Presentation is loading. Please wait.

Presentation is loading. Please wait.

Separation Logic A Logic of Shared Mutable Data Structures John Reynolds CMU Extended subset Mooly Sagiv.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Separation Logic A Logic of Shared Mutable Data Structures John Reynolds CMU Extended subset Mooly Sagiv."— Presentation transcript:

1 Separation Logic A Logic of Shared Mutable Data Structures John Reynolds CMU Extended subset Mooly Sagiv

2 Program Verification Verify that the program is correct No unexpected behavior Identify bugs Valid documentation Proofs can be saved Axiomatic semantics

3 Notations {P} S {Q} –If P holds when S starts and S terminates then Q holds after S –Partial correctness –No runtime errors (null dereferences) –S assumes P and guarantees Q [P] S [Q] –If P holds when S starts then S terminates and Q holds after S –total correctness –S assumes P and guarantees Q –A backward version can be defined WP(S, Q) The weakest condition which guarantees that S terminates and satisfies Q

4 Hoare Proof Rules for Partial Correctness {p} skip {p} {p/v  e } v:=e {p} {p} c 0 {r} {r} c 1 {q} {p} c 0 ;c 1 {q} {p  b} c 0 {q} {p  b} c 1 {q} {p} if b then c 0 else c 1 {q}

5 Hoare Proof Rules for Partial Correctness {i  b} c {i} {i} while b do c{i  b}  p  p’ {p’} c {q’}  q’  q {p} c {q}

6 Simple Example x := 0; i := 0 while (i < n ) x := x + a; i := i + 1;

7 Pathological Example while true do skip

8 Memory allocation & destructive updates Allocation x := cons(y, z) Heap lookup y := [x+1] Mutation [x + 1] := 3 Deallocation dispose(x+1) Store: [x:3, y:40, z:17] Heap: empty Store: [x:37, y:40, z:17] Heap: 37:40, 38:17 Store: [x:37, y:17, z:17] Heap: 37:40, 38:3 Store: [x:37, y:17, z:17] Heap: 37:40, 38:17 Store: [x:37, y:17, z:17] Heap: 37:40

9 Properties of Hoare Triples Soundness Relative completeness

10 Hoare Axiom for Destructive Updates {p/[e1]  e} [e1] := e {p} axioms Store: [x:37, y:17, z:37] Heap: 37:40, 38:3 {[z]=40} [x] := 77 {[z] =40} Store: [x:37, y:17, z:37] Heap: 37:77, 38:3

11 Difficulties with Pointers Assignment rule breaks No constancy rule Hard to use abstract data types Hard to specify what is expected –Can we specify concisely what is not expected? Scalability program verification/analysis {p} c {q} {p  r} c {q  r} where no free variable in r is modified by c

12 Outline Hoare logic Difficulties with pointers A Simple Programming Language Monotonicity and Seperability Assertions & Axioms Applications Limitations Missing

13 The Programming Language ::= … | := cons(, …, ) | := [ ] | [ ] := | dispose

14 States Values = Integers  Atoms  Addresses Heaps =  { A  Values | A  Addresses, A is finite} nil  Atoms Store V = V  Values State V = Store V  Heaps  e  : Store V  Values  b  : Store V  {true, false}

15 Commands Small-step operational semantics  state‘ Special error state 

16 Commands(2) Allocation  [s| v: l],[h|l:  e 1  s|…| l+n-1:  e n  s] where l 1, …, l n  Addresses – dom h Lookup –  ([s | v: h(  e  s), h) where  e  s  dom h –   where  e  s  dom h

17 Commands(3) Mutation (destructive-update) –  (s, [h |  e  s :  e’  s ]) where  e  s  dom h –   where  e  s  dom h Deallocation –  (s, h -  e  s ) where  e  s  dom h –   where  e  s  dom h

18 Heap Montonicity For all heaps h  h’ If a command does not fault on a small heap h then it does not fault on a larger heap h’ –If  *  then  * 

19 Notation h = h 0 # h 1 union of disjoint heaps Requires that h 0 and h 1 are disjoint h = h 0  h 1

20 Heap Separabality Assumption: h = h 0 # h 1 The effect of a command on a large heap is determined by its effect on any subheap without faults –If there exists h’ such that  * (s’, h’) and !  *  then there exists h’ 0 such that (i) h’= h’ 0 # h 1 and (ii)  * (s’, h’ 0 )

