Transcript of the slides “A diagrammatic introduction to Separation Logic” by John Wickerson

[Slide 1]
A diagrammatic introduction to Separation Logic
John Wickerson, TU Berlin
Two 90-minute lectures, part of a course on ‘Quality Assurance of Embedded Systems’
January 2013
[Slide 2]
Outline
‣ A “VeriFast” introduction to Hoare logic
‣ List reversal in Hoare logic
‣ List reversal in separation logic
‣ Proof rules for separation logic
‣ Program variables as resource
[Slide 3]
Hoare logic
‣ Invented by Tony Hoare (now at Microsoft Research Cambridge, UK) in 1969
‣ A formal mathematical system based on annotating program code with assertions that must hold whenever execution reaches that point
‣ Basic unit is the Hoare triple, written {p} C {q}
  - Hoare’s original notation was p {C} q
[Slide 4]
Demo: simple examples in VeriFast
[Slide 5]
Meaning of Hoare triple
‣ What does {p} C {q} mean?
  - If C begins execution in a state satisfying p then any final state it reaches will satisfy q
[Slide 6]
Rules of Hoare logic

  {p ∧ b} C {p}
  ──────────────────────────
  {p} while b do C {p ∧ ¬b}

  {p ∧ b} C1 {q}    {p ∧ ¬b} C2 {q}
  ─────────────────────────────────
  {p} if b then C1 else C2 {q}

  ─────────────
  {p} skip {p}

  {p} C1 {q}    {q} C2 {r}
  ────────────────────────
  {p} C1 ; C2 {r}
[Slide 7]
Outline
‣ A “VeriFast” introduction to Hoare logic
‣ List reversal in Hoare logic
‣ List reversal in separation logic
‣ Proof rules for separation logic
‣ Program variables as resource
[Slide 8]
Proof of list reverse
{list δ x}
w := 0;
while (x≠0) do { z := [x+1]; [x+1] := w; w := x; x := z; }
{list -δ w}
(diagram of the heap before the loop: x points to the chain of cells a, b, c ending in 0, and w points to 0; the variables w, x, y, z are shown)
[Slide 9]
Proof of list reverse
{list δ x}
w := 0;
while (x≠0) do { z := [x+1]; [x+1] := w; w := x; x := z; }
{list -δ w}
(diagram: after one iteration, w points to cell a, which now points to 0, while x points to the remaining chain b, c ending in 0)
[Slide 11]
Proof of list reverse
{list δ x}
w := 0;
while (x≠0) do { z := [x+1]; [x+1] := w; w := x; x := z; }
{list -δ w}
(diagram: after two iterations, w points to cell b, which points to a and then 0, while x points to c, which points to 0)
[Slide 12]
Proof of list reverse
{list δ x}
w := 0;
while (x≠0) do { z := [x+1]; [x+1] := w; w := x; x := z; }
{list -δ w}
(diagram: at the loop head, x points to a list α and w to a list β, with δ = -β · α)
[Slide 13]
Proof of list reverse
{list δ x}
w := 0;
while (x≠0) do { z := [x+1]; [x+1] := w; w := x; x := z; }
Invariant at the loop head: ∃α,β. list α x ∧ list β w ∧ δ = -β·α
{list -δ w}
(diagram: x points to a list α and w to a list β)
[Slide 14]
Proof of list reverse
{list δ x}
w := 0;
while (x≠0) do { z := [x+1]; [x+1] := w; w := x; x := z; }
Invariant at the loop head: ∃α,β. list α x ∧ list β w ∧ δ = -β·α   ✘
{list -δ w}
(diagram: a heap in which the chains reached from x and from w share cells, which the invariant above does not rule out)
[Slide 15]
Proof of list reverse
{list δ x}
w := 0;
while (x≠0) do { z := [x+1]; [x+1] := w; w := x; x := z; }
Invariant at the loop head: ∃α,β. list α x ∧ list β w ∧ δ = -β·α ∧ (∀z. reach(x,z) ∧ reach(w,z) ⇒ z=0)
{list -δ w}
(diagram: x points to a list α and w to a list β)
[Slide 16]
Proof of list reverse
{list δ x}
listreverse(x,w)
{list -δ w}
[Slide 17]
Proof of list reverse
{list δ x ∧ list ε y}
listreverse(x,w)
{list -δ w}
[Slide 18]
Proof of list reverse
{list δ x ∧ list ε y}
listreverse(x,w)
{list -δ w}
(diagram: a heap satisfying the precondition, with x pointing to the chain a, b, c ending in 0 and w pointing to 0)
[Slide 19]
Proof of list reverse
{list δ x ∧ list ε y}
listreverse(x,w)
{list -δ w}
(diagram: the heap after listreverse(x,w) has run)
[Slide 20]
Proof of list reverse
{list δ x ∧ list ε y ∧ (∀z. reach(x,z) ∧ reach(y,z) ⇒ z=0)}
listreverse(x,w)
{list -δ w}
[Slide 21]
Proof of list reverse
{list δ x ∧ list ε y ∧ (∀z. reach(x,z) ∧ reach(y,z) ⇒ z=0)}
w := 0;
while (x≠0) do { z := [x+1]; [x+1] := w; w := x; x := z; }
Invariant at the loop head: ∃α,β. list α x ∧ list β w ∧ δ = -β·α ∧ (∀z. reach(x,z) ∧ reach(w,z) ⇒ z=0)
{list -δ w}
[Slide 22]
Proof of list reverse
{list δ x ∧ list ε y ∧ (∀z. reach(x,z) ∧ reach(y,z) ⇒ z=0)}
w := 0;
while (x≠0) do { z := [x+1]; [x+1] := w; w := x; x := z; }
Invariant at the loop head: ∃α,β. list α x ∧ list β w ∧ δ = -β·α ∧ (∀z. reach(x,z) ∧ reach(w,z) ⇒ z=0) ∧ list ε y ∧ (∀z. (reach(x,z) ∨ reach(w,z)) ∧ reach(y,z) ⇒ z=0)
{list -δ w}
[Slide 23]
Proof of list reverse
{list δ x ∧ list ε y ∧ (∀z. reach(x,z) ∧ reach(y,z) ⇒ z=0)}
w := 0;
while (x≠0) do { z := [x+1]; [x+1] := w; w := x; x := z; }
Invariant at the loop head: ∃α,β. list α x ∧ list β w ∧ δ = -β·α ∧ (∀z. reach(x,z) ∧ reach(w,z) ⇒ z=0) ∧ list ε y ∧ (∀z. (reach(x,z) ∨ reach(w,z)) ∧ reach(y,z) ⇒ z=0)
{list -δ w ∧ list ε y ∧ (∀z. reach(x,z) ∧ reach(y,z) ⇒ z=0)}
[Slide 24]
Proof of list reverse
{list δ x ∧ list ε y ∧ (∀z. reach(x,z) ∧ reach(y,z) ⇒ z=0)}
listreverse(x,w)
{list -δ w ∧ list ε y ∧ (∀z. reach(x,z) ∧ reach(y,z) ⇒ z=0)}
[Slide 25]
Outline
‣ A “VeriFast” introduction to Hoare logic
‣ List reversal in Hoare logic
‣ List reversal in separation logic
‣ Proof rules for separation logic
‣ Program variables as resource
[Slide 26]
The need for separation
The ‘list’ predicate:
list [ ] x ≝ (x = 0)
list (a::α) x ≝ (∃y. [x] = a ∧ [x+1] = y ∧ list α y)
(diagram: the cells a, b, c linked from x, ending in 0)
[Slide 27]
The need for separation
The ‘list’ predicate:
list [ ] x ≝ (x = 0)
list (a::α) x ≝ (∃y. [x] = a ∧ [x+1] = y ∧ list α y)
In separation logic (drawn as ribbons):
list [ ] x ≝ x = 0
list (a::α) x ≝ ∃y. a cell x holding a, a cell x+1 holding y, and list α y, drawn side by side as separate resources
[Slide 28]
The need for separation
[x] = a ∧ [y] = b
(diagram: a cell x holding a and a cell y holding b)
[Slide 29]
The need for separation
{list δ x}
w := 0;
while (x≠0) do { z := [x+1]; [x+1] := w; w := x; x := z; }
Invariant at the loop head (Hoare logic): ∃α,β. list α x ∧ list β w ∧ δ = -β·α ∧ (∀z. reach(x,z) ∧ reach(w,z) ⇒ z=0)
{list -δ w}
[Slide 30]
The need for separation
{list δ x}
w := 0;
Invariant at the loop head (separation logic): ∃α ∃β. list α x and list β w drawn side by side as separate ribbons, with δ = -β·α; the reach condition of slide 29 is absent
while (x≠0) do { z := [x+1]; [x+1] := w; w := x; x := z; }
{list -δ w}
[Slide 31]
The need for separation
{list δ x}
listreverse(x,w)
{list -δ w}
[Slide 32]
The need for separation
{list δ x}
listreverse(x,w)
{list -δ w}
with a separate ribbon list ε y drawn alongside the call
[Slide 33]
The need for separation
{list δ x}
listreverse(x,w)
{list -δ w}
with a separate ribbon list ε y drawn alongside the call (next animation step)
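As an added, runnable illustration of slides 26 to 33 (this is not part of the lecture and not VeriFast code): the ‘list’ predicate with the separating conjunction ∗ in place of the slides' ∧, the shared-cell heap that plain ∧ admits and ∗ rejects, and the list-reversal loop checked at every loop head against the invariant ∃α,β. list α x ∗ list β w ∧ δ = -β·α. Ribbons drawn side by side on the slides are ∗. The dict-based heap model, the footprint-returning predicates, the function names and the sample heaps are all assumptions of this example.

```python
"""Executable model of the 'list' predicate and of the list-reversal proof.

A heap is a dict from address (a positive int) to value; 0 is the null address.
Each predicate returns the set of addresses it owns (its footprint) when it
holds and None when it does not, so P * Q can be checked as 'both hold, on
disjoint footprints'.  All sample heaps here are constructed test data.
"""


def points_to(heap, addr, value):
    """The single-cell assertion: addr is allocated and holds value."""
    if addr != 0 and heap.get(addr) == value:
        return {addr}
    return None


def sep(*parts):
    """Separating conjunction of evaluated assertions: all must hold and their
    footprints must be pairwise disjoint (no cell claimed twice)."""
    if any(p is None for p in parts):
        return None
    owned = set()
    for p in parts:
        if owned & p:
            return None
        owned |= p
    return owned


def list_pred(heap, alpha, x):
    """list α x with * in place of the slides' ∧:
         list []     x  ≝  x = 0
         list (a::α) x  ≝  ∃y. (x holds a) * (x+1 holds y) * list α y
    The witness y of the ∃ is read off the heap."""
    if not alpha:
        return set() if x == 0 else None
    if x == 0 or x + 1 not in heap:
        return None
    y = heap[x + 1]
    return sep(points_to(heap, x, alpha[0]),
               points_to(heap, x + 1, y),
               list_pred(heap, alpha[1:], y))


def shared_cell_ok_with_and(heap, x, a, y, b):
    """Hoare-logic reading of [x] = a ∧ [y] = b: true even when x = y."""
    return heap.get(x) == a and heap.get(y) == b


def shared_cell_ok_with_sep(heap, x, a, y, b):
    """Separation-logic reading: x and y must be different cells."""
    return sep(points_to(heap, x, a), points_to(heap, y, b)) is not None


def read_list(heap, x):
    """Contents of the chain from x, or None if it is malformed or cyclic
    (a cyclic chain satisfies list α x for no α)."""
    out, seen = [], set()
    while x != 0:
        if x in seen or x not in heap or x + 1 not in heap:
            return None
        seen.add(x)
        out.append(heap[x])
        x = heap[x + 1]
    return out


def invariant(heap, x, w, delta):
    """∃α,β. list α x * list β w ∧ δ = -β·α   (-β is the reverse of β)."""
    alpha, beta = read_list(heap, x), read_list(heap, w)
    if alpha is None or beta is None:
        return False
    if sep(list_pred(heap, alpha, x), list_pred(heap, beta, w)) is None:
        return False
    return beta[::-1] + alpha == delta


def list_reverse(heap, x):
    """{list δ x} w := 0; while (x≠0) { z := [x+1]; [x+1] := w; w := x; x := z } {list -δ w}
    Updates the heap in place and checks the invariant at every loop head; returns w."""
    delta = read_list(heap, x)
    if delta is None or list_pred(heap, delta, x) is None:
        raise ValueError("precondition list δ x does not hold")
    w = 0
    while True:
        if not invariant(heap, x, w, delta):
            raise AssertionError("loop invariant violated")
        if x == 0:
            break
        z = heap[x + 1]     # z := [x+1]
        heap[x + 1] = w     # [x+1] := w
        w = x               # w := x
        x = z               # x := z
    if list_pred(heap, delta[::-1], w) is None:
        raise AssertionError("postcondition list -δ w does not hold")
    return w


def make_list(values, base=100):
    """Constructed sample heap: cell i lives at base+2i (value) and base+2i+1 (next)."""
    heap = {}
    for i, v in enumerate(values):
        heap[base + 2 * i] = v
        heap[base + 2 * i + 1] = base + 2 * (i + 1) if i + 1 < len(values) else 0
    return heap, (base if values else 0)


if __name__ == "__main__":
    heap, x = make_list([1, 2, 3])
    w = list_reverse(heap, x)
    print("reversed contents:", read_list(heap, w))
    print("∧ accepts one shared cell:", shared_cell_ok_with_and({5: 7}, 5, 7, 5, 7))
    print("* rejects it:", shared_cell_ok_with_sep({5: 7}, 5, 7, 5, 7))
```

The Hoare-logic invariant of slide 15 needed the extra conjunct ∀z. reach(x,z) ∧ reach(w,z) ⇒ z=0; here that work is done by `sep`, which fails as soon as the two lists claim a common cell, so `invariant` carries nothing beyond what the separation-logic ribbon of slide 30 shows.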
[Slide 34]
Outline
‣ A “VeriFast” introduction to Hoare logic
‣ List reversal in Hoare logic
‣ List reversal in separation logic
‣ Proof rules for separation logic
‣ Program variables as resource
[Slide 35]
Proof rules for separation logic
HEAP-WRITE: {a cell e} [e] := a {cell e holding a}
HEAP-READ: {cell e holding a} x := [e] {cell e holding a, with x=a}, providing ‘x’ does not appear in e
ALLOCATION: {no cells} x := alloc() {a fresh cell x}
DEALLOCATION: {a cell e} dispose(e) {no cells}
ASSIGN: {P[e/x]} x := e {P}
SKIP: {P} skip {P}
Rule of consequence: {P} may be replaced by {Q} providing ⟦P⟧ ⇒ ⟦Q⟧
(the slide also draws small examples: z := 7, cells at 42 holding 7 or z, and the annotations y=7, y=z, x=1, x=a)
[Slide 36]
Proof rules for separation logic
FRAME: from {P} C {Q} conclude {P beside R} C {Q beside R}: an untouched ribbon R may be drawn alongside any proof
CFRAME: from {P} C {Q} conclude {𝓒[P]} C {𝓒[Q]}, provided wr(C) ∩ rd(𝓒) = ∅,
where 𝓒 ::= − | 𝓒 p | p 𝓒 | ∃x. 𝓒   (a formula with a hole, built by side-by-side juxtaposition and ∃)
Example (FRAME): {cell 42 holding z} [42] := 7 {cell 42 holding 7} becomes the same proof with ∃z. (cell 17 holding z) drawn alongside
[Slide 37]
Proof rules for separation logic
SEQ: from {P} A {Q} and {Q} B {R} conclude {P} A; B {R} (the two proofs are stacked, sharing the middle assertion Q)
[Slide 38]
Proof rules for separation logic
Example (two framed steps, joined by SEQ):
{cell 42 holding z, ∃z. cell 17 holding z}
[42] := 7
{cell 42 holding 7, ∃z. cell 17 holding z}
a := [17]
{cell 42 holding 7, cell 17 holding a}
[Slide 40]
Proof rules for separation logic
Example (the two steps of slide 38 joined into one proof):
{cell 42 holding z, ∃z. cell 17 holding z}
[42] := 7
{cell 42 holding 7, ∃z. cell 17 holding z}
a := [17]
{cell 42 holding 7, cell 17 holding a}
[Slide 42]
Three assignments
{[x]=0 ∧ [y]=0 ∧ [z]=0}
[x] := 1
{[x]=1 ∧ [y]=0 ∧ [z]=0}
[y] := 1
{[x]=1 ∧ [y]=1 ∧ [z]=0}
[z] := 1
{[x]=1 ∧ [y]=1 ∧ [z]=1}
[Slide 43]
Three assignments
{[x]=0 ∧ [y]=0 ∧ [z]=0 ∧ x≠y ∧ y≠z ∧ x≠z}
[x] := 1
{[x]=1 ∧ [y]=0 ∧ [z]=0 ∧ x≠y ∧ y≠z ∧ x≠z}
[y] := 1
{[x]=1 ∧ [y]=1 ∧ [z]=0 ∧ x≠y ∧ y≠z ∧ x≠z}
[z] := 1
{[x]=1 ∧ [y]=1 ∧ [z]=1 ∧ x≠y ∧ y≠z ∧ x≠z}
[Slide 44]
Three assignments
(the same proof drawn with heap cells: boxes labelled x, y, z holding 0 or 1)
{cell x holding 0, cell y holding 0, cell z holding 0}
[x] := 1
{cell x holding 1, cell y holding 0, cell z holding 0}
[y] := 1
{cell x holding 1, cell y holding 1, cell z holding 0}
[z] := 1
{cell x holding 1, cell y holding 1, cell z holding 1}
[Slide 46]
Three assignments
(diagram: three separate ribbons, one per cell; [x] := 1 takes the x ribbon from 0 to 1 while the y and z ribbons pass by untouched, and likewise for [y] := 1 and [z] := 1)
[Slide 48]
Three assignments
(diagram: three separate ribbons, one per cell; each assignment takes its own cell from 0 to 1 and leaves the other two ribbons untouched)
[x] := 1
[y] := 1
[z] := 1
The Hoare-logic annotations, for comparison:
{[x]=0 ∧ [y]=0 ∧ [z]=0 ∧ x≠y ∧ y≠z ∧ x≠z}
[x] := 1
{[x]=1 ∧ [y]=0 ∧ [z]=0 ∧ x≠y ∧ y≠z ∧ x≠z}
[y] := 1
{[x]=1 ∧ [y]=1 ∧ [z]=0 ∧ x≠y ∧ y≠z ∧ x≠z}
[z] := 1
{[x]=1 ∧ [y]=1 ∧ [z]=1 ∧ x≠y ∧ y≠z ∧ x≠z}
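The FRAME rule of slide 36 and the three-assignment proof of slides 42 to 48, as an added executable model (not the lecture's material and not VeriFast code). A command runs on the local heap its precondition describes; the rest of the heap is held back as the frame R and rejoined afterwards, and any access outside the footprint faults, which is exactly what FRAME must exclude. The `Fault` class, the function names and the sample heaps are assumptions of this example.

```python
"""The FRAME rule, run rather than drawn.

A heap is a dict from address to value.  run_with_frame splits it into the
cells the command owns (P) and the rest (R), executes the command on P alone,
and returns Q * R.  All heaps below are constructed sample data.
"""


class Fault(Exception):
    """Raised on any access outside the cells the command owns."""


def read(local, addr):
    """x := [addr] on the local heap."""
    if addr not in local:
        raise Fault(f"read of {addr} outside footprint {sorted(local)}")
    return local[addr]


def write(local, addr, value):
    """[addr] := value on the local heap."""
    if addr not in local:
        raise Fault(f"write to {addr} outside footprint {sorted(local)}")
    local[addr] = value


def run_with_frame(heap, footprint, command):
    """FRAME: run command on the footprint only; R comes back untouched."""
    if not footprint <= set(heap):
        raise Fault("precondition fails: footprint not allocated")
    local = {a: heap[a] for a in footprint}
    frame = {a: v for a, v in heap.items() if a not in footprint}
    command(local)
    if set(local) != footprint:
        raise Fault("command changed its footprint (alloc/dispose not modelled here)")
    return {**local, **frame}


def touches_outside_footprint(heap, footprint, command):
    """True when the command faults on its local heap, i.e. it would have
    silently relied on cells that belong to the frame."""
    try:
        run_with_frame(heap, footprint, command)
        return False
    except Fault:
        return True


def star_points_to(heap, cells):
    """x1 holds v1 * ... * xn holds vn: distinct addresses, each allocated with its value."""
    addrs = [a for a, _ in cells]
    return len(set(addrs)) == len(addrs) and all(heap.get(a) == v for a, v in cells)


def three_assignments(heap, x, y, z):
    """{x holds 0 * y holds 0 * z holds 0} [x]:=1; [y]:=1; [z]:=1 {x holds 1 * y holds 1 * z holds 1}
    Each assignment is framed by the other two cells.  No x≠y side conditions
    appear: the * in the precondition already makes the three addresses distinct."""
    if not star_points_to(heap, [(x, 0), (y, 0), (z, 0)]):
        raise Fault("precondition fails")
    for addr in (x, y, z):
        heap = run_with_frame(heap, {addr}, lambda local, a=addr: write(local, a, 1))
    if not star_points_to(heap, [(x, 1), (y, 1), (z, 1)]):
        raise AssertionError("postcondition fails")
    return heap


def hoare_step_needs_distinctness(heap, x, y, z):
    """The ∧ version of slide 42: after [x] := 1, does [x]=1 ∧ [y]=0 ∧ [z]=0 hold?
    Only if x, y, z are distinct, which is why slide 43 adds x≠y ∧ y≠z ∧ x≠z."""
    h = dict(heap)
    h[x] = 1
    return h[x] == 1 and h[y] == 0 and h[z] == 0


if __name__ == "__main__":
    print(three_assignments({10: 0, 20: 0, 30: 0}, 10, 20, 30))
    print("aliased x=y under ∧:", hoare_step_needs_distinctness({10: 0, 20: 0}, 10, 10, 20))
    print("faults outside footprint:",
          touches_outside_footprint({10: 0, 20: 0}, {10}, lambda local: write(local, 20, 1)))
```

The side condition on slide 36, wr(C) ∩ rd(𝓒) = ∅, concerns program variables; for the heap cells modelled here the separation between P and R is what keeps R valid, and `touches_outside_footprint` reports any command for which that separation would be violated.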
[Slide 49]
Proof rules for separation logic
WHILE: from {P, b} A {P} conclude {P} while (b) { A } {P, ¬b}
IF: from {P, b} A {Q} and {P, ¬b} B {Q} conclude {P} if (b) { A } else { B } {Q}
(b and ¬b are drawn as ribbons beside P)
[Slide 50]
(ribbon proof of list reverse in separation logic; resources drawn side by side are separate)
{list δ x}
w := 0;
{list δ x, list [ ] w}
{∃α ∃β. list α x, list β w, δ = -β·α}
while (x≠0) {
  {∃α ∃β. list α x, list β w, δ = -β·α, x≠0}
  unfolding list α x: {∃α ∃β ∃i ∃x’. cell x holding i, cell x+1 holding x’, list α x’, list β w, δ = -β·(i::α)}
  z := [x+1];
  {cell x holding i, cell x+1 holding z, list α z, list β w, δ = -β·(i::α)}
  [x+1] := w;
  {cell x holding i, cell x+1 holding w, list α z, list β w, δ = -β·(i::α)}
  folding the cells at x with list β w: {list (i::β) x, list α z, δ = -(i::β)·α}
  w := x; x := z;
  {∃α ∃β. list α x, list β w, δ = -β·α}
}
{∃α ∃β. list α x, list β w, δ = -β·α, x=0}
x=0 gives α = [ ], so: {list -δ w}
[Slide 51]
Demo: List reverse in VeriFast
[Slide 52]
Outline
‣ A “VeriFast” introduction to Hoare logic
‣ List reversal in Hoare logic
‣ List reversal in separation logic
‣ Proof rules for separation logic
‣ Program variables as resource
[Slide 53]
Three assignments
(the three-ribbon proof of slide 46 again: [x] := 1, [y] := 1, [z] := 1, each taking its own cell from 0 to 1)
[Slide 54]
Three assignments
[x] := 1   [y] := 1   [z] := 1
(diagram: the three assignments now drawn side by side, each on its own ribbon, taking its cell from 0 to 1)
[Slide 55]
Variables as resource
w := x
x := z
(diagram: the assertions x=5, w=5, z=8 and x=8 drawn as ribbons around the two assignments)
[Slide 56]
Variables as resource
w := x
x := z
(diagram: the same layout as slide 55, marked ✘)
[Slide 57]
Variables as resource
ASSIGN: {a box for variable x} x := e {box x holding e}
(a program variable is drawn as a box, like a heap cell: x > 5 becomes ∃n. box x holding n, with n > 5; x = 5 becomes box x holding 5)
[Slide 58]
Variables as resource
w := x
x := z
(diagram: boxes for w, x and z as resource; w := x reads x and writes w, x := z reads z and writes x; values x=5, w=5, z=8, x=8)
[Slide 59]
Variables as resource
w := x
x := z
(diagram: as slide 58, with a frame x<7 on box x drawn beside x := z: ✘)
[Slide 60]
Variables as resource
w := x
x := z
(diagram: as slide 58, with a frame z>3 on box z drawn beside x := z)
[Slide 61]
Variables as resource
w := x
x := z
(diagram: as slide 58)
[Slide 62]
Variables as resource
w := x
x := z
(diagram: ownership of a variable can be split into fractions; the box x becomes ½ x beside ½ x, and the frame z>3 is carried on ½ z)
[Slide 63]
Variables as resource
w := x
x := z
(diagram: with x split into ½ x and ½ x, a frame x<7 carried on ¼ x beside x := z is marked ✘)
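Program variables as fractional resource, slides 57 to 63, as an added example that is not from the lecture. The arithmetic follows the Bornat, Calcagno and Yang paper in the further reading: an assertion owns a fraction in (0, 1] of each variable it mentions, writing needs the whole variable, reading needs any positive fraction, and fractions add when ribbons are placed side by side. The function names, the `own`/`star`/`split` interface and the sample permission maps are assumptions of this example.

```python
"""Program variables as resource with fractional permissions.

A permission map is {variable: fraction owned}.  x := e needs all of x and a
positive fraction of every variable in e.  P * Q adds fractions and is
undefined if any variable would exceed 1, so a frame can never mention a
variable the command writes.  All permission maps below are constructed.
"""
from fractions import Fraction


def own(**fracs):
    """A variable-resource assertion; each fraction must lie in (0, 1]."""
    perms = {v: Fraction(f) for v, f in fracs.items()}
    for v, f in perms.items():
        if not 0 < f <= 1:
            raise ValueError(f"fraction of {v} must lie in (0, 1], got {f}")
    return perms


def star(p, q):
    """P * Q on variable resource: fractions add; None if a variable exceeds 1."""
    out = dict(p)
    for v, f in q.items():
        out[v] = out.get(v, Fraction(0)) + f
        if out[v] > 1:
            return None
    return out


def split(p, var, part):
    """Split ownership of var into part and the remainder (½ x beside ½ x on slide 62)."""
    part = Fraction(part)
    if not 0 < part < p[var]:
        raise ValueError("can only split off a proper positive part")
    left, right = dict(p), {var: p[var] - part}
    left[var] = part
    return left, right


def assignment_allowed(p, target, sources):
    """ASSIGN (slide 57): x := e needs the whole box x and read access to each source."""
    return p.get(target, 0) == 1 and all(p.get(s, 0) > 0 for s in sources)


def frame_allowed(p, frame, target, sources):
    """FRAME for x := e: the frame must fit beside p (p * frame defined) and p must
    still license the assignment.  A frame holding any part of the written
    variable cannot fit, because p already holds all of it (slides 59 and 63)."""
    return star(p, frame) is not None and assignment_allowed(p, target, sources)


def run_assignments(state, perms, program):
    """Execute (target, source) copies in order, checking ownership before each."""
    state = dict(state)
    for target, source in program:
        if not assignment_allowed(perms, target, [source]):
            raise PermissionError(f"{target} := {source} is not licensed by {perms}")
        state[target] = state[source]
    return state


if __name__ == "__main__":
    body = own(x=1, z="1/2")          # what x := z itself needs
    print("frame z>3 on ½ z:", frame_allowed(body, own(z="1/2"), "x", ["z"]))   # slide 62
    print("frame x<7 on ¼ x:", frame_allowed(body, own(x="1/4"), "x", ["z"]))   # slide 63, ✘
    print(run_assignments({"x": 5, "z": 8}, own(w=1, x=1, z=1), [("w", "x"), ("x", "z")]))
```

With this accounting the classic frame side condition (the command must not write a variable the frame reads) is no longer a separate check: a frame that reads x holds a positive fraction of x, the command that writes x holds all of it, and `star` refuses the sum.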
[Slide 64]
(the ribbon proof of slide 50 redrawn with program variables as resource: boxes for w, x and z sit beside the heap ribbons, and each assignment takes the box it writes)
{list δ x}
w := 0;
{list δ x, list [ ] w}
{∃α ∃β. list α x, list β w, δ = -β·α}
while (x≠0) {
  {∃α ∃β ∃i ∃x’. cell x holding i, cell x+1 holding x’, list α x’, list β w, δ = -β·(i::α)}
  z := [x+1];
  [x+1] := w;
  {list (i::β) x, list α z, δ = -(i::β)·α}
  w := x;
  x := z;
}
{x=0, hence α = [ ]: list -δ w}
[Slide 65]
Some further reading
Separation Logic: A Logic for Shared Mutable Data Structures. By John C. Reynolds. In Proceedings of LICS, 2002. Available from http://www.cs.cmu.edu/~jcr/seplogic.pdf. The main reference for newcomers to separation logic.
Ribbon Proofs for Separation Logic. By John Wickerson, Mike Dodds and Matthew Parkinson. In Proceedings of ESOP, 2013. Available from http://www.cl.cam.ac.uk/~jpw48/ribbons_esop13.pdf. Introduces the ‘graphical’ reading of separation logic.
Variables as Resource in Separation Logic. By Richard Bornat, Cristiano Calcagno and Hongseok Yang. In Proceedings of MFPS, 2006. Available from http://www.eis.mdx.ac.uk/staffpages/r_bornat/papers/bornatentcs.pdf. Introduces the idea of treating program variables as ‘resources’.