se.inf.ethz.chse.inf.ethz.ch/old/teaching/2008-h/tc-0239/slides/sv2008_seplogic.pdf · syntax...
TRANSCRIPT
An Introduction to Separation Logic
Cristiano Calcagno (thanks to Matthew Parkinson)Imperial College London
– p. 1/22
Overview
Introduction• Motivation• The Logic• Some examples
– p. 2/22
Motivation
– p. 3/22
Example program
Motivation
x := cons(3,3);y := cons(4,4);[x+1] := y;[y+1] := x;y := x+1;dispose x;y := [y];
– p. 4/22
Example program
Motivation
x := cons(3,3);y := cons(4,4);[x+1] := y;[y+1] := x;y := x+1;dispose x;y := [y];
X
3 3
Stack
Heap
– p. 4/22
Example program
Motivation
x := cons(3,3);y := cons(4,4);[x+1] := y;[y+1] := x;y := x+1;dispose x;y := [y];
X Y
3 3 4 4
Stack
Heap
– p. 4/22
Example program
Motivation
x := cons(3,3);y := cons(4,4);[x+1] := y;[y+1] := x;y := x+1;dispose x;y := [y];
X Y
3 4 4
Stack
Heap
– p. 4/22
Example program
Motivation
x := cons(3,3);y := cons(4,4);[x+1] := y;[y+1] := x;y := x+1;dispose x;y := [y];
X Y
3 4
Stack
Heap
– p. 4/22
Example program
Motivation
x := cons(3,3);y := cons(4,4);[x+1] := y;[y+1] := x;y := x+1;dispose x;y := [y];
X Y
3 4
Stack
Heap
– p. 4/22
Example program
Motivation
x := cons(3,3);y := cons(4,4);[x+1] := y;[y+1] := x;y := x+1;dispose x;y := [y];
X Y
4
Stack
Heap
– p. 4/22
Example program
Motivation
x := cons(3,3);y := cons(4,4);[x+1] := y;[y+1] := x;y := x+1;dispose x;y := [y];
X Y
4
Stack
Heap
– p. 4/22
Why Separation Logic?
Motivation
Consider the following piece of code[Note: read [x] as indirect through x to the heap.]
[y] := 4;
[z] := 5;
Guarantee([y] != [z])
Need to know locations are different.
– p. 5/22
Why Separation Logic?
Motivation
Consider the following piece of code[Note: read [x] as indirect through x to the heap.]
Assume(y != z)
[y] := 4;
[z] := 5;
Guarantee([y] != [z])
Need to know locations are different.• Add assertions?
– p. 5/22
Why Separation Logic?
Motivation
Consider the following piece of code[Note: read [x] as indirect through x to the heap.]
Assume([x] = 3)
Assume(y != z)
[y] := 4;
[z] := 5;
Guarantee([y] != [z])
Guarantee([x] = 3)
Need to know locations are different.• Add assertions?
We need to know when things stay the same but how?
– p. 5/22
Why Separation Logic?
Motivation
Consider the following piece of code[Note: read [x] as indirect through x to the heap.]
Assume([x] = 3 ∧ x != y ∧ x != z)
Assume(y != z)
[y] := 4;
[z] := 5;
Guarantee([y] != [z])
Guarantee([x] = 3)
Need to know locations are different.• Add assertions?
We need to know when things stay the same but how?
• Add assertions?
– p. 5/22
Framing
Motivation
We want a general concept of things not being affected.
{P}C{Q}{[x] = 3 ∧ P}C{Q ∧ [x] = 3}
– p. 6/22
Framing
Motivation
We want a general concept of things not being affected.
{P}C{Q}{R ∧ P}C{Q ∧ R}
What are the conditions on C and R?• Very hard to define if reasoning about a heap and aliasing
– p. 6/22
Framing
Motivation
We want a general concept of things not being affected.
{P}C{Q}{R ∧ P}C{Q ∧ R}
What are the conditions on C and R?• Very hard to define if reasoning about a heap and aliasing
This is where separation logic comes in
{P}C{Q}{R ∗ P}C{Q ∗ R}
Introduces new connective ∗ used to separate state.
