higher order concurrent separation logic why and how
play

Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal - PowerPoint PPT Presentation

Aug 13, 2023 •379 likes •1.02k views

Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen, Netherlands Dec, 2015 Modular Reasoning about Higher-Order Concurrent Imperative Programs 1 / 33 Introduction Goal Program logics for

  1. Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen, Netherlands Dec, 2015 Modular Reasoning about Higher-Order Concurrent Imperative Programs 1 / 33

  2. Introduction Goal ◮ Program logics for modular reasoning about partial correctness of higher-order, concurrent, imperative code programs. 2 / 33

  3. Outline 1. Why higher-order logic + guarded recursion is useful for expressing such modular specs ◮ via example of layered and recursive abstraction. 2. Why impredicative protocols to govern shared state ◮ via example verification of lock implementation ◮ invariants to enforce protocols ◮ monoids to express protocols (ownership) 3. How the logic is modelled and showed sound (key ideas) ◮ BI-hyperdoctrine over ultra-metric spaces, Kripke model with recursively defined worlds. 4. Overview of resources to learn more ◮ tutorial material ◮ papers: iCAP [ESOP-2014] and Iris [POPL-2015] ◮ paper on formalization: ModuRes Library [ITP-2015] 5. Overview of features in iCAP and Iris not covered today 3 / 33

  4. Higher-Order Programming ◮ Programming features ◮ HO functions ◮ Interfaces in OO languages ◮ Function Pointers in low-level languages ◮ for ◮ Building libraries ◮ Returning libraries ◮ Parameterization ◮ Point: ◮ Features important for modularizing large programs ◮ Allow programming relative to unknown code ◮ Goal: Logics and Models that support correspondingly modular specifications of code. 4 / 33

  5. Example: Layered and Recursive Abstractions ◮ Modular library specifications that supports layering of abstractions and recursive abstractions. 5 / 33

  6. Example: Layered and Recursive Abstractions ◮ Modular library specifications that supports layering of abstractions and recursive abstractions. LinkedList HashMap Lock 5 / 33

  7. Example: Layered and Recursive Abstractions ◮ Modular library specifications that supports layering of abstractions and recursive abstractions. M 2 LinkedList HashMap M 1 Lock 5 / 33

  8. Recursive Abstractions Reentrant Event Loop Library handler ( ) ; delegate void IEventLoop { interface loop ( ) ; void s i g n a l ( ) ; void void when ( handler f ) ; } 6 / 33

  9. Recursive Abstractions Reentrant Event Loop Library handler ( ) ; delegate void IEventLoop { interface loop ( ) ; void s i g n a l ( ) ; void void when ( handler f ) ; } Event handlers are allowed to emit events! 6 / 33

  10. Recursive Abstractions A library that allows us to close Landin’s Knot / perform Reentrant Event Loop Library recursion through the store. handler ( ) ; delegate void IEventLoop { interface loop ( ) ; void s i g n a l ( ) ; void void when ( handler f ) ; } Event handlers are allowed to emit events! 6 / 33

  11. Recursive Abstractions A library that allows us to close Landin’s Knot / perform Reentrant Event Loop Library recursion through the store. handler ( ) ; delegate void IEventLoop { interface loop ( ) ; void s i g n a l ( ) ; void void when ( handler f ) ; } Event handlers are Realistic examples of this form: allowed to emit events! libevent, Node.js, Twisted, ... C5, GUI libraries, Joins library, ... 6 / 33

  12. A Modular Lock Specification ∃ isLock , locked : Val × Prop → Prop . ∀ R : Prop . { R } { isLock(ret , R) } new Lock() { isLock(x , R) } { locked(x , R) ∗ R } x.Acquire() { locked(x , R) ∗ R } { isLock(x , R) } x.Release() ∀ x : Val . isLock(x , R) ⇔ isLock(x , R) ∗ isLock(x , R) 7 / 33

