Hoare Logic and Model Checking

Similar documents
Hoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic

Hoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18

Hoare Logic and Model Checking

Hoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic

Hoare logic. A proof system for separation logic. Introduction. Separation logic

The Rule of Constancy(Derived Frame Rule)

Separation Logic: syntax, semantics and calculus

Separation Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré. Australian National University Semester 2, 2016

An Annotated Language

BI as an Assertion Language for Mutable Data Structures

Hoare triples. Floyd-Hoare Logic, Separation Logic

Compilation and Program Analysis (#11) : Hoare triples and shape analysis

Precision and the Conjunction Rule in Concurrent Separation Logic

Variable Side Conditions and Greatest Relations in Algebraic Separation Logic

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Inferring Invariants in Separation Logic for Imperative List-processing Programs

More on Operational Semantics

Reasoning About Imperative Programs. COS 441 Slides 10

Integrating Arrays into the Heap-Hop program prover

Linear Logic, Heap-shape Patterns and Imperative Programming

Functional Programming. Pure Functional Programming

On Garbage and Program Logic

Representation Independence, Confinement and Access Control

Local Reasoning about a Copying Garbage Collector

Denotational Semantics of a Simple Imperative Language Using Intensional Logic

A Context-Sensitive Memory Model for Verification of C/C++ Programs

Hiding local state in direct style: a higher-order anti-frame rule

Separation Logic Tutorial

CS558 Programming Languages

Lecture 14. No in-class files today. Homework 7 (due on Wednesday) and Project 3 (due in 10 days) posted. Questions?

Heap, Variables, References, and Garbage. CS152. Chris Pollett. Oct. 13, 2008.

Inferring Invariants in Separation Logic for Imperative List-processing Programs

Introduction to Permission-Based Program Logics. Thomas Wies New York University

An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C

Blaming the client: on data refinement in the presence of pointers

CS 270 Algorithms. Oliver Kullmann. Binary search. Lists. Background: Pointers. Trees. Implementing rooted trees. Tutorial

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Induction and Semantics in Dafny

CS558 Programming Languages

Pointers. Memory. void foo() { }//return

Introduction to Axiomatic Semantics

Lectures 20, 21: Axiomatic Semantics

Overview. Probabilistic Programming. Dijkstra s guarded command language: Syntax. Elementary pgcl ingredients. Lecture #4: Probabilistic GCL

Mutable References. Chapter 1

Declaring Pointers. Declaration of pointers <type> *variable <type> *variable = initial-value Examples:

Proving Properties on Programs From the Coq Tutorial at ITP 2015

Denotational Semantics

Representation Independence, Confinement and Access Control

Checks and Balances - Constraint Solving without Surprises in Object-Constraint Programming Languages: Full Formal Development

A Proposal for Weak-Memory Local Reasoning

Lecture Notes on Memory Layout

Operational Semantics. One-Slide Summary. Lecture Outline

Programming Languages Third Edition

A Grainless Semantics for Parallel Programs with Shared Mutable Data

6. Hoare Logic and Weakest Preconditions

Verifying Concurrent Memory Reclamation Algorithms with Grace

A CRASH COURSE IN SEMANTICS

A semantics for concurrent separation logic

Program logics for relaxed consistency

Program Analysis: Lecture 02 Page 1 of 32

PROGRAM ANALYSIS & SYNTHESIS

[0569] p 0318 garbage

Compiler Construction

CS558 Programming Languages. Winter 2013 Lecture 3

Verified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017

Chapter 13: Reference. Why reference Typing Evaluation Store Typings Safety Notes

Transforming Programs into Recursive Functions

CS 330 Lecture 18. Symbol table. C scope rules. Declarations. Chapter 5 Louden Outline

Type Systems Winter Semester 2006

Type Soundness and Race Freedom for Mezzo

Introduction to Shape and Pointer Analysis

Application: Programming Language Semantics

Denotational Semantics. Domain Theory

Programmiersprachen (Programming Languages)

G Programming Languages Spring 2010 Lecture 4. Robert Grimm, New York University

Formal Semantics of Programming Languages

Pointer Programs, Separation Logic

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

Programming Languages Third Edition. Chapter 7 Basic Semantics

Pointers, Dynamic Data, and Reference Types

Operational Semantics of Cool

Static Program Analysis

CS558 Programming Languages Winter 2018 Lecture 4a. Andrew Tolmach Portland State University

Lecture 5 - Axiomatic semantics

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Lecture 13. Notation. The rules. Evaluation Rules So Far

Programming Languages Third Edition. Chapter 10 Control II Procedures and Environments

Towards imperative modules: reasoning about invariants and sharing of mutable state

A Shape Graph Logic and A Shape System

Separation and Information Hiding

On the C11 Memory Model and a Program Logic for C11 Concurrency

A Brief Introduction to Scheme (II)

An Overview of Separation Logic

Lecture Outline. COOL operational semantics. Operational Semantics of Cool. Motivation. Notation. The rules. Evaluation Rules So Far.

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Pointers. Chapter 8. Decision Procedures. An Algorithmic Point of View. Revision 1.0

Principles of Programming Languages

Formal Systems II: Applications

Goals: Define the syntax of a simple imperative language Define a semantics using natural deduction 1

Exercise 10 Object Structures and Aliasing November 27, 2015

Transcription:

Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft

Pointers

Pointers and state So far, we have been reasoning about a language without pointers, where all values were numbers. In this lecture we will extend the WHILE language with pointers and introduce an extension of Hoare logic, called Separation Logic, to simplify reasoning about pointers. 1

Pointers and state E ::= N null V E 1 + E 2 expressions E 1 E 2 E 1 E 2 B ::= T F E 1 = E 2 boolean expressions E 1 E 2 E 1 E 2 C ::= skip C 1 ; C 2 V := E commands if B then C 1 else C 2 while B do C V := [E] [E 1 ] := E 2 V := cons(e 1,..., E n ) dispose(e) 2

Pointers and state Commands are now evaluated with respect to a heap h that stores the current value of allocated locations. Reading, writing and disposing of pointers fails if the given location is not currently allocated. Fetch assignment command: V := [E] evaluates E to a location l and assigns the current value of l to V ; faults if l is not currently allocated 3

Pointers and state Heap assignment command: [E 1 ] := E 2 evaluates E 1 to a location l and E 2 to a value v and updates the heap to map l to v; faults if l is not currently allocated Pointer disposal command, dispose(e) evaluates E to a location l and deallocates location l from the heap; faults if l is not currently allocated 4

Pointers and state Allocation assignment command: V := cons(e 1,..., E n ) chooses n consecutive unallocated locations, say l 1,..., l n, evaluates E 1,..., E n to values v 1,..., v n, updates the heap to map l i to v i for each i and assigns l 1 to V Allocation never fails. The language supports pointer arithmetic: e.g., X := cons(0, 1); Y := [X + 1] 5

Pointers and state In this extended language we can work with proper data structures, like the following singly-linked list. head 12 99 37 For instance, this operation deletes the first element of the list: x := [head + 1]; dispose(head); dispose(head + 1); head := x // lookup address of second element // deallocate first element // swing head to point to second element 6

Operational semantics

Pointers and state For the WHILE language we modelled the state as a function assigning values (numbers) to all variables: s State = def Var Val To model pointers we will split the state into a stack and a heap a stack assigns values to program variables, and a heap maps locations to values State = def Store Heap 7

Pointers and state Values now includes both numbers and locations Val = def Z + Loc Locations are modelled as natural numbers Loc = def N To model allocation, we model the heap as a finite function Store = def Var Val Heap = def Loc fin Val 8

Pointers and state WHILE p programs can fail in several ways dereferencing an invalid pointer invalid pointer arithmetic To model failure we introduce a distinguished failure value E[[ ]] : Exp Store { } + Val B[[ ]] : BExp Store { } + B : P(Cmd State ({ } State)) 9

