higher order concurrent separation logic why and how
play

Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal - PowerPoint PPT Presentation

Aug 13, 2023 •379 likes •1.02k views

Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen, Netherlands Dec, 2015 Modular Reasoning about Higher-Order Concurrent Imperative Programs 1 / 33 Introduction Goal Program logics for

  1. Higher-Order Concurrent Separation Logic: Why and How Lars Birkedal Aarhus University Nijmegen, Netherlands Dec, 2015 Modular Reasoning about Higher-Order Concurrent Imperative Programs 1 / 33

  2. Introduction Goal ◮ Program logics for modular reasoning about partial correctness of higher-order, concurrent, imperative code programs. 2 / 33

  3. Outline 1. Why higher-order logic + guarded recursion is useful for expressing such modular specs ◮ via example of layered and recursive abstraction. 2. Why impredicative protocols to govern shared state ◮ via example verification of lock implementation ◮ invariants to enforce protocols ◮ monoids to express protocols (ownership) 3. How the logic is modelled and showed sound (key ideas) ◮ BI-hyperdoctrine over ultra-metric spaces, Kripke model with recursively defined worlds. 4. Overview of resources to learn more ◮ tutorial material ◮ papers: iCAP [ESOP-2014] and Iris [POPL-2015] ◮ paper on formalization: ModuRes Library [ITP-2015] 5. Overview of features in iCAP and Iris not covered today 3 / 33

  4. Higher-Order Programming ◮ Programming features ◮ HO functions ◮ Interfaces in OO languages ◮ Function Pointers in low-level languages ◮ for ◮ Building libraries ◮ Returning libraries ◮ Parameterization ◮ Point: ◮ Features important for modularizing large programs ◮ Allow programming relative to unknown code ◮ Goal: Logics and Models that support correspondingly modular specifications of code. 4 / 33

  5. Example: Layered and Recursive Abstractions ◮ Modular library specifications that supports layering of abstractions and recursive abstractions. 5 / 33

  6. Example: Layered and Recursive Abstractions ◮ Modular library specifications that supports layering of abstractions and recursive abstractions. LinkedList HashMap Lock 5 / 33

  7. Example: Layered and Recursive Abstractions ◮ Modular library specifications that supports layering of abstractions and recursive abstractions. M 2 LinkedList HashMap M 1 Lock 5 / 33

  8. Recursive Abstractions Reentrant Event Loop Library handler ( ) ; delegate void IEventLoop { interface loop ( ) ; void s i g n a l ( ) ; void void when ( handler f ) ; } 6 / 33

  9. Recursive Abstractions Reentrant Event Loop Library handler ( ) ; delegate void IEventLoop { interface loop ( ) ; void s i g n a l ( ) ; void void when ( handler f ) ; } Event handlers are allowed to emit events! 6 / 33

  10. Recursive Abstractions A library that allows us to close Landin’s Knot / perform Reentrant Event Loop Library recursion through the store. handler ( ) ; delegate void IEventLoop { interface loop ( ) ; void s i g n a l ( ) ; void void when ( handler f ) ; } Event handlers are allowed to emit events! 6 / 33

  11. Recursive Abstractions A library that allows us to close Landin’s Knot / perform Reentrant Event Loop Library recursion through the store. handler ( ) ; delegate void IEventLoop { interface loop ( ) ; void s i g n a l ( ) ; void void when ( handler f ) ; } Event handlers are Realistic examples of this form: allowed to emit events! libevent, Node.js, Twisted, ... C5, GUI libraries, Joins library, ... 6 / 33

  12. A Modular Lock Specification ∃ isLock , locked : Val × Prop → Prop . ∀ R : Prop . { R } { isLock(ret , R) } new Lock() { isLock(x , R) } { locked(x , R) ∗ R } x.Acquire() { locked(x , R) ∗ R } { isLock(x , R) } x.Release() ∀ x : Val . isLock(x , R) ⇔ isLock(x , R) ∗ isLock(x , R) 7 / 33

