Upload
jaidyn-lisby
View
215
Download
1
Tags:
Embed Size (px)
Citation preview
Constraint Semanticsfor
Abstract Read Permissions
28th July 2014, FTfJP, Uppsala
John Tang Boyland (UW-Milwaukee/ETH Zurich)Peter Müller, Malte Schwerhoff, Alexander J. Summers (ETH Zurich)
2
Unbounded Counting with Fractional Permissions over
ℚ
General Framework for Proving Soundness of
Permission Assumptions
Why Should You Pay Attention?
12
Iterator Example
method visit(it: Iterator, d: Data) { var n: Int := 0
while (it.hasNext()) { fork worker(it.next(), d) n := n + 1 }
...}
method worker(e: Element, d: Data) { // reads d.f}
Start with v1 per-missions to d.f
13
Iterator Example
method visit(it: Iterator, d: Data) { var n: Int := 0
while (it.hasNext()) { fork worker(it.next(), d) n := n + 1 }
...}
method worker(e: Element, d: Data) { // reads d.f}
Give each workerthe same v2 per-missions to d.f
14
Iterator Example
method visit(it: Iterator, d: Data) { var n: Int := 0
while (it.hasNext()) { fork worker(it.next(), d) n := n + 1 }
...}
method worker(e: Element, d: Data) { // reads d.f}
Can (n+1)th v2 stillbe given away?
15
Iterator Example
Can (n+1)th v2 stillbe given away?
method visit(it: Iterator, d: Data) { var n: Int := 0
while (it.hasNext()) { fork worker(it.next(), d) n := n + 1 }
...}
method worker(e: Element, d: Data) { // reads d.f} Fixing v2 up-front not
possible since n unbounded …
16
Iterator Example
method visit(it: Iterator, d: Data) { var n: Int := 0
while (it.hasNext()) { fork worker(it.next(), d) n := n + 1 }
...}
method worker(e: Element, d: Data) { // reads d.f}
Can (n+1)th v2 stillbe given away?
… on the other hand, for any n, a suitable
v2 can be chosen
17
Abstract Read Permissions(Heule et al., VMCAI’13)
1. Use symbolic values vi insteadof concrete fractions
2. Constrain vi as verification proceeds to make it sufficiently small
Existing Idea
18
Iterator Example with Abstract Read Permissions
method visit(it: Iterator, d: Data, v1: Perm) { var n: Int := 0 var v2: Perm := fresh()
while (it.hasNext()) {
fork worker(it.next(), d, v2) n := n + 1 }
...}
method worker(e: Element, d: Data, v: Perm) { // reads d.f}
19
Iterator Example with Abstract Read Permissions
method visit(it: Iterator, d: Data, v1: Perm) { var n: Int := 0 var v2: Perm := fresh()
while (it.hasNext()) { assume v2 < v1 – n * v2 fork worker(it.next(), d, v2) n := n + 1 }
...}
method worker(e: Element, d: Data, v: Perm) { // reads d.f}
Enables ℚ to support unbounded counting
!
20
Other Permission Model Properties (Short Digression)
method visit(it: Iterator, d: Data, v1: Perm) { var n: Int := 0 var v2: Perm := fresh()
while (it.hasNext()) { assume v2 < v1 – n * v2 fork worker(it.next(), d, v2) n := n + 1 }
...}
method worker(e: Element, d: Data, v: Perm) { // reads d.f}
Recursively fork visit unbounded splitting
21
Other Permission Model Properties (Short Digression)
method visit(it: Iterator, d: Data, v1: Perm) { var n: Int := 0 var v2: Perm := fresh()
while (it.hasNext()) { assume v2 < v1 – n * v2 fork worker(it.next(), d, v2) n := n + 1 }
...}
method worker(e: Element, d: Data, v: Perm) { // reads d.f}
Abstract predicates permission multiplication
23
‐Must avoid unsound assumptions (in a modular way)
‐ v < v‐ v1 < v2 && v2 < v1
‐Factoring key property for constraint satisfiability out of general soundness proof is not straight-forward
‐Heule et al. therefore allow only limited application of abstract read permissions
‐ Ensures satisfiable constraints‐ Can’t support unbounded counting
Abstract Read Permissions (Heule et al., VMCAI’13)
27
Partially ordered set of variables (V, )≺v2 v≺ 1 ≙ “v2 layered below v1”
Extend ≺ to v E≺E ::= q | v | E + E | E * E | E – E | E / E
Define layered for sets C ofpermission inequalities v < E
Layered Constraints
29
Extending ≺ to E
q ∊ ℚ+
v q≺ v E≺ 1 v E≺ 2
v E≺ 1 E⊚ 2
with ⊚ ∊ {+, , /}∗
v v’ v’ E≺ ≺v E – v’≺
Ensures that v’ < E could be added to C
30
Extending ≺ to E
q ∊ ℚ+
v q≺ v E≺ 1 v E≺ 2
v E≺ 1 E⊚ 2
with ⊚ ∊ {+, , /}∗
v v’ v’ E≺ ≺v E – v’≺
Ensures that v is layered below v’
31
Layered and Layerable Constraints
‐A set C of permission inequalities v < Eis layered w.r.t. to ≺ if
∀ (v < E) ∊ C · v E≺
32
Layered and Layerable Constraints
‐A set C of permission inequalities v < Eis layered w.r.t. to ≺ if
∀ (v < E) ∊ C · (v’ < E’) ·∃
(v’ < E’ ⇒ v < E) ∧ v’ E’≺‐A set C is layerable if there exists a ≺ s.t. C is layered w.r.t. to ≺Theorem: If a constraint system is layerable, then it is
satisfiable
Makes simple derivation
system more expressive
33
Iterator Example Revisited
q ∊ ℚ+
v q≺ v E≺ 1 v E≺ 2
v E≺ 1 E⊚ 2
with ⊚ ∊ {+, , /}∗
v v’ v’ E≺ ≺v E – v’≺
Constraint from iterator examplev2 < v1 – n * v2
is layered ifv2 v≺ 1 – n * v2
is derivable
34
Iterator Example Revisited
q ∊ ℚ+
v q≺ v E≺ 1 v E≺ 2
v E≺ 1 E⊚ 2
with ⊚ ∊ {+, , /}∗
v v’ v’ E≺ ≺v E – v’≺
Constraint from iterator examplev2 < v1 – n * v2
is layered ifv2 v≺ 1 – n * v2 ⇔ v2 < v1 / (n + 1)
is derivable
35
Iterator Example Revisited
v2 v≺ 1 v2 (n + 1)≺v2 v≺ 1 / (n + 1)
(n + 1) ∊ ℚ+
q ∊ ℚ+
v q≺ v E≺ 1 v E≺ 2
v E≺ 1 E⊚ 2
with ⊚ ∊ {+, , /}∗
v v’ v’ E≺ ≺v E – v’≺
36
1. Define a suitable ≺-relation, e.g., introduced after
2. Define a methodology for generating layered constraints w.r.t. to chosen ≺ (soundness proof)
3. Turn constraints into free assumptions
Using our Work
method visit(v1: Perm) { ... var v2: Perm := fresh() ... }
37
Related Work
‐Counting Permissions (Bornat et al., POPL’05)
‐ Neither divisibility nor multiplication
‐Compound Models (Dockins et al., APLAS’09, Leino et al., ESOP’09)
‐ No multiplication‐ Potentially slow due to disjunctions
‐Z[ε]+ (Boyland, LNCS Volume 7850, 2013)‐ Satisfies all three properties‐ Complex and subtle model‐ No existing implementation (as far as we know)
38
Conclusion
‐ Identified a property that guarantees satisfiability of constraints over fractional permissions over ℚ
‐Formalised a derivation system enforcing the property
‐Enabled fractional permissions over ℚ to support unbounded counting
‐Factor soundness proof for permission book-keeping out of general soundness proof
‐Future work: define methodology for fully exploiting layerable constraints in a front-end tool