SLIDE 1 CS6202 Separation Logic 1
CS6202: Advanced Topics in Programming Languages and Systems Lecture 8/9 : Separation Logic
- Overview
- Assertion Logic
- Semantic Model
- Hoare-style Inference Rules
- Specification and Annotations
- Linked List and Segments
- Trees and Instuitionistic Logic
- (above from John Reynold’s mini-course)
- Automated Verification
SLIDE 2 CS6202 Separation Logic 2
Motivation Motivation
Program reasoning is important for: correctness of software safety (fewer or no bugs) performance guarantee
SLIDE 3
CS6202 Separation Logic 3
Hoare Logic Hoare Logic
Can handle reasoning of imperative programs well. Notation : {P} code {Q} {P} precondition before executing code {Q} postcondition after executing code
Some examples : {x=1} x:=x+1 {x=2}
{x=x0} x:=x+1 {x=x0+1} {Q[x+1/x]} x:=x+1 {Q} {P} x:=x+1 { x1. P[x1/x] x=x1+1}
SLIDE 4 CS6202 Separation Logic 4
Problem Problem
Hoare logic can handle program variables but not heap
- bjects well due to aliasing problems.
Consider an in-place list reversal algorithm [i] denotes a heap location at address i
SLIDE 5 CS6202 Separation Logic 5
Loop Invariant Loop Invariant
Loop invariant is a statement that holds at the beginning of each iteration of the loop.
heap predicate relates a list
SLIDE 6
CS6202 Separation Logic 6
Loop Invariant Loop Invariant
in separation logic :
SLIDE 7
CS6202 Separation Logic 7
Basics of Separation Logic Basics of Separation Logic
SLIDE 8
CS6202 Separation Logic 8
Simple Language with Heap Store Simple Language with Heap Store
SLIDE 9
CS6202 Separation Logic 9
Memory Faults Memory Faults
Can be caused by out of range look up of memory.
SLIDE 10
CS6202 Separation Logic 10
Assertion Language Assertion Language
SLIDE 11
CS6202 Separation Logic 11
Semantic Model Semantic Model
SLIDE 12
CS6202 Separation Logic 12
Semantic Model Semantic Model
SLIDE 13 CS6202 Separation Logic 13
Separation Conjunction Separation Conjunction -
Examples
SLIDE 14 CS6202 Separation Logic 14
Conjunction Conjunction -
Examples
Conjunction describes the same heap space.
SLIDE 15 CS6202 Separation Logic 15
Separation Implication Separation Implication -
Examples
SLIDE 16
CS6202 Separation Logic 16
Inference Rules Inference Rules
Reasoning with normalization, weakening and strengthening.
SLIDE 17
CS6202 Separation Logic 17
Pure Assertion Pure Assertion
Axiom schematic guided by pure formulae
SLIDE 18
CS6202 Separation Logic 18
Two Unsound Axiom Schemata Two Unsound Axiom Schemata
Structural logic without contraction and weakening.
SLIDE 19
CS6202 Separation Logic 19
Partial Correctness Specification Partial Correctness Specification
SLIDE 20
CS6202 Separation Logic 20
Total Correctness Specification Total Correctness Specification
SLIDE 21
CS6202 Separation Logic 21
Examples of Valid Specifications Examples of Valid Specifications
SLIDE 22
CS6202 Separation Logic 22
Hoare Inference Rules Hoare Inference Rules
SLIDE 23
CS6202 Separation Logic 23
Hoare Inference Rules Hoare Inference Rules
Structural rules are applicable to any commands.
SLIDE 24
CS6202 Separation Logic 24
Partial Correctness of While Loop Partial Correctness of While Loop
SLIDE 25
CS6202 Separation Logic 25
Total Correctness of While Loop Total Correctness of While Loop
SLIDE 26
CS6202 Separation Logic 26
Hoare Inference Rules Hoare Inference Rules
SLIDE 27
CS6202 Separation Logic 27
Hoare Inference Rules Hoare Inference Rules
SLIDE 28
CS6202 Separation Logic 28
Annotated Specifications Annotated Specifications
In annotated specifications, additional assertions called annotations are placed in command in such a way that it assist proof construction process. Examples :
SLIDE 29
CS6202 Separation Logic 29
Minimal Annotated Specifications Minimal Annotated Specifications
Should attempt to minimise annotations where possible. Restrict to pre/post of methods and invariant of loops. Further advances : (i) intraprocedural inference (ii) interprocedural inference.
SLIDE 30
CS6202 Separation Logic 30
Structural Inference Rules Structural Inference Rules
SLIDE 31
CS6202 Separation Logic 31
Structural Inference Rules Structural Inference Rules
SLIDE 32
CS6202 Separation Logic 32
Structural Inference Rules Structural Inference Rules
SLIDE 33
CS6202 Separation Logic 33
Rule of Constancy from Hoare Logic Rule of Constancy from Hoare Logic
SLIDE 34
CS6202 Separation Logic 34
Frame Rule of Separation Logic Frame Rule of Separation Logic
This facilitates local reasoning and specification
SLIDE 35
CS6202 Separation Logic 35
Local Specifications Local Specifications
SLIDE 36
CS6202 Separation Logic 36
Inference Rules for Mutation Inference Rules for Mutation
SLIDE 37
CS6202 Separation Logic 37
Inference Rules for Inference Rules for Deallocation Deallocation
SLIDE 38
CS6202 Separation Logic 38
Inference Rules for Inference Rules for Noninterfering Noninterfering Allocation Allocation
SLIDE 39
CS6202 Separation Logic 39
Inference Rules for Lookup Inference Rules for Lookup
SLIDE 40
CS6202 Separation Logic 40
Notation for Sequences Notation for Sequences
SLIDE 41
CS6202 Separation Logic 41
Singly Linked List Singly Linked List
What is the default property (invariant) of this predicate?
SLIDE 42
CS6202 Separation Logic 42
Singly Linked List Segment Singly Linked List Segment
SLIDE 43
CS6202 Separation Logic 43
Singly Linked List Segment Singly Linked List Segment
Properties
SLIDE 44 CS6202 Separation Logic 44
Non Non-
- Touching Linked List Segment
Touching Linked List Segment
Easier test for emptiness
SLIDE 45
CS6202 Separation Logic 45
Braced List Segment Braced List Segment
SLIDE 46
CS6202 Separation Logic 46
Bornat Bornat List List
SLIDE 47
CS6202 Separation Logic 47
Doubly Linked List Doubly Linked List
SLIDE 48 CS6202 Separation Logic 48
XOR XOR-
Linked List Segment
SLIDE 49
CS6202 Separation Logic 49
Array Allocation Array Allocation
Inference rule :
SLIDE 50
CS6202 Separation Logic 50
Trees Trees
SLIDE 51
CS6202 Separation Logic 51
DAGs DAGs
SLIDE 52
CS6202 Separation Logic 52
Intuitionistic Intuitionistic Separation Logic Separation Logic
Supports justification rather than truth. Things that no longer hold include: law of excluded middle (P P) double negation ( P = P) Pierce’s law (((P Q) P) P) Formulae valid in intuitionistic separation logic but not the classical one. x 1,y emp x 1,y * y ,nil x 1,_
SLIDE 53
CS6202 Separation Logic 53
Intuitionistic Intuitionistic Assertion Assertion
SLIDE 54
CS6202 Separation Logic 54
Inference for Procedures Inference for Procedures
SLIDE 55
CS6202 Separation Logic 55
Copying Tree Copying Tree
SLIDE 56
CS6202 Separation Logic 56
Copying Tree (Proof) Copying Tree (Proof)
SLIDE 57
CS6202 Separation Logic 57
Copying Tree (Proof) Copying Tree (Proof)
SLIDE 58
CS6202 Separation Logic 58
Automated Verification Automated Verification
Modular Verification (i) Given pre/post conditions for each method and loop (ii) Determine each postcondition is sound for method body. (iii) Each precondition is satisfied for each call site. Why Verification? (i) can handle more complex examples (ii) can be used to check inference algorithm (iii) grand challenge of verifiable software
SLIDE 59
CS6202 Separation Logic 59
Core Imperative Language Core Imperative Language
SLIDE 60
CS6202 Separation Logic 60
Data Nodes and Notation Data Nodes and Notation
SLIDE 61
CS6202 Separation Logic 61
Shape Predicates Shape Predicates
Linked-list with size Double linked-list (right traversal) with size Sorted linked-list with size, min, max
SLIDE 62
CS6202 Separation Logic 62
Insertion Sort Algorithm Insertion Sort Algorithm
SLIDE 63 CS6202 Separation Logic 63
Prime Notation Prime Notation
Prime notation is used to capture the latest values
- f each program variable. This allows a state
transition to be expressed since the unprimed form denotes original values.
SLIDE 64
CS6202 Separation Logic 64
Prime Notation Prime Notation
Example : {x’=x y’=y} x:=x+1 {x’=x+1 y’=y} x:=x+y {x’=x+1+y y’=y} y:=2 {x’=x+1+y y’=2}
SLIDE 65
CS6202 Separation Logic 65
Forward Verification Forward Verification
Given 1, infer 2 : {1} e {2}
SLIDE 66
CS6202 Separation Logic 66
Forward Verification Forward Verification
SLIDE 67
CS6202 Separation Logic 67
Separation Constraint Normalization Rules Separation Constraint Normalization Rules
Target :
SLIDE 68
CS6202 Separation Logic 68
Separation Constraint Approximation Separation Constraint Approximation
XPuren() returns a sound approximation of the form :
non-null symbolic addresses
Normalization :
SLIDE 69
CS6202 Separation Logic 69
Translating to Pure Form Translating to Pure Form
SLIDE 70
CS6202 Separation Logic 70
Deriving Shape Invariant Deriving Shape Invariant
From each pure invariant, such as (n 0) for ll<n> We use Inv1(..) to obtain a more precise invariant :
SLIDE 71
CS6202 Separation Logic 71
Separation Constraint Entailment Separation Constraint Entailment
denotes
SLIDE 72
CS6202 Separation Logic 72
Separation Constraint Entailment Separation Constraint Entailment
SLIDE 73
CS6202 Separation Logic 73
Unfolding Predicate in Antecedent Unfolding Predicate in Antecedent
SLIDE 74
CS6202 Separation Logic 74
Folding a Predicate in Consequent Folding a Predicate in Consequent
Folding is recursively applied until x::ll<n> matches with the two data nodes in the antecedent, resulting in : Effect of folding is not the same as unfolding a predicate In consequent as values of derived variable may be lost!
SLIDE 75
CS6202 Separation Logic 75
Folding a Predicate in Consequent Folding a Predicate in Consequent
SLIDE 76
CS6202 Separation Logic 76
Soundness of Entailment Soundness of Entailment
