1. Stacks, Heaps and Regions: One Logic to Bind Them David Walker Princeton University SPACE 2004

2. Stacks, Heaps and Regions: One Logic to Bind Them David Walker Princeton University With: Amal Ahmed & Limin Jia

3. David WalkerStacks, Heaps and Regions: One Logic to Bind Them3 Certifying Compilers  Certifying compilers produce: »machine code + »safety proof type safety thread safety memory safety  Uses: »trustworthy mobile code »safety-critical systems »compiler debugging Source Program Certifying Compiler Machine Code + Safety Proof

4. David WalkerStacks, Heaps and Regions: One Logic to Bind Them4 Certifying Compilers Low-level Typing Abstractions JavaC #ML Transform, Optimize Machine Code + Safety Proof (Typing Invariants Encoded)  Low-level typing abstractions: »support diverse source languages »support diverse implementation & optimization strategies »clean interface between compiler and mechanical safety checkers

5. David WalkerStacks, Heaps and Regions: One Logic to Bind Them5 TALx86 Lessons [Morrisett et al.]  Checking control-flow safety is fairly easy  State & memory management is the hard part »new typing algorithms for each new compiler trick machine register state heap memory (pointers, structs,...) stack memory (stack pointers, stack structs,...) user-managed memory (more pointers, aliasing info,...)  Results: »complex, ad hoc axioms (type checker less trust-worthy) »repeated work »abstractions not generally composable or reusable

6. David WalkerStacks, Heaps and Regions: One Logic to Bind Them6 A Goal for SPACE 20...  What we are looking for: A new proof-carrying code system/typed assembly language for safe memory management »More uniform; more general »Easier to understand (simpler semantics) »Allows reuse and composition of abstractions  A promising approach: Search for new logics that can capture common storage invariants »Following Ishtiaq, O’Hearn, Pym, Reynolds, and others insights on storage semantics & separation logic »And Pfenning, CMU crew and others logical design techniques & work on logical frameworks

7. David WalkerStacks, Heaps and Regions: One Logic to Bind Them7 This Talk…  What recurring properties of memory do we need to reason about in a proof-carrying code system?  Internalizing storage properties in a modal & substructural logic »Semantics of formulae  Using the logic to describe state in a low-level type system (briefly)  Related & Future work »This talk based on work at TLDI 03; LICS 03

8. David WalkerStacks, Heaps and Regions: One Logic to Bind Them8  The memory for the heap is separate from the memory for the stack  The register EAX is separate from register EBX (and ECX, etc...)  In general, memory A is separate from memory B if the domain of A does not overlap with the domain of B Property #1: Separation EAXEBX 7 8 9 14 15 74 75 stackheap

9. David WalkerStacks, Heaps and Regions: One Logic to Bind Them9  The importance of separation: »If memory A is separate from memory B then updates to A have no impact on B »Eg: updating the stack does not change values in the heap »Eg: updating EAX does not change the contents of EBX »Eg: deallocating region r1 has no impact on region r2 (if they are separate)  Present in »Linear type systems »TALx86 »Ishtiaq, O’Hearn, Reynolds separation logic Property #1: Separation

10. David WalkerStacks, Heaps and Regions: One Logic to Bind Them10  A struct is a sequence of adjacent locations  An activation record is a sequence of adjacent locations  A stack is a sequence of adjacent activation records  In general, A is adjacent to B if the greatest location in A is next to the least location in B, and A is separate from B Property #2: Adjacency 7 8 9 a1a1 a2a2 top rest...

11. David WalkerStacks, Heaps and Regions: One Logic to Bind Them11  The importance of adjacency: »If memory A is adjacent to memory B and we can access A then we can access B »Eg: using a pointer to the beginning of a struct, we can access all of its elements »Eg: using a pointer to the top of the stack, we can access the items in the current activation record  Present in »TALx86 »Foundational PCC (Appel et al) »Ordered type systems (Petersen et al.) Property #2: Adjacency

12. David WalkerStacks, Heaps and Regions: One Logic to Bind Them12  Register EAX can contain an integer value (or a pointer value or other kinds of values)  A memory location (say, 7 ) can contain a sequence of 32 bits  A user-managed memory region may contain a collection of memory locations. Property #3: Containment 3 EAX 7 on 0: off 1: on 31:... R7R7 7 13 7 22

13. David WalkerStacks, Heaps and Regions: One Logic to Bind Them13  The importance of containment: »If A is contained in memory region r and region r has property P then A has property P »Eg: EAX may contain an integer --- if so, we can add 3 to the contents of EAX »Eg: Memory region R1 may contain live data --- if so, we can dereference pointers into that region  Present in »Tofte & Talpin’s region calculus »Cardelli, Gardner, Ghelli Gordon’s ambient, tree & graph logics »TALx86 (registers, static data segment, stack & heap) Property #3: Containment

14. David WalkerStacks, Heaps and Regions: One Logic to Bind Them14  Two pointers are aliases of one another if they are the same location.  Aliasing information is important since changing memory at x changes memory at y  Present in »every system!! »Talx86 reasoned about heap aliases and stack aliases Property #4: Aliasing 3 xy (x = y)

15. David WalkerStacks, Heaps and Regions: One Logic to Bind Them15 This Talk…  What recurring properties of memory are convenient for reasoning in a proof-carrying code system?  Internalizing storage properties in a modal & substructural logic »Semantics of formulae  Using the logic to describe state in a low-level type system  Related & Future work »This talk based on work at TLDI 03; LICS 03

16. David WalkerStacks, Heaps and Regions: One Logic to Bind Them16 Preliminaries - Memories  A memory is a mapping from locations to values.  Each location may have a single successor.  Successor relation gives rise to an ordering.  Locations may be composite » ::= ∗ |.n eg: *.R 1.a 7 *.R 2.a 14.b 0 m a 6 r1r1 7 r2r2 3 5 1 16 17 9

17. David WalkerStacks, Heaps and Regions: One Logic to Bind Them17 Formulae Predicatesq::=  | … FormulaeF::= q | … Semantics of formulae given by: m  F @ “F describes memory m, whose contents are located in place ” ( acts like a constraint on the memory) Simplest case: m   @ iff dom(m)={ } and m( ) : 

18. David WalkerStacks, Heaps and Regions: One Logic to Bind Them18 Formulae Example m  int @ 3 if 5 3 m (notice: m( 3 ) : int )

19. David WalkerStacks, Heaps and Regions: One Logic to Bind Them19 Formulae – Separation Predicatesq::=  | … FormulaeF::= q | F 1 ⊗  F 2 | … m  F 1 ⊗  F 2 @ iff exists disjoint m 1 and m 2 such that m 1  F 1 @ and m 2  F 2 @ and m=m 1  m 2

20. David WalkerStacks, Heaps and Regions: One Logic to Bind Them20 Formulae – Separation Example m 1  F 1 @ *m 2  F 2 @ * 7 3 m1m1 5 7 8 9 m2m2 16 17 3 16 r6r6

21. David WalkerStacks, Heaps and Regions: One Logic to Bind Them21 Formulae – Separation Example m 1  m 2  F 1 ⊗ F 2 @ * 7 3 m1m2m1m2 5 7 8 9 16 17 r6r6 16 3

22. David WalkerStacks, Heaps and Regions: One Logic to Bind Them22 Formulae – Adjacency Predicatesq::=  | … FormulaeF::= q | F 1 ⊗  F 2 | F 1 ○  F 2 | … m  F 1 ○  F 2 @ iff there exist adjacent (and disjoint) m 1, m 2 such that m 1  F 1 @ and m 2  F 2 @ and m=m 1  m 2

23. David WalkerStacks, Heaps and Regions: One Logic to Bind Them23 Formulae – Adjacency Example m 1  F 1 @ * m 2  F 2 @ * 7 3 m1m1 b 5 7 8 9 m2m2 c 10 16 17

24. David WalkerStacks, Heaps and Regions: One Logic to Bind Them24 Formulae – Adjacency Example m 1  m 2  F 1 ○ F 2 @ * 7 3 b 5 7 8 9 c 10 16 17 m1m2m1m2

25. David WalkerStacks, Heaps and Regions: One Logic to Bind Them25 Formulae – Containment Predicatesq::=  | … FormulaeF::= q | F 1 ⊗  F 2 | F 1 ○  F 2 | n[F] | … m  n[F] @ iff m  F @.n

26. David WalkerStacks, Heaps and Regions: One Logic to Bind Them26 Formulae - Containment Example m  eax[int] @ * sincem  int @ *. eax 5 eax since m(*.eax) : int m

27. David WalkerStacks, Heaps and Regions: One Logic to Bind Them27 Formulae - Containment Example m  eax[int] ⊗  ebx[char] @ * 5 eax m ‘a’ ebx

28. David WalkerStacks, Heaps and Regions: One Logic to Bind Them28 Formulae - Containment Example m  eax[int] ⊗  ebx[char] @ * since m1  eax[int] @ * and m2  ebx[char] @ * 5 eax m ‘a’ ebx

29. David WalkerStacks, Heaps and Regions: One Logic to Bind Them29 Formulae - Containment Example m  eax[int] ⊗  ebx[char] @ * since m1  eax[int] @ * and m2  ebx[char] @ * since m1  int @ *. eaxand m2  char @ *.ebx 5 eax m ‘a’ ebx

30. David WalkerStacks, Heaps and Regions: One Logic to Bind Them30 Aliasing Types  int | bool | S( ) |... Predicatesq::=  | … FormulaeF::= q | F 1 ⊗  F 2 | F 1 ○  F 2 | n[F] | …  ⊢ v : S( ) iff v = (all values with type S( ) are aliases of one another)

31. David WalkerStacks, Heaps and Regions: One Logic to Bind Them31 Aliasing  Example  m ⊨ eax[S(*.a2)] ⊗ ebx[S(*.a2)] ⊗ a2[int] @ * eax m ebx 7 a2a2 aliases

32. David WalkerStacks, Heaps and Regions: One Logic to Bind Them32 One More Useful Predicate Types  int | bool | S( ) |... Predicatesq::=  | more  | more  FormulaeF::= q | F 1 ⊗  F 2 | F 1 ○  F 2 | n[F] |... m  more  m  more  m 7 8 9 6 5 4... m 17 18 19 16 15 14...

33. David WalkerStacks, Heaps and Regions: One Logic to Bind Them33 Simple Machine Memory Layout ( more  ○  hd [  ] ○ F tail ○ F heap ○ ap [   ’] ○ more  )  ⊗  r 1 [  1 ] ⊗  r 2 [  2 ] ⊗  ⊗  sp [S( hd )] ⊗  ap [S( ap )] ... hd... ap spr1r1 r2r2 ap more  F tail F heap  more 

34. David WalkerStacks, Heaps and Regions: One Logic to Bind Them34 More logic Predicatesq::=  | more  | more  FormulaeF::= q | F 1 ⊗  F 2 | F 1 ○  F 2 | n[F] | 1 | F 1 -o F 2 | F 1  F 2 | ㄒ | F 1 ⊕  F 2 | 0 |  |  b. F |  b.F Bindingsb::= :L | n:N |  :T |  :F m  1 iff dom(m) is empty m  F 1  F 2 iff m  F 1 and m  F 2 m  ㄒ (holds for any memory m)....

