1 / 51

Introduction to Separation Logic

Introduction to Separation Logic. presented by Greta Yorsh April 02, 2008 IBM , Hawthorne. This Talk. What is Separation Logic? Strengths and weaknesses Successful applications Main challenges. What is Separation Logic?. Extension of Hoare logic low-level imperative programs

ingrid
Télécharger la présentation

Introduction to Separation Logic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Introduction to Separation Logic presented by Greta Yorsh April 02, 2008IBM, Hawthorne

  2. This Talk • What is Separation Logic? • Strengths and weaknesses • Successful applications • Main challenges

  3. What is Separation Logic? • Extension of Hoare logic • low-level imperative programs • shared mutable data structures

  4. Motivating Example assume( *x == 3 ) assume( *x == 3 ∧ x != y ∧ x != z ) assume( y != z ) assume( y != z ) *y = 4; *z = 5; assert( *y != *z ) assert( *x == 3 ) • contents are different • contents stay the same • different locations

  5. Framing Problem • What are the conditions on aliasing btwn x, y, z ? { y != z } C { *y != *z } { *x == 3∧y != z } C {*y != *z∧*x == 3 }

  6. Framing Problem • What are the conditions on C and R? • in presence of aliasing and heap • Separation logic introduces new connective ∗ { P } C {Q} { R ∧ P } C { Q ∧R } { P } C {Q} { R ∗ P } C { Q ∗R }

  7. Outline • Assertion language: syntax and semantics • Hoare-style proofs • Program analysis • Concurrency • Termination • Object-oriented programs

  8. Assertion Language

  9. Examples x  y ls(y, z) x  y ∗ ls(y, z) 33 8 8  33 x y y z x ∧ z = x y z

  10. Syntax

  11. Semantics • Assertions are evaluated w.r.t. a state • State is store and heap • S : Var ⇀ Int • H : Loc ⇀ Int where Loc ⊆ Int • Notations • disjoint domains: dom(H1) dom(H2) • composition: H1 ◦ H2 • evaluation: ES Int • update: S[x:i] • S,H  P

  12. Semantics

  13. Common Shorthands • E  E1,E2,..,En E  E1 ∗ E+1  E2 ∗ ... ∗ E+(n-1)  En • E1  E2 E1  E2 ∗ true • E  _  ∃x. E  x x  x  3,y,7 S = [x:10, y:4] H = [10:3,11:4,12:7] 3 4 7 11 12 10

  14. Examples y x y x 4 3 4 4 3 3 S = [x:10, y:30] H = [10:4,11:3,30:4,31:3] S = [x:10, y:10] H = [10:4,11:3]        

  15. Inductive Definitions • Describe invariants of recursive data-structure • Trees • List Segments • Doubly-linked list segments • Cyclic lists • List of cyclic doubly linked lists • Lists with head pointers • Nested lists (bounded depth) • ... • Binary tree tree(E)  (E = nil ∧ emp) ∨ (∃x,y. E x,y ∗ tree(x) ∗ tree(y))

  16. List segment • Acyclic, possibly empty ls(E, F)  (E=F ∧ emp) ∨ (EF ∧ ∃v. Ev ∗ ls(v, F)) S = [x:10, y:30] H = [10:4,4:17,17:20,20:30]  ls(x,y) x 4 17 20 30 • Possibly cyclic, panhandle, empty • cls(E, F)  (E=F ∧ emp) ∨ (∃x. Ex ∗ cls(x, F)) dangling pointer 4 17 20 10

  17. More complex structures • Doubly-linked list segment dls(x,y,z)  (x=y ∧ emp) ∨ (xy ∧ ∃w. xz,w ∗ dls(w,y,x)) x y z

  18. Axioms  • ls(x,y) ∗ ls(y,nil) ⇒ ls(x,nil) • ls(x,y) ∗ ls(y,z) ⇒ ls(x,z) • ls(x,y) ⇒ ∃w. ls(x,w) ∗ wy • (P1 ∧ P2) ∗ Q ⇒ (P1 ∗ Q) ∧ (P2 ∗ Q) • x  y ∗ z  w ⇒ x  z • x  y ∧ z  w ⇒ x  y ∧ x = z ∧ y = w  z allocated in ls(x,y)  empty heap   

  19. Axioms • Weakening • P ∧ Q ⇒ P • P ∗ Q ⇒ P • Contraction • P ⇒ P ∧ P • P ⇒ P * P   x  1 ∗ y  2  x  1   x  1  x  1 ∗ x  1

  20. Precise Assertions •  S,H there is at most one h’  h s.t. s,h’  P • Examples • precise: x  1, ls(x,y) • not precise: x. x  y, P ∨ Q • Axiom for precise assertions (P1 ∧ P2) ∗ Q  (P1 ∗ Q) ∧ (P2 ∗ Q)

