Background radiation equivalent time: Difference between revisions

In computer science, separation logic^[1] is an extension of Hoare logic, a way of reasoning about programs. It was developed by John C. Reynolds, Peter O'Hearn, Samin Ishtiaq and Hongseok Yang,^[1][2][3][4] drawing upon early work by Rod Burstall.^[5] The assertion language of separation logic is a special case of the logic of bunched implications (BI).^[6]

Separation logic facilitates reasoning about:

• programs that manipulate pointer data structures — including information hiding in the presence of pointers;
• "transfer of ownership" (avoidance of semantic frame axioms); and
• virtual separation (modular reasoning) between concurrent modules.

Separation logic supports the developing field of research described by Peter O'Hearn and others as local reasoning, whereby specifications and proofs of a program component mention only the portion of memory used by the component, and not the entire global state of the system. Applications include automated program verification (where an algorithm checks the validity of another algorithm) and automated parallelization of software.

Assertions: Operators and semantics

Separation logic assertions describe "states" consisting of a store and a heap, roughly corresponding to the state of local (or stack-allocated) variables and dynamically-allocated objects in common programming languages such as C and Java. A store ${\displaystyle s}$ is a function mapping variables to values. A heap ${\displaystyle h}$ is a partial function mapping memory addresses to values. Two heaps ${\displaystyle h}$ and ${\displaystyle h^{\prime }}$ are disjoint (denoted ${\displaystyle h\mathrm{\perp }{h}^{\prime }}$) if their domains do not overlap (i.e., if for every memory address ${\displaystyle \ell }$, at least one of ${\displaystyle h(\ell )}$ and ${\displaystyle h^{\prime }(\ell )}$ is undefined).

The logic allows to prove judgements of the form ${\displaystyle s,h\models P}$, where ${\displaystyle s}$ is a store, ${\displaystyle h}$ is a heap, and ${\displaystyle P}$ is an assertion over the given store and heap. Separation logic assertions (denoted as ${\displaystyle P}$, ${\displaystyle Q}$, ${\displaystyle R}$) contain the standard boolean connectives and, in addition, ${\displaystyle \mathbf{e}\mathbf{m}\mathbf{p}}$, ${\displaystyle e\mapsto e^{\prime }}$, ${\displaystyle P\ast Q}$, and ${\displaystyle P-\ast Q}$, where ${\displaystyle e}$ and ${\displaystyle e^{\prime }}$ are expressions.

• The constant ${\displaystyle \mathbf{e}\mathbf{m}\mathbf{p}}$ asserts that the heap is empty, i.e., ${\displaystyle s,h\models \mathbf{e}\mathbf{m}\mathbf{p}}$ when ${\displaystyle h}$ is undefined for all addresses.
• The binary operator ${\displaystyle \mapsto }$ takes an address and a value and asserts that the heap is defined at exactly one location, mapping the given address to the given value. I.e., ${\displaystyle s,h\models e\mapsto e^{\prime }}$ when ${\displaystyle h([[e]{]}_s)=[[e^{\prime }]{]}_s}$ (where ${\displaystyle [[e]{]}_s}$ denotes the value of expression ${\displaystyle e}$ evaluated in store ${\displaystyle s}$) and ${\displaystyle h}$ is otherwise undefined.
• The binary operator ${\displaystyle \ast }$ (pronounced star or separating conjunction) asserts that the heap can be split into two disjoint parts where its two arguments hold, respectively. I.e., ${\displaystyle s,h\models P\ast Q}$ when there exist ${\displaystyle h_1,h_2}$ such that ${\displaystyle h_1\mathrm{\perp }{h}_2}$ and ${\displaystyle h=h_1\cup h_2}$ and ${\displaystyle s,h_1\models P}$ and ${\displaystyle s,h_2\models Q}$.
• The binary operator ${\displaystyle -\ast }$ (pronounced magic wand or separating implication) asserts that extending the heap with a disjoint part that satisfies its first argument results in a heap that satisfies its second argument. I.e,. ${\displaystyle s,h\models P-\ast Q}$ when for every heap ${\displaystyle h^{\prime }\mathrm{\perp }h}$ such that ${\displaystyle s,h^{\prime }\models P}$, also ${\displaystyle s,h\cup h^{\prime }\models Q}$ holds.

The operators ${\displaystyle \ast }$ and ${\displaystyle -\ast }$ share some properties with the classical conjunction and implication operators. They can be combined using an inference rule similar to modus ponens

${\displaystyle \frac{s,h\models P\ast (P-\ast Q)}{s,h\models Q}}$

and they form an adjunction, i.e., ${\displaystyle s,h\cup h^{\prime }\models P\ast Q\Rightarrow R}$ if and only if ${\displaystyle s,h\models P\Rightarrow Q-\ast R}$ for ${\displaystyle h\mathrm{\perp }{h}^{\prime }}$; more precisely, the adjoint operators are ${\displaystyle \_\ast Q}$ and ${\displaystyle Q-\ast \_}$.

Reasoning about programs: triples and proof rules

In separation logic, Hoare triples have a slightly different meaning than in Hoare logic. The triple ${\displaystyle \{P\}C\{Q\}}$ asserts that if the program, ${\displaystyle C}$, executes from an initial state satisfying the precondition, ${\displaystyle P}$, then the program will not go wrong (e.g., have undefined behaviour), and if it terminates, then the final state will satisfy the postcondition, ${\displaystyle Q}$. In essence, during its execution, ${\displaystyle C}$ may access only memory locations whose existence is asserted in the precondition or that have been allocated by ${\displaystyle C}$ itself.

In addition to the standard rules from Hoare logic, separation logic supports the following very important rule:

${\displaystyle \frac{\{P\}C\{Q\}}{\{P\ast R\}C\{Q\ast R\}}\mathsf{m}\mathsf{o}\mathsf{d}(C)\cap \mathsf{f}\mathsf{v}(R)=\mathrm{\varnothing }}$

This is known as the frame rule (named after the frame problem) and enables local reasoning. It says that a program that executes safely in a small state (satisfying ${\displaystyle P}$), can also execute in any bigger state (satisfying ${\displaystyle P\ast R}$) and that its execution will not affect the additional part of the state (and so ${\displaystyle R}$ will remain true in the postcondition). The side condition enforces this by specifying that none of the variables modified by ${\displaystyle C}$ occur free in ${\displaystyle R}$, i.e. none of them are in the 'free variable' set ${\displaystyle \mathsf{f}\mathsf{v}}$ of ${\displaystyle R}$.

Implementations

The Ynot library for the Coq proof assistant contains an implementation.

References