Separation logic

In computer science, separation logic[1] is an extension of Hoare logic, a way of reasoning about programs. It was developed by John C. Reynolds, Peter O'Hearn, Samin Ishtiaq and Hongseok Yang,[1][2][3][4] drawing upon early work by Rod Burstall.[5] The assertion language of separation logic is a special case of the logic of bunched implications (BI).[6] A CACM review article by O'Hearn charts developments in the subject to early 2019.[7]


Separation logic facilitates reasoning about:

  • programs that manipulate pointer data structures—including information hiding in the presence of pointers;
  • "transfer of ownership" (avoidance of semantic frame axioms); and
  • virtual separation (modular reasoning) between concurrent modules.

Separation logic supports the developing field of research described by Peter O'Hearn and others as local reasoning, whereby specifications and proofs of a program component mention only the portion of memory used by the component, and not the entire global state of the system. Applications include automated program verification (where an algorithm checks the validity of another algorithm) and automated parallelization of software.

Assertions: operators and semantics

Separation logic assertions describe "states" consisting of a store and a heap, roughly corresponding to the state of local (or stack-allocated) variables and dynamically-allocated objects in common programming languages such as C and Java. A store is a function mapping variables to values. A heap is a partial function mapping memory addresses to values. Two heaps and are disjoint (denoted ) if their domains do not overlap (i.e., for every memory address , at least one of and is undefined).

The logic allows to prove judgements of the form , where is a store, is a heap, and is an assertion over the given store and heap. Separation logic assertions (denoted as , , ) contain the standard boolean connectives and, in addition, , , , and , where and are expressions.

  • The constant asserts that the heap is empty, i.e., when is undefined for all addresses.
  • The binary operator takes an address and a value and asserts that the heap is defined at exactly one location, mapping the given address to the given value. I.e., when (where denotes the value of expression evaluated in store ) and is otherwise undefined.
  • The binary operator (pronounced star or separating conjunction) asserts that the heap can be split into two disjoint parts where its two arguments hold, respectively. I.e., when there exist such that and and and .
  • The binary operator (pronounced magic wand or separating implication) asserts that extending the heap with a disjoint part that satisfies its first argument results in a heap that satisfies its second argument. I.e,. when for every heap such that , also holds.

The operators and share some properties with the classical conjunction and implication operators. They can be combined using an inference rule similar to modus ponens

and they form an adjunction, i.e., if and only if for ; more precisely, the adjoint operators are and .

Reasoning about programs: triples and proof rules

In separation logic, Hoare triples have a slightly different meaning than in Hoare logic. The triple asserts that if the program executes from an initial state satisfying the precondition then the program will not go wrong (e.g., have undefined behaviour), and if it terminates, then the final state will satisfy the postcondition . In essence, during its execution, may access only memory locations whose existence is asserted in the precondition or that have been allocated by itself.

In addition to the standard rules from Hoare logic, separation logic supports the following very important rule:

This is known as the frame rule (named after the frame problem) and enables local reasoning. It says that a program that executes safely in a small state (satisfying ), can also execute in any bigger state (satisfying ) and that its execution will not affect the additional part of the state (and so will remain true in the postcondition). The side condition enforces this by specifying that none of the variables modified by occur free in , i.e. none of them are in the 'free variable' set of .


Separation logic leads to simple proofs of pointer manipulation for data structures that exhibit regular sharing patterns which can be described simply using separating conjunctions; examples include singly and doubly linked lists and varieties of trees. Graphs and DAGs and other data structures with more general sharing are more difficult for both formal and informal proof. Separation logic has, nonetheless, been applied successfully to reasoning about programs with general sharing.

In their POPL'01 paper,[3] O'Hearn and Ishtiaq explained how the magic wand connective could be used to reason in the presence of sharing, at least in principle. For example, in the triple

we obtain the weakest precondition for a statement that mutates the heap at location , and this works for any postcondition, not only one that is laid out neatly using the separating conjunction. This idea was taken much further by Yang, who used to provide localized reasoning about mutations in the classic Schorr-Waite graph marking algorithm.[8] Finally, one of the most recent works in this direction is that of Hobor and Villard,[9] who employ not only but also a connective which has variously been called overlapping conjunction or sepish,[10] and which can be used to describe overlapping data structures: holds of a heap when and hold for subheaps and whose union is , but which possibly have a nonempty portion in common. Abstractly, can be seen to be a version of the fusion connective of relevance logic.

