An Introduction to Separation Logic, and the Benefits of going Higher-order (A Tutorial) Lars Birkedal Logic and Semantics Group Dept. of Comp. Science, Aarhus University April 2013 Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 1 / 39
40
Embed
An Introduction to Separation Logic, and the Benefits of going Higher-order … · 2013-04-30 · An Introduction to Separation Logic, and the Benefits of going Higher-order (A Tutorial)
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
An Introduction to Separation Logic,and the Benefits of going Higher-order
(A Tutorial)
Lars Birkedal
Logic and Semantics GroupDept. of Comp. Science, Aarhus University
Program Logic a la Hoare Logic for reasoning about programswith pointers (or references to shared mutable data) [Reynolds,O’Hearn, . . ., 2000+]Main feature: it facilitates modular reasoning, formalized viaso-called frame rule, using a connective called separatingconjunction.
Programming Language: as before but now with C-like pointersSpecifications for partial correctness:
{P}C{Q}if s,h P and C, s,h→ s′,h′, then s′,h′ Q.
Assertion Language: first-order logic w. equality + BI connectives:s,h emp iff h is the empty heaps,h x 7→ 5 iff h is the singleton heap with one location s(x) withvalue 5.s,h P ∗Q iff h can be split into h1 and h2, with disjoint domains,such that s,h1 P and s,h2 Q.s,h P −−∗ Q iff . . ..
Points to notice:Local reasoning: the precondition list(α, i) only describes resourcesneeded by reverse (the footprint of reverse)Having proved local spec, frame rule gives, e.g.:
Hence we can (re-)use the specification in larger contexts.
In summa: standard separation logic makes it easy to reasonabout pointer programs when we can find some way to separatedata structures into disjoint parts.
a set [[Val]] interpreting the type Val of valuesa set [[Loc]] of locations such that [[Loc]] ⊆ [[Val]]a set H = [[Loc]] ⇀fin [[Val]] of heaps (finite partial functions)partial binary operation ∗ on heaps:
h1 ∗ h2 =
{h1 ∪ h2 if h1#h2undefined otherwise,
where h1#h2 iff Dom(h1) ∩ Dom(h2) = ∅Given stack s : Var ⇀fin [[Val]], terms interpreted as usual:
In traditional separation logic:Mostly straightforward.Frame rule relies on properties of operational semanticsSafety Monotonicity For all c, s, h, if (c, s,h) is safe, then for all
heaps h′ s.t. h′#h, (c, s,h ∗ h′) is also safe.Frame Property For all c, s, h, if (c, s,h) is safe and h′#h, then
(c, s,h ∗ h′) ⇓ (s′,h′′), implies that there is h0 disjointfrom h′ such that h′′ = h0 ∗ h′ and (c, s,h) ⇓ (s′,h0).(relies on nondeterministic memory allocation).
Intuitionistic models (assertions upwards closed wrt. heapextension) for languages with no explicit deallocation.Permission models (fractions, etc.) for more fine-grained notionsof separation, allowing multiple readers of same location.. . .
Let us call separation logic as above for first-order separation logicand the frame rule for first-order frame rule.As we have seen, first-order separation logic provides modularreasoning for first-order programs.What about second-order or higher-order programs ?(programming languages with some kind of module facility).Example: a program that uses a stack module.Ideally, a client of a stack module should not know about how thestack module is implemented.So seek logic that supports reasoning about clients withoutrevealing info about module implementation.Two lines of development
higher-order separation logic supporting data abstractionseparation logic with higher-order frame rules for hiding
{emp}new() {s : α. inv(s, [])} ×∀s : α.∀x : N.∀l : N list{inv(s, l)}push(s, x) {inv(s, x :: l)} ×∀s : α.∀x : N.∀l : N list{inv(s, x :: l)}pop(s){y : N. inv(s, l) ∧ y = x}.
Modularity: clients can use the spec without knowing anythingabout how the stack is implemented (since abstract in the invpredicate).Different stack implementations can meet this spec.Presented at ESOP 2005 [Biering, Birkedal, Torp-Smith](second-order (“abstract predicates”) version independently byParkinson-Biermann, POPL 2005, for OO language)
BI Hyperdoctrines — OverviewA hyperdoctrine is a categorical formalization of a model ofpredicate logic [Lawvere 1969]. Sound and complete for IHOL.Toposes also sound and complete for IHOL.BI Hyperdoctrines sound and complete for IHOL + BI
Let C be a category with finite products. A first-order hyperdoctrine Pover C is a contravariant functor P : Cop → Poset s.t.:
Each P(X ) is a Heyting algebra.Each P(f ) : P(Y )→ P(X ) is a Heyting algebra homomorphism.There is an element =X of P(X × X ) satisfying that for allA ∈ P(X × X ),
Types and terms interpreted by objects and morphisms of CEach formula φ with free variables in Γ is interpreted as aP-predicate [[φ]] ∈ P([[Γ]]) by induction on the structure of φ usingdefinining properties of hyperdoctrine.A formula φ with free variables in Γ is satisfied if [[φ]] is > in P([[Γ]]).Sound and complete for intuitionistic predicate logic.A first-order hyperdoctrine is sound for classical predicate logic incase all the fibres P(X ) are Boolean algebras and all thereindexing functions P(f ) are Boolean algebra homomorphisms.
A (general) hyperdoctrine is a first-order hyperdoctrine with thefollowing additional properties:C is cartesian closed; andthere is H ∈ C and a natural bijection ΘX : Obj(P(X )) ' C(X ,H).
Cartesian closure interprets higher types.Type of propositions is interpreted by H.
Recall: A BI algebra is a Heyting algebra, which has an additionalsymmetric monoidal closed structure (emp, ∗, −−∗) (i.e., satisfyingthe rules shown earlier).Define: A first-order hyperdoctrine P over C is a first-order BIhyperdoctrine in case
all the fibres P(X ) are BI algebras, andall the reindexing functions P(f ) are BI algebra homomorphisms
Predicate logic with equality extended with emp, φ ∗ ψ, φ −−∗ ψsatisfying the rules shown earlier.Theorem The interpretation of first-order predicate BI is soundand complete.Also for classical predicate BI, of courseHigher-order Predicate BI
Higher-order predicate logic extended with BI as above.BI hyperdoctrines sound and complete class of models.
Let B be a complete BI algebra. Define Set-indexed BI hyperdoctrine:P(X ) = BX , functions from X to B, ordered pointwiseFor f : X → Y , P(f ) : BY → BX is comp. with f .=X (x , x ′) is > if x = x ′, otherwise ⊥.Quantification: for A ∈ BΓ×X
Earlier work showed how to use some toposes to modelpropostional BI (SubE(1) is a BI-algebra, for certain E)Toposes model (higher-order) predicate logic, since SubE is ahyperdoctrine.But, surprise, we cannot interpret predicate BI in toposes:
Theorem Let E be a topos and suppose SubE : Eop → Poset is a BIhyperdoctrine. Then the BI structure on each lattice SubE(X ) is trivial,i.e., for all ϕ,ψ ∈ SubE(X ), ϕ ∗ ψ ↔ ϕ ∧ ψ.
P(H) is a complete Boolean BI algebra, ordered by inclusion.Let S be the BI hyperdoctrine induced by the complete Boolean BIalgebraTheorem h ∈ [[φ]](v1, . . . , vn) iff [x1 7→ v1, . . . , xn 7→ vn],h φ.(also works for other models of separation logic, e.g., intuitionisticand permissions models)The BI hyperdoctrine S also gives a model of higher-orderseparation logic, with P(H) the set of truth values.Really, we have only talked about the assertion logic of separationlogic.But, since types and terms in the specification logic areinterpreted as sets, and P(H) is a set, we can also quantify overProp in the specification logic, as used in the stack example.
Data abstraction, cf. stack example from above.Formalization of separation logic
applications (e.g., proof of Cheney GC) used various extensions ofseparation logic, with relations, trees, etc.point is that they are all definable in higher-order logic, no need forad-hoc extensions:Let 2 = {⊥,>}. There is a canonical map ι : 2→ P(H). Sayφ : X → P(H) is pure if there is a map χφ : X → 2 s.t. φ = ι ◦ χφ.The sub-logic of pure predicates is simply the standard classicalhigher-order logic of Set.Allows to use classical higher-order logic for defining lists, trees,etc.In particular, recursive definitions of predicates, earlier done at themeta-level, can now be done inside the higher-order logic itself.
Logical characterizations of classes of formulas, e.g.,Traditional definition of a precise: q is precise iff, for s,h, there isat most one subheap h0 of h such that s,h0 q.Prop. q is precise iff
∀p1,p2 : Prop. (p1 ∗ q) ∧ (p2 ∗ q)→ (p1 ∧ p2) ∗ q
is valid in the BI hyperdoctrine S.Thus: can make logical proofs about precise formulas.
(Returning to program proving applications)General (generic / polymorphic) specifications and proofs ofpolymorphic programsParameterized list predicate:
plist(P, [], i) def= i = nil ∧ emp
plist(P, x :: β, i) def= ∃j . i 7→ (x , j) ∗ P(x) ∗ plist(P, β, j)
Two technical points regarding models of HOFR that have proveduseful elsewhere.
1 For prog. lang. with higher-order function: how to express thatprograms behave “locally” (safety monotonicity and frame property)?
We do not, we just require that all proved programs satisfy the framerule (bake it in to the interpretation). Analogous to how parametricmodels of System F are constructed. First done in [LICS 2005] papermentioned above.
2 Hiding / HOFR rule done via Kripke model (world consists of thehidden resources that programs should preserve).
With higher-order store, the set of worlds is recursively defined inCBUlt (see [Birkedal et. al.: Step-Indexed Kripke Models overRecursive Worlds, POPL’2011] and [MSCS-2013] paper mentionedabove).
Need some mathematical technique to establish soundness ofproof rules for recursive functions.For instance, domain theory or step-indexing.Omitted today (step-indexing will be discussed in talk onThursday).
(a glimpse)General framework for compositional reasoning aboutconcurrencyFraming and compositionality for thread-local reasoning capturedvia ∗.Instances cover (concurrent) separation logic, rely-guarantee,combinations of separation logic and rely-guarantee, e.g.,concurrent abstract predicates. Also Kripke models of typesystems.
Separation Logic instance of Views(disregarding stacks for notational simplicity):
View = P(Σ), Σ = H separation algebra.Concrete machine states S = H, heaps.Reification map: I : View → P(S), I = h 7→ {h}.Semantics of triples {p} c {q}:
∀r ∈ View .∀x ∈ p ∗ r . ∀s ∈ I(x).c, s ⇓ s′ ⇒∃y ∈ q ∗ r . s′ ∈ I(y)
Observe:Quantification over frames (“baking-in” the frame rule).Standard operational semantics.
Instrumented states in Views as needed for logical reasoning.Reference: [Dinsdale-Young, Birkedal, Gardner, Parkinson, Yang:Views: Compositional Reasoning for Concurrency. POPL-2013]
First-order standard separationg logic for modular reasoning “inthe small”Higher-order separation / higher-order frame rules for modularreasoning “in the large” (for programs composed of modules)Mostly an overviewBut some details about how to construct models, which can be ofhelp when looking at the literature, both “old style” and “new style”.