76
Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London Marktoberdorf Summer School, 2011 Thursday, August 18, 2011

Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

  • Upload
    others

  • View
    6

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Lectures on Separation Logic.

Lecture 4: A New Recipe from East London

Peter O’Hearn

Queen Mary, University of London

Marktoberdorf Summer School, 2011

Thursday, August 18, 2011

Page 2: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

...joint work with

Thursday, August 18, 2011

Page 3: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

...joint work withHongseok

Yang

Cristiano Calcagno

Dino Distefano

Thursday, August 18, 2011

Page 4: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Source for this lecture

Compositional shape analysis by means of bi-abduction

CDOY, to appear in JACM. Prelim version in POPL’09

Thursday, August 18, 2011

Page 5: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Principle of Compositionality

The meaning of a composite phrase is defined in terms of the meanings of its parts

Originally, in Language Semantics

Applied to Program Analysis

The analysis result of a composite program is computed from the analysis results of its parts

Thursday, August 18, 2011

Page 6: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Problem

Huge abstract domain. Too many abstract states to tabulate all in a procedure summary.

Thursday, August 18, 2011

Page 7: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

We achieve compositionality,

by aiming for ``small specs’’

that describe the footprint

Thursday, August 18, 2011

Page 8: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

We achieve compositionality,

by aiming for ``small specs’’

that describe the footprint

Thursday, August 18, 2011

Page 9: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

A Small Spec, and a Small Proof

� Spec[tree(p)] DispTree(p) [emp]

� Proof of body of recursive procedure

[tree(i)∗tree(j)]DispTree(i);[emp ∗ tree(j)]DispTree(j);[emp]

{P}C{Q}{P∗R}C{Q∗R} Frame Rule

Thursday, August 18, 2011

Page 10: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

A Small Spec, and a Small Proof

� Spec[tree(p)] DispTree(p) [emp]

� Proof of body of recursive procedure

[tree(i)∗tree(j)]DispTree(i);[emp ∗ tree(j)]DispTree(j);[emp]

{P}C{Q}{P∗R}C{Q∗R} Frame Rule

To automatewe must infer framesduring ``execution’’

Thursday, August 18, 2011

Page 11: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Extensions of the entailment question I: Frame Inference

A � B

A ∗ ?1AAAAA � A ∗ ?2AAAAA

Thursday, August 18, 2011

Page 12: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Extensions of the entailment question I: Frame Inference

A � B ∗ ?

A ∗ ?1AAAAA � A ∗ ?2AAAAA

Thursday, August 18, 2011

Page 13: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Extensions of the entailment question I: Frame Inference

tree(i) ∗ tree(j) � tree(i) ∗ ?

A ∗ ?1AAAAA � A ∗ ?2AAAAA

Thursday, August 18, 2011

Page 14: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Extensions of the entailment question I: Frame Inference

tree(i) ∗ tree(j) � tree(i) ∗ tree(j)A ∗ ?1AAAAA � A ∗ ?2AAAAA

Thursday, August 18, 2011

Page 15: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Extensions of the entailment question I: Frame Inference

x �= nil ∧ list(x) � ∃x �. x �→ x � ∗ ?

A ∗ ?1AAAAA � A ∗ ?2AAAAA

Thursday, August 18, 2011

Page 16: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Extensions of the entailment question I: Frame Inference

x �= nil ∧ list(x) � ∃x �. x �→ x � ∗ list(x �)

A ∗ ?1AAAAA � A ∗ ?2AAAAA

Thursday, August 18, 2011

Page 17: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Extensions of the entailment question I: Frame Inference

A � B ∗ ?

A ∗ ?1AAAAA � A ∗ ?2AAAAA

Thursday, August 18, 2011

Page 18: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

How to infer a frame

Convert a failed derivation

list(y) � emp Junk: Not Axiom!list(x) ∗ list(y) � list(x) Subtractlseg(x , t) ∗ t �→nil ∗ list(y) � list(x) Abstract (Inductive)

into a successful one

emp � emp Axiomlist(y) � list(y) Subtractlist(x) ∗ list(y) � list(x) ∗ list(y) Subtractlseg(x , t) ∗ t �→nil ∗ list(y) � list(x) ∗ list(y) Abstract (Inductive)

61Thursday, August 18, 2011

Page 19: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

A Small Spec, and a Small Proof

� Spec[tree(p)] DispTree(p) [emp]

� Proof of body of recursive procedure

[tree(i)∗tree(j)]DispTree(i);[emp ∗ tree(j)]DispTree(j);[emp]

{P}C{Q}{P∗R}C{Q∗R} Frame Rule

Thursday, August 18, 2011

Page 20: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Thursday, August 18, 2011

Page 21: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Wait a minute, where are yougonna get preconditions? How

to get started?

Thursday, August 18, 2011

Page 22: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Wait a minute, where are yougonna get preconditions? How

to get started?

Oh, don’t tell me, that sounds...out of this world...

Thursday, August 18, 2011

Page 23: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Thursday, August 18, 2011

Page 24: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Thursday, August 18, 2011

Page 25: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abductive Inference(Charles Peirce, writing about scientific process)

“Abduction is the process of forming an explanatory hypothesis. It is the only logical operation which introduces any new idea”

“A man must be downright crazy to deny that science has made many true discoveries. But every single item of scientific theory whichstands established today has been due to Abduction.”

The Collected Papers of Charles Sanders Peirce, Volume V,Pragmatism and Pragmaticism

Thursday, August 18, 2011

Page 26: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

The Abduction Question

� Given symbolic heaps A and B , find M such that

A ∗M � B

� We would like M to be consistent, and ‘minimal’ (there is an order)� Spatially smallness

ls(y , 0) � ls(y , 0) ∗ z �→ 0

� logical strength∃z .ls(y , z) � ls(y , 0)

Thursday, August 18, 2011

Page 27: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

The Abduction Question

� Given symbolic heaps A and B , find M such that

A ∗M � B

� We would like M to be consistent, and ‘minimal’ (there is an order)� Spatially smallness

ls(y , 0) � ls(y , 0) ∗ z �→ 0

� logical strength∃z .ls(y , z) � ls(y , 0)

Thursday, August 18, 2011

Page 28: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

The Abduction Question

A ∗ ? � BAAAAAAAAAAA ∗ ?1 � AAAAAAAAAAA ∗ ?2

Thursday, August 18, 2011

Page 29: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

The Abduction Question

x �→ nil ∗ ? � list(x) ∗ list(y)AAAAAAAAAAA ∗ ?1 � AAAAAAAAAAA ∗ ?2

Thursday, August 18, 2011

Page 30: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

The Abduction Question

x �→ nil ∗ list(y) � list(x) ∗ list(y)AAAAAAAAAAA ∗ ?1 � AAAAAAAAAAA ∗ ?2

Thursday, August 18, 2011

Page 31: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

The Abduction Question

x �→ − ∗ ?? � y �→ − ∗ trueAAAAAAAAAAA ∗ ?1 � AAAAAAAAAAA ∗ ?2

Thursday, August 18, 2011

Page 32: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

The Abduction Question

x �→ − ∗�x = y ∧ emp

�� y �→ − ∗ true

AAAAAAAAAAA ∗ ?1 � AAAAAAAAAAA ∗ ?2

Thursday, August 18, 2011

Page 33: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

The Abduction Question

x �→ − ∗ y �→ − � y �→ − ∗ trueAAAAAAAAAAA ∗ ?1 � AAAAAAAAAAA ∗ ?2

Thursday, August 18, 2011

Page 34: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abduction Example: Inferring a pre/post pair

1 void p(list-item *y) {2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0;5 foo(x,y);6 return(x); }

Abductive Inference:

Given Summary/spec: [list(x) ∗ list(y)]foo(x , y)[list(x)]

Thursday, August 18, 2011

Page 35: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abduction Example: Inferring a pre/post pair

1 void p(list-item *y) { emp2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0;5 foo(x,y);6 return(x); }

Abductive Inference:

Given Summary/spec: [list(x) ∗ list(y)]foo(x , y)[list(x)]

Thursday, August 18, 2011

Page 36: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abduction Example: Inferring a pre/post pair

1 void p(list-item *y) { emp2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x �→ 05 foo(x,y);6 return(x); }

Abductive Inference:

Given Summary/spec: [list(x) ∗ list(y)]foo(x , y)[list(x)]

Thursday, August 18, 2011

Page 37: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abduction Example: Inferring a pre/post pair

1 void p(list-item *y) { emp2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x �→ 05 foo(x,y);6 return(x); }

Abductive Inference: x �→ 0 ∗ ? � list(x) ∗ list(y)

Given Summary/spec: [list(x) ∗ list(y)]foo(x , y)[list(x)]

Thursday, August 18, 2011

Page 38: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abduction Example: Inferring a pre/post pair

1 void p(list-item *y) { emp2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x �→ 05 foo(x,y);6 return(x); }

Abductive Inference: x �→ 0 ∗ list(y) � list(x) ∗ list(y)

Given Summary/spec: [list(x) ∗ list(y)]foo(x , y)[list(x)]

Thursday, August 18, 2011

Page 39: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abduction Example: Inferring a pre/post pair

1 void p(list-item *y) { emp list(y)2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x �→ 05 foo(x,y);6 return(x); }

Abductive Inference: x �→ 0 ∗ list(y) � list(x) ∗ list(y)

Given Summary/spec: [list(x) ∗ list(y)]foo(x , y)[list(x)]

Thursday, August 18, 2011

Page 40: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abduction Example: Inferring a pre/post pair

1 void p(list-item *y) { emp list(y)2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x �→ 05 foo(x,y); list(x)6 return(x); }

Abductive Inference: x �→ 0 ∗ list(y) � list(x) ∗ list(y)

Given Summary/spec: [list(x) ∗ list(y)]foo(x , y)[list(x)]

Thursday, August 18, 2011

Page 41: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abduction Example: Inferring a pre/post pair

1 void p(list-item *y) { emp list(y)2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x �→ 05 foo(x,y); list(x)6 return(x); } list(ret)

Abductive Inference: x �→ 0 ∗ list(y) � list(x) ∗ list(y)

Given Summary/spec: [list(x) ∗ list(y)]foo(x , y)[list(x)]

Thursday, August 18, 2011

Page 42: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abduction Example: Inferring a pre/post pair

1 void p(list-item *y) { emp list(y)(Inferred Pre)2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x �→ 05 foo(x,y); list(x)6 return(x); } list(ret)(Inferred Post)

Abductive Inference: x �→ 0 ∗ list(y) � list(x) ∗ list(y)

Given Summary/spec: [list(x) ∗ list(y)]foo(x , y)[list(x)]

Thursday, August 18, 2011

Page 43: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Bi-Abduction

A ∗ ?anti-frame � B ∗ ?frame

� Generally, we have to solve both inference questions at each procedurecall site (and each heap dereference)

� It lets us do a bottom-up analysis: callees before callers. Generatespre/post specs without being given preconditions or postconditions.

Thursday, August 18, 2011

Page 44: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Logical Aspects for Generating Pre’s

� If path π doesn’t modify vars in M...

{pre}π{post} post∗M � A

{pre∗M}π{A}

Derived rule: consequence of Frame Rule and PostconditionWeakening.

� Says not to bother to re-analyze path π; continue on.

� Works only for individual paths, so that abductively inducedpreconditions are unsound in general.

1Thursday, August 18, 2011

Page 45: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Logical Aspects for Generating Pre’s

� If path π doesn’t modify vars in M...

{pre}π{post} post∗M � A

{pre∗M}π{A}

Derived rule: consequence of Frame Rule and PostconditionWeakening.

� Says not to bother to re-analyze path π; continue on.

� Works only for individual paths, so that abductively inducedpreconditions are unsound in general.

