
CS6202 Separation Logic 1

CS6202: Advanced Topics in Programming Languages and Systems Lecture 8/9 : Separation Logic

  • Overview
  • Assertion Logic
  • Semantic Model
  • Hoare-style Inference Rules
  • Specification and Annotations
  • Linked List and Segments
  • Trees and Intuitionistic Logic
  • (above from John Reynolds’ mini-course)
  • Automated Verification


Motivation

Program reasoning is important for:

  • correctness of software
  • safety (fewer or no bugs)
  • performance guarantee
  • optimization


Hoare Logic

Hoare logic handles reasoning about imperative programs well.

Notation: {P} code {Q}, where {P} is the precondition (holds before executing code) and {Q} is the postcondition (holds after executing code).

Some examples:

  • {x=1} x:=x+1 {x=2}
  • {x=x0} x:=x+1 {x=x0+1}
  • {Q[x+1/x]} x:=x+1 {Q}
  • {P} x:=x+1 {∃x1. P[x1/x] ∧ x=x1+1}


Problem

Hoare logic handles program variables well, but not heap objects, because of aliasing problems.

Consider an in-place list reversal algorithm, where [i] denotes the heap location at address i.


Loop Invariant

A loop invariant is a statement that holds at the beginning of each iteration of the loop.

A heap predicate relates a list of elements and a pointer.


Loop Invariant

The loop invariant in separation logic:
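As an added example (mine, not from the lecture slides), the in-place list reversal of the previous slides run over a tiny heap model, with the loop invariant checked at the head of every iteration. The invariant checked is assumed to be the standard one for this algorithm, ∃α,β. list α i ∗ list β j ∧ α0† = α†·β (α† is the reverse of α); the separating conjunction is enforced by requiring the two lists to own disjoint heap cells.

```python
# Added example (not from the slides): heap model for the list-reversal invariant.
# Heap cells are [i] -> (value, next); nil is None.  Assumed invariant (mine):
#   exists a,b. list(a, i) * list(b, j)  /\  rev(alpha0) = rev(a) ++ b
from typing import Optional

Heap = dict  # address -> (value, next_address)

def list_cells(heap: Heap, i: Optional[int]):
    """Return (elements, footprint) if `i` heads a well-formed nil-terminated
    list in `heap`, else None.  The footprint is the set of addresses the
    list predicate owns, which is what '*' reasons about."""
    elems, addrs = [], set()
    while i is not None:
        if i not in heap or i in addrs:      # dangling pointer or cycle
            return None
        val, nxt = heap[i]
        elems.append(val)
        addrs.add(i)
        i = nxt
    return elems, addrs

def invariant_holds(heap: Heap, i, j, alpha0: list) -> bool:
    """list(a,i) * list(b,j) /\ rev(alpha0) == rev(a) ++ b.  The separating
    conjunction is enforced as disjoint footprints that jointly cover the heap."""
    li, lj = list_cells(heap, i), list_cells(heap, j)
    if li is None or lj is None:
        return False
    (a, fa), (b, fb) = li, lj
    separate = fa.isdisjoint(fb) and (fa | fb) == set(heap)
    return separate and alpha0[::-1] == a[::-1] + b

def reverse_in_place(heap: Heap, i):
    """In-place reversal: j accumulates the reversed prefix.  The invariant is
    asserted at the head of every iteration and on exit; returns the new head."""
    alpha0 = list_cells(heap, i)[0]
    j = None
    while i is not None:
        assert invariant_holds(heap, i, j, alpha0)
        val, k = heap[i]            # k := [i+1]
        heap[i] = (val, j)          # [i+1] := j
        j, i = i, k                 # j := i ; i := k
    assert invariant_holds(heap, i, j, alpha0)
    return j

def demo():
    """Constructed sample heap: cells 10, 20, 30 hold the list 1 -> 2 -> 3."""
    heap = {10: (1, 20), 20: (2, 30), 30: (3, None)}
    head = reverse_in_place(heap, 10)
    return head, list_cells(heap, head)[0]
```

Passing the same address for both i and j makes `invariant_holds` fail, which is exactly the aliasing case that plain conjunction would let through.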


Basics of Separation Logic


Simple Language with Heap Store


Memory Faults

Memory faults can be caused by out-of-range lookups of memory.


Assertion Language


Semantic Model


Semantic Model


Separation Conjunction - Examples


Conjunction - Examples

Conjunction describes the same heap space.


Separation Implication - Examples


Inference Rules

Reasoning with normalization, weakening and strengthening.


Pure Assertion

Axiom schemata guided by pure formulae.


Two Unsound Axiom Schemata

The logic lacks the structural rules of contraction and weakening.


Partial Correctness Specification


Total Correctness Specification

Examples of Valid Specifications


Hoare Inference Rules


Hoare Inference Rules

Structural rules are applicable to any command.


Partial Correctness of While Loop


Total Correctness of While Loop


Hoare Inference Rules


Hoare Inference Rules


Annotated Specifications

In annotated specifications, additional assertions called annotations are placed within the command in such a way that they assist the proof construction process. Examples:


Minimal Annotated Specifications

One should minimise annotations where possible, restricting them to the pre/postconditions of methods and the invariants of loops. Further advances: (i) intraprocedural inference; (ii) interprocedural inference.


Structural Inference Rules


Structural Inference Rules


Structural Inference Rules


Rule of Constancy from Hoare Logic


Frame Rule of Separation Logic

This facilitates local reasoning and specification.


Local Specifications


Inference Rules for Mutation


Inference Rules for Deallocation


Inference Rules for Noninterfering Allocation


Inference Rules for Lookup


Notation for Sequences


Singly Linked List

What is the default property (invariant) of this predicate?


Singly Linked List Segment


Singly Linked List Segment

Properties


Non-Touching Linked List Segment

Easier test for emptiness.


Braced List Segment


Bornat List


Doubly Linked List


XOR-Linked List Segment


Array Allocation

Inference rule:


Trees


DAGs


Intuitionistic Separation Logic

Intuitionistic logic supports justification rather than truth. Things that no longer hold include:

  • law of excluded middle (P ∨ ¬P)
  • double negation (¬¬P = P)
  • Peirce’s law (((P → Q) → P) → P)

Formulae valid in intuitionistic separation logic but not the classical one: x 1,y emp x 1,y * y ,nil x 1,_


Intuitionistic Assertion


Inference for Procedures


Copying Tree


Copying Tree (Proof)


Copying Tree (Proof)


Automated Verification

Modular verification:
  (i) Given pre/postconditions for each method and loop,
  (ii) determine that each postcondition is sound for the method body, and
  (iii) check that each precondition is satisfied at each call site.

Why verification?
  (i) It can handle more complex examples.
  (ii) It can be used to check an inference algorithm.
  (iii) It is part of the grand challenge of verifiable software.


Core Imperative Language


Data Nodes and Notation


Shape Predicates

  • Linked list with size
  • Doubly linked list (right traversal) with size
  • Sorted linked list with size, min, max


Insertion Sort Algorithm


Prime Notation

Prime notation is used to capture the latest value of each program variable. This allows a state transition to be expressed, since the unprimed form denotes the original values.


Prime Notation

Example:

  {x’=x ∧ y’=y}
  x:=x+1
  {x’=x+1 ∧ y’=y}
  x:=x+y
  {x’=x+1+y ∧ y’=y}
  y:=2
  {x’=x+1+y ∧ y’=2}


Forward Verification

Given 1, infer 2 : {1} e {2}
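As an added example (mine, not from the slides) covering both the prime-notation example and the forward-verification step above, a small forward symbolic executor for assignments: the state records each variable's primed value as an expression over the original unprimed values, and an assignment substitutes the current primed values into its right-hand side. Expression syntax (variables, integer constants and `+`) and the tuple representation are my own choices.

```python
# Added example (not from the slides): forward symbolic execution in prime notation.
# A state maps each program variable v to an expression over ORIGINAL (unprimed)
# values, i.e. it stands for the formula  v' = E_v  for every v, conjoined.
# Expressions are: a variable name (str), an int constant, or ('+', lhs, rhs).
from typing import Union

Expr = Union[str, int, tuple]

def subst(e: Expr, state: dict) -> Expr:
    """Replace every program variable in `e` by its current primed value."""
    if isinstance(e, str):
        return state[e]                 # latest value of the variable
    if isinstance(e, int):
        return e
    op, a, b = e
    return (op, subst(a, state), subst(b, state))

def assign(state: dict, var: str, rhs: Expr) -> dict:
    """Forward rule for var := rhs: var' becomes rhs over the current primed
    values; every other variable keeps its primed value (the frame)."""
    new = dict(state)
    new[var] = subst(rhs, state)
    return new

def initial(names: list) -> dict:
    """Identity state x'=x /\ y'=y ...: nothing has been modified yet."""
    return {v: v for v in names}

def render(e: Expr) -> str:
    if isinstance(e, tuple):
        return f"{render(e[1])}+{render(e[2])}"
    return str(e)

def show(state: dict) -> str:
    """Print the state as the slide does, e.g. \"x'=x+1+y ∧ y'=2\"."""
    return " ∧ ".join(f"{v}'={render(e)}" for v, e in sorted(state.items()))

def run_slide_example() -> dict:
    """The slide's program x:=x+1; x:=x+y; y:=2 from {x'=x ∧ y'=y}."""
    s = initial(["x", "y"])
    s = assign(s, "x", ("+", "x", 1))    # {x'=x+1 ∧ y'=y}
    s = assign(s, "x", ("+", "x", "y"))  # {x'=x+1+y ∧ y'=y}
    s = assign(s, "y", 2)                # {x'=x+1+y ∧ y'=2}
    return s
```

Note that the second assignment reads `y` through the state, so it picks up y's primed value (still `y`); had y been assigned first, the result for x would have used that new value instead.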


Forward Verification


Separation Constraint Normalization Rules

Target:


Separation Constraint Approximation

XPure_n() returns a sound approximation of the form:

non-null symbolic addresses

Normalization:


Translating to Pure Form


Deriving Shape Invariant

From each pure invariant, such as (n ≥ 0) for ll<n>, we use Inv1(..) to obtain a more precise invariant:


Separation Constraint Entailment

denotes


Separation Constraint Entailment


Unfolding Predicate in Antecedent


Folding a Predicate in Consequent

Folding is applied recursively until x::ll<n> matches the two data nodes in the antecedent, resulting in:

The effect of folding a predicate in the consequent is not the same as unfolding one, because values of derived variables may be lost!


Folding a Predicate in Consequent


Soundness of Entailment