9 research outputs found
Actris: session-type based reasoning in separation logic
Message passing is a useful abstraction to implement concurrent programs. For real-world systems, however, it is often combined with other programming and concurrency paradigms, such as higher-order functions, mutable state, shared-memory concurrency, and locks. We present Actris: a logic for proving functional correctness of programs that use a combination of the aforementioned features. Actris combines the power of modern concurrent separation logics with a first-class protocol mechanism - based on session types - for reasoning about message passing in the presence of other concurrency paradigms. We show that Actris provides a suitable level of abstraction by proving functional correctness of a variety of examples, including a distributed merge sort, a distributed load-balancing mapper, and a variant of the map-reduce model, using relatively simple specifications. Soundness of Actris is proved using a model of its protocol mechanism in the Iris framework. We mechanised the theory of Actris, together with tactics for symbolic execution of programs, as well as all examples in the paper, in the Coq proof assistant.Programming Language
Actris 2.0: Asynchronous Session-Type Based Reasoning in Separation Logic
Message passing is a useful abstraction for implementing concurrent programs.
For real-world systems, however, it is often combined with other programming
and concurrency paradigms, such as higher-order functions, mutable state,
shared-memory concurrency, and locks. We present Actris: a logic for proving
functional correctness of programs that use a combination of the aforementioned
features. Actris combines the power of modern concurrent separation logics with
a first-class protocol mechanism -- based on session types -- for reasoning
about message passing in the presence of other concurrency paradigms. We show
that Actris provides a suitable level of abstraction by proving functional
correctness of a variety of examples, including a channel-based merge sort, a
channel-based load-balancing mapper, and a variant of the map-reduce model,
using concise specifications. While Actris was already presented in a
conference paper (POPL'20), this paper expands the prior presentation
significantly. Moreover, it extends Actris to Actris 2.0 with a notion of
subprotocols -- based on session-type subtyping -- that permits additional
flexibility when composing channel endpoints, and that takes full advantage of
the asynchronous semantics of message passing in Actris. Soundness of Actris
2.0 is proven using a model of its protocol mechanism in the Iris framework. We
have mechanised the theory of Actris, together with custom tactics, as well as
all examples in the paper, in the Coq proof assistant.Comment: 60 pages, 24 figure
Actris 2.0: Asynchronous Session-Type Based Reasoning in Separation Logic
Message passing is a useful abstraction for implementing concurrent programs.
For real-world systems, however, it is often combined with other programming
and concurrency paradigms, such as higher-order functions, mutable state,
shared-memory concurrency, and locks. We present Actris: a logic for proving
functional correctness of programs that use a combination of the aforementioned
features. Actris combines the power of modern concurrent separation logics with
a first-class protocol mechanism -- based on session types -- for reasoning
about message passing in the presence of other concurrency paradigms. We show
that Actris provides a suitable level of abstraction by proving functional
correctness of a variety of examples, including a channel-based merge sort, a
channel-based load-balancing mapper, and a variant of the map-reduce model,
using concise specifications. While Actris was already presented in a
conference paper (POPL'20), this paper expands the prior presentation
significantly. Moreover, it extends Actris to Actris 2.0 with a notion of
subprotocols -- based on session-type subtyping -- that permits additional
flexibility when composing channel endpoints, and that takes full advantage of
the asynchronous semantics of message passing in Actris. Soundness of Actris
2.0 is proven using a model of its protocol mechanism in the Iris framework. We
have mechanised the theory of Actris, together with custom tactics, as well as
all examples in the paper, in the Coq proof assistant
Verifying Reliable Network Components in a Distributed Separation Logic with Dependent Separation Protocols
Publisher Copyright: © 2023 Owner/Author. We are grateful to Chet Murthy for helpful discussions. This work was supported in part by a Villum Investigator grant (no. 25804), Center for Basic Research in Program Verification (CPV), from the VILLUM Foundation.We present a foundationally verified implementation of a reliable communication library for asynchronous client-server communication, and a stack of formally verified components on top thereof. Our library is implemented in an OCaml-like language on top of UDP and features characteristic traits of existing protocols, such as a simple handshaking protocol, bidirectional channels, and retransmission/acknowledgement mechanisms. We verify the library in the Aneris distributed separation logic using a novel proof pattern - -dubbed the session escrow pattern - -based on the existing escrow proof pattern and the so-called dependent separation protocols, which hitherto have only been used in a non-distributed concurrent setting. We demonstrate how our specification of the reliable communication library simplifies formal reasoning about applications, such as a remote procedure call library, which we in turn use to verify a lazily replicated key-value store with leader-followers and clients thereof. Our development is highly modular - -each component is verified relative to specifications of the components it uses (not the implementation). All our results are formalized in the Coq proof assistant.publishersversionpublishe
Machine-Checked Semantic Session Typing
Session types- A family of type systems for message-passing concurrency-have been subject to many extensions, where each extension comes with a separate proof of type safety. These extensions cannot be readily combined, and their proofs of type safety are generally not machine checked, making their correctness less trustworthy. We overcome these shortcomings with a semantic approach to binary asynchronous affine session types, by developing a logical relations model in Coq using the Iris program logic. We demonstrate the power of our approach by combining various forms of polymorphism and recursion, asynchronous subtyping, references, and locks/mutexes. As an additional benefit of the semantic approach, we demonstrate how to manually prove typing judgements of racy, but safe, programs that cannot be type checked using only the rules of the type system. Programming Language
Trillium: Higher-Order Concurrent and Distributed Separation Logic for Intensional Refinement - Coq Artifact
<p>Expressive state-of-the-art separation logics rely on step-indexing to model semantically complex features and to support modular reasoning about imperative higher-order concurrent and distributed programs. Step-indexing comes, however, with an inherent cost: it restricts the adequacy theorem of program logics to a fairly simple class of safety properties.</p><p>In this work, we explore if and how <i>intensional refinement</i> is a viable methodology for strengthening higher-order concurrent (and distributed) separation logic to prove non-trivial safety and liveness properties. Specifically, we introduce Trillium, a language-agnostic separation logic framework for showing intensional refinement relations between <i>traces</i> of a program and a model. We instantiate Trillium with a concurrent language and develop Fairis, a concurrent separation logic, that we use to show liveness properties of concurrent programs under fair scheduling assumptions through a fair liveness-preserving refinement of a model. We also instantiate Trillium with a distributed language and obtain an extension of Aneris, a distributed separation logic, which we use to show refinement relations between distributed systems and TLA+ models.</p>
Intrinsically-Typed Definitional Interpreters for Linear, Session-Typed Languages
An intrinsically-typed definitional interpreter is a concise specification of dynamic semantics, that is executable and type safe by construction. Unfortunately, scaling intrinsically-typed definitional interpreters to more complicated object languages often results in definitions that are cluttered with manual proof work. For linearly-typed languages (including session-typed languages) one has to prove that the interpreter, as well as all the operations on semantic components, treat values linearly. We present new methods and tools that make it possible to implement intrinsically-typed definitional interpreters for linearly-typed languages in a way that hides the majority of the manual proof work. Inspired by separation logic, we develop reusable and composable abstractions for programming with linear operations using dependent types. Using these abstractions, we define interpreters for linear lambda calculi with strong references, concurrency, and session-typed communication in AgdaProgramming Language