sep logic slide
TRANSCRIPT
Overview
• Introduction
• Applications
• Future work
Introduction
Hoare Logic Separation Logic
SL in a nutshell
• Extension of Hoare logic with Pointer
– low-level imperative programs
– shared mutable data structures
• Pointers are everywhere
– OS kernels
– network code
– C/C++,even ML has reference
– ...
Hoare Logic
• The Language: SPL C :: skip | x := a | c0; c1 | if b then c1 else c2 | while b do c • Hoare Triple: {P} C {Q}
How to prove the claims?
• Proof rule
• What does specification mean?
Program, Prdicates, and State
premise-1, premise-2,...
conclusion
Program,State and Predicate
• Consider a program with two varible:x, y
• The state of is determined by value of x and y, e.g. { x=0, y=1 }
State is a partial function mapping var to int
• Predicate
s |= P store s satisfies assertion P
Proof Rules for SPL { P } skip { P }
{ Q[e/x] } x:=e {Q}
{P} c1 {R} {R} c2 {Q}
{P} c1;c2{Q}
{Pb} c1 {Q} {P b} c2 {Q}
{P} if b then c1 else c2 {Q}
{ib} c {i}_______
{i} while b do c {ib}
P P’, {P’} c {Q’}, Q’ Q
{p} c {q}
Another form of assignment rule
{P} x:=e {Q} = P => Q[e/x]
This is more "general" than {Q[e/x]} x:= e {Q}
We can use pre-condition strengthening Rule to prove this form.
{P} c {Q}
{P} c {R}
Post-condition weakening Rule:
Likewise, pre-condition strengthening Rule
P Q R
{P} c {Q}, Q => R
{P} c {R}
c
P => R, {R} c {Q}
{P} c {Q}
Prove via weakest pre-condition
• { xy } tmp:=x; x:=y; y:=tmp { xy }
• Rule for SEQ requires you to come up with intermediate assertions
{ xy } tmp:=x{ ? }; x:=y{ ? }; y:=tmp { xy }
• What to fill?– Use Q[e/x] suggested by the ASG theorem
– Work in reverse direction.
– "Weakest pre-condition"(wp)
Weakest Pre-condiion
• W = wp(c,Q)
{P} c {Q} = P => wp(c, Q)
• Samples: all these pre-cond are weakest { y = 10 } x := 10 { y = x } { Q } skip { Q } { Q[e/x] } x := e { Q }
• Two properties of wp– Reachability: from any s |= W, after execution of c,the new
state s' |= Q – Maximality: if after execution of c, the new state s' |= Q,
then the formal state s |= W.
wp for SPL
wp(skip, Q) = Q wp((x := e),Q) = Q[e/x] wp((c1; c2), Q) = wp(c1, (wp(c2, Q))) wp((if g then c1 else c2), Q) = g ∧ wp(c1, Q) ∨ g ∧ wp(c2, Q) ...
Same as inference rule, determined by syntax and semantic
Proof via wp
• Wp calculation is fully syntax driven– No human intelligence needed – Can be automated
• Works, as long as we can calculate "wp"-not always possible
Possible solutions: • use necessary(not sufficient) pre-cond; • synthesis several candidate pre-conds for proc;• desugar into simpler IR(easy to model and anslysis) ...
Besides:• FOL may not be expressive enough to express wp over
arbitrary domains of computation.
Beyond pre/post condition
• When specifying the order of certain actions within a program is important:– E.g CSP
• When sequences of observable states through out the execution have to satisfy certain property– E.g. Temporal Logic(ITL, CTL..)
• When the environment cannot be fully trusted:– Logic of belief
Correct,sound and compelte
• Correctness: {P}c{Q} Part, c may not terminate Toal = Part + termination
• Soundness: Every provable formula is true. |- {P}c{Q} => |= {P}c{Q}• Completness: |= {P}c{Q} => |- {P}c{Q}
Usually rely on FOL, but may not be sound and complete.
Intro to SepLogic
{ y != z } C { *y != *z }
{ *x == 3 ∧ y != z } C {*y != *z ∧ *x == 3 }
• Framing problem.
• What are the conditions on aliasing btwn x, y, z ?
Let C be: *y = 1, *z = 2, and suppose x is alias of y.
Then the above assertion is wrong.