Concurrent separation logic

A Concurrent Separation Logic (CSL), a version of separation logic for concurrent programs, was originally proposed by Peter O'Hearn,[11] using a proof rule

which allows independent reasoning about threads that access separate storage. O'Hearn's proof rules adapted an early approach of Tony Hoare to reasoning about concurrency,[12] replacing the use of scoping constraints to ensure separation by reasoning in separation logic. In addition to extending Hoare's approach to apply in the presence of heap-allocated pointers, O'Hearn showed how reasoning in concurrent separation logic could track dynamic ownership transfer of heap portions between processes; examples in the paper include a pointer-transferring buffer, and a memory manager.

Commenting on the early classical work on interference freedom by Susan Owicki and David Gries, O'Hearn says that explicit checking for non-interference isn't necessary because his system rules out interference in an implicit way, by the nature of the way proofs are constructed.

A model for concurrent separation logic was first provided by Stephen Brookes in a companion paper to O'Hearn's.[13] The soundness of the logic had been a difficult problem, and in fact a counterexample of John Reynolds had shown the unsoundness of an earlier, unpublished version of the logic; the issue raised by Reynolds's example is described briefly in O'Hearn's paper, and more thoroughly in Brookes's.

At first it appeared that CSL was well suited to what Dijkstra had called loosely connected processes,[14] but perhaps not to fine-grained concurrent algorithms with significant interference. However, gradually it was realized that the basic approach of CSL was considerably more powerful than first envisaged, if one employed non-standard models of the logical connectives and even the Hoare triples.

An abstract version of separation logic was proposed that works for Hoare triples where the preconditions and postconditions are formulae interpreted over an arbitrary partial commutative monoid instead of a particular heap model.[15] Later, by suitable choice of commutative monoid, it was surprisingly found that the proof rules of abstract versions of concurrent separation logic could be used to reason about interfering concurrent processes, for example by encoding the rely-guarantee technique which had been originally proposed to reason about interference;[16] in this work the elements of the model were considered not resources, but rather "views" of the program state, and a non-standard interpretation of Hoare triples accompanies the non-standard reading of pre and postconditions. Finally, CSL-style principles have been used to compose reasoning about program histories instead of program states, in order to provide modular techniques for reasoning about fine-grained concurrent algorithms.[17]

Versions of CSL have been included in many interactive and semi-automatic (or "in-between") verification tools as described in the next section. A particularly significant verification effort is that of the μC/OS-II kernel mentioned there. But, although steps have been made,[18] as of yet CSL-style reasoning has been included in comparatively few tools in the automatic program analysis category (and none mentioned in the next section).

O'Hearn and Brookes are co-recipients of the 2016 Gödel Prize for their invention of Concurrent Separation Logic.[19]

Verification and program analysis tools

Tools for reasoning about programs fall on a spectrum from fully automatic program analysis tools, which do not require any user input, to interactive tools where the human is intimately involved in the proof process. Many such tools have been developed; the following list includes a few representatives in each category.

