introduction to separation logic
Download
Skip this Video
Download Presentation
Introduction to Separation Logic

Loading in 2 Seconds...

play fullscreen
1 / 51

Introduction to Separation Logic - PowerPoint PPT Presentation


  • 173 Views
  • Uploaded on

Introduction to Separation Logic. presented by Greta Yorsh April 02, 2008 IBM , Hawthorne. This Talk. What is Separation Logic? Strengths and weaknesses Successful applications Main challenges. What is Separation Logic?. Extension of Hoare logic low-level imperative programs

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Introduction to Separation Logic' - ingrid


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
introduction to separation logic

Introduction to Separation Logic

presented by

Greta Yorsh

April 02, 2008IBM, Hawthorne

this talk
This Talk
  • What is Separation Logic?
  • Strengths and weaknesses
  • Successful applications
  • Main challenges
what is separation logic
What is Separation Logic?
  • Extension of Hoare logic
    • low-level imperative programs
    • shared mutable data structures
motivating example
Motivating Example

assume( *x == 3 )

assume( *x == 3 ∧ x != y ∧ x != z )

assume( y != z )

assume( y != z )

*y = 4;

*z = 5;

assert( *y != *z )

assert( *x == 3 )

  • contents are different
  • contents stay the same
  • different locations
framing problem
Framing Problem
  • What are the conditions on aliasing btwn x, y, z ?

{ y != z } C { *y != *z }

{ *x == 3∧y != z } C {*y != *z∧*x == 3 }

framing problem1
Framing Problem
  • What are the conditions on C and R?
    • in presence of aliasing and heap
  • Separation logic introduces new connective ∗

{ P } C {Q}

{ R ∧ P } C { Q ∧R }

{ P } C {Q}

{ R ∗ P } C { Q ∗R }

outline
Outline
  • Assertion language: syntax and semantics
  • Hoare-style proofs
  • Program analysis
  • Concurrency
  • Termination
  • Object-oriented programs
examples
Examples

x  y

ls(y, z)

x  y ∗ ls(y, z)

33

8

8  33

x

y

y

z

x

∧ z = x

y

z

semantics
Semantics
  • Assertions are evaluated w.r.t. a state
  • State is store and heap
    • S : Var ⇀ Int
    • H : Loc ⇀ Int where Loc ⊆ Int
  • Notations
    • disjoint domains: dom(H1) dom(H2)
    • composition: H1 ◦ H2
    • evaluation: ES Int
    • update: S[x:i]
  • S,H  P
common shorthands
Common Shorthands
  • E  E1,E2,..,En E  E1 ∗ E+1  E2 ∗ ... ∗ E+(n-1)  En
  • E1  E2 E1  E2 ∗ true
  • E  _  ∃x. E  x

x

x  3,y,7

S = [x:10, y:4]

H = [10:3,11:4,12:7]

3

4

7

11

12

10

examples1
Examples

y

x

y

x

4

3

4

4

3

3

S = [x:10, y:30]

H = [10:4,11:3,30:4,31:3]

S = [x:10, y:10]

H = [10:4,11:3]

inductive definitions
Inductive Definitions
  • Describe invariants of recursive data-structure
    • Trees
    • List Segments
    • Doubly-linked list segments
    • Cyclic lists
    • List of cyclic doubly linked lists
    • Lists with head pointers
    • Nested lists (bounded depth)
    • ...
  • Binary tree

tree(E)  (E = nil ∧ emp) ∨ (∃x,y. E x,y ∗ tree(x) ∗ tree(y))

list segment
List segment
  • Acyclic, possibly empty

ls(E, F)  (E=F ∧ emp) ∨ (EF ∧ ∃v. Ev ∗ ls(v, F))

S = [x:10, y:30]

H = [10:4,4:17,17:20,20:30]

ls(x,y)

x

4

17

20

30

  • Possibly cyclic, panhandle, empty
  • cls(E, F)  (E=F ∧ emp) ∨ (∃x. Ex ∗ cls(x, F))

dangling pointer

4

17

20

10

more complex structures
More complex structures
  • Doubly-linked list segment

dls(x,y,z)  (x=y ∧ emp)

∨ (xy ∧ ∃w. xz,w ∗ dls(w,y,x))

x

y

z

axioms
Axioms

  • ls(x,y) ∗ ls(y,nil) ⇒ ls(x,nil)
  • ls(x,y) ∗ ls(y,z) ⇒ ls(x,z)
  • ls(x,y) ⇒ ∃w. ls(x,w) ∗ wy
  • (P1 ∧ P2) ∗ Q ⇒ (P1 ∗ Q) ∧ (P2 ∗ Q)
  • x  y ∗ z  w ⇒ x  z
  • x  y ∧ z  w ⇒ x  y ∧ x = z ∧ y = w

z allocated in ls(x,y)

empty heap

axioms1
Axioms
  • Weakening
    • P ∧ Q ⇒ P
    • P ∗ Q ⇒ P
  • Contraction
    • P ⇒ P ∧ P
    • P ⇒ P * P

x  1 ∗ y  2  x  1

x  1  x  1 ∗ x  1

precise assertions
Precise Assertions
  •  S,H there is at most one h’  h s.t. s,h’  P
  • Examples
    • precise: x  1, ls(x,y)
    • not precise: x. x  y, P ∨ Q
  • Axiom for precise assertions

(P1 ∧ P2) ∗ Q  (P1 ∗ Q) ∧ (P2 ∗ Q)

pure assertions
Pure Assertions
  • Syntax: do not contain  or emp
  • Semantics: do not depend on heap (for any store)
  • Axioms for pure assertions

x=y ∗ z = w  x=y ∧ z = w

symbolic heaps
Symbolic Heaps
  • Fragment of Separation Logic assertion language
  • Decidable
    • satisfiability, small model property
    • entailment

A ::= (P ∧ ... ∧ P) ∧ (S ∗ ... ∗ S)

E ::= x | nil | E + E

P ::= E=E | E  E

S ::= E  E | tree(E) | ls(E, E) | dls(E, E, E)

hoare triples
Hoare Triples
  • {P} C {Q}
    • partial correctness
    • if P holds when C starts and C terminates then Q holds after C
    • no runtime errors (null dereferences)
  • [P] C [Q]
    • total correctness
    • if P holds when C starts then C terminates and Q holds after C
the programming language
The Programming Language
  • allocation
  • heap lookup
  • mutation
  • deallocation

<comm> ::= …

| <var> := cons(<exp>, …, <exp>)

| <var> := [<exp>]

| [<exp>] := <exp>

| dispose <exp>

operational semantics by example
Operational Semantics by Example

Store: [x:3, y:40, z:17]

Heap: empty

  • Allocation x := cons(y, z)
  • Heap lookup y := [x+1]
  • Mutation [x + 1] := 3
  • Deallocation dispose(x+1)

Store: [x:37, y:40, z:17]

Heap: [37:40, 38:17]

Store: [x:37, y:17, z:17]

Heap: [37:40, 38:17]

Store: [x:37, y:17, z:17]

Heap: [37:40, 38:3]

Store: [x:37, y:17, z:17]

Heap: [37:40]

hoare proof rules for partial correctness
Hoare Proof Rules for Partial Correctness

{ P } skip { P }

{ P(v/e) } v:=e {P}

{P} c1 {R} {R} c2 {Q}

{P} c1;c2{Q}

{Pb} c1 {Q} {P b} c2 {Q}

{P} if b then c1 else c2 {Q}

{ib} c {i}

{i} while b do c {ib}

P  P’ {P’} c {Q’} Q’  Q

{p} c {q}

hoare axiom for assignment
Hoare Axiom for Assignment
  • How to extend it for heap mutation ?
  • Example:

{ P ( [e1] / e2 } [e1] := e2 {P}

{ [z]=40 } [x] := 77 { [z]=40 }

Store: [x:37, y:17, z:37]

Heap: [37:40, 38:3]

Store: [x:37, y:17, z:37]

Heap: [37:77, 38:3]

small axioms
“Small” Axioms
  • allocation
  • heap lookup
  • mutation
  • deallocation

{ emp } x := cons(y, z) { x  y, z }

{Ez} x := [E] {E z ∧ x = z}

{E1_} [E1] := E2 {E1  E2}

{E_} dispose(E) {emp}

the frame rule
The Frame Rule

{ P } C {Q}

Mod(C) free(R)={}

{ R ∗ P } C { Q ∗R }

Mod(x := _) = {x}

Mod([E]:=F) = {}

Mod(dispose(E)) = {}

the frame rule1
The Frame Rule
  • Small Axioms give tight specification
  • Allows the Small Axioms to apply generally
  • Handle procedure calls modularly
  • Frame rule is a key to local proofs

{ P } C {Q}

Mod(C) free(R)={}

{ R ∗ P } C { Q ∗R }

{ xy ∗ ls(y,z) } dispose(x) { ls(y,z) }

reverse
Reverse

list(x)  ls(x,nil)

{ list(x) }

y: = nil ;

while x  nil do {

t := [x]

[x] := y

y := x

x := t

}

{ list(x) ∗ list(y) }

{x  nil ∧ list(x) ∗ list(y)}

unfold

{ ∃i . x i ∗ list(i) ∗ list(y) }

{ x i } t := [x] { x t ∧ t = i }

{ xt ∗ list(t) ∗ list(y) }

{ x _ } [x] := y { x y}

{ xy ∗ list(t) ∗ list(y) }

fold

{ list(t) ∗ list(x) }

{ list(t) ∗ list(y) }

{ list(x) ∗ list(y) }

{x = nil ∧ list(x) ∗ list(y) }

{ list(y) }

local specification
Local Specification
  • Footprint
    • part of the state that is used by the command
  • Local specification
    • reasoning only about the footprint
  • Frame rule
    • from local to global spec
frame rule
Frame Rule
  • Sound
    • safety-monotonicity
    • frame property of small axioms
  • Complete
    • derives WLP or SP for commands
weakest preconditions
Weakest Preconditions

Allocation

v  free(x,y,P)

Lookup

v  free(E,P)\{x}

Mutation

Disposal

wp(x:=cons(y,z), P) =  v. ( (v  x,y)

wp( x:= [E], P) =  v. (e  v) ∧ P(x/v)

wp([E1]:=E2, P) = (E1 _ ) ∗ ( (E1 E2) −∗ P))

wp(dispose E, P) = (E1 _ ) ∗ P

symbolic execution
Symbolic Execution
  • Application of separation logic proof rules as symbolic execution
  • Restrict assertion language to symbolic heaps
  • Discharge entailments A  B
    • axiomatize consequences of induction
  • Frame inference
deletetree
DeleteTree

DeleteTree (t) {

local i,j;

if (t != nil) {

i := [t];

j := [t+1] ;

DeleteTree(j);

DeleteTree(i);

dispose t;

}

}

{ tree(t) }

{ tree(t) ∧ t  nil }

{ ∃x,y. t x,y ∗ tree(x) ∗ tree(y) }

{t i,j ∗ tree(i) ∗ tree(j) }

{t i,j ∗ tree(i) ∗ emp }

{t i,j ∗ tree(i) }

{t i,j ∗ emp }

{ emp }

{ emp }

frame inference
Frame Inference
  • Failed proof of entailment yields a frame
    • Assertion at call site
    • Callee’s precondition
    • Frame

{ t i,j ∗ tree(i) ∗ tree(j) }

{ tree(j) }

t i,j ∗ tree(i) ∗ tree(j)  tree(j)

.....

t i,j ∗ tree(i)  emp

{ t i,j ∗ tree(i) }

frame inference1
Frame Inference
  • Assertion at call site:
  • Callee’s precondition:

DeleteTree(j)

{ tree(j) }

{ emp }

{t i,j ∗ tree(i) ∗ tree(j) }

{t i,j ∗ tree(i) }

DeleteTree(j)

{ t i,j ∗ tree(i) ∗ tree(j) }

{ tree(j) }

incompleteness of frame inference
Incompleteness of Frame Inference
  • Lose the information that x=y
  • Do we need inequality involving just-disposed ?

