time credits and time receipts in iris
play

Time credits and time receipts in Iris Glen Mvel , Jacques-Henri - PowerPoint PPT Presentation

Mar 14, 2023 •27 likes •577 views

Time credits and time receipts in Iris Glen Mvel , Jacques-Henri Jourdan, Franois Pottier Inria CNRS, LRI, Univ. Paris Sud, Universit Paris-Saclay April 8, 2019 Prague Introduction Problem Time receipts in action Soundness Conclusion

  1. Time credits and time receipts in Iris Glen Mével , Jacques-Henri Jourdan, François Pottier Inria CNRS, LRI, Univ. Paris Sud, Université Paris-Saclay April 8, 2019 Prague

  2. Introduction Problem Time receipts in action Soundness Conclusion This talk recent works: time credits aim: prove an upper bound on the running time of a program this talk: time receipts aim: assume an upper bound on the running time of a program These are dual notions. Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 1 / 17

  3. Introduction Problem Time receipts in action Soundness Conclusion This talk recent works: time credits aim: prove an upper bound on the running time of a program this talk: time receipts aim: assume an upper bound on the running time of a program These are dual notions. Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 1 / 17

  4. Introduction Problem Time receipts in action Soundness Conclusion Example: a unique symbol generator The function genSym returns fresh symbols: let lastSym = ref 0 let genSym () = lastSym . . = ! lastSym + 1 ; ! lastSym Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 2 / 17

  5. Introduction Problem Time receipts in action Soundness Conclusion Example: a unique symbol generator The function genSym returns fresh symbols: let lastSym = ref 0 (* unsigned 64-bit integer *) let genSym () = lastSym . . = ! lastSym + 1 ; (* may overflow! *) ! lastSym Strictly speaking, this code is not correct. Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 2 / 17

  6. Introduction Problem Time receipts in action Soundness Conclusion Example: a unique symbol generator The function genSym returns fresh symbols: let lastSym = ref 0 (* unsigned 64-bit integer *) let genSym () = lastSym . . = ! lastSym + 1 ; (* may overflow! *) ! lastSym Strictly speaking, this code is not correct. We still want to prove that this code is “correct” in some sense. Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 2 / 17

  7. Introduction Problem Time receipts in action Soundness Conclusion The Bounded Time Hypothesis [Clochard et al. , 2015] Counting from 0 to 2 64 takes centuries with a modern processor. Therefore, this overflow won’t happen in a lifetime. How to express this informal argument in separation logic? Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 3 / 17

  8. Introduction Problem Time receipts in action Soundness Conclusion The Bounded Time Hypothesis [Clochard et al. , 2015] Counting from 0 to 2 64 takes centuries with a modern processor. Therefore, this overflow won’t happen in a lifetime. How to express this informal argument in separation logic? In this talk: We answer this question using time receipts . We prove that Iris, extended with time receipts, is sound . Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 3 / 17

  9. A closer look at the problem

  10. Introduction Problem Time receipts in action Soundness Conclusion Specification of genSym A specification (in separation logic):   { P S }   P ∅ ∗ ∀ S . genSym ()   { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } for some proposition P S which represents: the ownership of the generator; the fact that S is the set of all symbols returned so far. Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 4 / 17

  11. Introduction Problem Time receipts in action Soundness Conclusion Tentative proof of genSym let lastSym = ref 0 let genSym () = lastSym . . = ! lastSym + 1 ; ! lastSym Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 5 / 17

  12. Introduction Problem Time receipts in action Soundness Conclusion Tentative proof of genSym {} let lastSym = ref 0 { P ∅} { P S } let genSym () = lastSym . . = ! lastSym + 1 ; ! lastSym { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 5 / 17

  13. Introduction Problem Time receipts in action Soundness Conclusion Tentative proof of genSym Invariant: P S � lastSym �→ max S {} let lastSym = ref 0 { P ∅} { P S } let genSym () = lastSym . . = ! lastSym + 1 ; ! lastSym { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 5 / 17

  14. Introduction Problem Time receipts in action Soundness Conclusion Tentative proof of genSym Invariant: P S � lastSym �→ max S {} let lastSym = ref 0 { lastSym �→ 0 } { P ∅} { P S } let genSym () = { lastSym �→ max S } lastSym . . = ! lastSym + 1 ; { lastSym �→ ⌊ max S + 1 ⌋ 2 64 } { ⌊ max S + 1 ⌋ 2 64 / ∈ S ∗ lastSym �→ ⌊ max S + 1 ⌋ 2 64 } ! lastSym { λ n . n / ∈ S ∗ lastSym �→ n } { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 5 / 17

  15. Introduction Problem Time receipts in action Soundness Conclusion Tentative proof of genSym Invariant: P S � lastSym �→ max S {} let lastSym = ref 0 { lastSym �→ 0 } { P ∅} { P S } let genSym () = { lastSym �→ max S } lastSym . . = ! lastSym + 1 ; { lastSym �→ ⌊ max S + 1 ⌋ 2 64 } Wrong {⌊ max S + 1 ⌋ 2 64 / ∈ S ∗ lastSym �→ ⌊ max S + 1 ⌋ 2 64 } ! lastSym { λ n . n / ∈ S ∗ lastSym �→ n } { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 5 / 17

  16. Introduction Problem Time receipts in action Soundness Conclusion An unpleasant workaround: patch the specification We may add a precondition to exclude any chance of overflow: { P S ∗ | S | < 2 64 − 1 }     P ∅ ∗ ∀ S . genSym ()   { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } This pollutes user proofs with cumbersome proof obligations. . . which may even be unprovable! Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 6 / 17

  17. Time receipts in action

  18. Introduction Problem Time receipts in action Soundness Conclusion Time receipts in separation logic To count execution steps, we introduce time receipts . Each step produces one time receipt, and only one : { True } x + y { λ z . z = ⌊ x + y ⌋ 2 64 ∗ � 1 } � Time receipts sum up: � 1 ∗ . . . ∗ � 1 ≡ � n � �� � n But time receipts do not duplicate (separation logic): � 1 �− ∗ � 1 ∗ � 1 Therefore, � n is a witness that (at least) n steps have been taken. Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 7 / 17

  19. Introduction Problem Time receipts in action Soundness Conclusion Proof of genSym using time receipts Invariant: P S � lastSym �→ max S {} let lastSym = ref 0 { lastSym �→ 0 } { P ∅} { P S } let genSym () = { lastSym �→ max S } lastSym . . = ! lastSym + 1 ; { lastSym �→ ⌊ max S + 1 ⌋ 2 64 } {⌊ max S + 1 ⌋ 2 64 / ∈ S ∗ lastSym �→ ⌊ max S + 1 ⌋ 2 64 } ! lastSym { λ n . n / ∈ S ∗ lastSym �→ n } { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 8 / 17

  20. Introduction Problem Time receipts in action Soundness Conclusion Proof of genSym using time receipts Invariant: P S � lastSym �→ max S ∗ � ( max S ) {} let lastSym = ref 0 { lastSym �→ 0 } We keep track of elapsed time. { P ∅} { P S } let genSym () = { lastSym �→ max S } lastSym . . = ! lastSym + 1 ; { lastSym �→ ⌊ max S + 1 ⌋ 2 64 } {⌊ max S + 1 ⌋ 2 64 / ∈ S ∗ lastSym �→ ⌊ max S + 1 ⌋ 2 64 } ! lastSym { λ n . n / ∈ S ∗ lastSym �→ n } { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 8 / 17

  21. Introduction Problem Time receipts in action Soundness Conclusion Proof of genSym using time receipts Invariant: P S � lastSym �→ max S ∗ � ( max S ) {} let lastSym = ref 0 { lastSym �→ 0 ∗ � 0 } { P ∅} { P S } let genSym () = { lastSym �→ max S ∗ � max S } lastSym . . = ! lastSym + 1 ; { lastSym �→ ⌊ max S + 1 ⌋ 2 64 ∗ � ( max S + 1 ) } {⌊ max S + 1 ⌋ 2 64 / ∈ S ∗ lastSym �→ ⌊ max S + 1 ⌋ 2 64 ∗ � ( max S + 1 ) } ! lastSym { λ n . n / ∈ S ∗ lastSym �→ n ∗ � n } { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 8 / 17

  22. Introduction Problem Time receipts in action Soundness Conclusion Proof of genSym using time receipts Invariant: P S � lastSym �→ max S ∗ � ( max S ) {} let lastSym = ref 0 { lastSym �→ 0 ∗ � 0 } Initialization { P ∅} We obtain 0 time receipts for free. { P S } let genSym () = { lastSym �→ max S ∗ � max S } lastSym . . = ! lastSym + 1 ; { lastSym �→ ⌊ max S + 1 ⌋ 2 64 ∗ � ( max S + 1 ) } {⌊ max S + 1 ⌋ 2 64 / ∈ S ∗ lastSym �→ ⌊ max S + 1 ⌋ 2 64 ∗ � ( max S + 1 ) } ! lastSym { λ n . n / ∈ S ∗ lastSym �→ n ∗ � n } { λ n . n / ∈ S ∗ P ( S ∪ { n } ) } Glen Mével , Jacques-Henri Jourdan, François Pottier Time credits and time receipts in Iris 8 / 17

Recommend

Time and Order slide credits: H. Kopetz, P. Puschner Why do we need a notion of time? Event

Time and Order slide credits: H. Kopetz, P. Puschner Why do we need a notion of time? Event

Time and Order slide credits: H. Kopetz, P. Puschner Why do we need a notion of time? Event identification and generation State before vs. after the event Event ordering Causal order (e.g., a may only have caused b if a happened

1.1k views • 57 slides
Real-Time System Modeling slide credits: H. Kopetz, P. Puschner Overview Model Construction

Real-Time System Modeling slide credits: H. Kopetz, P. Puschner Overview Model Construction

Real-Time System Modeling slide credits: H. Kopetz, P. Puschner Overview Model Construction Real-time clusters &amp; components Interfaces Real-time interfaces and observations Real-time images and temporal accuracy

1.24k views • 88 slides
Iris-Dashboard main screen Click on Create Task Icon Popup window shall appear

Iris-Dashboard main screen Click on Create Task Icon Popup window shall appear

Introduction Salient Features Target Audience Benefits M odules Instructions (One Time Installation) Installing Iris-ADX and supported applications Installing IRISADX Synchronization Service Filing Income Tax

653 views • 51 slides
Introduction to Real-Time Systems Peter Puschner slides credits: H. Kopetz, P. Puschner VO

Introduction to Real-Time Systems Peter Puschner slides credits: H. Kopetz, P. Puschner VO

Introduction to Real-Time Systems Peter Puschner slides credits: H. Kopetz, P. Puschner VO Echtzeitsysteme SS 2017 What is a Real-Time System? Definition 1: RT-systems are systems in which the correctness of the system behavior depends

502 views • 19 slides
E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed

E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed

E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed time for everything. And there is a time for every event under heaven A time to give birth and a time to die; A time to plant and a time to

626 views • 16 slides
Towards a Time-Predictable Node Peter Puschner slides credits: P. Puschner, R. Kirner, B. Huber

Towards a Time-Predictable Node Peter Puschner slides credits: P. Puschner, R. Kirner, B. Huber

Towards a Time-Predictable Node Peter Puschner slides credits: P. Puschner, R. Kirner, B. Huber VU 2.0 182.101 SS 2015 Embedded System Task timing is only ES Component

537 views • 25 slides
Real-Time Communication slide credits: H. Kopetz, P. Puschner Overview Communication system

Real-Time Communication slide credits: H. Kopetz, P. Puschner Overview Communication system

Real-Time Communication slide credits: H. Kopetz, P. Puschner Overview Communication system requirements Controlling the flow of messages Types of protocols Properties of communication protocols Protocol examples 2 Importance

2.22k views • 87 slides
HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1 Health, Safety, and Environment ( HSE ) is crucial for any Oil &amp; Gas and Construction business 2 Main Main accident kinds for the latest three

317 views • 13 slides
THE SOFTWARE Custom camera control software allows extra cameras to be added as needed allowing

THE SOFTWARE Custom camera control software allows extra cameras to be added as needed allowing

Time Slice systems - - also known as bullet time, stop time, or time freeze implement a camera array that ranges anywhere from 24 to 150+ cameras to create an effect of stopped time or extremely slowed time. Although the process was pioneered

197 views • 5 slides
Real-Time Component Software slide credits: H. Kopetz, P. Puschner Overview OS services

Real-Time Component Software slide credits: H. Kopetz, P. Puschner Overview OS services

Real-Time Component Software slide credits: H. Kopetz, P. Puschner Overview OS services Task Structure Task Interaction Input/Output Error Detection 2 Operating System and Middleware Application Software Component API OS

834 views • 47 slides
Engineering Economics 4-1 Cash Flow Cash flow is the sum of money recorded as receipts or

Engineering Economics 4-1 Cash Flow Cash flow is the sum of money recorded as receipts or

Engineering Economics 4-1 Cash Flow Cash flow is the sum of money recorded as receipts or disbursements in a projects financial records. A cash flow diagram presents the flow of cash as arrows on a time line scaled to the magnitude of the

383 views • 34 slides
Compilation and Worst-Case Execution-Time Analysis Peter Puschner slides credits: P. Puschner, R.

Compilation and Worst-Case Execution-Time Analysis Peter Puschner slides credits: P. Puschner, R.

Compilation and Worst-Case Execution-Time Analysis Peter Puschner slides credits: P. Puschner, R. Kirner, B. Huber VU 2.0 182.101 SS 2015 Why Compiler-Support for WCET

587 views • 40 slides
Building to Heal September 23-24, 2017 2018 Budget Receipts $950,270 2017 Receipts

Building to Heal September 23-24, 2017 2018 Budget Receipts $950,270 2017 Receipts

Year in Review July 2016 to June 2017 Building to Heal September 23-24, 2017 2018 Budget Receipts $950,270 2017 Receipts $961,904 Sunday &amp; Holy Days Fund Raising - Net Other Donations &amp; Rents Faith Formation Community

854 views • 8 slides
W HAT IS TIME SERIES D ATA ? W HAT IS TIME SERIES D ATA ? A value over time W HAT IS TIME

W HAT IS TIME SERIES D ATA ? W HAT IS TIME SERIES D ATA ? A value over time W HAT IS TIME

T IME S ERIES D ATA P APERS C OVERED Interactive Visualization of Serial Periodic Data John V. Carlis and Joseph A. Konstan Visualizing and Discovering Non-Trivial Patterns in Large Time Series Databases Jessica Lin, Eamonn Keogh,

764 views • 32 slides
? Same time Same time Same place Same time Same place 2 different painters Our story really

? Same time Same time Same place Same time Same place 2 different painters Our story really

? Same time Same time Same place Same time Same place 2 different painters Our story really begins here The Wise Man Grard Mari Professor of Art History at Sciences-Po The art guru who told fascinating stories Myself Coline Debayle

1.14k views • 57 slides
Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers

Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers

CPSC-313: Introduction to Computer Systems Time and Timers Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers Reading: R&amp;R, Ch 9 Current Time UNIX Time Zero : 00.00 (midnight), January 1,

244 views • 7 slides
Time of Arrival (ToA ToA) ) Time of Arrival ( Used in GPS. Need synchronization.

Time of Arrival (ToA ToA) ) Time of Arrival ( Used in GPS. Need synchronization.

Time of Arrival (ToA ToA) ) Time of Arrival ( Used in GPS. Need synchronization. If round-trip time is used, then accurate clocks are only needed at the anchors. 9/8/05 Jie Gao, CSE590-fall05 1 Time Difference of Arrival

830 views • 54 slides
International Time Use Community &amp; Policy-Relevant Time Use Research Time Use Research

International Time Use Community &amp; Policy-Relevant Time Use Research Time Use Research

International Time Use Community &amp; Policy-Relevant Time Use Research Time Use Research Kimberly Fisher Secretary International Association for Time Use Research Centre for Time Use Research Early Time Use Developments Earliest

661 views • 34 slides
XBRL Offerings from IRIS Presentation to Bolagsverket, Sweden What Does the Presentation Cover

XBRL Offerings from IRIS Presentation to Bolagsverket, Sweden What Does the Presentation Cover

XBRL Offerings from IRIS Presentation to Bolagsverket, Sweden What Does the Presentation Cover Introduction of IRIS IRIS T axonomy Development Services IRIS T axonomy Creation T ool IRIS Noah IRIS Validator

724 views • 41 slides
Time and synchronization (Theres never enough time) Todays outline Time in

Time and synchronization (Theres never enough time) Todays outline Time in

Time and synchronization (Theres never enough time) Todays outline Time in distributed systems A baseball example Synchronizing real clocks Cristians algorithm The Berkeley Algorithm Network

484 views • 21 slides
As a PhD student we have to much to handle and not enough time to get it all done Time

As a PhD student we have to much to handle and not enough time to get it all done Time

As a PhD student we have to much to handle and not enough time to get it all done Time management (Getting more done) Showan Asyabi- Shain Roozkhosh Time Management Techniques Urgent Not Urgent Important Paper Deadlines Quality Time

565 views • 15 slides
Run-time Environments Chapter 7 1 Compiler Construction Run-time Environments Run-time

Run-time Environments Chapter 7 1 Compiler Construction Run-time Environments Run-time

Run-time Environments Chapter 7 1 Compiler Construction Run-time Environments Run-time Environment The static source code requires considerable support to be executed on a computer Data objects must be created and destroyed

590 views • 42 slides
SUBGROUP 3 MEETING O C T O B E R 2 4 , 2 0 1 4 M I C H E L L E L . Y O U N K E R STUDENTS ARE

SUBGROUP 3 MEETING O C T O B E R 2 4 , 2 0 1 4 M I C H E L L E L . Y O U N K E R STUDENTS ARE

Ohio Mathematics Initiative SUBGROUP 3 MEETING O C T O B E R 2 4 , 2 0 1 4 M I C H E L L E L . Y O U N K E R STUDENTS ARE Taking too much time Taking too many credits Diverted into Remediation Not graduating 2 TOO MUCH TIME TO

776 views • 35 slides
Demography of First Time College Students Gender GENDER FIRST TIME % NOT FIRST TIME % Female

Demography of First Time College Students Gender GENDER FIRST TIME % NOT FIRST TIME % Female

Demography of First Time College Students Gender GENDER FIRST TIME % NOT FIRST TIME % Female 57.7% 63.7% Male 42.3% 36.3% ETHNICITY FIRST TIME % NOT FIRST TIME % Asian 15.8% 17.5% Black 13.9% 13.7% Hispanic 43.2% 42.5% White

456 views • 12 slides

More recommend