– p. 6/22
Separation Logic
– p. 7/22
Syntax
Separation Logic
P,Q ::= false Logical false| P ∧ Q Classical conjunction| P ∨ Q Classical disjunction| P ⇒ Q Classical implication| P ∗ Q Separating conjunction| P −∗ Q Separating implication| E = E Expression value equality| E �→ E points to| empty empty heap| ∃x.P existential quantifier
We use E to range over integer expressions (E does not containindirection through the heap), x over variables and C over commands.
– p. 8/22
Semantics 1/2
Separation Logic
Assertions are given with respect to a heap, H, and stack, S.
S : Var → Int H : Loc ⇀ Int where Loc ⊆ Int
S,H |= false never satisfied
S,H |= P ∧ Q iff S,H |= P ∧ S,H |= Q
S,H |= P ∨ Q iff S,H |= P ∨ S,H |= Q
S,H |= P ⇒ Q iff S,H |= P ⇒ S,H |= Q
S,H |= E = E′ iff �E�S = �E′�S
S,H |= empty iff H = {}
We use �E�S to mean evaluation with respect to the stack, S.
– p. 9/22
Semantics 1/2
Separation Logic
Assertions are given with respect to a heap, H, and stack, S.
S : Var → Int H : Loc ⇀ Int where Loc ⊆ Int
S,H |= false never satisfied
S,H |= P ∧ Q iff S,H |= P ∧ S,H |= Q
S,H |= P ∨ Q iff S,H |= P ∨ S,H |= Q
S,H |= P ⇒ Q iff S,H |= P ⇒ S,H |= Q
S,H |= E = E′ iff �E�S = �E′�S
S,H |= empty iff H = {}
We use �E�S to mean evaluation with respect to the stack, S.
– p. 9/22
Semantics 1/2
Separation Logic
Assertions are given with respect to a heap, H, and stack, S.
S : Var → Int H : Loc ⇀ Int where Loc ⊆ Int
S,H |= false never satisfied
S,H |= P ∧ Q iff S,H |= P ∧ S,H |= Q
S,H |= P ∨ Q iff S,H |= P ∨ S,H |= Q
S,H |= P ⇒ Q iff S,H |= P ⇒ S,H |= Q
S,H |= E = E′ iff �E�S = �E′�S
S,H |= empty iff H = {}
We use �E�S to mean evaluation with respect to the stack, S.
– p. 9/22
Semantics 1/2
Separation Logic
Assertions are given with respect to a heap, H, and stack, S.
S : Var → Int H : Loc ⇀ Int where Loc ⊆ Int
S,H |= false never satisfied
S,H |= P ∧ Q iff S,H |= P ∧ S,H |= Q
S,H |= P ∨ Q iff S,H |= P ∨ S,H |= Q
S,H |= P ⇒ Q iff S,H |= P ⇒ S,H |= Q
S,H |= E = E′ iff �E�S = �E′�S
S,H |= empty iff H = {}
We use �E�S to mean evaluation with respect to the stack, S.
– p. 9/22
Semantics 1/2
Separation Logic
Assertions are given with respect to a heap, H, and stack, S.
S : Var → Int H : Loc ⇀ Int where Loc ⊆ Int
S,H |= false never satisfied
S,H |= P ∧ Q iff S,H |= P ∧ S,H |= Q
S,H |= P ∨ Q iff S,H |= P ∨ S,H |= Q
S,H |= P ⇒ Q iff S,H |= P ⇒ S,H |= Q
S,H |= E = E′ iff �E�S = �E′�S
S,H |= empty iff H = {}
We use �E�S to mean evaluation with respect to the stack, S.
– p. 9/22
Semantics 1/2
Separation Logic
Assertions are given with respect to a heap, H, and stack, S.
S : Var → Int H : Loc ⇀ Int where Loc ⊆ Int
S,H |= false never satisfied
S,H |= P ∧ Q iff S,H |= P ∧ S,H |= Q
S,H |= P ∨ Q iff S,H |= P ∨ S,H |= Q
S,H |= P ⇒ Q iff S,H |= P ⇒ S,H |= Q
S,H |= E = E′ iff �E�S = �E′�S
S,H |= empty iff H = {}
We use �E�S to mean evaluation with respect to the stack, S.
– p. 9/22
Semantics 2/2
Separation Logic
Now for more complicated semantics ;)
S,H |= E �→ E′
iff dom(H) = {�E�S} ∧ H(�E�S) = �E′�S
S,H |= P ∗ Q
iff ∃H1H2.(H1⊥H2) ∧ (H1 ◦ H2 = H) ∧ (S,H1 |= P ) ∧ (S,H2 |= Q)
S,H |= P −∗ Q
iff ∀H ′.(H⊥H ′) ∧ (S,H ′ |= P ) ⇒ S,H ◦ H ′ |= Q
where H⊥H ′ means disjoint domains,and H ◦ H ′ means disjoint function composition.
– p. 10/22
Semantics 2/2
Separation Logic
Now for more complicated semantics ;)
S,H |= E �→ E′
iff dom(H) = {�E�S} ∧ H(�E�S) = �E′�S
S,H |= P ∗ Q
iff ∃H1H2.(H1⊥H2) ∧ (H1 ◦ H2 = H) ∧ (S,H1 |= P ) ∧ (S,H2 |= Q)
S,H |= P −∗ Q
iff ∀H ′.(H⊥H ′) ∧ (S,H ′ |= P ) ⇒ S,H ◦ H ′ |= Q
where H⊥H ′ means disjoint domains,and H ◦ H ′ means disjoint function composition.
– p. 10/22
Semantics 2/2
Separation Logic
Now for more complicated semantics ;)
S,H |= E �→ E′
iff dom(H) = {�E�S} ∧ H(�E�S) = �E′�S
S,H |= P ∗ Q
iff ∃H1H2.(H1⊥H2) ∧ (H1 ◦ H2 = H) ∧ (S,H1 |= P ) ∧ (S,H2 |= Q)
S,H |= P −∗ Q
iff ∀H ′.(H⊥H ′) ∧ (S,H ′ |= P ) ⇒ S,H ◦ H ′ |= Q
where H⊥H ′ means disjoint domains,and H ◦ H ′ means disjoint function composition.
– p. 10/22
Example heaps
Separation Logic
Stack
Heap
X
44
Y
44
X
44
Y
A BA B
x �→ 4, 4 x �x ↪→ 4, 4 � �(x �→ 4, 4) ∗ (y �→ 4, 4) � x
(x �→ 4, 4) ∧ (y �→ 4, 4) x �(x ↪→ 4, 4) ∧ (y ↪→ 4, 4) � �
where(E �→ E0, . . . , En) def= (E �→ E0) ∗ (E + 1 �→ E1) ∗ . . . (E + n �→ En)
and E ↪→ E′ def= (E �→ E′) ∗ true
– p. 11/22
∧ versus ∗
Separation Logic
Similarities
P ∧ Q ⇔ Q ∧ P P ∗ Q ⇔ Q ∗ P
P ∧ true ⇔ P P ∗ empty ⇔ P
P ∧ (P ⇒ Q) ⇒ Q P ∗ (P −∗ Q) ⇒ Q
– p. 12/22
∧ versus ∗
Separation Logic
Similarities
P ∧ Q ⇔ Q ∧ P P ∗ Q ⇔ Q ∗ P
P ∧ true ⇔ P P ∗ empty ⇔ P
P ∧ (P ⇒ Q) ⇒ Q P ∗ (P −∗ Q) ⇒ Q
Differences
P ⇒ P ∧ P one ⇒ one ∗ one
P ∧ P ⇒ P one ∗ one ⇒ one
where onedef= ∃x, y.(x �→ y).
