|
|
| Line 1: |
Line 1: |
| In [[computer science]], '''separation logic'''<ref name="lics02">[http://www.cs.cmu.edu/~jcr/seplogic.pdf Separation Logic: A Logic for Shared Mutable Data Structures.] John C. Reynolds. LICS 2002.</ref> is an extension of [[Hoare logic]], a way of reasoning about programs.
| | I would like to introduce myself to you, I am Andrew and my wife doesn't like it at all. One of the issues she loves most is canoeing and she's been performing it for quite a while. He is an information officer. I've always cherished residing in Kentucky but now I'm contemplating other choices.<br><br>My blog post: clairvoyant psychic - [http://c045.danah.co.kr/home/index.php?document_srl=1356970&mid=qna visit the next internet site], |
| It was developed by [[John C. Reynolds]], [[Peter O'Hearn]], Samin Ishtiaq and Hongseok Yang,<ref name="lics02" /><ref name="sl1999">Intuitionistic Reasoning about Shared Mutable Data Structure. John Reynolds. Millennial Perspectives in Computer Science, Proceedings of the 1999 Oxford-Microsoft Symposium in Honour of Sir Tony Hoare</ref><ref name="popl01">BI as an Assertion Language for Mutable Data Structures. Samin Ishtiaq, Peter O'Hearn. POPL 2001.</ref><ref name="csl01">[http://www.eecs.qmul.ac.uk/~ohearn/papers/localreasoning.pdf Local Reasoning about Programs that Alter Data Structures.] Peter O'Hearn, John Reynolds, Hongseok Yang. CSL 2001</ref> drawing upon early work by [[Rod Burstall]].<ref name="burstall">Some techniques for proving programs which alter data structures. R.M. Burstall. Machine Intelligence 7, 1972.</ref> The assertion language of separation logic is a special case of the [[logic of bunched implications]] (BI).<ref name="bi">The Logic of Bunched Implications P.W. O'Hearn and D. J. Pym. Bulletin of Symbolic Logic , 5(2), June 1999, pp215-244</ref>
| |
| | |
| Separation logic facilitates reasoning about:
| |
| | |
| * programs that manipulate pointer data structures — including [[information hiding]] in the presence of pointers;
| |
| * ''"transfer of ownership"'' (avoidance of semantic frame [[axiom]]s); and
| |
| * virtual separation (modular reasoning) between concurrent modules.
| |
| | |
| Separation logic supports the developing field of research described by [[Peter O'Hearn]] and others as ''local reasoning'', whereby specifications and proofs of a program component mention only the portion of memory used by the component, and not the entire global state of the system. Applications include automated [[program verification]] (where an [[algorithm]] checks the validity of another algorithm) and automated [[parallelization]] of software.
| |
| | |
| == Assertions: Operators and semantics ==
| |
| | |
| Separation logic assertions describe "states" consisting of a ''store'' and a ''heap'', roughly corresponding to the state of [[stack-based memory allocation|local (or ''stack-allocated'') variables]] and [[dynamic memory allocation|''dynamically-allocated'' objects]] in common programming languages such as [[C (programming language)|C]] and [[Java (programming language)|Java]]. A store <math>s</math> is a [[function (mathematics)|function]] mapping variables to values. A heap <math>h</math> is a [[partial function]] mapping memory addresses to values. Two heaps <math>h</math> and <math>h'</math> are ''disjoint'' (denoted <math>h \,\bot\, h'</math>) if their domains do not overlap (i.e., if for every memory address <math>\ell</math>, at least one of <math>h(\ell)</math> and <math>h'(\ell)</math> is undefined).
| |
| | |
| The logic allows to prove judgements of the form <math>s, h \models P</math>, where <math>s</math> is a store, <math>h</math> is a heap, and <math>P</math> is an ''assertion'' over the given store and heap. Separation logic assertions (denoted as <math>P</math>, <math>Q</math>, <math>R</math>) contain the standard boolean connectives and, in addition, <math>\mathbf{e}\mathbf{m}\mathbf{p}</math>, <math>e \mapsto e'</math>, <math>P \ast Q</math>, and <math>P {-\!\!\ast}\, Q</math>, where <math>e</math> and <math>e'</math> are expressions.
| |
| * The constant <math>\mathbf{e}\mathbf{m}\mathbf{p}</math> asserts that the heap is ''empty'', i.e., <math>s, h \models \mathbf{e}\mathbf{m}\mathbf{p}</math> when <math>h</math> is undefined for all addresses.
| |
| * The binary operator <math>\mapsto</math> takes an address and a value and asserts that the heap is defined at exactly one location, mapping the given address to the given value. I.e., <math>s, h \models e \mapsto e'</math> when <math>h([\![e]\!]_{s}) = [\![e']\!]_{s}</math> (where <math>[\![e]\!]_{s}</math> denotes the value of expression <math>e</math> evaluated in store <math>s</math>) and <math>h</math> is otherwise undefined.
| |
| * The binary operator <math>\ast</math> (pronounced ''star'' or ''separating conjunction'') asserts that the heap can be split into two ''disjoint'' parts where its two arguments hold, respectively. I.e., <math>s, h \models P \ast Q</math> when there exist <math>h_1, h_2</math> such that <math>h_1 \,\bot\, h_2</math> and <math>h = h_1 \cup h_2</math> and <math>s, h_1 \models P</math> and <math>s, h_2 \models Q</math>.
| |
| * The binary operator <math>-\!\!\ast</math> (pronounced ''magic wand'' or ''separating implication'') asserts that extending the heap with a disjoint part that satisfies its first argument results in a heap that satisfies its second argument. I.e,. <math>s, h \models P -\!\!\ast\, Q</math> when for every heap <math>h' \,\bot\, h</math> such that <math>s, h' \models P</math>, also <math>s, h \cup h' \models Q</math> holds.
| |
| | |
| The operators <math>\ast</math> and <math>-\!\!\ast</math> share some properties with the classical [[Logical Conjunction|conjunction]] and [[Entailment|implication]] operators. They can be combined using an inference rule similar to [[modus ponens]]
| |
| :<math>\frac{s, h \models P \ast (P -\!\!\ast\, Q)}{s, h \models Q}</math> | |
| and they form an [[adjunction (category theory)|adjunction]], i.e., <math>s, h \cup h' \models P \ast Q \Rightarrow R</math> if and only if <math>s, h \models P \Rightarrow Q -\!\!\ast\, R</math> for <math>h \,\bot\, h'</math>; more precisely, the adjoint operators are <math>\_ \ast Q </math> and <math>Q -\!\!\ast\, \_</math>.
| |
| | |
| ==Reasoning about programs: triples and proof rules==
| |
| | |
| In separation logic, Hoare triples have a slightly different meaning than in [[Hoare logic]]. The triple <math>\{P\}\ C\ \{Q\}</math> asserts that if the program, <math>C</math>, executes from an initial state satisfying the precondition, <math>P</math>, then the program will ''not go wrong'' (e.g., have undefined behaviour), and if it terminates, then the final state will satisfy the postcondition, <math>Q</math>. In essence, during its execution, <math>C</math> may access only memory locations whose existence is asserted in the precondition or that have been allocated by <math>C</math> itself.
| |
| | |
| In addition to the standard rules from [[Hoare logic]], separation logic supports the following very important rule:
| |
| | |
| <math>\frac{ \{P\}\ C\ \{Q\} }{ \{P \ast R\}\ C\ \{Q \ast R\} }~\mathsf{mod}(C) \cap \mathsf{fv}(R) =\emptyset</math>
| |
| | |
| This is known as the '''frame rule''' (named after the [[frame problem]]) and enables local reasoning. It says that a program that executes safely in a small state (satisfying <math>P</math>), can also execute in any bigger state (satisfying <math>P \ast R</math>) and that its execution will not affect the additional part of the state (and so <math>R</math> will remain true in the postcondition). The side condition enforces this by specifying that none of the variables modified by <math>C</math> occur free in <math>R</math>, i.e. none of them are in the 'free variable' set <math>\mathsf{fv}</math> of <math>R</math>.
| |
| | |
| ==Implementations==
| |
| The [[Ynot]] library for the [[Coq proof assistant]] contains an implementation.
| |
| | |
| ==References==
| |
| <references />
| |
| | |
| [[Category:Program logic]]
| |
| [[Category:Substructural logic]]
| |
| [[Category:Logic in computer science]]
| |
I would like to introduce myself to you, I am Andrew and my wife doesn't like it at all. One of the issues she loves most is canoeing and she's been performing it for quite a while. He is an information officer. I've always cherished residing in Kentucky but now I'm contemplating other choices.
My blog post: clairvoyant psychic - visit the next internet site,