Tutorial on separation logic Viktor Vafeiadis Max Planck Institute - - PowerPoint PPT Presentation

Tutorial on separation logic

Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) Dagstuhl, 2015-11-02

Plan for the talk

Talk outline

◮ Motivation ◮ Basic separation logic ◮ Concurrent separation logic ◮ Frame inference & bi-abduction ◮ Pros & cons of separation logic

Viktor Vafeiadis Tutorial on separation logic 2/19

Specifying a binary tree

◮ In a ML, one writes:

type Tree = Leaf | Node of Tree * Tree

◮ Can we do something similar for imperative trees? ◮ Assume function h : Loc ⇀ Val representing the memory

(a.k.a. the ‘heap’).

◮ We typically take Loc = Val = Z. ◮ Define predicate Tree(h, x) describing trees rooted at x.

Viktor Vafeiadis Tutorial on separation logic 3/19

Specifying a binary tree

First attempt: Tree(h, x) x = 0 ∨ Tree(h, h(x)) ∧ Tree(h, h(x + 1))

◮ The spec is satisfied by trees rooted at x.

x

◮ But also by many other shapes.

x

Viktor Vafeiadis Tutorial on separation logic 4/19

Specifying a binary tree

Solution: Record the set of used addresses. Tree(h, x, A)

• x = 0 ∧

A = ∅

• ∨∃B, C.

         

A = {x, x + 1} ∪ B ∪ C ∧ {x, x + 1} ∩ B = ∅ ∧ {x, x + 1} ∩ C = ∅ ∧ B ∩ C = ∅ ∧ Tree(h, h(x), B) ∧ Tree(h, h(x + 1), C)

         

Viktor Vafeiadis Tutorial on separation logic 5/19

Specifying a binary tree

Solution: Record the set of used addresses. Tree(h, x, A)

• x = 0 ∧

A = ∅

• ∨∃B, C.

         

A = {x, x + 1} ∪ B ∪ C ∧ {x, x + 1} ∩ B = ∅ ∧ {x, x + 1} ∩ C = ∅ ∧ B ∩ C = ∅ ∧ Tree(h, h(x), B) ∧ Tree(h, h(x + 1), C)

         

Separation logic writes this more elegantly: Tree(x) x = 0 ∧ emp ∨ ∃y, z. x → y, z ∗ Tree(y) ∗ Tree(z)

Viktor Vafeiadis Tutorial on separation logic 5/19

Separation logic assertions

Basic assertions: h | = emp ⇐ ⇒ dom(h) = ∅ h | = x → y ⇐ ⇒ dom(h) = {x} ∧ h(x) = y h | = P ∗ Q ⇐ ⇒ ∃h1, h2. h = h1 ⊎ h2 ∧ (h1 | = P) ∧ (h2 | = Q) h | = P ∧ Q ⇐ ⇒ (h | = P) ∧ (h | = Q) h | = P ∨ Q ⇐ ⇒ (h | = P) ∨ (h | = Q) Derived assertions: x → − ∃y. x → y x → y, z x → y ∗ (x + 1) → z Note that P ∗ emp ⇐ ⇒ P.

Viktor Vafeiadis Tutorial on separation logic 6/19

Inductive definitions

◮ Singly-linked list segments:

ls(x, y) x = y ∧ emp ∨ x = y ∧ ∃z. x → −, z ∗ ls(z, y)

◮ An alternative definition:

lsi(x, y) x = y ∧ emp ∨ ∃z. x → −, z ∗ lsi(z, y)

◮ Can you spot the difference?

What do ls(x, x) and lsi(x, x) denote?

Viktor Vafeiadis Tutorial on separation logic 7/19

Inductive definitions

◮ Singly-linked list segments:

ls(x, y) x = y ∧ emp ∨ x = y ∧ ∃z. x → −, z ∗ ls(z, y)

◮ An alternative definition:

lsi(x, y) x = y ∧ emp ∨ ∃z. x → −, z ∗ lsi(z, y)

◮ Can you spot the difference?

What do ls(x, x) and lsi(x, x) denote? lsi(x, y) ∗ lsi(y, z) ⇒ lsi(x, z) ls(x, y) ∗ ls(y, z) ⇒ ls(x, z)

Viktor Vafeiadis Tutorial on separation logic 7/19

Program logic

◮ Hoare triples

{P} C {Q}

◮ Fault-free interpretation

(h | = P) = ⇒ C, h →∗ abort

◮ The frame rule

{P} C {Q} fv(R) ∩ wr(C) = ∅ {P ∗ R} C {Q ∗ R} (frame) where wr(C) are the variables written by C

Viktor Vafeiadis Tutorial on separation logic 8/19

Standard rules from Hoare logic

{P} skip {P} (skip) {[E/x]P} x := E {P} (assign) {P} C1 {Q} {Q} C2 {R} {P} C1; C2 {R} (seq) {P ∧ B} C1 {Q} {P ∧ ¬B} C2 {Q} {P} if B then C1 else C2 {Q} (if) {P ∧ B} C {P} {P} while B do C {P ∧ ¬B} (while)

Viktor Vafeiadis Tutorial on separation logic 9/19

More standard rules

P′ ⇒ P {P} C {Q} Q ⇒ Q′ {P′} C {Q′} (conseq) {P1} C {Q} {P2} C {Q} {P1 ∨ P2} C {Q} (disj) {P} C {Q} x / ∈ fv(C, Q) {∃x. P} C {Q} (ex) {P} C {Q1} {P} C {Q2} {P} C {Q1 ∧ Q2} (conj) {P} C {Q} x / ∈ fv(P, C) {P} C {∀x. Q} (all)

Viktor Vafeiadis Tutorial on separation logic 10/19

New proof rules

x / ∈ fv(E, E ′) {E → E ′} x := [E] {E → E ′ ∧ x = E ′} (read) {E → −} [E] := E ′ {E → E ′} (write) x / ∈ fv(N) {emp} x:=alloc(N) {x → −, . . . , −

• N

} (alloc) {E → −} free(E) {emp} (free)

Viktor Vafeiadis Tutorial on separation logic 11/19

Mergesort

{sorted(x) ∗ sorted(y)} r := merge(x, y) {sorted(r)} {list(x)} (a, b) := split(x) {list(a) ∗ list(b)} {list(x)} r := msort(x) {sorted(r)} Proof outline for r := msort(x) {list(x)} (a, b) := split(x); {list(a) ∗ list(b)} a := msort(a); {sorted(a) ∗ list(b)} b := msort(b); {sorted(a) ∗ sorted(b)} r := merge(a, b) {sorted(r)}

Viktor Vafeiadis Tutorial on separation logic 12/19

Disjoint parallelism

Proof rule: {P1} C1 {Q1} fv(P1, C1, Q1) ∩ wr(C2) = ∅ {P2} C2 {Q2} fv(P2, C2, Q2) ∩ wr(C1) = ∅ {P1 ∗ P2} C1C2 {Q1 ∗ Q2} (par) Comments:

◮ C1 accesses only heap described by P1 or allocated itself. ◮ C2 accesses only heap described by P2 or allocated itself. ◮ The heaps are disjoint =

⇒ no races.

◮ But also no communication between threads.

Viktor Vafeiadis Tutorial on separation logic 13/19

Parallel mergesort

{sorted(x) ∗ sorted(y)} r := merge(x, y) {sorted(r)} {list(x)} (a, b) := split(x) {list(a) ∗ list(b)} {list(x)} r := pmsort(x) {sorted(r)} Proof outline for r := pmsort(x) {list(x)} (a, b) := split(x); {list(a) ∗ list(b)}

  

{list(a)} a := pmsort(a) {sorted(a)} {list(b)} b := pmsort(b) {sorted(b)}

   ;

{sorted(a) ∗ sorted(b)} r := merge(a, b) {sorted(r)}

Viktor Vafeiadis Tutorial on separation logic 14/19

Concurrent separation logic

[O’Hearn, Theor.Comp.Sci.’07]

Extend Hoare triples with resource invariants: J ⊢ {P} C {Q} J ⊢ {P1} C1 {Q1} fv(P1, C1, Q1) ∩ wr(C2) = ∅ J ⊢ {P2} C2 {Q2} fv(P2, C2, Q2) ∩ wr(C1) = ∅ J ⊢ {P1 ∗ P2} C1C2 {Q1 ∗ Q2} (par) emp ⊢ {P ∗ J ∧ B} C {Q ∗ J} J ⊢ {P} when B do C {Q} (atom) J ∗ R ⊢ {P} C {Q} J ⊢ {P ∗ R} C {Q ∗ R} (share) Let atomic C when true do C

Viktor Vafeiadis Tutorial on separation logic 15/19

Ownership transfer

Let J y = 0 ∨ x → 4. {x → 0}

      

{x → 0} [x] := 4; {x → 4} atomic y := 1 {emp} {emp} when y = 1 do y := 0 {x → 4} [x] := 5; {x → 5}

      

{x → 5}

Viktor Vafeiadis Tutorial on separation logic 16/19

The meaning of CSL triples

[MFPS 2011]

[ [J ⊢ {P} C {Q}] ] ∀h n. h | = P = ⇒ safen(C, h, J, Q) safe0(C, h, J, Q) true safen+1(C, h, J, Q) (C = skip = ⇒ h | = Q) ∧ (∀hJ hF. hJ | = J = ⇒ C, h ⊎ hJ ⊎ hF → abort) ∧ (∀hJ hF C ′ h′. C, h ⊎ hJ ⊎ hF → C ′, h′ ∧ hJ | = J = ⇒ ∃h′′ h′

• J. h′ = h′′ ⊎ h′

J ⊎ hF ∧ h′ J |

= J ∧ safen(C ′, h′′, J, Q)) Comments:

◮ h is the local heap (owned by C) ◮ Add heap hJ satisfying the resource invariant, J. ◮ Resource invariant must be re-established in h′ J. ◮ Bake in the frame rule using hF.

Viktor Vafeiadis Tutorial on separation logic 17/19

Variants of entailment

◮ Entailment:

P ⇒ Q

◮ Frame inference:

P ⇒ Q ∗ ?R

◮ Abduction:

P ∗ ?A ⇒ Q

◮ Bi-abduction:

P ∗ ?A ⇒ Q ∗ ?R

Viktor Vafeiadis Tutorial on separation logic 18/19

Summary of separation logic

Pros of SL

◮ Concise description of

inductive data structures

◮ Locality (frame rule) ◮ No memory errors ◮ No memory leaks ◮ No data races ◮ Novel ways of thinking:

e.g., ownership transfer

◮ Huge impact in PL

Cons of SL

◮ Reasoning about aliased

data structures complex

◮ Locality not always useful ◮ Reasoning in the model is

• ften better

◮ conj-rule not so useful ◮ Technical sideconditions:

precision

◮ Subtleties: e.g., ls vs lsi

Viktor Vafeiadis Tutorial on separation logic 19/19