charge a framework for higher order separation logic in
play

Charge! a framework for higher-order separation logic in Coq Lars - PowerPoint PPT Presentation

Dec 31, 2023 •148 likes •499 views

Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics Group Dept. of Comp. Science, Aarhus University (Joint work with J. Bengtson, J.B. Jensen, H. Mehnert, P . Sestoft, F . Sieczkowski) April 2013

  1. Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics Group Dept. of Comp. Science, Aarhus University (Joint work with J. Bengtson, J.B. Jensen, H. Mehnert, P . Sestoft, F . Sieczkowski) April 2013 Lars Birkedal (AU) Charge! Types 2013, Toulouse 1 / 35

  2. Separation Logic Program Logic a la Hoare Logic for reasoning about programs with pointers (or references to shared mutable data) [Reynolds, O’Hearn, . . . , 2000+] Main feature: it facilitates modular reasoning, formalized via so-called frame rule, using a connective called separating conjunction. Lars Birkedal (AU) Charge! Types 2013, Toulouse 2 / 35

  3. Hoare Logic - a recap Programming Language: imperative while -language Assertion Language: first-order logic w. equality Specifications for partial correctness: { P } C { Q } if s � P and C , s → s ′ , then s ′ � Q . Rules for deriving specifications (including rules for first-order logic). Lars Birkedal (AU) Charge! Types 2013, Toulouse 3 / 35

  4. Separation Logic Programming Language: as before but now with C-like pointers Specifications for partial correctness: { P } C { Q } if s , h � P and C , s , h → s ′ , h ′ , then s ′ , h ′ � Q . Assertion Language: first-order logic w. equality + BI connectives: s , h � emp iff h is the empty heap s , h � x �→ 5 iff h is the singleton heap with one location s ( x ) with value 5. s , h � P ∗ Q iff h can be split into h 1 and h 2 , with disjoint domains, such that s , h 1 � P and s , h 2 � Q . s , h � P − − ∗ Q iff . . . . Lars Birkedal (AU) Charge! Types 2013, Toulouse 4 / 35

  5. Example of “small” axiom { x �→ −} dispose ( x ) { emp } Modular Reasoning via Frame Rule: { P } C { Q } { P ∗ R } C { Q ∗ R } (assuming modifies ( C ) ∩ freevar ( R ) = ∅ ). Lars Birkedal (AU) Charge! Types 2013, Toulouse 5 / 35

  6. Higher-Order Separation Logic Example Developed HOSL in ESOP-2005 paper. Stack ADT stackspec = ∃ α : Type . ∃ inv : α × N list → Prop . { emp } new () { s : α. inv ( s , []) } × ∀ s : α. ∀ x : N . ∀ l : N list { inv ( s , l ) } push ( s , x ) { inv ( s , x :: l ) } × ∀ s : α. ∀ x : N . ∀ l : N list { inv ( s , x :: l ) } pop ( s ) { y : N . inv ( s , l ) ∧ y = x } . Modularity: clients can use the spec without knowing anything about how the stack is implemented (since abstract in the inv predicate). Different stack implementations can meet this spec. Lars Birkedal (AU) Charge! Types 2013, Toulouse 6 / 35

  7. Charge! Aims tool for verification of OO (Java / C#) code machine-checkable correctness proofs proofs similar to pen and paper proofs in separation logic automate tedious first-order reasoning where possible Idea: test the theory on larger examples (hard to do with pen and paper) make it available for students to experiment with Real-life test cases: from the C5 collection library for C# uses interfaces heavily to parameterize modules on each other (“interfaces” is the OO way of programming with unknown code) Lars Birkedal (AU) Charge! Types 2013, Toulouse 7 / 35

  8. Other approaches When we started work on Charge: For similar prog. language and logic: Verifast / jStar specialized tools, Verifast: larger TCB (own specialized theorem prover). We focus more on modular reasoning about modular code, using facilities of Coq jStar: no guarantee of soundness since based on user-declared theories Language designed arround type theory: Hoare Type Theory / Ynot [Nanevski, Morrisett, Birkedal, Chlipala, et. al.] now we wanted to test ideas for logic for existing mainstream programming language C-like language: Appel / McCreight macros. useful ideas that we build on, exposes the model of separation logic to user, reasoning about heaps directly, which we seeked to avoid Lars Birkedal (AU) Charge! Types 2013, Toulouse 8 / 35

  9. Overview of Charge! Shallow embedding of HOSL in Coq. Support for program variables in assertions Step-indexed specification logic with quantifiers Nested triples, i.e. step-indexed specifications in assertions Hoare triple defined on semantic commands Building blocks for defining control flow constructs: seq ˆ c 1 ˆ c 1 + ˆ ˆ c ∗ ˆ id c 2 c 2 assume P Instantiation to Java / C# like OO language. Static types replaced by specifications Tactics to automate part of the reasoning. Test applications Pattern for interface specifications (since C5 relies on interfaces) Snapshotable trees (datastructure with sharing ) Lars Birkedal (AU) Charge! Types 2013, Toulouse 9 / 35

  10. Uniform Predicates Definition (Separation Algebra) A separation algebra is a partial, cancellative, commutative monoid (Σ , ◦ , 1 ) where Σ is the carrier, ◦ is the monoid operator, and 1 is the unit element. Generalizes heaps, so we often refer to elements of Σ as heaps. h 1 ⊑ h 2 , if there exists an h 3 such that h 2 = h 1 ◦ h 3 . Definition (Uniform Predicate) UPred (Σ) � { p ⊆ Σ × N | ∀ g , m . ∀ h ⊒ g . ∀ n ≤ m . ( g , m ) ∈ p → ( h , n ) ∈ p ) } Lars Birkedal (AU) Charge! Types 2013, Toulouse 10 / 35

  11. Uniform Predicates, II Lemma UPred (Σ) forms a complete BI algebra. true � Σ × N false � ∅ p ∧ q � p ∩ q p ∨ q � p ∪ q ∀ x : U . f � � � ∃ x : U . f � x : U f x x : U f x p → q � { ( h , n ) | ∀ g ⊒ h . ∀ m ≤ n . ( g , m ) ∈ p → ( g , m ) ∈ q } p ∗ q � { ( h 1 ◦ h 2 , n ) | h 1 # h 2 ∧ ( h 1 , n ) ∈ p ∧ ( h 2 , n ) ∈ q } ∗ q � p − { ( h , n ) | ∀ m ≤ n . ∀ h 1 # h . ( h 1 , m ) ∈ p → ( h ◦ h 1 , m ) ∈ q } For the quantifiers, U is of type Type , i.e. the sort of types in Coq, and f is any Coq function from U to UPred (Σ) . This allows us to quantify over any member of Type in Coq. Lars Birkedal (AU) Charge! Types 2013, Toulouse 11 / 35

  12. Stacks and Assertions Definition stack � var → val . s ≃ V s ′ � ∀ x ∈ V . s x = s ′ x . Stack monad: sm T � { ( f : stack → T , V : P ( var )) | ∀ s , s ′ . s ≃ V s ′ → f s = f s ′ } (intuition: V over-approx of free variables in f ). Definition expr � sm val pure � sm Prop asn (Σ) � sm UPred (Σ) Lemma asn (Σ) forms a complete BI algebra. Lars Birkedal (AU) Charge! Types 2013, Toulouse 12 / 35

  13. Stacks and Substitution Stack monad used to define map f �→ � f If f : T → U , then � f : sm T → sm U . Example Given R : val → T → UPred ( heap ) , then � R : sm val → sm T → sm UPred ( heap ) , i.e. expr → sm T → asn ( heap ) . Make lifting explicit in specifications since restricts how program variables behave under substitution. ( � f e )[ e ′ / x ] = � f ( e [ e ′ / x ]) for any f : val → UPred (Σ) , But do NOT have ( g e )[ e ′ / x ] = g ( e [ e ′ / x ]) for any g : expr → asn (Σ) , because g e may have more free program variables than those appearing in e . Hence in specs we typically quantify over functions into UPred (Σ) , which we then lift to asn (Σ) as needed. Lars Birkedal (AU) Charge! Types 2013, Toulouse 13 / 35

  14. Semantic Commands Definition (pre-command) A pre-command ˜ c relates an initial state to either a terminal state or the special err state: precmd � P ( stack × Σ × (( stack × Σ) ⊎ { err } ) × N ) c ) � n x to mean that ( s , h , x , n ) ∈ ˜ We write ( s , h , ˜ c . Definition (Frame property) A pre-command ˜ c has the frame property in case the following holds. If c ) � n ( s ′ , h ′ ) then there exists h ′ c ) � � n err and ( s , h 1 ◦ h 2 , ˜ ( s , h 1 , ˜ 1 such that h ′ = h ′ c ) � n ( s ′ , h ′ 1 ◦ h 2 and ( s , h 1 , ˜ 1 ) . Lars Birkedal (AU) Charge! Types 2013, Toulouse 14 / 35

  15. Semantic Commands, II Definition (Semantic command) A semantic command satisfies the frame property and does not evaluate to anything in zero steps. c ) � � 0 semcmd � { ˆ c ∈ precmd | ˆ c has the frame property ∧ ∀ s , h , x . ( s , h , ˆ The following are semantic commands: seq ˆ c 1 ˆ c 1 + ˆ ˆ c ∗ ˆ id c 2 c 2 assume P check P (The check -command works like the id -command if pure assertion P can be inferred.) Lars Birkedal (AU) Charge! Types 2013, Toulouse 15 / 35

  16. Specification Logic Definition spec � { S ⊆ N | ∀ m , n . m ≤ n ∧ n ∈ S → m ∈ S } Gives an intuitionistic specification logic: Lemma ( spec , ⊆ ) is a cHA. Definition (Hoare Triple) { P } ˆ c { Q } � { n | ∀ m ≤ n . ∀ k ≤ m . ∀ s , h . c ) � � k err ∧ ( h , m ) ∈ P s → ( s , h , ˆ c ) � k ( s ′ , h ′ ) → ( h ′ , m − k ) ∈ Q s ′ } ∀ h ′ , s ′ . ( s , h , ˆ Lars Birkedal (AU) Charge! Types 2013, Toulouse 16 / 35

  17. Nested Specifications Nested specifications for reasoning about higher-order / unknown code. FunI : spec → UPred (Σ) � λ S . Σ × S . Lemma FunI is monotone, preserves implication, and has a left and a right adjoint. So all specification logic connectives preserved. (Could merge specifiation and assertion logic.) Lars Birkedal (AU) Charge! Types 2013, Toulouse 17 / 35

  18. Recursion Step-indexing used for mutually recursive specifications. ⊲ S � { n + 1 | n ∈ S } ∪ { 0 } Γ ∧ ⊲ S | = S 0 ∈ Γ → 0 ∈ S Löb Γ | = S Lars Birkedal (AU) Charge! Types 2013, Toulouse 18 / 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Iris: a framework for higher-order concurrent separation logic in Coq Robbert Krebbers 1 Delft

Iris: a framework for higher-order concurrent separation logic in Coq Robbert Krebbers 1 Delft

Iris: a framework for higher-order concurrent separation logic in Coq Robbert Krebbers 1 Delft University of Technology, The Netherlands January 15, 2017 @ TTT, Paris, France 1 Iris is joint work with: Ralf Jung, Jacques-Hendri Jourdan, Ale s

1.49k views • 124 slides
Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen,

Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen,

Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen, Netherlands Dec, 2015 Modular Reasoning about Higher-Order Concurrent Imperative Programs 1 / 33 Introduction Goal Program logics for

1.02k views • 63 slides
A Simple Model of Separation Logic for Higher-order Store Lars Birkedal IT University of

A Simple Model of Separation Logic for Higher-order Store Lars Birkedal IT University of

A Simple Model of Separation Logic for Higher-order Store Lars Birkedal IT University of Copenhagen Joint work with B. Reus, J. Schwinghammer, H. Yang July, 2008 Lars Birkedal (ITU) Sep. Logic for Higher-order Store ICALP 1 / 20

457 views • 20 slides
Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Extending SMT solvers to higher-order logic Haniel Barbosa Andrew Reynolds Daniel El Ouraoui Clark Barrett Cesare Tinelli SMT 2019 20190707, Lisbon, PT To be published in the proceedings of CADE 2019 Why higher-order logic?

569 views • 25 slides
Verifying a hash table and its iterators in higher-order separation logic Franois Pottier

Verifying a hash table and its iterators in higher-order separation logic Franois Pottier

Verifying a hash table and its iterators in higher-order separation logic Franois Pottier Vocal meeting Paris, November 10, 2016 Motivation Why verify a hash table implementation ? a simple and useful data structure implements an

499 views • 19 slides
Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Amin Timany 2

Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Amin Timany 2

Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Amin Timany 2 Lars Birkedal 3 1 Delft University of Technology, The Netherlands 2 imec-Distrinet, KU Leuven, Belgium 3 Aarhus University, Denmark January 18, 2017 @

953 views • 71 slides
Mechanized proofs in higher-order separation logic Robbert Krebbers Delft University of

Mechanized proofs in higher-order separation logic Robbert Krebbers Delft University of

Mechanized proofs in higher-order separation logic Robbert Krebbers Delft University of Technology, The Netherlands February 5, 2019 @ Vrije Universiteit, Amsterdam, The Netherlands 1 Tactic-style proofs (as in LCF/Coq/HOL/ etc. ) have shown to

978 views • 97 slides
Iris Proof Mode Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1

Iris Proof Mode Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1

Iris Proof Mode Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Delft University of Technology, The Netherlands June 12, 2017 @ MFPS, Ljubljana, Slovenia 1 Iris is joint work with: Ralf Jung, Jacques-Henri

1.16k views • 87 slides
Iron: Managing Obligations in Higher-Order Concurrent Separation Logic s Bizjak 1 Daniel Gratzer 1

Iron: Managing Obligations in Higher-Order Concurrent Separation Logic s Bizjak 1 Daniel Gratzer 1

Iron: Managing Obligations in Higher-Order Concurrent Separation Logic s Bizjak 1 Daniel Gratzer 1 Ale Robbert Krebbers 2 Lars Birkedal 1 1 Aarhus University 2 Delft University of Technology January 17, 2019 POPL 2019

566 views • 38 slides
Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Introduction In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing Hoare logic separation logic. We looked at the concepts separation logic is based on, the new assertions that

396 views • 14 slides
Semantics and A utomation of Higher-Order Logic Some Remarks Christoph Benzm uller

Semantics and A utomation of Higher-Order Logic Some Remarks Christoph Benzm uller

Semantics and A utomation of Higher-Order Logic Some Remarks Christoph Benzm uller Department of Computer Science, Saarland University Workshop on Logic, Proofs and Programs 17 18 June 2004, Nancy First-order Logic c

607 views • 42 slides
Proof Engineering of Higher Order Logic Wang) Collaboration, Translation, Checking and Retrieval

Proof Engineering of Higher Order Logic Wang) Collaboration, Translation, Checking and Retrieval

Proof Engineering of Higher Order Logic Robert White (Shuai Proof Engineering of Higher Order Logic Wang) Collaboration, Translation, Checking and Retrieval Introduction Higher Order Logic HOL Kernel Inference Rules Robert White

539 views • 29 slides
Higher Order Proof Engineering Robert White ILLC/INRIA Cool Logic, ILLC 1/23 Higher Order

Higher Order Proof Engineering Robert White ILLC/INRIA Cool Logic, ILLC 1/23 Higher Order

Higher Order Proof Engineering Higher Order Proof Engineering Robert White ILLC/INRIA Cool Logic, ILLC 1/23 Higher Order Proof Engineering Outline Introduction HOL Light and HOL Proof Checking OpenTheory Holide and Dedukti ProofCloud

767 views • 23 slides
Extending propositional separation logic for robustness properties of separation logic Alessio

Extending propositional separation logic for robustness properties of separation logic Alessio

Extending propositional separation logic for robustness properties of separation logic Alessio Mansutti LSV, CNRS, ENS Paris-Saclay Paris - April 2019 What we will see An extension of propositional separation logic that can express some

569 views • 42 slides
Compiling from Higher Order Logic Konrad Slind School of Computing, University of Utah June 17,

Compiling from Higher Order Logic Konrad Slind School of Computing, University of Utah June 17,

Compiling from Higher Order Logic Konrad Slind School of Computing, University of Utah June 17, 2008 Konrad Slind Compiling from Higher Order Logic Acknowledgements Anthony Fox, Mike Gordon, Guodong Li, Magnus Myreen, Scott Owens Konrad

