mosel a general extensible modal framework for
play

MoSeL: A General, Extensible Modal Framework for Interactive Proofs - PowerPoint PPT Presentation

Jan 14, 2024 •151 likes •1.14k views

MoSeL: A General, Extensible Modal Framework for Interactive Proofs in Separation Logic Robbert Krebbers 1 Delft University of Technology, The Netherlands October 9, 2018 @ Types Meeting, Aarhus, Denmark 1 MoSeL is joint work with Jacques-Henri

  1. MoSeL: A General, Extensible Modal Framework for Interactive Proofs in Separation Logic Robbert Krebbers 1 Delft University of Technology, The Netherlands October 9, 2018 @ Types Meeting, Aarhus, Denmark 1 MoSeL is joint work with Jacques-Henri Jourdan, Ralf Jung, Joseph Tassarotti, Jan-Oliver Kaiser, Amin Timany, Arthur Chargu´ eraud, and Derek Dreyer 1

  2. Separation logic [O’Hearn, Reynolds, and Yang, 2001] Propositions P , Q denote ownership of resources Separating conjunction P ∗ Q : The resources consists of separate parts satisfying P and Q Basic example: { x �→ v 1 ∗ y �→ v 2 } swap ( x , y ) { x �→ v 2 ∗ y �→ v 1 } the ∗ ensures that x and y are different memory locations 2

  3. Why is separation logic useful? Separation logic is very useful: ◮ It provides a high level of modularity ◮ It scales to fancy PL features like concurrency Just in Coq, there is an ever growing collection of separation logics: ◮ Bedrock ◮ CFML ◮ Charge! ◮ CHL ⊣⊢ * ◮ FCSL ◮ Iris ◮ VST ◮ . . . 3

  4. The challenge When developing a new separation logic in a proof assistant, one has to: 1. Prove soundness 2. Develop tactics to carry out proofs 4

  5. The challenge When developing a new separation logic in a proof assistant, one has to: 1. Prove soundness 2. Develop tactics to carry out proofs These steps are tedious, can we simplify them? 4

  6. In prior work, we proposed solutions for both problems: 1. Proving soundness: Iris [POPL’15, ICFP’16, ESOP’17, JFP’18] 2. Tactics: Iris Proof Mode [POPL’17] 5

  7. Iris [POPL’15, ICFP’16, ESOP’17, JFP’18] A general, language-independent, framework for modeling your own domain specific higher-order separation logics 6

  8. Iris [POPL’15, ICFP’16, ESOP’17, JFP’18] A general, language-independent, framework for modeling your own domain specific higher-order separation logics ◮ General: unifies the reasoning principles in many other logics 6

  9. Iris [POPL’15, ICFP’16, ESOP’17, JFP’18] A general, language-independent, framework for modeling your own domain specific higher-order separation logics ◮ General: unifies the reasoning principles in many other logics ◮ Language-independent: parameterized by the language 6

  10. Iris [POPL’15, ICFP’16, ESOP’17, JFP’18] A general, language-independent, framework for modeling your own domain specific higher-order separation logics ◮ General: unifies the reasoning principles in many other logics ◮ Language-independent: parameterized by the language ◮ Modeling logics: can be used to model domain specific logics ◮ iGPS for weak memory [ECOOP’17] ◮ RustBelt’s lifetime logic [POPL’18] ◮ ReLoC for program refinements [LICS’18] ◮ Iron for resource management [manuscript] 6

  11. Iris Proof Mode [Krebbers et al. ,POPL’17] : Coq tactics for Iris Lemma test { A } ( P Q : iProp ) (Ψ : A → iProp ) : P ∗ ( ∃ a , Ψ a ) ∗ Q −∗ Q ∗ ∃ a , P ∗ Ψ a . Proof . iIntros "[H1 [H2 H3]]" . iDestruct "H2" as (x) "H2". iSplitL "H3". - iAssumption. - iExists x. iFrame. Qed. 7

  12. Iris Proof Mode [Krebbers et al. ,POPL’17] : Coq tactics for Iris Lemma test { A } ( P Q : iProp ) (Ψ : A → iProp ) : P ∗ ( ∃ a , Ψ a ) ∗ Q −∗ Q ∗ ∃ a , P ∗ Ψ a . Proof . iIntros "[H1 [H2 H3]]" . Lemma in the Iris logic iDestruct "H2" as (x) "H2". iSplitL "H3". - iAssumption. - iExists x. iFrame. Qed. 7

  13. Iris Proof Mode [Krebbers et al. ,POPL’17] : Coq tactics for Iris Lemma test { A } ( P Q : iProp ) (Ψ : A → iProp ) : 1 subgoal P ∗ ( ∃ a , Ψ a ) ∗ Q −∗ Q ∗ ∃ a , P ∗ Ψ a . A : Type P , Q : iProp Proof . Ψ : A → iProp iIntros "[H1 [H2 H3]]" . x : A iDestruct "H2" as (x) "H2". (1/1) iSplitL "H3". "H1" : P - iAssumption. "H2" : Ψ x - iExists x. "H3" : Q iFrame. − − − − − − − − − − − − − − − − − − − − − −∗ Q ∗ ( ∃ a : A , P ∗ Ψ a ) Qed. 7

  14. Iris Proof Mode [Krebbers et al. ,POPL’17] : Coq tactics for Iris Lemma test { A } ( P Q : iProp ) (Ψ : A → iProp ) : 1 subgoal P ∗ ( ∃ a , Ψ a ) ∗ Q −∗ Q ∗ ∃ a , P ∗ Ψ a . A : Type P , Q : iProp Proof . Ψ : A → iProp iIntros "[H1 [H2 H3]]" . x : A iDestruct "H2" as (x) "H2". (1/1) iSplitL "H3". "H1" : P - iAssumption. "H2" : Ψ x - iExists x. "H3" : Q iFrame. − − − − − − − − − − − − − − − − − − − − − −∗ Q ∗ ( ∃ a : A , P ∗ Ψ a ) Qed. ∗ means: resources should be split 7

  15. Iris Proof Mode [Krebbers et al. ,POPL’17] : Coq tactics for Iris Lemma test { A } ( P Q : iProp ) (Ψ : A → iProp ) : 1 subgoal P ∗ ( ∃ a , Ψ a ) ∗ Q −∗ Q ∗ ∃ a , P ∗ Ψ a . A : Type P , Q : iProp Proof . Ψ : A → iProp iIntros "[H1 [H2 H3]]" . x : A iDestruct "H2" as (x) "H2". (1/1) iSplitL "H3". "H1" : P - iAssumption. "H2" : Ψ x - iExists x. "H3" : Q The hypotheses for the left conjunct iFrame. − − − − − − − − − − − − − − − − − − − − − −∗ Q ∗ ( ∃ a : A , P ∗ Ψ a ) Qed. ∗ means: resources should be split 7

  16. Iris Proof Mode [Krebbers et al. ,POPL’17] : Coq tactics for Iris Lemma test { A } ( P Q : iProp ) (Ψ : A → iProp ) : 2 subgoals P ∗ ( ∃ a , Ψ a ) ∗ Q −∗ Q ∗ ∃ a , P ∗ Ψ a . A : Type P , Q : iProp Proof . Ψ : A → iProp iIntros "[H1 [H2 H3]]" . x : A iDestruct "H2" as (x) "H2". (1/2) iSplitL "H3". "H3" : Q - iAssumption. − − − − − − − − − − − − − − − − − − − − − −∗ - iExists x. Q The hypotheses for the left conjunct iFrame. (2/2) Qed. "H1" : P "H2" : Ψ x − − − − − − − − − − − − − − − − − − − − − −∗ ∃ a : A , P ∗ Ψ a 7

  17. Iris Proof Mode [Krebbers et al. ,POPL’17] : Coq tactics for Iris Lemma test { A } ( P Q : iProp ) (Ψ : A → iProp ) : P ∗ ( ∃ a , Ψ a ) ∗ Q −∗ Q ∗ ∃ a , P ∗ Ψ a . Proof . iIntros "[H1 [H2 H3]]" . iDestruct "H2" as (x) "H2". iSplitL "H3". - iAssumption. - iExists x. iFrame. Qed. 7

  18. Iris Proof Mode [Krebbers et al. ,POPL’17] : Coq tactics for Iris Lemma test { A } ( P Q : iProp ) (Ψ : A → iProp ) : No more subgoals . P ∗ ( ∃ a , Ψ a ) ∗ Q −∗ Q ∗ ∃ a , P ∗ Ψ a . Proof . iIntros "[H1 [H2 H3]]" . by iFrame. Qed. We can also solve this lemma automatically 7

  19. The good things about Iris Proof Mode It enabled mechanized proofs in many papers because: ◮ Proofs have the look and feel of ordinary Coq proofs For many Coq tactics tac , it has a variant iTac 8

  20. The good things about Iris Proof Mode It enabled mechanized proofs in many papers because: ◮ Proofs have the look and feel of ordinary Coq proofs For many Coq tactics tac , it has a variant iTac ◮ Support for advanced features of separation logic Higher-order quantification, invariants, ghost state, later ⊲ modality, . . . 8

  21. The good things about Iris Proof Mode It enabled mechanized proofs in many papers because: ◮ Proofs have the look and feel of ordinary Coq proofs For many Coq tactics tac , it has a variant iTac ◮ Support for advanced features of separation logic Higher-order quantification, invariants, ghost state, later ⊲ modality, . . . ◮ Integration with tactics for proving programs Symbolic execution tactics for weakest preconditions 8

  22. The good things about Iris Proof Mode It enabled mechanized proofs in many papers because: ◮ Proofs have the look and feel of ordinary Coq proofs For many Coq tactics tac , it has a variant iTac ◮ Support for advanced features of separation logic Higher-order quantification, invariants, ghost state, later ⊲ modality, . . . ◮ Integration with tactics for proving programs Symbolic execution tactics for weakest preconditions ◮ Usable in practice Used for any project involving Iris today 8

  23. The bad thing about Iris Proof Mode The implementation is tied to Iris Iris Proof Mode 9

  24. Making Iris Proof Mode independent of Iris It sounds easy [Krebbers et al., POPL’17] : [. . . ] we believe that our proof mode is very generic, and can be applied to a variety of different embedded logics [. . . ] 10

  25. Making Iris Proof Mode independent of Iris It sounds easy [Krebbers et al., POPL’17] : [. . . ] we believe that our proof mode is very generic, and can be applied to a variety of different embedded logics [. . . ] But doing it generally will be be more challenging 10

  26. Problem #1: Iris propositions are affine In Iris you may “forget” about resources: { ℓ 1 �→ v 1 ∗ ℓ 2 �→ v 2 } ℓ 2 := ! ℓ 1 { ℓ 2 �→ v 1 } 11

  27. Problem #1: Iris propositions are affine In Iris you may “forget” about resources: { ℓ 1 �→ v 1 ∗ ℓ 2 �→ v 2 } ℓ 2 := ! ℓ 1 { ℓ 2 �→ v 1 } Due to the affinity axiom P ∗ Q ⊢ Q , which is hard-wired into many tactics: iClear iAssumption Π � Q Π , P � P Π , P � Q 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MoSeL: A General, Extensible Modal Framework for Interactive Proofs in Separation Logic Robbert

MoSeL: A General, Extensible Modal Framework for Interactive Proofs in Separation Logic Robbert

MoSeL: A General, Extensible Modal Framework for Interactive Proofs in Separation Logic Robbert Krebbers 1 Jacques-Henri Jourdan 2 Ralf Jung 3 Joseph Tassarotti 4 Jan-Oliver Kaiser 3 Amin Timany 5 eraud 6 Derek Dreyer 3 Arthur Chargu 1 Delft

710 views • 49 slides
MoSeL: A General, Extensible Modal Framework for Interactive Proofs in Separation Logic Robbert

MoSeL: A General, Extensible Modal Framework for Interactive Proofs in Separation Logic Robbert

MoSeL: A General, Extensible Modal Framework for Interactive Proofs in Separation Logic Robbert Krebbers 1 Jacques-Henri Jourdan 2 Ralf Jung 3 Joseph Tassarotti 4 Jan-Oliver Kaiser 3 Amin Timany 5 eraud 6 Derek Dreyer 3 Arthur Chargu 1 Delft

1.55k views • 141 slides
Canola Application and Framework diving into canolas extensible rich gui framework Maemo

Canola Application and Framework diving into canolas extensible rich gui framework Maemo

Canola Application and Framework diving into canolas extensible rich gui framework Maemo Summit, October 10th, 2009 Gustavo Sverzut Barbieri <barbieri@profusion.mobi> agenda - introduction and history - canolas general overview

817 views • 38 slides
Canola Application and Framework diving into canolas extensible rich gui framework

Canola Application and Framework diving into canolas extensible rich gui framework

were here. Canola Application and Framework diving into canolas extensible rich gui framework Embedded Linux Conference Europe, October 16th, 2009 Gustavo Sverzut Barbieri <barbieri@profusion.mobi> agenda - introduction and

966 views • 37 slides
BEER Block Extensible Exchange in Rebol What is it? It is a framework to implement your own

BEER Block Extensible Exchange in Rebol What is it? It is a framework to implement your own

BEER Block Extensible Exchange in Rebol What is it? It is a framework to implement your own Application Protocols It solves the encapsulation, extensibility and flow control problems It was inspired by IETF RFC 3080 and 3081

454 views • 11 slides
ATLAS2K The Framework for Precise and Extensible Signal Descriptions in Modern ATS Sqn Ldr

ATLAS2K The Framework for Precise and Extensible Signal Descriptions in Modern ATS Sqn Ldr

ATLAS2K The Framework for Precise and Extensible Signal Descriptions in Modern ATS Sqn Ldr Dick Delaney MSc RAF Chris Gorringe Current ATLAS Strengths of ATLAS: Test technology related Keywords Formal syntax and semantics Non

353 views • 23 slides
ec : A Modular Framework for Extensible Op Open enRec and Adaptable Recommendation Algorithms

ec : A Modular Framework for Extensible Op Open enRec and Adaptable Recommendation Algorithms

ec : A Modular Framework for Extensible Op Open enRec and Adaptable Recommendation Algorithms Lo Longqi Yang Joshua Gruenstein Cheng-Kang(Andy) Eugene Bagdasaryan Deborah Estrin Hsieh Funders: 1 Pr Prom omising future e of of per

757 views • 52 slides
Rsyn - An Extensible Framework for Physical Design Guilherme Flach, Mateus Fogaa, Jucemar

Rsyn - An Extensible Framework for Physical Design Guilherme Flach, Mateus Fogaa, Jucemar

Rsyn - An Extensible Framework for Physical Design Guilherme Flach, Mateus Fogaa, Jucemar Monteiro, Marcelo Johann and Ricardo Reis Agenda 1. Introduction 2. Framework anatomy 3. Standard components 4. Conclusions 2 1. Introduction 3

842 views • 51 slides
Introduction to Mosel and Xpress ORLAB - Operations Research Laboratory Stefano Gualandi

Introduction to Mosel and Xpress ORLAB - Operations Research Laboratory Stefano Gualandi

Introduction to Mosel and Xpress ORLAB - Operations Research Laboratory Stefano Gualandi Politecnico di Milano, Italy April 15, 2011 Stefano Gualandi Introduction to Mosel and Xpress From Modeling to Strategies Model Algorithms Solution (s)

734 views • 35 slides
An Integrated Framework for Transcription, Modal and q Motivic Analysis of Ma am k

An Integrated Framework for Transcription, Modal and q Motivic Analysis of Ma am k

An Integrated Framework for Transcription, Modal and q Motivic Analysis of Ma am k Improvisation Olivier Lartillot Finnish Centre of Excellence in Interdisciplinary Music Research Mondher Ayari University of Strasbourg, France Cre

326 views • 10 slides
OpenTuner: An Extensible Framework for Program Autotuning Jason Ansel Shoaib Kamil Kalyan

OpenTuner: An Extensible Framework for Program Autotuning Jason Ansel Shoaib Kamil Kalyan

OpenTuner: An Extensible Framework for Program Autotuning Jason Ansel Shoaib Kamil Kalyan Veeramachaneni Jonathan Ragan-Kelley Jeffrey Bosboom Una-May OReilly Saman Amarasinghe MIT - CSAIL August 27, 2014 1 / 30 Raytracer Example An

718 views • 67 slides
W HAT IS EHD? Introduction EHD without cross-flow Modal Dielectric fluid Non-modal EHD with

W HAT IS EHD? Introduction EHD without cross-flow Modal Dielectric fluid Non-modal EHD with

Introduction S TABILITY OF PLANAR SHEAR FLOW EHD without cross-flow Modal IN THE PRESENCE OF ELECTROCONVECTION Non-modal EHD with cross-flow Modal F. Martinelli 1 , M.Quadrio 1 , 2 & P .Schmid 1 Non-modal Conclusions 1 LadHyx, cole

790 views • 35 slides
Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu * , Sanidhya Kashyap * , Jungyeon Yoon, Wen Xu, Taesoo Kim * On the job market Demonstration Fuzzing F2FS in Linux v5.0-rc7 for crash consistency

943 views • 75 slides
OPeNDAP Hyrax An extensible data access framework within the Earth System Grid Federation Patrick

OPeNDAP Hyrax An extensible data access framework within the Earth System Grid Federation Patrick

OPeNDAP OPeNDAP Hyrax An extensible data access framework within the Earth System Grid Federation Patrick West 1 , Peter Fox 1 , James Gallagher 2 , Nathan Potter 2 , Dan Halloway 2 , Stephan Zednik 1 1. Tetherless World Constellation

170 views • 14 slides
General Reference Framework Draft General Reference Framework Why it is important for us ?

General Reference Framework Draft General Reference Framework Why it is important for us ?

Ljubljana Process II Rehabilitating our Common Heritage RCC TFFCS The First working meeting Cetinje, October 18 th 2011. General Reference Framework Draft General Reference Framework Why it is important for us ? To implement it

337 views • 15 slides
Trigger Scripts For Trigger Scripts For Extensible File Extensible File Systems Systems

Trigger Scripts For Trigger Scripts For Extensible File Extensible File Systems Systems

Trigger Scripts For Trigger Scripts For Extensible File Extensible File Systems Systems Cameron Macdonell Macdonell Cameron Overview Overview The The Scruf Scruf Framework Framework Examples of Extended File Systems

470 views • 18 slides
an Object-Based File System for Large-Scale Federated IT Infrastructures Jan Stender, Zuse

an Object-Based File System for Large-Scale Federated IT Infrastructures Jan Stender, Zuse

an Object-Based File System for Large-Scale Federated IT Infrastructures Jan Stender, Zuse Institute Berlin HPC File Systems: From Cluster To Grid October 3-4, 2007 In this talk ... Introduction: Object-based File Systems Target Environment

525 views • 31 slides
Content Replication in I2-DSI using Rsync+ Bert J Dempsey Debra Weiss University of North

Content Replication in I2-DSI using Rsync+ Bert J Dempsey Debra Weiss University of North

Content Replication in I2-DSI using Rsync+ Bert J Dempsey Debra Weiss University of North Carolina at Chapel Hill dempsey@ils.unc.edu Multiple-site replication in I2-DSI http://dsi.internet2.edu/ 1 Replicating Channels Channel provider

579 views • 8 slides
ASTEROID AN ANALYZABLE, RESILIENT, EMBEDDED REAL-TIME OPERATING SYSTEM DESIGN Bj orn D

ASTEROID AN ANALYZABLE, RESILIENT, EMBEDDED REAL-TIME OPERATING SYSTEM DESIGN Bj orn D

ASTEROID AN ANALYZABLE, RESILIENT, EMBEDDED REAL-TIME OPERATING SYSTEM DESIGN Bj orn D obel, Hermann H artig (TU Dresden) Philip Axer, Rolf Ernst (TU Braunschweig) B oblingen, 07 .02.2013 The Many Faces of Hardware Faults

911 views • 52 slides
Replicating the Performance Evaluation of an N-Body Application on a Manycore Accelerator

Replicating the Performance Evaluation of an N-Body Application on a Manycore Accelerator

Replicating the Performance Evaluation of an N-Body Application on a Manycore Accelerator Vincius Garcia Pinto Vinicius Alves Herbstrith Lucas Mello Schnorr October 18, 2015 1 / 21 PINTO V.G., HERBSTRITH V. A., SCHNORR L.M. 6th Workshop on

1.04k views • 21 slides
Chapter 1 systems. Appreciate the evolution of computers. Introduction Understand the

Chapter 1 systems. Appreciate the evolution of computers. Introduction Understand the

Chapter 1 Objectives Know the difference between computer organization and computer architecture. Understand units of measure common to computer Chapter 1 systems. Appreciate the evolution of computers. Introduction Understand

761 views • 19 slides
IPv6 over Low power WPAN WG (6lowpan) Chairs: Geoff Mulligan <geoff@mulligan.com> Carsten

IPv6 over Low power WPAN WG (6lowpan) Chairs: Geoff Mulligan <geoff@mulligan.com> Carsten

IPv6 over Low power WPAN WG (6lowpan) Chairs: Geoff Mulligan <geoff@mulligan.com> Carsten Bormann <cabo@tzi.org> Mailing List: 6lowpan@ietf.org Jabber: 6lowpan@jabber.ietf.org http://6lowpan.tzi.org 6lowpan@IETF76, 2009-11-10

974 views • 62 slides
Gender Diversity at the Top: Good Intentions and Unexpected Consequences GENDER DIVERSITY

Gender Diversity at the Top: Good Intentions and Unexpected Consequences GENDER DIVERSITY

Gender Diversity at the Top: Good Intentions and Unexpected Consequences GENDER DIVERSITY MAKES ORGANISATIONS BETTER More family More More social Smaller pay friendly diversity responsibility gaps practices initiatives (Bear, Rahman

436 views • 18 slides
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands

Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands

Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D. student of Daniel J. Bernstein

1.16k views • 104 slides

More recommend