1 / 78

Stacks, Heaps and Regions: One Logic to Bind Them

Stacks, Heaps and Regions: One Logic to Bind Them. David Walker Princeton University SPACE 2004. Stacks, Heaps and Regions: One Logic to Bind Them. David Walker Princeton University With: Amal Ahmed & Limin Jia. Certifying Compilers. Source Program. Certifying compilers produce:

ginger-rogers
Download Presentation

Stacks, Heaps and Regions: One Logic to Bind Them

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Stacks, Heaps and Regions:One Logic to Bind Them David Walker Princeton University SPACE 2004

  2. Stacks, Heaps and Regions:One Logic to Bind Them David Walker Princeton University With: Amal Ahmed & Limin Jia

  3. Certifying Compilers Source Program • Certifying compilers produce: • machine code + • safety proof • type safety • thread safety • memory safety • Uses: • trustworthy mobile code • safety-critical systems • compiler debugging Certifying Compiler Machine Code + Safety Proof Stacks, Heaps and Regions: One Logic to Bind Them

  4. Certifying Compilers • Low-level typing abstractions: • support diverse source languages • support diverse implementation & optimization strategies • clean interface between compiler and mechanical safety checkers ML Java C # Transform, Optimize Low-level Typing Abstractions Machine Code + Safety Proof (Typing Invariants Encoded) Stacks, Heaps and Regions: One Logic to Bind Them

  5. TALx86 Lessons [Morrisett et al.] • Checking control-flow safety is fairly easy • State & memory management is the hard part • new typing algorithms for each new compiler trick • machine register state • heap memory (pointers, structs, ...) • stack memory (stack pointers, stack structs, ...) • user-managed memory (more pointers, aliasing info, ...) • Results: • complex, ad hoc axioms (type checker less trust-worthy) • repeated work • abstractions not generally composable or reusable Stacks, Heaps and Regions: One Logic to Bind Them

  6. A Goal for SPACE 20... • What we are looking for: A new proof-carrying code system/typed assembly language for safe memory management • More uniform; more general • Easier to understand (simpler semantics) • Allows reuse and composition of abstractions • A promising approach: Search for new logics that can capture common storage invariants • Following Ishtiaq, O’Hearn, Pym, Reynolds, and others insights on storage semantics & separation logic • And Pfenning, CMU crew and others logical design techniques & work on logical frameworks Stacks, Heaps and Regions: One Logic to Bind Them

  7. This Talk… • What recurring properties of memory do we need to reason about in a proof-carrying code system? • Internalizing storage properties in a modal & substructural logic • Semantics of formulae • Using the logic to describe state in a low-level type system (briefly) • Related & Future work • This talk based on work at TLDI 03; LICS 03 Stacks, Heaps and Regions: One Logic to Bind Them

  8. Property #1: Separation • The memory for the heap is separate from the memory for the stack • The register EAX is separate from register EBX (and ECX, etc...) • In general, memory A is separate from memory B if the domain of A does not overlap with the domain of B 74 75 7 8 9 14 15 stack heap EAX EBX Stacks, Heaps and Regions: One Logic to Bind Them

  9. Property #1: Separation • The importance of separation: • If memory A is separate from memory B then updates to A have no impact on B • Eg: updating the stack does not change values in the heap • Eg: updating EAX does not change the contents of EBX • Eg: deallocating region r1 has no impact on region r2 (if they are separate) • Present in • Linear type systems • TALx86 • Ishtiaq, O’Hearn, Reynolds separation logic Stacks, Heaps and Regions: One Logic to Bind Them

  10. Property #2: Adjacency • A struct is a sequence of adjacent locations • An activation record is a sequence of adjacent locations • A stack is a sequence of adjacent activation records • In general, A is adjacent to B if the greatest location in A is next to the least location in B, and A is separate from B 7 8 9 a1 a2 rest... top Stacks, Heaps and Regions: One Logic to Bind Them

  11. Property #2: Adjacency • The importance of adjacency: • If memory A is adjacent to memory B and we can access A then we can access B • Eg: using a pointer to the beginning of a struct, we can access all of its elements • Eg: using a pointer to the top of the stack, we can access the items in the current activation record • Present in • TALx86 • Foundational PCC (Appel et al) • Ordered type systems (Petersen et al.) Stacks, Heaps and Regions: One Logic to Bind Them

