Introduction to Separation Logic

1
Introduction to Separation Logic

• presented by
• Greta Yorsh
• April 02, 2008IBM, Hawthorne

2
This Talk

• What is Separation Logic?
• Strengths and weaknesses
• Successful applications
• Main challenges

3
What is Separation Logic?

• Extension of Hoare logic
• low-level imperative programs
• shared mutable data structures

4
Motivating Example
assume( x 3 )
assume( x 3 ? x ! y ? x ! z )
assume( y ! z )
assume( y ! z )
y 4 z 5 assert( y ! z )
assert( x 3 )

• contents are different
• contents stay the same
• different locations

5
Framing Problem
y ! z C y ! z
x 3 ? y ! z C y ! z ? x 3

• What are the conditions on aliasing btwn x, y, z ?

6
Framing Problem
P C Q
R ? P C Q ? R

• What are the conditions on C and R?
• in presence of aliasing and heap
• Separation logic introduces new connective

P C Q
R P C Q R
7
Outline

• Assertion language syntax and semantics
• Hoare-style proofs
• Program analysis
• Concurrency
• Termination
• Object-oriented programs

8
Assertion Language
9
Examples

• x ? y
• ls(y, z)
• x ? y ls(y, z)

8 ? 33
? z x
10
Syntax
11
Semantics

• Assertions are evaluated w.r.t. a state
• State is store and heap
• S Var ? Int
• H Loc ? Int where Loc ? Int
• Notations
• disjoint domains dom(H1) ? dom(H2)
• composition H1 ? H2
• evaluation ?E?S ? Int
• update Sxi
• S,H ? P

12
Semantics
13
Common Shorthands

• E ? E1,E2,..,En ? E ? E1 E1 ? E2 ...
  E(n-1) ? En
• E1 ? E2 ? E1 ? E2 true
• E ? _ ? ?x. E ? x

x
14
Examples
x
y
y
x
S x10, y30 H 104,113,304,313
S x10, y10 H 104,113
?
?
?
?
?
?
?
?
15
Inductive Definitions

• Describe invariants of recursive data-structure
• Trees
• List Segments
• Doubly-linked list segments
• Cyclic lists
• List of cyclic doubly linked lists
• Lists with head pointers
• Nested lists (bounded depth)
• ...
• Binary tree
• tree(E) ? (E nil ? emp) ? (?x,y. E ?x,y
  tree(x) tree(y))

16
List segment

• Acyclic, possibly empty
• ls(E, F) ? (EF ? emp) ? (E?F ? ?v. E?v ls(v,
  F))

• Possibly cyclic, panhandle, empty
• cls(E, F) ? (EF ? emp) ? (?x. E?x cls(x, F))

17
More complex structures

• Doubly-linked list segment
• dls(x,y,z) ? (xy ? emp)
• ? (x?y ? ?w. x?z,w dls(w,y,x))

x
y
z
18
Axioms
?

• ls(x,y) ls(y,nil) ? ls(x,nil)
• ls(x,y) ls(y,z) ? ls(x,z)
• ls(x,y) ? ?w. ls(x,w) w?y
• (P1 ? P2) Q ? (P1 Q) ? (P2 Q)
• x ? y z ? w ? x ? z
• x ? y ? z ? w ? x ? y ? x z ? y w

?
z allocated in ls(x,y)
?
empty heap
?
?
?
19
Axioms

• Weakening
• P ? Q ? P
• P Q ? P
• Contraction
• P ? P ? P
• P ? P P

?
?
x ? 1 y ? 2 ? x ? 1
?
?
x ? 1 ? x ? 1 x ? 1
20
Precise Assertions

• ? S,H there is at most one h ? h s.t. s,h ?
  P
• Examples
• precise x ? 1, ls(x,y)
• not precise ?x. x ? y, P ? Q
• Axiom for precise assertions
• (P1 ? P2) Q ? (P1 Q) ? (P2 Q)

21
Pure Assertions

• Syntax do not contain ? or emp
• Semantics do not depend on heap (for any store)
• Axioms for pure assertions
• xy z w ? xy ? z w

22
Symbolic Heaps

• Fragment of Separation Logic assertion language
• Decidable
• satisfiability, small model property
• entailment

• A (P ? ... ? P) ? (S ... S)
• E x nil E E
• P EE E ? E
• S E ? E tree(E) ls(E, E) dls(E, E, E)

23
Hoare-Style Proofs
24
Hoare Triples

• P C Q
• partial correctness
• if P holds when C starts and C terminates then
  Q holds after C
• no runtime errors (null dereferences)
• P C Q
• total correctness
• if P holds when C starts then C terminates and
  Q holds after C

25
The Programming Language
ltcommgt ltvargt cons(ltexpgt, ,
ltexpgt) ltvargt ltexpgt ltexpgt
ltexpgt dispose ltexpgt

• allocation
• heap lookup
• mutation
• deallocation

26
Operational Semantics by Example

• Allocation x cons(y, z)
• Heap lookup y x1
• Mutation x 1 3
• Deallocation dispose(x1)

Store x3, y40, z17 Heap empty
Store x37, y40, z17 Heap 3740, 3817
Store x37, y17, z17 Heap 3740, 3817
Store x37, y17, z17 Heap 3740, 383
Store x37, y17, z17 Heap 3740
27
Hoare Proof Rules for Partial Correctness
P skip P
P(v/e) ve P
P c1 R R c2 Q P c1c2Q
P?b c1 Q P ??b c2 Q P if b then
c1 else c2 Q
i?b c i i while b do c i??b
?P ? P P c Q ? Q ? Q p c q
28
Hoare Axiom for Assignment

• How to extend it for heap mutation ?
• Example

?
P ( e1 / e2 e1 e2 P
z40 x 77 z40
Store x37, y17, z37 Heap 3740, 383
Store x37, y17, z37 Heap 3777, 383
29
Small Axioms

• allocation
• heap lookup
• mutation
• deallocation

emp x cons(y, z) x ? y, z
E?z x E E? z ? x z
E1?_ E1 E2 E1 ? E2
E?_ dispose(E) emp
30
The Frame Rule
P C Q
Mod(C) ?free(R)
R P C Q R
31
The Frame Rule
P C Q
Mod(C) ?free(R)
R P C Q R

• Small Axioms give tight specification
• Allows the Small Axioms to apply generally
• Handle procedure calls modularly
• Frame rule is a key to local proofs

x?y ls(y,z) dispose(x) ls(y,z)
32
Reverse
list(x) ? ls(x,nil)
y nil while x ? nil do t x
x y y x x t
list(x)
list(x) list(y)
x ? nil ? list(x) list(y)
?i . x ?i list(i) list(y)
x ?i t x x? t ? t i
x?t list(t) list(y)
x ?_ x y x? y
x?y list(t) list(y)
list(t) list(x)
list(t) list(y)
list(x) list(y)
x nil ? list(x) list(y)
list(y)
33
Local Specification

• Footprint
• part of the state that is used by the command
• Local specification
• reasoning only about the footprint
• Frame rule
• from local to global spec

34
Frame Rule

• Sound
• safety-monotonicity
• frame property of small axioms
• Complete
• derives WLP or SP for commands

35
Weakest Preconditions

• Allocation
• v ? free(x,y,P)
• Lookup
• v ? free(E,P)\x
• Mutation
• Disposal

• wp(xcons(y,z), P) ? v. ( (v ? x,y)
• wp( x E, P) ? v. (e ? v) ? P(x/v)
• wp(E1E2, P) (E1 ?_ ) ( (E1? E2) - P))
• wp(dispose E, P) (E1 ?_ ) P

36
Automated verification andProgram analysis
37
Symbolic Execution

• Application of separation logic proof rules as
  symbolic execution
• Restrict assertion language to symbolic heaps
• Discharge entailments A ? B
• axiomatize consequences of induction
• Frame inference

38
DeleteTree
tree(t)

• DeleteTree (t)
• local i,j
• if (t ! nil)
• i t
• j t1
• DeleteTree(j)
• DeleteTree(i)
• dispose t

tree(t) ? t ? nil
?x,y. t ?x,y tree(x) tree(y)
t ?i,j tree(i) tree(j)
t ?i,j tree(i) emp
t ?i,j tree(i)
t ?i,j emp
emp
emp
39
Frame Inference

• Failed proof of entailment yields a frame
• Assertion at call site
• Callees precondition
• Frame

t ?i,j tree(i) tree(j)
tree(j)
t ?i,j tree(i) tree(j) ? tree(j)
.....
t ?i,j tree(i) ? emp
t ?i,j tree(i)
40
Frame Inference
DeleteTree(j)
tree(j)
emp
t ?i,j tree(i) tree(j)
t ?i,j tree(i)
DeleteTree(j)

• Assertion at call site
• Callees precondition

t ?i,j tree(i) tree(j)
tree(j)
41
Incompleteness of Frame Inference
x ?_ free(x) emp
y ?_ x ?_ free(x) y ?_

• Lose the information that xy
• Do we need inequality involving just-disposed ?