  13. A Modular Lock Specification Standard sep. logic lock specification The resource invariant R describes the resources protected by the lock. ∃ isLock , locked : Val × Prop → Prop . ∀ R : Prop . { R } { isLock(ret , R) } new Lock() { isLock(x , R) } { locked(x , R) ∗ R } x.Acquire() { locked(x , R) ∗ R } { isLock(x , R) } x.Release() ∀ x : Val . isLock(x , R) ⇔ isLock(x , R) ∗ isLock(x , R) 7 / 33

  14. A Modular Lock Specification ∃ isLock , locked : Val × Prop → Prop . ∀ R : Prop . { R } { isLock(ret , R) } new Lock() { isLock(x , R) } { locked(x , R) ∗ R } x.Acquire() { locked(x , R) ∗ R } { isLock(x , R) } x.Release() ∀ x : Val . isLock(x , R) ⇔ isLock(x , R) ∗ isLock(x , R) 7 / 33

  15. A Modular Lock Specification Third-order quantification. ∃ isLock , locked : Val × Prop → Prop . ∀ R : Prop . { R } { isLock(ret , R) } new Lock() { isLock(x , R) } { locked(x , R) ∗ R } x.Acquire() { locked(x , R) ∗ R } { isLock(x , R) } x.Release() ∀ x : Val . isLock(x , R) ⇔ isLock(x , R) ∗ isLock(x , R) 7 / 33

  16. A Modular Lock Specification ∀ R : Prop . ∃ isLock , locked : Val → Prop . { R } { isLock(ret) } new Lock() { isLock(x) } { locked(x) ∗ R } x.Acquire() { locked(x) ∗ R } { isLock(x) } x.Release() ∀ x : Val . isLock(x) ⇔ isLock(x) ∗ isLock(x) 7 / 33

  17. A Modular Lock Specification Second-order quantification. ∀ R : Prop . ∃ isLock , locked : Val → Prop . { R } { isLock(ret) } new Lock() { isLock(x) } { locked(x) ∗ R } x.Acquire() { locked(x) ∗ R } { isLock(x) } x.Release() ∀ x : Val . isLock(x) ⇔ isLock(x) ∗ isLock(x) 7 / 33

  18. A Modular Lock Specification This specification might suffice for layering of abstractions, but not for all recursive abstractions. ∀ R : Prop . ∃ isLock , locked : Val → Prop . { R } { isLock(ret) } new Lock() { isLock(x) } { locked(x) ∗ R } x.Acquire() { locked(x) ∗ R } { isLock(x) } x.Release() ∀ x : Val . isLock(x) ⇔ isLock(x) ∗ isLock(x) 7 / 33

  19. Recursive Abstractions Event Loop Memory Safety Specification ∃ eloop : Val → Prop . { emp } { eloop(ret) } new EventLoop() { eloop(x) } { eloop(x) } x.loop() { eloop(x) } { eloop(x) } x.signal() { eloop(x) ∗ P } { eloop(x) } x.when(f) ∀ x : Val . eloop(x) ⇔ eloop(x) ∗ eloop(x) where P = f �→ { emp }{ emp } 8 / 33

  20. Recursive Abstractions Event Loop Memory Safety Specification ∃ eloop : Val → Prop . { emp } { eloop(ret) } new EventLoop() { eloop(x) } { eloop(x) } x.loop() { eloop(x) } { eloop(x) } x.signal() { eloop(x) ∗ P } { eloop(x) } x.when(f) ∀ x : Val . eloop(x) ⇔ eloop(x) ∗ eloop(x) where P = f �→ { emp }{ emp } Event handler must run without any resources but emitting an event requires an eloop(x) resource! 8 / 33

  21. Recursive Abstractions Reentrant Event Loop Memory Safety Specification ∃ eloop : Val → Prop . { emp } { eloop(ret) } new EventLoop() { eloop(x) } { eloop(x) } x.loop() { eloop(x) } { eloop(x) } x.signal() { eloop(x) ∗ P } { eloop(x) } x.when(f) ∀ x : Val . eloop(x) ⇔ eloop(x) ∗ eloop(x) where P = f �→ { eloop(x) }{ eloop(x) } 8 / 33

  22. Recursive Abstractions Verifying a lock-based event loop implementation ◮ Since we are interested in memory safety, eloop has to specify the memory footprint of the event loop. 9 / 33

  23. Recursive Abstractions Verifying a lock-based event loop implementation ◮ Since we are interested in memory safety, eloop has to specify the memory footprint of the event loop. ◮ Since an event loop can call handlers, its footprint include the footprint of its handlers. ◮ Since handlers can signal events, the footprint of handlers include the footprint of their event loop. 9 / 33

  24. Recursive Abstractions Verifying a lock-based event loop implementation ◮ Since we are interested in memory safety, eloop has to specify the memory footprint of the event loop. ◮ Since an event loop can call handlers, its footprint include the footprint of its handlers. ◮ Since handlers can signal events, the footprint of handlers include the footprint of their event loop. ◮ The footprint of an event loop is thus recursively defined. 9 / 33

  25. Recursive Abstractions Verifying a lock-based event loop implementation ◮ Imagine an implementation that maintains a set of signal handlers and a set of pending signals, protected by a lock: EventLoop : IEventLoop { class Lock lock ; private Set < handler > h a n d l e r s ; private Set < s i g n a l > s i g n a l s ; private . . . } ◮ Tying Landin’s Knot using a reference protected by a lock. 10 / 33

  26. Recursive Abstractions Verifying a lock-based event loop implementation ◮ The footprint of an event loop is thus recursively defined and the recursion “goes through the lock” . 11 / 33

  27. Recursive Abstractions Verifying a lock-based event loop implementation ◮ The footprint of an event loop is thus recursively defined and the recursion “goes through the lock” . ◮ We define eloop using guarded recursion and the third-order isLock representation predicate: eloop = fix ( λ eloop : Val → Prop . λ x : Val . ∃ l . x . lock �→ l ∗ isLock( l , ∃ y , z , A , B . set (y , A ) ∗ set (z , B ) ∗ x . handlers �→ y ∗ x . signals �→ z ∗ ∀ a ∈ A . ⊲ a �→ { eloop(x) }{ eloop(x) } )) 11 / 33

  28. Recursive Abstractions Verifying a lock-based event loop implementation ◮ The footprint of an event loop is thus recursively defined and the recursion “goes through the lock” . ◮ We define eloop using guarded recursion and the third-order isLock representation predicate: eloop = fix ( λ eloop : Val → Prop . λ x : Val . ∃ l . x . lock �→ l ∗ isLock( l , ∃ y , z , A , B . set (y , A ) ∗ set (z , B ) ∗ x . handlers �→ y ∗ x . signals �→ z ∗ ∀ a ∈ A . ⊲ a �→ { eloop(x) }{ eloop(x) } )) 11 / 33

Recommend

Iris: a framework for higher-order concurrent separation logic in Coq Robbert Krebbers 1 Delft

Iris: a framework for higher-order concurrent separation logic in Coq Robbert Krebbers 1 Delft

Iris: a framework for higher-order concurrent separation logic in Coq Robbert Krebbers 1 Delft University of Technology, The Netherlands January 15, 2017 @ TTT, Paris, France 1 Iris is joint work with: Ralf Jung, Jacques-Hendri Jourdan, Ale s

1.49k views • 124 slides
Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Amin Timany 2

Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Amin Timany 2

Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Amin Timany 2 Lars Birkedal 3 1 Delft University of Technology, The Netherlands 2 imec-Distrinet, KU Leuven, Belgium 3 Aarhus University, Denmark January 18, 2017 @

953 views • 71 slides
Iris Proof Mode Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1

Iris Proof Mode Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1

Iris Proof Mode Interactive Proofs in Higher-Order Concurrent Separation Logic Robbert Krebbers 1 Delft University of Technology, The Netherlands June 12, 2017 @ MFPS, Ljubljana, Slovenia 1 Iris is joint work with: Ralf Jung, Jacques-Henri

1.16k views • 87 slides
Iron: Managing Obligations in Higher-Order Concurrent Separation Logic s Bizjak 1 Daniel Gratzer 1

Iron: Managing Obligations in Higher-Order Concurrent Separation Logic s Bizjak 1 Daniel Gratzer 1

Iron: Managing Obligations in Higher-Order Concurrent Separation Logic s Bizjak 1 Daniel Gratzer 1 Ale Robbert Krebbers 2 Lars Birkedal 1 1 Aarhus University 2 Delft University of Technology January 17, 2019 POPL 2019

566 views • 38 slides
Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics

Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics

Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics Group Dept. of Comp. Science, Aarhus University (Joint work with J. Bengtson, J.B. Jensen, H. Mehnert, P . Sestoft, F . Sieczkowski) April 2013

499 views • 34 slides
A Simple Model of Separation Logic for Higher-order Store Lars Birkedal IT University of

A Simple Model of Separation Logic for Higher-order Store Lars Birkedal IT University of

A Simple Model of Separation Logic for Higher-order Store Lars Birkedal IT University of Copenhagen Joint work with B. Reus, J. Schwinghammer, H. Yang July, 2008 Lars Birkedal (ITU) Sep. Logic for Higher-order Store ICALP 1 / 20

457 views • 20 slides
Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Why higher-order logic? Higher-Order logic Expressive Mathematics Verification

Extending SMT solvers to higher-order logic Haniel Barbosa Andrew Reynolds Daniel El Ouraoui Clark Barrett Cesare Tinelli SMT 2019 20190707, Lisbon, PT To be published in the proceedings of CADE 2019 Why higher-order logic?

569 views • 25 slides
Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa,

Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa,

Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa, Aquinas Hobor and John Wickerson IRIS Day OScience, Coronavirus Lockdown Edition Tuesday 7th April, 2020 1/ 13 Concurrent separation logic (

164 views • 13 slides
Concurrent separation logic and operational semantics Viktor Vafeiadis MPI-SWS What is the

Concurrent separation logic and operational semantics Viktor Vafeiadis MPI-SWS What is the

Concurrent separation logic and operational semantics Viktor Vafeiadis MPI-SWS What is the paper about? Soundness proof for CSL Simple Extensible Permissions RGSep Storable locks [Buisse, Birkedal, Stvring, MFPS 2011] Concurrent

270 views • 14 slides
Verifying a hash table and its iterators in higher-order separation logic Franois Pottier

Verifying a hash table and its iterators in higher-order separation logic Franois Pottier

Verifying a hash table and its iterators in higher-order separation logic Franois Pottier Vocal meeting Paris, November 10, 2016 Motivation Why verify a hash table implementation ? a simple and useful data structure implements an

499 views • 19 slides
Mechanized proofs in higher-order separation logic Robbert Krebbers Delft University of

Mechanized proofs in higher-order separation logic Robbert Krebbers Delft University of

Mechanized proofs in higher-order separation logic Robbert Krebbers Delft University of Technology, The Netherlands February 5, 2019 @ Vrije Universiteit, Amsterdam, The Netherlands 1 Tactic-style proofs (as in LCF/Coq/HOL/ etc. ) have shown to

978 views • 97 slides
SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil

SteelCore: An Extensible Concurrent Separation Logic for Effectful Dependent Programs Nikhil Swamy, Aseem Rastogi, Aymeric Fromherz , Denis Merigoux, Danel Ahman, Guido Martinez ICFP 2020 1/12 Verifying Concurrent Programs Lots of recent work

556 views • 37 slides
Relaxed separation logic Viktor Vafeiadis Chinmay Narayan MPI-SWS IIT Delhi Concurrent program

Relaxed separation logic Viktor Vafeiadis Chinmay Narayan MPI-SWS IIT Delhi Concurrent program

Relaxed separation logic Viktor Vafeiadis Chinmay Narayan MPI-SWS IIT Delhi Concurrent program logics Goal: Understand concurrent programs. Tool: Concurrent program logics: C oncurrent S eparation L ogic OG, RG, RGSep, LRG, DG, CAP, CaReSL.

345 views • 16 slides
Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan,

Cosmo: a concurrent separation logic for Multicore OCaml Glen Mvel , Jacques-Henri Jourdan, Franois Pottier August, 2020 ICFP, New York LRI &amp; Inria, Paris, France This talk Our aim: Verifying fine-grained concurrent

511 views • 38 slides
Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS)

Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS)

Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) Dagstuhl, 2015-11-02 Plan for the talk Talk outline Motivation Basic separation logic Concurrent separation logic Frame inference

597 views • 21 slides
Relational reasoning using concurrent separation logic Robbert Krebbers 1 Delft University of

Relational reasoning using concurrent separation logic Robbert Krebbers 1 Delft University of

Relational reasoning using concurrent separation logic Robbert Krebbers 1 Delft University of Technology, The Netherlands January 20, 2020 @ ADSL, New Orleans, USA 1 This is joint work with Dan Frumin (Radboud University) and Lars Birkedal (Aarhus

1.78k views • 126 slides
On Congruence Property of Scope Equivalence for Concurrent Programs with Higher-Order

On Congruence Property of Scope Equivalence for Concurrent Programs with Higher-Order

On Congruence Property of Scope Equivalence for Concurrent Programs with Higher-Order Communication Masaki Murakami Okayama University JAPAN A Formal Model of Concurrent Systems the model presented here is a translation of asynchronous

847 views • 31 slides
Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Introduction In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing Hoare logic separation logic. We looked at the concepts separation logic is based on, the new assertions that

396 views • 14 slides
On Temporal and Separation Logics St ephane Demri CNRS, LSV, ENS Paris-Saclay TIME18

On Temporal and Separation Logics St ephane Demri CNRS, LSV, ENS Paris-Saclay TIME18

On Temporal and Separation Logics St ephane Demri CNRS, LSV, ENS Paris-Saclay TIME18 Warsaw, October 2018 The blossom of separation logics Separation logic: extension of Hoare-Floyd logic for (concurrent) programs with mutable data

642 views • 48 slides
Semantics and A utomation of Higher-Order Logic Some Remarks Christoph Benzm uller

Semantics and A utomation of Higher-Order Logic Some Remarks Christoph Benzm uller

Semantics and A utomation of Higher-Order Logic Some Remarks Christoph Benzm uller Department of Computer Science, Saarland University Workshop on Logic, Proofs and Programs 17 18 June 2004, Nancy First-order Logic c

607 views • 42 slides
HIGHER-ORDER IMPERATIVE PROGRAMS MORTEN KROGH-JESPERSEN PHD-STUDENT, LOGIC AND SEMANTICS GROUP

HIGHER-ORDER IMPERATIVE PROGRAMS MORTEN KROGH-JESPERSEN PHD-STUDENT, LOGIC AND SEMANTICS GROUP

MODULAR REASONING ABOUT CONCURRENT HIGHER-ORDER IMPERATIVE PROGRAMS MORTEN KROGH-JESPERSEN PHD-STUDENT, LOGIC AND SEMANTICS GROUP WHAT IS IT THAT YOU DO? MORTEN KROGH-JESPERSEN THE LOGIC AND SEMANTICS GROUP Lars Birkedal Ranald Clouston

512 views • 15 slides
Proof Engineering of Higher Order Logic Wang) Collaboration, Translation, Checking and Retrieval

Proof Engineering of Higher Order Logic Wang) Collaboration, Translation, Checking and Retrieval

Proof Engineering of Higher Order Logic Robert White (Shuai Proof Engineering of Higher Order Logic Wang) Collaboration, Translation, Checking and Retrieval Introduction Higher Order Logic HOL Kernel Inference Rules Robert White

539 views • 29 slides
Higher Order Proof Engineering Robert White ILLC/INRIA Cool Logic, ILLC 1/23 Higher Order

Higher Order Proof Engineering Robert White ILLC/INRIA Cool Logic, ILLC 1/23 Higher Order

Higher Order Proof Engineering Higher Order Proof Engineering Robert White ILLC/INRIA Cool Logic, ILLC 1/23 Higher Order Proof Engineering Outline Introduction HOL Light and HOL Proof Checking OpenTheory Holide and Dedukti ProofCloud

767 views • 23 slides
VERCORS: VERIFICATION OF CONCURRENT SYSTEMS MARIEKE HUISMAN UNIVERSITY OF TWENTE, NETHERLANDS

VERCORS: VERIFICATION OF CONCURRENT SYSTEMS MARIEKE HUISMAN UNIVERSITY OF TWENTE, NETHERLANDS

VERCORS: VERIFICATION OF CONCURRENT SYSTEMS MARIEKE HUISMAN UNIVERSITY OF TWENTE, NETHERLANDS OUTLINE OF THIS LECTURE How to ensure software quality? Classical program logic Separation logic The next challenge: concurrent

1.36k views • 108 slides

More recommend