  13. A Modular Lock Specification Standard sep. logic lock specification The resource invariant R describes the resources protected by the lock. ∃ isLock , locked : Val × Prop → Prop . ∀ R : Prop . { R } { isLock(ret , R) } new Lock() { isLock(x , R) } { locked(x , R) ∗ R } x.Acquire() { locked(x , R) ∗ R } { isLock(x , R) } x.Release() ∀ x : Val . isLock(x , R) ⇔ isLock(x , R) ∗ isLock(x , R) 7 / 33

  14. A Modular Lock Specification ∃ isLock , locked : Val × Prop → Prop . ∀ R : Prop . { R } { isLock(ret , R) } new Lock() { isLock(x , R) } { locked(x , R) ∗ R } x.Acquire() { locked(x , R) ∗ R } { isLock(x , R) } x.Release() ∀ x : Val . isLock(x , R) ⇔ isLock(x , R) ∗ isLock(x , R) 7 / 33

  15. A Modular Lock Specification Third-order quantification. ∃ isLock , locked : Val × Prop → Prop . ∀ R : Prop . { R } { isLock(ret , R) } new Lock() { isLock(x , R) } { locked(x , R) ∗ R } x.Acquire() { locked(x , R) ∗ R } { isLock(x , R) } x.Release() ∀ x : Val . isLock(x , R) ⇔ isLock(x , R) ∗ isLock(x , R) 7 / 33

  16. A Modular Lock Specification ∀ R : Prop . ∃ isLock , locked : Val → Prop . { R } { isLock(ret) } new Lock() { isLock(x) } { locked(x) ∗ R } x.Acquire() { locked(x) ∗ R } { isLock(x) } x.Release() ∀ x : Val . isLock(x) ⇔ isLock(x) ∗ isLock(x) 7 / 33

  17. A Modular Lock Specification Second-order quantification. ∀ R : Prop . ∃ isLock , locked : Val → Prop . { R } { isLock(ret) } new Lock() { isLock(x) } { locked(x) ∗ R } x.Acquire() { locked(x) ∗ R } { isLock(x) } x.Release() ∀ x : Val . isLock(x) ⇔ isLock(x) ∗ isLock(x) 7 / 33

  18. A Modular Lock Specification This specification might suffice for layering of abstractions, but not for all recursive abstractions. ∀ R : Prop . ∃ isLock , locked : Val → Prop . { R } { isLock(ret) } new Lock() { isLock(x) } { locked(x) ∗ R } x.Acquire() { locked(x) ∗ R } { isLock(x) } x.Release() ∀ x : Val . isLock(x) ⇔ isLock(x) ∗ isLock(x) 7 / 33

  19. Recursive Abstractions Event Loop Memory Safety Specification ∃ eloop : Val → Prop . { emp } { eloop(ret) } new EventLoop() { eloop(x) } { eloop(x) } x.loop() { eloop(x) } { eloop(x) } x.signal() { eloop(x) ∗ P } { eloop(x) } x.when(f) ∀ x : Val . eloop(x) ⇔ eloop(x) ∗ eloop(x) where P = f �→ { emp }{ emp } 8 / 33

  20. Recursive Abstractions Event Loop Memory Safety Specification ∃ eloop : Val → Prop . { emp } { eloop(ret) } new EventLoop() { eloop(x) } { eloop(x) } x.loop() { eloop(x) } { eloop(x) } x.signal() { eloop(x) ∗ P } { eloop(x) } x.when(f) ∀ x : Val . eloop(x) ⇔ eloop(x) ∗ eloop(x) where P = f �→ { emp }{ emp } Event handler must run without any resources but emitting an event requires an eloop(x) resource! 8 / 33

  21. Recursive Abstractions Reentrant Event Loop Memory Safety Specification ∃ eloop : Val → Prop . { emp } { eloop(ret) } new EventLoop() { eloop(x) } { eloop(x) } x.loop() { eloop(x) } { eloop(x) } x.signal() { eloop(x) ∗ P } { eloop(x) } x.when(f) ∀ x : Val . eloop(x) ⇔ eloop(x) ∗ eloop(x) where P = f �→ { eloop(x) }{ eloop(x) } 8 / 33

  22. Recursive Abstractions Verifying a lock-based event loop implementation ◮ Since we are interested in memory safety, eloop has to specify the memory footprint of the event loop. 9 / 33

