time credits and time receipts in iris
play

Time credits and time receipts in Iris Glen Mvel , Jacques-Henri - PowerPoint PPT Presentation

Mar 14, 2023 •27 likes •577 views

Time credits and time receipts in Iris Glen Mvel , Jacques-Henri Jourdan, Franois Pottier Inria CNRS, LRI, Univ. Paris Sud, Universit Paris-Saclay April 8, 2019 Prague Introduction Problem Time receipts in action Soundness Conclusion

  1. Time credits and time receipts in Iris Glen Mével , Jacques-Henri Jourdan, François Pottier Inria CNRS, LRI, Univ. Paris Sud, Université Paris-Saclay April 8, 2019 Prague

  2. Introduction Problem Time receipts in action Soundness Conclusion This talk recent works: time credits aim: prove an upper bound on the running time of a program this talk: time receipts aim: assume an upper bound on the running time of a program These are dual notions. Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 1 / 17

  3. Introduction Problem Time receipts in action Soundness Conclusion This talk recent works: time credits aim: prove an upper bound on the running time of a program this talk: time receipts aim: assume an upper bound on the running time of a program These are dual notions. Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 1 / 17

  4. Introduction Problem Time receipts in action Soundness Conclusion Example: a unique symbol generator The function genSym returns fresh symbols: let lastSym = ref 0 let genSym () = lastSym . . = ! lastSym + 1 ; ! lastSym Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 2 / 17

  5. Introduction Problem Time receipts in action Soundness Conclusion Example: a unique symbol generator The function genSym returns fresh symbols: let lastSym = ref 0 (* unsigned 64-bit integer *) let genSym () = lastSym . . = ! lastSym + 1 ; (* may overflow! *) ! lastSym Strictly speaking, this code is not correct. Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 2 / 17

  6. Introduction Problem Time receipts in action Soundness Conclusion Example: a unique symbol generator The function genSym returns fresh symbols: let lastSym = ref 0 (* unsigned 64-bit integer *) let genSym () = lastSym . . = ! lastSym + 1 ; (* may overflow! *) ! lastSym Strictly speaking, this code is not correct. We still want to prove that this code is “correct” in some sense. Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 2 / 17

  7. Introduction Problem Time receipts in action Soundness Conclusion The Bounded Time Hypothesis [Clochard et al. , 2015] Counting from 0 to 2 64 takes centuries with a modern processor. Therefore, this overflow won’t happen in a lifetime. How to express this informal argument in separation logic? Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 3 / 17

  8. Introduction Problem Time receipts in action Soundness Conclusion The Bounded Time Hypothesis [Clochard et al. , 2015] Counting from 0 to 2 64 takes centuries with a modern processor. Therefore, this overflow won’t happen in a lifetime. How to express this informal argument in separation logic? In this talk: We answer this question using time receipts . We prove that Iris, extended with time receipts, is sound . Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 3 / 17

  9. A closer look at the problem

  10. Introduction Problem Time receipts in action Soundness Conclusion Specification of genSym A specification (in separation logic):   { P S }   P ∅ ∗ ∀ S . genSym ()   { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } for some proposition P S which represents: the ownership of the generator; the fact that S is the set of all symbols returned so far. Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 4 / 17

  11. Introduction Problem Time receipts in action Soundness Conclusion Tentative proof of genSym let lastSym = ref 0 let genSym () = lastSym . . = ! lastSym + 1 ; ! lastSym Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 5 / 17

  12. Introduction Problem Time receipts in action Soundness Conclusion Tentative proof of genSym {} let lastSym = ref 0 { P ∅} { P S } let genSym () = lastSym . . = ! lastSym + 1 ; ! lastSym { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 5 / 17

  13. Introduction Problem Time receipts in action Soundness Conclusion Tentative proof of genSym Invariant: P S � lastSym �→ max S {} let lastSym = ref 0 { P ∅} { P S } let genSym () = lastSym . . = ! lastSym + 1 ; ! lastSym { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 5 / 17

  14. Introduction Problem Time receipts in action Soundness Conclusion Tentative proof of genSym Invariant: P S � lastSym �→ max S {} let lastSym = ref 0 { lastSym �→ 0 } { P ∅} { P S } let genSym () = { lastSym �→ max S } lastSym . . = ! lastSym + 1 ; { lastSym �→ ⌊ max S + 1 ⌋ 2 64 } { ⌊ max S + 1 ⌋ 2 64 / ∈ S ∗ lastSym �→ ⌊ max S + 1 ⌋ 2 64 } ! lastSym { λ n . n / ∈ S ∗ lastSym �→ n } { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 5 / 17

