Iris: Higher-Order Concurrent Separation Logic. Lecture 4: Basic Separation Logic: Proving Pointer Programs

Transcription

1 1 Iris: Higher-Order Concurrent Separation Logic Lecture 4: Basic Separation Logic: Proving Pointer Programs Lars Birkedal Aarhus University, Denmark November 10, 2017

2 2 Overview Earlier: Operational Semantics of λ ref,conc e, (h, e) (h, e ), and (h, E) (h, E ) Basic Logic of Resources l v, P Q, P Q, Γ P Q Basic Separation Logic: Hoare Triples Today: {P} e {v.q} : Prop Basic Separation Logic: Proving Pointer Programs Key Points Reasoning about mutable shared data structures by relating them to mathematical models islist l xs

3 Derivable Rules Last time we saw rules for basic language constructs (expressions that may reduce in one step) And the Bind rule for reasoning about more complex expressions. It is possible to derive other rules that can be used to simplify reasoning. Example Ht-Pre-Eq Γ S {P[v/x]} e[v/x] {u.q[v/x]} Γ, x : Val S {x = v P} e {u.q} This rule is derivable, which means that if we assume the antecedent (the formula above the line), then we can use the logical rules (both basic logical entailments and rules for Hoare triples) to prove the conclusion (the formula below the line). Several such are mentioned in the exercises. Do those to get familiar with how the logic works. 3

4 4 Example: let expressions Let expressions let x = e in e 2 are definable in λ ref,conc : Derivable rule let x = e in e 2 (λx. e 2 ) e Ht-let-det S {P} e 1 {x.x = v Q} (rec f (x) = e 2 ) e S {P} let x = e 1 in e 2 {u.r} S {Q[v/x]} e 2 [v/x] {u.r}

5 5 Sequencing Sequencing e1; e 2 is also definable (using let). Derivable rule Ht-seq S {P} e 1 {v.q} S {P} e 1 {.Q} S {P} e 1 ; e 2 {u.r} S {P} e 1 ; e 2 {u.r} S { x. Q} e 2 {u.r} S {Q} e 2 {u.r} where.q means that Q does not mention the return value.

6 6 Application and Deterministic Bind Ht-beta S {P} e [v/x] {u.q} S {P} (λx.e)v {u.q} Ht-bind-det E is an eval. context S {P} e {x.x = u Q} S {Q[u/x]} E[u] {w. R} S {P} E[e] {w. R}

7 7 Example: swap (finally!) Implementation swap = λx y.let z =! x in x! y; y z Possible Specification {l 1 v 1 l 2 v 2 } swap l 1 l 2 {v.v = () l 1 v 2 l 2 v 1 }. Proof: By Rule Ht-let-det SFTS the following two triples {l 1 v 1 l 2 v 2 }! l 1 {v.v = v 1 l 1 v 1 l 2 v 2 } {l 1 v 1 l 2 v 2 } l 1!l 2 ; l 2 v 1 {v.v = () l 1 v 2 l 2 v 1 }

8 8 Example: swap Consider the first triple: {l 1 v 1 l 2 v 2 }! l 1 {v.v = v 1 l 1 v 1 l 2 v 2 } To show this, use Ht-load and Ht-frame.

9 9 Example: swap Consider the second triple: {l 1 v 1 l 2 v 2 } l 1!l 2 ; l 2 v 1 {v.v = () l 1 v 2 l 2 v 1 } By sequencing rule Ht-seq, SFTS: {l1 v 1 l 2 v 2 } l 1! l 2 {.l 1 v 2 l 2 v 2 } {l1 v 2 l 2 v 2 } l 2 v 1 {v.v = () l 1 v 2 l 2 v 1 } For the second, recall that l 2 v 2 implies l 2. Hence we can use Ht-csq and Ht-store followed by Ht-frame. For the first, use deterministic bind, and then proceed with Ht-store, etc.

10 Proof Outlines In the literature, you will often see proof outlines, which sketch how proofs of programs are done. Tricky to make precise, so not used in the Iris Lecture Notes. Possible proof outline for above proof for swap: {l 1 v 1 l 2 v 2 } swap l 1 l 2 {l 1 v 1 l 2 v 2 } let z =! l 1 in {l 1 v 1 l 2 v 2 z = v 1 } l 1! l 2 ; {l 1 v 2 l 2 v 2 z = v 1 } l 2 z {l 1 v 2 l 2 v 1 z = v 1 } {l 1 v 2 l 2 v 1 } 10

11 11 Mutable Shared Data Structures: Linked Lists Key Point: We reason about mutable shared data structures by relating them to mathematical models. Today: Mutable Shared Data Structure = linked lists Mathematical Model = sequences (aka functional lists) islist l xs relates value l to sequence xs Defined by induction on xs islist l [] l = inj 1 () islist l (x : xs) hd, l. l = inj 2 (hd) hd (x, l ) islist l xs Exercise: Draw the linked list corresponding to mathematical sequence [1, 2, 3]. Why do we use above?

12 12 Example: inc on linked lists Incrementing all values in a linked list of integers. Implementation rec inc(l) = match l with Specification inj 1 x 1 () inj 2 x 2 let h = π 1! x 2 in end let t = π 2! x 2 in x 2 (h + 1, t); inc t xs. l.{islist l xs} inc l {v.v = () islist l (map(1+)xs)}

13 13 Example: inc on linked lists Proof Proceed by the recursion rule. When considering the body of inc, proceed by case analysis of xs. Case xs = []: TS l.{islist l[]} match l with... {v.v = () islist l(map(1+)[])} Case xs = x : xs : TS x, xs. l.{islist l(x : xs )} match l with... {v.v = () islist l(map(1+)(x : xs ))} In both cases, we proceed by the match rule (the islist predicate will tell us which branch is chosen).

14 14 Case xs = [] To show l.{islist l[]} match l with... {v.v = () islist l(map(1+)[])} Note: islist l[] l = inj 1 (). Thus SFTS {islist l[]} l {v.v = inj 1 () islist l[]} which we do by Ht-frame and Ht-Pre-Eq followed by Ht-ret.

15 15 Case xs = x : xs To show x, xs. l.{islist l(x : xs )} match l with... {v.v = () islist l(map(1+)(x : xs ))} Note: islist l(x : xs) hd, l.l = inj 2 hd hd (x, l ) islist l xs. Thus we have {l = inj 2 hd hd (x, l ) islist l xs } l {r.r = inj 2 hd l = inj 2 hd hd (x, l ) islist l xs } for some l and hd, using the rule Ht-exist, the frame rule, the Ht-Pre-Eq rule, and the Ht-ret rule. Hence, the second branch will be taken and by the match rule it suffices to verify the body of the second branch.

16 Case xs = x : xs, continued Using Ht-let-det and Ht-Proj repeatedly we quickly prove {l = inj 2 hd hd (x, l ) islist l xs } let h = π 1!hd in let t = π 2!hd in hd (h + 1, t) {l = inj 2 hd hd (x + 1, l ) islist l xs t = l h = x} Now, by Ht-seq and Ht-csq, we are left with proving {l = inj 2 hd hd (x + 1, l ) islist txs } f t {r.r = () islist l(map(+1)(x : xs ))} which follows from assumption (cf. recursion rule) and definition of the islist predicate. 16