Separation Logic 4/4. Chapter 18. Integration of structural rules. Definition of the local predicate (1/2)

Size: px

Start display at page:

Download "Separation Logic 4/4. Chapter 18. Integration of structural rules. Definition of the local predicate (1/2)"

Gwendoline Manning
5 years ago
Views:

1 Separation Logic 4/4 Arthur Charguéraud Chapter 18 Characteristic Formulae with structural rules Febuary 22th, / 72 2 / 72 Integration of structural rules Definition of the local predicate (1/2) v local pλhq. H Ź Q vq let x t 1 in t 2 local pλhq. DQ 1. t 1 H Q 1 t 2 pq 1 xq Q if b then t 1 else t 2 local pλhq. pb true ñ t 1 H Qq ^ pb false ñ t 2 H Qq v 1 v 2 local pλhq. App v 1 v 2 H Qq let rec f λx. t 1 in t 2 local P f ñ t 2 H Qq where P f p@xh 1 Q 1. t 1 H 1 Q 1 ñ App f x H 1 Q 1 q q q To support: H H 1 H 2 t H 1 Q 1 Q 1 H 2 Q frame t H Q we would define: $ & H H 1 H 2 local F λhq. DH 1 H 2 Q 1. F H 1 Q 1 % Q 1 H 2 Q 3 / 72 4 / 72

2 Framing using the local predicate Definition of the local predicate (2/2) To prove thu t tqu, by the rule frame, it suffices to show: To support: H Ź H 1 H 2 th 1 u t tq 1 u Q 1 H 2 Ź Q GC thu t tqu combined H H 1 H 2 ^ th 1 u t tq 1 u ^ Q 1 H 2 Q To prove local t H Q, by definition of local, it suffices to thu t tqu tdx. Hu t tqu exists P ñ thu t tqu trp s Hu t tqu prop H H 1 H 2 ^ t H 1 Q 1 ^ Q 1 H 2 Q we define: $ & ph 1 H 2 q h local F H h ñ DH 1 H 2 Q 1. F H 1 Q 1 % Q 1 H 2 Ź Q GC 5 / 72 6 / 72 Iterated applications of structural rules Notation for characteristic formulae The local predicate may be duplicated as many times as needed: local t H Q local plocal t q H Q For example, to prove local t H Q, it suffices to show: H H 1 H 2 ^ local t H 1 Q 1 ^ Q 1 H 2 Q When not needed, local may be simply erased: t H Q ñ local t H Q let x t 1 in t 2 local pλhq. DQ 1. t 1 H Q 1 t 2 pq 1 xq Qq Definition of Coq notation: plet x F 1 in F 2 q local pλhq. DQ 1. F 1 H Q 1 F 2 pq 1 xq Qq With this notation: let x t 1 in t 2 plet x t 1 in t 2 q Technically: let x t 1 in t 2 plet X t 1 in prx Ñ Xs t 2 q q 7 / 72 8 / 72

3 Characteristic formulae generation, with notation Tactics for characteristic formulae What the user sees: Let x F 1 in F 2 v Ret v let x t 1 in t 2 Let x t 1 in t 2 if b then t 1 else t 2 If b then t 1 else t 2 v 1 v 2 App v 1 v 2 let rec f λx. t 1 in t 2 Let Rec f x t 1 in t 2 What is hidden behind the notation: local pλhq. DQ 1. F 1 H Q 1 F 2 pq 1 xq Qq What the user would need to execute: apply local_erase; esplit; split. What the user writes: xlet. 9 / / 72 Overview 1. Higher-order predicate: p Mlist L is generalized into p Mlistof R L Chapter 19 Higher-order representation predicates 2. Identity representation predicate: 3. Control accesses: p Mlistof Id L is the same as p Mlist L tp Mcellof Id v 1 R 2 V 2 u pp.hdq tλx. rx v 1 s...u 4. Compose recursively: p Nodeof R X pmlistof pnarytreeof Rqq L 11 / / 72

4 Mutable list of possibly-aliased lists Mutable list of disjoint mutable lists L p5::7::nilq::p8::3::3::nilq ::pnilq::p4::nilq :: nil p Mlist K æ pp i, L i q P M p i Mlist L i r@p i P K. p i P dom Ms p MlistofMlist L (to be later generalized into: p Mlistof R L) 13 / / 72 Representation using iterated star Representation using a recursive predicate L p5::7::nilq::p8::3::3::nilq ::pnilq::p4::nilq :: nil L p5::7::nilq::p8::3::3::nilq ::pnilq::p4::nilq :: nil K p 1 :: p 2 :: p 3 :: p 4 :: nil p MlistofMlist L DK. p Mlist K Æ i P r0, L q pkrisq Mlist plrisq r K L s p MlistofMlist L match L with nil ñ rp nulls X :: L 1 ñ Dxp 1. p t hd=x; tl=p 1 u p 1 MlistofMlist L 1 x Mlist X 15 / / 72

5 Generalization to a higher-order predicate p MlistofMlist L match L with nil ñ rp nulls X :: L 1 ñ Dxp 1. p t hd=x; tl=p 1 u p 1 MlistofMlist L 1 Generalization: x Mlist X p Mlistof R L match L with nil ñ rp nulls X :: L 1 ñ Dxp 1. p t hd=x; tl=p 1 u p 1 Mlistof R L 1 In particular: x R X p MlistofMlist L p Mlistof Mlist L Type-checking p Mlistof R L is a notation for Mlistof R L p pof type Hpropq x R X is a notation for R X x pof type Hpropq p Mlistof R L match L with nil ñ rp nulls X :: L 1 ñ Dxp 1. p t hd=x; tl=p 1 u p 1 Mlistof R L 1 x R X Exercise: since pp : locq and px : Valq and px : Aq for some A, what is the type of R? What is the type of Mlistof? R : A Ñ Val Ñ Hprop Mlistof pa Ñ Val Ñ Hpropq Ñ lista Ñ loc Ñ Hprop 17 / / 72 The identity representation predicate p Mlistof R L match L with nil ñ rp nulls X :: L 1 ñ Dxp 1. p t hd=x; tl=p 1 u p 1 Mlistof R L 1 x R X p Mlist L match L with nil ñ rp nulls x :: L 1 ñ Dp 1. p t hd=x; tl=p 1 u p 1 Mlist L 1 Exercise: define the identity representation predicate Id such that p Mlistof Id L p Mlist L Summary 1. Higher-order predicate: p Mlist L is generalized into p Mlistof R L 2. Identity representation predicate: p Mlistof Id L is the same as p Mlist L Definition: x Id X rx Xs 19 / / 72

6 Specification of construction, for basic values Chapter 20 Higher-order representation predicates and the access problem tp 1 Mlist Lu pcons x p 1 q tλp. p Mlist px :: Lqu 21 / / 72 Specification of construction Specification of deconstruction tx R X p 1 Mlistof R Lu pcons x p 1 q tλp. p Mlistof R px :: Lqu tp Mlistof R px :: Lqu puncons pq tλpx, p 1 q. x R X p 1 Mlistof R Lu 23 / / 72

Specification of accesses: the problem Specification of accesses: a partial solution Incorrect specification for head: tp Mlistof R px :: Lqu phead pq tλx.

7 Specification of accesses: the problem Specification of accesses: a partial solution Incorrect specification for head: tp Mlistof R px :: Lqu phead pq tλx. x R X p Mlistof R px :: Lqu Correct yet limited specification: tp Mlistof R px :: Lqu phead pq tλx. x R X px R X p Mlistof R px :: Lqqu Magic wand rule: H ph H 1 q H 1 25 / / 72 Specification of accesses: a brute force solution Specification of accesses: focus before read p Mlistof R L DK. p Mlist K Æ i P r0, L q pkrisq R plrisq r K L s p Mlistof R px :: Lq Dxp 1. p t hd=x; tl=p 1 u x R X p 1 Mlistof R L 1 Then read using: tp ÞÑ t hd=x; tl=p 1 uu pp.hdq tλy. ry xs p ÞÑ t hd=x; tl=p 1 uu 27 / / 72

8 Ownership transfer with a queue of mutable items Specification of queues of basic items Push: tr su pcreate()q tλp. p Queue nilu tp Queue Lu ppush x pq tλ. p Queue pl&xqu tp Queue px :: Lqu ppop pq tλr. rr xs p Queue Lu Pop: tp Queue L p 1 Queue L 1 u pconcat p p q tλ. p Queue pl``l 1 qu 29 / / 72 Specification of queues of mutable items The copy problem Exercise: specify functions over queues using a higher-order representation predicate written p Queueof R L. Shorthand: just write Q R instead of Queueof R. tr su pcreate()q tλp. p Queueof R nilu tp Queueof R L x R Xu ppush x pq tλ. p Queueof R pl&xqu tp Queueof R px :: Lqu ppop pq tλx. p Queueof R L x R Xu tp Queueof R L p 1 Queueof R L 1 u pconcat p p 1 q tλ. p Queueof R pl``l 1 qu Incorrect specification for copy: tp Queueof R Lu pcopy pq tλp 1. p Queueof R L p 1 Queueof R Lu Exercise: specify a function copy f p that duplicables a mutable queue specified using Queueof, where f is a function to duplicate items. `@xx. tx R Xu pf xq tλx 1. x R X x 1 R Xu ñ tp Queueof R Lu pcopy f pq tλp 1. p Queueof R L p 1 Queueof R Lu 31 / / 72

9 Representation for records Chapter 21 Higher-order representation predicates for records p Mcellof R 1 V 1 R 2 V 2 Dv 1 v 2. p t hd=v 1 ; tl=v 2 u v 1 R 1 V 1 v 2 R 2 V 2 33 / / 72 Representation predicate for lists, revisited Focus/unfocus for accessing a record field p Mlistof R L match L with nil ñ rp nulls X :: L 1 ñ Dxp 1. p t hd=x; tl=p 1 u x R X p 1 Mlistof R L 1 p Mcellof R 1 V 1 R 2 V 2 Dv 1 v 2. p t hd=v 1 ; tl=v 2 u v 1 R 1 V 1 v 2 R 2 V 2 Exercise: rewrite the specification of Mlistof using Mcellof. p Mlistof R L match L with nil ñ rp nulls X :: L 1 ñ p Mcellof R X pmlistof Rq L 1 Focus on a field: p Mcellof R 1 V 1 R 2 V 2 Dv 1. p Mcellof Id v 1 R 2 V 2 v 1 R 1 V 1 Access to a focused field: tp Mcellof Id v 1 R 2 V 2 u pp.hdq tλx. rx v 1 s p Mcellof Id v 1 R 2 V 2 u tp Mcellof Id v 1 R 2 V 2 u pp.hd <- wq tλ. p Mcellof Id w R 2 V 2 u 35 / / 72

10 Binary tree: representation Chapter 22 Higher-order representation predicates for trees p Mtreeof R T match T with Leaf ñ rp nulls Node X T 1 T 2 ñ Dxp 1 p 2. p ÞÑ t item=x; left=p 1 ; right=p 2 u x R X p 1 Mtreeof R T 1 p 2 Mtreeof R T 2 37 / / 72 Binary tree: representation, revisited Trees with list of subtrees: implementation Representation predicate for tree cells: p Nodeof R 1 V 1 R 2 V 2 R 3 V 3 Dv 1 v 2 v 3. p ÞÑ t item=v 1 ; left=v 2 ; right=v 3 u v 1 R 1 V 1 v 2 R 2 V 2 v 3 R 3 V 3 p Mtreeof R T match T with Leaf ñ rp nulls Node X T 1 T 2 ñ p Nodeof R X pmtreeof Rq T 1 pmtreeof Rq T 2 type a node = { mutable item : a; mutable children : ( a node) cell } Inductive tree (A:Type) : Type := Leaf : tree A Node : A Ñ list (tree A) Ñ tree A. 39 / / 72

11 Trees with list of subtrees: specification Trees with list of subtrees: representation of nodes p Nodeof R 1 V 1 R 2 V 2 Dv 1 v 2. p ÞÑ t item=v 1 ; children=v 2 u v 1 R 1 V 1 v 2 R 2 V 2 p Narytreeof R T match T with Leaf ñ rp nulls Node X L ñ Dxc. p ÞÑ t item=x; children=c u x R X c Mlistof pnarytreeof Rq L p Narytreeof R T match T with Leaf ñ rp nulls Node X L ñ Dxc. p ÞÑ t item=x; children=c u x R X c Mlistof pnarytreeof Rq L 41 / / 72 Trees with list of subtrees, revisited Exercises Exercise: rewrite the specification of Narytreeof using Nodeof. p Narytreeof R T match T with Leaf ñ rp nulls Node X L ñ p Nodeof R X pmlistof pnarytreeof Rqq L Exam from 2015, Exercise 2: Bootstrapped chunked bags. Available from the webpage of the course. 43 / / 72

12 Iteration on lists Chapter 23 Iteration with higher-order representation predicates ti ku pf xq tλ. I pk&xqu ñ ti nilu piter f lq tλ. I pli. `@xk. ti ku pf xq tλ. I pk&xqu ñ tp Mlist l I nilu pmiter f pq tλ. p Mlist l I 1. `@xkk 1. tj 1 k k 1 u pf xq tλx 1. J pk&xq pk 1 &x 1 qu ñ tp Mlist l J 1 nil nilu pmmap f lq tλl 1. p Mlist l J 1 l l 1 u Challenge: ñ `@x... t...u pf xq tλ....u tp Mlistof R L...u pmiter f pq tλ. p......u 45 / / 72 Iterating over a mutable list of mutable items Exercise: specify the function miter, using an invariant of the form J K K 1, describing the state before and the state after the prlj. `@xxkk 1. tx R X J K K 1 u pf xq tλ. DX 1. x R X 1 J pk&xq pk 1 &X 1 qu ñ tp Mlistof R L J nil nilu pmiter f pq tλ. DL 1. p Mlistof R L 1 J L L 1 u Incrementing a mutable list of distinct references (1/2) let incr_all p = miter (fun x -> incr x) p let example_p = { hd = ref 5; tl = { hd = ref 3; tl = null } } x Ref X x ÞÑ X Exercise: using the representation predicates Ref and Mlistof, specify the function (fun x -> incr x) and incr_all. tx Ref Xu pincr xq tλ. x Ref px ` 1qu tp Mlistof Ref Lu pincr_all pq tλ. p Mlistof Ref pmap p`1q Lqu 47 / / 72

13 Incrementing a mutable list of distinct references prlj. ñ `@xxkk 1. tx R X J K K 1 u pf xq tλ. DX 1. x R X 1 J pk&xq pk 1 &X 1 qu tp Mlistof R L J nil nilu pmiter f pq tλ. DL 1. p Mlistof R L 1 J L L 1 u Chapter 24 Resource analysis in Separation Logic Consider: J K K 1 rk 1 map p`1q Ks Derives: `@xx. tx Ref Xu pfun x -> incr xq tλ. x Ref px ` 1qu ñ tp Mlistof Ref Lu pincr_all pq tλ. p Mlistof Ref pmap p`1q Lqu 49 / / 72 Controlling deallocation File handle protocols (1) Remove the garbage collection rule: thu t tq GCu gc-post thu t tqu (2) Add a free function for explicit deallocation: tr ÞÑ vu pfree rq tλ. r su (3) Theorem: for a full program execution starting in the empty heap, all the data still allocated at the end is described in the post-condition. (4) Corollary: terminating on the empty heap ensures no memory leaks. Goal: ensure that if a file is open then it is eventually closed. f File L where pf : locq denotes the file handler, and pl : list charq denotes the remaining bytes to read. tr su pfopen sq tλf. DL. f File Lu tf File pc :: Lqu pfread fq tλx. rx cs f File Lu tf File Lu pfclose fq tλ. r su tr su t tλn. rp nsu 51 / / 72

14 Complexity analysis Time credits in pre-conditions Time credits: Properties: $ x : Hprop where x P R` $px ` yq $ x $ y and $ 0 r s Constant-time: tt Array M $ cu parray.length tq tλn. rn M s t Array Mu Linear-time: Principle: The execution of every instruction costs $1. Simplification: Entering the body of a function or a loop costs $1. t$pc 1 n ` c 2 qu parray.make n vq tλt. DL. t Array L r...su Superlinear-time: tt Array L $pc 1 L log L ` c 2 qu parray.sort tq tλt. DL 1. t Array L 1 r...su 53 / / 72 Amortized analysis Stack of unbounded size with amortized constant-time operations: t$ cu pstack.create()q tλ. s Stack nilu ts Stack L $ cu pstack.push s xq tλ. s Stack px :: Lqu ts Stack px :: Lq $ cu pstack.pop sq tλy. ry xs s Stack Lu Representation predicate with a potential function: Chapter 25 Read-only permissions s Stack L DntMk. s ÞÑ t size=n; data=t u t Array M rn L ď M 2 k s r@i P r0, nq. Mris Lriss $pc 1 abspn M {2qq 55 / / 72

15 Motivation for read-only permissions Fractional permissions What we currently need to write: ta 1 Array L 1 a 2 Array L 2 u pconcat a 1 a 2 q tλa 3. a 3 Array pl 1``L 2 q a 1 Array L 1 a 2 Array L 2 u What we wish to write: ro ro ta 1 Array L 1 a 2 Array L 2 u pconcat a 1 a 2 q tλa 3. a 3 Array pl 1``L 2 qu More than syntactic sugar: we wish ro to enforce no write operations, we wish to allow aliasing of read-only arguments. Splitting and merging: More generally: Operations: pr α ÞÑ vq with 0 ă α ď 1 pr ÞÑ vq pr 1 ÞÑ vq pr 1{2 ÞÑ vq pr 1{2 ÞÑ vq pr α`β ÞÑ vq pr α ÞÑ vq pr β ÞÑ vq with 0 ă α, β ď tr su pref vq tλr. r 1 ÞÑ vu tr 1 ÞÑ v 1 u pr := vq tλ. r 1 ÞÑ vu tr α ÞÑ vu p!rq tλx. rx vs pr α ÞÑ vqu 57 / / 72 Fractional permissions in practice Generic read-only modifier Extension of the logic with a modifier ROpHq that applies to any ta 1 α Array L1 a 2 β Array L2 u pconcat a 1 a 2 q tλa 3. a 1 α Array L1 a 2 β Array L2 a 3 1 Array pl1``l 2 qu Limitations: need to quantify fractions explicitly, need to syntactic sugar to avoid copy-pasting, need to re-establish post-conditions, a fraction 1 2H cannot be defined for arbitrary H. a ro Array L ROpa Array Lq ROpHq is duplicatable and never mentioned in post-conditions. ROpHq Ź ROpHq ROpHq dup-ro tropl ÞÑ vqu pget lq tλx. rx vsu get-ro 59 / / 72

16 Read-only frame rule Read-only sequencing rule ROpHq is introduced on frame: thu t 1 tq 1 u tq 1 pqu t 2 tqu thu pt 1 ; t 2 q tqu seq th ROpH 1 qu t tqu no-ro-in H 1 th H 1 u t tq H 1 u frame-ro th ROpH 1 qu t 1 tq 1 u tq 1 pq ROpH 1 qu t 2 tqu th ROpH 1 qu pt 1 ; t 2 q tqu seq-ro thu t 1 tq 1 u tq 1 pq H 1 u t 2 tqu th H 1 u pt 1 ; t 2 q tqu seq-frame 61 / / 72 RO in practice tropa 1 Array L 1 q ROpa 2 Array L 2 qu pconcat a 1 a 2 q tλa 3. a 3 Array pl 1``L 2 qu Chapter 26 Parallelism and Concurrency 63 / / 72

17 Parallel pairs Efficient use of parallel pairs with granularity control A parallel pair, written p t 1, t 2 q, for evaluating two subterms in parallel. Computing: aris ` ari ` 1s `... ` arj 1s. let rec sum a i j = if j - i = 1 then a.(i) else begin let m = (i+j) / 2 in let (s1,s2) = ( sum a i m, sum a m j ) in s1 + s2 end let rec sum a i j = if j - i < sequential_cutoff then begin let r = ref 0 in for k = i to j-1 do r :=!r + a.(k) done;!r end else begin let m = (i+j) / 2 in let (s1,s2) = ( sum a i m, sum a m j ) in s1 + s2 end Generalizable to map-reduce: fptr0sq fpar1sq... fparn 1sq. 65 / / 72 Reasoning rule for parallel pairs Parallel rule needs read-only permissions th 1 u t 1 tq 1 u th 2 u t 2 tq 2 u th 1 H 2 u p t 1, t 2 q tq 1 Q 2 u parallel th 1 u t 1 tq 1 u th 2 u t 2 tq 2 u th 1 H 2 u p t 1, t 2 q tq 1 Q 2 u parallel Compute: urar0ss ` urar1ss `... ` urarn 1ss. where Q 1 Q 2 λpx 1, x 2 q. Q 1 x 1 Q 2 x 2 This rule restricts parallel threads to act on disjoint parts of memory. map_reduce (fun x -> u.(x)) 0 (+) 0 n The ownership of the array u is needed in both branches. th 1 ROpH 3 qu t 1 tq 1 u th 2 ROpH 3 qu t 2 tq 2 u th 1 H 2 ROpH 3 qu p t 1, t 2 q tq 1 Q 2 u parallel-ro 67 / / 72

18 Concurrent locks: example Concurrent locks: specification of operations let r = ref 0 let s = ref n let p = create_lock() let concurrent_step () = let () = acquire_lock p in incr r; decr s; release_lock p Heap predicate p Lock H asserts that lock p protects an invariant H. Here: p Lock pdi. pr ÞÑ iq ps ÞÑ n iqq Duplicatable representation predicate: p ro Lock H thu pcreate_lock ()q tλp. p ro Lock tp ro Lock Hu pacquire_lock pq tλ. th p ro Lock Hu prelease_lock pq tλ. r su 69 / / 72 Concurrent locks: exercise Describe the state at the front of each lines (except 5 and 6). Explicit the instantiation of the existential in the invariant. 1 let r = ref 0 2 let s = ref n 3 let p = create_lock() 4 5 let concurrent_step () = 6 let () = acquire_lock p in 7 incr r; 8 decr s; 9 release_lock p 1: rs. 2: r ÞÑ 0. 3: r ÞÑ 0 s ÞÑ n. 4: p ro Lock pdi. pr ÞÑ iq ps ÞÑ n iqq. 7: pr ÞÑ iq ps ÞÑ n iq. 8: pr ÞÑ i ` 1q ps ÞÑ n iq. 9: pr ÞÑ i ` 1q ps ÞÑ n i 1q. Instantiate the invariant with i ` 1. Conclusion Program verification using Separation Logic gives you: Expressiveness: tree-shaped structures, and structures with sharing Expressiveness: effectful, first-class functions, with local state Modularity: most-general specifications Modularity: composable representation predicates Abstraction: existential quantification of intermediate pointers Abstraction: existential quantification of invariants Practice: formalization in Coq of all heap predicates Practice: characteristic formulae for reasoning rules 71 / / 72

Focus rules for segments. Focus and defocus rules for concatenation. Mlength with a while loop. Mlength with a while loop.

Focus rules for segments. Focus and defocus rules for concatenation. Mlength with a while loop. Mlength with a while loop. The function nth-cell Separation Logic Part 2 Returns the i-th cell of a list: Arthur Charguéraud February 2015 let rec nth_cell (i:int) (p: a cell) = if i = 0 then p else nth_cell (i-1) (p.tl) Why is