A Relational Program Logic with Data Abstraction and Dynamic Framing

TL;DR

This paper introduces a relational Hoare logic that formalizes data encapsulation, hiding invariants, and simulation for object-oriented programs with dynamic allocation, enabling reasoning about program equivalence and noninterference.

Contribution

It extends Hoare's program logic to include data abstraction and dynamic framing, formalizing encapsulation and simulation in a relational setting with first-order logic assertions.

Findings

Soundness with respect to operational semantics

Expressiveness for relational properties like noninterference

Applicability demonstrated with SMT-based implementation

Abstract

Dedicated to Tony Hoare. In a paper published in 1972 Hoare articulated the fundamental notions of hiding invariants and simulations. Hiding: invariants on encapsulated data representations need not be mentioned in specifications that comprise the API of a module. Simulation: correctness of a new data representation and implementation can be established by proving simulation between the old and new implementations using a coupling relation defined on the encapsulated state. These results were formalized semantically and for a simple model of state, though the paper claimed this could be extended to encompass dynamically allocated objects. In recent years, progress has been made towards formalizing the claim, for simulation, though mainly in semantic developments. In this article, hiding and simulation are combined with the idea in Hoare's 1969 paper: a logic of programs. For an object-based language with dynamic allocation, we introduce a relational Hoare logic with stateful frame conditions that formalizes encapsulation, hiding of invariants, and couplings that relate two implementations. Relations and other assertions are expressed in first-order logic. Specifications can express a wide range of relational properties such as conditional equivalence and noninterference with declassification. The proof rules facilitate relational reasoning by means of convenient alignments and are shown sound with respect to a conventional operational semantics. A derived proof rule for equivalence of linked programs directly embodies representation independence. Applicability to representative examples is demonstrated using an SMT-based implementation.