Using Hoare logic we can derive statements like this, which capture the specification of the function that increments a variable:
{ x = n } inc(x) { x = n + 1}
We'd like to be able to use such statements to construct proofs of statements
that involve procedures like inc()
, defined as follows:
{x = n ∧ y = m } inc(x); inc(y); {x = n+1 ∧ y = m+1}
The problem is that we need an intermediate proposition that is stronger than
what the specification for inc()
gives us directly. One approach is to somehow
say that things other than x
aren't modified by the first increment.
There have been a number of attempts to extend the logic to support modular reasoning about heaps and procedures. Of these, separation logic is probably the most popular.
Separation logic has a similar structure to Hoare logic, but the meaning of {P}c{Q} is different. Semantically, ∀h1, ∀h2, if P(h1), then running c in heap (h1 ⨄ h2) yields a heap h3 = h4 ⨄ h2 where Q(h4). Note that by ⨄ here we mean disjoint union.
Specifications in separation logic generally have the following syntax:
emp the heap is empty x ↦ v the heap contains a single mapping from x to v P * Q * is the _separating conjunction_ of separation logic. Holds on heap h = h1 ⨄ h2 where P(h1) and Q(h2). P ∧ Q Usual semantics P -* Q The "magic wand" implication. Idea: a heap satisfies it if it satisfies Q when extended with some disjoint heap that satisfies P. This is useful for weakest preconditions.
This is nice because the rules for assignment, consequence etc. still hold:
{x ↦ _ } x := v { x ↦ v}
just like in standard Hoare Logic.
Require Import Eqdep.Require Import List. Set Implicit Arguments. Axiom proof_irrelevance : forall (P:Prop) (H1 H2:P), H1 = H2.
In this lecture, we will develop a separation logic for reasoning about imperative Coq programs. Separation logic gives us a crucial principle for modularly reasoning about programs -- the frame rule.
Module FunctionalSepIMP. Definition ptr := nat. Definition ptr_eq := PeanoNat.Nat.eq_dec. Definition le_gt_dec := Arith.Compare_dec.le_gt_dec.
As a demonstration, let's fix the universe of storable types by giving some names to a few standard types as well as an interpretation.
Inductive stype : Set := | Nat_t : stype | Pair_t : stype -> stype -> stype | Sum_t : stype -> stype -> stype | Fn_t : stype -> stype -> stype.decide equality. Defined. Fixpoint interp(t:stype) : Set := (match t with | Nat_t => nat | Pair_t t1 t2 => (interp t1) * (interp t2) | Sum_t t1 t2 => (interp t1) + (interp t2) | Fn_t t1 t2 => (interp t1) -> (interp t2) end)%type.t1, t2: stype{t1 = t2} + {t1 <> t2}
We're going to need to store dynamic values -- a pair of an stype t
and a
value of type interp t
Definition dynamic := sigT interp.
We will continue to use lists of pointers and values as the model for heaps. However, to support an easy definition of disjoint union, we will impose the additional constraint that the list is sorted in (strictly) increasing order. It's possible to capture this constraint by defining heaps as a sigma type, where we include a proof that the heap is sorted. That makes some things easier (e.g., arguing that disjoint union is commutative) but makes other things harder. For example, equality on sigmas would demand we need to compare proofs, and use proof-irrelevance. To avoid this we can put in well-formedness constraints in just the right places.
Definition heap := list (ptr * dynamic). Definition empty_heap : heap := nil.
Here is a predicate which says that each pointer in h
is greater than x
Fixpoint list_greater (x:ptr) (h:heap) : Prop := match h with | nil => True | (y,v)::h' => x < y /\ list_greater x h' end.
A heap is well-formed if each pointer is less than the rest of the heap, and the rest of the heap is well-formed.
Fixpoint wf (h:heap) : Prop := match h with | nil => True | (x,v)::h' => list_greater x h' /\ wf h' end. Fixpoint indom (x:ptr) (h:heap) : Prop := match h with | nil => False | (y,_)::h' => if ptr_eq x y then True else indom x h' end.
A pointer x
is fresh for h
when it's not in the domain of h
Definition fresh x (h:heap) : Prop := ~ indom x h.
Here are standard lookup
and remove
functions on heaps.
Fixpoint lookup (x:ptr) (h:heap) : option dynamic := match h with | nil => None | (y,v)::h' => if ptr_eq x y then Some v else lookup x h' end. Fixpoint remove (x:ptr) (h:heap) : heap := match h with | nil => nil | (y,v)::h' => if ptr_eq x y then h' else (y,v)::(remove x h') end.
