Separation logic and fragments: from expressive power to decision - - PowerPoint PPT Presentation

Separation logic and fragments: from expressive power to decision procedures

St´ ephane Demri

CNRS – Marie Curie Fellow

Yorktown Heights, March 2015

In Memoriam: Morgan Deters

2

Overview

1

Separation Logic in a Nutshell

2

Expressive Power of 1SL

3

Playing with 1SL Restricted to a Single Variable (1SL1)

4

Expressiveness/Decision Procedure for 1SL1

5

A Taste of Other Decision Procedures

3

Separation Logic in a Nutshell

Separation Logic in a Nutshell

4

Floyd-Hoare logic

• Hoare triple: {φ} C {ψ} (partial correctness).

[Hoare, C. ACM 69; Floyd, 1967]

• If we start in a state where φ holds true and the command

C terminates, then it yields a state in which ψ holds.

Separation Logic in a Nutshell

5

Floyd-Hoare logic

• Hoare triple: {φ} C {ψ} (partial correctness).

[Hoare, C. ACM 69; Floyd, 1967]

• If we start in a state where φ holds true and the command

C terminates, then it yields a state in which ψ holds.

• Commands can be composed:

{φ} C1 {ψ} {ψ} C2 {ϕ} {φ} C1; C2 {ϕ}

• Strengthening preconditions / weakening postconditions:

φ ⇒ φ′ {φ′} C {ψ} ψ ⇒ ψ′ {φ} C {ψ′}

• Rule of constancy:

{φ} C {ψ} {φ ∧ ψ′} C {ψ ∧ ψ′} where no variable free in ψ′ is modified by C.

Separation Logic in a Nutshell

5

When separation logic enters into the play

• Unsoundness of the rule of constancy with pointers:

{∃u (x → u)} [x] := 4 {x → 4} {(∃u (x → u)) ∧ y → 3} [x] := 4 {x → 4 ∧ y → 3} x → u: “memory has a unique memory cell x → u”

Separation Logic in a Nutshell

6

When separation logic enters into the play

• Unsoundness of the rule of constancy with pointers:

{∃u (x → u)} [x] := 4 {x → 4} {(∃u (x → u)) ∧ y → 3} [x] := 4 {x → 4 ∧ y → 3} x → u: “memory has a unique memory cell x → u”

• Reparation with frame rule:

{φ} C {ψ} {φ ∗ ψ′} C {ψ ∗ ψ′} where no variable free in ψ′ is modified by C.

Separation Logic in a Nutshell

6

On separation logic

• Introduced by Ishtiaq, O’Hearn, Pym, Reynolds, Yang.
• Extension of Hoare logic with separating connectives.

[Reynolds, LICS’02]

• Reasoning about the heap with a strong form of locality

built-in.

• In a broad sense:

assertion logic + programming language + specification logic

Separation Logic in a Nutshell

7

On separation logic

• Introduced by Ishtiaq, O’Hearn, Pym, Reynolds, Yang.
• Extension of Hoare logic with separating connectives.

[Reynolds, LICS’02]

• Reasoning about the heap with a strong form of locality

built-in.

• In a broad sense:

assertion logic + programming language + specification logic

• A taste of separation logic:
• Models can be finite graphs.
• Binary modalities ∗ and −

∗.

• While evaluating a formula, models can be updated.

Separation Logic in a Nutshell

7

Memory states with one record field

• Program variables PVAR = {x1, x2, x3, . . .}.
• Memory state:
• Store s : PVAR → N.
• Heap h : N ⇀ N with finite domain.

(here, no distinction between locations and values)

1 11 12 121 122 2 3 31 311 4 41 411 4111 42 421 422 411 h

Separation Logic in a Nutshell

8

Disjoint heaps

• Disjoint heaps: dom(h1) ∩ dom(h2) = ∅ (noted h1 ⊥ h2).
• When h1 ⊥ h2, disjoint heap h1 ⊎ h2.

x1 x2 x3 x4 = x1 x2 x3 x4 ⊎ x1 x2 x3 x4

Separation Logic in a Nutshell

9

Syntax and semantics for 1SL

• Quantified variables FVAR = {u1, u2, u3, . . .}.
• Expressions: e ::= xi | uj
• Atomic formulae: π ::= e = e′ | e ֒

→ e′ | emp | ⊥

• Formulae: φ ::= π | φ ∧ ψ | ¬φ | φ ∗ ψ | φ −

∗ ψ | ∃ u φ

Separation Logic in a Nutshell

10

Syntax and semantics for 1SL

• Quantified variables FVAR = {u1, u2, u3, . . .}.
• Expressions: e ::= xi | uj
• Atomic formulae: π ::= e = e′ | e ֒

→ e′ | emp | ⊥

• Formulae: φ ::= π | φ ∧ ψ | ¬φ | φ ∗ ψ | φ −

∗ ψ | ∃ u φ

• (s, h) |

=f emp

def

⇔ dom(h) = ∅.

• (s, h) |

=f e = e′

def

⇔ e = e′, with x

def

= s(x), u

def

= f(u).

• (s, h) |

=f e ֒ → e′

def

⇔ e ∈ dom(h) and h(e) = e′.

Separation Logic in a Nutshell

10

Binary modality: separating conjunction

(s, h) | =f φ1 ∗ φ2

def

⇔ for some h1, h2 such that h = h1 ⊎ h2, (s, h1) | =f φ1 and (s, h2) | =f φ2

Separation Logic in a Nutshell

11

− ∗ universally quantifies over an infinite set !

(s, h) | =f φ1 − ∗ φ2

def

⇔ for all h′, if h ⊥ h′ and (s, h′) | =f φ1, then (s, h ⊎ h′) | =f φ2

Separation Logic in a Nutshell

12

Satisfiability problem

• (s, h) |

=f ∃ u φ

def

⇔ there is l ∈ N such that (s, h) | =f[u→l] φ where f[u → l] is the assignment equal to f except that u takes the value l.

Separation Logic in a Nutshell

13

Satisfiability problem

• (s, h) |

=f ∃ u φ

def

⇔ there is l ∈ N such that (s, h) | =f[u→l] φ where f[u → l] is the assignment equal to f except that u takes the value l.

• Satisfiability problem:

input: formula φ in 1SL question: are there (s, h) and f such that (s, h) | =f φ?

• Validity problem, entailment problem, . . .

Separation Logic in a Nutshell

13

Standard inference rules for mutation

• (s, h) |

=f x → u iff dom(h) = {s(x)} and h(s(x)) = f(u).

• Local form (MUL)

{∃u (x → u)} [x] := y {x → y}

• Global form (MUG)

{(∃u (x → u)) ∗ φ} [x] := y {x → y ∗ φ}

• Backward-reasoning form (MUBR)

{(∃u (x → u)) ∗ ((x → y) − ∗ φ)} [x] := y {φ}

Separation Logic in a Nutshell

14

Taming the magic wand semantics

• Controversy about the use of magic wand for verification.

See recent use in [Thakur & Breck & Reps, SPIN’14]

• Program variable x is allocated:

(x ֒ → x) − ∗ ⊥

• Equality between expressions e and e′ (u not in e,e′):

∀ u (u ֒ → e − ∗ u ֒ → e′)

Separation Logic in a Nutshell

15

Simple properties stated in 1SL

• The value of u is in the domain of the heap:

alloc(u)

def

= ∃u u ֒ → u (variant of (u ֒ → u) − ∗ ⊥)

• The heap has a unique cell u1 → u2:

u1 → u2

def

= u1 ֒ → u2 ∧ ¬∃u′ (u′ = u1 ∧ alloc(u′))

• The domain of the heap is empty: emp

def

= ¬∃ u alloc(u)

• u has at least k predecessors (2 options):

