Backwards and Forwards in Separation Logic...Forwards and Backwards in Separation Algebra •...
Transcript of Backwards and Forwards in Separation Logic...Forwards and Backwards in Separation Algebra •...
www.data61.csiro.au
BackwardsandForwardsinSeparationLogicPeterHöfner(jointworkwithC.BannisterandG.Klein)May2018
ForwardsandBackwardsinSeparationAlgebra�2
• Hoaretriple• partialandtotalcorrectness• ifandthen
• strengtheningandweakening
• weakestprecondition
• similarforstrongestpostcondition
Floyd-HoareLogic(ForwardsandBackwards)
{P} C1 {Q}
{P} C1 {Q} {Q} C2 {R} {P} C1 ;C2 {R}
P2 ) P1 {P1} C {Q1} Q1 ) Q2
{P2} C {Q2}
wp(C,Q)wp(C1 ;C2, Q) = wp(C1, wp(C2, Q))
sp(C,P )
ForwardsandBackwardsinSeparationAlgebra�3
• extensiontoHoarelogic
• basedonseparationalgebrasofabstractheaps
• capturesthenotionofdisjointnessintheworld
SeparationLogic(Reynolds,O’Hearnetal.)
ForwardsandBackwardsinSeparationAlgebra�4
FrameRule
• is the ‘Frame’ – extending an environment with a disjoint portion
changes nothing – local reasoning – compositional
{P} C {Q}{P ⇤R} C {Q ⇤R} (mod(C) \ fv(R) = ;)
R
ForwardsandBackwardsinSeparationAlgebra
• wheresisastore,hisaheap,andPisanassertion overthegivenstoreandheap
�5
SeparationLogic(Reynolds,O’Hearnetal.)Motivation
s, h |= P
s, h |= P ⇤Q, 9h1, h2. h1 ? h2 and
h = h1 [ h2 and s, h1 |= P and s, h2 |= Q
P Q*
ForwardsandBackwardsinSeparationAlgebra�6
• problemwithframecalculation
• specification:
• assumethefollowingpreconditionforforwardreasoning-howtofindtheframe-situationgetsworseincaseotheroperatorsofseparationlogicareused
SeparationLogicII(ForwardsandBackwards)
{p 7! a ⇤ q 7! b} swap p q {p 7! b ⇤ q 7! a}
r 7! a ⇤ q 7! b ⇤ s 7! c ⇤ t 7! d ⇤ p 7! a
ForwardsandBackwardsinSeparationAlgebra
• separatingImplication– extendingbyPproducesQoverthecombination
• describesamappingbetweenheapsand‘holes’
�7
SeparatingImplicationMagicWand
s, h |= P �⇤Q , 8h0. (h0? h and s, h0 |= P )
implies s, h0 [ h |= Q
P �⇤Q
QP
ForwardsandBackwardsinSeparationAlgebra
• separationlogiccanbeliftedtoalgebra
• allowsabstractreasoning• transfersknowledge• idealforinteractiveandautomatedtheoremproving
�8
SeparationAlgebras
ForwardsandBackwardsinSeparationAlgebra
• modusponens
• currying/decurryingGaloisconnection (givesplentyofpropertiesforfree)
�9
ConjunctionversionImplication
Q ⇤ (Q�⇤P ) ) P
(P ⇤Q ) R) , (P ) Q�⇤R)
ForwardsandBackwardsinSeparationAlgebra�10
RelationshipsbetweenOperators
P ⇤ Q P �⇤Q
P ⇤Q P �⇣ Q
dual
Galois
dual
Galois
ForwardsandBackwardsinSeparationAlgebra
BackwardsReasoning(Recap)
• backwardreasoning/reasoninginweakestpreconditionstyle
• forgivenpostconditionandgivenprogram,determineweakestprecondition
• butwhataboutseparationlogicwhereframesoccur? (problemwithframecalculation)
{P ⇤R} C {Q ⇤R}
wp(C,Q)
�11
Q C
ForwardsandBackwardsinSeparationAlgebra
BackwardsReasoningII
• fromGaloisconnectionweget
• usedtotransformspecificationsforexample
{p 7! ⇤R} set ptr p v {p 7! v ⇤R}
(8R. {P ⇤R} C {Q ⇤R}) , (8R. {P ⇤ (Q�⇤R)} C {R})*
* only in a setting where there are no free variable exist (as in our Isabelle/HOL implementation)
�12
ForwardsandBackwardsinSeparationAlgebra
BackwardsReasoningII
• fromGaloisconnectionweget
• usedtotransformspecificationsforexample
{p 7! ⇤ (p 7! v�⇤R)} set ptr p v {R}
(8R. {P ⇤R} C {Q ⇤R}) , (8R. {P ⇤ (Q�⇤R)} C {R})*
* only in a setting where there are no free variable exist (as in our Isabelle/HOL implementation)
�12
ForwardsandBackwardsinSeparationAlgebra
BackwardsReasoningIII
• allowsfullbackwardsreasoningwithoutcalculatingtheframeineverystep
• supportedbyanIsabelle/HOL-framework
• easypatterns(alternationbetweenimplicationandconjunction)allowautomatedsimplifications
�13
ForwardsandBackwardsinSeparationAlgebra�15
• idealworld whereissomesubtractionoperator
ForwardReasoningII
(8R. {P ⇤R} C {Q ⇤R}) , (8R. {R} C {Q ⇤ (P �⇣ R)})
�⇣
ForwardsandBackwardsinSeparationAlgebra
MoreSeparationLogic
• thereisanotheroperatorintheliterature:septraction
• algebraically:
PQ
P �⇣ Q , ¬(P �⇤(¬Q))
s, h |= P �⇣ Q
, 9h2. h subheap of h2 and s, h2 � h |= P and s, h2 |= Q
�16
ForwardsandBackwardsinSeparationAlgebra�17
• idealworldseeminglyimpossible
• can’tdescribewhathappensincasewherepreconditiondoesn’thold
ForwardReasoningII
{emp} delete p {??}
(8R. {P ⇤R} C {Q ⇤R}) 6, (8R. {R} C {Q ⇤ (P �⇣ R)})
ForwardsandBackwardsinSeparationAlgebra
RelationshipsbetweenOperators
P ⇤ Q P �⇤Q
P ⇤Q P �⇣ Q
dual
Galois
dual
Galois
ForwardsandBackwardsinSeparationAlgebra
• removingproducesoverthereduction
• everytimewecanfindainourheap,therestoftheheapisa
�19
Separating‘Coimplication’MagicSnake
P ⇤Q , ¬(P ⇤ (¬Q))
s, h |= P ⇤ Q , 8h1 h2. (h1 ?h2 and h = h1 [ h2 and s, h1 |= P1)
implies s, h2 |= Q
P
P
Q
Q
PQ
ForwardsandBackwardsinSeparationAlgebra
•
• manypropertiescomeforfreefromtheGaloisconnection
�20
Separating‘Coimplication’MagicSnake
P ⇤Q , ¬(P ⇤ (¬Q))
(P �⇣ Q ) R) , (Q ) (P ⇤Q))
(Galois connection)
ForwardsandBackwardsinSeparationAlgebra
RelationshipsbetweenOperators(complete)
P ⇤ Q P �⇤Q
P ⇤Q P �⇣ Q
dual
Galois
dual
Galois
ForwardsandBackwardsinSeparationAlgebra
• notsatisfiedbyanysubheap
• specificationofdelete
�22
SpecificationswithSeparatingCoimplication
P ⇤ false
{p 7! ⇤R} delete p {R}
P
ForwardsandBackwardsinSeparationAlgebra�23
• Idealworldseeminglyimpossible
• Relaxspecifications/requirements
• anotherexample
BacktoForwardReasoning
{P ⇤R} C {Q ⇤R}
{p 7! ⇤R} set ptr p v {p 7! v ⇤R}
(8R. {P ⇤R} C {Q ⇤R}) 6, (8R. {R} C {Q ⇤ (P �⇣ R)})
ForwardsandBackwardsinSeparationAlgebra�24
• Idealworldseeminglyimpossible
• ByGaloisconnectionsanddualitieswegetaruleforforwardreasoning
ForwardReasoningIII
(8R. {P ⇤R} C {Q ⇤R}) , (8R. {R} C {Q ⇤ (P �⇣ R)})
(8R. {P ⇤R} C {Q ⇤R}) 6, (8R. {R} C {Q ⇤ (P �⇣ R)})
ForwardsandBackwardsinSeparationAlgebra
ForwardsReasoningIV
• allowsforwardsreasoningwithoutcalculatingtheframeineverystep
• supportedinIsabelle/HOL
• easypatterns(alternationbetweenimplicationandconjunction)allowautomatedsimplifications
• partialcorrectnessonly iffailureoccursanythingispossible
ForwardsandBackwardsinSeparationAlgebra
Problems, Excitements&OpenQuestions
�26
ForwardsandBackwardsinSeparationAlgebra�27
• introduceexplicitoneormanyfailurestates• alwaysdescribewhatactuallyoccurs
• requirements/wishes:• failedprogramexecutioncannotberecovered• failureisseparatefromfalse• usedincombinationwithHoarelogic• keepthealgebraicconnections• wecandeterminewhetherornotwesucceeded
GeneralisedCorrectness
{P} C {Q} , 8s. P (s) ! Q(C(s))
ForwardsandBackwardsinSeparationAlgebra�28
• assumptions:
• associativityislost(orno‘inverses’or)
• predicatesdefineapartialorder;wheredoessit
ASingleFailureElement
false ⇤ fail = false and P ⇤ fail = fail (P 6= false)
(P ⇤ P ) ⇤ fail = false ⇤ fail = false and
P ⇤ (P ⇤ fail) = P ⇤ fail = fail
false = fail
fail
if fail ) Pthen the weakening rule of Hoare logic is lost
ForwardsandBackwardsinSeparationAlgebra�29
• assumptions:
• theGaloisconnectionsarelost-stillgivesadecentmodel -notusefulforourapproachforforwardandbackwardsreasoning
• heapsdefineapartialorder;wheredoessit
ASingleFailureElement
P ⇤ fail = fail (for all P )
fail
if fail ) Pthen the weakening rule of Hoare logic is lost
ForwardsandBackwardsinSeparationAlgebra�30
• predicateissetofheaps(satisfyingpredicate)• addasingleelementtothisset
• basicallysameproblemsasbefore(evenwhenconsideringmoresophisticatedorderings,suchasEgli-Milner,Hoare,Plotkin,Smyth,…)
Failure‘Flag’forEverySet
ForwardsandBackwardsinSeparationAlgebra�31
• eachheapcarriesaflag• isomorphictopairsofsets
• similarproblemsasbefore• howeversomemodels‘work’
Failure‘Flag’forEveryHeap
ForwardsandBackwardsinSeparationAlgebra�31
• eachheapcarriesaflag• isomorphictopairsofsets
• similarproblemsasbefore• howeversomemodels‘work’
Failure‘Flag’forEveryHeap
ForwardsandBackwardsinSeparationAlgebra�32
• NewSeptractionoperatorforgrabbingresources
ExtendingtheModel
Old
New
s, h |= P �⇣ Q
, 9h2. h subheap of h2 and s, h2 � h |= P and s, h2 |= Q
, 9h1, h2. h1 |= P and s, h1 |= Q and
and h?h1, h2 = h+ h1
s, h |= P �⇣ Q
, 9h1, h2. h1 |= P and s, h1 |= Q and
if flag(h) then h?h1, h2 = h+ h1
else flag(h2) ! (flag(h1) ! h1?h2) ^ (flag(h) ! h?h2)
ForwardsandBackwardsinSeparationAlgebra�33
• newoperatorssatisfyGaloisconnectionsanddualities
• separationalgebraisidenticaltothe‘old’incaseofnofailure
• incaseoffailure,associativityofseparatingconjunctionislost• non-intuitivewhenfailureoccurs• doesnotcarryenoughinformation
ExtendingtheModel
P ⇤ Q P �⇤Q
P ⇤Q P �⇣ Q
dual
Galois
dual
Galois
ForwardsandBackwardsinSeparationAlgebra�34
• setsofpairsofheaps(beforewehadpairofsetsofheaps)• inspiredbytheconstructionofintegersoutofnaturalnumbers
• operations
NegativeHeaps
(2, 5) ⌘ �3 ⌘ (0, 3)
where h is a pair of heaps and ? heap reductions, h |= p �⇣ q , 9h1 : h?1 ? h? and s, h1 |= p and s, h [ h1 |= q
(p 7! v, emp) �⇣ (p 7! v, emp) = (emp, emp)(p 7! v, emp) �⇣ (emp, emp) ) (emp, p 7! v)
ForwardsandBackwardsinSeparationAlgebra�35
• butyoucannotsubtractaheaptwice
• canwehavesomethinglike
NegativeHeapsII
(p 7! v, emp) �⇣ (emp, p 7! v) = false
(p 7! v, emp) �⇣ (emp, p 7! v) = (emp, [p 7! v, p 7! v])
ForwardsandBackwardsinSeparationAlgebra�36
• frameworkfor backwardsreasoningusingweakestpreconditionsandforwardreasoningusingstrongestpostconditionsforpartial(andgeneralisedcorrectness)
• automation• basicexamplesdemonstrated
• addingfailuretoachievegeneralisedcorrectnessseemstolooseatleastonecrucialproperty
• generalisedcorrectnessisnotnice;canwedobetter?
Conclusion TheGood,theBad,theUgly