An Introduction to Separation Logic,and the Benefits of going Higher-order
(A Tutorial)
Lars Birkedal
Logic and Semantics GroupDept. of Comp. Science, Aarhus University
April 2013
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 1 / 39
Separation Logic
Program Logic a la Hoare Logic for reasoning about programswith pointers (or references to shared mutable data) [Reynolds,O’Hearn, . . ., 2000+]Main feature: it facilitates modular reasoning, formalized viaso-called frame rule, using a connective called separatingconjunction.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 2 / 39
Hoare Logic - a recap
Programming Language: imperative while-languageAssertion Language: first-order logic w. equalitySpecifications for partial correctness:
{P}C{Q}if s P and C, s → s′, then s′ Q.
Rules for deriving specifications (including rules for first-orderlogic).
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 3 / 39
Separation Logic
Programming Language: as before but now with C-like pointersSpecifications for partial correctness:
{P}C{Q}if s,h P and C, s,h→ s′,h′, then s′,h′ Q.
Assertion Language: first-order logic w. equality + BI connectives:s,h emp iff h is the empty heaps,h x 7→ 5 iff h is the singleton heap with one location s(x) withvalue 5.s,h P ∗Q iff h can be split into h1 and h2, with disjoint domains,such that s,h1 P and s,h2 Q.s,h P −−∗ Q iff . . ..
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 4 / 39
Examples of “small” axioms
{x 7→ −}dispose(x){emp}
{x 7→ −}[x ] := e{x 7→ e}
Modular Reasoning via Frame Rule:{P}C {Q}
{P ∗ R}C {Q ∗ R}(assuming Mod(C) ∩ FV (R) = ∅).
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 5 / 39
Example: in-place list reversal
Linked list of cons-cells.Program: reverse =
j := nil; while i != nil do (k:=[i+1]; [i+1]:=j; j:=i; i:=k)
Local specification:
{list(α, i)} reverse {list(rev(α), j)}
where list(α, i) is def’ by ind. on sequence α:
list([], i) def= i = nil ∧ emp
list(n :: α, i) def= ∃j . i 7→ (n, j) ∗ list(α, j).
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 6 / 39
Example: in-place list reversal, II
Points to notice:Local reasoning: the precondition list(α, i) only describes resourcesneeded by reverse (the footprint of reverse)Having proved local spec, frame rule gives, e.g.:
{list(α, i) ∗ list(β, k)} reverse {list(rev(α), j) ∗ list(β, k)}
Hence we can (re-)use the specification in larger contexts.
In summa: standard separation logic makes it easy to reasonabout pointer programs when we can find some way to separatedata structures into disjoint parts.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 7 / 39
Example: Cheney’s Copying GC
2
3 4 5
root
1 2
(1)
scan free maxFreeoffset
UFINFIN
BUSY
UFWD
FWD
· · ·FREE
NEW
OLD
[Torp-Smith, Birkedal, Reynolds, POPL’2004]
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 8 / 39
Model and Soundness
a set [[Val]] interpreting the type Val of valuesa set [[Loc]] of locations such that [[Loc]] ⊆ [[Val]]a set H = [[Loc]] ⇀fin [[Val]] of heaps (finite partial functions)partial binary operation ∗ on heaps:
h1 ∗ h2 =
{h1 ∪ h2 if h1#h2undefined otherwise,
where h1#h2 iff Dom(h1) ∩ Dom(h2) = ∅Given stack s : Var ⇀fin [[Val]], terms interpreted as usual:
[[x ]]s = s(x)[[n]]s = [[n]][[t1 ± t2]]s = [[t1]]s ± [[t2]]s. . .
