Hoare triples. Floyd-Hoare Logic, Separation Logic

Similar documents
Compilation and Program Analysis (#11) : Hoare triples and shape analysis

An Annotated Language

Hoare logic. A proof system for separation logic. Introduction. Separation logic

The Rule of Constancy(Derived Frame Rule)

Hoare Logic and Model Checking

Hoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic

Lectures 20, 21: Axiomatic Semantics

Introduction to Axiomatic Semantics

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Introduction to Axiomatic Semantics (1/2)

Hoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic

Hoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18

Lecture 5 - Axiomatic semantics

Introduction to Axiomatic Semantics (1/2)

Integrating Arrays into the Heap-Hop program prover

6. Hoare Logic and Weakest Preconditions

Hoare Logic and Model Checking

Separation Logic: syntax, semantics and calculus

Chapter 1. Introduction

Reasoning About Imperative Programs. COS 441 Slides 10

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Programming Languages Third Edition

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

A CRASH COURSE IN SEMANTICS

Separation Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré. Australian National University Semester 2, 2016

A short manual for the tool Accumulator

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

Outline. Introduction. 2 Proof of Correctness. 3 Final Notes. Precondition P 1 : Inputs include

Program Verification. Aarti Gupta

Advances in Programming Languages

The semantics of a programming language is concerned with the meaning of programs, that is, how programs behave when executed on computers.

Separation Logic Tutorial

Program Verification Using Separation Logic

Overview. Verification with Functions and Pointers. IMP with assertions and assumptions. Proof rules for Assert and Assume. IMP+: IMP with functions

Functional Programming in Haskell Prof. Madhavan Mukund and S. P. Suresh Chennai Mathematical Institute

Inferring Invariants in Separation Logic for Imperative List-processing Programs

Softwaretechnik. Program verification. Albert-Ludwigs-Universität Freiburg. June 28, Softwaretechnik June 28, / 24

Programming Languages and Compilers Qualifying Examination. Answer 4 of 6 questions.

Handout 9: Imperative Programs and State

Principles of Program Analysis. Lecture 1 Harry Xu Spring 2013

Introduction to Denotational Semantics. Brutus Is An Honorable Man. Class Likes/Dislikes Survey. Dueling Semantics

Axiomatic Rules. Lecture 18: Axiomatic Semantics & Type Safety. Correctness using Axioms & Rules. Axiomatic Rules. Steps in Proof

Introduction to Denotational Semantics. Class Likes/Dislikes Survey. Dueling Semantics. Denotational Semantics Learning Goals. You re On Jeopardy!

Abstract Interpretation

Symbolic Execution and Proof of Properties

Verification Condition Generation

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Lecture Notes on Memory Layout

BI as an Assertion Language for Mutable Data Structures

Program logics for relaxed consistency

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Critical Analysis of Computer Science Methodology: Theory

Inferring Invariants in Separation Logic for Imperative List-processing Programs

Proof Carrying Code(PCC)

Program Verification. Program Verification 307/434

Compositional Resource Invariant Synthesis

Warm-Up Problem. Let be a set of well-formed Predicate logic formulas. Let be well-formed Predicate logic formulas. Prove or disprove the following.

Chapter 3 (part 3) Describing Syntax and Semantics

CS 161 Computer Security

Main Goal. Language-independent program verification framework. Derive program properties from operational semantics

A Hoare Logic Contract Theory: An Exercise in Denotational Semantics

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Propositional Logic. Part I

Precision and the Conjunction Rule in Concurrent Separation Logic

PLSV, Mock Test, 2011

From Hoare Logic to Matching Logic Reachability. Grigore Rosu and Andrei Stefanescu University of Illinois, USA

CIS 500 Software Foundations. Final Exam. May 3, Answer key

6.001 Notes: Section 15.1

Automating Separation Logic for Concurrent C Minor

Logic and Computation Lecture 20 CSU 290 Spring 2009 (Pucella) Thursday, Mar 12, 2009

A Proposal for Weak-Memory Local Reasoning

Forward Assignment; Strongest Postconditions

A Partial Correctness Proof for Programs with Decided Specifications

System Assistance in Structured Domain Model Development*

axiomatic semantics involving logical rules for deriving relations between preconditions and postconditions.

Lecture 10 Notes Linked Lists

STABILITY AND PARADOX IN ALGORITHMIC LOGIC

Mathematical Logic Prof. Arindama Singh Department of Mathematics Indian Institute of Technology, Madras. Lecture - 9 Normal Forms

CMSC 330: Organization of Programming Languages. Operational Semantics

Lecture Notes on Queues

Software Quality Assurance

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Denotational Semantics of a Simple Imperative Language Using Intensional Logic

Lecture 15 : Review DRAFT

Verifying Concurrent Memory Reclamation Algorithms with Grace

Softwaretechnik. Program verification. Software Engineering Albert-Ludwigs-University Freiburg. June 30, 2011

CS2104 Prog. Lang. Concepts

Static semantics. Lecture 3-6: Semantics. Attribute grammars (2) Attribute grammars. Attribute grammars example. Dynamic semantics

Lecture 10 Notes Linked Lists

CITS5501 Software Testing and Quality Assurance Formal methods

Complexity, Induction, and Recurrence Relations. CSE 373 Help Session 4/7/2016

Mutable References. Chapter 1

Lecture Notes on Contracts

Why. an intermediate language for deductive program verification

Design and Analysis of Algorithms Prof. Madhavan Mukund Chennai Mathematical Institute. Week 02 Module 06 Lecture - 14 Merge Sort: Analysis

Hoare Logic: Proving Programs Correct

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics

Transcription:

Hoare triples Floyd-Hoare Logic, Separation Logic

1. Floyd-Hoare Logic 1969 Reasoning about control

Hoare triples {A} p {B} a Hoare triple partial correctness: if the initial state satisfies assertion A, and if the execution of program p terminates, then the final state satisfies assertion B inference rules {A[a/X ]} X := a {A} {A} skip {A} {A 1 } p 1 {A 2 } {A 2 } p 2 {A 3 } {A 1 } p 1 ; p 2 {A 3 } {A a 0} p 1 {B} {A (a 0)} p 2 {B} {A} if a 0 then p 1 else p 2 {B} {A I a 0} p {A I} {A I} while a 0 do p {A I (a 0)} A 1 A 2 {A 2 } p {B 2 } B 2 B 1 {A 1 } p {B 1 } expressive properties functional correctness rather than absence of runtime errors

Hoare logic main ingredients programmers X := Y+3 (Hoare) logicians X Y+3 ingredients in Hoare logic: 1. a language for programs p Imp 2. a language for assertions A 3. inference rules important aspects: invariants in loops logical deduction rule backward reasoning (in the rule for assignment)

Hoare logic: metatheoretical properties operational semantics and validity big step operational semantics for Imp: σ, p σ σ is an environment σ : V Z a map from variables to integers given some program p, σ is a partial mapping from a finite set of variables to Z the triple {A} p {B} is valid: for all σ, if σ satisfies A and σ, p σ, then σ satisfies B

Hoare logic: metatheoretical properties operational semantics and validity big step operational semantics for Imp: σ, p σ σ is an environment σ : V Z a map from variables to integers given some program p, σ is a partial mapping from a finite set of variables to Z the triple {A} p {B} is valid: for all σ, if σ satisfies A and σ, p σ, then σ satisfies B correctness If the triple {A} p {B} can be derived using the inference rules of Hoare logic, then it is valid. NB: we could also rely on denotational semantics associate to each program p some function F p from environments to environments (relative) completeness any valid triple can be constructed in Hoare logic, provided we can decide validity of the assertions (i.e., decide whether A always holds) logic rules capture the properties we want to express

Correct rules and completeness the 6 rules of Hoare logic are not the only correct rules for instance, the rule of constancy is correct too {A} p {B} {A C} p {B C} no variable in C is modified by p completeness: no new Hoare triple can be established if we add the rule of constancy the 6 rules tell everything using the rule of constancy makes proofs easier/more natural/more readable somehow, completeness is not only a theoretical question

The axiom for assignment the axiom for assignment goes backwards {A[a/X ]} X := a {A} Floyd s forward axiom (consider X := X + 3 to convince yourself) {A} X := a { i. (X = a[i/x ] A[i/X ])}

The axiom for assignment the axiom for assignment goes backwards {A[a/X ]} X := a {A} Floyd s forward axiom (consider X := X + 3 to convince yourself) {A} X := a { i. (X = a[i/x ] A[i/X ])} see also {A X = i} X := a {A[i/X ] X = a[i/x ]} i: ghost variable (should probably be written I)

Synonyms assertion formula A environment store σ correctness soundness for a rule

2. Separation Logic 2000 Reasoning about memory

Programs manipulating pointers Hoare logic deals essentially with control if a 0 then p 1 else p 2 p 1 ; p 2 while a 0 do p move to a richer language: add (some kind of) pointers and handling of memory allocation modification (move pointers around) liberation/deallocation different kinds of properties typical runtime errors we want to detect: memory leaks, invalid disposal, invalid accesses typically, other approaches either assume memory safety, or forbid dynamic memory allocation describe what programs manipulating pointers do adopt the same methodological framework Separation Logic is an enrichment of Floyd-Hoare logic

Extending Imp structure of memory at runtime in (traditional) Hoare-Floyd logic, programs manipulate variables the environment just records the (integer) value of each variable that is all we know about the memory dynamically allocated memory: add a heap component extending the programming language on the board

Extending Imp structure of memory at runtime in (traditional) Hoare-Floyd logic, programs manipulate variables the environment just records the (integer) value of each variable that is all we know about the memory dynamically allocated memory: add a heap component extending the programming language on the board what does this program do? J := nil ; while I!= nil do K := [I + 1]; [I + 1] := J; J := I; I := K on the board

Extending assertions: introducing heap formulas a memory state is (σ, h) where σ is a store h is a heap Hoare logic assertions state properties about the environment X Y Z + Q T > 0 add formulas to reason about the heap NB: X 52 usually makes more sense than 32 52 (both are assertions)

Hoare triples in Separation logic interpretation {A} p {B} holds iff σ, h., if (σ, h) = A, ( (σ, h) satisfies A) then (σ, h), p error, and if (σ, h), p (σ, h ), then (σ, h ) = B like in traditional Hoare logic, but: the state has a heap component absence of forbidden access to the memory

Small axioms on the board

Small axioms on the board axioms for heap-accessing operations are tight they only refer to the part of the heap they need to access (their footprint) along these lines, tight version of the axiom for (usual) assignment: {X = i emp} X := a {X = a[i/x ] emp} if X does not occur in a, the rule becomes simpler: {emp} X := a {X = a emp}

Small axioms on the board axioms for heap-accessing operations are tight they only refer to the part of the heap they need to access (their footprint) along these lines, tight version of the axiom for (usual) assignment: {X = i emp} X := a {X = a[i/x ] emp} if X does not occur in a, the rule becomes simpler: moreover, being tight tells us the following: {emp} X := a {X = a emp} suppose we can prove {10 32} p {10 52} whatever p is then we know that if we run p in a state where cell 11 is allocated, then p will not change the value of 11

The frame rule the rules of Hoare logic remain sound the rule of consistency becomes unsound {A} p {B} {A C} p {B C} no variable in C is modified by p {x } [x] := 4 {x 4} {x y 3} [x] := 4 {x 4 y 3} what if x = y?

The frame rule the rules of Hoare logic remain sound the rule of consistency becomes unsound {A} p {B} {A C} p {B C} no variable in C is modified by p {x } [x] := 4 {x 4} {x y 3} [x] := 4 {x 4 y 3} what if x = y? the Frame Rule {A} p {B} {A C} p {B C} no variable in C is modified by p separation logic is inherently modular as opposed to whole program verification

Separation logic: sum up inference rules those of Hoare logic control those for the new programming constructs memory important things: invariants in while loops, backward rule for assignment, consequence rule (tight) small axioms, footprint, frame rule metatheoretical properties correctness completeness

Beyond absence of runtime errors: recursive data structures

Reasoning about lists a linked list in memory is something like (X 1 k 1, X 2 ) (X 2 k 2, X 3 ) (X n k n, nil) (X a, b) stands for X a (X + 1) b describe the structure using assertions: add the possibility to write (recursive) equations list(i) = (i = nil emp) ( j, k. (i k, j) list(j))

Reasoning about lists a linked list in memory is something like (X 1 k 1, X 2 ) (X 2 k 2, X 3 ) (X n k n, nil) describe the structure using assertions: (X a, b) stands for X a (X + 1) b add the possibility to write (recursive) equations list(i) = (i = nil emp) ( j, k. (i k, j) list(j)) the formula above just specifies that we have a list in memory we can rely on mathematical lists ([], k::ks) to provide a more informative definition list([], i) = emp i = nil list(k::ks, i) = j. (i k, j) list(ks, j)

Recursive data structures we can specify similarly various kinds of data structures we can give a meaning to such recursive definitions using Tarski s theorem

Recursive data structures we can specify similarly various kinds of data structures we can give a meaning to such recursive definitions using Tarski s theorem an exercise list(i) = (i = nil emp) ( j, k. (i k, j) list(j)) write the code for a while loop that deallocates a linked list, and prove {list(x )} p {emp}, where p is your program

On the weirdness of auxiliary variables moreover, in the lecture we saw the small axiom for lookup {a i X = j} X := [a] {X = i a[j/x ] i} in the TD you saw its simpler form {a i} X := [a] {X = i a[j/x ] i} if X does not appear in a how does one entail the other? rule of auxiliary variable elimination if u does not appear in p if X does not appear in a, a[j/x ] = a {A} p {B} { u.a} p { u.b} {a i X = j} X := [a] {X = i a i} { j. (a i X = j) } X := [a] { j. (X = i a i) } }{{}}{{} X =i a i a i j. X = j a i

Going further

Reasoning about concurrent programs concurrent separation logic shared memory, several threads permissions, locks, critical sections ownership

Towards automation Hoare logic and separation logic are used naturally in an interactive manner if loop invariants are provided (as well as the global pre and post conditions), we can automatically chop the verification task into the proof of slices of the form {A} p 1 ; p 2 ;... ; p k {B}, where the p i s are elementary commands. construction of the Hoare triple boils down to being able to prove entailments between assertions, A B cf. the Why3 tool (Filliâtre et al.)

Towards automation of separation logic restrict the set of possible formulas: symbolic heaps P H P = P 1 P k H = H 1 H n pure formulas simple heap formulas (for instance,, list,emp) small axioms are adapted to symbolic heaps, yielding a specialised operational semantics deciding entailments for the pure part of symbolic heaps, standard approaches (theorem provers/automatic decision procedures) for the heap components, exploiting implications like (list(i) i = nil) emp (i k, j list(j)) list(i) more automation: discovering loop invariants back to abstract interpretation: abstract execution, generating a postcondition as we run through the loop sometimes abstracting (narrowing) to insure termination e.g., replacing i k, j j (k, j ) j = nil with list(i) (loosing information about the size of the list)

Modular analysis use the automated framework to analyse functions manipulating pointers compute Hoare triples for functions, without information about the rest of the code solve A?antiframe B?frame antiframe: missing portion of heap because of function calls, the outer function body should have some parts of the heap in its precondition frame: leftover portion of heap the postcondition of the outer function body specifies what parts of the heap are left unchanged

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback