An Introduction to Separation Logic, and the Benefits of going Higher-order … · 2013-04-30 ·...

An Introduction to Separation Logic,and the Benefits of going Higher-order

(A Tutorial)

Lars Birkedal

Logic and Semantics GroupDept. of Comp. Science, Aarhus University

April 2013

Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 1 / 39

Separation Logic

Program Logic a la Hoare Logic for reasoning about programswith pointers (or references to shared mutable data) [Reynolds,O’Hearn, . . ., 2000+]Main feature: it facilitates modular reasoning, formalized viaso-called frame rule, using a connective called separatingconjunction.


Hoare Logic - a recap

Programming Language: imperative while-languageAssertion Language: first-order logic w. equalitySpecifications for partial correctness:

{P}C{Q}if s P and C, s → s′, then s′ Q.

Rules for deriving specifications (including rules for first-orderlogic).


Separation Logic

Programming Language: as before but now with C-like pointersSpecifications for partial correctness:

{P}C{Q}if s,h P and C, s,h→ s′,h′, then s′,h′ Q.

Assertion Language: first-order logic w. equality + BI connectives:s,h emp iff h is the empty heaps,h x 7→ 5 iff h is the singleton heap with one location s(x) withvalue 5.s,h P ∗Q iff h can be split into h1 and h2, with disjoint domains,such that s,h1 P and s,h2 Q.s,h P −−∗ Q iff . . ..


Examples of “small” axioms

{x 7→ −}dispose(x){emp}

{x 7→ −}[x ] := e{x 7→ e}

Modular Reasoning via Frame Rule:{P}C {Q}

{P ∗ R}C {Q ∗ R}(assuming Mod(C) ∩ FV (R) = ∅).


Example: in-place list reversal

Linked list of cons-cells.Program: reverse =

j := nil; while i != nil do (k:=[i+1]; [i+1]:=j; j:=i; i:=k)

Local specification:

{list(α, i)} reverse {list(rev(α), j)}

where list(α, i) is def’ by ind. on sequence α:

list([], i) def= i = nil ∧ emp

list(n :: α, i) def= ∃j . i 7→ (n, j) ∗ list(α, j).


Example: in-place list reversal, II

Points to notice:Local reasoning: the precondition list(α, i) only describes resourcesneeded by reverse (the footprint of reverse)Having proved local spec, frame rule gives, e.g.:

{list(α, i) ∗ list(β, k)} reverse {list(rev(α), j) ∗ list(β, k)}

Hence we can (re-)use the specification in larger contexts.

In summa: standard separation logic makes it easy to reasonabout pointer programs when we can find some way to separatedata structures into disjoint parts.


Example: Cheney’s Copying GC

2

3 4 5

root

1 2

(1)

scan free maxFreeoffset

UFINFIN

BUSY

UFWD

FWD

· · ·FREE

NEW

OLD

[Torp-Smith, Birkedal, Reynolds, POPL’2004]


Model and Soundness

a set [[Val]] interpreting the type Val of valuesa set [[Loc]] of locations such that [[Loc]] ⊆ [[Val]]a set H = [[Loc]] ⇀fin [[Val]] of heaps (finite partial functions)partial binary operation ∗ on heaps:

h1 ∗ h2 =

{h1 ∪ h2 if h1#h2undefined otherwise,

where h1#h2 iff Dom(h1) ∩ Dom(h2) = ∅Given stack s : Var ⇀fin [[Val]], terms interpreted as usual:

[[x ]]s = s(x)[[n]]s = [[n]][[t1 ± t2]]s = [[t1]]s ± [[t2]]s. . .


Interpretation of assertions

s,h |= φ, where FV (φ) ⊆ Dom(s):

s,h |= t1 = t2 iff [[t1]]s = [[t2]]ss,h |= t1 7→ t2 iff Dom(h) = {[[t1]]s} and h([[t1]]s) = [[t2]]ss,h |= emp iff h = ∅s,h |= > alwayss,h |= ⊥ nevers,h |= φ ∗ ψ iff there exists h1,h2 ∈ H such that h1 ∗ h2 = h and

s,h1 |= φ and s,h2 |= ψs,h |= φ −−∗ ψ iff for all h′,h′#h and s,h′ |= φ implies s,h ∗ h′ |= ψs,h |= φ ∨ ψ iff s,h |= φ or s,h |= ψs,h |= φ ∧ ψ iff s,h |= φ and s,h |= ψs,h |= φ→ ψ iff s,h |= φ implies s,h |= ψs,h |= ∀x .φ iff for all v ∈ [[Val]], s[x 7→ v ],h |= φs,h |= ∃x .φ iff there exists v ∈ [[Val]], such that s[x 7→ v ],h |= φ


Sound Proof Rules

Standard predicate logic + rules from bunched implications:

(φ ∗ ψ) ∗ θ `Γ φ ∗ (ψ ∗ θ) φ ∗ (ψ ∗ θ) `Γ (φ ∗ ψ) ∗ θ

`Γ φ↔ φ ∗ emp φ ∗ ψ `Γ ψ ∗ φ

φ `Γ ψ θ `Γ ω

φ ∗ θ `Γ ψ ∗ ωφ ∗ ψ `Γ θ

φ `Γ ψ −−∗ θ

BI, a substructural logic, related to linear logic.See [O’Hearn, Pym: The Logic of Bunched Implications, BSL1999]


Specification logic

[[∆l ; ∆p ` {P} c {Q}]](sl) ⇐⇒

∀sp ∈ [[∆p]].∀h ∈ [[∆l ,∆p ` P]](sl , sp).

(c, sp,h) is safe ∧

(c, sp,h) ⇓ (s′p,h′) ⇒ h′ ∈ [[∆ ` Q]](sl , s′p)

[[∆l ; ∆p ` ∀x :τ. δ]](sl) ⇐⇒

[[∆l ; ∆p ` δ]](sl)[x 7→v ]) for all v ∈ [[τ ]].

. . .


Proof RulesJudgements of form ∆l ; ∆p | Γ ` δ, with logical variables ∆l , programvariables ∆p, specification logic assumptions Γ, and specification logicformula δ.Rules for commands, e.g.,

∆l ; ∆p | Γ ` {E 7→ −} [E ] := E ′{E 7→ E ′}Rule of Consequence:

∆l ; ∆p ` P → P ′ ∆l ; ∆p | Γ ` {P ′} c {Q′} ∆l ; ∆p ` Q′ → Q∆l ; ∆p | Γ | Γ ` {P} c {Q}

Frame Rule:∆l ; ∆p ` {P} c{Q}

∆l ; ∆p | Γ ` {P ∗ R} c {Q ∗ R} Mod(c) ∩ FV (R) = ∅

Forall Rule:∆l , x :τ ; ∆p | Γ ` δ∆l ; ∆p | Γ ` ∀x :τ. δ

x 6∈ FV (Γ)


Soundness of proof rules

In traditional separation logic:Mostly straightforward.Frame rule relies on properties of operational semanticsSafety Monotonicity For all c, s, h, if (c, s,h) is safe, then for all

heaps h′ s.t. h′#h, (c, s,h ∗ h′) is also safe.Frame Property For all c, s, h, if (c, s,h) is safe and h′#h, then

(c, s,h ∗ h′) ⇓ (s′,h′′), implies that there is h0 disjointfrom h′ such that h′′ = h0 ∗ h′ and (c, s,h) ⇓ (s′,h0).(relies on nondeterministic memory allocation).


Variations

Intuitionistic models (assertions upwards closed wrt. heapextension) for languages with no explicit deallocation.Permission models (fractions, etc.) for more fine-grained notionsof separation, allowing multiple readers of same location.. . .


Modular Reasoning for Modules

Let us call separation logic as above for first-order separation logicand the frame rule for first-order frame rule.As we have seen, first-order separation logic provides modularreasoning for first-order programs.What about second-order or higher-order programs ?(programming languages with some kind of module facility).Example: a program that uses a stack module.Ideally, a client of a stack module should not know about how thestack module is implemented.So seek logic that supports reasoning about clients withoutrevealing info about module implementation.Two lines of development

higher-order separation logic supporting data abstractionseparation logic with higher-order frame rules for hiding


Higher-Order Separation Logic ExampleStack ADT

stackspec =∃α : Type.∃inv : α× N list→ Prop.

{emp}new() {s : α. inv(s, [])} ×∀s : α.∀x : N.∀l : N list{inv(s, l)}push(s, x) {inv(s, x :: l)} ×∀s : α.∀x : N.∀l : N list{inv(s, x :: l)}pop(s){y : N. inv(s, l) ∧ y = x}.

Modularity: clients can use the spec without knowing anythingabout how the stack is implemented (since abstract in the invpredicate).Different stack implementations can meet this spec.Presented at ESOP 2005 [Biering, Birkedal, Torp-Smith](second-order (“abstract predicates”) version independently byParkinson-Biermann, POPL 2005, for OO language)


Models of HOSL: BI-Hyperdoctrines

Focus first on extending the assertion logic to higher-order logic.As suggested by the example, have in mind many-typedformulation with

τ ::= Val | . . . | 1 | τ × τ | τ → τ | Prop

Seek an approach that covers the many variations needed inapplications.So let’s pause and think about abstract models of higher-orderlogic.


BI Hyperdoctrines — OverviewA hyperdoctrine is a categorical formalization of a model ofpredicate logic [Lawvere 1969]. Sound and complete for IHOL.Toposes also sound and complete for IHOL.BI Hyperdoctrines sound and complete for IHOL + BI

Hyperdoctrine

Toposes

Sub_E(−)

BI−Hyperdoctrine


First-order Hyperdoctrines, I

Let C be a category with finite products. A first-order hyperdoctrine Pover C is a contravariant functor P : Cop → Poset s.t.:

Each P(X ) is a Heyting algebra.Each P(f ) : P(Y )→ P(X ) is a Heyting algebra homomorphism.There is an element =X of P(X × X ) satisfying that for allA ∈ P(X × X ),

> ≤ P(∆X )(A) iff =X≤ A.


First-order Hyperdoctrines, II

For each product projection π : Γ× X → Γ in C,P(π) : P(Γ)→ P(Γ× X ) has both a left adjoint (∃X )Γ and a rightadjoint (∀X )Γ:

A ≤ P(π)(A′) if and only if (∃X )Γ(A) ≤ A′

P(π)(A′) ≤ A if and only if A′ ≤ (∀X )Γ(A).

Natural in Γ.


Interpretation in Hyperdoctrines

Types and terms interpreted by objects and morphisms of CEach formula φ with free variables in Γ is interpreted as aP-predicate [[φ]] ∈ P([[Γ]]) by induction on the structure of φ usingdefinining properties of hyperdoctrine.A formula φ with free variables in Γ is satisfied if [[φ]] is > in P([[Γ]]).Sound and complete for intuitionistic predicate logic.A first-order hyperdoctrine is sound for classical predicate logic incase all the fibres P(X ) are Boolean algebras and all thereindexing functions P(f ) are Boolean algebra homomorphisms.


Hyperdoctrines

A (general) hyperdoctrine is a first-order hyperdoctrine with thefollowing additional properties:C is cartesian closed; andthere is H ∈ C and a natural bijection ΘX : Obj(P(X )) ' C(X ,H).

Cartesian closure interprets higher types.Type of propositions is interpreted by H.

Basic Example:C = SetP(X ) = Sub(X ).H = 2


BI Hyperdoctrines

Recall: A BI algebra is a Heyting algebra, which has an additionalsymmetric monoidal closed structure (emp, ∗, −−∗) (i.e., satisfyingthe rules shown earlier).Define: A first-order hyperdoctrine P over C is a first-order BIhyperdoctrine in case

all the fibres P(X ) are BI algebras, andall the reindexing functions P(f ) are BI algebra homomorphisms

Likewise for general BI hyperdoctrines.