42
Program Analysis

• Abstract value is a set of symbolic heaps
• Abstract transformers by symbolic execution (TODO
  EXAMPLE)
• Fixpoint check by entailement
• Knobs
• widening / abstraction
• join
• interprocedural analysis (cutpoints)
• predicate discovery

43
Global Properties?
tree ? P C tree ? Q
(tree ? R) (tree ? P) C (tree ? Q)
(tree ? R)

• Before tree ? (Q R) ? (tree ? Q) (tree ?
  R)
• After (tree ? Q) (tree ? R) ? tree ? (Q
  R)
• Loss of global property
• no restrictions on dangling pointers in P and Q
• can point to each other and create cycles

44
OPCM

• Ordered Partially Commutative Monoid (OPCM)
• M lt E, , e, ? gt
• is associative, commutative,
• e is the unit of
• ? is a partial order on E
• Redefine OPCM
• get semantics of the assertion language for free
• Redefine small axioms
• satisfy safety-monotonicity and frame property
• get frame rule for free

45
Bibliography

• http//www.dcs.qmw.ac.uk/ohearn/localreasoning.ht
  ml

46
Early Days

• The Logic of Bunched Implications O'Hearn and
  Pym. 1999
• Intuitionistic Reasoning about Shared Mutable
  Data Structure Reynolds. 1999
• BI as an Assertion Language for Mutable Data
  Structures. Ishtiaq, O'Hearn. POPL'01.
• Local Reasoning about Programs that Alter Data
  Structures O'Hearn, Reynolds, Yang. CSL'01.
• Separation Logic A Logic for Shared Mutable Data
  Structures Reynolds. LICS 2002.

47
Successful Applications

• An example of local reasoning in BI pointer
  logic the Schorr-Waite graph marking algorithm
  Yang, SPACE 2001
• Local Reasoning about a Copying Garbage
  CollectorBirkedal, Torp-Smith, Reynolds. POPL'04

48
Analysis and Automated Verification

• Symbolic Execution with Separation
  Logic.Berdine, Calcagno, O'Hearn. APLAS'05.
• Smallfoot Modular Automatic Assertion Checking
  with Separation Logic Berdine, Calcagno,
  O'Hearn. FMCO06.
• A local shape analysis based on separation logic
  Distefano, O'Hearn, Yang. TACAS06.
• Interprocedural Shape Analysis with Separated
  Heap Abstractions. Gotsman, Berdine, Cook.
  SAS06
• Shape analysis for composite data
  structures.Berdine, Calcagno, Cook, Distefano,
  O'Hearn, Wies, Yang. CAV'07.
• ...

49
Concurrency

• Resources, Concurrency and Local Reasoning
  O'Hearn. Reynolds Festschrift, 2007. CONCUR'04
• A Semantics for Concurrent Separation Logic
  Brookes. Reynolds Festschrift, 2007. CONCUR'04
• Towards a Grainless Semantics for Shared Variable
  Concurrency John C. Reynolds (in preparation?)
• Permission Accounting in Separation LogicBornat,
  Calcagno, O'Hearn, Parkinson. POPL05
• Modular Verification of a Non-blocking Stack
  Parkinson, Bornat, O'Hearn. POPL07
• A Marriage of Rely/Guarantee and Separation Logic
  Parkinson, Vafeiadis. CONCUR07
• Modular Safety Checking for Fine-Grained
  Concurrency (smallfootRG)Calcagno, Parkinson,
  Vafeiadis. SAS'07
• Thread-Modular Shape Analysis. Gotsman, Berdine,
  Cook, Sagiv. PLDI07
• ...

50
Termination

• Automatic termination proofs for programs with
  shape-shifting heaps. Berdine, Cook, Distefano,
  O'Hearn. CAV06
• Variance Analyses from Invariance
  Analyses.Berdine, Chawdhary, Cook, Distefano,
  O'Hearn. POPL 2007
• ...

51
Object Oriented Programming

• Separation logic and abstraction Parkinson and
  Bierman. POPL05
• Class Invariants The End of the Road?
  Parkinson. IWACO'07.
• Separation Logic, Abstraction, and Inheritance
  Parkinson, Bierman. POPL'08

52
Summary of Basic Ideas

• Extension of Hoare logic to imperative programs
• Separating conjunction
• Inductive definitions for data-structures
• Tight specifications
• Dangling pointers
• Local surgeries
• Frame rule