Relational Parametricity and Separation Logic. Hongseok Yang, Queen Mary, Univ. of London Lars Birkedal, IT Univ. of Copenhagen

Size: px

Start display at page:

Download "Relational Parametricity and Separation Logic. Hongseok Yang, Queen Mary, Univ. of London Lars Birkedal, IT Univ. of Copenhagen"

Godfrey Rodgers
5 years ago
Views:

1 Relational Parametricity and Separation Logic Hongseok Yang, Queen Mary, Univ. of London Lars Birkedal, IT Univ. of Copenhagen

2 Challenge Develop a theory of data abstraction for pointer programs. When are two modules equivalent in the presence of pointers?

3 Message Focus on good clients of modules. Provability in sep. logic is a good candidate for deciding good clients.

4 Module Buffer1 *b=*p; free(p); b put(p) 5 get()

5 Module Buffer1 *b=*p; free(p); b put(p) 5 get()

6 Module Buffer1 *b=*p; free(p); b put(p) 5 get() 5

7 Module Buffer1 *b=*p; free(p); b put(p) 5 get()

8 Module Buffer1 *b=*p; free(p); b 5 put(p) get() 9

9 Module Buffer1 *b=*p; free(p); b 5 9 put(p) get()

10 Module Buffer1 *b=*p; free(p); b 9 9 put(p) get()

11 Module Buffer1 *b=*p; free(p); b 9 9 put(p) get()

12 Module Buffer1 *b=*p; free(p); Module Buffer2 free(b); b=p; b 9 put(p) get()

13 Module Buffer1 *b=*p; free(p); Module Buffer2 free(b); b=p; b 9 put(p) get() 3

14 Module Buffer1 *b=*p; free(p); Module Buffer2 free(b); b=p; b 9 3 put(p) get()

15 Module Buffer1 *b=*p; free(p); Module Buffer2 free(b); b=p; b 5 3 put(p) get()

16 Module Buffer1 *b=*p; free(p); Module Buffer2 free(b); b=p; b 5 3 put(p) get()

17 Module Buffer1 *b=*p; free(p); Module Buffer2 free(b); b=p; b 3 put(p) get()

18 Module Buffer1 *b=*p; free(p); Module Buffer2 free(b); b=p; Client Program { emp p=malloc(); *p=5; { p - put(p); { emp n = read(); { emp *p=3; {??? b 3 put(p) get()

19 Module Buffer1 Module Buffer2 Interface Spec *b=*p; free(p); {p -put(p){emp {empget(){emp free(b); b=p; Client Program { emp p=malloc(); *p=5; { p - put(p); { emp n = read(); { emp *p=3; {??? b 3 put(p) get()

20 Module Buffer1 Module Buffer2 Interface Spec *b=*p; free(p); {p -put(p){emp {empget(){emp free(b); b=p; Client Program { emp p=malloc(); *p=5; { p - put(p); { emp n = read(); { emp *p=3; {??? b 3 put(p) get()

21 Module Buffer1 Module Buffer2 Interface Spec *b=*p; free(p); {p -put(p){emp {empget(){emp free(b); b=p; Client Program { emp p=malloc(); *p=5; { p - put(p); { emp n = read(); { emp *p=3; {??? b 3 put(p) get()

22 Module Buffer1 Module Buffer2 Interface Spec *b=*p; free(p); {p -put(p){emp {empget(){emp free(b); b=p; Client Program { emp p=malloc(); *p=5; { p - put(p); { emp n = read(); { emp *p=3; {??? b 3 put(p) get()

23 Module Buffer1 Module Buffer2 Interface Spec *b=*p; free(p); {p -put(p){emp {empget(){emp free(b); b=p; Client Program { emp p=malloc(); *p=5; { p - put(p); { emp n = read(); { emp *p=3; {??? b 3 put(p) get()

24 Module Buffer1 Module Buffer2 Interface Spec *b=*p; free(p); {p -put(p){emp {empget(){emp free(b); b=p; Client Program { emp p=malloc(); *p=5; { p - put(p); { emp n = read(); { emp *p=3; {??? b 3 put(p) get()

25 Main Result Informally Buffer1 and Buffer2 are observationally equivalent, if we consider only provable clients C in sep. logic: for some P and Q, Γ SL ( {p put(p){emp {empget(){emp ) {P C{Q

26 Main Result Informally Buffer1 and Buffer2 are observationally equivalent, if we consider only provable clients C in sep. logic: for some P and Q, Γ SL ( {p put(p){emp {empget(){emp ) {P C{Q

27 Main Result Informally Buffer1 and Buffer2 are observationally equivalent, if we consider only provable clients C in sep. logic: for some P and Q, Γ SL ( {p put(p){emp {empget(){emp ) {P C{Q

28 Main Result Informally Buffer1 and Buffer2 are observationally equivalent, if we consider only provable clients C in sep. logic: for some P and Q, Γ SL ( {p put(p){emp {empget(){emp ) {P C{Q

29 Main Result Informally Buffer1 and Buffer2 are observationally equivalent, if we consider only provable clients C in sep. logic: for some P and Q, Γ SL ( {p put(p){emp {empget(){emp ) {P C{Q Client Program { emp p=malloc(); *p=5; { p - put(p); { emp n = read(); { emp *p=3; {???

