请输入您要查询的百科知识:

 

词条 Separation logic
释义

  1. Overview

  2. Assertions: operators and semantics

  3. Reasoning about programs: triples and proof rules

  4. Sharing

  5. Concurrent separation logic

  6. Verification and program analysis tools

  7. References

In computer science, separation logic[1] is an extension of Hoare logic, a way of reasoning about programs.

It was developed by John C. Reynolds, Peter O'Hearn, Samin Ishtiaq and Hongseok Yang,[1][2][3][4] drawing upon early work by Rod Burstall.[5] The assertion language of separation logic is a special case of the logic of bunched implications (BI).[6] A CACM review article by O'Hearn charts developments in the subject to early 2019.[7]

Overview

Separation logic facilitates reasoning about:

  • programs that manipulate pointer data structures—including information hiding in the presence of pointers;
  • "transfer of ownership" (avoidance of semantic frame axioms); and
  • virtual separation (modular reasoning) between concurrent modules.

Separation logic supports the developing field of research described by Peter O'Hearn and others as local reasoning, whereby specifications and proofs of a program component mention only the portion of memory used by the component, and not the entire global state of the system. Applications include automated program verification (where an algorithm checks the validity of another algorithm) and automated parallelization of software.

Assertions: operators and semantics

Separation logic assertions describe "states" consisting of a store and a heap, roughly corresponding to the state of local (or stack-allocated) variables and dynamically-allocated objects in common programming languages such as C and Java. A store is a function mapping variables to values. A heap is a partial function mapping memory addresses to values. Two heaps and are disjoint (denoted ) if their domains do not overlap (i.e., for every memory address , at least one of and is undefined).

The logic allows to prove judgements of the form , where is a store, is a heap, and is an assertion over the given store and heap. Separation logic assertions (denoted as , , ) contain the standard boolean connectives and, in addition, , , , and , where and are expressions.

  • The constant asserts that the heap is empty, i.e., when is undefined for all addresses.
  • The binary operator takes an address and a value and asserts that the heap is defined at exactly one location, mapping the given address to the given value. I.e., when (where denotes the value of expression evaluated in store ) and is otherwise undefined.
  • The binary operator (pronounced star or separating conjunction) asserts that the heap can be split into two disjoint parts where its two arguments hold, respectively. I.e., when there exist such that and and and .
  • The binary operator (pronounced magic wand or separating implication) asserts that extending the heap with a disjoint part that satisfies its first argument results in a heap that satisfies its second argument. I.e,. when for every heap such that , also holds.

The operators and share some properties with the classical conjunction and implication operators. They can be combined using an inference rule similar to modus ponens

and they form an adjunction, i.e., if and only if for ; more precisely, the adjoint operators are and .

Reasoning about programs: triples and proof rules

In separation logic, Hoare triples have a slightly different meaning than in Hoare logic. The triple asserts that if the program executes from an initial state satisfying the precondition then the program will not go wrong (e.g., have undefined behaviour), and if it terminates, then the final state will satisfy the postcondition . In essence, during its execution, may access only memory locations whose existence is asserted in the precondition or that have been allocated by itself.

In addition to the standard rules from Hoare logic, separation logic supports the following very important rule:

This is known as the frame rule (named after the frame problem) and enables local reasoning. It says that a program that executes safely in a small state (satisfying ), can also execute in any bigger state (satisfying ) and that its execution will not affect the additional part of the state (and so will remain true in the postcondition). The side condition enforces this by specifying that none of the variables modified by occur free in , i.e. none of them are in the 'free variable' set of .

Sharing

Separation logic leads to simple proofs of pointer manipulation for data structures that exhibit regular sharing patterns which can be described simply using separating conjunctions; examples include singly and doubly linked lists and varieties of trees. Graphs and DAGs and other data structures with more general sharing

are more difficult (both for informal and for formal proof, it should be emphasized). Separation logic has, nonetheless, been applied successfully to reasoning about

programs with general sharing.

In their POPL'01 paper,[3] O'Hearn and Ishtiaq explained how the magic wand connective could be used to reason in the presence of sharing, at least in principle.

For example, in the triple

we obtain the weakest precondition for a statement that mutates the heap at location , and this works for any postcondition, not only one that is laid out neatly using the separating conjunction. This idea was taken much further by Yang, who used to provide localized reasoning about mutations in the classic Schorr-Waite graph marking algorithm.[8] Finally, one of the most recent works in this direction is that of Hobor and Villard,[9] who

employ not only but also a connective

which has variously been called overlapping conjunction or sepish,[10] and which can be used to describe overlapping data structures: holds of a heap when

and hold for subheaps and whose union is , but which possibly have a nonempty portion in common. Abstractly, can be seen to be a version of the fusion connective of relevance logic.

Concurrent separation logic

A Concurrent Separation Logic (CSL),

a version of separation logic for concurrent programs, was originally proposed by Peter O'Hearn,[11]

using a proof rule

which allows independent reasoning about threads that access separate storage. O'Hearn's proof rules adapted an early approach of Tony Hoare to reasoning about concurrency,[12]

replacing the use of scoping constraints to ensure separation by reasoning in separation logic. In addition to extending Hoare's approach to apply in the presence of heap-allocated pointers, O'Hearn showed how reasoning in concurrent separation logic could track dynamic ownership transfer of heap portions between processes; examples in the paper include a pointer-transferring buffer, and a memory manager.

A model for concurrent separation logic was first provided by Stephen Brookes in a companion paper to O'Hearn's.[13] The soundness of the logic had been a difficult problem, and in fact a counterexample of John Reynolds had shown the unsoundness of an earlier, unpublished version of the logic; the issue raised by Reynolds's example is described briefly in O'Hearn's paper, and more thoroughly in Brookes's.

At first it appeared that CSL was well suited to what Dijkstra had called loosely connected processes,[14] but perhaps not to fine-grained concurrent algorithms with significant interference. However, gradually it was realized that the basic approach of CSL was considerably more powerful than first envisaged, if one employed non-standard models of the logical connectives and even the Hoare triples.

An abstract version of separation logic was proposed that works for Hoare triples

where the preconditions and postconditions are formulae interpreted over an arbitrary partial commutative monoid instead of a particular heap model.[15]

Later, by suitable choice of commutative monoid, it was surprisingly found that the proof rules of abstract versions of concurrent separation logic could be used to reason about interfering concurrent processes, for example by encoding the rely-guarantee technique which had been originally proposed to reason about interference;[16] in this work the elements of the model were considered not resources, but rather "views" of the program state, and a non-standard interpretation of Hoare triples accompanies the non-standard reading of pre and postconditions.

Finally, CSL-style principles have been used to compose reasoning about program histories instead of program states, in order to provide modular techniques for reasoning about fine-grained concurrent algorithms.[17]

Versions of CSL have been included in many interactive and semi-automatic (or "in-between") verification tools as described in the next section. A particularly significant verification effort is that of the μC/OS-II kernel mentioned there. But, although steps have been made,[18] as of yet CSL-style reasoning has been included in comparatively few

tools in the automatic program analysis category (and none mentioned in the next section).

O'Hearn and Brookes are co-recipients of the 2016 Gödel Prize for their invention of Concurrent Separation Logic.[19]

Verification and program analysis tools

Tools for reasoning about programs fall on a spectrum from fully automatic program analysis tools, which do not require any user input, to interactive tools where the human

is intimately involved in the proof process. Many such tools have been developed; the following list includes a few representatives in each category.

  • Automatic Program Analyses. These tools typically look for restricted classes of bugs (e.g., memory safety errors) or attempt to prove their absence, but fall short of proving full correctness.
    • A current example is Facebook Infer, a static analysis tool for Java, C, and Objective-C based on separation logic and bi-abduction.[20] As of 2015 hundreds of bugs per month were being found by Infer and fixed by developers before being shipped to Facebook's mobile apps[21]
    • Other examples include SpaceInvader (one of the first SL analyzers), Predator (which has won several verification competitions), MemCAD (which mixes shape and numerical properties) and [https://github.com/Microsoft/SLAyer SLAyer] (from Microsoft Research, focussed on data structures found in device drivers)
  • Interactive Proof. Proofs have been done using embeddings of Separation Logic into interactive theorem provers such as the Coq proof assistant and HOL (proof assistant). In comparison to the program analysis work, these tools require more in the way of human effort but prove deeper properties, up to functional correctness.
    • A proof of the FSCQ file system[22] where the specification includes behaviour under crashes as well as normal operation. This work won the best paper award at the 2015 Symposium on Operating System Principles.
    • Verification of an OpenSSL implementation of a cryptographic authentication algorithm,[23] utilizing verifiable C
    • Verification of key modules of a commercial OS kernel, the μC/OS-II kernel, the first commercial pre-emptive kernel to have been verified.[24]
    • Other examples include the Ynot[25] library for the Coq proof assistant; the Holfoot embedding of Smallfoot in HOL; Fine-grained Concurrent Separation Logic, and Bedrock (a Coq library for low-level programming).
  • In Between. Many tools require more user intervention than program analyses, in that they expect the user to input assertions such as pre/post specs for functions or loop invariants, but after this input is given they attempt to be fully or almost fully automatic; this mode of verification goes back to classic works in the 1970s such as J King's verifier, and the Stanford Pascal Verifier. This style of verifier has recently been called auto active verification, a term which intends to evoke the way of interacting with a verifier via an assert-check loop, analogous to the interaction between a programmer and a type-checker.
    • The very first Separation Logic verifier, Smallfoot, was in this in-between category. It required the user to input pre/post specs, loop invariants, and resource invariants for locks. It introduced a method of symbolic execution, as well as an automatic way to infer frame axioms. Smallfoot included Concurrent Separation Logic.
    • [https://www.mpi-sws.org/~viktor/smallfootrg/ SmallfootRG] is a verifier for a marriage of separation logic and the classic rely/guarantee method for concurrent programs.
    • Heap Hop implements a separation logic for message passing, following the ideas in Singularity (operating system).
    • [https://people.cs.kuleuven.be/~bart.jacobs/verifast/ Verifast] is an advanced current tool in the in-between category. It has demonstrated proofs ranging from object-oriented patterns to highly concurrent algorithms and to systems programs.
    • The [https://protz.github.io/mezzo/ Mezzo Programming Language] and [https://www.mpi-sws.org/~viktor/papers/ecoop2015-alstypes.pdf Asynchronous Liquid Separation Types] include ideas related to CSL in the type system for a programming language. The idea to include separation in a type system has earlier examples in [https://www.eecs.harvard.edu/~greg/papers/alias.pdf Alias Types] and Syntactic Control of Interference.

The distinction between interactive and in-between verifiers is not a sharp one. For example,

Bedrock strives for a high degree of automation, in what it terms mostly-automatic verification, where

Verifast sometimes requires annotations that resemble the tactics (little programs) used in interactive verifiers.

References

1. ^{{cite journal| url=http://www.cs.cmu.edu/~jcr/seplogic.pdf | title=Separation Logic: A Logic for Shared Mutable Data Structures | first=John C. | last=Reynolds | authorlink=John C. Reynolds | journal=LICS | year=2002 }}
2. ^{{cite book| chapter=Intuitionistic Reasoning about Shared Mutable Data Structure | first=John C. | last=Reynolds | title=Millennial Perspectives in Computer Science, Proceedings of the 1999 Oxford–Microsoft Symposium in Honour of Sir Tony Hoare | year=1999 | publisher=Palgrave | editor-first1=Jim | editor-last1=Davies | editor-first2=Bill | editor-last2=Roscoe | editor-first3=Jim | editor-last3=Woodcock | editorlink1=Jim Davies (computer scientist) | editorlink2=Bill Roscoe | editorlink3=Jim Woodcock }}
3. ^{{cite journal| title=BI as an Assertion Language for Mutable Data Structures | first1=Samin | last1=Ishtiaq | first2=Peter | last2=O'Hearn | authorlink2=Peter O'Hearn | journal=POPL | publisher=ACM | year=2001 }}
4. ^{{cite journal| title=Local Reasoning about Programs that Alter Data Structures | first1=Peter | last1=O'Hearn | first2=John C. | last2=Reynolds | first3=Hongseok | last3=Yang | journal=CSL | year=2001 |citeseerx = 10.1.1.29.1331}}
5. ^{{cite journal| title=Some techniques for proving programs which alter data structures | first=R. M. | last=Burstall | authorlink=Rod Burstall | journal=Machine Intelligence | volume=7 | year=1972 }}
6. ^{{cite journal| title=The Logic of Bunched Implications | first1=P. W. | last1=O'Hearn | first2=D. J. | last2=Pym | journal=Bulletin of Symbolic Logic | volume=5 | number=2 |date=June 1999 | pages=215–244 | doi=10.2307/421090 | jstor=421090 | citeseerx=10.1.1.27.4742 }}
7. ^{{Cite journal|last=O'Hearn|first=Peter|date=January 2019|title=Separation Logic|journal=Commun. ACM|volume=62|issue=2|pages=86–95|doi=10.1145/3211968|issn=0001-0782}}
8. ^{{cite journal|last1=Yang|first1=Hongseok|title=An Example of Local Reasoning in BI Pointer Logic: the Schorr−Waite Graph Marking Algorithm|journal=Proceedings of the 1st Workshop on Semantics' Program Analysis' and Computing Environments for Memory Management|date=2001|url=http://www.cs.ox.ac.uk/people/hongseok.yang/paper/SchorrWaite.ps}}
9. ^{{cite journal|last1=Hobor|first1=Aquinas|last2=Villard|first2=Jules|title=The Ramifications of Sharing in Data Structures|journal=Popl'13|volume=48|date=2013|pages=523–536|doi=10.1145/2480359.2429131|url=http://www.doc.ic.ac.uk/~jvillar1/pub/ramification-HVpopl13.pdf}}
10. ^{{cite book|last1=Gardner|first1=Philippa|last2=Maffeis|first2=Sergio|last3=Smith|first3=Hareth|title=Towards a program logic for JavaScript|journal=Popl'12|date=2012|pages=31–44|doi=10.1145/2103656.2103663|url=http://www.doc.ic.ac.uk/~gds/papers/TowardsProgramLogicJavaScriptPOPL2012.pdf|isbn=9781450310833|hdl=10044/1/33265}}
11. ^{{cite journal|last1=O'Hearn|first1=Peter|title=Resources, Concurrency and Local Reasoning|journal=Theoretical Computer Science|date=2007|volume=375|issue=1–3|pages=271–307|doi=10.1016/j.tcs.2006.12.035|url=http://www.cs.ucl.ac.uk/staff/p.ohearn/papers/concurrency.pdf}}
12. ^{{cite journal|last1=Hoare|first1=C.A.R.|title=Towards a theory of parallel programming|journal=Operating System Techniques. Academic Press|date=1972}}
13. ^{{cite journal|last1=Brookes|first1=Stephen|title=A Semantics for Concurrent Separation Logic|journal=Theoretical Computer Science|date=2007|volume=375|issue=1–3|pages=227–270|doi=10.1016/j.tcs.2006.12.034|url=http://www.cs.cmu.edu/~brookes/papers/seplogicrevisedfinal.pdf}}
14. ^{{Cite EWD|123|Cooperating sequential processes}} (September 1965)
15. ^{{cite book|last1=Calcagno|first1=Cristiano|last2=O'Hearn|first2=Peter|last3=Yang|first3=Hongseok|title=Local Action and Abstract Separation Logic|journal=22nd Annual IEEE Symposium on Logic in Computer Science|pages=366–378|date=2007|doi=10.1109/LICS.2007.30|url=http://www.cs.ox.ac.uk/people/hongseok.yang/paper/asl-short.pdf|isbn=978-0-7695-2908-0|citeseerx=10.1.1.66.6337}}
16. ^{{cite journal|last1=Dinsdale-Young|first1=Thomas|last2=Birkedal|first2=Lars|last3=Gardner|first3=Philippa|last4=Parkinson|first4=Matthew|last5=Yang|first5=Hongseok|title=Views: Compositional Reasoning for Concurrent Programs|journal=Proceedings of the 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages|volume=48|pages=287–300|date=2013|doi=10.1145/2480359.2429104|url=http://research.microsoft.com/pubs/180039/views.pdf}}
17. ^{{cite journal|last1=Sergey|first1=Ilya|last2=Nanevski|first2=Aleksandar|last3=Banerjee|first3=Anindya|title=Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity|journal=24th European Symposium on Programming|date=2015|url=http://ilyasergey.net/papers/histories-esop15.pdf}}
18. ^{{cite book |last1=Gotsman |first1=Alexey |last2=Berdine |first2=Josh |last3=Cook |first3=Byron |last4=Sagiv |first4=Mooly |title=Thread Modular Shape Analysis |journal=PLDI |volume=5403 |date=2007 |pages=266–277 |doi=10.1007/978-3-540-93900-9_3 |url=http://research.microsoft.com/en-us/um/cambridge/projects/terminator/thread-modular.pdf|series=Lecture Notes in Computer Science |isbn=978-3-540-93899-6 }}
19. ^https://www.eatcs.org/index.php/component/content/article/1-news/2280-2016-godel-prize-
20. ^Separation logic and bi-abduction, page, Infer project site.
21. ^[https://code.facebook.com/posts/1648953042007882/open-sourcing-facebook-infer-identify-bugs-before-you-ship/ Open-sourcing Facebook Infer: Identify bugs before you ship.] C Calcagno, D DIstefano and P O'Hearn. 11 June 2015
22. ^[https://pdos.csail.mit.edu/papers/fscq:sosp15.pdf Using Crash Hoare Logic for Certifying the FSCQ File System], H Chen et al, SOSP'15
23. ^Verified correctness and security of OpenSSL HMAC. Lennart Beringer, Adam Petcher, Katherine Q. Ye, and Andrew W. Appel. In 24th USENIX Security Symposium, August 2015
24. ^A Practical Verification Framework for Preemptive OS Kernels. Fengwei Xu, Ming Fu, Xinyu Feng, Xiaoran Zhang, Hui Zhang and Zhaohui Li:. In CAV 2016: 59-79
25. ^The Ynot Project homepage, Harvard University, USA.

4 : 2002 introductions|Program logic|Substructural logic|Logic in computer science
随便看

 

开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。

 

Copyright © 2023 OENC.NET All Rights Reserved
京ICP备2021023879号 更新时间:2024/11/17 8:06:43