Introduction to Separation Logic presented by Greta Yorsh
Introduction to Separation Logic presented by Greta Yorsh April 02, 2008 IBM, Hawthorne
This Talk • What is Separation Logic? • Strengths and weaknesses • Successful applications • Main challenges
What is Separation Logic? • Extension of Hoare logic – low-level imperative programs – shared mutable data structures
Motivating Example assume( ) assume( *y = 4; *z = 5; assert( *x == 3 ) ∧ x != y ∧ x != z y != z ) *y != *z ) *x == 3 ) • contents are different • contents stay the same • different locations
Framing Problem { y != z } C { *y != *z } { *x == 3 ∧ y != z } C {*y != *z ∧ *x == 3 } • What are the conditions on aliasing btwn x, y, z ?
Framing Problem { P } C {Q} { R∧ P } C {Q∧R} • What are the conditions on C and R? – in presence of aliasing and heap • Separation logic introduces new connective ∗ { P } C {Q} { R∗P } C {Q∗R}
Outline • • • Assertion language: syntax and semantics Hoare-style proofs Program analysis Concurrency Termination Object-oriented programs
ASSERTION LANGUAGE
Examples xx x y yy 33 8 8 33 y ls(y, z) x y ∗ ls(y, z) ∧ z = x zz
Syntax Assertion false P∧Q P∨Q Name Logical false Classical conjunction Classical disjunction P⇒Q P∗Q P −∗ Q E E emp ∃x. P E=E Classical implication Separating conjunction (star) Separating implication (magic wand) Points to Empty heap Existential quantifier Expression value equality
Semantics • Assertions are evaluated w. r. t. a state • State is store and heap – S : Var ⇀ Int – H : Loc ⇀ Int where Loc ⊆ Int • Notations – disjoint domains: – composition: – evaluation: – update: • S, H P dom(H 1) dom(H 2) H 1 ◦ H 2 E S Int S[x: i]
Semantics Relation Definition S, H false Never satisfied S, H P ∧ Q S, H P ∧ S, H Q S, H P ∨ S, H Q S, H P ⇒ Q S, H |= P ⇒ S, H |= Q S, H P ∗ Q ∃H 1, H 2. dom(H 1) dom(H 2) ∧ H 1 ◦ H 2 = H ∧ S, H 1 P ∧ S, H 2 Q S, H P −∗ Q ∀H′. (dom(H) dom(H’) ∧ S, H′ P) ⇒ S, H◦H′ Q S, H E 1 E 2 dom(H) = { E 1 S } ∧ H( E 1 S )= E 2 S S, H emp H = {} S, H ∃x. P i Int. S[x: i], H P S, H E 1 = E 2 E 1 S = E 2 S
Common Shorthands • E E 1, E 2, . . , En E E 1 ∗ E+1 E 2 ∗. . . ∗ E+(n-1) Enx 3 4 7 10 11 12 S = [x: 10, y: 4] H = [10: 3, 11: 4, 12: 7] • E 1 E 2 ∗ true • E _ ∃x. E x x 3, y, 7
Examples xy y x 4 3 S = [x: 10, y: 30] H = [10: 4, 11: 3, 30: 4, 31: 3] x 4, 3 ∗ y 4, 3 x 4, 3 ∧ y 4, 3 4 3 S = [x: 10, y: 10] H = [10: 4, 11: 3]
Inductive Definitions • Describe invariants of recursive data-structure – – – – Trees List Segments Doubly-linked list segments Cyclic lists List of cyclic doubly linked lists Lists with head pointers Nested lists (bounded depth). . . • Binary tree(E) (E = nil ∧ emp) ∨ (∃x, y. E x, y ∗ tree(x) ∗ tree(y))
List segment • Acyclic, possibly empty ls(E, F) (E=F ∧ emp) ∨ (E F ∧ ∃v. E v ∗ ls(v, F)) S = [x: 10, y: 30] H = [10: 4, 4: 17, 17: 20, 20: 30] ls(x, y) x 4 17 20 30 10 4 17 20 dangling pointer • Possibly cyclic, panhandle, empty cls(E, F) (E=F ∧ emp) ∨ (∃x. E x ∗ cls(x, F))
More complex structures • Doubly-linked list segment dls(x, y, z) (x=y ∧ emp) ∨ (x y ∧ ∃w. x z, w ∗ dls(w, y, x)) x z y
Axioms • ls(x, y) ∗ ls(y, nil) ⇒ ls(x, nil) • ls(x, y) ∗ ls(y, z) ⇒ ls(x, z) • ls(x, y) ⇒ ∃w. ls(x, w) ∗ w y z allocated in ls(x, y) empty heap • (P 1 ∧ P 2) ∗ Q ⇒ (P 1 ∗ Q) ∧ (P 2 ∗ Q) • x y∗z w⇒ x z • x y ∧ z w ⇒ x y ∧ x = z ∧ y =w
Axioms • Weakening –P∧Q⇒P –P∗Q⇒P x 1∗y 2 x 1 • Contraction – P ⇒ P ∧ P –P⇒P*P x 1∗x 1
Precise Assertions • S, H there is at most one h’ h s. t. s, h’ P • Examples – precise: – not precise: x 1, ls(x, y) x. x y, P ∨ Q • Axiom for precise assertions (P 1 ∧ P 2) ∗ Q (P 1 ∗ Q) ∧ (P 2 ∗ Q)
Pure Assertions • Syntax: do not contain or emp • Semantics: do not depend on heap (for any store) • Axioms for pure assertions x=y ∗ z = w x=y ∧ z = w
Symbolic Heaps • Fragment of Separation Logic assertion language A : : = (P ∧. . . ∧ P) ∧ (S ∗. . . ∗ S) E : : = x | nil | E + E P : : = E=E | E E S : : = E E | tree(E) | ls(E, E) | dls(E, E, E) • Decidable – satisfiability, small model property – entailment
HOARE-STYLE PROOFS
Hoare Triples • {P} C {Q} – partial correctness – if P holds when C starts and C terminates then Q holds after C – no runtime errors (null dereferences) • [P] C [Q] – total correctness – if P holds when C starts then C terminates and Q holds after C
The Programming Language <comm> : : = … | <var> : = cons(<exp>, …, <exp>) • allocation | <var> : = [<exp>] • heap lookup | [<exp>] : = <exp> • mutation | dispose <exp> • deallocation
Operational Semantics by Example Store: [x: 3, y: 40, z: 17] • Allocation x : = cons(y, z) Heap: empty Store: [x: 37, y: 40, z: 17] Heap: [37: 40, 38: 17] • Heap lookup y : = [x+1] Store: [x: 37, y: 17, z: 17] Heap: [37: 40, 38: 17] • Mutation [x + 1] : = 3 • Deallocation dispose(x+1) Store: [x: 37, y: 17, z: 17] Heap: [37: 40, 38: 3] Store: [x: 37, y: 17, z: 17] Heap: [37: 40]
Hoare Proof Rules for Partial Correctness { P } skip { P } { P(v/e) } v: =e {P} c 1 {R} c 2 {Q} {P} c 1; c 2{Q} {P b} c 1 {Q} {P b} c 2 {Q} {P} if b then c 1 else c 2 {Q} {i b} c {i} while b do c {i b} P P’ {p} c {q} {P’} c {Q’} Q’ Q
Hoare Axiom for Assignment • How to extend it for heap mutation ? { P ( [e 1] / e 2 } • Example: { [z]=40 } [e 1] : = e 2 {P} [x] : = 77 { [z]=40 } Store: [x: 37, y: 17, z: 37] Heap: [37: 40, 38: 3] Heap: [37: 77, 38: 3]
“Small” Axioms { emp } x : = cons(y, z) { x y, z } • allocation {E z} x : = [E] {E z ∧ x = z} • heap lookup {E 1 _} [E 1] : = E 2 {E 1 E 2} • mutation {E _} dispose(E) • deallocation {emp}
The Frame Rule { P } C {Q} { R∗P } C {Q∗R} Mod(C) free(R)={} Mod(x : = _) = {x} Mod([E]: =F) = {} Mod(dispose(E)) = {}
The Frame Rule { P } C {Q} { R∗P } C {Q∗R} Mod(C) free(R)={} • Small Axioms give tight specification • Allows the Small Axioms to apply generally { x y ∗ ls(y, z) } dispose(x) { ls(y, z) } • Handle procedure calls modularly • Frame rule is a key to local proofs
list(x) ls(x, nil) { list(x) } Reverse y: = nil ; { list(x) ∗ list(y) } while x nil do { {x nil ∧ list(x) ∗ list(y)} { ∃i. x i ∗ list(i) ∗ list(y) } unfold { x i } t : = [x] { x t ∧ t = i } t : = [x] { x t ∗ list(t) ∗ list(y) } [x] : = y { x y ∗ list(t) ∗ list(y) } { list(t) ∗ list(x) } y : = x x : = t { list(t) ∗ list(y) } { list(x) ∗ list(y) } {x = nil ∧ list(x) ∗ list(y) } { list(y) } } { x _ } [x] : = y { x y } fold
Local Specification • Footprint – part of the state that is used by the command • Local specification – reasoning only about the footprint • Frame rule – from local to global spec
Frame Rule • Sound – safety-monotonicity – frame property of small axioms • Complete – derives WLP or SP for commands
Weakest Preconditions wp(x: =cons(y, z), P) = v. ( (v x, y) • Allocation v free(x, y, P) wp( x: = [E], P) = v. (e v) ∧ P(x/v) • Lookup v free(E, P){x} wp([E 1]: =E 2, P) = (E 1 _ ) ∗ ( (E 1 E 2) −∗ P)) • Mutation wp(dispose E, P) = (E 1 _ ) ∗ P • Disposal
AUTOMATED VERIFICATION AND PROGRAM ANALYSIS
Symbolic Execution • Application of separation logic proof rules as symbolic execution • Restrict assertion language to symbolic heaps • Discharge entailments A B – axiomatize consequences of induction • Frame inference
Delete. Tree { tree(t) } Delete. Tree (t) { local i, j; { tree(t) ∧ t nil } { ∃x, y. t x, y ∗ tree(x) ∗ tree(y) i : = [t]; } if (t != nil) { j : = [t+1] ; Delete. Tree(j); Delete. Tree(i); dispose t; } } { emp } {t i, j ∗ tree(i) ∗ tree(j) } {t i, j ∗ tree(i) }∗ emp } {t i, j ∗ emp } { emp }
Frame Inference • Failed proof of entailment yields a frame – Assertion at call site – Callee’s precondition { t i, j ∗ tree(i) ∗ tree(j) } { tree(j) } t i, j ∗ tree(i) ∗ tree(j) . . . t i, j ∗ tree(i) emp – Frame { t i, j ∗ tree(i) }
Frame Inference { tree(j) } Delete. Tree(j) { emp } {t i, j ∗ tree(i) ∗ tree(j) } Delete. Tree(j) {t i, j ∗ tree(i) } • Assertion at call site: { t i, j ∗ tree(i) ∗ tree(j) } • Callee’s precondition: { tree(j) }
Incompleteness of Frame Inference { x _ } free(x) { emp } { y _ ∗ x _ } free(x) { y _ } • Lose the information that x=y • Do we need inequality involving just-disposed ?
Program Analysis • Abstract value is a set of symbolic heaps • Abstract transformers by symbolic execution (TODO EXAMPLE) • Fixpoint check by entailement • Knobs – widening / abstraction – join – interprocedural analysis (cutpoints) – predicate discovery
Global Properties? { tree ∧ P } C { tree ∧ Q } { (tree ∧ R) ∗ (tree ∧ P) } C { (tree ∧ Q) ∗ (tree ∧ R) } • Before: tree ∧ (Q ∗ R) (tree ∧ Q) ∗ (tree ∧ R) • After: (tree ∧ Q) ∗ (tree ∧ R) tree ∧ (Q ∗ R) • Loss of global property – no restrictions on dangling pointers in P and Q
BIBLIOGRAPHY http: //www. dcs. qmw. ac. uk/~ohearn/localreasoning. html
“Early Days” • The Logic of Bunched Implications O'Hearn and Pym. 1999 • Intuitionistic Reasoning about Shared Mutable Data Structure Reynolds. 1999 • BI as an Assertion Language for Mutable Data Structures. Ishtiaq, O'Hearn. POPL'01. • Local Reasoning about Programs that Alter Data Structures O'Hearn, Reynolds, Yang. CSL'01. • Separation Logic: A Logic for Shared Mutable Data Structures Reynolds. LICS 2002.
Successful Applications • An example of local reasoning in BI pointer logic: the Schorr-Waite graph marking algorithm Yang, SPACE 2001 • Local Reasoning about a Copying Garbage Collector Birkedal, Torp-Smith, Reynolds. POPL'04
Analysis and Automated Verification • Symbolic Execution with Separation Logic. Berdine, Calcagno, O'Hearn. APLAS'05. • Smallfoot: Modular Automatic Assertion Checking with Separation Logic Berdine, Calcagno, O'Hearn. FMCO’ 06. • A local shape analysis based on separation logic Distefano, O'Hearn, Yang. TACAS’ 06. • Interprocedural Shape Analysis with Separated Heap Abstractions. Gotsman, Berdine, Cook. SAS’ 06 • Shape analysis for composite data structures. Berdine, Calcagno, Cook, Distefano, O'Hearn, Wies, Yang. CAV'07. • . . .
Concurrency • Resources, Concurrency and Local Reasoning O'Hearn. Reynolds Festschrift, 2007. CONCUR'04 • A Semantics for Concurrent Separation Logic Brookes. Reynolds Festschrift, 2007. CONCUR'04 • Towards a Grainless Semantics for Shared Variable Concurrency John C. Reynolds (in preparation? ) • Permission Accounting in Separation Logic Bornat, Calcagno, O'Hearn, Parkinson. POPL’ 05 • Modular Verification of a Non-blocking Stack Parkinson, Bornat, O'Hearn. POPL’ 07 • A Marriage of Rely/Guarantee and Separation Logic Parkinson, Vafeiadis. CONCUR’ 07 • Modular Safety Checking for Fine-Grained Concurrency (smallfoot. RG) Calcagno, Parkinson, Vafeiadis. SAS'07 • Thread-Modular Shape Analysis. Gotsman, Berdine, Cook, Sagiv. PLDI’ 07 • . . .
Termination • Automatic termination proofs for programs with shape-shifting heaps. Berdine, Cook, Distefano, O'Hearn. CAV’ 06 • Variance Analyses from Invariance Analyses. Berdine, Chawdhary, Cook, Distefano, O'Hearn. POPL 2007 • . . .
Object Oriented Programming • Separation logic and abstraction Parkinson and Bierman. POPL’ 05 • Class Invariants: The End of the Road? Parkinson. IWACO'07. • Separation Logic, Abstraction, and Inheritance Parkinson, Bierman. POPL'08 • …
Summary of Basic Ideas • • Extension of Hoare logic to imperative programs Separating conjunction ∗ Inductive definitions for data-structures Tight specifications Dangling pointers Local surgeries Frame rule
- Slides: 51