Background Memspec Paper The New Specification Next Steps

A Specification for Memory Operations onStructured Data

Presented by: David Bergvelt

University of Illinois

Friday 6 May 2016

Background Memspec Paper The New Specification Next Steps

Background

Background Memspec Paper The New Specification Next Steps

Overview

Longterm Goals

Expand specification of LLVM semantics in Isabelle to includeoperations on structured data

e.g. getelementptrMiniLLVM only supports int and pointer types

Use expanded specification to prove correctness oftransformations on programs that use structured data

Current Goals

Define an abstract specification for sequential memory modelsthat give semantics for operations on structured data

”Abstract” so as to allow us to reason about memory withoutconstraining ourselves to a particular implementation

Prove that the axiomatic specification for sequential memorymodels defined by Mansky et al. is a specific instance of ourspecification

Background Memspec Paper The New Specification Next Steps

Overview

Longterm Goals

Expand specification of LLVM semantics in Isabelle to includeoperations on structured data

e.g. getelementptrMiniLLVM only supports int and pointer types

Use expanded specification to prove correctness oftransformations on programs that use structured data

Current Goals

Define an abstract specification for sequential memory modelsthat give semantics for operations on structured data

”Abstract” so as to allow us to reason about memory withoutconstraining ourselves to a particular implementation

Prove that the axiomatic specification for sequential memorymodels defined by Mansky et al. is a specific instance of ourspecification

Background Memspec Paper The New Specification Next Steps

Overview

Longterm Goals

Expand specification of LLVM semantics in Isabelle to includeoperations on structured data

e.g. getelementptr

MiniLLVM only supports int and pointer types

Use expanded specification to prove correctness oftransformations on programs that use structured data

Current Goals

Define an abstract specification for sequential memory modelsthat give semantics for operations on structured data

”Abstract” so as to allow us to reason about memory withoutconstraining ourselves to a particular implementation

Prove that the axiomatic specification for sequential memorymodels defined by Mansky et al. is a specific instance of ourspecification

Background Memspec Paper The New Specification Next Steps

Overview

Longterm Goals

Expand specification of LLVM semantics in Isabelle to includeoperations on structured data

e.g. getelementptrMiniLLVM only supports int and pointer types

Use expanded specification to prove correctness oftransformations on programs that use structured data

Current Goals

Define an abstract specification for sequential memory modelsthat give semantics for operations on structured data

”Abstract” so as to allow us to reason about memory withoutconstraining ourselves to a particular implementation

Prove that the axiomatic specification for sequential memorymodels defined by Mansky et al. is a specific instance of ourspecification

Background Memspec Paper The New Specification Next Steps

Overview

Longterm Goals

Expand specification of LLVM semantics in Isabelle to includeoperations on structured data

e.g. getelementptrMiniLLVM only supports int and pointer types

Use expanded specification to prove correctness oftransformations on programs that use structured data

Current Goals

Define an abstract specification for sequential memory modelsthat give semantics for operations on structured data

”Abstract” so as to allow us to reason about memory withoutconstraining ourselves to a particular implementation

Prove that the axiomatic specification for sequential memorymodels defined by Mansky et al. is a specific instance of ourspecification

Background Memspec Paper The New Specification Next Steps

Overview

Longterm Goals

Expand specification of LLVM semantics in Isabelle to includeoperations on structured data

e.g. getelementptrMiniLLVM only supports int and pointer types

Use expanded specification to prove correctness oftransformations on programs that use structured data

Current Goals

Define an abstract specification for sequential memory modelsthat give semantics for operations on structured data

”Abstract” so as to allow us to reason about memory withoutconstraining ourselves to a particular implementation

Prove that the axiomatic specification for sequential memorymodels defined by Mansky et al. is a specific instance of ourspecification

Background Memspec Paper The New Specification Next Steps

Overview

Longterm Goals

Expand specification of LLVM semantics in Isabelle to includeoperations on structured data

e.g. getelementptrMiniLLVM only supports int and pointer types

Use expanded specification to prove correctness oftransformations on programs that use structured data