  • Automatic Program Analyses. These tools typically look for restricted classes of bugs (e.g., memory safety errors) or attempt to prove their absence, but fall short of proving full correctness.
    • A current example is Facebook Infer, a static analysis tool for Java, C, and Objective-C based on separation logic and bi-abduction.[20] As of 2015 hundreds of bugs per month were being found by Infer and fixed by developers before being shipped to Facebook's mobile apps[21]
    • Other examples include SpaceInvader (one of the first SL analyzers), Predator (which has won several verification competitions), MemCAD (which mixes shape and numerical properties) and SLAyer (from Microsoft Research, focussed on data structures found in device drivers)
  • Interactive Proof. Proofs have been done using embeddings of Separation Logic into interactive theorem provers such as the Coq proof assistant and HOL (proof assistant). In comparison to the program analysis work, these tools require more in the way of human effort but prove deeper properties, up to functional correctness.
    • A proof of the FSCQ file system[22] where the specification includes behaviour under crashes as well as normal operation. This work won the best paper award at the 2015 Symposium on Operating System Principles.
    • Verification of a large fragment of the Rust type system and some of its standard libraries in the RustBelt project using the Iris framework for separation logic in The Coq proof assistant.
    • Verification of an OpenSSL implementation of a cryptographic authentication algorithm,[23] utilizing verifiable C
    • Verification of key modules of a commercial OS kernel, the μC/OS-II kernel, the first commercial pre-emptive kernel to have been verified.[24]
    • Other examples include the Ynot[25] library for the Coq proof assistant; the Holfoot embedding of Smallfoot in HOL; Fine-grained Concurrent Separation Logic, and Bedrock (a Coq library for low-level programming).
  • In Between. Many tools require more user intervention than program analyses, in that they expect the user to input assertions such as pre/post specs for functions or loop invariants, but after this input is given they attempt to be fully or almost fully automatic; this mode of verification goes back to classic works in the 1970s such as J King's verifier, and the Stanford Pascal Verifier. This style of verifier has recently been called auto active verification, a term which intends to evoke the way of interacting with a verifier via an assert-check loop, analogous to the interaction between a programmer and a type-checker.
    • The very first Separation Logic verifier, Smallfoot, was in this in-between category. It required the user to input pre/post specs, loop invariants, and resource invariants for locks. It introduced a method of symbolic execution, as well as an automatic way to infer frame axioms. Smallfoot included Concurrent Separation Logic.
    • SmallfootRG is a verifier for a marriage of separation logic and the classic rely/guarantee method for concurrent programs.
    • Heap Hop implements a separation logic for message passing, following the ideas in Singularity (operating system).
    • VeriFast is an advanced current tool in the in-between category. It has demonstrated proofs ranging from object-oriented patterns to highly concurrent algorithms and to systems programs.
    • Viper is a state-of-the-art automated verification infrastructure for permission-based reasoning. It mainly consists of a programming language and two verification backends, one based on symbolic execution and another one on verification condition generation (VCG).[26] Based on the Viper infrastructure, several frontends for various programming languages have emerged: Gobra for Go, Nagini for Python, Prusti for Rust, and VerCors for C, Java, OpenCL, and OpenMP. These frontends translate the frontend programming language into Viper to then use a Viper verification backend for proving the input program's correctness.
    • The Mezzo Programming Language and Asynchronous Liquid Separation Types include ideas related to CSL in the type system for a programming language. The idea to include separation in a type system has earlier examples in Alias Types and Syntactic Control of Interference.

The distinction between interactive and in-between verifiers is not a sharp one. For example, Bedrock strives for a high degree of automation, in what it terms mostly-automatic verification, where Verifast sometimes requires annotations that resemble the tactics (little programs) used in interactive verifiers.

Decidability and complexity

The satisfiability problem for a quantifier-free, multi-sorted fragment of separation logic parameterized over the sorts of locations and data can be shown to be PSPACE-complete.[27] An algorithm for solving this fragment in DPLL(T)-based SMT solvers has been integrated into cvc5.[28] Extending this result, satisfiability for an analog of the Bernays–Schönfinkel class for separation logic with uninterpreted memory locations can also be shown to be PSPACE-complete, whereas the problem is undecidable with interpreted memory locations (e.g., integers) or further quantifier alternations[29]


Read other articles:

此条目序言章节没有充分总结全文内容要点。 (2019年3月21日)请考虑扩充序言,清晰概述条目所有重點。请在条目的讨论页讨论此问题。 哈萨克斯坦總統哈薩克總統旗現任Қасым-Жомарт Кемелұлы Тоқаев卡瑟姆若马尔特·托卡耶夫自2019年3月20日在任任期7年首任努尔苏丹·纳扎尔巴耶夫设立1990年4月24日(哈薩克蘇維埃社會主義共和國總統) 哈萨克斯坦 哈萨克斯坦政府與…

كبسةمعلومات عامةاسم آخر مكبوسالمنشأ  السعودية الكويت اليمن البحرين الأردنالمنطقة دول الخليج، شبه الجزيرة العربيةالنوع طبق أرز حرارة التقديم ساخنالمكونات الرئيسية الأرز (طويل الحبة، وغالبا بسمتي)، اللحم أو الدجاج، البهارات (هال، زعفران، قرفة، ليمون أسود، ور…

