Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang

Outline The ideal assertion language Difficulties with pointers Solutions The separation logic Concurrent Separation Logic

Hoare Proof Rules for Partial Correctness {A} skip {A} {B[a/X]} X:=a {B} (Assignment Rule) {P} c 0 {C} {C} c 1 {Q} {P} c 0 ;c 1 {Q} {P  b} c 0 {Q} {P  b} c 1 {Q} {P} if b then c 0 else c 1 {Q} {I  b} c {I} {I} while b do c{I  b}  P  P’ {P’} c {Q’}  Q’  Q {P} c {Q} (Composition Rule) (Conditional Rule) (Loop Rule) (Consequence Rule)

The Ideal Assertion Language Natural Succinct Expressive –Closed under WP for every command Efficient algorithm for entailment checking

IMP++ Abstract syntax com::= X := a | X:= cons(a 1, a 2 ) | X := [a] |[a 1 ] := a 2 | dispose(a) | skip | com 1 ; com 2 | if b then com 1 else com 2 | while b do com|

Informal Semantics IMP++ Allocation x := cons(y, z) Heap lookup y := [x+1] Mutation [x + 1] := 3 Deallocation dispose(x+1) Store: [x:3, y:40, z:17] Heap: empty Store: [x:37, y:40, z:17] Heap: 37:40, 38:17 Store: [x:37, y:17, z:17] Heap: 37:40, 38:3 Store: [x:37, y:17, z:17] Heap: 37:40, 38:17 Store: [x:37, y:17, z:17] Heap: 37:40

First assertion language Aexpv a:= n | X | [a] | i | a 0 + a 1 | a 0 - a 1 | a 0  a 1 Assn A:= true | false | a 0 = a 1 | a 0  a 1 | A 0  A 1 | A 0  A 1 |  A | A 0  A 1 |  i. A |  i. A

Destructive Pointer Reversal y: = nil ; while x  nil do ( t := y y := x x := [x +1] [y+1] := t )

Assignment Axioms {?} [a 1 ] := a 2 {p} {?} [x] := z {[x] =y} {?} [t] := z {[x] =y}

Assignment Rule with Mutations [Morris 1982] Characterize aliasing patterns with assertions [McCharthy ?] Define a logic for stores heap:loc  val First order assertions over heap {p} [a 1 ] := a 2 {p[a 2 /heap(a 1 )]} [Burstall 1972] Local reasoning Split the heap into disjoints parts Contents can be shared {x=37  z=x  heap(37)=40} [x] := 77 {x=37  z=x  heap(37)=77}

Separation Logic x  y * y  x

Separation Logic x  y x y

Separation Logic y  x x y

Separation Logic x  y * y  x x y

Separation Logic x  y x y x=10y=42

Separation Logic y  x x y x=10y=42

Separation Logic x  y * y  x x y x=10y=42

Assertions in Separation Logic SyntaxIntended Meaning e=fPure expression comparison efef A heap with one location pointed to by e with content f empEmpty heap p *qp and q hold in disjoint heaps true,false, p  q, p  q,  x: p standard e  _   l: e  l e  e 0, e 1, …, e n-1  e  e 0 * e+1  e 1 * … * e+n-1  e n-1  e  f  e  f * true

AssertionExample state x  3,y Store: x: , y:  Heap:  : 3,  +1:  y  3,x Store: x: , y:  Heap:  : 3,  +1:  x  3,y * y  3,x Store: x: , y:  Heap:  : 3,  +1  : 3,  +1:  ,  +1, , and  +1 disjoint x  3,y  y  3,xStore: x: , y:  Heap:  : 3,  +1:  x  3,y  y  3,xStore: x: , y:  Heap:  : 3,  +1:   : 3,  +1: 

Unsound Axioms p  p * p Contraction p= x  1 p * q  p Weakening p= x  1 q= y  2

In-Place Reasoning {x  7 * p} [x] := 7 {x  _ * p} {?}[x] := 7{true} {?}dispose(e){true} {p}dispose(e) {x  _ * p} if {p} c {q} holds then p describes the resources that c needs

Semantics of separation logics s, h  e = f  e  s =  f  s s, h  e  f{  e  s} = dom(h) and h(  e  ) =  f  s s, h  emp h=[] s, h  p * q exist h1, h2: dom(h1)  dom(h2)=  s, h1  p s, h2  q h = h1 # h2

Semantics of separation logics(cont) s, h  false never s, h  p  q if s, h  p then s, h  q s, h   x. p exists v: s[v/x], h  p

Three “Small” Axioms {e  _} [e] := b {e  b} {emp} x := cons(y, z) {x  y, z} {e  _} dispose(e) {emp}

The Frame Rule {p} c {q} {p * r} c {q * r} Mod(c)  free(r)={} Mod(x := _) = {x} Mod([e]:=f) =  Mod(dispose(e)) = 

A simple application of the frame rule {p} c {q} {p * r} c {q * r} Mod(c)  free(r)={} {(e  _ )* p } dispose(e) {p}

Inductive Definitions Define assertions inductively Allows natural specifications list [r] x  (r=   x= nil  emp)  (  a, s, y: r=a.s  x  a, y * list [s] y) list(x, y)  (x=y  emp)  (  t: x  _, t * list(t, y)) tree(r)  (r=nil  emp)  (  l, r: r  _, l, r * tree(l) * tree(r))

The Reverse Example y: = nil ; while x  nil do ( t := y y := x x := [x +1] [y+1] := t ) , . list [  ] y * list [  ] x  rev(  0 )= rev(  ). 

The Delete Example bool elem_delete(delval, c) prev=nil elem = c while (elem  nil) ( if ([elem] = delval) then ( if (prev = nil) then c = [elem+1] else [prev+1] = [elem+1]; dispose(elem); return TRUE) prev=elem; elem = [elem+1] prev=nil /\ list(c,nil)  prev != nil /\ (list (c,prev) * (prev  -,elem) * list (elem, nil)) list(x, y)  (x=y  emp)   t: x  _, t * list(t, y) {list(c, nil)}

Extensions For WP we need another operator “Fresh” implication p -* q –We can extend a heap in which p is true with an additional disjoint heap such that q is true in the combined heap

Disjoint Concurrency {p 1 } c 1 {q 1 } {p 2 } c 2 {q 2 } {p 1 * p 2 } c 1 || c 2 {q 1 * q 2 }

Disjoint Concurrency {p 1 } c 1 {q 1 } {p 2 } c 2 {q 2 } {p 1 * p 2 } c 1 || c 2 {q 1 * q 2 } {10  _} [10] := 5 || [10] := 7 {?} Cannot prove racy programs

Disjoint Concurrency {p 1 } c 1 {q 1 } {p 2 } c 2 {q 2 } {p 1 * p 2 } c 1 || c 2 {q 1 * q 2 } Preconditions can pick race free programs when they exist {x  3} [x] :=4 {[x]= 4}  {y  3} [y] :=7 {[y]= 7} {x  3 * y  3} {x  4 * y  7}

Example: Parallel Dispose Tree procedure dispTree(p) { local l, r if (p !=nil) then { l = [p+1]; r = [p+2]; dispose(p) || dispTree(l) || dispTree(r) }

Parallel Dispose Tree - Proof Sketch {tree(p)} dispTree(p) {emp} {p  _, l, r} dispose(p) {emp} {tree(l)} dispTree(l) {emp} {tree(r)} dispTree(r) {emp} p  _, l, r * tree(l) * tree(r) dispose(p) || dispTree(l) || dispTree(r) emp * emp * emp

Extensions Hoare Conditional Critical Regions –with r when B do C Fine-Grained Concurrency –Combine with Rely/Guarantee

Summary Separation logic provides a solution for the heap –Limited aliasing –Dynamic ownership Concise specifications Elegant proofs for several examples