Current Goals

Define an abstract specification for sequential memory modelsthat give semantics for operations on structured data

”Abstract” so as to allow us to reason about memory withoutconstraining ourselves to a particular implementation

Prove that the axiomatic specification for sequential memorymodels defined by Mansky et al. is a specific instance of ourspecification

Background Memspec Paper The New Specification Next Steps

Overview

Longterm Goals

Expand specification of LLVM semantics in Isabelle to includeoperations on structured data

e.g. getelementptrMiniLLVM only supports int and pointer types

Use expanded specification to prove correctness oftransformations on programs that use structured data

Current Goals

Define an abstract specification for sequential memory modelsthat give semantics for operations on structured data

”Abstract” so as to allow us to reason about memory withoutconstraining ourselves to a particular implementation

Prove that the axiomatic specification for sequential memorymodels defined by Mansky et al. is a specific instance of ourspecification

Background Memspec Paper The New Specification Next Steps

Overview

Longterm Goals

Expand specification of LLVM semantics in Isabelle to includeoperations on structured data

e.g. getelementptrMiniLLVM only supports int and pointer types

Use expanded specification to prove correctness oftransformations on programs that use structured data

Current Goals

Define an abstract specification for sequential memory modelsthat give semantics for operations on structured data

”Abstract” so as to allow us to reason about memory withoutconstraining ourselves to a particular implementation

Prove that the axiomatic specification for sequential memorymodels defined by Mansky et al. is a specific instance of ourspecification

Background Memspec Paper The New Specification Next Steps

Memspec Paper

Background Memspec Paper The New Specification Next Steps

Memspec

An Axiomatic Specification for Sequential Memory Models byMansky, Garbuzov, and Zdancewic

”Most” operational memory models that support theoperations read, write, alloc, and free are instances of thisspecification

Provides guarantees about the behavior of programs that usethese operations and are consistent with a memory model thatis an instance of this specification

Background Memspec Paper The New Specification Next Steps

Memspec

An Axiomatic Specification for Sequential Memory Models byMansky, Garbuzov, and Zdancewic

”Most” operational memory models that support theoperations read, write, alloc, and free are instances of thisspecification

Provides guarantees about the behavior of programs that usethese operations and are consistent with a memory model thatis an instance of this specification

Background Memspec Paper The New Specification Next Steps

Memspec

Specification

Set L of distinct locations, and set V of values

A single location can store a single valueEach memory operation targets exactly one locationAn operation that modifies one location should not have aneffect on any others

For some ` ∈ L and some v ∈ V, define memory operationsas: access = read(`, v) | write(`, v) | alloc(`) | free(`)

Define a predicate can do on a sequence of memoryoperations m and a single operation op. This predicatedescribes an operational memory model and holds if op is avalid operation to follow m, according to a set of axioms.

If can do holds at each step in the sequence of memoryoperations performed by a program, we can say the program isconsistent with the memory model.

Background Memspec Paper The New Specification Next Steps

Memspec

Specification

Set L of distinct locations, and set V of values

A single location can store a single valueEach memory operation targets exactly one locationAn operation that modifies one location should not have aneffect on any others

For some ` ∈ L and some v ∈ V, define memory operationsas: access = read(`, v) | write(`, v) | alloc(`) | free(`)

Define a predicate can do on a sequence of memoryoperations m and a single operation op. This predicatedescribes an operational memory model and holds if op is avalid operation to follow m, according to a set of axioms.

If can do holds at each step in the sequence of memoryoperations performed by a program, we can say the program isconsistent with the memory model.

Background Memspec Paper The New Specification Next Steps

Memspec

Specification

Set L of distinct locations, and set V of values

A single location can store a single value

Each memory operation targets exactly one locationAn operation that modifies one location should not have aneffect on any others

For some ` ∈ L and some v ∈ V, define memory operationsas: access = read(`, v) | write(`, v) | alloc(`) | free(`)

Define a predicate can do on a sequence of memoryoperations m and a single operation op. This predicatedescribes an operational memory model and holds if op is avalid operation to follow m, according to a set of axioms.

If can do holds at each step in the sequence of memoryoperations performed by a program, we can say the program isconsistent with the memory model.

Background Memspec Paper The New Specification Next Steps

Memspec

Specification

Set L of distinct locations, and set V of values

A single location can store a single valueEach memory operation targets exactly one location

An operation that modifies one location should not have aneffect on any others

For some ` ∈ L and some v ∈ V, define memory operationsas: access = read(`, v) | write(`, v) | alloc(`) | free(`)

Define a predicate can do on a sequence of memoryoperations m and a single operation op. This predicatedescribes an operational memory model and holds if op is avalid operation to follow m, according to a set of axioms.

If can do holds at each step in the sequence of memoryoperations performed by a program, we can say the program isconsistent with the memory model.

Background Memspec Paper The New Specification Next Steps

Memspec

Specification

Set L of distinct locations, and set V of values

A single location can store a single valueEach memory operation targets exactly one locationAn operation that modifies one location should not have aneffect on any others

For some ` ∈ L and some v ∈ V, define memory operationsas: access = read(`, v) | write(`, v) | alloc(`) | free(`)

Define a predicate can do on a sequence of memoryoperations m and a single operation op. This predicatedescribes an operational memory model and holds if op is avalid operation to follow m, according to a set of axioms.

If can do holds at each step in the sequence of memoryoperations performed by a program, we can say the program isconsistent with the memory model.

Background Memspec Paper The New Specification Next Steps

Memspec

Specification

Set L of distinct locations, and set V of values

A single location can store a single valueEach memory operation targets exactly one locationAn operation that modifies one location should not have aneffect on any others

For some ` ∈ L and some v ∈ V, define memory operationsas: access = read(`, v) | write(`, v) | alloc(`) | free(`)

Define a predicate can do on a sequence of memoryoperations m and a single operation op. This predicatedescribes an operational memory model and holds if op is avalid operation to follow m, according to a set of axioms.

If can do holds at each step in the sequence of memoryoperations performed by a program, we can say the program isconsistent with the memory model.

Background Memspec Paper The New Specification Next Steps

Memspec

Specification

Set L of distinct locations, and set V of values

A single location can store a single valueEach memory operation targets exactly one locationAn operation that modifies one location should not have aneffect on any others

For some ` ∈ L and some v ∈ V, define memory operationsas: access = read(`, v) | write(`, v) | alloc(`) | free(`)

Define a predicate can do on a sequence of memoryoperations m and a single operation op. This predicatedescribes an operational memory model and holds if op is avalid operation to follow m, according to a set of axioms.

If can do holds at each step in the sequence of memoryoperations performed by a program, we can say the program isconsistent with the memory model.

Background Memspec Paper The New Specification Next Steps

Memspec

Specification

Set L of distinct locations, and set V of values

A single location can store a single valueEach memory operation targets exactly one locationAn operation that modifies one location should not have aneffect on any others

For some ` ∈ L and some v ∈ V, define memory operationsas: access = read(`, v) | write(`, v) | alloc(`) | free(`)

Define a predicate can do on a sequence of memoryoperations m and a single operation op. This predicatedescribes an operational memory model and holds if op is avalid operation to follow m, according to a set of axioms.

If can do holds at each step in the sequence of memoryoperations performed by a program, we can say the program isconsistent with the memory model.

Background Memspec Paper The New Specification Next Steps

Memspec Axioms

Background Memspec Paper The New Specification Next Steps

Another View

Background Memspec Paper The New Specification Next Steps

The New Specification

Background Memspec Paper The New Specification Next Steps

If we want to create a specification for memory models describingoperations on structured data, how should it differ from the onegiven by Mansky et al.?

Things to change

Need an ordering on locations

Support for types of different sizes would be nice

Less restrictive axioms (”can’t read”, specifically)

Need to define a way to reason about the ”geography” ofmemory containing structured data.

Define rules for what constitutes a valid memoryFinally, we should be able to make guarantees about thebehavior of programs that have valid memories (according toour specification) at each step of execution

Background Memspec Paper The New Specification Next Steps

If we want to create a specification for memory models describingoperations on structured data, how should it differ from the onegiven by Mansky et al.?

Things to change

Need an ordering on locations

Support for types of different sizes would be nice

Less restrictive axioms (”can’t read”, specifically)

Need to define a way to reason about the ”geography” ofmemory containing structured data.

Define rules for what constitutes a valid memoryFinally, we should be able to make guarantees about thebehavior of programs that have valid memories (according toour specification) at each step of execution

Background Memspec Paper The New Specification Next Steps

If we want to create a specification for memory models describingoperations on structured data, how should it differ from the onegiven by Mansky et al.?

Things to change

Need an ordering on locations

Support for types of different sizes would be nice

Less restrictive axioms (”can’t read”, specifically)

Need to define a way to reason about the ”geography” ofmemory containing structured data.

Define rules for what constitutes a valid memoryFinally, we should be able to make guarantees about thebehavior of programs that have valid memories (according toour specification) at each step of execution

Background Memspec Paper The New Specification Next Steps

If we want to create a specification for memory models describingoperations on structured data, how should it differ from the onegiven by Mansky et al.?

Things to change

Need an ordering on locations

Support for types of different sizes would be nice

Less restrictive axioms (”can’t read”, specifically)

Need to define a way to reason about the ”geography” ofmemory containing structured data.

Define rules for what constitutes a valid memoryFinally, we should be able to make guarantees about thebehavior of programs that have valid memories (according toour specification) at each step of execution

Background Memspec Paper The New Specification Next Steps

If we want to create a specification for memory models describingoperations on structured data, how should it differ from the onegiven by Mansky et al.?

Things to change

Need an ordering on locations

Support for types of different sizes would be nice

Less restrictive axioms (”can’t read”, specifically)

Need to define a way to reason about the ”geography” ofmemory containing structured data.

Define rules for what constitutes a valid memoryFinally, we should be able to make guarantees about thebehavior of programs that have valid memories (according toour specification) at each step of execution

Background Memspec Paper The New Specification Next Steps

If we want to create a specification for memory models describingoperations on structured data, how should it differ from the onegiven by Mansky et al.?

Things to change

Need an ordering on locations

Support for types of different sizes would be nice

Less restrictive axioms (”can’t read”, specifically)

Need to define a way to reason about the ”geography” ofmemory containing structured data.

Define rules for what constitutes a valid memory

Finally, we should be able to make guarantees about thebehavior of programs that have valid memories (according toour specification) at each step of execution

Background Memspec Paper The New Specification Next Steps

If we want to create a specification for memory models describingoperations on structured data, how should it differ from the onegiven by Mansky et al.?

Things to change

Need an ordering on locations

Support for types of different sizes would be nice

Less restrictive axioms (”can’t read”, specifically)

Need to define a way to reason about the ”geography” ofmemory containing structured data.

Define rules for what constitutes a valid memoryFinally, we should be able to make guarantees about thebehavior of programs that have valid memories (according toour specification) at each step of execution

Background Memspec Paper The New Specification Next Steps

Geography

Background Memspec Paper The New Specification Next Steps

Memory Structure Locale

Background Memspec Paper The New Specification Next Steps

Checking Validity

Background Memspec Paper The New Specification Next Steps

Some lemmas

Background Memspec Paper The New Specification Next Steps

Memory Access Datatype

Background Memspec Paper The New Specification Next Steps

Next Steps

Background Memspec Paper The New Specification Next Steps

Get memory access datatype working

Define axioms for a can do predicate to describe how to thememory operations we have defined are used in a validprogram

Prove that the Mansky et al. specification is an instance ofour specification

Background Memspec Paper The New Specification Next Steps

Get memory access datatype working

Define axioms for a can do predicate to describe how to thememory operations we have defined are used in a validprogram

Prove that the Mansky et al. specification is an instance ofour specification

Background Memspec Paper The New Specification Next Steps

Get memory access datatype working

Define axioms for a can do predicate to describe how to thememory operations we have defined are used in a validprogram

Prove that the Mansky et al. specification is an instance ofour specification