1Thursday, August 18, 2011

Page 46: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abduction Soundness Example

z �→ − ∗ ?? � x �→ − ∗ true

1 void nondet-example(struct node *x,*z) { (z �→ −) ∗ (x = z ∧ emp)2 if nondet()3 z �→ tail = 0; free(x);4 else5 free(x); free(z)6 return(); }

2Thursday, August 18, 2011

Page 47: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abduction Soundness Example

z �→ − ∗ ?? � x �→ − ∗ true

1 void nondet-example(struct node *x,*z) { (z �→ −) ∗ (x = z ∧ emp)2 if nondet()3 z �→ tail = 0; free(x);4 else5 free(x); free(z)6 return(); }

2

No good for paththrough line 5

Thursday, August 18, 2011

Page 48: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Abduction Soundness Example

z �→ − ∗ ?? � x �→ − ∗ true

1 void nondet-example(struct node *x,*z) { (z �→ −) ∗ (x �→ −)2 if nondet()3 z �→ tail = 0; free(x);4 else5 free(x); free(z)6 return(); }

2

Good for both paths

Thursday, August 18, 2011

Page 49: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Inductive

(Periodically Generalizing Precondition,to stop Infinite Regress)

Thursday, August 18, 2011

Page 50: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

The Distefano Abstraction2

� Merge adjacent pointers/lists into a single list, as long as shared pointis not reachable from more than one program var.

� Sample Abstraction (rewrite) Rule:

A ∗ ρ(x ,Y ) ∗ ρ�(Y , 0) −→ A ∗ ls(x , 0)

where logical var Y not free in Aand ρ, ρ� range over ls, �→

� Example:x �→ X1 ∗ y �→ X1 ∗ X1 �→ X2 ∗ X2 �→ 0

is abstracted to

x �→ X1 ∗ y �→ X1 ∗ ls(X1, 0).

2Distefano’s 2003 thesis, and ported to SL in TACAS’06

Thursday, August 18, 2011

Page 51: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

The Distefano Abstraction2

� Merge adjacent pointers/lists into a single list, as long as shared pointis not reachable from more than one program var.

� Sample Abstraction (rewrite) Rule:

A ∗ ρ(x ,Y ) ∗ ρ�(Y , 0) −→ A ∗ ls(x , 0)

where logical var Y not free in Aand ρ, ρ� range over ls, �→

� Example:x �→ X1 ∗ y �→ X1 ∗ X1 �→ X2 ∗ X2 �→ 0

is abstracted to

x �→ X1 ∗ y �→ X1 ∗ ls(X1, 0).

2Distefano’s 2003 thesis, and ported to SL in TACAS’06

Thursday, August 18, 2011

Page 52: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Distefano’s Abstraction at work: Deductively

{emp}x=nil;while ( ) { ls(x , nil)

new(y);y ->tl = x;x=y;

}

Calculated Loop Invariant

x = nil ∧ emp

∨ x �→ nil

∨ ls(x , nil)

1Thursday, August 18, 2011

Page 53: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Distefano’s Abstraction at work: Deductively

{emp}x=nil;while ( ) { ls(x , nil)

new(y);y ->tl = x;x=y;

}

Calculated Loop Invariant

x = nil ∧ emp

∨ x �→ nil

∨ ls(x , nil)

1

Fixed-point reached!

Thursday, August 18, 2011

Page 54: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

And Inductively (by pictures)

3Thursday, August 18, 2011

Page 55: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Deduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Thursday, August 18, 2011

Page 56: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

Deduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Thursday, August 18, 2011

Page 57: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

x

Deduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Thursday, August 18, 2011

Page 58: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

x

Deduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

IfOnly...

Thursday, August 18, 2011

Page 59: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

x

Deduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Thursday, August 18, 2011

Page 60: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

x

Deduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

IfOnly...

Thursday, August 18, 2011

Page 61: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

x

Deduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

IfOnly...

Thursday, August 18, 2011

Page 62: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

x

Deduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Thursday, August 18, 2011

Page 63: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

x

Deduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Generalize

Thursday, August 18, 2011

Page 64: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

....

x

Deduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Generalize

Thursday, August 18, 2011

Page 65: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

....

x

Deduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Thursday, August 18, 2011

Page 66: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

.... nil

x

Deduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Thursday, August 18, 2011

Page 67: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

.... nil

x

.... nil

xDeduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Thursday, August 18, 2011

Page 68: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

.... nil

x

.... nil

xDeduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Thursday, August 18, 2011

Page 69: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

.... nil

x

nil

xDeduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Thursday, August 18, 2011

Page 70: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

while (x!= nil) do { t:=x; x:=x->tl free(t);}

.... nil

x

nil

xDeduce

Generalize

AbduceProgram

Pre/Post spec

new preabstracted pre

Thursday, August 18, 2011

Page 71: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Soundness issues for Abstraction

� Sound for deductive (to calculate loop invariants) because of:

{A}C{B} B � abs(B)

{A}C{abs(B)}

� Unsound for precondition generalization, because

A � abs(A) {A}C{B}{abs(A)}C{B}

� So, our analysis has a second phase, where we check our work andthrow away bad preconditions.

4Thursday, August 18, 2011

Page 72: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Soundness issues for Abstraction

� Sound for deductive (to calculate loop invariants) because of:

{A}C{B} B � abs(B)

{A}C{abs(B)}

� Unsound for precondition generalization, because

A � abs(A) {A}C{B}{abs(A)}C{B}

� So, our analysis has a second phase, where we check our work andthrow away bad preconditions.

4Thursday, August 18, 2011

Page 73: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Summary of reasoning method

� Input: A procedure (a bare piece of code)

� Output: Pre/post spec (or nothing)

1. Start by trying to deductively prove a program, from a beginning

precondtion.

2. When proof fails, use abduction to infer what is needed. Add to

precondition, and carry on.

3. Periodically generalize precondition.

4. Stop when you get to postconditon.

5. Then check that you have actually got a proof.

Note the different roles of abduction and inductive generalization

5Thursday, August 18, 2011

Page 74: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Conclusion

� This work has been about a passage A �→ C [A], taking an abstractdomain (or logic) A and making a compositional version C [A].

� Using Abduction-Induction-Deduction gives a boost where we canapproach large code bases, more quickly.

� Many proven procedures, but many unproven procedures. What next?

� Perhaps, bring human back into loop1. analysis-centric: alter A to A�, get C [A�]2. proof-centric: use abduction, etc, in concert with interactive provers

7Thursday, August 18, 2011

Page 75: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Conclusion

� This work has been about a passage A �→ C [A], taking an abstractdomain (or logic) A and making a compositional version C [A].

� Using Abduction-Induction-Deduction gives a boost where we canapproach large code bases, more quickly.

� Many proven procedures, but many unproven procedures. What next?� Perhaps, bring human back into loop

1. analysis-centric: alter A to A�, get C [A�]2. proof-centric: use abduction, etc, in concert with interactive provers

6Thursday, August 18, 2011

Page 76: Lectures on Separation Logic. Lecture 4: A New Recipe from ...Lectures on Separation Logic. Lecture 4: A New Recipe from East London Peter O’Hearn Queen Mary, University of London

Other tools

In these lectures I have talked about the Smallfoot, Space Invader and

Abductor tools developed in London (Queen Mary and Imperial). While

these tools advanced interesting ideas, their active development has ceased

and there are more recent tools which are probably easier for newcomers to

use/try out.

Some other tools include (list not exhaustive)

� Program Analyses. SLAyer (Msoft), Predator (Brno), Xisa

(Colorado, Paris), jStar (London, Cambridge) ...

� Automatic Verifiers. Verifast (Leuwen), jStar, Hip/Sleek (Singapore,

Teeside)

� Interactive. Bedrock (MIT), Flint (Yale), Verismall (Princeton),

Holfoot (Cambridge) ...

The tools in the first two lines at least have been publically released.

2Thursday, August 18, 2011