Stacks, Heaps and Regions: One Logic to Bind Them David Walker Princeton University SPACE 2004.

Stacks, Heaps and Regions:One Logic to Bind Them

David Walker

Princeton University

SPACE 2004

Stacks, Heaps and Regions:One Logic to Bind Them

David Walker

Princeton University

With: Amal Ahmed & Limin Jia

David Walker Stacks, Heaps and Regions: One Logic to Bind Them 3

Certifying Compilers

Certifying compilers produce:» machine code +» safety proof

• type safety• thread safety• memory safety

Uses:» trustworthy mobile

code» safety-critical systems» compiler debugging

Source Program

Certifying

Compiler

Machine Code + Safety Proof


Certifying Compilers

Low-level Typing Abstractions

Java C #ML

Transform, Optimize

Machine Code +

Safety Proof (Typing Invariants Encoded)

Low-level typing abstractions:» support diverse source

languages» support diverse

implementation & optimization strategies

» clean interface between compiler and mechanical safety checkers


TALx86 Lessons [Morrisett et al.]

Checking control-flow safety is fairly easy State & memory management is the hard part

» new typing algorithms for each new compiler trick• machine register state• heap memory (pointers, structs, ...) • stack memory (stack pointers, stack structs, ...)• user-managed memory (more pointers, aliasing info, ...)

Results:» complex, ad hoc axioms (type checker less trust-

worthy)» repeated work» abstractions not generally composable or reusable


A Goal for SPACE 20...

What we are looking for: A new proof-carrying code system/typed assembly language for safe memory management» More uniform; more general» Easier to understand (simpler semantics)» Allows reuse and composition of abstractions

A promising approach: Search for new logics that can capture common storage invariants» Following Ishtiaq, O’Hearn, Pym, Reynolds, and others

insights on storage semantics & separation logic» And Pfenning, CMU crew and others logical design

techniques & work on logical frameworks


This Talk…

What recurring properties of memory do we need to reason about in a proof-carrying code system?

Internalizing storage properties in a modal & substructural logic » Semantics of formulae

Using the logic to describe state in a low-level type system (briefly)

Related & Future work» This talk based on work at TLDI 03; LICS 03


The memory for the heap is separate from the memory for the stack

The register EAX is separate from register EBX (and ECX, etc...)

In general, memory A is separate from memory B if the domain of A does not overlap with the domain of B

Property #1: Separation

EAX EBX

7 8 9 1415 7475stack heap


The importance of separation:» If memory A is separate from memory B then updates to

A have no impact on B» Eg: updating the stack does not change values in the

heap» Eg: updating EAX does not change the contents of EBX» Eg: deallocating region r1 has no impact on region r2 (if

they are separate)

Present in» Linear type systems» TALx86» Ishtiaq, O’Hearn, Reynolds separation logic

Property #1: Separation


A struct is a sequence of adjacent locations An activation record is a sequence of adjacent

locations

A stack is a sequence of adjacent activation records

In general, A is adjacent to B if the greatest location in A is next to the least location in B, and A is separate from B

Property #2: Adjacency

7 8 9

a1 a2

toprest...


The importance of adjacency:» If memory A is adjacent to memory B and we can access

A then we can access B» Eg: using a pointer to the beginning of a struct, we can

access all of its elements» Eg: using a pointer to the top of the stack, we can

access the items in the current activation record

Present in» TALx86 » Foundational PCC (Appel et al)» Ordered type systems (Petersen et al.)

Property #2: Adjacency


Register EAX can contain an integer value (or a pointer value or other kinds of values)

A memory location (say, 7) can contain a sequence of 32 bits

A user-managed memory region may contain a collection of memory locations.

Property #3: Containment

3EAX

7 on0:

off1:

on31:...

