Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unsound package algorithm for magic wands #573

Open
tdardinier opened this issue Jul 28, 2021 · 0 comments
Open

Unsound package algorithm for magic wands #573

tdardinier opened this issue Jul 28, 2021 · 0 comments
Labels
bug Something isn't working critical magic-wands

Comments

@tdardinier
Copy link
Contributor

tdardinier commented Jul 28, 2021

The package algorithm used by Silicon computes a footprint for a wand that may conditions on facts that are not framed by the wand's footprint, which is unsound, as the example below (which is verified by Silicon) illustrates:

field f: Bool
 
method main(x: Ref, a: Ref, b: Ref)
 requires acc(x.f) && acc(a.f) && acc(b.f)
 ensures false
{
    package acc(x.f) && (x.f ? acc(a.f, 1/2) : acc(b.f, 1/2)) --* acc(a.f, 1/2) && acc(b.f, 1/2)
    assert (perm(a.f) == 1/1 && perm(b.f) == 1/2) || (perm(a.f) == 1/2 && perm(b.f) == 1/1)
    x.f := perm(a.f) != 1/1
    apply acc(x.f) && (x.f ? acc(a.f, 1/2) : acc(b.f, 1/2)) --* acc(a.f, 1/2) && acc(b.f, 1/2)
}

The footprint computed by Silicon for the wand acc(x.f) && (x.f ? acc(a.f, 1/2) : acc(b.f, 1/2)) --* acc(a.f, 1/2) && acc(b.f, 1/2) is x.f ? acc(b.f, 1/2) : acc(a.f, 1/2), which is not a theoretically valid footprint, since it conditions on the value of x.f, even though it holds no permission to it.

Note that Carbon suffers from the same issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working critical magic-wands
Projects
None yet
Development

No branches or pull requests

1 participant