– p. 12/22
Commands
Separation Logic
S : Var → Int H : Loc ⇀ Int where Loc ⊆ Int
(S,H, [E] := E′) ⇓ error if �E�S /∈ dom(H)(S,H, [E] := E′) ⇓ (S, (H | l → �E′�S)) if �E�S = l ∈ dom(H)
(S,H, x := [E]) ⇓ error if �E�S /∈ dom(H)(S,H, x := [E]) ⇓ ((S | x → H(l)),H) if �E�S = l ∈ dom(H)
(S,H, dispose(E)) ⇓ error if �E�S /∈ dom(H)(S,H, dispose(E)) ⇓ (S,H − l) if �E�S = l ∈ dom(H)
(S,H, x := cons(E0, . . . , En)) ⇓((S | x → l), (H | l → �E0�S · · · l + n → �En�S)) if l, . . . , l + n /∈ dom(H)
We say that (S,H,C) is safe if (S,H,C) ⇓ error.
– p. 13/22
Small Axioms
Separation Logic
{E �→ _} [E] := E′ {E �→ E′}
{X = x ∧ (E �→ Y )} x := [E] {(E[X/x] �→ Y ) ∧ Y = x}
{E �→ _} dispose(E) {empty}
{empty} x := cons(E0, . . . , En) {(x �→ E0, . . . , En)}
We use E �→ _ as a shorthand for ∃x.E �→ x.
– p. 14/22
Frame Rule
Separation Logic
The most important rule
{P} C {Q}{P ∗ R} C {Q ∗ R}
where FV (R) ∩ modifies(C) = ∅.
– p. 15/22
Frame Rule
Separation Logic
The most important rule
{P} C {Q}{P ∗ R} C {Q ∗ R}
where FV (R) ∩ modifies(C) = ∅.
Why modifies?
modifies([E] := E′) = modifies(dispose(E)) = ∅modifies(x := [E]) = modifies(x := cons(E0, . . . , En)) = {x}
Otherwise
{(x �→ 4)} y := [x] {(x �→ 4) ∧ y = 4}{(x �→ 4) ∗ (y = 3)} y := [x] {((x �→ 4) ∧ y = 4) ∗ (y = 3)}
– p. 15/22
Frame Rule
Separation Logic
The most important rule
{P} C {Q}{P ∗ R} C {Q ∗ R}
where FV (R) ∩ modifies(C) = ∅.
The semantics of a triple, |= {P} C {Q}, is ∀S,H if (S,H |= P ), then(S,H,C) is safe and if (S,H,C) ⇓ (S′,H ′) then S′,H ′ |= Q
– p. 15/22
Frame Rule
Separation Logic
The most important rule
{P} C {Q}{P ∗ R} C {Q ∗ R}
where FV (R) ∩ modifies(C) = ∅.
The semantics of a triple, |= {P} C {Q}, is ∀S,H if (S,H |= P ), then(S,H,C) is safe and if (S,H,C) ⇓ (S′,H ′) then S′,H ′ |= Q
Tight interpretation!
– p. 15/22
Frame Rule
Separation Logic
The most important rule
{P} C {Q}{P ∗ R} C {Q ∗ R}
where FV (R) ∩ modifies(C) = ∅.
