Download presentation

Presentation is loading. Please wait.

Published byJaidyn Lisby Modified about 1 year ago

1
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff, Alexander J. Summers (ETH Zurich)

2
Unbounded Counting with Fractional Permissions over ℚ General Framework for Proving Soundness of Permission Assumptions 2 Why Should You Pay Attention?

3
3 Modular Static Verification + Shared State foo(x)bar(x)

4
4 Modular Static Verification + Shared State foo(x)bar(x) ?

5
5 Modular Static Verification + Shared State foo(x)bar(x) ?

6
6 Permissions foo(x)bar(x)

7
7 Permission Transfer foo(x)bar(x) ?

8
8 Permission Transfer foo(x)bar(x) ?

9
9 Fractional Permissions foo(x)bar(x)

10
10 Splitting Fractional Permissions foo(x)bar(x) ? ℚ : ½ + ½ or ¼ + ¾ or …

11
11 Merging Fractional Permissions foo(x)bar(x) ?

12
12 Iterator Example method visit(it: Iterator, d: Data) { var n: Int := 0 while (it.hasNext()) { fork worker(it.next(), d) n := n + 1 }... } method worker(e: Element, d: Data) { // reads d.f } Start with v 1 per- missions to d.f

13
13 Iterator Example method visit(it: Iterator, d: Data) { var n: Int := 0 while (it.hasNext()) { fork worker(it.next(), d) n := n + 1 }... } method worker(e: Element, d: Data) { // reads d.f } Give each worker the same v 2 per- missions to d.f

14
14 Iterator Example method visit(it: Iterator, d: Data) { var n: Int := 0 while (it.hasNext()) { fork worker(it.next(), d) n := n + 1 }... } method worker(e: Element, d: Data) { // reads d.f } Can (n+1) th v 2 still be given away?

15
15 Iterator Example Can (n+1) th v 2 still be given away? method visit(it: Iterator, d: Data) { var n: Int := 0 while (it.hasNext()) { fork worker(it.next(), d) n := n + 1 }... } method worker(e: Element, d: Data) { // reads d.f } Fixing v 2 up-front not possible since n unbounded …

16
16 Iterator Example method visit(it: Iterator, d: Data) { var n: Int := 0 while (it.hasNext()) { fork worker(it.next(), d) n := n + 1 }... } method worker(e: Element, d: Data) { // reads d.f } Can (n+1) th v 2 still be given away? … on the other hand, for any n, a suitable v 2 can be chosen

17
17 Abstract Read Permissions (Heule et al., VMCAI’13) 1.Use symbolic values v i instead of concrete fractions 2.Constrain v i as verification proceeds to make it sufficiently small Existing Idea

18
18 Iterator Example with Abstract Read Permissions method visit(it: Iterator, d: Data, v1: Perm) { var n: Int := 0 var v2: Perm := fresh() while (it.hasNext()) { fork worker(it.next(), d, v2) n := n + 1 }... } method worker(e: Element, d: Data, v: Perm) { // reads d.f }

19
19 Iterator Example with Abstract Read Permissions method visit(it: Iterator, d: Data, v1: Perm) { var n: Int := 0 var v2: Perm := fresh() while (it.hasNext()) { assume v2 < v1 – n * v2 fork worker(it.next(), d, v2) n := n + 1 }... } method worker(e: Element, d: Data, v: Perm) { // reads d.f } Enables ℚ to support unbounded counting

20
20 Other Permission Model Properties (Short Digression) method visit(it: Iterator, d: Data, v1: Perm) { var n: Int := 0 var v2: Perm := fresh() while (it.hasNext()) { assume v2 < v1 – n * v2 fork worker(it.next(), d, v2) n := n + 1 }... } method worker(e: Element, d: Data, v: Perm) { // reads d.f } Recursively fork visit unbounded splitting

21
21 Other Permission Model Properties (Short Digression) method visit(it: Iterator, d: Data, v1: Perm) { var n: Int := 0 var v2: Perm := fresh() while (it.hasNext()) { assume v2 < v1 – n * v2 fork worker(it.next(), d, v2) n := n + 1 }... } method worker(e: Element, d: Data, v: Perm) { // reads d.f } Abstract predicates permission multiplication

22
Permission Assumptions Sound? ⇔ Constraint System Satisfiable? 22 Problem

23
‐ Must avoid unsound assumptions (in a modular way) ‐ v < v ‐ v 1 < v 2 && v 2 < v 1 ‐ Factoring key property for constraint satisfiability out of general soundness proof is not straight- forward ‐ Heule et al. therefore allow only limited application of abstract read permissions ‐ Ensures satisfiable constraints ‐ Can’t support unbounded counting 23 Abstract Read Permissions (Heule et al., VMCAI’13)

24
24 Layered Constraints Key Property

25
25 Layered Constraints ¼, ½, ¾, … q ∊ ℚ + 00 v1v1 v3v3 v7v7 v4v4 v6v6 v8v8 v5v5 v2v2

26
26 Layered Constraints ¼, ½, ¾, … q ∊ ℚ + 00 v1v1 v3v3 v7v7 v4v4 v6v6 v8v8 v5v5 v2v2 ≺

27
27 Partially ordered set of variables (V, ≺) v 2 ≺ v 1 ≙ “ v 2 layered below v 1 ” Extend ≺ to v ≺ E E ::= q | v | E + E | E * E | E – E | E / E Define layered for sets C of permission inequalities v < E Layered Constraints

28
28 Extending ≺ to E q ∊ ℚ + v ≺ q v ≺ E 1 v ≺ E 2 v ≺ E 1 ⊚ E 2 with ⊚ ∊ {+, ∗, /} v ≺ v’ v’ ≺ E v ≺ E – v’

