Iris: Higher-Order Concurrent Separation Logic. Lecture 4: Basic Separation Logic: Proving Pointer Programs

Similar documents
Iris: Higher-Order Concurrent Separation Logic. Lecture 9: Concurrency Intro and Invariants

Iris: Higher-Order Concurrent Separation Logic. Lecture 6: Case Study: foldr

Hoare Examples & Proof Theory. COS 441 Slides 11

A Short Introduction to Hoare Logic

CSE 505, Fall 2005, Midterm Examination 8 November Please do not turn the page until everyone is ready.

FORMALIZING CONCURRENT STACKS WITH HELPING: A CASE STUDY IN IRIS

GOTO the past / programs choose their own adventure. CSE 505: Programming Languages

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

CS 4110 Programming Languages & Logics. Lecture 16 Programming in the λ-calculus

A Logical Relation for Monadic Encapsulation of State

CIS (More Propositional Calculus - 6 points)

Program Verification Using Separation Logic

Propositional Definite Clause Logic: Syntax, Semantics and Bottom-up Proofs

Introduction to Logic in Computer Science: Autumn 2006

Soundness Theorem for System AS1

COMP6463: λ-calculus

Hoare Logic: Reasoning About Imperative Programs

Lecture Overview. 2 Weak Induction

Program verification using Hoare Logic¹

Barrier Proof. 1 Code and spec. April 21, 2016

Floyd-Hoare Style Program Verification

Lecture Notes on Call-by-Value and Call-by-Name

Homework 5: Parallelism and Control Flow : Types and Programming Languages Fall 2015 TA: Evan Cavallo

Step-Indexed Biorthogonality: a Tutorial Example

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and

ITI Introduction to Computing II

Learning Goals of CS245 Logic and Computation

CSE 505, Fall 2009, Midterm Examination 5 November Please do not turn the page until everyone is ready.

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Theories of Programming Languages Assignment 5

Automata-Theoretic Model Checking of Reactive Systems

Lecture 2: Axiomatic semantics

Proof Rules for Correctness Triples

Outline. 1 Introduction. 3 Quicksort. 4 Analysis. 5 References. Idea. 1 Choose an element x and reorder the array as follows:

Coinductive big-step semantics and Hoare logics for nontermination

Derivatives in 2D. Outline. James K. Peterson. November 9, Derivatives in 2D! Chain Rule

CSC236H Lecture 2. Ilir Dema. September 19, 2018

1 Overview. 2 Extreme Points. AM 221: Advanced Optimization Spring 2016

Functional Programming with F# Overview and Basic Concepts

Reasoning About Imperative Programs. COS 441 Slides 10b

In case (1) 1 = 0. Then using and from the previous lecture,

Type Systems Winter Semester 2006

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Programming Languages

Program verification. Hoare triples. Assertional semantics (cont) Example: Semantics of assignment. Assertional semantics of a program

First-Order Logic. 1 Syntax. Domain of Discourse. FO Vocabulary. Terms

Typing λ-terms. Types. Typed λ-terms. Base Types. The Typing Relation. Advanced Formal Methods. Lecture 3: Simply Typed Lambda calculus

Overview of Today s Lecture

Cylindrical Algebraic Decomposition in Coq

Lecture 5 : Proofs DRAFT

Relational Models and Program Logics: Logical Relations in Iris

LING 501, Fall 2004: Quantification

(Inv) Computing Invariant Factors Math 683L (Summer 2003)

Special Topics on Applied Mathematical Logic

CSE373: Data Structures and Algorithms Lecture 3: Math Review; Algorithm Analysis. Catie Baker Spring 2015

a. ~p : if p is T, then ~p is F, and vice versa

CS522 - Programming Language Semantics

Program Verification using Separation Logic Lecture 0 : Course Introduction and Assertion Language. Hongseok Yang (Queen Mary, Univ.

LING/C SC/PSYC 438/538. Lecture 17 Sandiway Fong

Induction and Recursion

Individuals and Relations

0.1 Random useful facts. 0.2 Language Definition

Finite Automata Theory and Formal Languages TMV027/DIT321 LP Recap: Logic, Sets, Relations, Functions

20.1 2SAT. CS125 Lecture 20 Fall 2016

ITI Introduction to Computing II

20D - Homework Assignment 4

E.g. The set RE of regular expressions is given by the following rules:

Warm-Up Problem. Let be a Predicate logic formula and a term. Using the fact that. (which can be proven by structural induction) show that 1/26

Introduction to Axiomatic Semantics

Turing machines and linear bounded automata

Inf2D 06: Logical Agents: Knowledge Bases and the Wumpus World

G54FOP: Lecture 17 & 18 Denotational Semantics and Domain Theory III & IV

Discrete Mathematics

6.001 Recitation 22: Streams

Operational Semantics

Finite Automata Theory and Formal Languages TMV027/DIT321 LP4 2018

Types and Programming Languages (15-814), Fall 2018 Assignment 4: Data Representation (Sample Solutions)

The Importance of Being Formal. Martin Henz. February 5, Propositional Logic

Introduction to Formal Proof. 5: Theories

A Relational Model of Types-and-Effects in Higher-Order Concurrent Separation Logic

Relational Parametricity and Separation Logic. Hongseok Yang, Queen Mary, Univ. of London Lars Birkedal, IT Univ. of Copenhagen

Realizability Semantics of Parametric Polymorphism, General References, and Recursive Types

CS156: The Calculus of Computation Zohar Manna Autumn 2008

First-order logic Syntax and semantics

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Logic I - Session 22. Meta-theory for predicate logic

System F. Proofs and Types. Bow-Yaw Wang. Academia Sinica. Spring 2012

Chapter 3: Propositional Calculus: Deductive Systems. September 19, 2008

Hoare Logic for Realistically Modelled Machine Code

Programming with Dependent Types in Coq

Quick Sort Notes , Spring 2010

COMP219: Artificial Intelligence. Lecture 19: Logic for KR

Nested Hoare Triples and Frame Rules for Higher-order Store

Lecture Notes on Programs with Arrays

STEP Support Programme. Pure STEP 1 Questions

Nonmonotone Inductive Definitions

Simply Typed Lambda-Calculi (II)

Computer Algorithms CISC4080 CIS, Fordham Univ. Outline. Last class. Instructor: X. Zhang Lecture 2

Computer Algorithms CISC4080 CIS, Fordham Univ. Instructor: X. Zhang Lecture 2

Transcription:

1 Iris: Higher-Order Concurrent Separation Logic Lecture 4: Basic Separation Logic: Proving Pointer Programs Lars Birkedal Aarhus University, Denmark November 10, 2017

2 Overview Earlier: Operational Semantics of λ ref,conc e, (h, e) (h, e ), and (h, E) (h, E ) Basic Logic of Resources l v, P Q, P Q, Γ P Q Basic Separation Logic: Hoare Triples Today: {P} e {v.q} : Prop Basic Separation Logic: Proving Pointer Programs Key Points Reasoning about mutable shared data structures by relating them to mathematical models islist l xs

Derivable Rules Last time we saw rules for basic language constructs (expressions that may reduce in one step) And the Bind rule for reasoning about more complex expressions. It is possible to derive other rules that can be used to simplify reasoning. Example Ht-Pre-Eq Γ S {P[v/x]} e[v/x] {u.q[v/x]} Γ, x : Val S {x = v P} e {u.q} This rule is derivable, which means that if we assume the antecedent (the formula above the line), then we can use the logical rules (both basic logical entailments and rules for Hoare triples) to prove the conclusion (the formula below the line). Several such are mentioned in the exercises. Do those to get familiar with how the logic works. 3

4 Example: let expressions Let expressions let x = e in e 2 are definable in λ ref,conc : Derivable rule let x = e in e 2 (λx. e 2 ) e Ht-let-det S {P} e 1 {x.x = v Q} (rec f (x) = e 2 ) e S {P} let x = e 1 in e 2 {u.r} S {Q[v/x]} e 2 [v/x] {u.r}

5 Sequencing Sequencing e1; e 2 is also definable (using let). Derivable rule Ht-seq S {P} e 1 {v.q} S {P} e 1 {.Q} S {P} e 1 ; e 2 {u.r} S {P} e 1 ; e 2 {u.r} S { x. Q} e 2 {u.r} S {Q} e 2 {u.r} where.q means that Q does not mention the return value.

6 Application and Deterministic Bind Ht-beta S {P} e [v/x] {u.q} S {P} (λx.e)v {u.q} Ht-bind-det E is an eval. context S {P} e {x.x = u Q} S {Q[u/x]} E[u] {w. R} S {P} E[e] {w. R}

7 Example: swap (finally!) Implementation swap = λx y.let z =! x in x! y; y z Possible Specification {l 1 v 1 l 2 v 2 } swap l 1 l 2 {v.v = () l 1 v 2 l 2 v 1 }. Proof: By Rule Ht-let-det SFTS the following two triples {l 1 v 1 l 2 v 2 }! l 1 {v.v = v 1 l 1 v 1 l 2 v 2 } {l 1 v 1 l 2 v 2 } l 1!l 2 ; l 2 v 1 {v.v = () l 1 v 2 l 2 v 1 }

8 Example: swap Consider the first triple: {l 1 v 1 l 2 v 2 }! l 1 {v.v = v 1 l 1 v 1 l 2 v 2 } To show this, use Ht-load and Ht-frame.