35. David WalkerStacks, Heaps and Regions: One Logic to Bind Them35 Logical Deduction Judgments have the form  F @  is a variable context – a list of free variables & their kinds  is a bunched context – trees rather than lists (O’Hearn & Pym, 1999) . | (F @ ) |  object at a place separate storage (exchange prop) adjacent storage (no exchange prop)

36. David WalkerStacks, Heaps and Regions: One Logic to Bind Them36  The natural deduction rules are sound with respect to the storage semantics  Semantics of contexts : m    Theorem (Soundness) If m   and ‧  F @ then m  F @. Logical Deduction

37. David WalkerStacks, Heaps and Regions: One Logic to Bind Them37 This Talk…  What recurring properties of memory are convenient for reasoning in a proof-carrying code system?  Internalizing storage properties in a modal & substructural logic »Semantics of formulae  Using the logic to describe state in a low-level type system  Related & Future work »This talk based on work at TLDI 03; LICS 03

38. David WalkerStacks, Heaps and Regions: One Logic to Bind Them38 Mini-KAM – Simplified ML Kit Abstract Machine Registersr::=acc1 | acc2 | sp Valuesv ::=.... Instructions  ::= immed1( v ) | immed2( v ) | add | sub | push | pop | selectStack( i ) | storeStack( i ) | select( i ) | store( i ) | letRgnInf | endRgnInf | alloc( i ) register ops stack ops region ops

39. David WalkerStacks, Heaps and Regions: One Logic to Bind Them39 Types  ::=int | S( ) | live | dead | (F @ ) →  0 Integers5 : int Places : S( ) Region statuslive : livedead : dead Code Locationsc : (F @ ) →  0 Means it is safe to jump to c with a memory m such that m  F @ Mini-KAM Types

40. David WalkerStacks, Heaps and Regions: One Logic to Bind Them40 Mini-KAM – Simplified ML Kit Abstract Machine Mini-KAM Store Hierarchy ∗ st[more  ○ a k [-] ○.. ○ a 1 [-] ○  ] R 1 [live ⊗ F ⊗ (a[-] ○ more  acc1 acc2 sp stack R 1... R n current activation record stack tail live region description of data in region allocation boundary stack area

41. David WalkerStacks, Heaps and Regions: One Logic to Bind Them41 Judgments of the form F @ can be used to describe the pre and postconditions of instructions Instruction typing judgment:  F @  : F’ @ ’ Using Formulae in Typing Rules

42. David WalkerStacks, Heaps and Regions: One Logic to Bind Them42 Judgment :  F @  : F’ @ ’ In J, look up the type of place.n: J(.n) = F if ‧  J  ( ㄒ ⊗ n[F] ) @ Rule for add instruction: (F @ )( ∗.acc1) = int (F @ )( ∗.acc2) = int  F @ add : F @ Using Formulae in Typing Rules

43. David WalkerStacks, Heaps and Regions: One Logic to Bind Them43 Judgment  J  : J’ (where J is of the form F @ p) J( ∗.sp)=S( ∗.stack.n 0 ) J( ∗.acc1)=   J storeStack (i) : J[ ∗.stack.n o + i :=  ] Using Formulae in Typing Rules ( storeStack ) In J, update the type of place.n o + i: J[.n o +i :=  ] = (F1 ○  n 0 [-] ○ ‧‧‧ ○ n i [  ] ○  F2) ⊗ F3 @ if ‧  u:J  ((F1 ○  n 0 [-] ○ ‧‧‧ ○ n i [-] ○  F2) ⊗ F3) @

44. David WalkerStacks, Heaps and Regions: One Logic to Bind Them44 This Talk…  What recurring properties of memory are convenient for reasoning in a proof-carrying code system?  Internalizing storage properties in a modal & substructural logic »Semantics of formulae  Using the logic to describe state in a low-level type system  Related & Future work »This talk based on work at TLDI 03; LICS 03

45. David WalkerStacks, Heaps and Regions: One Logic to Bind Them45 Related Work  Reasoning about adjacency »Stack-based TAL (Morrisett et al., 1998) »Foundational PCC – reasoning about memory allocation (Appel et al.) » ord - calculus for reasoning about data layout at the frontier (Petersen et al., 2003)  Reasoning about aliasing »Long history... singleton types for aliasing (Smith, Walker & Morrisett) continue to be useful  Spatial logics : separation and/or containment »BI, separation logic (Ishtiaq, O’Hearn, Reynolds & others, 2000, 2001) »Ambient logic (Cardelli & Gordon, 2000) »Tree and graph logics (Cardelli, Gardner, Ghelli, 2002)

46. David WalkerStacks, Heaps and Regions: One Logic to Bind Them46 Lots More Work to Do  Add inductive definitions & syntactic rules for reasoning about arrays, recursive data structures  Investigate encodings for common invariants »stack-allocation algorithms »region-allocation algorithms »aliasing patterns  Better understand the connection between modal (hybrid) logic & regions

47. David WalkerStacks, Heaps and Regions: One Logic to Bind Them47 Conclusion  Described a unified framework for reasoning about »Separation »Adjacency »Containment »Aliasing  Semantics are sound, simple and uniform  Logic forms the basis for a sound and flexible low- level type system  See TLDI 03; LICS 03 for details

48. David WalkerStacks, Heaps and Regions: One Logic to Bind Them48

49. David WalkerStacks, Heaps and Regions: One Logic to Bind Them49

50. David WalkerStacks, Heaps and Regions: One Logic to Bind Them50 when two bits of storage (at a1 and a2) may alias:  a1.  a2. (a1[int] ⊗ ㄒ ) & (a2[int] ⊗ ㄒ ) both memories satisfy the formula: May Alias Formula 5 a1 7 a2 5 a

51. David WalkerStacks, Heaps and Regions: One Logic to Bind Them51 CodeDescribing Formula (b-stackgrow) ( x 2 ) (b-unpack) ( x 2 ) sub sp,sp,2 st sp[0],r1 st sp[1],r2 ld r1,sp[0] ld r2,sp[1] add sp,sp,2 Example: Saving Temporaries on the Stack (more  ○ 1 [  1 ] ○ 2 [  2 ] ○ [  ] ○ F 1 ) ⊗ sp [S( )] ⊗ r1 [  1 ] ⊗ r2 [  2 ] F pre (more  ○ 1 [  1 ] ○ 2 [  2 ] ○ [  ] ○ F 1 ) ⊗ sp [S( 1 )] ⊗ r1 [  1 ] ⊗ r2 [  2 ] F post

52. David WalkerStacks, Heaps and Regions: One Logic to Bind Them52 Types  ::=int | S(p) | (F @ p) →  0 Informally, c : (F @ p) →  0 means it is safe to jump to c with a memory m such that m  F @ p Formulae Wrapped in Types

53. David WalkerStacks, Heaps and Regions: One Logic to Bind Them53 Motivation: Certifying Compilers Source Program Certifying Compiler Safety ProofMachine Code

54. David WalkerStacks, Heaps and Regions: One Logic to Bind Them54 Parse, Typecheck Motivation: Certifying Compilers Source Program Safety ProofMachine Code High-level Typed IL Analysis, Optimization Medium-level Typed IL Code Generation Typed Assembly Language Assembler Prover Type- preserving Compiler Hints

55. David WalkerStacks, Heaps and Regions: One Logic to Bind Them55 Motivation: Certifying Compilers Java Safety ProofMachine Code Optimize Optimize Optimize Medium-level Typed IL Code Generation Typed Assembly Language Assembler Prover Type- preserving Compiler Hints High TIL High TIL High TIL JavaML

56. David WalkerStacks, Heaps and Regions: One Logic to Bind Them56 Motivation: Proof-Carrying Code  The Princeton foundational PCC system (Appel et al.)  Scaling PCC to production compilers and realistic languages  Some requirements: »Multiple source languages, single target language »Core proof system must be general and flexible support for general language features handle different implementation and optimization strategies »Trusted computing base should be small to limit security bugs

57. David WalkerStacks, Heaps and Regions: One Logic to Bind Them57 PCC System – Layers of Abstraction Higher-order logic Machine spec Semantics of types Low-level typing abstractions High-level typing abstractions Compiler support for a range of language features general & flexible interface to compiler

58. David WalkerStacks, Heaps and Regions: One Logic to Bind Them58 A Hard Problem (Semantics)  Semantics of memory updates and memory reuse  Semantic model of ML-style mutable references (Ahmed, Appel, Virga, 2002)  To handle ML function closures: »extended model with mutable references to (impredicative) polymorphic types (Ahmed, Appel, Virga, 2003)  To allow memory reuse: »extended model to support region-based memory management

59. David WalkerStacks, Heaps and Regions: One Logic to Bind Them59 Motivation: Certifying Compilers Prover Machine Code + Safety Proof Typing abstractions (TAL) JavaC #ML High-level Typed IL Analysis, Optimization Medium-level Typed IL Should be general & flexible; support many language features implementation + optimization strategies

60. David WalkerStacks, Heaps and Regions: One Logic to Bind Them60 Typing Abstractions for Memory  Reasoning about memory is complicated »many different memory management strategies, aliasing patterns, data layout possibilities, etc.  Systems for safe mobile code would benefit from »a unified framework for reasoning about a variety of invariants »convenient abstractions that help structure proofs of memory safety

61. David WalkerStacks, Heaps and Regions: One Logic to Bind Them61 Abstractions for Memory? Machine Code + Safety Proof TALx86 Source High TIL Medium TIL Cornell Popcorn & Cyclone VCGen + Prover Machine Code + Safety Proof Source High TIL Medium TIL Cedilla Systems Special J Prover Machine Code + Safety Proof LTAL Source High TIL Medium TIL Princeton Foundational PCC

62. David WalkerStacks, Heaps and Regions: One Logic to Bind Them62 Abstractions for Memory? Machine Code + Safety Proof TALx86 Source High TIL Medium TIL Cornell Popcorn & Cyclone VCGen + Prover Machine Code + Safety Proof Source High TIL Medium TIL Cedilla Systems Special J Prover Machine Code + Safety Proof LTAL Source High TIL Medium TIL Princeton Foundational PCC

63. David WalkerStacks, Heaps and Regions: One Logic to Bind Them63 Abstractions for Memory? Reasoning about memory is complicated: many different memory management strategies, aliasing patterns, data layout possibilities, etc. Machine Code + Safety Proof TALx86 Source High TIL Medium TIL Cornell Popcorn, Cyclone VCGen + Prover Machine Code + Safety Proof Source High TIL Medium TIL Cedilla Systems Special J Prover Machine Code + Safety Proof LTAL Source High TIL Medium TIL Princeton Foundational PCC

64. David WalkerStacks, Heaps and Regions: One Logic to Bind Them64 Typing Abstractions for Memory?  Reasoning about memory is complicated »many different memory management strategies, aliasing patterns, data layout possibilities, etc. Machine Code + Safety Proof TALx86 Source High TIL Medium TIL Cornell Popcorn & Cyclone VCGen + Prover Machine Code + Safety Proof Source High TIL Medium TIL Cedilla Systems Special J Prover Machine Code + Safety Proof LTAL Source High TIL Medium TIL Princeton Foundational PCC

65. David WalkerStacks, Heaps and Regions: One Logic to Bind Them65 Types  ::=int | S(p) | (F @ p) →  0 Informally, c : (F @ p) →  0 means it is safe to jump to c with a memory m such that m  F @ p Formulae Wrapped in Types

66. David WalkerStacks, Heaps and Regions: One Logic to Bind Them66 Lessons from Typed Assembly Language  Lesson 1: »Much of the type theory designed for higher-level languages can be reused to help verify machine code. TAL is “just” the closed, continuation-passing style polymorphic lambda calculus (++)  Lesson 2: »The hard part is memory management & memory safety.

67. David WalkerStacks, Heaps and Regions: One Logic to Bind Them67 One Logic to Bind Them  New goals for general-purpose safe memory management »composable abstractions »reusable abstractions »orthogonal abstractions »comprehensible abstractions  A unified & composable framework for reasoning about »separation of objects (memory blocks) »adjacency of objects »aliasing of pointers »containment of one place in another  Proof that deduction in our logic is sound with respect to the memory model  Use logic in a type system for an IL for region-based memory management (Mini-KAM) and prove that the language is sound

68. David WalkerStacks, Heaps and Regions: One Logic to Bind Them68 This Talk…  Logical formulae and the memory model »Flat memory »Hierarchical memory  Type system for Mini-KAM (informally)

69. David WalkerStacks, Heaps and Regions: One Logic to Bind Them69 A Logical Approach to Memory Management  One logic for reasoning about key storage properties: »separation of objects (memory blocks) »adjacency of objects »containment of one place in another »aliasing of pointers  Logic comes with »orthogonal connectives to internalize key properties »syntactic proof rules »sound store semantics  Logic is incorporated into a typed abstract machine »safe stack, heap and region-based memory management

70. David WalkerStacks, Heaps and Regions: One Logic to Bind Them70 Formulae – Multiplicative Unit Predicatesq::= [  ] | … FormulaeF::= q | F 1 ⊗  F 2 | F 1 ○  F 2 | 1 | … m  1 iff m

71. David WalkerStacks, Heaps and Regions: One Logic to Bind Them71 Hierarchical Memories R1R1 7 8 9 R2R2 14 15 m

72. David WalkerStacks, Heaps and Regions: One Logic to Bind Them72 Path/placep ::= ∗ | p.n eg: *.R 1. 7 *.R 2. 14 Hierarchical Memories, Paths R1R1 7 8 9 R2R2 14 15 m ∗ R1R1 R2R2 7 8 9 14 15

73. David WalkerStacks, Heaps and Regions: One Logic to Bind Them73 Path/placep ::= ∗ | p.n eg: *.R 1. 7 *.R 2. 14 A hierarchical memory is a mapping from paths to values. Hierarchical Memories, Paths R1R1 7 8 9 R2R2 14 15 m =A 1 ∗ R1R1 R2R2 7 8 9 15 14 b 0 b 1 … b 31

74. David WalkerStacks, Heaps and Regions: One Logic to Bind Them74 Formulae – Containment Predicates q::=  | more  | more  FormulaeF::= q | F 1 ⊗  F 2 | F 1 ○  F 2 | 1 | F 1  F 2 | ㄒ | F 1 ⊕  F 2 | 0 |  |  b. F |  b.F | n[F] Bindings b::= p:P | n:N |  :T |  :F Semantics given by: m  F @ p

75. David WalkerStacks, Heaps and Regions: One Logic to Bind Them75 Formula Semantics – Separation FormulaeF::= … | F 1 ⊗  F 2 | … | n[F] m  (F 1 ⊗  F 2 ) @ p iff there exist disjoint m 1 and m 2 m 1  F 1 @ p and m 2  F 2 @ p and m=m 1  m 2

76. David WalkerStacks, Heaps and Regions: One Logic to Bind Them76 Formula Semantics – Separation Example m 1  F 1 @ ∗ m 2  F 2 @ ∗ dom(m 1 )={ ∗.R 5. 3 }dom(m 2 )={ ∗.R 5. 4 } R5R5 m1m1 3 3 R5R5 m2m2 4 3

77. David WalkerStacks, Heaps and Regions: One Logic to Bind Them77 Formula Semantics – Separation Example m 1  F 1 @ ∗ m 2  F 2 @ ∗ dom(m 1 )={ ∗.R 5. 3 }dom(m 2 )={ ∗.R 5. 4 } R5R5 m1m2m1m2 3 3 R5R5 4 3 m 1  m 2  (F 1 ⊗  F 2 ) @ ∗

78. David WalkerStacks, Heaps and Regions: One Logic to Bind Them78 Sample Deductive Rules  Each connective is defined in terms of judgmental concepts only; no dependencies on other connectives  Simpler to understand & manipulate  ∥ F @ p ⊢ F @ p (hypothesis)  ∥  ⊢ n[F] @ p (n[] I)  ∥  ⊢ F @ p.n (n[] E)  ∥  ⊢ n[F] @ p