Framing problem
• What are the conditions on C and R?– in presence of aliasing and heap
• Separation logic introduces new connective ∗
{ P } C {Q}
{ R ∧ P } C { Q ∧ R }
{ P } C {Q}
{ R ∗ P } C { Q ∗ R }
Syntax Assertion Name
false Logical false
P ∧ Q Classical conjunction
P ∨ Q Classical disjunction
P ⇒ Q Classical implication
P ∗ Q Separating conjunction
P −∗ Q Separating implication
E -> E Points to
emp Empty heap
∃x. P Existential quantifier
E = E Expression value equality
Semantics: notions
• Assertions are evaluated w.r.t. a state
• State is store and heap
– S : Var ⇀ Int
– H : Loc ⇀ Int where Loc ⊆ Int
• Notations
– disjoint domains: dom(H1) dom(H2) – composition: H = H1 ◦ H2
– evaluation: ßEàS Int– update: S[x:i]
• S,H |= P, the state satisfies spec P
Semantics
Relation Definition
S,H |= false Never satisfied
S,H |= P ∧ Q S,H |= P ∧ S,H |= Q
S,H |= P ∨ Q S,H |= P ∨ S,H |= Q
S,H |= P ⇒ Q S,H |= P ⇒ S,H |= Q
S,H |= P ∗ Q ∃H1,H2.dom(H1) dom(H2) ∧ H1 ◦ H2 = H ∧ S,H1 |= P ∧ S,H2 |= Q
S,H |= P −∗ Q ∀H′. (dom(H) dom(H’) ∧ S,H′ |= P) ⇒ S,H◦H′ |= Q
S,H |= E1 -> E2 dom(H) = {ßE1àS} ∧ H( ßE1àS )= ßE2àS
S,H |= emp H = {}
S,H |= ∃x.P i Int . S[x:i],H |= P
S,H |= E1 = E2 ßE1àS = ßE2àS
what's newS,H |= E1 -> E2S,H |= emp
S,H |= P ∗ Q the heap H can be divided in two so that P is trueof one partition and Q of the other
S,H |= P −∗ Q asserts that extending H with a disjoint part H' that satisfieds P results in a new heap satisfying Q
P * Q expressing separation nicely P -* Q structural assume/guarantee
Note: in program analysis/verification, usually use proof system without -*.
• E -> E1,E2,..,En E -> E1 ∗ E+1 -> E2 ∗ ... ∗ E+(n-1) -> En
• E -> _ ∃x. E -> x
Shorthands
10 11
43
12
7 x ->3,4,7 S = [x:10]H = [10:3,11:4,12:7]
|=
x
Examples
x -> 4,3
x -> 4,3 * true
x -> 4,3 ∗ y -> 4,3
x -> 4,3 ∧ y -> 4,3
34
x
34
y
34
xy
Inductive Definitions• Describe invariants of recursive data-structure
– Trees– List Segments– Doubly-linked list segments– Cyclic lists– List of cyclic doubly linked lists– ...
• Reasoning about mutable objects
Additional Rules for SepLogic
• Frame Rule
• Pointer Assign
{e -> x} [e] := f {e -> f}
• Dispose
{e -> x} dispose e {emp}
• Alloc
{e = v'∧emp} e := new(v) {e -> v}
• deref(fetch)
{e = v'∧f -> v} e := [f] {e = v∧f -> v}
Note: in order distinguish with *, we do not use C-style "*" or "@"..
The Frame Rule
• Side condition: no variable modified by c appears free in R
• Enalbes local reasoning: programs that
execute correctly in a small state (|= P) also
execute correctly in a bigger state (|= R * P)
{ P } c {Q}
{ R ∗ P } c { Q ∗ R }c
P
Q
R
R
On the complexity of SL
• Full SL with FO quantification is undecidable– even without * and -* [calcagno et al, FSTTCS 01]
– even with a unique selector[Brochenin et al, CSL 08]
• Model-checking, satisfiability and validity for SL are PSPACE-complete
– PSPACE-hardness from[CYOH, FSTTCS 01]
– Upper bound without arithmetics can be also obtained by translation into a “separation-free” version [Lozes, PhD 04]
Applications
Program Analysis Verified SoftwareAxiomatic Semantic ...
Program Analysis
• Smallfoot(London)
• Space Invader(London)
• Slayer(Microsoft)
• Hip + Sleek(Singapore)
• JStar(Cambridge)
• SmallfootRG(Cambridge)
• Thor(CMU)
Case Study: Infer
• Heap-Hop(Paris, London)
• HTT + Ynot(Harvard)
• Holfoot(Cambridge)
• Verifier(Tokyo)
• ...
