prophecy variables in separation logic
play

Prophecy Variables in Separation Logic (Extending Iris with Prophecy - PowerPoint PPT Presentation

Jan 14, 2023 •487 likes •1.02k views

Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung, Rodolphe Lepigre, Gaurav Parthasarathy, Marianna Rapoport, Amin Timany, Derek Dreyer, Bart Jacobs MPI-SWS, KU Leuven, ETH Zrich, University of Waterloo

  1. Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung, Rodolphe Lepigre, Gaurav Parthasarathy, Marianna Rapoport, Amin Timany, Derek Dreyer, Bart Jacobs MPI-SWS, KU Leuven, ETH Zürich, University of Waterloo Iris Workshop – Aarhus, October 2019

  2. Reasoning about the correctness of a program Forward reasoning is ofen easier and more natural: • Start at the beginning of a program’s execution • Reason about how it behaves as it executes 1

  3. Reasoning about the correctness of a program Forward reasoning is ofen easier and more natural: • Start at the beginning of a program’s execution • Reason about how it behaves as it executes Strictly forward reasoning is not always good enough! 1

  4. Reasoning about the correctness of a program Forward reasoning is ofen easier and more natural: • Start at the beginning of a program’s execution • Reason about how it behaves as it executes Strictly forward reasoning is not always good enough! Reasoning about the current execution step may require: • Information about past events (this is usual) • Knowledge of what will happen later in the execution 1

  5. Remember the past, know the future Auxiliary/ghost variables store information not present in the program’s physical state History variables [ Owicki & Gries 1976 ] (past): • Record what happened in the execution so far • Introduced in the context of Hoare logic • Widely used (modern form: user-defined ghost state) 2

  6. Remember the past, know the future Auxiliary/ghost variables store information not present in the program’s physical state History variables [ Owicki & Gries 1976 ] (past): • Record what happened in the execution so far • Introduced in the context of Hoare logic • Widely used (modern form: user-defined ghost state) Prophecy variables [ Abadi & Lamport 1991 ] (future): • Predict what will happen later in the execution • Introduced in the context of state machine refinement • Fairly exotic, (almost) never used for Hoare logic 2

  7. Motivating example: eager specification Let us look at a simple coin implementation: new_coin () � { val = ref ( nondet _ bool ()) } read_coin ( c ) � ! c . val 3

  8. Motivating example: eager specification Let us look at a simple coin implementation: new_coin () � { val = ref ( nondet _ bool ()) } read_coin ( c ) � ! c . val Used for the sake of presentation 3

  9. Motivating example: eager specification Let us look at a simple coin implementation: new_coin () � { val = ref ( nondet _ bool ()) } read_coin ( c ) � ! c . val Used for the sake of presentation We consider an “eager” coin specification: • A coin is only ever tossed once • Reading its value always gives the same result 3

  10. Motivating example: eager specification Let us look at a simple coin implementation: new_coin () � { val = ref ( nondet _ bool ()) } read_coin ( c ) � ! c . val Used for the sake of presentation We consider an “eager” coin specification: • A coin is only ever tossed once • Reading its value always gives the same result { True } new_coin () { c . ∃ b . Coin ( c , b ) } { Coin ( c , b ) } read_coin ( c ) { x . x = b ∧ Coin ( c , b ) } 3

  11. Motivating example: eager specification Let us look at a simple coin implementation: new_coin () � { val = ref ( nondet _ bool ()) } read_coin ( c ) � ! c . val Used for the sake of presentation We consider an “eager” coin specification: • A coin is only ever tossed once • Reading its value always gives the same result { True } new_coin () { c . ∃ b . Coin ( c , b ) } { Coin ( c , b ) } read_coin ( c ) { x . x = b ∧ Coin ( c , b ) } Coin ( c , b ) � c . val �→ b 3

