extension of separation logic for stack reasoning jiang xinyu
DESCRIPTION
Problems of Our Previous Proof Excessive use of arithmetic of natural numbers Unnecessary shape matching Over-used symmetry law of “*” Repeated proof about the stack’s unused space Too much care taken to the address of each local variableTRANSCRIPT
Extension of Separation Logic for Stack Reasoning
Jiang Xinyu
Motivation Stacks are special
Continuous Ordered
Stack reasoning is important Proof about stacks is usually more than
proof about heaps Mainly for function calls and local
variables
Problems of Our Previous Proof
Excessive use of arithmetic of natural numbers
Unnecessary shape matching Over-used symmetry law of “*” Repeated proof about the stack’s
unused space Too much care taken to the address
of each local variable
Arithmetic For the formula
We know that
These equations can be automatically proved, but must be proved separately
( 4 2 )*( 4 4) 'sp w sp w
4 2 24 4
sp spsp sp
Shape Matching This is a common pattern of proof
For stack, the proof is unnecessary This kind of goals comes from the
permutation of *-conjuncted logic assertions
* * ' ' ''* '* '
A B C A A B B C CC B A
Symmetry Law If we know
And we want to know
We should do proof like
( )*( 2 ')*( 4 '')sp w sp w sp w M
( 4) ''M sp w
( )*( 2 ')*( 4 '')
(( 2 ')*( 4 ''))*( )
( 2 ')*( 4 '')*( )
(( 4 '')*( ))*( 2 ')
( 4 '')*( )*( 2 ')
sp w sp w sp w M
sp w sp w sp w M
sp w sp w sp w M
sp w sp w sp w M
sp w sp w sp w M
Unused Stack Space Another common pattern
We should prove these sub goals
*...* ( , )( 2 ')*( )*...* ( 2, 2) ( , ')
sp w free sp n Msp w sp w free sp n push M w
( , ) ( 2, 2)* ( , 2)2( , 2) ' [ 2 '] ( ', ')
free sp n free sp n free spspfree sp M sp w push M w
Too much labels See this
Or worse?
( )*( 2 )*( 4 )*( 6 )*( 8 )*( 10 )*( 12 ')*( 14 )*( 16 )*( 18 )
sp ax sp bx sp cxsp dx sp ip sp bpsp sp sp disp si sp flags
( 2 2 ... )*( 2 2 ... 2 )*...sp a b axsp a b bx
Solution? Some of them can be alleviated
Arithmetic proof can be reduced by using hex numbers
Some can be eliminated by changing a machine model Abstract over the unused space Or treat the stack as a different data
structure Works for higher-level code, but kernel
code requires that stacks behave like normal memory
Solution… Should not assume a higher-level
machine model Also
Should not prohibit reasoning about code that operates on stacks like on heaps
Should work well with heap reasoning(separation logic)
Solution! Extending separation logic For any piece of heap, if it’s like a
stack, and we say it’s a stack, then it’s a stack!
For any stack, if we want to say that it’s a heap, no problem!
Where Does all Those Problem Come From?
Separation logic is general, but a little too general Memory may have holes, so its every
slice should have a label Merging of memories are irrelevant to
the order We introduce a more restrictive, but
terser “sublanguage”
Adjacency Conjunction We first define adjacent heaps
And the adjacent union of heaps
The adjacent conjunction is defined like the separation conjunction
1 2 1 2 1 2† max( ( )) 1 min( ( ))M M M M dom M dom M
1 2 1 2 1 2†M M M M M M M M
1 2 1 2 1 2, .A B M M M A M B M M M M
Properties Shared with Separation Conjunction
Association Monotonicity Introduce and elimination of Emp and
True But no symmetry property!
A New Property For any Memory M, if
Then
So either l1 or l2 is abundant
1 2( ) ( ')l w l w M
1 22l l
Reducing Labels Another basic assertion: has
We can prove that # .w M l l w M
1 2
1
2
( ) ( ')
( ) # '
# ( ')
l w l w M
l w w M
w l w M
Is It Really a Solution? Let’s review our problems
Excessive use of arithmetic of natural numbers
Unnecessary shape matching Over-used symmetry law Repeated proof about the stack’s
unused space Too much care taken to the address of
each local variable
Arithmetic The original
Becomes
Doing arithmetic when really necessary
( 4 2 )*( 4 4) 'sp w sp w
# ( 4 4) 'w sp w
Shape Matching This is now trivial to prove
Adjacent conjunction does not allow permutation, so the order must be the same
' ' '' ' '
A B C A A B B C CA B C
Symmetry Law We haven’t any!
Then how to prove the following goal?
We move labels
( ) # ' ''sp w w w M
( 4) ''M sp w
( ) # ' # ''
# #( 2 ') # ''
# # ' ( 4 '')
sp w w w M
w sp w w M
w w sp w M
Unused Space Not totally solved But at least we have a lemma to do
this
The definition of free is also simplified
( ) 2( 2) 2 ' # ( , ')
free n sp w A M nfree n sp w w A push M w
(0)( 2) #_ ( )
free Empfree n free n
Too much labels Only one label
And you can insert the label if it’s valid
( ) # # ## # # ' # # #sp ax bx cx dxip bp sp di si flags
( ) # ( ) ## # # ' # # #sp ax bx bp cx dxip bp sp di si flags
It Is a Solution… For Lower-level machine code verification
Where the stack are taken as a part of the heap And all heap operations are valid on stacks
Which works well with separation logic It is just an extension No original definitions or rules are changed Separation conjunction and adjacency
conjunction can be freely mixed
Tactics for the Extension Finding labels Moving labels Splitting and merging unused stack
space
Expected Tactics find_label: a special example
And more general
1 2
1 2
... ( )(...( ) ... ) ( )
n
n
A A A l w BA A A l w B
1 ...( 1 ...(... ( ) ...)(...( 1 ... (... 1 ...) ...) ( ) (... ...)A B Cn l w DA B Cn l w D
Expected Tactics label_move_left, label_move_right
( ) # ' ... # ''# # ' ... ( 2 '')
A l w w w BA w w l n w B
Expected Tactics Stack Splitting and Merging
( ) ( ) ( )free n A n m
free n m free m A
( ) ( )( )
free m free n Afree m n A
Related Work Stack Typing
Has similar adjacent conjunction For TAL Specification language differs No efforts to hide labels