Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland...

Constraint Semanticsfor

Abstract Read Permissions

28th July 2014, FTfJP, Uppsala

John Tang Boyland (UW-Milwaukee/ETH Zurich)Peter Müller, Malte Schwerhoff, Alexander J. Summers (ETH Zurich)

2

Unbounded Counting with Fractional Permissions over

ℚ

General Framework for Proving Soundness of

Permission Assumptions

Why Should You Pay Attention?

3

Modular Static Verification + Shared State

foo(x) bar(x)

4


foo(x) bar(x)

?

5


foo(x) bar(x)

?

?

?

6

Permissions

foo(x) bar(x)

7

Permission Transfer

foo(x) bar(x)

?

8

Permission Transfer

foo(x) bar(x)

?

?

9

Fractional Permissions

foo(x) bar(x)

10

Splitting Fractional Permissions

foo(x) bar(x)

?

ℚ: ½ + ½ or ¼ + ¾ or …

11

Merging Fractional Permissions

foo(x) bar(x)

?

12

Iterator Example

method visit(it: Iterator, d: Data) { var n: Int := 0

while (it.hasNext()) { fork worker(it.next(), d) n := n + 1 }

...}

method worker(e: Element, d: Data) { // reads d.f}

Start with v1 per-missions to d.f

13

Iterator Example



...}


Give each workerthe same v2 per-missions to d.f

14

Iterator Example



...}


Can (n+1)th v2 stillbe given away?

15

Iterator Example




...}

method worker(e: Element, d: Data) { // reads d.f} Fixing v2 up-front not

possible since n unbounded …

16

Iterator Example



...}



… on the other hand, for any n, a suitable

v2 can be chosen

17

Abstract Read Permissions(Heule et al., VMCAI’13)

1. Use symbolic values vi insteadof concrete fractions

2. Constrain vi as verification proceeds to make it sufficiently small

Existing Idea

18

Iterator Example with Abstract Read Permissions

method visit(it: Iterator, d: Data, v1: Perm) { var n: Int := 0 var v2: Perm := fresh()

while (it.hasNext()) {

fork worker(it.next(), d, v2) n := n + 1 }

...}

method worker(e: Element, d: Data, v: Perm) { // reads d.f}

19

Iterator Example with Abstract Read Permissions


while (it.hasNext()) { assume v2 < v1 – n * v2 fork worker(it.next(), d, v2) n := n + 1 }

...}


Enables ℚ to support unbounded counting

!

20

Other Permission Model Properties (Short Digression)



...}


Recursively fork visit unbounded splitting

21

Other Permission Model Properties (Short Digression)



...}


Abstract predicates permission multiplication

22

Permission Assumptions Sound?

⇔

Constraint System Satisfiable?

Problem

23

‐Must avoid unsound assumptions (in a modular way)

‐ v < v‐ v1 < v2 && v2 < v1

‐Factoring key property for constraint satisfiability out of general soundness proof is not straight-forward

‐Heule et al. therefore allow only limited application of abstract read permissions

‐ Ensures satisfiable constraints‐ Can’t support unbounded counting

Abstract Read Permissions (Heule et al., VMCAI’13)

24

Layered Constraints

Key Property

25

Layered Constraints

¼, ½, ¾, … q ∊ ℚ+

00

v1 v3

v7v4

v6

v8v5 v2

26

Layered Constraints

¼, ½, ¾, … q ∊ ℚ+

00

v1v3

v7v4

v6

v8v5 v2

≺

27

Partially ordered set of variables (V, )≺v2 v≺ 1 ≙ “v2 layered below v1”

Extend ≺ to v E≺E ::= q | v | E + E | E * E | E – E | E / E

Define layered for sets C ofpermission inequalities v < E

Layered Constraints

28

Extending ≺ to E

q ∊ ℚ+

v q≺ v E≺ 1 v E≺ 2

v E≺ 1 E⊚ 2

with ⊚ ∊ {+, , /}∗

v v’ v’ E≺ ≺v E – v’≺

29

Extending ≺ to E

q ∊ ℚ+

v q≺ v E≺ 1 v E≺ 2

v E≺ 1 E⊚ 2

with ⊚ ∊ {+, , /}∗

v v’ v’ E≺ ≺v E – v’≺

Ensures that v’ < E could be added to C

30

Extending ≺ to E

q ∊ ℚ+

v q≺ v E≺ 1 v E≺ 2

v E≺ 1 E⊚ 2

with ⊚ ∊ {+, , /}∗

v v’ v’ E≺ ≺v E – v’≺

Ensures that v is layered below v’

31

Layered and Layerable Constraints

‐A set C of permission inequalities v < Eis layered w.r.t. to ≺ if

∀ (v < E) ∊ C · v E≺

32

Layered and Layerable Constraints

‐A set C of permission inequalities v < Eis layered w.r.t. to ≺ if

∀ (v < E) ∊ C · (v’ < E’) ·∃

(v’ < E’ ⇒ v < E) ∧ v’ E’≺‐A set C is layerable if there exists a ≺ s.t. C is layered w.r.t. to ≺Theorem: If a constraint system is layerable, then it is

satisfiable

Makes simple derivation

system more expressive

33

Iterator Example Revisited

q ∊ ℚ+

v q≺ v E≺ 1 v E≺ 2

v E≺ 1 E⊚ 2

with ⊚ ∊ {+, , /}∗

v v’ v’ E≺ ≺v E – v’≺

Constraint from iterator examplev2 < v1 – n * v2

is layered ifv2 v≺ 1 – n * v2

is derivable

34


q ∊ ℚ+

v q≺ v E≺ 1 v E≺ 2

v E≺ 1 E⊚ 2

with ⊚ ∊ {+, , /}∗

v v’ v’ E≺ ≺v E – v’≺

Constraint from iterator examplev2 < v1 – n * v2

is layered ifv2 v≺ 1 – n * v2 ⇔ v2 < v1 / (n + 1)

is derivable

35


v2 v≺ 1 v2 (n + 1)≺v2 v≺ 1 / (n + 1)

(n + 1) ∊ ℚ+

q ∊ ℚ+

v q≺ v E≺ 1 v E≺ 2

v E≺ 1 E⊚ 2

with ⊚ ∊ {+, , /}∗

v v’ v’ E≺ ≺v E – v’≺

36

1. Define a suitable ≺-relation, e.g., introduced after

2. Define a methodology for generating layered constraints w.r.t. to chosen ≺ (soundness proof)

3. Turn constraints into free assumptions

Using our Work

method visit(v1: Perm) { ... var v2: Perm := fresh() ... }

37

Related Work

‐Counting Permissions (Bornat et al., POPL’05)

‐ Neither divisibility nor multiplication

‐Compound Models (Dockins et al., APLAS’09, Leino et al., ESOP’09)

‐ No multiplication‐ Potentially slow due to disjunctions

‐Z[ε]+ (Boyland, LNCS Volume 7850, 2013)‐ Satisfies all three properties‐ Complex and subtle model‐ No existing implementation (as far as we know)

38

Conclusion

‐ Identified a property that guarantees satisfiability of constraints over fractional permissions over ℚ

‐Formalised a derivation system enforcing the property

‐Enabled fractional permissions over ℚ to support unbounded counting

‐Factor soundness proof for permission book-keeping out of general soundness proof

‐Future work: define methodology for fully exploiting layerable constraints in a front-end tool

39

Questions?www.pm.inf.ethz.ch

[email protected]

Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland...

Documents

Transcript of Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland...