We present a separation logic specification and verification of linked lists with views, a data structure from the C5 collection library for .NET. A view is a generalization of the well-known concept of an iterator. Linked lists with views form an interesting case study for verification since they allow mutation through multiple, possibly overlapping, views of the same underlying list. For modularity, we build on a fragment of higherorder separation logic and use abstract predicates to give a

more »

... ecification with respect to which clients can be proved correct. We introduce a novel mathematical model of lists with views, and formulate succinct modular abstract specifications of the operations on the data structure. To show that the concrete implementation realizes the specification, we use fractional permissions in a novel way to capture the sharing of data between views and their underlying list. We conclude by suggesting directions for future research that arose from conducting this case study. Hence views provide a much more powerful mechanism than iterators but also pose new challenges for verification. In particular, the co-dependencies between a list and its views are typically implemented by cyclic pointer structures, and there is no "obvious" mathematical model of a linked list with views. We find that this makes the data structure a challenging and compelling case study for specification and verification with separation logic and related approaches. Related Work Hoare pioneered the proof method of relating a concrete (object-oriented) implementation to an abstract (functional, mathematical) implementation [Hoa72]; we use the same technique here. We also use the concepts of precondition and postcondition, which are due to Dijkstra [Dij76] and which form the basis for Meyer's design-bycontract methodology [Mey92]. However, we do not use class invariants, because they appear to fall short when, as in the case of linked lists with views, there is no hierarchical "ownership" relation among the objects making up a data structure [Par07]. Hence our formalization is not immediately expressible in contemporary frameworks such as the Java Modeling Language [CKLP06] or .NET Code Contracts [FBL10] . The formalization and proof of lists with views, presented in this paper, uses separation logic and has many similarities with separation logic formalizations of iterators. The iterators from the Java standard library seem to be the most popular objects of study [KAB + 09, Par05, HH08, BRZ07]. In contrast to the list views discussed here, such iterators become invalid after structural modification to the underlying list, and so it becomes an important part of the specification to capture the protocol that constrains the permitted order of method calls. Krishnaswami et al. [KAB + 09] use higher-order separation logic to give an elegant specification of iterators. It allows multiple iterators at the same time, but iterators are read-only. Parkinson [Par05] specifies iterators in first-order separation logic, instead using counting permissions to share the list between multiple iterators. Again, modification of the list through iterators is not considered. Haack & Hurlin [HH08] use fractional permissions to give a specification that allows both multiple iterators and (limited) modification of the list through iterators. The techniques used to achieve this have similarities to what we present in Section 4.3. In contrast to iterators, it is always well-defined how views behave after the underlying list is modified.