∃u1, . . . , uk

• i=j

ui = uj ∧

k

• i=1

ui ֒ → u

k times

• (∃ u (u ֒

→ u)) ∗ · · · ∗ (∃ u (u ֒ → u))

Separation Logic in a Nutshell

16

Expressive power / Decidability / Complexity

1SL ≡ DSOL ≡ WSOL ≡ 1SL(− ∗), undec. 1SL2, undec. 1SL(∗), dec., non-elem. 1SL2(− ∗) ≡ DSOL, undec. 1SL2(∗), non-elem. 1SL1, PSPACE-C 1SL0, PSPACE-C

• [Calcagno & Yang & O’Hearn, APLAS’01]

1SL0

• [Brochenin & Demri & Lozes, IC 12]

1SL(− ∗)

• [Demri & Galmiche & Larchey-Wendling & Mery, CSR’14]

1SL1

• [Demri & Deters, CSL-LICS’14]

1SL2(− ∗)

Separation Logic in a Nutshell

17

A smooth extension: 2SL

• Heap h : N ⇀ N × N with finite domain.
• When h1 ⊥ h2, disjoint heap h1 ⊎ h2.
• Atomic formulae: π ::= e = e′ | e ֒

→ e′, e′′ | emp | ⊥ (s, h) | =f e ֒ → e′, e′′

def

⇔ e ∈ dom(h) and h(e) = (e′, e′′)

• 2SL satisfiability problem is undecidable by reduction from

finitary satisfiability for classical predicate logic.

[Trakhtenbrot, 50; Calcagno & Yang & O’Hearn, APLAS 01]

• Validity in 2SL is not recursively enumerable.

Separation Logic in a Nutshell

18

Expressive Power of 1SL

Expressive Power of 1SL

19

Weak second-order logic WSOL

• Formulae:

φ ::= ui = uj | ui ֒ → uj | φ ∧ φ | ¬φ | ∃ ui φ | ∃ P φ | P(u1, . . . , un)

• h |

=V ∃ P φ iff there is a finite R ⊆ Nn such that h | =V[P→R] φ.

• h |

=V P(u1, . . . , un) iff (V(u1), . . . , V(un)) ∈ V(P).

• DSOL: Dyadic fragment of WSOL.
• Known reduction from WSOL to DSOL.

Expressive Power of 1SL

20

From 1SL to DSOL (internalization of 1SL semantics)

hp(P)

def

= ∀ u, u′, u′′ (P(u, u′) ∧ P(u, u′′)) ⇒ u′ = u′′ P = Q∗R

def

= ∀ u, u′ (P(u, u′) ⇔ (Q(u, u′) ∨ R(u, u′)) ∧ ¬(Q(u, u′)∧R(u, u′))

• Translation ∃ P (∀ u, u′ P(u, u′) ⇔ u ֒

→ u′) ∧ tP(φ): tP(u ֒ → u′)

def

= P(u, u′) tP(ψ ∗ ϕ)

def

= ∃ Q, Q′ P = Q ∗ Q′ ∧ tQ(ψ) ∧ tQ′(ϕ) tP(ψ − ∗ ϕ)

def

= ∀ Q ((∃ Q′ hp(Q′) ∧ Q′ = Q ∗ P) ∧ hp(Q) ∧ tQ(ψ)) ⇒ (∃ Q′ hp(Q′) ∧ Q′ = Q ∗ P ∧ tQ′(ϕ))

Expressive Power of 1SL

21

Principles to reduce DSOL into 1SL2(− ∗)

• Valuation heap encodes first-order and second-order

valuations.

• Pair (l, l′) belongs to Pi whenever l and l′ can be identified

thanks to some special patterns with arithmetical constraints on the number of predecessors.

• To be able to distinguish the original heap from the

valuation heap.

• To be able to have distinct patterns for different variables.

Expressive Power of 1SL

22

{2, 5, 7, 9}-well-formed heap

Expressive Power of 1SL

23

A translation T

• For every sentence φ in DSOL, for every heap h, we have

h | = φ iff h | = T(φ).

• WSOL and 1SL2(−

∗) have the same expressive power.

[Demri & Deters, CSL-LICS’14]

Expressive Power of 1SL

24

A translation T

• For every sentence φ in DSOL, for every heap h, we have

h | = φ iff h | = T(φ).

• WSOL and 1SL2(−

∗) have the same expressive power.

[Demri & Deters, CSL-LICS’14]

• Satisfiability problem for 1SL2(−

∗) is undecidable.

• Validity in 1SL is not recursively enumerable.
• . . . but 1SL(∗) is decidable by translation into weak

monadic 2nd order theory of (D, f, =).

[Rabin, Trans. of AMS 69]

Expressive Power of 1SL

24

Playing with 1SL Restricted to a Single Variable

(1SL0:PSPACE-complete — 1SL2:undecidable)

Playing with 1SL Restricted to a Single Variable (1SL1)

25

Simple properties stated in 1SL1

• Unique cell x1 → x2:

x1 → x2

def

= x1 ֒ → x2 ∧ ¬∃u (u = x1 ∧ ((u ֒ → u) − ∗ ⊥))

• The variable xi points to a location that is a loop:

toloop(xi)

def

= ∃ u (xi ֒ → u ∧ u ֒ → u). xi

• The variable xi points to a location that is allocated:

toalloc(xi)

def

= ∃ u (xi ֒ → u ∧ alloc(u)). xi

Playing with 1SL Restricted to a Single Variable (1SL1)

26

More properties

• Variables xi and xj point to a shared location:

conv(xi, xj)

def

= ∃ u (xi ֒ → u ∧ xj ֒ → u).

xi xj

• there is a location between xi and xj:

btwn(xi, xj)

def

= ∃u (xi ֒ → u ∧ u ֒ → xj).

xi xj

Playing with 1SL Restricted to a Single Variable (1SL1)

27

More properties

• Variables xi and xj point to a shared location:

conv(xi, xj)

def

= ∃ u (xi ֒ → u ∧ xj ֒ → u).

xi xj

• there is a location between xi and xj:

btwn(xi, xj)

def

= ∃u (xi ֒ → u ∧ u ֒ → xj).

xi xj

What else?

Playing with 1SL Restricted to a Single Variable (1SL1)

27

Expressive completeness

• We characterize the expressive power of 1SL1:

any 1SL1 formula is logically equivalent to a Boolean combination of atomic properties (yet to be defined).

• This extends results for 1SL0.

[Lozes, SPACE’04]

Playing with 1SL Restricted to a Single Variable (1SL1)

28

Partition one: self-loops, predecessors, etc.

• pred(s, h)

def

=

i pred(s, h, i) with

pred(s, h, i)

def

= {l′ : h(l′) = s(xi)} for every i ∈ [1, q].

• loop(s, h)

def

= {l ∈ dom(h) : h(l) = l}.

• rem(s, h)

def

= dom(h) \ (pred(s, h) ∪ loop(s, h)).

• dom(h) = rem(s, h) ⊎ (pred(s, h) ∪ loop(s, h)).

Playing with 1SL Restricted to a Single Variable (1SL1)

29

Partition two: introducing the core

• ref(s, h)

def

= dom(h) ∩ s(V); acc(s, h)

def

= dom(h) ∩ h(s(V)).

• ♥(s, h)

def

= ref(s, h) ∪ acc(s, h); ♥(s, h)

def

= dom(h) \ ♥(s, h). r r ♥ p ♥

• ♥
• ♥

x1 x2 x3 x4

Playing with 1SL Restricted to a Single Variable (1SL1)

30

Locations outside of the core

• Locations in the core are easy to identify thanks to

program variables.

• pred♥(s, h, i)

def

= pred(s, h, i) \ ♥(s, h).

• loop♥(s, h)

def

= loop(s, h) \ ♥(s, h).

• rem♥(s, h)

def

= rem(s, h) \ ♥(s, h). dom(h) = ♥(s, h) ⊎ pred♥(s, h) ⊎ loop♥(s, h) ⊎ rem♥(s, h)

Playing with 1SL Restricted to a Single Variable (1SL1)

31

Test formulae

• Equality

def

= {xi = xj | i, j ∈ [1, q]}.

• Pattern

def

= {xi ֒ → xj, conv(xi, xj), btwn(xi, xj) | i, j ∈ [1, q]}∪ {toalloc(xi), toloop(xi), alloc(xi) | i ∈ [1, q]}.

• Extrau def

= {u = u, u ֒ → u, alloc(u)} ∪ {xi = u, xi ֒ → u, u ֒ → xi | i ∈ [1, q]}.

Playing with 1SL Restricted to a Single Variable (1SL1)

32

Test formulae

• Equality

def

= {xi = xj | i, j ∈ [1, q]}.

• Pattern

def

= {xi ֒ → xj, conv(xi, xj), btwn(xi, xj) | i, j ∈ [1, q]}∪ {toalloc(xi), toloop(xi), alloc(xi) | i ∈ [1, q]}.

• Extrau def

= {u = u, u ֒ → u, alloc(u)} ∪ {xi = u, xi ֒ → u, u ֒ → xi | i ∈ [1, q]}.

• Sizeα

def

= {# predi

♥ k | i ∈ [1, q], k ∈ [1, α]} ∪

{# loop♥ k, # rem♥ k | k ∈ [1, α]}.

• Testu

α

def

= Equality ∪ Pattern ∪ Sizeα ∪ Extrau ∪ {⊥}.

Playing with 1SL Restricted to a Single Variable (1SL1)

32

Deciding satisfiability for test formulae

• Satisfiability of conjunctions of test formulae or their

negation can be checked in polynomial time.

• Satisfiability problem for Boolean combinations of test

formulae is NP-complete.

Playing with 1SL Restricted to a Single Variable (1SL1)

33

Deciding satisfiability for test formulae

• Satisfiability of conjunctions of test formulae or their

negation can be checked in polynomial time.

• Satisfiability problem for Boolean combinations of test

formulae is NP-complete.

• Polynomial-time decision procedure based on a saturation

algorithm. conv(xi, xj) toloop(xi) toloop(xj)

Playing with 1SL Restricted to a Single Variable (1SL1)

33

Expressiveness/Decision Procedure for 1SL1

Expressiveness/Decision Procedure for 1SL1

34

Quantifier elimination

• Any φ in 1SL1 (with q program variables) is equivalent to a

Boolean combination φ′ of test formulae in Testu

q×|φ|.

[CSR’14]

• Any satisfiable φ in 1SL1 has a polynomial-size model.
• 1SL2 is strictly more expressive than 1SL1.
• 1SL1 cannot distinguish the two models below, 1SL2 can:

x1 → • → • → x2 | x1 → • → •

• → x2

Expressiveness/Decision Procedure for 1SL1

35

Abstract memory states ≈ atoms

r r ♥ p ♥

• ♥
• ♥

x1 x2 x3 x4

Abstract memory states ≈ atoms

r r ♥ p ♥

• ♥
• ♥

x1 x2 x3 x4 {x4} {x3} {x2} {x1}

Abstract memory states ≈ atoms

r r ♥ p ♥

• ♥
• ♥

x1 x2 x3 x4 {x4} {x3} {x2} {x1}

l = 2, r = 2, p1 = 1, p2 = p3 = p4 = 0. Abstract memory state: a = ((V, E), l, r, p1, . . . , pq). Vpar ⊆ V partition of {x1, . . . , xq}.

Expressiveness/Decision Procedure for 1SL1

36

Abstraction

• abs(s, h): abstract memory states abstracting the memory

state (s, h).

• Isomorphic a and a′: identical partition, isomorphic graphs,

identical numerical values.

• Given q, α ≥ 1, the number of abstract memory states is

exponential in q + α and each abstract memory state can be encoded in space q + log(α).

Expressiveness/Decision Procedure for 1SL1

37

Pointed abstract memory states

• Need for abstracting the interpretation of variable u.
• Pointed abstract memory states (a, u) with u in the set

V d≤1 ∪ {D, P(1), . . . , P(q), L, R} (conditions apply)

• abs(s, h, l) defined accordingly.
• (a, u) and (a′, u′) are isomorphic

def

⇔ a and a′ are isomorphic and, u = u′ or u and u′ are related by the isomorphism.

Expressiveness/Decision Procedure for 1SL1

38

Abstract separation

• ∗a((a, u), (a1, u1), (a2, u2))

def

⇔ there exist l ∈ N, a store s and disjoint heaps h1 and h2 such that abs(s, h1 ⊎ h2, l) = (a, u), abs(s, h1, l) = (a1, u1) and abs(s, h2, l) = (a2, u2).

• Given q, α ≥ 1, the ternary relation ∗a can be decided in

polynomial time in q + log(α) for all the pointed abstract memory states over (q, α).

Expressiveness/Decision Procedure for 1SL1

39

Polynomial-space model-checking algorithm

1: if ψ is atomic then return AMC((a, u), ψ); 2: if ψ = ¬ψ1 then return not MC((a, u), ψ1); 3: if ψ = ψ1 ∧ ψ2 then return (MC((a, u), ψ1) and

MC((a, u), ψ2));

4: if ψ = ∃ u ψ1 then return ⊤ iff there is u′ such that

MC((a, u′), ψ1) = ⊤;

5: if ψ = ψ1 ∗ ψ2 then return ⊤ iff there are (a1, u1) and (a2, u2)

such that ∗a((a, u), (a1, u1), (a2, u2)) and MC((a1, u1), ψ1) = MC((a2, u2), ψ2) = ⊤;

6: if ψ = ψ1 −

∗ ψ2 then return ⊥ iff for some (a′, u′) and (a′′, u′′) such that ∗a((a′′, u′′), (a′, u′), (a, u)), MC((a′, u′), ψ1) = ⊤ and MC((a′′, u′′), ψ2) = ⊥;

Expressiveness/Decision Procedure for 1SL1

40

A Taste of Other Decision Procedures

A Taste of Other Decision Procedures

41

A selection of techniques

• Tableaux calculus for 2SL0 [Galmiche & Mery, JLC 10].

(satisfiability for 2SL0 is PSPACE-complete only)

• Graph-based (semantical) methods.

[Cook et al., CONCUR’11; Enea & Saveluc & Sighireanu, ESOP’13]

• Translating into FO or propositional calculus.

[Lozes, SPACE’04; Calcagno & Gardner & Hague, FOSSACS’05]

A Taste of Other Decision Procedures

42

A robust framework: using SMT solvers

• Convergence of SAT and theory reasoning: Satisfiability

Modulo Theories (SMT).

• Mature and robust tools: CVC4, MathSAT, Yices, Z3, etc.
• SMT solvers at the heart of verification tools.
• Pointer logic is one of the new theories being developed.
• Recent works using SMT solvers for separation logic.
• E.g., translating SLLB into the logic of graph reachability

and stratified sets (GRASS).

[Piskac & Wies & Zufferey, CAV’13]

See also [Navarro P´

erez & A. Rybalchenko, APLAS’13]

A Taste of Other Decision Procedures

43

Concluding remarks

• 1SL2 and 1SL1 have exact expressive power

characterization.

• At the heart of verification methods for programs with

mutable data structures.

• For the first time, SMT-COMP 2014 run a competition with

SMT solvers for separation logic as an “off” event.

• Many pending questions, e.g.:

1 How to design decidable fragments with the magic wand? 2 Design tractable fragments useful for formal verification. 3 Proof methods for separation logic. 4 Alternative memory models.

Conclusion

44