  23. Recursive Abstractions Verifying a lock-based event loop implementation ◮ Since we are interested in memory safety, eloop has to specify the memory footprint of the event loop. ◮ Since an event loop can call handlers, its footprint include the footprint of its handlers. ◮ Since handlers can signal events, the footprint of handlers include the footprint of their event loop. 9 / 33

  24. Recursive Abstractions Verifying a lock-based event loop implementation ◮ Since we are interested in memory safety, eloop has to specify the memory footprint of the event loop. ◮ Since an event loop can call handlers, its footprint include the footprint of its handlers. ◮ Since handlers can signal events, the footprint of handlers include the footprint of their event loop. ◮ The footprint of an event loop is thus recursively defined. 9 / 33

  25. Recursive Abstractions Verifying a lock-based event loop implementation ◮ Imagine an implementation that maintains a set of signal handlers and a set of pending signals, protected by a lock: EventLoop : IEventLoop { class Lock lock ; private Set < handler > h a n d l e r s ; private Set < s i g n a l > s i g n a l s ; private . . . } ◮ Tying Landin’s Knot using a reference protected by a lock. 10 / 33

  26. Recursive Abstractions Verifying a lock-based event loop implementation ◮ The footprint of an event loop is thus recursively defined and the recursion “goes through the lock” . 11 / 33

  27. Recursive Abstractions Verifying a lock-based event loop implementation ◮ The footprint of an event loop is thus recursively defined and the recursion “goes through the lock” . ◮ We define eloop using guarded recursion and the third-order isLock representation predicate: eloop = fix ( λ eloop : Val → Prop . λ x : Val . ∃ l . x . lock �→ l ∗ isLock( l , ∃ y , z , A , B . set (y , A ) ∗ set (z , B ) ∗ x . handlers �→ y ∗ x . signals �→ z ∗ ∀ a ∈ A . ⊲ a �→ { eloop(x) }{ eloop(x) } )) 11 / 33

  28. Recursive Abstractions Verifying a lock-based event loop implementation ◮ The footprint of an event loop is thus recursively defined and the recursion “goes through the lock” . ◮ We define eloop using guarded recursion and the third-order isLock representation predicate: eloop = fix ( λ eloop : Val → Prop . λ x : Val . ∃ l . x . lock �→ l ∗ isLock( l , ∃ y , z , A , B . set (y , A ) ∗ set (z , B ) ∗ x . handlers �→ y ∗ x . signals �→ z ∗ ∀ a ∈ A . ⊲ a �→ { eloop(x) }{ eloop(x) } )) 11 / 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Iris: a framework for higher-order concurrent separation logic in Coq Robbert Krebbers 1 Delft

Iris: a framework for higher-order concurrent separation logic in Coq Robbert Krebbers 1 Delft

Iris: a framework for higher-order concurrent separation logic in Coq Robbert Krebbers 1 Delft University of Technology, The Netherlands January 15, 2017 @ TTT, Paris, France 1 Iris is joint work with: Ralf Jung, Jacques-Hendri Jourdan, Ale s

1.49k views • 124 slides
Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Amin Timany 2

Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Amin Timany 2

Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Amin Timany 2 Lars Birkedal 3 1 Delft University of Technology, The Netherlands 2 imec-Distrinet, KU Leuven, Belgium 3 Aarhus University, Denmark January 18, 2017 @

953 views • 71 slides
Iris Proof Mode Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1

Iris Proof Mode Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1

Iris Proof Mode Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Delft University of Technology, The Netherlands June 12, 2017 @ MFPS, Ljubljana, Slovenia 1 Iris is joint work with: Ralf Jung, Jacques-Henri

1.16k views • 87 slides
Iron: Managing Obligations in Higher-Order Concurrent Separation Logic s Bizjak 1 Daniel Gratzer 1

Iron: Managing Obligations in Higher-Order Concurrent Separation Logic s Bizjak 1 Daniel Gratzer 1

Iron: Managing Obligations in Higher-Order Concurrent Separation Logic s Bizjak 1 Daniel Gratzer 1 Ale Robbert Krebbers 2 Lars Birkedal 1 1 Aarhus University 2 Delft University of Technology January 17, 2019 POPL 2019

566 views • 38 slides
Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics

Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics

Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics Group Dept. of Comp. Science, Aarhus University (Joint work with J. Bengtson, J.B. Jensen, H. Mehnert, P . Sestoft, F . Sieczkowski) April 2013

499 views • 34 slides
A Simple Model of Separation Logic for Higher-order Store Lars Birkedal IT University of

A Simple Model of Separation Logic for Higher-order Store Lars Birkedal IT University of

A Simple Model of Separation Logic for Higher-order Store Lars Birkedal IT University of Copenhagen Joint work with B. Reus, J. Schwinghammer, H. Yang July, 2008 Lars Birkedal (ITU) Sep. Logic for Higher-order Store ICALP 1 / 20

457 views • 20 slides
Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Extending SMT solvers to higher-order logic Haniel Barbosa Andrew Reynolds Daniel El Ouraoui Clark Barrett Cesare Tinelli SMT 2019 20190707, Lisbon, PT To be published in the proceedings of CADE 2019 Why higher-order logic?

569 views • 25 slides
Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa,

Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa,

Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa, Aquinas Hobor and John Wickerson IRIS Day OScience, Coronavirus Lockdown Edition Tuesday 7th April, 2020 1/ 13 Concurrent separation logic (

164 views • 13 slides
Concurrent separation logic and operational semantics Viktor Vafeiadis MPI-SWS What is the

Concurrent separation logic and operational semantics Viktor Vafeiadis MPI-SWS What is the

Concurrent separation logic and operational semantics Viktor Vafeiadis MPI-SWS What is the paper about? Soundness proof for CSL Simple Extensible Permissions RGSep Storable locks [Buisse, Birkedal, Stvring, MFPS 2011] Concurrent

270 views • 14 slides
Verifying a hash table and its iterators in higher-order separation logic Franois Pottier

Verifying a hash table and its iterators in higher-order separation logic Franois Pottier

Verifying a hash table and its iterators in higher-order separation logic Franois Pottier Vocal meeting Paris, November 10, 2016 Motivation Why verify a hash table implementation ? a simple and useful data structure implements an

499 views • 19 slides
Mechanized proofs in higher-order separation logic Robbert Krebbers Delft University of

Mechanized proofs in higher-order separation logic Robbert Krebbers Delft University of

Mechanized proofs in higher-order separation logic Robbert Krebbers Delft University of Technology, The Netherlands February 5, 2019 @ Vrije Universiteit, Amsterdam, The Netherlands 1 Tactic-style proofs (as in LCF/Coq/HOL/ etc. ) have shown to

978 views • 97 slides
SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz , Denis Merigoux, Danel Ahman, Guido Martinez ICFP 2020 1/12 Verifying Concurrent Programs Lots of recent work

556 views • 37 slides
Relaxed separation logic Viktor Vafeiadis Chinmay Narayan MPI-SWS IIT Delhi Concurrent program

Relaxed separation logic Viktor Vafeiadis Chinmay Narayan MPI-SWS IIT Delhi Concurrent program

Relaxed separation logic Viktor Vafeiadis Chinmay Narayan MPI-SWS IIT Delhi Concurrent program logics Goal: Understand concurrent programs. Tool: Concurrent program logics: C oncurrent S eparation L ogic OG, RG, RGSep, LRG, DG, CAP, CaReSL.

345 views • 16 slides
Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan, Franois Pottier August, 2020 ICFP, New York LRI &amp; Inria, Paris, France This talk Our aim: Verifying fine-grained concurrent

511 views • 38 slides
Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS)

Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS)

Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) Dagstuhl, 2015-11-02 Plan for the talk Talk outline Motivation Basic separation logic Concurrent separation logic Frame inference

597 views • 21 slides
Relational reasoning using concurrent separation logic Robbert Krebbers 1 Delft University of

Relational reasoning using concurrent separation logic Robbert Krebbers 1 Delft University of

Relational reasoning using concurrent separation logic Robbert Krebbers 1 Delft University of Technology, The Netherlands January 20, 2020 @ ADSL, New Orleans, USA 1 This is joint work with Dan Frumin (Radboud University) and Lars Birkedal (Aarhus

1.78k views • 126 slides
Minimal Representations of Order Types by Geometric Graphs Aichholzer 1 , Balko 2 , Hoffmann 3 ,

Minimal Representations of Order Types by Geometric Graphs Aichholzer 1 , Balko 2 , Hoffmann 3 ,

Minimal Representations of Order Types by Geometric Graphs Aichholzer 1 , Balko 2 , Hoffmann 3 , Kyn cl 2 , Mulzer 4 , Parada 1 , Pilz 1,3 , Scheucher 5 , Valtr 2 , Vogtenhuber 1 , and Welzl 3 1 Graz University of Technology 2 Charles

961 views • 51 slides
Alternative Representations Propositions and State-Variables Literature Malik Ghallab, Dana

Alternative Representations Propositions and State-Variables Literature Malik Ghallab, Dana

Alternative Representations Propositions and State-Variables Literature Malik Ghallab, Dana Nau, and Paolo Traverso. Automated Planning Theory and Practice , chapter 2. Elsevier/Morgan Kaufmann, 2004. Alternative Representations 2 1

297 views • 15 slides
Towards Transparent Linguistic Analysis of Dutch Newspaper Article Genres using Machine Learning

Towards Transparent Linguistic Analysis of Dutch Newspaper Article Genres using Machine Learning

Towards Transparent Linguistic Analysis of Dutch Newspaper Article Genres using Machine Learning Erik Tjong Kim Sang , Kim Smeenk , Aysenur Bilgin, Tom Klaver, Laura Hollink, Jacco van Ossenbruggen, Frank Harbers and Marcel Broersma CLIN29,

188 views • 14 slides
FORM TEACHERS BRIEFING 17 JANUARY 2020 Engaging Learners, Nurturing Leaders, Empowering Givers

FORM TEACHERS BRIEFING 17 JANUARY 2020 Engaging Learners, Nurturing Leaders, Empowering Givers

FORM TEACHERS BRIEFING 17 JANUARY 2020 Engaging Learners, Nurturing Leaders, Empowering Givers AGENDA Introduction Communication School Rules Expectations &amp; Class Routines Subject Matters and Level Highlights LEARNING

512 views • 32 slides
Multicast Address-Set Claim (MASC) Implemen tation P a vlin Radosla v o v (USC/ISI)

Multicast Address-Set Claim (MASC) Implemen tation P a vlin Radosla v o v (USC/ISI)

Multicast Address-Set Claim (MASC) Implemen tation P a vlin Radosla v o v (USC/ISI) USC F OIL 1 MASC F unction 1: Asso ciate group ranges with AS's 225.x.x.x TLD 1 TLD 2 225.0x.x.x 225.1x.x.x Parent 1 Parent 2

289 views • 7 slides
T HE high luminosity LHC upgrade aims at increasing the integrated luminosity of the LHC by a

T HE high luminosity LHC upgrade aims at increasing the integrated luminosity of the LHC by a

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TASC.2017.2651358, IEEE Transactions on Applied

248 views • 5 slides
Outbound Changes and Issues Rohan Mahy rohan@ekabal.com Agreed Changes since -04 (1/2)

Outbound Changes and Issues Rohan Mahy rohan@ekabal.com Agreed Changes since -04 (1/2)

Outbound Changes and Issues Rohan Mahy rohan@ekabal.com Agreed Changes since -04 (1/2) Moved STUN to a separate section. Reference this section from within the relevant sections in the rest of the document. Add language clarifying

473 views • 13 slides
+ Section 3 Threading and Locking + Definitions What is a thread? + Definitions What is a

+ Section 3 Threading and Locking + Definitions What is a thread? + Definitions What is a

+ Section 3 Threading and Locking + Definitions What is a thread? + Definitions What is a thread? A single flow of control with a process + Definitions What is a thread? A single flow of control with a process Why use threads? + Definitions

716 views • 26 slides

More recommend