Separation Logic A Logic of Shared Mutable Data

Separation Logic A Logic of Shared Mutable Data Structures John Reynolds CMU Extended subset Mooly Sagiv

Program Verification • • • Verify that the program is correct No unexpected behavior Identify bugs Valid documentation Proofs can be saved Axiomatic semantics

Notations • {P} S {Q} – If P holds when S starts and S terminates then Q holds after S – Partial correctness – No runtime errors (null dereferences) – S assumes P and guarantees Q • [P] S [Q] – If P holds when S starts then S terminates and Q holds after S – total correctness – S assumes P and guarantees Q – A backward version can be defined WP(S, Q) • The weakest condition which guarantees that S terminates and satisfies Q

Hoare Proof Rules for Partial Correctness {p} skip {p} {p/v e } v: =e {p} c 0 {r} c 1 {q} {p} c 0; c 1{q} {p b} c 0 {q} {p b} c 1 {q} {p} if b then c 0 else c 1{q}

Hoare Proof Rules for Partial Correctness {i b} c {i} while b do c{i b} p p’ {p’} c {q’} q’ q {p} c {q}

Simple Example x : = 0; i : = 0 while (i < n ) x : = x + a; i : = i + 1;

Pathological Example while true do skip

Memory allocation & destructive updates. Store: [x: 3, y: 40, z: 17] • Allocation x : = cons(y, z) Heap: empty Store: [x: 37, y: 40, z: 17] Heap: 37: 40, 38: 17 • Heap lookup y : = [x+1] Store: [x: 37, y: 17, z: 17] Heap: 37: 40, 38: 17 Store: [x: 37, y: 17, z: 17] • Mutation [x + 1] : = 3 • Deallocation dispose(x+1) Heap: 37: 40, 38: 3 Store: [x: 37, y: 17, z: 17] Heap: 37: 40

Properties of Hoare Triples • Soundness • Relative completeness

Hoare Axiom for Destructive Updates axioms {p/[e 1] e} [e 1] : = e {p} {[z]=40} [x] : = 77 {[z] =40} Store: [x: 37, y: 17, z: 37] Heap: 37: 40, 38: 3 Heap: 37: 77, 38: 3

Difficulties with Pointers • Assignment rule breaks • No constancy rule {p} c {q} {p r} c {q r} where no free variable in r is modified by c • Hard to use abstract data types • Hard to specify what is expected – Can we specify concisely what is not expected? • Scalability program verification/analysis

Outline ü Hoare logic ü Difficulties with pointers • A Simple Programming Language • Monotonicity and Seperability • Assertions & Axioms • Applications • Limitations • Missing

The Programming Language <comm> : : = … | <var> : = cons(<exp>, …, <exp>) | <var> : = [<exp>] | [<exp>] : = <exp> | dispose <exp>

States • Values = Integers Atoms Addresses • Heaps = { A Values | A Addresses, A is finite} • nil Atoms • • Store. V = V Values State. V = Store. V Heaps e : Store. V Values b : Store. V {true, false}

Commands • Small-step operational semantics <c, state> state‘ • Special error state

Commands(2) • Allocation <v : = cons(e 1, …, en), (s, h)> [s| v: l], [h|l: e 1 s|…| l+n-1: en s] where l 1, …, ln Addresses – dom h • Lookup – <v : = [e], (s, h)> ([s | v: h( e s), h) where e s dom h – <v : = [e], (s, h)> where e s dom h

Commands(3) • Mutation (destructive-update) – <[e] : = e’, (s, h)> (s, [h | e s : e’ s ]) where e s dom h – <[e] : = e’, (s, h)> where e s dom h • Deallocation – <dispose e, (s, h)> (s, h - e s ) where e s dom h – <dispose e, (s, h)> where e s dom h

Heap Montonicity • For all heaps h h’ • If a command does not fault on a small heap h then it does not fault on a larger heap h’ – If <c, (s, h’)> * then <c, (s, h)> *

Notation • h = h 0 # h 1 union of disjoint heaps • Requires that h 0 and h 1 are disjoint • h = h 0 h 1

Heap Separabality • Assumption: h = h 0 # h 1 • The effect of a command on a large heap is determined by its effect on any subheap without faults – If there exists h’ such that <c, (s, h)> * (s’, h’) and <c, (s, h 0)> ! * then there exists h’ 0 such that (i) h’= h’ 0 # h 1 and (ii) <c, (s, h 0)> * (s’, h’ 0)

