Introduction to Separation Logic

1 / 51

# Introduction to Separation Logic - PowerPoint PPT Presentation

Introduction to Separation Logic. presented by Greta Yorsh April 02, 2008 IBM , Hawthorne. This Talk. What is Separation Logic? Strengths and weaknesses Successful applications Main challenges. What is Separation Logic?. Extension of Hoare logic low-level imperative programs

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about ' Introduction to Separation Logic' - ingrid

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Introduction to Separation Logic

presented by

Greta Yorsh

April 02, 2008IBM, Hawthorne

This Talk
• What is Separation Logic?
• Strengths and weaknesses
• Successful applications
• Main challenges
What is Separation Logic?
• Extension of Hoare logic
• low-level imperative programs
• shared mutable data structures
Motivating Example

assume( *x == 3 )

assume( *x == 3 ∧ x != y ∧ x != z )

assume( y != z )

assume( y != z )

*y = 4;

*z = 5;

assert( *y != *z )

assert( *x == 3 )

• contents are different
• contents stay the same
• different locations
Framing Problem
• What are the conditions on aliasing btwn x, y, z ?

{ y != z } C { *y != *z }

{ *x == 3∧y != z } C {*y != *z∧*x == 3 }

Framing Problem
• What are the conditions on C and R?
• in presence of aliasing and heap
• Separation logic introduces new connective ∗

{ P } C {Q}

{ R ∧ P } C { Q ∧R }

{ P } C {Q}

{ R ∗ P } C { Q ∗R }

Outline
• Assertion language: syntax and semantics
• Hoare-style proofs
• Program analysis
• Concurrency
• Termination
• Object-oriented programs
Examples

x  y

ls(y, z)

x  y ∗ ls(y, z)

33

8

8  33

x

y

y

z

x

∧ z = x

y

z

Semantics
• Assertions are evaluated w.r.t. a state
• State is store and heap
• S : Var ⇀ Int
• H : Loc ⇀ Int where Loc ⊆ Int
• Notations
• disjoint domains: dom(H1) dom(H2)
• composition: H1 ◦ H2
• evaluation: ES Int
• update: S[x:i]
• S,H  P
Common Shorthands
• E  E1,E2,..,En E  E1 ∗ E+1  E2 ∗ ... ∗ E+(n-1)  En
• E1  E2 E1  E2 ∗ true
• E  _  ∃x. E  x

x

x  3,y,7

S = [x:10, y:4]

H = [10:3,11:4,12:7]

3

4

7

11

12

10

Examples

y

x

y

x

4

3

4

4

3

3

S = [x:10, y:30]

H = [10:4,11:3,30:4,31:3]

S = [x:10, y:10]

H = [10:4,11:3]

Inductive Definitions
• Describe invariants of recursive data-structure
• Trees
• List Segments
• Cyclic lists
• List of cyclic doubly linked lists
• Nested lists (bounded depth)
• ...
• Binary tree

tree(E)  (E = nil ∧ emp) ∨ (∃x,y. E x,y ∗ tree(x) ∗ tree(y))

List segment
• Acyclic, possibly empty

ls(E, F)  (E=F ∧ emp) ∨ (EF ∧ ∃v. Ev ∗ ls(v, F))

S = [x:10, y:30]

H = [10:4,4:17,17:20,20:30]

ls(x,y)

x

4

17

20

30

• Possibly cyclic, panhandle, empty
• cls(E, F)  (E=F ∧ emp) ∨ (∃x. Ex ∗ cls(x, F))

dangling pointer

4

17

20

10

More complex structures

dls(x,y,z)  (x=y ∧ emp)

∨ (xy ∧ ∃w. xz,w ∗ dls(w,y,x))

x

y

z

Axioms

• ls(x,y) ∗ ls(y,nil) ⇒ ls(x,nil)
• ls(x,y) ∗ ls(y,z) ⇒ ls(x,z)
• ls(x,y) ⇒ ∃w. ls(x,w) ∗ wy
• (P1 ∧ P2) ∗ Q ⇒ (P1 ∗ Q) ∧ (P2 ∗ Q)
• x  y ∗ z  w ⇒ x  z
• x  y ∧ z  w ⇒ x  y ∧ x = z ∧ y = w

z allocated in ls(x,y)

empty heap

Axioms
• Weakening
• P ∧ Q ⇒ P
• P ∗ Q ⇒ P
• Contraction
• P ⇒ P ∧ P
• P ⇒ P * P

x  1 ∗ y  2  x  1

x  1  x  1 ∗ x  1

Precise Assertions
•  S,H there is at most one h’  h s.t. s,h’  P
• Examples
• precise: x  1, ls(x,y)
• not precise: x. x  y, P ∨ Q
• Axiom for precise assertions

(P1 ∧ P2) ∗ Q  (P1 ∗ Q) ∧ (P2 ∗ Q)

Pure Assertions
• Syntax: do not contain  or emp
• Semantics: do not depend on heap (for any store)
• Axioms for pure assertions

x=y ∗ z = w  x=y ∧ z = w

Symbolic Heaps
• Fragment of Separation Logic assertion language
• Decidable
• satisfiability, small model property
• entailment

