Lectures on Separation Logic. Lecture 2: Foundations

Similar documents
Program Verification Using Separation Logic

From Separation Logic to Systems Software

Theories of Programming Languages Assignment 5

Separation Logic and the Mashup Isolation Problem

Program Verification using Separation Logic Lecture 0 : Course Introduction and Assertion Language. Hongseok Yang (Queen Mary, Univ.

Collecting garbage concurrently (but correctly)

Relational Parametricity and Separation Logic. Hongseok Yang, Queen Mary, Univ. of London Lars Birkedal, IT Univ. of Copenhagen

Floyd-Hoare Style Program Verification

A Brief History of Shared memory C M U

A Short Introduction to Hoare Logic

Reasoning About Imperative Programs. COS 441 Slides 10b

THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600/COMP6260 (Formal Methods for Software Engineering)

Universität Augsburg

Lecture 2: Axiomatic semantics

Separation Logic and the Mashup Isolation Problem

A semantics for concurrent separation logic

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

Hoare Examples & Proof Theory. COS 441 Slides 11

A PROOF SYSTEM FOR SEPARATION LOGIC WITH MAGIC WAND

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Separation and Information Hiding

Axiomatic Semantics. Lecture 9 CS 565 2/12/08

Completeness of Pointer Program Verification by Separation Logic

Boolean bunched logic: its semantics and completeness

Recent developments in concurrent program logics

Hoare Logic and Model Checking

Chapter 2. Assertions. An Introduction to Separation Logic c 2011 John C. Reynolds February 3, 2011

Local Reasoning about Data Update

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Problem Sheet 1: Axiomatic Semantics

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

Hoare Logic (I): Axiomatic Semantics and Program Correctness

CS558 Programming Languages

Hoare Logic: Reasoning About Imperative Programs

Formal Methods in Software Engineering

AN INTRODUCTION TO SEPARATION LOGIC. 2. Assertions

LOGICAL INVESTIGATIONS ON SEPARATION LOGICS (draft) EUROPEAN SUMMER SCHOOL ON LOGIC, LANGUAGE AND INFORMATION BARCELONA, SPAIN, AUGUST 2015

A Revisionist History of Concurrent Separation Logic

CS156: The Calculus of Computation Zohar Manna Autumn 2008

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

0.1 Random useful facts. 0.2 Language Definition

Separation Logic and Graphical Models

Chapter 3. Specifications. 3.1 Hoare Triples. An Introduction to Separation Logic c 2011 John C. Reynolds February 3, 2011

CSE 331 Winter 2018 Homework 1

Spring 2016 Program Analysis and Verification. Lecture 3: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Reasoning about High-Level Tree Update and its Low-Level Implementation

Equational Logic and Term Rewriting: Lecture I

2. Introduction to commutative rings (continued)

Verified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 18, 2017

Concurrent separation logic and operational semantics

Structuring the verification of heap-manipulating programs

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

List reversal: back into the frying pan

Logic, Sets, and Proofs

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Truth-Functional Logic

Verifying Concurrent Memory Reclamation Algorithms with Grace

Computability and Complexity Results for a Spatial Assertion Language for Data Structures

CIS 500 Software Foundations. Midterm II. March 28, 2012

MATH 341, Section 001 FALL 2014 Introduction to the Language and Practice of Mathematics

Chapter 4. Lists and List Segments. An Introduction to Separation Logic c 2011 John C. Reynolds February 17, 2011

Abstraction and Refinement for Local Reasoning

Software Engineering

Modeling and Analysis of Communicating Systems

States and Actions: An Automata-theoretic Model of Objects

Iris: Higher-Order Concurrent Separation Logic. Lecture 9: Concurrency Intro and Invariants

CSE 331 Winter 2018 Reasoning About Code I

Putting order to the separation logic jungle

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

Flow Interfaces Compositional Abstractions of Concurrent Data Structures. Siddharth Krishna, Dennis Shasha, and Thomas Wies

Automatic Parallelization with Separation Logic

Review CHAPTER. 2.1 Definitions in Chapter Sample Exam Questions. 2.1 Set; Element; Member; Universal Set Partition. 2.

Simply Typed Lambda Calculus

Completeness for FOL

A Guide to Proof-Writing

Lecture 2: Syntax. January 24, 2018

Predicate Logic: Sematics Part 1

Spring 2015 Program Analysis and Verification. Lecture 4: Axiomatic Semantics I. Roman Manevich Ben-Gurion University

Solutions to exercises for the Hoare logic (based on material written by Mark Staples)

A Semantic Foundation for Hidden State

Program Analysis Part I : Sequential Programs

Bilateral Proofs of Safety and Progress Properties of Concurrent Programs (Working Draft)

Deductive Verification

Bi-Abduction. Philippa Gardner (Imperial College London) Separation Logic 1 / 17. Bi-Abduction

Foundations of Computation

Nested Hoare Triples and Frame Rules for Higher-order Store

Example. Logic. Logical Statements. Outline of logic topics. Logical Connectives. Logical Connectives

Modal Logics. Most applications of modal logic require a refined version of basic modal logic.

CS156: The Calculus of Computation

Modular Labelled Sequent Calculi for Abstract Separation Logics

Local Rely-Guarantee Reasoning

4 Quantifiers and Quantified Arguments 4.1 Quantifiers

Show Your Work! Point values are in square brackets. There are 35 points possible. Some facts about sets are on the last page.

1 Propositional Logic

Soundness and Completeness of Axiomatic Semantics

Lecture 6: Finite Fields

Proof Calculus for Partial Correctness

Properties of Boolean Algebras

Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5

NESTED HOARE TRIPLES AND FRAME RULES FOR HIGHER-ORDER STORE

Transcription:

Lectures on Separation Logic. Lecture 2: Foundations Peter O Hearn Queen Mary, University of London Marktoberdorf Summer School, 2011

Outline for this lecture Part I : Assertions and Their Semantics Part II : Proof Rules for Programs Part III : Locality 2

Part I Assertions and Their Semantics 3

The RAM Model A state (s, h) has two components, s : Vars Ints h : Nats f Ints Expressions (heap-free) E, F, G ::= x, y, 0 1 E + F E F E F We presume a semantics E s Z 2

Semantics of Assertions (plus induct defs and pure bools) s, h = E F iff {E s} = dom(h) and h(e s) =F s s, h = emp iff h =[]is the empty heap s, h = P Q iff h 0, h 1. h 0 h 1 = h, s, h 0 = P and s, h 1 = Q s, h = P Q iff h. if h #h and s, h = P then s, h h = Q s, h = false never s, h = P Q iff if s, h = P then s, h = Q s, h = x.p iff v Ints. [s x v], h = P h h = union when domains disjoint, undefined otherwise h#h means domains disjoint Boolean constructs P, P Q, P Q, x.p defined in usual way from false,,. 3

Addresses are just numbers (no messing about) E F 0,...., F n = (E F0 ) (E + n F n ) An offset list (x a, o) (x + o b, o) For example, in a store where x = 17 and o = 25, the formula is true of a heap 4

Algebraic Structure Suppose we have ANY partial commutative monoid (H,, e). Determines total, ordered commutative monoid (P(H),, emp) h A B iff h A, h B. h = h A h B and h A A and h B B emp = {e} 5

Algebraic Structure Suppose we have ANY partial commutative monoid (H,, e). Determines total, ordered commutative monoid (P(H),, emp) h A B iff h A, h B. h = h A h B and h A A and h B B emp = {e} emp = I have a heap, and it is empty (not the empty set of heaps) true = p p = H = any heap will do false = p p = = no heap will do 5

Algebraic Structure Suppose we have ANY partial commutative monoid (H,, e). Determines total, ordered commutative monoid (P(H),, emp) h A B iff h A, h B. h = h A h B and h A A and h B B emp = {e} emp = I have a heap, and it is empty (not the empty set of heaps) true = p p = H = any heap will do false = p p = = no heap will do P(H) is (in the subset order) both A Boolean Algebra, and A Residuated Monoid: A B C A B C Model of Boolean BI logic (Boolean BI-algebra: O Hearn, Pym). 5

Validity P is valid if, for all s, h, s, h = P. We use validity of P Q as an oracle in this course. There are automatic (e.g., Smallfoot, jstar) and interactive (via embeddings into HOL, Coq, Isabelle) proof tools that approximate validity in separation logic. Validity examples (in the particular (RAM) model) E 3 E 0 Valid E E E F E = F E 3 F 3 E = F E 3 F 3 E 3 F 3 Invalid Valid Valid Invalid 6

Validity (continued) Validity examples (in the general models) (P Q) (P R) P (Q R) Valid P (P Q) = Q Valid (P Q) (P R) P (Q R) Invalid Proof of the first one: P ( ) is a left adjoint, hence preserves colimits. Second one: pretty immediate. Analysis of third one: for the exercises. 7

Validity (continued) What does P true mean? 8

Validity (continued) What does P true mean? More particularly, (10 3) true?? 8

Validity (continued) What does P true mean? More particularly, (10 3) true?? Valid, satisfiable, or unsatisfiable? P true P?? (10 3 true) (10 3 true)?? (10 3) = (10 3 true) (10 3 true)?? (10 3) true = (10 3) (10 3)?? 8

Validity (continued) What does P true mean? More particularly, (10 3) true?? Valid, satisfiable, or unsatisfiable? P true P?? (10 3 true) (10 3 true)?? (10 3) = (10 3 true) (10 3 true)?? (10 3) true = (10 3) (10 3)?? Satisfiability of P P is like paraconsistent logic. 8

Magic Wand in the RAM model s, h = P Q iff h. if h #h and s, h = P then s, h h = Q Consider (42 7) P. If I can extend the heap with a cell 42, then P will be true. (But the formula will be true also if 42 is already allocated, to anything.) 14

Magic Wand in the RAM model s, h = P Q iff h. if h #h and s, h = P then s, h h = Q Consider (42 7) P. If I can extend the heap with a cell 42, then P will be true. (But the formula will be true also if 42 is already allocated, to anything.) If I can allocate 42 and initialize it to 7, then P will be true 14

Magic Wand in the RAM model s, h = P Q iff h. if h #h and s, h = P then s, h h = Q Consider (42 7) P. If I can extend the heap with a cell 42, then P will be true. (But the formula will be true also if 42 is already allocated, to anything.) If I can allocate 42 and initialize it to 7, then P will be true x. (x 3, 4) P : The weakest precondition of the command x:=cons(3,4); 14

Part II Proof Rules for Programs 4

Programs E ::= x E + E E E C ::= x:= E x:= [E] [E]:= F x:= cons(e 1,...., E n ) dispose(e) skip C; C if B then C else C while B do C 3

Small Axioms O Hearn-Reynolds-Yang, 2001: Local Reasoning about Programs that alter Data Structures For x, m, n distinct variables, {E } [E]:= F {E F } {E } dispose(e) {emp} {x = m emp}x:= cons(e 1,...., E k ){x E 1 [m/x],...., E k [m/x]} {x = m emp} x:= E {x =(E[m/x]) emp} {x = m E n} x:= [E] {x = n E[m/x] n} 4

Structural Rules (O Hearn-Reynolds-Yang, 2001) 1 {P}C{Q} {P R}C{Q R} Modifies(C) Free(R) = P P {P} C {Q} Q Q {P } C {Q } {P} C {Q} { x.p} C { x.q} x Free(C) {P} C {Q} ({P} C {Q})[E 1 /x 1,...., E k /x k ] {x 1,...., x k } Free(P, C, Q), and x i Modifies(C) implies E i is a variable not free in another E j 1 Modifies(x:= )={x}, Modifies([E]:= )={} 5

Remaining Constructs (Hoare, 1967) {P B}C{P} {P}while BC{P B} {P}skip{P} {P}C 1 {Q} {Q}C 2 {R} {P}C 1 ; C 2 {R} {P B} C {Q} {P B} C {Q} {P} if B then C else C {Q} 6

Sample Derived Laws In-place reasoning axiom: {10 }[10]:= 7{10 7} {10 R}[10]:= 7{10 7 R} Frame Weakest Precondition Axiom: {10 }[10]:= 7{10 7} {10 ((10 7) P)}[10]:= 7{10 7 ((10 7) P)} Frame Conseq {10 ((10 7) P)}[10]:= 7{P} 7

A Little Example We usually present proofs as annotated programs, like {list(x) x = nil} { x. x x list(x )} t:= [x] {x t list(t)} dispose(x) {list(t)} Here, two assertions in a row indiate use of the rule of consequence. An assertion between two commands is the Q in the sequencing rule. The last step uses the small axiom for dispose and the rule of consequence on the right with the fact that emp is an identity. The previous statement uses the small axiom, the rule of consequence, the existential rule. Exercise: Convert this into a full proof, where you use an oracle in the rule of consequence step. 8

Another Example {emp} x:= cons(a, a) {x a, a} t:= cons(b, b) {(x a, a) (t b, b)} [x + 1]:= t x {(x a, t x) (t b, b)} [t + 1]:= x t {(x a, t x) (t b, x t)} { o. (x a, o) (x + o b, o)} This is an offset list, as before 9

Completeness Using the small axioms and structural rules, we can derive all true triples about basic statements (weakest precondition, then it follows). Then, we can get relative (Cook) completeness for entire programming language. There is a limit to how far we can go, because of fundamental negative results of Ed Clarke. These are just remarks, which I make because I am often asked. Please don t overestimate the importance of completeness. 11

About Modifies sets 3 (probably skip this) The modifies clause in {P}C{Q} {P R}C{Q R} Modifies(C) Free(R) = concerns s component of s, h, where deals with the h. Historically, in Floyd-Hoare logic there was s but no h, and s was allowed to be altered. This is the source of the famous axiom {P[e/x]}x:= e{p} but also of the modifies clauses in some proof rules. Most presentations of SL inherit this history. But, in many programming languages (C, Java, ML, Haskell...) the s the association of variable names to values (perhaps addresses) is not allowed to be mutated 2. Then the proof rules become simpler: no modifies. This applies to program-proof tools Space Invader, Verifast, jstar... 2 s is then the environment in Strachey s 12 sense, and h is the store

Part III Locality 5

SL is pretty modular Frame {P}C{Q} {P R}C{Q R} Concurrency {P}C{Q} {P }C {Q } {P P }C C {Q Q } 6

SL is pretty modular Frame {P}C{Q} {P R}C{Q R} Concurrency {P}C{Q} {P }C {Q } {P P }C C {Q Q } Why? 6

Recall the??? {(x ) P} [x]:= 7 {(x 7) P} {true} [x]:= 7 {??} {P (x ) } dispose(x) {P} {true} dispose(x) {??} 23

[x]=y ; [y]= x x y x y x y 12

[x]=y ; [y]= x x y x y x y 13

[x]=y ; [y]= x x y x y 14

[x]=y ; [y]= x x y x y Error 15

Recall the??? {(x ) P} [x]:= 7 {(x 7) P} {true} [x]:= 7 {??} {P (x ) } dispose(x) {P} {true} dispose(x) {??} 23

Tight Specs for (nearly) Free 2 {A}Prog{B} holds iff h A, 1. no error: t. hterror Traces(Prog) 2. partial correctness: t, h. hth Traces(Prog) h B 2 Error-avoiding used in Hoare-Wirth 1972, tightness observed in 2000 24

Tight Specs for (nearly) Free 2 {A}Prog{B} holds iff h A, 1. no error: t. hterror Traces(Prog) 2. partial correctness: t, h. hth Traces(Prog) h B The no error clause has a remarkable consequence: touching anything not known to be allocated in the pre falsifies the triple 2 Error-avoiding used in Hoare-Wirth 1972, tightness observed in 2000

