Separation Logic and Graphical Models

Transcription

1 Separation Logic and Graphical Models John Wickerson and Tony Hoare Semantics Lunch, 25th October

2 Trace composition Problem: Composition is non-deterministic. 2

3 Trace composition Problem: Composition is non-deterministic. 3

4 Trace composition Problem: Composition is non-deterministic. 4

5 Trace composition Problem: Composition is non-deterministic. 5

6 Trace composition Problem: Composition is non-deterministic. 6

7 Trace composition Problem: Composition is non-deterministic. Fix: Give nodes and arrows unique identities. 3 b c e

8 Trace composition Problem: Composition is non-deterministic. Fix: Give nodes and arrows unique identities. 3 b e c 1 7 8

9 Trace representation A trace is a 6-tuple: set of nodes, set of arrows, node labelling, N P fin (Node) A Pfin(Arrow) NL N NodeLabel arrow labelling, AL A ArrowLabel head map, tail map, H A N T A N We require that dom(h) dom(t )=A and we forbid cycles 9

10 Trace representation A trace is a 6-tuple: set of nodes, N = {e} set of arrows, A = {4, 6, 8, 13} node labelling, NL = {e } arrow labelling, AL = {4, 6, 8, 13 } head map, H = {6 e, 8 e} tail map, T = {4 e, 13 e} 6 e

11 Trace disjointness Composition is defined iff the operands are disjoint, which means: 1. there are no common nodes 2. any common arrows have the same label 3. any common arrows can be connected (i.e. dangle out of one trace and into the other) 4. composition would not introduce a cycle 11

12 Trace composition t 1 t 2 = if t 1 and t 2 are disjoint then let (N 1,A 1,NL 1, AL 1,H 1,T 1 )=t 1 and (N 2,A 2,NL 2, AL 2,H 2,T 2 )=t 2 in (N 1 N 2,A 1 A 2,NL 1 NL 2, AL 1 AL 2,H 1 H 2,T 1 T 2 ) else undefined 12

13 Quiz (1 of 4) b e c

14 Quiz (1 of 4) b e c

15 Quiz (2 of 4) b e e

16 Quiz (2 of 4) b e e

17 Quiz (2 of 4) b e e

18 Quiz (3 of 4) b e c

19 Quiz (3 of 4) b e c

20 Quiz (3 of 4) b e c

21 Quiz (4 of 4) b e c

22 Quiz (4 of 4) b c e

23 Properties of composition The composition operator: is a partial binary operator of type Trace Trace Trace is commutative and associative has unit u = (,,,,, ) is cancellative (that is: if t1 t3 and t2 t3 are defined and equal, then t1 = t2) So... (Trace,, u) is a separation algebra 23

24 Models of separation logic Heap model: (Heap,, u) where a heap is a partial mapping from memory addresses to values, composes heaps that have disjoint domains, and u is the empty heap Trace model: (Trace,, u) where composes disjoint traces, and u is the empty trace There are several others. 24

25 The operator We lift to sets: P Q def = {t t 1 P. t 2 Q. t = t 1 t 2 } 25

26 in pictures 26

27 in pictures = 27

28 The operator We lift to sets: P Q def = {t t 1 P. t 2 Q. t = t 1 t 2 } In the heap model, P and Q are sets of heaps; i.e., assertions about the heap. In our model, P and Q are sets of traces; i.e., programs. 28

29 Denotational semantics of an imperative language with concurrency 29

30 Command language C ::= acq(l) acquiring a lock rel(l) releasing a lock lock l in C lock declaration read(x, v) reading a specific value write(x, v) writing a specific value var x in C variable declaration skip empty command Σi I.C i non-deterministic choice C non-deterministic looping C ; C sequential composition C ll C parallel composition 30

31 Meaning of commands C :Γ Γ P(Trace) where Γ is a set of control arrow identifiers C (γ,γ )= a set of traces that have: one incoming control arrow, labelled (γ), and one outgoing control arrow, labelled (γ ) 31

32 Denotational semantics (1) acq l (γ,γ )= open(l) (γ) acq(l) closed(l) (γ ) rel l (γ,γ )= closed(l) (γ) rel(l) open(l) (γ ) 32

33 Denotational semantics (2) lock l in C (γ,γ )= new(l) open(l) C (γ,γ ) open(l) del(l) hide(l) new(l) acq(l) rel(l) acq(l) rel(l) del(l) 33

34 Denotational semantics (3) read(x, v) (γ,γ )= (γ) data(x,v) (γ ) read(x,v) write(x, v) (γ,γ )= (γ) (γ ) write(x,v) data(x,v) 34

35 Denotational semantics (4) var x in C (γ,γ )= new(x) data(x,0) C (γ,γ ) del(x) hide(x) triangle(x) 35

36 The triangle property triangle(x) holds for traces such as this one: new(x) write(x,2) data(x,2) read(x,2) write(x,4) del(x) data(x,4) read(x,4) data(x,4) read(x,4) 36

37 The triangle property triangle(x) holds for traces such as this one: new(x) write(x,2) data(x,2) read(x,2) write(x,4) del(x) data(x,4) read(x,4) data(x,4) read(x,4) 37

38 Denotational semantics (5) skip (γ,γ )= (γ) skip (γ ) Σi I.C i (γ,γ )= i I.C i (γ,γ ) 38

39 Denotational semantics (6) C 1 ; C 2 = C 1 ; C 2 where F ; G = λ(γ,γ ). γ / {γ,γ }. (F (γ,γ ) G(γ,γ )) hide(γ ) C (γ,γ )= k 0. C k (γ,γ ) where F 0 = skip and F k+1 = F ; F k 39

40 Example write(x, 5) ; read(x, 6) (γ,γ ) = γ / {γ,γ }. (γ) (γ ) (γ ) (γ ) hide(γ ) = (γ) (γ ) 40

41 Example var x in {write(x, 5) ; read(x, 6)} (γ,γ ) = new(x) data(x,0) (γ) (γ ) del(x) hide(x) triangle(x) = 41

42 Denotational semantics (7) C 1 ll C 2 (γ,γ )= {γ 1,γ 2,γ 3,γ 4 }#{γ,γ }. (γ) fork (γ1) (γ2) C 1 (γ 1,γ 3 ) C 2 (γ 2,γ 4 ) (γ3) join (γ ) (γ4) hide(γ 1,γ 2,γ 3,γ 4 ) 42

43 Future directions 43

44 A model of weak memory? new(x) write(x,2) data(x,2) read(x,2) write(x,4) del(x) data(x,4) read(x,4) data(x,4) read(x,4) 44

45 A model of weak memory? new(x) write(x,2) data(x,2) read(x,2) write(x,4) del(x) data(x,4) read(x,4) data(x,4) read(x,4) 45

46 A model of processes? c!5 data(c,5) c?5 data(c,5) = c!5 data(c,5) c?5 data(c,5) c!5 data(c,5) c?5 46

47 The End 47