Separation logic and fragments: from expressive power to decision procedures
Stéphane Demri, CNRS – Marie Curie Fellow
Yorktown Heights, March 2015
In Memoriam: Morgan Deters
Overview
1. Separation Logic in a Nutshell
2. Expressive Power of 1SL
3. Playing with 1SL Restricted to a Single Variable (1SL1)
4. Expressiveness/Decision Procedure for 1SL1
5. A Taste of Other Decision Procedures
Separation Logic in a Nutshell
Floyd-Hoare logic
• Hoare triple: $\{\phi\}\ C\ \{\psi\}$ (partial correctness). [Hoare, C. ACM 69; Floyd, 1967]
• If we start in a state where φ holds true and the command C terminates, then it yields a state in which ψ holds.
• Commands can be composed: $\dfrac{\{\phi\}\ C_1\ \{\psi\} \qquad \{\psi\}\ C_2\ \{\varphi\}}{\{\phi\}\ C_1 ; C_2\ \{\varphi\}}$
• Strengthening preconditions / weakening postconditions: $\dfrac{\phi \Rightarrow \phi' \qquad \{\phi'\}\ C\ \{\psi\} \qquad \psi \Rightarrow \psi'}{\{\phi\}\ C\ \{\psi'\}}$
• Rule of constancy: $\dfrac{\{\phi\}\ C\ \{\psi\}}{\{\phi \wedge \psi'\}\ C\ \{\psi \wedge \psi'\}}$ where no variable free in ψ′ is modified by C.
When separation logic enters into the play
• Unsoundness of the rule of constancy with pointers: from the valid triple $\{\exists u\,(x \mapsto u)\}\ [x] := 4\ \{x \mapsto 4\}$ the rule derives $\{(\exists u\,(x \mapsto u)) \wedge y \mapsto 3\}\ [x] := 4\ \{x \mapsto 4 \wedge y \mapsto 3\}$, where x ↦ u reads “the memory has a unique memory cell x ↦ u”. The precondition forces x and y to denote that single cell, so after the assignment y ↦ 3 no longer holds.
• Reparation with the frame rule: $\dfrac{\{\phi\}\ C\ \{\psi\}}{\{\phi \ast \psi'\}\ C\ \{\psi \ast \psi'\}}$ where no variable free in ψ′ is modified by C.
On separation logic
• Introduced by Ishtiaq, O’Hearn, Pym, Reynolds, Yang.
• Extension of Hoare logic with separating connectives. [Reynolds, LICS’02]
• Reasoning about the heap with a strong form of locality built in.
• In a broad sense: assertion logic + programming language + specification logic.
• A taste of separation logic:
  • Models can be finite graphs.
  • Binary modalities ∗ and −∗.
  • While evaluating a formula, models can be updated.
Memory states with one record field
• Program variables PVAR = {x1, x2, x3, ...}.
• Memory state:
  • Store s : PVAR → ℕ.
  • Heap h : ℕ ⇀ ℕ with finite domain (here, no distinction between locations and values).
[Figure: a heap h drawn as a forest of cells; node labels omitted]
Disjoint heaps
• Disjoint heaps: dom(h1) ∩ dom(h2) = ∅ (noted h1 ⊥ h2).
• When h1 ⊥ h2, the disjoint heap h1 ⊎ h2 is defined.
[Figure: a heap with program variables x1, ..., x4 shown as the disjoint union ⊎ of two heaps]
Syntax and semantics for 1SL
• Quantified variables FVAR = {u1, u2, u3, ...}.
• Expressions: e ::= x_i | u_j
• Atomic formulae: π ::= e = e′ | e ↪ e′ | emp | ⊥
• Formulae: φ ::= π | φ ∧ ψ | ¬φ | φ ∗ ψ | φ −∗ ψ | ∃u φ
• $(s,h) \models_f \mathrm{emp} \;\overset{\mathrm{def}}{\Leftrightarrow}\; \mathrm{dom}(h) = \emptyset$.
• $(s,h) \models_f e = e' \;\overset{\mathrm{def}}{\Leftrightarrow}\; [\![e]\!] = [\![e']\!]$, with $[\![x]\!] \overset{\mathrm{def}}{=} s(x)$ and $[\![u]\!] \overset{\mathrm{def}}{=} f(u)$.
• $(s,h) \models_f e \hookrightarrow e' \;\overset{\mathrm{def}}{\Leftrightarrow}\; [\![e]\!] \in \mathrm{dom}(h)$ and $h([\![e]\!]) = [\![e']\!]$.
Binary modality: separating conjunction
$(s,h) \models_f \phi_1 \ast \phi_2 \;\overset{\mathrm{def}}{\Leftrightarrow}\;$ for some $h_1, h_2$ such that $h = h_1 \uplus h_2$, $(s,h_1) \models_f \phi_1$ and $(s,h_2) \models_f \phi_2$.
−∗ universally quantifies over an infinite set!
$(s,h) \models_f \phi_1 \mathrel{-\!\ast} \phi_2 \;\overset{\mathrm{def}}{\Leftrightarrow}\;$ for all $h'$, if $h \perp h'$ and $(s,h') \models_f \phi_1$, then $(s, h \uplus h') \models_f \phi_2$.
Satisfiability problem
• $(s,h) \models_f \exists u\, \phi \;\overset{\mathrm{def}}{\Leftrightarrow}\;$ there is $l \in \mathbb{N}$ such that $(s,h) \models_{f[u \mapsto l]} \phi$, where $f[u \mapsto l]$ is the assignment equal to $f$ except that $u$ takes the value $l$.
• Satisfiability problem:
  input: a formula φ in 1SL
  question: are there (s, h) and f such that $(s,h) \models_f \phi$?
• Validity problem, entailment problem, ...
Standard inference rules for mutation
• $(s,h) \models_f x \mapsto u$ iff $\mathrm{dom}(h) = \{s(x)\}$ and $h(s(x)) = f(u)$.
• Local form (MUL): $\{\exists u\,(x \mapsto u)\}\ [x] := y\ \{x \mapsto y\}$
• Global form (MUG): $\{(\exists u\,(x \mapsto u)) \ast \phi\}\ [x] := y\ \{x \mapsto y \ast \phi\}$
• Backward-reasoning form (MUBR): $\{(\exists u\,(x \mapsto u)) \ast ((x \mapsto y) \mathrel{-\!\ast} \phi)\}\ [x] := y\ \{\phi\}$
Taming the magic wand semantics
• Controversy about the use of the magic wand for verification. See its recent use in [Thakur & Breck & Reps, SPIN’14].
• Program variable x is allocated: $(x \hookrightarrow x) \mathrel{-\!\ast} \bot$
• Equality between expressions e and e′ (u not in e, e′): $\forall u\, (u \hookrightarrow e \mathrel{-\!\ast} u \hookrightarrow e')$
Simple properties stated in 1SL
• The value of u is in the domain of the heap: $\mathrm{alloc}(u) \overset{\mathrm{def}}{=} \exists u'\,(u \hookrightarrow u')$ (variant of $(u \hookrightarrow u) \mathrel{-\!\ast} \bot$)
• The heap has a unique cell u1 ↦ u2: $u_1 \mapsto u_2 \overset{\mathrm{def}}{=} u_1 \hookrightarrow u_2 \wedge \neg\exists u'\,(u' \neq u_1 \wedge \mathrm{alloc}(u'))$
• The domain of the heap is empty: $\mathrm{emp} \overset{\mathrm{def}}{=} \neg\exists u\, \mathrm{alloc}(u)$
• u has at least k predecessors (2 options):
  $\exists u_1, \ldots, u_k\; \bigwedge_{i \neq j} u_i \neq u_j \wedge \bigwedge_{i=1}^{k} u_i \hookrightarrow u$
  $\underbrace{(\exists u'\,(u' \hookrightarrow u)) \ast \cdots \ast (\exists u'\,(u' \hookrightarrow u))}_{k \text{ times}}$
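As an added example, not code from the slides, the following Python model checker implements the semantic clauses above for the ∗-fragment of 1SL (the magic wand is left out, since its quantification over all disjoint heaps cannot be enumerated). It is used to check the derived definitions on this slide (alloc, the strict u1 ↦ u2, emp, the two encodings of "at least k predecessors"), the aliasing counterexample to the rule of constancy and the frame-rule precondition from the earlier slide, and the mutation command [x] := y of the local rule (MUL). Everything below is an assumption of the example rather than part of the slides: the tuple encoding of formulas, the `sat`, `mutate` and check functions, the constructed sample states, and the bounded treatment of ∃ (quantifiers range over the locations occurring in s, h and f plus one fresh location, a small-model simplification adequate for the wand-free fragment).

```python
# Added example (not from the slides): a small model checker for the
# *-fragment of 1SL (no magic wand) over the slides' memory states.
# Store s: program variable -> location; heap h: location -> location,
# finite; f: quantified variable -> location.
# Formulas are nested tuples:
#   ('emp',), ('eq', e, e2), ('pt', e, e2)            e = e2, e -> e2 (hooked arrow)
#   ('not', p), ('and', p, q), ('star', p, q), ('exists', u, p)
# Expressions are integer literals or variable names; quantified names must
# not collide with program variable names.
from itertools import combinations

def value(e, s, f):
    """Meaning of an expression: literal, quantified variable (f) or program variable (s)."""
    if isinstance(e, int):
        return e
    return f[e] if e in f else s[e]

def sat(phi, s, h, f=None):
    """(s, h) |=_f phi, following the semantic clauses on the slides."""
    f = {} if f is None else f
    op = phi[0]
    if op == 'emp':
        return not h
    if op == 'eq':
        return value(phi[1], s, f) == value(phi[2], s, f)
    if op == 'pt':
        l = value(phi[1], s, f)
        return l in h and h[l] == value(phi[2], s, f)
    if op == 'not':
        return not sat(phi[1], s, h, f)
    if op == 'and':
        return sat(phi[1], s, h, f) and sat(phi[2], s, h, f)
    if op == 'star':      # some split h = h1 (+) h2 with phi1 on h1 and phi2 on h2
        locs = sorted(h)
        for mask in range(1 << len(locs)):
            h1 = {l: h[l] for i, l in enumerate(locs) if mask >> i & 1}
            h2 = {l: h[l] for l in locs if l not in h1}
            if sat(phi[1], s, h1, f) and sat(phi[2], s, h2, f):
                return True
        return False
    if op == 'exists':    # assumption: without -*, locations mentioned nowhere in
        # (s, h, f) are interchangeable, so one fresh representative suffices
        seen = set(h) | set(h.values()) | set(s.values()) | set(f.values())
        fresh = max(seen, default=0) + 1
        return any(sat(phi[2], s, h, {**f, phi[1]: l}) for l in seen | {fresh})
    raise ValueError(op)

def mutate(s, h, x, v):
    """The command [x] := v on an allocated cell; returns the updated heap."""
    if s[x] not in h:
        raise KeyError("dereferencing an unallocated location")
    return {**h, s[x]: v}

# Derived formulas from the slide (primes encoded by appending a quote).
def alloc(u):                 # exists u' (u -> u')
    return ('exists', u + "'", ('pt', u, u + "'"))

def strict_pt(e1, e2):        # e1 |-> e2: e1 -> e2 and no other location is allocated
    other = ('exists', "u'", ('and', ('not', ('eq', "u'", e1)), alloc("u'")))
    return ('and', ('pt', e1, e2), ('not', other))

def conj(fs):
    phi = fs[0]
    for g in fs[1:]:
        phi = ('and', phi, g)
    return phi

def preds_fo(u, k):           # k pairwise distinct quantified predecessors of u
    names = [f"v{i}" for i in range(k)]
    phi = conj([('pt', n, u) for n in names] + [('not', ('eq', a, b)) for a, b in combinations(names, 2)])
    for n in reversed(names):
        phi = ('exists', n, phi)
    return phi

def preds_star(u, k):         # (exists w (w -> u)) * ... * (exists w (w -> u)), k times
    one = ('exists', 'w', ('pt', 'w', u))
    phi = one
    for _ in range(k - 1):
        phi = ('star', one, phi)
    return phi

def rule_of_constancy_fails():
    """Constructed state where x and y alias: the rule's conclusion is violated."""
    s, h = {'x': 1, 'y': 1}, {1: 3}
    pre = ('and', ('exists', 'u', strict_pt('x', 'u')), strict_pt('y', 3))
    post = ('and', strict_pt('x', 4), strict_pt('y', 3))
    return sat(pre, s, h) and not sat(post, s, mutate(s, h, 'x', 4))

def frame_rule_holds():
    """With * the aliased state fails the precondition; a separated state keeps y |-> 3."""
    pre = ('star', ('exists', 'u', strict_pt('x', 'u')), strict_pt('y', 3))
    post = ('star', strict_pt('x', 4), strict_pt('y', 3))
    aliased, separate = ({'x': 1, 'y': 1}, {1: 3}), ({'x': 1, 'y': 2}, {1: 7, 2: 3})
    return (not sat(pre, *aliased) and sat(pre, *separate)
            and sat(post, separate[0], mutate(*separate, 'x', 4)))

def derived_defs_agree():
    """emp and x |-> y as defined with quantifiers match the primitive semantics."""
    emp_def = ('not', ('exists', 'u', alloc('u')))
    samples = [({'x': 1, 'y': 2}, {}), ({'x': 1, 'y': 2}, {1: 2}),
               ({'x': 1, 'y': 2}, {1: 2, 3: 3}), ({'x': 1, 'y': 1}, {1: 1})]
    return all(sat(emp_def, s, h) == (not h)
               and sat(strict_pt('x', 'y'), s, h) == (set(h) == {s['x']} and h[s['x']] == s['y'])
               for s, h in samples)

def predecessor_encodings_agree():
    """Constructed heap where 5 has exactly two predecessors: both encodings agree for k = 1..3."""
    s, h = {'x': 5}, {1: 5, 2: 5, 3: 9}
    return all(sat(preds_fo('x', k), s, h) == sat(preds_star('x', k), s, h) == (k <= 2) for k in (1, 2, 3))
```

The ∗ clause enumerates every split of the finite heap, which is exactly what makes the separating conjunction decidable on a given model and what the frame rule exploits: in the aliased state no split can place x's cell and y's cell in disjoint sub-heaps, so the ∗-precondition is simply false there.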
Expressive power / Decidability / Complexity
• 1SL ≡ DSOL ≡ WSOL ≡ 1SL(−∗): undecidable
• 1SL2: undecidable
• 1SL(∗): decidable, non-elementary
• 1SL1: PSPACE-complete
• 1SL2(−∗) ≡ DSOL: undecidable
• 1SL2(∗): non-elementary
• 1SL0: PSPACE-complete
References: 1SL0 [Calcagno & Yang & O’Hearn, APLAS’01]; 1SL(−∗) [Brochenin & Demri & Lozes, IC 12]; 1SL1 [Demri & Galmiche & Larchey-Wendling & Mery, CSR’14]; 1SL2(−∗) [Demri & Deters, CSL-LICS’14].
A smooth extension: 2SL
• Heap h : ℕ ⇀ ℕ × ℕ with finite domain.
• When h1 ⊥ h2, the disjoint heap h1 ⊎ h2 is defined.
• Atomic formulae: π ::= e = e′ | e ↪ e′, e″ | emp | ⊥
• $(s,h) \models_f e \hookrightarrow e', e'' \;\overset{\mathrm{def}}{\Leftrightarrow}\; [\![e]\!] \in \mathrm{dom}(h)$ and $h([\![e]\!]) = ([\![e']\!], [\![e'']\!])$
• The 2SL satisfiability problem is undecidable, by reduction from finitary satisfiability for classical predicate logic. [Trakhtenbrot, 50; Calcagno & Yang & O’Hearn, APLAS 01]
• Validity in 2SL is not recursively enumerable.
Expressive Power of 1SL
Weak second-order logic WSOL
• Formulae: φ ::= u_i = u_j | u_i ↪ u_j | φ ∧ φ | ¬φ | ∃u_i φ | ∃P φ | P(u1, ..., un)
• $h \models_V \exists P\, \phi$ iff there is a finite $R \subseteq \mathbb{N}^n$ such that $h \models_{V[P \mapsto R]} \phi$.
• $h \models_V P(u_1, \ldots, u_n)$ iff $(V(u_1), \ldots, V(u_n)) \in V(P)$.
• DSOL: dyadic fragment of WSOL.
• Known reduction from WSOL to DSOL.
From 1SL to DSOL (internalization of 1SL semantics)
• $\mathrm{hp}(P) \overset{\mathrm{def}}{=} \forall u, u', u''\; (P(u,u') \wedge P(u,u'')) \Rightarrow u' = u''$
• $P = Q \ast R \overset{\mathrm{def}}{=} \forall u, u'\; (P(u,u') \Leftrightarrow (Q(u,u') \vee R(u,u'))) \wedge \neg(Q(u,u') \wedge R(u,u'))$
• Translation: $\exists P\; (\forall u, u'\; P(u,u') \Leftrightarrow u \hookrightarrow u') \wedge t_P(\phi)$ with
  $t_P(u \hookrightarrow u') \overset{\mathrm{def}}{=} P(u,u')$
  $t_P(\psi \ast \varphi) \overset{\mathrm{def}}{=} \exists Q, Q'\; P = Q \ast Q' \wedge t_Q(\psi) \wedge t_{Q'}(\varphi)$
  $t_P(\psi \mathrel{-\!\ast} \varphi) \overset{\mathrm{def}}{=} \forall Q\; \big((\exists Q'\; \mathrm{hp}(Q') \wedge Q' = Q \ast P) \wedge \mathrm{hp}(Q) \wedge t_Q(\psi)\big) \Rightarrow \big(\exists Q'\; \mathrm{hp}(Q') \wedge Q' = Q \ast P \wedge t_{Q'}(\varphi)\big)$
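As an added example, not code from the slides, the following Python code writes the internalization above as a syntactic translation `t(P, phi)`: the three clauses for ↪, ∗ and −∗ follow the slide, and hp(P), P = Q ∗ R and the outer ∃P wrapper are built from the definitions given there. The Boolean connectives and ∃u are passed through homomorphically, and emp is translated as "P has no pair"; both are assumptions of the example, since the slide does not spell them out. A bounded DSOL evaluator then checks the ∗-fragment of the translation on a constructed finite heap; its two bounds are assumptions too: first-order quantifiers range over the locations of the heap and assignment plus one fresh one, and relation variables range over sub-relations of the heap, which is adequate for ∃Q, Q′ with P = Q ∗ Q′ (both are within P, and P is the heap) but not for the ∀Q of the wand clause, which the evaluator therefore refuses. The names `a`, `b`, `c` are reserved for the bound variables of the definitions, and `TWO_PREDS` is a constructed sample formula.

```python
# Added example (not from the slides): the internalization of 1SL into DSOL
# as a syntactic translation t_P, with a bounded DSOL evaluator that checks
# the *-fragment of the translation on a finite heap.
# DSOL formulas are nested tuples:
#   ('R', P, u, v)  P(u, v) for relation variable P;  ('pt', u, v)  u -> v in the heap
#   ('eq', u, v), ('not', p), ('and', p, q), ('exists', u, p), ('existsR', P, p)
# First-order names 'a', 'b', 'c' are reserved for the definitions below.

def forall(u, p): return ('not', ('exists', u, ('not', p)))
def imp(p, q): return ('not', ('and', p, ('not', q)))
def iff(p, q): return ('and', imp(p, q), imp(q, p))
def disj(p, q): return ('not', ('and', ('not', p), ('not', q)))

def hp(P):
    """hp(P): P is functional, i.e. forall a,b,c (P(a,b) & P(a,c)) -> b = c."""
    return forall('a', forall('b', forall('c',
        imp(('and', ('R', P, 'a', 'b'), ('R', P, 'a', 'c')), ('eq', 'b', 'c')))))

def split(P, Q, R):
    """P = Q * R: forall a,b (P(a,b) <-> Q(a,b) | R(a,b)) & ~(Q(a,b) & R(a,b))."""
    body = ('and', iff(('R', P, 'a', 'b'), disj(('R', Q, 'a', 'b'), ('R', R, 'a', 'b'))),
            ('not', ('and', ('R', Q, 'a', 'b'), ('R', R, 'a', 'b'))))
    return forall('a', forall('b', body))

def t(P, phi):
    """t_P(phi): the slide's clauses for ->, * and -*; the other connectives
    (and emp, an assumption not spelled out on the slide) pass through P."""
    op = phi[0]
    if op == 'pt':
        return ('R', P, phi[1], phi[2])
    if op == 'emp':
        return ('not', ('exists', 'a', ('exists', 'b', ('R', P, 'a', 'b'))))
    if op == 'eq':
        return phi
    if op in ('not', 'and', 'exists'):
        return (op,) + tuple(t(P, x) if isinstance(x, tuple) else x for x in phi[1:])
    Q, Q2 = P + 'q', P + 'r'          # relation names fresh for this subformula
    if op == 'star':
        return ('existsR', Q, ('existsR', Q2,
            ('and', ('and', split(P, Q, Q2), t(Q, phi[1])), t(Q2, phi[2]))))
    if op == 'wand':
        lhs = ('and', ('and', ('existsR', Q2, ('and', hp(Q2), split(Q2, Q, P))), hp(Q)), t(Q, phi[1]))
        rhs = ('existsR', Q2, ('and', ('and', hp(Q2), split(Q2, Q, P)), t(Q2, phi[2])))
        return ('forallR', Q, imp(lhs, rhs))
    raise ValueError(op)

def translate(phi):
    """exists P ((forall a,b P(a,b) <-> a -> b) & t_P(phi))."""
    return ('existsR', 'P', ('and', forall('a', forall('b', iff(('R', 'P', 'a', 'b'), ('pt', 'a', 'b')))), t('P', phi)))

def dsol_sat(phi, h, V):
    """Bounded evaluator. V maps first-order variables to locations and relation
    variables to sets of pairs. Assumptions: first-order quantifiers range over
    the locations of (h, V) plus one fresh one; relation variables range over
    sub-relations of h, adequate for the *-fragment (P = Q * Q' keeps Q, Q' within P)."""
    op = phi[0]
    if op == 'R':
        return (V[phi[2]], V[phi[3]]) in V[phi[1]]
    if op == 'pt':
        return V[phi[1]] in h and h[V[phi[1]]] == V[phi[2]]
    if op == 'eq':
        return V[phi[1]] == V[phi[2]]
    if op == 'not':
        return not dsol_sat(phi[1], h, V)
    if op == 'and':
        return dsol_sat(phi[1], h, V) and dsol_sat(phi[2], h, V)
    if op == 'exists':
        seen = set(h) | set(h.values()) | {v for v in V.values() if isinstance(v, int)}
        return any(dsol_sat(phi[2], h, {**V, phi[1]: l}) for l in seen | {max(seen, default=0) + 1})
    if op == 'existsR':
        pairs = list(h.items())
        return any(dsol_sat(phi[2], h, {**V, phi[1]: {p for i, p in enumerate(pairs) if mask >> i & 1}})
                   for mask in range(1 << len(pairs)))
    raise NotImplementedError(f"{op}: -* ranges over all finite heaps, beyond the sub-relation bound")

def holds(phi, h):
    """Does the closed 1SL formula phi hold in heap h, judged through its DSOL translation?"""
    return dsol_sat(translate(phi), h, {})

# Constructed sample: 'some location has at least two predecessors', written with *.
TWO_PREDS = ('exists', 'u', ('star', ('exists', 'v', ('pt', 'v', 'u')), ('exists', 'v', ('pt', 'v', 'u'))))
```

The translation is where the expressiveness results on the earlier slide come from: a ∗ becomes two second-order existentials over sub-relations, while a −∗ becomes a second-order universal over arbitrary finite heaps, which is the source of the undecidability of the wand fragments and the reason the bounded evaluator stops at that clause.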