Two heaps are disjoint when each pointer in h1
is fresh for h2
Fixpoint disjoint (h1 h2:heap) : Prop := match h1 with | nil => True | (x,_)::h1' => ~indom x h2 /\ disjoint h1' h2 end.
To insert
into a heap, we use insertion sort.
Fixpoint insert (x:nat) (v:dynamic) (h:heap) : heap := match h with | nil => (x,v)::nil | (y,w)::h' => if le_gt_dec x y then (x,v)::(y,w)::h' else (y,w)::(insert x v h') end.
We can merge two heaps using our insert
Definition merge (h1 h2:heap) : heap := List.fold_right (fun p h => insert (fst p) (snd p) h) h2 h1.
As in earlier lectures, we model commands via shallow embedding and using a monad. That is, a command takes a heap and returns an optional heap and a result.
Definition Cmd(t:Type) := heap -> option(heap * t). Definition ret t (x:t) : Cmd t := fun h => Some (h,x). Definition exit t : Cmd t := fun h => None. Definition bind t u (c:Cmd t) (f:t -> Cmd u) : Cmd u := fun h1 => match c h1 with | None => None | Some (h2,v) => f v h2 end. Declare Scope cmd_scope.
We introduce some notation similar to Haskell's "do" notation.
Notation "x <- c ; f" := (bind c (fun x => f)) (right associativity, at level 84) : cmd_scope. Notation "c ;; f" := (bind c (fun _:unit => f)) (right associativity, at level 84) : cmd_scope. Local Open Scope cmd_scope. Definition run(t:Type)(c:Cmd t) := c empty_heap.
The untyped read operation returns a dynamic value.
Definition untyped_read (p:ptr) : Cmd dynamic := fun h => match lookup p h with | None => None | Some u => Some (h,u) end.
This abbreviation may look funny (since we don't use t
), but it will make it
easier for Coq to figure out the stype
at which we're using things. Note
that this is a little misleading because in general, a ptr
can map to a
value of any stype!
Definition tptr (t:stype) := ptr.
The typed read operation first does an untyped read, and then checks that the
matches what we expected, failing if not, and returning the underlying
value otherwise.
H: Q
H0: forall h : heap, wf h -> R h -> P h
h: heap
H1: wf h
H2: R hexists h1 h2 : heap, wf h1 /\ wf h2 /\ (h1 = nil /\ Q) /\ P h2 /\ h = merge h1 h2 /\ (fix disjoint (h0 h3 : heap) {struct h0} : Prop := match h0 with | nil => True | (x, _) :: h1' => ~ indom x h3 /\ disjoint h1' h3 end) h1 h2P, R: hprop
Q: Prop
H: Q
H0: forall h : heap, wf h -> R h -> P h
h: heap
H1: wf h
H2: R hexists h2 : heap, wf empty_heap /\ wf h2 /\ (empty_heap = nil /\ Q) /\ P h2 /\ h = merge empty_heap h2 /\ (fix disjoint (h1 h0 : heap) {struct h1} : Prop := match h1 with | nil => True | (x, _) :: h1' => ~ indom x h0 /\ disjoint h1' h0 end) empty_heap h2mysimp. Qed. Hint Resolve pure_elim : sep_db.P, R: hprop
Q: Prop
H: Q
H0: forall h : heap, wf h -> R h -> P h
h: heap
H1: wf h
H2: R hwf empty_heap /\ wf h /\ (empty_heap = nil /\ Q) /\ P h /\ h = merge empty_heap h /\ (fix disjoint (h1 h2 : heap) {struct h1} : Prop := match h1 with | nil => True | (x, _) :: h1' => ~ indom x h2 /\ disjoint h1' h2 end) empty_heap hP, Q, R: hpropP ==> Q ** R -> P ==> R ** QP, Q, R: hpropP ==> Q ** R -> P ==> R ** QP, Q, R: hprop
H: P ==> Q ** RP ==> R ** Qapply star_comm ; auto. Qed.P, Q, R: hprop
H: P ==> Q ** R
h: heap
Hwf: wf h
HP: P h(R ** Q) hforall P : hprop, P ==> Pauto. Qed. Hint Resolve himp_id : sep_db.forall (P : hprop) (h : heap), wf h -> P h -> P hforall (t : stype) (x : tptr t) (v : interp t), x --> v ==> x -->?forall (t : stype) (x : tptr t) (v : interp t) (h : heap), wf h -> h = (x, existT interp t v) :: nil -> exists x0 : dynamic, h = (x, x0) :: nilt: stype
x: tptr t
v: interp t
h: heap
H: wf h
H0: h = (x, existT interp t v) :: nilexists x0 : dynamic, h = (x, x0) :: nilauto. Qed. Hint Resolve ptsto_ptsto_some : sep_db.t: stype
x: tptr t
v: interp t
h: heap
H: wf h
H0: h = (x, existT interp t v) :: nilh = (x, existT interp t v) :: nilforall P Q R : hprop, P ** Q ==> R -> Q ** P ==> Rforall P Q R : hprop, P ** Q ==> R -> Q ** P ==> RP, Q, R: hprop
This little tactic helps prove things are disjoint:
This lemma will help me simplify some reasoning involving existentials.
In separation logic, a total correctness assertion:
[{{ P }} c {{ Q }}]
holds iff (1) we start with a heap h
that can be broken into two parts, one that satisfies P
and another satisfying sing h2
for some h2, (2) we run the command c
on heap h
and get out Some
heap h'
and value v
, and (3) the output heap h'
satisfies Q v ** sing h2
. That is, the output heap can be broken into two disjoint heaps, one satisfying Q v
, and one satisfying sing h2
This effectively forces the command to be parametric in some part of the heap (h2
) and leave it alone. In turn, this means that if we have proven a separate property about h2
, this property will be preserved when we run c
Definition sep_tc_triple(t:Type) (P:hprop)(c:Cmd t)(Q:t -> hprop) := forall h h2, (P ** sing h2) h -> match c h with | None => False | Some (h',v) => (Q v ** sing h2) h' end. Notation "{{ P }} c {{ Q }}" := (sep_tc_triple P c Q) (at level 90) : cmd_scope.
Lots of definitions to be unwound...
Ltac unf := unfold sep_tc_triple, star, hexists, pure, emp, sing.
This says that ret v
can be run in a heap satisfying emp
and returns a heap satisfying emp
and the return value is equal to v. But remember that this really means that ret
can be run in any heap h
that can be broken into a portion satisfying emp
(i.e., the empty heap and some other heap (which must be h
!) and that the other portion will be preserved. In short, the specification captures the fact that ret
will not change the heap.
This is one possible proof rule for bind
. Basically, we require that the post-condition of the first command implies the pre-condition of the second command.
The great part is that now if we have a property on some disjoint part of the state, say p2 --> n2, then after calling inc, we are guaranteed that property is preserved via the frame rule.
H: forall h h2 : heap, (exists h1 h3 : heap, wf h1 /\ wf h3 /\ P1 h1 /\ h2 = h3 /\ h = merge h1 h3 /\ disjoint h1 h3) -> match c h with | Some (h', v) => exists h1 h3 : heap, wf h1 /\ wf h3 /\ Q1 v h1 /\ h2 = h3 /\ h' = merge h1 h3 /\ disjoint h1 h3 | None => False end
H7: disjoint x x0match match c (merge x x0) with | Some (h2, v) => f v h2 | None => None end with | Some (h', v) => exists h1 h2 : heap, wf h1 /\ wf h2 /\ Q2 v h1 /\ x0 = h2 /\ h' = merge h1 h2 /\ disjoint h1 h2 | None => False endT1, T2: Type
P1: hprop
P1: hprop
P1: hprop
P1: hprop
P1: hprop
P1: hprop
P1: hprop
P1: hprop
P1: hprop
h: heap
H10: disjoint x1 x2match f t h with | Some (h', v) => exists h1 h2 : heap, wf h1 /\ wf h2 /\ Q2 v h1 /\ x0 = h2 /\ h' = merge h1 h2 /\ disjoint h1 h2 | None => False endT1, T2: Type
P1: hprop
H10: disjoint x1 x2match f t (merge x1 x2) with | Some (h', v) => exists h1 h2 : heap, wf h1 /\ wf h2 /\ Q2 v h1 /\ x2 = h2 /\ h' = merge h1 h2 /\ disjoint h1 h2 | None => False end -> match f t (merge x1 x2) with | Some (h', v) => exists h1 h2 : heap, wf h1 /\ wf h2 /\ Q2 v h1 /\ x2 = h2 /\ h' = merge h1 h2 /\ disjoint h1 h2 | None => False endauto. Qed. Arguments bind_tc {T1 T2 P1 Q1 P2 Q2 c f}.T1, T2: Type
And we also have a rule of consequence which allows us to strengthen the pre-condition and weaken the post-condition. Note however, that this will not allow us to "forget" any locations in our footprint.
This is a specialization of consequence that is a little more useful.
This is a specialization of consequence that is a little more useful.
Finally, this is the most important rule and the one we lacked with Hoare logic: If {{ P }} c {{ Q }}
, then also {{ P ** R }} c {{ Q ** R }}
. That is, properties such as R
which are disjoint from the footprint are preserved when we run the command.
H12: disjoint x x0merge x (merge x2 x0) = merge (merge x x2) x0
Following are a few examples that illustrate the use of Separation Logic.
Definition inc(p:tptr Nat_t) := v <- read p ; write p (1 + v).
The next definition says that if we start in a state where p
holds n
then after running inc, we do not fail and get into a state
where p
holds 1+n
. Notice that it's rather delicate to
hang on to the fact that the value read out is equal to n
. If
we used binary post-conditions (a relation on both the input heap
and output heap), this wouldn't be necessary.
The great part is that now if we have a property on some disjoint
part of the state, say p2 --> n2
, then after calling inc
, we
are guaranteed that property is preserved via the frame rule.
Here is a function to swap the contents of two pointers.
Definition swap(t:stype)(p1 p2:tptr t) := v1 <- read p1 ; v2 <- read p2 ; write p2 v1 ;; write p1 v2.
Alas, reasoning isn't quite as simple as we might hope. We have to not only put in the right uses of the frame and consequence rules, but we must also so a lot of commuting and re-associating to discharge the verification conditions. For Ynot, Adam Chlipala wrote an Ltac tactic that mostly took care of this sort of simple reasoning. And Gonthier et al. have done some nice work showing how to use type-classes or canonical-structures to automate a lot of this sort of thing. Below, we'll see you an alternative technique based on reflection.
Our goal will be to build a Coq function that can simplify a separation implication P ==> Q
and prove that function correct. One simple strategy is to flatten out all of the stars and cross off all of the simple predicates that appear in both P
and Q
But of course, we can't just crawl over an hprop
because in general, these are functions! So our trick is to write down some syntax that represents a particular predicate, and then give an interpretation that maps that syntax back to our real predicate. Then we can compute with the syntax.
The Quote library should help us with this, but alas, it's not as clever as we might hope it would be...
Definition hprop_name := nat. Definition hprop_map := list (hprop_name * hprop). Definition hprop_name_eq := PeanoNat.Nat.eq_dec.
We begin by giving a basic syntax for predicates. Atom
will be used to represent things like abstract predicates (e.g., a variable P
) or a points-to-predicate etc. We'll use an environment to map an hprop_name
to the real hprop
Inductive Hprop : Set := | Emp : Hprop | Atom : hprop_name -> Hprop | Star : Hprop -> Hprop -> Hprop. Infix "#" := Star (right associativity, at level 80) : sep_scope. Fixpoint lookup_hprop (n:hprop_name) (hp:hprop_map) := match hp with | nil => (pure False) | (m,P)::rest => if hprop_name_eq n m then P else lookup_hprop n rest end. Section HINTERP.
We'll assume we have an hprop_map lying around.
lying around.
Variable hmap : hprop_map.
Now we given an interpretation to the syntax for predicates:
Fixpoint hinterp (hp:Hprop) : hprop := match hp with | Emp => emp | Atom n => lookup_hprop n hmap | Star h1 h2 => star (hinterp h1) (hinterp h2) end.
We can flatten a predicate into a list of hprop_name
Fixpoint flatten (hp:Hprop) : list hprop_name := match hp with | Emp => nil | Atom n => n::nil | Star h1 h2 => (flatten h1) ++ (flatten h2) end.
This function removes exactly one copy of n
, an hprop_name
, from the input list, returning None
if we fail to find a copy of n
Fixpoint remove_one(n:hprop_name)(hps : list hprop_name) :option (list hprop_name) := match hps with | nil => None | (m::rest) => if hprop_name_eq n m then Some rest else match remove_one n rest with | None => None | Some hps' => Some (m::hps') end end.
This is the heart of our simplification algorithm. Here, we are running through the list of names hp1
, trying to cross off each one that occurs in hp2
. If the current name doesn't occur, we add it to the end of hp0
so that we can keep track of it. That is, our invariant at each step should be that hp0 ** hp1 ==> hp2
once we map the list back to an hprop
Fixpoint simplify (hp0 hp1 hp2:list hprop_name) := match hp1 with | nil => (hp0,hp2) | (n::hp1') => match remove_one n hp2 with | Some hp2' => simplify hp0 hp1' hp2' | None => simplify (hp0 ++ n::nil) hp1' hp2 end end.
Convert a list of names back into an hprop
Definition collapse := List.fold_right (fun n p => Star (Atom n) p) Emp.
Convert a list of names into an hprop
Definition interp_list := List.fold_right (fun n p => (lookup_hprop n hmap) ** p) emp.
Our cross-off algorithm takes two hprop
, flattens them into lists of names, simplifies the two lists by crossing off common names, and then returns the two hprop
we get by collapsing the resulting simplified lists.
The following are various lemmas needed to reason about the interpretation of the syntax.
hp1, hp2: list hprop_namematch remove_one n hp1 with | Some hp1' =>