SLIDE 1 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
Program Proofs in Hybrid Separation Logic
Armaël Guéneau & Jules Villard
Imperial College of London & ENS Lyon
4th September 2014
Armaël Guéneau Program Proofs in Hybrid Separation Logic 1/31
SLIDE 2 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
INTRODUCTION
General field of study: imperative programs verification.
§ We want to prove specifications, as Hoare triples:
tPu c tQu
§ We are also interested in memory safety
An existing framework: Separation logic
§ Assertions P, Q describe memory heaps § An additional inference rule for triples § Proving a specification requires memory safety
Armaël Guéneau Program Proofs in Hybrid Separation Logic 2/31
SLIDE 3 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
OUTLINE OF THIS TALK
§ Let’s play with separation logic: a motivational
example
§ Introducing hybrid separation logic § Can we do nicer proofs of our example using it? § Can we automate these proofs?
Armaël Guéneau Program Proofs in Hybrid Separation Logic 3/31
SLIDE 4
A MOTIVATIONAL EXAMPLE: copytree
SLIDE 5 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
THE copytree EXAMPLE [REY02]
tree* copytree(tree* x) { if (x == NULL) return x; tree* l’ = copytree(x->l); tree* r’ = copytree(x->r); tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; return x’; } struct tree { int val; tree* l; tree* r; };
What specification for copytree?
Armaël Guéneau Program Proofs in Hybrid Separation Logic 5/31
SLIDE 6 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
THE copytree EXAMPLE [REY02]
A FIRST SPECIFICATION
Separating conjunction
P1 › P2 ô P1 P2 ttree xu x’ = copytree(x) ttree x › tree x1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 6/31
SLIDE 7 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
THE copytree EXAMPLE [REY02]
A FIRST SPECIFICATION
tree x ” pDl, r : x ÞÑ val, l, r › tree l › tree rq _px = 0 ^ empq x ÞÑ a, b, c: emp: the empty heap
Armaël Guéneau Program Proofs in Hybrid Separation Logic 7/31
SLIDE 8 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
// ttree xu tree* copytree(tree* x) { if (x == NULL) return x; tree* l’ = copytree(x->l); tree* r’ = copytree(x->r); tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; x’->val = x->val; return x’; } // ttree x › tree x1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 8/31
SLIDE 9 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
// ttree xu tree* copytree(tree* x) { if (x == NULL) return x; // tx ÞÑ val, l, r › tree l › tree ru tree* l’ = copytree(x->l); // tx ÞÑ val, l, r › tree l › tree r › tree l1u tree* r’ = copytree(x->r); tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; x’->val = x->val; return x’; } // ttree x › tree x1u
tPu c tQu Frame tP › Ru c tQ › Ru
Armaël Guéneau Program Proofs in Hybrid Separation Logic 8/31
SLIDE 10 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
// ttree xu tree* copytree(tree* x) { if (x == NULL) return x; // tx ÞÑ val, l, r › tree l › tree ru // ttree lu tree* l’ = copytree(x->l); // ttree l › tree l1u // tx ÞÑ val, l, r › tree l › tree r › tree l1u tree* r’ = copytree(x->r); tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; x’->val = x->val; return x’; } // ttree x › tree x1u
tPu c tQu Frame tP › Ru c tQ › Ru
Armaël Guéneau Program Proofs in Hybrid Separation Logic 8/31
SLIDE 11 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
// ttree xu tree* copytree(tree* x) { if (x == NULL) return x; // tx ÞÑ val, l, r › tree l › tree ru // ttree lu tree* l’ = copytree(x->l); // ttree l › tree l1u // tx ÞÑ val, l, r › tree l › tree r › tree l1u tree* r’ = copytree(x->r); // tx ÞÑ val, l, r › tree l › tree r › tree l1 › tree r1u tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; x’->val = x->val; return x’; } // ttree x › tree x1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 8/31
SLIDE 12 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
// ttree xu tree* copytree(tree* x) { if (x == NULL) return x; // tx ÞÑ val, l, r › tree l › tree ru // ttree lu tree* l’ = copytree(x->l); // ttree l › tree l1u // tx ÞÑ val, l, r › tree l › tree r › tree l1u tree* r’ = copytree(x->r); // tx ÞÑ val, l, r › tree l › tree r › tree l1 › tree r1u tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; x’->val = x->val; // tx ÞÑ val, l, r › tree l › tree r › x1 ÞÑ val, l1, r1 › tree l1 › tree r1u return x’; } // ttree x › tree x1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 8/31
SLIDE 13 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
THE copytree EXAMPLE [REY02]
In fact, copytree also works on dags (directed acyclic graphs). dag x ” Dl, r : x ÞÑ val, l, r › pdag l ?? dag rq _px = 0 ^ empq
Armaël Guéneau Program Proofs in Hybrid Separation Logic 9/31
SLIDE 14 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
THE copytree EXAMPLE [REY02]
TALKING ABOUT OVERLAPPING HEAPS
Overlapping conjunction
P1 Y › P2 ô P1 P2
Armaël Guéneau Program Proofs in Hybrid Separation Logic 10/31
SLIDE 15 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
THE copytree EXAMPLE [REY02]
WHAT DEFINITION OF dag x?
