Separation Logic

COMP2600 Formal Methods for Software Engineering

Rajeev Gore
Australian National University
Semester 2, 2016

COMP 2600 Separation Logic

Motivation: Reasoning About Pointers

Recall this example from Hoare Logic Lecture III.
How is aliasing a problem?
Suppose x and y refer to the same cell of memory.
1. {y + 1 = 5 y = 5} x:=y+1 {x = 5 y = 5}

(Assignment)

2. {y = 4 y = 5} x:=y+1 {x = 5 y = 5}

(1. PreEq)

3. {False} x:=y+1 {x = 5 y = 5}

(2. PreEq)

i.e. if initial state is inconsistent and x:=y+1 terminates then final state
makes {x = 5 y = 5} true

But also works for x = 6 y = 6

so our assignment rule is no longer as strong as possible.

Problem: we need a way to say refers to the same/different cell of memory
COMP 2600 Separation Logic

From Hoare Logic To Separation Logic

Floyd 1967: gave some rules to reason about programs
Sometimes, our Hoare Logic is called Floyd-Hoare Logic in recognition
Many attempts made to extend Floyd-Hoare Logic to handle pointers
Only really solved in the past 15 years by Reynolds, OHearn and Yang
around 2000 using a connective called separating conjunction
The connective originally studied at ANU Philosophy in 1970s by Robert
K Meyer .... who started the Logic and Computation Group!
But ... to make the presentation less scary, we need to first extend Hoare
Logic with an axiom due to Floyd

COMP 2600 Separation Logic

Hoare Logic: syntax, semantics and calculus

Syntax

Semantics

Calculus

FOL

N/A

= +

Arithmetic

N/A

:= ; while

State maps variables

if then else

to values (no pointers)

N/A

if initial state satisfies P

{P}S{Q}

and S terminates then

final state satisfies Q

COMP 2600 Separation Logic

6 Inference
Rules

Store Assignment Axiom of Floyd

Hoare Axiom: {Q(e)} x := e

{Q(x)}

(backward driven)

Floyd Axiom: forward driven but equivalent to Hoare Axiom

{x = v}

x := e {x = e(v/x)}

where v is an auxiliary variable which does not occur in e

and e(v/x) means replace all occurrences of x in e by v
Example Hoare Instance: {(x + 1 = 5)} x := x + 1 {x = 5}
Example Floyd Instance: {x = v}
i.e. {x = v}

x := x + 1 {x = (x + 1)(v/x)}

x := x + 1 {x = (v + 1)}

i.e. if we want the post-condition x = 5 then instantiate v to be 4

{x = 4} x := x + 1 {x = 5}
Note: does not solve the problem with pointers!
COMP 2600 Separation Logic

Store Assignment Axiom of Floyd

Hoare Axiom: {Q(e)} x := e

{Q(x)}

(backward driven)

Floyd Axiom: forward driven but equivalent to Hoare Axiom

{x = v}

x := e {x = e(v/x)}

where v is an auxiliary variable which does not occur in e

and e(v/x) means replace all occurrences of x in e by v
Example Hoare Instance: {(1 = 1)} x := 1
Example Floyd Instance: {x = v}
i.e. {x = v}

{x = 1}

x := 1 {x = (1)(v/x)}

x := 1 {x = 1}

i.e. if we want the pre-condition 1 = 1 (i.e. True) then instantiate v to x

{x = x} x := 1 {x = 1}
Separation Logic: based on such forward reasoning zero-premise rules
COMP 2600 Separation Logic

My Policy To Make This Material Accessible

Honest: the two really are equivalent but I am hiding the gory details of the
first order logic proof that they are equivalent
Credits: my notes are based upon a set of notes written by Michael Gordon

http://www.cl.cam.ac.uk/~mjcg/HoareLogic/
Beware: he uses heavy duty logic and his notes are for a third year course!
Promise: I will tell the truth. I may not tell the whole truth, but I will not lie.
Name clash: Separation Logic is used for both the extension of Hoare Logic
and the extension of first-order logic upon which it is based!
Search: separation logic and you will get many technical papers, most of
which will be impenetrable, so beware!

COMP 2600 Separation Logic

Hoare Logic + Floyd Axiom: syntax, semantics and calculus

Syntax

Semantics

Calculus

FOL

N/A

= +

Arithmetic

N/A

:= ; while

State maps variables

if then else

to values (no pointers)

{P}S{Q}

COMP 2600 Separation Logic

N/A

if initial state satisfies P

6 Inference

and S terminates then

Rules

final state satisfies Q

+ Floyd Axiom

COMP 2600 Separation Logic

Separation Logic: syntax, semantics and calculus

Syntax

Semantics

Calculus

SL

N/A

FOL

N/A

= +

Arithmetic

N/A

emp

:= ; while
if then else
[.]

dispose(.)

State is a pair (Store, Heap)

St(.) maps variables to values

N/A

H p(.) maps locations to values

cons(.)
if initial state satisfies P

{P}S{Q}
COMP 2600 Separation Logic

and S terminates

More Inference

then S does not fault and

Rules

final state satisfies Q

10

Our Computation Model

Background: a function maps members of a domain to members of a range
Assume: Num Val
Assume: nil Val but not in Num

numbers will be memory locations

nil not a memory location

Same as before: Store maps Variables to Values

i.e. we can ask St(x) and we will get back a Value
New: Heap maps a finite subset of Numbers to Values
i.e. we can ask H p(l) where l is a number and we will get back a Value if
this location has been allocated
Old State = Store
New: State = (Store, Heap)
COMP 2600 Separation Logic

11

Evaluating Expressions in the Store of a State

Strictly speaking, the store gives values to variables only.
But we need a way to say value of an expression in a store so we will abuse
notation and use St(e) for this as below:

St(n) where n is a number is just its usual value

St(1) = 1

St(x + n) where n is a number and x is a variable is St(x) + St(n) = St(x) + n

St(e1 = e2 ) is true if St(e1 ) = St(e2 )
This is supposed to be intuitive, so please complain if it isnt!

COMP 2600 Separation Logic

12

COMP 2600 Separation Logic

13

Separation Logic: syntax, semantics and calculus

Syntax

Semantics

Calculus

SL

N/A

FOL

N/A

= +

Arithmetic

N/A

emp

:= ; while
if then else
[.]

dispose(.)

State is a pair (Store, Heap)

St(.) maps variables to values

N/A

H p(.) maps locations to values

cons(.)
if initial state satisfies P

{P}S{Q}
COMP 2600 Separation Logic

and S terminates

More Inference

then S does not fault and

Rules

final state satisfies Q

14

Extra Programming Constructs: Syntax and Intuitions

Fetch: v := [e]

evaluate expression e in current state to get location l

fault if location l is not in the current heap
otherwise variable v is assigned the contents of location l
Example: x := [y + 1]

St

x := [y + 1]

Hp

y = 20 20 21
1

Non Examples: x := [[y + 1]]

COMP 2600 Separation Logic

St

Hp

y = 20 20 21
x=2

x := [y] + 1
15

Extra Programming Constructs: Syntax and Intuitions

Heap Assignment/Mutation: [e] := e1

evaluate e (in the current state) as location l

fault if location l is not in the current heap
otherwise make the contents of location l the value of expression e1
Example [y + 1] := 5

St

[y + 1] := 5

Hp

y = 20 20 21
1

COMP 2600 Separation Logic

Hp

y = 20 20 21

Non-examples: [[x]] := 5

St

[x] + 1 := 5
16

Extra Programming Constructs: Syntax and Intuitions

Allocation: v := cons(e1 , e2 , , en )

extend the heap with n consecutive new locations l, l + 1, , l + n 1

put values of e1 , , en into locations l, , l + n 1 respectively
extend the store by assigning v the value l

(never faults)

Example: p := cons(3, 7)

St

p := cons(3, 7)

Hp

St

Hp

p = 10

10

11

Example: p := cons(q, q + 1)

St

Hp

q=5

p := cons(q, q + 1)

St

Hp

q=5

110

111

p = 110

COMP 2600 Separation Logic

17

Extra Programming Constructs: Syntax and Intuitions

Deallocation: dispose(e)

evaluate e to get some number l

fault if location l is not in the heap
otherwise remove location l from the heap
Example: dispose(q)

St

Hp

q=5

110

p = 110

St

Hp

111

q=5

110

111

p = 110

St

Hp

dispose(q)

Example: dispose(p)

St

Hp

q=5

110

111

q=5

111

p = 110

p = 110

COMP 2600 Separation Logic

dispose(p)

18

COMP 2600 Separation Logic

19

Separation Logic: syntax, semantics and calculus

Syntax

Semantics

Calculus

SL

N/A

FOL

N/A

= +

Arithmetic

N/A

emp

:= ; while
if then else
[.]

dispose(.)

State is a pair (Store, Heap)

St(.) maps variables to values

N/A

H p(.) maps locations to values

cons(.)
if initial state satisfies P

{P}S{Q}
COMP 2600 Separation Logic

and S terminates

More Inference

then S does not fault and

Rules

final state satisfies Q

20

Semantics of Separation Logic

Store : Var Val

Heap : Num * f in Val

State = Store Heap

St(e) value of an expression in a store as explained earlier

(St, H p) |= emp if dom(H p) = 0/
i.e. a state (St, H p) makes the formula emp true if the heap is empty

COMP 2600 Separation Logic

21

Store Assignment Axiom For Separation Logic

Hoare Axiom: {Q(e)} x := e

{Q(x)}

Floyd Axiom:

{x = v}

x := e {x = e(v/x)}

where v is an auxiliary variable which does not occur in e

Store Assignment Axiom for Separation Logic:

{x = v emp}

x := e {x = e(v/x) emp}

where v is an auxiliary variable which does not occur in e

New: atomic formula emp to say that the heap is empty
Why: we want to track the smallest amount of heap information

COMP 2600 Separation Logic

22

Store Assignment Axiom for Separation Logic

Store Assignment Axiom for Separation Logic:

{x = v emp}

x := e {x = e(v/x) emp}

where v is an auxiliary variable which does not occur in e

Example Instance: {x = v emp}

x := 1 {x = (1)(v/x) emp}

i.e. {x = v emp} x := 1 {x = 1 emp}

i.e. if we want the pre-condition 1 = 1 (i.e. True) then instantiate v to x

{x = x emp} x := 1 {x = 1 emp}

COMP 2600 Separation Logic

23

Fetch Assignment Axiom of Separation Logic

{(x = v1 ) (e 7 v2 )}

x := [e] {(x = v2 ) (e(v1 /x) 7 v2 )}

where v1 and v2 are auxiliary variables which do not occur in e

Example: x := [y]

St

Hp

y = 20 20
1

x := [y]

St

Hp

y = 20 20
x=1

e is y: so
{(x = v1 ) (y 7 v2 )} x := [y] {(x = v2 ) (e(v1 /x) 7 v2 )}
v2 is 1: so
{(x = v1 ) (y 7 1)}

x := [y] {(x = 1) (e(v1 /x) 7 1)}

e(v1 /x) is y: since there are no occurrences of x in y so

{(x = v1 ) (y 7 1)} x := [y] {(x = 1) (y 7 1)}
COMP 2600 Separation Logic

24

COMP 2600 Separation Logic

25

Separation Logic: syntax, semantics and calculus

Syntax

Semantics

Calculus

SL

N/A

FOL

N/A

= +

Arithmetic

N/A

emp

:= ; while
if then else
[.]

dispose(.)

State is a pair (Store, Heap)

St(.) maps variables to values

N/A

H p(.) maps locations to values

cons(.)
if initial state satisfies P

{P}S{Q}
COMP 2600 Separation Logic

and S terminates

More Inference

then S does not fault and

Rules

final state satisfies Q

26