Tight Specs for (nearly) Free 2 {A}Prog{B} holds iff h A, 1. no error: t. hterror Traces(Prog) 2. partial correctness: t, h. hth Traces(Prog) h B The no error clause has a remarkable consequence: touching anything not known to be allocated in the pre falsifies the triple For example, suppose I tell you {10 }C{10 25} but I don t tell you what C is. 2 Error-avoiding used in Hoare-Wirth 1972, tightness observed in 2000 24

Tight Specs for (nearly) Free 2 {A}Prog{B} holds iff h A, 1. no error: t. hterror Traces(Prog) 2. partial correctness: t, h. hth Traces(Prog) h B The no error clause has a remarkable consequence: touching anything not known to be allocated in the pre falsifies the triple For example, suppose I tell you {10 }C{10 25} but I don t tell you what C is. I claim C cannot change location 11 if it happens to be allocated in the pre-state (when 10 is also allocated). if C changed location 11, it would have to access location 11, and this would lead to Error when starting in a state where 10 is allocated and 11 is not. That would falsify the triple (no error clause) 2 Error-avoiding used in Hoare-Wirth 1972, tightness observed in 2000 24

Tight Specs for (nearly) Free {A}Prog{B} holds iff h A, 1. no error: t. hterror Traces(Prog) 2. partial correctness: t, h. hth Traces(Prog) h B The no error clause has a remarkable consequence: touching anything not known to be allocated in the pre falsifies the triple 25

Tight Specs for (nearly) Free {A}Prog{B} holds iff h A, 1. no error: t. hterror Traces(Prog) 2. partial correctness: t, h. hth Traces(Prog) h B The no error clause has a remarkable consequence: touching anything not known to be allocated in the pre falsifies the triple Loudly, now: This remarkable consequence does not depend on separation logic. SL just gives us a convenient way to exploit it {P}C{Q} {P R}C{Q R} 25

Concurrency, Similarly {A}Prog{B} holds iff h A, 1. no error: t. hterror Traces(Prog) 2. partial correctness: t, h. hth Traces(Prog) h B 26

Concurrency, Similarly {A}Prog{B} holds iff h A, 1. no error: t. hterror Traces(Prog) 2. partial correctness: t, h. hth Traces(Prog) h B Now, suppose I tell you {10 }C 1 {10 25} and {11 }C 2 {11 47} 26

Concurrency, Similarly {A}Prog{B} holds iff h A, 1. no error: t. hterror Traces(Prog) 2. partial correctness: t, h. hth Traces(Prog) h B Now, suppose I tell you {10 }C 1 {10 25} and {11 }C 2 {11 47} I claim that C1 does not touch 10, and C 2 does not touch 11 (from appropriate start state). Same argument as above. 26

Concurrency, Similarly {A}Prog{B} holds iff h A, 1. no error: t. hterror Traces(Prog) 2. partial correctness: t, h. hth Traces(Prog) h B Now, suppose I tell you {10 }C 1 {10 25} and {11 }C 2 {11 47} I claim that C1 does not touch 10, and C 2 does not touch 11 (from appropriate start state). Same argument as above. This justifies concluding {10 11 }C 1 C 2 {10 25 11 47} 26

Concurrency, Similarly {A}Prog{B} holds iff h A, 1. no error: t. hterror Traces(Prog) 2. partial correctness: t, h. hth Traces(Prog) h B Now, suppose I tell you {10 }C 1 {10 25} and {11 }C 2 {11 47} I claim that C1 does not touch 10, and C 2 does not touch 11 (from appropriate start state). Same argument as above. This justifies concluding {10 11 }C 1 C 2 {10 25 11 47} That reasoning is the idea behind {P}C{Q} {P }C {Q } {P P }C C {Q Q } in the disjoint concurrency case. A much more difficult argument (Brookes s tour de force) is needed to deal with synchronization. 26

Main Messages 1. The locality/modularity of separation logic is a consequence of semantic properties of programs. 6

Main Messages 1. The locality/modularity of separation logic is a consequence of semantic properties of programs. 2. Separation logic is just a packaging of the semantic facts. (The logic is only convenient...) 7

Question: what is the post? {lseg(x,nil) & x!=nil } [42]:=nil {???}

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback