Introduction to Separation Logic

presented by Greta Yorsh

April 02, 2008IBM, Hawthorne

This Talk

• What is Separation Logic?

• Strengths and weaknesses• Successful applications• Main challenges

What is Separation Logic?

• Extension of Hoare logic – low-level imperative programs– shared mutable data structures

Motivating Example

assume( *x == 3 )

assert( *x == 3 )

assume( y != z )

*y = 4;*z = 5;assert( *y != *z )

assume( *x == 3 x != y x != z )∧ ∧

assume( y != z )

• contents are different• contents stay the same• different locations

Framing Problem

{ y != z } C { *y != *z }

{ *x == 3 ∧ y != z } C {*y != *z ∧ *x == 3 }

• What are the conditions on aliasing btwn x, y, z ?

Framing Problem

• What are the conditions on C and R?– in presence of aliasing and heap

• Separation logic introduces new connective ∗

{ P } C {Q}

{ R ∧ P } C { Q ∧ R }

{ P } C {Q}

{ R ∗ P } C { Q ∗ R }

Outline

• Assertion language: syntax and semantics• Hoare-style proofs• Program analysis• Concurrency• Termination• Object-oriented programs

ASSERTION LANGUAGE

Examples

x y

ls(y, z)

x y ls(y, z)∗

833

x

y

y

zz

∧ z = x

8 33

x

y

Syntax

Assertion Namefalse Logical falseP Q∧ Classical conjunctionP Q∨ Classical disjunctionP Q⇒ Classical implicationP Q∗ Separating conjunction (star) P − Q∗ Separating implication (magic wand)E E Points toemp Empty heap∃x. P Existential quantifierE = E Expression value equality

Semantics

• Assertions are evaluated w.r.t. a state• State is store and heap

– S : Var Int⇀– H : Loc Int where Loc Int⇀ ⊆

• Notations– disjoint domains: dom(H1) dom(H2) – composition: H1 ◦ H2– evaluation: ES Int– update: S[x:i]

• S,H P

SemanticsRelation Definition

S,H false Never satisfied

S,H P Q∧ S,H P ∧ S,H Q

S,H P Q∨ S,H P ∨ S,H Q

S,H P Q⇒ S,H |= P ⇒ S,H |= Q

S,H P Q∗ ∃H1,H2. dom(H1) dom(H2) H1 ◦ H2 = H∧ S,H1 ∧ P S,H2 ∧ Q

S,H P − Q∗ ∀H . (dom(H) ′ dom(H’) S,H ∧ ′ P) S,H◦H ⇒ ′ Q

S,H E1 E2 dom(H) = { E1S } H( ∧ E1S )= E2S

S,H emp H = {}

S,H x.P∃ i Int . S[x:i],H P

S,H E1 = E2 E1S = E2S

• E E1,E2,..,En E E1 ∗ E+1 E2 ∗ ... ∗ E+(n-1) En

• E1 E2 E1 E2 true∗

• E _ x. E ∃ x

Common Shorthands

10 1143

127 x 3,y,7 S = [x:10, y:4]

H = [10:3,11:4,12:7]

x

Examples

x 4,3

x 4,3

x 4,3 ∗ y 4,3

x 4,3 ∧ y 4,3

34

x

34

y

34

x y

S = [x:10, y:30]H = [10:4,11:3,30:4,31:3]

S = [x:10, y:10]H = [10:4,11:3]

Inductive Definitions• Describe invariants of recursive data-structure

– Trees– List Segments– Doubly-linked list segments– Cyclic lists– List of cyclic doubly linked lists– Lists with head pointers– Nested lists (bounded depth)– ...

• Binary treetree(E) (E = nil emp) ( x,y. E ∧ ∨ ∃ x,y tree(x) ∗ ∗

tree(y))

List segment• Acyclic, possibly empty

ls(E, F) (E=F emp) (E∧ ∨ F v. E∧ ∃ v ls(v, F)) ∗

174

x

3020

410 17 20

ls(x,y)S = [x:10, y:30]H = [10:4,4:17,17:20,20:30]

dangling pointer

• Possibly cyclic, panhandle, emptycls(E, F) (E=F emp) ( x. E∧ ∨ ∃ x cls(x, F)) ∗

More complex structures• Doubly-linked list segment

dls(x,y,z) (x=y emp)∧ ∨ (xy w. x∧ ∃ z,w dls(w,y,x)) ∗

x

z y

Axioms• ls(x,y) ls(y,nil) ls(x,nil)∗ ⇒• ls(x,y) ls(y,z) ls(x,z)∗ ⇒• ls(x,y) w. ls(x,w) w⇒ ∃ ∗ y

• (P1 P2) Q (P1 Q) (P2 Q)∧ ∗ ⇒ ∗ ∧ ∗

• x y z ∗ w x ⇒ z• x y z ∧ w x ⇒ y x = z y = w∧ ∧

empty heap

z allocated in ls(x,y)

Axioms• Weakening

– P Q P∧ ⇒– P Q P∗ ⇒

• Contraction– P P P⇒ ∧– P P * P⇒

x 1 y ∗ 2 x 1

x 1 x 1 x ∗ 1

Precise Assertions• S,H there is at most one h’ h s.t. s,h’ P

• Examples– precise: x 1, ls(x,y)– not precise: x. x y, P Q ∨

• Axiom for precise assertions(P1 P2) Q ∧ ∗ (P1 Q) (P2 Q)∗ ∧ ∗

Pure Assertions• Syntax: do not contain or emp• Semantics: do not depend on heap (for any store)

• Axioms for pure assertionsx=y z = w ∗ x=y z = w∧

• Fragment of Separation Logic assertion language

• Decidable– satisfiability, small model property– entailment

Symbolic Heaps

A ::= (P ... P) (S ... S)∧ ∧ ∧ ∗ ∗E ::= x | nil | E + EP ::= E=E | E ES ::= E E | tree(E) | ls(E, E) | dls(E, E, E)

HOARE-STYLE PROOFS

Hoare Triples• {P} C {Q}

– partial correctness– if P holds when C starts and C terminates

then Q holds after C– no runtime errors (null dereferences)

• [P] C [Q] – total correctness– if P holds when C starts

then C terminates and Q holds after C

The Programming Language

• allocation

• heap lookup

• mutation

• deallocation

<comm> ::= …

| <var> := cons(<exp>, …, <exp>)

| <var> := [<exp>]

| [<exp>] := <exp>

| dispose <exp>

Operational Semantics by Example

• Allocation x := cons(y, z)

• Heap lookup y := [x+1]

• Mutation [x + 1] := 3

• Deallocation dispose(x+1)

Store: [x:3, y:40, z:17]

Heap: empty

Store: [x:37, y:40, z:17]

Heap: [37:40, 38:17]

Store: [x:37, y:17, z:17]

Heap: [37:40, 38:3]

Store: [x:37, y:17, z:17]

Heap: [37:40, 38:17]

Store: [x:37, y:17, z:17]

Heap: [37:40]

Hoare Proof Rules for Partial Correctness

{ P } skip { P }

{ P(v/e) } v:=e {P}

{P} c1 {R} {R} c2 {Q}

{P} c1;c2{Q}

{Pb} c1 {Q} {P b} c2 {Q}

{P} if b then c1 else c2 {Q}

{ib} c {i}

{i} while b do c {ib}

P P’ {P’} c {Q’} Q’ Q

{p} c {q}

Hoare Axiom for Assignment• How to extend it for heap mutation ?

• Example:

{ P ( [e1] / e2 } [e1] := e2 {P}

Store: [x:37, y:17, z:37]

Heap: [37:40, 38:3]

{ [z]=40 } [x] := 77 { [z]=40 }

Store: [x:37, y:17, z:37]

Heap: [37:77, 38:3]

“Small” Axioms

{E1_} [E1] := E2 {E1 E2}

{ emp } x := cons(y, z) { x y, z }

{E_} dispose(E) {emp}

• allocation

• heap lookup

• mutation

• deallocation

{Ez} x := [E] {E z x = z} ∧

The Frame Rule

Mod(C) free(R)={}

Mod(x := _) = {x}

Mod([E]:=F) = {}

Mod(dispose(E)) = {}

{ P } C {Q}

{ R ∗ P } C { Q ∗ R }

The Frame Rule

• Small Axioms give tight specification• Allows the Small Axioms to apply generally

• Handle procedure calls modularly• Frame rule is a key to local proofs

Mod(C) free(R)={}{ P } C {Q}

{ R ∗ P } C { Q ∗ R }

{ xy ∗ ls(y,z) } dispose(x) { ls(y,z) }

Reversey: = nil ;

while x nil do {

t := [x]

[x] := y

y := x

x := t

}

{ list(x) }

{ list(y) }

{x nil list(x) ∧ ∗ list(y)}{ list(x) ∗ list(y) }

{ i . x ∃ i list(i) ∗ ∗ list(y) }

{ xt list(t) ∗ ∗ list(y) }{ x i } t := [x] { x t t = i } ∧

{ xy list(t) ∗ ∗ list(y) }{ x _ } [x] := y { x y }

{ list(t) ∗ list(y) }

{ list(t) ∗ list(x) }

{ list(x) ∗ list(y) }

{x = nil list(x) ∧ ∗ list(y) }

list(x) ls(x,nil)

unfold

fold

Local Specification• Footprint

– part of the state that is used by the command

• Local specification – reasoning only about the footprint

• Frame rule– from local to global spec

Frame Rule• Sound

– safety-monotonicity– frame property of small axioms

• Complete – derives WLP or SP for commands

Weakest Preconditions

wp(x:=cons(y,z), P) = v. ( (v x,y)

wp( x:= [E], P) = v. (e v) P(x/v)∧

wp([E1]:=E2, P) = (E1 _ ) ( (∗ E1 E2) −∗ P))

wp(dispose E, P) = (E1 _ ) P∗

• Allocation v free(x,y,P)

• Lookup v free(E,P)\{x}

• Mutation

• Disposal

AUTOMATED VERIFICATION ANDPROGRAM ANALYSIS

Symbolic Execution• Application of separation logic proof rules as

symbolic execution

• Restrict assertion language to symbolic heaps• Discharge entailments A B

– axiomatize consequences of induction

• Frame inference

DeleteTree

DeleteTree (t) {

local i,j;

if (t != nil) {

i := [t];

j := [t+1] ;

DeleteTree(j);

DeleteTree(i);

dispose t;

}

}

{ tree(t) }

{ emp }

{ tree(t) t ∧ nil }{ x,y. t ∃ x,y tree(x) tree(y) ∗ ∗}

{t i,j tree(i) tree(j) }∗ ∗

{t i,j tree(i) emp }∗ ∗

{t i,j emp }∗

{ emp }

{t i,j tree(i) } ∗

Frame Inference

• Failed proof of entailment yields a frame

– Assertion at call site

– Callee’s precondition

– Frame

{ t i,j tree(i) ∗ ∗tree(j) }{ tree(j) }

t i,j tree(i) tree(j) ∗ ∗ tree(j)

t i,j tree(i) ∗ emp

.....

{ t i,j tree(i) }∗

Frame Inference

• Assertion at call site:

• Callee’s precondition:

{t i,j tree(i) tree(j) }∗ ∗ {t i,j tree(i) } ∗

DeleteTree(j) { tree(j) } { emp }

DeleteTree(j)

{ t i,j tree(i) ∗ ∗tree(j) }{ tree(j) }

Incompleteness of Frame Inference

• Lose the information that x=y• Do we need inequality involving just-disposed ?