  12. Property #3: Containment • Register EAX can contain an integer value (or a pointer value or other kinds of values) • A memory location (say, 7) can contain a sequence of 32 bits • A user-managed memory region may contain a collection of memory locations. EAX 3 31: 0: 1: ... 7 on on off 22 7 13 7 R7 Stacks, Heaps and Regions: One Logic to Bind Them

  13. Property #3: Containment • The importance of containment: • If A is contained in memory region r and region r has property P then A has property P • Eg: EAX may contain an integer --- if so, we can add 3 to the contents of EAX • Eg: Memory region R1 may contain live data --- if so, we can dereference pointers into that region • Present in • Tofte & Talpin’s region calculus • Cardelli, Gardner, Ghelli Gordon’s ambient, tree & graph logics • TALx86 (registers, static data segment, stack & heap) Stacks, Heaps and Regions: One Logic to Bind Them

  14. Property #4: Aliasing • Two pointers are aliases of one another if they are the same location. • Aliasing information is important since changing memory at x changes memory at y • Present in • every system!! • Talx86 reasoned about heap aliases and stack aliases (x = y) x y 3 Stacks, Heaps and Regions: One Logic to Bind Them

  15. This Talk… • What recurring properties of memory are convenient for reasoning in a proof-carrying code system? • Internalizing storage properties in a modal & substructural logic • Semantics of formulae • Using the logic to describe state in a low-level type system • Related & Future work • This talk based on work at TLDI 03; LICS 03 Stacks, Heaps and Regions: One Logic to Bind Them

  16. Preliminaries - Memories • A memory is a mapping from locations to values. • Each location may have a single successor. • Successor relation gives rise to an ordering. • Locations may be composite •  ::= ∗ | .n eg: *.R1.a7 *.R2.a14.b0 m 9 5 6 16 7 17 3 a 1 r2 r1 Stacks, Heaps and Regions: One Logic to Bind Them

  17. Formulae Predicates q ::= t | … Formulae F ::= q | … Semantics of formulae given by: m⊨ F @  “F describes memory m, whose contents are located in place ” ( acts like a constraint on the memory) Simplest case: m⊨ t @  iff dom(m)={} and ⊢ m() : t Stacks, Heaps and Regions: One Logic to Bind Them

  18. Formulae Example m⊨ int @ 3 if m 3 (notice: ⊢ m(3) : int ) 5 Stacks, Heaps and Regions: One Logic to Bind Them

  19. Formulae – Separation Predicates q ::= t| … Formulae F ::= q | F1⊗ F2| … m⊨ F1⊗ F2 @  iff exists disjoint m1 and m2 such that m1⊨ F1 @  and m2⊨ F2 @  and m=m1∪m2 Stacks, Heaps and Regions: One Logic to Bind Them

  20. Formulae – Separation Example m1⊨ F1 @ * m2⊨ F2 @ * m2 m1 3 16 17 7 8 9 7 r6 3 16 5 Stacks, Heaps and Regions: One Logic to Bind Them

  21. Formulae – Separation Example m1∪m2⊨ F1⊗ F2 @ * m1∪m2 3 16 17 7 8 9 7 r6 3 16 5 Stacks, Heaps and Regions: One Logic to Bind Them

  22. Formulae – Adjacency Predicates q ::= t| … Formulae F ::= q | F1⊗ F2| F1○ F2| … m⊨ F1○ F2 @  iff there exist adjacent (and disjoint) m1 , m2 such that m1⊨ F1 @  and m2⊨ F2 @  andm=m1∪m2 Stacks, Heaps and Regions: One Logic to Bind Them

  23. Formulae – Adjacency Example m1⊨ F1 @ * m2⊨ F2 @ * m2 m1 3 5 7 8 9 10 16 17 7 b c Stacks, Heaps and Regions: One Logic to Bind Them

  24. Formulae – Adjacency Example m1∪m2⊨ F1○ F2 @ * m1∪m2 3 5 7 8 9 10 16 17 7 b c Stacks, Heaps and Regions: One Logic to Bind Them

  25. Formulae – Containment Predicates q ::= t| … Formulae F ::= q | F1⊗ F2| F1○ F2 | n[F] | … m⊨ n[F] @  iff m⊨ F @ .n Stacks, Heaps and Regions: One Logic to Bind Them

  26. Formulae - Containment Example m⊨ eax[int] @ * since m⊨ int @ *.eax since ⊢ m(*.eax) : int m eax 5 Stacks, Heaps and Regions: One Logic to Bind Them

  27. Formulae - Containment Example m⊨ eax[int] ⊗ ebx[char] @ * m eax ebx 5 ‘a’ Stacks, Heaps and Regions: One Logic to Bind Them

  28. Formulae - Containment Example m⊨ eax[int] ⊗ ebx[char] @ * since m1⊨ eax[int] @ * and m2⊨ ebx[char] @ * m eax ebx 5 ‘a’ Stacks, Heaps and Regions: One Logic to Bind Them

  29. Formulae - Containment Example m⊨ eax[int] ⊗ ebx[char] @ * since m1⊨ eax[int] @ * and m2⊨ ebx[char] @ * since m1⊨ int @ *.eaxand m2⊨ char @ *.ebx m eax ebx 5 ‘a’ Stacks, Heaps and Regions: One Logic to Bind Them

  30. Aliasing Types t ::= int | bool | S() | ... Predicates q ::= t| … Formulae F ::= q | F1⊗ F2| F1○ F2 | n[F] | … ⊢ v : S() iff v = (all values with type S() are aliases of one another) Stacks, Heaps and Regions: One Logic to Bind Them

  31. Aliasing aliases • Example • m⊨ eax[S(*.a2)] ⊗ ebx[S(*.a2)] ⊗ a2[int] @ * m eax ebx a2 7 Stacks, Heaps and Regions: One Logic to Bind Them

  32. One More Useful Predicate Types t ::= int | bool | S() | ... Predicates q ::= t| more⃖ | more⃗ Formulae F ::= q | F1⊗ F2| F1○ F2| n[F] | ... m⊨ more⃖ m⊨ more⃗ m m 4 5 6 7 8 9 14 15 16 17 18 19 . . . . . . Stacks, Heaps and Regions: One Logic to Bind Them

  33. Simple Machine Memory Layout ( more⃖ ○ hd[t] ○ Ftail○ Fheap○ap[t’] ○more⃗ ) • ⊗r1 [t1] ⊗r2 [t2] ⊗. . .⊗sp[S(hd)] ⊗ap[S(ap)] hd ap . . . . . . . . . . . . more⃖ Ftail Fheapmore⃗ sp r1 r2 ap Stacks, Heaps and Regions: One Logic to Bind Them

  34. More logic Predicates q ::= t| more⃖ | more⃗ Formulae F ::= q | F1⊗ F2| F1○ F2| n[F] | 1 |F1 -o F2 | F1& F2| ㄒ | F1⊕ F2| 0 | f| b. F | $b.F Bindings b ::= :L | n:N | a:T | f :F m⊨ 1 iff dom(m) is empty m⊨ F1& F2 iff m ⊨ F1 and m ⊨ F2 m⊨ ㄒ (holds for any memory m) .... Stacks, Heaps and Regions: One Logic to Bind Them

  35. Logical Deduction Judgments have the form q ∥ D ⊢ F @  • is a variable context – a list of free variables & their kinds • is a bunched context – trees rather than lists (O’Hearn & Pym, 1999)  ::= . | (F @) | ,  | ;  object at a place adjacent storage (no exchange prop) separate storage (exchange prop) Stacks, Heaps and Regions: One Logic to Bind Them

  36. Logical Deduction • The natural deduction rules are sound with respect to the storage semantics • Semantics of contexts : m ⊨ D • Theorem (Soundness) If m ⊨ D and ‧∥ D ⊢ F @  then m ⊨ F @ . Stacks, Heaps and Regions: One Logic to Bind Them

  37. This Talk… • What recurring properties of memory are convenient for reasoning in a proof-carrying code system? • Internalizing storage properties in a modal & substructural logic • Semantics of formulae • Using the logic to describe state in a low-level type system • Related & Future work • This talk based on work at TLDI 03; LICS 03 Stacks, Heaps and Regions: One Logic to Bind Them

  38. Mini-KAM – Simplified ML Kit Abstract Machine Registers r ::= acc1 | acc2 | sp Values v ::= .... Instructions i ::= immed1(v)| immed2(v)| add| sub | push| pop | selectStack(i)|storeStack(i)| select(i)| store(i)| letRgnInf | endRgnInf |alloc(i) register ops stack ops region ops Stacks, Heaps and Regions: One Logic to Bind Them

