1 / 51

Introduction to Separation Logic

This Talk. What is Separation Logic?Strengths and weaknessesSuccessful applicationsMain challenges. What is Separation Logic?. Extension of Hoare logic low-level imperative programsshared mutable data structures. Motivating Example. assume( *x == 3 ). assert( *x == 3 ). assume( y != z ). *y = 4;*z = 5;assert( *y != *z ).

bethesda
Download Presentation

Introduction to Separation Logic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Introduction to Separation Logic presented by Greta Yorsh April 02, 2008 IBM, Hawthorne

    2. This Talk What is Separation Logic? Strengths and weaknesses Successful applications Main challenges

    3. What is Separation Logic? Extension of Hoare logic low-level imperative programs shared mutable data structures

    4. Motivating Example Add assertionsAdd assertions

    5. Framing Problem What are the conditions on aliasing btwn x, y, z ? frame general concept that things dont change - hoare proof rules: assignment rule does not work in presence of pointers - first rule has side condition: where no variable in r is modified by C frame general concept that things dont change - hoare proof rules: assignment rule does not work in presence of pointers - first rule has side condition: where no variable in r is modified by C

    6. Framing Problem What are the conditions on C and R? in presence of aliasing and heap Separation logic introduces new connective * frame general concept that things dont change - hoare proof rules: assignment rule does not work in presence of pointers - first rule has side condition: where no variable in r is modified by C frame general concept that things dont change - hoare proof rules: assignment rule does not work in presence of pointers - first rule has side condition: where no variable in r is modified by C

    7. Outline Assertion language: syntax and semantics Hoare-style proofs Program analysis Concurrency Termination Object-oriented programs

    8. Assertion Language

    9. Examples x ? y ls(y, z) x ? y * ls(y, z)

    10. Syntax P, Q assertions (formulas) E ranges over integer expressions (E does not contain indirection through the heap), x ranges over variablesP, Q assertions (formulas) E ranges over integer expressions (E does not contain indirection through the heap), x ranges over variables

    11. Semantics Assertions are evaluated w.r.t. a state State is store and heap S : Var ? Int H : Loc ? Int where Loc ? Int Notations disjoint domains: dom(H1) ? dom(H2) composition: H1 ? H2 evaluation: ?E?S ? Int update: S[x:i] S,H ? P

    12. Semantics H ? H' means disjoint function composition Free(P, Q) ? dom(S), Free(P) is the set of variables occurring freely in P.)H ? H' means disjoint function composition Free(P, Q) ? dom(S), Free(P) is the set of variables occurring freely in P.)

    13. E ? E1,E2,..,En ? E ? E1 * E+1 ? E2 * ... * E+(n-1) ? En E1 ? E2 ? E1 ? E2 * true E ? _ ? ?x. E ? x Common Shorthands

    14. Examples

    15. Inductive Definitions Describe invariants of recursive data-structure Trees List Segments Doubly-linked list segments Cyclic lists List of cyclic doubly linked lists Lists with head pointers Nested lists (bounded depth) ... Binary tree tree(E) ? (E = nil ? emp) ? (?x,y. E ?x,y * tree(x) * tree(y)) ls(E, F) ? (E=F ? emp) ? ( ?x. E?x * ls(x, F) ) possibly empty, possibly cyclic ls(E, F) ? (E=F ? emp) ? ( ?x. E?x * ls(x, F) ) possibly empty, possibly cyclic

    16. List segment Acyclic, possibly empty ls(E, F) ? (E=F ? emp) ? (E?F ? ?v. E?v * ls(v, F)) ls(E, F) ? (E=F ? emp) ? ( ?x. E?x * ls(x, F) ) possibly empty, possibly cyclic ls(E, F) ? (E=F ? emp) ? ( ?x. E?x * ls(x, F) ) possibly empty, possibly cyclic

    17. More complex structures Doubly-linked list segment dls(x,y,z) ? (x=y ? emp) ? (x?y ? ?w. x?z,w * dls(w,y,x))

    18. Axioms ls(x,y) * ls(y,nil) ? ls(x,nil) ls(x,y) * ls(y,z) ? ls(x,z) ls(x,y) ? ?w. ls(x,w) * w?y (P1 ? P2) * Q ? (P1 * Q) ? (P2 * Q) x ? y * z ? w ? x ? z x ? y ? z ? w ? x ? y ? x = z ? y = w ls(E1, E2) ls(E2, nil) ` ls(E1, nil) but note: ls(E1, E2) ls(E2, E3) 0 ls(E1, E3) ls(E1, E2) ls(E2, nil) ` ls(E1, nil) but note: ls(E1, E2) ls(E2, E3) 0 ls(E1, E3)

