Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Checking only read permissions when asserting function preconditions #877

Open
wants to merge 14 commits into
base: master
Choose a base branch
from
Open

Checking only read permissions when asserting function preconditions #877

wants to merge 14 commits into from

Conversation

marcoeilers
Copy link
Contributor

Changes the meaning of permission amounts in functions:

  • When checking function preconditions, concrete permission amounts are ignored; instead, we only distinguish between zero and any positive amounts. Thus, the following assertions all have the same meaning in a function precondition: acc(x.f, write) or acc(x.f, wildcard) or acc(x.f, 1/2) or acc(x.f, b ? write : 1/2) or acc(x.f) && acc(x.f) or acc(x.f, 2/1) all just require checking that a caller has some positive permission amount to x.f. The same is true for predicate permissions.
  • However, we still distinguish between zero and positive amounts. Thus, acc(x.f, b ? write : none) is equivalent to acc(x.f, b ? 1/2 : none) and acc(x.f, b ? wildcard : none) but not to acc(x.f, write) or acc(x.f, none).
  • As a result, inside a function, we can no longer assume non-aliasing based on permission amounts.
  • Additionally, when verifying well-definedness of a function, again all permission amounts are ignored (with the exception of distinguishing between zero and something positive as stated before), so I can for example unfold a whole predicate inside a function whose precondition only asks for half that predicate.

The corresponding changes in Silver warn clients who rely on the current behavior, and we provide an alternative:

  • Clients that used function applications to check for specific permission amounts can use the new asserting expression instead.
  • Silver outputs consistency warnings when concrete fractions are used anywhere inside a function, since they are always meaningless (but not wrong)
  • The old behavior can be enabled via the new --respectFunctionPrecPermAmounts command line option

The implementation in Silicon should be more efficient than just substituting wildcards everywhere:

  • The implementation in Silicon adds a new flag to the state that expresses whether only read permission should be asserted. In that mode, we also no longer remove permission from the heap when consuming permissions, and we produce chunks with the amount written in the program; we do not introduce additional wildcards anywhere.
  • Additionally, assuming permission upper bounds is simply disabled inside functions.

This was referenced Oct 15, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@marcoeilers