The semantics of a triple, |= {P} C {Q}, is ∀S,H if (S,H |= P ), then(S,H,C) is safe and if (S,H,C) ⇓ (S′,H ′) then S′,H ′ |= Q
Tight interpretation!Why safe? Otherwise
{true} [x] := 7 {true}{true ∗ (x �→ 4)} [x] := 7 {true ∗ (x �→ 4)}
– p. 15/22
Data types
Separation Logic
Consider binary trees
τdef= ε | (τ1, a, τ2)
– p. 16/22
Data types
Separation Logic
Consider binary trees
τdef= ε | (τ1, a, τ2)
We can give the definition of a binary tree predicate as
tree ε i ≡ empty ∧ i = nil
tree (τ1, a, τ2) i ≡ ∃j, k. (i �→ j, a, k) ∗ (tree τ1 j) ∗ (tree τ2 k)
– p. 16/22
Data types
Separation Logic
Consider binary trees
τdef= ε | (τ1, a, τ2)
We can give the definition of a binary tree predicate as
tree ε i ≡ empty ∧ i = nil
tree (τ1, a, τ2) i ≡ ∃j, k. (i �→ j, a, k) ∗ (tree τ1 j) ∗ (tree τ2 k)
Properties
(33 �→ 41, a, nil) ∗ (41 �→ nil, b, nil) =⇒ tree ((ε, b, ε), a, ε) 33tree τ i =⇒ (τ = ε) ⇔ empty ⇔ (i = nil)(tree _ i) ∧ (i = nil) =⇒ ∃j, k. (i �→ j, _, k) ∗ (tree _ j) ∗ (tree _ k)
– p. 16/22
Tree dispose
Separation Logic
{(tree _ p)}proc dispTree(p)
newvar i,jif p!=nil
i := [p];j := [p+2];dispTree(i);dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
endifendproc{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p)}proc dispTree(p)
newvar i,jif p!=nil
{(tree _ p) ∧ p = nil}i := [p];j := [p+2];dispTree(i);dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}endif
endproc{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];j := [p+2];dispTree(i);dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];j := [p+2];dispTree(i);dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}{∃i, j. (p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}
i := [p];j := [p+2];dispTree(i);dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}{∃i, j. (p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}{(p �→ i′) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i′) ∗ (tree _ j)}
i := [p]; {X = x ∧ (E �→ Y )} x := [E] {(E[X/x] �→ Y ) ∧ Y = x}j := [p+2];dispTree(i);dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}{∃i, j. (p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}{(p �→ i′) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i′) ∗ (tree _ j)}
{i = i ∧ (p �→ i′)}i := [p]; {X = x ∧ (E �→ Y )} x := [E] {(E[X/x] �→ Y ) ∧ Y = x}{(p �→ i′) ∧ i = i′}
j := [p+2];dispTree(i);dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}{∃i, j. (p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}{(p �→ i′) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i′) ∗ (tree _ j)}
{i = i ∧ (p �→ i′)}i := [p];{(p �→ i′) ∧ i = i′}
{(p �→ i) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i) ∗ (tree _ j)}j := [p+2];dispTree(i);dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];
{(p �→ i) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i) ∗ (tree _ j)}j := [p+2];dispTree(i);dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];
{(p �→ i) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i) ∗ (tree _ j)}j := [p+2];
{(p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}dispTree(i); {(tree _ p)} dispTree(p) {empty}dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];
{(p �→ i) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i) ∗ (tree _ j)}j := [p+2];
{(p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}{(tree _ i)}
dispTree(i); {(tree _ p)} dispTree(p) {empty}{empty}
dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];
{(p �→ i) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i) ∗ (tree _ j)}j := [p+2];
{(p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}{(tree _ i)}
dispTree(i); {(tree _ p)} dispTree(p) {empty}{empty}
{(p �→ i, _, j) ∗ empty ∗ (tree _ j)}dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];
{(p �→ i) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i) ∗ (tree _ j)}j := [p+2];
{(p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}{(tree _ i)}
dispTree(i);{empty}
{(p �→ i, _, j) ∗ empty ∗ (tree _ j)}{(p �→ i, _, j) ∗ (tree _ j)}
dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];
{(p �→ i) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i) ∗ (tree _ j)}j := [p+2];
