## Practical tactics for separation logic (2009)

Venue: | In TPHOLs, volume 5674 of LNCS |

Citations: | 7 - 1 self |

### BibTeX

@INPROCEEDINGS{Mccreight09practicaltactics,

author = {Andrew Mccreight},

title = {Practical tactics for separation logic},

booktitle = {In TPHOLs, volume 5674 of LNCS},

year = {2009},

pages = {343--358},

publisher = {Springer}

}

### OpenURL

### Abstract

Abstract. We present a comprehensive set of tactics that make it practical to use separation logic in a proof assistant. These tactics enable the verification of partial correctness properties of complex pointer-intensive programs. Our goal is to make separation logic as easy to use as the standard logic of a proof assistant. We have developed tactics for the simplification, rearranging, splitting, matching and rewriting of separation logic assertions as well as the discharging of a program verification condition using a separation logic description of the machine state. We have implemented our tactics in the Coq proof assistant, applying them to a deep embedding of Cminor, a C-like intermediate language used by Leroy’s verified CompCert compiler. We have used our tactics to verify the safety and completeness of a Cheney copying garbage collector written in Cminor. Our ideas should be applicable to other substructural logics and imperative languages. 1

### Citations

705 | Separation logic: a logic for shared mutable data structures
- Reynolds
(Show Context)
Citation Context ...safety and completeness of a Cheney copying garbage collector written in Cminor. Our ideas should be applicable to other substructural logics and imperative languages. 1 Introduction Separation logic =-=[1]-=- is an extension of Hoare logic for reasoning about shared mutable data structures. Separation logic specifies the contents of individual cells of memory in a manner similar to linear logic [2], avoid... |

615 | Linear logic
- Girard
- 1987
(Show Context)
Citation Context ... logic [1] is an extension of Hoare logic for reasoning about shared mutable data structures. Separation logic specifies the contents of individual cells of memory in a manner similar to linear logic =-=[2]-=-, avoiding problems with reasoning about aliasing in a very natural fashion. For this reason, it has been successfully applied to the verification of a number of pointer-intensive applications such as... |

237 |
A nonrecursive list compacting algorithm
- Cheney
- 1970
(Show Context)
Citation Context ...owing for some properties of source programs to be carried down to executable code. We have tested the applicability of these tools by using them to verifying the safety of a Cheney garbage collector =-=[8]-=-, as well as a number of smaller examples. The main contributions of this paper are a comprehensive set of tactics for reasoning about separation logic assertions (including simplification, rearrangin... |

226 | Formal certification of a compiler back-end or: programming a compiler with a proof assistant
- Leroy
- 2006
(Show Context)
Citation Context ...s this problem with a suite of tools for separationlogic-based program verification of complex pointer-intensive programs. These tools are intended for the interactive verification of Cminor programs =-=[7]-=- in the Coq proof assistant, but should be readily adaptable to similar settings. We have chosen Cminor because it can be compiled using the CompCert verifiedcompiler [7], allowing for some propertie... |

112 | Smallfoot: Modular automatic assertion checking with separation logic
- Berdine, Calcagno, et al.
- 2005
(Show Context)
Citation Context ...ally. This is difficult because the standard tactics of proof assistants such as Coq [5] cannot effectively deal with the linearity properties of separation logic. In contrast, work such as Smallfoot =-=[6]-=- focuses on the automated verification of lightweight specifications. We discuss other related work in Sect. 7. In this paper, we address this problem with a suite of tools for separationlogic-based p... |

87 | Compositional shape analysis by means of bi-abduction
- Calcagno, Distefano, et al.
- 2009
(Show Context)
Citation Context ...ted verification of lightweight separation logic specifications. This approach has been used as the basis for certified separation logic decisions procedures in Coq [18] and HOL [19]. Calcagno et al. =-=[20]-=- use separation logic for an efficient compositional shape analysis that is able to infer some specifications. Still other work has focused on mechanized reasoning about imperative pointer programs ou... |

83 | The Why/Krakatoa/Caduceus Platform for Deductive Program Verification
- Filliâtre, Marché
- 2007
(Show Context)
Citation Context ...e use of powerful preexisting theorem provers. Another approach to program verification decompiles imperative programs into functional programs that are more amenable to analysis in a proof assistant =-=[23, 15]-=-. The tactics we have described in this paper provide a solid foundation for the use of separation logic in a proof assistant but there is room for further automation. Integrating a Smallfoot-like dec... |

