Linear maps

Abstract

Verification of large programs is impossible without proof techniques that allow local reasoning and information hiding. In this paper, we take the approach of modeling the heap as a collection of partial functions with disjoint domains. We call each such partial function a linear map. Programmers may select objects from linear maps, update linear maps or transfer addresses and their contents from one linear map to another. Programmers may also declare new linear map variables and pass linear maps as arguments to procedures. The program logic prevents any of these operations from duplicating locations and thereby breaking the key heap representation invariant: the domains of all linear maps remain disjoint. Linear maps facilitate modular reasoning because programs that use them are also able to use simple, classical frame rules to preserve information about heap state across procedure calls. We illustrate our approach through examples, prove that our verification rules are sound, and show that operations on linear maps may be erased and replaced by equivalent operations on a single, global heap.