expressiveness and relative completeness are introduced in Cook (1978), which shows that Hoare logic is complete only in a certain sense, namely relative to the interpretation of the underlying assertion language. Clarke (1979) studies expressiveness over finite interpretations, with the result that certain programming languages cannot have a sound and relatively complete Hoare calculus, because the halting problem for those languages is undecidable even when the underlying interpretation is finite. Lipton (1977) argues that the only expressive interpretations are essentially the standard interpretation of Peano arithmetic and the finite interpretations.
The verification and analysis presented in this thesis are founded on Hoare logic. As will be seen in later chapters, the abstract program semantics we use for the symbolic execution of programs is based on Hoare logic, or more specifically on separation logic (an extension of Hoare logic), which is surveyed in the next section.
2.2 Separation Logic
To model a program's memory state we use separation logic (O'Hearn and Pym, 1999; Reynolds, 1999; O'Hearn et al., 2001; Reynolds, 2002). This section gives a brief introduction to its history.
As a precursor of separation logic, O'Hearn and Pym (1999) introduce the logic of bunched implications (BI), which merges two components: additive intuitionistic logic and multiplicative intuitionistic linear logic. Models of propositional BI proofs are given by bicartesian doubly closed categories, freely combining the semantics of both logic families. The same work also develops a first-order predicate version of BI with new universal and existential quantifiers.
However, BI remained a purely theoretical logic until Reynolds (1999) presented his work on reasoning about resource-sensitive programs, whose logical model is analogous to that of BI. It is essentially an extension of Hoare's approach to proving the correctness of imperative programs that perform destructive updates on data structures containing more than one pointer to the same location. It introduces an "independent conjunction" P & Q that holds only when P and Q are both true and depend on distinct areas of storage; its semantics is exactly that of the multiplicative conjunction of BI. It is a nice coincidence that the two lines of work arrived at the same point from different directions, something that has happened several times in the history of computer science, for example with Turing's computing machine and Church's λ-calculus.
After that, the two research groups cooperated on a series of works (O'Hearn et al., 2001; Reynolds, 2002) that established the foundation of separation logic as a logic for reasoning about heap memory. Reynolds (2002) adds two connectives to classical logic: separating conjunction ∗ and separating (spatial) implication −∗. The formula ∆1 ∗ ∆2 asserts that the current heap can be split into two domain-disjoint parts described by ∆1 and ∆2 respectively, while ∆1 −∗ ∆2 asserts that if the current heap is extended with any disjoint heap described by ∆1, then ∆2 holds in the extended heap. These connectives are supported by a low-level storage model comprising both stack and heap memory. The model assumes four sets: Loc of memory locations, Val of primitive values (with 0 ∈ Val denoting null), Var of variables (both program and logical variables), and ObjVal of object values stored in the heap, where c[f1 ↦ ν1, …, fn ↦ νn] denotes an object value of data type c whose fields f1, …, fn currently hold the values ν1, …, νn. A concrete memory state h, s, consisting of a heap and a stack, is drawn from the following concrete domains:

$$h \in \mathit{Heaps} =_{df} \mathit{Loc} \rightharpoonup_{\mathit{fin}} \mathit{ObjVal} \qquad s \in \mathit{Stacks} =_{df} \mathit{Var} \to \mathit{Val} \cup \mathit{Loc}$$

where $\rightharpoonup_{\mathit{fin}}$ denotes a finite partial function, so a heap is defined on only finitely many locations.
This model supports the basic program operations of lookup, update, allocation and deallocation through a set of Hoare-style reasoning rules, and it also permits unrestricted memory address arithmetic. The paper emphasises the frame rule

$$\frac{\{P\}\; C\; \{Q\}}{\{P \ast R\}\; C\; \{Q \ast R\}} \qquad \mathit{mods}(C) \cap \mathit{fv}(R) = \emptyset$$

as the basis of local reasoning, because it allows reasoning about a program to concentrate on the program's footprint, namely the variables and heap cells that the program actually manipulates, rather than on a large global heap state. The side condition requires that C modifies no variable occurring free in the frame R, which is what keeps R stable across the execution of C. This is important because it gives the reasoning the potential to scale. The assertion language of separation logic is also formalised on a possible-worlds model of BI. The paper further discusses soundness and relative completeness, surveys results on separation logic that were recent at the time, and illustrates possible applications in the field of program reasoning.
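The following Python model is an added example, not code from the thesis or from any of the cited papers. It gives a finite semantics to the assertions and the frame rule discussed above: heaps are finite partial maps from locations to primitive values (object values and the stack are omitted, so the frame rule's side condition mods(C) ∩ fv(R) = ∅ is trivially met), assertions are predicates on heaps, ∗ is checked by enumerating disjoint splits, and −∗ is checked against a small constructed universe of heaps (an assumption of the toy checker; the real connective quantifies over all heaps). Commands are modelled as fault-avoiding local actions on the heap, and `frame_rule_instance` checks a concrete instance of the rule. All names are hypothetical.

```python
"""Finite model of separation-logic assertions and the frame rule (added example)."""
from itertools import combinations
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Tuple

Heap = Dict[int, int]                        # Loc -> Val; 0 plays the role of null
Assertion = Callable[[Heap], bool]           # semantic assertion: h |= Delta
Command = Callable[[Heap], Optional[Heap]]   # local action; None means a memory fault


def disjoint_union(h1: Heap, h2: Heap) -> Optional[Heap]:
    """h1 (+) h2, defined only when dom(h1) and dom(h2) are disjoint."""
    if set(h1) & set(h2):
        return None
    return {**h1, **h2}


def splits(h: Heap) -> Iterator[Tuple[Heap, Heap]]:
    """Enumerate every way of writing h as a disjoint union h1 (+) h2."""
    locs = sorted(h)
    for r in range(len(locs) + 1):
        for chosen in combinations(locs, r):
            h1 = {l: h[l] for l in chosen}
            h2 = {l: h[l] for l in locs if l not in chosen}
            yield h1, h2


def emp(h: Heap) -> bool:
    """emp: the empty heap."""
    return h == {}


def points_to(loc: int, val: int) -> Assertion:
    """loc |-> val: the heap consists of exactly the one cell loc holding val."""
    return lambda h: h == {loc: val}


def star(p: Assertion, q: Assertion) -> Assertion:
    """p * q: some split h = h1 (+) h2 has h1 |= p and h2 |= q."""
    return lambda h: any(p(h1) and q(h2) for h1, h2 in splits(h))


def wand(p: Assertion, q: Assertion, universe: Iterable[Heap]) -> Assertion:
    """p -* q: every disjoint extension h (+) h' with h' |= p satisfies q.
    Quantifies over a finite universe only (assumption of this toy model)."""
    heaps = list(universe)

    def holds(h: Heap) -> bool:
        for h1 in heaps:
            ext = disjoint_union(h, h1)
            if ext is not None and p(h1) and not q(ext):
                return False
        return True
    return holds


def update(loc: int, val: int) -> Command:
    """[loc] := val as a local action; faults if loc is not allocated."""
    def run(h: Heap) -> Optional[Heap]:
        if loc not in h:
            return None
        return {**h, loc: val}
    return run


def triple_holds(p: Assertion, c: Command, q: Assertion,
                 universe: Iterable[Heap]) -> bool:
    """{p} c {q} in the fault-avoiding sense: on every heap satisfying p, c does
    not fault and its result satisfies q (checked over the finite universe)."""
    for h in universe:
        if p(h):
            out = c(h)
            if out is None or not q(out):
                return False
    return True


def frame_rule_instance(p: Assertion, c: Command, q: Assertion, r: Assertion,
                        universe: Iterable[Heap]) -> bool:
    """Given the premise {p} c {q}, check the conclusion {p * r} c {q * r}."""
    heaps = list(universe)
    assert triple_holds(p, c, q, heaps), "premise of the frame rule fails"
    return triple_holds(star(p, r), c, star(q, r), heaps)


def sample_universe() -> List[Heap]:
    """Constructed universe: all heaps over locations {1, 2} with values in {0, 5, 7}."""
    values = [0, 5, 7]
    heaps: List[Heap] = [{}]
    for v in values:
        heaps.append({1: v})
        heaps.append({2: v})
        for w in values:
            heaps.append({1: v, 2: w})
    return heaps


if __name__ == "__main__":
    U = sample_universe()
    P, Q, R = points_to(1, 0), points_to(1, 7), points_to(2, 5)
    C = update(1, 7)
    print("frame rule instance holds:", frame_rule_instance(P, C, Q, R, U))  # True
    print("update faults on emp:", not triple_holds(emp, C, Q, U))            # True
    print("wand at {2: 5}:", wand(points_to(1, 7), star(Q, R), U)({2: 5}))  # True
```

The premise {1 ↦ 0} [1] := 7 {1 ↦ 7} is proved on the one-cell footprint only; the frame check then confirms that the same command, run on the larger heap {1 ↦ 0, 2 ↦ 5}, leaves the framed cell 2 ↦ 5 untouched. The `emp` check shows why the triple is fault-avoiding: the update has no cell to write to and faults, so no postcondition can be claimed for it.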
Several further works on separation logic itself deserve mention. Yang and O'Hearn (2002) present a semantic analysis of the soundness and relative completeness of separation logic under which frame axioms can be inferred automatically, so that they need not be written into specifications. Calcagno et al. (2001) discuss computability and complexity results for separation logic, showing that validity of separation logic formulae is undecidable in general; validity over a restricted subset of the formulae is, however, decidable with known complexity. Following this, Berdine et al. (2004) identify a fragment of separation logic whose entailment problem is decidable and give a sound and complete algorithm for it, which plays an important theoretical role in their later work on program analysis. Calcagno et al. (2007) study the semantic structures underlying separation logic through the concept of a local action, a state transformer that mutates the state in a local way. They formulate local actions for a class of models called separation algebras, abstracting from the memory model and other specific concrete models used in work on separation logic. Local actions provide a semantics for a generalised form of (sequential) separation logic and allow a general soundness proof for a separation logic for concurrency.