Separation Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré. Australian National University Semester 2, 2016

Transcription

1 Separation Logic COMP2600 Formal Methods for Software Engineering Rajeev Goré Australian National University Semester 2, 2016 COMP 2600 Separation Logic 1

2 Motivation: Reasoning About Pointers Recall this example from Hoare Logic Lecture III. How is aliasing a problem? Suppose x and y refer to the same cell of memory. 1. {y + 1 = 5 y = 5} x:=y+1 {x = 5 y = 5} (Assignment) 2. {y = 4 y = 5} x:=y+1 {x = 5 y = 5} (1. PreEq) 3. {False} x:=y+1 {x = 5 y = 5} (2. PreEq) i.e. if initial state is inconsistent and x:=y+1 terminates then final state makes {x = 5 y = 5} true But also works for x = 6 y = 6 so our assignment rule is no longer as strong as possible. Problem: we need a way to say refers to the same/different cell of memory COMP 2600 Separation Logic 2

3 From Hoare Logic To Separation Logic Floyd 1967: gave some rules to reason about programs Sometimes, our Hoare Logic is called Floyd-Hoare Logic in recognition Many attempts made to extend Floyd-Hoare Logic to handle pointers Only really solved in the past 15 years by Reynolds, O Hearn and Yang around 2000 using a connective called separating conjunction The connective originally studied at ANU Philosophy in 1970s by Robert K Meyer... who started the Logic and Computation Group! But... to make the presentation less scary, we need to first extend Hoare Logic with an axiom due to Floyd COMP 2600 Separation Logic 3

4 Hoare Logic: syntax, semantics and calculus Syntax Semantics Calculus FOL N/A = + Arithmetic N/A := ; while if then else State maps variables to values (no pointers) N/A {P}S{Q} if initial state satisfies P and S terminates then final state satisfies Q 6 Inference Rules COMP 2600 Separation Logic 4

5 Store Assignment Axiom of Floyd Hoare Axiom: {Q(e)} x := e {Q(x)} (backward driven) Floyd Axiom: forward driven but equivalent to Hoare Axiom {x = v} x := e {x = e(v/x)} where v is an auxiliary variable which does not occur in e and e(v/x) means replace all occurrences of x in e by v Example Hoare Instance: {(x + 1 = 5)} x := x + 1 {x = 5} Example Floyd Instance: {x = v} x := x + 1 {x = (x + 1)(v/x)} i.e. {x = v} x := x + 1 {x = (v + 1)} i.e. if we want the post-condition x = 5 then instantiate v to be 4 {x = 4} x := x + 1 {x = 5} Note: does not solve the problem with pointers! COMP 2600 Separation Logic 5

6 Store Assignment Axiom of Floyd Hoare Axiom: {Q(e)} x := e {Q(x)} (backward driven) Floyd Axiom: forward driven but equivalent to Hoare Axiom {x = v} x := e {x = e(v/x)} where v is an auxiliary variable which does not occur in e and e(v/x) means replace all occurrences of x in e by v Example Hoare Instance: {(1 = 1)} x := 1 {x = 1} Example Floyd Instance: {x = v} x := 1 {x = (1)(v/x)} i.e. {x = v} x := 1 {x = 1} i.e. if we want the pre-condition 1 = 1 (i.e. True) then instantiate v to x {x = x} x := 1 {x = 1} Separation Logic: based on such forward reasoning zero-premise rules COMP 2600 Separation Logic 6

7 My Policy To Make This Material Accessible Honest: the two really are equivalent but I am hiding the gory details of the first order logic proof that they are equivalent Credits: my notes are based upon a set of notes written by Michael Gordon Beware: he uses heavy duty logic and his notes are for a third year course! Promise: I will tell the truth. I may not tell the whole truth, but I will not lie. Name clash: Separation Logic is used for both the extension of Hoare Logic and the extension of first-order logic upon which it is based! Search: separation logic and you will get many technical papers, most of which will be impenetrable, so beware! COMP 2600 Separation Logic 7

8 Hoare Logic + Floyd Axiom: syntax, semantics and calculus Syntax Semantics Calculus FOL N/A = + Arithmetic N/A := ; while if then else State maps variables to values (no pointers) N/A {P}S{Q} if initial state satisfies P and S terminates then final state satisfies Q 6 Inference Rules + Floyd Axiom COMP 2600 Separation Logic 8

9 COMP 2600 Separation Logic 9

10 Separation Logic: syntax, semantics and calculus Syntax Semantics Calculus emp SL N/A FOL N/A = + Arithmetic N/A := ; while if then else [.] dispose(.) cons(.) State is a pair (Store,Heap) St(.) maps variables to values H p(.) maps locations to values N/A if initial state satisfies P {P}S{Q} and S terminates More Inference then S does not fault and Rules COMP 2600 Separation Logic 10 final state satisfies Q

11 Our Computation Model Background: a function maps members of a domain to members of a range Assume: Num Val Assume: nil Val but not in Num numbers will be memory locations nil not a memory location Same as before: Store maps Variables to Values i.e. we can ask St(x) and we will get back a Value New: Heap maps a finite subset of Numbers to Values i.e. we can ask H p(l) where l is a number and we will get back a Value if this location has been allocated Old State = Store New: State = (Store, Heap) COMP 2600 Separation Logic 11