A ::= (P ∧ ... ∧ P) ∧ (S ∗ ... ∗ S)

E ::= x | nil | E + E

P ::= E=E | E  E

S ::= E  E | tree(E) | ls(E, E) | dls(E, E, E)

Hoare Triples
• {P} C {Q}
• partial correctness
• if P holds when C starts and C terminates then Q holds after C
• no runtime errors (null dereferences)
• [P] C [Q]
• total correctness
• if P holds when C starts then C terminates and Q holds after C
The Programming Language
• allocation
• heap lookup
• mutation
• deallocation

<comm> ::= …

| <var> := cons(<exp>, …, <exp>)

| <var> := [<exp>]

| [<exp>] := <exp>

| dispose <exp>

Operational Semantics by Example

Store: [x:3, y:40, z:17]

Heap: empty

• Allocation x := cons(y, z)
• Heap lookup y := [x+1]
• Mutation [x + 1] := 3
• Deallocation dispose(x+1)

Store: [x:37, y:40, z:17]

Heap: [37:40, 38:17]

Store: [x:37, y:17, z:17]

Heap: [37:40, 38:17]

Store: [x:37, y:17, z:17]

Heap: [37:40, 38:3]

Store: [x:37, y:17, z:17]

Heap: [37:40]

Hoare Proof Rules for Partial Correctness

{ P } skip { P }

{ P(v/e) } v:=e {P}

{P} c1 {R} {R} c2 {Q}

{P} c1;c2{Q}

{Pb} c1 {Q} {P b} c2 {Q}

{P} if b then c1 else c2 {Q}

{ib} c {i}

{i} while b do c {ib}

P  P’ {P’} c {Q’} Q’  Q

{p} c {q}

Hoare Axiom for Assignment
• How to extend it for heap mutation ?
• Example:

{ P ( [e1] / e2 } [e1] := e2 {P}

{ [z]=40 } [x] := 77 { [z]=40 }

Store: [x:37, y:17, z:37]

Heap: [37:40, 38:3]

Store: [x:37, y:17, z:37]

Heap: [37:77, 38:3]

“Small” Axioms
• allocation
• heap lookup
• mutation
• deallocation

{ emp } x := cons(y, z) { x  y, z }

{Ez} x := [E] {E z ∧ x = z}

{E1_} [E1] := E2 {E1  E2}

{E_} dispose(E) {emp}

The Frame Rule

{ P } C {Q}

Mod(C) free(R)={}

{ R ∗ P } C { Q ∗R }

Mod(x := _) = {x}

Mod([E]:=F) = {}

Mod(dispose(E)) = {}

The Frame Rule
• Small Axioms give tight specification
• Allows the Small Axioms to apply generally
• Handle procedure calls modularly
• Frame rule is a key to local proofs

{ P } C {Q}

Mod(C) free(R)={}

{ R ∗ P } C { Q ∗R }

{ xy ∗ ls(y,z) } dispose(x) { ls(y,z) }

Reverse

list(x)  ls(x,nil)

{ list(x) }

y: = nil ;

while x  nil do {

t := [x]

[x] := y

y := x

x := t

}

{ list(x) ∗ list(y) }

{x  nil ∧ list(x) ∗ list(y)}

unfold

{ ∃i . x i ∗ list(i) ∗ list(y) }

{ x i } t := [x] { x t ∧ t = i }

{ xt ∗ list(t) ∗ list(y) }

{ x _ } [x] := y { x y}

{ xy ∗ list(t) ∗ list(y) }

fold

{ list(t) ∗ list(x) }

{ list(t) ∗ list(y) }

{ list(x) ∗ list(y) }

{x = nil ∧ list(x) ∗ list(y) }

{ list(y) }

Local Specification
• Footprint
• part of the state that is used by the command
• Local specification
• reasoning only about the footprint
• Frame rule
• from local to global spec
Frame Rule
• Sound
• safety-monotonicity
• frame property of small axioms
• Complete
• derives WLP or SP for commands
Weakest Preconditions

Allocation

v  free(x,y,P)

Lookup

v  free(E,P)\{x}

Mutation

Disposal

wp(x:=cons(y,z), P) =  v. ( (v  x,y)

wp( x:= [E], P) =  v. (e  v) ∧ P(x/v)

wp([E1]:=E2, P) = (E1 _ ) ∗ ( (E1 E2) −∗ P))

wp(dispose E, P) = (E1 _ ) ∗ P

Symbolic Execution
• Application of separation logic proof rules as symbolic execution
• Restrict assertion language to symbolic heaps
• Discharge entailments A  B
• axiomatize consequences of induction
• Frame inference
DeleteTree

DeleteTree (t) {

local i,j;

if (t != nil) {

i := [t];

j := [t+1] ;

DeleteTree(j);

DeleteTree(i);

dispose t;