    19. Axioms Weakening P ? Q ? P P * Q ? P Contraction P ? P ? P P ? P * P Classical logic Substructural logic removal of structural rules: weakening, contraction, Bunched implications (BI) mixes substructural logic with classical/intuitionistic logic ? admits weakening and contraction, * does not Classical logic Substructural logic removal of structural rules: weakening, contraction, Bunched implications (BI) mixes substructural logic with classical/intuitionistic logic ? admits weakening and contraction, * does not

    20. Precise Assertions ? S,H there is at most one h ? h s.t. s,h ? P Examples precise: x ? 1, ls(x,y) not precise: ?x. x ? y, P ? Q Axiom for precise assertions (P1 ? P2) * Q ? (P1 * Q) ? (P2 * Q)

    21. Pure Assertions Syntax: do not contain ? or emp Semantics: do not depend on heap (for any store) Axioms for pure assertions x=y * z = w ? x=y ? z = w

    22. Symbolic Heaps A ::= (P ? ... ? P) ? (S * ... * S) E ::= x | nil | E + E P ::= E=E | E ? E S ::= E ? E | tree(E) | ls(E, E) | dls(E, E, E)

    23. Hoare-Style Proofs

    24. Hoare Triples {P} C {Q} partial correctness if P holds when C starts and C terminates then Q holds after C no runtime errors (null dereferences) [P] C [Q] total correctness if P holds when C starts then C terminates and Q holds after C This interpretation ensures that a well-specified program does not access any L-values not guaranteed to exist by the precondition.This interpretation ensures that a well-specified program does not access any L-values not guaranteed to exist by the precondition.

    25. The Programming Language allocation heap lookup mutation deallocation

    26. Operational Semantics by Example Allocation x := cons(y, z) Heap lookup y := [x+1] Mutation [x + 1] := 3 Deallocation dispose(x+1)

    27. Hoare Proof Rules for Partial Correctness

    28. Hoare Axiom for Assignment How to extend it for heap mutation ? Example:

    29. Small Axioms

    30. The Frame Rule Small axioms - tight specification Frame Rule - allows the Small Axioms to apply generally.Small axioms - tight specification Frame Rule - allows the Small Axioms to apply generally.

    31. The Frame Rule Small Axioms give tight specification Allows the Small Axioms to apply generally Handle procedure calls modularly Frame rule is a key to local proofs Small axioms - tight specification Frame Rule - allows the Small Axioms to apply generally. For all heaps H ? H If a command does not fault on a small heap H then it does not fault on a larger heap H Heap Montonicity The frame rule is complete in the following sense: Suppose that all we know about a command c is that some partial correctness specification {p} c {q} is valid. Then, whenever the validity of {p} c {q} is a semantic consequence of this knowledge, {p} c {q} can be derived from {p} c {q} by use of the frame rule and the rules of consequence, auxiliary variable elimination, and substitution. Small axioms - tight specification Frame Rule - allows the Small Axioms to apply generally. For all heaps H ? H If a command does not fault on a small heap H then it does not fault on a larger heap H Heap Montonicity The frame rule is complete in the following sense: Suppose that all we know about a command c is that some partial correctness specification {p} c {q} is valid. Then, whenever the validity of {p} c {q} is a semantic consequence of this knowledge, {p} c {q} can be derived from {p} c {q} by use of the frame rule and the rules of consequence, auxiliary variable elimination, and substitution.

    32. Reverse

    33. Local Specification Footprint part of the state that is used by the command Local specification reasoning only about the footprint Frame rule from local to global spec

    34. Frame Rule Sound safety-monotonicity frame property of small axioms Complete derives WLP or SP for commands

    35. Weakest Preconditions wp(x:=cons(y,z), P) = ? v. ( (v ? x,y) wp( x:= [E], P) = ? v. (e ? v) ? P(x/v) wp([E1]:=E2, P) = (E1 ?_ ) * ( (E1? E2) -* P)) wp(dispose E, P) = (E1 ?_ ) * P Allocation v ? free(x,y,P) Lookup v ? free(E,P)\{x} Mutation Disposal

    36. Automated verification and Program analysis

    37. Symbolic Execution Application of separation logic proof rules as symbolic execution Restrict assertion language to symbolic heaps Discharge entailments A ? B axiomatize consequences of induction Frame inference

    38. DeleteTree DeleteTree (t) { local i,j; if (t != nil) { i := [t]; j := [t+1] ; DeleteTree(j); DeleteTree(i); dispose t; } }

    39. Frame Inference Failed proof of entailment yields a frame Assertion at call site Callees precondition Frame

    40. Frame Inference Assertion at call site: Callees precondition:

    41. Incompleteness of Frame Inference Lose the information that x=y Do we need inequality involving just-disposed ?

    42. Program Analysis Abstract value is a set of symbolic heaps Abstract transformers by symbolic execution (TODO EXAMPLE) Fixpoint check by entailement Knobs widening / abstraction join interprocedural analysis (cutpoints) predicate discovery

    43. Global Properties? Before: tree ? (Q * R) ? (tree ? Q) * (tree ? R) After: (tree ? Q) * (tree ? R) ? tree ? (Q * R) Loss of global property no restrictions on dangling pointers in P and Q can point to each other and create cycles

    44. OPCM Ordered Partially Commutative Monoid (OPCM) M = < E, *, e, ? > * is associative, commutative, e is the unit of * ? is a partial order on E Redefine OPCM get semantics of the assertion language for free Redefine small axioms satisfy safety-monotonicity and frame property get frame rule for free depends granularity of star depends granularity of star

    45. Bibliography http://www.dcs.qmw.ac.uk/~ohearn/localreasoning.html

    46. Early Days The Logic of Bunched Implications O'Hearn and Pym. 1999 Intuitionistic Reasoning about Shared Mutable Data Structure Reynolds. 1999 BI as an Assertion Language for Mutable Data Structures. Ishtiaq, O'Hearn. POPL'01. Local Reasoning about Programs that Alter Data Structures O'Hearn, Reynolds, Yang. CSL'01. Separation Logic: A Logic for Shared Mutable Data Structures Reynolds. LICS 2002. BI had a general model theory oriented around ``resource composition', no heap Reynolds: separating conjunction as the heap composition primitive, simplify some proofs about aliasing. POPL01: Reynolds idea as standard, not intuitionistic logic, and support free(). CSL01: ``small axioms'', and an example showing why one can't avoid the notorious frame problem in program specification. CSL01, LICS02: Examples of ``within data structure'' locality, which went beyond the ``between data structure'' locality that had been displayed in the POPL'01 paper. Concentrate on ``local surgeries'' that worked on small areas of a data structure, to be later glued together using the frame rule. how are BI and separation logic related, are they the same thing? separation logic is a formalism of program dynamics, based on Hoare triples, while in BI there are no Hoare triples (separation logic is an extension of BI) BI is a model theory which is inspired by a primitive of resource composition, whereas separation logic has been based on particular storage models. The heap models of separation logic are specific BI models, and furthermore not all BI models are about separation Classical logic Substructural logic removal of structural rules: weakening, contraction, Bunched implications (BI) mixes substructural logic with classical/intuitionistic logic ? admits weakening and contraction, * does not BI had a general model theory oriented around ``resource composition', no heap Reynolds: separating conjunction as the heap composition primitive, simplify some proofs about aliasing. POPL01: Reynolds idea as standard, not intuitionistic logic, and support free(). CSL01: ``small axioms'', and an example showing why one can't avoid the notorious frame problem in program specification. CSL01, LICS02: Examples of ``within data structure'' locality, which went beyond the ``between data structure'' locality that had been displayed in the POPL'01 paper. Concentrate on ``local surgeries'' that worked on small areas of a data structure, to be later glued together using the frame rule. how are BI and separation logic related, are they the same thing? separation logic is a formalism of program dynamics, based on Hoare triples, while in BI there are no Hoare triples (separation logic is an extension of BI) BI is a model theory which is inspired by a primitive of resource composition, whereas separation logic has been based on particular storage models. The heap models of separation logic are specific BI models, and furthermore not all BI models are about separation Classical logic Substructural logic removal of structural rules: weakening, contraction, Bunched implications (BI) mixes substructural logic with classical/intuitionistic logic ? admits weakening and contraction, * does not

    47. Successful Applications An example of local reasoning in BI pointer logic: the Schorr-Waite graph marking algorithm Yang, SPACE 2001 Local Reasoning about a Copying Garbage Collector Birkedal, Torp-Smith, Reynolds. POPL'04

