Background Memspec Paper The New Specification Next Steps
A Specification for Memory Operations on Structured Data
Presented by: David Bergvelt
University of Illinois
Friday 6 May 2016
Background
Overview
Longterm Goals
Expand specification of LLVM semantics in Isabelle to include operations on structured data
e.g. getelementptr
MiniLLVM only supports int and pointer types
Use expanded specification to prove correctness of transformations on programs that use structured data
Current Goals
Define an abstract specification for sequential memory models that give semantics for operations on structured data
"Abstract" so as to allow us to reason about memory without constraining ourselves to a particular implementation
Prove that the axiomatic specification for sequential memory models defined by Mansky et al. is a specific instance of our specification
Memspec Paper
Memspec
An Axiomatic Specification for Sequential Memory Models by Mansky, Garbuzov, and Zdancewic
"Most" operational memory models that support the operations read, write, alloc, and free are instances of this specification
Provides guarantees about the behavior of programs that use these operations and are consistent with a memory model that is an instance of this specification
Memspec
Specification
Set L of distinct locations, and set V of values
A single location can store a single value
Each memory operation targets exactly one location
An operation that modifies one location should not have an effect on any others
For some ℓ ∈ L and some v ∈ V, define memory operations as: access = read(ℓ, v) | write(ℓ, v) | alloc(ℓ) | free(ℓ)
Define a predicate can do on a sequence of memory operations m and a single operation op. This predicate describes an operational memory model and holds if op is a valid operation to follow m, according to a set of axioms.
If can do holds at each step in the sequence of memory operations performed by a program, we can say the program is consistent with the memory model.
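An added illustration (not code from the talk or from the Mansky et al. paper) of how the slide's definitions fit together: the four operations, a can do predicate (spelled can_do below) over a history m, and the per-step consistency check. The axioms in can_do are a hypothetical concrete model chosen for the example, not the paper's; its per-location replay relies on the slide's requirement that an operation on one location has no effect on any other.

```python
from typing import Optional, Sequence, Tuple

# Memspec's memory operations, as given on the slide:
#   access = read(l, v) | write(l, v) | alloc(l) | free(l)
# Encoded here as tuples: ("read", l, v), ("write", l, v), ("alloc", l), ("free", l).
# Locations and values are plain ints in this constructed example.
Op = Tuple


def loc_state(m: Sequence[Op], loc: int) -> Tuple[bool, Optional[int]]:
    """Replay only the operations in history m that target `loc`.
    Each operation targets exactly one location and must not affect any
    other, so (allocated?, last value written) for `loc` is determined by
    the sub-sequence of operations addressed to it alone."""
    allocated, value = False, None
    for op in m:
        if op[1] != loc:
            continue
        if op[0] == "alloc":
            allocated, value = True, None   # live but uninitialised
        elif op[0] == "free":
            allocated, value = False, None  # dead until re-allocated
        elif op[0] == "write":
            value = op[2]
    return allocated, value


def can_do(m: Sequence[Op], op: Op) -> bool:
    """Hypothetical axioms for one concrete sequential model: is `op`
    a valid operation to follow the history `m`?"""
    kind, loc = op[0], op[1]
    allocated, value = loc_state(m, loc)
    if kind == "alloc":
        return not allocated                # no allocating a live location
    if kind == "free":
        return allocated                    # rejects double free
    if kind == "write":
        return allocated                    # rejects write-after-free
    if kind == "read":
        return allocated and value == op[2]  # live and initialised
    return False                            # unknown operation kind


def first_violation(program: Sequence[Op]) -> Optional[int]:
    """Index of the first step at which can_do fails, or None when
    can_do holds at every step (the program is consistent with the model)."""
    for i, op in enumerate(program):
        if not can_do(program[:i], op):
            return i
    return None


def consistent(program: Sequence[Op]) -> bool:
    return first_violation(program) is None


if __name__ == "__main__":
    # Constructed sample: a use-after-free is caught at step 3.
    uaf = [("alloc", 1), ("write", 1, 7), ("free", 1), ("read", 1, 7)]
    print("first violation at step", first_violation(uaf))
```

Running the block reports the step at which the use-after-free trace stops being consistent; the same checker also rejects double frees and reads of never-written locations.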
Memspec Axioms
Another View
The New Specification
If we want to create a specification for memory models describing operations on structured data, how should it differ from the one given by Mansky et al.?
Things to change
Need an ordering on locations
Support for types of different sizes would be nice
Less restrictive axioms ("can't read", specifically)
Need to define a way to reason about the "geography" of memory containing structured data.
Define rules for what constitutes a valid memory
Finally, we should be able to make guarantees about the behavior of programs that have valid memories (according to our specification) at each step of execution
Geography
Memory Structure Locale
Checking Validity
Some lemmas
Memory Access Datatype
Next Steps
Get memory access datatype working
Define axioms for a can do predicate to describe how the memory operations we have defined are used in a valid program
Prove that the Mansky et al. specification is an instance of our specification