Separation Logic Syntax Intended Meaning e=f Pure expression comparison e f A heap with one location pointed to by E with content F Empty heap emp p *q true, false, p q, x: p p and q hold in disjoint heaps standard e _ l: e l e e 0, e 1, …, en-1 e e 0 *e+1 e 1* … * e+n-1 e f * true

Semantics of separation logics s, h E = F E s = F s s, h E F { E s} = dom(h) and h( E ) = F s s, h emp h=[] s, h P * Q exist h 1, h 2: h=h 1 #h 2 s, h 1 P s, h 2 Q

Semantics of separation logics(cont) s, h false never s, h P Q if s, h P then s, h Q s, h x. P exists v: [s | x : v], h P

Formula Example state x 3, y Store: x: , y: Heap: : 3, +1: y 3, x x 3, y * y 3, x x 3, y y 3, x Store: x: , y: Heap: : 3, +1: , +1, , and +1 disjoint Store: x: , y: Heap: : 3, +1:

Three “Small” Axioms {E _} [E] : = b {E b} {emp} x : = cons(y, z) {x y, z} {E _} dispose(E) {emp}

The Frame Rule Tight specification {P} C {Q} {P * R} C {Q * R} Mod(x : = _) = {x} Mod([E]: =F) = {} Mod(dispose(E)) = {} Mod(C) free(R)={}

A simple application of the frame rule {P} C {Q} {P * R} C {Q * R} {(E _ )* P } dispose(E) {P} Mod(C) free(R)={}

Sound Axioms • • • p*q q*p p * (q * r) (p * q) * r p * emp p (p q) * r (p * r) (q * r) (p ⋀ q) * r (p * r) ⋀ (q * r) ( x: p) * q x: p * q (when x is not free in q)

Unsound Axioms P P*P Contraction P= x 1 P*Q P P= x 1 Q= y 2 Weakening

The Reverse Example y: = nil ; while x nil do ( t : = y y : = x x : = [x +1] [y+1] : = t )

The Reverse Example y: = nil ; while x nil do ( , . list y list x rev( 0)= rev( ). t : = y list z z= nil y : = x x : = [x +1] [y+1] : = t ) list a. z s: z a, s list s

The Reverse Example y: = nil ; while x nil do ( t : = y , . list y list x rev( 0 ) = rev( ). z: reach(x, z) reach(y, z) z=nil y : = x x : = [x +1] ) reach(a, b) = n 0: reachn(a, b) [y+1] : = t reach 0(a, b) a = b reachi+1(a, b) h, t: a h, t reachi(t, b)

The Reverse Example y: = nil ; while x nil do ( t : = y y : = x x : = [x +1] [y+1] : = t ) , . list y * list x rev( 0 ) = rev( ).

The Delete Example {list(c, nil)} bool elem_delete(delval, c) prev=nil / list(c, nil) prev=nil prev != nil / (list (c, prev) * (prev -, elem) * list (elem, nil)) elem = c while (elem nil) ( if (elem->val = delval) then ( list(x, y) x=y emp if (prev = nil) then c = [elem+1] t: x _, t * list(t, y) else [prev+1] = [elem+1]; dispose(elem); return TRUE) prev=elem; elem = [elem+1] {list(c, nil)}

Montonicity Axiom p 1 p 2, q 1 q 2 p 1 * q 1 p 2 * q 2

Type of assertions • • Pure independent of the heap Strictly-exact holds for exactly one heap Domain-exact holds for exactly one domain Intuitionistic monotonic in the heap

Garbage • The assertion language does not allow garbage collection • Can limit the assertion language to allow garbage collection

Applications • Manual program verification – – Deautch-Shorr-Waite Copy GC (POPL’ 04) Algorithms on DAGs (Space’ 04) Resource ownership (POPL’ 04) • Limited to exact predicates • Justify other formalisms – Confinement (POPL’ 02) – Ownership

Missing • • • Logic of bunch implications Completeness Concurrency Resource ownership Complexity results Substructural logic

History • [Burstall 1972] Separating Conjunctions (implicit) • [Reynolds 1999] Explicit Separating Conjunctions • [Ishtiaq & O’Hearn 2001] – Bunch implications – Frame rule