  12. Motivating example: lazy implementation What if we want to flip the coin as late as possible? 4

  13. Motivating example: lazy implementation What if we want to flip the coin as late as possible? “Lazy” coin implementation: new_coin () � { val = ref ( None ) } read_coin ( c ) � match ! c . val with Some ( b ) ⇒ b | None ⇒ let b = nondet _ bool (); c . val ← Some ( b ); b end 4

  14. Motivating example: lazy implementation What if we want to flip the coin as late as possible? “Lazy” coin implementation: new_coin () � { val = ref ( None ) } read_coin ( c ) � match ! c . val with Some ( b ) ⇒ b | None ⇒ let b = nondet _ bool (); c . val ← Some ( b ); b end To keep the same spec we need prophecy variables!!! 4

  15. Prior work on prophecy variables Prophecy variables have been used in: • Verification tools based on reduction [ Sezgin et al. 2010 ] • Temporal logic [ Cook & Koskinen 2011, Lamport & Merz 2017 ] 5

  16. Prior work on prophecy variables Prophecy variables have been used in: • Verification tools based on reduction [ Sezgin et al. 2010 ] • Temporal logic [ Cook & Koskinen 2011, Lamport & Merz 2017 ] But never formally integrated into Hoare logic before!!! 5

  17. Prior work on prophecy variables Prophecy variables have been used in: • Verification tools based on reduction [ Sezgin et al. 2010 ] • Temporal logic [ Cook & Koskinen 2011, Lamport & Merz 2017 ] But never formally integrated into Hoare logic before!!! Only two previous attempts: • Vafeiadis’s thesis [ Vafeiadis 2007 ] (informal and flawed) • Structural approach [ Zhang et al. 2012 ] (too limited) 5

  18. Our contribution: prophecy variables in Hoare logic We are the first to give a formal account of prophecy variables in Hoare logic! • Our results are all formalized in the Iris framework • We also extended VeriFast with prophecy variables • Useful to prove logical atomicity (RDCSS, HW Queue) 6

  19. Our contribution: prophecy variables in Hoare logic We are the first to give a formal account of prophecy variables in Hoare logic! • Our results are all formalized in the Iris framework • We also extended VeriFast with prophecy variables • Useful to prove logical atomicity (RDCSS, HW Queue) Presented this morning by Ralf Prophecies help in case of “future-dependent” LP 6

  20. Key idea of our approach We leverage separation logic to easily ensure soundness!!! 7

  21. Key idea of our approach We leverage separation logic to easily ensure soundness!!! The high-level idea is to use new instruction for: • Predicting a future observation ( let p = NewProph ) • Realizing such an observation ( Resolve p to v ) 7

  22. Key idea of our approach We leverage separation logic to easily ensure soundness!!! Principles of prophecy variables in separation logic: 1. The future is ours • We model the right to resolve a prophecy as a resource • Proph B 1 ( p , b ) gives exclusive right to resolve p 7

  23. Key idea of our approach We leverage separation logic to easily ensure soundness!!! Principles of prophecy variables in separation logic: 1. The future is ours • We model the right to resolve a prophecy as a resource • Proph B 1 ( p , b ) gives exclusive right to resolve p “Assign a value to” 7

  24. Key idea of our approach We leverage separation logic to easily ensure soundness!!! Principles of prophecy variables in separation logic: 1. The future is ours • We model the right to resolve a prophecy as a resource • Proph B 1 ( p , b ) gives exclusive right to resolve p “Assign a value to” 2. We must fulfill our destiny • A prophecy can only be resolved to the predicted value • A contradiction can be derived if that is not the case 7

  25. “One-shot” prophecy variable specification Prophecy variables are manipulated using ghost code 8

  26. “One-shot” prophecy variable specification Prophecy variables are manipulated using ghost code { True } (Creates a one-shot prophecy variable p ) NewProph { p . ∃ b . Proph B 1 ( p , b ) } 8

  27. “One-shot” prophecy variable specification Prophecy variables are manipulated using ghost code Provides an exclusive resolution token { True } (Creates a one-shot prophecy variable p ) NewProph { p . ∃ b . Proph B 1 ( p , b ) } 8

  28. “One-shot” prophecy variable specification Prophecy variables are manipulated using ghost code Provides an exclusive resolution token { True } (Creates a one-shot prophecy variable p ) NewProph { p . ∃ b . Proph B 1 ( p , b ) } { Proph B 1 ( p , b ) } Resolve p to v (Resolves the prophecy p to value v ) { v = b } 8

  29. “One-shot” prophecy variable specification Prophecy variables are manipulated using ghost code Provides an exclusive resolution token { True } (Creates a one-shot prophecy variable p ) NewProph { p . ∃ b . Proph B 1 ( p , b ) } Consumes the resolution token { Proph B 1 ( p , b ) } Resolve p to v (Resolves the prophecy p to value v ) { v = b } 8

  30. “One-shot” prophecy variable specification Prophecy variables are manipulated using ghost code Provides an exclusive resolution token { True } (Creates a one-shot prophecy variable p ) NewProph { p . ∃ b . Proph B 1 ( p , b ) } Consumes the resolution token { Proph B 1 ( p , b ) } Resolve p to v (Resolves the prophecy p to value v ) { v = b } But we learn that the prophesied and resolved values are equal 8

  31. Back to the lazy coin example With the required ghost code the example becomes: new_coin () � { val = ref ( None ) , p = NewProph } read_coin ( c ) � match ! c . val with Some ( b ) ⇒ b | None ⇒ let b = nondet _ bool (); Resolve c . p to b ; c . val ← Some ( b ); b end 9

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung,

Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung,

Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung, Rodolphe Lepigre , Gaurav Parthasarathy, Marianna Rapoport, Amin Timany, Derek Dreyer, Bart Jacobs 1/18 What is Iris?! What are prophecy variables?! The

431 views • 18 slides
Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Introduction In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing Hoare logic separation logic. We looked at the concepts separation logic is based on, the new assertions that

396 views • 14 slides
Separation Logic for Non-local Control Flow and Block Scope Variables Robbert Krebbers Joint

Separation Logic for Non-local Control Flow and Block Scope Variables Robbert Krebbers Joint

Separation Logic for Non-local Control Flow and Block Scope Variables Robbert Krebbers Joint work with Freek Wiedijk Radboud University Nijmegen March 19, 2013 @ FoSSaCS, Rome, Italy What is this program supposed to do? int *p = NULL; l: if

907 views • 73 slides
Separation Logic for Non-local Control Flow and Block Scope Variables Robbert Krebbers Joint

Separation Logic for Non-local Control Flow and Block Scope Variables Robbert Krebbers Joint

Separation Logic for Non-local Control Flow and Block Scope Variables Robbert Krebbers Joint work with Freek Wiedijk Radboud University Nijmegen February 4, 2013 @ Gallium, INRIA Rocquencourt, France What is this program supposed to do? int

1.4k views • 103 slides
Extending propositional separation logic for robustness properties of separation logic Alessio

Extending propositional separation logic for robustness properties of separation logic Alessio

Extending propositional separation logic for robustness properties of separation logic Alessio Mansutti LSV, CNRS, ENS Paris-Saclay Paris - April 2019 What we will see An extension of propositional separation logic that can express some

569 views • 42 slides
A Probabilistic Separation Logic Justin Hsu UWMadison Computer Sciences 1 Brilliant

A Probabilistic Separation Logic Justin Hsu UWMadison Computer Sciences 1 Brilliant

A Probabilistic Separation Logic Justin Hsu UWMadison Computer Sciences 1 Brilliant Collaborators Gilles Barthe Kevin Liao Jialu Bao Simon Docherty Alexandra Silva 2 What Is Independence, Intuitively? Two random variables x and y are

1.28k views • 95 slides
Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS)

Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS)

Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) Dagstuhl, 2015-11-02 Plan for the talk Talk outline Motivation Basic separation logic Concurrent separation logic Frame inference

