prophecy variables in separation logic
play

Prophecy Variables in Separation Logic (Extending Iris with Prophecy - PowerPoint PPT Presentation

Jan 14, 2023 •487 likes •1.02k views

Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung, Rodolphe Lepigre, Gaurav Parthasarathy, Marianna Rapoport, Amin Timany, Derek Dreyer, Bart Jacobs MPI-SWS, KU Leuven, ETH Zrich, University of Waterloo

  1. Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung, Rodolphe Lepigre, Gaurav Parthasarathy, Marianna Rapoport, Amin Timany, Derek Dreyer, Bart Jacobs MPI-SWS, KU Leuven, ETH Zürich, University of Waterloo Iris Workshop – Aarhus, October 2019

  2. Reasoning about the correctness of a program Forward reasoning is ofen easier and more natural: • Start at the beginning of a program’s execution • Reason about how it behaves as it executes 1

  3. Reasoning about the correctness of a program Forward reasoning is ofen easier and more natural: • Start at the beginning of a program’s execution • Reason about how it behaves as it executes Strictly forward reasoning is not always good enough! 1

  4. Reasoning about the correctness of a program Forward reasoning is ofen easier and more natural: • Start at the beginning of a program’s execution • Reason about how it behaves as it executes Strictly forward reasoning is not always good enough! Reasoning about the current execution step may require: • Information about past events (this is usual) • Knowledge of what will happen later in the execution 1

  5. Remember the past, know the future Auxiliary/ghost variables store information not present in the program’s physical state History variables [ Owicki & Gries 1976 ] (past): • Record what happened in the execution so far • Introduced in the context of Hoare logic • Widely used (modern form: user-defined ghost state) 2

  6. Remember the past, know the future Auxiliary/ghost variables store information not present in the program’s physical state History variables [ Owicki & Gries 1976 ] (past): • Record what happened in the execution so far • Introduced in the context of Hoare logic • Widely used (modern form: user-defined ghost state) Prophecy variables [ Abadi & Lamport 1991 ] (future): • Predict what will happen later in the execution • Introduced in the context of state machine refinement • Fairly exotic, (almost) never used for Hoare logic 2

  7. Motivating example: eager specification Let us look at a simple coin implementation: new_coin () � { val = ref ( nondet _ bool ()) } read_coin ( c ) � ! c . val 3

  8. Motivating example: eager specification Let us look at a simple coin implementation: new_coin () � { val = ref ( nondet _ bool ()) } read_coin ( c ) � ! c . val Used for the sake of presentation 3

  9. Motivating example: eager specification Let us look at a simple coin implementation: new_coin () � { val = ref ( nondet _ bool ()) } read_coin ( c ) � ! c . val Used for the sake of presentation We consider an “eager” coin specification: • A coin is only ever tossed once • Reading its value always gives the same result 3

  10. Motivating example: eager specification Let us look at a simple coin implementation: new_coin () � { val = ref ( nondet _ bool ()) } read_coin ( c ) � ! c . val Used for the sake of presentation We consider an “eager” coin specification: • A coin is only ever tossed once • Reading its value always gives the same result { True } new_coin () { c . ∃ b . Coin ( c , b ) } { Coin ( c , b ) } read_coin ( c ) { x . x = b ∧ Coin ( c , b ) } 3

  11. Motivating example: eager specification Let us look at a simple coin implementation: new_coin () � { val = ref ( nondet _ bool ()) } read_coin ( c ) � ! c . val Used for the sake of presentation We consider an “eager” coin specification: • A coin is only ever tossed once • Reading its value always gives the same result { True } new_coin () { c . ∃ b . Coin ( c , b ) } { Coin ( c , b ) } read_coin ( c ) { x . x = b ∧ Coin ( c , b ) } Coin ( c , b ) � c . val �→ b 3

  12. Motivating example: lazy implementation What if we want to flip the coin as late as possible? 4

  13. Motivating example: lazy implementation What if we want to flip the coin as late as possible? “Lazy” coin implementation: new_coin () � { val = ref ( None ) } read_coin ( c ) � match ! c . val with Some ( b ) ⇒ b | None ⇒ let b = nondet _ bool (); c . val ← Some ( b ); b end 4

  14. Motivating example: lazy implementation What if we want to flip the coin as late as possible? “Lazy” coin implementation: new_coin () � { val = ref ( None ) } read_coin ( c ) � match ! c . val with Some ( b ) ⇒ b | None ⇒ let b = nondet _ bool (); c . val ← Some ( b ); b end To keep the same spec we need prophecy variables!!! 4

  15. Prior work on prophecy variables Prophecy variables have been used in: • Verification tools based on reduction [ Sezgin et al. 2010 ] • Temporal logic [ Cook & Koskinen 2011, Lamport & Merz 2017 ] 5

  16. Prior work on prophecy variables Prophecy variables have been used in: • Verification tools based on reduction [ Sezgin et al. 2010 ] • Temporal logic [ Cook & Koskinen 2011, Lamport & Merz 2017 ] But never formally integrated into Hoare logic before!!! 5

  17. Prior work on prophecy variables Prophecy variables have been used in: • Verification tools based on reduction [ Sezgin et al. 2010 ] • Temporal logic [ Cook & Koskinen 2011, Lamport & Merz 2017 ] But never formally integrated into Hoare logic before!!! Only two previous attempts: • Vafeiadis’s thesis [ Vafeiadis 2007 ] (informal and flawed) • Structural approach [ Zhang et al. 2012 ] (too limited) 5

  18. Our contribution: prophecy variables in Hoare logic We are the first to give a formal account of prophecy variables in Hoare logic! • Our results are all formalized in the Iris framework • We also extended VeriFast with prophecy variables • Useful to prove logical atomicity (RDCSS, HW Queue) 6

  19. Our contribution: prophecy variables in Hoare logic We are the first to give a formal account of prophecy variables in Hoare logic! • Our results are all formalized in the Iris framework • We also extended VeriFast with prophecy variables • Useful to prove logical atomicity (RDCSS, HW Queue) Presented this morning by Ralf Prophecies help in case of “future-dependent” LP 6

  20. Key idea of our approach We leverage separation logic to easily ensure soundness!!! 7

  21. Key idea of our approach We leverage separation logic to easily ensure soundness!!! The high-level idea is to use new instruction for: • Predicting a future observation ( let p = NewProph ) • Realizing such an observation ( Resolve p to v ) 7

  22. Key idea of our approach We leverage separation logic to easily ensure soundness!!! Principles of prophecy variables in separation logic: 1. The future is ours • We model the right to resolve a prophecy as a resource • Proph B 1 ( p , b ) gives exclusive right to resolve p 7

  23. Key idea of our approach We leverage separation logic to easily ensure soundness!!! Principles of prophecy variables in separation logic: 1. The future is ours • We model the right to resolve a prophecy as a resource • Proph B 1 ( p , b ) gives exclusive right to resolve p “Assign a value to” 7

  24. Key idea of our approach We leverage separation logic to easily ensure soundness!!! Principles of prophecy variables in separation logic: 1. The future is ours • We model the right to resolve a prophecy as a resource • Proph B 1 ( p , b ) gives exclusive right to resolve p “Assign a value to” 2. We must fulfill our destiny • A prophecy can only be resolved to the predicted value • A contradiction can be derived if that is not the case 7

  25. “One-shot” prophecy variable specification Prophecy variables are manipulated using ghost code 8

  26. “One-shot” prophecy variable specification Prophecy variables are manipulated using ghost code { True } (Creates a one-shot prophecy variable p ) NewProph { p . ∃ b . Proph B 1 ( p , b ) } 8

  27. “One-shot” prophecy variable specification Prophecy variables are manipulated using ghost code Provides an exclusive resolution token { True } (Creates a one-shot prophecy variable p ) NewProph { p . ∃ b . Proph B 1 ( p , b ) } 8

  28. “One-shot” prophecy variable specification Prophecy variables are manipulated using ghost code Provides an exclusive resolution token { True } (Creates a one-shot prophecy variable p ) NewProph { p . ∃ b . Proph B 1 ( p , b ) } { Proph B 1 ( p , b ) } Resolve p to v (Resolves the prophecy p to value v ) { v = b } 8

  29. “One-shot” prophecy variable specification Prophecy variables are manipulated using ghost code Provides an exclusive resolution token { True } (Creates a one-shot prophecy variable p ) NewProph { p . ∃ b . Proph B 1 ( p , b ) } Consumes the resolution token { Proph B 1 ( p , b ) } Resolve p to v (Resolves the prophecy p to value v ) { v = b } 8

  30. “One-shot” prophecy variable specification Prophecy variables are manipulated using ghost code Provides an exclusive resolution token { True } (Creates a one-shot prophecy variable p ) NewProph { p . ∃ b . Proph B 1 ( p , b ) } Consumes the resolution token { Proph B 1 ( p , b ) } Resolve p to v (Resolves the prophecy p to value v ) { v = b } But we learn that the prophesied and resolved values are equal 8

  31. Back to the lazy coin example With the required ghost code the example becomes: new_coin () � { val = ref ( None ) , p = NewProph } read_coin ( c ) � match ! c . val with Some ( b ) ⇒ b | None ⇒ let b = nondet _ bool (); Resolve c . p to b ; c . val ← Some ( b ); b end 9

Recommend

Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung,

Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung,

Prophecy Variables in Separation Logic (Extending Iris with Prophecy Variables) Ralf Jung, Rodolphe Lepigre , Gaurav Parthasarathy, Marianna Rapoport, Amin Timany, Derek Dreyer, Bart Jacobs 1/18 What is Iris?! What are prophecy variables?! The

431 views • 18 slides
Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Introduction In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing Hoare logic separation logic. We looked at the concepts separation logic is based on, the new assertions that

396 views • 14 slides
Separation Logic for Non-local Control Flow and Block Scope Variables Robbert Krebbers Joint

Separation Logic for Non-local Control Flow and Block Scope Variables Robbert Krebbers Joint

Separation Logic for Non-local Control Flow and Block Scope Variables Robbert Krebbers Joint work with Freek Wiedijk Radboud University Nijmegen March 19, 2013 @ FoSSaCS, Rome, Italy What is this program supposed to do? int *p = NULL; l: if

907 views • 73 slides
Separation Logic for Non-local Control Flow and Block Scope Variables Robbert Krebbers Joint

Separation Logic for Non-local Control Flow and Block Scope Variables Robbert Krebbers Joint

Separation Logic for Non-local Control Flow and Block Scope Variables Robbert Krebbers Joint work with Freek Wiedijk Radboud University Nijmegen February 4, 2013 @ Gallium, INRIA Rocquencourt, France What is this program supposed to do? int

1.4k views • 103 slides
Extending propositional separation logic for robustness properties of separation logic Alessio

Extending propositional separation logic for robustness properties of separation logic Alessio

Extending propositional separation logic for robustness properties of separation logic Alessio Mansutti LSV, CNRS, ENS Paris-Saclay Paris - April 2019 What we will see An extension of propositional separation logic that can express some

569 views • 42 slides
A Probabilistic Separation Logic Justin Hsu UWMadison Computer Sciences 1 Brilliant

A Probabilistic Separation Logic Justin Hsu UWMadison Computer Sciences 1 Brilliant

A Probabilistic Separation Logic Justin Hsu UWMadison Computer Sciences 1 Brilliant Collaborators Gilles Barthe Kevin Liao Jialu Bao Simon Docherty Alexandra Silva 2 What Is Independence, Intuitively? Two random variables x and y are

1.28k views • 95 slides
Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS)

Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS)

Tutorial on separation logic Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) Dagstuhl, 2015-11-02 Plan for the talk Talk outline Motivation Basic separation logic Concurrent separation logic Frame inference

597 views • 21 slides
Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms Smaller Arthur Charguraud Franois Pottier LTP meeting Saclay, November 28, 2016 Motivation More Motivation Separation Logic with Read-Only

441 views • 27 slides
Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008

Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008

Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008 Timothe Martiel Research Topics in Software Engineering 1 / 19 Outline 1 From Separation Logic to Inheritance 2 Beyond Separation Logic 3 What About

553 views • 24 slides
BABYLON IN BIBLE BABYLON IN BIBLE PROPHECY PROPHECY PROPHECY PROPHECY By Andy Woods By Andy

BABYLON IN BIBLE BABYLON IN BIBLE PROPHECY PROPHECY PROPHECY PROPHECY By Andy Woods By Andy

BABYLON IN BIBLE BABYLON IN BIBLE PROPHECY PROPHECY PROPHECY PROPHECY By Andy Woods By Andy Woods Seven Areas Seven Areas Tower of Babel (Gen 11) ( ) Prophecies of Isaiah and Jeremiah (Isa 13-14; Jer 50-51) Zechariahs

680 views • 42 slides
An introduction to separation logic James Brotherston Programming Principles, Logic and

An introduction to separation logic James Brotherston Programming Principles, Logic and

An introduction to separation logic James Brotherston Programming Principles, Logic and Verification Group Dept. of Computer Science University College London, UK J.Brotherston@ucl.ac.uk Logic Summer School, ANU, 7 December 2015 1/ 19

789 views • 63 slides
Internal calculi for Separation Logic ephane Demri 1 Etienne Lozes 2 Alessio Mansutti 1 St

Internal calculi for Separation Logic ephane Demri 1 Etienne Lozes 2 Alessio Mansutti 1 St

Internal calculi for Separation Logic ephane Demri 1 Etienne Lozes 2 Alessio Mansutti 1 St January 14, 2020 1 LSV, CNRS, ENS Paris-Saclay 2 I3S, Universit e C ote dAzur Separation Logic 99 Logic of Bunched Implication ( BI ) [P.

310 views • 27 slides
Lecture 8/9 : Separation Logic Overview Assertion Logic Semantic Model

Lecture 8/9 : Separation Logic Overview Assertion Logic Semantic Model

CS6202: Advanced Topics in Programming Languages and Systems Lecture 8/9 : Separation Logic Overview Assertion Logic Semantic Model Hoare-style Inference Rules Specification and Annotations Linked List and Segments

1.02k views • 76 slides
Undecidability of propositional separation logic and its neighbours James Brotherston 1 and Max

Undecidability of propositional separation logic and its neighbours James Brotherston 1 and Max

Undecidability of propositional separation logic and its neighbours James Brotherston 1 and Max Kanovich 2 1 Imperial College London 2 Queen Mary University of London LICS-25, University of Edinburgh, 12 July 2010 Separation logic (Reynolds,

1.11k views • 31 slides
Computational Logic A Hands-on Introduction to Logic Programming 1 Syntax: Variables,

Computational Logic A Hands-on Introduction to Logic Programming 1 Syntax: Variables,

Computational Logic A Hands-on Introduction to Logic Programming 1 Syntax: Variables, Constants, Structures (using Prolog notation conventions) Variables: start with uppercase character (or ), may include and digits:

543 views • 30 slides
Biabduction (and Related Problems) in Array Separation Logic James Brotherston 1 Nikos Gorogiannis

Biabduction (and Related Problems) in Array Separation Logic James Brotherston 1 Nikos Gorogiannis

Biabduction (and Related Problems) in Array Separation Logic James Brotherston 1 Nikos Gorogiannis 2 Max Kanovich 1 1 UCL 2 Middlesex University University of Vienna, 14 Mar 2017 1/ 19 Compositional proofs in separation logic (1) Separation

1.14k views • 91 slides
Separation logic and fragments: from expressive power to decision procedures St ephane Demri

Separation logic and fragments: from expressive power to decision procedures St ephane Demri

Separation logic and fragments: from expressive power to decision procedures St ephane Demri CNRS Marie Curie Fellow Yorktown Heights, March 2015 In Memoriam: Morgan Deters 2 Overview Separation Logic in a Nutshell 1 2 Expressive

915 views • 55 slides
An introduction to separation logic James Brotherston Programming Principles, Logic and

An introduction to separation logic James Brotherston Programming Principles, Logic and

An introduction to separation logic James Brotherston Programming Principles, Logic and Verification Group Dept. of Computer Science University College London, UK J.Brotherston@ucl.ac.uk Oracle Labs, Brisbane, 4 December 2015 1/ 19

291 views • 27 slides
Why should we believe the Bible? Fulfilled Prophecy The Evidence of Fulfilled Prophecy The rise

Why should we believe the Bible? Fulfilled Prophecy The Evidence of Fulfilled Prophecy The rise

Why should we believe the Bible? Fulfilled Prophecy The Evidence of Fulfilled Prophecy The rise and fall of world kingdoms (Daniel 2:36-45) The coming of Cyrus (Isaiah 44:25; 45:1) The demise of Tyre (Ezekiel 26) The more than

615 views • 9 slides
Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview

Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview

CS6202: Advanced Topics in Programming Hoare Logic Hoare Logic Languages and Systems Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview Notation : {P} code {Q} Assertion Logic {P}

557 views • 19 slides
The God of Prophecy GOD is a God of Prophecy Remember the former things of old: for I am God,

The God of Prophecy GOD is a God of Prophecy Remember the former things of old: for I am God,

The God of Prophecy GOD is a God of Prophecy Remember the former things of old: for I am God, and there is none else; I am God, and there is none like me, Declaring the end from the beginning, and from ancient times the things that are not

326 views • 18 slides
Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa,

Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa,

Reasoning over Permissions Regions in Concurrent Separation Logic James Brotherston, Diana Costa, Aquinas Hobor and John Wickerson IRIS Day OScience, Coronavirus Lockdown Edition Tuesday 7th April, 2020 1/ 13 Concurrent separation logic (

164 views • 13 slides
On Temporal and Separation Logics St ephane Demri CNRS, LSV, ENS Paris-Saclay TIME18

On Temporal and Separation Logics St ephane Demri CNRS, LSV, ENS Paris-Saclay TIME18

On Temporal and Separation Logics St ephane Demri CNRS, LSV, ENS Paris-Saclay TIME18 Warsaw, October 2018 The blossom of separation logics Separation logic: extension of Hoare-Floyd logic for (concurrent) programs with mutable data

642 views • 48 slides
Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics

Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics

Charge! a framework for higher-order separation logic in Coq Lars Birkedal Logic and Semantics Group Dept. of Comp. Science, Aarhus University (Joint work with J. Bengtson, J.B. Jensen, H. Mehnert, P . Sestoft, F . Sieczkowski) April 2013

499 views • 34 slides

More recommend