Separation Logic A Logic of Shared Mutable Data Structures John Reynolds CMU Extended subset Mooly Sagiv

Program Verification Verify that the program is correct No unexpected behavior Identify bugs Valid documentation Proofs can be saved Axiomatic semantics

Notations {P} S {Q} –If P holds when S starts and S terminates then Q holds after S –Partial correctness –No runtime errors (null dereferences) –S assumes P and guarantees Q [P] S [Q] –If P holds when S starts then S terminates and Q holds after S –total correctness –S assumes P and guarantees Q –A backward version can be defined WP(S, Q) The weakest condition which guarantees that S terminates and satisfies Q

Hoare Proof Rules for Partial Correctness {p} skip {p} {p/v  e } v:=e {p} {p} c 0 {r} {r} c 1 {q} {p} c 0 ;c 1 {q} {p  b} c 0 {q} {p  b} c 1 {q} {p} if b then c 0 else c 1 {q}

Hoare Proof Rules for Partial Correctness {i  b} c {i} {i} while b do c{i  b}  p  p’ {p’} c {q’}  q’  q {p} c {q}

Simple Example x := 0; i := 0 while (i < n ) x := x + a; i := i + 1;

Pathological Example while true do skip

Memory allocation & destructive updates Allocation x := cons(y, z) Heap lookup y := [x+1] Mutation [x + 1] := 3 Deallocation dispose(x+1) Store: [x:3, y:40, z:17] Heap: empty Store: [x:37, y:40, z:17] Heap: 37:40, 38:17 Store: [x:37, y:17, z:17] Heap: 37:40, 38:3 Store: [x:37, y:17, z:17] Heap: 37:40, 38:17 Store: [x:37, y:17, z:17] Heap: 37:40

Properties of Hoare Triples Soundness Relative completeness

Hoare Axiom for Destructive Updates {p/[e1]  e} [e1] := e {p} axioms Store: [x:37, y:17, z:37] Heap: 37:40, 38:3 {[z]=40} [x] := 77 {[z] =40} Store: [x:37, y:17, z:37] Heap: 37:77, 38:3

Difficulties with Pointers Assignment rule breaks No constancy rule Hard to use abstract data types Hard to specify what is expected –Can we specify concisely what is not expected? Scalability program verification/analysis {p} c {q} {p  r} c {q  r} where no free variable in r is modified by c

Outline Hoare logic Difficulties with pointers A Simple Programming Language Monotonicity and Seperability Assertions & Axioms Applications Limitations Missing

The Programming Language ::= … | := cons(, …, ) | := [ ] | [ ] := | dispose

States Values = Integers  Atoms  Addresses Heaps =  { A  Values | A  Addresses, A is finite} nil  Atoms Store V = V  Values State V = Store V  Heaps  e  : Store V  Values  b  : Store V  {true, false}

Commands Small-step operational semantics  state‘ Special error state 

Commands(2) Allocation  [s| v: l],[h|l:  e 1  s|…| l+n-1:  e n  s] where l 1, …, l n  Addresses – dom h Lookup –  ([s | v: h(  e  s), h) where  e  s  dom h –   where  e  s  dom h

Commands(3) Mutation (destructive-update) –  (s, [h |  e  s :  e’  s ]) where  e  s  dom h –   where  e  s  dom h Deallocation –  (s, h -  e  s ) where  e  s  dom h –   where  e  s  dom h

Heap Montonicity For all heaps h  h’ If a command does not fault on a small heap h then it does not fault on a larger heap h’ –If  *  then  * 

Notation h = h 0 # h 1 union of disjoint heaps Requires that h 0 and h 1 are disjoint h = h 0  h 1

Heap Separabality Assumption: h = h 0 # h 1 The effect of a command on a large heap is determined by its effect on any subheap without faults –If there exists h’ such that  * (s’, h’) and !  *  then there exists h’ 0 such that (i) h’= h’ 0 # h 1 and (ii)  * (s’, h’ 0 )

Proof of Seperability (Preliminaries) Lemma 1: For every l,k  N and heaps h 0 and h 1 s.t. (1) l  dom(h 1 ) and (2) dom(h 0 )  dom(h 1 )= , (h 0 # h 1 )[l:k] = h 0 [l:k]# h 1 Proof: (1& 2) imply that dom(h 0 [l:k])  dom(h 1 ) = ({l}  dom(h 0 ))  dom(h 1 ) = . Thus, h 0 [l:k]# h 1 is defined. dom(h 0 # h 1 )[l:k] = {l}  dom(h 0 # h 1 ) = (by definition) {l}  dom(h 0 )  dom(h 1 ) = (1 & 2) dom(h 0 [l:k]# h 1 ) For every t  dom(h 0 # h 1 )[l:k]: (h 0 # h 1 )[l:k](t) = k if t=l, or (h 0 # h 1 )(t) =k if t=l, or (h 0 (t) if t  dom(h 0 ) or h 1 (t) if t  dom(h 1 )) otherwise = (k if t=l, or h 0 (t) otherwise) if t  {l}  dom(h 0 ) or h 1 (t) if t  dom(h 1 ) = dom(h 0 [l:k]# h 1 (t) Note that the second equality holds because of (1&2) Corollary 1: For every l 1,..,l m,k 1,..,k m  N and heaps h 0 and h 1 s.t. {l 1,..,l m }  dom(h 1 )=  and dom(h 0 )  dom(h 1 ) = , (h 0 # h 1 )[l 1 :k 1,..,l m :k m ] = h 0 [l 1 :k 1,..,l m :k m ]# h 1

Proof of Seperability We shall prove a stronger claim: For every k, c, s, h, s k ’, h k ’ and h 0 s.t. (A) h=h 0 # h 1 (B) (c,  s,h 0  ) !  *  i. (c,  s,h  )  k (c k,  s’ k,h’ k  ) implies that an h’ 0,k exists s.t. (c,  s,h 0  )  k (c k,  s’ k,h’ 0,k  ) and h’ k =h’ 0,k #h 1 ii. (c,  s,h  )  k  s’ k,h’ k  implies that an h’ 0,k exists s.t. (c,  s,h 0  )  k  s’ k,h’ 0,k , h’ k =h’ 0,k # h 1 The proof is by induction on k. For k = 0 the claim is immediate. For k > 0, Assume (c,  s,h  )  k  s k ’,h k ’  By definition of  k exists c k-1,s’ k-1,h’ k-1 s.t. (c,  s,h  )  k-1 (c k-1,  s’ k-1,h’ k-1  )  s k ’,h k ’ . By the induction hypothesis, there exists h’ 0,k-1 s.t. (c,  s,h 0  )  k-1 (c k-1,  s’ k-1 ’,h’ o,k-1  ) and h’ k-1 = h’ o,k-1 # h 1 To prove i, we show the existence of h’ 0,k s.t. (c k-1,  s’ k-1,h’ 0,k-1  )  s k ’,h 0,k ’ . The proof continues by a case analysis on the form of the command c k-1. Note, however, that for any c k-1 which is not an heap manipulating command, the induction steps follows immediately: the inference rule justifying the transition (c k-1,  s’ k-1,h’ k-1  )  s k ’,h k ’  relies only on the content of the store and does not allow the heap to be modified, in particular, h’ k = h’ k-1. Thus, (a) by choosing h’ 0,k = h’ 0,k-1 we get that h’ k = h’ k-1 = h’ 0,k-1 # h 1, = h’ 0,k # h 1, and (b) the transition (c k- 1,  s’ k-1,h’ 0,k-1  )  s k ’,h 0,k ’  can be justified by the same inference rule which justifies (c k-1,  s’ k- 1,h’ k-1  )  s k ’,h k ’ . Note that the above judgment can be used to show that the lemma also holds when (c,  s,h  )  k (c k,  s k ’,h k ’  ) and for any c k-1 not of the form a;c k, when a is an heap manipulating command, thus we omit the proof of ii.

Proof of Seperability(Cont.) c k-1 := x=cons(e 1, …,e m ) By the cons inference rule, s k = s k-1 [x:l] and h ’ k =h ’ k-1 [l+i:[[e i ]]s k-1 |i=0, …,m-1] where {l,..l+m-1}  Address \ dom(h ’ k-1 ) (*). According to the induction hypothesis (h’ k-1 = h’ 0,k-1 # h 1 ) and the definition of #, dom(h ’ k-1 ) = dom(h ’ 0,k-1 )  dom(h 1 ). Thus, (*) implies that {l,..l+m-1}  Address \ dom(h ’ 0,k-1 ). As a result, the transition, (c k-1,  s’ k-1,h’ 0,k-1  )  s k ’,h 0,k ’  can be justified for h’ 0,k = h’ 0,k-1 [l+i:[[e i ]]s k-1 |i=0, …,m-1] Now, we need to show that h’ k =h’ 0,k #h 1. From (*), dom(h’ 0,k )={l,..l+m-1}  dom(h ’ 0,k-1 ) is disjoint from dom(h 1 ), thus, h’ 0,k #h 1 is defined. Also, h ’ k =h ’ k-1 [l+i:[[e i ]]s k-1 |i=0, …,m-1] = (h’ 0,k-1 # h 1 ) [l+i:[[e i ]]s k-1 |i=0, …,m-1] = ({l,..l+m-1}  dom(h 1 ) =  + lemma 1) h’ 0,k-1 [l+i:[[e i ]]s k-1 |i=0, …,m-1] # h 1 = h ’ 0,k # h 1

Proof of Seperability (Cont) c k-1 := [e 1 ]=e 2 By the mutation inference rule, s k = s k-1 and h ’ k =h ’ k-1 [ [[e 1 ]]s k-1 :[[e 2 ]]s k-1 ]. If [[e 1 ]]s k-1  dom (h ’ 0,k-1 ) then (c k-1,  s’ k-1 ’,h’ 0,k-1  ) . However, by our induction assumption we get that (c,  s,h 0  )  k-1 (c k-1,  s’ k-1 ’,h’ o,k-1  ). This implies (c,  s,h 0  )  *  which contradicts A. Thus, [[e 1 ]]s k-1  dom (h ’ 0,k-1 ). According to the mutation inference rule (c k-1,  s’ k-1,h’ 0,k- 1  )   s’ k, h’ 0,k  for s’ k =s’ k-1 and h’ 0,k =h’ 0,k-1 [ [[e 1 ]]s k-1 :[[e 2 ]]s k-1 ] Since [[e 1 ]]s k-1  dom (h ’ 0,k-1 ) and by our induction assumption (h’ k-1 = h’ 0,k-1 # h 1 ) we get that [[e 1 ]]s k-1  dom (h 1 ). Thus, the requirements of Lemma 1 are fulfilled and h ’ k = h ’ k-1 [ [[e 1 ]]s k-1 :[[e 1 ]]s k-1 ] = (h’ 0,k-1 # h 1 ) [ [[e 1 ]]s k-1 :[[e 1 ]]s k-1 ] = (h’ 0,k-1 [ [[e 1 ]]s k-1 :[[e 2 ]]s k-1 ] # h 1 ) = h’ 0,k # h 1

Proof of Seperability (Cont) c k-1 := x = [e 1 ] By the lookup inference rule, s k = s k-1 [ x:[[e 1 ]]s k-1 ] and h ’ k =h ’ k-1. Following the same reasoning as in the case of mutation, we can prove that [[e 1 ]]s k-1  dom (h ’ 0,k-1 ). Thus, according to the lookup inference rule (c k-1,  s’ k-1,h’ 0,k-1  )   s’ k, h’ 0,k  for s’ k =s’ k-1 [x :[[e 1 ]]s k-1 ] and h’ 0,k =h’ 0,k-1. By our induction assumption (h’ k-1 = h’ 0,k-1 # h 1 ), thus h’ k = h’ 0,k # h 1.

Proof of Seperability theorem c k-1 := dispose [e] By the de-allocation inference rule, s k = s k and h ’ k =h ’ k-1 | dom(h ’ k-1) - [e1]]sk-1 Following the same reasoning as in the case of mutation, we can prove that [[e]]s k-1  dom (h ’ 0,k-1 ) and that [[e]]s k-1  dom (h 1 ). Thus, according to the de-allocation inference rule (c k-1,  s’ k-1,h’ 0,k-1  )   s’ k, h’ 0,k  for s’ k =s’ k-1 and h’ 0,k =h’ 0,k-1 | dom(h ’ 0,k-1) - [e1]]sk-1. By our induction hypothesis (h’ k-1 = h’ 0,k-1 # h 1 ), Thus h ’ k = h ’ k-1 | dom(h ’ k-1) - [e1]]sk-1 = (h’ 0,k # h 1 ) | dom(h ’ k-1) - [e1]]sk-1 = ([[e]]s k-1  dom (h 1 )) h’ 0,k-1 | dom(h ’ 0,k-1) - [e1]]sk-1 # h 1 = h’ 0,k # h 1

Separation Logic SyntaxIntended Meaning e=fPure expression comparison efef A heap with one location pointed to by E with content F empEmpty heap p *qp and q hold in disjoint heaps true,false, p  q, p  q,  x: p standard e  _   l: e  l e  e 0, e 1, …, e n-1  e  e 0 *e+1  e 1 * … * e+n-1  e n-1  e  f  e  f * true

Semantics of separation logics s, h  E = F  E  s =  F  s s, h  E  F{  E  s} = dom(h) and h(  E  ) =  F  s s, h  emp h=[] s, h  P * Q exist h1, h2: h=h1 #h2 s, h1  P s, h2  Q

Semantics of separation logics(cont) s, h  false never s, h  P  Q if s, h  P then s, h  Q s, h   x. P exists v: [s | x :v], h  P

FormulaExample state x  3,y Store: x: , y:  Heap:  : 3,  +1:  y  3,x Store: x: , y:  Heap:  : 3,  +1:  x  3,y * y  3,x Store: x: , y:  Heap:  : 3,  +1  : 3,  +1:  ,  +1, , and  +1 disjoint x  3,y  y  3,xStore: x: , y:  Heap:  : 3,  +1:  x  3,y  y  3,xStore: x: , y:  Heap:  : 3,  +1:   : 3,  +1: 

Three “Small” Axioms {E  _} [E] := b {E  b} {emp} x := cons(y, z) {x  y, z} {E  _} dispose(E) {emp}

The Frame Rule {P} C {Q} {P * R} C {Q * R} Mod(C)  free(R)={} Mod(x := _) = {x} Mod([E]:=F) = {} Mod(dispose(E)) = {} Tight specification

A simple application of the frame rule {P} C {Q} {P * R} C {Q * R} Mod(C)  free(R)={} {(E  _ )* P } dispose(E) {P}

Sound Axioms p * q  q * p p * (q * r)  (p * q) * r p * emp  p (p  q) * r  (p * r)  (q * r) (p ⋀ q) * r  (p * r) ⋀ (q * r) (  x:p) * q   x: p * q (when x is not free in q)

Unsound Axioms P  P * P Contraction P= x  1 P * Q  P Weakening P= x  1 Q= y  2

The Reverse Example y: = nil ; while x  nil do ( t := y y := x x := [x +1] [y+1] := t )

The Reverse Example y: = nil ; while x  nil do ( t := y y := x x := [x +1] [y+1] := t ) , . list  y  list  x  rev(  0 )= rev(  ).  list  z  z= nil list a.  z   s: z  a, s  list  s

The Reverse Example y: = nil ; while x  nil do ( t := y y := x x := [x +1] [y+1] := t ) , . list  y  list  x  rev(  0 ) = rev(  ).   z: reach(x, z)  reach(y, z)  z=nil reach(a, b) =  n  0: reach n (a, b) reach 0 (a, b)  a = b reach i+1 (a, b)   h, t: a  h, t  reach i (t, b)

The Reverse Example y: = nil ; while x  nil do ( t := y y := x x := [x +1] [y+1] := t ) , . list  y * list  x  rev(  0 ) = rev(  ).

The Delete Example bool elem_delete(delval, c) prev=nil elem = c while (elem  nil) ( if (elem->val = delval) then ( if (prev = nil) then c = [elem+1] else [prev+1] = [elem+1]; dispose(elem); return TRUE) prev=elem; elem = [elem+1] prev=nil /\ list(c,nil)  prev != nil /\ (list (c,prev) * (prev  -,elem) * list (elem, nil)) list(x, y)  x=y  emp   t: x  _, t * list(t, y) {list(c, nil)}

Soundness of the Frame Rule Given: (A) {p} c {q} that is for all s, h such that s,h  p, (Aa) !  *  and (Ab) for all s’ h’ such that  *(s’,h’)>, s’ h’  q (B) where c does not change free variables of r Prove: {p*r} c {q*r} (C) that is, show for all s, h such that s,h  p*r, (Ca) !  *  and (Cb) for all s’ h’ such that  *(s’,h’)>, s’ h’  q*r (1) Let s, h such that s, h  p*r (2) By definition of p*r, there exists h0,h1 such that (2a) h = h0#h1 and (2b) s, h0  p and (2c) s, h1  r (3) From (2b) and (Aa for h0) follows that no abort in the small heap h0: !  *  (4) From (3) and [Mon for h0] follows that no abort in the large heap h: !  *  (this shows Ca) (5) To show (Cb), let s’ h’ such that  * (s’,h’) show that s’h’  q*r that is, show that there exists h’0 and h’1 such that (5a) h’=h’0#h’1 and (5b) s’ h’0  q and (5c) s’ h’1  r (6) From (3) and [SEP for h h0] and (s’h’ from 5) there exists h’0 such that h’= h’ 0 # h1 (so (5a) holds for h’0 and h1) and (6a)  * (s’, h’ 0 ) (7) From (6a) and (Ab for h0 and h’0) follows that s’,h’0  q (this shows (5b) ) (8) From (2c) and (B) follows that  r (this shows (5c) for h’1 being h1)

Montonicity Axiom p1  p2, q1  q2 p1 * q1  p2 * q2

Type of assertions Pure independent of the heap Strictly-exact holds for exactly one heap Domain-exact holds for exactly one domain Intuitionistic monotonic in the heap

Garbage The assertion language does not allow garbage collection Can limit the assertion language to allow garbage collection

Applications Manual program verification –Deautch-Shorr-Waite –Copy GC (POPL’04) –Algorithms on DAGs (Space’04) –Resource ownership (POPL’04) Limited to exact predicates Justify other formalisms –Confinement (POPL’02) –Ownership

Missing Logic of bunch implications Completeness Concurrency Resource ownership Complexity results Substructural logic

History [Burstall 1972] Separating Conjunctions (implicit) ]Reynolds 1999] Explicit Separating Conjunctions [Ishtiaq & O’Hearn 2001] –Bunch implications –Frame rule