Logical Reasoning for Disjoint Permissions
Xuan-Bach Le, Aquinas Hobor
ESOP 2018, Thessaloniki, Greece

This talk is about ...
Permission reasoning in Concurrent Separation Logic

Some notations
● Mapsto predicate
● Fractional mapsto predicate
● Disjoint conjunction

Predicate multiplication
permission predicate

Ownership reasoning
    class Example {
        BinaryTree t;
        void shareTree() {
            fork();          // split into a parent and a child process
            readTree(t);     // both processes read the tree
            wait();          // synchronise before the tree is freed
            deallocate(t);   // only the parent frees the tree
        }
    }

Parent process: fork(), readTree(t), wait(), deallocate(t)
Child process: readTree(t), wait()

Case study: Rational permissions
● Model:
● Examples:
● Combine permissions:

Reasoning with rational permissions (expected result)
Parent process: fork(), readTree(t), wait(), deallocate(t)
Child process: readTree(t), wait()

Shortcoming of Rationals
The latter is always a tree possibly a DAG!

Diagnosis
● Without permissions: x ↦ v * x ↦ v is not satisfiable
● With permissions: x ↦ (v,1/2) * x ↦ (v,1/2) is equivalent to x ↦ (v,1)
Rational permissions fail to preserve the disjointness property of Separation Logic!

This talk
1. Disjoint permission model
2. Inference systems
3. Disjoint permission analysis

Disjoint permission model
partial addition
total multiplication
additive identity
multiplicative identity
● Axioms from semiring:
  – Commutativity over addition
  – Associativity over multiplication
  – Right distributivity of multiplication over addition
  – ...
● Disjointness axiom:
  Not true with rationals!
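An added example, not from the talk, the paper, or the ShareInfer tool: a small Python model of fractional heaps that makes the three points of the Diagnosis, Shortcoming of Rationals and Disjointness axiom slides concrete. It compares two permission algebras: rationals in [0, 1] with partial addition (defined while the sum stays at most 1), and an assumed stand-in for a disjoint model in which shares are subsets of a 2-bit universe that join only when they do not overlap (this bitmask algebra is my construction, not the paper's share model). The disjointness axiom is taken here as "if a share joins with itself, it is the empty share", which is my reading of the slide; the tree predicate shape (every node held at a half share), the heap layout and the two sample heaps (a proper tree and a DAG whose root points twice at the same node) are all constructed for the example.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, FrozenSet, Optional, Tuple


class Undefined(Exception):
    """Raised when a partial operation (permission or heap join) has no result."""


@dataclass(frozen=True)
class PermissionAlgebra:
    """A permission model: empty share, a sample half share, the full share,
    and a partial join that raises Undefined when the sum does not exist."""
    name: str
    zero: object
    half: object
    full: object
    join: Callable[[object, object], object]


def rational_join(a: Fraction, b: Fraction) -> Fraction:
    # Rationals in [0, 1]: the sum exists as long as it does not exceed 1.
    if a + b > 1:
        raise Undefined(f"{a} + {b} exceeds the full permission")
    return a + b


def bitmask_join(a: int, b: int) -> int:
    # Assumed stand-in for a disjoint model (not the paper's share structure):
    # shares are subsets of a 2-bit universe and join only when no bit overlaps.
    if a & b:
        raise Undefined(f"{a:02b} and {b:02b} overlap")
    return a | b


RATIONAL = PermissionAlgebra("rational", Fraction(0), Fraction(1, 2), Fraction(1), rational_join)
DISJOINT = PermissionAlgebra("disjoint bitmask", 0b00, 0b01, 0b11, bitmask_join)

# A fractional heap: address -> (left child, right child, permission).
Cell = Tuple[Optional[str], Optional[str], object]
Heap = Dict[str, Cell]


def heap_join(alg: PermissionAlgebra, h1: Heap, h2: Heap) -> Heap:
    """Pointwise heap join: a shared address must agree on its contents and its
    two permissions must join in the algebra; otherwise the join is undefined."""
    out = dict(h1)
    for addr, (l, r, p) in h2.items():
        if addr in out:
            l1, r1, p1 = out[addr]
            if (l1, r1) != (l, r):
                raise Undefined(f"{addr}: contents disagree")
            out[addr] = (l, r, alg.join(p1, p))
        else:
            out[addr] = (l, r, p)
    return out


def split_cell_is_satisfiable(alg: PermissionAlgebra) -> bool:
    """Does x |-> (v,half) * x |-> (v,half) have a model, namely x |-> (v,full)?"""
    cell: Heap = {"x": (None, None, alg.half)}
    try:
        return heap_join(alg, cell, cell) == {"x": (None, None, alg.full)}
    except Undefined:
        return False


def disjointness_axiom_holds(alg: PermissionAlgebra, samples) -> bool:
    """Disjointness axiom as read from the slide: a + a defined implies a is zero."""
    for a in samples:
        try:
            alg.join(a, a)
        except Undefined:
            continue
        if a != alg.zero:
            return False
    return True


def tree_footprint(alg: PermissionAlgebra, heap: Heap, root: Optional[str], share,
                   path: FrozenSet[str] = frozenset()) -> Heap:
    """Footprint demanded by tree(root) := root |-> (l, r, share) * tree(l) * tree(r),
    following the pointers stored in `heap` and joining the demanded shares."""
    if root is None:
        return {}
    if root in path:
        raise Undefined(f"{root}: cycle")
    if root not in heap:
        raise Undefined(f"{root}: dangling pointer")
    l, r, _ = heap[root]
    demand: Heap = {root: (l, r, share)}
    demand = heap_join(alg, demand, tree_footprint(alg, heap, l, share, path | {root}))
    demand = heap_join(alg, demand, tree_footprint(alg, heap, r, share, path | {root}))
    return demand


def satisfies_tree(alg: PermissionAlgebra, heap: Heap, root: str) -> bool:
    """Does `heap` satisfy tree(root) with every node held at the algebra's half share?"""
    try:
        return tree_footprint(alg, heap, root, alg.half) == heap
    except Undefined:
        return False


def proper_tree(alg: PermissionAlgebra) -> Heap:
    # Constructed sample: a has distinct children b and c, each node at half share.
    return {"a": ("b", "c", alg.half), "b": (None, None, alg.half), "c": (None, None, alg.half)}


def dag(alg: PermissionAlgebra) -> Heap:
    # Constructed sample: both children of a are the same node b, held at full share.
    return {"a": ("b", "b", alg.half), "b": (None, None, alg.full)}


if __name__ == "__main__":
    for alg in (RATIONAL, DISJOINT):
        print(alg.name)
        print("  x |-> (v,half) * x |-> (v,half) satisfiable:", split_cell_is_satisfiable(alg))
        print("  proper tree satisfies tree(a):", satisfies_tree(alg, proper_tree(alg), "a"))
        print("  DAG satisfies tree(a):", satisfies_tree(alg, dag(alg), "a"))
    print("disjointness axiom, rationals:",
          disjointness_axiom_holds(RATIONAL, [RATIONAL.zero, RATIONAL.half, RATIONAL.full]))
    print("disjointness axiom, bitmask:", disjointness_axiom_holds(DISJOINT, [0b00, 0b01, 0b10, 0b11]))
```

Under the rational algebra the two half cells join into the full cell, so the split assertion is satisfiable, and the DAG passes the tree check because the two half demands on node b add up to the full permission the heap holds there. Under the bitmask algebra the same share cannot join with itself, so the split assertion has no model, the DAG fails the check, and the disjointness axiom holds on every sample share; the proper tree is accepted by both algebras.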

Enable efficient bi-abduction reasoning
● Complete a partial entailment
● With disjoint permissions
● Automatic tool ShareInfer

Roadmap
● Predicate multiplication with disjoint permissions
● Inference systems
● Disjoint permissions analysis

Overview of inference system
● 10/13 rules are bidirectional
● Some rules don’t hold with rational permissions

A closer look
DOTFULL: initiate the sharing mechanism
DOTDOT: collapse nested permissions
DOTPLUS: splitting permissions over a predicate
  precise(P): P cannot hold in 2 subheaps simultaneously
DOTSTAR: distribute permissions over predicates
  uniform( ): all addresses have permission

Inductive Reasoning (honourable mention)
● Inference system for inductive reasoning
  – 8 inference rules
  – Induction over finiteness of fractional heap
  – Can prove side conditions precise, uniform
  – Implementation: ShareInfer tool

Example
Parent process: fork(), readTree(t), wait(), deallocate(t)
Child process: readTree(t), wait()
Rules annotated on the proof: DotFull, DotPlus, DotPlus, DotFull, DotStar

Soundness
● Prove over fractional heap model (heaps over addresses a1 ... an, each cell carrying a permission)
● Heap multiplication:
● Predicate multiplication:

Soundness
disjoint permission axioms → inference rules
Example: Associativity of

Roadmap
● Predicate multiplication with disjoint permissions
● Inference systems
● Disjoint permissions analysis

Inference rules force permission axioms
inference rules → disjoint permission axioms
Example: DOTFULL
Proof sketch: Let P be and . By definition, As , we also have Thus . QED

Disjointness in a multiplicative setting
● Disjointness axiom (D)
● Left distributivity (LD)
● Right distributivity (RD)
D + LD + RD + other standard axioms → Trivial models (not Good models)

Multiplicative left inverse (LI):
D + (LD or RD) + LI + other axioms → Trivial models (not Good models)

Scaling separation algebra
Capture characteristics of fractional heaps
Heap components / Permission components
Heap join: (figure: a heap over a1, a2 joined with a heap over a1, a3 gives a heap over a1, a2, a3)
Heap mul: mul( , ) (figure: a heap over a1 ... an mapped to a heap over a1 ... an)
Heap force: force( , ) (figure: a heap over a1 ... an mapped to a heap over a1 ... an)
14 axioms for scaling separation algebra
Axioms for fractional heaps

A graphical summary
Disjoint permission axioms
Inference rules for predicate multiplication
Scaling separation algebra

Conclusion
● We proposed inference systems (with tool support) for predicate multiplication with disjoint permissions.
● Our soundness proof is verified in Coq using the fractional heap model and Scaling Separation Algebra.
● We justified why certain properties of disjoint permissions cannot hold simultaneously.
● Future work: further investigation of permission algebras and Scaling Separation Algebra.
Thank you!