Verifying event-driven programs using ramified frame properties

Krishnaswami, Neel; Birkedal, Lars; Aldrich, Jonathan

doi:10.1145/1708016.1708025

Cited by 23 publications

(10 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…More recently, Mehnert et al and Krishnaswami et al have used some form of ramification to verify respectively implementations of snapshottable trees [MSBS12] and programs that follow the subjectobserver pattern [KBA10], both of which involved unspecified sharing. Their ramifications are restricted to ad-hoc "ramification operators" tailored for each example, and the logic itself is domainspecific and done modulo a predicate on the global heap.…”

Section: Related Workmentioning

confidence: 99%

The ramifications of sharing in data structures

HoborAquinas

Villard

2013

SIGPLAN Not.

View full text Add to dashboard Cite

Programs manipulating mutable data structures with intrinsic sharing present a challenge for modular verification. Deep aliasing inside data structures dramatically complicates reasoning in isolation over parts of these objects because changes to one part of the structure (say, the left child of a dag node) can affect other parts (the right child or some of its descendants) that may point into it. The result is that finding intuitive and compositional proofs of correctness is usually a struggle. We propose a compositional proof system that enables local reasoning in the presence of sharing.While the AI "frame problem" elegantly captures the reasoning required to verify programs without sharing, we contend that natural reasoning about programs with sharing instead requires an answer to a different and more challenging AI problem, the "ramification problem": reasoning about the indirect consequences of actions. Accordingly, we present a RAMIFY proof rule that attacks the ramification problem head-on and show how to reason with it. Our framework is valid in any separation logic and permits sound compositional and local reasoning in the context of both specified and unspecified sharing. We verify the correctness of a number of examples, including programs that manipulate dags, graphs, and overlaid data structures in nontrivial ways.

show abstract

Section: Related Workmentioning

confidence: 99%

The ramifications of sharing in data structures

HoborAquinas

Villard

2013

SIGPLAN Not.

View full text Add to dashboard Cite

show abstract

“…Early models of logically (but not physically) separable resources like fractional permissions [7,10] and trees [9] treat those resources as primitive, either baking them into the operational semantics or, in simple cases, relying on a fixed interpretation into an underlying heap. To handle higher-level notions of separation, Krishnaswami et al [23] embedded "domain-specific separation logics" into higher-order separation logic, and DinsdaleYoung, Gardner, and Wheelhouse named the general phenomenon "fictional disjointness" and justified its support of local reasoning by employing data refinement and axiomatic semantics [14].…”

Section: Related Workmentioning

confidence: 99%

Superficially substructural types

et al. 2012

View full text Add to dashboard Cite

Many substructural type systems have been proposed for controlling access to shared state in higher-order languages. Central to these systems is the notion of a resource, which may be split into disjoint pieces that different parts of a program can manipulate independently without worrying about interfering with one another. Some systems support a logical notion of resource (such as permissions), under which two resources may be considered disjoint even if they govern the same piece of state. However, in nearly all existing systems, the notions of resource and disjointness are fixed at the outset, baked into the model of the language, and fairly coarsegrained in the kinds of sharing they enable.In this paper, inspired by recent work on "fictional disjointness" in separation logic, we propose a simple and flexible way of enabling any module in a program to create its own custom type of splittable resource (represented as a commutative monoid), thus providing fine-grained control over how the module's private state is shared with its clients. This functionality can be incorporated into an otherwise standard substructural type system by means of a new typing rule we call the sharing rule, whose soundness we prove semantically via a novel resource-oriented Kripke logical relation.

show abstract

“…CSL has been extended to deal with dynamically-allocated locks [11,14,15] and re-entrant locks [12]. Others have extended separation logic or similar logics with primitive channels [13,1,24,18], and event driven programs [17].…”

Section: Related Work and Conclusionmentioning

confidence: 99%

Modular reasoning for deterministic parallelism

Dodds

Jagannathan

Parkinson

2011

Proceedings of the 38th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages

View full text Add to dashboard Cite

NOTICE:We've been made aware that there's a bug in this paper that renders the reasoning unsound in certain corner-cases. We believe that the specifications can be fixed, and we're currently working on a solution. Please get in touch if you need more details. Thanks to Kasper Svendsen (kasv@itu.dk) for finding the bug.-Mike, Suresh and Matthew. Modular Reasoning for Deterministic Parallelism AbstractWeaving a concurrency control protocol into a program is difficult and error-prone. One way to alleviate this burden is deterministic parallelism. In this well-studied approach to parallelisation, a sequential program is annotated with sections that can execute concurrently, with automatically injected control constructs used to ensure observable behaviour consistent with the original program. This paper examines the formal specification and verification of these constructs. Our high-level specification defines the conditions necessary for correct execution; these conditions reflect program dependencies necessary to ensure deterministic behaviour. We connect the high-level specification used by clients of the library with the low-level library implementation, to prove that a client's requirements for determinism are enforced. Significantly, we can reason about program and library correctness without breaking abstraction boundaries.To achieve this, we use concurrent abstract predicates, based on separation logic, to encapsulate racy behaviour in the library's implementation. To allow generic specifications of libraries that can be instantiated by client programs, we extend the logic with higherorder parameters and quantification. We show that our high-level specification abstracts the details of deterministic parallelism by verifying two different low-level implementations of the library.

show abstract

Verifying event-driven programs using ramified frame properties

Cited by 23 publications

References 21 publications

The ramifications of sharing in data structures

The ramifications of sharing in data structures

Superficially substructural types

Modular reasoning for deterministic parallelism

Contact Info

Product

Resources

About