rely guarantee references for refinement types over
play

Rely-Guarantee References for Refinement Types over Aliased Mutable - PowerPoint PPT Presentation

Jun 10, 2023 •466 likes •739 views

Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon, Michael D. Ernst, and Dan Grossman University of Washington PLDI 2013 Static Verification Meets Aliasing 2 3 x:ref y:ref x := !x+1; m(y);

  1. Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon, Michael D. Ernst, and Dan Grossman University of Washington PLDI 2013

  2. Static Verification Meets Aliasing 2 3 x:ref ℕ y:ref ℕ x := !x+1; m(y); static_assert(!x > 0);  Pass or fail?

  3. Static Program Verification: Mutation + Aliases • Common approaches: – Restrict aliasing • Separation Logic, Linear & Uniqueness Types – Restrict mutation • Read-only access • Reference Immutability, Region & Effect Systems

  4. Our Approach: Describe Mutation • Arbitrary binary relations • Explicitly characterize: – How data may change over time • Side effects, type state, protocols, invariants, monotonicity… • Lots of prior work, all working around aliasing – Safe assumptions in the presence of mutation through aliases • Eye towards backwards compatibility: – Subsume standard references, reference immutability

  5. Rely-Guarantee References • New approach to static verification of imperative programs • Formal core type system + proofs – Uses dependent types • Implementation as Coq DSL • Characterized proof burden for 4 examples – Roughly on par w/ pure functional equivalents

  6. Outline • Concurrent Reasoning for Aliases • Typechecking Rely-Guarantee References • Technical Challenge: Nested References • Intuition for Soundness • Conclusions

  7. A Duality: Threads & Aliases • Mutation by aliases ≈ thread interference • Actions through aliases can be seen as concurrent • Rely-Guarantee reasoning is good for threads – Summarizes possible interference • We can adapt concurrent analyses to treat aliasing – A few differences to discuss later

  8. Thread & Alias Interference Thread Interference Alias Interference 0 0 let x = ref 0 in let x = ref 0 in atomic_inc(x) atomic_inc(x) inc x; assert(!x>0) assert(!x>0) let y = x in inc x; assert(!y > 0);

  9. Rely-Guarantee for Threads • Characterize thread interference: 1. Rely summarizes expected interference 2. Guarantee bounds thread actions 3. Stable assertions are preserved by interference 4. Compatible threads: each rely assumes at least the other’s guarantee

  10. Rely-Guarantee for References • Characterize alias interference: 1. Rely summarizes alias interference 2. Guarantee bounds actions through this alias 3. Stable predicates preserved by interference 4. Compatible aliases: if x == y, then x.G ⊆ y.R && y.G ⊆ x.R • Subsumes ML references! (OCaml, SML, etc.)

  11. Rely-Guarantee Reference Type Predicate (e.g. >0) ref{ τ |P}[ }[R,G] standard Rely (e.g. ==) Guarantee (e.g. ≤ ) reference

  12. Alias Interference Revisited 2 3 R G R G x:ref{ ℕ|>0}{==,≤} y:ref{ ℕ|>0}{≤,==} ❹ ❶ ❷ ≤(2,3) ⇒ ≤(2,3) 2 > 0 ∧ ≤(2,3) ❸ x:=!x+1; ⇒ 3 > 0 1 Rely, 2 Guarantee, 3 Stable, 4 Compatible

  13. Splitting for Compatible References • x:ref{nat|P}[ ≈,havoc] cannot be duplicated – Duplicates must be compatible (#4) – havoc ⊈ ≈ • Must track & restrict duplication: – let y = x in … could create • Two immutable refs (ref{nat|P }[≈, ≈]) • Two unrestricted refs (ref{nat|any}[havoc, havoc]) • Producer/consumer (ref{nat|any }[≥,≤] and ref{nat|any }[≤,≥])

  14. Outline • Concurrent Reasoning for Aliases • Typechecking Rely-Guarantee References • Technical Challenge: Nested References • Intuition for Soundness • Conclusions

  15. A Coq DSL for Rely-Guarantee References • Shallow DSL embedding in a proof assistant • Satisfying proof obligations – Separated from program text – Semi-automatic • Examples include – Monotonic Counter • Simple, but illustrative • Specify how data changes over time, not inc operation – Reference Immutability

  16. Example: A Monotonic Counter Definition increasing : hrel nat := ( λ n n ’ h h ’. n <= n'). Definition counter := ref{nat|pos}[increasing,increasing]. Definition read (c:counter) : nat := !c. Definition inc (p:counter) : unit := [p]:= !p + 1. Definition mkCounter (u:unit) : counter := Alloc 1. Example test_counter (u:unit) : unit := x <- mkCounter tt; inc x. Proofs automatically discharged

  17. Invalid Code: Decrement a Monotonic Counter Definition counter := ref{nat|pos}[increasing,increasing]. Definition dec (p:counter) : unit := [p]:= !p - 1.

  18. Reference Immutability via Rely-Guarantee References • writable T ≝ ref{T|any}[havoc,havoc] • readable T ≝ ref{T|any}[havoc, ≈ ] • immutable T ≝ ref{T|any}[ ≈ , ≈ ] • Suggests a spectrum: ML refs ⊆ RI ⊆ ... ⊆ RGref

  19. Outline • Concurrent Reasoning for Aliases • Typechecking Rely-Guarantee References • Technical Challenge: Nested References • Intuition for Soundness • Conclusions

  20. References to References • Folding – If x.f is a ref, and x’s type disallows mutation to anything, type of !x.f should, too • Containment – ref{T|P}[R,G]: if T contains refs, R permits their interference as well • Precision – P,R,G only depend on heap reachable from the T they apply to Non-issues in concurrent program logics: no “threads to threads”

  21. Outline • Concurrent Reasoning for Aliases • Typechecking Rely-Guarantee References • Technical Challenge: Nested References • Intuition for Soundness • Conclusions

  22. How to Preserve Refinements • Well-formed ref{ τ |P}[R,G] (e.g. r ef{ int|>0}[ ≤ , ≤ ]) – P is stable with respect to R (#3) – Enforce containment, precision • Aliases as x:ref{ τ |P}[R,G] and y: ref{ τ | P’ }[ R’ , G’ ] – Relies summarize guarantees (#4): G’ ⊆ R, G ⊆ R’ – Ensured by splitting semantics and folding • Actions in x.G are included in alias y’s y.R, and thus by stability preserves y.P

  23. Outline • Concurrent Reasoning for Aliases • Typechecking Rely-Guarantee References • Technical Challenge: Nested References • Intuition for Soundness • Conclusions

  24. Future Work • We’ve worked out a core system • Route to a full system: – Non-atomic updates – Internalizing proof terms (in progress) – Better datatype definitions – Borrowing – Concurrency (in progress) – More examples / experience

  25. Related Work • Rely-guarantee program logics – Mostly concurrent – Explicit Stabilization (Wickerson’10) used for malloc – We apply RG at a much finer granularity • Reference Immutability, Ownership – Notion of per-reference read-only – Tschantz’05, Zibin’07, Dietl’07, Zibin’10, Gordon’12 – We generalize read-only to arbitrary relations • Dependent types for imperative programs – Types depend only on immutable data (DML, etc.) – Or bake in a low-level program logic (Ynot / Hoare Type Theory) – Our types directly treat interference

  26. Conclusion • Rely-Guarantee References – Directly address alias interference – Key challenge: nested references – Apply concurrent verification insights to aliasing • We applied rely-guarantee • Other correspondences exist • Promising early results – Modest proof burden – Backwards compatible with more traditional systems https://github.com/csgordon/rgref/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Rely-Guarantee Reasoning Stephan van Staden June 29, 2015 1 / 15 Overview Introduction

On Rely-Guarantee Reasoning Stephan van Staden June 29, 2015 1 / 15 Overview Introduction

On Rely-Guarantee Reasoning Stephan van Staden June 29, 2015 1 / 15 Overview Introduction Basics of Rely-Guarantee Overview of the paper Two techniques for constructing Rely-Guarantee models Soundness results The traditional

272 views • 23 slides
Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL

Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL

Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL Leonor Prensa Nieto TU M unchen Marseille, 7 January 2002 Isabelle HOL = Overview Motivation. Hoare logic for

263 views • 23 slides
Rely-Guarantee Protocols Filipe Milito 1,2 Jonathan Aldrich 1 Lus Caires 2 1 Carnegie Mellon

Rely-Guarantee Protocols Filipe Milito 1,2 Jonathan Aldrich 1 Lus Caires 2 1 Carnegie Mellon

ECOOP 2014 Rely-Guarantee Protocols Filipe Milito 1,2 Jonathan Aldrich 1 Lus Caires 2 1 Carnegie Mellon University, Pittsburgh, USA 2 Universidade Nova de Lisboa, Lisboa, Portugal Motivation Mutable state can be useful in certain cases.

1.45k views • 109 slides
Rely/Guarantee Reasoning for Asynchronous Programs Ivan Gavran 1 , Filip Niksic 1 , Aditya Kanade

Rely/Guarantee Reasoning for Asynchronous Programs Ivan Gavran 1 , Filip Niksic 1 , Aditya Kanade

Rely/Guarantee Reasoning for Asynchronous Programs Ivan Gavran 1 , Filip Niksic 1 , Aditya Kanade 2 , Rupak Majumdar 1 , Viktor Vafeiadis 1 1 Max Planck Institute for Software Systems (MPI-SWS), Germany 2 Indian Institute of Science, Bangalore,

672 views • 52 slides
Refinement Types for Algebraic Effects Danel Ahman Gordon Plotkin LFCS, University of

Refinement Types for Algebraic Effects Danel Ahman Gordon Plotkin LFCS, University of

Refinement Types for Algebraic Effects Danel Ahman Gordon Plotkin LFCS, University of Edinburgh TYPES 2015 Tallinn Todays plan Value ref. types Computation ref. types Algebraic theories Value

368 views • 21 slides
References 7 January 2019 OSU CSE 1 Primitive vs. Reference Types Java types are divided

References 7 January 2019 OSU CSE 1 Primitive vs. Reference Types Java types are divided

References 7 January 2019 OSU CSE 1 Primitive vs. Reference Types Java types are divided into two different categories: The built-in types are called primitive types Includes boolean , char , int , double All other types are

1.26k views • 86 slides
Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa

Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa

Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa Cruz joint work with: Cormac Flanagan (University of California, Santa Cruz) March 25, 2007 Assertions / Refinement Types The role of assertions in

386 views • 37 slides
Developing programs by Splitting atoms (rely/guarantee conditions, data reification, . . . )

Developing programs by Splitting atoms (rely/guarantee conditions, data reification, . . . )

Developing programs by Splitting atoms (rely/guarantee conditions, data reification, . . . ) Cliff B Jones Computing Science Newcastle University FMCO 2008-10-22 Cliff B Jones (Newcastle) Developing programs by Splitting atoms

603 views • 36 slides
A marriage of rely/guarantee &amp; separation logic Viktor V afeiadis MPI - SWS Coarse - grain

A marriage of rely/guarantee &amp; separation logic Viktor V afeiadis MPI - SWS Coarse - grain

A marriage of rely/guarantee &amp; separation logic Viktor V afeiadis MPI - SWS Coarse - grain locking 2 3 5 7 11 13 Coarse - grain locking 2 3 5 7 11 13 Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13 Fine -

743 views • 57 slides
Variables &amp; References Variables with primitive types: Primitive types Lower

Variables &amp; References Variables with primitive types: Primitive types Lower

Variables &amp; References Variables with primitive types: Primitive types Lower case names int, float, double, boolean, Declare variables: &lt;type name&gt; &lt;variableName&gt;; Memory will be allocated to

399 views • 12 slides
Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security

Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security

Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security Protocol Analysis C t lin Hri cu Prof. Dr. Holger Hermanns (UdS) Dean of Math and CS Faculty Prof. Dr. Gert Smolka (UdS) Chair of Examination

1.39k views • 107 slides
Higher-Order Approximate Relational Refinement Types for Mechanism Design and Differential

Higher-Order Approximate Relational Refinement Types for Mechanism Design and Differential

Higher-Order Approximate Relational Refinement Types for Mechanism Design and Differential Privacy Gilles Barthe, Marco Gaboardi, Emilio Jess Gallego Arias, Justin Hsu, Aaron Roth, Pierre-Yves Strub UPenn-Mines ParisTech, IMDEA Software

905 views • 89 slides
Higher-Order Relational Refinement Types for Mechanism Design and Differential Privacy Gilles

Higher-Order Relational Refinement Types for Mechanism Design and Differential Privacy Gilles

Higher-Order Relational Refinement Types for Mechanism Design and Differential Privacy Gilles Barthe 1 , Marco Gaboardi 2 , Emilio Jess Gallego Arias 3 , 4 , Justin Hsu 4 , Aaron Roth 4 , Pierre-Yves Strub 1 1 IMDEA Software, 2 University of

1.16k views • 77 slides
Introduction to Block-Structured Adaptive Mesh Refinement (AMR) Ann S. Almgren Center for

Introduction to Block-Structured Adaptive Mesh Refinement (AMR) Ann S. Almgren Center for

Introduction to Block-Structured Adaptive Mesh Refinement (AMR) Ann S. Almgren Center for Computational Sciences and Engineering (Building 50A) Lawrence Berkeley National Laboratory asalmgren@lbl.gov Almgren p. 1/25 Types of Refinement

968 views • 49 slides
Programs Synthesis from Polymorphic Refinement Types Nadia Polikarpova Ivan Kuraj Armando

Programs Synthesis from Polymorphic Refinement Types Nadia Polikarpova Ivan Kuraj Armando

Programs Synthesis from Polymorphic Refinement Types Nadia Polikarpova Ivan Kuraj Armando Solar-Lezama Program synthesis Make a list with n copies of x declarative specification Synthesizer ? 2 50 replicate n x = if if n 0

651 views • 41 slides
Outline References References References References Principles of Complex Systems Course 300,

Outline References References References References Principles of Complex Systems Course 300,

References Outline References References References References Principles of Complex Systems Course 300, Fall, 2008 Prof. Peter Dodds References Department of Mathematics &amp; Statistics University of Vermont Licensed under the Creative

274 views • 5 slides
Alias Analysis of Executable Code S. Debray, et al. (POPL 98) Presented by Xin Qi What is

Alias Analysis of Executable Code S. Debray, et al. (POPL 98) Presented by Xin Qi What is

Alias Analysis of Executable Code S. Debray, et al. (POPL 98) Presented by Xin Qi What is Special about Executables We no longer have Types cant do type filtering Structures jump all around We have Pointer

812 views • 18 slides
Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer

Alias Analysis Last time Interprocedural analysis Today Intro to alias analysis (pointer analysis) CS553 Lecture Alias Analysis I 1 Aliasing What is aliasing? When two expressions denote the same mutable memory location e.g.,

812 views • 19 slides
A Net-Reduction based Clustering Preprocessing Algorithm Jianhua Li, Laleh Behjat University of

A Net-Reduction based Clustering Preprocessing Algorithm Jianhua Li, Laleh Behjat University of

A Net-Reduction based Clustering Preprocessing Algorithm Jianhua Li, Laleh Behjat University of Calgary, Calgary, Canada ISPD April 12, 2006 A net reduction-based clustering preprocessing algorithm - ISPD 2006 Outline Introduction

771 views • 35 slides
Simpsons 4-slot algorithm, proved in three slides Richard Bornat School of Computing,

Simpsons 4-slot algorithm, proved in three slides Richard Bornat School of Computing,

Simpsons 4-slot algorithm, proved in three slides Richard Bornat School of Computing, Middlesex University (and Matthew Parkinson, ditto) 20th December 2005 1 Data structures: a bit array and a wide data array slot: 0 1 wide data: 2

685 views • 43 slides
Setting Up Your Environment Environment Variables Aliases Setup Files .login

Setting Up Your Environment Environment Variables Aliases Setup Files .login

Setting Up Your Environment Environment Variables Aliases Setup Files .login .tcshrc other .*rc files History Command Completion Environment Variables (35.3) Unlike a regular shell variable, an environment

774 views • 27 slides
Alias and Points-to Analysis Alan Mycroft Computer Laboratory, Cambridge University

Alias and Points-to Analysis Alan Mycroft Computer Laboratory, Cambridge University

UNIVERSITY OF CAMBRIDGE Alias and Points-to Analysis Alan Mycroft Computer Laboratory, Cambridge University http://www.cl.cam.ac.uk/teaching/current/OptComp Lecture 13a[may be updated for 2011] Alias and Points-to Analysis 1 Lecture 13a

423 views • 14 slides
Pointers, Alias &amp; ModRef Analyses Alina Sbirlea (Google), Nuno Lopes (Microsoft Research)

Pointers, Alias &amp; ModRef Analyses Alina Sbirlea (Google), Nuno Lopes (Microsoft Research)

Pointers, Alias &amp; ModRef Analyses Alina Sbirlea (Google), Nuno Lopes (Microsoft Research) Joint work with: Juneyoung Lee, Gil Hur (SNU), Ralf Jung (MPI-SWS), Zhengyang Liu, John Regehr (U. Utah) PR34548: incorrect Instcombine pub fn

738 views • 53 slides
Mark Marron, Mario MendezLojo Manuel Hermenegildo, Darko Stefanovic, Deepak Kapur 1 Want

Mark Marron, Mario MendezLojo Manuel Hermenegildo, Darko Stefanovic, Deepak Kapur 1 Want

Mark Marron, Mario MendezLojo Manuel Hermenegildo, Darko Stefanovic, Deepak Kapur 1 Want to optimize objectoriented programs which make use of pointer rich structures In an Array or Collection (e.g. java.util.List) are there any

386 views • 22 slides

More recommend