rely guarantee references for refinement types over
play

Rely-Guarantee References for Refinement Types over Aliased Mutable - PowerPoint PPT Presentation

Jun 10, 2023 •466 likes •739 views

Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon, Michael D. Ernst, and Dan Grossman University of Washington PLDI 2013 Static Verification Meets Aliasing 2 3 x:ref y:ref x := !x+1; m(y);

  1. Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon, Michael D. Ernst, and Dan Grossman University of Washington PLDI 2013

  2. Static Verification Meets Aliasing 2 3 x:ref ℕ y:ref ℕ x := !x+1; m(y); static_assert(!x > 0);  Pass or fail?

  3. Static Program Verification: Mutation + Aliases • Common approaches: – Restrict aliasing • Separation Logic, Linear & Uniqueness Types – Restrict mutation • Read-only access • Reference Immutability, Region & Effect Systems

  4. Our Approach: Describe Mutation • Arbitrary binary relations • Explicitly characterize: – How data may change over time • Side effects, type state, protocols, invariants, monotonicity… • Lots of prior work, all working around aliasing – Safe assumptions in the presence of mutation through aliases • Eye towards backwards compatibility: – Subsume standard references, reference immutability

  5. Rely-Guarantee References • New approach to static verification of imperative programs • Formal core type system + proofs – Uses dependent types • Implementation as Coq DSL • Characterized proof burden for 4 examples – Roughly on par w/ pure functional equivalents

  6. Outline • Concurrent Reasoning for Aliases • Typechecking Rely-Guarantee References • Technical Challenge: Nested References • Intuition for Soundness • Conclusions

  7. A Duality: Threads & Aliases • Mutation by aliases ≈ thread interference • Actions through aliases can be seen as concurrent • Rely-Guarantee reasoning is good for threads – Summarizes possible interference • We can adapt concurrent analyses to treat aliasing – A few differences to discuss later

  8. Thread & Alias Interference Thread Interference Alias Interference 0 0 let x = ref 0 in let x = ref 0 in atomic_inc(x) atomic_inc(x) inc x; assert(!x>0) assert(!x>0) let y = x in inc x; assert(!y > 0);

  9. Rely-Guarantee for Threads • Characterize thread interference: 1. Rely summarizes expected interference 2. Guarantee bounds thread actions 3. Stable assertions are preserved by interference 4. Compatible threads: each rely assumes at least the other’s guarantee

  10. Rely-Guarantee for References • Characterize alias interference: 1. Rely summarizes alias interference 2. Guarantee bounds actions through this alias 3. Stable predicates preserved by interference 4. Compatible aliases: if x == y, then x.G ⊆ y.R && y.G ⊆ x.R • Subsumes ML references! (OCaml, SML, etc.)

  11. Rely-Guarantee Reference Type Predicate (e.g. >0) ref{ τ |P}[ }[R,G] standard Rely (e.g. ==) Guarantee (e.g. ≤ ) reference

  12. Alias Interference Revisited 2 3 R G R G x:ref{ ℕ|>0}{==,≤} y:ref{ ℕ|>0}{≤,==} ❹ ❶ ❷ ≤(2,3) ⇒ ≤(2,3) 2 > 0 ∧ ≤(2,3) ❸ x:=!x+1; ⇒ 3 > 0 1 Rely, 2 Guarantee, 3 Stable, 4 Compatible

  13. Splitting for Compatible References • x:ref{nat|P}[ ≈,havoc] cannot be duplicated – Duplicates must be compatible (#4) – havoc ⊈ ≈ • Must track & restrict duplication: – let y = x in … could create • Two immutable refs (ref{nat|P }[≈, ≈]) • Two unrestricted refs (ref{nat|any}[havoc, havoc]) • Producer/consumer (ref{nat|any }[≥,≤] and ref{nat|any }[≤,≥])

  14. Outline • Concurrent Reasoning for Aliases • Typechecking Rely-Guarantee References • Technical Challenge: Nested References • Intuition for Soundness • Conclusions

  15. A Coq DSL for Rely-Guarantee References • Shallow DSL embedding in a proof assistant • Satisfying proof obligations – Separated from program text – Semi-automatic • Examples include – Monotonic Counter • Simple, but illustrative • Specify how data changes over time, not inc operation – Reference Immutability

  16. Example: A Monotonic Counter Definition increasing : hrel nat := ( λ n n ’ h h ’. n <= n'). Definition counter := ref{nat|pos}[increasing,increasing]. Definition read (c:counter) : nat := !c. Definition inc (p:counter) : unit := [p]:= !p + 1. Definition mkCounter (u:unit) : counter := Alloc 1. Example test_counter (u:unit) : unit := x <- mkCounter tt; inc x. Proofs automatically discharged

  17. Invalid Code: Decrement a Monotonic Counter Definition counter := ref{nat|pos}[increasing,increasing]. Definition dec (p:counter) : unit := [p]:= !p - 1.