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 9 / 39
Interpretation of assertions
s,h |= φ, where FV (φ) ⊆ Dom(s):
s,h |= t1 = t2 iff [[t1]]s = [[t2]]ss,h |= t1 7→ t2 iff Dom(h) = {[[t1]]s} and h([[t1]]s) = [[t2]]ss,h |= emp iff h = ∅s,h |= > alwayss,h |= ⊥ nevers,h |= φ ∗ ψ iff there exists h1,h2 ∈ H such that h1 ∗ h2 = h and
s,h1 |= φ and s,h2 |= ψs,h |= φ −−∗ ψ iff for all h′,h′#h and s,h′ |= φ implies s,h ∗ h′ |= ψs,h |= φ ∨ ψ iff s,h |= φ or s,h |= ψs,h |= φ ∧ ψ iff s,h |= φ and s,h |= ψs,h |= φ→ ψ iff s,h |= φ implies s,h |= ψs,h |= ∀x .φ iff for all v ∈ [[Val]], s[x 7→ v ],h |= φs,h |= ∃x .φ iff there exists v ∈ [[Val]], such that s[x 7→ v ],h |= φ
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 10 / 39
Sound Proof Rules
Standard predicate logic + rules from bunched implications:
(φ ∗ ψ) ∗ θ `Γ φ ∗ (ψ ∗ θ) φ ∗ (ψ ∗ θ) `Γ (φ ∗ ψ) ∗ θ
`Γ φ↔ φ ∗ emp φ ∗ ψ `Γ ψ ∗ φ
φ `Γ ψ θ `Γ ω
φ ∗ θ `Γ ψ ∗ ωφ ∗ ψ `Γ θ
φ `Γ ψ −−∗ θ
BI, a substructural logic, related to linear logic.See [O’Hearn, Pym: The Logic of Bunched Implications, BSL1999]
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 11 / 39
Specification logic
[[∆l ; ∆p ` {P} c {Q}]](sl) ⇐⇒
∀sp ∈ [[∆p]].∀h ∈ [[∆l ,∆p ` P]](sl , sp).
(c, sp,h) is safe ∧
(c, sp,h) ⇓ (s′p,h′) ⇒ h′ ∈ [[∆ ` Q]](sl , s′p)
[[∆l ; ∆p ` ∀x :τ. δ]](sl) ⇐⇒
[[∆l ; ∆p ` δ]](sl)[x 7→v ]) for all v ∈ [[τ ]].
. . .
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 12 / 39
Proof RulesJudgements of form ∆l ; ∆p | Γ ` δ, with logical variables ∆l , programvariables ∆p, specification logic assumptions Γ, and specification logicformula δ.Rules for commands, e.g.,
∆l ; ∆p | Γ ` {E 7→ −} [E ] := E ′{E 7→ E ′}Rule of Consequence:
∆l ; ∆p ` P → P ′ ∆l ; ∆p | Γ ` {P ′} c {Q′} ∆l ; ∆p ` Q′ → Q∆l ; ∆p | Γ | Γ ` {P} c {Q}
Frame Rule:∆l ; ∆p ` {P} c{Q}
∆l ; ∆p | Γ ` {P ∗ R} c {Q ∗ R} Mod(c) ∩ FV (R) = ∅
Forall Rule:∆l , x :τ ; ∆p | Γ ` δ∆l ; ∆p | Γ ` ∀x :τ. δ
x 6∈ FV (Γ)
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 13 / 39
Soundness of proof rules
In traditional separation logic:Mostly straightforward.Frame rule relies on properties of operational semanticsSafety Monotonicity For all c, s, h, if (c, s,h) is safe, then for all
heaps h′ s.t. h′#h, (c, s,h ∗ h′) is also safe.Frame Property For all c, s, h, if (c, s,h) is safe and h′#h, then
(c, s,h ∗ h′) ⇓ (s′,h′′), implies that there is h0 disjointfrom h′ such that h′′ = h0 ∗ h′ and (c, s,h) ⇓ (s′,h0).(relies on nondeterministic memory allocation).
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 14 / 39
Variations
Intuitionistic models (assertions upwards closed wrt. heapextension) for languages with no explicit deallocation.Permission models (fractions, etc.) for more fine-grained notionsof separation, allowing multiple readers of same location.. . .
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 15 / 39
Modular Reasoning for Modules
Let us call separation logic as above for first-order separation logicand the frame rule for first-order frame rule.As we have seen, first-order separation logic provides modularreasoning for first-order programs.What about second-order or higher-order programs ?(programming languages with some kind of module facility).Example: a program that uses a stack module.Ideally, a client of a stack module should not know about how thestack module is implemented.So seek logic that supports reasoning about clients withoutrevealing info about module implementation.Two lines of development
higher-order separation logic supporting data abstractionseparation logic with higher-order frame rules for hiding
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 16 / 39
Higher-Order Separation Logic ExampleStack ADT
stackspec =∃α : Type.∃inv : α× N list→ Prop.
{emp}new() {s : α. inv(s, [])} ×∀s : α.∀x : N.∀l : N list{inv(s, l)}push(s, x) {inv(s, x :: l)} ×∀s : α.∀x : N.∀l : N list{inv(s, x :: l)}pop(s){y : N. inv(s, l) ∧ y = x}.
Modularity: clients can use the spec without knowing anythingabout how the stack is implemented (since abstract in the invpredicate).Different stack implementations can meet this spec.Presented at ESOP 2005 [Biering, Birkedal, Torp-Smith](second-order (“abstract predicates”) version independently byParkinson-Biermann, POPL 2005, for OO language)
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 17 / 39
Models of HOSL: BI-Hyperdoctrines
Focus first on extending the assertion logic to higher-order logic.As suggested by the example, have in mind many-typedformulation with
τ ::= Val | . . . | 1 | τ × τ | τ → τ | Prop
Seek an approach that covers the many variations needed inapplications.So let’s pause and think about abstract models of higher-orderlogic.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 18 / 39
BI Hyperdoctrines — OverviewA hyperdoctrine is a categorical formalization of a model ofpredicate logic [Lawvere 1969]. Sound and complete for IHOL.Toposes also sound and complete for IHOL.BI Hyperdoctrines sound and complete for IHOL + BI
Hyperdoctrine
Toposes
Sub_E(−)
BI−Hyperdoctrine
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 19 / 39
First-order Hyperdoctrines, I
Let C be a category with finite products. A first-order hyperdoctrine Pover C is a contravariant functor P : Cop → Poset s.t.:
Each P(X ) is a Heyting algebra.Each P(f ) : P(Y )→ P(X ) is a Heyting algebra homomorphism.There is an element =X of P(X × X ) satisfying that for allA ∈ P(X × X ),
> ≤ P(∆X )(A) iff =X≤ A.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 20 / 39
First-order Hyperdoctrines, II
For each product projection π : Γ× X → Γ in C,P(π) : P(Γ)→ P(Γ× X ) has both a left adjoint (∃X )Γ and a rightadjoint (∀X )Γ:
A ≤ P(π)(A′) if and only if (∃X )Γ(A) ≤ A′
P(π)(A′) ≤ A if and only if A′ ≤ (∀X )Γ(A).
Natural in Γ.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 21 / 39
Interpretation in Hyperdoctrines
Types and terms interpreted by objects and morphisms of CEach formula φ with free variables in Γ is interpreted as aP-predicate [[φ]] ∈ P([[Γ]]) by induction on the structure of φ usingdefinining properties of hyperdoctrine.A formula φ with free variables in Γ is satisfied if [[φ]] is > in P([[Γ]]).Sound and complete for intuitionistic predicate logic.A first-order hyperdoctrine is sound for classical predicate logic incase all the fibres P(X ) are Boolean algebras and all thereindexing functions P(f ) are Boolean algebra homomorphisms.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 22 / 39
Hyperdoctrines
A (general) hyperdoctrine is a first-order hyperdoctrine with thefollowing additional properties:C is cartesian closed; andthere is H ∈ C and a natural bijection ΘX : Obj(P(X )) ' C(X ,H).
Cartesian closure interprets higher types.Type of propositions is interpreted by H.
Basic Example:C = SetP(X ) = Sub(X ).H = 2
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 23 / 39
BI Hyperdoctrines
Recall: A BI algebra is a Heyting algebra, which has an additionalsymmetric monoidal closed structure (emp, ∗, −−∗) (i.e., satisfyingthe rules shown earlier).Define: A first-order hyperdoctrine P over C is a first-order BIhyperdoctrine in case
all the fibres P(X ) are BI algebras, andall the reindexing functions P(f ) are BI algebra homomorphisms
Likewise for general BI hyperdoctrines.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 24 / 39
First-Order Predicate BI
Predicate logic with equality extended with emp, φ ∗ ψ, φ −−∗ ψsatisfying the rules shown earlier.Theorem The interpretation of first-order predicate BI is soundand complete.Also for classical predicate BI, of courseHigher-order Predicate BI
Higher-order predicate logic extended with BI as above.BI hyperdoctrines sound and complete class of models.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 25 / 39
Example of BI hyperdoctrine
Let B be a complete BI algebra. Define Set-indexed BI hyperdoctrine:P(X ) = BX , functions from X to B, ordered pointwiseFor f : X → Y , P(f ) : BY → BX is comp. with f .=X (x , x ′) is > if x = x ′, otherwise ⊥.Quantification: for A ∈ BΓ×X
(∃X )Γ(A)def= λi ∈ Γ.
∨x∈X A(i , x)
(∀X )Γ(A)def= λi ∈ Γ.
∧x∈X A(i , x)
in BΓ.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 26 / 39
Toposes and BI Hyperdoctrines
Earlier work showed how to use some toposes to modelpropostional BI (SubE(1) is a BI-algebra, for certain E)Toposes model (higher-order) predicate logic, since SubE is ahyperdoctrine.But, surprise, we cannot interpret predicate BI in toposes:
Theorem Let E be a topos and suppose SubE : Eop → Poset is a BIhyperdoctrine. Then the BI structure on each lattice SubE(X ) is trivial,i.e., for all ϕ,ψ ∈ SubE(X ), ϕ ∗ ψ ↔ ϕ ∧ ψ.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 27 / 39
Separation Logic as a BI Hyp.
P(H) is a complete Boolean BI algebra, ordered by inclusion.Let S be the BI hyperdoctrine induced by the complete Boolean BIalgebraTheorem h ∈ [[φ]](v1, . . . , vn) iff [x1 7→ v1, . . . , xn 7→ vn],h φ.(also works for other models of separation logic, e.g., intuitionisticand permissions models)The BI hyperdoctrine S also gives a model of higher-orderseparation logic, with P(H) the set of truth values.Really, we have only talked about the assertion logic of separationlogic.But, since types and terms in the specification logic areinterpreted as sets, and P(H) is a set, we can also quantify overProp in the specification logic, as used in the stack example.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 28 / 39
Applications of HOSL
Data abstraction, cf. stack example from above.Formalization of separation logic
applications (e.g., proof of Cheney GC) used various extensions ofseparation logic, with relations, trees, etc.point is that they are all definable in higher-order logic, no need forad-hoc extensions:Let 2 = {⊥,>}. There is a canonical map ι : 2→ P(H). Sayφ : X → P(H) is pure if there is a map χφ : X → 2 s.t. φ = ι ◦ χφ.The sub-logic of pure predicates is simply the standard classicalhigher-order logic of Set.Allows to use classical higher-order logic for defining lists, trees,etc.In particular, recursive definitions of predicates, earlier done at themeta-level, can now be done inside the higher-order logic itself.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 29 / 39
HOSL Applications, II
Logical characterizations of classes of formulas, e.g.,Traditional definition of a precise: q is precise iff, for s,h, there isat most one subheap h0 of h such that s,h0 q.Prop. q is precise iff
∀p1,p2 : Prop. (p1 ∗ q) ∧ (p2 ∗ q)→ (p1 ∧ p2) ∗ q
is valid in the BI hyperdoctrine S.Thus: can make logical proofs about precise formulas.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 30 / 39
HOSL Applications, III
(Returning to program proving applications)General (generic / polymorphic) specifications and proofs ofpolymorphic programsParameterized list predicate:
plist(P, [], i) def= i = nil ∧ emp
plist(P, x :: β, i) def= ∃j . i 7→ (x , j) ∗ P(x) ∗ plist(P, β, j)
Generic specification:
β : seqInt ` ∀P : PropInt . {plist(P, β, i)} reverse {plist(P, β†, j)},
Point: one general spec (hence one proof of implementation code)that can be instantiated at will by clients.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 31 / 39
Higher-Order Frame Rules (a sketch)
Hiding the resource invariant.Abstract stack spec:
stackspec =∀P : N→ Prop.
∀x : N.{P(x)}push(x) {emp} ∧{emp}pop(){r : 1 + N. (∃n. r = inr(n)→ P(n)) ∧
(r = inl(∗)→ emp)}.
Proof of client relative to abstract spec:
stackspec ` client
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 32 / 39
Apply HO-frame rule:
(stackspec ` client)⊗ inv
Inferstackspec⊗ inv ` client⊗ inv
and then distribute inv over pre- and post-conditions in stackspecto get
{P(x) ∗ inv}push(x) {emp ∗inv} ∧{emp ∗inv}pop(){r : 1 + N. (∃n. r = inr(n)→ P(n) ∗ inv) ∧
(r = inl(∗)→ emp ∗inv)}.}
that matches an implementation with resource invariant inv .
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 33 / 39
Analogy and references
HOSL approach: polymorphic typesHOFR approach: subtyping(analogy not formalized)Second-order frame rule [O’Hearn, Yang, Reynolds, POPL 2004]Higher-order frame rules [Birkedal, Torp-Smith, Yang, LICS 2005]For recent account for higher-order language, withbells-and-whistles, see [Schwinghammer, Birkedal, Pottier, Reus,Stovring, Yang: A step-indexed Kripke model of hidden state.Mathematical Structures in Computer Science 23(1): 1-54 (2013)]HOFR also useful for structuring reasoning about assembly code,see [Jensen, Benton, Kennedy: High-level Separation Logic forLow-level Code, POPL-2013]
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 34 / 39
What is involved in models of HOFR ?
Two technical points regarding models of HOFR that have proveduseful elsewhere.
1 For prog. lang. with higher-order function: how to express thatprograms behave “locally” (safety monotonicity and frame property)?
We do not, we just require that all proved programs satisfy the framerule (bake it in to the interpretation). Analogous to how parametricmodels of System F are constructed. First done in [LICS 2005] papermentioned above.
2 Hiding / HOFR rule done via Kripke model (world consists of thehidden resources that programs should preserve).
With higher-order store, the set of worlds is recursively defined inCBUlt (see [Birkedal et. al.: Step-Indexed Kripke Models overRecursive Worlds, POPL’2011] and [MSCS-2013] paper mentionedabove).
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 35 / 39
Recursion / Step-Indexing
Need some mathematical technique to establish soundness ofproof rules for recursive functions.For instance, domain theory or step-indexing.Omitted today (step-indexing will be discussed in talk onThursday).
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 36 / 39
Views
(a glimpse)General framework for compositional reasoning aboutconcurrencyFraming and compositionality for thread-local reasoning capturedvia ∗.Instances cover (concurrent) separation logic, rely-guarantee,combinations of separation logic and rely-guarantee, e.g.,concurrent abstract predicates. Also Kripke models of typesystems.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 37 / 39
Separation Logic instance of Views(disregarding stacks for notational simplicity):
View = P(Σ), Σ = H separation algebra.Concrete machine states S = H, heaps.Reification map: I : View → P(S), I = h 7→ {h}.Semantics of triples {p} c {q}:
∀r ∈ View .∀x ∈ p ∗ r . ∀s ∈ I(x).c, s ⇓ s′ ⇒∃y ∈ q ∗ r . s′ ∈ I(y)
Observe:Quantification over frames (“baking-in” the frame rule).Standard operational semantics.
Instrumented states in Views as needed for logical reasoning.Reference: [Dinsdale-Young, Birkedal, Gardner, Parkinson, Yang:Views: Compositional Reasoning for Concurrency. POPL-2013]
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 38 / 39
Summary
First-order standard separationg logic for modular reasoning “inthe small”Higher-order separation / higher-order frame rules for modularreasoning “in the large” (for programs composed of modules)Mostly an overviewBut some details about how to construct models, which can be ofhelp when looking at the literature, both “old style” and “new style”.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 39 / 39
Thank you for your attention.
Lars Birkedal (AU) Separation Logic Tutorial IRIT Seminar, Toulouse 40 / 39