21 Proof of Seperability (Preliminaries) Lemma 1: For every l,k  N and heaps h 0 and h 1 s.t. (1) l  dom(h 1 ) and (2) dom(h 0 )  dom(h 1 )= , (h 0 # h 1 )[l:k] = h 0 [l:k]# h 1 Proof: (1& 2) imply that dom(h 0 [l:k])  dom(h 1 ) = ({l}  dom(h 0 ))  dom(h 1 ) = . Thus, h 0 [l:k]# h 1 is defined. dom(h 0 # h 1 )[l:k] = {l}  dom(h 0 # h 1 ) = (by definition) {l}  dom(h 0 )  dom(h 1 ) = (1 & 2) dom(h 0 [l:k]# h 1 ) For every t  dom(h 0 # h 1 )[l:k]: (h 0 # h 1 )[l:k](t) = k if t=l, or (h 0 # h 1 )(t) =k if t=l, or (h 0 (t) if t  dom(h 0 ) or h 1 (t) if t  dom(h 1 )) otherwise = (k if t=l, or h 0 (t) otherwise) if t  {l}  dom(h 0 ) or h 1 (t) if t  dom(h 1 ) = dom(h 0 [l:k]# h 1 (t) Note that the second equality holds because of (1&2) Corollary 1: For every l 1,..,l m,k 1,..,k m  N and heaps h 0 and h 1 s.t. {l 1,..,l m }  dom(h 1 )=  and dom(h 0 )  dom(h 1 ) = , (h 0 # h 1 )[l 1 :k 1,..,l m :k m ] = h 0 [l 1 :k 1,..,l m :k m ]# h 1

22 Proof of Seperability We shall prove a stronger claim: For every k, c, s, h, s k ’, h k ’ and h 0 s.t. (A) h=h 0 # h 1 (B) (c,  s,h 0  ) !  *  i. (c,  s,h  )  k (c k,  s’ k,h’ k  ) implies that an h’ 0,k exists s.t. (c,  s,h 0  )  k (c k,  s’ k,h’ 0,k  ) and h’ k =h’ 0,k #h 1 ii. (c,  s,h  )  k  s’ k,h’ k  implies that an h’ 0,k exists s.t. (c,  s,h 0  )  k  s’ k,h’ 0,k , h’ k =h’ 0,k # h 1 The proof is by induction on k. For k = 0 the claim is immediate. For k > 0, Assume (c,  s,h  )  k  s k ’,h k ’  By definition of  k exists c k-1,s’ k-1,h’ k-1 s.t. (c,  s,h  )  k-1 (c k-1,  s’ k-1,h’ k-1  )  s k ’,h k ’ . By the induction hypothesis, there exists h’ 0,k-1 s.t. (c,  s,h 0  )  k-1 (c k-1,  s’ k-1 ’,h’ o,k-1  ) and h’ k-1 = h’ o,k-1 # h 1 To prove i, we show the existence of h’ 0,k s.t. (c k-1,  s’ k-1,h’ 0,k-1  )  s k ’,h 0,k ’ . The proof continues by a case analysis on the form of the command c k-1. Note, however, that for any c k-1 which is not an heap manipulating command, the induction steps follows immediately: the inference rule justifying the transition (c k-1,  s’ k-1,h’ k-1  )  s k ’,h k ’  relies only on the content of the store and does not allow the heap to be modified, in particular, h’ k = h’ k-1. Thus, (a) by choosing h’ 0,k = h’ 0,k-1 we get that h’ k = h’ k-1 = h’ 0,k-1 # h 1, = h’ 0,k # h 1, and (b) the transition (c k- 1,  s’ k-1,h’ 0,k-1  )  s k ’,h 0,k ’  can be justified by the same inference rule which justifies (c k-1,  s’ k- 1,h’ k-1  )  s k ’,h k ’ . Note that the above judgment can be used to show that the lemma also holds when (c,  s,h  )  k (c k,  s k ’,h k ’  ) and for any c k-1 not of the form a;c k, when a is an heap manipulating command, thus we omit the proof of ii.

