an introduction to separation logic
play

An introduction to separation logic James Brotherston Programming - PowerPoint PPT Presentation

May 08, 2023 •151 likes •789 views

An introduction to separation logic James Brotherston Programming Principles, Logic and Verification Group Dept. of Computer Science University College London, UK J.Brotherston@ucl.ac.uk Logic Summer School, ANU, 7 December 2015 1/ 19

  1. An introduction to separation logic James Brotherston Programming Principles, Logic and Verification Group Dept. of Computer Science University College London, UK J.Brotherston@ucl.ac.uk Logic Summer School, ANU, 7 December 2015 1/ 19

  2. Introduction Verification of imperative programs is classically based on Hoare triples: { P } C { Q } where C is a program and P, Q are assertions in some logical language. 2/ 19

  3. Introduction Verification of imperative programs is classically based on Hoare triples: { P } C { Q } where C is a program and P, Q are assertions in some logical language. These are read, roughly speaking, as for any state σ satisfying P , if C transforms state σ to σ ′ , then σ ′ satisfies Q . 2/ 19

  4. Introduction Verification of imperative programs is classically based on Hoare triples: { P } C { Q } where C is a program and P, Q are assertions in some logical language. These are read, roughly speaking, as for any state σ satisfying P , if C transforms state σ to σ ′ , then σ ′ satisfies Q . (with some wriggle room allowing us to deal with faulting or non-termination in various ways.) 2/ 19

  5. Hoare-style verification A Hoare-style program logic therefore relies on three main components: 3/ 19

  6. Hoare-style verification A Hoare-style program logic therefore relies on three main components: 1. a language of programs, and an operational semantics explaining how they transform states; 3/ 19

  7. Hoare-style verification A Hoare-style program logic therefore relies on three main components: 1. a language of programs, and an operational semantics explaining how they transform states; 2. a language of logical assertions, and a semantics explaining how to read them as true or false in a particular state; 3/ 19

  8. Hoare-style verification A Hoare-style program logic therefore relies on three main components: 1. a language of programs, and an operational semantics explaining how they transform states; 2. a language of logical assertions, and a semantics explaining how to read them as true or false in a particular state; 3. a formal interpretation of Hoare triples, together with (sound) proof rules for manipulating them. 3/ 19

  9. Hoare-style verification A Hoare-style program logic therefore relies on three main components: 1. a language of programs, and an operational semantics explaining how they transform states; 2. a language of logical assertions, and a semantics explaining how to read them as true or false in a particular state; 3. a formal interpretation of Hoare triples, together with (sound) proof rules for manipulating them. We’ll look at these informally first, then introduce a little more formal detail. 3/ 19

  10. Programs, informally We consider a standard while language with pointers, memory (de)allocation and recursive procedures. 4/ 19

  11. Programs, informally We consider a standard while language with pointers, memory (de)allocation and recursive procedures.E.g.: deltree(*x) { if x=nil then return; else { l,r := x.left,x.right; deltree(l); deltree(r); free(x); } } 4/ 19

  12. Assertions, informally Our assertion language lets us describe heap data structures such as linked lists and trees. 5/ 19

  13. Assertions, informally Our assertion language lets us describe heap data structures such as linked lists and trees. E.g., binary trees with root pointer x can be defined by: x = nil : emp ⇒ tree ( x ) x � = nil : x �→ ( y, z ) ∗ tree ( y ) ∗ tree ( z ) ⇒ tree ( x ) 5/ 19

  14. Assertions, informally Our assertion language lets us describe heap data structures such as linked lists and trees. E.g., binary trees with root pointer x can be defined by: x = nil : emp ⇒ tree ( x ) x � = nil : x �→ ( y, z ) ∗ tree ( y ) ∗ tree ( z ) ⇒ tree ( x ) where • emp denotes the empty heap; 5/ 19

  15. Assertions, informally Our assertion language lets us describe heap data structures such as linked lists and trees. E.g., binary trees with root pointer x can be defined by: x = nil : emp ⇒ tree ( x ) x � = nil : x �→ ( y, z ) ∗ tree ( y ) ∗ tree ( z ) ⇒ tree ( x ) where • emp denotes the empty heap; • x �→ ( y, z ) denotes a single pointer to a pair of data cells; 5/ 19

  16. Assertions, informally Our assertion language lets us describe heap data structures such as linked lists and trees. E.g., binary trees with root pointer x can be defined by: x = nil : emp ⇒ tree ( x ) x � = nil : x �→ ( y, z ) ∗ tree ( y ) ∗ tree ( z ) ⇒ tree ( x ) where • emp denotes the empty heap; • x �→ ( y, z ) denotes a single pointer to a pair of data cells; • ∗ means “and separately in memory”. 5/ 19