Pointer dereference E[[E]](s) = l l dom(h) V := [E], (s, h) (s[v h(l)], h) E[[E]](s) = l l dom(h) V := [E], (s, h) 10

Pointer assignment E[[E 1 ]](s) = l l dom(h) E[[E 2 ]](s) = v v [E 1 ] := E 2, (s, h) (s, h[l v]) E[[E 1 ]](s) = l l dom(h) E[[E 2 ]](s) = [E 1 ] := E 2, (s, h) [E 1 ] := E 2, (s, h) 11

Reasoning about pointers

Reasoning about pointers In standard Hoare logic we can syntactically approximate the set of program variables that might be affected by a command C. mod(skip) = mod(x := E) = {X } mod(c 1 ; C 2 ) = mod(c 1 ) mod(c 2 ) mod(if B then C 1 else C 2 ) = mod(c 1 ) mod(c 2 ) mod(while B do C) = mod(c) 12

The rule of constancy The rule of constancy expresses that assertions that do not refer to variables modified by a command are automatically preserved during its execution. {P} C {Q} mod(c) FV (R) = {P R} C {Q R} This rule derivable in standard Hoare logic. This rule is important for modularity as it allows us to only mention the part of the state that we access. 13

Reasoning about pointers Imagine we extended Hoare logic with a new assertion, E 1 E 2, for asserting that location E 1 currently contains the value E 2 and extend the proof system with the following axiom: { } [E 1 ] := E 2 {E 1 E 2 } Then we loose the rule of constancy: { } [X ] := 1 {X 1} { Y 0} [X ] := 1 {X 1 Y 0} (the post-condition is false if X and Y refer to the same location.) 14

Reasoning about pointers In the presence of pointers, syntactically distinct variables can refer to the same location. Updates made through one variable can thus influence the state referenced by other variables. This complicates reasoning as we explicitly have to track inequality of pointers to reason about updates: {E 1 E 3 E 3 E 4 } [E 1 ] := E 2 {E 1 E 2 E 3 E 4 } 15

Separation logic

Separation logic Separation logic is an extension of Hoare logic that simplifies reasoning about mutable state using new connectives to control aliasing. Separation logic was proposed by John Reynolds in 2000 and developed further by Peter O Hearn and Hongsek Yang around 2001. It is still a very active area of research. 16

Separation logic Separation logic introduces two new concepts for reasoning about mutable state:: ownership: Separation logic assertions do not just describe properties of the current state, they also assert ownership of part of the heap. separation: Separation logic introduces a new connective, written P Q, for asserting that the part of the heap owned by P and Q are disjoint. This makes it easy to describe data structures without sharing. 17

Separation logic Separation logic introduces a new assertion, written E 1 E 2, for reasoning about individual heap cells. The points-to assertion, E 1 E 2, asserts that the current value of heap location E 1 is E 2, and asserts ownership of heap location E 1. 18

Meaning of separation logic assertions The semantics of a separation logic assertion, written [[P]](s), is a set of heaps that satisfy the assertion P. The intended meaning is that if h [[P]](s) then P asserts ownership of any locations in dom(h). The heaps h [[P]](s) are thus referred to as partial heaps, since they only contain the locations owned by P. The empty heap assertion, only holds for the empty heap: [[emp]](s) = def {[]} 19

Meaning of separation logic assertions The points-to assertion, E 1 E 2, asserts ownership of the location referenced by E 1 and that this location currently contains E 2 : [[E 1 E 2 ]](s) = def {h dom(h) = {E[[E 1 ]](s)} h(e[[e 1 ]](s)) = E[[E 2 ]](s)} Separating conjunction, P Q, asserts that the heap can be split into two distjoint parts such that one satisfies P and the other Q: [[P Q]](s) = def {h h 1, h 2. h = h 1 h 2 h 1 [[P]](s) h 2 [[Q]](s)} Here we use h 1 h 2 as shorthand for h 1 h 2 where h 1 h 2 is only defined when dom(h 1 ) dom(h 2 ) =. 20

