Logical Reasoning for Disjoint Permissions
Xuan-Bach Le, Aquinas Hobor
ESOP 2018, Thessaloniki, Greece
This talk is about ...
Permission reasoning in Concurrent Separation Logic
Some notations
● Mapsto predicate: x ↦ v, the address x holds the value v
● Fractional mapsto predicate: x ↦ (v, π), the address x holds v with permission π
● Disjoint conjunction: P ∗ Q, P and Q hold on disjoint parts of the heap
Predicate multiplication
● π · P: a permission π applied to a predicate P (this is the "dot" of the DotFull, DotDot, DotPlus and DotStar rules)
Ownership reasoning
class Example {
  BinaryTree t;
  void shareTree() {
    fork();        // the child process reads the tree concurrently
    readTree(t);
    wait();        // join the child
    deallocate(t); // needs full ownership of the whole tree
  }
}
Parent process: fork(), readTree(t), wait(), deallocate(t)
Child process: readTree(t), wait()
Case study: Rational permissions
● Model: rational numbers in (0, 1], where 1 is the full permission
● Examples: x ↦ (v, 1/2), x ↦ (v, 1)
● Combine permissions: add them, e.g. 1/2 + 1/2 = 1
Reasoning with rational permissions (expected result)
Parent process
fork()
readTree(t)
wait()
deallocate(t)
Child process
readTree(t)
wait()
Shortcoming of Rationals
● A tree predicate scaled by a rational permission does not force a tree: a node a reached from b along two paths collects two half permissions that add up to a full one (1/2 + 1/2 = 1), so the scaled predicate is possibly a DAG!
● The unscaled predicate tree(t) is always a tree.
Diagnosis
● Without permissions: x ↦ v ∗ x ↦ v is not satisfiable (both conjuncts would have to own the same address)
● With rational permissions: x ↦ (v, 1/2) ∗ x ↦ (v, 1/2) is equivalent to x ↦ (v, 1)
Rational permissions fail to preserve the disjointness property of Separation Logic!
This talk
1. Disjoint permission model
2. Inference systems
3. Disjoint permission analysis
Disjoint permission model
● Partial addition (combining permissions), total multiplication (scaling permissions), additive identity (the empty permission), multiplicative identity (the full permission)
● Axioms from semiring:
  – Commutativity over addition
  – Associativity over multiplication
  – Right distributivity of multiplication over addition
  – ...
● Disjointness axiom: a permission that can be added to itself is the empty permission. Not true with rationals: 1/2 + 1/2 = 1 is defined.
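Added example (the editor's, not code from the talk or from the ShareInfer tool): a small executable permission algebra with exactly the shape listed above, next to rational permissions. The slides do not name their concrete model; binary tree shares (Dockins, Hobor and Appel) are assumed here as the illustration, with multiplication defined as substitution of the left operand into the full leaves of the right one, which is the convention under which the right distributivity named on the slide holds. All names and helpers are the editor's.

```python
"""Editor's added example: tree shares as a disjoint permission model,
checked against the axioms on the "Disjoint permission model" slide,
and rational permissions shown to break the disjointness axiom."""
from fractions import Fraction
from itertools import product

# A canonical tree share is a leaf (False = empty, True = full) or a pair
# (left, right) whose halves are not the same leaf, so every share has one form.
EMPTY, FULL = False, True


def node(left, right):
    """Build a tree share from two halves, collapsing (b, b) leaves into b."""
    if isinstance(left, bool) and isinstance(right, bool) and left == right:
        return left
    return (left, right)


L = node(FULL, EMPTY)  # "left half" of the full permission
R = node(EMPTY, FULL)  # "right half"; L and R add up to FULL


def halves(share):
    """View a share as (left, right); a leaf splits into two copies of itself."""
    return share if isinstance(share, tuple) else (share, share)


def join(a, b):
    """Partial addition: defined only if no position is full in both a and b.
    Returns None where undefined (full + full is the undefined case)."""
    if isinstance(a, bool) and isinstance(b, bool):
        return None if (a and b) else (a or b)
    (al, ar), (bl, br) = halves(a), halves(b)
    left, right = join(al, bl), join(ar, br)
    if left is None or right is None:
        return None
    return node(left, right)


def mul(a, b):
    """Total multiplication a * b: substitute a for every full leaf of b."""
    if isinstance(b, bool):
        return a if b else EMPTY
    return node(mul(a, b[0]), mul(a, b[1]))


def shares(depth):
    """All canonical shares of height at most `depth` (a finite test universe)."""
    if depth == 0:
        return [EMPTY, FULL]
    sub = shares(depth - 1)
    return list({node(l, r) for l, r in product(sub, sub)})


def disjointness_holds(depth=2):
    """Disjointness axiom: a + a is defined only when a is the empty permission."""
    return all(join(a, a) is None or a == EMPTY for a in shares(depth))


def semiring_axioms_hold(depth=1):
    """Identities, commutativity of +, associativity of *, and right
    distributivity (a + b) * c = a * c + b * c, checked exhaustively."""
    U = shares(depth)
    for a in U:
        if not (join(a, EMPTY) == a and mul(FULL, a) == a and mul(a, FULL) == a
                and mul(EMPTY, a) == EMPTY and mul(a, EMPTY) == EMPTY):
            return False
    for a, b in product(U, U):
        if join(a, b) != join(b, a):
            return False
    for a, b, c in product(U, U, U):
        if mul(mul(a, b), c) != mul(a, mul(b, c)):
            return False
        s = join(a, b)
        if s is not None and mul(s, c) != join(mul(a, c), mul(b, c)):
            return False
    return True


def left_distributivity_counterexample():
    """Left distributivity c * (a + b) = c * a + c * b fails in this model:
    with c = L and a + b = L + R = FULL the left side is L, the right side
    is node(L, L). Returns both sides so the reader can compare them."""
    c, a, b = L, L, R
    return mul(c, join(a, b)), join(mul(c, a), mul(c, b))


def rational_join(p, q):
    """Rational permissions: ordinary addition, defined while the sum stays <= 1."""
    total = p + q
    return total if total <= 1 else None


def rationals_violate_disjointness():
    """1/2 + 1/2 = 1 is defined for rationals (so x |-> (v,1/2) * x |-> (v,1/2)
    is satisfiable, the Diagnosis slide), while L + L is undefined for shares."""
    half = Fraction(1, 2)
    return rational_join(half, half) == 1 and join(L, L) is None


if __name__ == "__main__":
    print("tree shares satisfy disjointness:", disjointness_holds())
    print("tree shares satisfy the listed semiring axioms:", semiring_axioms_hold())
    print("left distributivity (lhs, rhs):", left_distributivity_counterexample())
    print("rationals violate disjointness:", rationals_violate_disjointness())
```

The counterexample to left distributivity is consistent with the later slides on disjointness in a multiplicative setting: a non-trivial model that satisfies disjointness and right distributivity has to give up left distributivity.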
Enable efficient bi-abduction reasoning
● Complete a partial entailment
● With disjoint permissions
● Automatic tool ShareInfer
Roadmap
● Predicate multiplication with disjoint permissions
● Inference systems
● Disjoint permissions analysis

Overview of inference system
● 10 of the 13 rules are bidirectional
● Some rules don't hold with rational permissions
A closer look
● DOTFULL: initiates the sharing mechanism (relates a predicate to the same predicate under the full permission)
● DOTDOT: collapses nested permissions
● DOTPLUS: splits a permission over a predicate; side condition precise(P): P cannot hold in two different subheaps of one heap simultaneously
● DOTSTAR: distributes a permission over predicates joined by ∗; side condition uniform(π): all addresses of the heap carry the permission π

Inductive Reasoning (honourable mention)
● Inference system for inductive reasoning
  – 8 inference rules
  – Induction over the finiteness of the fractional heap
  – Can prove the side conditions precise and uniform
  – Implementation: ShareInfer tool
Example
Parent process: fork(), readTree(t), wait(), deallocate(t)
Child process: readTree(t), wait()
Rules applied along the proof: DotFull and DotPlus split tree(t) between parent and child at fork(); DotStar distributes the permission over the predicates of the unfolded tree inside readTree(t); DotPlus and DotFull recombine the two shares at wait(), recovering the full tree(t) that deallocate(t) requires.
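Added worked derivation (the editor's, not from the slides): the proof outline that the Example traces by rule name, carried through with the talk's predicate multiplication. The rule shapes used here are inferred from the rule names and their one-line captions on the preceding slides and are assumptions, as is the notation: F is the full permission, ⊕ is permission addition, π₁ and π₂ are two permissions with π₁ ⊕ π₂ = F, and tree(t) is the usual binary tree predicate, unfolding to t ↦ (l, r) ∗ tree(l) ∗ tree(r) when t is not null.

```latex
\begin{align*}
&\{\mathit{tree}(t)\} \\
&\dashv\vdash \{\mathcal{F}\cdot\mathit{tree}(t)\}
   && \text{DotFull} \\
&\dashv\vdash \{(\pi_1 \oplus \pi_2)\cdot\mathit{tree}(t)\}
   && \pi_1 \oplus \pi_2 = \mathcal{F} \\
&\dashv\vdash \{\pi_1\cdot\mathit{tree}(t) \ast \pi_2\cdot\mathit{tree}(t)\}
   && \text{DotPlus, side condition } \mathit{precise}(\mathit{tree}) \\
&\texttt{fork()}
   && \text{parent keeps } \pi_1\cdot\mathit{tree}(t),\ \text{child runs with } \pi_2\cdot\mathit{tree}(t) \\
&\pi_i\cdot\bigl(t \mapsto (l,r) \ast \mathit{tree}(l) \ast \mathit{tree}(r)\bigr)
   \dashv\vdash \pi_i\cdot(t \mapsto (l,r)) \ast \pi_i\cdot\mathit{tree}(l) \ast \pi_i\cdot\mathit{tree}(r)
   && \text{DotStar inside } \texttt{readTree(t)}\text{, side condition } \mathit{uniform}(\pi_i) \\
&\texttt{wait()}
   && \text{child returns } \pi_2\cdot\mathit{tree}(t) \\
&\{\pi_1\cdot\mathit{tree}(t) \ast \pi_2\cdot\mathit{tree}(t)\}
   \dashv\vdash \{(\pi_1 \oplus \pi_2)\cdot\mathit{tree}(t)\}
   && \text{DotPlus} \\
&\dashv\vdash \{\mathcal{F}\cdot\mathit{tree}(t)\} \dashv\vdash \{\mathit{tree}(t)\}
   && \text{DotFull} \\
&\texttt{deallocate(t)}
   && \text{requires the full } \mathit{tree}(t)
\end{align*}
```

The disjointness axiom is what makes each πᵢ·tree(t) a genuine tree: a node reachable along two paths would need πᵢ ⊕ πᵢ to be defined, which disjointness rules out for every non-empty πᵢ, whereas with rationals 1/2 ⊕ 1/2 = 1 is defined and the scaled predicate may describe a DAG, which is the shortcoming shown earlier.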
Soundness
● Proved over the fractional heap model: a heap is a finite map from addresses a1 ... an to values paired with permissions
● Heap multiplication: scale the permission at every address a1 ... an of a heap
● Predicate multiplication: defined via heap multiplication
● Disjoint permission axioms ⟹ inference rules. Example: associativity of multiplication
Roadmap
● Predicate multiplication with disjoint permissions
● Inference systems
● Disjoint permissions analysis
Inference rules force permission axioms
● Conversely, inference rules ⟹ disjoint permission axioms. Example: DOTFULL
● Proof sketch: Let P be … and …. By definition, …. As …, we also have …. Thus …. QED
Disjointness in a multiplicative setting
● Disjointness axiom (D)
● Left distributivity (LD)
● Right distributivity (RD)
● Multiplicative left inverse (LI)
D + LD + RD + other standard axioms ⟹ only trivial models; good models require giving up one of these axioms.
D + (LD or RD) + LI + other axioms ⟹ only trivial models; good models again require dropping one of the axioms.
Scaling separation algebra
● Captures the characteristics of fractional heaps: heap components and permission components
● Heap join: two heaps combine when the permissions at their shared addresses can be added (a heap over a1, a2 joined with a heap over a1, a3 yields a heap over a1, a2, a3)
● Heap mul: mul(π, h), over the addresses a1 ... an of h
● Heap force: force(π, h), over the same addresses a1 ... an
● 14 axioms for scaling separation algebra, satisfied by fractional heaps
A graphical summary
Disjoint permission axioms ⟺ Inference rules for predicate multiplication, both validated over the Scaling separation algebra
Conclusion
● We proposed inference systems (with tool support) for predicate multiplication with disjoint permissions.
● Our soundness proof is verified in Coq using the fractional heap model and the Scaling Separation Algebra.
● We justified why certain properties of disjoint permissions cannot hold simultaneously.
● Future work: further investigation for permission algebra and Scaling Separation Algebra.
Thank you!