  18. Reference Immutability via Rely-Guarantee References • writable T ≝ ref{T|any}[havoc,havoc] • readable T ≝ ref{T|any}[havoc, ≈ ] • immutable T ≝ ref{T|any}[ ≈ , ≈ ] • Suggests a spectrum: ML refs ⊆ RI ⊆ ... ⊆ RGref

  19. Outline • Concurrent Reasoning for Aliases • Typechecking Rely-Guarantee References • Technical Challenge: Nested References • Intuition for Soundness • Conclusions

  20. References to References • Folding – If x.f is a ref, and x’s type disallows mutation to anything, type of !x.f should, too • Containment – ref{T|P}[R,G]: if T contains refs, R permits their interference as well • Precision – P,R,G only depend on heap reachable from the T they apply to Non-issues in concurrent program logics: no “threads to threads”

  21. Outline • Concurrent Reasoning for Aliases • Typechecking Rely-Guarantee References • Technical Challenge: Nested References • Intuition for Soundness • Conclusions

  22. How to Preserve Refinements • Well-formed ref{ τ |P}[R,G] (e.g. r ef{ int|>0}[ ≤ , ≤ ]) – P is stable with respect to R (#3) – Enforce containment, precision • Aliases as x:ref{ τ |P}[R,G] and y: ref{ τ | P’ }[ R’ , G’ ] – Relies summarize guarantees (#4): G’ ⊆ R, G ⊆ R’ – Ensured by splitting semantics and folding • Actions in x.G are included in alias y’s y.R, and thus by stability preserves y.P

  23. Outline • Concurrent Reasoning for Aliases • Typechecking Rely-Guarantee References • Technical Challenge: Nested References • Intuition for Soundness • Conclusions

  24. Future Work • We’ve worked out a core system • Route to a full system: – Non-atomic updates – Internalizing proof terms (in progress) – Better datatype definitions – Borrowing – Concurrency (in progress) – More examples / experience

  25. Related Work • Rely-guarantee program logics – Mostly concurrent – Explicit Stabilization (Wickerson’10) used for malloc – We apply RG at a much finer granularity • Reference Immutability, Ownership – Notion of per-reference read-only – Tschantz’05, Zibin’07, Dietl’07, Zibin’10, Gordon’12 – We generalize read-only to arbitrary relations • Dependent types for imperative programs – Types depend only on immutable data (DML, etc.) – Or bake in a low-level program logic (Ynot / Hoare Type Theory) – Our types directly treat interference

  26. Conclusion • Rely-Guarantee References – Directly address alias interference – Key challenge: nested references – Apply concurrent verification insights to aliasing • We applied rely-guarantee • Other correspondences exist • Promising early results – Modest proof burden – Backwards compatible with more traditional systems https://github.com/csgordon/rgref/

Recommend

On Rely-Guarantee Reasoning Stephan van Staden June 29, 2015 1 / 15 Overview Introduction

On Rely-Guarantee Reasoning Stephan van Staden June 29, 2015 1 / 15 Overview Introduction

On Rely-Guarantee Reasoning Stephan van Staden June 29, 2015 1 / 15 Overview Introduction Basics of Rely-Guarantee Overview of the paper Two techniques for constructing Rely-Guarantee models Soundness results The traditional

272 views • 23 slides
Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL

Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL

Verification of Parallel Programs with the Owicki-Gries and Rely-Guarantee Methods in Isabelle/HOL Leonor Prensa Nieto TU M unchen Marseille, 7 January 2002 Isabelle HOL = Overview Motivation. Hoare logic for

263 views • 23 slides
Rely-Guarantee Protocols Filipe Milito 1,2 Jonathan Aldrich 1 Lus Caires 2 1 Carnegie Mellon

Rely-Guarantee Protocols Filipe Milito 1,2 Jonathan Aldrich 1 Lus Caires 2 1 Carnegie Mellon

ECOOP 2014 Rely-Guarantee Protocols Filipe Milito 1,2 Jonathan Aldrich 1 Lus Caires 2 1 Carnegie Mellon University, Pittsburgh, USA 2 Universidade Nova de Lisboa, Lisboa, Portugal Motivation Mutable state can be useful in certain cases.

1.45k views • 109 slides
Rely/Guarantee Reasoning for Asynchronous Programs Ivan Gavran 1 , Filip Niksic 1 , Aditya Kanade

Rely/Guarantee Reasoning for Asynchronous Programs Ivan Gavran 1 , Filip Niksic 1 , Aditya Kanade

Rely/Guarantee Reasoning for Asynchronous Programs Ivan Gavran 1 , Filip Niksic 1 , Aditya Kanade 2 , Rupak Majumdar 1 , Viktor Vafeiadis 1 1 Max Planck Institute for Software Systems (MPI-SWS), Germany 2 Indian Institute of Science, Bangalore,

672 views • 52 slides
Refinement Types for Algebraic Effects Danel Ahman Gordon Plotkin LFCS, University of

Refinement Types for Algebraic Effects Danel Ahman Gordon Plotkin LFCS, University of

Refinement Types for Algebraic Effects Danel Ahman Gordon Plotkin LFCS, University of Edinburgh TYPES 2015 Tallinn Todays plan Value ref. types Computation ref. types Algebraic theories Value

368 views • 21 slides
References 7 January 2019 OSU CSE 1 Primitive vs. Reference Types Java types are divided

References 7 January 2019 OSU CSE 1 Primitive vs. Reference Types Java types are divided

References 7 January 2019 OSU CSE 1 Primitive vs. Reference Types Java types are divided into two different categories: The built-in types are called primitive types Includes boolean , char , int , double All other types are

1.26k views • 86 slides
Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa

Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa

Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa Cruz joint work with: Cormac Flanagan (University of California, Santa Cruz) March 25, 2007 Assertions / Refinement Types The role of assertions in

386 views • 37 slides
Developing programs by Splitting atoms (rely/guarantee conditions, data reification, . . . )

Developing programs by Splitting atoms (rely/guarantee conditions, data reification, . . . )

Developing programs by Splitting atoms (rely/guarantee conditions, data reification, . . . ) Cliff B Jones Computing Science Newcastle University FMCO 2008-10-22 Cliff B Jones (Newcastle) Developing programs by Splitting atoms

603 views • 36 slides
A marriage of rely/guarantee &amp; separation logic Viktor V afeiadis MPI - SWS Coarse - grain

A marriage of rely/guarantee &amp; separation logic Viktor V afeiadis MPI - SWS Coarse - grain

A marriage of rely/guarantee &amp; separation logic Viktor V afeiadis MPI - SWS Coarse - grain locking 2 3 5 7 11 13 Coarse - grain locking 2 3 5 7 11 13 Fine - grain locking Pessimistic: lock - coupling 2 3 5 7 11 13 Fine -

743 views • 57 slides
Variables &amp; References Variables with primitive types: Primitive types Lower

Variables &amp; References Variables with primitive types: Primitive types Lower

Variables &amp; References Variables with primitive types: Primitive types Lower case names int, float, double, boolean, Declare variables: &lt;type name&gt; &lt;variableName&gt;; Memory will be allocated to

399 views • 12 slides
Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security

Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security

Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security Protocol Analysis C t lin Hri cu Prof. Dr. Holger Hermanns (UdS) Dean of Math and CS Faculty Prof. Dr. Gert Smolka (UdS) Chair of Examination

1.39k views • 107 slides
Higher-Order Approximate Relational Refinement Types for Mechanism Design and Differential

Higher-Order Approximate Relational Refinement Types for Mechanism Design and Differential

Higher-Order Approximate Relational Refinement Types for Mechanism Design and Differential Privacy Gilles Barthe, Marco Gaboardi, Emilio Jess Gallego Arias, Justin Hsu, Aaron Roth, Pierre-Yves Strub UPenn-Mines ParisTech, IMDEA Software

905 views • 89 slides
Higher-Order Relational Refinement Types for Mechanism Design and Differential Privacy Gilles

Higher-Order Relational Refinement Types for Mechanism Design and Differential Privacy Gilles

Higher-Order Relational Refinement Types for Mechanism Design and Differential Privacy Gilles Barthe 1 , Marco Gaboardi 2 , Emilio Jess Gallego Arias 3 , 4 , Justin Hsu 4 , Aaron Roth 4 , Pierre-Yves Strub 1 1 IMDEA Software, 2 University of

1.16k views • 77 slides
Introduction to Block-Structured Adaptive Mesh Refinement (AMR) Ann S. Almgren Center for

Introduction to Block-Structured Adaptive Mesh Refinement (AMR) Ann S. Almgren Center for

Introduction to Block-Structured Adaptive Mesh Refinement (AMR) Ann S. Almgren Center for Computational Sciences and Engineering (Building 50A) Lawrence Berkeley National Laboratory asalmgren@lbl.gov Almgren p. 1/25 Types of Refinement

968 views • 49 slides
Programs Synthesis from Polymorphic Refinement Types Nadia Polikarpova Ivan Kuraj Armando

Programs Synthesis from Polymorphic Refinement Types Nadia Polikarpova Ivan Kuraj Armando

Programs Synthesis from Polymorphic Refinement Types Nadia Polikarpova Ivan Kuraj Armando Solar-Lezama Program synthesis Make a list with n copies of x declarative specification Synthesizer ? 2 50 replicate n x = if if n 0

651 views • 41 slides
Outline References References References References Principles of Complex Systems Course 300,

Outline References References References References Principles of Complex Systems Course 300,

References Outline References References References References Principles of Complex Systems Course 300, Fall, 2008 Prof. Peter Dodds References Department of Mathematics &amp; Statistics University of Vermont Licensed under the Creative

274 views • 5 slides
Outline References References References References Complex Networks, Course 295A, Spring,

Outline References References References References Complex Networks, Course 295A, Spring,

References Outline References References References References Complex Networks, Course 295A, Spring, 2008 Prof. Peter Dodds Department of Mathematics &amp; Statistics References University of Vermont Licensed under the Creative Commons

460 views • 4 slides
Constrained Horn Clauses ( and Refinement Types) Toby Cathcart Burn, Luke Ong and Steven Ramsay

Constrained Horn Clauses ( and Refinement Types) Toby Cathcart Burn, Luke Ong and Steven Ramsay

Higher-Order Constrained Horn Clauses ( and Refinement Types) Toby Cathcart Burn, Luke Ong and Steven Ramsay University of Oxford l l e e t t add add x y = x + y l l e e t t r e c it iter er f m n = i i f f n 0 t t h h e

318 views • 31 slides
References Propositions as Types [1] Chapter 6 of: Basic Simple Type Theory , J. Roger Hindley,

References Propositions as Types [1] Chapter 6 of: Basic Simple Type Theory , J. Roger Hindley,

References Propositions as Types [1] Chapter 6 of: Basic Simple Type Theory , J. Roger Hindley, Cambridge, 1997. The Curry-Howard Correspondence [2] The formulae-as-types notion of construction, Howard, William A. (1980) in [4], 479490.

534 views • 4 slides
Cuesta College Night Oct. 30, 2017 Transfer Admission Guarantee Programs in the CSU and UC

Cuesta College Night Oct. 30, 2017 Transfer Admission Guarantee Programs in the CSU and UC

Cuesta College Night Oct. 30, 2017 Transfer Admission Guarantee Programs in the CSU and UC Blake Reed, Counselor Thea Labrenz, Counselor Types of Guarantee Programs In the UC system they are refers to them as Transfer Admission

285 views • 14 slides
GUARANTEE GIVING OF A GUARANTEE MEANS: ENTERING INTO A CONTRACT TO PERFORM THE PROMISE OF

GUARANTEE GIVING OF A GUARANTEE MEANS: ENTERING INTO A CONTRACT TO PERFORM THE PROMISE OF

Chapter No. Page No. 9 201 International Finance IMPORT / EXPORT GUARANTEES GUARANTEE GIVING OF A GUARANTEE MEANS: ENTERING INTO A CONTRACT TO PERFORM THE PROMISE OF DISCHARGE THE LIABILITY OF THIRD PERSON IN CASE OF HIS DEFAULT.

463 views • 13 slides
Com pound Types: References, Pointers Where are we going with this? LHS and RHS LHS = Left

Com pound Types: References, Pointers Where are we going with this? LHS and RHS LHS = Left

Com pound Types: References, Pointers Where are we going with this? LHS and RHS LHS = Left Hand Side Means replace contents Set value where this thing is stored RHS = Right Hand Side Means value Evaluate expression,

231 views • 12 slides
Crystallographic refinement Roberto A. Steiner roberto.steiner@kcl.ac.uk with many slides

Crystallographic refinement Roberto A. Steiner roberto.steiner@kcl.ac.uk with many slides

Crystallographic refinement Roberto A. Steiner roberto.steiner@kcl.ac.uk with many slides contributed by Pavel Afonine Crystallography workshop - Trieste 23-27 April 2012 Key aspects of refinement Crystallographic refinement is the process by

1.55k views • 124 slides
Getting to know you... In what types of courses do you feel confident? Why? In what types of

Getting to know you... In what types of courses do you feel confident? Why? In what types of

Exam Preparation: Strategies for Success in Mathematics Courses and other Q-Courses Are you here to find the secret formula to Dr. Malgorzata Dubiel guarantee success in a Q-course? Senior Lecturer Dr. Jamie Mulholland Lecturer with

88 views • 8 slides

More recommend