Proof Search for Propositional Abstract Separation Logics via Labelled Sequents
Zhé Hóu (1), Ranald Clouston (1), Rajeev Goré (1), and Alwen Tiu (2)
(1) The Australian National University; (2) Nanyang Technological University
January 22, 2014
Background: reasoning about programs that alter data structures
In C++, we can write:
    ...; y = 5; x = &y; *x = 10; ...
Programming in this style can be very confusing, and verifying such programs is also hard. Separation logic [Reynolds 2002] provides a way to reason about such programs:
    Stores: Var → Value
    Heaps: Addr ⇀fin Value
Pointers can be expressed explicitly: define h ∈ Heaps, s ∈ Stores with s(x) = &y, s(y) = 5, so that (s, h) ⊩ x ↦ y.
Two basic operations, ∗ and −∗, allow us to:
    split a heap: (x ↦ y) ∗ (x′ ↦ y′)
    extend a heap: (w ↦ z) −∗ P
    express more complex things, e.g., (((1 ↦ 5) ∗ (2 ↦ 6)) −∗ ⊥) → ((1 ↦ 5) −∗ ((2 ↦ 6) −∗ ⊥))
Separation logic
There have been so many separation logics that it has become a "recipe" [Jensen 2013]:
    choose a programming language;
    design an assertion logic;
    design a specification logic.
People then sought abstractions: e.g., [Calcagno, O'Hearn, Yang 2007] defined a separation algebra as a cancellative, partial, commutative monoid. But now there are many variations on this theme of separation algebra...
Separation algebras
    Identity: ∀a ∈ M, a ◦ ε = a.
    Commutativity: ∀a, b ∈ M, a ◦ b = b ◦ a.
    Associativity: ∀a, b, c ∈ M, a ◦ (b ◦ c) = (a ◦ b) ◦ c.
    Partial-determinism: ∀a, b, c, d ∈ M, c, d ∈ a ◦ b ⇒ c = d.
    Total-determinism: ∀a, b ∈ M, ∃c ∈ M s.t. a ◦ b = c.
    Cancellativity: ∀a, b, c ∈ M, a ◦ b = a ◦ c ⇒ b = c.
    Indivisible unit: ∀a, b ∈ M, a ◦ b = ε ⇒ a = ε.
    Disjointness: ∀a, b ∈ M, a ◦ a = b ⇒ a = ε.
    Splittability: ∀a ≠ ε ∈ M, ∃b ≠ ε, c ≠ ε ∈ M s.t. b ◦ c = a.
    Cross-split: ∀a, b, c, d ∈ M, a ◦ b = c ◦ d ⇒ ∃u, v, x, y ∈ M s.t. u ◦ v = a, x ◦ y = b, u ◦ x = c, and v ◦ y = d.
Propositional Abstract Separation Logics
Our base logic PASL is defined on Calcagno et al.'s separation algebra, with the syntax of Boolean BI.
    Concrete formula: (((1 ↦ 5) ∗ (2 ↦ 6)) −∗ ⊥) → ((1 ↦ 5) −∗ ((2 ↦ 6) −∗ ⊥))
    Abstract formula: ((p ∗ q) −∗ ⊥) → (p −∗ (q −∗ ⊥))
By adding and/or removing certain conditions on the monoid, we obtain a framework of variants of PASL, hence the plural in the title. The following problems have been open since 2007:
    How to determine whether a formula is valid in PASL?
    What if the formula is not valid?
    How about the validity problem for a variant of PASL?
    Can we do all this in a modular way?
Our answers, at the top level...
How to determine whether a formula is valid in PASL?
    We give a sequent-style proof system for PASL, called LSPASL. We can easily obtain the following results for this system:
    Soundness: the system is correct w.r.t. the semantics of PASL.
    Cut-elimination: (backward) proof search can be systematic.
What if the formula is not valid?
    The difficulty: since PASL is not axiomatisable, cut-elimination doesn't give us completeness. We prove completeness by a quite complicated counter-model construction.
    Completeness: if a formula is not provable, we can find a counter-model.
How about the validity problem for a variant of PASL? Can we do all this in a modular way?
    Modularity: our proof system can easily be extended or tailored to handle many (not all) other variants of PASL.
Boolean BI
Syntax: F := p | ⊤ | ⊥ | F ∧ F | F → F | ⊤∗ | F ∗ F | F −∗ F
Semantics: a non-deterministic monoid (M, ◦, ε): a set M, a binary operator ◦, a unit ε.
    m ⊩ P iff P ∈ Var and m ∈ v(P)
    m ⊩ ⊥ iff never
    m ⊩ ⊤ iff always
    m ⊩ A ∨ B iff m ⊩ A or m ⊩ B
    m ⊩ A ∧ B iff m ⊩ A and m ⊩ B
    m ⊩ ¬A iff m ⊮ A
    m ⊩ A → B iff m ⊮ A or m ⊩ B
    m ⊩ ⊤∗ iff m = ε
    m ⊩ A ∗ B iff ∃a, b.(a ◦ b = m and a ⊩ A and b ⊩ B)
    m ⊩ A −∗ B iff ∀a, b.((m ◦ a = b and a ⊩ A) implies b ⊩ B)
Conditions for ◦
    Identity: ∀a ∈ M, a ◦ ε = a.
    Commutativity: ∀a, b ∈ M, a ◦ b = b ◦ a.
    Associativity: ∀a, b, c ∈ M, a ◦ (b ◦ c) = (a ◦ b) ◦ c.
    Partial-determinism: ∀a, b, c, d ∈ M, c, d ∈ a ◦ b ⇒ c = d.
    Total-determinism: ∀a, b ∈ M, ∃c ∈ M s.t. a ◦ b = c.
    Cancellativity: ∀a, b, c ∈ M, a ◦ b = a ◦ c ⇒ b = c.
    Indivisible unit: ∀a, b ∈ M, a ◦ b = ε ⇒ a = ε.
    Disjointness: ∀a, b ∈ M, a ◦ a = b ⇒ a = ε.
    Splittability: ∀a ≠ ε ∈ M, ∃b ≠ ε, c ≠ ε ∈ M s.t. b ◦ c = a.
    Cross-split: ∀a, b, c, d ∈ M, a ◦ b = c ◦ d ⇒ ∃u, v, x, y ∈ M s.t. u ◦ v = a, x ◦ y = b, u ◦ x = c, and v ◦ y = d.
Attempt to refute a formula semantically: ((p ∗ q) −∗ ⊥) → (p −∗ (q −∗ ⊥))
Prove by contradiction: pick an arbitrary element h0 of the monoid and suppose h0 ⊩ (p ∗ q) −∗ ⊥ but h0 ⊮ p −∗ (q −∗ ⊥).
Recall: m ⊩ A −∗ B iff ∀a, b.((m ◦ a = b and a ⊩ A) implies b ⊩ B). Hence:
    h0 ⊮ p −∗ (q −∗ ⊥) iff ∃h1, h2.((h0 ◦ h1 = h2 and h1 ⊩ p) and h2 ⊮ (q −∗ ⊥))
    h2 ⊮ q −∗ ⊥ iff ∃h3, h4.((h2 ◦ h3 = h4 and h3 ⊩ q) and h4 ⊮ ⊥)
By associativity and commutativity of ◦ there is an h5 with h1 ◦ h3 = h5 and h5 ◦ h0 = h4.
Recall: m ⊩ A ∗ B iff ∃a, b.(a ◦ b = m and a ⊩ A and b ⊩ B). Hence:
    h5 ⊩ p ∗ q iff ∃h1, h3.(h1 ◦ h3 = h5 and h1 ⊩ p and h3 ⊩ q)
So h5 ⊩ p ∗ q and h0 ◦ h5 = h4, and from h0 ⊩ (p ∗ q) −∗ ⊥ we get h4 ⊩ ⊥. Contradiction!
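As an added illustration, not code from the paper or its prover: a brute-force model checker that evaluates the Boolean BI forcing clauses above over a small finite heap model, and runs the semantic refutation of the running example ((p ∗ q) −∗ ⊥) → (p −∗ (q −∗ ⊥)) by checking every heap. The toy address and value spaces, the heap model and the valuation V are constructed here; the condition checks at the end are the separation-algebra conditions listed on the slides, tested on that model.

```python
# Added example (not from the paper): brute-force model checking of Boolean BI
# formulas over a finite heap-like separation algebra, following the forcing
# clauses on the Boolean BI slide. Heaps are frozensets of (address, value) cells
# with distinct addresses; a o b is their union when the domains are disjoint and
# undefined otherwise (comp returns the empty set), as in Reynolds' model.
from itertools import combinations
ADDRS, VALS = (1, 2), (5, 6)   # constructed toy address and value spaces
EMPTY = frozenset()            # the unit epsilon: the empty heap
def all_heaps():
    cells = [(a, v) for a in ADDRS for v in VALS]
    return {frozenset(cs) for k in range(len(ADDRS) + 1)
            for cs in combinations(cells, k)
            if len({a for a, _ in cs}) == k}   # at most one value per address
M = all_heaps()                # 9 heaps for the toy spaces above
def comp(a, b):
    """a o b as a set of results; the empty set means undefined."""
    return set() if {x for x, _ in a} & {x for x, _ in b} else {a | b}
# Formulas: ('var', name) | ('top',) | ('bot',) | ('emp',) | (op, A, B) with op in
# 'and', 'imp', 'star', 'wand'.  v maps variable names to the set of heaps forcing them.
def forces(m, f, v):
    op = f[0]
    if op == 'var':  return m in v[f[1]]
    if op == 'top':  return True
    if op == 'bot':  return False
    if op == 'emp':  return m == EMPTY
    if op == 'and':  return forces(m, f[1], v) and forces(m, f[2], v)
    if op == 'imp':  return (not forces(m, f[1], v)) or forces(m, f[2], v)
    if op == 'star':  # exists a, b with a o b = m, a |= A and b |= B
        return any(m in comp(a, b) and forces(a, f[1], v) and forces(b, f[2], v)
                   for a in M for b in M)
    if op == 'wand':  # for all a, b with m o a = b and a |= A, b |= B
        return all(forces(b, f[2], v) for a in M if forces(a, f[1], v) for b in comp(m, a))
    raise ValueError(op)
def valid(f, v):               # valid in the model: forced by every heap
    return all(forces(m, f, v) for m in M)
# The algebra conditions from the slides, checked over the finite model.
def partial_deterministic(): return all(len(comp(a, b)) <= 1 for a in M for b in M)
def cancellative():
    return all(b == c for a in M for b in M for c in M for d in M
               if d in comp(a, b) and d in comp(a, c))
def indivisible_unit(): return all(a == EMPTY for a in M for b in M if EMPTY in comp(a, b))
def disjoint(): return all(a == EMPTY for a in M for b in M if b in comp(a, a))
P, Q, BOT = ('var', 'p'), ('var', 'q'), ('bot',)
# The slides' running example, ((p * q) -* bot) -> (p -* (q -* bot)); p and q are
# both interpreted (a constructed valuation) as "is a singleton heap".
CURRIED = ('imp', ('wand', ('star', P, Q), BOT), ('wand', P, ('wand', Q, BOT)))
V = {'p': {h for h in M if len(h) == 1}, 'q': {h for h in M if len(h) == 1}}
```

valid(CURRIED, V) holds on every heap of the model, whereas p → (p ∗ p) fails at any singleton heap, which is the kind of counter-model the completeness proof later constructs in general.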
Why labelled sequents?
    Hilbert systems are not easy to automate (in fact, they don't exist for many separation algebras [Brotherston & Villard, 2013]).
    Display calculus [Brotherston 2009] is also hard to implement.
    Nested sequent calculus [Seo, Park, Park 2013] can be very complicated even for BBI alone.
It seems that the proof theory is hard. But we can try to work on the semantics. We already used a labelled sequent calculus to handle BBI, and proposed rules for cancellativity and partial-determinism [TABLEAUX 2013]. It:
    directly encodes the semantics;
    is easy to understand and use;
    is very extensible;
    doesn't give much insight into decidability, though...
The labelled sequent calculus LSPASL
A labelled sequent is of the form G; Γ ⊢ Δ, where G is a set of relational atoms and Γ, Δ are multisets of labelled formulae.
A relational atom (x, y ▹ z) encodes the relation x ◦ y = z in the semantics.
A labelled formula x : F in Γ encodes x ⊩ F, and in Δ encodes x ⊮ F, in the semantics.
LSPASL = LSBBI + P + C
Sample inference rules

    (ε, w ▹ ε); G; Γ ⊢ Δ
    ----------------------- ⊤∗L
    G; Γ; w : ⊤∗ ⊢ Δ

    (ε, w ▹ w); G[w/w′]; Γ[w/w′] ⊢ Δ[w/w′]
    ----------------------------------------- Eq1
    (ε, w′ ▹ w); G; Γ ⊢ Δ
    (x, y ▹ z); G; Γ; x : A ⊢ z : B; Δ
    ------------------------------------- −∗R   (x, z do not occur in the conclusion)
    G; Γ ⊢ y : A −∗ B; Δ

    (x, y ▹ z); G; Γ; y : A −∗ B ⊢ x : A; Δ      (x, y ▹ z); G; Γ; y : A −∗ B; z : B ⊢ Δ
    ------------------------------------------------------------------------------------- −∗L
    (x, y ▹ z); G; Γ; y : A −∗ B ⊢ Δ
Identity: ∀a ∈ M, a ◦ ε = a.
    (a, ε ▹ a); G; Γ ⊢ Δ
    ----------------------- U
    G; Γ ⊢ Δ

Commutativity: ∀a, b ∈ M, a ◦ b = b ◦ a.
    (b, a ▹ c); (a, b ▹ c); G; Γ ⊢ Δ
    ---------------------------------- E
    (a, b ▹ c); G; Γ ⊢ Δ
Partial-determinism: ∀a, b, c, d ∈ M, c, d ∈ a ◦ b ⇒ c = d.
    (a, b ▹ c); G[c/d]; Γ[c/d] ⊢ Δ[c/d]
    ------------------------------------- P
    (a, b ▹ d); (a, b ▹ c); G; Γ ⊢ Δ

Cancellativity: ∀a, b, c ∈ M, a ◦ b = a ◦ c ⇒ b = c.
    (a, b ▹ d); G[b/c]; Γ[b/c] ⊢ Δ[b/c]
    ------------------------------------- C
    (a, b ▹ d); (a, c ▹ d); G; Γ ⊢ Δ
Proving a formula
Reading the derivation from the root upward (each sequent is obtained from the one below it by the rule named):

    ; ⊢ h0 : ((p ∗ q) −∗ ⊥) → (p −∗ (q −∗ ⊥))
  →R gives
    ; h0 : (p ∗ q) −∗ ⊥ ⊢ h0 : p −∗ (q −∗ ⊥)
  −∗R gives
    (h1, h0 ▹ h2); h0 : (p ∗ q) −∗ ⊥; h1 : p ⊢ h2 : q −∗ ⊥
  −∗R gives
    (h1, h0 ▹ h2); (h3, h2 ▹ h4); h0 : (p ∗ q) −∗ ⊥; h1 : p; h3 : q ⊢ h4 : ⊥
  A, E give (the two atoms above are kept but elided as "...")
    (h1, h3 ▹ h5); (h5, h0 ▹ h4); ...; h0 : (p ∗ q) −∗ ⊥; h1 : p; h3 : q ⊢ h4 : ⊥
  −∗L on h0 : (p ∗ q) −∗ ⊥ with the atom (h5, h0 ▹ h4) gives two premises:
    (h1, h3 ▹ h5); ...; h1 : p; h3 : q ⊢ h5 : p ∗ q; h4 : ⊥      and      ...; h4 : ⊥ ⊢ ...
  The right premise closes by ⊥L. On the left, ∗R with the atom (h1, h3 ▹ h5) gives
    ...; h1 : p ⊢ h1 : p; ...      and      ...; h3 : q ⊢ h3 : q; ...
  both of which close by id.
Counter-model construction
The rules with label substitutions induce an equivalence relation =G on labels. We then define a saturated structure using =G.
Define a Hintikka sequent as a saturated structure which is also consistent. For example, it satisfies:
    It is not the case that a : A ∈ Γ, b : A ∈ Δ and a =G b.
    If a : A ∧ B ∈ Γ then a : A ∈ Γ and a : B ∈ Γ.
    ...
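As an added illustration of the relational-atom rules U, E, P and C from the sample rules above and of the equivalence =G they induce (example code, not the paper's prover): atoms are saturated forward, P and C identify labels through a union-find, and the first Hintikka condition is then checked by asking whether a : A on the left and b : A on the right have a =G b. The atom and label names are constructed; rule A (which introduces fresh labels) is deliberately left out so that saturation terminates.

```python
# Added example (not the paper's prover): forward saturation of the relational
# atoms of a labelled sequent under the E, U, P and C rules shown on the slides.
# An atom (x, y, z) encodes x o y = z.  P and C substitute one label for another,
# so labels are kept in a union-find; its classes are the equivalence =G that the
# counter-model construction uses.  Rule A needs fresh labels and is left out.
EPS = 'eps'   # the unit label epsilon

class Labels:
    """Union-find over labels, recording the identifications made by P and C."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x
    def union(self, x, y):
        rx, ry = self.find(x), self.find(y)
        if rx == ry:
            return False
        self.parent[max(rx, ry)] = min(rx, ry)               # keep the smaller name
        return True

def saturate(atoms):
    """Close a set of atoms under E (commutativity), U (identity), P and C."""
    eq, atoms, changed = Labels(), set(atoms), True
    while changed:
        changed = False
        atoms = {tuple(eq.find(l) for l in t) for t in atoms}   # apply substitutions
        for (x, y, z) in list(atoms):
            for new in ((y, x, z), (x, EPS, x), (y, EPS, y), (z, EPS, z)):  # E, U
                if new not in atoms:
                    atoms.add(new)
                    changed = True
            for (x2, y2, z2) in list(atoms):
                if (x, y) == (x2, y2) and eq.union(z, z2):   # P: a o b = c, a o b = d => c = d
                    changed = True
                if (x, z) == (x2, z2) and eq.union(y, y2):   # C: a o b = d, a o c = d => b = c
                    changed = True
    return atoms, eq

def closes_by_id(atoms, left, right):
    """id applies when a : A on the left and b : A on the right have a =G b."""
    _, eq = saturate(atoms)
    return any(f == g and eq.find(a) == eq.find(b) for a, f in left for b, g in right)
```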
Counter-model construction (cont.)
Every Hintikka sequent is falsifiable, so it can be used as a counter-model for the formulae in its succedent.
    Start with ⊢ a0 : F and use a fair scheduler to apply each rule infinitely often, obtaining a limit sequent.
    The limit sequent is a saturated structure, i.e., it is a Hintikka sequent.
    If F is unprovable, we can therefore find a counter-model in the semantics, so F is invalid (completeness).
Inspired by (but different from) the completeness proof of the tableaux system for partial BBI [Larchey-Wendling, 2013].
Extensions of PASL
Indivisible unit: if a ◦ b = ε, then a = ε.
    (ε, b ▹ ε); G[ε/a]; Γ[ε/a] ⊢ Δ[ε/a]
    ------------------------------------- IU
    (a, b ▹ ε); G; Γ ⊢ Δ

Disjointness: if a ◦ a = b, then a = ε.
    (ε, ε ▹ b); G[ε/a]; Γ[ε/a] ⊢ Δ[ε/a]
    ------------------------------------- D
    (a, a ▹ b); G; Γ ⊢ Δ
Summary
The main result: LSBBI + any subset of {P, C, IU, D} is sound and cut-free complete w.r.t. the corresponding abstract semantics.
A modular theorem prover is implemented based on the proof theory, with some optimisations and heuristics. Available online: http://users.cecs.anu.edu.au/~zhehou/
Happy to do a demo in a coffee break if you wish!
Detailed and extended version of this paper: http://users.cecs.anu.edu.au/~zhehou/publications/Proof_search_for_propositional_abstract_separation_logics_via_labelled_sequents.pdf
Future work
Other properties in separation theories:
    Splittability/Divisibility: every non-unit element can be split into two non-unit elements. Not true in Reynolds' separation logic.
    Cross-split (as defined earlier).
Treatments for these two properties can be found in the extended version.
Future work (cont.): Reynolds' semantics

    ------------------------- ↦L1
    G; Γ; ε : e1 ↦ e2 ⊢ Δ

(e1 ↦ e2) must be a singleton heap, so it can't be empty.
    (ε, h0 ▹ h0); G[ε/h1][h0/h2]; Γ[ε/h1][h0/h2]; h0 : e1 ↦ e2 ⊢ Δ[ε/h1][h0/h2]      (h0, ε ▹ h0); G[ε/h2][h0/h1]; Γ[ε/h2][h0/h1]; h0 : e1 ↦ e2 ⊢ Δ[ε/h2][h0/h1]
    ------------------------------------------------------------------------------------------------------------------------------------------------------ ↦L2
    (h1, h2 ▹ h0); G; Γ; h0 : e1 ↦ e2 ⊢ Δ

(e1 ↦ e2) must be a singleton heap, so it can't be a composite heap.
    G; Γ[e1/e3][e2/e4]; h : e1 ↦ e2 ⊢ Δ[e1/e3][e2/e4]
    ------------------------------------------------- ↦L4
    G; Γ; h : e1 ↦ e2; h : e3 ↦ e4 ⊢ Δ

A singleton heap is a function mapping exactly one address to one value.
    G[h/h′]; Γ[h/h′]; h : e1 ↦ e2; h : e1 ↦ e3 ⊢ Δ[h/h′]
    ----------------------------------------------------- ↦L3
    G; Γ; h : e1 ↦ e2; h′ : e1 ↦ e3 ⊢ Δ

The rule ↦L3 is unsound: in Reynolds' model, the set Heaps contains two distinct heaps such as (5 ↦ 4) and (5 ↦ 6).
    -------------------------------------------------- ↦L3
    (h, h′ ▹ h″); G; Γ; h : e1 ↦ e2; h′ : e1 ↦ e3 ⊢ Δ

These rules are not enough...