597 views • 21 slides
Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms Smaller Arthur Charguraud Franois Pottier LTP meeting Saclay, November 28, 2016 Motivation More Motivation Separation Logic with Read-Only

441 views • 27 slides
Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008

Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008

Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008 Timothe Martiel Research Topics in Software Engineering 1 / 19 Outline 1 From Separation Logic to Inheritance 2 Beyond Separation Logic 3 What About

553 views • 24 slides
BABYLON IN BIBLE BABYLON IN BIBLE PROPHECY PROPHECY PROPHECY PROPHECY By Andy Woods By Andy

BABYLON IN BIBLE BABYLON IN BIBLE PROPHECY PROPHECY PROPHECY PROPHECY By Andy Woods By Andy

BABYLON IN BIBLE BABYLON IN BIBLE PROPHECY PROPHECY PROPHECY PROPHECY By Andy Woods By Andy Woods Seven Areas Seven Areas Tower of Babel (Gen 11) ( ) Prophecies of Isaiah and Jeremiah (Isa 13-14; Jer 50-51) Zechariahs

680 views • 42 slides
An introduction to separation logic James Brotherston Programming Principles, Logic and

An introduction to separation logic James Brotherston Programming Principles, Logic and

An introduction to separation logic James Brotherston Programming Principles, Logic and Verification Group Dept. of Computer Science University College London, UK J.Brotherston@ucl.ac.uk Logic Summer School, ANU, 7 December 2015 1/ 19

789 views • 63 slides
Internal calculi for Separation Logic ephane Demri 1 Etienne Lozes 2 Alessio Mansutti 1 St

Internal calculi for Separation Logic ephane Demri 1 Etienne Lozes 2 Alessio Mansutti 1 St

Internal calculi for Separation Logic ephane Demri 1 Etienne Lozes 2 Alessio Mansutti 1 St January 14, 2020 1 LSV, CNRS, ENS Paris-Saclay 2 I3S, Universit e C ote dAzur Separation Logic 99 Logic of Bunched Implication ( BI ) [P.

310 views • 27 slides
Lecture 8/9 : Separation Logic Overview Assertion Logic Semantic Model

Lecture 8/9 : Separation Logic Overview Assertion Logic Semantic Model

CS6202: Advanced Topics in Programming Languages and Systems Lecture 8/9 : Separation Logic Overview Assertion Logic Semantic Model Hoare-style Inference Rules Specification and Annotations Linked List and Segments

1.02k views • 76 slides
Undecidability of propositional separation logic and its neighbours James Brotherston 1 and Max

Undecidability of propositional separation logic and its neighbours James Brotherston 1 and Max

Undecidability of propositional separation logic and its neighbours James Brotherston 1 and Max Kanovich 2 1 Imperial College London 2 Queen Mary University of London LICS-25, University of Edinburgh, 12 July 2010 Separation logic (Reynolds,

1.11k views • 31 slides
Computational Logic A Hands-on Introduction to Logic Programming 1 Syntax: Variables,

Computational Logic A Hands-on Introduction to Logic Programming 1 Syntax: Variables,

Computational Logic A Hands-on Introduction to Logic Programming 1 Syntax: Variables, Constants, Structures (using Prolog notation conventions) Variables: start with uppercase character (or ), may include and digits:

543 views • 30 slides
Biabduction (and Related Problems) in Array Separation Logic James Brotherston 1 Nikos Gorogiannis

Biabduction (and Related Problems) in Array Separation Logic James Brotherston 1 Nikos Gorogiannis

Biabduction (and Related Problems) in Array Separation Logic James Brotherston 1 Nikos Gorogiannis 2 Max Kanovich 1 1 UCL 2 Middlesex University University of Vienna, 14 Mar 2017 1/ 19 Compositional proofs in separation logic (1) Separation

1.14k views • 91 slides
Gluon and Ghost Propagators from Schwinger-Dyson Equation and Lattice Simulations Joannis

Gluon and Ghost Propagators from Schwinger-Dyson Equation and Lattice Simulations Joannis

Gluon and Ghost Propagators from Schwinger-Dyson Equation and Lattice Simulations Joannis Papavassiliou Departament of Theoretical Physics and IFIC, University of Valencia CSIC, Spain Approaches to QCD, Oberwlz, Austria, 7-13th

458 views • 27 slides
Logic Against Ghosts: Comparison of two Proof Approaches for Linked Lists Allan Blanchard

Logic Against Ghosts: Comparison of two Proof Approaches for Linked Lists Allan Blanchard

Logic Against Ghosts: Comparison of two Proof Approaches for Linked Lists Allan Blanchard Nikolai Kosmatov Frdric Loulergue April 10, 2019 @ SAC-SVT 2019 0/18 - A.Blanchard, N.Kosmatov, F.Loulergue - April 10, 2019 Motivation

831 views • 31 slides
On fermionic ghosts and the removal from scalar-fermion systems Yuki Sakakihara (Osaka City

On fermionic ghosts and the removal from scalar-fermion systems Yuki Sakakihara (Osaka City

15:50-16:10, 9th Feb., GC2018 On fermionic ghosts and the removal from scalar-fermion systems Yuki Sakakihara (Osaka City University) ref. Rampei Kimura, YS, Masahide Yamaguchi Phys. Rev. D96 (2017) 044015, another paper in prep. WHY

855 views • 12 slides
Local Verification of Global Invariants in Concurrent Programs Ernie Cohen 1 , Michal Moskal 2 ,

Local Verification of Global Invariants in Concurrent Programs Ernie Cohen 1 , Michal Moskal 2 ,

Local Verification of Global Invariants in Concurrent Programs Ernie Cohen 1 , Michal Moskal 2 , Wolfram Schulte 2 , Stephan Tobies 1 1 European Microsoft Innovation Center, Aachen 2 Microsoft Research, Redmond Presentation: Florian Besser

746 views • 27 slides
Finite element methods in scientifjc computing Wolfgang Bangerth, Colorado State University

Finite element methods in scientifjc computing Wolfgang Bangerth, Colorado State University

Finite element methods in scientifjc computing Wolfgang Bangerth, Colorado State University http://www.dealii.org/ Wolfgang Bangerth Lecture 1 http://www.dealii.org/ Wolfgang Bangerth Overview The numerical solution of partial differential

1.12k views • 89 slides
Sharing Ghost Variables in a Collection of In a Reduced Product Abstract Domains Discussion Marc

Sharing Ghost Variables in a Collection of In a Reduced Product Abstract Domains Discussion Marc

Sharing Ghost Variables in a Collection of Abstract Domains Marc Chevalier J er ome Feret Problems Sharing Ghost Variables in a Collection of In a Reduced Product Abstract Domains Discussion Marc Chevalier J er ome Feret DI ENS,

458 views • 31 slides
One-leg off-shell helicity amplitudes in high-energy factorization Piotr Kotko Institute of

One-leg off-shell helicity amplitudes in high-energy factorization Piotr Kotko Institute of

One-leg off-shell helicity amplitudes in high-energy factorization Piotr Kotko Institute of Nuclear Physics (Cracow) supported by LIDER/02/35/L-2/10/NCBiR/2011 based on A. van Hameren, P .K., K. Kutak, JHEP 1212 (2012) 029 Motivation Why

263 views • 12 slides
Coulomb gauge and Schwinger-Dyson equations Peter Watson Instit ut f ur Theoretische

Coulomb gauge and Schwinger-Dyson equations Peter Watson Instit ut f ur Theoretische

Coulomb gauge and Schwinger-Dyson equations Peter Watson Instit ut f ur Theoretische Physik Universit at T ubingen (supported by DFG contracts no. Re856/6-1 & Re856/6-2) Collaborator: H. Reinhardt P. W. and H. Reinhardt,

152 views • 14 slides

More recommend