R77 137 22


The importance of containment:» If A is contained in memory region r and region r has

property P then A has property P» Eg: EAX may contain an integer --- if so, we can add 3 to

the contents of EAX» Eg: Memory region R1 may contain live data --- if so, we

can dereference pointers into that region

Present in» Tofte & Talpin’s region calculus» Cardelli, Gardner, Ghelli Gordon’s ambient, tree & graph

logics» TALx86 (registers, static data segment, stack & heap)

Property #3: Containment


Two pointers are aliases of one another if they are the same location.

Aliasing information is important since changing memory at x changes memory at y

Present in» every system!!» Talx86 reasoned about heap aliases and stack aliases

Property #4: Aliasing

3

x y (x = y)


This Talk…

What recurring properties of memory are convenient for reasoning in a proof-carrying code system?


Using the logic to describe state in a low-level type system



Preliminaries - Memories

A memory is a mapping from locations to values. Each location may have a single successor. Successor relation gives rise to an ordering.

Locations may be composite

» ::= ∗ | .n eg: *.R1.a7 *.R2.a14.b0

m

a6

r1

7

r2

35

11617

9


Formulae

Predicates q ::= | …

Formulae F ::= q | …

Semantics of formulae given by: m ⊨ F @

“F describes memory m, whose contents are located in place ” ( acts like a constraint on the memory)

Simplest case:

m ⊨ @ iff dom(m)={} and ⊢ m() :


Formulae

Example

m ⊨ int @ 3 if

53

m(notice: ⊢ m(3) : int )


Formulae – Separation


Formulae F ::= q | F1 ⊗F2 | …

m ⊨ F1 ⊗F2 @ iff exists disjoint m1 and m2 such that

m1 ⊨ F1 @ and m2 ⊨ F2 @ and m=m1∪m2



Example

m1 ⊨ F1 @ * m2 ⊨ F2 @ *

73

m1

5

7 8 9

m21617

3 16r6



Example

m1∪m2 ⊨ F1 ⊗ F2 @ *

73

m1∪m2

5

7 8 9

1617

r6163


Formulae – Adjacency


Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | …

m ⊨ F1 ○F2 @ iff there exist adjacent (and disjoint)

m1 , m2 such that

m1 ⊨ F1 @ and m2 ⊨ F2 @

and m=m1∪m2



Example

m1 ⊨ F1 @ * m2 ⊨ F2 @ *

73

m1

b5 7 8 9

m2

c10 1617



Example

m1∪m2 ⊨ F1 ○ F2 @ *

73

b5 7 8 9

c10 1617

m1∪m2


Formulae – Containment


Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | n[F] | …

m ⊨ n[F] @ iff m ⊨ F @ .n


Formulae - Containment

Example

m ⊨ eax[int] @ * since m ⊨ int @ *.eax

5eax

since ⊢ m(*.eax) : int m



Example

m ⊨ eax[int] ⊗ebx[char] @ *

5eax

m

‘a’ebx



Example


since m1 ⊨ eax[int] @ * and m2 ⊨ ebx[char] @ *

5eax

m

‘a’ebx



Example


since m1 ⊨ eax[int] @ * and m2 ⊨ ebx[char] @ *

since m1 ⊨ int @ *.eax and m2 ⊨ char @ *.ebx

5eax

m

‘a’ebx


Aliasing

Types int | bool | S() | ...


Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | n[F] | …

⊢ v : S() iff v = (all values with type S() are

aliases of one another)


Aliasing

Example

m ⊨ eax[S(*.a2)] ⊗ ebx[S(*.a2)] ⊗ a2[int] @ *

eaxm

ebx

7a2

aliases


Simple Machine Memory Layout

( more⃖ ○hd [] ○ Ftail ○ Fheap ○ ap [’] ○ more⃗)

⊗r1 [1] ⊗r2 [2] ⊗⊗sp [S(hd)] ⊗ap [S(ap)]

. . .. . .hd

. . . . . .

ap

sp r1 r2ap

more⃖ Ftail Fheapmore⃗


More logic


Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | n[F] |

1 | F1 -o F2 |

F1 F2 | ㄒ | F1 ⊕F2 | 0 || b. F | b.F

Bindings b ::= :L | n:N | :T | :F

m ⊨ 1 iff dom(m) is empty

m ⊨ F1 F2 iff m ⊨ F1 and m ⊨ F2

m ⊨ ㄒ (holds for any memory m)....


Logical Deduction

Judgments have the form ∥⊢ F @

is a variable context – a list of free variables & their kinds

is a bunched context – trees rather than lists (O’Hearn & Pym, 1999)

. | (F @ ) |

object at a place

separate storage(exchange prop)

adjacent storage(no exchange prop)


The natural deduction rules are sound with respect to the storage semantics

Semantics of contexts : m ⊨

Theorem (Soundness)

If m ⊨ and ‧∥⊢ F @ then m ⊨ F @ .

Logical Deduction


This Talk…






Types ::= int | S() | live | dead |

(F @ ) →0

Integers 5 : int

Places : S()

Region status live : live dead : dead

Code Locations c : (F @ ) →0

Means it is safe to jump to c with a memory m such that m ⊨ F @

Mini-KAM Types


Mini-KAM – Simplified ML Kit Abstract Machine

Mini-KAM Store Hierarchy

∗

st[more⃖ ○ ak[-] ○ . . ○ a1[-] ○ ]R1[live ⊗ F ⊗ (a[-] ○ more⃗

acc1 acc2 sp stack R1 . . . Rn

current activation record

stack tail

live regiondescriptionof data in

region

regionallocationboundarystack area


Judgments of the form F @ can be used to describe the pre and postconditions of instructions

Instruction typing judgment: ∥F @ ⊢ : F’ @ ’

Using Formulae in Typing Rules


Judgment : ∥F @ ⊢ : F’ @ ’

In J, look up the type of place .n:

J(.n) = F if ‧∥J ⊢( ㄒ ⊗ n[F] ) @

Rule for add instruction:

(F @ )(∗.acc1) = int (F @ )(∗.acc2) = int

∥F @ ⊢ add : F @



Judgment ∥J ⊢ : J’ (where J is of the form F @ p)

J(∗.sp)=S(∗.stack.n0) J(∗.acc1)=

∥J ⊢ storeStack(i) : J[∗.stack.no + i := ]


( storeStack)

In J, update the type of place .no + i:

J[.no+i := ] = (F1 ○n0[-] ○ ‧‧‧ ○ ni[] ○F2) ⊗ F3 @

if ‧∥u:J ⊢((F1 ○n0[-] ○ ‧‧‧ ○ ni[-] ○F2) ⊗ F3) @


This Talk…






Related Work

Reasoning about adjacency» Stack-based TAL (Morrisett et al., 1998)» Foundational PCC – reasoning about memory allocation (Appel

et al.)» ord - calculus for reasoning about data layout at the frontier

(Petersen et al., 2003)

Reasoning about aliasing» Long history . . . singleton types for aliasing (Smith, Walker &

Morrisett) continue to be useful

Spatial logics : separation and/or containment» BI, separation logic (Ishtiaq, O’Hearn, Reynolds & others, 2000,

2001) » Ambient logic (Cardelli & Gordon, 2000) » Tree and graph logics (Cardelli, Gardner, Ghelli, 2002)


Lots More Work to Do

Add inductive definitions & syntactic rules for reasoning about arrays, recursive data structures

Investigate encodings for common invariants» stack-allocation algorithms» region-allocation algorithms» aliasing patterns

Better understand the connection between modal (hybrid) logic & regions


Conclusion

Described a unified framework for reasoning about» Separation» Adjacency» Containment» Aliasing

Semantics are sound, simple and uniform

Logic forms the basis for a sound and flexible low-level type system

See TLDI 03; LICS 03 for details


when two bits of storage (at a1 and a2) may alias:

a1. a2. (a1[int] ⊗ ㄒ ) & (a2[int] ⊗ ㄒ )

both memories satisfy the formula:

May Alias Formula

5a1

7a2

5a


Code Describing Formula

(b-stackgrow)(x 2) (b-unpack)(x 2) sub sp,sp,2

st sp[0],r1

st sp[1],r2

< Code for A >

ld r1,sp[0]

ld r2,sp[1]

add sp,sp,2

Example: Saving Temporaries on the Stack

(more○⃖ 1[1] ○ 2[2] ○ [] ○ F1)

⊗ sp[S()] ⊗ r1[1] ⊗ r2[2]

Fpre

(more○⃖ 1[1] ○ 2[2] ○ [] ○ F1)

⊗ sp[S(1)] ⊗ r1[1] ⊗ r2[2]

Fpost


Types ::= int | S(p) | (F @ p) →0

Informally, c : (F @ p) →0 means it is safe to jump to c with a memory m such that m ⊨ F @ p

Formulae Wrapped in Types


Motivation: Certifying Compilers

Source Program

Certifying

Compiler

Safety ProofMachine Code


Parse, Typecheck


Source Program


High-level Typed IL

Analysis, Optimization

Medium-level Typed IL

Code Generation

Typed Assembly Language

Assembler

Prover

Type- preserving Compiler

Hints



Java


Optimize Optimize Optimize


Code Generation

Typed Assembly Language

Assembler

Prover

Type- preserving Compiler

Hints

High TIL High TIL High TIL

JavaML


Motivation: Proof-Carrying Code

The Princeton foundational PCC system (Appel et al.)

Scaling PCC to production compilers and realistic languages

Some requirements:» Multiple source languages, single target language» Core proof system must be general and flexible

• support for general language features• handle different implementation and optimization

strategies

» Trusted computing base should be small• to limit security bugs


PCC System – Layers of Abstraction

Higher-order logic

Machine spec

Semantics of types

Low-level typing abstractions

High-level typing abstractions

Compiler

support fora rangeof languagefeatures

general &flexible

interfaceto compiler


A Hard Problem (Semantics)

Semantics of memory updates and memory reuse

Semantic model of ML-style mutable references (Ahmed, Appel, Virga, 2002)

To handle ML function closures: » extended model with mutable references to

(impredicative) polymorphic types (Ahmed, Appel, Virga, 2003)

To allow memory reuse: » extended model to support region-based memory

management



Prover


Typing abstractions (TAL)

Java C #ML

High-level Typed IL

Analysis, Optimization


Should be general & flexible; support many• language features• implementation + optimization strategies


Typing Abstractions for Memory

Reasoning about memory is complicated» many different memory management strategies, aliasing

patterns, data layout possibilities, etc.

Systems for safe mobile code would benefit from » a unified framework for reasoning about a variety of

invariants » convenient abstractions that help structure proofs of

memory safety


Abstractions for Memory?


TALx86

Source

High TIL

Medium TIL

CornellPopcorn & Cyclone

VCGen + Prover


Source

High TIL

Medium TIL

Cedilla SystemsSpecial J

Prover


LTAL

Source

High TIL

Medium TIL

PrincetonFoundational PCC




TALx86

Source

High TIL

Medium TIL


VCGen + Prover


Source

High TIL

Medium TIL


Prover


LTAL

Source

High TIL

Medium TIL




Reasoning aboutmemory iscomplicated:many differentmemorymanagementstrategies,aliasing patterns,data layoutpossibilities, etc.


TALx86

Source

High TIL

Medium TIL

Cornell Popcorn, Cyclone

VCGen + Prover


Source

High TIL

Medium TIL


Prover


LTAL

Source

High TIL

Medium TIL



Typing Abstractions for Memory?

Reasoning about memory is complicated» many different memory management strategies, aliasing

patterns, data layout possibilities, etc.