29
29 Extending ≺ to E q ∊ ℚ + v ≺ q v ≺ E 1 v ≺ E 2 v ≺ E 1 ⊚ E 2 with ⊚ ∊ {+, ∗, /} v ≺ v’ v’ ≺ E v ≺ E – v’ Ensures that v’ < E could be added to C

30
30 Extending ≺ to E q ∊ ℚ + v ≺ q v ≺ E 1 v ≺ E 2 v ≺ E 1 ⊚ E 2 with ⊚ ∊ {+, ∗, /} v ≺ v’ v’ ≺ E v ≺ E – v’ Ensures that v is layered below v’

31
31 Layered and Layerable Constraints ‐ A set C of permission inequalities v < E is layered w.r.t. to ≺ if ∀ (v < E) ∊ C · v ≺ E

32
32 Layered and Layerable Constraints ‐ A set C of permission inequalities v < E is layered w.r.t. to ≺ if ∀ (v < E) ∊ C · ∃ (v’ < E’) · (v’ < E’ ⇒ v < E) ∧ v’ ≺ E’ ‐ A set C is layerable if there exists a ≺ s.t. C is layered w.r.t. to ≺ Theorem: If a constraint system is layerable, then it is satisfiable Makes simple derivation system more expressive

33
33 Iterator Example Revisited q ∊ ℚ + v ≺ q v ≺ E 1 v ≺ E 2 v ≺ E 1 ⊚ E 2 with ⊚ ∊ {+, ∗, /} v ≺ v’ v’ ≺ E v ≺ E – v’ Constraint from iterator example v 2 < v 1 – n * v 2 is layered if v 2 ≺ v 1 – n * v 2 is derivable

34
34 Iterator Example Revisited q ∊ ℚ + v ≺ q v ≺ E 1 v ≺ E 2 v ≺ E 1 ⊚ E 2 with ⊚ ∊ {+, ∗, /} v ≺ v’ v’ ≺ E v ≺ E – v’ Constraint from iterator example v 2 < v 1 – n * v 2 is layered if v 2 ≺ v 1 – n * v 2 ⇔ v 2 < v 1 / (n + 1) is derivable

35
35 Iterator Example Revisited v 2 ≺ v 1 v 2 ≺ (n + 1) v 2 ≺ v 1 / (n + 1) (n + 1) ∊ ℚ + q ∊ ℚ + v ≺ q v ≺ E 1 v ≺ E 2 v ≺ E 1 ⊚ E 2 with ⊚ ∊ {+, ∗, /} v ≺ v’ v’ ≺ E v ≺ E – v’

36
1.Define a suitable ≺ -relation, e.g., introduced after 2.Define a methodology for generating layered constraints w.r.t. to chosen ≺ (soundness proof) 3.Turn constraints into free assumptions 36 Using our Work method visit(v1: Perm) {... var v2: Perm := fresh()... }

37
37 Related Work ‐ Counting Permissions (Bornat et al., POPL’05) ‐ Neither divisibility nor multiplication ‐ Compound Models (Dockins et al., APLAS’09, Leino et al., ESOP’09) ‐ No multiplication ‐ Potentially slow due to disjunctions ‐ Z[ε] + (Boyland, LNCS Volume 7850, 2013) ‐ Satisfies all three properties ‐ Complex and subtle model ‐ No existing implementation (as far as we know)

38
38 Conclusion ‐ Identified a property that guarantees satisfiability of constraints over fractional permissions over ℚ ‐ Formalised a derivation system enforcing the property ‐ Enabled fractional permissions over ℚ to support unbounded counting ‐ Factor soundness proof for permission book- keeping out of general soundness proof ‐ Future work: define methodology for fully exploiting layerable constraints in a front-end tool

39
39 Questions? www.pm.inf.ethz.ch malte.schwerhoff@inf.ethz.ch

40
40 Layered Constraints 1.Never lower-bound a v by a concrete fraction q 2.A v i may only occur in an upper bound of a v j if v j is layered (ordered) below v i Key Property

41
Given E permissions, can v be given away? 41 Adding Satisfiable Constraints Is { v < E} ∪ C satisfiable, i.e., can v < E be assumed? Is v ≺ E derivable? (Assuming that C is already layered) ⇓ ⇓ Is { v < E} ∪ C layered w.r.t to ≺ ? ⇕

42
v < E is satisfiable 42 Rewriting Expressions v’ ≺ E’ is derivable ⇐====== show that exists v' < E’ such that v < E ⇐ v' < E’ if if not possible v ≺ E is derivable and where

43
43 Iterator Example Revisited v 2 < v 1 – n * v 2 ⇔v 2 < v 1 / (n + 1) v 2 ≺ v 1 v 2 ≺ (n + 1) v 2 ≺ v 1 / (n + 1) (n + 1) ∊ ℚ + 1. Syntactic Transforma tion: 2. Derive: method visit(v1: Perm) {... var v2: Perm := fresh()... }

44
44 Rewriting is only Conceptual ‐ Simple derivation system ‐ Rewriting gains expressiveness ‐ Rewriting not necessary in, e.g., a verifier that constraints permissions by adding assumptions Important

45
‐ Use as part of the soundness proof for a verifier ‐ Verifier uses symbolic permission values with constraints ‐ Show that all generated constraints are layered ‐ Facilitates separating the soundness proof for book-keeping permissions from the rest ‐ General framework, e.g., applicable to ‐ Verification Condition Generation and Symbolic Execution ‐ Separation Logic and Implicit Dynamic Frames 45 Using our Derivation System

46
46 Future Work ‐ Extend Chalice source syntax such that ‐ Unbounded counting is supported ‐ While all generated constraints remain satisfiable ‐ Soundness proof ‐ Find examples where permission values must be constrained in different scopes (e.g., across methods)

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google