Saved in:
Bibliographic Details
Main Authors: Drossopoulou, Sophia, Mackay, Julian, Eisenbach, Susan, Noble, James
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2506.06544
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917099149983744
author Drossopoulou, Sophia
Mackay, Julian
Eisenbach, Susan
Noble, James
author_facet Drossopoulou, Sophia
Mackay, Julian
Eisenbach, Susan
Noble, James
contents In today's complex software, internal trusted code is tightly intertwined with external untrusted code. To reason about internal code, programmers must reason about the potential effects of calls to external code, even though that code is not trusted and may not even be available. The effects of external calls can be limited, if internal code is programmed defensively, limiting potential effects by limiting access to the capabilities necessary to cause those effects. This paper addresses the specification and verification of internal code that relies on encapsulation and object capabilities to limit the effects of external calls. We propose new assertions for access to capabilities, new specifications for limiting effects, and a Hoare logic to verify that a module satisfies its specification, even while making external calls. We illustrate the approach though a running example with mechanised proofs, and prove soundness of the Hoare logic.
format Preprint
id arxiv_https___arxiv_org_abs_2506_06544
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Reasoning about External Calls
Drossopoulou, Sophia
Mackay, Julian
Eisenbach, Susan
Noble, James
Programming Languages
In today's complex software, internal trusted code is tightly intertwined with external untrusted code. To reason about internal code, programmers must reason about the potential effects of calls to external code, even though that code is not trusted and may not even be available. The effects of external calls can be limited, if internal code is programmed defensively, limiting potential effects by limiting access to the capabilities necessary to cause those effects. This paper addresses the specification and verification of internal code that relies on encapsulation and object capabilities to limit the effects of external calls. We propose new assertions for access to capabilities, new specifications for limiting effects, and a Hoare logic to verify that a module satisfies its specification, even while making external calls. We illustrate the approach though a running example with mechanised proofs, and prove soundness of the Hoare logic.
title Reasoning about External Calls
topic Programming Languages
url https://arxiv.org/abs/2506.06544