9 Example: swap Consider the second triple: {l 1 v 1 l 2 v 2 } l 1!l 2 ; l 2 v 1 {v.v = () l 1 v 2 l 2 v 1 } By sequencing rule Ht-seq, SFTS: {l1 v 1 l 2 v 2 } l 1! l 2 {.l 1 v 2 l 2 v 2 } {l1 v 2 l 2 v 2 } l 2 v 1 {v.v = () l 1 v 2 l 2 v 1 } For the second, recall that l 2 v 2 implies l 2. Hence we can use Ht-csq and Ht-store followed by Ht-frame. For the first, use deterministic bind, and then proceed with Ht-store, etc.

Proof Outlines In the literature, you will often see proof outlines, which sketch how proofs of programs are done. Tricky to make precise, so not used in the Iris Lecture Notes. Possible proof outline for above proof for swap: {l 1 v 1 l 2 v 2 } swap l 1 l 2 {l 1 v 1 l 2 v 2 } let z =! l 1 in {l 1 v 1 l 2 v 2 z = v 1 } l 1! l 2 ; {l 1 v 2 l 2 v 2 z = v 1 } l 2 z {l 1 v 2 l 2 v 1 z = v 1 } {l 1 v 2 l 2 v 1 } 10

11 Mutable Shared Data Structures: Linked Lists Key Point: We reason about mutable shared data structures by relating them to mathematical models. Today: Mutable Shared Data Structure = linked lists Mathematical Model = sequences (aka functional lists) islist l xs relates value l to sequence xs Defined by induction on xs islist l [] l = inj 1 () islist l (x : xs) hd, l. l = inj 2 (hd) hd (x, l ) islist l xs Exercise: Draw the linked list corresponding to mathematical sequence [1, 2, 3]. Why do we use above?

12 Example: inc on linked lists Incrementing all values in a linked list of integers. Implementation rec inc(l) = match l with Specification inj 1 x 1 () inj 2 x 2 let h = π 1! x 2 in end let t = π 2! x 2 in x 2 (h + 1, t); inc t xs. l.{islist l xs} inc l {v.v = () islist l (map(1+)xs)}

13 Example: inc on linked lists Proof Proceed by the recursion rule. When considering the body of inc, proceed by case analysis of xs. Case xs = []: TS l.{islist l[]} match l with... {v.v = () islist l(map(1+)[])} Case xs = x : xs : TS x, xs. l.{islist l(x : xs )} match l with... {v.v = () islist l(map(1+)(x : xs ))} In both cases, we proceed by the match rule (the islist predicate will tell us which branch is chosen).

14 Case xs = [] To show l.{islist l[]} match l with... {v.v = () islist l(map(1+)[])} Note: islist l[] l = inj 1 (). Thus SFTS {islist l[]} l {v.v = inj 1 () islist l[]} which we do by Ht-frame and Ht-Pre-Eq followed by Ht-ret.

15 Case xs = x : xs To show x, xs. l.{islist l(x : xs )} match l with... {v.v = () islist l(map(1+)(x : xs ))} Note: islist l(x : xs) hd, l.l = inj 2 hd hd (x, l ) islist l xs. Thus we have {l = inj 2 hd hd (x, l ) islist l xs } l {r.r = inj 2 hd l = inj 2 hd hd (x, l ) islist l xs } for some l and hd, using the rule Ht-exist, the frame rule, the Ht-Pre-Eq rule, and the Ht-ret rule. Hence, the second branch will be taken and by the match rule it suffices to verify the body of the second branch.

Case xs = x : xs, continued Using Ht-let-det and Ht-Proj repeatedly we quickly prove {l = inj 2 hd hd (x, l ) islist l xs } let h = π 1!hd in let t = π 2!hd in hd (h + 1, t) {l = inj 2 hd hd (x + 1, l ) islist l xs t = l h = x} Now, by Ht-seq and Ht-csq, we are left with proving {l = inj 2 hd hd (x + 1, l ) islist txs } f t {r.r = () islist l(map(+1)(x : xs ))} which follows from assumption (cf. recursion rule) and definition of the islist predicate. 16

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback