# Constraint Semantics for Abstract Read Permissions

## Slide 1: Constraint Semantics for Abstract Read Permissions

28th July 2014, FTfJP, Uppsala. John Tang Boyland (UW-Milwaukee/ETH Zurich), Peter Müller, Malte Schwerhoff, Alexander J. Summers (ETH Zurich)

## Slide 2: Why Should You Pay Attention?

- Unbounded counting with fractional permissions over ℚ
- General framework for proving soundness of permission assumptions

## Slides 3–5: Modular Static Verification + Shared State

(Diagram: two methods, foo(x) and bar(x), operating on shared state; slides 4 and 5 add a question mark between them.)

## Slide 6: Permissions

(Diagram: foo(x), bar(x))

## Slides 7–8: Permission Transfer

(Diagram: foo(x), bar(x), with a question mark on the transfer between them.)

## Slide 9: Fractional Permissions

(Diagram: foo(x), bar(x))

## Slide 10: Splitting Fractional Permissions

(Diagram: foo(x), bar(x), with a question mark.) ℚ: ½ + ½ or ¼ + ¾ or …

## Slide 11: Merging Fractional Permissions

(Diagram: foo(x), bar(x), with a question mark.)

## Slides 12–16: Iterator Example

```
method visit(it: Iterator, d: Data) {
  var n: Int := 0
  while (it.hasNext()) {
    fork worker(it.next(), d)
    n := n + 1
  }
  ...
}

method worker(e: Element, d: Data) {
  // reads d.f
}
```

- Slide 12: Start with v1 permissions to d.f
- Slide 13: Give each worker the same v2 permissions to d.f
- Slide 14: Can the (n+1)th v2 still be given away?
- Slide 15: Fixing v2 up-front is not possible since n is unbounded …
- Slide 16: … on the other hand, for any n, a suitable v2 can be chosen

## Slide 17: Abstract Read Permissions (Heule et al., VMCAI'13)

Existing idea:

1. Use symbolic values v_i instead of concrete fractions
2. Constrain v_i as verification proceeds to make it sufficiently small

## Slides 18–19: Iterator Example with Abstract Read Permissions

Slide 18 shows the code without the assume statement; slide 19 adds it.

```
method visit(it: Iterator, d: Data, v1: Perm) {
  var n: Int := 0
  var v2: Perm := fresh()
  while (it.hasNext()) {
    assume v2 < v1 – n * v2
    fork worker(it.next(), d, v2)
    n := n + 1
  }
  ...
}

method worker(e: Element, d: Data, v: Perm) {
  // reads d.f
}
```

Enables ℚ to support unbounded counting.

## Slides 20–21: Other Permission Model Properties (Short Digression)

(Same code as slides 18–19.)

- Recursively fork visit ⇒ unbounded splitting
- Abstract predicates ⇒ permission multiplication

## Slide 22: Problem

Permission assumptions sound? ⇔ Constraint system satisfiable?

## Slide 23: Abstract Read Permissions (Heule et al., VMCAI'13)

- Must avoid unsound assumptions (in a modular way)
  - v < v
  - v1 < v2 && v2 < v1
- Factoring the key property for constraint satisfiability out of the general soundness proof is not straightforward
- Heule et al. therefore allow only limited application of abstract read permissions
  - Ensures satisfiable constraints
  - Can't support unbounded counting

## Slide 24: Layered Constraints

Key property.

## Slides 25–26: Layered Constraints

(Diagram: concrete fractions ¼, ½, ¾, …, i.e. q ∊ ℚ+, at the top and 0 at the bottom, with the variables v1, …, v8 arranged in layers between them; slide 26 labels the layering relation ≺.)

## Slide 27: Layered Constraints

- Partially ordered set of variables (V, ≺)
- v2 ≺ v1 ≙ "v2 layered below v1"
- Extend ≺ to v ≺ E, where E ::= q | v | E + E | E * E | E – E | E / E
- Define layered for sets C of permission inequalities v < E

## Slides 28–30: Extending ≺ to E

Derivation rules (premises above the line, conclusion below):

```
    q ∊ ℚ+
    ――――――
    v ≺ q

    v ≺ E1    v ≺ E2
    ――――――――――――――――   with ⊚ ∊ {+, ∗, /}
    v ≺ E1 ⊚ E2

    v ≺ v'    v' ≺ E
    ――――――――――――――――
    v ≺ E – v'
```

- Slide 29: the premise v' ≺ E ensures that v' < E could be added to C
- Slide 30: the premise v ≺ v' ensures that v is layered below v'

## Slides 31–32: Layered and Layerable Constraints

- A set C of permission inequalities v < E is layered w.r.t. ≺ if ∀ (v < E) ∊ C · v ≺ E
- Slide 32 generalises this: C is layered w.r.t. ≺ if ∀ (v < E) ∊ C · ∃ (v' < E') · (v' < E' ⇒ v < E) ∧ v' ≺ E'
  - Makes the simple derivation system more expressive
- A set C is layerable if there exists a ≺ such that C is layered w.r.t. ≺
- Theorem: If a constraint system is layerable, then it is satisfiable

## Slides 33–35: Iterator Example Revisited

The constraint from the iterator example, v2 < v1 – n * v2, is layered if v2 ≺ v1 – n * v2 is derivable. Since v2 < v1 – n * v2 ⇔ v2 < v1 / (n + 1), it suffices that v2 ≺ v1 / (n + 1) is derivable (using the rules of slides 28–30):

```
                   (n + 1) ∊ ℚ+
                   ――――――――――――
    v2 ≺ v1        v2 ≺ (n + 1)
    ―――――――――――――――――――――――――――
         v2 ≺ v1 / (n + 1)
```

## Slide 36: Using our Work

1. Define a suitable ≺-relation, e.g., "introduced after":

```
method visit(v1: Perm) {
  ...
  var v2: Perm := fresh()
  ...
}
```

2. Define a methodology for generating layered constraints w.r.t. the chosen ≺ (soundness proof)
3. Turn constraints into free assumptions

## Slide 37: Related Work

- Counting Permissions (Bornat et al., POPL'05)
  - Neither divisibility nor multiplication
- Compound Models (Dockins et al., APLAS'09; Leino et al., ESOP'09)
  - No multiplication
  - Potentially slow due to disjunctions
- Z[ε]+ (Boyland, LNCS Volume 7850, 2013)
  - Satisfies all three properties
  - Complex and subtle model
  - No existing implementation (as far as we know)

## Slide 38: Conclusion

- Identified a property that guarantees satisfiability of constraints over fractional permissions over ℚ
- Formalised a derivation system enforcing the property
- Enabled fractional permissions over ℚ to support unbounded counting
- Factor the soundness proof for permission book-keeping out of the general soundness proof
- Future work: define a methodology for fully exploiting layerable constraints in a front-end tool

## Slide 39: Questions?

www.pm.inf.ethz.ch, malte.schwerhoff@inf.ethz.ch

## Slide 40: Layered Constraints

Key property:

1. Never lower-bound a v by a concrete fraction q
2. A v_i may only occur in an upper bound of a v_j if v_j is layered (ordered) below v_i

## Slide 41: Adding Satisfiable Constraints

Is v ≺ E derivable? (assuming that C is already layered)
⇓
Is {v < E} ∪ C layered w.r.t. ≺?
⇓
Is {v < E} ∪ C satisfiable, i.e., can v < E be assumed?
⇕
Given E permissions, can v be given away?

## Slide 42: Rewriting Expressions

v < E is satisfiable ⇐ v ≺ E is derivable; and, if that is not possible, v < E is satisfiable ⇐ v' ≺ E' is derivable, where v' < E' is chosen such that v < E ⇐ v' < E'.

## Slide 43: Iterator Example Revisited

```
method visit(v1: Perm) {
  ...
  var v2: Perm := fresh()
  ...
}
```

1. Syntactic transformation: v2 < v1 – n * v2 ⇔ v2 < v1 / (n + 1)
2. Derive:

```
                   (n + 1) ∊ ℚ+
                   ――――――――――――
    v2 ≺ v1        v2 ≺ (n + 1)
    ―――――――――――――――――――――――――――
         v2 ≺ v1 / (n + 1)
```
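The derivation system of slides 28–35 and its use on the iterator constraint (slides 33–35 and 43) are small enough to execute. The following is an added example, not code from the slides or from the authors' tools: it encodes the expression grammar of slide 27, checks whether v ≺ E is derivable with the three rules, and builds a witness for the theorem of slide 32 by assigning each variable half of its smallest upper bound, walking from the top layer downwards. All names (`Const`, `Var`, `BinOp`, `derivable`, `satisfying_assignment`, …) are this example's own, and it assumes a concrete loop count n, whereas the slides keep n symbolic and only use (n + 1) ∊ ℚ+.

```python
# Added example, not code from the slides: a checker for the derivation system of
# slides 28-35 and a constructive witness for "layerable implies satisfiable"
# (slide 32). All names here, and the concrete n, are this example's own choices.
from dataclasses import dataclass
from fractions import Fraction


# Slide 27 grammar: E ::= q | v | E + E | E * E | E - E | E / E
@dataclass(frozen=True)
class Const:
    q: Fraction          # concrete fraction; the rules only admit q > 0


@dataclass(frozen=True)
class Var:
    name: str            # symbolic permission value


@dataclass(frozen=True)
class BinOp:
    op: str              # "+", "*", "-" or "/"
    left: object
    right: object


def closure(pairs):
    """Transitive closure of ≺; (a, b) means a ≺ b, "a layered below b"."""
    cl = set(pairs)
    while True:
        new = {(a, d) for a, b in cl for c, d in cl if b == c} - cl
        if not new:
            return cl
        cl |= new


def derivable(v, e, order):
    """Is v ≺ E derivable with the rules of slides 28-30?"""
    if isinstance(e, Const):                  # v ≺ q       if q ∊ ℚ+
        return e.q > 0
    if isinstance(e, Var):                    # v ≺ v'      if v ≺ v' in the order
        return (v.name, e.name) in order
    if e.op in ("+", "*", "/"):               # v ≺ E1 ⊚ E2 if v ≺ E1 and v ≺ E2
        return derivable(v, e.left, order) and derivable(v, e.right, order)
    # v ≺ E - v'  if v ≺ v' and v' ≺ E; the subtrahend must be a single variable
    return (isinstance(e.right, Var) and (v.name, e.right.name) in order
            and derivable(e.right, e.left, order))


def is_layered(cs, order):
    """Slide 31: ≺ is a strict order and every v < E in C has v ≺ E derivable."""
    return all(a != b for a, b in order) and all(derivable(v, e, order) for v, e in cs)


def implied_bounds(e, acc):
    """Each subterm E' - v' was derived with premise v' ≺ E' (slide 29), so
    v' < E' can be added to C without losing layeredness; collect those."""
    if isinstance(e, BinOp):
        if e.op == "-":
            acc.append((e.right, e.left))
        implied_bounds(e.left, acc)
        implied_bounds(e.right, acc)
    return acc


def evaluate(e, env):
    if isinstance(e, Const):
        return e.q
    if isinstance(e, Var):
        return env[e.name]
    l, r = evaluate(e.left, env), evaluate(e.right, env)
    return {"+": l + r, "*": l * r, "-": l - r, "/": l / r}[e.op]


def satisfying_assignment(cs, order):
    """Witness for slide 32's theorem: assign variables from the top layer down,
    each getting half of its smallest upper bound (or 1 if unbounded). Since
    v ≺ E places every variable of E above v, each bound is already evaluable,
    and the implied bounds keep every E - v' strictly positive."""
    assert is_layered(cs, order), "only layered constraint sets are handled"
    bounds = list(cs)
    for _, e in cs:
        implied_bounds(e, bounds)
    remaining = {v.name for v, _ in bounds} | {n for pair in order for n in pair}
    env = {}
    while remaining:
        top = next(n for n in remaining if not any((n, m) in order for m in remaining))
        ups = [evaluate(e, env) for v, e in bounds if v.name == top]
        env[top] = min(ups) / 2 if ups else Fraction(1)
        assert env[top] > 0
        remaining.remove(top)
    return env


def holds(cs, env):
    return all(env[v.name] < evaluate(e, env) for v, e in cs)


def iterator_example(n):
    """Slides 33-35 and 43 with a concrete loop count n (an assumption: the
    slides keep n symbolic and use only (n + 1) ∊ ℚ+)."""
    v1, v2 = Var("v1"), Var("v2")
    order = closure({("v2", "v1")})           # v2 introduced after v1: v2 ≺ v1
    original = BinOp("-", v1, BinOp("*", Const(Fraction(n)), v2))   # v1 - n * v2
    rewritten = BinOp("/", v1, Const(Fraction(n + 1)))              # v1 / (n + 1)
    env = satisfying_assignment([(v2, rewritten)], order)
    return {
        "original_derivable": derivable(v2, original, order),    # False: '-' rule needs a Var
        "rewritten_derivable": derivable(v2, rewritten, order),  # True
        "assignment": env,
        "original_holds": holds([(v2, original)], env),
        "n_plus_1_fit": (n + 1) * env["v2"] < env["v1"],   # the (n+1)th v2 can still be given
    }


def cycle_example():
    """Slide 23's unsound pair v1 < v2 && v2 < v1: no strict ≺ makes it layered."""
    v1, v2 = Var("v1"), Var("v2")
    cs = [(v1, v2), (v2, v1)]
    return is_layered(cs, closure({("v1", "v2"), ("v2", "v1")})), is_layered(cs, set())


if __name__ == "__main__":
    print(iterator_example(3))
    print(cycle_example())
```

Two things the slides state become visible when the code runs: the untransformed constraint v2 < v1 – n * v2 is not derivable because the subtraction rule needs a bare variable on the right, while the rewritten form v2 < v1 / (n + 1) is (slide 44's point that rewriting gains expressiveness), and the assignment built for the rewritten form still satisfies the original constraint and leaves room for the (n+1)th v2. The cyclic pair from slide 23 is rejected because no strict order can place each variable below the other.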

## Slide 44: Rewriting is only Conceptual

Important:

- Simple derivation system
- Rewriting gains expressiveness
- Rewriting is not necessary in, e.g., a verifier that constrains permissions by adding assumptions

## Slide 45: Using our Derivation System

- Use as part of the soundness proof for a verifier
  - Verifier uses symbolic permission values with constraints
  - Show that all generated constraints are layered
  - Facilitates separating the soundness proof for book-keeping permissions from the rest
- General framework, e.g., applicable to
  - Verification Condition Generation and Symbolic Execution
  - Separation Logic and Implicit Dynamic Frames

## Slide 46: Future Work

- Extend Chalice source syntax such that
  - Unbounded counting is supported
  - While all generated constraints remain satisfiable
- Soundness proof
- Find examples where permission values must be constrained in different scopes (e.g., across methods)