23 Proof of Seperability(Cont.) c k-1 := x=cons(e 1, …,e m ) By the cons inference rule, s k = s k-1 [x:l] and h ’ k =h ’ k-1 [l+i:[[e i ]]s k-1 |i=0, …,m-1] where {l,..l+m-1}  Address \ dom(h ’ k-1 ) (*). According to the induction hypothesis (h’ k-1 = h’ 0,k-1 # h 1 ) and the definition of #, dom(h ’ k-1 ) = dom(h ’ 0,k-1 )  dom(h 1 ). Thus, (*) implies that {l,..l+m-1}  Address \ dom(h ’ 0,k-1 ). As a result, the transition, (c k-1,  s’ k-1,h’ 0,k-1  )  s k ’,h 0,k ’  can be justified for h’ 0,k = h’ 0,k-1 [l+i:[[e i ]]s k-1 |i=0, …,m-1] Now, we need to show that h’ k =h’ 0,k #h 1. From (*), dom(h’ 0,k )={l,..l+m-1}  dom(h ’ 0,k-1 ) is disjoint from dom(h 1 ), thus, h’ 0,k #h 1 is defined. Also, h ’ k =h ’ k-1 [l+i:[[e i ]]s k-1 |i=0, …,m-1] = (h’ 0,k-1 # h 1 ) [l+i:[[e i ]]s k-1 |i=0, …,m-1] = ({l,..l+m-1}  dom(h 1 ) =  + lemma 1) h’ 0,k-1 [l+i:[[e i ]]s k-1 |i=0, …,m-1] # h 1 = h ’ 0,k # h 1

24 Proof of Seperability (Cont) c k-1 := [e 1 ]=e 2 By the mutation inference rule, s k = s k-1 and h ’ k =h ’ k-1 [ [[e 1 ]]s k-1 :[[e 2 ]]s k-1 ]. If [[e 1 ]]s k-1  dom (h ’ 0,k-1 ) then (c k-1,  s’ k-1 ’,h’ 0,k-1  ) . However, by our induction assumption we get that (c,  s,h 0  )  k-1 (c k-1,  s’ k-1 ’,h’ o,k-1  ). This implies (c,  s,h 0  )  *  which contradicts A. Thus, [[e 1 ]]s k-1  dom (h ’ 0,k-1 ). According to the mutation inference rule (c k-1,  s’ k-1,h’ 0,k- 1  )   s’ k, h’ 0,k  for s’ k =s’ k-1 and h’ 0,k =h’ 0,k-1 [ [[e 1 ]]s k-1 :[[e 2 ]]s k-1 ] Since [[e 1 ]]s k-1  dom (h ’ 0,k-1 ) and by our induction assumption (h’ k-1 = h’ 0,k-1 # h 1 ) we get that [[e 1 ]]s k-1  dom (h 1 ). Thus, the requirements of Lemma 1 are fulfilled and h ’ k = h ’ k-1 [ [[e 1 ]]s k-1 :[[e 1 ]]s k-1 ] = (h’ 0,k-1 # h 1 ) [ [[e 1 ]]s k-1 :[[e 1 ]]s k-1 ] = (h’ 0,k-1 [ [[e 1 ]]s k-1 :[[e 2 ]]s k-1 ] # h 1 ) = h’ 0,k # h 1

25 Proof of Seperability (Cont) c k-1 := x = [e 1 ] By the lookup inference rule, s k = s k-1 [ x:[[e 1 ]]s k-1 ] and h ’ k =h ’ k-1. Following the same reasoning as in the case of mutation, we can prove that [[e 1 ]]s k-1  dom (h ’ 0,k-1 ). Thus, according to the lookup inference rule (c k-1,  s’ k-1,h’ 0,k-1  )   s’ k, h’ 0,k  for s’ k =s’ k-1 [x :[[e 1 ]]s k-1 ] and h’ 0,k =h’ 0,k-1. By our induction assumption (h’ k-1 = h’ 0,k-1 # h 1 ), thus h’ k = h’ 0,k # h 1.

26 Proof of Seperability theorem c k-1 := dispose [e] By the de-allocation inference rule, s k = s k and h ’ k =h ’ k-1 | dom(h ’ k-1) - [e1]]sk-1 Following the same reasoning as in the case of mutation, we can prove that [[e]]s k-1  dom (h ’ 0,k-1 ) and that [[e]]s k-1  dom (h 1 ). Thus, according to the de-allocation inference rule (c k-1,  s’ k-1,h’ 0,k-1  )   s’ k, h’ 0,k  for s’ k =s’ k-1 and h’ 0,k =h’ 0,k-1 | dom(h ’ 0,k-1) - [e1]]sk-1. By our induction hypothesis (h’ k-1 = h’ 0,k-1 # h 1 ), Thus h ’ k = h ’ k-1 | dom(h ’ k-1) - [e1]]sk-1 = (h’ 0,k # h 1 ) | dom(h ’ k-1) - [e1]]sk-1 = ([[e]]s k-1  dom (h 1 )) h’ 0,k-1 | dom(h ’ 0,k-1) - [e1]]sk-1 # h 1 = h’ 0,k # h 1

27 Separation Logic SyntaxIntended Meaning e=fPure expression comparison efef A heap with one location pointed to by E with content F empEmpty heap p *qp and q hold in disjoint heaps true,false, p  q, p  q,  x: p standard e  _   l: e  l e  e 0, e 1, …, e n-1  e  e 0 *e+1  e 1 * … * e+n-1  e n-1  e  f  e  f * true

28 Semantics of separation logics s, h  E = F  E  s =  F  s s, h  E  F{  E  s} = dom(h) and h(  E  ) =  F  s s, h  emp h=[] s, h  P * Q exist h1, h2: h=h1 #h2 s, h1  P s, h2  Q

29 Semantics of separation logics(cont) s, h  false never s, h  P  Q if s, h  P then s, h  Q s, h   x. P exists v: [s | x :v], h  P

30 FormulaExample state x  3,y Store: x: , y:  Heap:  : 3,  +1:  y  3,x Store: x: , y:  Heap:  : 3,  +1:  x  3,y * y  3,x Store: x: , y:  Heap:  : 3,  +1  : 3,  +1:  ,  +1, , and  +1 disjoint x  3,y  y  3,xStore: x: , y:  Heap:  : 3,  +1:  x  3,y  y  3,xStore: x: , y:  Heap:  : 3,  +1:   : 3,  +1: 

31 Three “Small” Axioms {E  _} [E] := b {E  b} {emp} x := cons(y, z) {x  y, z} {E  _} dispose(E) {emp}

32 The Frame Rule {P} C {Q} {P * R} C {Q * R} Mod(C)  free(R)={} Mod(x := _) = {x} Mod([E]:=F) = {} Mod(dispose(E)) = {} Tight specification

33 A simple application of the frame rule {P} C {Q} {P * R} C {Q * R} Mod(C)  free(R)={} {(E  _ )* P } dispose(E) {P}

34 Sound Axioms p * q  q * p p * (q * r)  (p * q) * r p * emp  p (p  q) * r  (p * r)  (q * r) (p ⋀ q) * r  (p * r) ⋀ (q * r) (  x:p) * q   x: p * q (when x is not free in q)

35 Unsound Axioms P  P * P Contraction P= x  1 P * Q  P Weakening P= x  1 Q= y  2

36 The Reverse Example y: = nil ; while x  nil do ( t := y y := x x := [x +1] [y+1] := t )

37 The Reverse Example y: = nil ; while x  nil do ( t := y y := x x := [x +1] [y+1] := t ) , . list  y  list  x  rev(  0 )= rev(  ).  list  z  z= nil list a.  z   s: z  a, s  list  s

38 The Reverse Example y: = nil ; while x  nil do ( t := y y := x x := [x +1] [y+1] := t ) , . list  y  list  x  rev(  0 ) = rev(  ).   z: reach(x, z)  reach(y, z)  z=nil reach(a, b) =  n  0: reach n (a, b) reach 0 (a, b)  a = b reach i+1 (a, b)   h, t: a  h, t  reach i (t, b)

39 The Reverse Example y: = nil ; while x  nil do ( t := y y := x x := [x +1] [y+1] := t ) , . list  y * list  x  rev(  0 ) = rev(  ).

