Example of a for-loop. Separation Logic. The repeat construct. Reasoning rule for for-loops. Before the loop:

Size: px

Start display at page:

Download "Example of a for-loop. Separation Logic. The repeat construct. Reasoning rule for for-loops. Before the loop:"

John Heath
5 years ago
Views:

1 Example of a for-loop Separation Logic Part 3 Arthur Charguéraud February 2015 let facto n = let r = ref 1 in for i = 2 to n do let v =!r in r := v * i; done;!r Before the loop: r ãñ 1 At each iteration: from r ãñ pi 1q! to r ãñ i! After the loop: r ãñ n! Loop invariant pi : int Ñ Hpropq that applies for any i P r2, n ` 1s: I i r ãñ pi 1q! 1 / 70 2 / 70 Reasoning rule for for-loops The repeat construct Reasoning rule for the case a ď b: General rule: H Ź I P ra, bs. ti iu t tλtt. I pi ` 1qu I pb ` 1q Ź Q tt thu pfor i a to b do tq tqu H Ź I P ra, bs. ti iu t tλtt. I pi ` 1qu I pmax a pb ` 1qq Ź Q tt thu pfor i a to b do tq tqu New language construct repeat t such that: repeat t ÝÑ if t then prepeat tq else pq Encodings: repeat t do pq while t do t 1 while t 2 repeat pt 1 ; t 2 q while t 1 do t 2 repeat pif t 1 then pt 2 ; trueq else falseq 3 / 70 4 / 70

2 Reasoning rule for repeat Example of a repeat loop Reduction rule: repeat t ÝÑ if t then prepeat tq else pq H Ź I tiu t tλb. if b then I else pq ttqu thu prepeat tq tqu Reasoning rule (partial correctness): H Ź I tiu t tλb. if b then I else pq ttqu thu prepeat tq tqu Remark: the post-condition uses a logical if-then-else. let facto n = let r = ref 1 in let k = ref 2 in repeat let i =!k in if i <= n then begin let n =!r in r := i * n; incr k; true end else false done;!r Instantiation of the rule: H k ãñ 2 r ãñ 1 Q λtt. k ãñ pn ` 1q r ãñ n! I Di. k ãñ i r ãñ pi 1q! r2 ď i ď n ` 1s 5 / 70 6 / 70 Termination of loops: an example Termination of loops let facto n = let r = ref 1 in let k = ref 2 in repeat let i =!k in if i <= n then begin let n =!r in r := i * n; incr k; true end else false done;!r With indexed invariant to justify termination: H k ãñ 2 r ãñ 1 Q λtt. k ãñ pn ` 1q r ãñ n! I i k ãñ i r ãñ pi 1q! r2 ď i ď n ` 1s i 0 2 i 1 ă i i ă i 1 ď n ` 1 păq is well-founded Generalization to total H Ź I tiu t tλb. if b then I else pq ttqu thu prepeat tq tqu H Ź I X 0 ti Xu t tλb. if b then pdy. I Y ry ă Xsq else pq ttqu thu prepeat tq tqu where A is a user-specified type, px 0 : Aq, px : Aq, pi : A Ñ Hpropq, and pă : A Ñ A Ñ Propq is a well-founded relation. 7 / 70 8 / 70

3 Induction instead of invariants Length with a while loop let facto n = let r = ref 1 in let k = ref 2 in repeat let i =!k in if i <= n then begin let n =!r in r := i * n; incr k; true end else false done;!r Let t denote the body of the repeat loop above. We prove by induction on i (going up to n ` 1) that the following triple tk ãñ i r ãñ pi 1q r2 ď i ď n ` 1su prepeat t doneq tλtt. k ãñ pn ` 1q r ãñ n!u Step 1 unfold the loop body once: tk ãñ i r ãñ pi 1q r2 ď i ď n ` 1su pif t then repeat t else ()q tλtt. k ãñ pn ` 1q r ãñ n!u Step 2 invoke the induction hypothesis on: let rec mlength (p: a cell) = let t = ref 0 in let f = ref p in while!f!= null do incr t; f := (!f).tl; done!t k ãñ pi ` 1q r ãñ i r2 ď i ` 1 ď n ` tp Mlist Lu pmlength pq tλn. rn length Ls p Mlist Lu 9 / / 70 Length with a while loop: invariant Length with a recursive function Loop invariant: I DqL 1 L 2. f ãñ q p MlistSeg q L 1 q Mlist L 2 rl L 1``L 2 s t ãñ L 1 let rec mlength (p: a cell) = if p == null then 0 else 1 + mlength p.tl Specification proved by induction on L, using the frame rule at each tp Mlist Lu pmlength pq tλn. rn length Ls p Mlist Lu 11 / / 70

