Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The Heapster any permission #1651

Merged
merged 5 commits into from
May 2, 2022
Merged

The Heapster any permission #1651

merged 5 commits into from
May 2, 2022

Conversation

eddywestbrook
Copy link
Contributor

This PR adds a new false / inconsistent permission any, which translates to the SAW core unit type. This is as opposed to the false permission, which translates to the inconsistent False type. The reason we need any is in order to combine inconsistent permissions whose translations are not inconsistent types. For instance, if we have permissions

x : eq(llvmword(0)) or ptr((W,0) |-> p1) , x:ptr((W,8) |-> p2)

we know in the Heapster type system that x cannot have permission eq(0), because the second permission ensures x is a pointer. The translation of these permissions is the type (unit + [| p1 |]) * [| p2 |], however, where the second element of the pair does not in any way guarantee the the first element is not a left-hand element of the sum type. This sort of situation comes up in Rust functions with Option of reference return values, like this one:

pub fn list64_head_mut <'a> (l:&'a mut List64) -> Option<&'a mut u64> {
    match l {
        List64::Nil64 => None,
        List64::Cons64 (h,_) => Some (h),
    }
}

The input lifetime ownership permission for this function is something like a:lowned (l:List64 -o l:List64), while the output permission is a:lowned (ret: eq(0) or ptr((W,0) |-> u64) -o l:List64). In order to prove the output lifetime ownership permission from the input one in the Some case, we have a situation like the above for the contravariant implication needed for the input permissions of the lowned permissions, where we have to prove ret: eq(0) or ptr(...) plus the ptr permission for ret implies l:List64.

Eddy Westbrook added 3 commits April 27, 2022 17:36
added the any permission
3c7b0e7
added implication rules for the any permission
1c613c6
updated proveVarEq to instantiate evars in expressions when proving e…
4e415ba 
…qualities using an any permission; updated proveVarLLVMBlocks2 to allow proving block permissions of fixed static size from any permissions
@eddywestbrook eddywestbrook added the subsystem: heapster Issues specifically related to memory verification using Heapster label Apr 29, 2022
@eddywestbrook eddywestbrook requested a review from m-yac April 29, 2022 21:43
ChrisEPhifer
ChrisEPhifer reviewed May 2, 2022
View reviewed changes
heapster-saw/src/Verifier/SAW/Heapster/Implication.hs
if exprsUnequal e1 e2 then
distPerms2 x (ValPerm_Eq e1) x (ValPerm_Eq e2)
else
error "simplImplIn: SImpl_IntroAnyEqEq: expressions not unequal"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Totally a minor nitpick - the double-negative phrasing in the error message ("not unequal") seems awkward here. At the same time, though, I see the intent... I'm not sure how to make it clearer. Maybe "expected unequal expressions"? It probably doesn't really matter since this is a halt-and-catch-fire situation anyway.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Huh, I see what you mean. I hadn't thought about "unequal" as a negative thing, because in this context it is a positive, in that we are trying to prove unequality and in this case that proof failed. In the end, though, I think you're right, it probably doesn't really matter. The main content of the error message is actually just the name of the rule that failed...

ChrisEPhifer
ChrisEPhifer approved these changes May 2, 2022
View reviewed changes
Copy link
Member

@ChrisEPhifer ChrisEPhifer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me - I left a comment on an error message that maybe could have been phrased better, but approved the changes since it doesn't matter that much / the intent behind the original phrasing is clear.

@eddywestbrook eddywestbrook added the PR: ready to merge Magic flag for pull requests to ask Mergify to merge given an approval and a successful CI run label May 2, 2022
@mergify mergify bot merged commit 80c475b into master May 2, 2022
@mergify mergify bot deleted the heapster/any-perm branch May 2, 2022 15:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChrisEPhifer ChrisEPhifer ChrisEPhifer approved these changes

@m-yac m-yac Awaiting requested review from m-yac

Assignees
No one assigned
Labels
PR: ready to merge Magic flag for pull requests to ask Mergify to merge given an approval and a successful CI run subsystem: heapster Issues specifically related to memory verification using Heapster
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@eddywestbrook @ChrisEPhifer