TALx86

Source

High TIL

Medium TIL


VCGen + Prover


Source

High TIL

Medium TIL


Prover


LTAL

Source

High TIL

Medium TIL



Types ::= int | S(p) | (F @ p) →0

Informally, c : (F @ p) →0 means it is safe to jump to c with a memory m such that m ⊨ F @ p

Formulae Wrapped in Types


Lessons from Typed Assembly Language Lesson 1:

» Much of the type theory designed for higher-level languages can be reused to help verify machine code.

• TAL is “just” the closed, continuation-passing style polymorphic lambda calculus (++)

Lesson 2:» The hard part is memory management & memory

safety.


One Logic to Bind Them

New goals for general-purpose safe memory management» composable abstractions» reusable abstractions» orthogonal abstractions» comprehensible abstractions

A unified & composable framework for reasoning about » separation of objects (memory blocks)» adjacency of objects » aliasing of pointers» containment of one place in another

Proof that deduction in our logic is sound with respect to the memory model

Use logic in a type system for an IL for region-based memory management (Mini-KAM) and prove that the language is sound


This Talk…

Logical formulae and the memory model » Flat memory » Hierarchical memory

Type system for Mini-KAM (informally)


A Logical Approach to Memory Management

One logic for reasoning about key storage properties: » separation of objects (memory blocks)» adjacency of objects » containment of one place in another» aliasing of pointers

Logic comes with» orthogonal connectives to internalize key properties» syntactic proof rules » sound store semantics

Logic is incorporated into a typed abstract machine» safe stack, heap and region-based memory management


Formulae – Multiplicative Unit

Predicates q ::= [] | …

Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | 1 | …

m ⊨ 1 iff

m


Hierarchical Memories

R17 8 9

R21415

m


Path/place p ::= ∗ | p.n eg: *.R1.7

*.R2.14

Hierarchical Memories, Paths

R17 8 9

R21415

m ∗R1 R2

7 8 9 1415


Path/place p ::= ∗ | p.n eg: *.R1.7 *.R2.14

A hierarchical memory is a mapping from paths to values.

Hierarchical Memories, Paths

R17 8 9

R21415

m =A1 ∗R1 R2

7 8 9 1514

b0 b1 … b31


Formulae – Containment


Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | 1 |

F1 F2 | ㄒ | F1 ⊕F2 | 0 |

| b. F | b.F | n[F]

Bindings b ::= p:P | n:N | :T | :F

Semantics given by: m ⊨ F @ p


Formula Semantics – Separation

Formulae F ::= … | F1 ⊗F2 | … | n[F]

m ⊨ (F1 ⊗F2) @ p iff there exist disjoint m1 and m2

m1 ⊨ F1 @ p and m2 ⊨ F2 @ p

and m=m1∪m2



Example

m1 ⊨ F1 @ ∗ m2 ⊨ F2 @ ∗

dom(m1)={∗.R5.3} dom(m2)={∗.R5.4}

R5

m1

33

R5

m2

43



Example

m1 ⊨ F1 @ ∗ m2 ⊨ F2 @ ∗

dom(m1)={∗.R5.3} dom(m2)={∗.R5.4}

R5

m1∪m2

33

R5 43

m1∪m2 ⊨ (F1 ⊗F2) @ ∗


Sample Deductive Rules

Each connective is defined in terms of judgmental concepts only; no dependencies on other connectives

Simpler to understand & manipulate

∥ F @ p ⊢ F @ p(hypothesis)

∥ ⊢ n[F] @ p(n[] I)

∥ ⊢ F @ p.n

∥ ⊢ F @ p.n(n[] E)

∥ ⊢ n[F] @ p

Stacks, Heaps and Regions: One Logic to Bind Them David Walker Princeton University SPACE 2004.

Documents

Transcript of Stacks, Heaps and Regions: One Logic to Bind Them David Walker Princeton University SPACE 2004.