4 Length with a while loop Length with a while loop: induction let rec mlength (p: a cell) = let t = ref 0 in let f = ref p in while!f!= null do incr t; f := (!f).tl; done!t Starting from a state of the form: q Mlist L 2 f ãñ q t ãñ n the while loop reaches the state: q Mlist L 2 f ãñ null t ãñ pn ` length L 2 q begin: q Mlist L 2 f ãñ q t ãñ n focus: q ÞÑ t hd=x; tl=q 1 u q 1 Mlist L 1 2 f ãñ q t ãñ n incr: q ÞÑ t hd=x; tl=q 1 u q 1 Mlist L 1 2 f ãñ q t ãñ n ` 1 shift: q ÞÑ t hd=x; tl=q 1 u q 1 Mlist L 1 2 f ãñ q1 t ãñ n ` 1 frame: q 1 Mlist L 1 2 f ãñ q1 t ãñ n ` 1 induc: q 1 Mlist L 1 2 f ãñ null t ãñ n ` 1 ` L1 2 exit-fr: q ÞÑ t hd=x; tl=q 1 u q 1 Mlist L 1 2 f ãñ null t ãñ n ` 1 ` L1 2 unfoc: q Mlist L 2 f ãñ null t ãñ n ` L 2 13 / / 70 Summary Towards an interpretation of H Ź I P ra, bs. ti iu t tλtt. I pi ` 1qu I pmax a pb ` 1qq Ź Q tt thu pfor i a to b do tq tqu H Ź I tiu t tλb. if b then I else pq ttqu thu prepeat tq tqu H Ź I X 0 ti Xu t tλb. if b then pdy. I Y ry ă Xsq else pq ttqu thu prepeat tq tqu Assume in this slide that triples describe the entire state. A triple thu t tλx. H 1 u is interpreted in total correctness H m Dv. Dm 1. t {m ^ pxv{xy H 1 q m 1 Let Q λx. H 1. We have Q v xv{xy H 1. So, a triple thu t tqu is interpreted H m Dv. Dm 1. t {m ^ Q v m 1 + Reasoning about loops by induction allows exploiting the frame rule. 15 / / 70

5 Towards an interpretation of triples Soundness theorem In Separation Logic, a triple describes only a part m 1 of the heap. The rest of the heap, call it m 2, is assumed to remain unchanged. A triple thu t tqu can be interpreted 1 m 2. # H m1 m 1 K m 2 Dv. Dm 1 1. $ & % t {m1 Zm 2 1 Zm 2 Q v m 1 1 m 1 1 K m 2 Theorem (Soundness) If the triple thu t tqu holds 1 m 2. # H m1 m 1 K m 2 Dvm 1 1m 3. $ & % t {m1 Zm 2 1 Zm 2 Zm 3 Q v m 1 1 m 1 1 K m 2 K m 3 Above, m 3 describes the part of the heap dropped during the reasoning. 17 / / 70 Soundness proof Proof case: sequence thu t 1 tq 1 u tq 1 ttu t 2 tqu thu pt 1 ; t 2 q tqu t 1{m ó tt {m 1 t 2{m 1 ó v {m 2 pt 1 ; t 2 q {m ó v {m 2 Proof by induction over the size of the derivation of thu t tqu 1 m 2. m 1 K m 2 ^ H m 1 Dvm 1 1. t {m1 Zm 2 1 Zm 2 ^ Q v m 1 1 Ñ Assume m 1 K m 2 and H m 1. Our goal is to find v and m 1 1 such that: pt 1 ; t 2 q {m1 Zm 2 1 Zm 2 ^ Q v m 1 1 Ñ By IH1 applied to m 1 K m 2 and H m 1, we get v 1 and m 1 11 such that: (For simplicity, we leave m 1 1 K m 2 implicit and ignore garbage collection.) t 1{m1 Zm 2 ó v 1{m 1 11 Zm 2 ^ Q 1 v 1 m 1 11 Ñ By typing, v 1 must be tt. In particular, we have Q 1 tt m Ñ By IH2 applied to m 1 11 K m 2 and pq 1 ttq m 1 11, we get v 2 and m 1 12 s.t.: t 2{m 1 11 Zm 2 ó v 2{m 1 12 Zm 2 ^ Q v 2 m 1 12 Ñ We provide v 2 for v and m 1 12 for m / / 70

6 Summary Presentation Theorem (Soundness) If the triple thu t tqu holds 1 m 2. # H m1 m 1 K m 2 Dvm 1 1m 3. $ & % t {m1 Zm 2 1 Zm 2 Zm 3 Q v m 1 1 m 1 1 K m 2 K m 3 Pure pre-conditions as hypotheses: trp s Hu t tqu written as P thu t tqu 21 / / 70 Function apply Function twice let apply f x = f x Specification: let twice f = f(); f() Same thu pf xq tqu thu papply f xq tqu 1 Q. ^ thu pf pqq tλtt. H 1 u th 1 u pf pqq tqu thu ptwice fq th r thu pf xq tqu su papply f xq tqu 23 / / 70

7 Function repeat Function acting over a reference let repeat n f = for i = 0 to n-1 do f() done let refapply r f = r := f!r Exercise: specify the function refapply, first assuming f to be pure, and then assuming f to modify the state from H to H 1. Exercise: specify the function repeat, using an invariant I : int Ñ p@i P r0, nq. ti iu pf pqq tλtt. I pi ` 1quq ti 0u prepeat n fq ti 1 rhh 1 r. tr su pf vq tλy. ry v 1 su tr ãñ vu prefapply r fq tλtt. r ãñ v 1 u thu pf vq tλy. ry v 1 s H 1 u tpr ãñ vq Hu prefapply r fq tλtt. pr ãñ v 1 q H 1 u 25 / / 70 Iteration over a pure list Length using iter let rec iter f l = [] -> () x::t -> f x; iter f t Specification using an invariant pi : list α Ñ where L&x L``px :: nilq. let length l = let r = ref 0 in iter (fun x -> incr r) l;!r Invariant: I k r ãñ k. Specialization of the specification to I and f: `@xk. tr ãñ k u pincr rq tλtt. r ãñ k ` 1u tr ãñ 0u piter f lq tλtt. r ãñ l u 27 / / 70

8 Sum using iter let sum l = let r = ref 0 in iter (fun x -> r :=!r + x) l;!r Invariant: I k r ãñ Sum k Verification of iter let rec iter f l = [] -> () x::t -> f x; iter f t How to prove that the code satisfies its specification? where: Sum k Fold p`q 0 k 29 / / 70 Verification of iter ti ku pf xq tλtt. I pk&xqu Prove: Prove a generalized ti ku piter f sq tλtt. I pk``squ Verification of iter let rec iter f l = [] -> () x::t -> f x; iter f t By induction on l: ti ku pf xq tλtt. I pk&xqu ti ku piter f sq tλtt. I pk``squ Case s nil. We have ti ku piter f sq tλtt. I pk``nilqu Case s x :: t. By the rule for sequences: ti ku pf xq tλtt. I pk&xqu ti pk&xqu piter f tq tλtt. I ppk&xq``tqu ti ku pf x; iter f tq ti pk``squ because pk&xq``t k``px :: tq k``s. 31 / / 70

9 Constraints over the items Constraints over the items, in order Problem for computing b a? x1 ` x 2 ` x 3. Problem for computing? x 1 `... `?x n. iter (fun x -> r := sqrt (!r +. x)) [2.; -1.; 3.] iter (fun x -> r :=!r +. sqrt x) [2.0; 3.0] Generalized `@xk. x P l ti ku pf xq tλtt. I pk&xqu Most-general `@xks. l k``x :: s ti ku pf xq tλtt. I pk&xqu 33 / / 70 Invariant on remaining items Specification of fold-left Invariant on the list of processed items: Description: Code: fold f a r6 :: 4 :: 7s f pf pf a 6q 4q 7 Invariant on the list of remaining items: `@xs. ti 1 px :: squ pf xq tλtt. I 1 su let rec fold f a l = [] -> a x::k -> fold f (f a x) k ti 1 lu piter f lq tλtt. I 1 nilu Specification: Derivable using: I k Ds. rl k``ss I 1 `@xik. tj i ku pf i xq tλj. J j pk&xqu tj a nilu pfold f a lq tλb. J b lu 35 / / 70

