Internal calculi for Separation Logic
Stéphane Demri¹, Etienne Lozes², Alessio Mansutti¹
January 14, 2020
¹ LSV, CNRS, ENS Paris-Saclay
² I3S, Université Côte d'Azur
Separation Logic
'99  Logic of Bunched Implication (BI) [P. O'Hearn, D. Pym]
'02  Separation Logic [P. O'Hearn, D. Pym, J. Reynolds]
• Logic for modular verification of pointer programs.
• Used in state-of-the-art, industrial tools:
  • Infer (Facebook)
  • Slayer (Microsoft)
• "Why Separation Logic Works" ['18 - D. Pym et al.]
Separation Logic, with apples
'99  Logic of Bunched Implication (BI) [P. O'Hearn, D. Pym]
'02  Separation Logic [P. O'Hearn, D. Pym, J. Reynolds]
Multiplicative connectives (from BI):
• $\varphi * \psi$ holds iff the state can be split into two parts s.t. one part satisfies $\varphi$ and the other satisfies $\psi$.
• $\varphi \mathrel{-\!*} \psi$ holds iff for every state mergeable with the current one, if that state satisfies $\varphi$ then the merged state satisfies $\psi$.
Problem: how to deal with $*$ and $-\!*$ on concrete models and in the context of Hilbert-style axiomatisations.
Modelling the memory
Separation Logic is interpreted over memory states $(s, h)$ where:
• store, $s : \mathrm{VAR} \to \mathbb{N}$
• heap, $h : \mathbb{N} \to_{\mathrm{fin}} \mathbb{N}$ (finite-domain partial function)
where $\mathrm{VAR} = \{x, y, z, \ldots\}$ is the set of variables and $\mathbb{N}$ represents the set of addresses.
[Figure: a heap $h$ with locations $s(x)$, $s(y)$, $s(z)$; here, $h(s(x)) = s(y)$.]
• Disjoint heaps ($h_1 \perp h_2$): $\mathrm{dom}(h_1) \cap \mathrm{dom}(h_2) = \emptyset$
• Union of disjoint heaps ($h_1 + h_2$): union of partial functions.
The separating conjunction ($*$)
$(s, h) \models \varphi * \psi$
Semantics: there are two heaps $h_1$ and $h_2$ s.t.
• $h_1 \perp h_2$ and $h = h_1 + h_2$,
• $(s, h_1) \models \varphi$,
• $(s, h_2) \models \psi$.
[Figure: a heap satisfying $\varphi * \psi$, split into a part satisfying $\varphi$ and a part satisfying $\psi$.]
The separating implication ($-\!*$)
$(s, h) \models \varphi \mathrel{-\!*} \psi$
Semantics: for every heap $h'$, if $h' \perp h$ and $(s, h') \models \varphi$ then $(s, h + h') \models \psi$.
[Figure: the heap extended by any disjoint heap satisfying $\varphi$ satisfies $\psi$.]
Note: $*$ and $-\!*$ are adjoint operators: $\varphi * \psi \models \gamma$ if and only if $\varphi \models \psi \mathrel{-\!*} \gamma$.
First-order Separation Logic
$\varphi := \top \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \mathrm{emp} \mid x = y \mid x \hookrightarrow y \mid \exists x\, \varphi \mid \varphi_1 * \varphi_2 \mid \varphi_1 \mathrel{-\!*} \varphi_2$
$(s, h) \models \mathrm{emp}$ iff $\mathrm{dom}(h) = \emptyset$,
$(s, h) \models x = y$ iff $s(x) = s(y)$,
$(s, h) \models x \hookrightarrow y$ iff $s(x) \in \mathrm{dom}(h)$ and $h(s(x)) = s(y)$,
$(s, h) \models \exists x\, \varphi$ iff there is $n \in \mathbb{N}$ s.t. $(s[x \leftarrow n], h) \models \varphi$.
Satisfiability problem: some complexity results
Fsttcs'01   Quantifier-free SL (0SL) is PSpace-complete. [C. Calcagno, P.W. O'Hearn, H. Yang]
Tocl'15     SL with two quantified variables (2SL) is undecidable. [S. Demri, M. Deters]
Fossacs'18  0SL + reachability predicates is undecidable. Without $-\!*$ it is PSpace-complete. [S. Demri, E. Lozes, A. Mansutti]
Fsttcs'18   1SL + restricted reachability predicate is PSpace-complete. Weakening the restrictions makes it Tower-hard.
Satisfiability ≈ Validity ≈ Entailment ≈ Model checking
Let $\varphi \mathrel{-\!\circledast} \psi \stackrel{\mathrm{def}}{=} \neg(\varphi \mathrel{-\!*} \neg\psi)$ (septraction).
$(s, h) \models \varphi \mathrel{-\!\circledast} \psi$ iff $\exists h'$ s.t. $h' \perp h$, $(s, h') \models \varphi$ and $(s, h + h') \models \psi$.
Satisfiability to validity:
$\exists s\, \exists h$ s.t. $(s, h) \models \varphi$ iff $\models \mathrm{emp} \Rightarrow \exists x_1 \ldots \exists x_n\, (\varphi \mathrel{-\!\circledast} \top)$, where $\{x_1, \ldots, x_n\} = \mathrm{fv}(\varphi)$.
• The reduction can also be done without quantification, but it then requires exponentially many validity queries (w.r.t. $\mathrm{fv}(\varphi)$).
• Satisfiability to validity also works for 0SL.
Undecidability implies non-axiomatisability
Validity R.E. → Satisfiability R.E. (by the reduction above) → Unvalidity R.E. (a formula is not valid iff its negation is satisfiable) → Validity decidable (both R.E. and co-R.E.).
Tocl'15: SL with two quantified variables (2SL) is undecidable.
Fossacs'18: 0SL + reachability predicates is undecidable.
This talk: Hilbert-style axiomatisations for SLs (on memory states)
• Quantifier-free Separation Logic (0SL);
• SL without $-\!*$ and with a (novel) guarded form of quantification that can express reachability predicates.
Calculi for Bunched Implication / Separation Logics
Fsttcs'06   Hilbert-style axiomatisation of Boolean BI [D. Galmiche, D. Larchey-Wendling]
Popl'14     Axiomatisation of a hybrid version of Boolean BI and axiomatisation of abstract separation logics [J. Brotherston, J. Villard]
Tocl'18     Sequent calculi for abstract separation logics [Z. Hou, R. Clouston, R. Goré, A. Tiu]
Fossacs'18  Modular tableaux calculi for Boolean BI [S. Docherty, D. Pym]
On axiomatising 0SL, internally
$\varphi := \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \mathrm{emp} \mid x = y \mid x \hookrightarrow y \mid \varphi_1 * \varphi_2 \mid \varphi_1 \mathrel{-\!*} \varphi_2$
Methodology:
1A. Model-theoretical analysis of 0SL (Lozes'04) (EF-games / simulation arguments);
1B. Definition of a "normal form" for formulae of 0SL (Gaifman-like locality theorem for 0SL);
2. Axiomatisation specific to the formulae in this normal form;
3. Add axioms & rules to put every formula in normal form (similar to reduction axioms in dynamic epistemic logic).
What can 0SL express?
• The heap has size at least $\beta$:
  $\mathrm{size} \geq \beta \stackrel{\mathrm{def}}{=} \underbrace{\neg\mathrm{emp} * \ldots * \neg\mathrm{emp}}_{\beta \text{ times}}$
• $x$ corresponds to a location in the domain of the heap:
  $\mathrm{alloc}(x) \stackrel{\mathrm{def}}{=} \neg\big(x \hookrightarrow x \mathrel{-\!\circledast} \top\big)$
Let $X \subseteq_{\mathrm{fin}} \mathrm{VAR}$ and $\alpha \in \mathbb{N}$. We define the set of core formulae:
$\mathrm{Core}(X, \alpha) \stackrel{\mathrm{def}}{=} \{\, x = y,\ x \hookrightarrow y,\ \mathrm{alloc}(x),\ \mathrm{size} \geq \beta \mid x, y \in X,\ \beta \in [0, \alpha] \,\}$.
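Added example, not code from the talk or its authors: a small Python model checker that implements the semantics of the preceding slides, including the derived predicates size ≥ β and alloc(x) built from ¬emp, ∗ and septraction exactly as defined above. The separating conjunction is decided exactly by enumerating heap splits. Since −∗ quantifies over all disjoint heaps, the example explores only extension heaps over a finite pool of addresses with a bounded number of cells; this bound is an assumption of the example, so a negative answer exhibits a real counter-model while a positive answer holds relative to the bound. The sample store, heap and address pool are constructed for the example.

```python
# Added example, not code from the slides: a model checker for quantifier-free
# Separation Logic (0SL) over the memory states of the talk.
# Store: dict VAR -> int. Heap: dict int -> int (finite partial function).
# '*' is decided exactly by enumerating the splits of the heap. '-*' ranges over
# infinitely many disjoint heaps, so it is explored only over extension heaps whose
# addresses and values come from a finite pool (an assumption of this example):
# a False answer exhibits an actual counter-model, a True answer only means that
# no counter-model exists within the bound.
from itertools import combinations, product

# Formulae are nested tuples whose first element names the connective.
TOP = ("top",)
EMP = ("emp",)
def Not(p):      return ("not", p)
def And(p, q):   return ("and", p, q)
def Eq(x, y):    return ("eq", x, y)      # x = y
def Pto(x, y):   return ("pto", x, y)     # x ↪ y
def Star(p, q):  return ("star", p, q)    # separating conjunction
def Wand(p, q):  return ("wand", p, q)    # separating implication
def Septraction(p, q):                    # p -⊛ q  =def  ¬(p -* ¬q)
    return Not(Wand(p, Not(q)))

# Derived predicates, as defined on the "What can 0SL express?" slide.
def size_geq(beta):                       # ¬emp * ... * ¬emp (beta times); size ≥ 0 is ⊤
    phi = TOP
    for i in range(beta):
        phi = Not(EMP) if i == 0 else Star(Not(EMP), phi)
    return phi

def alloc(x):                             # ¬(x ↪ x -⊛ ⊤)
    return Not(Septraction(Pto(x, x), TOP))

def disjoint(h1, h2):                     # h1 ⊥ h2
    return not (h1.keys() & h2.keys())

def union(h1, h2):                        # h1 + h2, only defined on disjoint heaps
    assert disjoint(h1, h2)
    return {**h1, **h2}

def splits(h):
    """All pairs (h1, h2) with h1 ⊥ h2 and h1 + h2 = h."""
    keys = list(h)
    for r in range(len(keys) + 1):
        for dom1 in combinations(keys, r):
            yield ({k: h[k] for k in dom1}, {k: h[k] for k in keys if k not in dom1})

def heaps_over(pool, max_cells):
    """Every heap with at most max_cells cells whose addresses and values lie in pool."""
    pool = sorted(pool)
    for r in range(max_cells + 1):
        for dom in combinations(pool, r):
            for vals in product(pool, repeat=r):
                yield dict(zip(dom, vals))

def sat(s, h, phi, pool=(), max_cells=0):
    """(s, h) ⊨ phi, following the semantics on the slides; pool/max_cells bound '-*'."""
    op = phi[0]
    rec = lambda hh, p: sat(s, hh, p, pool, max_cells)
    if op == "top":  return True
    if op == "emp":  return len(h) == 0
    if op == "not":  return not rec(h, phi[1])
    if op == "and":  return rec(h, phi[1]) and rec(h, phi[2])
    if op == "eq":   return s[phi[1]] == s[phi[2]]
    if op == "pto":  return s[phi[1]] in h and h[s[phi[1]]] == s[phi[2]]
    if op == "star":
        return any(rec(h1, phi[1]) and rec(h2, phi[2]) for h1, h2 in splits(h))
    if op == "wand":  # bounded: only extension heaps from heaps_over(pool, max_cells)
        return all(not (disjoint(hp, h) and rec(hp, phi[1])) or rec(union(h, hp), phi[2])
                   for hp in heaps_over(pool, max_cells))
    raise ValueError(f"unknown connective {op}")

# Constructed sample state: x -> 1, y -> 2, z -> 3; the heap has one cell, 1 ↦ 2.
STORE = {"x": 1, "y": 2, "z": 3}
HEAP = {1: 2}
POOL = {1, 2, 3, 4}   # addresses/values tried for -* extensions (assumption)

def demo():
    """Checks on the sample state; the dict values are the ones discussed in the usage note."""
    return {
        "x_eq_x":        sat(STORE, HEAP, Eq("x", "x")),
        "x_pto_y":       sat(STORE, HEAP, Pto("x", "y")),
        "size_2":        sat(STORE, HEAP, size_geq(2)),              # one cell only
        "size_2_bigger": sat(STORE, {1: 2, 3: 4}, size_geq(2)),
        "alloc_x":       sat(STORE, HEAP, alloc("x"), POOL, 1),
        "alloc_z":       sat(STORE, HEAP, alloc("z"), POOL, 1),
        # z ↪ y -* (x ↪ y * z ↪ y): any cell added for z leaves x's cell in place.
        "frame":         sat(STORE, HEAP, Wand(Pto("z", "y"), Star(Pto("x", "y"), Pto("z", "y"))), POOL, 1),
        # z ↪ y -* emp is refuted by the extension heap {3: 2}.
        "wand_refuted":  sat(STORE, HEAP, Wand(Pto("z", "y"), EMP), POOL, 1),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the checks in demo(): x ↪ y holds and size ≥ 2 fails on the one-cell heap, alloc(x) holds for the allocated variable x and fails for the dangling z, and the wand z ↪ y −∗ emp is refuted by the single-cell extension {3 ↦ 2}, which is precisely the witness heap h′ that the septraction semantics asks for.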
An indistinguishability relation for 0SL
$(s, h) \approx^X_\alpha (s', h')$ iff $\forall \varphi \in \mathrm{Core}(X, \alpha)$, $(s, h) \models \varphi \Leftrightarrow (s', h') \models \varphi$.
A simulation lemma for the operator $*$
Let $(s, h) \approx^X_\alpha (s', h')$. $\forall \alpha_1, \alpha_2$ satisfying $\alpha_1 + \alpha_2 = \alpha$, $\forall h_1, h_2$ satisfying $h_1 + h_2 = h$, $\exists h'_1, h'_2$ s.t. $h'_1 + h'_2 = h'$, $(s, h_1) \approx^X_{\alpha_1} (s', h'_1)$ and $(s, h_2) \approx^X_{\alpha_2} (s', h'_2)$.
Similar lemma for $-\!*$.
This lemma hides a Spoiler/Duplicator EF-game for 0SL, and shows the existence of a winning strategy for Duplicator: for every move of Spoiler, Duplicator has a winning answer.
A "Gaifman locality theorem" for 0SL
Every formula $\varphi$ in 0SL is logically equivalent to a Boolean combination of core formulae from $\mathrm{Core}(\mathrm{vars}(\varphi), \mathrm{size}(\varphi))$.
$\mathrm{Core}(X, \alpha) \stackrel{\mathrm{def}}{=} \{\, x = y,\ x \hookrightarrow y,\ \mathrm{alloc}(x),\ \mathrm{size} \geq \beta \mid x, y \in X,\ \beta \in [0, \alpha] \,\}$.
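Added example, not code from the talk: the core formulae Core(X, α), the relation ≈^X_α and a brute-force check of the simulation lemma for ∗ on two constructed heaps of sizes 3 and 4. Each core formula is evaluated directly on the memory state (alloc(x) as membership of s(x) in the domain of the heap, size ≥ β by counting cells), which is the meaning the definitions above give them; the lemma is confirmed by exhausting every split of the smaller heap and searching for a matching split of the larger one. The stores, heaps and variable set X are constructed for the example.

```python
# Added example, not code from the slides: core formulae, the indistinguishability
# relation ≈^X_α and a brute-force check of the simulation lemma for '*'.
# Memory states as in the talk: store dict VAR -> int, heap dict int -> int.
from itertools import combinations

def core_formulae(X, alpha):
    """Core(X, α) = { x = y, x ↪ y, alloc(x), size ≥ β | x, y ∈ X, β ∈ [0, α] }."""
    X = sorted(X)
    return ([("eq", x, y) for x in X for y in X]
            + [("pto", x, y) for x in X for y in X]
            + [("alloc", x) for x in X]
            + [("size", beta) for beta in range(alpha + 1)])

def holds(s, h, f):
    """Truth of one core formula in (s, h); alloc and size ≥ β are read off the heap directly."""
    if f[0] == "eq":    return s[f[1]] == s[f[2]]
    if f[0] == "pto":   return s[f[1]] in h and h[s[f[1]]] == s[f[2]]
    if f[0] == "alloc": return s[f[1]] in h
    if f[0] == "size":  return len(h) >= f[1]
    raise ValueError(f)

def core_type(s, h, X, alpha):
    """The core formulae of Core(X, α) satisfied by (s, h)."""
    return frozenset(f for f in core_formulae(X, alpha) if holds(s, h, f))

def indistinguishable(s, h, sp, hp, X, alpha):
    """(s, h) ≈^X_α (sp, hp): the two states satisfy exactly the same core formulae."""
    return core_type(s, h, X, alpha) == core_type(sp, hp, X, alpha)

def splits(h):
    """All pairs (h1, h2) with h1 ⊥ h2 and h1 + h2 = h."""
    keys = list(h)
    for r in range(len(keys) + 1):
        for dom1 in combinations(keys, r):
            yield ({k: h[k] for k in dom1}, {k: h[k] for k in keys if k not in dom1})

def simulation_lemma_counterexample(s, h, sp, hp, X, alpha):
    """Brute-force check of the simulation lemma for '*'.
    Requires (s, h) ≈^X_α (sp, hp). For every α1 + α2 = α and every split
    h1 + h2 = h, searches a split hp1 + hp2 = hp with (s, h1) ≈^X_α1 (sp, hp1)
    and (s, h2) ≈^X_α2 (sp, hp2). Returns None when every split is matched
    (the lemma is confirmed on this pair), else the first unmatched (α1, α2, h1, h2)."""
    assert indistinguishable(s, h, sp, hp, X, alpha), "premise of the lemma violated"
    for a1 in range(alpha + 1):
        a2 = alpha - a1
        for h1, h2 in splits(h):
            if not any(indistinguishable(s, h1, sp, hp1, X, a1)
                       and indistinguishable(s, h2, sp, hp2, X, a2)
                       for hp1, hp2 in splits(hp)):
                return (a1, a2, h1, h2)
    return None

# Constructed states: same store, a 3-cell and a 4-cell heap. x is allocated in
# both, y is not, and no cell points to s(x) or s(y), so up to α = 3 the core
# formulae cannot tell the two heaps apart; size ≥ 4 separates them.
S = {"x": 1, "y": 9}
X = {"x", "y"}
H_SMALL = {1: 5, 2: 6, 3: 7}
H_BIG = {1: 5, 2: 6, 3: 7, 4: 8}

if __name__ == "__main__":
    print(indistinguishable(S, H_SMALL, S, H_BIG, X, 3))                # True
    print(indistinguishable(S, H_SMALL, S, H_BIG, X, 4))                # False
    print(simulation_lemma_counterexample(S, H_SMALL, S, H_BIG, X, 3))  # None
```

The search plays Duplicator's role: for each split chosen on the small heap (Spoiler's move) it looks for an answering split of the large heap that preserves the core formulae with the budgets α1 and α2, and the lemma predicts that such an answer always exists whenever the premise ≈^X_α holds. Raising α to 4 breaks the premise, since size ≥ 4 holds in one heap only, which is why the example stops at 3.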
Normalising connectives & reasoning on core formulae
Normalisation of $*$ and $-\!*$:
  $\vdash \psi_1 * \psi_2 \Leftrightarrow \psi_3$
  $\vdash \psi_4 \mathrel{-\!*} \psi_5 \Leftrightarrow \psi_6$
Completeness for core formulae:
  $\vdash \psi$
Put together by the rule
  $\dfrac{\vdash \varphi \Leftrightarrow \psi \qquad \vdash \psi}{\vdash \varphi}$
where $\varphi$ is in SL, and $\psi_i$, $\psi$ are in $\bigcup_{X, \alpha} \mathrm{Bool}(\mathrm{Core}(X, \alpha))$.
From a simple calculus for Core formulae...
(PC) propositional calculus;
(A)  $x \hookrightarrow y \Rightarrow \mathrm{alloc}(x)$
(R)  $x = x$
(F)  $x \hookrightarrow y \wedge x \hookrightarrow z \Rightarrow y = z$
(S)  $\varphi \wedge x = y \Rightarrow \varphi[y \leftarrow x]$
(H1) $\mathrm{size} \geq \beta{+}1 \Rightarrow \mathrm{size} \geq \beta$
(H2) $\bigwedge_{x \in X} \big(\mathrm{alloc}(x) \wedge \bigwedge_{y \in X \setminus \{x\}} x \neq y\big) \Rightarrow \mathrm{size} \geq \mathrm{card}(X)$, where $X \subseteq_{\mathrm{fin}} \mathrm{VAR}$.
$\mathrm{CoreTypes}(X, \alpha)$: set of complete¹ conjunctions of formulae in $\mathrm{Core}(X, \mathrm{card}(X) + \alpha)$.
Lemma. Let $\varphi \in \mathrm{CoreTypes}(X, \alpha)$. We have $\models \neg\varphi$ iff $\vdash \neg\varphi$.
Lemma. Let $\varphi$ be a Boolean combination of core formulae. We have $\models \varphi$ iff $\vdash \varphi$.
¹ Every $\varphi \in \mathrm{Core}(X, \mathrm{card}(X) + \alpha)$ appears in a literal of the conjunction.