
1
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff, Alexander J. Summers (ETH Zurich)

2
Unbounded Counting with Fractional Permissions over ℚ General Framework for Proving Soundness of Permission Assumptions 2 Why Should You Pay Attention?

3
3 Modular Static Verification + Shared State foo(x)bar(x)

4
4 Modular Static Verification + Shared State foo(x)bar(x) ?

5
5 Modular Static Verification + Shared State foo(x)bar(x) ?

6
6 Permissions foo(x)bar(x)

7
7 Permission Transfer foo(x)bar(x) ?

8
8 Permission Transfer foo(x)bar(x) ?

9
9 Fractional Permissions foo(x)bar(x)

10
10 Splitting Fractional Permissions foo(x)bar(x) ? ℚ : ½ + ½ or ¼ + ¾ or …

11
11 Merging Fractional Permissions foo(x)bar(x) ?

Slides 12-16: Iterator Example

  method visit(it: Iterator, d: Data) {
    var n: Int := 0
    while (it.hasNext()) {
      fork worker(it.next(), d)
      n := n + 1
    }
    ...
  }

  method worker(e: Element, d: Data) {
    // reads d.f
  }

Slide 12: Start with v1 permissions to d.f
Slide 13: Give each worker the same v2 permissions to d.f
Slide 14: Can the (n+1)th v2 still be given away?
Slide 15: Fixing v2 up-front is not possible since n is unbounded …
Slide 16: … on the other hand, for any n, a suitable v2 can be chosen

Slide 17: Abstract Read Permissions (Heule et al., VMCAI'13) (Existing Idea)
1. Use symbolic values vi instead of concrete fractions
2. Constrain vi as verification proceeds to make it sufficiently small

Slide 18: Iterator Example with Abstract Read Permissions

  method visit(it: Iterator, d: Data, v1: Perm) {
    var n: Int := 0
    var v2: Perm := fresh()
    while (it.hasNext()) {
      fork worker(it.next(), d, v2)
      n := n + 1
    }
    ...
  }

  method worker(e: Element, d: Data, v: Perm) {
    // reads d.f
  }

Slide 19: Iterator Example with Abstract Read Permissions
Same code as slide 18, with an assumption added at the start of the loop body:

    while (it.hasNext()) {
      assume v2 < v1 – n * v2
      fork worker(it.next(), d, v2)
      n := n + 1
    }

Enables ℚ to support unbounded counting

Slides 20-21: Other Permission Model Properties (Short Digression)
(same code as slide 19)
- Recursively fork visit: unbounded splitting
- Abstract predicates: permission multiplication

Slide 22: Problem
Permission Assumptions Sound? ⇔ Constraint System Satisfiable?

Slide 23: Abstract Read Permissions (Heule et al., VMCAI'13)
- Must avoid unsound assumptions (in a modular way)
  - v < v
  - v1 < v2 && v2 < v1
- Factoring the key property for constraint satisfiability out of the general soundness proof is not straightforward
- Heule et al. therefore allow only limited application of abstract read permissions
  - Ensures satisfiable constraints
  - Can't support unbounded counting

Slide 24: Layered Constraints (Key Property)

Slide 25: Layered Constraints
(diagram: the variables v1 … v8 arranged in layers, together with the concrete fractions q ∈ ℚ+ (¼, ½, ¾, …) and 0)

Slide 26: Layered Constraints
(same diagram, with the relation ≺ drawn between the layers)

Slide 27: Layered Constraints
- Partially ordered set of variables (V, ≺)
- v2 ≺ v1 ≙ "v2 layered below v1"
- Extend ≺ to v ≺ E, where E ::= q | v | E + E | E * E | E – E | E / E
- Define "layered" for sets C of permission inequalities v < E

Slide 28: Extending ≺ to E

      q ∈ ℚ+
      ------
      v ≺ q

      v ≺ E1    v ≺ E2
      ----------------   with ⊚ ∈ {+, ∗, /}
      v ≺ E1 ⊚ E2

      v ≺ v'    v' ≺ E
      ----------------
      v ≺ E – v'

Slide 29: Extending ≺ to E
(same rules; annotation on the subtraction rule) Ensures that v' < E could be added to C

Slide 30: Extending ≺ to E
(same rules; annotation on the subtraction rule) Ensures that v is layered below v'

Slide 31: Layered and Layerable Constraints
- A set C of permission inequalities v < E is layered w.r.t. ≺ if ∀ (v < E) ∈ C · v ≺ E

Slide 32: Layered and Layerable Constraints
- A set C of permission inequalities v < E is layered w.r.t. ≺ if ∀ (v < E) ∈ C · ∃ (v' < E') · (v' < E' ⇒ v < E) ∧ v' ≺ E'
  (makes the simple derivation system more expressive)
- A set C is layerable if there exists a ≺ s.t. C is layered w.r.t. ≺
- Theorem: If a constraint system is layerable, then it is satisfiable

Slide 33: Iterator Example Revisited
(derivation rules of slide 28) The constraint from the iterator example, v2 < v1 – n * v2, is layered if v2 ≺ v1 – n * v2 is derivable

Slide 34: Iterator Example Revisited
(derivation rules of slide 28) The constraint v2 < v1 – n * v2 ⇔ v2 < v1 / (n + 1) is layered if v2 ≺ v1 / (n + 1) is derivable

Slide 35: Iterator Example Revisited

                 (n + 1) ∈ ℚ+
                 ------------
      v2 ≺ v1    v2 ≺ (n + 1)
      -----------------------
         v2 ≺ v1 / (n + 1)
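The derivation rules of slides 28 to 35, and the rewriting step of slide 34, as a small checker; this is an added example, not code from the talk or its authors. It implements the slide 31 notion of "layered" (every v ≺ E derivable syntactically), encodes the order as (lower, upper) pairs that are closed transitively, and uses n = 3 as a constructed instance so that n + 1 is a concrete q ∈ ℚ+.

```python
# Added example (not from the talk): a checker for the "layered" derivation system.
# E ::= q | v | E + E | E * E | E - E | E / E is encoded as nested tuples, e.g.
# ("q", Fraction(1, 2)), ("v", "v1"), ("-", E, E); a constraint (v, E) means v < E.
from fractions import Fraction

def strict_order(pairs):
    """Transitive closure of (lower, upper) pairs; rejects cycles such as
    v1 < v2 && v2 < v1, which no partial order can contain."""
    order = set(pairs)
    changed = True
    while changed:
        changed = False
        for (a, b) in list(order):
            for (c, d) in list(order):
                if b == c and (a, d) not in order:
                    order.add((a, d))
                    changed = True
    if any(a == b for a, b in order):
        raise ValueError("not a strict partial order: " + str(pairs))
    return order

def below(v, e, order):
    """Is v ≺ E derivable with the rules of slide 28?"""
    kind = e[0]
    if kind == "q":                          # q ∈ Q+ (zero is not allowed)
        return e[1] > 0
    if kind == "v":                          # v ≺ v' must hold in the order
        return (v, e[1]) in order
    if kind in ("+", "*", "/"):              # v ≺ E1 and v ≺ E2 give v ≺ E1 ⊚ E2
        return below(v, e[1], order) and below(v, e[2], order)
    if kind == "-":                          # v ≺ v' and v' ≺ E give v ≺ E - v'
        lhs, sub = e[1], e[2]
        return sub[0] == "v" and (v, sub[1]) in order and below(sub[1], lhs, order)
    raise ValueError("unknown expression " + repr(e))

def is_layered(constraints, pairs):
    """Layered w.r.t. the order given by pairs iff every v ≺ E is derivable."""
    order = strict_order(pairs)
    return all(below(v, e, order) for v, e in constraints)

# Iterator example with n = 3 (constructed instance), so n + 1 = 4 ∈ Q+.
ORIGINAL = ("v2", ("-", ("v", "v1"), ("*", ("q", Fraction(3)), ("v", "v2"))))
REWRITTEN = ("v2", ("/", ("v", "v1"), ("q", Fraction(4))))
V2_BELOW_V1 = [("v2", "v1")]                 # v2 introduced after v1, so v2 ≺ v1

def iterator_example():
    """The syntactic form is not derivable (its subtrahend is not a variable);
    the rewritten form v2 < v1 / (n + 1) of slide 34 is."""
    return is_layered([ORIGINAL], V2_BELOW_V1), is_layered([REWRITTEN], V2_BELOW_V1)
```

The two unsound assumptions of slide 23 are rejected as well: v < v is never derivable, and the cyclic order needed for v1 < v2 && v2 < v1 is refused by strict_order.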

Slide 36: Using our Work
1. Define a suitable ≺-relation, e.g., "introduced after":

      method visit(v1: Perm) {
        ...
        var v2: Perm := fresh()
        ...
      }

2. Define a methodology for generating layered constraints w.r.t. the chosen ≺ (soundness proof)
3. Turn constraints into free assumptions

Slide 37: Related Work
- Counting Permissions (Bornat et al., POPL'05)
  - Neither divisibility nor multiplication
- Compound Models (Dockins et al., APLAS'09; Leino et al., ESOP'09)
  - No multiplication
  - Potentially slow due to disjunctions
- Z[ε]+ (Boyland, LNCS Volume 7850, 2013)
  - Satisfies all three properties
  - Complex and subtle model
  - No existing implementation (as far as we know)

Slide 38: Conclusion
- Identified a property that guarantees satisfiability of constraints over fractional permissions over ℚ
- Formalised a derivation system enforcing the property
- Enabled fractional permissions over ℚ to support unbounded counting
- Factor the soundness proof for permission bookkeeping out of the general soundness proof
- Future work: define a methodology for fully exploiting layerable constraints in a front-end tool

Slide 39: Questions?
www.pm.inf.ethz.ch
malte.schwerhoff@inf.ethz.ch

Slide 40: Layered Constraints (Key Property)
1. Never lower-bound a v by a concrete fraction q
2. A vi may only occur in an upper bound of a vj if vj is layered (ordered) below vi

Slide 41: Adding Satisfiable Constraints

  Given E permissions, can v be given away?
  ⇕
  Is {v < E} ∪ C satisfiable, i.e., can v < E be assumed?
  ⇓
  Is {v < E} ∪ C layered w.r.t. ≺?
  ⇓
  Is v ≺ E derivable? (assuming that C is already layered)

Slide 42: Rewriting Expressions
v < E is satisfiable ⇐ v ≺ E is derivable; if that is not possible, show that there exists v' < E' such that v < E ⇐ v' < E' and v' ≺ E' is derivable.

Slide 43: Iterator Example Revisited
(code of slide 36: v2 is introduced by fresh() after the parameter v1)
1. Syntactic transformation: v2 < v1 – n * v2 ⇔ v2 < v1 / (n + 1)
2. Derive:

                 (n + 1) ∈ ℚ+
                 ------------
      v2 ≺ v1    v2 ≺ (n + 1)
      -----------------------
         v2 ≺ v1 / (n + 1)

Slide 44: Rewriting is only Conceptual (Important)
- Simple derivation system
- Rewriting gains expressiveness
- Rewriting is not necessary in, e.g., a verifier that constrains permissions by adding assumptions

Slide 45: Using our Derivation System
- Use as part of the soundness proof for a verifier
  - Verifier uses symbolic permission values with constraints
  - Show that all generated constraints are layered
- Facilitates separating the soundness proof for bookkeeping permissions from the rest
- General framework, e.g., applicable to
  - Verification Condition Generation and Symbolic Execution
  - Separation Logic and Implicit Dynamic Frames

Slide 46: Future Work
- Extend Chalice source syntax such that
  - Unbounded counting is supported
  - While all generated constraints remain satisfiable
- Soundness proof
- Find examples where permission values must be constrained in different scopes (e.g., across methods)
