Rely-Guarantee References for Refinement Types over Aliased Mutable Data

Similar documents
Rely-Guarantee References for Refinement Types Over Aliased Mutable Data

Uniqueness and Reference Immutability for Safe Parallelism

Static Lock Capabilities for Deadlock-Freedom

Refinement Types for TypeScript

Type Soundness and Race Freedom for Mezzo

Chapter 13: Reference. Why reference Typing Evaluation Store Typings Safety Notes

Chapter 13: Reference. Why reference Typing Evaluation Store Typings Safety Notes

c Copyright 2014 Colin S. Gordon

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Grafting Functional Support on Top of an Imperative Language

CSolve: Verifying C With Liquid Types

Verifying a Concurrent Garbage Collector using a Rely-Guarantee Methodology

High-Level Small-Step Operational Semantics for Software Transactions

Hoare Logic and Model Checking

Type Systems Winter Semester 2006

Hoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic

Hoare Logic and Model Checking

Type Theory meets Effects. Greg Morrisett

Hoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic

Hoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18

Advances in Programming Languages

Chapter 1. Introduction

Static and dynamic analysis: synergy and duality

It turns out that races can be eliminated without sacrificing much in terms of performance or expressive power.

Programming Languages Lecture 15: Recursive Types & Subtyping

CIS 500 Software Foundations Fall December 6

Administrivia. Existential Types. CIS 500 Software Foundations Fall December 6. Administrivia. Motivation. Motivation

Program logics for relaxed consistency

References. ( pointers )

David Glasser Michael D. Ernst CSAIL, MIT

Reasoning about modules: data refinement and simulation

Lecture 5 - Axiomatic semantics

The Case for Simple Object-Orientation in VDM++ Erik Ernst Aarhus University, Denmark

The theory of Mezzo. François Pottier. IHP, April 2014 INRIA

Subtyping. Lecture 13 CS 565 3/27/06

Object Ownership in Program Verification

Functional Programming with Isabelle/HOL

Reminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture

Verified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017

Mutation. COS 326 David Walker Princeton University

An Annotated Language

CS152: Programming Languages. Lecture 24 Bounded Polymorphism; Classless OOP. Dan Grossman Spring 2011

Subtyping (cont) Lecture 15 CS 565 4/3/08

Typed Assembly Language for Implementing OS Kernels in SMP/Multi-Core Environments with Interrupts

Types for References, Exceptions and Continuations. Review of Subtyping. Γ e:τ τ <:σ Γ e:σ. Annoucements. How s the midterm going?

The practice of Mezzo

Phantom Monitors: A Simple Foundation for Modular Proofs of Fine-Grained Concurrent Programs

Goal. CS152: Programming Languages. Lecture 15 Parametric Polymorphism. What the Library Likes. What The Client Likes. Start simpler.

Combined Static and Dynamic Mutability Analysis 1/31

Programming and Proving with Distributed Protocols Disel: Distributed Separation Logic.

Subtyping (cont) Formalization of Subtyping. Lecture 15 CS 565. Inversion of the subtype relation:

CS152: Programming Languages. Lecture 19 Shared-Memory Parallelism and Concurrency. Dan Grossman Spring 2011

Concurrency and Parallelism. CS152: Programming Languages. Lecture 19 Shared-Memory Parallelism and Concurrency. Concurrency vs. Parallelism.

Simplifying Loop Invariant Generation Using Splitter Predicates. Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University

Cover Page. The handle holds various files of this Leiden University dissertation

Mutation. COS 326 Andrew W. Appel Princeton University. slides copyright David Walker and Andrew W. Appel

Advances in Programming Languages

Object and Reference Immutability using Java Generics

More on Verification and Model Checking

The Mezzo case. Jonathan Protzenko. François Pottier FSFMA'13. Why design a new programming language?

Hiding local state in direct style: a higher-order anti-frame rule

Formal Verification Techniques for GPU Kernels Lecture 1

Checks and Balances - Constraint Solving without Surprises in Object-Constraint Programming Languages: Full Formal Development

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Lectures 24 and 25: Scheduling; Introduction to Effects

Lectures Basics in Procedural Programming: Machinery

The Typed λ Calculus and Type Inferencing in ML

Static Lock Capabilities for Deadlock Freedom

CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011

Effective Performance Measurement and Analysis of Multithreaded Applications

Static Analysis of Embedded C Code

Refinements to techniques for verifying shape analysis invariants in Coq

SIC: Provably Timing-Predictable Strictly In-Order Pipelined Processor Core

Verifying Concurrent Programs with VST

An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C

Towards Lean 4: Sebastian Ullrich 1, Leonardo de Moura 2.

Mutable References. Chapter 1

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics

RustBelt: Securing the Foundations of the Rust Programming Language

Deductive Program Verification with Why3, Past and Future

Compositional Cutpoint Verification

SECOMP Efficient Formally Secure Compilers to a Tagged Architecture. Cătălin Hrițcu INRIA Paris

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Semantics

Verification Condition Generation

Learning from Executions

Dependent types and program equivalence. Stephanie Weirich, University of Pennsylvania with Limin Jia, Jianzhou Zhao, and Vilhelm Sjöberg

Matching Logic. Grigore Rosu University of Illinois at Urbana-Champaign

Adam Chlipala University of California, Berkeley ICFP 2006

objects

The Checker Framework: pluggable static analysis for Java

Fortgeschrittene objektorientierte Programmierung (Advanced Object-Oriented Programming)

Why. an intermediate language for deductive program verification

Hoare triples. Floyd-Hoare Logic, Separation Logic

Aaron Turon! Mozilla Research

Encoding Separation Logic in Coq and Its Application

Theoretical Corner: The Non-Interference Property

Capabilities for Uniqueness and Borrowing

Foundations of the C++ Concurrency Memory Model

Towards a Practical, Verified Kernel

Transcription:

Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon, Michael D. Ernst, and Dan Grossman University of Washington PLDI 2013

Static Verification Meets Aliasing 23 x:ref N y:ref N x :=!x+1; m(y); static_assert(!x > 0); Pass or fail?

Static Program Verification: Mutation + Aliases Common approaches: Restrict aliasing Separation Logic, Linear & Uniqueness Types Restrict mutation Read-only access Reference Immutability, Region & Effect Systems

Our Approach: Describe Mutation Arbitrary binary relations Explicitly characterize: How data may change over time Side effects, type state, protocols, invariants, monotonicity Lots of prior work, all working around aliasing Safe assumptions in the presence of mutation through aliases Eye towards backwards compatibility: Subsume standard references, reference immutability

Rely-Guarantee References New approach to static verification of imperative programs Formal core type system + proofs Uses dependent types Implementation as Coq DSL Characterized proof burden for 4 examples Roughly on par w/ pure functional equivalents

Outline Concurrent Reasoning for Aliases Typechecking Rely-Guarantee References Technical Challenge: Nested References Intuition for Soundness Conclusions

A Duality: Threads & Aliases Mutation by aliases thread interference Actions through aliases can be seen as concurrent Rely-Guarantee reasoning is good for threads Summarizes possible interference We can adapt concurrent analyses to treat aliasing A few differences to discuss later

Thread & Alias Interference Thread Interference Alias Interference 0 0 let x = ref 0 in atomic_inc(x) atomic_inc(x) assert(!x>0) assert(!x>0) let x = ref 0 in inc x; let y = x in inc x; assert(!y > 0);

Rely-Guarantee for Threads Characterize thread interference: 1. Rely summarizes expected interference 2. Guarantee bounds thread actions 3. Stable assertions are preserved by interference 4. Compatible threads: each rely assumes at least the other s guarantee

Rely-Guarantee for References Characterize alias interference: 1. Rely summarizes alias interference 2. Guarantee bounds actions through this alias 3. Stable predicates preserved by interference 4. Compatible aliases: if x == y, then x.g y.r && y.g x.r Subsumes ML references! (OCaml, SML, etc.)

Rely-Guarantee Reference Type Predicate (e.g. >0) ref{τ P}[R,G] standard reference Rely (e.g. ==) Guarantee (e.g. )

Alias Interference Revisited 23 R G R G x:ref{n >0}{==, } y:ref{n >0}{,==} x:=!x+1; ❹ ❷ ❶ (2,3) (2,3) 2 > 0 (2,3) ❸ 3 > 0 1 Rely, 2 Guarantee, 3 Stable, 4 Compatible

Splitting for Compatible References x:ref{nat P}[,havoc] cannot be duplicated Duplicates must be compatible (#4) havoc Must track & restrict duplication: let y = x in could create Two immutable refs (ref{nat P}[, ]) Two unrestricted refs (ref{nat any}[havoc, havoc]) Producer/consumer (ref{nat any}[, ] and ref{nat any}[, ])

Outline Concurrent Reasoning for Aliases Typechecking Rely-Guarantee References Technical Challenge: Nested References Intuition for Soundness Conclusions

A Coq DSL for Rely-Guarantee References Shallow DSL embedding in a proof assistant Satisfying proof obligations Separated from program text Semi-automatic Examples include Monotonic Counter Simple, but illustrative Specify how data changes over time, not inc operation Reference Immutability

Example: A Monotonic Counter Definition increasing : hrel nat := (λ n n h h. n <= n'). Definition counter := ref{nat pos}[increasing,increasing]. Definition read (c:counter) : nat :=!c. Definition inc (p:counter) : unit := [p]:=!p + 1. Definition mkcounter (u:unit) : counter := Alloc 1. Example test_counter (u:unit) : unit := x <- mkcounter tt; inc x. Proofs automatically discharged

Invalid Code: Decrement a Monotonic Counter Definition counter := ref{nat pos}[increasing,increasing]. Definition dec (p:counter) : unit := [p]:=!p - 1.

Reference Immutability via Rely-Guarantee References writable T ref{t any}[havoc,havoc] readable T ref{t any}[havoc, ] immutable T ref{t any}[, ] Suggests a spectrum: ML refs RI... RGref

Outline Concurrent Reasoning for Aliases Typechecking Rely-Guarantee References Technical Challenge: Nested References Intuition for Soundness Conclusions

References to References Folding If x.f is a ref, and x s type disallows mutation to anything, type of!x.f should, too Containment ref{t P}[R,G]: if T contains refs, R permits their interference as well Precision P,R,G only depend on heap reachable from the T they apply to Non-issues in concurrent program logics: no threads to threads

Outline Concurrent Reasoning for Aliases Typechecking Rely-Guarantee References Technical Challenge: Nested References Intuition for Soundness Conclusions

How to Preserve Refinements Well-formed ref{τ P}[R,G] (e.g. ref{int >0}[, ]) P is stable with respect to R (#3) Enforce containment, precision Aliases as x:ref{τ P}[R,G] and y:ref{τ P }[R,G ] Relies summarize guarantees (#4): G R, G R Ensured by splitting semantics and folding Actions in x.g are included in alias y s y.r, and thus by stability preserves y.p

Outline Concurrent Reasoning for Aliases Typechecking Rely-Guarantee References Technical Challenge: Nested References Intuition for Soundness Conclusions

Future Work We ve worked out a core system Route to a full system: Non-atomic updates Internalizing proof terms (in progress) Better datatype definitions Borrowing Concurrency (in progress) More examples / experience

Related Work Rely-guarantee program logics Mostly concurrent Explicit Stabilization (Wickerson 10) used for malloc We apply RG at a much finer granularity Reference Immutability, Ownership Notion of per-reference read-only Tschantz 05, Zibin 07, Dietl 07, Zibin 10, Gordon 12 We generalize read-only to arbitrary relations Dependent types for imperative programs Types depend only on immutable data (DML, etc.) Or bake in a low-level program logic (Ynot / Hoare Type Theory) Our types directly treat interference

Conclusion Rely-Guarantee References Directly address alias interference Key challenge: nested references Apply concurrent verification insights to aliasing We applied rely-guarantee Other correspondences exist Promising early results Modest proof burden Backwards compatible with more traditional systems https://github.com/csgordon/rgref/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback