- 149 Views
- Uploaded on
- Presentation posted in: General

Introduction to Separation Logic

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Introduction to Separation Logic

presented by

Greta Yorsh

April 02, 2008IBM, Hawthorne

- What is Separation Logic?
- Strengths and weaknesses
- Successful applications
- Main challenges

- Extension of Hoare logic
- low-level imperative programs
- shared mutable data structures

assume( *x == 3 )

assume( *x == 3 ∧ x != y ∧ x != z )

assume( y != z )

assume( y != z )

*y = 4;

*z = 5;

assert( *y != *z )

assert( *x == 3 )

- contents are different
- contents stay the same
- different locations

- What are the conditions on aliasing btwn x, y, z ?

{ y != z } C { *y != *z }

{ *x == 3∧y != z } C {*y != *z∧*x == 3 }

- What are the conditions on C and R?
- in presence of aliasing and heap

- Separation logic introduces new connective ∗

{ P } C {Q}

{ R ∧ P } C { Q ∧R }

{ P } C {Q}

{ R ∗ P } C { Q ∗R }

- Assertion language: syntax and semantics
- Hoare-style proofs
- Program analysis
- Concurrency
- Termination
- Object-oriented programs

x y

ls(y, z)

x y ∗ ls(y, z)

33

8

8 33

x

y

y

z

x

∧ z = x

y

z

- Assertions are evaluated w.r.t. a state
- State is store and heap
- S : Var ⇀ Int
- H : Loc ⇀ Int where Loc ⊆ Int

- Notations
- disjoint domains: dom(H1) dom(H2)
- composition: H1 ◦ H2
- evaluation: ES Int
- update:S[x:i]

- S,H P

- E E1,E2,..,En E E1 ∗ E+1 E2 ∗ ... ∗ E+(n-1) En
- E1 E2 E1 E2 ∗ true
- E _ ∃x. E x

x

x 3,y,7

S = [x:10, y:4]

H = [10:3,11:4,12:7]

3

4

7

11

12

10

y

x

y

x

4

3

4

4

3

3

S = [x:10, y:30]

H = [10:4,11:3,30:4,31:3]

S = [x:10, y:10]

H = [10:4,11:3]

- Describe invariants of recursive data-structure
- Trees
- List Segments
- Doubly-linked list segments
- Cyclic lists
- List of cyclic doubly linked lists
- Lists with head pointers
- Nested lists (bounded depth)
- ...

- Binary tree
tree(E) (E = nil ∧ emp) ∨ (∃x,y. E x,y ∗ tree(x) ∗ tree(y))

- Acyclic, possibly empty
ls(E, F) (E=F ∧ emp) ∨ (EF ∧ ∃v. Ev ∗ ls(v, F))

S = [x:10, y:30]

H = [10:4,4:17,17:20,20:30]

ls(x,y)

x

4

17

20

30

- Possibly cyclic, panhandle, empty
- cls(E, F) (E=F ∧ emp) ∨ (∃x. Ex ∗ cls(x, F))

dangling pointer

4

17

20

10

- Doubly-linked list segment
dls(x,y,z) (x=y ∧ emp)

∨ (xy ∧ ∃w. xz,w ∗ dls(w,y,x))

x

y

z

- ls(x,y) ∗ ls(y,nil) ⇒ ls(x,nil)
- ls(x,y) ∗ ls(y,z) ⇒ ls(x,z)
- ls(x,y) ⇒ ∃w. ls(x,w) ∗ wy
- (P1 ∧ P2) ∗ Q ⇒ (P1 ∗ Q) ∧ (P2 ∗ Q)
- x y ∗ z w ⇒ x z
- x y ∧ z w ⇒ x y ∧ x = z ∧ y = w

z allocated in ls(x,y)

empty heap

- Weakening
- P ∧ Q ⇒ P
- P ∗ Q ⇒ P

- Contraction
- P ⇒ P ∧ P
- P ⇒ P * P

x 1 ∗ y 2 x 1

x 1 x 1 ∗ x 1

- S,H there is at most one h’ h s.t. s,h’ P
- Examples
- precise: x 1, ls(x,y)
- not precise: x. x y, P ∨ Q

- Axiom for precise assertions
(P1 ∧ P2) ∗ Q (P1 ∗ Q) ∧ (P2 ∗ Q)

- Syntax: do not contain or emp
- Semantics: do not depend on heap (for any store)
- Axioms for pure assertions
x=y ∗ z = w x=y ∧ z = w

- Fragment of Separation Logic assertion language
- Decidable
- satisfiability, small model property
- entailment

A ::= (P ∧ ... ∧ P) ∧ (S ∗ ... ∗ S)

E ::= x | nil | E + E

P ::= E=E | E E

S ::= E E | tree(E) | ls(E, E) | dls(E, E, E)

- {P} C {Q}
- partial correctness
- if P holds when C starts and C terminates then Q holds after C
- no runtime errors (null dereferences)

- [P] C [Q]
- total correctness
- if P holds when C starts then C terminates and Q holds after C

- allocation
- heap lookup
- mutation
- deallocation

<comm> ::= …

| <var> := cons(<exp>, …, <exp>)

| <var> := [<exp>]

| [<exp>] := <exp>

| dispose <exp>

Store: [x:3, y:40, z:17]

Heap: empty

- Allocation x := cons(y, z)
- Heap lookup y := [x+1]
- Mutation [x + 1] := 3
- Deallocation dispose(x+1)

Store: [x:37, y:40, z:17]

Heap: [37:40, 38:17]

Store: [x:37, y:17, z:17]

Heap: [37:40, 38:17]

Store: [x:37, y:17, z:17]

Heap: [37:40, 38:3]

Store: [x:37, y:17, z:17]

Heap: [37:40]

{ P } skip { P }

{ P(v/e) } v:=e {P}

{P} c1 {R} {R} c2 {Q}

{P} c1;c2{Q}

{Pb} c1 {Q} {P b} c2 {Q}

{P} if b then c1 else c2 {Q}

{ib} c {i}

{i} while b do c {ib}

P P’ {P’} c {Q’} Q’ Q

{p} c {q}

- How to extend it for heap mutation ?
- Example:

{ P ( [e1] / e2 } [e1] := e2 {P}

{ [z]=40 } [x] := 77 { [z]=40 }

Store: [x:37, y:17, z:37]

Heap: [37:40, 38:3]

Store: [x:37, y:17, z:37]

Heap: [37:77, 38:3]

- allocation
- heap lookup
- mutation
- deallocation

{ emp } x := cons(y, z) { x y, z }

{Ez} x := [E] {E z ∧ x = z}

{E1_} [E1] := E2 {E1 E2}

{E_} dispose(E) {emp}

{ P } C {Q}

Mod(C) free(R)={}

{ R ∗ P } C { Q ∗R }

Mod(x := _) = {x}

Mod([E]:=F) = {}

Mod(dispose(E)) = {}

- Small Axioms give tight specification
- Allows the Small Axioms to apply generally
- Handle procedure calls modularly
- Frame rule is a key to local proofs

{ P } C {Q}

Mod(C) free(R)={}

{ R ∗ P } C { Q ∗R }

{ xy ∗ ls(y,z) } dispose(x) { ls(y,z) }

list(x) ls(x,nil)

{ list(x) }

y: = nil ;

while x nil do {

t := [x]

[x] := y

y := x

x := t

}

{ list(x) ∗ list(y) }

{x nil ∧ list(x) ∗ list(y)}

unfold

{ ∃i . x i ∗ list(i) ∗ list(y) }

{ x i } t := [x] { x t ∧ t = i }

{ xt ∗ list(t) ∗ list(y) }

{ x _ } [x] := y { x y}

{ xy ∗ list(t) ∗ list(y) }

fold

{ list(t) ∗ list(x) }

{ list(t) ∗ list(y) }

{ list(x) ∗ list(y) }

{x = nil ∧ list(x) ∗ list(y) }

{ list(y) }

- Footprint
- part of the state that is used by the command

- Local specification
- reasoning only about the footprint

- Frame rule
- from local to global spec

- Sound
- safety-monotonicity
- frame property of small axioms

- Complete
- derives WLP or SP for commands

Allocation

v free(x,y,P)

Lookup

v free(E,P)\{x}

Mutation

Disposal

wp(x:=cons(y,z), P) = v. ( (v x,y)

wp( x:= [E], P) = v. (e v) ∧ P(x/v)

wp([E1]:=E2, P) = (E1 _ ) ∗ ( (E1 E2) −∗ P))

wp(dispose E, P) = (E1 _ ) ∗ P

- Application of separation logic proof rules as symbolic execution
- Restrict assertion language to symbolic heaps
- Discharge entailments A B
- axiomatize consequences of induction

- Frame inference

DeleteTree (t) {

local i,j;

if (t != nil) {

i := [t];

j := [t+1] ;

DeleteTree(j);

DeleteTree(i);

dispose t;

}

}

{ tree(t) }

{ tree(t) ∧ t nil }

{ ∃x,y. t x,y ∗ tree(x) ∗ tree(y) }

{t i,j ∗ tree(i) ∗ tree(j) }

{t i,j ∗ tree(i) ∗ emp }

{t i,j ∗ tree(i) }

{t i,j ∗ emp }

{ emp }

{ emp }

- Failed proof of entailment yields a frame
- Assertion at call site
- Callee’s precondition
- Frame

{ t i,j ∗ tree(i) ∗ tree(j) }

{ tree(j) }

t i,j ∗ tree(i) ∗ tree(j) tree(j)

.....

t i,j ∗ tree(i) emp

{ t i,j ∗ tree(i) }

- Assertion at call site:
- Callee’s precondition:

DeleteTree(j)

{ tree(j) }

{ emp }

{t i,j ∗ tree(i) ∗ tree(j) }

{t i,j ∗ tree(i) }

DeleteTree(j)

{ t i,j ∗ tree(i) ∗ tree(j) }

{ tree(j) }

- Lose the information that x=y
- Do we need inequality involving just-disposed ?

{ x _ } free(x) { emp }

{ y _ ∗ x _ } free(x) { y _ }

- Abstract value is a set of symbolic heaps
- Abstract transformers by symbolic execution (TODO EXAMPLE)
- Fixpoint check by entailement
- Knobs
- widening / abstraction
- join
- interprocedural analysis (cutpoints)
- predicate discovery

- Before: tree ∧ (Q∗ R) (tree ∧ Q)∗ (tree ∧ R)
- After: (tree ∧ Q)∗ (tree ∧ R) tree ∧ (Q∗ R)
- Loss of global property
- no restrictions on dangling pointers in P and Q
- can point to each other and create cycles

{ tree ∧ P } C { tree ∧ Q }

{ (tree ∧ R)∗ (tree ∧ P) } C { (tree ∧ Q)∗ (tree ∧ R) }

http://www.dcs.qmw.ac.uk/~ohearn/localreasoning.html

- The Logic of Bunched Implications O'Hearn and Pym. 1999
- Intuitionistic Reasoning about Shared Mutable Data Structure Reynolds. 1999
- BI as an Assertion Language for Mutable Data Structures. Ishtiaq, O'Hearn. POPL'01.
- Local Reasoning about Programs that Alter Data Structures O'Hearn, Reynolds, Yang. CSL'01.
- Separation Logic: A Logic for Shared Mutable Data Structures Reynolds. LICS 2002.

- An example of local reasoning in BI pointer logic: the Schorr-Waite graph marking algorithm Yang, SPACE 2001
- Local Reasoning about a Copying Garbage CollectorBirkedal, Torp-Smith, Reynolds. POPL'04

- Symbolic Execution with Separation Logic.Berdine, Calcagno, O'Hearn. APLAS'05.
- Smallfoot: Modular Automatic Assertion Checking with Separation Logic Berdine, Calcagno, O'Hearn. FMCO’06.
- A local shape analysis based on separation logic Distefano, O'Hearn, Yang. TACAS’06.
- Interprocedural Shape Analysis with Separated Heap Abstractions. Gotsman, Berdine, Cook. SAS’06
- Shape analysis for composite data structures.Berdine, Calcagno, Cook, Distefano, O'Hearn, Wies, Yang. CAV'07.
- ...

- Resources, Concurrency and Local Reasoning O'Hearn. Reynolds Festschrift, 2007. CONCUR'04
- A Semantics for Concurrent Separation Logic Brookes. Reynolds Festschrift, 2007. CONCUR'04
- Towards a Grainless Semantics for Shared Variable Concurrency John C. Reynolds (in preparation?)
- Permission Accounting in Separation LogicBornat, Calcagno, O'Hearn, Parkinson. POPL’05
- Modular Verification of a Non-blocking StackParkinson, Bornat, O'Hearn. POPL’07
- A Marriage of Rely/Guarantee and Separation Logic Parkinson, Vafeiadis. CONCUR’07
- Modular Safety Checking for Fine-Grained Concurrency (smallfootRG)Calcagno, Parkinson, Vafeiadis. SAS'07
- Thread-Modular Shape Analysis. Gotsman, Berdine, Cook, Sagiv. PLDI’07
- ...

- Automatic termination proofs for programs with shape-shifting heaps. Berdine, Cook, Distefano, O'Hearn. CAV’06
- Variance Analyses from Invariance Analyses.Berdine, Chawdhary, Cook, Distefano, O'Hearn. POPL 2007
- ...

- Separation logic and abstraction Parkinson and Bierman. POPL’05
- Class Invariants: The End of the Road?Parkinson. IWACO'07.
- Separation Logic, Abstraction, and InheritanceParkinson, Bierman. POPL'08
- …

- Extension of Hoare logic to imperative programs
- Separating conjunction ∗
- Inductive definitions for data-structures
- Tight specifications
- Dangling pointers
- Local surgeries
- Frame rule