777 views • 43 slides
Introduction to Higher Order Logic Carl Pollard Department of Linguistics Ohio State University

Introduction to Higher Order Logic Carl Pollard Department of Linguistics Ohio State University

Introduction to Higher Order Logic Carl Pollard Department of Linguistics Ohio State University November 29, 2011 Carl Pollard Introduction to Higher Order Logic Extending TLC to HOL (Church 1940) Start with a TLC. Add a type t for truth

464 views • 18 slides
Measuring progress to predict success: Can a good proof strategy be evolved? Giles Reger 1 ,

Measuring progress to predict success: Can a good proof strategy be evolved? Giles Reger 1 ,

Measuring progress to predict success: Can a good proof strategy be evolved? Giles Reger 1 , Martin Suda 2 1 School of Computer Science, University of Manchester, UK 2 TU Wien, Vienna, Austria AITP 2017 Obergurgl, March 29, 2017 1/21 Vampire

616 views • 50 slides
AUTOMOTIVE NEWS MARKETING 360 ED LAUKES GROUP VICE PRESIDENT, TOYOTA DIVISION MARKETING Under

AUTOMOTIVE NEWS MARKETING 360 ED LAUKES GROUP VICE PRESIDENT, TOYOTA DIVISION MARKETING Under

ll ll PROTECTED AUTOMOTIVE NEWS MARKETING 360 ED LAUKES GROUP VICE PRESIDENT, TOYOTA DIVISION MARKETING Under this Olympic and Paralympic flag, let us reaffirm the power of sport to bring people together. AKIO TOYODA

633 views • 13 slides
Connecticut Bar Association Commercial l Law & Bankr kruptcy Section Hon. Julie A. Manning ,

Connecticut Bar Association Commercial l Law & Bankr kruptcy Section Hon. Julie A. Manning ,

Deali ling wit ith Debtor/Credit itor Is Issues: Options for Busin inesses in in the Age of COVID ID-19 19 April il 20, 2020 Connecticut Bar Association Commercial l Law & Bankr kruptcy Section Hon. Julie A. Manning , Chief U.S.

1.05k views • 68 slides
Taming the SOA Beast SOA introduces complexity as well as new organizational impacts. We need to

Taming the SOA Beast SOA introduces complexity as well as new organizational impacts. We need to

Taming the SOA Beast SOA introduces complexity as well as new organizational impacts. We need to re-think the process. December 2008 Why SOA? Business Effectiveness Agility, responsiveness to market/competitive dynamics Business

513 views • 24 slides
Kelowna Chamber of Commerce - OC Series Online Kickstarting Tourism Recovery in Kelowna Where

Kelowna Chamber of Commerce - OC Series Online Kickstarting Tourism Recovery in Kelowna Where

Kelowna Chamber of Commerce - OC Series Online Kickstarting Tourism Recovery in Kelowna Where Are We Now? Overnight visitation numbers in May were only 85,960 people (43.6% decrease over last year) YLW in May saw a total of 6,805

401 views • 15 slides
Channel design Channel coverage Intensive Selective Exclusive Channel

Channel design Channel coverage Intensive Selective Exclusive Channel

PLANNING A B2B MARKETING CHANNEL STRATEGY Channel design Channel coverage Intensive Selective Exclusive Channel management decisions Selecting suitable channel partners Managing and motivating channel partners

560 views • 29 slides
Resurprise Me! By: Will Gannon A smart recipe picker for the picky eater Architecture Weka

Resurprise Me! By: Will Gannon A smart recipe picker for the picky eater Architecture Weka

Resurprise Me! By: Will Gannon A smart recipe picker for the picky eater Architecture Weka open source classifier library Parser for common recipe aggregators Allrecipes.com Food.com Application or web interface Pulls

51 views • 3 slides
The Future of Federal Energy RD&D Policy September 10, 2020 Jeremy Harrell Managing

The Future of Federal Energy RD&D Policy September 10, 2020 Jeremy Harrell Managing

The Future of Federal Energy RD&D Policy September 10, 2020 Jeremy Harrell Managing Director, Policy @jharrell 2020 breaks ice on climate and energy policy Overview of ClearPath 1 The clean energy innovation imperative 2 Biggest DC

627 views • 23 slides

More recommend