View
78
Download
0
Category
Preview:
DESCRIPTION
Introduction to Separation Logic. presented by Greta Yorsh April 02, 2008 IBM , Hawthorne. This Talk. What is Separation Logic? Strengths and weaknesses Successful applications Main challenges. What is Separation Logic?. Extension of Hoare logic low-level imperative programs - PowerPoint PPT Presentation
Citation preview
Introduction to Separation Logic
presented by Greta Yorsh
April 02, 2008IBM, Hawthorne
This Talk
• What is Separation Logic?
• Strengths and weaknesses• Successful applications• Main challenges
What is Separation Logic?
• Extension of Hoare logic – low-level imperative programs– shared mutable data structures
Motivating Example
assume( *x == 3 )
assert( *x == 3 )
assume( y != z )
*y = 4;*z = 5;assert( *y != *z )
assume( *x == 3 x != y x != z )∧ ∧
assume( y != z )
• contents are different• contents stay the same• different locations
Framing Problem
{ y != z } C { *y != *z }
{ *x == 3 ∧ y != z } C {*y != *z ∧ *x == 3 }
• What are the conditions on aliasing btwn x, y, z ?
Framing Problem
• What are the conditions on C and R?– in presence of aliasing and heap
• Separation logic introduces new connective ∗
{ P } C {Q}
{ R ∧ P } C { Q ∧ R }
{ P } C {Q}
{ R ∗ P } C { Q ∗ R }
Outline
• Assertion language: syntax and semantics• Hoare-style proofs• Program analysis• Concurrency• Termination• Object-oriented programs
ASSERTION LANGUAGE
Examples
x y
ls(y, z)
x y ls(y, z)∗
833
x
y
y
zz
∧ z = x
8 33
x
y
Syntax
Assertion Namefalse Logical falseP Q∧ Classical conjunctionP Q∨ Classical disjunctionP Q⇒ Classical implicationP Q∗ Separating conjunction (star) P − Q∗ Separating implication (magic wand)E E Points toemp Empty heap∃x. P Existential quantifierE = E Expression value equality
Semantics
• Assertions are evaluated w.r.t. a state• State is store and heap
– S : Var Int⇀– H : Loc Int where Loc Int⇀ ⊆
• Notations– disjoint domains: dom(H1) dom(H2) – composition: H1 ◦ H2– evaluation: ES Int– update: S[x:i]
• S,H P
SemanticsRelation Definition
S,H false Never satisfied
S,H P Q∧ S,H P ∧ S,H Q
S,H P Q∨ S,H P ∨ S,H Q
S,H P Q⇒ S,H |= P ⇒ S,H |= Q
S,H P Q∗ ∃H1,H2. dom(H1) dom(H2) H1 ◦ H2 = H∧ S,H1 ∧ P S,H2 ∧ Q
S,H P − Q∗ ∀H . (dom(H) ′ dom(H’) S,H ∧ ′ P) S,H◦H ⇒ ′ Q
S,H E1 E2 dom(H) = { E1S } H( ∧ E1S )= E2S
S,H emp H = {}
S,H x.P∃ i Int . S[x:i],H P
S,H E1 = E2 E1S = E2S
• E E1,E2,..,En E E1 ∗ E+1 E2 ∗ ... ∗ E+(n-1) En
• E1 E2 E1 E2 true∗
• E _ x. E ∃ x
Common Shorthands
10 1143
127 x 3,y,7 S = [x:10, y:4]
H = [10:3,11:4,12:7]
x
Examples
x 4,3
x 4,3
x 4,3 ∗ y 4,3
x 4,3 ∧ y 4,3
34
x
34
y
34
x y
S = [x:10, y:30]H = [10:4,11:3,30:4,31:3]
S = [x:10, y:10]H = [10:4,11:3]
Inductive Definitions• Describe invariants of recursive data-structure
– Trees– List Segments– Doubly-linked list segments– Cyclic lists– List of cyclic doubly linked lists– Lists with head pointers– Nested lists (bounded depth)– ...
• Binary treetree(E) (E = nil emp) ( x,y. E ∧ ∨ ∃ x,y tree(x) ∗ ∗
tree(y))
List segment• Acyclic, possibly empty
ls(E, F) (E=F emp) (E∧ ∨ F v. E∧ ∃ v ls(v, F)) ∗
174
x
3020
410 17 20
ls(x,y)S = [x:10, y:30]H = [10:4,4:17,17:20,20:30]
dangling pointer
• Possibly cyclic, panhandle, emptycls(E, F) (E=F emp) ( x. E∧ ∨ ∃ x cls(x, F)) ∗
More complex structures• Doubly-linked list segment
dls(x,y,z) (x=y emp)∧ ∨ (xy w. x∧ ∃ z,w dls(w,y,x)) ∗
x
z y
Axioms• ls(x,y) ls(y,nil) ls(x,nil)∗ ⇒• ls(x,y) ls(y,z) ls(x,z)∗ ⇒• ls(x,y) w. ls(x,w) w⇒ ∃ ∗ y
• (P1 P2) Q (P1 Q) (P2 Q)∧ ∗ ⇒ ∗ ∧ ∗
• x y z ∗ w x ⇒ z• x y z ∧ w x ⇒ y x = z y = w∧ ∧
empty heap
z allocated in ls(x,y)
Axioms• Weakening
– P Q P∧ ⇒– P Q P∗ ⇒
• Contraction– P P P⇒ ∧– P P * P⇒
x 1 y ∗ 2 x 1
x 1 x 1 x ∗ 1
Precise Assertions• S,H there is at most one h’ h s.t. s,h’ P
• Examples– precise: x 1, ls(x,y)– not precise: x. x y, P Q ∨
• Axiom for precise assertions(P1 P2) Q ∧ ∗ (P1 Q) (P2 Q)∗ ∧ ∗
Pure Assertions• Syntax: do not contain or emp• Semantics: do not depend on heap (for any store)
• Axioms for pure assertionsx=y z = w ∗ x=y z = w∧
• Fragment of Separation Logic assertion language
• Decidable– satisfiability, small model property– entailment
Symbolic Heaps
A ::= (P ... P) (S ... S)∧ ∧ ∧ ∗ ∗E ::= x | nil | E + EP ::= E=E | E ES ::= E E | tree(E) | ls(E, E) | dls(E, E, E)
HOARE-STYLE PROOFS
Hoare Triples• {P} C {Q}
– partial correctness– if P holds when C starts and C terminates
then Q holds after C– no runtime errors (null dereferences)
• [P] C [Q] – total correctness– if P holds when C starts
then C terminates and Q holds after C
The Programming Language
• allocation
• heap lookup
• mutation
• deallocation
<comm> ::= …
| <var> := cons(<exp>, …, <exp>)
| <var> := [<exp>]
| [<exp>] := <exp>
| dispose <exp>
Operational Semantics by Example
• Allocation x := cons(y, z)
• Heap lookup y := [x+1]
• Mutation [x + 1] := 3
• Deallocation dispose(x+1)
Store: [x:3, y:40, z:17]
Heap: empty
Store: [x:37, y:40, z:17]
Heap: [37:40, 38:17]
Store: [x:37, y:17, z:17]
Heap: [37:40, 38:3]
Store: [x:37, y:17, z:17]
Heap: [37:40, 38:17]
Store: [x:37, y:17, z:17]
Heap: [37:40]
Hoare Proof Rules for Partial Correctness
{ P } skip { P }
{ P(v/e) } v:=e {P}
{P} c1 {R} {R} c2 {Q}
{P} c1;c2{Q}
{Pb} c1 {Q} {P b} c2 {Q}
{P} if b then c1 else c2 {Q}
{ib} c {i}
{i} while b do c {ib}
P P’ {P’} c {Q’} Q’ Q
{p} c {q}
Hoare Axiom for Assignment• How to extend it for heap mutation ?
• Example:
{ P ( [e1] / e2 } [e1] := e2 {P}
Store: [x:37, y:17, z:37]
Heap: [37:40, 38:3]
{ [z]=40 } [x] := 77 { [z]=40 }
Store: [x:37, y:17, z:37]
Heap: [37:77, 38:3]
“Small” Axioms
{E1_} [E1] := E2 {E1 E2}
{ emp } x := cons(y, z) { x y, z }
{E_} dispose(E) {emp}
• allocation
• heap lookup
• mutation
• deallocation
{Ez} x := [E] {E z x = z} ∧
The Frame Rule
Mod(C) free(R)={}
Mod(x := _) = {x}
Mod([E]:=F) = {}
Mod(dispose(E)) = {}
{ P } C {Q}
{ R ∗ P } C { Q ∗ R }
The Frame Rule
• Small Axioms give tight specification• Allows the Small Axioms to apply generally
• Handle procedure calls modularly• Frame rule is a key to local proofs
Mod(C) free(R)={}{ P } C {Q}
{ R ∗ P } C { Q ∗ R }
{ xy ∗ ls(y,z) } dispose(x) { ls(y,z) }
Reversey: = nil ;
while x nil do {
t := [x]
[x] := y
y := x
x := t
}
{ list(x) }
{ list(y) }
{x nil list(x) ∧ ∗ list(y)}{ list(x) ∗ list(y) }
{ i . x ∃ i list(i) ∗ ∗ list(y) }
{ xt list(t) ∗ ∗ list(y) }{ x i } t := [x] { x t t = i } ∧
{ xy list(t) ∗ ∗ list(y) }{ x _ } [x] := y { x y }
{ list(t) ∗ list(y) }
{ list(t) ∗ list(x) }
{ list(x) ∗ list(y) }
{x = nil list(x) ∧ ∗ list(y) }
list(x) ls(x,nil)
unfold
fold
Local Specification• Footprint
– part of the state that is used by the command
• Local specification – reasoning only about the footprint
• Frame rule– from local to global spec
Frame Rule• Sound
– safety-monotonicity– frame property of small axioms
• Complete – derives WLP or SP for commands
Weakest Preconditions
wp(x:=cons(y,z), P) = v. ( (v x,y)
wp( x:= [E], P) = v. (e v) P(x/v)∧
wp([E1]:=E2, P) = (E1 _ ) ( (∗ E1 E2) −∗ P))
wp(dispose E, P) = (E1 _ ) P∗
• Allocation v free(x,y,P)
• Lookup v free(E,P)\{x}
• Mutation
• Disposal
AUTOMATED VERIFICATION ANDPROGRAM ANALYSIS
Symbolic Execution• Application of separation logic proof rules as
symbolic execution
• Restrict assertion language to symbolic heaps• Discharge entailments A B
– axiomatize consequences of induction
• Frame inference
DeleteTree
DeleteTree (t) {
local i,j;
if (t != nil) {
i := [t];
j := [t+1] ;
DeleteTree(j);
DeleteTree(i);
dispose t;
}
}
{ tree(t) }
{ emp }
{ tree(t) t ∧ nil }{ x,y. t ∃ x,y tree(x) tree(y) ∗ ∗}
{t i,j tree(i) tree(j) }∗ ∗
{t i,j tree(i) emp }∗ ∗
{t i,j emp }∗
{ emp }
{t i,j tree(i) } ∗
Frame Inference
• Failed proof of entailment yields a frame
– Assertion at call site
– Callee’s precondition
– Frame
{ t i,j tree(i) ∗ ∗tree(j) }{ tree(j) }
t i,j tree(i) tree(j) ∗ ∗ tree(j)
t i,j tree(i) ∗ emp
.....
{ t i,j tree(i) }∗
Frame Inference
• Assertion at call site:
• Callee’s precondition:
{t i,j tree(i) tree(j) }∗ ∗ {t i,j tree(i) } ∗
DeleteTree(j) { tree(j) } { emp }
DeleteTree(j)
{ t i,j tree(i) ∗ ∗tree(j) }{ tree(j) }
Incompleteness of Frame Inference
• Lose the information that x=y• Do we need inequality involving just-disposed ?
{ x _ } free(x) { emp }
{ y _ ∗ x _ } free(x) { y _ }
Program Analysis• Abstract value is a set of symbolic heaps• Abstract transformers by symbolic execution
(TODO EXAMPLE)• Fixpoint check by entailement
• Knobs– widening / abstraction– join– interprocedural analysis (cutpoints)– predicate discovery
Global Properties?
• Before: tree (Q ∧ ∗ R) (tree Q) ∧ (∗ tree R)∧• After: (tree Q) ∧ (∗ tree R) ∧ tree (Q ∧ ∗ R)
• Loss of global property– no restrictions on dangling pointers in P and Q– can point to each other and create cycles
{ tree P } C { tree Q }∧ ∧
{ (tree R) ∧ (∗ tree P) } C { (tree Q) ∧ ∧ ∗ (tree R) ∧ }
BIBLIOGRAPHYhttp://www.dcs.qmw.ac.uk/~ohearn/localreasoning.html
“Early Days”• The Logic of Bunched Implications
O'Hearn and Pym. 1999• Intuitionistic Reasoning about Shared Mutable Data Structu
re
Reynolds. 1999• BI as an Assertion Language for Mutable Data Structures.
Ishtiaq, O'Hearn. POPL'01.
• Local Reasoning about Programs that Alter Data Structures O'Hearn, Reynolds, Yang. CSL'01.
• Separation Logic: A Logic for Shared Mutable Data Structures
Reynolds. LICS 2002.
Successful Applications• An example of local reasoning in BI pointer logic:
the Schorr-Waite graph marking algorithm
Yang, SPACE 2001• Local Reasoning about a Copying Garbage Collect
or
Birkedal, Torp-Smith, Reynolds. POPL'04
Analysis and Automated Verification• Symbolic Execution with Separation Logic.
Berdine, Calcagno, O'Hearn. APLAS'05.• Smallfoot: Modular Automatic Assertion Checking with Separatio
n Logic
Berdine, Calcagno, O'Hearn. FMCO’06.
• A local shape analysis based on separation logic Distefano, O'Hearn, Yang. TACAS’06.
• Interprocedural Shape Analysis with Separated Heap Abstractions.
Gotsman, Berdine, Cook. SAS’06• Shape analysis for composite data structures.
Berdine, Calcagno, Cook, Distefano, O'Hearn, Wies, Yang. CAV'07.• ...
Concurrency• Resources, Concurrency and Local Reasoning
O'Hearn. Reynolds Festschrift, 2007. CONCUR'04• A Semantics for Concurrent Separation Logic
Brookes. Reynolds Festschrift, 2007. CONCUR'04• Towards a Grainless Semantics for Shared Variable Concurrency
John C. Reynolds (in preparation?)
• Permission Accounting in Separation LogicBornat, Calcagno, O'Hearn, Parkinson. POPL’05
• Modular Verification of a Non-blocking Stack Parkinson, Bornat, O'Hearn. POPL’07
• A Marriage of Rely/Guarantee and Separation Logic Parkinson, Vafeiadis. CONCUR’07
• Modular Safety Checking for Fine-Grained Concurrency (smallfootRG)Calcagno, Parkinson, Vafeiadis. SAS'07
• Thread-Modular Shape Analysis. Gotsman, Berdine, Cook, Sagiv. PLDI’07
• ...
Termination• Automatic termination proofs for programs with
shape-shifting heaps. Berdine, Cook, Distefano, O'Hearn. CAV’06
• Variance Analyses from Invariance Analyses.Berdine, Chawdhary, Cook, Distefano, O'Hearn. POPL 2007
• ...
Object Oriented Programming• Separation logic and abstraction
Parkinson and Bierman. POPL’05• Class Invariants: The End of the Road?
Parkinson. IWACO'07.• Separation Logic, Abstraction, and Inheritance
Parkinson, Bierman. POPL'08• …
Summary of Basic Ideas
• Extension of Hoare logic to imperative programs• Separating conjunction ∗• Inductive definitions for data-structures• Tight specifications• Dangling pointers• Local surgeries• Frame rule
Recommended