Separation Logic - School of Computing

Separation Logic

COMP2600 — Formal Methods for Software Engineering

Rajeev Gore

Australian National University

Semester 2, 2016

COMP 2600 — Separation Logic 1

Motivation: Reasoning About Pointers

Recall this example from Hoare Logic Lecture III.

How is aliasing a problem?

Suppose x and y refer to the same cell of memory.

1. {y+1 = 5 ∧ y = 5} x:=y+1 {x = 5 ∧ y = 5} (Assignment)

2. {y = 4 ∧ y = 5} x:=y+1 {x = 5 ∧ y = 5} (1. PreEq)

3. {False} x:=y+1 {x = 5 ∧ y = 5} (2. PreEq)

i.e. if initial state is inconsistent and x:=y+1 terminates then final statemakes {x = 5 ∧ y = 5} true But also works for x = 6∧ y = 6

so our assignment rule is no longer as strong as possible.

Problem: we need a way to say “refers to the same/different cell of memory”


From Hoare Logic To Separation Logic

Floyd 1967: gave some rules to reason about programs

Sometimes, our Hoare Logic is called Floyd-Hoare Logic in recognition

Many attempts made to extend Floyd-Hoare Logic to handle pointers

Only really solved in the past 15 years by Reynolds, O’Hearn and Yang

around 2000 using a connective ∗ called “separating conjunction”

The ∗ connective originally studied at ANU Philosophy in 1970s by Robert

K Meyer .... who started the Logic and Computation Group!

But ... to make the presentation less scary, we need to first extend Hoare

Logic with an axiom due to Floyd


Hoare Logic: syntax, semantics and calculus

Syntax Semantics Calculus

¬∧∨⇒∀∃ FOL N/A

=+−≥≤ ·· · Arithmetic N/A

:= ; while

if then else

State maps variables

to values (no pointers)N/A

{P}S{Q}if initial state satisfies P

and S terminates then

final state satisfies Q

6 Inference

Rules


Store Assignment Axiom of Floyd

Hoare Axiom: {Q(e)} x := e {Q(x)} (backward driven)

Floyd Axiom: forward driven but equivalent to Hoare Axiom

{x = v} x := e {x = e(v/x)}where v is an auxiliary variable which does not occur in e

and e(v/x) means replace all occurrences of x in e by v

Example Hoare Instance: {(x+1 = 5)} x := x+1 {x = 5}

Example Floyd Instance: {x = v} x := x+1 {x = (x+1)(v/x)}i.e. {x = v} x := x+1 {x = (v+1)}i.e. if we want the post-condition x = 5 then instantiate v to be 4{x = 4} x := x+1 {x = 5}

Note: does not solve the problem with pointers!


Store Assignment Axiom of Floyd

Hoare Axiom: {Q(e)} x := e {Q(x)} (backward driven)

Floyd Axiom: forward driven but equivalent to Hoare Axiom


and e(v/x) means replace all occurrences of x in e by v

Example Hoare Instance: {(1 = 1)} x := 1 {x = 1}

Example Floyd Instance: {x = v} x := 1 {x = (1)(v/x)}i.e. {x = v} x := 1 {x = 1}i.e. if we want the pre-condition 1 = 1 (i.e. True) then instantiate v to x{x = x} x := 1 {x = 1}

Separation Logic: based on such forward reasoning zero-premise rules


My Policy To Make This Material Accessible

Honest: the two really are equivalent but I am hiding the gory details of the

first order logic proof that they are equivalent

Credits: my notes are based upon a set of notes written by Michael Gordon

http://www.cl.cam.ac.uk/~mjcg/HoareLogic/

Beware: he uses heavy duty logic and his notes are for a third year course!

Promise: I will tell the truth. I may not tell the whole truth, but I will not lie.

Name clash: “Separation Logic” is used for both the extension of Hoare Logic

and the extension of first-order logic upon which it is based!

Search: “separation logic” and you will get many technical papers, most of

which will be impenetrable, so beware!


http://www.cl.cam.ac.uk/~mjcg/HoareLogic/

Hoare Logic + Floyd Axiom: syntax, semantics and calculus


¬∧∨⇒∀∃ FOL N/A


:= ; while

if then else

State maps variables

to values (no pointers)N/A

{P}S{Q}if initial state satisfies P

and S terminates then


6 Inference

Rules

+ Floyd Axiom



Separation Logic: syntax, semantics and calculus


emp ∗ 7→ SL N/A

¬∧∨⇒∀∃ FOL N/A


:= ; while

if then else

[.] dispose(.)

cons(.)

State is a pair (Store,Heap)

St(.) maps variables to values

H p(.) maps locations to values

N/A

{P}S{Q}

if initial state satisfies P

and S terminates

then S does not fault and


More Inference

RulesCOMP 2600 — Separation Logic 10

Our Computation Model

Background: a function maps members of a domain to members of a range

Assume: Num⊆Val numbers will be memory locations

Assume: nil ∈Val but not in Num nil not a memory location

Same as before: Store maps Variables to Values

i.e. we can ask St(x) and we will get back a Value

New: Heap maps a finite subset of Numbers to Values

i.e. we can ask H p(l) where l is a number and we will get back a Value ifthis location has been “allocated”

Old State = Store

New: State = (Store,Heap)


Evaluating Expressions in the Store of a State

Strictly speaking, the store gives values to variables only.

But we need a way to say “value of an expression in a store” so we will abuse

notation and use St(e) for this as below:

St(n) where n is a number is just its usual value St(1) = 1

St(x+n) where n is a number and x is a variable is St(x)+St(n) = St(x)+n

St(e1 = e2) is true if St(e1) = St(e2)

This is supposed to be intuitive, so please complain if it isn’t!





emp ∗ 7→ SL N/A

¬∧∨⇒∀∃ FOL N/A


:= ; while

if then else

[.] dispose(.)

cons(.)




N/A

{P}S{Q}


and S terminates



More Inference


Extra Programming Constructs: Syntax and Intuitions

Fetch: v := [e]

• evaluate expression e in current state to get location l

• fault if location l is not in the current heap

• otherwise variable v is assigned the contents of location l

Example: x := [y+1]

St H p x := [y+1] St H p

y = 20 20 21 y = 20 20 21

1 2 x = 2 1 2

Non Examples: x := [[y+1]] x := [y]+1



Heap Assignment/Mutation: [e] := e1

• evaluate e (in the current state) as location l

• fault if location l is not in the current heap

• otherwise make the contents of location l the value of expression e1

Example [y+1] := 5

St H p [y+1] := 5 St H p

y = 20 20 21 y = 20 20 21

1 2 1 5

Non-examples: [[x]] := 5 [x]+1 := 5


Extra Programming Constructs: Syntax and IntuitionsAllocation: v := cons(e1,e2, · · · ,en)• extend the heap with n consecutive new locations l, l+1, · · · , l+n−1

• put values of e1, · · · ,en into locations l, · · · , l +n−1 respectively

• extend the store by assigning v the value l (never faults)

Example: p := cons(3,7)

St H p p := cons(3,7) St H p

· · · p = 10 · · · 10 11· · · · · · 3 7

Example: p := cons(q,q+1)

St H p p := cons(q,q+1) St H p

q = 5 · · · q = 5 · · · 110 111

· · · p = 110 · · · 5 6



Deallocation: dispose(e)

• evaluate e to get some number l

• fault if location l is not in the heap

• otherwise remove location l from the heap

Example: dispose(q)

St H p dispose(q) St H p

q = 5 5 110 111 q = 5 110 111

p = 110 3 5 6 p = 110 5 6

Example: dispose(p)

St H p dispose(p) St H p

q = 5 5 110 111 q = 5 5 111

p = 110 3 5 6 p = 110 3 6





emp ∗ 7→ SL N/A

¬∧∨⇒∀∃ FOL N/A


:= ; while

if then else

[.] dispose(.)

cons(.)




N/A

{P}S{Q}


and S terminates



More Inference


Semantics of Separation Logic

Store : Var→Val Heap : Num ⇀ f in Val State = Store×Heap

St(e) value of an expression in a store as explained earlier

(St,H p) |= emp if dom(H p) = /0

i.e. a state (St,H p) makes the formula emp true if the heap is empty


Store Assignment Axiom For Separation Logic

Hoare Axiom: {Q(e)} x := e {Q(x)}

Floyd Axiom:


Store Assignment Axiom for Separation Logic:

{x = v∧emp} x := e {x = e(v/x)∧emp}where v is an auxiliary variable which does not occur in e

New: atomic formula emp to say that the “heap is empty”

Why: we want to track the smallest amount of heap information


Store Assignment Axiom for Separation Logic

Store Assignment Axiom for Separation Logic:

{x = v∧emp} x := e {x = e(v/x)∧emp}where v is an auxiliary variable which does not occur in e

Example Instance: {x = v∧emp} x := 1 {x = (1)(v/x)∧emp}

i.e. {x = v∧emp} x := 1 {x = 1∧emp}

i.e. if we want the pre-condition 1 = 1 (i.e. True) then instantiate v to x{x = x∧emp} x := 1 {x = 1∧emp}


Fetch Assignment Axiom of Separation Logic

{(x = v1)∧ (e 7→ v2)} x := [e] {(x = v2)∧ (e(v1/x) 7→ v2)}where v1 and v2 are auxiliary variables which do not occur in e

Example: x := [y]St H p x := [y] St H p

y = 20 20 y = 20 20

1 x = 1 1

e is y: so{(x = v1)∧ (y 7→ v2)} x := [y] {(x = v2)∧ (e(v1/x) 7→ v2)}

v2 is 1: so{(x = v1)∧ (y 7→ 1)} x := [y] {(x = 1)∧ (e(v1/x) 7→ 1)}

e(v1/x) is y: since there are no occurrences of x in y so{(x = v1)∧ (y 7→ 1)} x := [y] {(x = 1)∧ (y 7→ 1)}





emp ∗ 7→ SL N/A

¬∧∨⇒∀∃ FOL N/A


:= ; while

if then else

[.] dispose(.)

cons(.)




N/A

{P}S{Q}


and S terminates



More Inference


Documents

Separation Logic - School of Computing