{(p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}dispTree(i);
{(p �→ i, _, j) ∗ (tree _ j)}dispTree(j);dispose(p+2);dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];
{(p �→ i) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i) ∗ (tree _ j)}j := [p+2];
{(p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}dispTree(i);
{(p �→ i, _, j) ∗ (tree _ j)}dispTree(j);
{(p �→ i, _, j)}dispose(p+2); {E �→ _} dispose(E) {empty}dispose(p+1);dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];
{(p �→ i) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i) ∗ (tree _ j)}j := [p+2];
{(p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}dispTree(i);
{(p �→ i, _, j) ∗ (tree _ j)}dispTree(j);
{(p �→ i, _, j)}dispose(p+2);
{(p �→ i, _)}dispose(p+1); {E �→ _} dispose(E) {empty}dispose(p);
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];
{(p �→ i) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i) ∗ (tree _ j)}j := [p+2];
{(p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}dispTree(i);
{(p �→ i, _, j) ∗ (tree _ j)}dispTree(j);
{(p �→ i, _, j)}dispose(p+2);
{(p �→ i, _)}dispose(p+1);
{(p �→ i)}dispose(p); {E �→ _} dispose(E) {empty}
{empty}
– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];
{(p �→ i) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i) ∗ (tree _ j)}j := [p+2];
{(p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}dispTree(i);
{(p �→ i, _, j) ∗ (tree _ j)}dispTree(j);
{(p �→ i, _, j)}dispose(p+2);
{(p �→ i, _)}dispose(p+1);
{(p �→ i)}dispose(p);
{empty}
�– p. 17/22
Tree dispose
Separation Logic
{(tree _ p) ∧ p = nil}i := [p];
{(p �→ i) ∗ ∃j. (p + 1 �→ _, j) ∗ (tree _ i) ∗ (tree _ j)}j := [p+2];
{(p �→ i, _, j) ∗ (tree _ i) ∗ (tree _ j)}dispTree(i);
{(p �→ i, _, j) ∗ (tree _ j)}dispTree(j);
{(p �→ i, _, j)}dispose(p+2);
{(p �→ i, _)}dispose(p+1);
{(p �→ i)}dispose(p);
{empty}
Frame rule is key to the proof! �– p. 17/22
Data types
Separation Logic
Consider sequences of integers σdef= [] | a :: σ and the recursive formula
list [] i ≡ empty ∧ i = nil
list (a ::σ) i ≡ ∃j. (i �→ a, j) ∗ (list σ j)
This formula defines a linked list.
– p. 18/22
Data types
Separation Logic
Consider sequences of integers σdef= [] | a :: σ and the recursive formula
list [] i ≡ empty ∧ i = nil
list (a ::σ) i ≡ ∃j. (i �→ a, j) ∗ (list σ j)
This formula defines a linked list. We will also need list segments
lseg [] i k ≡ empty ∧ i = k
lseg (a ::σ) i k ≡ ∃j. (i �→ a, j) ∗ (list σ j k)
– p. 18/22
Data types
Separation Logic
Consider sequences of integers σdef= [] | a :: σ and the recursive formula
list [] i ≡ empty ∧ i = nil
list (a ::σ) i ≡ ∃j. (i �→ a, j) ∗ (list σ j)
This formula defines a linked list. We will also need list segments
lseg [] i k ≡ empty ∧ i = k
lseg (a ::σ) i k ≡ ∃j. (i �→ a, j) ∗ (list σ j k)
Properties
(33 �→ a, 41) ∗ (41 �→ b, 11) ⇐⇒ lseg [a :: b] 33 11list σ i ⇐⇒ lseg σ i nil
(lseg σ1 i j) ∗ (lseg σ2 j k) ⇒ lseg (σ1 :: σ2) i k
– p. 18/22
List append
Separation Logic
{(list σ1 x) ∗ (list σ2 y)}proc append(x,y)
newvar h,c,n;if x=nil then return y;h:= x;c:= x;n:= [c+1];while(n!=nil)
c:= n;n:= [c+1];
[c+1] := y;return h;
end proc{list (σ1 :: σ2) ret}
– p. 19/22
List append
Separation Logic
{(list σ1 x) ∗ (list σ2 y)}proc append(x,y)
newvar h,c,n;if x=nil then return y;
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}h:= x;c:= x;n:= [c+1];while(n!=nil)
c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
return h;end proc{list (σ1 :: σ2) ret}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}h:= x;c:= x;n:= [c+1];while(n!=nil)
c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;n:= [c+1];while(n!=nil)
c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}n:= [c+1];while(n!=nil)
c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}{(∃i. (c �→ a, i) ∗ (list σ′
1 i) ∧ σ1 = a :: σ′1 ∧ h = c) ∗ list σ2 y}
n:= [c+1];while(n!=nil)
c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}{(∃i. (c �→ a, i) ∗ (list σ′
1 i) ∧ σ1 = a :: σ′1 ∧ h = c) ∗ list σ2 y}
{((c �→ a, i) ∗ (list σ′1 i) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}n:= [c+1];while(n!=nil)
