Concurrent separation logic and operational semantics
Viktor Vafeiadis, MPI-SWS
What is the paper about?
— Soundness proof for CSL
  — Simple
  — Extensible: permissions, RGSep, storable locks [Buisse, Birkedal, Støvring, MFPS 2011], concurrent abstract predicates [Dinsdale-Young et al., ECOOP 2010]
— Explains precision & the conjunction rule
— Fully mechanized in Isabelle/HOL
Hoare triples (partial correctness)
$\models \{P\}\,C\,\{Q\}$ iff $\forall s\,h\,s'\,h'.\; s,h \models P \wedge (C,s,h) \to^* (\mathbf{skip},s',h') \Rightarrow s',h' \models Q$

Standard operational semantics. Judgment form: $(C,s,h) \to (C',s',h')$
Rules for sequential composition:
$(\mathbf{skip};C,\, s,\, h) \to (C,\, s,\, h)$
$\dfrac{(C_1,s,h) \to (C_1',s',h')}{(C_1;C_2,\, s,\, h) \to (C_1';C_2,\, s',\, h')}$
Or equivalently...
$\models \{P\}\,C\,\{Q\}$ iff $\forall s\,h.\; s,h \models P \Rightarrow \forall s'\,h'.\; (C,s,h) \to^* (\mathbf{skip},s',h') \Rightarrow s',h' \models Q$
Name the inner part, counting steps explicitly:
$\mathit{safe}(C,s,h,Q) \;\triangleq\; \forall s'\,h'.\;\forall m.\; (C,s,h) \to^m (\mathbf{skip},s',h') \Rightarrow s',h' \models Q$
Bound the number of steps by an index $n$:
$\mathit{safe}_n(C,s,h,Q) \;\triangleq\; \forall s'\,h'.\;\forall m<n.\; (C,s,h) \to^m (\mathbf{skip},s',h') \Rightarrow s',h' \models Q$
so that $\models \{P\}\,C\,\{Q\}$ iff $\forall n.\;\forall s\,h.\; s,h \models P \Rightarrow \mathit{safe}_n(C,s,h,Q)$.
As an inductive definition...
$\models \{P\}\,C\,\{Q\}$ iff $\forall s\,h\,n.\; s,h \models P \Rightarrow \mathit{safe}_n(C,s,h,Q)$
$\mathit{safe}_0(C,s,h,Q) = \mathit{true}$
$\mathit{safe}_{n+1}(C,s,h,Q) = (C = \mathbf{skip} \Rightarrow s,h \models Q) \wedge (\forall C'\,s'\,h'.\; (C,s,h) \to (C',s',h') \Rightarrow \mathit{safe}_n(C',s',h',Q))$
This agrees with the step-counting formulation of the previous slide:
$\mathit{safe}_n(C,s,h,Q) \iff \forall s'\,h'.\;\forall m<n.\; (C,s,h) \to^m (\mathbf{skip},s',h') \Rightarrow s',h' \models Q$
Fault-avoidance
$\models \{P\}\,C\,\{Q\}$ iff $\forall s\,h\,n.\; s,h \models P \Rightarrow \mathit{safe}_n(C,s,h,Q)$
$\mathit{safe}_0(C,s,h,Q) = \mathit{true}$
$\mathit{safe}_{n+1}(C,s,h,Q) = (C = \mathbf{skip} \Rightarrow s,h \models Q)$
$\quad\wedge\ \neg((C,s,h) \to \mathbf{abort})$
$\quad\wedge\ (\forall C'\,s'\,h'.\; (C,s,h) \to (C',s',h') \Rightarrow \mathit{safe}_n(C',s',h',Q))$
— “Well-specified programs don’t go wrong”
“Bake in” the frame rule
$\models \{P\}\,C\,\{Q\}$ iff $\forall s\,h\,n.\; s,h \models P \Rightarrow \mathit{safe}_n(C,s,h,Q)$
$\mathit{safe}_0(C,s,h,Q) = \mathit{true}$
$\mathit{safe}_{n+1}(C,s,h,Q) = (C = \mathbf{skip} \Rightarrow s,h \models Q)$
$\quad\wedge\ (\forall h_F.\; \neg((C,s,h+h_F) \to \mathbf{abort}))$
$\quad\wedge\ (\forall h_F\,C'\,s'\,h'.\; (C,s,h+h_F) \to (C',s',h') \Rightarrow \exists h''.\; h' = h''+h_F \wedge \mathit{safe}_n(C',s',h'',Q))$
— No separate safety-monotonicity and frame-property lemmas about the semantics are needed: quantifying over the frame $h_F$ inside the definition gives both
— Same definition works for permissions (every permission-heap can be extended to a normal heap)
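As an added illustration (example code written for this page, not code from the paper or its Isabelle development), the following Python model checks the step-indexed $\mathit{safe}_n$ of the last three slides for a constructed mini-language with a heap. The frame heap $h_F$ is quantified over a finite address universe instead of all heaps, and the tuple encoding of commands, the `step` function, the sample program and the postcondition are all assumptions of this example. It shows the two ways a program fails the definition: faulting on some frame (including the empty one), or touching a frame cell so that $h' = h'' + h_F$ has no solution.

```python
from itertools import combinations

# Constructed toy model of the slides' step-indexed safety with the frame
# quantification "baked in". Heaps are dicts address -> value, stores are
# dicts variable -> value. Commands (a hypothetical mini-language, not the
# paper's) are tuples:
#   ("skip",)          skip
#   ("write", x, v)    [x] := v   (faults if the address held in x is not in the heap)
#   ("read", y, x)     y := [x]   (faults likewise)
#   ("seq", C1, C2)    C1 ; C2
ABORT = "abort"
SKIP = ("skip",)


def step(C, s, h):
    """One small step from (C, s, h). Returns a list of outcomes, each either
    ABORT or (C', s', h'); skip has no outcomes. Heaps are never mutated in place."""
    tag = C[0]
    if tag == "skip":
        return []
    if tag == "write":
        _, x, v = C
        a = s[x]
        if a not in h:
            return [ABORT]
        return [(SKIP, s, {**h, a: v})]
    if tag == "read":
        _, y, x = C
        a = s[x]
        if a not in h:
            return [ABORT]
        return [(SKIP, {**s, y: h[a]}, h)]
    if tag == "seq":
        _, c1, c2 = C
        if c1 == SKIP:                      # (skip;C, s, h) -> (C, s, h)
            return [(c2, s, h)]
        outcomes = []
        for out in step(c1, s, h):          # (C1;C2, s, h) -> (C1';C2, s', h')
            if out == ABORT:
                outcomes.append(ABORT)
            else:
                c1p, sp, hp = out
                outcomes.append((("seq", c1p, c2), sp, hp))
        return outcomes
    raise ValueError(f"unknown command {tag}")


def frame_heaps(h, universe, value=7):
    """Finite stand-in for 'for all h_F': every heap over `universe` whose domain
    is disjoint from dom(h). A single sample value per frame cell keeps the
    enumeration small; the empty frame (always included) is what exposes
    accesses outside dom(h) as faults."""
    free = [a for a in universe if a not in h]
    return [{a: value for a in chosen}
            for r in range(len(free) + 1)
            for chosen in combinations(free, r)]


def safe(n, C, s, h, Q, universe):
    """safe_n(C, s, h, Q) from the 'bake in the frame rule' slide, with frame
    heaps drawn from the finite `universe`. Q is a predicate on (store, heap)."""
    if n == 0:
        return True
    if C == SKIP and not Q(s, h):
        return False
    for hF in frame_heaps(h, universe):
        for out in step(C, s, {**h, **hF}):      # h + h_F, disjoint by construction
            if out == ABORT:                     # forall h_F. not (C, s, h+h_F) -> abort
                return False
            Cp, sp, hp = out
            # frame property: h' must decompose as h'' + h_F with h_F untouched
            if any(hp.get(a) != v for a, v in hF.items()):
                return False
            hpp = {a: v for a, v in hp.items() if a not in hF}
            if not safe(n - 1, Cp, sp, hpp, Q, universe):
                return False
    return True


# Constructed example: [x] := 1; y := [x], with x holding address 10.
PROG = ("seq", ("write", "x", 1), ("read", "y", "x"))
UNIVERSE = [10, 11, 12]


def post(s, h):
    return s.get("y") == 1 and h.get(10) == 1


def demo():
    owned = safe(5, PROG, {"x": 10}, {10: 0}, post, UNIVERSE)   # cell 10 owned by the precondition
    unowned = safe(5, PROG, {"x": 10}, {}, post, UNIVERSE)      # cell 10 only ever in a frame
    return owned, unowned


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Running `demo()` gives `(True, False)`: with cell 10 in the local heap every frame leaves the program safe, whereas with an empty local heap the empty frame makes the write abort, so no amount of frame memory can rescue the triple, which is exactly the safety-monotonicity content the slide says is built into the definition.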
Atomic blocks
Syntax: $C ::= \ldots \mid \mathbf{atomic}\ C$
Semantics:
$\dfrac{(C,s,h) \to^* (\mathbf{skip},s',h')}{(\mathbf{atomic}\ C,\, s,\, h) \to (\mathbf{skip},\, s',\, h')}$ $\qquad$ $\dfrac{(C,s,h) \to^* \mathbf{abort}}{(\mathbf{atomic}\ C,\, s,\, h) \to \mathbf{abort}}$
Proof rules, with judgments $J \vdash \{P\}\,C\,\{Q\}$ carrying the resource invariant $J$:
$\dfrac{\vdash \{P * J\}\,C\,\{Q * J\}}{J \vdash \{P\}\,\mathbf{atomic}\ C\,\{Q\}}$ (atomic block: the body may use and must restore $J$)
$\dfrac{J * R \vdash \{P\}\,C\,\{Q\}}{J \vdash \{P * R\}\,C\,\{Q * R\}}$ (moving $R$ between the local state and the invariant)
$\dfrac{J \vdash \{P_1\}\,C_1\,\{Q_1\} \qquad J \vdash \{P_2\}\,C_2\,\{Q_2\}}{J \vdash \{P_1 * P_2\}\,C_1 \parallel C_2\,\{Q_1 * Q_2\}}$ (parallel composition)
Atomic blocks
$J \models \{P\}\,C\,\{Q\}$ iff $\forall s\,h\,n.\; s,h \models P \Rightarrow \mathit{safe}_n(C,s,h,J,Q)$
$\mathit{safe}_0(C,s,h,J,Q) = \mathit{true}$
$\mathit{safe}_{n+1}(C,s,h,J,Q) = (C = \mathbf{skip} \Rightarrow s,h \models Q)$
$\quad\wedge\ (\forall h_J\,h_F.\; s,h_J \models J \Rightarrow \neg((C,s,h+h_J+h_F) \to \mathbf{abort}))$
$\quad\wedge\ (\forall h_J\,h_F\,C'\,s'\,h'.\; (C,s,h+h_J+h_F) \to (C',s',h') \wedge s,h_J \models J$
$\qquad\Rightarrow \exists h''\,h_J'.\; h' = h''+h_J'+h_F \wedge s',h_J' \models J \wedge \mathit{safe}_n(C',s',h'',J,Q))$
No races
$J \models \{P\}\,C\,\{Q\}$ iff $\forall s\,h\,n.\; s,h \models P \Rightarrow \mathit{safe}_n(C,s,h,J,Q)$
$\mathit{safe}_0(C,s,h,J,Q) = \mathit{true}$
$\mathit{safe}_{n+1}(C,s,h,J,Q) = (C = \mathbf{skip} \Rightarrow s,h \models Q)$
$\quad\wedge\ (\forall h_J\,h_F.\; s,h_J \models J \Rightarrow \neg((C,s,h+h_J+h_F) \to \mathbf{abort}))$
$\quad\wedge\ \mathit{accesses}(C,s) \subseteq \mathit{dom}(h)$
$\quad\wedge\ (\forall h_J\,h_F\,C'\,s'\,h'.\; (C,s,h+h_J+h_F) \to (C',s',h') \wedge s,h_J \models J$
$\qquad\Rightarrow \exists h''\,h_J'.\; h' = h''+h_J'+h_F \wedge s',h_J' \models J \wedge \mathit{safe}_n(C',s',h'',J,Q))$
Multiple resources
Syntax: $C ::= \ldots \mid \mathbf{resource}\ r\ \mathbf{in}\ C \mid \mathbf{with}\ r\ \mathbf{when}\ B\ \mathbf{do}\ C \mid \mathbf{within}\ r\ \mathbf{do}\ C$
Semantics ($L(C)$: set of locks currently acquired by $C$):
$\dfrac{B(s)}{(\mathbf{with}\ r\ \mathbf{when}\ B\ \mathbf{do}\ C,\, s,\, h) \to (\mathbf{within}\ r\ \mathbf{do}\ C,\, s,\, h)}$
$\dfrac{(C,s,h) \to (C',s',h') \qquad r \notin L(C)}{(\mathbf{within}\ r\ \mathbf{do}\ C,\, s,\, h) \to (\mathbf{within}\ r\ \mathbf{do}\ C',\, s',\, h')}$
$(\mathbf{within}\ r\ \mathbf{do}\ \mathbf{skip},\, s,\, h) \to (\mathbf{skip},\, s,\, h)$
Proof rules:
$\dfrac{\Gamma \vdash \{(P * J) \wedge B\}\,C\,\{Q * J\}}{\Gamma, r{:}J \vdash \{P\}\,\mathbf{with}\ r\ \mathbf{when}\ B\ \mathbf{do}\ C\,\{Q\}}$
$\dfrac{\Gamma, r{:}J \vdash \{P\}\,C\,\{Q\}}{\Gamma \vdash \{P * J\}\,\mathbf{resource}\ r\ \mathbf{in}\ C\,\{Q * J\}}$
Multiple resources
$\Gamma \models \{P\}\,C\,\{Q\}$ iff $\forall s\,h\,n.\; s,h \models P \Rightarrow \mathit{safe}_n(C,s,h,\Gamma,Q)$
$\mathit{safe}_0(C,s,h,\Gamma,Q) = \mathit{true}$
$\mathit{safe}_{n+1}(C,s,h,\Gamma,Q) = (C = \mathbf{skip} \Rightarrow s,h \models Q)$
$\quad\wedge\ (\forall h_F.\; \neg((C,s,h+h_F) \to \mathbf{abort}))$
$\quad\wedge\ \mathit{accesses}(C,s) \subseteq \mathit{dom}(h)$
$\quad\wedge\ (\forall h_\Gamma\,h_F\,C'\,s'\,h'.\; (C,s,h+h_\Gamma+h_F) \to (C',s',h') \wedge s,h_\Gamma \models \circledast_{r \in L(C') \setminus L(C)} \Gamma(r)$
$\qquad\Rightarrow \exists h''\,h_\Gamma'.\; h' = h''+h_\Gamma'+h_F \wedge s',h_\Gamma' \models \circledast_{r \in L(C) \setminus L(C')} \Gamma(r) \wedge \mathit{safe}_n(C',s',h'',\Gamma,Q))$
Here $L(C') \setminus L(C)$ are the locks acquired by the step, whose invariants are supplied in $h_\Gamma$, and $L(C) \setminus L(C')$ the locks released, whose invariants must be re-established in $h_\Gamma'$; $L(C)$ is the set of locks currently acquired by $C$.
Precision & the conjunction rule
Prove: $\mathit{safe}_n(C,s,h,\Gamma,Q_1) \wedge \mathit{safe}_n(C,s,h,\Gamma,Q_2) \Rightarrow \mathit{safe}_n(C,s,h,\Gamma,Q_1 \wedge Q_2)$
Recall the step clause of the definition:
$\mathit{safe}_{n+1}(C,s,h,\Gamma,Q) = [\ldots] \wedge (\forall h_\Gamma\,h_F\,C'\,s'\,h'.\; [\ldots] \Rightarrow \exists h''\,h_\Gamma'.\; h' = h''+h_\Gamma'+h_F \wedge s',h_\Gamma' \models \circledast_{r \in L(C) \setminus L(C')} \Gamma(r) \wedge \mathit{safe}_n(C',s',h'',\Gamma,Q))$
The two hypotheses give two decompositions of the same $h'$, which need not coincide:
$\exists h_1''\,h_{\Gamma 1}'.\; h' = h_1''+h_{\Gamma 1}'+h_F \wedge s',h_{\Gamma 1}' \models \circledast_{r \in L(C) \setminus L(C')} \Gamma(r) \wedge \mathit{safe}_n(C',s',h_1'',\Gamma,Q_1)$
$\exists h_2''\,h_{\Gamma 2}'.\; h' = h_2''+h_{\Gamma 2}'+h_F \wedge s',h_{\Gamma 2}' \models \circledast_{r \in L(C) \setminus L(C')} \Gamma(r) \wedge \mathit{safe}_n(C',s',h_2'',\Gamma,Q_2)$
To apply the induction hypothesis we need $h_1'' = h_2''$, i.e. a unique way to split off the released invariants; this is what precision of the $\Gamma(r)$ provides (a separating conjunction of precise assertions is again precise).
Definition. $P$ precise iff $\forall s\,h_1\,h_2\,h_1'\,h_2'.\; h_1+h_1' = h_2+h_2' \wedge s,h_1 \models P \wedge s,h_2 \models P \Rightarrow h_1 = h_2 \wedge h_1' = h_2'$
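To make the role of precision concrete, here is an added example (written for this page, not the paper's own code or Isabelle development) that brute-forces the slide's definition over heaps on a small address universe. Assertions are modelled as Python predicates on a store and a heap; `emp`, `points_to`, `emp_or_points_to` and `star` are constructed sample assertions, and the address universes are assumptions. `splits` enumerates the decompositions $h = h_P + h_{rest}$ with $s,h_P \models P$, which is exactly the choice of $h_\Gamma'$ in the proof above: a precise $P$ admits at most one, an imprecise one can admit several.

```python
from itertools import combinations, product

# Constructed helpers for the slide's notion of precision. Assertions are
# Python predicates on (store, heap); heaps are dicts address -> value.


def all_heaps(universe, values=(0, 1)):
    """Every heap over a finite address universe with values drawn from `values`."""
    heaps = []
    for r in range(len(universe) + 1):
        for addrs in combinations(universe, r):
            for vals in product(values, repeat=r):
                heaps.append(dict(zip(addrs, vals)))
    return heaps


def splits(P, s, h):
    """All ways to write h = h_P + h_rest (disjoint union) with s, h_P |= P."""
    addrs = list(h)
    result = []
    for r in range(len(addrs) + 1):
        for chosen in combinations(addrs, r):
            h_P = {a: h[a] for a in chosen}
            h_rest = {a: h[a] for a in addrs if a not in chosen}
            if P(s, h_P):
                result.append((h_P, h_rest))
    return result


def is_precise(P, s, universe, values=(0, 1)):
    """The slide's definition, checked by brute force over heaps on `universe`:
    h1 + h1' = h2 + h2' with s,h1 |= P and s,h2 |= P forces h1 = h2 and h1' = h2'.
    Equivalently, no heap admits two different splits whose P-part satisfies P."""
    return all(len(splits(P, s, h)) <= 1 for h in all_heaps(universe, values))


# Constructed sample assertions (the store is ignored; they constrain only the heap).
def emp(s, h):
    return len(h) == 0


def points_to(addr):
    """addr |-> _ : the heap is exactly one cell at addr, holding any value."""
    return lambda s, h: set(h) == {addr}


def emp_or_points_to(addr):
    """emp \\/ addr |-> _ : satisfied by two heaps, one of which extends the other."""
    return lambda s, h: emp(s, h) or points_to(addr)(s, h)


def star(P, Q):
    """Separating conjunction P * Q: some split of h satisfies P on one part and Q on the other."""
    return lambda s, h: any(P(s, hp) and Q(s, hq)
                            for hp, hq in splits(lambda _s, _h: True, s, h))


def demo():
    s = {}
    return (
        is_precise(points_to(10), s, [10, 11]),
        is_precise(emp, s, [10, 11]),
        is_precise(emp_or_points_to(10), s, [10, 11]),
        is_precise(star(points_to(10), points_to(11)), s, [10, 11, 12]),
        splits(emp_or_points_to(10), s, {10: 0, 11: 1}),
    )


if __name__ == "__main__":
    print(demo())
```

`demo()` reports that `10 |-> _`, `emp` and `10 |-> _ * 11 |-> _` are precise while `emp \/ 10 |-> _` is not, and its last component exhibits the failure: the heap `{10: 0, 11: 1}` splits as `({}, {10: 0, 11: 1})` and as `({10: 0}, {11: 1})`, two different candidates for $h_\Gamma'$ and hence two different $h''$, which is precisely the situation the conjunction-rule proof must rule out.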