanced in papers of the authors published in Theoretical Computer Science for John Reynolds's 70th Birthday Festschrift (2007). Preliminary versions appeared as invited papers in the CONCUR'04 conference proceedings. Foundational work leading to these papers began in 2002. Since then there have bee...

For organisations like Facebook, high quality software is important. However, the pace of change and increasing complexity of modern code makes it difficult to produce error-free software. Available tools are often lacking in helping programmers develop more reliable and secure applications. Formal verification is a technique able to detect softwar...

When disproving termination using known techniques (e.g. recurrence sets), abstractions that overapproximate the program's transition relation are unsound. In this paper we introduce live abstractions, a natural class of abstractions that can be combined with the recent concept of closed recurrence sets to soundly disprove termination. To demonstra...

We investigate the connection between a general form of Concurrent Separation Logic (CSL), a logic for modular reasoning about concurrent programs, and Concurrent Kleene Algebra (CKA), which provides an axiomatic approach to models of concurrency. We show how the proof theory of a general form of CSL can be embedded in a variation on the notion of...

This report summarises the background and recent progress in the research of its co-authors. It is aimed at the construction of links between algebraic presentations of the principles of programming and the exploitation of concurrency in modern programming practice. The signature and laws of a Concurrent Kleene Algebra (CKA) largely overlap with th...

We show how the problem of nontermination proving can be reduced to a question of underapproximation search guided by a safety prover. This reduction leads to new nontermination proving implementation strategies based on existing tools for safety proving. Our preliminary implementation beats existing tools. Furthermore, our approach leads to easy s...

John Reynolds (1935-2013) was a pioneer of programming languages research. In this paper we pay tribute to the man, his ideas, and his influence.

John Reynolds (1935-2013) was a pioneer of programming languages research. In this paper we pay tribute to the man, his ideas, and his influence.

These notes are a companion to [1] which describe - the variable conditions that Smallfoot checks, - the analysis used to check them, - the algorithm used to compute a set of verification conditions corresponding to an annotated program, and - the treatment of concurrent resource initialization code.

Freefinement is an algorithm that constructs a sound refinement calculus from a verification system under certain conditions. In this paper, a verification system is any formal system for establishing whether an inductively defined term, typically a ...

This talk reports on ongoing work - with Tony Hoare, Akbar Hussain, Bernhard Möller, Rasmus Petersen, Georg Struth, Ian Wehrman, and others - on models and logics for concurrent processes [10,6,5]. The approach we are taking abstracts from syntax or particular models. Message passing and shared memory process interaction, and strong (interleaving)...

Reasoning about programs has traditionally been done using deductive reasoning, where mathematical logic is used to make proofs that connect programs with specifications. In this talk I describe an approach where an automated reasoning tool approaches program code as a scientist would in the natural world. Instead of just deductive logic, versions...

Abduction, the problem of discovering hypotheses that support a conclusion, has mainly been studied in the context of philosophical logic and Artificial Intelligence. Recently, it was used in a compositional program analysis based on separation logic that discovers (partial) pre/post specifications for un-annotated code which approximates memory re...

This paper studies algebraic models for concurrency, in light of recent work on Concurrent Kleene Algebra and Separation Logic. It establishes a strong connection between the Concurrency and Frame Rules of Separation Logic and a variant of the exchange law of Category Theory. We investigate two standard models: one uses sets of traces, and the othe...

Concurrent data structures are usually designed to satisfy correctness conditions such as sequential consistency or linearizability. In this paper, we consider the following fundamental question: What guarantees are provided by these conditions for client programs? We formally show that these conditions can be characterized in terms of observationa...

Data refinement is a common approach to reasoning about programs, based on establishing that a concrete program indeed satisfies all the required properties imposed by an intended abstract pattern. Reasoning about programs in this setting becomes complex when use of pointers is assumed and, moreover, a well-known method for proving data refinement,...

We present a proof of safety and linearizability of a highly-concurrent optimistic set algorithm. The key step in our proof is the Hindsight Lemma, which allows a thread to infer the existence of a global state in which its operation can be linearized based on limited local atomic observations about the shared state. The Hindsight Lemma allows us t...

We describe a method for reasoning about programs that uses a mixture of abductive, inductive and deductive inference. It allows us to synthesize a pre/post spec for a program procedure, without requiring any information about the procedure’s calling context. The method can be used to obtain partial specifications for portions of large code bases i...

Graphs are used to model control and data flow among events occurring in the execution of a concurrent program. Our treatment of data flow covers both shared storage and external communication. Nevertheless, the laws of Hoare and Jones correctness reasoning remain valid when interpreted in this general model.

Concurrent data structures are usually designed to satisfy correctness conditions such as sequential consistency and linearizability. In this paper, we consider the following fundamental question: what guarantees are provided by these conditions for client programs? We formally show that these conditions can be characterized in terms of observation...

Space Invader is a static analysis tool that aims to perform accurate, automatic verification of the way that programs use pointers. It uses separation logic assertions [10,11] to describe states, and works by performing a proof search, using abstract interpretation to enable convergence. As well as having roots in separation logic, Invader draws o...

This paper describes a compositional shape analysis, where each procedure is analyzed independently of its callers. The analysis uses an abstract domain based on a restricted fragment of separation logic, and assigns a collection of Hoare triples to each procedure; the triples provide an over-approximation of data structure usage. Compositionality...

Separation logic is an extension of Hoare’s logic for reasoning about programs that manipulate pointers. It is based on the separating conjunction P ∗ Q, which asserts that P and Q hold for separate portions of computer memory. This tutorial on separation logic has three parts. 1 Basics. Concentrating on highlights from the early work [1,2,3,4]. 1...

Separation logic is an extension of Hoare’s logic for reasoning about programs that manipulate pointers. Its assertion language extends classical logic with a separating conjunction operator A*B, which asserts that A and B hold for separate portions of memory. In this tutorial I will first cover the basics of the logic, concentrating on highlights...

Pointer safety faults in device drivers are one of the leading causes of crashes in operating systems code. In principle, shape analysis tools can be used to prove the absence of this type of error. In practice, however, shape analysis is not used due to the unacceptable mixture of scalability and precision provided by existing tools. In this paper...

This paper explores a unification of the ideas of Concurrent Separation Logic with those of Communicating Sequential Processes. It extends separation logic by an operator for separation in time as well as separation in space. It extends CSP in the direction of the pi-calculus: dynamic change of alphabet is achieved by communication of channel names...

Existing shape analysis algorithms infer descriptions of data structures at program points, starting from a given precondition. We describe an analysis that does not require any preconditions. It works by attempting to infer a description of only the cells that might be accessed, following the footprint idea in separation logic. The analysis allows...

Separation logic is an extension of Hoare's logic which supports a local way of reasoning about programs that mutate memory. We present a study of the semantic structures lying behind the logic. The core idea is of a local action, a state transformer that mutates the state in a local way. We formulate local actions for a class of models called sepa...

We propose a shape analysis that adapts to some of the complex composite data structures found in industrial systems-level pro- grams. Examples of such data structures include "cyclic doubly-linked lists of acyclic singly-linked lists", "singly-linked lists of cyclic doubly- linked lists with back-pointers to head nodes", etc. The analysis intro- d...

This paper contributes to the development of techniques for the modular proof of programs that include concurrent algorithms. We present a proof of a non-blocking concurrent algorithm, which provides a shared stack. The inter-thread interference, which is essential to the algorithm, is confined in the proof and the specification to the modular oper...

An invariance assertion for a program location ' is a statement that always holds at ' during execution of the program. Program invari- ance analyses infer invariance assertions that can be useful when trying to prove safety properties. We use the term variance asser- tion to mean a statement that holds between any state at ' and any previous state...

Concurrent separation logic provides a way of reasoning about the usage of resources in concurrent programs. Proofs in the logic all track the transfer of ownership of portions of memory between concurrent processes, mirroring design principles for concurrent systems programs. This allows the safe treatment of "daring" concurrent programs, that acc...

Without Abstract

Previous shape analysis algorithms use a memory model where the heap is composed of discrete nodes that can be accessed only via access paths built from variables and field names, an assumption that is violated by pointer arithmetic. In this paper we show how this assumption can be removed, and pointer arithmetic embraced, by using an analysis base...

We describe a new program termination analysis designed to handle imperative programs whose termination depends on the mutation of the program's heap. We first describe how an abstract interpretation can be used to construct a finite number of relations which, if each is well-founded, implies termination. We then give an abstract interpreta- tion b...

We present a bunched intermediate language for strong (type-changing) update and disposal of first-order references. In contrast to other substructural type systems, the additive constructs of bunched types allow the encapsulation of state that is shared by a collection of procedures.

Given the right computer-based tools, the use of formal methods could become widespread and transform software engineering. The computer science community recently committed itself to making verified software a reality within the next 15 to 20 years when representatives met in Zurich in 2005 to discuss an international grand challenge on verificati...

We describe a program analysis for linked list programs where the abstract domain uses formulae from separation logic.

We describe a sound method for automatically proving Hoare triples for loop-free code in Separation Logic, for certain preconditions and postconditions (symbolic heaps). The method uses a form of sym- bolic execution, a decidable proof theory for symbolic heaps, and extrac- tion of frame axioms from incomplete proofs. This is a precursor to the use...

Separation logic is a program logic for reasoning about programs that manipulate pointer data structures. We describe Smallfoot, a tool for checking certain lightweight separation logic specifications. The assertions describe the shapes of data structures rather than their detailed contents, and this allows reasoning to be fully automatic. The pres...

If program verification tools are ever to be used widely, it is essential that they work in a modular fashion. Otherwise, verification will not scale. This paper discusses the scientific challenges that this poses for research in program logic. Some recent work on separation logic is described, and test problems that would be useful in measuring ad...

A lightweight logical approach to race-free sharing of heap storage between concurrent threads is described, based on the notion of permission to access. Transfer of permission between threads, subdivision and combination of permission is discussed. The roots of the approach are in Boyland's [3] demonstration of the utility of fractional permission...

We present a fragment of separation logic oriented to linked lists, and study decision procedures for validity of entailments. The restrictions in the fragment are motivated by the stylized form of reasoning done in example program proofs. The fragment includes a predicate for describing linked list segments (a kind of reachability or transitive cl...

In the 1960s Dijkstra suggested that, in order to limit the complexity of potential process interactions, concurrent programs should be designed so that different processes behave independently, except at rare moments of synchronization [3]. Then, in the 1970s Hoare and Brinch Hansen argued that debugging and reasoning about concurrent programs cou...

We investigate proof rules for information hiding, using the recent formalism of separation logic. In essence, we use the separating conjunction to partition the internal resources of a module from those accessed by the module's clients. The use of a logical connective gives rise to a form of dynamic partitioning, where we track the transfer of own...

We present a new semantics for Algol-like languages that combines methods from two prior lines of development: • the object-based approach of Reddy, where the meaning of an imperative program is described in terms of sequences of observable actions, and • the functor-category approach initiated by Reynolds, where the varying nature of the run-time...

affiliated with Nineteenth Annual IEEE Symposium on Logic in Computer Science - LICS 2004 and ICALP'04 - 31st International Colloquium on Automata, Languages and Programming . Congrès (éditeur). internationale.

It is generally thought that reasoning about programs in memory safe, garbage collected languages is much easier than in languages where the programmer has more explicit control over memory. Paradoxically, existing program logics are based on a low-level view of storage that is sensitive to the presence or absence of unreachable cells, and Reynolds...

The logic of bunched implications, BI, is a substructural system which freely combines an additive (intuitionistic) and a multiplicative (linear) implication via bunches (contexts with two combining operations, one which admits Weakening and Contraction and one which does not). BI may be seen to arise from two main perspectives. On the one hand, fr...

Continuations can be used to explain a wide variety of control behaviours, including calling/returning (procedures), raising/handling (exceptions), labelled jumping (goto statements), process switching (coroutines), and backtracking. However, continuations are often manipulated in a highly stylised way, and we show that all of these, bar backtracki...

We present a semantic analysis of a recently proposed formalism for local reasoning, where a specification (and hence proof) can concentrate on only those cells that a program accesses. Our main results are the soundness and, in a sense, completeness of a rule that allows frame axioms, which describe invariant properties of portions of heap memory,...

This paper studies a recently developed an approach to rea- soning about mutable data structures, which uses an assertion language with spatial conjunction and implication connectives. We investigate computability and complexity properties of a subset of the language, which allows statements about the shape of pointer structures (such as \there is...

This paper studies a recently developed an approach to reasoning about mutable data structures, which uses an assertion language with spatial conjunction and implication connectives. We investigate computability and complexity properties of a subset of the language, which allows statements about the shape of pointer structures (such as "there is a...

This paper studies a recently developed an approach to reasoning about mutable data structures, which uses an assertion language with spatial conjunction and implication connectives. We investigate computability and complexity properties of a subset of the language, which allows statements about the shape of pointer structures (such as here is a li...

We describe an extension of Hoare’s logic for reasoning about programs that alter data structures. We consider a low-level storage model based on a heap with associated lookup, update, allocation and deallocation operations, and unrestricted address arithmetic. The assertion language is based on a possible worlds model of the logic of bunched impli...

Garbage collection relieves the programmer of the burden of managing dynamically allocated memory, by providing an automatic way to reclaim unneeded storage. This eliminates or lessens program errors that arise from attempts to access disposed memory, and generally leads to simpler programs. One might therefore expect that reasoning about programs...

t on a type system with goals that are similar to our logics [22]. The research of my own that is described in these lectures was supported by National Science Foundation Grant CCR{9804014. 3 References

Engberg and Winskel's Petri net semantics of linear logic is re-considered, from the point of view of the logic BI of bunched implications.

In 1978, John Reynolds introduced Syntactic Control of Interference, a type-based method of managing aliasing and other forms interference resulting from shared storage. In contemporary terms, Reynolds's type system was an ane -calculus, where the structural rule of Contraction is absent. Although very clean, two limitations were recognized from th...

Motivated by a model for syntactic control of interference, we introduce a general categorical concept of bireflectivity. Bireflective subcategories of a category A are subcategories with left and right adjoint equal, subject to a coherence condition. We characterize them in terms of split-idempotent natural transformations on id A . In the special...

Reynolds has developed a logic for reasoning about mutable data structures in which the pre- and postconditions are written in an intuitionistic logic enriched with a spatial form of conjunction. We investigate the approach from the point of view of the logic BI of bunched implications of O'Hearn and Pym. We begin by giving a model in which the law...

Introduction This paper is a companion to Linearly Used Continuations" by the authors. There, we show how a variety of control behaviours use continuations anely, including calling/returning (procedures), raising/handling (exceptions), labelled jumping (goto statements), and process switching (coroutines). Our purpose here is to show how an ane typ...

ce rules. 6 Transition Rules for the New Commands Construction v :- cons(eo ...n-1)($h)) [h [: 'O'exp$ [... [ -- T/, - 1: 'n_l'exp$ ]) where ... -- n - 1 E Locations - dom h. Lookup When eexp$ E dom h: (V :---- [e] ($ h)) ([ $ [ v: h(]exp$) ] When exp $ dom h: (v :--[e], (s, h)) abort 7 More Transition Rules Mutation When eexp5 E dom h: ([e] '-- ',...

this paper is to describe the main conceptual aspects of linearly used continuations in a way that keeps the technical discussion as simple as possible. So we concentrate on soundness only. A comprehensive analysis of completeness properties of our transforms, or variants, represents a challenge for future work, and in stating the transforms for a...

. Memory-safe programming languages harness the power of pointers by disallowing certain operations { notably operations for pointer arithmetic and disposal { and memory reclamation is often achieved through garbage collection. But existing logics of pointer programs are based on a low level view of storage that is sensitive to the presence or abse...

We study a typing scheme derived from a semantic situation where a single category possesses several closed structures, or function types. In this scheme typing contexts are trees built from two (or more) binary combining operations, or in short, bunches. The most basic system has two combining connectives, and the structural rules of Weakening and...

Bornat has recently described an approach to reasoning about pointers, building on work of Morris. Here we describe a semantics that validates the approach, and use it to help devise axioms for operations that allocate and dispose of memory. 1. INTRODUCTION It is widely acknowledged that pointers cause problems for program-proving formalisms (e.g....

ion and Store Shapes . . . . . . . . . . 6 2 Two Variations on Algol 8 2.1 Idealized Algol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Name: P.W. O'Hearn Address: Department of Computer Science, Queen Mary and Westfield College, London E1 4NS, UK. e-mail: ohearn@dcs.qmw.ac.uk Name: J.C. Reynolds Address: School of Computer Science...

Motivated by a model for syntactic control of interference, we introduce a general categorical concept of bireflectivity. Bireflective subcategories of a category are subcategories with left and right adjoint equal, subject to a coherence condition. We characterize them in terms of split-idempotent natural transformations on id . In the special ca...

In “syntactic control of interference” (POPL, 1978), J.C. Reynolds proposes three design principles intended to constrain the scope of imperative state effects in Algol-like languages. The resulting linguistic framework seems to be a very satisfactory way of combining functional and imperative concepts, having the desirable attributes of both purel...

We introduce a logic BI in which a multiplicative (or linear) and an additive (or intuitionistic) implication live side-by-side. The propositional version of BI arises from an analysis of the proof-theoretic relationship between conjunction and implication; it can be viewed as a merging of intuitionistic logic and multiplicative intuitionistic line...

. We introduce the ff-calculus, a typed calculus that includes a multiplicative function type Gamma alongside an additive function type !. It arises proof-theoretically as a calculus of proof terms for the logic of bunched implications of O'Hearn and Pym, and semantically from doubly closed categories, where a single category possesses two closed s...

We propose a proof representation format for human-oriented proofs at the assertion level with under-specification. This work aims at providing a possible solution to challenging phenomena worked out in empirical studies in the DIALOG project at Saarland University. A particular challenge in this project is to bridge the gap between the human-orien...

We introduce the αλ-calculus, a typed calculus that includes a multiplicative function type -* alongside an additive function type →. It arises proof-theoretically as a calculus of proof terms for the logic of bunched implications of O’Hearn and Pym, and semantically from doubly closed categories, where a single category possesses two closed struct...

As a service to our readers, SIGACT News has an agreement with Computing Reviews to reprint reviews of books and articles of interest to the theoretical computer science community. Computing Reviews is a monthly journal that publishes ...