Iris from the ground up: A modular foundation for higher-order concurrent separation logic

Jung, Ralf; Krebbers, Robbert; Jourdan, Jacques-Henri; Bizjak, Aleš; Birkedal, Lars; Dreyer, Derek

doi:10.1017/s0956796818000151

Cited by 237 publications

(277 citation statements)

References 68 publications

(123 reference statements)

Supporting

Mentioning

277

Contrasting

Order By: Relevance

“…This has the important technical advantage that our proof technique can be naturally integrated with existing separation logics and verification tools supporting SL-style reasoning. We consider a standard sequential SL in this section, but our technique can also be directly integrated with a concurrent SL such as RGSep (as we show in §4.5) or frameworks such as Iris [21] supporting (ghost) resources ranging over user-defined separation algebras.…”

Section: Proof Techniquementioning

confidence: 99%

Local Reasoning for Global Graph Properties

Krishna

Summers

Wies

2020

Programming Languages and Systems

View full text Add to dashboard Cite

Separation logics are widely used for verifying programs that manipulate complex heap-based data structures. These logics build on so-called separation algebras, which allow expressing properties of heap regions such that modifications to a region do not invalidate properties stated about the remainder of the heap. This concept is key to enabling modular reasoning and also extends to concurrency. While heaps are naturally related to mathematical graphs, many ubiquitous graph properties are non-local in character, such as reachability between nodes, path lengths, acyclicity and other structural invariants, as well as data invariants which combine with these notions. Reasoning modularly about such graph properties remains notoriously difficult, since a local modification can have side-effects on a global property that cannot be easily confined to a small region. In this paper, we address the question: What separation algebra can be used to avoid proof arguments reverting back to tedious global reasoning in such cases? To this end, we consider a general class of global graph properties expressed as fixpoints of algebraic equations over graphs. We present mathematical foundations for reasoning about this class of properties, imposing minimal requirements on the underlying theory that allow us to define a suitable separation algebra. Building on this theory we develop a general proof technique for modular reasoning about global graph properties over program heaps, in a way which can be integrated with existing separation logics. To demonstrate our approach, we present local proofs for two challenging examples: a priority inheritance protocol and the non-blocking concurrent Harris list. S. Krishna et al. 1 method acquire(p: Node, r: Node) { 2 if (r.next == null) { 3 r.next := p; update(p, -1, r.curr_prio) 4 } else { 5 p.next := r; update(r, -1, p.curr_prio) 6 } 7 } 8 method update(n: Node, from: Int, to: Int) { 9 n.prios := n.prios \ {from} 10 if (to >= 0) n.prios := n.prios ∪ {to} 11 from := n.curr_prio 12 n.curr_prio := max(n.prios ∪ {n.def_prio}) 13 to := n.curr_prio; 14 if (from != to && n.next != null) { 15 update(n.next, from, to) 16 } 17 }

show abstract

Section: Proof Techniquementioning

confidence: 99%

Local Reasoning for Global Graph Properties

Krishna

Summers

Wies

2020

Programming Languages and Systems

View full text Add to dashboard Cite

show abstract

“…RustBelt [32] aims to formally prove high-level safety properties for Rust libraries with unsafe internal implementation, using manual reasoning on the higher-order concurrent separation logic Iris [35,33] on the Coq Proof Assistant [15]. Although their framework is flexible, the automation of the reasoning on 29 For example, inc-some/2 takes two mutable references in a list and increments on them; inc-all-t destructively increments all elements in a tree.…”

Section: Related Workmentioning

confidence: 99%

“…-If there exists a variable x that occurs only once in the pre-resolutive configurationK, then replace it with any value of the suitable sort. 33 We have carefully designed SLDC resolution to match it with abstract operational semantics, which assists the proof of Theorem 2.…”

Section: C3 Sldc Resolutionmentioning

confidence: 99%

RustHorn: CHC-Based Verification for Rust Programs

Matsushita¹,

Tsukada²,

Kobayashi³

2020

Programming Languages and Systems

View full text Add to dashboard Cite

Reduction to the satisfiablility problem for constrained Horn clauses (CHCs) is a widely studied approach to automated program verification. The current CHC-based methods for pointer-manipulating programs, however, are not very scalable. This paper proposes a novel translation of pointer-manipulating Rust programs into CHCs, which clears away pointers and heaps by leveraging ownership. We formalize the translation for a simplified core of Rust and prove its correctness. We have implemented a prototype verifier for a subset of Rust and confirmed the effectiveness of our method. 17 The first character of each variable indicates the pointer kind (o/m corresponds to own/mutα). We swap the branches of the match statement in take-max, to fit the order to C/Rust's if.

show abstract

“…A Hoare spec is also immediately useful in proofs, whereas with linearizability, one also has to verify the sequential program itself. Second, in linearizability it has traditionally been difficult to address ownership transfer of heaps between data structures [Cerone et al 2014;Gotsman and Yang 2012], whereas for us (and other extensions of CSL [da Rocha Pinto et al 2014;Dinsdale-Young et al 2010;Jung et al 2018Jung et al , 2015Liang and Feng 2013]), ownership transfer is directly inherited from separation logic. We also inherit from separation logic a way to dynamically nest parallel compositions of threads, whereas linearizability is typically considered on programs with a fixed, though arbitrary, number of threads.…”

Section: Related Workmentioning

confidence: 99%

Specifying concurrent programs in separation logic: morphisms and simulations

Nanevski

Banerjee

Delbianco

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

In addition to pre-and postconditions, program specifications in recent separation logics for concurrency have employed an algebraic structure of resources-a form of state transition systems-to describe the state-based program invariants that must be preserved, and to record the permissible atomic changes to program state. In this paper we introduce a novel notion of resource morphism, i.e. structure-preserving function on resources, and show how to effectively integrate it into separation logic, using an associated notion of morphism-specific simulation. We apply morphisms and simulations to programs verified under one resource, to compositionally adapt them to operate under another resource, thus facilitating proof reuse. lock = do x ← CAS(r , false, true) while ¬x 1 The idea of bounding the interference is the foundation behind the classic rely-guarantee method [Jones 1983] as well. In fact, resources may be seen as structuring and compactly representing-in the form of transitions-the rely and guarantee relations of the rely-guarantee method. 2 The Compare-and-Set variant of CAS(r, a, b) [Herlihy and Shavit 2008] atomically sets the pointer r to b if r contains a, otherwise leaves r unchanged. It moreover returns a Boolean value denoting the success or failure of the operation.

show abstract

Iris from the ground up: A modular foundation for higher-order concurrent separation logic

Cited by 237 publications

References 68 publications

Local Reasoning for Global Graph Properties

Local Reasoning for Global Graph Properties

RustHorn: CHC-Based Verification for Rust Programs

Specifying concurrent programs in separation logic: morphisms and simulations

Contact Info

Product

Resources

About