  17. An example proof deltree(*x) { if x=nil then return; else { l,r := x.left,x.right; deltree(l); deltree(r); free(x); } } 6/ 19

  18. An example proof { tree ( x ) } deltree(*x) { if x=nil then return; else { l,r := x.left,x.right; deltree(l); deltree(r); free(x); } } { emp } 6/ 19

  19. An example proof { tree ( x ) } deltree(*x) { if x=nil then return; { emp } else { l,r := x.left,x.right; deltree(l); deltree(r); free(x); } } { emp } 6/ 19

  20. An example proof { tree ( x ) } deltree(*x) { if x=nil then return; { emp } else { { x �→ ( y, z ) ∗ tree ( y ) ∗ tree ( z ) } l,r := x.left,x.right; deltree(l); deltree(r); free(x); } } { emp } 6/ 19

  21. An example proof { tree ( x ) } deltree(*x) { if x=nil then return; { emp } else { { x �→ ( y, z ) ∗ tree ( y ) ∗ tree ( z ) } l,r := x.left,x.right; { x �→ ( l, r ) ∗ tree ( l ) ∗ tree ( r ) } deltree(l); deltree(r); free(x); } } { emp } 6/ 19

  22. An example proof { tree ( x ) } deltree(*x) { if x=nil then return; { emp } else { { x �→ ( y, z ) ∗ tree ( y ) ∗ tree ( z ) } l,r := x.left,x.right; { x �→ ( l, r ) ∗ tree ( l ) ∗ tree ( r ) } deltree(l); { x �→ ( l, r ) ∗ emp ∗ tree ( r ) } deltree(r); free(x); } } { emp } 6/ 19

  23. An example proof { tree ( x ) } deltree(*x) { if x=nil then return; { emp } else { { x �→ ( y, z ) ∗ tree ( y ) ∗ tree ( z ) } l,r := x.left,x.right; { x �→ ( l, r ) ∗ tree ( l ) ∗ tree ( r ) } deltree(l); { x �→ ( l, r ) ∗ emp ∗ tree ( r ) } deltree(r); { x �→ ( l, r ) ∗ emp ∗ emp } free(x); } } { emp } 6/ 19

  24. An example proof { tree ( x ) } deltree(*x) { if x=nil then return; { emp } else { { x �→ ( y, z ) ∗ tree ( y ) ∗ tree ( z ) } l,r := x.left,x.right; { x �→ ( l, r ) ∗ tree ( l ) ∗ tree ( r ) } deltree(l); { x �→ ( l, r ) ∗ emp ∗ tree ( r ) } deltree(r); { x �→ ( l, r ) ∗ emp ∗ emp } free(x); { emp ∗ emp ∗ emp } } } { emp } 6/ 19

  25. An example proof { tree ( x ) } deltree(*x) { if x=nil then return; { emp } else { { x �→ ( y, z ) ∗ tree ( y ) ∗ tree ( z ) } l,r := x.left,x.right; { x �→ ( l, r ) ∗ tree ( l ) ∗ tree ( r ) } deltree(l); { x �→ ( l, r ) ∗ emp ∗ tree ( r ) } deltree(r); { x �→ ( l, r ) ∗ emp ∗ emp } free(x); { emp ∗ emp ∗ emp } } { emp } } { emp } 6/ 19

  26. Frame property Consider the following step in the previous example: { x �→ ( l, r ) ∗ tree ( l ) ∗ tree ( r ) } deltree(l) { x �→ ( l, r ) ∗ emp ∗ tree ( r ) } 7/ 19

  27. Frame property Consider the following step in the previous example: { x �→ ( l, r ) ∗ tree ( l ) ∗ tree ( r ) } deltree(l) { x �→ ( l, r ) ∗ emp ∗ tree ( r ) } Implicitly, this relies on a framing property, namely: { tree ( l ) } deltree(l) { emp } { x �→ ( l, r ) ∗ tree ( l ) ∗ tree ( r ) } deltree(l) { x �→ ( l, r ) ∗ emp ∗ tree ( r ) } 7/ 19

  28. Classical failure of frame rule The so-called frame rule, { P } C { Q } { F ∧ P } C { F ∧ Q } is well known to fail in standard Hoare logic. 8/ 19

  29. Classical failure of frame rule The so-called frame rule, { P } C { Q } { F ∧ P } C { F ∧ Q } is well known to fail in standard Hoare logic.E.g., { x = 0 } x := 2 { x = 2 } { y = 0 ∧ x = 0 } x := 2 { y = 0 ∧ x = 2 } is not valid (because y could alias x ). 8/ 19

