1 – Langevin's twin paradox and the forwards and backwards ...
Backwards and Forwards in Separation Logic...Forwards and Backwards in Separation Algebra •...
Transcript of Backwards and Forwards in Separation Logic...Forwards and Backwards in Separation Algebra •...
www.data61.csiro.au
BackwardsandForwardsinSeparationLogicPeterHöfner(jointworkwithC.BannisterandG.Klein)May2018
ForwardsandBackwardsinSeparationAlgebra�2
• Hoaretriple• partialandtotalcorrectness• ifandthen
• strengtheningandweakening
• weakestprecondition
• similarforstrongestpostcondition
Floyd-HoareLogic(ForwardsandBackwards)
{P} C1 {Q}
{P} C1 {Q} {Q} C2 {R} {P} C1 ;C2 {R}
P2 ) P1 {P1} C {Q1} Q1 ) Q2
{P2} C {Q2}
wp(C,Q)wp(C1 ;C2, Q) = wp(C1, wp(C2, Q))
sp(C,P )
ForwardsandBackwardsinSeparationAlgebra�3
• extensiontoHoarelogic
• basedonseparationalgebrasofabstractheaps
• capturesthenotionofdisjointnessintheworld
SeparationLogic(Reynolds,O’Hearnetal.)
ForwardsandBackwardsinSeparationAlgebra�4
FrameRule
• is the ‘Frame’ – extending an environment with a disjoint portion
changes nothing – local reasoning – compositional
{P} C {Q}{P ⇤R} C {Q ⇤R} (mod(C) \ fv(R) = ;)
R
ForwardsandBackwardsinSeparationAlgebra
• wheresisastore,hisaheap,andPisanassertion overthegivenstoreandheap
�5
SeparationLogic(Reynolds,O’Hearnetal.)Motivation
s, h |= P
s, h |= P ⇤Q, 9h1, h2. h1 ? h2 and
h = h1 [ h2 and s, h1 |= P and s, h2 |= Q
P Q*
ForwardsandBackwardsinSeparationAlgebra�6
• problemwithframecalculation
• specification:
• assumethefollowingpreconditionforforwardreasoning-howtofindtheframe-situationgetsworseincaseotheroperatorsofseparationlogicareused
SeparationLogicII(ForwardsandBackwards)
{p 7! a ⇤ q 7! b} swap p q {p 7! b ⇤ q 7! a}
r 7! a ⇤ q 7! b ⇤ s 7! c ⇤ t 7! d ⇤ p 7! a
ForwardsandBackwardsinSeparationAlgebra
• separatingImplication– extendingbyPproducesQoverthecombination
• describesamappingbetweenheapsand‘holes’
�7
SeparatingImplicationMagicWand
s, h |= P �⇤Q , 8h0. (h0? h and s, h0 |= P )
implies s, h0 [ h |= Q
P �⇤Q
QP
ForwardsandBackwardsinSeparationAlgebra
• separationlogiccanbeliftedtoalgebra
• allowsabstractreasoning• transfersknowledge• idealforinteractiveandautomatedtheoremproving
�8
SeparationAlgebras
ForwardsandBackwardsinSeparationAlgebra
• modusponens
• currying/decurryingGaloisconnection (givesplentyofpropertiesforfree)
�9
ConjunctionversionImplication
Q ⇤ (Q�⇤P ) ) P
(P ⇤Q ) R) , (P ) Q�⇤R)
ForwardsandBackwardsinSeparationAlgebra�10
RelationshipsbetweenOperators
P ⇤ Q P �⇤Q
P ⇤Q P �⇣ Q
dual
Galois
dual
Galois
ForwardsandBackwardsinSeparationAlgebra
BackwardsReasoning(Recap)
• backwardreasoning/reasoninginweakestpreconditionstyle
• forgivenpostconditionandgivenprogram,determineweakestprecondition
• butwhataboutseparationlogicwhereframesoccur? (problemwithframecalculation)
{P ⇤R} C {Q ⇤R}
wp(C,Q)
�11
Q C
ForwardsandBackwardsinSeparationAlgebra
BackwardsReasoningII
• fromGaloisconnectionweget
• usedtotransformspecificationsforexample
{p 7! ⇤R} set ptr p v {p 7! v ⇤R}
(8R. {P ⇤R} C {Q ⇤R}) , (8R. {P ⇤ (Q�⇤R)} C {R})*
* only in a setting where there are no free variable exist (as in our Isabelle/HOL implementation)
�12
ForwardsandBackwardsinSeparationAlgebra