30 Main Result Informally Buffer1 and Buffer2 are observationally equivalent, if we consider only provable clients C in sep. logic: for some P and Q, Γ SL ( {p put(p){emp {empget(){emp ) {P C{Q

31 Main Result Informally Buffer1 and Buffer2 are observationally equivalent, if we consider only provable clients C in sep. logic: for some P and Q, Γ SL ( {p put(p){emp {empget(){emp ) {P C{Q for all r, put 1 (p) C[put 1, get 1 ] if eq [p ] r eq [emp ] r..., then eq [P ] r eq [Q ] r put 2 (p) C[put 2, get 2 ]

By Relational Main Result Semantics Informally of Specifications in Sep. Logic Buffer1 and Buffer2 are observationally equivalent, if we consider only provable clients C in sep.

32 By Relational Main Result Semantics Informally of Specifications in Sep. Logic Buffer1 and Buffer2 are observationally equivalent, if we consider only provable clients C in sep. logic: for some P and Q, Γ SL ( {p put(p){emp {empget(){emp ) {P C{Q for all r, put 1 (p) C[put 1, get 1 ] if eq [p ] r eq [emp ] r..., then eq [P ] r eq [Q ] r put 2 (p) C[put 2, get 2 ]

33 Sample Specification k : com {l k{emp {P C{Q

34 Syntax k : com {l k{emp {P C{Q Commands. (e.g. free(x), *x=y.)

35 Syntax k : com {l k{emp {P C{Q Commands. (e.g. free(x), *x=y.) Assertions. (e.g. emp, l -.)

36 Syntax k : com {l k{emp {P C{Q Commands. (e.g. free(x), *x=y.) Assertions. (e.g. emp, l -.) Specifications. (e.g. {l -k{emp, {empc{emp.)

37 Semantics of Commands and Assertions k : com {l k{emp {P C{Q Heaps [[com]] [[assert]] def = Locations fin Values def = Heaps local (Heaps {fault) def = P(Heaps)

38 Relational Semantics of Specifications k : com {l k{emp {P C{Q η 1, η 2, r = ϕ

39 Relational Semantics of Specifications k : com {l k{emp {P C{Q Environments E.g. [k [[free(l)]]] η 1, η 2, r = ϕ

40 Relational Semantics of Specifications k : com {l k{emp {P C{Q Environments E.g. [k [[free(l)]]] η 1, η 2, r = ϕ Relations on Heaps E.g. h 1 [eq H ]h 2 iff h 1 = h 2 h 2 q h 1 [allocemp l ]h 2 iff v. h 1 =[l v] h 2 =[]

41 Semantics of Hoare Triples k : com {l k{emp {P C{Q η 1, η 2, r = {P C{Q iff ] [[C]] η1 [eq [P ] r eq [Q ] r [[C]] η2

42 Semantics of Hoare Triples Separating Conj. for Relations: h 1 [r 1 r 2 ]h 2 k : com {l k{emp {P C{Q η 1, η 2, r = {P C{Q iff ] [[C]] η1 [eq [P ] r eq [Q ] r [[C]] η2 holds iff h 1 = n 1 m 1 h 2 = n 2 m 2 n 1 [r 1 ]m 1 n 2 [r 2 ]m 2

43 Semantics of Hoare Triples Separating Conj. for Relations: h 1 [r 1 r 2 ]h 2 k : com {l k{emp {P C{Q η 1, η 2, r = {P C{Q iff ] [[C]] η1 [eq [P ] r eq [Q ] r [[C]] η2 holds iff h 1 = n 1 m 1 h 2 = n 2 m 2 n 1 [r 1 ]m 1 n 2 [r 2 ]m 2 h1 = n1!m1 eq [P ] r h2 = n2!m2

44 Semantics of Hoare Triples Separating Conj. for Relations: h 1 [r 1 r 2 ]h 2 k : com {l k{emp {P C{Q η 1, η 2, r = {P C{Q iff ] [[C]] η1 [eq [P ] r eq [Q ] r [[C]] η2 holds iff h 1 = n 1 m 1 h 2 = n 2 m 2 n 1 [r 1 ]m 1 n 2 [r 2 ]m 2 h1 = n1!m1 eq [P ] r h2 = n2!m2 [[C]] η1 [[C]] η2