  39. Mini-KAM Types Types t ::= int | S() | live | dead | (F @ ) → 0 Integers 5 : int Places  : S() Region status live : livedead : dead Code Locations c : (F @ ) → 0 Means it is safe to jump to c with a memory m such that m ⊨ F @  Stacks, Heaps and Regions: One Logic to Bind Them

  40. Mini-KAM – Simplified ML Kit Abstract Machine Mini-KAM Store Hierarchy ∗ acc1 acc2 sp stack R1 . . . Rn R1[live ⊗ F⊗ (a[-] ○more⃗) ] st[more⃖ ○ ak[-] ○. . ○ a1[-] ○] current activation record description of data in region region allocation boundary live region stack area stack tail Stacks, Heaps and Regions: One Logic to Bind Them

  41. Using Formulae in Typing Rules Judgments of the form F@ can be used to describe the pre and postconditions of instructions Instruction typing judgment: q ∥ F @ ⊢i: F’ @ ’ Stacks, Heaps and Regions: One Logic to Bind Them

  42. Using Formulae in Typing Rules Judgment : q ∥ F @ ⊢i: F’ @ ’ In J, look up the type of place .n: J(.n) = Fif ‧∥ J ⊢(ㄒ ⊗n[F]) @  Rule for add instruction: (F @ )(∗.acc1) = int (F @ )(∗.acc2) = int q ∥ F @ ⊢add:F @  Stacks, Heaps and Regions: One Logic to Bind Them

  43. Using Formulae in Typing Rules Judgment q ∥ J ⊢i: J’ (where J is of the form F @ p) J(∗.sp)=S(∗.stack.n0) J(∗.acc1)=t q ∥ J ⊢storeStack(i) :J[∗.stack.no + i:= t ] ( storeStack) In J, update the type of place .no + i: J[.no+i := t] = (F1 ○ n0[-]○‧‧‧○ ni[t] ○ F2) ⊗F3@  if ‧∥ u:J ⊢((F1 ○ n0[-]○‧‧‧○ ni[-] ○ F2) ⊗F3) @  Stacks, Heaps and Regions: One Logic to Bind Them

  44. This Talk… • What recurring properties of memory are convenient for reasoning in a proof-carrying code system? • Internalizing storage properties in a modal & substructural logic • Semantics of formulae • Using the logic to describe state in a low-level type system • Related & Future work • This talk based on work at TLDI 03; LICS 03 Stacks, Heaps and Regions: One Logic to Bind Them

  45. Related Work • Reasoning about adjacency • Stack-based TAL (Morrisett et al., 1998) • Foundational PCC – reasoning about memory allocation (Appel et al.) • lord - calculus for reasoning about data layout at the frontier (Petersen et al., 2003) • Reasoning about aliasing • Long history . . . singleton types for aliasing (Smith, Walker & Morrisett) continue to be useful • Spatial logics : separation and/or containment • BI, separation logic (Ishtiaq, O’Hearn, Reynolds & others, 2000, 2001) • Ambient logic (Cardelli & Gordon, 2000) • Tree and graph logics (Cardelli, Gardner, Ghelli, 2002) Stacks, Heaps and Regions: One Logic to Bind Them

  46. Lots More Work to Do • Add inductive definitions & syntactic rules for reasoning about arrays, recursive data structures • Investigate encodings for common invariants • stack-allocation algorithms • region-allocation algorithms • aliasing patterns • Better understand the connection between modal (hybrid) logic & regions Stacks, Heaps and Regions: One Logic to Bind Them

  47. Conclusion • Described a unified framework for reasoning about • Separation • Adjacency • Containment • Aliasing • Semantics are sound, simple and uniform • Logic forms the basis for a sound and flexible low-level type system • See TLDI 03; LICS 03 for details Stacks, Heaps and Regions: One Logic to Bind Them

  48. Stacks, Heaps and Regions: One Logic to Bind Them

  49. Stacks, Heaps and Regions: One Logic to Bind Them

  50. May Alias Formula when two bits of storage (at a1 and a2) may alias: a1. a2. (a1[int] ⊗ㄒ) & (a2[int] ⊗ㄒ) both memories satisfy the formula: a1 a2 a 5 7 5 Stacks, Heaps and Regions: One Logic to Bind Them

More Related