www.data61.csiro.au

BackwardsandForwardsinSeparationLogicPeterHöfner(jointworkwithC.BannisterandG.Klein)May2018

ForwardsandBackwardsinSeparationAlgebra�2

• Hoaretriple• partialandtotalcorrectness• ifandthen

• strengtheningandweakening

• weakestprecondition

• similarforstrongestpostcondition

Floyd-HoareLogic(ForwardsandBackwards)

{P} C1 {Q}

{P} C1 {Q} {Q} C2 {R} {P} C1 ;C2 {R}

P2 ) P1 {P1} C {Q1} Q1 ) Q2

{P2} C {Q2}

wp(C,Q)wp(C1 ;C2, Q) = wp(C1, wp(C2, Q))

sp(C,P )

ForwardsandBackwardsinSeparationAlgebra�3

• extensiontoHoarelogic

• basedonseparationalgebrasofabstractheaps

• capturesthenotionofdisjointnessintheworld

SeparationLogic(Reynolds,O’Hearnetal.)

ForwardsandBackwardsinSeparationAlgebra�4

FrameRule

• is the ‘Frame’ – extending an environment with a disjoint portion

changes nothing – local reasoning – compositional

{P} C {Q}{P ⇤R} C {Q ⇤R} (mod(C) \ fv(R) = ;)

R

ForwardsandBackwardsinSeparationAlgebra

• wheresisastore,hisaheap,andPisanassertion overthegivenstoreandheap

�5

SeparationLogic(Reynolds,O’Hearnetal.)Motivation

s, h |= P

s, h |= P ⇤Q, 9h1, h2. h1 ? h2 and

h = h1 [ h2 and s, h1 |= P and s, h2 |= Q

P Q*

ForwardsandBackwardsinSeparationAlgebra�6

• problemwithframecalculation

• specification:

• assumethefollowingpreconditionforforwardreasoning-howtofindtheframe-situationgetsworseincaseotheroperatorsofseparationlogicareused

SeparationLogicII(ForwardsandBackwards)

{p 7! a ⇤ q 7! b} swap p q {p 7! b ⇤ q 7! a}

r 7! a ⇤ q 7! b ⇤ s 7! c ⇤ t 7! d ⇤ p 7! a

ForwardsandBackwardsinSeparationAlgebra

• separatingImplication– extendingbyPproducesQoverthecombination

• describesamappingbetweenheapsand‘holes’

�7

SeparatingImplicationMagicWand

s, h |= P �⇤Q , 8h0. (h0? h and s, h0 |= P )

implies s, h0 [ h |= Q

P �⇤Q

QP

ForwardsandBackwardsinSeparationAlgebra

• separationlogiccanbeliftedtoalgebra

• allowsabstractreasoning• transfersknowledge• idealforinteractiveandautomatedtheoremproving

�8

SeparationAlgebras

ForwardsandBackwardsinSeparationAlgebra

• modusponens

• currying/decurryingGaloisconnection (givesplentyofpropertiesforfree)

�9

ConjunctionversionImplication

Q ⇤ (Q�⇤P ) ) P

(P ⇤Q ) R) , (P ) Q�⇤R)

ForwardsandBackwardsinSeparationAlgebra�10

RelationshipsbetweenOperators

P ⇤ Q P �⇤Q

P ⇤Q P �⇣ Q

dual

Galois

dual

Galois

ForwardsandBackwardsinSeparationAlgebra

BackwardsReasoning(Recap)

• backwardreasoning/reasoninginweakestpreconditionstyle

• forgivenpostconditionandgivenprogram,determineweakestprecondition

• butwhataboutseparationlogicwhereframesoccur? (problemwithframecalculation)

{P ⇤R} C {Q ⇤R}

wp(C,Q)

�11

Q C

ForwardsandBackwardsinSeparationAlgebra

BackwardsReasoningII

• fromGaloisconnectionweget

• usedtotransformspecificationsforexample

{p 7! ⇤R} set ptr p v {p 7! v ⇤R}

(8R. {P ⇤R} C {Q ⇤R}) , (8R. {P ⇤ (Q�⇤R)} C {R})*

* only in a setting where there are no free variable exist (as in our Isabelle/HOL implementation)

�12

ForwardsandBackwardsinSeparationAlgebra

BackwardsReasoningII

• fromGaloisconnectionweget

• usedtotransformspecificationsforexample

{p 7! ⇤ (p 7! v�⇤R)} set ptr p v {R}

(8R. {P ⇤R} C {Q ⇤R}) , (8R. {P ⇤ (Q�⇤R)} C {R})*

* only in a setting where there are no free variable exist (as in our Isabelle/HOL implementation)

