Journal of Automated Reasoning

, Volume 54, Issue 3, pp 199–284 | Cite as

Symbolic Execution Proofs for Higher Order Store Programs

  • Bernhard Reus
  • Nathaniel Charlton
  • Ben Horsfall


Higher order store programs are programs which store, manipulate and invoke code at runtime. Important examples of higher order store programs include operating system kernels which dynamically load and unload kernel modules. Yet conventional Hoare logics, which provide no means of representing changes to code at runtime, are not applicable to such programs. Recently, however, new logics using nested Hoare triples have addressed this shortcoming. In this paper we describe, from top to bottom, a sound semi-automated verification system for higher order store programs. We give a programming language with higher order store features, define an assertion language with nested triples for specifying such programs, and provide reasoning rules for proving programs correct. We then present in full our algorithms for automatically constructing correctness proofs. In contrast to earlier work, the language also includes ordinary (fixed) procedures and mutable local variables, making it easy to model programs which perform dynamic loading and other higher order store operations. We give an operational semantics for programs and a step-indexed interpretation of assertions, and use these to show soundness of our reasoning rules, which include a deep frame rule which allows more modular proofs. Our automated reasoning algorithms include a scheme for separation logic based symbolic execution of programs, and automated provers for solving various kinds of entailment problems. The latter are presented in the form of sets of derived proof rules which are constrained enough to be read as a proof search algorithm.