    48. Analysis and Automated Verification Symbolic Execution with Separation Logic. Berdine, Calcagno, O'Hearn. APLAS'05. Smallfoot: Modular Automatic Assertion Checking with Separation Logic Berdine, Calcagno, O'Hearn. FMCO06. A local shape analysis based on separation logic Distefano, O'Hearn, Yang. TACAS06. Interprocedural Shape Analysis with Separated Heap Abstractions. Gotsman, Berdine, Cook. SAS06 Shape analysis for composite data structures. Berdine, Calcagno, Cook, Distefano, O'Hearn, Wies, Yang. CAV'07. ... 1) Smallfoot requires (lightweight) preconditions, postconditions and loop invariants to be given by the user. It uses its own toy programming language, designed to ease experimentation in the initial steps, rather than a real programming language. 2) TACAS06: Smallfoot's symbolic execution mechanism together with selected true impications to infer invariants via a fixed-point calculation, in the usual way of abstract interpretation. 3) CAV07: Found several previously unknown memory safety bugs and memory leaks in the IEEE 1394 firewire device driver.1) Smallfoot requires (lightweight) preconditions, postconditions and loop invariants to be given by the user. It uses its own toy programming language, designed to ease experimentation in the initial steps, rather than a real programming language. 2) TACAS06: Smallfoot's symbolic execution mechanism together with selected true impications to infer invariants via a fixed-point calculation, in the usual way of abstract interpretation. 3) CAV07: Found several previously unknown memory safety bugs and memory leaks in the IEEE 1394 firewire device driver.

    49. Concurrency Resources, Concurrency and Local Reasoning O'Hearn. Reynolds Festschrift, 2007. CONCUR'04 A Semantics for Concurrent Separation Logic Brookes. Reynolds Festschrift, 2007. CONCUR'04 Towards a Grainless Semantics for Shared Variable Concurrency John C. Reynolds (in preparation?) Permission Accounting in Separation Logic Bornat, Calcagno, O'Hearn, Parkinson. POPL05 Modular Verification of a Non-blocking Stack Parkinson, Bornat, O'Hearn. POPL07 A Marriage of Rely/Guarantee and Separation Logic Parkinson, Vafeiadis. CONCUR07 Modular Safety Checking for Fine-Grained Concurrency (smallfootRG) Calcagno, Parkinson, Vafeiadis. SAS'07 Thread-Modular Shape Analysis. Gotsman, Berdine, Cook, Sagiv. PLDI07 ... OHearn concur and tcs07: Some highlights: we can transfer portions of heap between processes, as in a resource manager or in efficient message passing; we can do modular reasoning in the presence of semaphores (e.g., split binary semaphores without maintaining a global invariant); we do parallel mergesort with no rely or guarantee conditions, the proven processes automatically mind their own business. proven programs are race-free, and Steve Brookes showed a theorem to that effect. 1.5) POPL05: proof of the classic readers-and-writers program. 2) POPL07: the concurrent separation logic just forces you to be explicit about granularity, by wrapping little critical sections around those portions of code considered atomic.OHearn concur and tcs07: Some highlights: we can transfer portions of heap between processes, as in a resource manager or in efficient message passing; we can do modular reasoning in the presence of semaphores (e.g., split binary semaphores without maintaining a global invariant); we do parallel mergesort with no rely or guarantee conditions, the proven processes automatically mind their own business. proven programs are race-free, and Steve Brookes showed a theorem to that effect. 1.5) POPL05: proof of the classic readers-and-writers program. 2) POPL07: the concurrent separation logic just forces you to be explicit about granularity, by wrapping little critical sections around those portions of code considered atomic.

    50. Termination Automatic termination proofs for programs with shape-shifting heaps. Berdine, Cook, Distefano, O'Hearn. CAV06 Variance Analyses from Invariance Analyses. Berdine, Chawdhary, Cook, Distefano, O'Hearn. POPL 2007 ... a termination-proof method that could be applied to other abstract interpretations, resulting ina termination-proof method that could be applied to other abstract interpretations, resulting in

    51. Object Oriented Programming Separation logic and abstraction Parkinson and Bierman. POPL05 Class Invariants: The End of the Road? Parkinson. IWACO'07. Separation Logic, Abstraction, and Inheritance Parkinson, Bierman. POPL'08 POPL05: handle a subset of Java, by adding ``abstract predicates'' to separation logic. These predicates are logical cousins of type variabes, and their explanation of abstraction with them is somehow analogous to the treatments of classical abstract typesusing the polymorphic lambda-calculus, by Reynols, Mitchell and Plotkin. IWACO07: entertaining and radical position paper against the notion of class invariants. POPL08 : extend POPL05 to account for inheritancePOPL05: handle a subset of Java, by adding ``abstract predicates'' to separation logic. These predicates are logical cousins of type variabes, and their explanation of abstraction with them is somehow analogous to the treatments of classical abstract typesusing the polymorphic lambda-calculus, by Reynols, Mitchell and Plotkin. IWACO07: entertaining and radical position paper against the notion of class invariants. POPL08 : extend POPL05 to account for inheritance

    52. Summary of Basic Ideas Extension of Hoare logic to imperative programs Separating conjunction * Inductive definitions for data-structures Tight specifications Dangling pointers Local surgeries Frame rule

More Related