  30. Classical failure of frame rule The so-called frame rule, { P } C { Q } { F ∧ P } C { F ∧ Q } is well known to fail in standard Hoare logic.E.g., { x = 0 } x := 2 { x = 2 } { y = 0 ∧ x = 0 } x := 2 { y = 0 ∧ x = 2 } is not valid (because y could alias x ). As we’ll see, using the “separating conjunction” ∗ instead of ∧ will however give us a valid frame rule. 8/ 19

  31. Heap memory model • We assume an infinite set Val of values of which an infinite subset Loc ⊂ Val are allocable locations; nil is a non-allocable value. 9/ 19

  32. Heap memory model • We assume an infinite set Val of values of which an infinite subset Loc ⊂ Val are allocable locations; nil is a non-allocable value. • Stacks map variables to values, s : Var → Val . 9/ 19

  33. Heap memory model • We assume an infinite set Val of values of which an infinite subset Loc ⊂ Val are allocable locations; nil is a non-allocable value. • Stacks map variables to values, s : Var → Val . • Heaps map finitely many locations to values, h : Loc ⇀ fin Val . We write e for the empty heap (undefined on all locations). 9/ 19

Recommend

Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Introduction In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing Hoare logic separation logic. We looked at the concepts separation logic is based on, the new assertions that

396 views • 14 slides
An introduction to separation logic James Brotherston Programming Principles, Logic and

An introduction to separation logic James Brotherston Programming Principles, Logic and

An introduction to separation logic James Brotherston Programming Principles, Logic and Verification Group Dept. of Computer Science University College London, UK J.Brotherston@ucl.ac.uk Oracle Labs, Brisbane, 4 December 2015 1/ 19

291 views • 27 slides
Extending propositional separation logic for robustness properties of separation logic Alessio

Extending propositional separation logic for robustness properties of separation logic Alessio

Extending propositional separation logic for robustness properties of separation logic Alessio Mansutti LSV, CNRS, ENS Paris-Saclay Paris - April 2019 What we will see An extension of propositional separation logic that can express some

569 views • 42 slides
Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of

Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of

Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of Cambridge CST Part II 2017/18 Introduction In the previous lectures, we have considered a language, WHILE , where mutability only concerned program

734 views • 57 slides
Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS)

Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS)

Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) Dagstuhl, 2015-11-02 Plan for the talk Talk outline Motivation Basic separation logic Concurrent separation logic Frame inference

597 views • 21 slides
Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms Smaller Arthur Charguraud Franois Pottier LTP meeting Saclay, November 28, 2016 Motivation More Motivation Separation Logic with Read-Only

441 views • 27 slides
Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008

Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008

Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008 Timothe Martiel Research Topics in Software Engineering 1 / 19 Outline 1 From Separation Logic to Inheritance 2 Beyond Separation Logic 3 What About

553 views • 24 slides
Internal calculi for Separation Logic ephane Demri 1 Etienne Lozes 2 Alessio Mansutti 1 St

Internal calculi for Separation Logic ephane Demri 1 Etienne Lozes 2 Alessio Mansutti 1 St

Internal calculi for Separation Logic ephane Demri 1 Etienne Lozes 2 Alessio Mansutti 1 St January 14, 2020 1 LSV, CNRS, ENS Paris-Saclay 2 I3S, Universit e C ote dAzur Separation Logic 99 Logic of Bunched Implication ( BI ) [P.

310 views • 27 slides
Lecture 8/9 : Separation Logic Overview Assertion Logic Semantic Model

Lecture 8/9 : Separation Logic Overview Assertion Logic Semantic Model

CS6202: Advanced Topics in Programming Languages and Systems Lecture 8/9 : Separation Logic Overview Assertion Logic Semantic Model Hoare-style Inference Rules Specification and Annotations Linked List and Segments

1.02k views • 76 slides
Undecidability of propositional separation logic and its neighbours James Brotherston 1 and Max

Undecidability of propositional separation logic and its neighbours James Brotherston 1 and Max

Undecidability of propositional separation logic and its neighbours James Brotherston 1 and Max Kanovich 2 1 Imperial College London 2 Queen Mary University of London LICS-25, University of Edinburgh, 12 July 2010 Separation logic (Reynolds,

1.11k views • 31 slides
Biabduction (and Related Problems) in Array Separation Logic James Brotherston 1 Nikos Gorogiannis

Biabduction (and Related Problems) in Array Separation Logic James Brotherston 1 Nikos Gorogiannis

Biabduction (and Related Problems) in Array Separation Logic James Brotherston 1 Nikos Gorogiannis 2 Max Kanovich 1 1 UCL 2 Middlesex University University of Vienna, 14 Mar 2017 1/ 19 Compositional proofs in separation logic (1) Separation

1.14k views • 91 slides
Separation logic and fragments: from expressive power to decision procedures St ephane Demri

Separation logic and fragments: from expressive power to decision procedures St ephane Demri

Separation logic and fragments: from expressive power to decision procedures St ephane Demri CNRS Marie Curie Fellow Yorktown Heights, March 2015 In Memoriam: Morgan Deters 2 Overview Separation Logic in a Nutshell 1 2 Expressive

915 views • 55 slides
Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that

Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that

Introduction Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that Separation Logic is based on. This lecture will Kasper Svendsen University of Cambridge introduce a formal proof system for Separation

740 views • 10 slides
Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview

Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview

CS6202: Advanced Topics in Programming Hoare Logic Hoare Logic Languages and Systems Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview Notation : {P} code {Q} Assertion Logic {P}

557 views • 19 slides
Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa,

Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa,

Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa, Aquinas Hobor and John Wickerson IRIS Day OScience, Coronavirus Lockdown Edition Tuesday 7th April, 2020 1/ 13 Concurrent separation logic (

164 views • 13 slides
On Temporal and Separation Logics St ephane Demri CNRS, LSV, ENS Paris-Saclay TIME18

On Temporal and Separation Logics St ephane Demri CNRS, LSV, ENS Paris-Saclay TIME18

On Temporal and Separation Logics St ephane Demri CNRS, LSV, ENS Paris-Saclay TIME18 Warsaw, October 2018 The blossom of separation logics Separation logic: extension of Hoare-Floyd logic for (concurrent) programs with mutable data

642 views • 48 slides
Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics

Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics

Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics Group Dept. of Comp. Science, Aarhus University (Joint work with J. Bengtson, J.B. Jensen, H. Mehnert, P . Sestoft, F . Sieczkowski) April 2013

499 views • 34 slides
Undecidability of propositional separation logic and its neighbours James Brotherston Computer

Undecidability of propositional separation logic and its neighbours James Brotherston Computer

Undecidability of propositional separation logic and its neighbours James Brotherston Computer Science Seminar Institute of Cybernetics, Tallinn University of Technology 17 Nov 2011 1/ 27 Outline 1. An overview of propositional separation

948 views • 76 slides
Parametric completeness for separation theories (via hybrid logic) James Brotherston University

Parametric completeness for separation theories (via hybrid logic) James Brotherston University

Parametric completeness for separation theories (via hybrid logic) James Brotherston University College London New York University, 11 December 2014 Joint work with Jules Villard 1/ 26 Part I Introduction, motivation and background 2/ 26

1.39k views • 118 slides
Separation Logic Competition SL-COMP 2018 Presented by Mihaela Sighireanu joint work with Radu

Separation Logic Competition SL-COMP 2018 Presented by Mihaela Sighireanu joint work with Radu

Introduction Static Results Dynamic Results Conclusion and Future Separation Logic Competition SL-COMP 2018 Presented by Mihaela Sighireanu joint work with Radu Iosif, Andrew J. Reynolds, Cristina Serban, Chong Gao, Jens Katelaan, Benedict

465 views • 24 slides
A Separation Logic for Non-determinism and Sequence Points in C Formalized in Coq Robbert

A Separation Logic for Non-determinism and Sequence Points in C Formalized in Coq Robbert

A Separation Logic for Non-determinism and Sequence Points in C Formalized in Coq Robbert Krebbers Radboud University Nijmegen May 14, 2014 @ TYPES, Paris, France 1 What is this program supposed to do? int main() { int x; int y = (x = 3) +

378 views • 16 slides
Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen,

Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen,

Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen, Netherlands Dec, 2015 Modular Reasoning about Higher-Order Concurrent Imperative Programs 1 / 33 Introduction Goal Program logics for

1.02k views • 63 slides
A case for relaxed program logics Separation logic as a tool for

A case for relaxed program logics Separation logic as a tool for

A case for relaxed program logics Separation logic as a tool for understanding and debugging the C/C++ concurrency model Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS)

304 views • 13 slides
Concurrent separation logic and operational semantics Viktor Vafeiadis MPI-SWS What is the

Concurrent separation logic and operational semantics Viktor Vafeiadis MPI-SWS What is the

Concurrent separation logic and operational semantics Viktor Vafeiadis MPI-SWS What is the paper about? Soundness proof for CSL Simple Extensible Permissions RGSep Storable locks [Buisse, Birkedal, Stvring, MFPS 2011] Concurrent

270 views • 14 slides

More recommend