Docstoc

Introduction to Separation Logic

Document Sample
Introduction to Separation Logic Powered By Docstoc
					Introduction to Separation Logic

           presented by
            Greta Yorsh


             April 02, 2008
            IBM, Hawthorne
                 This Talk
• What is Separation Logic?

• Strengths and weaknesses
• Successful applications
• Main challenges
        What is Separation Logic?

• Extension of Hoare logic
  – low-level imperative programs
  – shared mutable data structures
      Motivating Example

assume( *x == 3 ∧ x != y ∧ x != z )
                 )
assume( y != z )
*y = 4;
*z = 5;
assert( *y != *z )
assert( *x == 3 )


                      • contents are different
                      • contents stay the same
                      • different locations
             Framing Problem
            { y != z } C { *y != *z }
  { *x == 3 ∧ y != z } C {*y != *z ∧ *x == 3 }


• What are the conditions on aliasing btwn x, y, z ?
             Framing Problem
                  { P } C {Q}
            { R∧ P } C {Q∧R}

• What are the conditions on C and R?
  – in presence of aliasing and heap


• Separation logic introduces new connective ∗

                  { P } C {Q}
             { R∗P } C {Q∗R}
                     Outline

•   Assertion language: syntax and semantics
•   Hoare-style proofs
•   Program analysis
•   Concurrency
•   Termination
•   Object-oriented programs
ASSERTION LANGUAGE
                     Examples
              x
              x
xy           y
              y            8  33       33
                                        8

                                    y
ls(y, z)                                     zz



x  y ∗ ls(y, z) ∧ z = x
                   Syntax
   Assertion                    Name
false          Logical false
P∧Q            Classical conjunction
P∨Q            Classical disjunction
P⇒Q            Classical implication
P∗Q            Separating conjunction (star)
P −∗ Q         Separating implication (magic wand)
EE            Points to
emp            Empty heap
∃x. P          Existential quantifier
E=E            Expression value equality
                           Semantics
• Assertions are evaluated w.r.t. a state
• State is store and heap
   – S : Var ⇀ Int
   – H : Loc ⇀ Int where Loc ⊆ Int

• Notations
   –   disjoint domains:     dom(H1)  dom(H2)
   –   composition:          H1 ◦ H2
   –   evaluation:             E S  Int
   –   update:               S[x:i]

• S,H      P
                          Semantics
      Relation                                    Definition

S,H   false      Never satisfied

S,H   P∧Q        S,H      P ∧ S,H        Q

S,H   P∨Q        S,H      P ∨ S,H        Q

S,H   P⇒Q        S,H |= P ⇒ S,H |= Q

S,H   P∗Q        ∃H1,H2. dom(H1)  dom(H2) ∧ H1 ◦ H2 = H
                         ∧ S,H1 P ∧ S,H2 Q

S,H   P −∗ Q     ∀H′. (dom(H)  dom(H’) ∧ S,H′               P) ⇒ S,H◦H′   Q

S,H   E1  E2    dom(H) = {      E1      S   } ∧ H( E1   S   )= E2   S

S,H   emp        H = {}

S,H   ∃x.P        i  Int . S[x:i],H         P

S,H   E1 = E2      E1     S   = E2   S
           Common Shorthands
• E  E1,E2,..,En  E  E1 ∗ E+1  E2 ∗ ... ∗ E+(n-1) 
  Enx

    3 4 7          S = [x:10, y:4]         x  3,y,7
                   H = [10:3,11:4,12:7]
    10 11 12




• E1  E2  E1  E2 ∗ true

• E  _  ∃x. E  x
                        Examples
                    x            y                  xy

                                                     4     3
                        4   3        4   3

                    S = [x:10, y:30]            S = [x:10, y:10]
                    H = [10:4,11:3,30:4,31:3]   H = [10:4,11:3]

    x  4,3                                         
    x  4,3                                         
x  4,3 ∗ y  4,3                                   
x  4,3 ∧ y  4,3                                   
                 Inductive Definitions
• Describe invariants of recursive data-structure
   –   Trees
   –   List Segments
   –   Doubly-linked list segments
   –   Cyclic lists
   –   List of cyclic doubly linked lists
   –   Lists with head pointers
   –   Nested lists (bounded depth)
   –   ...


• Binary tree
tree(E)  (E = nil ∧ emp) ∨ (∃x,y. E x,y ∗ tree(x) ∗ tree(y))
                     List segment
• Acyclic, possibly empty
  ls(E, F)  (E=F ∧ emp) ∨ (EF ∧ ∃v. Ev ∗ ls(v, F))

    S = [x:10, y:30]                   ls(x,y)
    H = [10:4,4:17,17:20,20:30]
     x
      4     17      20     30
                                  dangling
      10     4      17     20     pointer

• Possibly cyclic, panhandle, empty
  cls(E, F)  (E=F ∧ emp) ∨ (∃x. Ex ∗ cls(x, F))
        More complex structures
• Doubly-linked list segment
  dls(x,y,z)  (x=y ∧ emp)
             ∨ (xy ∧ ∃w. xz,w ∗ dls(w,y,x))

        x

        z                                       y
                     Axioms
• ls(x,y) ∗ ls(y,nil) ⇒ ls(x,nil) 
• ls(x,y) ∗ ls(y,z) ⇒ ls(x,z)          z allocated in ls(x,y)
• ls(x,y) ⇒ ∃w. ls(x,w) ∗ wy               empty heap


• (P1 ∧ P2) ∗ Q ⇒ (P1 ∗ Q) ∧ (P2 ∗ Q)     
• x  y ∗ z  w ⇒ x  z
• xy∧zw⇒xy∧ x=z∧y=w   
                    Axioms
• Weakening
  –P∧Q⇒P        
  –P∗Q⇒P            x1∗y2  x
                     1
• Contraction
  –P⇒P∧P        
  –P⇒P*P            x1 x1∗x1
              Precise Assertions
•  S,H there is at most one h’   h s.t. s,h’   P

• Examples
  – precise:          x  1, ls(x,y)
  – not precise:      x. x  y, P ∨ Q


• Axiom for precise assertions
  (P1 ∧ P2) ∗ Q  (P1 ∗ Q) ∧ (P2 ∗ Q)
               Pure Assertions
• Syntax: do not contain  or emp
• Semantics: do not depend on heap (for any store)

• Axioms for pure assertions
  x=y ∗ z = w  x=y ∧ z = w
                Symbolic Heaps
• Fragment of Separation Logic assertion language
    A ::= (P ∧ ... ∧ P) ∧ (S ∗ ... ∗ S)
    E ::= x | nil | E + E
    P ::= E=E | E  E
    S ::= E  E | tree(E) | ls(E, E) | dls(E, E, E)

• Decidable
  – satisfiability, small model property
  – entailment
HOARE-STYLE PROOFS
                    Hoare Triples
• {P} C {Q}
   – partial correctness
   – if P holds when C starts and C terminates
     then Q holds after C
   – no runtime errors (null dereferences)


• [P] C [Q]
   – total correctness
   – if P holds when C starts
     then C terminates and Q holds after C
      The Programming Language

<comm> ::= …
  | <var> := cons(<exp>, …, <exp>)   • allocation
  | <var> := [<exp>]                 • heap lookup
  | [<exp>] := <exp>                 • mutation
  | dispose <exp>
                                     • deallocation
       Operational Semantics by Example
                               Store: [x:3, y:40, z:17]

• Allocation x := cons(y, z)   Heap: empty

                               Store: [x:37, y:40, z:17]
                               Heap: [37:40, 38:17]

• Heap lookup y := [x+1]
                               Store: [x:37, y:17, z:17]
                               Heap: [37:40, 38:17]

                               Store: [x:37, y:17, z:17]
• Mutation [x + 1] := 3
                               Heap: [37:40, 38:3]

• Deallocation dispose(x+1)    Store: [x:37, y:17, z:17]
                               Heap: [37:40]
Hoare Proof Rules for Partial Correctness
     { P } skip { P }

     { P(v/e) } v:=e {P}


     {P} c1 {R}     {R} c2 {Q}
     {P} c1;c2{Q}

     {Pb} c1 {Q}       {P b} c2 {Q}
     {P} if b then c1 else c2 {Q}

     {ib} c {i}
     {i} while b do c {ib}

       P  P’      {P’} c {Q’}      Q’  Q
     {p} c {q}
        Hoare Axiom for Assignment
• How to extend it for heap mutation ?