Infer
Name Lines Time
Infer
warning/error
InferFindbugs
junit 26463 5m9s 2m5s 16 221
Findbugs
jieba 1012 1m5s 52s 0 18
pysonar2 9311 2m38s 4m45s 12 302
Infer:Linux3.19.0-25-generic#26-UbuntuSMPLinux
CPUMhZ:2094.702Memtotal:1716644Kb
History
• Local Reasoning about Programs that Alter Data Structures, CSL 01
• Smallfoot: Modular Automatic Assertion Checking with Separation Logic, FMCO 05
• Symbolic Execution with Separation Logic, APLAS 05• Footprint analysis: A shape analysis that
discovers preconditions, SAS 07(intraproc..)• A local shape analysis based on separation logic,
CAV 08(Spaceinvader)• Compositional Shape Analysis by Means of Bi-
Abduction, POPL 09(Spaceinvader-Abductor)• Moving Fast with Software Verification(Infer)
Step I: Smallfoot v0.1
• Based on SL and symbolic execution
• A decidable proof theory for symbolic heaps
• Hard-coded inductive predicates for C-like toy language
• Implementation: about 4k lines of Ocaml
http://www.dcs.qmul.ac.uk/research/logic/theory/projects/smallfoot
Automatic Reasoning with Hoare Logic
• User provides annotations(formulae) for pre- and post- conditions of procedure and loop invariants
• Verification condition generator
• Validity checker(for weakest precondition)
Example
• Formulae or constraint: {P}c{Q}
• Verification condition: P => wp(c, Q)
• Check: s,h.s,h |= P => wp(c, Q)
How to check?
Tool• Interactive theorem prover(Coq, Isabelle..)?• Complete automatic decision procedure?• ...
Goal• Safety properties(pointer errors, memory leaks,
etc) • Full functional correctness
Theory• Use decidable fragement(Full SL is undecidable)
– Decidable Logic
Automatic
Expressive
Decidable Logics:Strand, LISBQ, CSL, etc.
Expressive Logics:Separation logics, HOL,
Matching logic, etc.
Back to the Future: revisiting...using SMT Solvers.
The Fragment of Assertion
Assertions A of symbolic heaps(pure parts and heap parts).
A ::= (P ∧ ... ∧ P) ; (S ∗ ... ∗ S)
E ::= x | nil | E ∧ E
P ::= E=E | E ES ::= E -> E1...En | tree(E) | ls(E, E) | ...
ls(E,F) <=> if E=F then emp else x. E->x * ls(x, F)
tree(E) <=> if E=nil then emp else x,y. E->x,y * tree(x) * tree(y)
Constraints Geneartion
From S1 *...* Sn to constraints of form:
(E1F1∧...∧EkFk) => P
E.g, from ls(x,y) * ls(z,w) generate:
x y => x nil z w => z nil (x y ∧ z w) => x z
Entailments Between Symbolic Heaps
Terminating proof theory for entailments A |- A'
Normalization Rules
• recognize inconsistency
• get rid of equalities via substitution
• Perform case analysis using a form of excluded middle
• ...
Step II: SpaceInvader v1.1
• Compositional shape analysis via Bi-Abduction
• Implementation: ~3.9w lines
Bi-Abductive Resource Invariant Synthesis, APLAS 09
Compositional Shape Analysis by means of BI-Abduction, POPL 09
..