c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}{(∃i. (c �→ a, i) ∗ (list σ′
1 i) ∧ σ1 = a :: σ′1 ∧ h = c) ∗ list σ2 y}
{((c �→ a, i) ∗ (list σ′1 i) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}{c + 1 �→ i}n:= [c+1];{(c + 1 �→ i) ∧ i = n}
while(n!=nil)c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}{(∃i. (c �→ a, i) ∗ (list σ′
1 i) ∧ σ1 = a :: σ′1 ∧ h = c) ∗ list σ2 y}
{((c �→ a, i) ∗ (list σ′1 i) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}{c + 1 �→ i}n:= [c+1];{(c + 1 �→ i) ∧ i = n}
{((c �→ a, i) ∧ i = n) ∗ (list σ′1 i) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}while(n!=nil)
c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}{(∃i. (c �→ a, i) ∗ (list σ′
1 i) ∧ σ1 = a :: σ′1 ∧ h = c) ∗ list σ2 y}
{((c �→ a, i) ∗ (list σ′1 i) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}{c + 1 �→ i}n:= [c+1];{(c + 1 �→ i) ∧ i = n}
{((c �→ a, i) ∧ i = n) ∗ (list σ′1 i) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}{((c �→ a, n) ∗ (list σ′
1 n) ∧ σ1 = a :: σ′1 ∧ h = c) ∗ (list σ2 y)}
while(n!=nil)c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}n:= [c+1];
{((c �→ a, n) ∗ (list σ′1 n) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}while(n!=nil)
c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}n:= [c+1];
{((c �→ a, n) ∗ (list σ′1 n) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}
while(n!=nil)
{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}n:= [c+1];
{((c �→ a, n) ∗ (list σ′1 n) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}{((empty ∧ h = c) ∗ (c �→ a, n) ∗ (list σ′
1 n)∧ σ1 = a :: σ′
1
)∗ (list σ2 y)
}
while(n!=nil)
{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}n:= [c+1];
{((c �→ a, n) ∗ (list σ′1 n) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}{((lseg [] h c ∧ h = c) ∗ (c �→ a, n) ∗ (list σ′
1 n)∧ σ1 = a :: σ′
1
)∗ (list σ2 y)
}
while(n!=nil)
{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}n:= [c+1];
{((c �→ a, n) ∗ (list σ′1 n) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}{((lseg [] h c) ∗ (c �→ a, n) ∗ (list σ′
1 n)∧ σ1 = [] :: a :: σ′
1
)∗ (list σ2 y)
}
while(n!=nil)
{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}n:= [c+1];
{((c �→ a, n) ∗ (list σ′1 n) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}
while(n!=nil)
{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;n:= [c+1];
[c+1] := y;{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}n:= [c+1];
{((c �→ a, n) ∗ (list σ′1 n) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}
while(n!=nil)
{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;n:= [c+1];{(
(lseg σ′ h c) ∗ (c �→ a′, nil) ∧ (σ1 = σ′ :: a′))∗ (list σ2 y)
}[c+1] := y;
{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}n:= [c+1];
{((c �→ a, n) ∗ (list σ′1 n) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}
while(n!=nil)
{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;n:= [c+1];{(
(lseg σ′ h c) ∗ (c �→ a′, nil) ∧ (σ1 = σ′ :: a′))∗ (list σ2 y)
}[c+1] := y;{((lseg σ′ h c) ∗ (c �→ a′, y) ∧ (σ1 = σ′ :: a′)
)∗ (list σ2 y)
}{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
{((list σ1 x) ∧ x! = nil) ∗ (list σ2 y)}{((list (a :: σ′
1) x) ∧ σ1 = a :: σ′1) ∗ (list σ2 y)}
h:= x;c:= x;
{((list (a :: σ′1) c) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}n:= [c+1];
{((c �→ a, n) ∗ (list σ′1 n) ∧ σ1 = a :: σ′
1 ∧ h = c) ∗ (list σ2 y)}
while(n!=nil)
{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;n:= [c+1];{(
(lseg σ′ h c) ∗ (c �→ a′, nil) ∧ (σ1 = σ′ :: a′))∗ (list σ2 y)
}[c+1] := y;{((lseg σ′ h c) ∗ (c �→ a′, y) ∧ (σ1 = σ′ :: a′)
)∗ (list σ2 y)
}{(lseg σ1 h y) ∗ (list σ2 y)}{list (σ1 :: σ2) h}
– p. 19/22
List append
Separation Logic
while(n!=nil)
{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;n:= [c+1];
– p. 19/22
List append
Separation Logic
{n = nil ∧ ∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;n:= [c+1];{
∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}
– p. 19/22
List append
Separation Logic
{n = nil ∧ ∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;{
c = nil ∧ ∃σ′, a′, σ′′.