{ x _ } free(x) { emp }

{ y _ ∗ x _ } free(x) { y _ }

Program Analysis• Abstract value is a set of symbolic heaps• Abstract transformers by symbolic execution

(TODO EXAMPLE)• Fixpoint check by entailement

• Knobs– widening / abstraction– join– interprocedural analysis (cutpoints)– predicate discovery

Global Properties?

• Before: tree (Q ∧ ∗ R) (tree Q) ∧ (∗ tree R)∧• After: (tree Q) ∧ (∗ tree R) ∧ tree (Q ∧ ∗ R)

• Loss of global property– no restrictions on dangling pointers in P and Q– can point to each other and create cycles

{ tree P } C { tree Q }∧ ∧

{ (tree R) ∧ (∗ tree P) } C { (tree Q) ∧ ∧ ∗ (tree R) ∧ }

BIBLIOGRAPHYhttp://www.dcs.qmw.ac.uk/~ohearn/localreasoning.html

“Early Days”• The Logic of Bunched Implications

O'Hearn and Pym. 1999• Intuitionistic Reasoning about Shared Mutable Data Structu

re

Reynolds. 1999• BI as an Assertion Language for Mutable Data Structures.

Ishtiaq, O'Hearn. POPL'01.

• Local Reasoning about Programs that Alter Data Structures O'Hearn, Reynolds, Yang. CSL'01.

• Separation Logic: A Logic for Shared Mutable Data Structures

Reynolds. LICS 2002.

Successful Applications• An example of local reasoning in BI pointer logic:

the Schorr-Waite graph marking algorithm

Yang, SPACE 2001• Local Reasoning about a Copying Garbage Collect

or

Birkedal, Torp-Smith, Reynolds. POPL'04

Analysis and Automated Verification• Symbolic Execution with Separation Logic.

Berdine, Calcagno, O'Hearn. APLAS'05.• Smallfoot: Modular Automatic Assertion Checking with Separatio

n Logic

Berdine, Calcagno, O'Hearn. FMCO’06.

• A local shape analysis based on separation logic Distefano, O'Hearn, Yang. TACAS’06.

• Interprocedural Shape Analysis with Separated Heap Abstractions.

Gotsman, Berdine, Cook. SAS’06• Shape analysis for composite data structures.

Berdine, Calcagno, Cook, Distefano, O'Hearn, Wies, Yang. CAV'07.• ...

Concurrency• Resources, Concurrency and Local Reasoning

O'Hearn. Reynolds Festschrift, 2007. CONCUR'04• A Semantics for Concurrent Separation Logic

Brookes. Reynolds Festschrift, 2007. CONCUR'04• Towards a Grainless Semantics for Shared Variable Concurrency

John C. Reynolds (in preparation?)

• Permission Accounting in Separation LogicBornat, Calcagno, O'Hearn, Parkinson. POPL’05

• Modular Verification of a Non-blocking Stack Parkinson, Bornat, O'Hearn. POPL’07

• A Marriage of Rely/Guarantee and Separation Logic Parkinson, Vafeiadis. CONCUR’07

• Modular Safety Checking for Fine-Grained Concurrency (smallfootRG)Calcagno, Parkinson, Vafeiadis. SAS'07

• Thread-Modular Shape Analysis. Gotsman, Berdine, Cook, Sagiv. PLDI’07

• ...

Termination• Automatic termination proofs for programs with

shape-shifting heaps. Berdine, Cook, Distefano, O'Hearn. CAV’06

• Variance Analyses from Invariance Analyses.Berdine, Chawdhary, Cook, Distefano, O'Hearn. POPL 2007

• ...

Object Oriented Programming• Separation logic and abstraction

Parkinson and Bierman. POPL’05• Class Invariants: The End of the Road?

Parkinson. IWACO'07.• Separation Logic, Abstraction, and Inheritance

Parkinson, Bierman. POPL'08• …

Summary of Basic Ideas

• Extension of Hoare logic to imperative programs• Separating conjunction ∗• Inductive definitions for data-structures• Tight specifications• Dangling pointers• Local surgeries• Frame rule