{ x _ } free(x) { emp }

{ y _ ∗ x _ } free(x) { y _ }

program analysis
Program Analysis
  • Abstract value is a set of symbolic heaps
  • Abstract transformers by symbolic execution (TODO EXAMPLE)
  • Fixpoint check by entailement
  • Knobs
    • widening / abstraction
    • join
    • interprocedural analysis (cutpoints)
    • predicate discovery
global properties
Global Properties?
  • Before: tree ∧ (Q∗ R)  (tree ∧ Q)∗ (tree ∧ R)
  • After: (tree ∧ Q)∗ (tree ∧ R) tree ∧ (Q∗ R)
  • Loss of global property
    • no restrictions on dangling pointers in P and Q
    • can point to each other and create cycles

{ tree ∧ P } C { tree ∧ Q }

{ (tree ∧ R)∗ (tree ∧ P) } C { (tree ∧ Q)∗ (tree ∧ R) }

early days
“Early Days”
  • The Logic of Bunched Implications O\'Hearn and Pym. 1999
  • Intuitionistic Reasoning about Shared Mutable Data Structure Reynolds. 1999
  • BI as an Assertion Language for Mutable Data Structures. Ishtiaq, O\'Hearn. POPL\'01.
  • Local Reasoning about Programs that Alter Data Structures O\'Hearn, Reynolds, Yang. CSL\'01.
  • Separation Logic: A Logic for Shared Mutable Data Structures Reynolds. LICS 2002.
successful applications
Successful Applications
  • An example of local reasoning in BI pointer logic: the Schorr-Waite graph marking algorithm Yang, SPACE 2001
  • Local Reasoning about a Copying Garbage CollectorBirkedal, Torp-Smith, Reynolds. POPL\'04
analysis and automated verification
Analysis and Automated Verification
  • Symbolic Execution with Separation Logic.Berdine, Calcagno, O\'Hearn. APLAS\'05.
  • Smallfoot: Modular Automatic Assertion Checking with Separation Logic Berdine, Calcagno, O\'Hearn. FMCO’06.
  • A local shape analysis based on separation logic Distefano, O\'Hearn, Yang. TACAS’06.
  • Interprocedural Shape Analysis with Separated Heap Abstractions. Gotsman, Berdine, Cook. SAS’06
  • Shape analysis for composite data structures.Berdine, Calcagno, Cook, Distefano, O\'Hearn, Wies, Yang. CAV\'07.
  • ...
concurrency
Concurrency
  • Resources, Concurrency and Local Reasoning O\'Hearn. Reynolds Festschrift, 2007. CONCUR\'04
  • A Semantics for Concurrent Separation Logic Brookes. Reynolds Festschrift, 2007. CONCUR\'04
  • Towards a Grainless Semantics for Shared Variable Concurrency John C. Reynolds (in preparation?)
  • Permission Accounting in Separation LogicBornat, Calcagno, O\'Hearn, Parkinson. POPL’05
  • Modular Verification of a Non-blocking StackParkinson, Bornat, O\'Hearn. POPL’07
  • A Marriage of Rely/Guarantee and Separation Logic Parkinson, Vafeiadis. CONCUR’07
  • Modular Safety Checking for Fine-Grained Concurrency (smallfootRG)Calcagno, Parkinson, Vafeiadis. SAS\'07
  • Thread-Modular Shape Analysis. Gotsman, Berdine, Cook, Sagiv. PLDI’07
  • ...
termination
Termination
  • Automatic termination proofs for programs with shape-shifting heaps. Berdine, Cook, Distefano, O\'Hearn. CAV’06
  • Variance Analyses from Invariance Analyses.Berdine, Chawdhary, Cook, Distefano, O\'Hearn. POPL 2007
  • ...
object oriented programming
Object Oriented Programming
  • Separation logic and abstraction Parkinson and Bierman. POPL’05
  • Class Invariants: The End of the Road?Parkinson. IWACO\'07.
  • Separation Logic, Abstraction, and InheritanceParkinson, Bierman. POPL\'08
summary of basic ideas
Summary of Basic Ideas
  • Extension of Hoare logic to imperative programs
  • Separating conjunction ∗
  • Inductive definitions for data-structures
  • Tight specifications
  • Dangling pointers
  • Local surgeries
  • Frame rule
ad