Presentation is loading. Please wait.

Presentation is loading. Please wait.

Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang."— Presentation transcript:

1 Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang

2 Outline The ideal assertion language Difficulties with pointers Solutions The separation logic Concurrent Separation Logic

3 Hoare Proof Rules for Partial Correctness {A} skip {A} {B[a/X]} X:=a {B} (Assignment Rule) {P} c 0 {C} {C} c 1 {Q} {P} c 0 ;c 1 {Q} {P  b} c 0 {Q} {P  b} c 1 {Q} {P} if b then c 0 else c 1 {Q} {I  b} c {I} {I} while b do c{I  b}  P  P’ {P’} c {Q’}  Q’  Q {P} c {Q} (Composition Rule) (Conditional Rule) (Loop Rule) (Consequence Rule)

4 The Ideal Assertion Language Natural Succinct Expressive –Closed under WP for every command Efficient algorithm for entailment checking

5 IMP++ Abstract syntax com::= X := a | X:= cons(a 1, a 2 ) | X := [a] |[a 1 ] := a 2 | dispose(a) | skip | com 1 ; com 2 | if b then com 1 else com 2 | while b do com|

6 Informal Semantics IMP++ Allocation x := cons(y, z) Heap lookup y := [x+1] Mutation [x + 1] := 3 Deallocation dispose(x+1) Store: [x:3, y:40, z:17] Heap: empty Store: [x:37, y:40, z:17] Heap: 37:40, 38:17 Store: [x:37, y:17, z:17] Heap: 37:40, 38:3 Store: [x:37, y:17, z:17] Heap: 37:40, 38:17 Store: [x:37, y:17, z:17] Heap: 37:40

7 First assertion language Aexpv a:= n | X | [a] | i | a 0 + a 1 | a 0 - a 1 | a 0  a 1 Assn A:= true | false | a 0 = a 1 | a 0  a 1 | A 0  A 1 | A 0  A 1 |  A | A 0  A 1 |  i. A |  i. A

8 Destructive Pointer Reversal y: = nil ; while x  nil do ( t := y y := x x := [x +1] [y+1] := t )

9 Assignment Axioms {?} [a 1 ] := a 2 {p} {?} [x] := z {[x] =y} {?} [t] := z {[x] =y}

10 Assignment Rule with Mutations [Morris 1982] Characterize aliasing patterns with assertions [McCharthy ?] Define a logic for stores heap:loc  val First order assertions over heap {p} [a 1 ] := a 2 {p[a 2 /heap(a 1 )]} [Burstall 1972] Local reasoning Split the heap into disjoints parts Contents can be shared {x=37  z=x  heap(37)=40} [x] := 77 {x=37  z=x  heap(37)=77}

11 Separation Logic x  y * y  x

12 Separation Logic x  y x y

13 Separation Logic y  x x y

14 Separation Logic x  y * y  x x y

15 Separation Logic x  y x y 42 10 42 x=10y=42

16 Separation Logic y  x x y 42 10 42 x=10y=42

17 Separation Logic x  y * y  x x y 42 10 42 x=10y=42

18 Assertions in Separation Logic SyntaxIntended Meaning e=fPure expression comparison efef A heap with one location pointed to by e with content f empEmpty heap p *qp and q hold in disjoint heaps true,false, p  q, p  q,  x: p standard e  _   l: e  l e  e 0, e 1, …, e n-1  e  e 0 * e+1  e 1 * … * e+n-1  e n-1  e  f  e  f * true

19 AssertionExample state x  3,y Store: x: , y:  Heap:  : 3,  +1:  y  3,x Store: x: , y:  Heap:  : 3,  +1:  x  3,y * y  3,x Store: x: , y:  Heap:  : 3,  +1  : 3,  +1:  ,  +1, , and  +1 disjoint x  3,y  y  3,xStore: x: , y:  Heap:  : 3,  +1:  x  3,y  y  3,xStore: x: , y:  Heap:  : 3,  +1:   : 3,  +1: 

20 Unsound Axioms p  p * p Contraction p= x  1 p * q  p Weakening p= x  1 q= y  2

21 In-Place Reasoning {x  7 * p} [x] := 7 {x  _ * p} {?}[x] := 7{true} {?}dispose(e){true} {p}dispose(e) {x  _ * p} if {p} c {q} holds then p describes the resources that c needs

22 Semantics of separation logics s, h  e = f  e  s =  f  s s, h  e  f{  e  s} = dom(h) and h(  e  ) =  f  s s, h  emp h=[] s, h  p * q exist h1, h2: dom(h1)  dom(h2)=  s, h1  p s, h2  q h = h1 # h2

23 Semantics of separation logics(cont) s, h  false never s, h  p  q if s, h  p then s, h  q s, h   x. p exists v: s[v/x], h  p

24 Three “Small” Axioms {e  _} [e] := b {e  b} {emp} x := cons(y, z) {x  y, z} {e  _} dispose(e) {emp}

25 The Frame Rule {p} c {q} {p * r} c {q * r} Mod(c)  free(r)={} Mod(x := _) = {x} Mod([e]:=f) =  Mod(dispose(e)) = 

26 A simple application of the frame rule {p} c {q} {p * r} c {q * r} Mod(c)  free(r)={} {(e  _ )* p } dispose(e) {p}

27 Inductive Definitions Define assertions inductively Allows natural specifications list [r] x  (r=   x= nil  emp)  (  a, s, y: r=a.s  x  a, y * list [s] y) list(x, y)  (x=y  emp)  (  t: x  _, t * list(t, y)) tree(r)  (r=nil  emp)  (  l, r: r  _, l, r * tree(l) * tree(r))

28 The Reverse Example y: = nil ; while x  nil do ( t := y y := x x := [x +1] [y+1] := t ) , . list [  ] y * list [  ] x  rev(  0 )= rev(  ). 

29 The Delete Example bool elem_delete(delval, c) prev=nil elem = c while (elem  nil) ( if ([elem] = delval) then ( if (prev = nil) then c = [elem+1] else [prev+1] = [elem+1]; dispose(elem); return TRUE) prev=elem; elem = [elem+1] prev=nil /\ list(c,nil)  prev != nil /\ (list (c,prev) * (prev  -,elem) * list (elem, nil)) list(x, y)  (x=y  emp)   t: x  _, t * list(t, y) {list(c, nil)}

30 Extensions For WP we need another operator “Fresh” implication p -* q –We can extend a heap in which p is true with an additional disjoint heap such that q is true in the combined heap

31 Disjoint Concurrency {p 1 } c 1 {q 1 } {p 2 } c 2 {q 2 } {p 1 * p 2 } c 1 || c 2 {q 1 * q 2 }

32 Disjoint Concurrency {p 1 } c 1 {q 1 } {p 2 } c 2 {q 2 } {p 1 * p 2 } c 1 || c 2 {q 1 * q 2 } {10  _} [10] := 5 || [10] := 7 {?} Cannot prove racy programs

33 Disjoint Concurrency {p 1 } c 1 {q 1 } {p 2 } c 2 {q 2 } {p 1 * p 2 } c 1 || c 2 {q 1 * q 2 } Preconditions can pick race free programs when they exist {x  3} [x] :=4 {[x]= 4}  {y  3} [y] :=7 {[y]= 7} {x  3 * y  3} {x  4 * y  7}

34 Example: Parallel Dispose Tree procedure dispTree(p) { local l, r if (p !=nil) then { l = [p+1]; r = [p+2]; dispose(p) || dispTree(l) || dispTree(r) }

35 Parallel Dispose Tree - Proof Sketch {tree(p)} dispTree(p) {emp} {p  _, l, r} dispose(p) {emp} {tree(l)} dispTree(l) {emp} {tree(r)} dispTree(r) {emp} p  _, l, r * tree(l) * tree(r) dispose(p) || dispTree(l) || dispTree(r) emp * emp * emp

36 Extensions Hoare Conditional Critical Regions –with r when B do C Fine-Grained Concurrency –Combine with Rely/Guarantee

37 Summary Separation logic provides a solution for the heap –Limited aliasing –Dynamic ownership Concise specifications Elegant proofs for several examples

Download ppt "Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Soundness of Higher-order Frame Rules (How did category theory help me?) Hongseok Yang Seoul National University Joint work with Lars Birkedal and Noah.

Soundness of Higher-order Frame Rules (How did category theory help me?) Hongseok Yang Seoul National University Joint work with Lars Birkedal and Noah.
Techniques for proving programs with pointers A. Tikhomirov.

Techniques for proving programs with pointers A. Tikhomirov.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Formal Semantics of Programming Languages 虞慧群 Topic 6: Advanced Issues.

Formal Semantics of Programming Languages 虞慧群 Topic 6: Advanced Issues.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Predicate Transformers

Predicate Transformers
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
Programming Language Semantics Axiomatic Semantics Chapter 6.

Programming Language Semantics Axiomatic Semantics Chapter 6.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.
Separation Logic A Logic of Shared Mutable Data Structures John Reynolds CMU Extended subset Mooly Sagiv.

Separation Logic A Logic of Shared Mutable Data Structures John Reynolds CMU Extended subset Mooly Sagiv.
Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space 03-640-760603-640-5358 html://www.cs.tau.ac.il/~msagiv/courses/sem03.html.

Programming Language Semantics Mooly SagivEran Yahav Schrirber 317Open space html://
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Semantics with Applications Mooly Sagiv Schrirber 317 03-640-7606 html://www.cs.tau.ac.il/~msagiv/courses/sem08.html Textbooks:Winskel The.

Semantics with Applications Mooly Sagiv Schrirber html:// Textbooks:Winskel The.

Similar presentations

Ads by Google