((lseg σ′ h c′) ∗ (c′ �→ a′, c) ∗ (list σ′′ c)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}
n:= [c+1];{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}
– p. 19/22
List append
Separation Logic
{n = nil ∧ ∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;{
c = nil ∧ ∃σ′, a′, σ′′.
((lseg σ′ h c′) ∗ (c′ �→ a′, c) ∗ (list σ′′ c)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}{
c = nil ∧ ∃σ′, σ′′.
((lseg σ′ h c) ∗ (list σ′′ c)
∧ (σ1 = σ′ :: σ′′)
)}
n:= [c+1];{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}
– p. 19/22
List append
Separation Logic
{n = nil ∧ ∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;{
c = nil ∧ ∃σ′, a′, σ′′.
((lseg σ′ h c′) ∗ (c′ �→ a′, c) ∗ (list σ′′ c)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}{
c = nil ∧ ∃σ′, σ′′.
((lseg σ′ h c) ∗ (list σ′′ c)
∧ (σ1 = σ′ :: σ′′)
)}{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n′) ∗ (list σ′′ n′)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}
n:= [c+1];{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}
– p. 19/22
List append
Separation Logic
{n = nil ∧ ∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}c:= n;{
c = nil ∧ ∃σ′, a′, σ′′.
((lseg σ′ h c′) ∗ (c′ �→ a′, c) ∗ (list σ′′ c)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}{
c = nil ∧ ∃σ′, σ′′.
((lseg σ′ h c) ∗ (list σ′′ c)
∧ (σ1 = σ′ :: σ′′)
)}{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n′) ∗ (list σ′′ n′)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}
n:= [c+1];{∃σ′, a′, σ′′.
((lseg σ′ h c) ∗ (c �→ a′, n) ∗ (list σ′′ n)
∧ (σ1 = σ′ :: a′ :: σ′′)
)}
�– p. 19/22
Weakest Preconditions
Separation Logic
Are small axioms and frame rule enough?
From small axiom
{E �→ _} [E] := E′ {E �→ E′}apply frame (E �→ E′) −∗ Q to obtain
{(E �→ _) ∗ ((E �→ E′) −∗ Q)
}[E] := E′ {(E �→ E′) ∗ ((E �→ E′) −∗ Q)
}then consequence, to get the weakest precondition
{(E �→ _) ∗ ((E �→ E′) −∗ Q)
}[E] := E′ {Q}
Weakest precondition: if {P} [E] := E′ {Q} holds,then P ⇒ (E �→ _) ∗ ((E �→ E′) −∗ Q).
– p. 20/22
Conclusions
Separation Logic
• Tight specifications• Dangling pointers• Local surgeries• Frame rule
– p. 21/22
References
Separation Logic
The references for this part of the course can all be found on:http://www.dcs.qmw.ac.uk/~ohearn/localreasoning.html
– p. 22/22