10 Application of fold-left Forall tj i ku pf i xq tλj. J j pk&xqu tj a nilu pfold f a lq tλb. J b lu let r = ref 0 let sum_count l = fold (fun a x -> incr r; a+x) 0 l Exercise: give the invariant of fold in the function sum_count. where Sum k Fold p`q 0 k. J i k pr ãñ k q ri Sum ks Definition of Forall P L : Forall P nil Definition of Forall2 P L 1 L 2 : Forall2 P nil nil P x Forall P L Forall P px :: Lq P x 1 x 2 Forall2 P L 1 L 2 Forall2 P px 1 :: L 1 q px 2 :: L 2 q 37 / / 70 Specification of map A general specification of map let rec map f l = [] -> [] x::k -> (f x)::(map f k) Exercise: give a specification to map using Forall2, assuming f to be pure. Specification of l. Specification of p@x. tr su pf xq tλx 1. rp x x 1 suq tr su pmap f lq tλl 1. rforall2 P l l 1 l. p@x. tr su pf xq tλx 1. rp x x 1 suq tr su pmap f lq tλl 1. rforall2 P l l 1 su Combining the Il. `@xk. ti ku pf xq tλx 1. rp x x 1 s I pk&xqu ti nilu pmap f lq tλl 1. rforall2 P l l 1 s I lu 39 / / 70

11 Another general specification of map Specification of Il. ti ku pf xq tλx 1. rp x x 1 s J pk&xqu ti nilu pmap f lq tλl 1. rforall2 P l l 1 s I lu let rec find f l = [] -> None x::k -> if f x then Some x else find f k Alternative `@xkk 1. tj k k 1 u pf xq tλx 1. J pk&xq pk 1 &x 1 qu tj nil nilu pmap f lq tλl 1. J l l 1 u l. p@x. tr su pf xq tλb. rb true ô P xsuq tr su pfind f lq tλo. r match o with None Forall p P q l Some x Dkt. l k``x :: t ^ Forall p P q k ^ P x su 41 / / 70 Specification of sort Summary List.sort (fun x y -> x - y) [2;4;5;3;2;9] `@xik. tj i ku pf i xq tλj. J j ^ total-order pĺq p@xy. tr su pf x yq tλn. rn ď 0 ô x ĺ ysuq tr su psort f lq tλl 1. rpermut l l 1 ^ sorted pĺq l 1 su tj a nilu pfold f a lq tλb. J b lu `@xkk 1. tj k k 1 u pf xq tλx 1. J pk&xq pk 1 &x 1 qu tj nil nilu pmap f lq tλl 1. J l l 1 u Include the hypothesis l k``x :: s if the position of x matters. Specification of the list of past items or of remaining items. Boolean tr su pf xq tλb. rb true ô P xsu. Order tr su pf x yq tλn. rn ď 0 ô x ĺ ysu. 43 / / 70

Iterating over a mutable list Iterating over a mutable list let rec miter f p = if p == null then () else (f p.hd; miter f p.tl) Recall the specification of iter on pure lists: @fil.

12 Iterating over a mutable list Iterating over a mutable list let rec miter f p = if p == null then () else (f p.hd; miter f p.tl) Recall the specification of iter on pure Specification of pil. tp Mlist l I nilu pmiter f pq tλtt. p Mlist l I lu 45 / / 70 Mapping a function over a mutable list Mapping a function over a mutable list Recall the specification of map on pure `@xkk 1. tj k k 1 u pf xq tλx 1. J pk&xq pk 1 &x 1 qu tj nil nilu pmap f lq tλl 1. J l l 1 u Mapping a function over elements, in place: Exercise: specify the function mmap, assuming f to be pure. let rec mmap f p = if p == null then () else (p.hd <- f p.hd; mmap f pjl. `@xkk 1. tj k k 1 u pf xq tλx 1. J pk&xq pk 1 &x 1 qu tp Mlist l J nil nilu pmmap f pq tλtt. Dl 1. p Mlist l 1 J l l 1 u 47 / / 70