  15. Introduction Problem Time receipts in action Soundness Conclusion Tentative proof of genSym Invariant: P S � lastSym �→ max S {} let lastSym = ref 0 { lastSym �→ 0 } { P ∅} { P S } let genSym () = { lastSym �→ max S } lastSym . . = ! lastSym + 1 ; { lastSym �→ ⌊ max S + 1 ⌋ 2 64 } Wrong {⌊ max S + 1 ⌋ 2 64 / ∈ S ∗ lastSym �→ ⌊ max S + 1 ⌋ 2 64 } ! lastSym { λ n . n / ∈ S ∗ lastSym �→ n } { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 5 / 17

  16. Introduction Problem Time receipts in action Soundness Conclusion An unpleasant workaround: patch the specification We may add a precondition to exclude any chance of overflow: { P S ∗ | S | < 2 64 − 1 }     P ∅ ∗ ∀ S . genSym ()   { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } This pollutes user proofs with cumbersome proof obligations. . . which may even be unprovable! Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 6 / 17

  17. Time receipts in action

  18. Introduction Problem Time receipts in action Soundness Conclusion Time receipts in separation logic To count execution steps, we introduce time receipts . Each step produces one time receipt, and only one : { True } x + y { λ z . z = ⌊ x + y ⌋ 2 64 ∗ � 1 } � Time receipts sum up: � 1 ∗ . . . ∗ � 1 ≡ � n � �� � n But time receipts do not duplicate (separation logic): � 1 �− ∗ � 1 ∗ � 1 Therefore, � n is a witness that (at least) n steps have been taken. Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 7 / 17

  19. Introduction Problem Time receipts in action Soundness Conclusion Proof of genSym using time receipts Invariant: P S � lastSym �→ max S {} let lastSym = ref 0 { lastSym �→ 0 } { P ∅} { P S } let genSym () = { lastSym �→ max S } lastSym . . = ! lastSym + 1 ; { lastSym �→ ⌊ max S + 1 ⌋ 2 64 } {⌊ max S + 1 ⌋ 2 64 / ∈ S ∗ lastSym �→ ⌊ max S + 1 ⌋ 2 64 } ! lastSym { λ n . n / ∈ S ∗ lastSym �→ n } { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 8 / 17

  20. Introduction Problem Time receipts in action Soundness Conclusion Proof of genSym using time receipts Invariant: P S � lastSym �→ max S ∗ � ( max S ) {} let lastSym = ref 0 { lastSym �→ 0 } We keep track of elapsed time. { P ∅} { P S } let genSym () = { lastSym �→ max S } lastSym . . = ! lastSym + 1 ; { lastSym �→ ⌊ max S + 1 ⌋ 2 64 } {⌊ max S + 1 ⌋ 2 64 / ∈ S ∗ lastSym �→ ⌊ max S + 1 ⌋ 2 64 } ! lastSym { λ n . n / ∈ S ∗ lastSym �→ n } { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 8 / 17

  21. Introduction Problem Time receipts in action Soundness Conclusion Proof of genSym using time receipts Invariant: P S � lastSym �→ max S ∗ � ( max S ) {} let lastSym = ref 0 { lastSym �→ 0 ∗ � 0 } { P ∅} { P S } let genSym () = { lastSym �→ max S ∗ � max S } lastSym . . = ! lastSym + 1 ; { lastSym �→ ⌊ max S + 1 ⌋ 2 64 ∗ � ( max S + 1 ) } {⌊ max S + 1 ⌋ 2 64 / ∈ S ∗ lastSym �→ ⌊ max S + 1 ⌋ 2 64 ∗ � ( max S + 1 ) } ! lastSym { λ n . n / ∈ S ∗ lastSym �→ n ∗ � n } { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 8 / 17

  22. Introduction Problem Time receipts in action Soundness Conclusion Proof of genSym using time receipts Invariant: P S � lastSym �→ max S ∗ � ( max S ) {} let lastSym = ref 0 { lastSym �→ 0 ∗ � 0 } Initialization { P ∅} We obtain 0 time receipts for free. { P S } let genSym () = { lastSym �→ max S ∗ � max S } lastSym . . = ! lastSym + 1 ; { lastSym �→ ⌊ max S + 1 ⌋ 2 64 ∗ � ( max S + 1 ) } {⌊ max S + 1 ⌋ 2 64 / ∈ S ∗ lastSym �→ ⌊ max S + 1 ⌋ 2 64 ∗ � ( max S + 1 ) } ! lastSym { λ n . n / ∈ S ∗ lastSym �→ n ∗ � n } { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 8 / 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Time and Order slide credits: H. Kopetz, P. Puschner Why do we need a notion of time? Event

Time and Order slide credits: H. Kopetz, P. Puschner Why do we need a notion of time? Event

Time and Order slide credits: H. Kopetz, P. Puschner Why do we need a notion of time? Event identification and generation State before vs. after the event Event ordering Causal order (e.g., a may only have caused b if a happened

1.1k views • 57 slides
Real-Time System Modeling slide credits: H. Kopetz, P. Puschner Overview Model Construction

Real-Time System Modeling slide credits: H. Kopetz, P. Puschner Overview Model Construction

Real-Time System Modeling slide credits: H. Kopetz, P. Puschner Overview Model Construction Real-time clusters &amp; components Interfaces Real-time interfaces and observations Real-time images and temporal accuracy

1.24k views • 88 slides
Iris-Dashboard main screen Click on Create Task Icon Popup window shall appear

Iris-Dashboard main screen Click on Create Task Icon Popup window shall appear

Introduction Salient Features Target Audience Benefits M odules Instructions (One Time Installation) Installing Iris-ADX and supported applications Installing IRISADX Synchronization Service Filing Income Tax

653 views • 51 slides
Introduction to Real-Time Systems Peter Puschner slides credits: H. Kopetz, P. Puschner VO

Introduction to Real-Time Systems Peter Puschner slides credits: H. Kopetz, P. Puschner VO

Introduction to Real-Time Systems Peter Puschner slides credits: H. Kopetz, P. Puschner VO Echtzeitsysteme SS 2017 What is a Real-Time System? Definition 1: RT-systems are systems in which the correctness of the system behavior depends

502 views • 19 slides
E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed

E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed

E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed time for everything. And there is a time for every event under heaven A time to give birth and a time to die; A time to plant and a time to

626 views • 16 slides
Towards a Time-Predictable Node Peter Puschner slides credits: P. Puschner, R. Kirner, B. Huber

Towards a Time-Predictable Node Peter Puschner slides credits: P. Puschner, R. Kirner, B. Huber

Towards a Time-Predictable Node Peter Puschner slides credits: P. Puschner, R. Kirner, B. Huber VU 2.0 182.101 SS 2015 Embedded System Task timing is only ES Component

537 views • 25 slides
Real-Time Communication slide credits: H. Kopetz, P. Puschner Overview Communication system

Real-Time Communication slide credits: H. Kopetz, P. Puschner Overview Communication system

Real-Time Communication slide credits: H. Kopetz, P. Puschner Overview Communication system requirements Controlling the flow of messages Types of protocols Properties of communication protocols Protocol examples 2 Importance

2.22k views • 87 slides
HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1 Health, Safety, and Environment ( HSE ) is crucial for any Oil &amp; Gas and Construction business 2 Main Main accident kinds for the latest three

317 views • 13 slides
THE SOFTWARE Custom camera control software allows extra cameras to be added as needed allowing

THE SOFTWARE Custom camera control software allows extra cameras to be added as needed allowing

Time Slice systems - - also known as bullet time, stop time, or time freeze implement a camera array that ranges anywhere from 24 to 150+ cameras to create an effect of stopped time or extremely slowed time. Although the process was pioneered

197 views • 5 slides
Real-Time Component Software slide credits: H. Kopetz, P. Puschner Overview OS services

Real-Time Component Software slide credits: H. Kopetz, P. Puschner Overview OS services

Real-Time Component Software slide credits: H. Kopetz, P. Puschner Overview OS services Task Structure Task Interaction Input/Output Error Detection 2 Operating System and Middleware Application Software Component API OS

834 views • 47 slides
Engineering Economics 4-1 Cash Flow Cash flow is the sum of money recorded as receipts or

Engineering Economics 4-1 Cash Flow Cash flow is the sum of money recorded as receipts or

Engineering Economics 4-1 Cash Flow Cash flow is the sum of money recorded as receipts or disbursements in a projects financial records. A cash flow diagram presents the flow of cash as arrows on a time line scaled to the magnitude of the

383 views • 34 slides
Compilation and Worst-Case Execution-Time Analysis Peter Puschner slides credits: P. Puschner, R.

Compilation and Worst-Case Execution-Time Analysis Peter Puschner slides credits: P. Puschner, R.

Compilation and Worst-Case Execution-Time Analysis Peter Puschner slides credits: P. Puschner, R. Kirner, B. Huber VU 2.0 182.101 SS 2015 Why Compiler-Support for WCET

587 views • 40 slides
Building to Heal September 23-24, 2017 2018 Budget Receipts $950,270 2017 Receipts

Building to Heal September 23-24, 2017 2018 Budget Receipts $950,270 2017 Receipts

Year in Review July 2016 to June 2017 Building to Heal September 23-24, 2017 2018 Budget Receipts $950,270 2017 Receipts $961,904 Sunday &amp; Holy Days Fund Raising - Net Other Donations &amp; Rents Faith Formation Community

854 views • 8 slides
W HAT IS TIME SERIES D ATA ? W HAT IS TIME SERIES D ATA ? A value over time W HAT IS TIME

W HAT IS TIME SERIES D ATA ? W HAT IS TIME SERIES D ATA ? A value over time W HAT IS TIME

T IME S ERIES D ATA P APERS C OVERED Interactive Visualization of Serial Periodic Data John V. Carlis and Joseph A. Konstan Visualizing and Discovering Non-Trivial Patterns in Large Time Series Databases Jessica Lin, Eamonn Keogh,

764 views • 32 slides
? Same time Same time Same place Same time Same place 2 different painters Our story really

? Same time Same time Same place Same time Same place 2 different painters Our story really

? Same time Same time Same place Same time Same place 2 different painters Our story really begins here The Wise Man Grard Mari Professor of Art History at Sciences-Po The art guru who told fascinating stories Myself Coline Debayle

1.14k views • 57 slides
Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers

Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers

CPSC-313: Introduction to Computer Systems Time and Timers Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers Reading: R&amp;R, Ch 9 Current Time UNIX Time Zero : 00.00 (midnight), January 1,

244 views • 7 slides
Cross-Examination Mick Hassell Trial Counsel for Law Firms trialcounsel.ca The Paralegal Licence

Cross-Examination Mick Hassell Trial Counsel for Law Firms trialcounsel.ca The Paralegal Licence

2017-01-27 Cross-Examination Mick Hassell Trial Counsel for Law Firms trialcounsel.ca The Paralegal Licence An Advocates Licence trialcounsel.ca 1 2017-01-27 Presentation Roadmap 1. Trial Advocacy 2. Fundamentals of Cross 3. Ethics 4.

283 views • 24 slides
Baumgartner, POLI 203 Spring 2016 I am Troy Davis, part 1 Reading: I am Troy Davis, pp. 1-160

Baumgartner, POLI 203 Spring 2016 I am Troy Davis, part 1 Reading: I am Troy Davis, pp. 1-160

Baumgartner, POLI 203 Spring 2016 I am Troy Davis, part 1 Reading: I am Troy Davis, pp. 1-160 March 30, 2016 Your first paper: good job! Mondays speaker I need 5-10 volunteers to carry some things from my office to Genome Science, in

294 views • 17 slides
Edmund-Philipp Schuster Assistant Professor of Law, Department of Law #LSEBrexit Corporate

Edmund-Philipp Schuster Assistant Professor of Law, Department of Law #LSEBrexit Corporate

LSE Consulting presentation: Study on the Law Applicable to Companies, prepared for DG Justice Edmund-Philipp Schuster Assistant Professor of Law, Department of Law #LSEBrexit Corporate Mobility and the Harmonisation of Private International

277 views • 13 slides
Columns Picture here Environmental Justice in Ireland: Problems &amp; Prospects ine Ryall

Columns Picture here Environmental Justice in Ireland: Problems &amp; Prospects ine Ryall

Columns Picture here Environmental Justice in Ireland: Problems &amp; Prospects ine Ryall Environmental Justice Access to an effective remedy to enforce environmental law &amp; environmental rights and obligations Aarhus Convention Aarhus

616 views • 23 slides
Data Loss Prevention Academic Senate Meeting October 18, 2017 Data Protection Program

Data Loss Prevention Academic Senate Meeting October 18, 2017 Data Protection Program

Data Loss Prevention Academic Senate Meeting October 18, 2017 Data Protection Program Empower users with the Secure critical data assets, ability to use new protect data confidentiality, and technologies while managing minimize

329 views • 4 slides
Geographic Data Science - Lecture IX Causal Inference Dani Arribas-Bel Today Correlation Vs

Geographic Data Science - Lecture IX Causal Inference Dani Arribas-Bel Today Correlation Vs

Geographic Data Science - Lecture IX Causal Inference Dani Arribas-Bel Today Correlation Vs Causation Causal inference Why/when causality matters Hurdles to causal inference &amp; strategies to overcome them Correlation Vs Causation

626 views • 45 slides
Statistical aspects of stochastic algorithms for entropic optimal transportation between

Statistical aspects of stochastic algorithms for entropic optimal transportation between

Stochastic algorithm for optimal transport Statistical aspects of stochastic algorithms for entropic optimal transportation between probability measures J er emie Bigot Institut de Math ematiques de Bordeaux Equipe Image, Optimisation

767 views • 55 slides
high crime rate -&gt; people afraid of opening windows SIO15: Chapter 13: Heat Waves and Great

high crime rate -&gt; people afraid of opening windows SIO15: Chapter 13: Heat Waves and Great

high crime rate -&gt; people afraid of opening windows SIO15: Chapter 13: Heat Waves and Great Storms Fig 13.33 SIO15: Chapter 13: Heat Waves and Great Storms 104F in hottest summer in 500 years many places (last record heat: 1757)

437 views • 10 slides

More recommend