Constraint Semantics for Abstract Read Permissions, 28th July 2014, FTfJP, Uppsala. John Tang Boyland (UW-Milwaukee/ETH Zurich), Peter Müller, Malte Schwerhoff,


1 Constraint Semantics for Abstract Read Permissions
28th July 2014, FTfJP, Uppsala
John Tang Boyland (UW-Milwaukee/ETH Zurich), Peter Müller, Malte Schwerhoff, Alexander J. Summers (ETH Zurich)

2 Why Should You Pay Attention?
- Unbounded counting with fractional permissions over ℚ
- General framework for proving soundness of permission assumptions

3 Modular Static Verification + Shared State
(figure: foo(x) and bar(x) operating on shared state)

4 Modular Static Verification + Shared State
(figure: foo(x), bar(x), ?)

5 Modular Static Verification + Shared State
(figure: foo(x), bar(x), ?)

6 Permissions
(figure: foo(x), bar(x))

7 Permission Transfer
(figure: foo(x), bar(x), ?)

8 Permission Transfer
(figure: foo(x), bar(x), ?)

9 Fractional Permissions
(figure: foo(x), bar(x))

10 Splitting Fractional Permissions
(figure: foo(x), bar(x), ?; ℚ: ½ + ½ or ¼ + ¾ or …)

11 Merging Fractional Permissions
(figure: foo(x), bar(x), ?)

12 Iterator Example
    method visit(it: Iterator, d: Data) {
      var n: Int := 0
      while (it.hasNext()) {
        fork worker(it.next(), d)
        n := n + 1
      }
      ...
    }

    method worker(e: Element, d: Data) {
      // reads d.f
    }
Start with v1 permissions to d.f

13 Iterator Example
(same code as slide 12)
Give each worker the same v2 permissions to d.f

14 Iterator Example
(same code as slide 12)
Can the (n+1)th v2 still be given away?

15 Iterator Example
(same code as slide 12)
Can the (n+1)th v2 still be given away? Fixing v2 up-front is not possible since n is unbounded …

16 Iterator Example
(same code as slide 12)
Can the (n+1)th v2 still be given away? … on the other hand, for any n, a suitable v2 can be chosen

17 Abstract Read Permissions (Heule et al., VMCAI’13)
Existing idea:
1. Use symbolic values v_i instead of concrete fractions
2. Constrain v_i as verification proceeds to make it sufficiently small

18 Iterator Example with Abstract Read Permissions
    method visit(it: Iterator, d: Data, v1: Perm) {
      var n: Int := 0
      var v2: Perm := fresh()
      while (it.hasNext()) {
        fork worker(it.next(), d, v2)
        n := n + 1
      }
      ...
    }

    method worker(e: Element, d: Data, v: Perm) {
      // reads d.f
    }

19 Iterator Example with Abstract Read Permissions
Same code as slide 18, with the loop body now beginning with
        assume v2 < v1 – n * v2
Enables ℚ to support unbounded counting

20 Other Permission Model Properties (Short Digression)
(code as on slide 19)
Recursively fork visit → unbounded splitting

21 Other Permission Model Properties (Short Digression)
(code as on slide 19)
Abstract predicates → permission multiplication

22 Problem
Permission assumptions sound? ⇔ Constraint system satisfiable?

23 Abstract Read Permissions (Heule et al., VMCAI’13)
- Must avoid unsound assumptions (in a modular way)
  - v < v
  - v1 < v2 && v2 < v1
- Factoring the key property for constraint satisfiability out of the general soundness proof is not straightforward
- Heule et al. therefore allow only limited application of abstract read permissions
  - Ensures satisfiable constraints
  - Can’t support unbounded counting

24 Layered Constraints
Key Property (figure; spelled out on slide 40)

25 Layered Constraints
(figure: the concrete fractions ¼, ½, ¾, … (q ∈ ℚ⁺) in the top layer, with the permission variables v1 … v8 arranged in layers below)

26 Layered Constraints
(same figure as slide 25, now with the layering relation ≺ drawn between the layers)

27 Layered Constraints
- Partially ordered set of variables (V, ≺)
- v2 ≺ v1 ≙ “v2 layered below v1”
- Extend ≺ to v ≺ E, where E ::= q | v | E + E | E * E | E – E | E / E
- Define layered for sets C of permission inequalities v < E

28 Extending ≺ to E

    q ∈ ℚ⁺          v ≺ E1    v ≺ E2                          v ≺ v’    v’ ≺ E
    ───────         ─────────────────  with ⊚ ∈ {+, ∗, /}     ────────────────
    v ≺ q           v ≺ E1 ⊚ E2                               v ≺ E – v’

29 Extending ≺ to E
(rules as on slide 28)
The premise v’ ≺ E of the subtraction rule ensures that v’ < E could be added to C

30 Extending ≺ to E
(rules as on slide 28)
The premise v ≺ v’ of the subtraction rule ensures that v is layered below v’

31 Layered and Layerable Constraints
- A set C of permission inequalities v < E is layered w.r.t. ≺ if ∀ (v < E) ∈ C · v ≺ E

32 Layered and Layerable Constraints
- A set C of permission inequalities v < E is layered w.r.t. ≺ if ∀ (v < E) ∈ C · ∃ (v’ < E’) · (v’ < E’ ⇒ v < E) ∧ v’ ≺ E’
  (this more liberal definition makes the simple derivation system more expressive)
- A set C is layerable if there exists a ≺ s.t. C is layered w.r.t. ≺
- Theorem: If a constraint system is layerable, then it is satisfiable

33 Iterator Example Revisited
(derivation rules as on slide 28)
The constraint from the iterator example, v2 < v1 – n * v2, is layered if v2 ≺ v1 – n * v2 is derivable

34 Iterator Example Revisited
(derivation rules as on slide 28)
The constraint from the iterator example, v2 < v1 – n * v2, is layered if v2 ≺ v1 – n * v2 is derivable; since v2 < v1 – n * v2 ⇔ v2 < v1 / (n + 1), it suffices that v2 ≺ v1 / (n + 1) is derivable

35 Iterator Example Revisited
(derivation rules as on slide 28)

    v2 ≺ v1 (given by ≺)      v2 ≺ (n + 1) (since (n + 1) ∈ ℚ⁺)
    ─────────────────────────────────────────────────────────────
    v2 ≺ v1 / (n + 1)

36 Using our Work
1. Define a suitable ≺-relation, e.g., “introduced after”, as for v2 and v1 in:
    method visit(v1: Perm) {
      ...
      var v2: Perm := fresh()
      ...
    }
2. Define a methodology for generating layered constraints w.r.t. the chosen ≺ (soundness proof)
3. Turn constraints into free assumptions

37 Related Work
- Counting Permissions (Bornat et al., POPL’05)
  - Neither divisibility nor multiplication
- Compound Models (Dockins et al., APLAS’09, Leino et al., ESOP’09)
  - No multiplication
  - Potentially slow due to disjunctions
- Z[ε]+ (Boyland, LNCS Volume 7850, 2013)
  - Satisfies all three properties
  - Complex and subtle model
  - No existing implementation (as far as we know)

38 Conclusion
- Identified a property that guarantees satisfiability of constraints over fractional permissions over ℚ
- Formalised a derivation system enforcing the property
- Enabled fractional permissions over ℚ to support unbounded counting
- Factor the soundness proof for permission book-keeping out of the general soundness proof
- Future work: define a methodology for fully exploiting layerable constraints in a front-end tool

39 Questions?

40 Layered Constraints
Key Property:
1. Never lower-bound a v by a concrete fraction q
2. A v_i may only occur in an upper bound of a v_j if v_j is layered (ordered) below v_i

41 Adding Satisfiable Constraints
Given E permissions, can v be given away?
⇕
Is {v < E} ∪ C satisfiable, i.e., can v < E be assumed?
⇑
Is {v < E} ∪ C layered w.r.t. ≺?
⇑
Is v ≺ E derivable? (assuming that C is already layered)

42 Rewriting Expressions
v < E is satisfiable ⇐ v ≺ E is derivable
If that is not possible: show that there exists v’ < E’ such that v < E ⇐ v’ < E’ and v’ ≺ E’ is derivable

43 Iterator Example Revisited
    method visit(v1: Perm) {
      ...
      var v2: Perm := fresh()
      ...
    }
1. Syntactic transformation: v2 < v1 – n * v2 ⇔ v2 < v1 / (n + 1)
2. Derive:
    v2 ≺ v1      v2 ≺ (n + 1) (since (n + 1) ∈ ℚ⁺)
    ─────────────────────────────────────────────
    v2 ≺ v1 / (n + 1)

44 Rewriting is only Conceptual
Important:
- Simple derivation system
- Rewriting gains expressiveness
- Rewriting is not necessary in, e.g., a verifier that constrains permissions by adding assumptions

45 Using our Derivation System
- Use as part of the soundness proof for a verifier
  - Verifier uses symbolic permission values with constraints
  - Show that all generated constraints are layered
- Facilitates separating the soundness proof for book-keeping permissions from the rest
- General framework, e.g., applicable to
  - Verification Condition Generation and Symbolic Execution
  - Separation Logic and Implicit Dynamic Frames

46 Future Work
- Extend Chalice source syntax such that
  - Unbounded counting is supported
  - While all generated constraints remain satisfiable
- Soundness proof
- Find examples where permission values must be constrained in different scopes (e.g., across methods)