
Tutorial on separation logic, Viktor Vafeiadis, Max Planck Institute (PowerPoint presentation)



  1. Tutorial on separation logic
  Viktor Vafeiadis, Max Planck Institute for Software Systems (MPI-SWS)
  Dagstuhl, 2015-11-02

  2. Plan for the talk
  Talk outline:
  ◮ Motivation
  ◮ Basic separation logic
  ◮ Concurrent separation logic
  ◮ Frame inference & bi-abduction
  ◮ Pros & cons of separation logic
  Viktor Vafeiadis, Tutorial on separation logic, 2/19

  3. Specifying a binary tree
  ◮ In ML, one writes: type Tree = Leaf | Node of Tree * Tree
  ◮ Can we do something similar for imperative trees?
  ◮ Assume a function $h : \mathit{Loc} \rightharpoonup \mathit{Val}$ representing the memory (a.k.a. the 'heap').
  ◮ We typically take $\mathit{Loc} = \mathit{Val} = \mathbb{Z}$.
  ◮ Define a predicate $\mathit{Tree}(h, x)$ describing trees rooted at $x$.

  4. Specifying a binary tree
  First attempt:
  $$ \mathit{Tree}(h, x) \triangleq x = 0 \lor \mathit{Tree}(h, h(x)) \land \mathit{Tree}(h, h(x+1)) $$
  ◮ The spec is satisfied by trees rooted at $x$.
  ◮ But also by many other shapes.

  5. Specifying a binary tree
  Solution: Record the set of used addresses.
  $$ \mathit{Tree}(h, x, A) \triangleq (x = 0 \land A = \emptyset) \lor \exists B, C.\; \begin{array}{l} A = \{x, x+1\} \cup B \cup C \\ \land\ \{x, x+1\} \cap B = \emptyset \\ \land\ \{x, x+1\} \cap C = \emptyset \\ \land\ B \cap C = \emptyset \\ \land\ \mathit{Tree}(h, h(x), B) \\ \land\ \mathit{Tree}(h, h(x+1), C) \end{array} $$

  6. Specifying a binary tree (continued)
  Separation logic writes the address-tracking definition of $\mathit{Tree}(h, x, A)$ from the previous slide more elegantly:
  $$ \mathit{Tree}(x) \triangleq x = 0 \land \mathit{emp} \lor \exists y, z.\; x \mapsto y, z * \mathit{Tree}(y) * \mathit{Tree}(z) $$
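The three tree definitions above, checked on small finite heaps. This is an added example and not code from the slides; it models the heap as a Python dict from integer locations to integer values, with 0 as the null pointer and a node at x occupying cells x and x+1, and the sample heaps are constructed here.

```python
# Added example (not from the slides): finite heaps as dicts Loc -> Val with
# Loc = Val = integers and 0 as the null pointer. A node at x occupies the two
# cells x (left child) and x+1 (right child), i.e. x ↦ l, r.

def tree_first_attempt(h, x, path=()):
    """Slide 4: Tree(h, x) = x = 0 ∨ Tree(h, h(x)) ∧ Tree(h, h(x+1)).
    The definition is inductive, so a cycle back to an ancestor is rejected."""
    if x == 0:
        return True
    if x in path or x not in h or x + 1 not in h:
        return False
    return (tree_first_attempt(h, h[x], path + (x,))
            and tree_first_attempt(h, h[x + 1], path + (x,)))

def tree_addrs(h, x, path=()):
    """Slide 5: return the set A with Tree(h, x, A), or None if there is none.
    A = {x, x+1} ∪ B ∪ C, and the three parts must be pairwise disjoint."""
    if x == 0:
        return set()
    if x in path or x not in h or x + 1 not in h:
        return None
    cell = {x, x + 1}
    b = tree_addrs(h, h[x], path + (x,))
    c = tree_addrs(h, h[x + 1], path + (x,))
    if b is None or c is None or cell & b or cell & c or b & c:
        return None          # a subtree is not a tree, or subtrees share cells
    return cell | b | c

def sat_tree_sl(h, x):
    """Slide 6: h ⊨ Tree(x). Because ∗ partitions the heap and leaves are emp,
    h must consist of exactly the tree's cells, no more and no less."""
    a = tree_addrs(h, x)
    return a is not None and a == set(h)

# Constructed heaps (not from the slides).
PROPER_TREE = {1: 3, 2: 5, 3: 0, 4: 0, 5: 0, 6: 0}  # root 1, leaves 3 and 5
SHARED = {1: 3, 2: 3, 3: 0, 4: 0}                    # both children of 1 are node 3
JUNK = {**PROPER_TREE, 9: 0}                         # tree plus an unrelated cell

if __name__ == "__main__":
    for name, h in [("proper", PROPER_TREE), ("shared", SHARED), ("junk", JUNK)]:
        print(name, tree_first_attempt(h, 1), tree_addrs(h, 1), sat_tree_sl(h, 1))
```

The shared-subtree heap passes the first attempt but has no address set A, and the junk heap has one yet still fails the separation-logic predicate because emp leaves no room for cells outside the tree.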

  7. Separation logic assertions
  Basic assertions:
  $$ h \models \mathit{emp} \iff \mathrm{dom}(h) = \emptyset $$
  $$ h \models x \mapsto y \iff \mathrm{dom}(h) = \{x\} \land h(x) = y $$
  $$ h \models P * Q \iff \exists h_1, h_2.\; h = h_1 \uplus h_2 \land (h_1 \models P) \land (h_2 \models Q) $$
  $$ h \models P \land Q \iff (h \models P) \land (h \models Q) $$
  $$ h \models P \lor Q \iff (h \models P) \lor (h \models Q) $$
  Derived assertions:
  $$ x \mapsto - \;\triangleq\; \exists y.\; x \mapsto y $$
  $$ x \mapsto y, z \;\triangleq\; x \mapsto y * (x+1) \mapsto z $$
  Note that $P * \mathit{emp} \iff P$.

  8. Inductive definitions
  ◮ Singly-linked list segments:
  $$ \mathit{ls}(x, y) \triangleq x = y \land \mathit{emp} \lor x \neq y \land \exists z.\; x \mapsto -, z * \mathit{ls}(z, y) $$
  ◮ An alternative definition:
  $$ \mathit{lsi}(x, y) \triangleq x = y \land \mathit{emp} \lor \exists z.\; x \mapsto -, z * \mathit{lsi}(z, y) $$
  ◮ Can you spot the difference? What do $\mathit{ls}(x, x)$ and $\mathit{lsi}(x, x)$ denote?

  9. Inductive definitions (continued)
  The difference between $\mathit{ls}$ and $\mathit{lsi}$ shows up when segments are composed:
  $$ \mathit{lsi}(x, y) * \mathit{lsi}(y, z) \Rightarrow \mathit{lsi}(x, z) $$
  $$ \mathit{ls}(x, y) * \mathit{ls}(y, z) \not\Rightarrow \mathit{ls}(x, z) $$
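A decision procedure for the two list-segment predicates and for ∗ on finite heaps, answering the question on slide 8 and exhibiting the failed composition on slide 9. This is an added example, not code from the slides; the heap model (dict from integer locations to integer values, a node at x occupying cells x and x+1) and the sample heaps are constructed here.

```python
# Added example (not from the slides): decide h ⊨ ls(x, y) and h ⊨ lsi(x, y)
# from slides 8-9 on finite heaps, modelled as dicts Loc -> Val with
# Loc = Val = integers. "x ↦ −, z" occupies cell x (any value) and cell x+1 = z.
from itertools import combinations

def sat_ls(h, x, y, strict=True):
    """h ⊨ ls(x, y) when strict, h ⊨ lsi(x, y) otherwise. Both are inductive
    (least fixpoints): each unfolding consumes two cells, so recursion ends."""
    if x == y and not h:
        return True                              # x = y ∧ emp
    if strict and x == y:
        return False                             # ls also requires x ≠ y
    if x not in h or x + 1 not in h:
        return False                             # no cell to unfold
    rest = {l: v for l, v in h.items() if l not in (x, x + 1)}
    return sat_ls(rest, h[x + 1], y, strict)     # x ↦ −, z ∗ ls(z, y)

def sat_star(h, p, q):
    """h ⊨ P ∗ Q: try every split h = h1 ⊎ h2 with h1 ⊨ P and h2 ⊨ Q.
    Exponential in |dom(h)|, which is fine for the small heaps below."""
    locs = sorted(h)
    for k in range(len(locs) + 1):
        for part in combinations(locs, k):
            h1 = {l: h[l] for l in part}
            h2 = {l: h[l] for l in locs if l not in part}
            if p(h1) and q(h2):
                return True
    return False

# Constructed heaps (not from the slides).
CYCLE = {1: 0, 2: 3, 3: 0, 4: 1}   # nodes 1 and 3 point at each other
SEG = {1: 0, 2: 3, 3: 0, 4: 5}     # 1 -> 3 -> 5, with 5 outside this heap

def composition_holds(h, x, y, z, strict):
    """Does h ⊨ seg(x,y) ∗ seg(y,z) imply h ⊨ seg(x,z) on this heap?"""
    premise = sat_star(h, lambda h1: sat_ls(h1, x, y, strict),
                          lambda h2: sat_ls(h2, y, z, strict))
    return (not premise) or sat_ls(h, x, z, strict)

if __name__ == "__main__":
    print("ls(1,1) on cycle :", sat_ls(CYCLE, 1, 1, True))     # ls(x,x) is emp only
    print("lsi(1,1) on cycle:", sat_ls(CYCLE, 1, 1, False))    # a cyclic list
    print("ls composes on cycle :", composition_holds(CYCLE, 1, 3, 1, True))
    print("lsi composes on cycle:", composition_holds(CYCLE, 1, 3, 1, False))
```

On the two-node cycle, ls(1,3) ∗ ls(3,1) holds (split the heap between the two nodes) while ls(1,1) does not, which is exactly the non-implication on slide 9; lsi accepts the cycle as lsi(1,1).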

  10. Program logic
  ◮ Hoare triples $\{P\}\, C\, \{Q\}$
  ◮ Fault-free interpretation: $(h \models P) \Rightarrow \langle C, h \rangle \not\to^{*} \mathit{abort}$
  ◮ The frame rule:
  $$ \frac{\{P\}\, C\, \{Q\} \qquad \mathrm{fv}(R) \cap \mathrm{wr}(C) = \emptyset}{\{P * R\}\, C\, \{Q * R\}} \;(\textsc{frame}) $$
  where $\mathrm{wr}(C)$ are the variables written by $C$.

  11. Standard rules from Hoare logic
  $$ \{P\}\, \mathbf{skip}\, \{P\} \;(\textsc{skip}) $$
  $$ \{[E/x]P\}\, x := E\, \{P\} \;(\textsc{assign}) $$
  $$ \frac{\{P\}\, C_1\, \{Q\} \qquad \{Q\}\, C_2\, \{R\}}{\{P\}\, C_1; C_2\, \{R\}} \;(\textsc{seq}) $$
  $$ \frac{\{P \land B\}\, C_1\, \{Q\} \qquad \{P \land \lnot B\}\, C_2\, \{Q\}}{\{P\}\, \mathbf{if}\ B\ \mathbf{then}\ C_1\ \mathbf{else}\ C_2\, \{Q\}} \;(\textsc{if}) $$
  $$ \frac{\{P \land B\}\, C\, \{P\}}{\{P\}\, \mathbf{while}\ B\ \mathbf{do}\ C\, \{P \land \lnot B\}} \;(\textsc{while}) $$

  12. More standard rules
  $$ \frac{P' \Rightarrow P \qquad \{P\}\, C\, \{Q\} \qquad Q \Rightarrow Q'}{\{P'\}\, C\, \{Q'\}} \;(\textsc{conseq}) $$
  $$ \frac{\{P_1\}\, C\, \{Q\} \qquad \{P_2\}\, C\, \{Q\}}{\{P_1 \lor P_2\}\, C\, \{Q\}} \;(\textsc{disj}) $$
  $$ \frac{\{P\}\, C\, \{Q\} \qquad x \notin \mathrm{fv}(C, Q)}{\{\exists x.\, P\}\, C\, \{Q\}} \;(\textsc{ex}) $$
  $$ \frac{\{P\}\, C\, \{Q_1\} \qquad \{P\}\, C\, \{Q_2\}}{\{P\}\, C\, \{Q_1 \land Q_2\}} \;(\textsc{conj}) $$
  $$ \frac{\{P\}\, C\, \{Q\} \qquad x \notin \mathrm{fv}(P, C)}{\{P\}\, C\, \{\forall x.\, Q\}} \;(\textsc{all}) $$

  13. New proof rules
  $$ \frac{x \notin \mathrm{fv}(E, E')}{\{E \mapsto E'\}\, x := [E]\, \{E \mapsto E' \land x = E'\}} \;(\textsc{read}) $$
  $$ \{E \mapsto -\}\, [E] := E'\, \{E \mapsto E'\} \;(\textsc{write}) $$
  $$ \frac{x \notin \mathrm{fv}(N)}{\{\mathit{emp}\}\, x := \mathbf{alloc}(N)\, \{\underbrace{x \mapsto -, \ldots, -}_{N}\}} \;(\textsc{alloc}) $$
  $$ \{E \mapsto -\}\, \mathbf{free}(E)\, \{\mathit{emp}\} \;(\textsc{free}) $$

  14. Mergesort
  Specifications:
  $$ \{\mathit{sorted}(x) * \mathit{sorted}(y)\}\; r := \mathit{merge}(x, y)\; \{\mathit{sorted}(r)\} $$
  $$ \{\mathit{list}(x)\}\; (a, b) := \mathit{split}(x)\; \{\mathit{list}(a) * \mathit{list}(b)\} $$
  $$ \{\mathit{list}(x)\}\; r := \mathit{msort}(x)\; \{\mathit{sorted}(r)\} $$
  Proof outline for $r := \mathit{msort}(x)$:
    { list(x) }
    (a, b) := split(x);
    { list(a) ∗ list(b) }
    a := msort(a);
    { sorted(a) ∗ list(b) }
    b := msort(b);
    { sorted(a) ∗ sorted(b) }
    r := merge(a, b)
    { sorted(r) }

  15. Disjoint parallelism
  Proof rule:
  $$ \frac{\begin{array}{ll} \{P_1\}\, C_1\, \{Q_1\} & \mathrm{fv}(P_1, C_1, Q_1) \cap \mathrm{wr}(C_2) = \emptyset \\ \{P_2\}\, C_2\, \{Q_2\} & \mathrm{fv}(P_2, C_2, Q_2) \cap \mathrm{wr}(C_1) = \emptyset \end{array}}{\{P_1 * P_2\}\, C_1 \parallel C_2\, \{Q_1 * Q_2\}} \;(\textsc{par}) $$
  Comments:
  ◮ $C_1$ accesses only heap described by $P_1$ or allocated by itself.
  ◮ $C_2$ accesses only heap described by $P_2$ or allocated by itself.
  ◮ The heaps are disjoint $\Rightarrow$ no races.
  ◮ But also no communication between threads.

  16. Parallel mergesort
  Specifications:
  $$ \{\mathit{sorted}(x) * \mathit{sorted}(y)\}\; r := \mathit{merge}(x, y)\; \{\mathit{sorted}(r)\} $$
  $$ \{\mathit{list}(x)\}\; (a, b) := \mathit{split}(x)\; \{\mathit{list}(a) * \mathit{list}(b)\} $$
  $$ \{\mathit{list}(x)\}\; r := \mathit{pmsort}(x)\; \{\mathit{sorted}(r)\} $$
  Proof outline for $r := \mathit{pmsort}(x)$ (the two recursive calls run in parallel, each on its own half of the heap):
    { list(x) }
    (a, b) := split(x);
    { list(a) ∗ list(b) }
      { list(a) }          ∥   { list(b) }
      a := pmsort(a)       ∥   b := pmsort(b)
      { sorted(a) }        ∥   { sorted(b) }
    ;
    { sorted(a) ∗ sorted(b) }
    r := merge(a, b)
    { sorted(r) }

  17. Concurrent separation logic [O'Hearn, Theor. Comp. Sci. '07]
  Extend Hoare triples with resource invariants: $J \vdash \{P\}\, C\, \{Q\}$
  $$ \frac{\begin{array}{ll} J \vdash \{P_1\}\, C_1\, \{Q_1\} & \mathrm{fv}(P_1, C_1, Q_1) \cap \mathrm{wr}(C_2) = \emptyset \\ J \vdash \{P_2\}\, C_2\, \{Q_2\} & \mathrm{fv}(P_2, C_2, Q_2) \cap \mathrm{wr}(C_1) = \emptyset \end{array}}{J \vdash \{P_1 * P_2\}\, C_1 \parallel C_2\, \{Q_1 * Q_2\}} \;(\textsc{par}) $$
  $$ \frac{\mathit{emp} \vdash \{P * J \land B\}\, C\, \{Q * J\}}{J \vdash \{P\}\, \mathbf{when}\ B\ \mathbf{do}\ C\, \{Q\}} \;(\textsc{atom}) $$
  $$ \frac{J * R \vdash \{P\}\, C\, \{Q\}}{J \vdash \{P * R\}\, C\, \{Q * R\}} \;(\textsc{share}) $$
  Let $\mathbf{atomic}\ C \triangleq \mathbf{when}\ \mathit{true}\ \mathbf{do}\ C$.

  18. Ownership transfer
  Let $J \triangleq y = 0 \lor x \mapsto 4$.
  The whole program runs from $\{x \mapsto 0\}$ to $\{x \mapsto 5\}$; the cell $x$ is handed from the left thread to the right one through the resource invariant $J$:
    { x ↦ 0 }
      { x ↦ 0 }              ∥   { emp }
      [x] := 4;              ∥   when y = 1 do y := 0;
      { x ↦ 4 }              ∥   { x ↦ 4 }
      atomic y := 1          ∥   [x] := 5;
      { emp }                ∥   { x ↦ 5 }
    { x ↦ 5 }

  19. The meaning of CSL triples [MFPS 2011]
  $$ [\![ J \vdash \{P\}\, C\, \{Q\} ]\!] \;\triangleq\; \forall h\, n.\; h \models P \Rightarrow \mathit{safe}_n(C, h, J, Q) $$
  $$ \mathit{safe}_0(C, h, J, Q) \triangleq \mathit{true} $$
  $$ \begin{array}{l} \mathit{safe}_{n+1}(C, h, J, Q) \triangleq \\ \quad (C = \mathbf{skip} \Rightarrow h \models Q) \\ \quad \land\ (\forall h_J\, h_F.\; h_J \models J \Rightarrow \langle C, h \uplus h_J \uplus h_F \rangle \not\to \mathit{abort}) \\ \quad \land\ (\forall h_J\, h_F\, C'\, h'.\; \langle C, h \uplus h_J \uplus h_F \rangle \to \langle C', h' \rangle \land h_J \models J \Rightarrow \\ \qquad\quad \exists h''\, h'_J.\; h' = h'' \uplus h'_J \uplus h_F \land h'_J \models J \land \mathit{safe}_n(C', h'', J, Q)) \end{array} $$
  Comments:
  ◮ $h$ is the local heap (owned by $C$).
  ◮ Add a heap $h_J$ satisfying the resource invariant $J$.
  ◮ The resource invariant must be re-established in $h'_J$.
  ◮ Bake in the frame rule using $h_F$.

  20. Variants of entailment
  ◮ Entailment: $P \Rightarrow Q$
  ◮ Frame inference: $P \Rightarrow Q * {?R}$
  ◮ Abduction: $P * {?A} \Rightarrow Q$
  ◮ Bi-abduction: $P * {?A} \Rightarrow Q * {?R}$

  21. Summary of separation logic
  Pros of SL:
  ◮ Concise description of inductive data structures
  ◮ Locality (frame rule)
  ◮ No memory errors
  ◮ No memory leaks
  ◮ No data races
  ◮ Novel ways of thinking: e.g., ownership transfer
  ◮ Huge impact in PL
  Cons of SL:
  ◮ Reasoning about aliased data structures is complex
  ◮ Locality not always useful
  ◮ Reasoning in the model is often better
  ◮ The conj rule is not so useful
  ◮ Technical side conditions: precision
  ◮ Subtleties: e.g., ls vs lsi