http://www0.cs.ucl.ac.uk/staff/p.ohearn/Invader/Invader/Invader_Home.html
Overview
• Frame Inference: A |- B * F, allows an analyzer to use small specs
• Abduction Inference: A * M |- B, helps to synthesize small specs
• Bi-abduction: A * M |- B * F In interprocedural analysis, usually: A is an assertion at the call site, and B is a precondition from callee’s spec
Frame Inference
{list(l1) * list(l2)} Dispose(l1); Dispose(l2);
• To use the Frame Rule we must first compute R• Frame Inference: give A and B, compute X such that A |- B*X
Example: list(l1)*list(l2) |- list(l1)*list(l2)
{ P } c {Q}
{ R ∗ P } c { Q ∗ R }
Abduction Inference
lst_nd* p(lst_nd *y) { //1: suppose SH is emp lst_nd * x;
x = malloc(sizeof(lst_nd)); x -> tail = 0;
merge(x, y);
return(x);
}
void merge(lst_nd *x, lst_nd *y) {
//Given Pre: list(x) * list(y)
} //Given Post: list(x)
Abduction Inference
lst_nd* p(lst_nd *y) { lst_nd * x;
x = malloc(sizeof(lst_nd)); x -> tail = 0;
// 2.after above, we get A = x->0
merge(x, y);
return(x);
}
void merge(lst_nd *x, lst_nd *y) {
//Given Pre: list(x) * list(y)
} //Given Post: list(x)
Abduction Inference
lst_nd* p(lst_nd *y) { lst_nd * x; x = malloc(sizeof(lst_nd)); x -> tail = 0; merge(x, y); return(x); } void merge(lst_nd *x, lst_nd *y) { //Given Pre: list(x) * list(y) } //Given Post: list(x) Assertion at call site: x->0 Pre from callee’s spec: list(x) * list(y) Then we infer list(y) is missing. We should start with list(y) rather then emp!
Proof Rules for Abduction Inference
Bi-Abduction Inference
BiAbd(A, B) = M := Abduce(A, B*true); F := Frame(A*M, B); return (M, F)
Abduce() is given by abduction inference rules.
BiAbd(A, B) = (M, F) ⇒ A * M |- B * F
Compostional Shape Analysis
Construct spec table for every proc.
Suppose the procs return a single value and do not access global variables
(later to discuss missing part b and A..
Semantic of function call• H is current heap(and assertion at call site)
• Callee's spec will not change(generate new set R)
Shape analysis
Analyze level by level:
if f is in Proc_i and f calls g
then g belongs to Proc_j for some j <= i
Two abstract runs(InferPre, InferSpec)
InferPre• To infer the precondition of f in Proc_k
• T_in: computed spec(from lower level of Proc)
InferSpec
• Calculate post-cond calculation from give pre-cond, and filter unsafe pre-cond
Underlying Shape Analysis
The "missing parts"
The semantic of commands: using 3 functions
Rearr, Exec, Abs
Rearrangement: put e in the proper form for an rule to fire
Execution: symbolically executes the atomic command in the rearranged heap Abstraction
Note: more about rearr, exec, abs, refer to:A local shape analysis based on separation logic, TACAS 06
The abstract transfer function
Verified Software
• A formal-verified C static analyzer, POPL 15
• Compositional CompCert, POPL 15
• Verified Correctness and Security of OpenSSL HMAC, USENIX Security 15.
• Mostly-automated verification of low-level programs in computational separation logic, PLDI 11
• ...
Case study: the verified C static analyzer
http://compcert.inria.fr/verasco/
The Verasco Project
• Develop and verify in Coq a realistic static analyzer by abstract interpretation
• Integration with CompCert
Modular architecture
Future Extension
• Numerical abstract domains
• Better handling of control-flow(e.g. support recursion..)
• Memory absbract domains
(e.g. C union, dynamic allocation, shape analysis..)
To be continued ...
Axiomatic semantic for PL To handler diferrent programming languages features:
• Separation logic and abstraction Parkinson and Bierman. POPL’05
• Separation Logic, Abstraction, and Inheritance Parkinson, Bierman. POPL'08
• Towards a program logic for JavaScript. Gardner, Maffeis, and Smith. POPL'12• ...
SL for OO language; Coucurrent SL; Higher order Store for SL; ...
Concurrent SL(CSL) [O'hearn 04]
• Key Ideas:
Threads can only access disjoint resources at the same time.
SL for Object-Orientation
• OO languages are popular and widely used
• Reasoning about OO programs is challengin – shared mutable state
– inheritance(i.e subtyping and method overriding..
Extend the memory model
s, h, d |= P• s: Variable -> ObjectID ∪ Integer
• h: ObjectID × FieldName -> ObjectID ∪ Integer
• d: ObjectID -> ClassNames
To be continued...
Higher Order Store
Stores that may contain procedures.
An observationally complete program logic for imperative higher-order functions, LICS 05
A Simple Model of Separation Logic for Higher-order Store,ICALP 08
Nested Hoare triples and frame rules for higher-order store, CSL 09 ...
Future workRelationship between SL and higher order type system(e.g. dependent type, HoTT..?)
Relationship between SL and traditional alias analysis?
Distributed compositional shape analysis?..
....