45 Semantics of Hoare Triples Separating Conj. for Relations: h 1 [r 1 r 2 ]h 2 k : com {l k{emp {P C{Q η 1, η 2, r = {P C{Q iff ] [[C]] η1 [eq [P ] r eq [Q ] r [[C]] η2 holds iff h 1 = n 1 m 1 h 2 = n 2 m 2 n 1 [r 1 ]m 1 n 2 [r 2 ]m 2 h1 = n1!m1 eq [P ] r h2 = n2!m2 [[C]] η1 [[C]] η2 h'1 = n'1!m'1 eq [Q ] r h'2 = n'2!m'2

46 Semantics of Hoare Triples Separating Conj. for Relations: [k [[ l = 0]]], [k [[skip]]], allocemp l h 1 [r 1 r 2 ]h 2 k : com {l k{emp {P C{Q η 1, η 2, r = {P C{Q iff ] [[C]] η1 [eq [P ] r eq [Q ] r [[C]] η2 holds iff = {empk{emp η 1, η 2, eq [emp ] = {empdispose(l){emp h 1 = n 1 m 1 h 2 = n 2 m 2 n 1 [r 1 ]m 1 n 2 [r 2 ]m 2 [] [l v] eq [emp ] allocemp l [] []

47 Semantics of Hoare Triples Separating Conj. for Relations: [k [[ l = 0]]], [k [[skip]]], allocemp l h 1 [r 1 r 2 ]h 2 k : com {l k{emp {P C{Q η 1, η 2, r = {P C{Q iff ] [[C]] η1 [eq [P ] r eq [Q ] r [[C]] η2 holds iff = {empk{emp η 1, η 2, eq [emp ] = {empdispose(l){emp h 1 = n 1 m 1 h 2 = n 2 m 2 n 1 [r 1 ]m 1 n 2 [r 2 ]m 2 [] [l v] [[k]] η1 = [[ l = 0]] eq [emp ] allocemp l [] [] [[k]] η2 = [[skip]]

48 Semantics of Hoare Triples Separating Conj. for Relations: [k [[ l = 0]]], [k [[skip]]], allocemp l h 1 [r 1 r 2 ]h 2 k : com {l k{emp {P C{Q η 1, η 2, r = {P C{Q iff ] [[C]] η1 [eq [P ] r eq [Q ] r [[C]] η2 holds iff = {empk{emp η 1, η 2, eq [emp ] = {empdispose(l){emp h 1 = n 1 m 1 h 2 = n 2 m 2 n 1 [r 1 ]m 1 n 2 [r 2 ]m 2 [] [l v] [[k]] η1 = [[ l = 0]] [] [l 0] eq [emp ] [] [] allocemp l [[k]] η2 = [[skip]] eq [emp ] [] [] allocemp l

49 Semantics of Hoare Triples Separating Conj. for Relations: h 1 [r 1 r 2 ]h 2 k : com {l k{emp {P C{Q η 1, η 2, r = {P C{Q iff ] [[C]] η1 [eq [P ] r eq [Q ] r [[C]] η2 holds iff η 1, η 2, eq [emp ] = {l dispose(l){emp {empdispose(l){emp h 1 = n 1 m 1 h 2 = n 2 m 2 n 1 [r 1 ]m 1 n 2 [r 2 ]m 2 [l 0] [] eq [l ] eq [emp ] [l 0] []

50 Semantics of Hoare Triples Separating Conj. for Relations: h 1 [r 1 r 2 ]h 2 k : com {l k{emp {P C{Q η 1, η 2, r = {P C{Q iff ] [[C]] η1 [eq [P ] r eq [Q ] r [[C]] η2 holds iff η 1, η 2, eq [emp ] = {l dispose(l){emp {empdispose(l){emp h 1 = n 1 m 1 h 2 = n 2 m 2 n 1 [r 1 ]m 1 n 2 [r 2 ]m 2 [l 0] [] [[dispose(l)]] η1 eq [l ] [l 0] [] eq [emp ] [[dispose(l)]] η2

51 Semantics of Hoare Triples Separating Conj. for Relations: h 1 [r 1 r 2 ]h 2 k : com {l k{emp {P C{Q η 1, η 2, r = {P C{Q iff ] [[C]] η1 [eq [P ] r eq [Q ] r [[C]] η2 holds iff η 1, η 2, eq [emp ] = {l dispose(l){emp {empdispose(l){emp h 1 = n 1 m 1 h 2 = n 2 m 2 n 1 [r 1 ]m 1 n 2 [r 2 ]m 2 [l 0] [] [[dispose(l)]] η1 [] [] eq [l ] eq [emp ] eq [emp ] eq [emp ] [l 0] [] [[dispose(l)]] η2 [] []

52 Semantics of Hoare Triples Separating Conj. for Relations: h 1 [r 1 r 2 ]h 2 k : com {l k{emp {P C{Q η 1, η 2, r = {P C{Q iff ] [[C]] η1 [eq [P ] r eq [Q ] r [[C]] η2 holds iff η 1, η 2, eq [emp ] = {l dispose(l){emp {empdispose(l){emp h 1 = n 1 m 1 h 2 = n 2 m 2 n 1 [r 1 ]m 1 n 2 [r 2 ]m 2 Lemma: Suppose C does not call functions. = usual {P C{Q if and only if = new {P C{Q [l 0] [] [[dispose(l)]] η1 [] [] eq [l ] eq [emp ] eq [emp ] eq [emp ] [l 0] [] [[dispose(l)]] η2 [] []

53 Semantics of Implications k : com {l k{emp {P C{Q η 1, η 2, r = ϕ ψ iff r. if (η 1, η 2, r r = ϕ), then (η 1, η 2, r r = ψ)

54 Semantics of Implications k : com {l k{emp {P C{Q η 1, η 2, r = ϕ ψ iff r. if (η 1, η 2, r r = ϕ), then (η 1, η 2, r r = ψ) Kripke Semantics of Intuit. Logic. Worlds: Relations r on Heaps Accessibility Relation: r r r 0. r r 0 = r.

55 Relational Semantics of Specifications k : com {l k{emp {P C{Q

56 Relational Semantics of Specifications k : com {l k{emp {P C{Q η 1, η 2, eq [emp ] = {l k{emp {P C{Q

57 Relational Semantics of Specifications k : com {l k{emp {P C{Q η 1, η 2, eq [emp ] = {l k{emp {P C{Q r. if (η 1, η 2, r = {l k{emp), then (η 1, η 2, r = {P C{Q).

58 Relational Semantics of Specifications k : com {l k{emp {P C{Q η 1, η 2, eq [emp ] = {l k{emp {P C{Q r. if (η 1, η 2, r = {l k{emp), then (η 1, η 2, r = {P C{Q). r. if η 1 (k)[eq a r eq b r]η 2 (k), then [[C]] η1 [eq p r eq q r][c]] η2 (where a = [[l ]], b = [[emp]], p = [[P ]], and q = [[Q]])

59 Semantics of Triples [[com]] def = Heaps local (Heaps {fault) η 1, η 2, r = {P C{Q iff r. [[C]] η1 [ eq [P ] r r eq [Q ] r r ] [[C]] η2

60 Semantics of Triples [[com]] def = Heaps local (Heaps {fault) η 1, η 2, r = {P C{Q iff r. [[C]] η1 [ eq [P ] r r eq [Q ] r r ] [[C]] η2

61 Semantics of Triples [[com]] def = Heaps local (Heaps {fault) η 1, η 2, r = {P C{Q iff r. [[C]] η1 [ eq [P ] r r eq [Q ] r r ] [[C]] η2

62 Semantics of Triples [[com]] def = Heaps local (Heaps {fault) η 1, η 2, r = {P C{Q iff r. [[C]] η1 [ eq [P ] r r eq [Q ] r r ] [[C]] η2 [Lemma] Supp. C does not call fns. If = new {P C{Q, [[C]] satisfies the locality cond. restricted to [[P true]]. [Frame Property] h [[P true]] [[C]](h) = h 1 = [[C]](h h 9 ) = h 1 h 9

63 [Frame Property when set quantification is used] Semantics of Triples h [[P true]] [[C]](h) = h 1 = h 2 [[Q]]. [[C]](h h 9 ) = h 2 h 9 [[com]] def = Heaps local (Heaps {fault) η 1 η,, ηq 2, r = = {P {P C{Q iff [ ] r q. 0.[[C]] [[C]] η1 eq [P ] r r eq [Q ] r r η ([[P ]] q 0 q) [[C]] η ([[Q]] q 0 [[C]] q) η2 [Lemma] Supp. C does not call fns. If = new {P C{Q, [[C]] satisfies the locality cond. restricted to [[P true]]. [Frame Property] h [[P true]] [[C]](h) = h 1 = [[C]](h h 9 ) = h 1 h 9

64 Semantics in the Paper Uses FM-domain theory and biorthogonality to deal with memory allocation.

65 Theory of Data Abstraction for Pointer Programs Focus on good clients. Provability in sep. logic is a good candidate for deciding good clients.

66 Relational Kripke Reading of Logic Can reveal that proofs in a logic says more than what are intended.

Program Verification using Separation Logic Lecture 0 : Course Introduction and Assertion Language. Hongseok Yang (Queen Mary, Univ.

Program Verification using Separation Logic Lecture 0 : Course Introduction and Assertion Language Hongseok Yang (Queen Mary, Univ. of London) Dream Automatically verify the memory safety of systems software,