13 Function mfind Summary From pure lists: Specification: To imperative l. tr su pf xq tλb. rb istrue pp xqsuq tp Mlist lu pmfind f pq tλo. match o with None p Mlist l rforall p P q ls Some q Dkt. p MlistSeg q k q Mlist px :: tq rl k``x :: t ^ Forall p P q k ^ P xs u tp Mlist l I nilu pmiter f pq tλtt. p Mlist l I lu Post-conditions may return different shapes of heap: match o with None p Mlist l rforall p P q ls Some q Dkt. p MlistSeg q k q Mlist px :: tq rl k``x :: t ^ Forall p P q k ^ P xs 49 / / 70 Deallocation Application to file handles Remove the garbage collection rule: Goal: ensure that if a file is open then it is eventually closed. Add the free function: thu t tq H 1 u thu t tqu Representation predicate: f File L where pf : locq and pl : list charq tr Ref vu pfree rq tλtt. r su Terminating on the empty heap ensures the absence of memory leak: tr su t tλn. rp nsu Operations on files: tr su pfopen sq tλf. DL. f File Lu tf File pc :: Lqu pfread fq tλx. rx cs f File Lu tf File Lu pfclose fq tλtt. r su 51 / / 70

14 Implicit parallelism Shared data structures Parallel pairs in parallel ML: let (x,y) = ( f(), g() ) Separation Logic rule for parallel pairs: th 1 u t 1 tq 1 u th 2 u t 2 tq 2 u th 1 H 2 u p t 1, t 2 q tq 1 Q 2 u where Q 1 Q 2 λpx 1, x 2 q. Q 1 x 1 Q 2 x 2 let rec sum t i j = if j - i < 100 then let r = ref 0 in for k = i to j-1 do r :=!r + t.(k) done;!r else let m = (i+j) / 2 in let (s1,s2) = ( sum t i m, sum t m j ) in s1 + s2 53 / / 70 Concurrency Read-only permissions From read-write to read-only permissions: Several threads may concurrently read shared mutable data. The main thread should ultimately get back its write access. Threads may acquire locks for writing in shared mutable data. r ãñ v Ź r ãñ ro v Read-only permissions are duplicatable: pr ãñ ro vq Ź pr ãñ ro vq pr ãñ ro vq Read-only permissions disable writing: Ñ Concurrent Separation Logic, not covered in this course, additionally supports concurrent read/write accesses to shared memory cells. New: tr su pref vq tλr. r ãñ vu tr ãñ v 1 u pr := vq tλtt. r ãñ vu tr ãñ vu p!rq tλx. rx vs r ãñ vu tr ãñ ro vu p!rq tλx. rx vs r ãñ ro vu 55 / / 70

15 Fractional permissions Permission splitting and merging: Read-only permissions as arbitrary fractions We define: r ãñ v pr 1{2 ãñ vq pr 1{2 ãñ vq r ãñ ro v Dα. pr ãñ α vq with α P p0, 1s More generally, pr ãñ vq is a shorthand for pr 1 ãñ vq and: Duplicatibility P p0, 1s. pr α`β ãñ vq pr α ãñ vq pr β ãñ vq pr ãñ ro vq Ź pr ãñ ro vq pr ãñ ro vq tr su pref vq tλr. pr ãñ vqu tr ãñ v 1 u pr := vq tλtt. pr ãñ vqu tr α ãñ vu p!rq tλx. rx vs pr α ãñ vqu Proof: pdα. r α ãñ vq Ź pdα. r α ãñ vq pdα. r α ãñ vq because, for any given α, we have: pr α ãñ vq Ź pr α{2 ãñ vq pr α{2 ãñ vq 57 / / 70 Example of concurrent locks Concurrent locks A lock protects a piece of heap described by some invariant H: let r = ref 0 let s = ref n let p = create_lock() let concurrent_step () = let () = acquire_lock p in incr r; decr s; release_lock p p Lock H Example: p Lock pdi. pr ãñ iq ps ãñ n iqq. thu pcreate_lock ()q tλp. p Lock tp Lock Hu pacquire_lock pq tλtt. th p Lock Hu prelease_lock pq tλtt. r su The existence of a lock is in fact a duplicable information: p ro Lock H. 59 / / 70

