hoare logic and model checking pointers
play

Hoare Logic and Model Checking Pointers Kasper Svendsen University - PowerPoint PPT Presentation

Hoare Logic and Model Checking Pointers Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Pointers and state Pointers and state E ::= N


  1. Hoare Logic and Model Checking Pointers Kasper Svendsen University of Cambridge CST Part II – 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Pointers and state Pointers and state E ::= N | null | V | E 1 + E 2 | expressions E 1 � E 2 | E 1 ⇥ E 2 | · · · | So far, we have been reasoning about a language without pointers, B ::= T | F | E 1 = E 2 boolean expressions where all values were numbers. | E 1  E 2 | E 1 � E 2 | · · · In this lecture we will extend the WHILE language with pointers ::= skip | C 1 ; C 2 | V := E commands C and introduce an extension of Hoare logic, called Separation Logic, | if B then C 1 else C 2 to simplify reasoning about pointers. | while B do C | V := [ E ] | [ E 1 ] := E 2 | V := cons ( E 1 , ..., E n ) | dispose ( E ) 1 2

  2. Pointers and state Pointers and state Commands are now evaluated with respect to a heap h that stores Heap assignment command: [ E 1 ] := E 2 the current value of allocated locations. • evaluates E 1 to a location l and E 2 to a value v and updates Reading, writing and disposing of pointers fails if the given the heap to map l to v ; faults if l is not currently allocated location is not currently allocated. Pointer disposal command, dispose ( E ) Fetch assignment command: V := [ E ] • evaluates E to a location l and deallocates location l from the • evaluates E to a location l and assigns the current value of l heap; faults if l is not currently allocated to V ; faults if l is not currently allocated 3 4 Pointers and state Pointers and state In this extended language we can work with proper data structures, Allocation assignment command: V := cons ( E 1 , ..., E n ) like the following singly-linked list. • chooses n consecutive unallocated locations, say l 1 , ..., l n , 12 99 37 evaluates E 1 , ..., E n to values v 1 , ..., v n , updates the heap to head map l i to v i for each i and assigns l 1 to V For instance, this operation deletes the first element of the list: Allocation never fails. x := [ head + 1]; // lookup address of second element dispose ( head ); // deallocate first element The language supports pointer arithmetic: e.g., dispose ( head + 1); X := cons (0 , 1); Y := [ X + 1] head := x // swing head to point to second element 5 6

  3. Pointers and state For the WHILE language we modelled the state as a function assigning values (numbers) to all variables: def s 2 State = Var ! Val Operational semantics To model pointers we will split the state into a stack and a heap • a stack assigns values to program variables, and • a heap maps locations to values def State = Store ⇥ Heap 7 Pointers and state Pointers and state WHILE p programs can fail in several ways Values now includes both numbers and locations • dereferencing an invalid pointer def Val = Z + Loc • invalid pointer arithmetic Locations are modelled as natural numbers def To model failure we introduce a distinguished failure value Loc = N E [ [ � ] ] : Exp ⇥ Store ! { } + Val To model allocation, we model the heap as a finite function B [ [ � ] ] : BExp ⇥ Store ! { } + B = Loc fin def def Store = Var ! Val Heap ! Val + : P ( Cmd ⇥ State ⇥ ( { } [ State )) 8 9

  4. Pointer dereference Pointer assignment E [ [ E 1 ] ]( s ) = l E [ [ E 2 ] ]( s ) = v l 2 dom ( h ) E [ [ E ] ]( s ) = l l 2 dom ( h ) v 6 = h V := [ E ] , ( s , h ) i + ( s [ V 7! h ( l )] , h ) h [ E 1 ] := E 2 , ( s , h ) i + ( s , h [ l 7! v ]) E [ [ E ] ]( s ) = l l 62 dom ( h ) E [ [ E 1 ] ]( s ) = l l 62 dom ( h ) E [ [ E 2 ] ]( s ) = h V := [ E ] , ( s , h ) i + h [ E 1 ] := E 2 , ( s , h ) i + h [ E 1 ] := E 2 , ( s , h ) i + 10 11 Reasoning about pointers In standard Hoare logic we can syntactically approximate the set of program variables that might be a ff ected by a command C . Reasoning about pointers mod ( skip ) = ; mod ( X := E ) = { X } mod ( C 1 ; C 2 ) = mod ( C 1 ) [ mod ( C 2 ) mod ( if B then C 1 else C 2 ) = mod ( C 1 ) [ mod ( C 2 ) mod ( while B do C ) = mod ( C ) 12

  5. The rule of constancy Reasoning about pointers Imagine we extended Hoare logic with a new assertion, E 1 , ! E 2 , The rule of constancy expresses that assertions that do not refer to for asserting that location E 1 currently contains the value E 2 and variables modified by a command are automatically preserved extend the proof system with the following axiom: during its execution. ` { P } C { Q } mod ( C ) \ FV ( R ) = ; ` { > } [ E 1 ] := E 2 { E 1 , ! E 2 } ` { P ^ R } C { Q ^ R } Then we loose the rule of constancy: This rule derivable in standard Hoare logic. ` { > } [ X ] := 1 { X , ! 1 } ` { > ^ Y , ! 0 } [ X ] := 1 { X , ! 1 ^ Y , ! 0 } This rule is important for modularity as it allows us to only mention the part of the state that we access. (the post-condition is false if X and Y refer to the same location.) 13 14 Reasoning about pointers In the presence of pointers, syntactically distinct variables can refer to the same location. Updates made through one variable can thus influence the state referenced by other variables. Separation logic This complicates reasoning as we explicitly have to track inequality of pointers to reason about updates: ` { E 1 6 = E 3 ^ E 3 , ! E 4 } [ E 1 ] := E 2 { E 1 , ! E 2 ^ E 3 , ! E 4 } 15

  6. Separation logic Separation logic Separation logic introduces two new concepts for reasoning about mutable state:: Separation logic is an extension of Hoare logic that simplifies • ownership : Separation logic assertions do not just describe reasoning about mutable state using new connectives to control properties of the current state, they also assert ownership of aliasing. part of the heap. Separation logic was proposed by John Reynolds in 2000 and • separation : Separation logic introduces a new connective, developed further by Peter O’Hearn and Hongsek Yang around written P ⇤ Q , for asserting that the part of the heap owned 2001. It is still a very active area of research. by P and Q are disjoint . This makes it easy to describe data structures without sharing. 16 17 Separation logic Meaning of separation logic assertions The semantics of a separation logic assertion, written [ [ P ] ]( s ), is a set of heaps that satisfy the assertion P . Separation logic introduces a new assertion, written E 1 7! E 2 , for The intended meaning is that if h 2 [ [ P ] ]( s ) then P asserts reasoning about individual heap cells. ownership of any locations in dom ( h ). The points-to assertion, E 1 7! E 2 , asserts The heaps h 2 [ [ P ] ]( s ) are thus referred to as partial heaps , since they only contain the locations owned by P . • that the current value of heap location E 1 is E 2 , and • asserts ownership of heap location E 1 . The empty heap assertion, only holds for the empty heap: def [ [ emp ] ]( s ) = { [] } 18 19

  7. Meaning of separation logic assertions Examples of separation logic assertions The points-to assertion, E 1 7! E 2 , asserts ownership of the location 1. X 7! E 1 ⇤ Y 7! E 2 referenced by E 1 and that this location currently contains E 2 : This assertion is unsatisfiable in a state where X and Y refer def [ [ E 1 7! E 2 ] ]( s ) = { h | dom ( h ) = {E [ [ E 1 ] ]( s ) } to the same location, since X 7! E 1 and Y 7! E 2 would both ^ h ( E [ [ E 1 ] ]( s )) = E [ [ E 2 ] ]( s ) } assert ownership of the same location. Separating conjunction, P ⇤ Q , asserts that the heap can be split The following heap satisfies the assertion: into two distjoint parts such that one satisfies P and the other Q : def E 1 E 2 X Y [ [ P ⇤ Q ] ]( s ) = { h | 9 h 1 , h 2 . h = h 1 ] h 2 ^ h 1 2 [ [ P ] ]( s ) ^ h 2 2 [ [ Q ] ]( s ) } 2. X 7! E ⇤ X 7! E Here we use h 1 ] h 2 as shorthand for h 1 [ h 2 where h 1 ] h 2 is only This assertion is not satisfiable. defined when dom ( h 1 ) \ dom ( h 2 ) = ; . 20 21 Meaning of separation logic assertions Examples of separation logic assertions The first-order primitives are interpreted much like for Hoare logic: def [ [ ? ] ]( s ) = ; 3. X 7! E 1 ^ Y 7! E 2 def [ [ > ] ]( s ) = Heap def [ P ^ Q ] ]( s ) \ [ [ ]( s ) = [ [ P ] [ Q ] ]( s ) This asserts that X and Y alias each other and E 1 = E 2 : def [ [ P _ Q ] ]( s ) = [ [ P ] ]( s ) [ [ [ Q ] ]( s ) E 1 def X Y [ [ P ) Q ] ]( s ) = { h | h 2 [ [ P ] ]( s ) ) h 2 [ [ Q ] ]( s ) } . . . 22 23

  8. Examples of separation logic assertions Summary: Separation logic assertions 4. X 7! Y ⇤ Y 7! X X Y Separation logic assertions describe properties of the current state and assert ownership of parts of the current heap. 5. X 7! E 1 , Y ⇤ Y 7! E 2 , null Separation logic controls aliasing of pointers by asserting that E 1 E 2 X assertions own disjoint heap parts. Here X 7! E 1 , ..., E n is shorthand for X 7! E 1 ⇤ ( X + 1) 7! E 2 ⇤ · · · ⇤ ( X + n � 1) 7! E n 24 25 Separation logic triples Separation logic (SL) extends the assertion language but uses the same Hoare triples to reason about the behaviour of programs ` { P } C { Q } ` [ P ] C [ Q ] Separation logic triples but with a di ff erent meaning. Our SL triples extend the meaning of our HL triples in two ways • they ensure that our WHILE p programs do not fail • they require that we respect the ownership discipline associated with assertions 26

Recommend


More recommend