specs of shared_ptr #10
Conversation
…em to veify the following function:
int * testnew2() {
int *x=new int[2];
x[0]=1;
x[1]=2;
return x;
}
with spec:
cpp.spec "testnew2()" as testnew2spec with
(
\pre emp
\post{p:ptr}[Vptr p] dynAllocatedR "int[2]" p
** p |-> arrayR "int" (fun x => primR "int" 1 (Vint x)) [1;2]%Z
).
…atedR. testnnewarrdel has issues
aa755
force-pushed
the
aa755/shared_ptr_squashed
branch
from
a92f9be to
fffa0b2
Compare
|
Instead of specifying the contents of the shared pointer using the big sep of a number of pieces that are indexed by natural numbers, have you considered having the user provide a single predicate indexed by |
I dont see how your proposal is any different from this PR:
That is exactly what the user provides currently, except the logically irrelevant difference between
That's exactly what the current invariant does, it holds the pieces that have not been given out yet. Definition sptrInv (id: CtrlBlockId) (Rpiece : nat -> Rep) (ownedPtr:ptr) (pieceOut : nat ->bool) :=
let ctrVal := countLN pieceOut allPieceIds in
(dataLoc id),, ctrOffset |-> atomic.R "long" 1 (Z.of_N ctrVal)
** (if (bool_decide (ctrVal = 0))
then emp
else dynAllocatedR ty ownedPtr
** ([∗ list] ctid ∈ allPieceIds,
if pieceOut ctid then pieceRight id ctid else ownedPtr |-> Rpiece ctid)).When the reference count hits 0, I dont see what we gain by asking the user to do big_sep of pieces manually in the instantiation: as far as I can see that would only make it harder to state and operate on the invariant, e.g. using wands when taking out pieces: the pieces may not be taken out in sequence. Perhaps you meant something else, in which case, it would be best if you sketch the changes in concrete Coq code (need not be complete or compile fully).
You can already do that, by choosing I can add many more test/example proofs to illustrate how the spec covers various use cases |
aa755
force-pushed
the
aa755/shared_ptr_squashed
branch
from
334eab5 to
6b22d5b
Compare
|
What I see in your proposal is that a user of the specification instantiates it by providing What I'm suggesting is that the user provides two predicates, let us call them |
|
Actually, Do you still see any issue that needs to be fixed by introducing |
|
Ok, I'd like Inlining
Yes. My issue is that if the user's data is split using fractions, the set of parameters is suggesting a different decomposition. I think the interface should be more neutral. I'd like to move the |
That is a fundamental constraint of shared_ptr in my opinion. The resource split here captures how to split the ownership of the payload in between all the shared_ptr objects that refer to it. As there can be at most
The interface is already neutral. Do you have any example of a usecase that cannot be handled with the current specs? |
|
@simon-skylabs and I have been thinking about this and put together #13 with our current thoughts. It is a slightly different abstraction of the shared_ptr specification, in certain examples that we have looked at, it seems a bit more flexible, but the heavy reliance on fractions might be a bit clunky. Have you gotten very far using the specifications in this PR? Have you run into any issues? I am pretty sure that we could prove this setup on top of the low-level interface in that spec, but I don't think that it would work well on top of the higher-level interface because of the fixed fraction accounting that you are doing here. |
I have not been able to find the time to work on the proofs that use shared pointers. I have had more important proof tasks come up and they do not use shared pointers. I looked at your PR and it seems strictly less general than this as it enforces splitting via fractions vs the approach here of letting the user chose arbitrary ways to split. I didn't comment there because there is nothing new to add beyond the discussion in this PR. |
|
Thanks, @aa755! I missed the asymmetric sharing protocol; however, I think that this means that the code that you are referencing is using the array specialization of shared pointer, right? That is a little bit different than the setup in the regular shared pointer implementation (at least because it uses |
Right, the code uses array specialization. Yes, the implementation would be slightly different ( Even when shared_ptr is used with a non-scalar, non-array object, e.g. some class instance, I think there will be many applications where clients may use the different shared ptr objects protecting the object to write to different parts of the object concurrently. the fractional splitting approach does not seem to be usable for these proofs. |
|
Perhaps you can start with the client-chosen splitting approach in this spec and then derive on top your fractional splitting spec. |
3 participants
this PR also has the changes from #6 because there branch of that PR is not in this repo so I cannot select it as the base branch.
One way to ignore those already reviewed changes is to just look at the last commit