A Deep Embedding of a Decidable Fragment of Separation Logic in HOL - - PowerPoint PPT Presentation

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

A Deep Embedding of a Decidable Fragment of Separation Logic in HOL

Thomas Tuerk Mike Gordon ARG Lunch, 26th June 2006

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Overview

Motivation Basic Definitions A Decision Procedure for Entailments HOL embedding Example Conclusions and Future Work

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Smallfoot

• ”Smallfoot is an automatic verification tool which checks

separation logic specifications of concurrent programs which manipulate dynamically-allocated recursive data structures.” (Smallfoot documentation)

• developed by
• Cristiano Calcagno
• Josh Berdine
• Peter O’Hearn

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Smallfoot II

Example from list.sf

list_copy(p) [list(p)] { local t; t = p; q = NULL; while(t != NULL) [list(q) * lseg(p,t) * list(t)] { sq = q; q = new(); q->tl = sq; t = t->tl; } } [list(p) * list(q)]

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Motivation

• we deeply embedded the fragment of separation logic used by

Smallfoot in HOL

• a decision procedure for entailments has been implemented in

HOL

• this formalisation may increase the trust in Smallfoot
• it may be used as a basis for non decidable fragments of

separation logic and an interactive proof environment

• it may be extended to a HOL implementation of Smallfoot

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Pure Formulae

• an expression is either a constant or a variable
• nil is a special constant
• a stack is a variable assignment
• pure formulae are inductively defined by
• true
• e1 .

= e2, e1 . = e2

• pf1 ∧ pf2
• the semantics of pure formulae with respect to a stack are

defined in the natural way

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Spatial Formulae

• a heap is finite map h : (Values \ {nil}) fin

− → Fields

fin

− → Values

• spatial formulae are inductively defined by
• emp
• e ֒

→ [t1 : e1, . . . , tn : en]

• sf1 ∗ sf2
• tree((t1, . . . , tn), es, e)
• list segments and binary trees are defined as syntactic sugar
• bin-tree(l, r, e) := tree((l, r), nil, e)
• ls(tl, e1, e2) := tree(tl, e2, e1)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Spatial Formulae II

l r 2 l r 1 s(xi) := i h := [1 → [l → 2, r → nil], 2 → [l → nil, r → nil]] bin-tree(l, r, x1)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Spatial Formulae II

l r 2 l r 1 s(xi) := i h := [1 → [l → 2, r → nil], 2 → [l → nil, r → nil]] tree((l, r), nil, x1)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Spatial Formulae II

l r 2 l r 1 s(xi) := i h := [1 → [l → 2, r → nil], 2 → [l → nil, r → nil]] ∃el, er. x1 ֒ → [l : el, r : er] ∗ tree((l, r), nil, el) ∗ tree((l, r), nil, er)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Spatial Formulae II

l r 2 l r 1 s(xi) := i h := [1 → [l → 2, r → nil], 2 → [l → nil, r → nil]] x1 ֒ → [l : 2, r : nil] ∗ tree((l, r), nil, 2) ∗ tree((l, r), nil, nil)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Spatial Formulae II

l r 2 l r 1 s(xi) := i h := [1 → [l → 2, r → nil], 2 → [l → nil, r → nil]] x1 ֒ → [l : 2, r : nil] ∗ tree((l, r), nil, 2) ∗ tree((l, r), nil, nil)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Spatial Formulae II

l r 2 l r 1 s(xi) := i h := [1 → [l → 2, r → nil], 2 → [l → nil, r → nil]] x1 ֒ → [l : 2, r : nil] ∗ 2 ֒ → [l : nil, r : nil] ∗ tree((l, r), nil, nil) ∗ tree((l, r), nil, nil) ∗ tree((l, r), nil, nil)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Spatial Formulae II

l r 2 l r 1 s(xi) := i h := [1 → [l → 2, r → nil], 2 → [l → nil, r → nil]] x1 ֒ → [l : 2, r : nil] ∗ 2 ֒ → [l : nil, r : nil] ∗ tree((l, r), nil, nil) ∗ tree((l, r), nil, nil) ∗ tree((l, r), nil, nil)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Entailments

• entailments are important for Smallfoot
• example from list.sf

x0 . = nil, x1 . = nil, x2 . = nil, x0 . = x3, x0 . = x2, x4 . = x5, x1 . = x3, x1 . = x2, x3 . = x2, x2 ֒ → [hd : x5, tl : x3], ls(tl, x3, nil), ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢ ls(tl, x1, x2), x2 ֒ → [tl : x3], ls(tl, x3, nil)

• entailments in this fragment of separation logic are decidable
• inferences can be easily combined to form a decision procedure
• inferences and decision procedure are presented in

Josh Berdine, Cristiano Calcagno, and Peter W. O’Hearn. Symbolic Execution with Separation Logic. In K. Yi (Ed.): APLAS 2005, LNCS 3780, pp. 52-68, 2005.

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

RemoveTrivial

RemoveTrivial-EQ-L Π, Σ ⊢ Π′, Σ′ e . = e, Π, Σ ⊢ Π′, Σ′ RemoveTrivial-EQ-R Π, Σ ⊢ Π′, Σ′ Π, Σ ⊢ e . = e, Π′, Σ′ RemoveTrivial-EmpTree-L Π, Σ ⊢ Π′, Σ′ Π, tree((t1, . . . , tk), e, e), Σ ⊢ Π′, Σ′ RemoveTrivial-EmpTree-R Π, Σ ⊢ Π′, Σ′ Π, Σ ⊢ Π′, tree((t1, . . . , tk), e, e), Σ′

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Hypothesis

Hypothesis pf, Π, Σ ⊢ Π′, Σ′ pf, Π, Σ ⊢ pf, Π′, Σ′

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Axiom / Inconsistent

Axiom Π ⊢ Inconsistent-unequal e . = e, Π, Σ ⊢ Π′, Σ′ Inconsistent-pointsto-nil Π, nil ֒ → [. . .], Σ ⊢ Π′, Σ′

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Frame

Frame-base Π, Σ ⊢ Π′, Σ′ Π, sf, Σ ⊢ Π′, sf, Σ′

• problem: this is a real implication, information is lost
• thus, order of inference application matters
• example: e ֒

→ [f : e1], e ֒ → [g : e2] ⊢ e ֒ → [f : e1]

• solution: add additional informations to entailments

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Frame II

Frame-points to e, η, π, Π, Σ ⊢ Π′, Σ′ η, π, Π, e ֒ → [t1 : e1, . . . , tn : en], Σ ⊢ Π′, e ֒ → [t1 : e1, . . . , tm : em], Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =m ≤ n Frame-tree η, (e, es), π, Π, Σ ⊢ Π′, Σ′ η, π, Π, tree((t1, . . . , tk), es, e), Σ ⊢ Π′, tree((t1, . . . , tk), es, e), Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

• all used inferences are equivalences
• order of application does not matter
• continued applications of inferences will terminate

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Substitution

Substitution η[e/x], π[e/x], Π[e/x], Σ[e/x] ⊢ Π′[e/x], Σ′[e/x] η, x . = e, π, Π, Σ ⊢ Π′, Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

NIL-NOT-LVAL

NIL-NOT-LVAL-pointsto η, π, e . = nil, Π, e ֒ → [. . .], Σ ⊢ Π′, Σ′ η, π, Π, e ֒ → [. . .], Σ ⊢ Π′, Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = NIL-NOT-LVAL-tree η, π, e . = nil, e . = es, Π, tree (. . . , es, e) , Σ ⊢ Π′, Σ′ η, π, e . = es, Π, tree (. . . , es, e) , Σ ⊢ Π′, Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

side condition

In order to prevent looping only new facts are added.

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Partial

Partial-pointsto-pointsto η, π, e1 . = e2, Π, e1 ֒ → [. . .], e2 ֒ → [. . .], Σ ⊢ Π′, Σ′ η, π, Π, e1 ֒ → [. . .], e2 ֒ → [. . .], Σ ⊢ Π′, Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Partial-pointsto-tree η, π, e1 . = e2, e2 . = e3, Π, e1 ֒ → [. . .], tree(. . . , e3, e2), Σ ⊢ Π′, Σ′ η, π, e2 . = e3, Π, e1 ֒ → [. . .], tree(. . . , e3, e2), Σ ⊢ Π′, Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = . . .

side condition

In order to prevent looping only new facts are added.

