Separation Logic A Logic of Shared Mutable Data Structures - PowerPoint PPT Presentation

About This Presentation

Title:

Separation Logic A Logic of Shared Mutable Data Structures

Description:

where no free variable in r is modified by c. Outline. Hoare logic. Difficulties with pointers ... Thus, according to the lookup inference rule ... – PowerPoint PPT presentation

Number of Views:58

Avg rating:3.0/5.0

Slides: 41

Provided by: thoma423

Category:

more less

Transcript and Presenter's Notes

Title: Separation Logic A Logic of Shared Mutable Data Structures

1
Separation LogicA Logic of Shared Mutable Data
Structures

John Reynolds
CMU

Extended subset
Mooly Sagiv
2
Program Verification

Verify that the program is correct
No unexpected behavior
Identify bugs
Valid documentation
Proofs can be saved
Axiomatic semantics

3
Notations

P S Q
If P holds when S starts and S terminatesthen Q
holds after S
Partial correctness
No runtime errors (null dereferences)
S assumes P and guarantees Q
P S Q
If P holds when S starts then S terminatesand Q
holds after S
total correctness
S assumes P and guarantees Q
A backward version can be defined WP(S, Q)
The weakest condition which guarantees that S
terminates and satisfies Q

4
Hoare Proof Rules for Partial Correctness
p skip p
p/v? e ve p
p c0 r r c1 q p c0c1q
p?b c0 q p ??b c1 q p if b then c0 else
c1q
5
Hoare Proof Rules for Partial Correctness
i?b c i i while b do ci??b
?p ? p p c q ? q ? q p c q
6
Simple Example
x 0 i 0 while (i lt n ) x x
a i i 1
7
Pathological Example
while true do skip
8
Memory allocation destructive updates
Store x3, y40, z17 Heap empty

Allocation x cons(y, z)
Heap lookup y x1
Mutation x 1 3
Deallocation dispose(x1)

Store x37, y40, z17 Heap 3740, 3817
Store x37, y17, z17 Heap 3740, 3817
Store x37, y17, z17 Heap 3740, 383
Store x37, y17, z17 Heap 3740
9
Properties of Hoare Triples

Soundness
Relative completeness

10
Hoare Axiom for Destructive Updates
axioms
p/e1?e e1 e p
z40 x 77 z 40
Store x37, y17, z37 Heap 3740, 383
Store x37, y17, z37 Heap 3777, 383
11
Difficulties with Pointers

Assignment rule breaks
No constancy rule
Hard to use abstract data types
Hard to specify what is expected
Can we specify concisely what is not expected?
Scalability program verification/analysis

p c q p?r c q ?r where no free
variable in r is modified by c
12
Outline

Hoare logic
Difficulties with pointers
A Simple Programming Language
Monotonicity and Seperability
Assertions Axioms
Applications
Limitations
Missing

13
The Programming Language
ltcommgt ltvargt cons(ltexpgt, ,
ltexpgt) ltvargt ltexpgt ltexpgt
ltexpgt dispose ltexpgt
14
States

Values Integers ? Atoms ?Addresses
Heaps ? A ? Values A ? Addresses, A is
finite
nil ?Atoms
StoreV V ? Values
StateV StoreV ? Heaps
?e?? StoreV ? Values
?b?? StoreV ? true, false

15
Commands

Small-step operational semantics ltc, stategt ?
state
Special error state ??

16
Commands(2)

Allocation ltv cons(e1, , en), (s, h)gt ?s
v l,hl?e1?s ln-1 ?en?swhere l1, , ln
? Addresses dom h
Lookup
ltv e, (s, h)gt ? (s v h( ?e?s), h) where
?e?s?dom h
ltv e, (s, h)gt ? ? where ?e?s?dom h

17
Commands(3)

Mutation (destructive-update)
lte e, (s, h)gt ? (s, h ?e?s ?e?s )
where ?e?s?dom h
lte e, (s, h)gt ? ?where ?e?s?dom h
Deallocation
ltdispose e, (s, h)gt ? (s, h - ?e?s ) where
?e?s?dom h
ltdispose e, (s, h)gt ? ?where ?e?s?dom h

18
Heap Montonicity

For all heaps h ? h
If a command does not fault on a small heap h
then it does not fault on a larger heap h
If ltc, (s, h)gt ? ? then ltc, (s, h)gt ? ?

19
Notation

h h0 h1 union of disjoint heaps
Requires that h0 and h1 are disjoint
h h0 ? h1

20
Heap Separabality

Assumption h h0 h1
The effect of a command on a large heap is
determined by its effect on any subheap without
faults
If there exists h such thatltc, (s, h)gt ?
(s, h) and ltc, (s, h0)gt !? ? then there
exists h0 such that (i) h h0 h1 and (ii)
ltc, (s, h0)gt ? (s, h0)

21
Proof of Seperability (Preliminaries)

Lemma 1
For every l,k ?N and heaps h0 and h1 s.t. (1)
l?dom(h1) and (2) dom(h0)?dom(h1)?,
(h0 h1)lk
h0lk h1
Proof
(1 2) imply that dom(h0lk) ? dom(h1) (l ?
dom(h0)) ? dom(h1) ?. Thus, h0lk h1 is
defined.
dom(h0 h1)lk l ? dom(h0 h1) (by
definition)
l ? dom(h0) ?
dom(h1) (1 2)
dom(h0lk h1)
For every t ? dom(h0 h1)lk
(h0 h1)lk(t) k if tl, or (h0 h1)(t)
k if tl, or (h0(t) if t ? dom(h0) or h1(t) if t
? dom(h1)) otherwise
(k if tl, or h0(t) otherwise)
if t ? l ? dom(h0) or h1(t) if t ? dom(h1)
dom(h0lk h1(t)
Note that the second equality holds because of
(12)
Corollary 1 For every l1,..,lm,k1,..,km?N and
heaps h0 and h1 s.t. l1,..,lm ?dom(h1)? and
dom(h0) ? dom(h1) ?, (h0 h1)l1k1,..,lmkm
h0l1k1,..,lmkm h1

22
Proof of Seperability

We shall prove a stronger claim
For every k, c, s, h, sk, hk and h0 s.t. (A)
hh0 h1 (B) (c,?s,h0?) !??
i. (c,?s,h?)?k(ck,?sk,hk?) implies that an
h0,k exists s.t. (c,?s,h0?)?k(ck, ?sk,h0,k?)
and hkh0,k h1
ii. (c,?s,h?)?k ?sk,hk? implies that an h0,k
exists s.t. (c,?s,h0?) ?k ?sk,h0,k?, hkh0,k
h1
The proof is by induction on k.
For k 0 the claim is immediate.
For k gt 0, Assume (c,?s,h?)?k ?sk,hk?
By definition of ?k exists ck-1,sk-1,hk-1s.t.
(c,?s,h?)?k-1 (ck-1,?sk-1,hk-1?) ??sk,hk?.
By the induction hypothesis, there exists
h0,k-1s.t. (c,?s,h0?)?k-1 (ck-1,?sk-1,ho,k-1?)
and hk-1 ho,k-1 h1
To prove i, we show the existence of h0,k s.t.
(ck-1,?sk-1,h0,k-1?) ??sk,h0,k?.
The proof continues by a case analysis on the
form of the command ck-1.
Note, however, that for any ck-1 which is not an
heap manipulating command, the induction steps
follows immediately the inference rule
justifying the transition (ck-1,?sk-1,hk-1?)
??sk,hk? relies only on the content of the
store and does not allow the heap to be modified,
in particular, hk hk-1.
Thus, (a) by choosing h0,k h0,k-1 we get that
hk hk-1 h0,k-1 h1, h0,k h1 , and
(b) the transition (ck-1,?sk-1,h0,k-1?)
??sk,h0,k? can be justified by the same
inference rule which justifies (ck-1,?sk-1,hk-1?
) ??sk,hk?.
Note that the above judgment can be used to show
that the lemma also holds when (c,?s,h?)?k (ck,
?sk,hk?) and for any ck-1 not of the form ack
, when a is an heap manipulating command, thus we
omit the proof of ii.

23
Proof of Seperability(Cont.)

ck-1 xcons(e1,,em)
By the cons inference rule, sk sk-1xl and
hkhk-1lieisk-1 i0,,m-1 where
l,..lm-1 ?Address \ dom(hk-1) ().
According to the induction hypothesis
(hk-1 h0,k-1 h1) and the definition of ,
dom(hk-1) dom(h0,k-1)? dom(h1). Thus, ()
implies that l,..lm-1 ?Address \ dom(h
0,k-1).
As a result, the transition, (ck-1,?sk-1,h0,k-1?
) ??sk,h0,k? can be justified for
h0,k h0,k-1lieisk-1
i0,,m-1
Now, we need to show that hkh0,kh1. From
(), dom(h0,k)l,..lm-1 ? dom(h0,k-1) is
disjoint from dom(h1), thus, h0,kh1 is defined.
Also, hkhk-1lieisk-1 i0,,m-1
(h0,k-1 h1) lieisk-1
i0,,m-1 (l,..lm-1 ? dom(h1) ? lemma
1)
h0,k-1lieisk-1 i0,,m-1 h1
h0,k h1

24
Proof of Seperability (Cont)

ck-1 e1e2
By the mutation inference rule, sk sk-1 and
hkhk-1 e1sk-1e2sk-1 .
If e1sk-1? dom (h0,k-1) then
(ck-1,?sk-1,h0,k-1?) ??. However, by our
induction assumption we get that (c,?s,h0?)?k-1
(ck-1,?sk-1,ho,k-1?). This implies
(c,?s,h0?)?? which contradicts A.
Thus, e1sk-1 ? dom (h0,k-1). According to
the mutation inference rule (ck-1,?sk-1,h0,k-1?
) ? ?sk, h0,k? for sksk-1 and h0,kh0,k-1
e1sk-1e2sk-1
Since e1sk-1 ? dom (h0,k-1) and by our
induction assumption (hk-1 h0,k-1 h1) we
get that e1sk-1 ? dom (h1).
Thus, the requirements of Lemma 1 are fulfilled
and
hk hk-1 e1sk-1e1sk-1 (h0,k-1
h1) e1sk-1e1sk-1
(h0,k-1 e1sk-1e2sk-1 h1)
h0,k h1

25
Proof of Seperability (Cont)

ck-1 x e1
By the lookup inference rule, sk sk-1
xe1sk-1 and hkhk-1.
Following the same reasoning as in the case of
mutation ,
we can prove that e1sk-1 ? dom (h0,k-1).
Thus, according to the lookup inference rule
(ck-1,?sk-1,h0,k-1?) ? ?sk, h0,k?
for sksk-1x e1sk-1 and h0,kh0,k-1.
By our induction assumption (hk-1 h0,k-1
h1), thus hk h0,k h1.

26
Proof of Seperability theorem

ck-1 dispose e
By the de-allocation inference rule, sk sk and
hkhk-1 dom(hk-1) - e1sk-1
Following the same reasoning as in the case of
mutation,
we can prove that esk-1 ? dom (h0,k-1) and
that esk-1 ? dom (h1).
Thus, according to the de-allocation inference
rule
(ck-1,?sk-1,h0,k-1?) ? ?sk, h0,k?
for sksk-1 and h0,kh0,k-1 dom(h0,k-1) -
e1sk-1 .
By our induction hypothesis (hk-1 h0,k-1
h1),
Thus hk hk-1 dom(hk-1) - e1sk-1
(h0,k h1) dom(hk-1) -
e1sk-1 (esk-1 ? dom (h1))
h0,k-1 dom(h0,k-1) -
e1sk-1 h1
h0,k h1

27
Separation Logic
Syntax Intended Meaning
ef Pure expression comparison
e?f A heap with one location pointed to by E with content F
emp Empty heap
p q p and q hold in disjoint heaps
true,false, p?q, p?q, ?x p standard
e ? _ ? ?l e ? l e?e0, e1, , en-1 ? e ? e0
e1 ? e1 en-1 ?en-1 ?e?f ? e ?f true
28
Semantics of separation logics
29
Semantics of separation logics(cont)
30
Formula Example state
x?3,y Store x?, y ? Heap ? 3, ?1 ?
y?3,x Store x?, y ? Heap ? 3, ? 1 ?
x?3,y y?3,x Store x?, y ? Heap ? 3, ?1 ? 3, ? 1 ? ?, ?1, ?, and ?1 disjoint
x?3,y ? y?3,x Store x?, y ? Heap ? 3, ?1?
x?3,y ? y?3,x Store x?, y ? Heap ? 3, ?1 ? ? 3, ? 1 ?
31
Three Small Axioms
E?_ E b E ? b
emp x cons(y, z) x ?y, z
E?_ dispose(E) emp
32
The Frame Rule
Tight specification
Mod(x _) x
Mod(EF)
Mod(dispose(E))
33
A simple application of the frame rule
(E?_ ) P dispose(E) P
34
Sound Axioms

p q ? q p
p (q r) ? (p q) r
p emp ? p
(p ? q) r ? (p r) ? (q r)
(p ? q) r ? (p r) ? (q r)
(?xp) q ? ?x p q (when x is not free in q)

35
Unsound Axioms
P ? P P
Contraction
P x?1
P x?1 Q y ?2
36
The Reverse Example
y nil while x ? nil do ( t y y x
x x 1 y1 t )
37
The Reverse Example
y nil while x ? nil do ( t y y x
x x 1 y1 t )
??, ?. list ? y? list ? x ? rev(?0) rev(?).?
list ? z ? z nil
list a. ? z ? ? s z ? a, s? list ? s
38
The Reverse Example
y nil while x ? nil do ( t y y x
x x 1 y1 t )
??, ?. list ? y? list ? x ? rev(?0 )
rev(?).?? ?z reach(x, z) ? reach(y, z) ? znil
reach(a, b) ?n?0 reachn(a, b) reach0(a, b) ? a
b reachi1(a, b) ? ? h, t a ? h, t?reachi(t,
b)
39
The Reverse Example
y nil while x ? nil do ( t y y x
x x 1 y1 t )
??, ?. list ? y list ? x ? rev(?0 ) rev(?).
40
The Delete Example
list(c, nil)
bool elem_delete(delval, c) prevnil elem
c while (elem ?nil) ( if (elem-gtval
delval) then ( if (prev nil) then c
elem1 else prev1 elem1
dispose(elem) return TRUE)
prevelem elem elem1
prevnil /\ list(c,nil) ? prev ! nil /\ (list
(c,prev) (prev ? -,elem) list (elem, nil))
list(x, y)? xy ?emp ?
? t x?_, t list(t, y)
list(c, nil)
41
Soundness of the Frame Rule

Given
(A) p c q that is for all s, h such that
s,h ? p,(Aa) ltc,(s,h)gt !?? and (Ab) for all
s h such that ltc, (s,h)gt?(s,h)gt, s h? q
(B) where c does not change free variables of r
Prove pr c qr
(C) that is, show for all s, h such that s,h ?
pr,(Ca) ltc,(s,h)gt !?? and (Cb) for all s h
such that ltc, (s,h)gt?(s,h)gt, s h? qr
(1) Let s, h such that s, h ? pr
(2) By definition of pr, there exists h0,h1 such
that
(2a) h h0h1 and (2b) s, h0 ? p and (2c) s, h1
? r
(3) From (2b) and (Aa for h0) follows that no
abort in the small heap h0 ltc, (s, h0)gt !??
(4) From (3) and Mon for h0 follows that no
abort in the large heap h ltc, (s,h)gt !?? (this
shows Ca)
(5) To show (Cb), let s h such that ltc,
(s,h)gt? (s,h)
show that sh? qr
that is, show that there exists h0 and h1 such
that (5a) hh0h1 and (5b) s h0 ? q and (5c)
s h1?r
(6) From (3) and SEP for h h0 and (sh from 5)
there exists h0 such that h h0 h1 (so (5a)
holds for h0 and h1)
and (6a) ltc, (s, h0)gt ? (s, h0)
(7) From (6a) and (Ab for h0 and h0) follows
that s,h0 ? q (this shows (5b) )
(8) From (2c) and (B) follows that lts, h1gt ? r
(this shows (5c) for h1 being h1)