Local reasoning for global invariants, Part II: Dynamic boundaries

Anindya Banerjee, David A. Naumann

Research output: Contribution to journal › Article › peer-review

18 Scopus citations

Abstract

The hiding of internal invariants creates a mismatch between procedure specifications in an interface and proof obligations on the implementations of those procedures. The mismatch is sound if the invariants depend only on encapsulated state, but encapsulation is problematic in contemporary software due to the many uses of shared mutable objects. The mismatch is formalized here in a proof rule that achieves flexibility via explicit restrictions on client effects, expressed using ghost state and ordinary first order assertions. The restrictions amount to a stateful frame condition that must be satisfied by any client; this dynamic encapsulation boundary complements conventional scope-based encapsulation. The technical development is based on a companion article, Part I, that presents Region Logic, a programming logic with stateful frame conditions for commands.
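The abstract's central idea, a module invariant that spans heap objects clients can also reach, protected by a ghost region that clients are forbidden to write, can be made concrete in a small runtime model. The following is an added illustration written for this page; it is not code from the article and does not reproduce its proof rule or Region Logic's assertion language. The names `Heap`, `SortedList`, `Node` and the ghost set `rep` are assumptions made for the example. The frame condition "client writes nothing in rep" is checked dynamically here, whereas the paper discharges it statically from first-order assertions and ghost state; the point is to show the mismatch being closed: the client is stopped before it can break the invariant, and the boundary moves as the module's state changes.

```python
# Added illustration of a dynamic encapsulation boundary with ghost state.
# Not code from the paper; Heap/SortedList/Node and the runtime check are
# assumptions made for this example (Region Logic proves this statically).
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


class BoundaryViolation(Exception):
    """A client command wrote a field inside the module's boundary."""


@dataclass
class Node:
    key: int
    nxt: Optional["Node"] = None


class Heap:
    """Toy heap through which every field write is routed.

    `rep` is ghost state: ids of the objects whose fields the module's
    invariant currently depends on.  The stateful frame condition on every
    client command is "writes nothing in rep".
    """

    def __init__(self) -> None:
        self.rep: set[int] = set()

    def write(self, obj: object, fld: str, val: object, *, client: bool) -> None:
        if client and id(obj) in self.rep:
            raise BoundaryViolation(f"client wrote {fld} of encapsulated {type(obj).__name__}")
        setattr(obj, fld, val)


class SortedList:
    """Module whose invariant (keys strictly increasing along the chain)
    depends on Node objects that clients may also hold references to."""

    def __init__(self, heap: Heap) -> None:
        self.heap = heap
        self.head: Optional[Node] = None

    def keys(self) -> list[int]:
        out, n = [], self.head
        while n is not None:
            out.append(n.key)
            n = n.nxt
        return out

    def invariant(self) -> bool:
        ks = self.keys()
        return all(a < b for a, b in zip(ks, ks[1:]))

    def insert(self, key: int) -> Node:
        prev, cur = None, self.head
        while cur is not None and cur.key < key:
            prev, cur = cur, cur.nxt
        if cur is not None and cur.key == key:
            return cur                        # already present; boundary unchanged
        node = Node(key)
        self.heap.rep.add(id(node))           # boundary grows: node now encapsulated
        self.heap.write(node, "nxt", cur, client=False)
        if prev is None:
            self.head = node
        else:
            self.heap.write(prev, "nxt", node, client=False)
        assert self.invariant()               # proof obligation on the implementation
        return node

    def remove(self, key: int) -> Optional[Node]:
        prev, cur = None, self.head
        while cur is not None and cur.key != key:
            prev, cur = cur, cur.nxt
        if cur is None:
            return None
        if prev is None:
            self.head = cur.nxt
        else:
            self.heap.write(prev, "nxt", cur.nxt, client=False)
        self.heap.write(cur, "nxt", None, client=False)
        self.heap.rep.discard(id(cur))        # boundary shrinks: node released to client
        assert self.invariant()
        return cur


def client_scenario() -> tuple[bool, bool, list[int]]:
    """Client holding a shared reference: the write inside the boundary is
    rejected; the same write after the node is released is permitted."""
    heap = Heap()
    s = SortedList(heap)
    s.insert(3)
    s.insert(1)
    shared = s.insert(2)                      # client keeps a reference to a rep node
    try:
        heap.write(shared, "key", 0, client=True)   # would break sortedness
        caught = False
    except BoundaryViolation:
        caught = True
    still_ok = s.invariant()                  # invariant survived the attempt
    s.remove(2)                               # node leaves rep
    heap.write(shared, "key", 0, client=True)  # now outside the boundary, allowed
    return caught, still_ok, s.keys()


if __name__ == "__main__":
    print(client_scenario())
```

The runtime check is only a stand-in: a client that assigns `shared.key = 0` directly bypasses `Heap.write`, which is exactly why the paper states the restriction as a frame condition on client commands and proves it rather than checking it at run time. What the model does show is why the boundary has to be dynamic: `rep` grows on `insert` and shrinks on `remove`, so a scope-based rule fixed at compile time could not describe which objects are protected.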

Original language: English
Article number: 19
Journal: Journal of the ACM (JACM)
Volume: 60
Issue number: 3
DOIs
State: Published - Jun 2013

Keywords

  • Data abstraction
  • Data invariants
  • Heap separation
  • Information hiding
  • Modularity
  • Resource protection
