Separation Logic: syntax, semantics and calculus

Size: px

Start display at page:

Download "Separation Logic: syntax, semantics and calculus"

Ashley Holmes
6 years ago
Views:

1 Separation Logic: syntax, semantics and calculus Syntax Semantics Calculus emp SL N/A FOL N/A = + Arithmetic N/A := ; while if then else [.] dispose(.) cons(.) State is a pair (Store,Heap) St(.) maps variables to values H p(.) maps locations to values N/A if initial state satisfies P {P}S{Q} and S terminates More Inference then S does not fault and Rules COMP 2600 Separation Logic 26 final state satisfies Q

2 Summary of Lecture I: Reasoning About Pointers State is now a pair (Store, Heap) where Store maps variables to values and Heap maps a finite subset of numbers to values (smallest heap) New Programming Language Constructs Fetch: v := [e] e.g. x := [y + 1] evaluate expression e in current state to get location l fault if location l is not in the current heap otherwise variable v is assigned the contents of location l Heap Assignment/Mutation: [e] := e 1 e.g. [y + 1] := 5 evaluate e (in the current state) as location l fault if location l is not in the current heap otherwise make the contents of location l the value of expression e 1 COMP 2600 Separation Logic 27

3 Summary of Lecture I: Reasoning About Pointers Allocation: v := cons(e 1,e 2,,e n ) e.g. p := cons(3,7) extend the heap with n consecutive new locations l,l +1,,l +n 1 put values of e 1,,e n into locations l,,l + n 1 respectively extend the store by assigning v the value l never faults Deallocation: dispose(e) evaluate e to get some number l e.g. dispose(q) fault if location l is not in the heap otherwise remove location l from the heap {P}S{Q} if initial state satisfies P and S terminates then S does not fault and final state satisfies Q (so our rules will have to guarantee no faults) COMP 2600 Separation Logic 28

4 Summary of Lecture I: Reasoning About Pointers {P}S{Q} if initial state satisfies P and S terminates then S does not fault and final state satisfies Q (so our rules will have to guarantee no faults) New: atomic formula emp s.t. (St,H p) = emp if dom(h p) = /0 (emptyset) Floyd Store Axiom for Separation Logic: replaces Hoare (Store) Axiom {x = v emp} x := e {x = e(v/x) emp} where v is an auxiliary variable which does not occur in e Hoare Logic: keep other rules (PreConStr, PostCondWeak, Seq, Cond, While), so Separation Logic is a genuine extension of Hoare Logic Reasoning: goes forwards rather than backward Need: more rules to handle the new programming language constructs and maybe new formula connectives to reason about these constructs COMP 2600 Separation Logic 29

5 COMP 2600 Separation Logic 30

6 Separation Logic: syntax, semantics and calculus Syntax Semantics Calculus emp SL N/A FOL N/A = + Arithmetic N/A := ; while if then else [.] dispose(.) cons(.) State is a pair (Store,Heap) St(.) maps variables to values H p(.) maps locations to values N/A if initial state satisfies P {P}S{Q} and S terminates More Inference then S does not fault and Rules COMP 2600 Separation Logic 31 final state satisfies Q

7 Fetch Assignment Axiom of Separation Logic {(x = v 1 ) (e v 2 )} x := [e] {(x = v 2 ) (e(v 1 /x) v 2 )} where v 1 and v 2 are auxiliary variables which do not occur in e Example: x := [y] St H p x := [y] St H p y = y = x = 1 1 e is y: so {(x = v 1 ) (y v 2 )} x := [y] {(x = v 2 ) (y(v 1 /x) v 2 )} v 2 is 1: so {(x = v 1 ) (y 1)} x := [y] {(x = 1) (y(v 1 /x) 1)} y(v 1 /x) is y: since there are no occurrences of x in y so {(x = v 1 ) (y 1)} x := [y] {(x = 1) (y 1)} COMP 2600 Separation Logic 32

8 Fetch Assignment Axiom of Separation Logic {(x = v 1 ) (e v 2 )} x := [e] {(x = v 2 ) (e(v 1 /x) v 2 )} where v 1 and v 2 are auxiliary variables which do not occur in e Example: x := [y] St H p x := [y] St H p y = y = x = 1 1 Fetch Axiom Instance: from previous slide {(x = v 1 ) (y 1)} x := [y] {(x = 1) (y 1)} New: binary formula connective to extend our syntax of formulae COMP 2600 Separation Logic 33

9 COMP 2600 Separation Logic 34

10 Separation Logic: syntax, semantics and calculus Syntax Semantics Calculus emp SL N/A FOL N/A = + Arithmetic N/A := ; while if then else [.] dispose(.) cons(.) State is a pair (Store,Heap) St(.) maps variables to values H p(.) maps locations to values N/A if initial state satisfies P {P}S{Q} and S terminates More Inference then S does not fault and Rules COMP 2600 Separation Logic 35 final state satisfies Q

11 Semantics of Separation Logic Store : Var Val Heap : Num f in Val State = Store Heap St(e) value of an expression in a store as explained earlier (St,H p) = emp if dom(h p) = /0 New: binary connective e 1 e 2 which relates two expressions Semantics: (St,H p) = e 1 e 2 if dom(h p)={st(e 1 )} and H p(st(e 1 )) = St(e 2 ) i.e. a state (St,H p) makes the formula e 1 e 2 true if the heap is of size one and maps the location St(e 1 ) to the value St(e 2 ) COMP 2600 Separation Logic 36

12 Fetch Assignment Axiom of Separation Logic {(x = v 1 ) (e v 2 )} x := [e] {(x = v 2 ) (e(v 1 /x) v 2 )} where v 1 and v 2 are auxiliary variables which do not occur in e Example: x := [y] St H p x := [y] St H p y = y = x = 1 1 Fetch Axiom Instance: from previous slide {(x = v 1 ) (y 1)} x := [y] {(x = 1) (y 1)} Example: (St,H p) = y 1 if dom(h p) = {St(y)} and H p(st(y)) = St(1) i.e.: (St,H p) = y 1 if dom(h p) = {20} and H p(20) = 1 COMP 2600 Separation Logic 37

13 Fetch Assignment Axiom of Separation Logic {(x = v 1 ) (e v 2 )} x := [e] {(x = v 2 ) (e(v 1 /x) v 2 )} where v 1 and v 2 are auxiliary variables which do not occur in e St H p x := [e] St H p e St(e) e St(e) x = v 1 v 2 x = v 2 v 2 Fetch: x := [e] evaluate expression e in current state to get location l fault if location l is not in the current heap otherwise variable x is assigned the contents of location l (e v 2 ) in precondition demands heap contains location l so fetch instruction will not fault if it is executed from such a prestate Smallness: the heap is as small as possible i.e. of size one COMP 2600 Separation Logic 38

14 Heap Assignment Axiom of Separation Logic Heap Assignment Axiom {e } [e] := e 1 {e e 1 } where (e ) abbreviates ( z. e z) and z does not occur in e St H p [y] := 5 St H p y St(y) y St(y) 5 Heap Assignment Axiom Instance {y } [y] := 5 {y 5} where (y ) abbreviates ( z. y z) and z does not occur in y Heap Assignment Semantics: put value of e 1 into contents of location e evaluate e (in the current state) as location l i.e. St(e) fault if location l i.e. St(e) is not in the current heap i.e. H p otherwise make contents of location l the value of e 1 i.e St(e 1 ) COMP 2600 Separation Logic 39

15 Heap Assignment Axiom of Separation Logic Heap Assignment Axiom {e } [e] := e 1 {e e 1 } where (e ) abbreviates ( z. e z) St H p [e] := e 1 St H p e St(e) e St(e) c St(e 1 ) Semantics of e e 1 is (St,H p) = e e 1 if dom(h p)={st(e)} and H p(st(e)) = St(e 1 ) i.e. H p is a single location St(e) containing St(e 1 ) Semantics of e is (St,H p) = z.e z if for some value c we have dom(h p)={st(e)} and H p(st(e)) = c i.e. H p is a single location St(e) containing c So Heap Assignment Axiom means: if H p is a single location St(e) containing c then [e] := e 1 gives a single location St(e) containing St(e 1 ) COMP 2600 Separation Logic 40

16 Heap Assignment Axiom of Separation Logic Heap Assignment Axiom {e } [e] := e 1 {e e 1 } where (e ) abbreviates ( z. e z) St H p [e] := e 1 St H p e St(e) e St(e) c St(e 1 ) So Heap Assignment Axiom means: if H p is a single location St(e) containing c then [e] := e 1 gives a single location St(e) containing St(e 1 ) Heap Assignment Semantics: put value of e 1 into contents of location e evaluate e (in the current state) as location l i.e. St(e) fault if location l i.e. St(e) is not in the current heap i.e. H p otherwise make the contents of location l i.e. H p(st(e)) the value of expression e 1 i.e St(e 1 ) COMP 2600 Separation Logic 41

17 Heap Assignment Axiom of Separation Logic Heap Assignment Axiom {e } [e] := e 1 {e e 1 } where (e ) abbreviates ( z. e z) St H p [e] := e 1 St H p e St(e) e St(e) c St(e 1 ) Heap Assignment Axiom means: if H p is a single location St(e) containing some value then [e] := e 1 gives a single location St(e) containing St(e 1 ) Faults?: The assignment statement faults if location St(e) is not in the heap But: the precondition (e ) tells us that heap does contains location St(e) Hence: heap assignment will not fault if it is executed from such a prestate Smallness: the heap is as small as possible i.e. of size one COMP 2600 Separation Logic 42

18 Allocation Assignment Axiom of Separation Logic Allocation Assignment Axiom {x = v emp} x := cons(e 1,e 2,,e n ) {x e 1 (v/x),e 2 (v/x),,e n (v/x)} where v is an auxiliary variable different from x and not appearing in e 1,e 2,,e n Allocation Assignment Axiom means: if St(x) = v and H p is empty then x := cons(e 1,e 2,,e n ) makes x e 1 (v/x),e 2 (v/x),,e n (v/x) true Allocation Assignment Statement: means the following by definition St x := cons(e 1,e 2,,e n ) St H p x = l l l + 1 l + n 1 St(e 1 (v/x)) St(e 2 (v/x)) St(e n (v/x)) Never faults by definition COMP 2600 Separation Logic 43

19 Allocation Assignment Axiom of Separation Logic Allocation Assignment Axiom {x = v emp} x := cons(e 1,e 2,,e n ) {x e 1 (v/x),e 2 (v/x),,e n (v/x)} where v is an auxiliary variable different from x and not appearing in e 1,e 2,,e n St x := cons(e 1,e 2,,e n ) St H p x = l l l + 1 l + n 1 St(e 1 (v/x)) St(e 2 (v/x)) St(e n (v/x)) Semantics of x e 1 (v/x),e 2 (v/x),,e n (v/x) must say H p consists of n distinct locations such that picture holds Let: x e 1 (v/x),e 2 (v/x),,e n (v/x) abbreviate x e 1 (v/x) (x + 1) e 2 (v/x) (x + n 1) e n (v/x) COMP 2600 Separation Logic 44

20 Semantics of Separation Logic Store : Var Val Heap : Num f in Val State = Store Heap St(e) value of an expression in a store as explained earlier (St,H p) = emp if H p = /0 (St,H p) = e 1 e 2 if dom(h p)={st(e 1 )} and H p(st(e 1 )) = St(e 2 ) New: binary connective relating two formulae Semantics: (St,H p) = A B if H p can be partitioned into two disjoint heaps H p 1 and H p 2 and (St,H p 1 ) = A and (St,H p 2 ) = B Implies: (St,H p) = A 1 A 2 A n if H p can be partitioned into n distinct heaps H p 1,H p 2,,H p n and (St,H p 1 ) = A 1 and (St,H p 2 ) = A 2 and and (St,H p n ) = A n COMP 2600 Separation Logic 45

21 Allocation Assignment Axiom of Separation Logic Allocation Assignment Axiom {x = v emp} x := cons(e 1,e 2,,e n ) {x e 1 (v/x),e 2 (v/x),,e n (v/x)} where v is an auxiliary variable different from x and not appearing in e 1,e 2,,e n St x := cons(e 1,e 2,,e n ) St H p x = v x St(x) St(x) + 1 St(x) + n 1 St(e 1 (v/x)) St(e 2 (v/x)) St(e n (v/x)) So: x e 1 (v/x),e 2 (v/x),,e n (v/x) abbreviates x e 1 (v/x) (x + 1) e 2 (v/x) (x + n 1) e n (v/x) Allocation Assignment Axiom means: if St(x) = v and the heap is empty then executing x := cons(e 1,e 2,,e n ) gives a heap consisting of n new consecutive locations, where location St(x)+i contains St(e i+1 (v/x)) COMP 2600 Separation Logic 46

22 Allocation Assignment Axiom of Separation Logic Allocation Assignment Axiom {x = v emp} x := cons(e 1,e 2,,e n ) {x e 1 (v/x),e 2 (v/x),,e n (v/x)} where v is an auxiliary variable different from x and not appearing in e 1,e 2,,e n So: x e 1 (v/x),e 2 (v/x),,e n (v/x) abbreviates x e 1 (v/x) (x + 1) e 2 (v/x) (x + n 1) e n (v/x) Allocation Assignment Axiom means: if St(x) = v and the heap is empty then executing x := cons(e 1,e 2,,e n ) gives a heap consisting of n new consecutive locations, where location St(x)+i contains St(e i+1 (v/x)) Faults?: never by definition of allocation Smallness: the initial heap is as small as possible i.e. empty and the final heap is no larger than needed COMP 2600 Separation Logic 47

23 Dispose Axiom of Separation Logic Dispose Axiom {e } dispose(e) {emp} where (e ) abbreviates ( z. e z) and z does not occur in e St H p dispose(e) St e St(e) c Dispose Axiom means: if the heap is a single location St(e) containing some value c then executing dispose(e) gives the empty heap Deallocation: dispose(e) evaluate e to get some number l i.e. St(e) e.g. dispose(q) fault if location l is not in the heap otherwise remove location l from the heap COMP 2600 Separation Logic 48

24 Dispose Axiom of Separation Logic Dispose Axiom {e } dispose(e) {emp} where (e ) abbreviates ( z. e z) and z does not occur in e St H p dispose(e) St e St(e) c Dispose Axiom means: if the heap is a single location St(e) containing some value c then executing dispose(e) gives the empty heap Faults?: running dispose(e) from a prestate satisfying e means that the location St(e) is in the H p so it will not fault Smallness: initial heap is smallest possible heap from which we can dispose something i.e. singleton COMP 2600 Separation Logic 49

Separation Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré. Australian National University Semester 2, 2016

Separation Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré. Australian National University Semester 2, 2016 Separation Logic COMP2600 Formal Methods for Software Engineering Rajeev Goré Australian National University Semester 2, 2016 COMP 2600 Separation Logic 1 Motivation: Reasoning About Pointers Recall this