BackwardsReasoningII
• fromGaloisconnectionweget
• usedtotransformspecificationsforexample
{p 7! ⇤ (p 7! v�⇤R)} set ptr p v {R}
(8R. {P ⇤R} C {Q ⇤R}) , (8R. {P ⇤ (Q�⇤R)} C {R})*
* only in a setting where there are no free variable exist (as in our Isabelle/HOL implementation)
�12
ForwardsandBackwardsinSeparationAlgebra
BackwardsReasoningIII
• allowsfullbackwardsreasoningwithoutcalculatingtheframeineverystep
• supportedbyanIsabelle/HOL-framework
• easypatterns(alternationbetweenimplicationandconjunction)allowautomatedsimplifications
�13
ForwardsandBackwardsinSeparationAlgebra�15
• idealworld whereissomesubtractionoperator
ForwardReasoningII
(8R. {P ⇤R} C {Q ⇤R}) , (8R. {R} C {Q ⇤ (P �⇣ R)})
�⇣
ForwardsandBackwardsinSeparationAlgebra
MoreSeparationLogic
• thereisanotheroperatorintheliterature:septraction
• algebraically:
PQ
P �⇣ Q , ¬(P �⇤(¬Q))
s, h |= P �⇣ Q
, 9h2. h subheap of h2 and s, h2 � h |= P and s, h2 |= Q
�16
ForwardsandBackwardsinSeparationAlgebra�17
• idealworldseeminglyimpossible
• can’tdescribewhathappensincasewherepreconditiondoesn’thold
ForwardReasoningII
{emp} delete p {??}
(8R. {P ⇤R} C {Q ⇤R}) 6, (8R. {R} C {Q ⇤ (P �⇣ R)})
ForwardsandBackwardsinSeparationAlgebra
RelationshipsbetweenOperators
P ⇤ Q P �⇤Q
P ⇤Q P �⇣ Q
dual
Galois
dual
Galois
ForwardsandBackwardsinSeparationAlgebra
• removingproducesoverthereduction
• everytimewecanfindainourheap,therestoftheheapisa
�19
Separating‘Coimplication’MagicSnake
P ⇤Q , ¬(P ⇤ (¬Q))
s, h |= P ⇤ Q , 8h1 h2. (h1 ?h2 and h = h1 [ h2 and s, h1 |= P1)
implies s, h2 |= Q
P
P
Q
Q
PQ
ForwardsandBackwardsinSeparationAlgebra
•
• manypropertiescomeforfreefromtheGaloisconnection
�20
Separating‘Coimplication’MagicSnake
P ⇤Q , ¬(P ⇤ (¬Q))
(P �⇣ Q ) R) , (Q ) (P ⇤Q))
(Galois connection)
ForwardsandBackwardsinSeparationAlgebra
RelationshipsbetweenOperators(complete)
P ⇤ Q P �⇤Q
P ⇤Q P �⇣ Q
dual
Galois
dual
Galois
ForwardsandBackwardsinSeparationAlgebra
• notsatisfiedbyanysubheap
• specificationofdelete
�22
SpecificationswithSeparatingCoimplication
P ⇤ false
{p 7! ⇤R} delete p {R}
P
ForwardsandBackwardsinSeparationAlgebra�23
• Idealworldseeminglyimpossible
• Relaxspecifications/requirements
• anotherexample
BacktoForwardReasoning
{P ⇤R} C {Q ⇤R}
{p 7! ⇤R} set ptr p v {p 7! v ⇤R}
(8R. {P ⇤R} C {Q ⇤R}) 6, (8R. {R} C {Q ⇤ (P �⇣ R)})
ForwardsandBackwardsinSeparationAlgebra�24
• Idealworldseeminglyimpossible
• ByGaloisconnectionsanddualitieswegetaruleforforwardreasoning
ForwardReasoningIII
(8R. {P ⇤R} C {Q ⇤R}) , (8R. {R} C {Q ⇤ (P �⇣ R)})
(8R. {P ⇤R} C {Q ⇤R}) 6, (8R. {R} C {Q ⇤ (P �⇣ R)})
ForwardsandBackwardsinSeparationAlgebra
ForwardsReasoningIV
• allowsforwardsreasoningwithoutcalculatingtheframeineverystep
• supportedinIsabelle/HOL
• easypatterns(alternationbetweenimplicationandconjunction)allowautomatedsimplifications
• partialcorrectnessonly iffailureoccursanythingispossible
ForwardsandBackwardsinSeparationAlgebra
Problems, Excitements&OpenQuestions
�26
ForwardsandBackwardsinSeparationAlgebra�27
• introduceexplicitoneormanyfailurestates• alwaysdescribewhatactuallyoccurs
• requirements/wishes:• failedprogramexecutioncannotberecovered• failureisseparatefromfalse• usedincombinationwithHoarelogic• keepthealgebraicconnections• wecandeterminewhetherornotwesucceeded
GeneralisedCorrectness
{P} C {Q} , 8s. P (s) ! Q(C(s))
ForwardsandBackwardsinSeparationAlgebra�28
• assumptions:
• associativityislost(orno‘inverses’or)
• predicatesdefineapartialorder;wheredoessit
ASingleFailureElement
false ⇤ fail = false and P ⇤ fail = fail (P 6= false)
(P ⇤ P ) ⇤ fail = false ⇤ fail = false and
P ⇤ (P ⇤ fail) = P ⇤ fail = fail
false = fail
fail
if fail ) Pthen the weakening rule of Hoare logic is lost
ForwardsandBackwardsinSeparationAlgebra�29
• assumptions:
• theGaloisconnectionsarelost-stillgivesadecentmodel -notusefulforourapproachforforwardandbackwardsreasoning
• heapsdefineapartialorder;wheredoessit
ASingleFailureElement
P ⇤ fail = fail (for all P )
fail
if fail ) Pthen the weakening rule of Hoare logic is lost
ForwardsandBackwardsinSeparationAlgebra�30
• predicateissetofheaps(satisfyingpredicate)• addasingleelementtothisset
• basicallysameproblemsasbefore(evenwhenconsideringmoresophisticatedorderings,suchasEgli-Milner,Hoare,Plotkin,Smyth,…)
Failure‘Flag’forEverySet
ForwardsandBackwardsinSeparationAlgebra�31
• eachheapcarriesaflag• isomorphictopairsofsets
• similarproblemsasbefore• howeversomemodels‘work’
Failure‘Flag’forEveryHeap
ForwardsandBackwardsinSeparationAlgebra�31
• eachheapcarriesaflag• isomorphictopairsofsets
• similarproblemsasbefore• howeversomemodels‘work’
Failure‘Flag’forEveryHeap
ForwardsandBackwardsinSeparationAlgebra�32
• NewSeptractionoperatorforgrabbingresources
ExtendingtheModel
Old
New
s, h |= P �⇣ Q
, 9h2. h subheap of h2 and s, h2 � h |= P and s, h2 |= Q
, 9h1, h2. h1 |= P and s, h1 |= Q and
and h?h1, h2 = h+ h1
s, h |= P �⇣ Q
, 9h1, h2. h1 |= P and s, h1 |= Q and
if flag(h) then h?h1, h2 = h+ h1
else flag(h2) ! (flag(h1) ! h1?h2) ^ (flag(h) ! h?h2)
ForwardsandBackwardsinSeparationAlgebra�33
• newoperatorssatisfyGaloisconnectionsanddualities
• separationalgebraisidenticaltothe‘old’incaseofnofailure
• incaseoffailure,associativityofseparatingconjunctionislost• non-intuitivewhenfailureoccurs• doesnotcarryenoughinformation
ExtendingtheModel
P ⇤ Q P �⇤Q
P ⇤Q P �⇣ Q
dual
Galois
dual
Galois
ForwardsandBackwardsinSeparationAlgebra�34
• setsofpairsofheaps(beforewehadpairofsetsofheaps)• inspiredbytheconstructionofintegersoutofnaturalnumbers
• operations
NegativeHeaps
(2, 5) ⌘ �3 ⌘ (0, 3)
where h is a pair of heaps and ? heap reductions, h |= p �⇣ q , 9h1 : h?1 ? h? and s, h1 |= p and s, h [ h1 |= q
(p 7! v, emp) �⇣ (p 7! v, emp) = (emp, emp)(p 7! v, emp) �⇣ (emp, emp) ) (emp, p 7! v)
ForwardsandBackwardsinSeparationAlgebra�35
• butyoucannotsubtractaheaptwice
• canwehavesomethinglike
NegativeHeapsII
(p 7! v, emp) �⇣ (emp, p 7! v) = false
(p 7! v, emp) �⇣ (emp, p 7! v) = (emp, [p 7! v, p 7! v])
ForwardsandBackwardsinSeparationAlgebra�36
• frameworkfor backwardsreasoningusingweakestpreconditionsandforwardreasoningusingstrongestpostconditionsforpartial(andgeneralisedcorrectness)
• automation• basicexamplesdemonstrated
• addingfailuretoachievegeneralisedcorrectnessseemstolooseatleastonecrucialproperty
• generalisedcorrectnessisnotnice;canwedobetter?
Conclusion TheGood,theBad,theUgly