Program verification Higher order store Recursion through the store Separation logic Automated verification 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    The Crowfoot website. (2011)
  2. 2.
    Beckmann, O., Houghton, A., Mellor, M.R., Kelly, P.H.J.: Runtime code generation in C++ as a foundation for domain-specific optimisation. In: Domain-Specific Program Generation, pp 291–306 (2003)Google Scholar
  3. 3.
    Benton, N., Kennedy, A., Beringer, L., Hofmann, M.: Relational semantics for effect-based program transformations: higher-order store. In: PPDP, pp 301–312 (2009)Google Scholar
  4. 4.
    Berdine, J., Calcagno, C., O’Hearn, P.W.: Smallfoot: Modular automatic assertion checking with separation logic. In: FMCO, pp 115–137 (2005)Google Scholar
  5. 5.
    Berdine, J., Calcagno, C., O’Hearn, P.W.: Symbolic execution with separation logic. In: APLAS, pp 52–68 (2005)Google Scholar
  6. 6.
    Biering, B., Birkedal, L., Torp-Smith, N. : Bi-hyperdoctrines, higher-order separation logic, and abstraction. ACM Trans. Program. Lang. Syst. 29 (5) (2007)Google Scholar
  7. 7.
    Birkedal, L., Reus, B., Schwinghammer, J., Støvring, K., Thamsborg, J., Yang, H.: Step-indexed Kripke models over recursive worlds. In: POPL’11, pp 119–132. IEEE (2011)Google Scholar
  8. 8.
    Birkedal, L., Torp-Smith, N., Yang, H.: Semantics of separation-logic typing and higher-order frame rules for Algol-like languages. LMCS 2 (5) (2006)Google Scholar
  9. 9.
    Blom, S., Huisman, M.: Witnessing the elimination of magic wands (2013)Google Scholar
  10. 10.
    Cai, H., Shao, Z., Vaynberg, A.: Certified self-modifying code. In: PLDI, pp 66–77 (2007)Google Scholar
  11. 11.
    Calcagno, C., Distefano, D., O’Hearn, P., Yang, H.: Compositional shape analysis by means of bi-abduction. ACM SIGPLAN Notices 44 (1), 289–300 (2009)CrossRefGoogle Scholar
  12. 12.
    Charguéraud, A: Characteristic formulae for the verification of imperative programs. In: Chakravarty, M.M.T., Hu, Z., Danvy, O. (eds.) ICFP, pp 418–430. ACM (2011)Google Scholar
  13. 13.
    Charlton, N., Horsfall, B., Reus, B.: Formal reasoning about runtime code update. In: Abiteboul, S., Böhm, K., Koch, C., Tan, K.-L. (eds.) ICDE Workshops, pp 134–138. IEEE (2011)Google Scholar
  14. 14.
    Charlton, N., Horsfall, B., Reus, B. : Crowfoot: A verifier for higher-order store programs. In: Kuncak, V., Rybalchenko, A. (eds.) VMCAI, volume 7148 of Lecture Notes in Computer Science, pp 136–151. Springer (2012)Google Scholar
  15. 15.
    Charlton, N., Reus, B.: A deeper understanding of the deep frame axiom. Extended abstract, presented at LOLA (Syntax and Semantics of Low Level Languages) (2010)Google Scholar
  16. 16.
    Charlton, N., Reus, B.: Specification patterns and proofs for recursion through the store. In: FCT, pp 310–321 (2011)Google Scholar
  17. 17.
    Chin, W.-N., David, C., Nguyen, H.H., Qin, S.: Automated verification of shape, size and bag properties via user-defined predicates in separation logic. Sci. Comput. Program. 77 (9), 1006–1036 (2012)CrossRefzbMATHGoogle Scholar
  18. 18.
    Chlipala, A.: Mostly-automated verification of low-level programs in computational separation logic. In: Hall, M.W., Padua, D.A. (eds.) PLDI, pp 234–245. ACM (2011)Google Scholar
  19. 19.
    Chlipala, A., Malecha, J.G., Morrisett, G., Shinnar, A., Wisnesky, R.: Effective interactive proofs for higher-order imperative programs. In: Hutton, G., Tolmach, A.P. (eds.) ICFP, pp 79–90. ACM (2009)Google Scholar
  20. 20.
    Distefano, D., O’Hearn, P.W., Yang, H.: A local shape analysis based on separation logic. In: TACAS, pp 287–302 (2006)Google Scholar
  21. 21.
    Distefano, D., Parkinson, M.J.: jStar: towards practical verification for Java. In: OOPSLA, pp 213–226 (2008)Google Scholar
  22. 22.
    Gherghina, C., David, C., Qin, S., Chin, W.-N.: Structured specifications for better verification of heap-manipulating programs. In: FM, pp 386–401 (2011)Google Scholar
  23. 23.
    Gordon, M.J.C., Milner, R., Wadsworth, C.P.: Edinburgh LCF, volume 78 of Lecture Notes in Computer Science. Springer (1979)Google Scholar
  24. 24.
    Henderson, B.: Linux loadable kernel module HOWTO (v1.09). Available online (2006)
  25. 25.
    Hoare, C.A.R.: Procedures and parameters: An axiomatic approach. In: Engeler, E. (ed.) Symposium on Semantics of Algorithmic Languages, volume 188 of Lecture Notes in Mathematics, pp 102–116. Springer Berlin, Heidelberg (1971)CrossRefGoogle Scholar
  26. 26.
    Honda, K., Yoshida, N., Berger, M.: An observationally complete program logic for imperative higher-order functions. In: LICS, pp 270–279 (2005)Google Scholar
  27. 27.
    Horsfall, B.: Automated reasoning for reflective programs. PhD thesis (2014)Google Scholar
  28. 28.
    Horsfall, B., Charlton, N., Reus, B.: Verifying the reflective visitor pattern. In: FtFJP, pp 27–34 (2012)Google Scholar
  29. 29.
    Jacobs, B., Smans, J., Philippaerts, P., Vogels, F., Penninckx, W., Piessens, F.: VeriFast: A powerful, sound, predictable, fast verifier for C and Java. In: NASA Formal Methods, pp 41–55 (2011)Google Scholar
  30. 30.
    Jacobs, B, Smans, J, Piessens, F: A quick tour of the VeriFast program verifier. In: APLAS, pp 304–311 (2010)Google Scholar
  31. 31.
    Lee, W., Park, S.: A proof system for separation logic with magic wand. In: Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL, pp. 477–490, New York, USA, 2014. ACMGoogle Scholar
  32. 32.
    Nanevski, A. J., Morrisett, G., Birkedal, L.: Hoare type theory, polymorphism and separation. J. Funct. Program. 18 (5–6), 865–911 (2008)CrossRefzbMATHMathSciNetGoogle Scholar
  33. 33.
    Ni, Z., Shao, Z.: Certified assembly programming with embedded code pointers. In: POPL, pp 320–333 (2006)Google Scholar
  34. 34.
    Pottier, F.: Hiding local state in direct style: a higher-order anti-frame rule. In LICS, pp. 331–340, Pittsburgh, Pennsylvania (2008)Google Scholar
  35. 35.
    Pym, D.J., O’Hearn, P.W., Yang, H.: Possible worlds and resources: the semantics of BI. Theor. Comput. Sci. 315 (1), 257–305 (2004)CrossRefzbMATHMathSciNetGoogle Scholar
  36. 36.
    Reus, B., Schwinghammer, J.: Separation logic for higher-order store. In: CSL, pp 575–590 (2006)Google Scholar
  37. 37.
    Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. In: LICS, pp 55–74 (2002)Google Scholar
  38. 38.
    Rutten, J.J.M.M.: Elements of generalized ultrametric domain theory. Theor. Comput. Sci. 170 (1–2), 349–381 (1996)CrossRefzbMATHMathSciNetGoogle Scholar
  39. 39.
    Schwerhoff, M., Summers, A.J.: Lightweight support for magic wands in an automatic verifier. Technical report, ETH Zurich (2014)Google Scholar
  40. 40.
    Schwinghammer, J., Birkedal, L., Reus, B., Yang, H.: Nested Hoare triples and frame rules for higher-order store. In: CSL, pp 440–454 (2009)Google Scholar
  41. 41.
    Schwinghammer, J., Birkedal, L., Reus, B., Yang, H.: Nested Hoare triples and frame rule for higher-order store. Logical Methods Comput. Sci. 7 (3) (2011)Google Scholar
  42. 42.
    Schwinghammer, J., Yang, H., Birkedal, L., Pottier, F., Reus, B: A semantic foundation for hidden state. In: FOSSACS, pp 2–17 (2010)Google Scholar
  43. 43.
    Stoyle, G., Hicks, M., Bierman, G., Sewell, P., Neamtiu, I.: Mutatis mutandis: Safe and predictable dynamic software updating. ACM Trans. Program. Lang. Syst. 29 (4) (2007)Google Scholar

Copyright information

© Springer Science+Business Media Dordrecht 2014

Authors and Affiliations

  • Bernhard Reus
    • 1
  • Nathaniel Charlton
    • 1
  • Ben Horsfall
    • 1
  1. 1.Department of InformaticsUniversity of SussexBrightonUnited Kingdom

Personalised recommendations