dag x ” Dl, r : x ÞÑ val, l, r › pdag l Y › dag rq _px = 0 ^ empq
Armaël Guéneau Program Proofs in Hybrid Separation Logic 11/31
SLIDE 16 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
THE copytree EXAMPLE [REY02]
tdag xu x’ = copytree(x) tdag x › tree x1u We cannot prove this specification. // tx ÞÑ val, l, r › pdag l Y › dag rqu tree* l’ = copytree(x->l); // tx ÞÑ val, l, r › pdag l Y › dag rq › tree l1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 12/31
SLIDE 17 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
THE copytree EXAMPLE [REY02]
tdag xu x’ = copytree(x) tdag x › tree x1u We cannot prove this specification. // tx ÞÑ val, l, r › pdag l Y › dag rqu // tdag lu tree* l’ = copytree(x->l); // tdag l › tree l1u // tx ÞÑ val, l, r › pdag l Y › dag rq › tree l1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 12/31
SLIDE 18 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
THE copytree EXAMPLE [REY02]
Solution idea from Reynolds [Rey02]: use an assertion variable that implicitly quantifies over properties on the heap. tp ^ dag τ xu x’ Ð copytree(x) tp › tree τ xu
§ Has a taste of second-order logic § Overkill?
Armaël Guéneau Program Proofs in Hybrid Separation Logic 13/31
SLIDE 19 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
THE copytree EXAMPLE [REY02]
Solution from Hobor & Villard [HobVill13]:
§ Very precise dag predicate (parametrized by a mathematical view
§ Prove functional correctness § Ramification instead of frame rule + heavy semantic proofs
Armaël Guéneau Program Proofs in Hybrid Separation Logic 14/31
SLIDE 20 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
THE copytree EXAMPLE
Automated reasoning requires a much simpler reasoning. To talk about preserving parts of the heap, we can use labels! (think heap variables)
Armaël Guéneau Program Proofs in Hybrid Separation Logic 15/31
SLIDE 21
HYBRID SEPARATION LOGIC:
SEPARATION LOGIC + LABELS
SLIDE 22 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
INTRODUCING THE HYBRID SEPARATION LOGIC
Separation logic: defines the interpretation of ^, _, ñ, ›, − − ›, ... Hybrid separation logic: separation logic + ℓ (heap variables or labels) + @ℓA (@-modality) + D-quantifiers on labels ρ: valuation: Labels á Heaps h | ùρ ℓ ô h = ρpℓq h | ùρ @ℓA ô ρpℓq | ùρ A h | ùρ Dℓ : A ô exists hℓ heap st. h | ùρrℓÑhℓs A
Armaël Guéneau Program Proofs in Hybrid Separation Logic 17/31
SLIDE 23 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
EXAMPLE: CHARACTERIZATION OF Y ›
P Y › Q ô Dd, a, b, u, v : pa › d › bq ^ @upa › dq ^ @vpd › bq ^ @uP ^ @vQ
Armaël Guéneau Program Proofs in Hybrid Separation Logic 18/31
SLIDE 24 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
REMARK: D ARE PRENEX
In practice, D-quantifiers are prenex. tPu c tQu Exists tDx.Pu c tDx.Qu We never need to explicitely manipulate formulæ with D.
Armaël Guéneau Program Proofs in Hybrid Separation Logic 19/31
SLIDE 25 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
INTUITIVE REMARKS
§ Propagation lemma
tA ^ @ℓPu c tBu tA ^ @ℓPu c tB ^ @ℓPu
§ u ^ @uP ñ P § P ^ @uP ä
ñ u ^ @uP
§ ℓ1 › . . . › ℓn ^ @upℓ1 › . . . › ℓnq ñ u ^ @upℓ1 › . . . › ℓnq
Armaël Guéneau Program Proofs in Hybrid Separation Logic 20/31
SLIDE 26
PROVING PROGRAM SPECIFICATIONS USING
HYBRID SEPARATION LOGIC
SLIDE 27 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
BACK TO copytree
dag x ” Dl, r : x ÞÑ val, l, r › pdag l Y › dag rq _ppx = 0q ^ empq tree x ” Dl, r : x ÞÑ val, l, r › tree l › tree r _ppx = 0q ^ empq tℓ ^ @ℓdag xu x’ Ð copytree(x) tℓ › tree x1u This specification is provable.