12 Evaluating Expressions in the Store of a State Strictly speaking, the store gives values to variables only. But we need a way to say value of an expression in a store so we will abuse notation and use St(e) for this as below: St(n) where n is a number is just its usual value St(1) = 1 St(x + n) where n is a number and x is a variable is St(x) + St(n) = St(x) + n St(e 1 = e 2 ) is true if St(e 1 ) = St(e 2 ) This is supposed to be intuitive, so please complain if it isn t! COMP 2600 Separation Logic 12

13 COMP 2600 Separation Logic 13

14 Separation Logic: syntax, semantics and calculus Syntax Semantics Calculus emp SL N/A FOL N/A = + Arithmetic N/A := ; while if then else [.] dispose(.) cons(.) State is a pair (Store,Heap) St(.) maps variables to values H p(.) maps locations to values N/A if initial state satisfies P {P}S{Q} and S terminates More Inference then S does not fault and Rules COMP 2600 Separation Logic 14 final state satisfies Q

15 Extra Programming Constructs: Syntax and Intuitions Fetch: v := [e] evaluate expression e in current state to get location l fault if location l is not in the current heap otherwise variable v is assigned the contents of location l Example: x := [y + 1] St H p x := [y + 1] St H p y = y = x = Non Examples: x := [[y + 1]] x := [y] + 1 COMP 2600 Separation Logic 15

16 Extra Programming Constructs: Syntax and Intuitions Heap Assignment/Mutation: [e] := e 1 evaluate e (in the current state) as location l fault if location l is not in the current heap otherwise make the contents of location l the value of expression e 1 Example [y + 1] := 5 St H p [y + 1] := 5 St H p y = y = Non-examples: [[x]] := 5 [x] + 1 := 5 COMP 2600 Separation Logic 16

17 Extra Programming Constructs: Syntax and Intuitions Allocation: v := cons(e 1,e 2,,e n ) extend the heap with n consecutive new locations l,l +1,,l +n 1 put values of e 1,,e n into locations l,,l + n 1 respectively extend the store by assigning v the value l (never faults) Example: p := cons(3,7) St H p p := cons(3,7) St H p p = Example: p := cons(q,q + 1) St H p p := cons(q,q + 1) St H p q = 5 q = p = COMP 2600 Separation Logic 17

18 Extra Programming Constructs: Syntax and Intuitions Deallocation: dispose(e) evaluate e to get some number l fault if location l is not in the heap otherwise remove location l from the heap Example: dispose(q) St H p dispose(q) St H p q = q = p = p = Example: dispose(p) St H p dispose(p) St H p q = q = p = p = COMP 2600 Separation Logic 18

19 COMP 2600 Separation Logic 19

20 Separation Logic: syntax, semantics and calculus Syntax Semantics Calculus emp SL N/A FOL N/A = + Arithmetic N/A := ; while if then else [.] dispose(.) cons(.) State is a pair (Store,Heap) St(.) maps variables to values H p(.) maps locations to values N/A if initial state satisfies P {P}S{Q} and S terminates More Inference then S does not fault and Rules COMP 2600 Separation Logic 20 final state satisfies Q

21 Semantics of Separation Logic Store : Var Val Heap : Num f in Val State = Store Heap St(e) value of an expression in a store as explained earlier (St,H p) = emp if dom(h p) = /0 i.e. a state (St,H p) makes the formula emp true if the heap is empty COMP 2600 Separation Logic 21

22 Store Assignment Axiom For Separation Logic Hoare Axiom: {Q(e)} x := e {Q(x)} Floyd Axiom: {x = v} x := e {x = e(v/x)} where v is an auxiliary variable which does not occur in e Store Assignment Axiom for Separation Logic: {x = v emp} x := e {x = e(v/x) emp} where v is an auxiliary variable which does not occur in e New: atomic formula emp to say that the heap is empty Why: we want to track the smallest amount of heap information COMP 2600 Separation Logic 22

23 Store Assignment Axiom for Separation Logic Store Assignment Axiom for Separation Logic: {x = v emp} x := e {x = e(v/x) emp} where v is an auxiliary variable which does not occur in e Example Instance: {x = v emp} x := 1 {x = (1)(v/x) emp} i.e. {x = v emp} x := 1 {x = 1 emp} i.e. if we want the pre-condition 1 = 1 (i.e. True) then instantiate v to x {x = x emp} x := 1 {x = 1 emp} COMP 2600 Separation Logic 23

24 Fetch Assignment Axiom of Separation Logic {(x = v 1 ) (e v 2 )} x := [e] {(x = v 2 ) (e(v 1 /x) v 2 )} where v 1 and v 2 are auxiliary variables which do not occur in e Example: x := [y] St H p x := [y] St H p y = y = x = 1 1 e is y: so {(x = v 1 ) (y v 2 )} x := [y] {(x = v 2 ) (e(v 1 /x) v 2 )} v 2 is 1: so {(x = v 1 ) (y 1)} x := [y] {(x = 1) (e(v 1 /x) 1)} e(v 1 /x) is y: since there are no occurrences of x in y so {(x = v 1 ) (y 1)} x := [y] {(x = 1) (y 1)} COMP 2600 Separation Logic 24

25 COMP 2600 Separation Logic 25

26 Separation Logic: syntax, semantics and calculus Syntax Semantics Calculus emp SL N/A FOL N/A = + Arithmetic N/A := ; while if then else [.] dispose(.) cons(.) State is a pair (Store,Heap) St(.) maps variables to values H p(.) maps locations to values N/A if initial state satisfies P {P}S{Q} and S terminates More Inference then S does not fault and Rules COMP 2600 Separation Logic 26 final state satisfies Q