First-Order Predicate BI

Predicate logic with equality extended with emp, φ ∗ ψ, φ −−∗ ψsatisfying the rules shown earlier.Theorem The interpretation of first-order predicate BI is soundand complete.Also for classical predicate BI, of courseHigher-order Predicate BI

Higher-order predicate logic extended with BI as above.BI hyperdoctrines sound and complete class of models.


Example of BI hyperdoctrine

Let B be a complete BI algebra. Define Set-indexed BI hyperdoctrine:P(X ) = BX , functions from X to B, ordered pointwiseFor f : X → Y , P(f ) : BY → BX is comp. with f .=X (x , x ′) is > if x = x ′, otherwise ⊥.Quantification: for A ∈ BΓ×X

(∃X )Γ(A)def= λi ∈ Γ.

∨x∈X A(i , x)

(∀X )Γ(A)def= λi ∈ Γ.

∧x∈X A(i , x)

in BΓ.


Toposes and BI Hyperdoctrines

Earlier work showed how to use some toposes to modelpropostional BI (SubE(1) is a BI-algebra, for certain E)Toposes model (higher-order) predicate logic, since SubE is ahyperdoctrine.But, surprise, we cannot interpret predicate BI in toposes:

Theorem Let E be a topos and suppose SubE : Eop → Poset is a BIhyperdoctrine. Then the BI structure on each lattice SubE(X ) is trivial,i.e., for all ϕ,ψ ∈ SubE(X ), ϕ ∗ ψ ↔ ϕ ∧ ψ.


Separation Logic as a BI Hyp.

P(H) is a complete Boolean BI algebra, ordered by inclusion.Let S be the BI hyperdoctrine induced by the complete Boolean BIalgebraTheorem h ∈ [[φ]](v1, . . . , vn) iff [x1 7→ v1, . . . , xn 7→ vn],h φ.(also works for other models of separation logic, e.g., intuitionisticand permissions models)The BI hyperdoctrine S also gives a model of higher-orderseparation logic, with P(H) the set of truth values.Really, we have only talked about the assertion logic of separationlogic.But, since types and terms in the specification logic areinterpreted as sets, and P(H) is a set, we can also quantify overProp in the specification logic, as used in the stack example.


Applications of HOSL

Data abstraction, cf. stack example from above.Formalization of separation logic

applications (e.g., proof of Cheney GC) used various extensions ofseparation logic, with relations, trees, etc.point is that they are all definable in higher-order logic, no need forad-hoc extensions:Let 2 = {⊥,>}. There is a canonical map ι : 2→ P(H). Sayφ : X → P(H) is pure if there is a map χφ : X → 2 s.t. φ = ι ◦ χφ.The sub-logic of pure predicates is simply the standard classicalhigher-order logic of Set.Allows to use classical higher-order logic for defining lists, trees,etc.In particular, recursive definitions of predicates, earlier done at themeta-level, can now be done inside the higher-order logic itself.


HOSL Applications, II

Logical characterizations of classes of formulas, e.g.,Traditional definition of a precise: q is precise iff, for s,h, there isat most one subheap h0 of h such that s,h0 q.Prop. q is precise iff

∀p1,p2 : Prop. (p1 ∗ q) ∧ (p2 ∗ q)→ (p1 ∧ p2) ∗ q

is valid in the BI hyperdoctrine S.Thus: can make logical proofs about precise formulas.


HOSL Applications, III

(Returning to program proving applications)General (generic / polymorphic) specifications and proofs ofpolymorphic programsParameterized list predicate:

plist(P, [], i) def= i = nil ∧ emp

plist(P, x :: β, i) def= ∃j . i 7→ (x , j) ∗ P(x) ∗ plist(P, β, j)

Generic specification:

β : seqInt ` ∀P : PropInt . {plist(P, β, i)} reverse {plist(P, β†, j)},

Point: one general spec (hence one proof of implementation code)that can be instantiated at will by clients.


Higher-Order Frame Rules (a sketch)

Hiding the resource invariant.Abstract stack spec:

stackspec =∀P : N→ Prop.