16 Exercise: specification of fold-right Description: fold f r6 :: 4 :: 7s a f 6 pf 4 pf 7 aqq Exercises Code: let rec fold_right f l a = [] -> a x::k -> f x (fold_right f k a) Give a specification to fold-right. 61 / / 70 Solution: specification of fold-right Exercise: reasoning rule for while loops Description: fold f r6 :: 4 :: 7s a f 6 pf 4 pf 7 aqq Code: let rec fold_right f l a = [] -> a x::k -> f x (fold_right f k a) Give a direct reasoning rule for while loops, for partial correctness thu pwhile t 1 do t 2 q tqu Jla. `@xik. tj i ku pf x iq tλj. J j px :: kqu tj a nilu pfold f l aq tλb. J b lu 63 / / 70

17 Solution: reasoning rule for while loops Exercise: verification of map The loop invariant I describes the state between every iterations. The post-condition J describes the state after the evaluation of t 1. H Ź I tiu t 1 tju tj trueu t 2 tλtt. Iu J false Ź Q tt thu pwhile t 1 do t 2 q tqu where pi : Hpropq and pj : bool Ñ Hpropq. let rec map f l = [] -> [] x::k -> (f x)::(map f k) Prove that the code satisfies the l. p@x. tr su pf xq tλx 1. rp x x 1 suq tr su pmap f lq tλl 1. rforall2 P l l 1 su 65 / / 70 Solution: verification of map let rec map f l = [] -> [] x::k -> let x = f x in let k = map f k in l. p@x. tr su pf xq tλx 1. rp x x 1 suq tr su pmap f lq tλl 1. rforall2 P l l 1 su Proof by induction on l. Ñ Case l nil. Use the fact: Forall2 P nil nil. Ñ Case l x :: t. tr su pf xq tλx 1. rp x x 1 su tr su pmap f kq tλk 1. rforall2 P k k 1 su by assumption by induction hypothesis tr su px 1 :: k 1 q tλl 1. rforall2 P l l 1 su by Forall2 P px :: kq px 1 :: k 1 q. Exercise: soundness of the frame rule In the proof of the soundness theorem (without garbage 1 m 2. m 1 K m 2 ^ H m 1 Dvm 1 1. t {m1 Zm 2 1 Zm 2 ^ Q v m 1 1 prove the soundness of the frame rule: H H 1 H 2 th 1 u t tq 1 u Q 1 H 2 Q thu t tqu Hint: assume m 1 K m 2 and H m 1 and the induction hypothesis, which 3 m 4. m 3 K m 4 ^ H 1 m 3 Dvm 1 3. t {m3 Zm 4 3 Zm 4 ^ Q 1 v m 1 3 and exhibit v and m 1 1 such that t {m 1 Zm 2 1 Zm 2 and Q v m / / 70

18 Solution: soundness of the frame rule Solution: soundness of the frame rule H H 1 H 2 th 1 u t tq 1 u Q 1 H 2 Q thu t tqu Ñ Assume m 1 K m 2 and H m 1. Our goal is to find v and m 1 1 such that: t {m1 Zm 2 1 Zm 2 ^ Q v m 1 1 Ñ Since H m 1, we have ph 1 H 2 q m 1, so there exists m 11 and m 12 s.t.: m 1 m 11 Z m 12 ^ H 1 m 11 ^ H 2 m 12 Ñ By IH applied to m 11 K pm 12 Z m 2 q, we get v and m 1 11 such that: t {m11 Zpm 12 Zm 2 q 11 Zpm 12 Zm 2 q ^ Q 1 v m 1 11 Ñ By definition of star, we have ppq 1 vq H 2 q pm 1 11 Z m 12q. Ñ Q 1 H 2 Q implies ppq 1 vq H 2 q pq vq. Thus, Q v pm 1 11 Z m 12q. Ñ We provide pm 1 11 Z m 12q for m 1 1 and v for v. We can check: t {pm11 Zm 12 qzm 2 ó v {pm 1 11 Zm 12 qzm 2 ^ Q v pm 1 11 Z m 12 q Goal: t {m1 Zm 2 1 Zm 2 Instantiation: t {pm11 Zm 12 qzm 2 ó v {pm 1 11 Zm 12 qzm 2 Induction hyp.: t {m11 Zpm 12 Zm 2 q 11 Zpm 12 Zm 2 q 69 / / 70

Separation Logic. Part 3. Arthur Charguéraud. February / 66

Separation Logic. Part 3. Arthur Charguéraud. February / 66 Separation Logic Part 3 Arthur Charguéraud February 2014 1 / 66 Content Reasoning about loops For loops While loops Repeat-loops Total correctness Frame in a while loop Higher-order iterators for pure