  21. Pure Assertions • Syntax: do not contain  or emp • Semantics: do not depend on heap (for any store) • Axioms for pure assertions x=y ∗ z = w  x=y ∧ z = w

  22. Symbolic Heaps • Fragment of Separation Logic assertion language • Decidable • satisfiability, small model property • entailment A ::= (P ∧ ... ∧ P) ∧ (S ∗ ... ∗ S) E ::= x | nil | E + E P ::= E=E | E  E S ::= E  E | tree(E) | ls(E, E) | dls(E, E, E)

  23. Hoare-Style Proofs

  24. Hoare Triples • {P} C {Q} • partial correctness • if P holds when C starts and C terminates then Q holds after C • no runtime errors (null dereferences) • [P] C [Q] • total correctness • if P holds when C starts then C terminates and Q holds after C

  25. The Programming Language • allocation • heap lookup • mutation • deallocation <comm> ::= … | <var> := cons(<exp>, …, <exp>) | <var> := [<exp>] | [<exp>] := <exp> | dispose <exp>

  26. Operational Semantics by Example Store: [x:3, y:40, z:17] Heap: empty • Allocation x := cons(y, z) • Heap lookup y := [x+1] • Mutation [x + 1] := 3 • Deallocation dispose(x+1) Store: [x:37, y:40, z:17] Heap: [37:40, 38:17] Store: [x:37, y:17, z:17] Heap: [37:40, 38:17] Store: [x:37, y:17, z:17] Heap: [37:40, 38:3] Store: [x:37, y:17, z:17] Heap: [37:40]

  27. Hoare Proof Rules for Partial Correctness { P } skip { P } { P(v/e) } v:=e {P} {P} c1 {R} {R} c2 {Q} {P} c1;c2{Q} {Pb} c1 {Q} {P b} c2 {Q} {P} if b then c1 else c2 {Q} {ib} c {i} {i} while b do c {ib} P  P’ {P’} c {Q’} Q’  Q {p} c {q}

  28. Hoare Axiom for Assignment • How to extend it for heap mutation ? • Example:  { P ( [e1] / e2 } [e1] := e2 {P} { [z]=40 } [x] := 77 { [z]=40 } Store: [x:37, y:17, z:37] Heap: [37:40, 38:3] Store: [x:37, y:17, z:37] Heap: [37:77, 38:3]

  29. “Small” Axioms • allocation • heap lookup • mutation • deallocation { emp } x := cons(y, z) { x  y, z } {Ez} x := [E] {E z ∧ x = z} {E1_} [E1] := E2 {E1  E2} {E_} dispose(E) {emp}

  30. The Frame Rule { P } C {Q} Mod(C) free(R)={} { R ∗ P } C { Q ∗R } Mod(x := _) = {x} Mod([E]:=F) = {} Mod(dispose(E)) = {}

  31. The Frame Rule • Small Axioms give tight specification • Allows the Small Axioms to apply generally • Handle procedure calls modularly • Frame rule is a key to local proofs { P } C {Q} Mod(C) free(R)={} { R ∗ P } C { Q ∗R } { xy ∗ ls(y,z) } dispose(x) { ls(y,z) }

  32. Reverse list(x)  ls(x,nil) { list(x) } y: = nil ; while x  nil do { t := [x] [x] := y y := x x := t } { list(x) ∗ list(y) } {x  nil ∧ list(x) ∗ list(y)} unfold { ∃i . x i ∗ list(i) ∗ list(y) } { x i } t := [x] { x t ∧ t = i } { xt ∗ list(t) ∗ list(y) } { x _ } [x] := y { x y} { xy ∗ list(t) ∗ list(y) } fold { list(t) ∗ list(x) } { list(t) ∗ list(y) } { list(x) ∗ list(y) } {x = nil ∧ list(x) ∗ list(y) } { list(y) }

  33. Local Specification • Footprint • part of the state that is used by the command • Local specification • reasoning only about the footprint • Frame rule • from local to global spec

  34. Frame Rule • Sound • safety-monotonicity • frame property of small axioms • Complete • derives WLP or SP for commands

  35. Weakest Preconditions Allocation v  free(x,y,P) Lookup v  free(E,P)\{x} Mutation Disposal wp(x:=cons(y,z), P) =  v. ( (v  x,y) wp( x:= [E], P) =  v. (e  v) ∧ P(x/v) wp([E1]:=E2, P) = (E1 _ ) ∗ ( (E1 E2) −∗ P)) wp(dispose E, P) = (E1 _ ) ∗ P

  36. Automated verification andProgram analysis

  37. Symbolic Execution • Application of separation logic proof rules as symbolic execution • Restrict assertion language to symbolic heaps • Discharge entailments A  B • axiomatize consequences of induction • Frame inference

  38. DeleteTree DeleteTree (t) { local i,j; if (t != nil) { i := [t]; j := [t+1] ; DeleteTree(j); DeleteTree(i); dispose t; } } { tree(t) } { tree(t) ∧ t  nil } { ∃x,y. t x,y ∗ tree(x) ∗ tree(y) } {t i,j ∗ tree(i) ∗ tree(j) } {t i,j ∗ tree(i) ∗ emp } {t i,j ∗ tree(i) } {t i,j ∗ emp } { emp } { emp }

  39. Frame Inference • Failed proof of entailment yields a frame • Assertion at call site • Callee’s precondition • Frame { t i,j ∗ tree(i) ∗ tree(j) } { tree(j) } t i,j ∗ tree(i) ∗ tree(j)  tree(j) ..... t i,j ∗ tree(i)  emp { t i,j ∗ tree(i) }

  40. Frame Inference • Assertion at call site: • Callee’s precondition: DeleteTree(j) { tree(j) } { emp } {t i,j ∗ tree(i) ∗ tree(j) } {t i,j ∗ tree(i) } DeleteTree(j) { t i,j ∗ tree(i) ∗ tree(j) } { tree(j) }

  41. Incompleteness of Frame Inference • Lose the information that x=y • Do we need inequality involving just-disposed ? { x _ } free(x) { emp } { y _ ∗ x _ } free(x) { y _ }

  42. Program Analysis • Abstract value is a set of symbolic heaps • Abstract transformers by symbolic execution (TODO EXAMPLE) • Fixpoint check by entailement • Knobs • widening / abstraction • join • interprocedural analysis (cutpoints) • predicate discovery

  43. Global Properties? • Before: tree ∧ (Q∗ R)  (tree ∧ Q)∗ (tree ∧ R) • After: (tree ∧ Q)∗ (tree ∧ R) tree ∧ (Q∗ R) • Loss of global property • no restrictions on dangling pointers in P and Q • can point to each other and create cycles { tree ∧ P } C { tree ∧ Q } { (tree ∧ R)∗ (tree ∧ P) } C { (tree ∧ Q)∗ (tree ∧ R) }

  44. http://www.dcs.qmw.ac.uk/~ohearn/localreasoning.html Bibliography

  45. “Early Days” • The Logic of Bunched Implications O'Hearn and Pym. 1999 • Intuitionistic Reasoning about Shared Mutable Data Structure Reynolds. 1999 • BI as an Assertion Language for Mutable Data Structures. Ishtiaq, O'Hearn. POPL'01. • Local Reasoning about Programs that Alter Data Structures O'Hearn, Reynolds, Yang. CSL'01. • Separation Logic: A Logic for Shared Mutable Data Structures Reynolds. LICS 2002.

  46. Successful Applications • An example of local reasoning in BI pointer logic: the Schorr-Waite graph marking algorithm Yang, SPACE 2001 • Local Reasoning about a Copying Garbage CollectorBirkedal, Torp-Smith, Reynolds. POPL'04

  47. Analysis and Automated Verification • Symbolic Execution with Separation Logic.Berdine, Calcagno, O'Hearn. APLAS'05. • Smallfoot: Modular Automatic Assertion Checking with Separation Logic Berdine, Calcagno, O'Hearn. FMCO’06. • A local shape analysis based on separation logic Distefano, O'Hearn, Yang. TACAS’06. • Interprocedural Shape Analysis with Separated Heap Abstractions. Gotsman, Berdine, Cook. SAS’06 • Shape analysis for composite data structures.Berdine, Calcagno, Cook, Distefano, O'Hearn, Wies, Yang. CAV'07. • ...

  48. Concurrency • Resources, Concurrency and Local Reasoning O'Hearn. Reynolds Festschrift, 2007. CONCUR'04 • A Semantics for Concurrent Separation Logic Brookes. Reynolds Festschrift, 2007. CONCUR'04 • Towards a Grainless Semantics for Shared Variable Concurrency John C. Reynolds (in preparation?) • Permission Accounting in Separation LogicBornat, Calcagno, O'Hearn, Parkinson. POPL’05 • Modular Verification of a Non-blocking StackParkinson, Bornat, O'Hearn. POPL’07 • A Marriage of Rely/Guarantee and Separation Logic Parkinson, Vafeiadis. CONCUR’07 • Modular Safety Checking for Fine-Grained Concurrency (smallfootRG)Calcagno, Parkinson, Vafeiadis. SAS'07 • Thread-Modular Shape Analysis. Gotsman, Berdine, Cook, Sagiv. PLDI’07 • ...

  49. Termination • Automatic termination proofs for programs with shape-shifting heaps. Berdine, Cook, Distefano, O'Hearn. CAV’06 • Variance Analyses from Invariance Analyses.Berdine, Chawdhary, Cook, Distefano, O'Hearn. POPL 2007 • ...

  50. Object Oriented Programming • Separation logic and abstraction Parkinson and Bierman. POPL’05 • Class Invariants: The End of the Road?Parkinson. IWACO'07. • Separation Logic, Abstraction, and InheritanceParkinson, Bierman. POPL'08 • …

More Related