1 / 51

# Introduction to Separation Logic - PowerPoint PPT Presentation

Introduction to Separation Logic. presented by Greta Yorsh April 02, 2008 IBM , Hawthorne. This Talk. What is Separation Logic? Strengths and weaknesses Successful applications Main challenges. What is Separation Logic?. Extension of Hoare logic low-level imperative programs

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Introduction to Separation Logic' - ingrid

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Introduction to Separation Logic

presented by

Greta Yorsh

April 02, 2008IBM, Hawthorne

• What is Separation Logic?

• Strengths and weaknesses

• Successful applications

• Main challenges

• Extension of Hoare logic

• low-level imperative programs

• shared mutable data structures

assume( *x == 3 )

assume( *x == 3 ∧ x != y ∧ x != z )

assume( y != z )

assume( y != z )

*y = 4;

*z = 5;

assert( *y != *z )

assert( *x == 3 )

• contents are different

• contents stay the same

• different locations

• What are the conditions on aliasing btwn x, y, z ?

{ y != z } C { *y != *z }

{ *x == 3∧y != z } C {*y != *z∧*x == 3 }

• What are the conditions on C and R?

• in presence of aliasing and heap

• Separation logic introduces new connective ∗

{ P } C {Q}

{ R ∧ P } C { Q ∧R }

{ P } C {Q}

{ R ∗ P } C { Q ∗R }

• Assertion language: syntax and semantics

• Hoare-style proofs

• Program analysis

• Concurrency

• Termination

• Object-oriented programs

x  y

ls(y, z)

x  y ∗ ls(y, z)

33

8

8  33

x

y

y

z

x

∧ z = x

y

z

• Assertions are evaluated w.r.t. a state

• State is store and heap

• S : Var ⇀ Int

• H : Loc ⇀ Int where Loc ⊆ Int

• Notations

• disjoint domains: dom(H1) dom(H2)

• composition: H1 ◦ H2

• evaluation: ES Int

• update: S[x:i]

• S,H  P

• E  E1,E2,..,En E  E1 ∗ E+1  E2 ∗ ... ∗ E+(n-1)  En

• E1  E2 E1  E2 ∗ true

• E  _  ∃x. E  x

x

x  3,y,7

S = [x:10, y:4]

H = [10:3,11:4,12:7]

3

4

7

11

12

10

y

x

y

x

4

3

4

4

3

3

S = [x:10, y:30]

H = [10:4,11:3,30:4,31:3]

S = [x:10, y:10]

H = [10:4,11:3]

• Describe invariants of recursive data-structure

• Trees

• List Segments

• Cyclic lists

• List of cyclic doubly linked lists

• Nested lists (bounded depth)

• ...

• Binary tree

tree(E)  (E = nil ∧ emp) ∨ (∃x,y. E x,y ∗ tree(x) ∗ tree(y))

• Acyclic, possibly empty

ls(E, F)  (E=F ∧ emp) ∨ (EF ∧ ∃v. Ev ∗ ls(v, F))

S = [x:10, y:30]

H = [10:4,4:17,17:20,20:30]

ls(x,y)

x

4

17

20

30

• Possibly cyclic, panhandle, empty

• cls(E, F)  (E=F ∧ emp) ∨ (∃x. Ex ∗ cls(x, F))

dangling pointer

4

17

20

10

dls(x,y,z)  (x=y ∧ emp)

∨ (xy ∧ ∃w. xz,w ∗ dls(w,y,x))

x

y

z

• ls(x,y) ∗ ls(y,nil) ⇒ ls(x,nil)

• ls(x,y) ∗ ls(y,z) ⇒ ls(x,z)

• ls(x,y) ⇒ ∃w. ls(x,w) ∗ wy

• (P1 ∧ P2) ∗ Q ⇒ (P1 ∗ Q) ∧ (P2 ∗ Q)

• x  y ∗ z  w ⇒ x  z

• x  y ∧ z  w ⇒ x  y ∧ x = z ∧ y = w

z allocated in ls(x,y)

empty heap

• Weakening

• P ∧ Q ⇒ P

• P ∗ Q ⇒ P

• Contraction

• P ⇒ P ∧ P

• P ⇒ P * P

x  1 ∗ y  2  x  1

x  1  x  1 ∗ x  1

•  S,H there is at most one h’  h s.t. s,h’  P

• Examples

• precise: x  1, ls(x,y)

• not precise: x. x  y, P ∨ Q

• Axiom for precise assertions

(P1 ∧ P2) ∗ Q  (P1 ∗ Q) ∧ (P2 ∗ Q)

• Syntax: do not contain  or emp

• Semantics: do not depend on heap (for any store)

• Axioms for pure assertions

x=y ∗ z = w  x=y ∧ z = w

• Fragment of Separation Logic assertion language

• Decidable

• satisfiability, small model property

• entailment

A ::= (P ∧ ... ∧ P) ∧ (S ∗ ... ∗ S)

E ::= x | nil | E + E

P ::= E=E | E  E

S ::= E  E | tree(E) | ls(E, E) | dls(E, E, E)

• {P} C {Q}

• partial correctness

• if P holds when C starts and C terminates then Q holds after C

• no runtime errors (null dereferences)

• [P] C [Q]

• total correctness

• if P holds when C starts then C terminates and Q holds after C

• allocation

• heap lookup

• mutation

• deallocation

<comm> ::= …

| <var> := cons(<exp>, …, <exp>)

| <var> := [<exp>]

| [<exp>] := <exp>

| dispose <exp>

Store: [x:3, y:40, z:17]

Heap: empty

• Allocation x := cons(y, z)

• Heap lookup y := [x+1]

• Mutation [x + 1] := 3

• Deallocation dispose(x+1)

Store: [x:37, y:40, z:17]

Heap: [37:40, 38:17]

Store: [x:37, y:17, z:17]

Heap: [37:40, 38:17]

Store: [x:37, y:17, z:17]

Heap: [37:40, 38:3]

Store: [x:37, y:17, z:17]

Heap: [37:40]

{ P } skip { P }

{ P(v/e) } v:=e {P}

{P} c1 {R} {R} c2 {Q}

{P} c1;c2{Q}

{Pb} c1 {Q} {P b} c2 {Q}

{P} if b then c1 else c2 {Q}

{ib} c {i}

{i} while b do c {ib}

P  P’ {P’} c {Q’} Q’  Q

{p} c {q}

• How to extend it for heap mutation ?

• Example:

{ P ( [e1] / e2 } [e1] := e2 {P}

{ [z]=40 } [x] := 77 { [z]=40 }

Store: [x:37, y:17, z:37]

Heap: [37:40, 38:3]

Store: [x:37, y:17, z:37]

Heap: [37:77, 38:3]

• allocation

• heap lookup

• mutation

• deallocation

{ emp } x := cons(y, z) { x  y, z }

{Ez} x := [E] {E z ∧ x = z}

{E1_} [E1] := E2 {E1  E2}

{E_} dispose(E) {emp}

{ P } C {Q}

Mod(C) free(R)={}

{ R ∗ P } C { Q ∗R }

Mod(x := _) = {x}

Mod([E]:=F) = {}

Mod(dispose(E)) = {}

• Small Axioms give tight specification

• Allows the Small Axioms to apply generally

• Handle procedure calls modularly

• Frame rule is a key to local proofs

{ P } C {Q}

Mod(C) free(R)={}

{ R ∗ P } C { Q ∗R }

{ xy ∗ ls(y,z) } dispose(x) { ls(y,z) }

list(x)  ls(x,nil)

{ list(x) }

y: = nil ;

while x  nil do {

t := [x]

[x] := y

y := x

x := t

}

{ list(x) ∗ list(y) }

{x  nil ∧ list(x) ∗ list(y)}

unfold

{ ∃i . x i ∗ list(i) ∗ list(y) }

{ x i } t := [x] { x t ∧ t = i }

{ xt ∗ list(t) ∗ list(y) }

{ x _ } [x] := y { x y}

{ xy ∗ list(t) ∗ list(y) }

fold

{ list(t) ∗ list(x) }

{ list(t) ∗ list(y) }

{ list(x) ∗ list(y) }

{x = nil ∧ list(x) ∗ list(y) }

{ list(y) }

• Footprint

• part of the state that is used by the command

• Local specification

• reasoning only about the footprint

• Frame rule

• from local to global spec

• Sound

• safety-monotonicity

• frame property of small axioms

• Complete

• derives WLP or SP for commands

Allocation

v  free(x,y,P)

Lookup

v  free(E,P)\{x}

Mutation

Disposal

wp(x:=cons(y,z), P) =  v. ( (v  x,y)

wp( x:= [E], P) =  v. (e  v) ∧ P(x/v)

wp([E1]:=E2, P) = (E1 _ ) ∗ ( (E1 E2) −∗ P))

wp(dispose E, P) = (E1 _ ) ∗ P

• Application of separation logic proof rules as symbolic execution

• Restrict assertion language to symbolic heaps

• Discharge entailments A  B

• axiomatize consequences of induction

• Frame inference

DeleteTree (t) {

local i,j;

if (t != nil) {

i := [t];

j := [t+1] ;

DeleteTree(j);

DeleteTree(i);

dispose t;

}

}

{ tree(t) }

{ tree(t) ∧ t  nil }

{ ∃x,y. t x,y ∗ tree(x) ∗ tree(y) }

{t i,j ∗ tree(i) ∗ tree(j) }

{t i,j ∗ tree(i) ∗ emp }

{t i,j ∗ tree(i) }

{t i,j ∗ emp }

{ emp }

{ emp }

• Failed proof of entailment yields a frame

• Assertion at call site

• Callee’s precondition

• Frame

{ t i,j ∗ tree(i) ∗ tree(j) }

{ tree(j) }

t i,j ∗ tree(i) ∗ tree(j)  tree(j)

.....

t i,j ∗ tree(i)  emp

{ t i,j ∗ tree(i) }

• Assertion at call site:

• Callee’s precondition:

DeleteTree(j)

{ tree(j) }

{ emp }

{t i,j ∗ tree(i) ∗ tree(j) }

{t i,j ∗ tree(i) }

DeleteTree(j)

{ t i,j ∗ tree(i) ∗ tree(j) }

{ tree(j) }

• Lose the information that x=y

• Do we need inequality involving just-disposed ?

{ x _ } free(x) { emp }

{ y _ ∗ x _ } free(x) { y _ }

• Abstract value is a set of symbolic heaps

• Abstract transformers by symbolic execution (TODO EXAMPLE)

• Fixpoint check by entailement

• Knobs

• widening / abstraction

• join

• interprocedural analysis (cutpoints)

• predicate discovery

• Before: tree ∧ (Q∗ R)  (tree ∧ Q)∗ (tree ∧ R)

• After: (tree ∧ Q)∗ (tree ∧ R) tree ∧ (Q∗ R)

• Loss of global property

• no restrictions on dangling pointers in P and Q

• can point to each other and create cycles

{ tree ∧ P } C { tree ∧ Q }

{ (tree ∧ R)∗ (tree ∧ P) } C { (tree ∧ Q)∗ (tree ∧ R) }

• The Logic of Bunched Implications O'Hearn and Pym. 1999

• Intuitionistic Reasoning about Shared Mutable Data Structure Reynolds. 1999

• BI as an Assertion Language for Mutable Data Structures. Ishtiaq, O'Hearn. POPL'01.

• Local Reasoning about Programs that Alter Data Structures O'Hearn, Reynolds, Yang. CSL'01.

• Separation Logic: A Logic for Shared Mutable Data Structures Reynolds. LICS 2002.

• An example of local reasoning in BI pointer logic: the Schorr-Waite graph marking algorithm Yang, SPACE 2001

• Local Reasoning about a Copying Garbage CollectorBirkedal, Torp-Smith, Reynolds. POPL'04

• Symbolic Execution with Separation Logic.Berdine, Calcagno, O'Hearn. APLAS'05.

• Smallfoot: Modular Automatic Assertion Checking with Separation Logic Berdine, Calcagno, O'Hearn. FMCO’06.

• A local shape analysis based on separation logic Distefano, O'Hearn, Yang. TACAS’06.

• Interprocedural Shape Analysis with Separated Heap Abstractions. Gotsman, Berdine, Cook. SAS’06

• Shape analysis for composite data structures.Berdine, Calcagno, Cook, Distefano, O'Hearn, Wies, Yang. CAV'07.

• ...

• Resources, Concurrency and Local Reasoning O'Hearn. Reynolds Festschrift, 2007. CONCUR'04

• A Semantics for Concurrent Separation Logic Brookes. Reynolds Festschrift, 2007. CONCUR'04

• Towards a Grainless Semantics for Shared Variable Concurrency John C. Reynolds (in preparation?)

• Permission Accounting in Separation LogicBornat, Calcagno, O'Hearn, Parkinson. POPL’05

• Modular Verification of a Non-blocking StackParkinson, Bornat, O'Hearn. POPL’07

• A Marriage of Rely/Guarantee and Separation Logic Parkinson, Vafeiadis. CONCUR’07

• Modular Safety Checking for Fine-Grained Concurrency (smallfootRG)Calcagno, Parkinson, Vafeiadis. SAS'07

• Thread-Modular Shape Analysis. Gotsman, Berdine, Cook, Sagiv. PLDI’07

• ...

• Automatic termination proofs for programs with shape-shifting heaps. Berdine, Cook, Distefano, O'Hearn. CAV’06

• Variance Analyses from Invariance Analyses.Berdine, Chawdhary, Cook, Distefano, O'Hearn. POPL 2007

• ...

• Separation logic and abstraction Parkinson and Bierman. POPL’05

• Class Invariants: The End of the Road?Parkinson. IWACO'07.

• Separation Logic, Abstraction, and InheritanceParkinson, Bierman. POPL'08

• Extension of Hoare logic to imperative programs

• Separating conjunction ∗

• Inductive definitions for data-structures

• Tight specifications

• Dangling pointers

• Local surgeries

• Frame rule