Armaël Guéneau Program Proofs in Hybrid Separation Logic 22/31
SLIDE 28 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
// tℓ ^ @ℓdag xu tree* copytree(tree* x) { if (x == NULL) return x; tree* l’ = copytree(x->l); tree* r’ = copytree(x->r); tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; return x’; } // tℓ › tree x1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 23/31
SLIDE 29 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
tree* copytree(tree* x) { if (x == NULL) return x; // $ & % ℓ ^@ℓpx ÞÑ val, l, r › dℓ › d › drq ^@updℓ › dq ^ @udag l ^@vpd › drq ^ @vdag r , .
- tree* l’ = copytree(x->l);
tree* r’ = copytree(x->r); tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; return x’; } // tℓ › tree x1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 23/31
SLIDE 30 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
tree* copytree(tree* x) { if (x == NULL) return x; // $ & % ℓ ^@ℓpx ÞÑ val, l, r › dℓ › d › drq ^@updℓ › dq ^ @udag l ^@vpd › drq ^ @vdag r , .
- tree* l’ = copytree(x->l);
// tℓ › tree l1 ^ . . .u tree* r’ = copytree(x->r); tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; return x’; } // tℓ › tree x1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 23/31
SLIDE 31 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
tree* copytree(tree* x) { if (x == NULL) return x; // $ & % ℓ ^@ℓpx ÞÑ val, l, r › dℓ › d › drq ^@updℓ › dq ^ @udag l ^@vpd › drq ^ @vdag r , .
- tree* l’ = copytree(x->l);
// tℓ › tree l1 ^ . . .u tree* r’ = copytree(x->r); tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; return x’; } // tℓ › tree x1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 23/31
SLIDE 32 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
spatial part pure facts (propagate) ℓ ^@lpx ÞÑ val, l, r › dℓ › d › drq ^@updℓ › dq ^ @udag l ^@vpd › drq ^ @vdag r ñ x ÞÑ val, l, r › dℓ › d › dr Frame dℓ › d ñ u ^@udag l l’ = copytree(x->l) u › tree l1 x ÞÑ val, l, r › u › tree l1 › dr ñ x ÞÑ val, l, r › dℓ › d › tree l1 › dr ñ ℓ › tree l1
Armaël Guéneau Program Proofs in Hybrid Separation Logic 24/31
SLIDE 33 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
tree* copytree(tree* x) { if (x == NULL) return x; // $ & % ℓ ^@ℓpx ÞÑ val, l, r › dℓ › d › drq ^@updℓ › dq ^ @udag l ^@vpd › drq ^ @vdag r , .
- tree* l’ = copytree(x->l);
// tℓ › tree l1 ^ . . .u tree* r’ = copytree(x->r); tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; return x’; } // tℓ › tree x1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 25/31
SLIDE 34 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
tree* copytree(tree* x) { if (x == NULL) return x; // $ & % ℓ ^@ℓpx ÞÑ val, l, r › dℓ › d › drq ^@updℓ › dq ^ @udag l ^@vpd › drq ^ @vdag r , .
- tree* l’ = copytree(x->l);
// tℓ › tree l1 ^ . . .u tree* r’ = copytree(x->r); // tℓ › tree l1 › tree r1 ^ . . .u tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; return x’; } // tℓ › tree x1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 25/31
SLIDE 35 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
tree* copytree(tree* x) { if (x == NULL) return x; // $ & % ℓ ^@ℓpx ÞÑ val, l, r › dℓ › d › drq ^@updℓ › dq ^ @udag l ^@vpd › drq ^ @vdag r , .
- tree* l’ = copytree(x->l);
// tℓ › tree l1 ^ . . .u tree* r’ = copytree(x->r); // tℓ › tree l1 › tree r1 ^ . . .u tree* x’ = malloc(sizeof(tree )); x’->l = l’; x’->r = r’; // tℓ › tree l1 › tree r1 › x1 ÞÑ val, l1, r1 ^ . . .u return x’; } // tℓ › tree x1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 25/31
SLIDE 36 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
TO WRAP UP
We’re happy: we have a formal framework (Hybrid separation logic) that gives us a nicer proof than the state of the art. However, copytree is a bit simple: it doesn’t modify anything.
Armaël Guéneau Program Proofs in Hybrid Separation Logic 26/31
SLIDE 37 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
MORE PROGRAMS ON DAGS
§ mark: mark every node of a dag Ñ changes the content § spanning: compute the spanning tree of a dag Ñ changes the
shape
Armaël Guéneau Program Proofs in Hybrid Separation Logic 27/31
SLIDE 38
TOWARDS AUTOMATIC REASONING ON
HYBRID FORMULÆ
SLIDE 39 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
INTEGRATION IN llStar
We have a working automatic proof of copytree in llStar.
Armaël Guéneau Program Proofs in Hybrid Separation Logic 29/31
SLIDE 40 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
HANDLING HYBRID FORMULÆ IN TOOLS
We have a canonical form for hybrid formulæ and the associated algorithm.
Armaël Guéneau Program Proofs in Hybrid Separation Logic 30/31
SLIDE 41 INTRODUCTION THE copytree EXAMPLE HYBRID SEPARATION LOGIC EXAMPLE PROOFS AUTOMATIC REASONING CONCLUSION
CONCLUSION
§ Hybrid separation logic: nicer and simpler proofs on some
examples
§ Proofs that just look like folding/unfolding @s: easy automatic
proving?
Armaël Guéneau Program Proofs in Hybrid Separation Logic 31/31
SLIDE 42
THE copytree EXAMPLE [REY02]
(Counter) example: tdag xu x’ = evil_copytree(x) tdag x › tree x1u tx ÞÑ val, l, r › pdag l Y › dag rqu l’ = evil_copytree(l) tx ÞÑ val, l, r › pdag l Y › dag rq › tree l1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 32/31
SLIDE 43 SOME MORE EXAMPLES
§ tℓu skip tℓu is valid. § tℓ ^ @ℓpy ÞÑ vqu x = *y tℓu (modifies the stack, not the heap) § tℓu *x = 3 tℓu is not § tℓ ^ @ℓpx ÞÑ 4qu *x = 3 tℓu is not
Armaël Guéneau Program Proofs in Hybrid Separation Logic 33/31
SLIDE 44 mark
mark marks the nodes it goes through.
§ It does not preserve the heap § However it preserves its shape
void mark(dag* x) { if (x == NULL) return; mark(x->l); mark(x->r); x->val = 1; }
Armaël Guéneau Program Proofs in Hybrid Separation Logic 34/31
SLIDE 45
mark
“Same region” operator on labels
h | ùρ ℓ „ ℓ1 iff ρpℓq and ρpℓ1q cover the same heap region
(i.e. Dom(ρpℓq) = Dom(ρpℓ1q)
Eg, @ℓpx ÞÑ 3q ^ @ℓ1px ÞÑ 4q ñ ℓ „ ℓ1 @ℓpx ÞÑ 3 › y ÞÑ 4q ^ @ℓ1px ÞÑ 3q ñ ℓ ℓ1 ℓ „ ℓ @ua › b ^ @va1 › b1 ñ a „ a1 ^ b „ b1 ñ u „ v
Armaël Guéneau Program Proofs in Hybrid Separation Logic 35/31
SLIDE 46
mark
We can now write a specification for mark: tℓ ^ @ℓdag xu mark(x) tDℓ1 : ℓ1 ^ @ℓ1dag x ^ ℓ „ ℓ1u
Armaël Guéneau Program Proofs in Hybrid Separation Logic 36/31
SLIDE 47
mark
Preserving region: the minimum needed for the induction to hold.
Armaël Guéneau Program Proofs in Hybrid Separation Logic 37/31
SLIDE 48 spanning
Computes the spaning tree of a dag by removing superfluous edges.
§ Input: a dag of unmarked nodes, which may point to marked
nodes.
§ Preserve the marked part; mark and compute the spanning tree of
the unmarked one.
Armaël Guéneau Program Proofs in Hybrid Separation Logic 38/31
SLIDE 49
spanning
void spanning(dag* x) { if (x == NULL) return; x->val = 1; if (x->l && !x->l->val) spanning(l); else x->l = NULL; if (x->r && !x->r->val) spanning(r); else x->r = NULL; }
Armaël Guéneau Program Proofs in Hybrid Separation Logic 39/31
SLIDE 50
spanning
Idea: parametrize the inductive predicate by labels
dagpx, a, bq
Armaël Guéneau Program Proofs in Hybrid Separation Logic 40/31
SLIDE 51
spanning
Specification: tdagpx, a, bqu spanning(x) tDa1 : a1 › b ^ @a1mtreepxq ^ a1 „ au
Armaël Guéneau Program Proofs in Hybrid Separation Logic 41/31