�12

ForwardsandBackwardsinSeparationAlgebra

BackwardsReasoningIII

• allowsfullbackwardsreasoningwithoutcalculatingtheframeineverystep

• supportedbyanIsabelle/HOL-framework

• easypatterns(alternationbetweenimplicationandconjunction)allowautomatedsimplifications

�13

ForwardsandBackwardsinSeparationAlgebra�15

• idealworld whereissomesubtractionoperator

ForwardReasoningII

(8R. {P ⇤R} C {Q ⇤R}) , (8R. {R} C {Q ⇤ (P �⇣ R)})

�⇣

ForwardsandBackwardsinSeparationAlgebra

MoreSeparationLogic

• thereisanotheroperatorintheliterature:septraction

• algebraically:

PQ

P �⇣ Q , ¬(P �⇤(¬Q))

s, h |= P �⇣ Q

, 9h2. h subheap of h2 and s, h2 � h |= P and s, h2 |= Q

�16

ForwardsandBackwardsinSeparationAlgebra�17

• idealworldseeminglyimpossible

• can’tdescribewhathappensincasewherepreconditiondoesn’thold

ForwardReasoningII

{emp} delete p {??}

(8R. {P ⇤R} C {Q ⇤R}) 6, (8R. {R} C {Q ⇤ (P �⇣ R)})

ForwardsandBackwardsinSeparationAlgebra

RelationshipsbetweenOperators

P ⇤ Q P �⇤Q

P ⇤Q P �⇣ Q

dual

Galois

dual

Galois

ForwardsandBackwardsinSeparationAlgebra

• removingproducesoverthereduction

• everytimewecanfindainourheap,therestoftheheapisa

�19

Separating‘Coimplication’MagicSnake

P ⇤Q , ¬(P ⇤ (¬Q))

s, h |= P ⇤ Q , 8h1 h2. (h1 ?h2 and h = h1 [ h2 and s, h1 |= P1)

implies s, h2 |= Q

P

P

Q

Q

PQ

ForwardsandBackwardsinSeparationAlgebra

•

• manypropertiescomeforfreefromtheGaloisconnection

�20

Separating‘Coimplication’MagicSnake

P ⇤Q , ¬(P ⇤ (¬Q))

(P �⇣ Q ) R) , (Q ) (P ⇤Q))

(Galois connection)

ForwardsandBackwardsinSeparationAlgebra

RelationshipsbetweenOperators(complete)

P ⇤ Q P �⇤Q

P ⇤Q P �⇣ Q

dual

Galois

dual

Galois

ForwardsandBackwardsinSeparationAlgebra

• notsatisfiedbyanysubheap

• specificationofdelete

�22

SpecificationswithSeparatingCoimplication

P ⇤ false

{p 7! ⇤R} delete p {R}

P

ForwardsandBackwardsinSeparationAlgebra�23

• Idealworldseeminglyimpossible

• Relaxspecifications/requirements

• anotherexample

BacktoForwardReasoning

{P ⇤R} C {Q ⇤R}

{p 7! ⇤R} set ptr p v {p 7! v ⇤R}

(8R. {P ⇤R} C {Q ⇤R}) 6, (8R. {R} C {Q ⇤ (P �⇣ R)})

ForwardsandBackwardsinSeparationAlgebra�24

• Idealworldseeminglyimpossible

• ByGaloisconnectionsanddualitieswegetaruleforforwardreasoning

ForwardReasoningIII

(8R. {P ⇤R} C {Q ⇤R}) , (8R. {R} C {Q ⇤ (P �⇣ R)})

(8R. {P ⇤R} C {Q ⇤R}) 6, (8R. {R} C {Q ⇤ (P �⇣ R)})

ForwardsandBackwardsinSeparationAlgebra

ForwardsReasoningIV

• allowsforwardsreasoningwithoutcalculatingtheframeineverystep

• supportedinIsabelle/HOL

• easypatterns(alternationbetweenimplicationandconjunction)allowautomatedsimplifications

• partialcorrectnessonly iffailureoccursanythingispossible

ForwardsandBackwardsinSeparationAlgebra

Problems, Excitements&OpenQuestions

�26

ForwardsandBackwardsinSeparationAlgebra�27

• introduceexplicitoneormanyfailurestates• alwaysdescribewhatactuallyoccurs

• requirements/wishes:• failedprogramexecutioncannotberecovered• failureisseparatefromfalse• usedincombinationwithHoarelogic• keepthealgebraicconnections• wecandeterminewhetherornotwesucceeded

