Introduction to separation logic
This presentation is the property of its rightful owner.
Sponsored Links
1 / 51

Introduction to Separation Logic PowerPoint PPT Presentation


  • 129 Views
  • Uploaded on
  • Presentation posted in: General

Introduction to Separation Logic. presented by Greta Yorsh April 02, 2008 IBM , Hawthorne. This Talk. What is Separation Logic? Strengths and weaknesses Successful applications Main challenges. What is Separation Logic?. Extension of Hoare logic low-level imperative programs

Download Presentation

Introduction to Separation Logic

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Introduction to separation logic

Introduction to Separation Logic

presented by

Greta Yorsh

April 02, 2008IBM, Hawthorne


This talk

This Talk

  • What is Separation Logic?

  • Strengths and weaknesses

  • Successful applications

  • Main challenges


What is separation logic

What is Separation Logic?

  • Extension of Hoare logic

    • low-level imperative programs

    • shared mutable data structures


Motivating example

Motivating Example

assume( *x == 3 )

assume( *x == 3 ∧ x != y ∧ x != z )

assume( y != z )

assume( y != z )

*y = 4;

*z = 5;

assert( *y != *z )

assert( *x == 3 )

  • contents are different

  • contents stay the same

  • different locations


Framing problem

Framing Problem

  • What are the conditions on aliasing btwn x, y, z ?

{ y != z } C { *y != *z }

{ *x == 3∧y != z } C {*y != *z∧*x == 3 }


Framing problem1

Framing Problem

  • What are the conditions on C and R?

    • in presence of aliasing and heap

  • Separation logic introduces new connective ∗

{ P } C {Q}

{ R ∧ P } C { Q ∧R }

{ P } C {Q}

{ R ∗ P } C { Q ∗R }


Outline

Outline

  • Assertion language: syntax and semantics

  • Hoare-style proofs

  • Program analysis

  • Concurrency

  • Termination

  • Object-oriented programs


Assertion language

Assertion Language


Examples

Examples

x  y

ls(y, z)

x  y ∗ ls(y, z)

33

8

8  33

x

y

y

z

x

∧ z = x

y

z


Syntax

Syntax


Semantics

Semantics

  • Assertions are evaluated w.r.t. a state

  • State is store and heap

    • S : Var ⇀ Int

    • H : Loc ⇀ Int where Loc ⊆ Int

  • Notations

    • disjoint domains: dom(H1) dom(H2)

    • composition: H1 ◦ H2

    • evaluation: ES Int

    • update:S[x:i]

  • S,H  P


Semantics1

Semantics


Common shorthands

Common Shorthands

  • E  E1,E2,..,En E  E1 ∗ E+1  E2 ∗ ... ∗ E+(n-1)  En

  • E1  E2 E1  E2 ∗ true

  • E  _  ∃x. E  x

x

x  3,y,7

S = [x:10, y:4]

H = [10:3,11:4,12:7]

3

4

7

11

12

10


Examples1

Examples

y

x

y

x

4

3

4

4

3

3

S = [x:10, y:30]

H = [10:4,11:3,30:4,31:3]

S = [x:10, y:10]

H = [10:4,11:3]


Inductive definitions

Inductive Definitions

  • Describe invariants of recursive data-structure

    • Trees

    • List Segments

    • Doubly-linked list segments

    • Cyclic lists

    • List of cyclic doubly linked lists

    • Lists with head pointers

    • Nested lists (bounded depth)

    • ...

  • Binary tree

    tree(E)  (E = nil ∧ emp) ∨ (∃x,y. E x,y ∗ tree(x) ∗ tree(y))


List segment

List segment

  • Acyclic, possibly empty

    ls(E, F)  (E=F ∧ emp) ∨ (EF ∧ ∃v. Ev ∗ ls(v, F))

S = [x:10, y:30]

H = [10:4,4:17,17:20,20:30]

ls(x,y)

x

4

17

20

30

  • Possibly cyclic, panhandle, empty

  • cls(E, F)  (E=F ∧ emp) ∨ (∃x. Ex ∗ cls(x, F))

dangling pointer

4

17

20

10


More complex structures

More complex structures

  • Doubly-linked list segment

    dls(x,y,z)  (x=y ∧ emp)

    ∨ (xy ∧ ∃w. xz,w ∗ dls(w,y,x))

x

y

z


Axioms

Axioms

  • ls(x,y) ∗ ls(y,nil) ⇒ ls(x,nil)

  • ls(x,y) ∗ ls(y,z) ⇒ ls(x,z)

  • ls(x,y) ⇒ ∃w. ls(x,w) ∗ wy

  • (P1 ∧ P2) ∗ Q ⇒ (P1 ∗ Q) ∧ (P2 ∗ Q)

  • x  y ∗ z  w ⇒ x  z

  • x  y ∧ z  w ⇒ x  y ∧ x = z ∧ y = w

z allocated in ls(x,y)

empty heap


Axioms1

Axioms

  • Weakening

    • P ∧ Q ⇒ P

    • P ∗ Q ⇒ P

  • Contraction

    • P ⇒ P ∧ P

    • P ⇒ P * P

x  1 ∗ y  2  x  1

x  1  x  1 ∗ x  1


Precise assertions

Precise Assertions

  •  S,H there is at most one h’  h s.t. s,h’  P

  • Examples

    • precise: x  1, ls(x,y)

    • not precise: x. x  y, P ∨ Q

  • Axiom for precise assertions

    (P1 ∧ P2) ∗ Q  (P1 ∗ Q) ∧ (P2 ∗ Q)


Pure assertions

Pure Assertions

  • Syntax: do not contain  or emp

  • Semantics: do not depend on heap (for any store)

  • Axioms for pure assertions

    x=y ∗ z = w  x=y ∧ z = w


Symbolic heaps

Symbolic Heaps

  • Fragment of Separation Logic assertion language

  • Decidable

    • satisfiability, small model property

    • entailment

A ::= (P ∧ ... ∧ P) ∧ (S ∗ ... ∗ S)

E ::= x | nil | E + E

P ::= E=E | E  E

S ::= E  E | tree(E) | ls(E, E) | dls(E, E, E)


Hoare style proofs

Hoare-Style Proofs


Hoare triples

Hoare Triples

  • {P} C {Q}

    • partial correctness

    • if P holds when C starts and C terminates then Q holds after C

    • no runtime errors (null dereferences)

  • [P] C [Q]

    • total correctness

    • if P holds when C starts then C terminates and Q holds after C


The programming language

The Programming Language

  • allocation

  • heap lookup

  • mutation

  • deallocation

<comm> ::= …

| <var> := cons(<exp>, …, <exp>)

| <var> := [<exp>]

| [<exp>] := <exp>

| dispose <exp>


Operational semantics by example

Operational Semantics by Example

Store: [x:3, y:40, z:17]

Heap: empty

  • Allocation x := cons(y, z)

  • Heap lookup y := [x+1]

  • Mutation [x + 1] := 3

  • Deallocation dispose(x+1)

Store: [x:37, y:40, z:17]

Heap: [37:40, 38:17]

Store: [x:37, y:17, z:17]

Heap: [37:40, 38:17]

Store: [x:37, y:17, z:17]

Heap: [37:40, 38:3]

Store: [x:37, y:17, z:17]

Heap: [37:40]


Hoare proof rules for partial correctness

Hoare Proof Rules for Partial Correctness

{ P } skip { P }

{ P(v/e) } v:=e {P}

{P} c1 {R} {R} c2 {Q}

{P} c1;c2{Q}

{Pb} c1 {Q} {P b} c2 {Q}

{P} if b then c1 else c2 {Q}

{ib} c {i}

{i} while b do c {ib}

P  P’ {P’} c {Q’} Q’  Q

{p} c {q}


Hoare axiom for assignment

Hoare Axiom for Assignment

  • How to extend it for heap mutation ?

  • Example:

{ P ( [e1] / e2 } [e1] := e2 {P}

{ [z]=40 } [x] := 77 { [z]=40 }

Store: [x:37, y:17, z:37]

Heap: [37:40, 38:3]

Store: [x:37, y:17, z:37]

Heap: [37:77, 38:3]


Small axioms

“Small” Axioms

  • allocation

  • heap lookup

  • mutation

  • deallocation

{ emp } x := cons(y, z) { x  y, z }

{Ez} x := [E] {E z ∧ x = z}

{E1_} [E1] := E2 {E1  E2}

{E_} dispose(E) {emp}


The frame rule

The Frame Rule

{ P } C {Q}

Mod(C) free(R)={}

{ R ∗ P } C { Q ∗R }

Mod(x := _) = {x}

Mod([E]:=F) = {}

Mod(dispose(E)) = {}


The frame rule1

The Frame Rule

  • Small Axioms give tight specification

  • Allows the Small Axioms to apply generally

  • Handle procedure calls modularly

  • Frame rule is a key to local proofs

{ P } C {Q}

Mod(C) free(R)={}

{ R ∗ P } C { Q ∗R }

{ xy ∗ ls(y,z) } dispose(x) { ls(y,z) }


Reverse

Reverse

list(x)  ls(x,nil)

{ list(x) }

y: = nil ;

while x  nil do {

t := [x]

[x] := y

y := x

x := t

}

{ list(x) ∗ list(y) }

{x  nil ∧ list(x) ∗ list(y)}

unfold

{ ∃i . x i ∗ list(i) ∗ list(y) }

{ x i } t := [x] { x t ∧ t = i }

{ xt ∗ list(t) ∗ list(y) }

{ x _ } [x] := y { x y}

{ xy ∗ list(t) ∗ list(y) }

fold

{ list(t) ∗ list(x) }

{ list(t) ∗ list(y) }

{ list(x) ∗ list(y) }

{x = nil ∧ list(x) ∗ list(y) }

{ list(y) }


Local specification

Local Specification

  • Footprint

    • part of the state that is used by the command

  • Local specification

    • reasoning only about the footprint

  • Frame rule

    • from local to global spec


Frame rule

Frame Rule

  • Sound

    • safety-monotonicity

    • frame property of small axioms

  • Complete

    • derives WLP or SP for commands


Weakest preconditions

Weakest Preconditions

Allocation

v  free(x,y,P)

Lookup

v  free(E,P)\{x}

Mutation

Disposal

wp(x:=cons(y,z), P) =  v. ( (v  x,y)

wp( x:= [E], P) =  v. (e  v) ∧ P(x/v)

wp([E1]:=E2, P) = (E1 _ ) ∗ ( (E1 E2) −∗ P))

wp(dispose E, P) = (E1 _ ) ∗ P


Automated verification and program analysis

Automated verification andProgram analysis


Symbolic execution

Symbolic Execution

  • Application of separation logic proof rules as symbolic execution

  • Restrict assertion language to symbolic heaps

  • Discharge entailments A  B

    • axiomatize consequences of induction

  • Frame inference


Deletetree

DeleteTree

DeleteTree (t) {

local i,j;

if (t != nil) {

i := [t];

j := [t+1] ;

DeleteTree(j);

DeleteTree(i);

dispose t;

}

}

{ tree(t) }

{ tree(t) ∧ t  nil }

{ ∃x,y. t x,y ∗ tree(x) ∗ tree(y) }

{t i,j ∗ tree(i) ∗ tree(j) }

{t i,j ∗ tree(i) ∗ emp }

{t i,j ∗ tree(i) }

{t i,j ∗ emp }

{ emp }

{ emp }


Frame inference

Frame Inference

  • Failed proof of entailment yields a frame

    • Assertion at call site

    • Callee’s precondition

    • Frame

{ t i,j ∗ tree(i) ∗ tree(j) }

{ tree(j) }

t i,j ∗ tree(i) ∗ tree(j)  tree(j)

.....

t i,j ∗ tree(i)  emp

{ t i,j ∗ tree(i) }


Frame inference1

Frame Inference

  • Assertion at call site:

  • Callee’s precondition:

DeleteTree(j)

{ tree(j) }

{ emp }

{t i,j ∗ tree(i) ∗ tree(j) }

{t i,j ∗ tree(i) }

DeleteTree(j)

{ t i,j ∗ tree(i) ∗ tree(j) }

{ tree(j) }


Incompleteness of frame inference

Incompleteness of Frame Inference

  • Lose the information that x=y

  • Do we need inequality involving just-disposed ?