هذه المقالة تحتاج للمزيد من الوصلات للمقالات الأخرى للمساعدة في ترابط مقالات الموسوعة. فضلًا ساعد في تحسين هذه المقالة بإضافة وصلات إلى المقالات المتعلقة بها الموجودة في النص الحالي. (نوفمبر 2019) هذه المقالة يتيمة إذ تصل إليها مقالات أخرى قليلة جدًا. فضلًا، ساعد بإضافة وصلة إ…

عايدة عبد العزيز (بالعربية: عايده عبد العزيز)‏  معلومات شخصية الميلاد 27 أكتوبر 1930 [1]  دملو  الوفاة 3 فبراير 2022 (91 سنة) [2]  القاهرة  مواطنة المملكة المصرية (1930–1952) جمهورية مصر (1953–1958) الجمهورية العربية المتحدة (1958–1971) مصر (1971–2022)  الزوج أحمد عبد الحليم &#…

Uzbek footballer In this name that follows Eastern Slavic naming customs, the patronymic is Husanovich and the family name is Ismailov. Анзур ИсмаиловAnzur Ismailov Ismailov with Pakhtakor Tashkent in 2020Personal informationFull name Anzur Husanovich IsmailovDate of birth (1985-04-21) 21 April 1985 (age 39)Place of birth Tashkent, Uzbek SSR, USSRHeight 1.90 m (6 ft 3 in)Position(s) Defender, midfielderTeam informationCurrent team FC AGMKNumber 5Youth career2…

American orchestral conductor This article is about the American orchestra conductor. For others with the same or similar name, see David Bernard (disambiguation). This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages) This biography of a living person needs additional citations for verification. Please help by adding reliable sources. Contentious material about living persons that is unsourced or …

For other uses, see Ji'an (disambiguation). Prefecture-level city in Jiangxi, People's Republic of ChinaJi'an 吉安市KianPrefecture-level cityTop to bottom, left to right: Ji'an city hall, the Wugong Mountains on the border with Pingxiang, the Jinggang Mountains, Ji'an Revolutionary Museum, Qingyuan District HallLocation of Ji'an City jurisdiction in JiangxiCoordinates (Ji'an municipal government): 27°05′28″N 114°58′01″E / 27.091243°N 114.96681°E / 27.09…

British television documentary Yesterday's MenGenreDocoumentaryCountry of originUnited KingdomOriginal languageEnglish Yesterday's Men is a British documentary that appeared as part of the 24 Hours series (BBC 1)[1] on 17 June 1971.[2] The programme is remembered for provoking a clash between the Labour Party and the BBC. According to Anthony Smith, the editor of 24 Hours at the time, the film led to the biggest and most furious row that a television programme in the English lang…

British politician The Right HonourableThe Lord EmmottGCMG GBE PCThe Deputy Speaker as depicted in Vanity Fair, 19 October 1910Deputy Speaker of the House of CommonsChairman of Ways and MeansIn office1906–1911MonarchsEdward VII George VPreceded bySir John Grant Lawson, 1st BaronetSucceeded byJohn Henry WhitleyUnder-Secretary of State for the ColoniesIn office23 October 1911 – 6 August 1914MonarchGeorge VPrime MinisterH. H. AsquithPreceded byThe Lord Lucas of CrudwellSucceede…

Overtime work schedule in Mainland China, 9AM-9PM, 6 days per week This article is missing information about background on other (especially non-tech) overwork cultures in China; legitimized special work hour system in Shenzhen. Please expand the article to include this information. Further details may exist on the talk page. (July 2021) 996 working hour systemChinese996工作制TranscriptionsStandard MandarinHanyu Pinyinjiǔjiǔliù gōngzuò zhì The 996 working hour system (Chinese: 996…

IBM Storage enterprise system that store data on flash memory IBM FlashSystemFlashSystem A9000ManufacturerTMS (2001-2013)IBM (2013-current)IntroducedJan 2001 (as TMS RamSan)April 11, 2013 (as IBM FlashSystem)TypeEnterprise solid state computer data storage systemProcessorx86 (Intel Xeon)[1][2][3] IBM FlashSystem is an IBM Storage enterprise system that stores data on flash memory. Unlike storage systems that use standard solid-state drives, IBM FlashSystem products incorp…

United States historic placeAloha TowerU.S. National Register of Historic Places The Aloha Tower has been greeting vessels to port at Honolulu Harbor since September 11, 1926.Show map of OahuShow map of HawaiiLocationHonolulu, HICoordinates21°18′25.5″N 157°51′57.5″W / 21.307083°N 157.865972°W / 21.307083; -157.865972Built1926ArchitectArthur L. ReynoldsArchitectural styleLate Gothic Revival, Art Deco[2]NRHP reference No.76000660 [1 …

British politician and barrister (1926–2008) The Right HonourableThe Lord ReesPC QCPeter ReesChief Secretary to the TreasuryIn office11 June 1983 – 2 September 1985Prime MinisterMargaret ThatcherPreceded byLeon BrittanSucceeded byJohn MacGregorMember of Parliamentfor DoverIn office18 June 1970 – 18 May 1987Preceded byDavid EnnalsSucceeded byDavid Shaw Personal detailsBornPeter Wynford Innes Rees(1926-12-09)9 December 1926Camberley, Surrey, EnglandDied30 November 2008(…

1947 Christchurch mayoral election ← 1944 19 November 1947 1950 → Turnout41,581 (46.20%)   Candidate Ernest Andrews David Barnes Melville Lyons Party Citizens' Labour Independent Popular vote 21,183 15,587 4,811 Percentage 50.94 37.48 15,587 Mayor before election Ernest Andrews Elected Mayor Ernest Andrews The 1947 Christchurch mayoral election was part of the New Zealand local elections held that same year. In 1947, election were held for the Mayor of Christchurc…

Artikel ini sebatang kara, artinya tidak ada artikel lain yang memiliki pranala balik ke halaman ini.Bantulah menambah pranala ke artikel ini dari artikel yang berhubungan atau coba peralatan pencari pranala.Tag ini diberikan pada Desember 2023. Tiago AlvesInformasi pribadiNama lengkap Tiago AlvesTanggal lahir 12 Januari 1993 (umur 31)Tempat lahir BrasilPosisi bermain PenyerangKarier senior*Tahun Tim Tampil (Gol)2011–2014 Santos 9 (0)2012 → Boa Esporte (loan) 9 (1)2013 → América Mine…

Cultural and population changes in England c. 450 to 630 AD This article is part of the series:Anglo-Saxonsociety and culture People Settlement Women History Language Language Literature Runes Material culture Architecture Art Burial Coins Dress Glass Weaponry Power and organization Charters Government Law Monarchs and kingdoms Warfare Military Religion Christianity Paganism vte This article is about Anglo-Saxon settlement in Britain. For later historical events in Anglo-Saxon England, see Histo…

الشركة السعودية للتنمية والاستثمار التقنيالشركة السعودية للتنمية والاستثمار التقنيالشعارمعلومات عامةالاختصار TAQNIA (بالإنجليزية) البلد  السعودية التأسيس 21 يونيو 2011 18 رجب 1432 هـ [1]النوع شركة المقر الرئيسي الرياض،  السعوديةموقع الويب (العربية) المنظومة الاقتص…

Voce principale: Braunschweiger Turn- und Sportverein Eintracht von 1895. Braunschweiger Turn- und Sportverein Eintracht von 1895Stagione 2009-2010Sport calcio Squadra Eintracht Braunschweig Allenatore Torsten Lieberknecht All. in seconda Jürgen Rische Darius Scholtysik 3. Liga4º posto Coppa di GermaniaPrimo turno Maggiori presenzeCampionato: Petković (38)Totale: Petković (39) Miglior marcatoreCampionato: Kruppke (15)Totale: Kruppke (15) StadioEintracht-Stadion Maggior numero di spettat…

Coach Wooden Keys to Life AwardAwarded forQualities exemplified by Coach Wooden: outstanding character, integrity, and leadership on the court, in the work place, in the home, and in the communityCountryUnited StatesPresented byAthletes in ActionHistoryFirst award1998Most recentBilly Kennedy, Texas A&M and his wife Mary The Coach Wooden Keys to Life Award is presented annually to a member of the college or professional basketball community who lives out qua…

River in South Sudan Sobat RiverSobat River from airLocationCountrySouth SudanStateJonglei, Upper Nile (state)Physical characteristicsSourceBaro River • locationDibdib, Ethiopia • coordinates7°42′04″N 35°52′44″E / 7.701°N 35.879°E / 7.701; 35.879 • elevation2,367 m (7,766 ft) 2nd sourcePibor River • locationPibor Post, Greater Pibor • coordinates6°47′42″N 33°09…