GeneralisedCorrectness

{P} C {Q} , 8s. P (s) ! Q(C(s))

ForwardsandBackwardsinSeparationAlgebra�28

• assumptions:

• associativityislost(orno‘inverses’or)

• predicatesdefineapartialorder;wheredoessit

ASingleFailureElement

false ⇤ fail = false and P ⇤ fail = fail (P 6= false)

(P ⇤ P ) ⇤ fail = false ⇤ fail = false and

P ⇤ (P ⇤ fail) = P ⇤ fail = fail

false = fail

fail

if fail ) Pthen the weakening rule of Hoare logic is lost

ForwardsandBackwardsinSeparationAlgebra�29

• assumptions:

• theGaloisconnectionsarelost-stillgivesadecentmodel -notusefulforourapproachforforwardandbackwardsreasoning

• heapsdefineapartialorder;wheredoessit

ASingleFailureElement

P ⇤ fail = fail (for all P )

fail

if fail ) Pthen the weakening rule of Hoare logic is lost

ForwardsandBackwardsinSeparationAlgebra�30

• predicateissetofheaps(satisfyingpredicate)• addasingleelementtothisset

• basicallysameproblemsasbefore(evenwhenconsideringmoresophisticatedorderings,suchasEgli-Milner,Hoare,Plotkin,Smyth,…)

Failure‘Flag’forEverySet

ForwardsandBackwardsinSeparationAlgebra�31

• eachheapcarriesaflag• isomorphictopairsofsets

• similarproblemsasbefore• howeversomemodels‘work’

Failure‘Flag’forEveryHeap

ForwardsandBackwardsinSeparationAlgebra�31

• eachheapcarriesaflag• isomorphictopairsofsets

• similarproblemsasbefore• howeversomemodels‘work’

Failure‘Flag’forEveryHeap

ForwardsandBackwardsinSeparationAlgebra�32

• NewSeptractionoperatorforgrabbingresources

ExtendingtheModel

Old

New

s, h |= P �⇣ Q

, 9h2. h subheap of h2 and s, h2 � h |= P and s, h2 |= Q

, 9h1, h2. h1 |= P and s, h1 |= Q and

and h?h1, h2 = h+ h1

s, h |= P �⇣ Q

, 9h1, h2. h1 |= P and s, h1 |= Q and

if flag(h) then h?h1, h2 = h+ h1

else flag(h2) ! (flag(h1) ! h1?h2) ^ (flag(h) ! h?h2)

ForwardsandBackwardsinSeparationAlgebra�33

• newoperatorssatisfyGaloisconnectionsanddualities

• separationalgebraisidenticaltothe‘old’incaseofnofailure

• incaseoffailure,associativityofseparatingconjunctionislost• non-intuitivewhenfailureoccurs• doesnotcarryenoughinformation

ExtendingtheModel

P ⇤ Q P �⇤Q

P ⇤Q P �⇣ Q

dual

Galois

dual

Galois

ForwardsandBackwardsinSeparationAlgebra�34

• setsofpairsofheaps(beforewehadpairofsetsofheaps)• inspiredbytheconstructionofintegersoutofnaturalnumbers

• operations

NegativeHeaps

(2, 5) ⌘ �3 ⌘ (0, 3)

where h is a pair of heaps and ? heap reductions, h |= p �⇣ q , 9h1 : h?1 ? h? and s, h1 |= p and s, h [ h1 |= q

(p 7! v, emp) �⇣ (p 7! v, emp) = (emp, emp)(p 7! v, emp) �⇣ (emp, emp) ) (emp, p 7! v)

ForwardsandBackwardsinSeparationAlgebra�35

• butyoucannotsubtractaheaptwice

• canwehavesomethinglike

NegativeHeapsII

(p 7! v, emp) �⇣ (emp, p 7! v) = false

(p 7! v, emp) �⇣ (emp, p 7! v) = (emp, [p 7! v, p 7! v])

ForwardsandBackwardsinSeparationAlgebra�36

• frameworkfor backwardsreasoningusingweakestpreconditionsandforwardreasoningusingstrongestpostconditionsforpartial(andgeneralisedcorrectness)

• automation• basicexamplesdemonstrated

• addingfailuretoachievegeneralisedcorrectnessseemstolooseatleastonecrucialproperty

• generalisedcorrectnessisnotnice;canwedobetter?

Conclusion TheGood,theBad,theUgly

www.csiro.au

ThankyouData61PeterHöfner

t+61294905861epeter.hoefner@data61.csiro.auwwww.data61.csiro.au