40 The Delete Example bool elem_delete(delval, c) prev=nil elem = c while (elem  nil) ( if (elem->val = delval) then ( if (prev = nil) then c = [elem+1] else [prev+1] = [elem+1]; dispose(elem); return TRUE) prev=elem; elem = [elem+1] prev=nil /\ list(c,nil)  prev != nil /\ (list (c,prev) * (prev  -,elem) * list (elem, nil)) list(x, y)  x=y  emp   t: x  _, t * list(t, y) {list(c, nil)}

41 Soundness of the Frame Rule Given: (A) {p} c {q} that is for all s, h such that s,h  p, (Aa) !  *  and (Ab) for all s’ h’ such that  *(s’,h’)>, s’ h’  q (B) where c does not change free variables of r Prove: {p*r} c {q*r} (C) that is, show for all s, h such that s,h  p*r, (Ca) !  *  and (Cb) for all s’ h’ such that  *(s’,h’)>, s’ h’  q*r (1) Let s, h such that s, h  p*r (2) By definition of p*r, there exists h0,h1 such that (2a) h = h0#h1 and (2b) s, h0  p and (2c) s, h1  r (3) From (2b) and (Aa for h0) follows that no abort in the small heap h0: !  *  (4) From (3) and [Mon for h0] follows that no abort in the large heap h: !  *  (this shows Ca) (5) To show (Cb), let s’ h’ such that  * (s’,h’) show that s’h’  q*r that is, show that there exists h’0 and h’1 such that (5a) h’=h’0#h’1 and (5b) s’ h’0  q and (5c) s’ h’1  r (6) From (3) and [SEP for h h0] and (s’h’ from 5) there exists h’0 such that h’= h’ 0 # h1 (so (5a) holds for h’0 and h1) and (6a)  * (s’, h’ 0 ) (7) From (6a) and (Ab for h0 and h’0) follows that s’,h’0  q (this shows (5b) ) (8) From (2c) and (B) follows that  r (this shows (5c) for h’1 being h1)

42 Montonicity Axiom p1  p2, q1  q2 p1 * q1  p2 * q2

43 Type of assertions Pure independent of the heap Strictly-exact holds for exactly one heap Domain-exact holds for exactly one domain Intuitionistic monotonic in the heap

44 Garbage The assertion language does not allow garbage collection Can limit the assertion language to allow garbage collection

45 Applications Manual program verification –Deautch-Shorr-Waite –Copy GC (POPL’04) –Algorithms on DAGs (Space’04) –Resource ownership (POPL’04) Limited to exact predicates Justify other formalisms –Confinement (POPL’02) –Ownership

46 Missing Logic of bunch implications Completeness Concurrency Resource ownership Complexity results Substructural logic

47 History [Burstall 1972] Separating Conjunctions (implicit) ]Reynolds 1999] Explicit Separating Conjunctions [Ishtiaq & O’Hearn 2001] –Bunch implications –Frame rule

Download ppt "Separation Logic A Logic of Shared Mutable Data Structures John Reynolds CMU Extended subset Mooly Sagiv."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Introduction to Proofs

Introduction to Proofs
Techniques for proving programs with pointers A. Tikhomirov.

Techniques for proving programs with pointers A. Tikhomirov.
3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.

3-Valued Logic Analyzer (TVP) Tal Lev-Ami and Mooly Sagiv.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.

Axiomatic Semantics The meaning of a program is defined by a formal system that allows one to deduce true properties of that program. No specific meaning.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages

CS 355 – Programming Languages
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Boolean Algebra cont’ The digital abstraction Graphs and Topological Sort מבנה המחשב + מבוא למחשבים ספרתיים תרגול 2#

Boolean Algebra cont’ The digital abstraction Graphs and Topological Sort מבנה המחשב + מבוא למחשבים ספרתיים תרגול 2#
Axiomatic Semantics Dr. M Al-Mulhem ICS535-091.

Axiomatic Semantics Dr. M Al-Mulhem ICS
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.
Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang.

Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
PSUCS322 HM 1 Languages and Compiler Design II Formal Semantics Material provided by Prof. Jingke Li Stolen with pride and modified by Herb Mayer PSU Spring.

PSUCS322 HM 1 Languages and Compiler Design II Formal Semantics Material provided by Prof. Jingke Li Stolen with pride and modified by Herb Mayer PSU Spring.

Similar presentations

Ads by Google