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Simple Unroll

Unroll-right-list e1, η, π, e1 . = e3, Π, Σ ⊢ Π′, ls(tl, e2, e3), Σ′ η, π, e1 . = e3, Π, e1 ֒ → [tl : e2, . . .], Σ ⊢ Π′, ls(tl, e1, e3), Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Unroll-right-bintree e, η, π, Π, Σ ⊢ Π′, bin-tree(l, r, el), bin-tree(l, r, er), Σ′ η, π, Π, e ֒ → [l : el, r : er, . . .], Σ ⊢ Π′, bin-tree(l, r, e), Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Unroll-NilList η, π, e . = nil, Π, Σ ⊢ Π′, Σ′ η, π, Π, ls(tl, nil, e), Σ ⊢ Π′, Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = Unroll-precond-list e1, η, π, e1 . = e2, Π, Σ ⊢ Π′, Σ′ e1, η, π, Π, ls(tl, e1, e2), Σ ⊢ Π′, Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Unroll

Unroll-list η, π, e1 . = e2, Π, Σ ⊢ Π′, Σ′ ∀x. η, π, e1 . = e2, e2 . = x, Π, e1 ֒ → [fl : x], x ֒ → [fl : e2], Σ ⊢ Π′, Σ′ η, π, Π, ls(tl, e1, e2), Σ ⊢ Π′, Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

• logic can not consider the content of a list
• therefore, two cases are sufficient
• no induction needed!
• similar inference exists for arbitrary trees
• however, in general useful for decision procedure

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Append-list

Append-list η, (e1, e2), π, e1 . = e3, Π, Σ ⊢ Π′, ls(tl, e2, e3), Σ′ η, π, e1 . = e3, Π, ls(tl, e1, e2), Σ ⊢ Π′, ls(tl, e1, e3), Σ′ = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

• this inference holds under some complicated side condition
• it is preferable to unrolling lists
• its correctness proof uses unrolling of lists and simple unrolls

and the frame inference

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Decision Procedure

• these inferences can be easily combined to form a decision

procedure for entailments

• apply inferences in arbitrary order as long as possible
• be careful with NIL-NOT-LVAL, Partial, Hypothesis to avoid

looping

• iff the entailment could not be reduced to true, it is false
• remaining entailments are as simple, that a concrete

counterexample can be easily constructed

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

HOL embedding

• deep embedding in HOL is straight forward except for trees
• trees are introduced considering their maximal depth
• equivalence with other recursive definition is formally proofed
• inferences are implemented as conversions
• the decision procedure is implemented as a conversion

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

HOL embedding II

LOC deep embedding and inferences

• approx. 10 000

special versions of inferences for conversions

• approx. 2 500

conversions and decision procedure

• approx. 2 000

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

example from list.sf

x0 . = nil, x1 . = nil, x2 . = nil, x0 . = x3, x0 . = x2, x4 . = x5, x1 . = x3, x1 . = x2, x3 . = x2, x2 ֒ → [hd : x5, tl : x3], ls(tl, x3, nil), ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢ ls(tl, x1, x2), x2 ֒ → [tl : x3], ls(tl, x3, nil)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

example from list.sf

Π, x2 ֒ → [hd : x5, tl : x3], ls(tl, x3, nil), ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢ ls(tl, x1, x2), x2 ֒ → [tl : x3], ls(tl, x3, nil)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

example inference application

Π, x2 ֒ → [hd : x5, tl : x3], ls(tl, x3, nil), ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢ ls(tl, x1, x2), x2 ֒ → [tl : x3], ls(tl, x3, nil)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

example inference application

Π, x2 ֒ → [hd : x5, tl : x3], ls(tl, x3, nil), ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢

Frame

ls(tl, x1, x2), x2 ֒ → [tl : x3], ls(tl, x3, nil) ⇐ ⇒ x2, (x3, nil), Π, ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢ ls(tl, x1, x2)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

example inference application

Π, x2 ֒ → [hd : x5, tl : x3], ls(tl, x3, nil), ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢

Frame

ls(tl, x1, x2), x2 ֒ → [tl : x3], ls(tl, x3, nil) ⇐ ⇒ x2, (x3, nil), Π, ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢

Append-List

ls(tl, x1, x2) ⇐ ⇒ x2, (x3, nil), (x1, x0), Π, x0 ֒ → [tl, x2] ⊢ ls(tl, x0, x2)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

example inference application

Π, x2 ֒ → [hd : x5, tl : x3], ls(tl, x3, nil), ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢

Frame

ls(tl, x1, x2), x2 ֒ → [tl : x3], ls(tl, x3, nil) ⇐ ⇒ x2, (x3, nil), Π, ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢

Append-List

ls(tl, x1, x2) ⇐ ⇒ x2, (x3, nil), (x1, x0), Π, x0 ֒ → [tl, x2] ⊢

Simple-Unroll

ls(tl, x0, x2) ⇐ ⇒ x2, x0, (x3, nil), (x1, x0), Π ⊢ ls(tl, x2, x2)

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

example inference application

Π, x2 ֒ → [hd : x5, tl : x3], ls(tl, x3, nil), ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢

Frame

ls(tl, x1, x2), x2 ֒ → [tl : x3], ls(tl, x3, nil) ⇐ ⇒ x2, (x3, nil), Π, ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢

Append-List

ls(tl, x1, x2) ⇐ ⇒ x2, (x3, nil), (x1, x0), Π, x0 ֒ → [tl, x2] ⊢

Simple-Unroll

ls(tl, x0, x2) ⇐ ⇒ x2, x0, (x3, nil), (x1, x0), Π ⊢

Remove-Trivial

ls(tl, x2, x2) ⇐ ⇒ x2, x0, (x3, nil), (x1, x0), Π ⊢

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

example inference application

Π, x2 ֒ → [hd : x5, tl : x3], ls(tl, x3, nil), ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢

Frame

ls(tl, x1, x2), x2 ֒ → [tl : x3], ls(tl, x3, nil) ⇐ ⇒ x2, (x3, nil), Π, ls(tl, x1, x0), x0 ֒ → [tl, x2] ⊢

Append-List

ls(tl, x1, x2) ⇐ ⇒ x2, (x3, nil), (x1, x0), Π, x0 ֒ → [tl, x2] ⊢

Simple-Unroll

ls(tl, x0, x2) ⇐ ⇒ x2, x0, (x3, nil), (x1, x0), Π ⊢

Remove-Trivial

ls(tl, x2, x2) ⇐ ⇒ x2, x0, (x3, nil), (x1, x0), Π ⊢

Axiom

⇐ ⇒ ⊤

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

example HOL

val t = ‘‘LIST_DS_ENTAILS ([],[]) ([pf_unequal (dse_var 0) dse_nil; pf_unequal (dse_var 1) dse_nil; pf_unequal (dse_var 2) dse_nil; pf_unequal (dse_var 0) (dse_var 3); pf_unequal (dse_var 0) (dse_var 2); pf_unequal (dse_var 4) (dse_var 5); pf_unequal (dse_var 1) (dse_var 3); pf_unequal (dse_var 1) (dse_var 2); pf_unequal (dse_var 3) (dse_var 2)], [sf_points_to (dse_var 2) [("hd",dse_var 5); ("tl", dse_var 3)]; sf_ls "tl" (dse_var 3) dse_nil; sf_ls "tl" (dse_var 1) (dse_var 0); sf_points_to (dse_var 0) [("tl", (dse_var 2))]]) ([], [sf_ls "tl" (dse_var 1) (dse_var 2); sf_points_to (dse_var 2) [("tl", dse_var 3)]; sf_ls "tl" (dse_var 3) dse_nil])‘‘;

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

example HOL II

val thm1 = (ds_inference_FRAME___CONV THENC ds_inference_APPEND_LIST___CONV THENC ds_inference_SIMPLE_UNROLL___CONV THENC ds_inference_REMOVE_TRIVIAL___CONV THENC ds_inference_AXIOM___CONV) t; val thm2 = ds_DECIDE_CONV t;

Motivation Basic Definitions Entailments HOL embedding Example Conclusions and Future Work

Conclusions

• there is a deep embedding of the decidable fragment of

separation logic used by Smallfoot

• all inferences used by Smallfoot have been verified using HOL
• a decision procedure for entailments has been implemented

Future Work

• add symbolic execution to build a Smallfoot implementation

in HOL

• extend the logic
• try interactive proofs for more complicated fragments of

separation logic