      { P ( [e1] / e2 }

• Example:
                            [e1] := e2   {P}
                                               
              { [z]=40 }     [x] := 77 { [z]=40 }

Store: [x:37, y:17, z:37]           Store: [x:37, y:17, z:37]
Heap: [37:40, 38:3]                 Heap: [37:77, 38:3]
                 “Small” Axioms

{ emp } x := cons(y, z) { x  y, z }   • allocation

{Ez} x := [E] {E z ∧ x = z}          • heap lookup

{E1_} [E1] := E2 {E1  E2}            • mutation

{E_} dispose(E)        {emp}          • deallocation
    The Frame Rule

   { P } C {Q}
                  Mod(C) free(R)={}
{ R∗P } C {Q∗R}

                   Mod(x := _) = {x}

                   Mod([E]:=F) = {}

                   Mod(dispose(E)) = {}
                The Frame Rule

               { P } C {Q}
                                     Mod(C) free(R)={}
         { R∗P } C {Q∗R}


• Small Axioms give tight specification
• Allows the Small Axioms to apply generally
     { xy ∗ ls(y,z) } dispose(x) { ls(y,z) }

• Handle procedure calls modularly
• Frame rule is a key to local proofs
list(x)  ls(x,nil)
{ list(x) }
                                         Reverse
  y: = nil ;

{ list(x) ∗ list(y) }
  while x  nil do { {x  nil ∧ list(x) ∗ list(y)}

                     { ∃i . x i ∗ list(i) ∗ list(y) }
                                                               unfold
               t := [x]                                 { x i } t := [x] { x t ∧ t = i }
                          { xt ∗ list(t) ∗ list(y) }
               [x] := y                                 { x _ } [x] := y { x y }
                          { xy ∗ list(t) ∗ list(y) }
                          { list(t) ∗ list(x) }
                                                        fold
               y := x
                          { list(t) ∗ list(y) }
               x := t
                          { list(x) ∗ list(y) }
  }   {x = nil ∧ list(x) ∗ list(y) }
{ list(y) }
               Local Specification
• Footprint
  – part of the state that is used by the command
• Local specification
  – reasoning only about the footprint
• Frame rule
  – from local to global spec
                  Frame Rule
• Sound
  – safety-monotonicity
  – frame property of small axioms
• Complete
  – derives WLP or SP for commands
              Weakest Preconditions

wp(x:=cons(y,z), P) =  v. ( (v  x,y)           • Allocation
                                                   v  free(x,y,P)

                                                 • Lookup
wp( x:= [E], P) =  v. (e  v) ∧ P(x/v)
                                                   v  free(E,P)\{x}


wp([E1]:=E2, P) = (E1 _ ) ∗ ( (E1 E2) −∗ P))   • Mutation

wp(dispose E, P) = (E1 _ ) ∗ P                  • Disposal
AUTOMATED VERIFICATION AND
PROGRAM ANALYSIS
            Symbolic Execution
• Application of separation logic proof rules as
  symbolic execution

• Restrict assertion language to symbolic heaps
• Discharge entailments A B
  – axiomatize consequences of induction
• Frame inference
                                      DeleteTree
{ tree(t) }
DeleteTree (t) {
          local i,j;
          if (t != nil) {        { tree(t) ∧ t  nil }
                                 { ∃x,y. t x,y ∗ tree(x) ∗ tree(y)
                       i := [t]; }
                       j := [t+1] ;
                                        {t i,j ∗ tree(i) ∗ tree(j) }
                       DeleteTree(j);
                                                          ∗
                                        {t i,j ∗ tree(i) } emp }
                       DeleteTree(i);
                                        {t i,j ∗ emp }
                       dispose t;
          }
                                        { emp }
}
{ emp }
                    Frame Inference
• Failed proof of entailment yields a frame
– Assertion at call site      { t i,j ∗ tree(i) ∗ tree(j)
                              }
– Callee’s precondition       { tree(j) }

          t i,j ∗ tree(i) ∗ tree(j)        tree(j)



                     t i,j ∗ tree(i)
                                      ..... emp

– Frame       { t i,j ∗ tree(i) }
                   Frame Inference
               { tree(j) }   DeleteTree(j) { emp }
{t i,j ∗ tree(i) ∗ tree(j) } DeleteTree(j) {t i,j ∗ tree(i) }

• Assertion at call site: { t i,j ∗ tree(i) ∗ tree(j)
                         }
• Callee’s precondition: { tree(j) }
 Incompleteness of Frame Inference

            { x _ } free(x) { emp }

    { y _ ∗ x _ } free(x) { y _ }



• Lose the information that x=y
• Do we need inequality involving just-disposed ?
               Program Analysis
• Abstract value is a set of symbolic heaps
• Abstract transformers by symbolic execution
  (TODO EXAMPLE)
• Fixpoint check by entailement

• Knobs
  – widening / abstraction
  – join
  – interprocedural analysis (cutpoints)
  – predicate discovery
              Global Properties?
              { tree ∧ P } C { tree ∧ Q }

{ (tree ∧ R) ∗ (tree ∧ P) } C { (tree ∧ Q) ∗ (tree ∧ R) }


• Before: tree ∧ (Q ∗ R)  (tree ∧ Q) ∗ (tree ∧ R)
• After: (tree ∧ Q) ∗ (tree ∧ R)  tree ∧ (Q ∗ R)

• Loss of global property
  – no restrictions on dangling pointers in P and Q
  – can point to each other and create cycles
BIBLIOGRAPHY
http://www.dcs.qmw.ac.uk/~ohearn/localreasoning.html
                    “Early Days”
• The Logic of Bunched Implications
  O'Hearn and Pym. 1999
• Intuitionistic Reasoning about Shared Mutable Data
  Structure
  Reynolds. 1999
• BI as an Assertion Language for Mutable Data Structures.
  Ishtiaq, O'Hearn. POPL'01.

• Local Reasoning about Programs that Alter Data Structures
  O'Hearn, Reynolds, Yang. CSL'01.
• Separation Logic: A Logic for Shared Mutable Data
  Structures
  Reynolds. LICS 2002.
          Successful Applications
• An example of local reasoning in BI pointer logic:
  the Schorr-Waite graph marking algorithm
  Yang, SPACE 2001
• Local Reasoning about a Copying Garbage
  Collector
  Birkedal, Torp-Smith, Reynolds. POPL'04
 Analysis and Automated Verification
• Symbolic Execution with Separation Logic.
  Berdine, Calcagno, O'Hearn. APLAS'05.
• Smallfoot: Modular Automatic Assertion Checking with
  Separation Logic
  Berdine, Calcagno, O'Hearn. FMCO’06.

• A local shape analysis based on separation logic
  Distefano, O'Hearn, Yang. TACAS’06.
• Interprocedural Shape Analysis with Separated Heap
  Abstractions.
  Gotsman, Berdine, Cook. SAS’06
• Shape analysis for composite data structures.
  Berdine, Calcagno, Cook, Distefano, O'Hearn, Wies, Yang. CAV'07.
• ...
                         Concurrency
• Resources, Concurrency and Local Reasoning
  O'Hearn. Reynolds Festschrift, 2007. CONCUR'04
• A Semantics for Concurrent Separation Logic
  Brookes. Reynolds Festschrift, 2007. CONCUR'04
• Towards a Grainless Semantics for Shared Variable Concurrency
  John C. Reynolds (in preparation?)

• Permission Accounting in Separation Logic
  Bornat, Calcagno, O'Hearn, Parkinson. POPL’05
• Modular Verification of a Non-blocking Stack
  Parkinson, Bornat, O'Hearn. POPL’07
• A Marriage of Rely/Guarantee and Separation Logic
  Parkinson, Vafeiadis. CONCUR’07
• Modular Safety Checking for Fine-Grained Concurrency (smallfootRG)
  Calcagno, Parkinson, Vafeiadis. SAS'07

• Thread-Modular Shape Analysis.
  Gotsman, Berdine, Cook, Sagiv. PLDI’07
• ...
                Termination
• Automatic termination proofs for programs with
  shape-shifting heaps.
  Berdine, Cook, Distefano, O'Hearn. CAV’06
• Variance Analyses from Invariance Analyses.
  Berdine, Chawdhary, Cook, Distefano, O'Hearn.
  POPL 2007
• ...
     Object Oriented Programming
• Separation logic and abstraction
  Parkinson and Bierman. POPL’05
• Class Invariants: The End of the Road?
  Parkinson. IWACO'07.
• Separation Logic, Abstraction, and Inheritance
  Parkinson, Bierman. POPL'08
• …
           Summary of Basic Ideas

•   Extension of Hoare logic to imperative programs
•   Separating conjunction ∗
•   Inductive definitions for data-structures
•   Tight specifications
•   Dangling pointers
•   Local surgeries
•   Frame rule

				
DOCUMENT INFO