Amortised Resource Analysis using Separation Logic
Robert Atkey (Robert.Atkey@strath.ac.uk), University of Strathclyde
20th July 2017, Dagstuhl Seminar 17291
Resource Specification and Verification

Programs execute. But not for free. How much will it cost? How do we say how much it will cost?
Specifying Resource Usage

Maybe we could attach sizes to things: list_n(x)

And then state the resource consumption in these terms:

  { list_n(x) ∧ rc = r1 } iterateList { list_n(x) ∧ rc = r1 + n }

How well does this work?
Functional Queues

(Figure: a two-list queue initially holding a and b; c and d are enqueued onto the back list, which holds them reversed as [d, c].)

▶ Dequeue (1 unit)
▶ Enqueue (1 unit)
▶ Enqueue (1 unit)
▶ Dequeue (1 unit)
▶ Dequeue (3 units) (2 to reverse [d, c], 1 to remove c)
▶ Total: 7 units
Specifying the Resource Behaviour

Using a ghost variable rc for consumed resources.

Predicate queue(x, h, t):
▶ Queue pointed to by x;
▶ Head of length h, tail of length t

  ∀ r1. { queue(x, h, t) ∧ rc = r1 } enqueue { queue(x, h, t + 1) ∧ rc = r1 + R }
  ∀ r1. { queue(x, 0, t) ∧ rc = r1 } dequeue { queue(x, t − 1, 0) ∧ rc = r1 + (1 + t) R }
  ∀ r1. { queue(x, h + 1, t) ∧ rc = r1 } dequeue { queue(x, h, t) ∧ rc = r1 + R }

Exposes the internals of the queue abstraction.
Amortised Analysis (Tarjan 1985)

(Figure: the same queue trace, now charging each enqueue 2 units so that every dequeue costs 1.)

▶ Dequeue (1 unit)
▶ Enqueue (2 units)
▶ Enqueue (2 units)
▶ Dequeue (1 unit)
▶ Dequeue (1 unit)
▶ Total: 7 units
Where Do Resources Live?

Tarjan: associate the extra resources for enqueue with the nodes. Banker's method. When accessing that node we get to use the resources.

Applied to functional languages by Hofmann and Jost (2003).
Where Do Resources Live?

(Figure: the same queue trace; the nodes for c and d each carry a stored unit R after being enqueued, and those units pay for the reversal.)

▶ Dequeue (1 unit) (1 real unit)
▶ Enqueue (2 units) (1 real unit)
▶ Enqueue (2 units) (1 real unit)
▶ Dequeue (1 unit) (1 real unit)
▶ Dequeue (1 unit) (3 real units)
▶ Total: 7 units
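The three queue traces above, replayed as an added example (constructed here, not code from the talk): a two-list functional queue whose back list carries one stored unit R per node, with a ghost counter rc for real cost and a separate amortised charge. The names Queue, run_trace and the unit cost R = 1 are assumptions.

```python
from dataclasses import dataclass, field
from typing import Any, List, Tuple

R = 1  # assumed: one resource unit per basic step


@dataclass
class Queue:
    # front is list(0, y): no credits; back is list(1, z): one stored R per node.
    # rc is the ghost variable for real resources consumed; amortised is the charge
    # made so far. (Constructed bookkeeping, not code from the talk.)
    front: List[Any] = field(default_factory=list)
    back: List[Any] = field(default_factory=list)
    rc: int = 0
    amortised: int = 0

    def credits(self) -> int:
        return len(self.back) * R     # banker's method: credits live on back nodes

    def enqueue(self, v: Any) -> None:
        self.back = [v] + self.back   # cons onto the reversed back list
        self.rc += R                  # real cost: 1 unit
        self.amortised += 2 * R       # charged 2: {queue(x) ∗ R ∗ R} enqueue {queue(x)}

    def dequeue(self) -> Any:
        if not self.front:
            # Head exhausted: reverse back at 1 real unit per node, paid by the
            # credits those nodes carried in.
            self.rc += len(self.back) * R
            self.front, self.back = list(reversed(self.back)), []
        v, self.front = self.front[0], self.front[1:]
        self.rc += R                  # real cost of removing the head
        self.amortised += R           # charged 1: {queue(x) ∗ R} dequeue {queue(x)}
        return v


def run_trace() -> Tuple[List[Any], int, int, bool]:
    # Replay the slides' sequence on a queue holding a, b (constructed input) and
    # check the invariant amortised − rc == stored credits after every operation.
    q = Queue(front=["a", "b"])
    ops = [("deq", None), ("enq", "c"), ("enq", "d"), ("deq", None), ("deq", None)]
    popped, invariant = [], True
    for op, v in ops:
        if op == "deq":
            popped.append(q.dequeue())
        else:
            q.enqueue(v)
        invariant = invariant and (q.amortised - q.rc == q.credits())
    return popped, q.rc, q.amortised, invariant
```

Because amortised − rc always equals the credits still stored, the amortised total (7) bounds the real total (7) at every point, which is exactly what lets the specification hide the queue's internals.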
Consumable Resources

Let's assume that resources are a commutative, ordered monoid.
Separation Logic with Consumable Resources

  list(n, x) ≡ x = null ∧ emp
             ∨ ∃ y z. [x.data ↦ y] ∗ [x.next ↦ z] ∗ R^n ∗ list(n, z)

(Figure: a four-node list a, c, b, d with one R attached to each node.)

  r, H ⊨ list(1, x)

Splitting the model into (r1, H1) and (r2, H2):

  r1 · r2, H1 ⊎ H2 ⊨ [x.data ↦ a] ∗ [x.next ↦ y] ∗ R ∗ list(1, y)

(Figure: the same list after some mutation and resource consumption.)
Specifying Resources and Heap Shape

  queue(x) ≡ ∃ y z. [x.front ↦ y] ∗ [x.back ↦ z] ∗ list(0, y) ∗ list(1, z)

  { queue(x) ∗ R ∗ R } enqueue { queue(x) }
  { queue(x) ∗ R } dequeue { queue(x) }

Precondition specifies:
▶ Heap shape required
▶ Resources required
The two may be intertwined.
It's all intertwingly

Reasoning follows the Innumerate Shepherd model:
▶ Numbers and arithmetic are abstract nonsense!
▶ Structure matters

Resources are made available as they are needed to process the data they are attached to. Integrates well with the local reasoning of Separation Logic.
Assertion Language

  ϕ ::= t1 ⋈ t2 | ⊤ | ϕ1 ∧ ϕ2 | ϕ1 ∨ ϕ2 | ϕ1 → ϕ2
      | emp | ϕ1 ∗ ϕ2 | ϕ1 —∗ ϕ2 | ∀ x. ϕ | ∃ x. ϕ | [t1.f ↦ t2] | R_r | ...
Semantic Domains

Logic is defined over pairs x = (H, r).

Use a ternary relation to define how resources and heaps are combined:

  R x y z ⇔ H1 # H2 ∧ H1 ⊎ H2 = H3 ∧ r1 · r2 ⊑ r3
  where x = (H1, r1), y = (H2, r2), z = (H3, r3)

Extend the order on resources to pairs of heaps and resources by (H1, r1) ⊑ (H2, r2) iff H1 = H2 and r1 ⊑ r2.
Semantics of Assertions

With x = (H, r):

  η, x ⊨ ⊤             iff always
  η, x ⊨ t1 {=, ≠} t2  iff ⟦t1⟧η {=, ≠} ⟦t2⟧η
  η, x ⊨ emp           iff x = (H, r) and H = {}
  η, x ⊨ [t1.f ↦ t2]   iff x = (H, r) and H = { (⟦t1⟧η, f) ↦ ⟦t2⟧η }
  η, x ⊨ R_{ri}        iff x = (H, r) and ri ⊑ r and H = {}
  η, x ⊨ ϕ1 ∧ ϕ2       iff η, x ⊨ ϕ1 and η, x ⊨ ϕ2
  η, x ⊨ ϕ1 ∨ ϕ2       iff η, x ⊨ ϕ1 or η, x ⊨ ϕ2
  η, x ⊨ ϕ1 ∗ ϕ2       iff there exist y, z such that R y z x and η, y ⊨ ϕ1 and η, z ⊨ ϕ2
  η, x ⊨ ϕ1 → ϕ2       iff for all y, if x ⊑ y and η, y ⊨ ϕ1 then η, y ⊨ ϕ2
  η, x ⊨ ϕ1 —∗ ϕ2      iff for all y, z, if R x y z and η, y ⊨ ϕ1 then η, z ⊨ ϕ2
  η, x ⊨ ∀ v. ϕ        iff for all a, η[v ↦ a], x ⊨ ϕ
  η, x ⊨ ∃ v. ϕ        iff there exists a, η[v ↦ a], x ⊨ ϕ
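A brute-force model checker for the satisfaction relation above and for the list(n, x) predicate from the "Separation Logic with Consumable Resources" slide, added here as an example (not part of the talk). It assumes the resource monoid (ℕ, +, ≤), heaps as dicts from (address, field) to value, null as None, and a constructed tuple encoding of assertions; the names splits, sat, list_heap and demo are assumptions.

```python
# Added example: brute-force checker for the slides' assertion semantics over
# models (H, r). Assumed: resource monoid (ℕ, +, ≤), heap = {(addr, field): value},
# null = None, assertions as tuples, e.g. ("star", p, q) or ("pt", a, "next", z).
def splits(H, r):
    # Enumerate (H1, r1), (H2, r2) with H1 # H2, H1 ⊎ H2 = H and r1 + r2 ≤ r,
    # i.e. all y, z with R y z x for x = (H, r). Unused resource may be dropped.
    cells = list(H)
    for mask in range(1 << len(cells)):
        H1 = {c: H[c] for i, c in enumerate(cells) if mask >> i & 1}
        H2 = {c: H[c] for i, c in enumerate(cells) if not mask >> i & 1}
        for r1 in range(r + 1):
            for r2 in range(r - r1 + 1):
                yield (H1, r1), (H2, r2)

def sat(phi, H, r):
    # η, (H, r) ⊨ phi, one case per line of the 'Semantics of Assertions' slide.
    tag = phi[0]
    if tag == "emp":  return H == {}
    if tag == "R":    return phi[1] <= r and H == {}          # R_ri: ri ⊑ r, empty heap
    if tag == "pt":   return H == {(phi[1], phi[2]): phi[3]}  # [t1.f ↦ t2]: singleton heap
    if tag == "and":  return sat(phi[1], H, r) and sat(phi[2], H, r)
    if tag == "or":   return sat(phi[1], H, r) or sat(phi[2], H, r)
    if tag == "star": return any(sat(phi[1], *y) and sat(phi[2], *z) for y, z in splits(H, r))
    if tag == "list":
        # list(n, x) ≡ x = null ∧ emp ∨ ∃yz. [x.data ↦ y] ∗ [x.next ↦ z] ∗ R^n ∗ list(n, z)
        # The witnesses y, z can only be the contents of x's cells, so no search is needed.
        n, x = phi[1], phi[2]
        if x is None:
            return H == {}
        if (x, "data") not in H or (x, "next") not in H:
            return False
        y, z = H[(x, "data")], H[(x, "next")]
        return sat(("star", ("pt", x, "data", y), ("star", ("pt", x, "next", z),
                    ("star", ("R", n), ("list", n, z)))), H, r)
    raise ValueError(f"unknown assertion {tag}")

def list_heap(values):
    # Constructed heap: a singly linked list at addresses 1..len(values); returns (H, x).
    H = {}
    for i, v in enumerate(values, start=1):
        H[(i, "data")], H[(i, "next")] = v, (i + 1 if i < len(values) else None)
    return H, (1 if values else None)

def demo():
    H, x = list_heap(["a", "b"])
    y = H[(x, "next")]
    unfolded = ("star", ("pt", x, "data", "a"),           # the split shown on the slide
                ("star", ("pt", x, "next", y), ("star", ("R", 1), ("list", 1, y))))
    return (sat(("list", 1, x), H, 2),                    # one credit per node: holds
            sat(("list", 1, x), H, 1),                    # too few credits: fails
            sat(unfolded, H, 2),                          # holds on the same model
            sat(("list", 0, x), {**H, (9, "data"): "j"}, 0))  # dangling cell: fails
```

The second and fourth checks show the two ways a model can fail the predicate: not enough resource to cover the R^n attached to each node, and a heap cell that no conjunct accounts for.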
Examples of Inductive Predicates

List segments:
  lseg(n, x, y) ≡ x = y ∧ emp
                ∨ ∃ d, z. [x.data ↦ d] ∗ [x.next ↦ z] ∗ R^n ∗ lseg(n, z, y)

Doubly-linked lists:
  dlseg(n, p, x, y) ≡ x = y ∧ emp
                    ∨ ∃ z. [x.next ↦ z] ∗ [x.prev ↦ p] ∗ R^n ∗ dlseg(n, x, z, y)

Trees:
  tree(n, x) ≡ x = null ∧ emp
             ∨ ∃ y, z. [x.left ↦ y] ∗ [x.right ↦ z] ∗ R^n ∗ tree(y) ∗ tree(z)

(Figures: a list segment from x to y, a doubly-linked segment with prev pointer p, and a tree node x with left subtree y and right subtree z, each node carrying R^n.)