Examples of separation logic assertions 1. X E 1 Y E 2 This assertion is unsatisfiable in a state where X and Y refer to the same location, since X E 1 and Y E 2 would both assert ownership of the same location. The following heap satisfies the assertion: X E 1 E 2 Y 2. X E X E This assertion is not satisfiable. 21

Meaning of separation logic assertions The first-order primitives are interpreted much like for Hoare logic: [[ ]](s) = def [[ ]](s) = def Heap [[P Q]](s) = def [[P]](s) [[Q]](s) [[P Q]](s) = def [[P]](s) [[Q]](s) [[P Q]](s) = def {h h [[P]](s) h [[Q]](s)}. 22

Examples of separation logic assertions 3. X E 1 Y E 2 This asserts that X and Y alias each other and E 1 = E 2 : X E 1 Y 23

Examples of separation logic assertions 4. X Y Y X X Y 5. X E 1, Y Y E 2, null X E 1 E 2 Here X E 1,..., E n is shorthand for X E 1 (X + 1) E 2 (X + n 1) E n 24

Summary: Separation logic assertions Separation logic assertions describe properties of the current state and assert ownership of parts of the current heap. Separation logic controls aliasing of pointers by asserting that assertions own disjoint heap parts. 25

Separation logic triples

Separation logic triples Separation logic (SL) extends the assertion language but uses the same Hoare triples to reason about the behaviour of programs {P} C {Q} [P] C [Q] but with a different meaning. Our SL triples extend the meaning of our HL triples in two ways they ensure that our WHILE p programs do not fail they require that we respect the ownership discipline associated with assertions 26

Separation logic triples Separation logic triples require that we assert ownership in the precondition of any heap-cells modified. For instance, the following triple asserts ownership of the location denoted by X and stores the value 2 at this location {X 1} [X ] := 2 {X 2} However, the following triple is not valid, because it updates a location that it may not be the owner of {Y 1} [X ] := 2 {Y 1} 27

Framing How can we make this idea that triples must assert ownership of the heap-cells they modify precise? The idea is to require that all triples must preserve any assertions disjoint from the precondition. This is captured by the frame-rule: {P} C {Q} mod(c) FV (R) = {P R} C {Q R} The assertion R is called the frame. 28

Framing How does preserving all frames force triples to assert ownership of heap-cells they modify? Imagine that the following triple did hold and preserved all frames: {Y 1} [X ] := 2 {Y 1} In particular, it would preserve the frame x 1: {Y 1 X 1} [X ] := 2 {Y 1 X 1} This triple definitely does not hold, since the location referenced by X contains 2 in the terminal state. 29

Framing This problem does not arise for triples that assert ownership of the heap-cells they modify, since triples only have to preserve frames disjoint from the precondition. For instance, consider this triple which does assert ownership of X {X 1} [X ] := 2 {X 2} If we frame on X 1 then we get the following triple which holds vacuously since no initial states satisfies X 1 X 1. {X 1 X 1} [X ] := 2 {X 2 X 1} 30

Meaning of Separation logic triples The meaning of {P} C {Q} in Separation logic is thus C does not fault when executed in an initial state satisfying P, if C terminates in a terminal state when executed from an initial heap h 1 h F where h 1 satisfies P then the terminal state has the form h 1 h F where h 1 satisfies Q This bakes-in the requirement that triples must satisfy framing, by requiring that they preserve all disjoint frames h F. 31

Meaning of Separation logic triples Written formally, the meaning is: = {P} C {Q} = def ( s, h. h [[P]](s) ( C, (s, h) )) ( s, s, h, h, h F. dom(h) dom(h F ) = h [[P]](s) C, (s, h h F ) (s, h ) h 1. h = h 1 h F h 1 [[Q]](s )) 32

Summary Separation logic is an extension of Hoare logic with new primitives to simplify reasoning about pointers. Separation logic extends Hoare logic with a notion of ownership and separation to control aliasing and reason about shared mutable data structures. Suggested reading: John C. Reynolds. Separation Logic: A Logic for Shared Mutable Data Structures. 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback