Local reasoning about programs exploits the natural local behaviour common in programs by focussing on the footprint - that part of the resource accessed by the program. We address the problem of formally characterising and analysing the footprint notion for abstract local functions introduced by Calcagno, O Hearn and Yang. With our definition, we prove that the footprints are the only essential elements required for a complete specification of a local function. We formalise the notion of small specifications in local reasoning and show that for well-founded resource models, a smallest specification always exists that only includes the footprints, and also present results for the non-well-founded case. Finally, we use this theory of footprints to investigate the conditions under which the footprints correspond to the smallest safe states. We present a new model of RAM in which, unlike the standard model, the footprints of every program correspond to the smallest safe states, and we also identify a general condition on the primitive commands of a programming language which guarantees this property for arbitrary models.
Deep Dive into Footprints in Local Reasoning.
Local reasoning about programs exploits the natural local behaviour common in programs by focussing on the footprint - that part of the resource accessed by the program. We address the problem of formally characterising and analysing the footprint notion for abstract local functions introduced by Calcagno, O Hearn and Yang. With our definition, we prove that the footprints are the only essential elements required for a complete specification of a local function. We formalise the notion of small specifications in local reasoning and show that for well-founded resource models, a smallest specification always exists that only includes the footprints, and also present results for the non-well-founded case. Finally, we use this theory of footprints to investigate the conditions under which the footprints correspond to the smallest safe states. We present a new model of RAM in which, unlike the standard model, the footprints of every program correspond to the smallest safe states, and we als
Local reasoning about programs focusses on the collection of resources directly acted upon by the program. It has recently been introduced and used to substantial effect in local Hoare reasoning about memory update. Researchers previously used Hoare reasoning based on First-order Logic to specify how programs interacted with the whole memory. O'Hearn, Reynolds and Yang instead introduced local Hoare reasoning based on Separation Logic [14,11]. The idea is to reason only about the local parts of the memory-the footprints-that are accessed by a program. Intuitively, the footprints form the pre-conditions of the small axioms, which provide the smallest complete specification of the program. All the true Hoare triples are derivable from the small axioms and the general Hoare rules. In particular, the frame rule extends the reasoning to properties about the rest of the heap which has not been changed by the command.
O’Hearn, Reynolds and Yang originally introduced Separation Logic to solve the problem of how to reason about the mutation of data structures in memory. They have applied their reasoning to several memory models, including heaps based on pointer arithmetic [14], heaps with permissions [4], and the combination of heaps with variable stacks which views variables as resource [5,17]. In each case, the basic soundness and completeness results for local Hoare reasoning are essentially the same. For this reason, Calcagno, O’Hearn and Yang [9] recently introduced abstract local functions over abstract resource models which they call separation algebras. They generalised their specific examples of local imperative commands and memory models in this abstract framework. They introduced Abstract Separation Logic to provide local Hoare reasoning about such functions, and give general soundness and completeness results.
We believe that the general concept of a local function is a fundamental step towards establishing the theoretical foundations of local reasoning, and Abstract Separation Logic is an important generalisation of the local Hoare reasoning systems now widely studied in the literature. However, Calcagno, O’Hearn and Yang do not characterise the footprints and small axioms in this general theory, which is a significant omission. O’Hearn, Reynolds and Yang, in one of their first papers on the subject [14], state the local reasoning viewpoint as:
’to understand how a program works, it should be possible for reasoning and specification to be confined to the cells that the program actually accesses. The value of any other cell will automatically remain unchanged.’ A complete understanding of the foundations of local Hoare reasoning therefore requires a formal characterisation of the footprint notion. O’Hearn tried to formalise footprints in his work on Separation Logic (personal communication with O’Hearn). His intuition was that the footprints should be the smallest states on which the program is safe -the safety footprint, and that the small axioms arising from these footprints should give rise to a complete specification using the general rules for local Hoare reasoning. However, Yang discovered that this notion of footprint does not work, since it does not always yield a complete specification for the program. Consider the program 1AD ::= x := new(); dispose(x)
This allocate-deallocate program allocates a new cell, stores its address value in the stack variable x, and then deallocates the cell. It is local because all its atomic constituents are local. This tiny example captures the essence of a common type of program; there are many programs which, for example, create a list, work on the list, and then destroy the list.
The smallest heap on which the AD program is safe is the empty heap emp. The specification using this pre-condition is:
We can extend our reasoning to larger heaps by applying the frame rule: for example, extending to a one-cell heap with arbitrary address l and value v gives
However, axiom (1) does not give the complete specification of the AD program. In fact, it captures very little of the spirit of allocation followed by de-allocation. For example, the following triple is also true:
This triple (3) is true because, if l is already allocated, then the new address cannot be l and hence x cannot be l. It cannot be derived from (1). However, the combination of axiom (1) and axiom (3) for arbitrary one-cell heaps does provide the smallest complete specification. This example illustrates that O’Hearn’s intuitive view of the footprints as the minimal safe states just does not work for common imperative programs.
In this paper, we introduce the formal definition of the footprint of a local function that does yield a complete specification for the function. For our AD example, our definition identifies emp and the arbitrary one-cell heaps l → v as footprints, as expected. We prove the general result that, for any local function, the footprints are the only elements which are essenti
…(Full text truncated)…
This content is AI-processed based on ArXiv data.