∀x : N.{P(x)}push(x) {emp} ∧{emp}pop(){r : 1 + N. (∃n. r = inr(n)→ P(n)) ∧

(r = inl(∗)→ emp)}.

Proof of client relative to abstract spec:

stackspec ` client


Apply HO-frame rule:

(stackspec ` client)⊗ inv

Inferstackspec⊗ inv ` client⊗ inv

and then distribute inv over pre- and post-conditions in stackspecto get

{P(x) ∗ inv}push(x) {emp ∗inv} ∧{emp ∗inv}pop(){r : 1 + N. (∃n. r = inr(n)→ P(n) ∗ inv) ∧

(r = inl(∗)→ emp ∗inv)}.}

that matches an implementation with resource invariant inv .


Analogy and references

HOSL approach: polymorphic typesHOFR approach: subtyping(analogy not formalized)Second-order frame rule [O’Hearn, Yang, Reynolds, POPL 2004]Higher-order frame rules [Birkedal, Torp-Smith, Yang, LICS 2005]For recent account for higher-order language, withbells-and-whistles, see [Schwinghammer, Birkedal, Pottier, Reus,Stovring, Yang: A step-indexed Kripke model of hidden state.Mathematical Structures in Computer Science 23(1): 1-54 (2013)]HOFR also useful for structuring reasoning about assembly code,see [Jensen, Benton, Kennedy: High-level Separation Logic forLow-level Code, POPL-2013]


What is involved in models of HOFR ?

Two technical points regarding models of HOFR that have proveduseful elsewhere.

1 For prog. lang. with higher-order function: how to express thatprograms behave “locally” (safety monotonicity and frame property)?

We do not, we just require that all proved programs satisfy the framerule (bake it in to the interpretation). Analogous to how parametricmodels of System F are constructed. First done in [LICS 2005] papermentioned above.

2 Hiding / HOFR rule done via Kripke model (world consists of thehidden resources that programs should preserve).

With higher-order store, the set of worlds is recursively defined inCBUlt (see [Birkedal et. al.: Step-Indexed Kripke Models overRecursive Worlds, POPL’2011] and [MSCS-2013] paper mentionedabove).


Recursion / Step-Indexing

Need some mathematical technique to establish soundness ofproof rules for recursive functions.For instance, domain theory or step-indexing.Omitted today (step-indexing will be discussed in talk onThursday).


Views

(a glimpse)General framework for compositional reasoning aboutconcurrencyFraming and compositionality for thread-local reasoning capturedvia ∗.Instances cover (concurrent) separation logic, rely-guarantee,combinations of separation logic and rely-guarantee, e.g.,concurrent abstract predicates. Also Kripke models of typesystems.


Separation Logic instance of Views(disregarding stacks for notational simplicity):

View = P(Σ), Σ = H separation algebra.Concrete machine states S = H, heaps.Reification map: I : View → P(S), I = h 7→ {h}.Semantics of triples {p} c {q}:

∀r ∈ View .∀x ∈ p ∗ r . ∀s ∈ I(x).c, s ⇓ s′ ⇒∃y ∈ q ∗ r . s′ ∈ I(y)

Observe:Quantification over frames (“baking-in” the frame rule).Standard operational semantics.

Instrumented states in Views as needed for logical reasoning.Reference: [Dinsdale-Young, Birkedal, Gardner, Parkinson, Yang:Views: Compositional Reasoning for Concurrency. POPL-2013]


Summary

First-order standard separationg logic for modular reasoning “inthe small”Higher-order separation / higher-order frame rules for modularreasoning “in the large” (for programs composed of modules)Mostly an overviewBut some details about how to construct models, which can be ofhelp when looking at the literature, both “old style” and “new style”.


Thank you for your attention.


An Introduction to Separation Logic, and the Benefits of going Higher-order … · 2013-04-30 ·...

Documents

Transcript of An Introduction to Separation Logic, and the Benefits of going Higher-order … · 2013-04-30 ·...