{ x _ } free(x) { emp }

{ y _ ∗ x _ } free(x) { y _ }


Program analysis

Program Analysis

  • Abstract value is a set of symbolic heaps

  • Abstract transformers by symbolic execution (TODO EXAMPLE)

  • Fixpoint check by entailement

  • Knobs

    • widening / abstraction

    • join

    • interprocedural analysis (cutpoints)

    • predicate discovery


Global properties

Global Properties?

  • Before: tree ∧ (Q∗ R)  (tree ∧ Q)∗ (tree ∧ R)

  • After: (tree ∧ Q)∗ (tree ∧ R) tree ∧ (Q∗ R)

  • Loss of global property

    • no restrictions on dangling pointers in P and Q

    • can point to each other and create cycles

{ tree ∧ P } C { tree ∧ Q }

{ (tree ∧ R)∗ (tree ∧ P) } C { (tree ∧ Q)∗ (tree ∧ R) }


Bibliography

http://www.dcs.qmw.ac.uk/~ohearn/localreasoning.html

Bibliography


Early days

“Early Days”

  • The Logic of Bunched Implications O'Hearn and Pym. 1999

  • Intuitionistic Reasoning about Shared Mutable Data Structure Reynolds. 1999

  • BI as an Assertion Language for Mutable Data Structures. Ishtiaq, O'Hearn. POPL'01.

  • Local Reasoning about Programs that Alter Data Structures O'Hearn, Reynolds, Yang. CSL'01.

  • Separation Logic: A Logic for Shared Mutable Data Structures Reynolds. LICS 2002.


Successful applications

Successful Applications

  • An example of local reasoning in BI pointer logic: the Schorr-Waite graph marking algorithm Yang, SPACE 2001

  • Local Reasoning about a Copying Garbage CollectorBirkedal, Torp-Smith, Reynolds. POPL'04


Analysis and automated verification

Analysis and Automated Verification

  • Symbolic Execution with Separation Logic.Berdine, Calcagno, O'Hearn. APLAS'05.

  • Smallfoot: Modular Automatic Assertion Checking with Separation Logic Berdine, Calcagno, O'Hearn. FMCO’06.

  • A local shape analysis based on separation logic Distefano, O'Hearn, Yang. TACAS’06.

  • Interprocedural Shape Analysis with Separated Heap Abstractions. Gotsman, Berdine, Cook. SAS’06

  • Shape analysis for composite data structures.Berdine, Calcagno, Cook, Distefano, O'Hearn, Wies, Yang. CAV'07.

  • ...


Concurrency

Concurrency

  • Resources, Concurrency and Local Reasoning O'Hearn. Reynolds Festschrift, 2007. CONCUR'04

  • A Semantics for Concurrent Separation Logic Brookes. Reynolds Festschrift, 2007. CONCUR'04

  • Towards a Grainless Semantics for Shared Variable Concurrency John C. Reynolds (in preparation?)

  • Permission Accounting in Separation LogicBornat, Calcagno, O'Hearn, Parkinson. POPL’05

  • Modular Verification of a Non-blocking StackParkinson, Bornat, O'Hearn. POPL’07

  • A Marriage of Rely/Guarantee and Separation Logic Parkinson, Vafeiadis. CONCUR’07

  • Modular Safety Checking for Fine-Grained Concurrency (smallfootRG)Calcagno, Parkinson, Vafeiadis. SAS'07

  • Thread-Modular Shape Analysis. Gotsman, Berdine, Cook, Sagiv. PLDI’07

  • ...


Termination

Termination

  • Automatic termination proofs for programs with shape-shifting heaps. Berdine, Cook, Distefano, O'Hearn. CAV’06

  • Variance Analyses from Invariance Analyses.Berdine, Chawdhary, Cook, Distefano, O'Hearn. POPL 2007

  • ...


Object oriented programming

Object Oriented Programming

  • Separation logic and abstraction Parkinson and Bierman. POPL’05

  • Class Invariants: The End of the Road?Parkinson. IWACO'07.

  • Separation Logic, Abstraction, and InheritanceParkinson, Bierman. POPL'08


Summary of basic ideas

Summary of Basic Ideas

  • Extension of Hoare logic to imperative programs

  • Separating conjunction ∗

  • Inductive definitions for data-structures

  • Tight specifications

  • Dangling pointers

  • Local surgeries

  • Frame rule


  • Login