Verified Software Workshop 2019
Separation Logic Goes
Joost-Pieter Katoen
Verified Software Workshop, Isaac Newton Institute, Cambridge 2019

Overview
1. Background and Introduction
2. Separation Logic
3. Probabilistic Weakest Preconditions
4. Quantitative Separation Logic
5. Case Studies
6. Epilogue

Background and Introduction

Perspective in Nature
“There are several reasons why probabilistic programming could prove to be revolutionary for machine intelligence and scientific modelling.”

Probabilistic Programming
[figure: logos of probabilistic programming languages, among them Scenic]
Popular PPL: STAN (> 10,000 active users, 33 releases).
Almost every PL has a probabilistic version! See probabilistic-programming.org.

Today’s Focus
“Randomised skip list algorithms have the same asymptotic expected time bounds as balanced trees and are simpler, faster, and use less space.” [Pugh, 1989]
“The expected running time of randomised splay trees is smaller than deterministic variants.” [Albers and Karpinski, 2002]

Today’s Focus
Can we formally prove programs that flip coins and manipulate pointers?
- At the source code level.
- No “descend” in some operational model.
- No ad-hoc arguments.
- Enabling mechanised certification.

Practical Relevance
[figures on three slides: [Pugh, 1989] CACM; [Carbin et al., 2016] CACM; [Ruttenberg & Pfeffer, 2014]]
Array Randomisation

    randomise(array, n) {
        i := 0;
        while (0 <= i < n) {
            j := uniform(i, n-1);
            swap(array, i, j);
            i++
        }
    }

Is the probability of any fixed array configuration $1/n!$?
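The question on the slide can be settled exactly for small n by enumerating every run of randomise: each call uniform(i, n-1) has n-i equally likely outcomes, so a run's probability is the product of the weights 1/(n-i). The following added example (not code from the slides) does this with exact rationals; the `naive` flag is an added contrast that draws j from the whole range 0..n-1, a common shuffle mistake that is not uniform.

```python
import math
from fractions import Fraction
from itertools import permutations

# Added example (not from the slides): exhaustive enumeration of every run of
# randomise(array, n).  Each uniform(lo, n-1) is expanded into all its outcomes,
# weighted 1/(n-lo); the product of the weights is the probability of that run.


def randomise_distribution(n, naive=False):
    """Exact output distribution: dict mapping final tuple -> Fraction.

    naive=False draws j := uniform(i, n-1) as on the slide; naive=True draws
    j := uniform(0, n-1) instead (a common shuffle mistake, added for contrast).
    """
    dist = {}

    def run(array, i, prob):
        if i >= n:                                   # loop guard 0 <= i < n fails
            dist[array] = dist.get(array, Fraction(0)) + prob
            return
        lo = 0 if naive else i
        for j in range(lo, n):                       # j := uniform(lo, n-1)
            a = list(array)
            a[i], a[j] = a[j], a[i]                  # swap(array, i, j)
            run(tuple(a), i + 1, prob / (n - lo))    # i++

    run(tuple(range(n)), 0, Fraction(1))
    return dist


def is_uniform(n, naive=False):
    """True iff all n! configurations arise and each has probability exactly 1/n!."""
    dist = randomise_distribution(n, naive)
    target = Fraction(1, math.factorial(n))
    all_perms = set(permutations(range(n)))
    return set(dist) == all_perms and all(p == target for p in dist.values())
```

For the slide's version every configuration has probability exactly 1/n!; with the naive range the 3^3 = 27 runs cannot be split evenly over 3! = 6 configurations.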
Faulty Garbage Collector

    delete(x) {
        if (x != 0) {
            { skip                          // fails with probability p
            } [p] {                         // flip biased coin
                left := <x>; right := <x+1>;
                delete(left); delete(right);
                free(x); free(x+1)
            }
        }
    }

[figure: tree node x with its left and right pointers stored at x and x+1]
What is the probability that on termination the heap is empty?
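One way to answer the slide's question for a concrete tree is to run delete(x) symbolically over all coin outcomes and collect the resulting heaps with their exact probabilities. The following is an added example (not the slides' code); the heap layout, the tree and the value of p are constructed here, and `count_nodes` is an added helper used to compare the result with (1-p) raised to the number of nodes, which is what the heap-is-empty event amounts to: every node's coin must choose the deleting branch.

```python
from fractions import Fraction

# Added example (not from the slides): exact outcome distribution of delete(x).
# The heap is a constructed dict address -> value; node x keeps its left child
# at x and its right child at x+1, and address 0 is the null pointer.


def delete_outcomes(x, heap, p):
    """All (probability, remaining heap) pairs after delete(x) terminates."""
    if x == 0:
        return [(Fraction(1), dict(heap))]
    outcomes = [(p, dict(heap))]                       # skip: nothing freed
    left, right = heap[x], heap[x + 1]                 # left := <x>; right := <x+1>
    for pl, h1 in delete_outcomes(left, heap, p):      # delete(left)
        for pr, h2 in delete_outcomes(right, h1, p):   # delete(right)
            h3 = dict(h2)
            del h3[x], h3[x + 1]                       # free(x); free(x+1)
            outcomes.append(((1 - p) * pl * pr, h3))
    return outcomes


def prob_heap_empty(root, heap, p):
    """Probability that the heap is empty on termination of delete(root)."""
    return sum(pr for pr, h in delete_outcomes(root, heap, p) if not h)


def count_nodes(x, heap):
    """Added helper: number of allocated nodes reachable from x."""
    if x == 0:
        return 0
    return 1 + count_nodes(heap[x], heap) + count_nodes(heap[x + 1], heap)


# Constructed tree: root at address 1 with children at 3 and 5, both leaves.
TREE = {1: 3, 2: 5, 3: 0, 4: 0, 5: 0, 6: 0}
```

With p = 1/4 and this three-node tree the heap is empty with probability (3/4)^3 = 27/64, and with probability p = 1/4 nothing at all is freed.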
Pointers = Problematic
Dereferencing null pointers, aliasing, memory leaks, ...

Probabilities = Problematic Too
“In no other branch of mathematics is it so easy to make mistakes as in probability theory” [Henk Tijms, Understanding Probability, 2004]

Mission Impossible? Not Quite!
We will develop a weakest precondition calculus à la Dijkstra that:
1. combines discrete probabilities with pointers
2. mixes probabilistic choices and unbounded nondeterminism
3. preserves virtually all properties of both:
   - separation logic, and
   - weakest pre-expectations (aka: quantitative preconditions)
   though things can easily break in both worlds ...
4. is applicable to reason about actual randomised algorithms

Separation Logic

“The Hoare Logic for Pointers”
SEPARATION LOGIC
John Reynolds and Peter O’Hearn
Heaps
States: $S = \{ (s, h) \mid s : \mathit{Vars} \to \mathbb{Z},\ h : \mathrm{dom}(h) \to \mathbb{Z} \}$ with $\mathrm{dom}(h) \subseteq \mathbb{N}_{>0}$,
where $s$ is the valuation and $h$ is the heap.

Deficiency of Hoare Logic: Pointers
The rule
  $\{P\}\ C\ \{Q\}$ and $\mathrm{Mod}(C) \cap \mathrm{Vars}(R) = \emptyset$ implies $\{P \wedge R\}\ C\ \{Q \wedge R\}$
becomes unsound for pointers, e.g., from
  $\{x \mapsto 0\}\ \langle x \rangle := 1\ \{x \mapsto 1\}$
it would yield
  $\{x \mapsto 0 \wedge y \mapsto 0\}\ \langle x \rangle := 1\ \{x \mapsto 1 \wedge y \mapsto 0\}$,
which is not valid as $y$ could alias $x$.

The Frame Rule
  $\{P\}\ C\ \{Q\}$ and $\mathrm{Mod}(C) \cap \mathrm{Vars}(R) = \emptyset$ implies $\{P * R\}\ C\ \{Q * R\}$
for any heap $R$ that is unaffected by program $C$. Then, from
  $\{x \mapsto 0\}\ \langle x \rangle := 1\ \{x \mapsto 1\}$
we obtain
  $\{x \mapsto 0 * y \mapsto 0\}\ \langle x \rangle := 1\ \{x \mapsto 1 * y \mapsto 0\}$,
which is valid as the separation conjunction excludes aliasing of $x$ and $y$.
The frame rule is the key to compositional reasoning.

Pointer Programs
Heap manipulation commands:
  $x := \mathrm{new}(E)$        allocation
  $\mathrm{free}(E)$            deallocation
  $x := \langle E \rangle$      lookup
  $\langle E \rangle := E'$     mutation
Operational semantics:
  if $u \in \mathbb{N}_{>0} \setminus \mathrm{dom}(h)$ and $E(s) = v$, then $\langle x := \mathrm{new}(E), s, h \rangle \to \langle \mathrm{term}, s[x/u], h \uplus \{u \mapsto v\} \rangle$
  if $E(s) = u \in \mathrm{dom}(h)$ and $h(u) = v$, then $\langle x := \langle E \rangle, s, h \rangle \to \langle \mathrm{term}, s[x/v], h \rangle$
  if $E(s) = u \notin \mathrm{dom}(h)$, then $\langle x := \langle E \rangle, s, h \rangle \to \langle \mathrm{fault}, s, h \rangle$

Elementary SL Formulas
  $(s, h) \models \mathrm{emp}$ iff $\mathrm{dom}(h) = \emptyset$
  $(s, h) \models [x \mapsto y]$ iff $\mathrm{dom}(h) = \{ s(x) \}$ and $h(s(x)) = s(y)$

Separation Conjunction
  $s, h \models F * G$ iff $\exists h_1, h_2 :\ h = h_1 \uplus h_2$ and $s, h_1 \models F$ and $s, h_2 \models G$
For heap $h = \{4 \mapsto 7\} \uplus \{7 \mapsto 4\}$ we have:
[figure: examples for this heap]

Separation Implication
  $s, h \models F \mathrel{-\!*} G$ iff $\forall h' :\ (h \mathrel{\#} h'$ and $s, h' \models F)$ implies $s, h \uplus h' \models G$
Adjointness of $*$ and $-\!*$:
  $(F * G) \Rightarrow R$ iff $G \Rightarrow (F \mathrel{-\!*} R)$
Modus ponens:
  $F * (F \mathrel{-\!*} G) \Rightarrow G$
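The aliasing argument on the "Deficiency of Hoare Logic" and "Frame Rule" slides can be checked mechanically on finite heaps using the semantics of emp, points-to and * given above, with the mutation and fault cases of the operational semantics. The following is an added example (not the slides' code): formulas are encoded as nested tuples, the two states are constructed, and `sat`, `mutate` and `triple_holds` are names chosen here.

```python
from itertools import product

# Added example (not from the slides): a finite-heap model of the elementary SL
# formulas above.  A state is (s, h): s maps variable names to integers and h
# maps allocated addresses (> 0) to integers.  Formulas are nested tuples
# ("emp",), ("pt", x, v), ("and", F, G), ("*", F, G); v is a name or a literal.

def sat(s, h, f):
    """Decide (s, h) |= f following the slide definitions of emp, points-to, and, *."""
    kind = f[0]
    if kind == "emp":
        return not h                                    # dom(h) is empty
    if kind == "pt":                                    # dom(h) = {s(x)}, h(s(x)) = v
        _, x, v = f
        v = s[v] if isinstance(v, str) else v
        return set(h) == {s[x]} and h[s[x]] == v
    if kind == "and":
        return sat(s, h, f[1]) and sat(s, h, f[2])
    if kind == "*":                                     # exists h1 (+) h2 = h
        cells = list(h)
        for mask in product((True, False), repeat=len(cells)):
            h1 = {a: h[a] for a, m in zip(cells, mask) if m}
            h2 = {a: h[a] for a, m in zip(cells, mask) if not m}
            if sat(s, h1, f[1]) and sat(s, h2, f[2]):
                return True
        return False
    raise ValueError(f"unknown connective {kind}")

def mutate(s, h, x, value):
    """<x> := value; returns None (fault) when s(x) is not allocated."""
    if s[x] not in h:
        return None
    return {**h, s[x]: value}

def triple_holds(pre, x, value, post, states):
    """Check {pre} <x> := value {post} on every constructed state satisfying pre."""
    for s, h in states:
        if sat(s, h, pre):
            h2 = mutate(s, h, x, value)
            if h2 is None or not sat(s, h2, post):
                return False
    return True

# Constructed states: in the first, y aliases x (both hold address 7).
STATES = [({"x": 7, "y": 7}, {7: 0}), ({"x": 7, "y": 8}, {7: 0, 8: 0})]
PRE_AND = ("and", ("pt", "x", 0), ("pt", "y", 0))
POST_AND = ("and", ("pt", "x", 1), ("pt", "y", 0))
PRE_STAR = ("*", ("pt", "x", 0), ("pt", "y", 0))
POST_STAR = ("*", ("pt", "x", 1), ("pt", "y", 0))
```

The aliasing state satisfies the conjunctive precondition and breaks the conjunctive triple, but it does not satisfy x ↦ 0 * y ↦ 0 at all, so the framed triple holds on every state where its precondition is true.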
Example SL Proof
[figure: proof outline shown on the slide]

Probabilistic Weakest Preconditions

“Dijkstra’s Weakest Preconditions Go Random”
WEAKEST PRE-EXPECTATIONS
Dexter Kozen, Annabelle McIver, and Carroll Morgan