tutorial on separation logic - ucl
TRANSCRIPT
![Page 1: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/1.jpg)
Tutorial on Separation Logic
Peter O’Hearn
Queen Mary, University of London
CAV TutorialPrinceton, July 2008
![Page 2: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/2.jpg)
Outline
I Part I : Fluency, Examples
I Part II : Model Theory
I Part III : Proof Theory
2
![Page 3: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/3.jpg)
Some Context
I 2000’s: impressive practical advances in automatic programverification E.g.
I SLAM: Protocol properties of procedure calls in device drivers, e.g.any call to ReleaseSpinLock is preceded by a call toAquireSpinLock
I ASTREE: no run-time errors in Airbus code
I The Missing LinkI ASTREE assumes: no dynamic pointer allocationI SLAM assumes: memory safetyI Wither automatic heap verification? (for substantial programs)
I Many important programs make serious use of heap: Linux, Apache,TCP/IP, IOS... but heap verification is hard.
I In some (distant?) future: automatically crash-proof Apache,OpenSSL...
I a possible motivation, not the motivation for separation logic
3
![Page 4: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/4.jpg)
Some Context
I 2000’s: impressive practical advances in automatic programverification E.g.
I SLAM: Protocol properties of procedure calls in device drivers, e.g.any call to ReleaseSpinLock is preceded by a call toAquireSpinLock
I ASTREE: no run-time errors in Airbus code
I The Missing LinkI ASTREE assumes: no dynamic pointer allocationI SLAM assumes: memory safetyI Wither automatic heap verification? (for substantial programs)
I Many important programs make serious use of heap: Linux, Apache,TCP/IP, IOS... but heap verification is hard.
I In some (distant?) future: automatically crash-proof Apache,OpenSSL...
I a possible motivation, not the motivation for separation logic
3
![Page 5: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/5.jpg)
Some Context
I 2000’s: impressive practical advances in automatic programverification E.g.
I SLAM: Protocol properties of procedure calls in device drivers, e.g.any call to ReleaseSpinLock is preceded by a call toAquireSpinLock
I ASTREE: no run-time errors in Airbus code
I The Missing LinkI ASTREE assumes: no dynamic pointer allocationI SLAM assumes: memory safetyI Wither automatic heap verification? (for substantial programs)
I Many important programs make serious use of heap: Linux, Apache,TCP/IP, IOS... but heap verification is hard.
I In some (distant?) future: automatically crash-proof Apache,OpenSSL...
I a possible motivation, not the motivation for separation logic
3
![Page 6: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/6.jpg)
Some Context
I 2000’s: impressive practical advances in automatic programverification E.g.
I SLAM: Protocol properties of procedure calls in device drivers, e.g.any call to ReleaseSpinLock is preceded by a call toAquireSpinLock
I ASTREE: no run-time errors in Airbus code
I The Missing LinkI ASTREE assumes: no dynamic pointer allocationI SLAM assumes: memory safetyI Wither automatic heap verification? (for substantial programs)
I Many important programs make serious use of heap: Linux, Apache,TCP/IP, IOS... but heap verification is hard.
I In some (distant?) future: automatically crash-proof Apache,OpenSSL...
I a possible motivation, not the motivation for separation logic
3
![Page 7: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/7.jpg)
Some Context
I 2000’s: impressive practical advances in automatic programverification E.g.
I SLAM: Protocol properties of procedure calls in device drivers, e.g.any call to ReleaseSpinLock is preceded by a call toAquireSpinLock
I ASTREE: no run-time errors in Airbus code
I The Missing LinkI ASTREE assumes: no dynamic pointer allocationI SLAM assumes: memory safetyI Wither automatic heap verification? (for substantial programs)
I Many important programs make serious use of heap: Linux, Apache,TCP/IP, IOS... but heap verification is hard.
I In some (distant?) future: automatically crash-proof Apache,OpenSSL...
I a possible motivation, not the motivation for separation logic
3
![Page 8: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/8.jpg)
Outline
I Part I : Fluency, Examples
I Part II : Model Theory
I Part III : Proof Theory
4
![Page 9: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/9.jpg)
Part I
Fluency, Examples
Sources
I O’Hearn-Reynolds-Yang, CSL’01: Local reasoning about programsthat alter data structures
I Reynolds, LICS’02: Separation Logic: A logic for shared mutable datastructure.
I Hoarefest’00 paper of Reynolds, POPL’01 paper of Ishtiaq-O’Hearn,BSL’99 paper of O’Hearn-Pym, MI’72 paper of Burstall
5
![Page 10: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/10.jpg)
Separation Logic
x|->y * y|-> x
x y
6
![Page 11: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/11.jpg)
Separation Logic
x|->y * y|-> x
x y
7
![Page 12: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/12.jpg)
Separation Logic
x|->y
x y
8
![Page 13: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/13.jpg)
Separation Logic
y|-> x
x y
9
![Page 14: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/14.jpg)
Separation Logic
x|->y * y|-> x
x y
10
![Page 15: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/15.jpg)
Separation Logic
x|->y * y|-> x
x y
x=10
y=4242
10 42
10
11
![Page 16: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/16.jpg)
Separation Logic
x|->y * y|-> x
x y
x=10
y=4242
10 42
10
12
![Page 17: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/17.jpg)
Separation Logic
x|->y
x y
x=10
y=4242
10
13
![Page 18: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/18.jpg)
Separation Logic
y|-> x
x y
x=10
y=42
42
10
14
![Page 19: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/19.jpg)
Separation Logic
x|->y * y|-> x
x y
15
![Page 20: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/20.jpg)
Heaplets (heap portions) as possible worlds (i.e., a kind ofmodal logic)
I Add to Classical Logic:I emp : “the heaplet is empty”I x 7→ y : “the heaplet has exactly one cell x , holding y”I A ∗ B : “the heaplet can be divided so A is true of one partition and B
of the other”.
I Add inductive definitions , and other more exotic things (“magicwand”, “septraction” ) as well.
I Standard model: RAM model
heap : N ⇀f Z
and lots of variations (records, permissions, ownership... more later).
16
![Page 21: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/21.jpg)
Heaplets (heap portions) as possible worlds (i.e., a kind ofmodal logic)
I Add to Classical Logic:I emp : “the heaplet is empty”I x 7→ y : “the heaplet has exactly one cell x , holding y”I A ∗ B : “the heaplet can be divided so A is true of one partition and B
of the other”.
I Add inductive definitions , and other more exotic things (“magicwand”, “septraction” ) as well.
I Standard model: RAM model
heap : N ⇀f Z
and lots of variations (records, permissions, ownership... more later).
16
![Page 22: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/22.jpg)
Heaplets (heap portions) as possible worlds (i.e., a kind ofmodal logic)
I Add to Classical Logic:I emp : “the heaplet is empty”I x 7→ y : “the heaplet has exactly one cell x , holding y”I A ∗ B : “the heaplet can be divided so A is true of one partition and B
of the other”.
I Add inductive definitions , and other more exotic things (“magicwand”, “septraction” ) as well.
I Standard model: RAM model
heap : N ⇀f Z
and lots of variations (records, permissions, ownership... more later).
16
![Page 23: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/23.jpg)
A Substructural Logic
A 6` A∗A
10 7→ 3 6` 10 7→ 3 ∗ 10 7→ 3
A∗B 6` A
10 7→ 3 ∗ 42 7→ 5 6` 10 7→ 3
17
![Page 24: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/24.jpg)
An inconsistency: trying to be two places at once
10|->3 * 10|->3
10 10
18
![Page 25: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/25.jpg)
In-place Reasoning
{(x 7→ –) ∗ P} [x ]:= 7 {(x 7→ 7) ∗ P}
19
![Page 26: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/26.jpg)
In-place Reasoning
{(x 7→ –) ∗ P} [x ]:= 7 {(x 7→ 7) ∗ P}
{true} [x ]:= 7 {??}
19
![Page 27: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/27.jpg)
In-place Reasoning
{(x 7→ –) ∗ P} [x ]:= 7 {(x 7→ 7) ∗ P}
{true} [x ]:= 7 {??}
{P ∗ (x 7→ –) } dispose(x) {P}
19
![Page 28: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/28.jpg)
In-place Reasoning
{(x 7→ –) ∗ P} [x ]:= 7 {(x 7→ 7) ∗ P}
{true} [x ]:= 7 {??}
{P ∗ (x 7→ –) } dispose(x) {P}
{true} dispose(x) {??}
19
![Page 29: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/29.jpg)
In-place Reasoning
{(x 7→ –) ∗ P} [x ]:= 7 {(x 7→ 7) ∗ P}
{true} [x ]:= 7 {??}
{P ∗ (x 7→ –) } dispose(x) {P}
{true} dispose(x) {??}
{P} x = cons(a, b) {P ∗ (x 7→ a, b)} (x 6∈ free(P))
19
![Page 30: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/30.jpg)
Linked ListsList segments (list(E ) is shorthand for lseg(E , nil) )
lseg(E ,F ) ⇐⇒ if E = F then emp
else ∃y .E 7→tl : y ∗ lseg(y ,F )
lseg(x , y) ∗ lseg(y , x)
x
y
20
![Page 31: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/31.jpg)
Linked ListsList segments (list(E ) is shorthand for lseg(E , nil) )
lseg(E ,F ) ⇐⇒ if E = F then emp
else ∃y .E 7→tl : y ∗ lseg(y ,F )
lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y)
x t y
20
![Page 32: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/32.jpg)
Linked ListsList segments (list(E ) is shorthand for lseg(E , nil) )
lseg(E ,F ) ⇐⇒ if E = F then emp
else ∃y .E 7→tl : y ∗ lseg(y ,F )
Entailment lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x)
x t y
20
![Page 33: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/33.jpg)
Linked ListsList segments (list(E ) is shorthand for lseg(E , nil) )
lseg(E ,F ) ⇐⇒ if E = F then emp
else ∃y .E 7→tl : y ∗ lseg(y ,F )
Non-Entailment lseg(x , t) ∗ t 7→nil ∗ list(y) 6` list(x)
x t y
20
![Page 34: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/34.jpg)
In-place reasoning and Inductive Definitions
Example Inductive Definition:
tree(E ) ⇐⇒ if E=nil then emp
else ∃x , y . (E 7→l : x , r : y) ∗ tree(x) ∗ tree(y)
Example Proof:
{tree(p) ∧ p 6= nil}
i := p→ l ; j := p→ r ;
dispose(p);
{ tree(i) ∗ tree(j)}
21
![Page 35: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/35.jpg)
In-place reasoning and Inductive Definitions
Example Inductive Definition:
tree(E ) ⇐⇒ if E=nil then emp
else ∃x , y . (E 7→l : x , r : y) ∗ tree(x) ∗ tree(y)
Example Proof:
{tree(p) ∧ p 6= nil}{(p 7→l : x ′, r : y ′) ∗ tree(x ′) ∗ tree(y ′)}i := p→ l ; j := p→ r ;
dispose(p);
{ tree(i) ∗ tree(j)}
21
![Page 36: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/36.jpg)
In-place reasoning and Inductive Definitions
Example Inductive Definition:
tree(E ) ⇐⇒ if E=nil then emp
else ∃x , y . (E 7→l : x , r : y) ∗ tree(x) ∗ tree(y)
Example Proof:
{tree(p) ∧ p 6= nil}{(p 7→l : x ′, r : y ′) ∗ tree(x ′) ∗ tree(y ′)}i := p→ l ; j := p→ r ;{(p 7→l : i , r : j) ∗ tree(i) ∗ tree(j)}dispose(p);
{ tree(i) ∗ tree(j)}
21
![Page 37: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/37.jpg)
In-place reasoning and Inductive Definitions
Example Inductive Definition:
tree(E ) ⇐⇒ if E=nil then emp
else ∃x , y . (E 7→l : x , r : y) ∗ tree(x) ∗ tree(y)
Example Proof:
{tree(p) ∧ p 6= nil}{(p 7→l : x ′, r : y ′) ∗ tree(x ′) ∗ tree(y ′)}i := p→ l ; j := p→ r ;{(p 7→l : i , r : j) ∗ tree(i) ∗ tree(j)}dispose(p);{emp ∗ tree(i) ∗ tree(j)}{ tree(i) ∗ tree(j)}
21
![Page 38: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/38.jpg)
Extended In-place Reasoning
I Spec{tree(p)} DispTree(p) {emp}
I Rest of proof of evident recursive procedure
{tree(i)∗tree(j)}DispTree(i);{emp ∗ tree(j)}DispTree(j);
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
22
![Page 39: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/39.jpg)
Extended In-place Reasoning
I Spec{tree(p)} DispTree(p) {emp}
I Rest of proof of evident recursive procedure
{tree(i)∗tree(j)}DispTree(i);{emp ∗ tree(j)}DispTree(j);
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
22
![Page 40: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/40.jpg)
Extended In-place Reasoning
I Spec{tree(p)} DispTree(p) {emp}
I Rest of proof of evident recursive procedure
{tree(i)∗tree(j)}DispTree(i);{emp ∗ tree(j)}DispTree(j);{emp ∗ emp}
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
22
![Page 41: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/41.jpg)
Extended In-place Reasoning
I Spec{tree(p)} DispTree(p) {emp}
I Rest of proof of evident recursive procedure
{tree(i)∗tree(j)}DispTree(i);{emp ∗ tree(j)}DispTree(j);{emp}
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
22
![Page 42: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/42.jpg)
Back in the day...(before Sep Logic)
I procedure DispTree(p)local i , j ;if p 6=nil then
i = p�l ; j := p�r ;DispTree(i);DispTree(j);dispose(p)
23
![Page 43: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/43.jpg)
Back in the day...(before Sep Logic)
II procedure DispTree(p)local i , j ;if p 6=nil then
i = p�l ; j := p�r ;DispTree(i);DispTree(j);dispose(p)
I An Unhappy Attempt to Specify
{tree(p) ∧ reach(p, n)}DispTree(p){¬allocated(n)}
23
![Page 44: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/44.jpg)
Back in the day...(before Sep Logic)
I procedure DispTree(p)local i , j ;if p 6=nil then
i = p�l ; j := p�r ;DispTree(i);DispTree(j);dispose(p)
I An Unfortunate Fix
{tree(p) ∧ reach(p, n)∧¬reach(p,m) ∧ allocated(m) ∧m.f = m′ ∧ ¬allocated(q)}DispTree(p){¬allocated(n)∧¬reach(p,m) ∧ allocated(m) ∧m.f = m′ ∧ ¬allocated(q)}
23
![Page 45: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/45.jpg)
Back in the day...(before Sep Logic)
I An unhappy proof
24
![Page 46: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/46.jpg)
Extended In-place Reasoning
I Spec{tree(p)} DispTree(p) {emp}
I Rest of proof of evident recursive procedure
{tree(i)∗tree(j)}DispTree(i);{emp ∗ tree(j)}DispTree(j);{emp}
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
25
![Page 47: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/47.jpg)
Main Points
I ∗ lets you do in-place reasoning
I ∗ interacts well with inductive definitions
I powerful way to avoid writing frame axioms
I Pre/post specs tied to footprint (describe “local surgeries”)
26
![Page 48: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/48.jpg)
Main Points
I ∗ lets you do in-place reasoning
I ∗ interacts well with inductive definitions
I powerful way to avoid writing frame axioms
I Pre/post specs tied to footprint (describe “local surgeries”)
26
![Page 49: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/49.jpg)
A Bit of Concurrency
{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 ‖ C2{Q1 ∗ Q2}
Prog ::= x :=E | x := [E ] | [E ]:=F
| x := cons(E1, . . . .,En) | dispose(E )
| skip | C ;C | if B then C else C
| while B do C
| C ‖ C
27
![Page 50: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/50.jpg)
A Bit of Concurrency
{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 ‖ C2{Q1 ∗ Q2}
We can’t prove racy programs like
{10 7→ –}[10]:= 42 ‖ [10]:= 6
{??}
27
![Page 51: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/51.jpg)
A Bit of Concurrency
{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 ‖ C2{Q1 ∗ Q2}
We can’t prove racy programs like
{10 7→ –}[10]:= 42 ‖ [10]:= 6
{??}
We cannot send 10 to both processes in their preconditions, since
(10 7→ –) ∗ (10 7→ –)
is false. But...
27
![Page 52: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/52.jpg)
A Bit of Concurrency
{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 ‖ C2{Q1 ∗ Q2}
Preconditions can pick out race-free start-states, when they exist:
{x 7→ 3} {y 7→ 3}[x ]:= 4 ‖ [y ]:= 5{x 7→ 4} {y 7→ 5}
27
![Page 53: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/53.jpg)
A Bit of Concurrency
{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 ‖ C2{Q1 ∗ Q2}
Preconditions can pick out race-free start-states, when they exist:
{x 7→ 3 ∗ y 7→ 3}{x 7→ 3} {y 7→ 3}[x ]:= 4 ‖ [y ]:= 5{x 7→ 4} {y 7→ 5}
{x 7→ 4 ∗ y 7→ 5}
That ‘proof figure” is an annotation form for
{x 7→ 3} [x ]:= 4 {x 7→ 4} {y 7→ 3} [y ]:= 5 {y 7→ 5}
{x 7→ 3 ∗ y 7→ 3} [x ]:= 4 ‖ [y ]:= 5 {x 7→ 4 ∗ y 7→ 5}27
![Page 54: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/54.jpg)
Racy programs and phantom blocks
I Brookes’s theorem: proven programs are race free
I To deal with racy programs, need to be explicit about granularity:
(with phantom do [10]:= 3) ‖ (with phantom do [10]:= 42)
28
![Page 55: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/55.jpg)
Racy programs and phantom blocks
I Brookes’s theorem: proven programs are race free
I To deal with racy programs, need to be explicit about granularity:
(with phantom do [10]:= 3) ‖ (with phantom do [10]:= 42)
28
![Page 56: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/56.jpg)
Example: Parallel Mergesort
{array(a, i , j)}procedure ms(a, i , j)newvar m:= (i + j)/2;if i < j then(
ms(a, i ,m) ‖ ms(a,m + 1, j));
merge(a, i ,m + 1, j);{sorted(a, i , j)}
I
29
![Page 57: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/57.jpg)
Example: Parallel Mergesort
{array(a, i , j)}procedure ms(a, i , j)newvar m:= (i + j)/2;if i < j then(
ms(a, i ,m) ‖ ms(a,m + 1, j));
merge(a, i ,m + 1, j);{sorted(a, i , j)}
I Can’t prove with disjoint concurrency rule
{P}C{Q} {P ′}C ′{Q ′}{P ∧ P ′}C ‖ C ′{Q ∧ Q ′}
where C does not modify any variables free in P ′,C ′,Q ′, andconversely. Because: Hoare logic treats an assignment to an arraycomponent as an assignment to the whole array.
29
![Page 58: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/58.jpg)
Example: Parallel Mergesort
{array(a, i , j)}procedure ms(a, i , j)newvar m:= (i + j)/2;if i < j then(
ms(a, i ,m) ‖ ms(a,m + 1, j));
merge(a, i ,m + 1, j);{sorted(a, i , j)}
I To prove with invariants+preservation, you track many irrelevantinterleavings
I and... state complex recursion hypothesis
29
![Page 59: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/59.jpg)
Example: Parallel Mergesort
{array(a, i , j)}procedure ms(a, i , j)newvar m:= (i + j)/2;if i < j then(
ms(a, i ,m) ‖ ms(a,m + 1, j));
merge(a, i ,m + 1, j);{sorted(a, i , j)}
I To prove with rely/guarantee, you complicate the spec (not just thereasoning)
I Rely: no one else touches my segmentI Guarantee: I only touch my own segment (frame axiom)
29
![Page 60: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/60.jpg)
In Separation Logic1
I We just use the given pre/post spec.
{array(a, i ,m) ∗ array(a,m + 1, j)}{array(a, i ,m)} {array(a,m + 1, j)}ms(a, i ,m) ‖ ms(a,m + 1, j){sorted(a, i ,m)} {sorted(a,m + 1, j)}
{sorted(a, i ,m) ∗ sorted(a,m + 1, j)}
I Concurrency proof rule:
{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 ‖ C2{Q1 ∗ Q2}
1a[i ] is sugar for [a + i ] in RAM model30
![Page 61: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/61.jpg)
Part II
Model Theory
Sources:
I Papers of Calcagno, O’Hearn, Pym, Yang
31
![Page 62: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/62.jpg)
General and Particular Models
I Generally. A partial commutative monoid (H , ◦, e)
◦ : H × H ⇀ H , e ∈ H
I Particularly. RAM model (lots of others possible)I H = N ⇀f ZI ◦ = union of functions with disjoint domain, undefined when
overlapping domainsI e = empty partial function
I An order h1 v h3
I General: ∃h2. h1 ◦ h2 = h3
I Particular: h1 ⊆ h3
32
![Page 63: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/63.jpg)
General and Particular Models
I Generally. A partial commutative monoid (H , ◦, e)
◦ : H × H ⇀ H , e ∈ H
I Particularly. RAM model (lots of others possible)I H = N ⇀f ZI ◦ = union of functions with disjoint domain, undefined when
overlapping domainsI e = empty partial function
I An order h1 v h3
I General: ∃h2. h1 ◦ h2 = h3
I Particular: h1 ⊆ h3
32
![Page 64: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/64.jpg)
General and Particular Models
I Generally. A partial commutative monoid (H , ◦, e)
◦ : H × H ⇀ H , e ∈ H
I Particularly. RAM model (lots of others possible)I H = N ⇀f ZI ◦ = union of functions with disjoint domain, undefined when
overlapping domainsI e = empty partial function
I An order h1 v h3
I General: ∃h2. h1 ◦ h2 = h3
I Particular: h1 ⊆ h3
32
![Page 65: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/65.jpg)
General and Particular Models
I Generally. A partial commutative monoid (H , ◦, e)
◦ : H × H ⇀ H , e ∈ H
I Particularly. RAM model (lots of others possible)I H = N ⇀f ZI ◦ = union of functions with disjoint domain, undefined when
overlapping domainsI e = empty partial function
I An order h1 v h3
I General: ∃h2. h1 ◦ h2 = h3
I Particular: h1 ⊆ h3
32
![Page 66: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/66.jpg)
General and Particular Models
I Generally. A partial commutative monoid (H , ◦, e)
◦ : H × H ⇀ H , e ∈ H
I Particularly. RAM model (lots of others possible)I H = N ⇀f ZI ◦ = union of functions with disjoint domain, undefined when
overlapping domainsI e = empty partial function
I An order h1 v h3
I General: ∃h2. h1 ◦ h2 = h3
I Particular: h1 ⊆ h3
32
![Page 67: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/67.jpg)
Algebraic Structure
I We can lift ◦ : H × H ⇀ H to ∗ : P(H)× P(H) → P(H)
h ∈ A ∗ B iff ∃hA, hB . h = hA ◦ hB and
hA ∈ A and hB ∈ B
I emp = {e}.I “I have a heap, and it is empty” (not the empty set of heaps)I (P(H), ∗, emp) is a total commutative monoid
I P(H) is (in the subset order) bothI A Boolean Algebra, andI A Residuated Monoid
A ∗ B ⊆ C ⇔ A ⊆ B −−∗ C
I cf. Boolean BI logic (O’Hearn, Pym)
33
![Page 68: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/68.jpg)
Algebraic Structure
I We can lift ◦ : H × H ⇀ H to ∗ : P(H)× P(H) → P(H)
h ∈ A ∗ B iff ∃hA, hB . h = hA ◦ hB and
hA ∈ A and hB ∈ B
I emp = {e}.I “I have a heap, and it is empty” (not the empty set of heaps)I (P(H), ∗, emp) is a total commutative monoid
I P(H) is (in the subset order) bothI A Boolean Algebra, andI A Residuated Monoid
A ∗ B ⊆ C ⇔ A ⊆ B −−∗ C
I cf. Boolean BI logic (O’Hearn, Pym)
33
![Page 69: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/69.jpg)
Algebraic Structure
I We can lift ◦ : H × H ⇀ H to ∗ : P(H)× P(H) → P(H)
h ∈ A ∗ B iff ∃hA, hB . h = hA ◦ hB and
hA ∈ A and hB ∈ B
I emp = {e}.I “I have a heap, and it is empty” (not the empty set of heaps)I (P(H), ∗, emp) is a total commutative monoid
I P(H) is (in the subset order) bothI A Boolean Algebra, andI A Residuated Monoid
A ∗ B ⊆ C ⇔ A ⊆ B −−∗ C
I cf. Boolean BI logic (O’Hearn, Pym)
33
![Page 70: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/70.jpg)
Algebraic Structure
I We can lift ◦ : H × H ⇀ H to ∗ : P(H)× P(H) → P(H)
h ∈ A ∗ B iff ∃hA, hB . h = hA ◦ hB and
hA ∈ A and hB ∈ B
I emp = {e}.I “I have a heap, and it is empty” (not the empty set of heaps)I (P(H), ∗, emp) is a total commutative monoid
I P(H) is (in the subset order) bothI A Boolean Algebra, andI A Residuated Monoid
A ∗ B ⊆ C ⇔ A ⊆ B −−∗ C
I cf. Boolean BI logic (O’Hearn, Pym)
33
![Page 71: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/71.jpg)
Models of Programs
I Program = while programs with
[e]:= e ′ x := [e] x := new(e1, . . . ., en) dispose(x)
I We represent a program as a transition system
I Each program Prog determines a set of (finite, nonempty) traces
h1 · · · hn
possibly terminated with a special state
h1 · · · hnError
I These transition systems/traces have special structure
34
![Page 72: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/72.jpg)
Models of Programs
I Program = while programs with
[e]:= e ′ x := [e] x := new(e1, . . . ., en) dispose(x)
I We represent a program as a transition system
I Each program Prog determines a set of (finite, nonempty) traces
h1 · · · hn
possibly terminated with a special state
h1 · · · hnError
I These transition systems/traces have special structure
34
![Page 73: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/73.jpg)
x y x y x y
[x]=y ; [y]= x
35
![Page 74: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/74.jpg)
x y x y x y
[x]=y ; [y]= x
36
![Page 75: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/75.jpg)
x y x y
[x]=y ; [y]= x
37
![Page 76: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/76.jpg)
x y x y
Error
[x]=y ; [y]= x
38
![Page 77: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/77.jpg)
Footprint Theorem
1. Recall order on states h v h′ .
2. Extend pointwise to traces, t v t ′
h1 v h′1
......
hn v h′n
3. Notes: requires traces of same length; Error v only itself.
4. Footprint Theorem If t is a trace of program Prog , then there is asmallest tf v t where tf is a trace of Prog
39
![Page 78: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/78.jpg)
The “smallness” of the tree assertion
I
tree(E ) ⇐⇒ if E=nil then emp
else ∃x , y . (E 7→l : x , r : y) ∗ tree(x) ∗ tree(y)
I
40
![Page 79: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/79.jpg)
The “smallness” of the tree assertionI
tree(E ) ⇐⇒ if E=nil then emp
else ∃x , y . (E 7→l : x , r : y) ∗ tree(x) ∗ tree(y)
I tree(E ) is true of
E
40
![Page 80: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/80.jpg)
The “smallness” of the tree assertionI
tree(E ) ⇐⇒ if E=nil then emp
else ∃x , y . (E 7→l : x , r : y) ∗ tree(x) ∗ tree(y)
I tree(E ) is false of
E
40
![Page 81: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/81.jpg)
The “smallness” of the tree assertionI
tree(E ) ⇐⇒ if E=nil then emp
else ∃x , y . (E 7→l : x , r : y) ∗ tree(x) ∗ tree(y)
I and even false of
E
40
![Page 82: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/82.jpg)
Small Specs (only talk about footprint)
I We saw
{tree(p)} DispTree(p) {emp}
I and we could have given
{E 7→ –} [E ] = b {E 7→ b}
{emp} x = new(y , z) {x 7→ y , z }
{E 7→ −} dispose(E ) {emp}
41
![Page 83: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/83.jpg)
Small Specs (only talk about footprint)
I We saw
{tree(p)} DispTree(p) {emp}
I and we could have given
{E 7→ –} [E ] = b {E 7→ b}
{emp} x = new(y , z) {x 7→ y , z }
{E 7→ −} dispose(E ) {emp}
41
![Page 84: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/84.jpg)
Frame TheoremI Frame Theorem: If t is a trace of program Prog and t v t ′ then t ′
is a trace of Prog
I
42
![Page 85: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/85.jpg)
Frame TheoremI Frame Theorem: If t is a trace of program Prog and t v t ′ then t ′
is a trace of Prog (Wrong Theorem!)
I
42
![Page 86: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/86.jpg)
Frame TheoremI Frame Theorem: If t is a trace of program Prog and t v t ′ then t ′
is a trace of Prog (Wrong Theorem!)
I
x y x y
Error
[x]=y ; [y]= x
43
![Page 87: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/87.jpg)
Frame Theorem
I Frame Theorem: If t is a trace of program Prog and t v t ′ then t ′
is a trace of Prog (Wrong Theorem!)
I
x y x y x y
[x]=y ; [y]= x
43
![Page 88: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/88.jpg)
Frame Theorem
I Frame Theorem: If t is a successful (non-error) trace of programProg and t v t ′ then t ′ is a trace of Prog
I
x y x y x y
[x]=y ; [y]= x
44
![Page 89: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/89.jpg)
Frame Theorem
I Frame Theorem: If t is a successful (non-error) trace of programProg and t v t ′ then t ′ is a trace of Prog (Wrong Theorem!)
I
x y x y x y
[x]=y ; [y]= x
44
![Page 90: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/90.jpg)
Recall the Order
1. Order on states h v h′ .
2. Extend pointwise to traces, t v t ′
h1 v h′1
......
hn v h′n
45
![Page 91: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/91.jpg)
Frame Theorem
I If t = h1 · · · hn , define t ◦ h = (h1◦h) · · · (hn◦h)
I Frame Theorem: If t is a successful (non-error) trace of programProg and t ◦ h is defined, then then t ◦ h is a trace of Prog
I
x y x y x y
[x]=y ; [y]= x
46
![Page 92: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/92.jpg)
Frame Theorem
I If t = h1 · · · hn , define t ◦ h = (h1◦h) · · · (hn◦h)
I Frame Theorem: If t is a successful (non-error) trace of programProg and t ◦ h is defined, then then t ◦ h is a trace of Prog
I
x y x y x y
[x]=y ; [y]= x
46
![Page 93: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/93.jpg)
Frame Theorem
I If t = h1 · · · hn , define t ◦ h = (h1◦h) · · · (hn◦h)
I Frame Theorem: If t is a successful (non-error) trace of programProg and t ◦ h is defined, then then t ◦ h is a trace of Prog
I
x y x y x y
[x]=y ; [y]= x
46
![Page 94: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/94.jpg)
Frame Theorem
I If t = h1 · · · hn , define t ◦ h = (h1◦h) · · · (hn◦h)
I Frame Theorem: If t is a successful (non-error) trace of programProg and t ◦ h is defined, then then t ◦ h is a trace of Prog
I
x y x y x y
[x]=y ; [y]= x
47
![Page 95: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/95.jpg)
Recall the ???
{(x 7→ –) ∗ P} [x ]:= 7 {(x 7→ 7) ∗ P}
{true} [x ]:= 7 {??}
{P ∗ (x 7→ –) } dispose(x) {P}
{true} dispose(x) {??}
48
![Page 96: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/96.jpg)
Tight Specs for (nearly) Free3
I {A}Prog{B} holds iff ∀h ∈ A,1. no error: ¬∃t. htError ∈Traces(Prog)2. partial correctness: ∀t, h′. hth′ ∈Traces(Prog) ⇒ h′ ∈ B
I If we run Prog in h ◦ hfr where h ∈A, then hfr will not change.2
I This “will not change” property is a fact of the semantics of programsand specs. It is independent of separation logic.
I It is true of many more models than the RAM
I We can just “exploit” this fact with the frame rule
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
2One more technical property concerning safety and footprints is needed to implythis: any safe (doesn’t lead to error) state has a smallest safe state below it, and startstates of footprints are below (or equal) those.
3Error-avoiding used in Hoare-Wirth 1972, tightness observed in 200049
![Page 97: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/97.jpg)
Tight Specs for (nearly) Free3
I {A}Prog{B} holds iff ∀h ∈ A,1. no error: ¬∃t. htError ∈Traces(Prog)2. partial correctness: ∀t, h′. hth′ ∈Traces(Prog) ⇒ h′ ∈ B
I If we run Prog in h ◦ hfr where h ∈A, then hfr will not change.2
I This “will not change” property is a fact of the semantics of programsand specs. It is independent of separation logic.
I It is true of many more models than the RAM
I We can just “exploit” this fact with the frame rule
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
2One more technical property concerning safety and footprints is needed to implythis: any safe (doesn’t lead to error) state has a smallest safe state below it, and startstates of footprints are below (or equal) those.
3Error-avoiding used in Hoare-Wirth 1972, tightness observed in 200049
![Page 98: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/98.jpg)
Tight Specs for (nearly) Free3
I {A}Prog{B} holds iff ∀h ∈ A,1. no error: ¬∃t. htError ∈Traces(Prog)2. partial correctness: ∀t, h′. hth′ ∈Traces(Prog) ⇒ h′ ∈ B
I If we run Prog in h ◦ hfr where h ∈A, then hfr will not change.2
I This “will not change” property is a fact of the semantics of programsand specs. It is independent of separation logic.
I It is true of many more models than the RAM
I We can just “exploit” this fact with the frame rule
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
2One more technical property concerning safety and footprints is needed to implythis: any safe (doesn’t lead to error) state has a smallest safe state below it, and startstates of footprints are below (or equal) those.
3Error-avoiding used in Hoare-Wirth 1972, tightness observed in 200049
![Page 99: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/99.jpg)
Tight Specs for (nearly) Free3
I {A}Prog{B} holds iff ∀h ∈ A,1. no error: ¬∃t. htError ∈Traces(Prog)2. partial correctness: ∀t, h′. hth′ ∈Traces(Prog) ⇒ h′ ∈ B
I If we run Prog in h ◦ hfr where h ∈A, then hfr will not change.2
I This “will not change” property is a fact of the semantics of programsand specs. It is independent of separation logic.
I It is true of many more models than the RAM
I We can just “exploit” this fact with the frame rule
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
2One more technical property concerning safety and footprints is needed to implythis: any safe (doesn’t lead to error) state has a smallest safe state below it, and startstates of footprints are below (or equal) those.
3Error-avoiding used in Hoare-Wirth 1972, tightness observed in 200049
![Page 100: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/100.jpg)
Summary (Model Theoretic Properties)
1. Footprint Theorem If t is a trace of program Prog, then there is asmallest tf v t where tf is a trace of Prog
2. Frame Theorem: If t is a successful (non-error) trace of programProg and t ◦ h is defined, then then t ◦ h is a trace of Prog
50
![Page 101: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/101.jpg)
Part III
Proof Theory
I Papers of Berdine, Calcagno, Distefano, Yang, O’Hearn
51
![Page 102: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/102.jpg)
A Special Format
A special form4
(B1 ∧ · · · ∧ Bn)∧(H1 ∗ · · · ∗ Hm)
where
H ::= E 7→ρ | tree(E ) | lseg(E ,E )B ::= E=E | E 6=E
E ::= x | nil
ρ ::= f1 : E1, . . . , fn : En
B ::= E=E | E 6=E
and many other inductive predicates
4assertional if-then-else as well52
![Page 103: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/103.jpg)
Entailments P ` Q (Berdine/Calcagno Proof Theory)
I A proof theory oriented around Abstraction and Subtraction .
I Sample Abstraction Rule
lseg(x , t) ∗ list(t) ` list(x)
I Subtraction RuleQ1 ` Q2
Q1 ∗ S ` Q2 ∗ S
I Try to reduce an entailment to the axiom
B ∧ emp ` true ∧ emp
53
![Page 104: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/104.jpg)
Entailments P ` Q (Berdine/Calcagno Proof Theory)
I A proof theory oriented around Abstraction and Subtraction .
I Sample Abstraction Rule
lseg(x , t) ∗ list(t) ` list(x)
I Subtraction RuleQ1 ` Q2
Q1 ∗ S ` Q2 ∗ S
I Try to reduce an entailment to the axiom
B ∧ emp ` true ∧ emp
53
![Page 105: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/105.jpg)
Entailments P ` Q (Berdine/Calcagno Proof Theory)
I A proof theory oriented around Abstraction and Subtraction .
I Sample Abstraction Rule
lseg(x , t) ∗ list(t) ` list(x)
I Subtraction RuleQ1 ` Q2
Q1 ∗ S ` Q2 ∗ S
I Try to reduce an entailment to the axiom
B ∧ emp ` true ∧ emp
53
![Page 106: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/106.jpg)
Entailments P ` Q (Berdine/Calcagno Proof Theory)
I A proof theory oriented around Abstraction and Subtraction .
I Sample Abstraction Rule
lseg(x , t) ∗ list(t) ` list(x)
I Subtraction RuleQ1 ` Q2
Q1 ∗ S ` Q2 ∗ S
I Try to reduce an entailment to the axiom
B ∧ emp ` true ∧ emp
53
![Page 107: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/107.jpg)
Works great!
lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x) Abstract (Roll)
54
![Page 108: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/108.jpg)
Works great!
lseg(x , t) ∗ list(t) ` list(x) Abstract (Inductive)lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x) Abstract (Roll)
54
![Page 109: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/109.jpg)
Works great!
list(x) ` list(x) Subtractlseg(x , t) ∗ list(t) ` list(x) Abstract (Inductive)lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x) Abstract (Roll)
54
![Page 110: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/110.jpg)
Works great!
¨
emp ` emp Axiom!list(x) ` list(x) Subtractlseg(x , t) ∗ list(t) ` list(x) Abstract (Inductive)lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x) Abstract (Roll)
54
![Page 111: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/111.jpg)
Works great!
¨
emp ` emp Axiom!list(x) ` list(x) Subtractlseg(x , t) ∗ list(t) ` list(x) Abstract (Inductive)lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x) Abstract (Roll)
lseg(x , t) ∗ t 7→nil ∗ list(y) ` list(x) Abstract (Inductive)
54
![Page 112: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/112.jpg)
Works great!
¨
emp ` emp Axiom!list(x) ` list(x) Subtractlseg(x , t) ∗ list(t) ` list(x) Abstract (Inductive)lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x) Abstract (Roll)
list(x) ∗ list(y) ` list(x) Subtractlseg(x , t) ∗ t 7→nil ∗ list(y) ` list(x) Abstract (Inductive)
54
![Page 113: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/113.jpg)
Works great!
¨
emp ` emp Axiom!list(x) ` list(x) Subtractlseg(x , t) ∗ list(t) ` list(x) Abstract (Inductive)lseg(x , t) ∗ t 7→[tl : y ] ∗ list(y) ` list(x) Abstract (Roll)
_
list(y) ` emp Junk: Not Axiom!list(x) ∗ list(y) ` list(x) Subtractlseg(x , t) ∗ t 7→nil ∗ list(y) ` list(x) Abstract (Inductive)
54
![Page 114: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/114.jpg)
List of abstraction rules for lseg
Rolling
emp → lseg(E ,E )
E1 6=E3 ∧ E1 7→[tl :E2, ρ] ∗ lseg(E2,E3) → lseg(E1,E3)
Induction Avoidance
lseg(E1,E2) ∗ lseg(E2, nil) → lseg(E1, nil)
lseg(E1,E2) ∗ E2 7→[t : nil] → lseg(E1, nil)
lseg(E1,E2) ∗ lseg(E2,E3) ∗ E3 7→[ρ] → lseg(E1,E3) ∗ E3 7→[ρ]
E3 6=E4 ∧ lseg(E1,E2) ∗ lseg(E2,E3) ∗ lseg(E3,E4)
→ lseg(E1,E3) ∗ lseg(E3,E4)
55
![Page 115: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/115.jpg)
Proof Procedure for Q1 ` Q2, Normalization Phase
I Substitute out all equalities
Q1[E/x ] ` Q2[E/x ]
x = E ∧ Q1 ` Q2
I Generate disequalities. E.g., using
x 7→[ρ] ∗ y 7→[ρ′] → x 6= y
I Remove empty lists and trees: lseg(x , x), tree(nil)
I Check antecedent for inconsistency, if so, return “valid”.Inconcistencies: x 7→[ρ] ∗ x 7→[ρ′] nil 7→ − x 6= x · · ·
I Check pure consequences (easy inequational logic), if failed then“invalid”
56
![Page 116: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/116.jpg)
Proof Procedure for Q1 ` Q2, Abstract/Subtract Phase
Trying to prove B1 ∧ H1 ` H2
I For each spatial predicate in H2, try to apply abstraction rules tomatch it with things in H1.
I Then, apply subtraction rule.
Q1 ` Q2
Q1 ∗ S ` Q2 ∗ S
I If you are left withB ∧ emp ` true ∧ emp
report “valid”, else “invalid”
57
![Page 117: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/117.jpg)
Perspective
I The BC procedure is cubic and complete on certain formulae
I In general it is incomplete, but BC have another (exponential)procedure that is complete.
I It shows that you can do some very effective substructural theoremproving
I Nguyen-Chin and Brotherston handle more inductive definitions.Nguyen and Chin show how to call upon off-the-shelf provers (seeChin’s CAV talk on Saturday)
I For embeddings in proof assistants, similar strategies can be used intactics (I think).. ConcCminor, ArmCam, L4.verified, TopsyTokyo...
I Abstract interpreters based on sep logic – Space Invader, SLAyer,THOR, jStar, Xisa, VELOCITY – use special versions of theabstraction rules to ensure convergence. See Yang’s and Magill’s CAVtalks on Saturday.
58
![Page 118: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/118.jpg)
Perspective
I The BC procedure is cubic and complete on certain formulae
I In general it is incomplete, but BC have another (exponential)procedure that is complete.
I It shows that you can do some very effective substructural theoremproving
I Nguyen-Chin and Brotherston handle more inductive definitions.Nguyen and Chin show how to call upon off-the-shelf provers (seeChin’s CAV talk on Saturday)
I For embeddings in proof assistants, similar strategies can be used intactics (I think).. ConcCminor, ArmCam, L4.verified, TopsyTokyo...
I Abstract interpreters based on sep logic – Space Invader, SLAyer,THOR, jStar, Xisa, VELOCITY – use special versions of theabstraction rules to ensure convergence. See Yang’s and Magill’s CAVtalks on Saturday.
58
![Page 119: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/119.jpg)
Perspective
I The BC procedure is cubic and complete on certain formulae
I In general it is incomplete, but BC have another (exponential)procedure that is complete.
I It shows that you can do some very effective substructural theoremproving
I Nguyen-Chin and Brotherston handle more inductive definitions.Nguyen and Chin show how to call upon off-the-shelf provers (seeChin’s CAV talk on Saturday)
I For embeddings in proof assistants, similar strategies can be used intactics (I think).. ConcCminor, ArmCam, L4.verified, TopsyTokyo...
I Abstract interpreters based on sep logic – Space Invader, SLAyer,THOR, jStar, Xisa, VELOCITY – use special versions of theabstraction rules to ensure convergence. See Yang’s and Magill’s CAVtalks on Saturday.
58
![Page 120: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/120.jpg)
Perspective
I The BC procedure is cubic and complete on certain formulae
I In general it is incomplete, but BC have another (exponential)procedure that is complete.
I It shows that you can do some very effective substructural theoremproving
I Nguyen-Chin and Brotherston handle more inductive definitions.Nguyen and Chin show how to call upon off-the-shelf provers (seeChin’s CAV talk on Saturday)
I For embeddings in proof assistants, similar strategies can be used intactics (I think).. ConcCminor, ArmCam, L4.verified, TopsyTokyo...
I Abstract interpreters based on sep logic – Space Invader, SLAyer,THOR, jStar, Xisa, VELOCITY – use special versions of theabstraction rules to ensure convergence. See Yang’s and Magill’s CAVtalks on Saturday.
58
![Page 121: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/121.jpg)
Perspective
I The BC procedure is cubic and complete on certain formulae
I In general it is incomplete, but BC have another (exponential)procedure that is complete.
I It shows that you can do some very effective substructural theoremproving
I Nguyen-Chin and Brotherston handle more inductive definitions.Nguyen and Chin show how to call upon off-the-shelf provers (seeChin’s CAV talk on Saturday)
I For embeddings in proof assistants, similar strategies can be used intactics (I think).. ConcCminor, ArmCam, L4.verified, TopsyTokyo...
I Abstract interpreters based on sep logic – Space Invader, SLAyer,THOR, jStar, Xisa, VELOCITY – use special versions of theabstraction rules to ensure convergence. See Yang’s and Magill’s CAVtalks on Saturday.
58
![Page 122: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/122.jpg)
Earlier Slide... Let’s think about automating
I Spec{tree(p)} DispTree(p) {emp}
I Rest of proof of evident recursive procedure
{tree(i)∗tree(j)}DispTree(i);{emp ∗ tree(j)} {emp ∗ tree(j)}DispTree(j);{emp ∗ emp} {emp}
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
59
![Page 123: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/123.jpg)
Extensions of the entailment question I: Frame Inference
A ` B
A ∗ ?1AAAAA ` A ∗ ?2AAAAA
60
![Page 124: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/124.jpg)
Extensions of the entailment question I: Frame Inference
A ` B ∗ ?
A ∗ ?1AAAAA ` A ∗ ?2AAAAA
60
![Page 125: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/125.jpg)
Extensions of the entailment question I: Frame Inference
tree(i) ∗ tree(j) ` tree(i) ∗ ?
A ∗ ?1AAAAA ` A ∗ ?2AAAAA
60
![Page 126: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/126.jpg)
Extensions of the entailment question I: Frame Inference
tree(i) ∗ tree(j) ` tree(i) ∗ tree(j)A ∗ ?1AAAAA ` A ∗ ?2AAAAA
60
![Page 127: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/127.jpg)
Extensions of the entailment question I: Frame Inference
x 6= nil ∧ list(x) ` ∃x ′. x 7→ x ′ ∗ ?
A ∗ ?1AAAAA ` A ∗ ?2AAAAA
60
![Page 128: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/128.jpg)
Extensions of the entailment question I: Frame Inference
x 6= nil ∧ list(x) ` ∃x ′. x 7→ x ′ ∗ list(x ′)
A ∗ ?1AAAAA ` A ∗ ?2AAAAA
60
![Page 129: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/129.jpg)
Extensions of the entailment question I: Frame Inference
A ` B ∗ ?
A ∗ ?1AAAAA ` A ∗ ?2AAAAA
60
![Page 130: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/130.jpg)
How to infer a frame
Convert a failed derivation
list(y) ` emp Junk: Not Axiom!list(x) ∗ list(y) ` list(x) Subtractlseg(x , t) ∗ t 7→nil ∗ list(y) ` list(x) Abstract (Inductive)
into a successful one
emp ` emp Axiomlist(y) ` list(y) Subtractlist(x) ∗ list(y) ` list(x) ∗ list(y) Subtractlseg(x , t) ∗ t 7→nil ∗ list(y) ` list(x) ∗ list(y) Abstract (Inductive)
61
![Page 131: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/131.jpg)
How to infer a frame, more generally
I Problem: A ` B∗?I Apply abstraction and subtraction to shrink your goal:
if you get to F ` emp then F is your frame axiom.
F ` emp ⇑... ⇑
A ` B ⇑
I Sometimes you need to deal with multiple leaves at top (case analysis)
62
![Page 132: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/132.jpg)
Extensions of the entailment question II:
I
A ` B
A ∗ ?1 ` A ∗ ?2
I We call the ? here an “anti-frame”.5
5Calcagno, Distefano, O’Hearn, Yang, 2008 (forthcoming)63
![Page 133: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/133.jpg)
Extensions of the entailment question II:
I
A ∗ ? ` B
A ∗ ?1 ` A ∗ ?2
I We call the ? here an “anti-frame”.5
5Calcagno, Distefano, O’Hearn, Yang, 2008 (forthcoming)63
![Page 134: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/134.jpg)
Extensions of the entailment question II: Abduction
I
A ∗ ? ` B
A ∗ ?1 ` A ∗ ?2
I We call the ? here an “anti-frame”.5
5Calcagno, Distefano, O’Hearn, Yang, 2008 (forthcoming)63
![Page 135: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/135.jpg)
Extensions of the entailment question II:
I
A ∗ ? ` B
A ∗ ?1 ` A ∗ ?2
I We call the ? here an “anti-frame”.5
5Calcagno, Distefano, O’Hearn, Yang, 2008 (forthcoming)63
![Page 136: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/136.jpg)
Abduction Example: Inferring a pre/post pair
1 void p(list-item *y) {2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0;5 merge(x,y);6 return(x); }
Abductive Inference:
Given Summary/spec: {list(x) ∗ list(y)}merge(x , y){list(x)}
64
![Page 137: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/137.jpg)
Abduction Example: Inferring a pre/post pair
1 void p(list-item *y) { emp2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0;5 merge(x,y);6 return(x); }
Abductive Inference:
Given Summary/spec: {list(x) ∗ list(y)}merge(x , y){list(x)}
64
![Page 138: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/138.jpg)
Abduction Example: Inferring a pre/post pair
1 void p(list-item *y) { emp2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x 7→ 05 merge(x,y);6 return(x); }
Abductive Inference:
Given Summary/spec: {list(x) ∗ list(y)}merge(x , y){list(x)}
64
![Page 139: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/139.jpg)
Abduction Example: Inferring a pre/post pair
1 void p(list-item *y) { emp2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x 7→ 05 merge(x,y);6 return(x); }
Abductive Inference: x 7→ 0 ∗ ? ` list(x) ∗ list(y)
Given Summary/spec: {list(x) ∗ list(y)}merge(x , y){list(x)}
64
![Page 140: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/140.jpg)
Abduction Example: Inferring a pre/post pair
1 void p(list-item *y) { emp2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x 7→ 05 merge(x,y);6 return(x); }
Abductive Inference: x 7→ 0 ∗ list(y) ` list(x) ∗ list(y)
Given Summary/spec: {list(x) ∗ list(y)}merge(x , y){list(x)}
64
![Page 141: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/141.jpg)
Abduction Example: Inferring a pre/post pair
1 void p(list-item *y) { emp list(y)2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x 7→ 05 merge(x,y);6 return(x); }
Abductive Inference: x 7→ 0 ∗ list(y) ` list(x) ∗ list(y)
Given Summary/spec: {list(x) ∗ list(y)}merge(x , y){list(x)}
64
![Page 142: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/142.jpg)
Abduction Example: Inferring a pre/post pair
1 void p(list-item *y) { emp list(y)2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x 7→ 05 merge(x,y); list(x)6 return(x); }
Abductive Inference: x 7→ 0 ∗ list(y) ` list(x) ∗ list(y)
Given Summary/spec: {list(x) ∗ list(y)}merge(x , y){list(x)}
64
![Page 143: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/143.jpg)
Abduction Example: Inferring a pre/post pair
1 void p(list-item *y) { emp list(y)2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x 7→ 05 merge(x,y); list(x)6 return(x); } list(ret)
Abductive Inference: x 7→ 0 ∗ list(y) ` list(x) ∗ list(y)
Given Summary/spec: {list(x) ∗ list(y)}merge(x , y){list(x)}
64
![Page 144: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/144.jpg)
Abduction Example: Inferring a pre/post pair
1 void p(list-item *y) { emp list(y) (Inferred Pre)2 list-item *x;3 x=malloc(sizeof(list-item));4 x→tail = 0; x 7→ 05 merge(x,y); list(x)6 return(x); } list(ret) (Inferred Post)
Abductive Inference: x 7→ 0 ∗ list(y) ` list(x) ∗ list(y)
Given Summary/spec: {list(x) ∗ list(y)}merge(x , y){list(x)}
64
![Page 145: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/145.jpg)
Proof Theory Summary
I Despite undecidability results for even propositional logics, when usedin the right way, substructural proof theory can be “quite” effective
I Interesting inference questions beyond entailment:I Frame inference
A ` B ∗ ?
which lets you use small specs, andI Anti-frame inference (or, abduction),
A ∗ ? ` B
which can help in finding the small specs
65
![Page 146: Tutorial on Separation Logic - UCL](https://reader030.vdocuments.us/reader030/viewer/2022012508/61853f629fff5875c2191f95/html5/thumbnails/146.jpg)
Proof Theory Summary
I Despite undecidability results for even propositional logics, when usedin the right way, substructural proof theory can be “quite” effective
I Interesting inference questions beyond entailment:I Frame inference
A ` B ∗ ?
which lets you use small specs, andI Anti-frame inference (or, abduction),
A ∗ ? ` B
which can help in finding the small specs
65