Extension of Separation Logic for Stack Reasoning

Jiang Xinyu

Motivation Stacks are special

Continuous Ordered

Stack reasoning is important Proof about stacks is usually more than

proof about heaps Mainly for function calls and local

variables

Problems of Our Previous Proof

Excessive use of arithmetic of natural numbers

Unnecessary shape matching Over-used symmetry law of “*” Repeated proof about the stack’s

unused space Too much care taken to the address

of each local variable

Arithmetic For the formula

We know that

These equations can be automatically proved, but must be proved separately

( 4 2 )*( 4 4) 'sp w sp w

4 2 24 4

sp spsp sp

Shape Matching This is a common pattern of proof

For stack, the proof is unnecessary This kind of goals comes from the

permutation of *-conjuncted logic assertions

* * ' ' ''* '* '

A B C A A B B C CC B A

Symmetry Law If we know

And we want to know

We should do proof like

( )*( 2 ')*( 4 '')sp w sp w sp w M

( 4) ''M sp w

( )*( 2 ')*( 4 '')

(( 2 ')*( 4 ''))*( )

( 2 ')*( 4 '')*( )

(( 4 '')*( ))*( 2 ')

( 4 '')*( )*( 2 ')

sp w sp w sp w M

sp w sp w sp w M

sp w sp w sp w M

sp w sp w sp w M

sp w sp w sp w M

Unused Stack Space Another common pattern

We should prove these sub goals

*...* ( , )( 2 ')*( )*...* ( 2, 2) ( , ')

sp w free sp n Msp w sp w free sp n push M w

( , ) ( 2, 2)* ( , 2)2( , 2) ' [ 2 '] ( ', ')

free sp n free sp n free spspfree sp M sp w push M w

Too much labels See this

Or worse?

( )*( 2 )*( 4 )*( 6 )*( 8 )*( 10 )*( 12 ')*( 14 )*( 16 )*( 18 )

sp ax sp bx sp cxsp dx sp ip sp bpsp sp sp disp si sp flags

( 2 2 ... )*( 2 2 ... 2 )*...sp a b axsp a b bx

Solution? Some of them can be alleviated

Arithmetic proof can be reduced by using hex numbers

Some can be eliminated by changing a machine model Abstract over the unused space Or treat the stack as a different data

structure Works for higher-level code, but kernel

code requires that stacks behave like normal memory

Solution… Should not assume a higher-level

machine model Also

Should not prohibit reasoning about code that operates on stacks like on heaps

Should work well with heap reasoning(separation logic)

Solution! Extending separation logic For any piece of heap, if it’s like a

stack, and we say it’s a stack, then it’s a stack!

For any stack, if we want to say that it’s a heap, no problem!

Where Does all Those Problem Come From?

Separation logic is general, but a little too general Memory may have holes, so its every

slice should have a label Merging of memories are irrelevant to

the order We introduce a more restrictive, but

terser “sublanguage”

Adjacency Conjunction We first define adjacent heaps

And the adjacent union of heaps

The adjacent conjunction is defined like the separation conjunction

1 2 1 2 1 2† max( ( )) 1 min( ( ))M M M M dom M dom M

1 2 1 2 1 2†M M M M M M M M

1 2 1 2 1 2, .A B M M M A M B M M M M

Properties Shared with Separation Conjunction

Association Monotonicity Introduce and elimination of Emp and

True But no symmetry property!

A New Property For any Memory M, if

Then

So either l1 or l2 is abundant

1 2( ) ( ')l w l w M

1 22l l

Reducing Labels Another basic assertion: has

We can prove that # .w M l l w M

1 2

1

2

( ) ( ')

( ) # '

# ( ')

l w l w M

l w w M

w l w M

Is It Really a Solution? Let’s review our problems

Excessive use of arithmetic of natural numbers

Unnecessary shape matching Over-used symmetry law Repeated proof about the stack’s

unused space Too much care taken to the address of

each local variable

Arithmetic The original

Becomes

Doing arithmetic when really necessary

( 4 2 )*( 4 4) 'sp w sp w

# ( 4 4) 'w sp w

Shape Matching This is now trivial to prove

Adjacent conjunction does not allow permutation, so the order must be the same

' ' '' ' '

A B C A A B B C CA B C

Symmetry Law We haven’t any!

Then how to prove the following goal?

We move labels

( ) # ' ''sp w w w M

( 4) ''M sp w

( ) # ' # ''

# #( 2 ') # ''

# # ' ( 4 '')

sp w w w M

w sp w w M

w w sp w M

Unused Space Not totally solved But at least we have a lemma to do

this

The definition of free is also simplified

( ) 2( 2) 2 ' # ( , ')

free n sp w A M nfree n sp w w A push M w

(0)( 2) #_ ( )

free Empfree n free n

Too much labels Only one label

And you can insert the label if it’s valid

( ) # # ## # # ' # # #sp ax bx cx dxip bp sp di si flags

( ) # ( ) ## # # ' # # #sp ax bx bp cx dxip bp sp di si flags

It Is a Solution… For Lower-level machine code verification

Where the stack are taken as a part of the heap And all heap operations are valid on stacks

Which works well with separation logic It is just an extension No original definitions or rules are changed Separation conjunction and adjacency

conjunction can be freely mixed

Tactics for the Extension Finding labels Moving labels Splitting and merging unused stack

space

Expected Tactics find_label: a special example

And more general

1 2

1 2

... ( )(...( ) ... ) ( )

n

n

A A A l w BA A A l w B

1 ...( 1 ...(... ( ) ...)(...( 1 ... (... 1 ...) ...) ( ) (... ...)A B Cn l w DA B Cn l w D

Expected Tactics label_move_left, label_move_right

( ) # ' ... # ''# # ' ... ( 2 '')

A l w w w BA w w l n w B

Expected Tactics Stack Splitting and Merging

( ) ( ) ( )free n A n m

free n m free m A

( ) ( )( )

free m free n Afree m n A

Related Work Stack Typing

Has similar adjacent conjunction For TAL Specification language differs No efforts to hide labels