}

}

{ tree(t) }

{ tree(t) ∧ t  nil }

{ ∃x,y. t x,y ∗ tree(x) ∗ tree(y) }

{t i,j ∗ tree(i) ∗ tree(j) }

{t i,j ∗ tree(i) ∗ emp }

{t i,j ∗ tree(i) }

{t i,j ∗ emp }

{ emp }

{ emp }

Frame Inference
• Failed proof of entailment yields a frame
• Assertion at call site
• Callee’s precondition
• Frame

{ t i,j ∗ tree(i) ∗ tree(j) }

{ tree(j) }

t i,j ∗ tree(i) ∗ tree(j)  tree(j)

.....

t i,j ∗ tree(i)  emp

{ t i,j ∗ tree(i) }

Frame Inference
• Assertion at call site:
• Callee’s precondition:

DeleteTree(j)

{ tree(j) }

{ emp }

{t i,j ∗ tree(i) ∗ tree(j) }

{t i,j ∗ tree(i) }

DeleteTree(j)

{ t i,j ∗ tree(i) ∗ tree(j) }

{ tree(j) }

Incompleteness of Frame Inference
• Lose the information that x=y
• Do we need inequality involving just-disposed ?

{ x _ } free(x) { emp }

{ y _ ∗ x _ } free(x) { y _ }

Program Analysis
• Abstract value is a set of symbolic heaps
• Abstract transformers by symbolic execution (TODO EXAMPLE)
• Fixpoint check by entailement
• Knobs
• widening / abstraction
• join
• interprocedural analysis (cutpoints)
• predicate discovery
Global Properties?
• Before: tree ∧ (Q∗ R)  (tree ∧ Q)∗ (tree ∧ R)
• After: (tree ∧ Q)∗ (tree ∧ R) tree ∧ (Q∗ R)
• Loss of global property
• no restrictions on dangling pointers in P and Q
• can point to each other and create cycles

{ tree ∧ P } C { tree ∧ Q }

{ (tree ∧ R)∗ (tree ∧ P) } C { (tree ∧ Q)∗ (tree ∧ R) }

“Early Days”
• The Logic of Bunched Implications O\'Hearn and Pym. 1999
• Intuitionistic Reasoning about Shared Mutable Data Structure Reynolds. 1999
• BI as an Assertion Language for Mutable Data Structures. Ishtiaq, O\'Hearn. POPL\'01.
• Local Reasoning about Programs that Alter Data Structures O\'Hearn, Reynolds, Yang. CSL\'01.
• Separation Logic: A Logic for Shared Mutable Data Structures Reynolds. LICS 2002.
Successful Applications
• An example of local reasoning in BI pointer logic: the Schorr-Waite graph marking algorithm Yang, SPACE 2001
• Local Reasoning about a Copying Garbage CollectorBirkedal, Torp-Smith, Reynolds. POPL\'04
Analysis and Automated Verification
• Symbolic Execution with Separation Logic.Berdine, Calcagno, O\'Hearn. APLAS\'05.
• Smallfoot: Modular Automatic Assertion Checking with Separation Logic Berdine, Calcagno, O\'Hearn. FMCO’06.
• A local shape analysis based on separation logic Distefano, O\'Hearn, Yang. TACAS’06.
• Interprocedural Shape Analysis with Separated Heap Abstractions. Gotsman, Berdine, Cook. SAS’06
• Shape analysis for composite data structures.Berdine, Calcagno, Cook, Distefano, O\'Hearn, Wies, Yang. CAV\'07.
• ...
Concurrency
• Resources, Concurrency and Local Reasoning O\'Hearn. Reynolds Festschrift, 2007. CONCUR\'04
• A Semantics for Concurrent Separation Logic Brookes. Reynolds Festschrift, 2007. CONCUR\'04
• Towards a Grainless Semantics for Shared Variable Concurrency John C. Reynolds (in preparation?)
• Permission Accounting in Separation LogicBornat, Calcagno, O\'Hearn, Parkinson. POPL’05
• Modular Verification of a Non-blocking StackParkinson, Bornat, O\'Hearn. POPL’07
• A Marriage of Rely/Guarantee and Separation Logic Parkinson, Vafeiadis. CONCUR’07
• Modular Safety Checking for Fine-Grained Concurrency (smallfootRG)Calcagno, Parkinson, Vafeiadis. SAS\'07
• Thread-Modular Shape Analysis. Gotsman, Berdine, Cook, Sagiv. PLDI’07
• ...
Termination
• Automatic termination proofs for programs with shape-shifting heaps. Berdine, Cook, Distefano, O\'Hearn. CAV’06
• Variance Analyses from Invariance Analyses.Berdine, Chawdhary, Cook, Distefano, O\'Hearn. POPL 2007
• ...
Object Oriented Programming
• Separation logic and abstraction Parkinson and Bierman. POPL’05
• Class Invariants: The End of the Road?Parkinson. IWACO\'07.
• Separation Logic, Abstraction, and InheritanceParkinson, Bierman. POPL\'08
Summary of Basic Ideas
• Extension of Hoare logic to imperative programs
• Separating conjunction ∗
• Inductive definitions for data-structures
• Tight specifications
• Dangling pointers
• Local surgeries
• Frame rule