66 | F.;Nipkow, T.: Proving Pointer Programs in Higher-Order Logic
- Mehta
- 2005
(Show Context)
Citation Context ...mpositional shape analysis that is able to infer some specifications. Still other work has focused on mechanized reasoning about imperative pointer programs outside of the context of separation logic =-=[11, 21, 22]-=- using either deep or shallow embeddings. Expressing assertions via more conventional propositions enables the use of powerful preexisting theorem provers. Another approach to program verification dec... |

63 | Local reasoning about a copying garbage collector
- Birkedal, Torp-Smith, et al.
- 2004
(Show Context)
Citation Context ...with reasoning about aliasing in a very natural fashion. For this reason, it has been successfully applied to the verification of a number of pointer-intensive applications such as garbage collectors =-=[3, 4]-=-. However, most work on separation logic has involved paper, rather than machine-checkable, proofs. Mechanizing a proof can increase our confidence in the proof and potentially automate away some of t... |

61 |
Types, bytes, and separation logic
- Tuch, Klein, et al.
- 2007
(Show Context)
Citation Context ...n 400 words. Affeldt and Marti [13] use separation logic in a proof assistant, but unfold the definitions of the separation logic assertions to allow the use of more conventional tactics. Tuch et al. =-=[17]-=- define a mechanized program logic for reasoning about C-like memory models. They are able to verify programs using separation logic, but do not have any complex tactics for separation logic connectiv... |

45 | Using reflection to build efficient and certified decision procedures
- Boutin
- 1997
(Show Context)
Citation Context ...elopment of proofs, so tactics should run quickly. Our tactics are implemented entirely in Coq’s tactic language Ltac. To improve efficiency and reliability, some tactics are implemented reflectively =-=[14]-=-. Implementing a tactic reflectively means implementing it mostly in a strongly typed functional language (CIC) instead of Coq’s untyped imperative tactic language. Reflective tactics can be efficient... |

30 | A general framework for certifying garbage collectors and their mutators
- McCreight, Shao, et al.
- 2007
(Show Context)
Citation Context ...with reasoning about aliasing in a very natural fashion. For this reason, it has been successfully applied to the verification of a number of pointer-intensive applications such as garbage collectors =-=[3, 4]-=-. However, most work on separation logic has involved paper, rather than machine-checkable, proofs. Mechanizing a proof can increase our confidence in the proof and potentially automate away some of t... |

28 |
Inductive definitions in the system Coq—rules and properties
- Paulin-Mohring
- 1993
(Show Context)
Citation Context ... definitions of the separation logic assertions we use in this paper. We write P for propositions and T for types in the underlying logic, which in our case is the Calculus of Inductive Constructions =-=[10]-=- (CIC). Propositions have type Prop. We write A and B for separation logic assertions, implemented using a shallow embedding [11]. Each separation logic assertion is a memory predicate with type Mem →... |

24 | Verification of the heap manager of an operating system using separation logic
- Marti, Affeldt, et al.
- 2006
(Show Context)
Citation Context ... Unfolding the definition of * from Fig. 1 and breaking down the assumption in a similar way will involve large numbers of side conditions about memory equality and disjointedness. While Marti et al. =-=[14]-=- have used this approach, it throws away the abstract reasoning of separation logic. Instead, we follow the approach of Reynolds [1] and others and reason about separation logic assertions using basic... |

21 | Separation logic for small-step Cminor
- Appel, Blazy
(Show Context)
Citation Context ...a stack pointer. We define two projections mem(σ) and venv(σ) to extract the memory and variable environment components of a state. We have formally defined a standard small-step semantics for Cminor =-=[9]-=-, omitted here for reasons of space. Expression evaluation eval(σ, e) evaluates expression e in the context of state σ and either returns Some(v) if execution succeeds or None if it fails. Execution o... |

21 | Certifying machine code safety: Shallow versus deep embedding
- Wildmoser, Nipkow
- 2004
(Show Context)
Citation Context ...ng logic, which in our case is the Calculus of Inductive Constructions [10] (CIC). Propositions have type Prop. We write A and B for separation logic assertions, implemented using a shallow embedding =-=[11]-=-. Each separation logic assertion is a memory predicate with type Mem → Prop, so we write A m for the proposition that memory m can be described by separation logic predicate A. The separation logic a... |

16 | M.J.C.: Machine-code verification for multiple architectures - an application of decompilation into logic
- Myreen, Slind, et al.
(Show Context)
Citation Context ...d not support any of the features we listed earlier in this paragraph and did not use modular arithmetic. There has been other work on mechanized garbage collector verification, such as Myreen et al. =-=[15]-=- who verify a Cheney collector in 2000 lines using a decompilation based approach. That publication unfortunately does not have enough detail of the collector verification to explain the difference in... |

13 |
Automated verification of practical garbage collectors
- Hawblitzel, Petrank
- 2009
(Show Context)
Citation Context ...t publication unfortunately does not have enough detail of the collector verification to explain the difference in proof size, though it is likely due in part to greater automation. Hawblitzel et al. =-=[16]-=- used a theorem prover to automatically verify a collector that is realistic enough to be used for real C# benchmarks. 7 Related Work and Conclusion Appel’s unpublished note [12] describes Coq tactics... |

12 | Imperative functional programming with Isabelle/HOL
- Bulwahn, Krauss, et al.
- 2008
(Show Context)
Citation Context ...mpositional shape analysis that is able to infer some specifications. Still other work has focused on mechanized reasoning about imperative pointer programs outside of the context of separation logic =-=[11, 21, 22]-=- using either deep or shallow embeddings. Expressing assertions via more conventional propositions enables the use of powerful preexisting theorem provers. Another approach to program verification dec... |

7 | A certified verifier for a fragment of separation logic
- Marti, Affeldt
(Show Context)
Citation Context ...mallfoot [6], has focused on automated verification of lightweight separation logic specifications. This approach has been used as the basis for certified separation logic decisions procedures in Coq =-=[18]-=- and HOL [19]. Calcagno et al. [20] use separation logic for an efficient compositional shape analysis that is able to infer some specifications. Still other work has focused on mechanized reasoning a... |

4 | A separation logic framework in HOL
- Tuerk
(Show Context)
Citation Context ... has focused on automated verification of lightweight separation logic specifications. This approach has been used as the basis for certified separation logic decisions procedures in Coq [18] and HOL =-=[19]-=-. Calcagno et al. [20] use separation logic for an efficient compositional shape analysis that is able to infer some specifications. Still other work has focused on mechanized reasoning about imperati... |

3 |
Tactics for separation logic. http://www.cs.princeton.edu/ ~appel/papers/septacs.pdf
- Appel
- 2006
(Show Context)
Citation Context ...d m(v) = v ′ . The empty assertion emp only holds on empty memory. The trivial assertion true holds on every memory. The modal operator !P from linear logic (also adapted to separation logic by Appel =-=[12]-=-) holds on a memory m if the proposition P is true and m is empty. The existential ∃x : T. A is analogous to the standard existential operator. We omit the type T when it is clear from context, and fo... |

3 |
The Mechanized Verification of Garbage Collector Implementations
- McCreight
- 2008
(Show Context)
Citation Context ...ation of lightweight properties of large code bases, rather than heavier properties for smaller code bases. We developed an earlier generation of tactics for verifying programs using separation logic =-=[11]-=- in Coq for a less realistic machine and used them to verify a series of garbage collectors [4]. Organization of the Paper. First we will give an overview of separation logic assertions, then discuss ... |

2 |
L.: A general framework for certifying gcs and their mutators
- McCreight, Shao, et al.
- 2007
(Show Context)
Citation Context ...with reasoning about aliasing in a very natural fashion. For this reason, it has been successfully applied to the verification of a number of pointer-intensive applications such as garbage collectors =-=[3, 4]-=-. However, most work on separation logic has involved paper, rather than machine-checkable, proofs. Mechanizing a proof can increase our confidence in the proof and potentially automate away some of t... |

1 |
A.: Formal verification of the heap manager of an os using separation logic
- Marti, Affeldt, et al.
(Show Context)
Citation Context ... Unfolding the definition of * from Fig. 3 and breaking down the assumption in a similar way will involve large numbers of side conditions about memory equality and disjointedness. While Marti et al. =-=[13]-=- have used this approach, it throws away the abstract reasoning of separation logic. Instead, we follow the approach of Reynolds [1] and others and reason about separation logic assertions using basic... |

1 |
C.: Working with linear logic in Coq. In: TPHOLs ’99 (workin-progress paper
- Power, Webster
- 1999
(Show Context)
Citation Context ...for Cminor which is structured in terms of conventional Hoare logic “triples” instead of as a precondition generator, and requires more restrictions about the purity of expressions. Power and Webster =-=[17]-=- describe a deep embedding of linear logic in Coq along with a couple of very primitive tactics. Affeldt and Marti [14] use separation logic in a proof assistant, but unfold the definitions of the sep... |