Proving Copyless Message Passing Jules Villard 1 tienne Lozes 1 - PowerPoint PPT Presentation

Proving Copyless Message Passing Jules Villard 1 Étienne Lozes 1 Cristiano Calcagno 2 1 LSV, ENS Cachan, CNRS 2 Imperial College, London ANR PANDA – Sept. 10 – PPS

Outline Copyless Message Passing Language Highlights Contracts Local Reasoning for Copyless Message Passing Separation Logic Separation Logic Extended Proofs in Separation Logic. . . . . . Extended Proof Sketch Conclusion

Inspiration: Singularity [Fähndrich & al. ’06] Singularity: a research project and an operating system. ◮ No memory protection: all processes share the same address space ◮ Memory isolation is verified at compile time (Sing ♯ language) ◮ No shared resources. Instead, processes communicate by copyless message passing ◮ Communications are ruled by contracts ◮ Many guarantees ensured by the compiler: • race freedom (process isolation) • contract obedience • progress (?) 1 / 31

Sing ♯ communication model ◮ Channels are bidirectional and asynchronous channel = pair of FIFO queues ◮ Channels are made of two endpoints similar to socket model ◮ Endpoints are allocated, disposed of, and may be communicated through channels under some conditions, similar to internal mobility in π -calculus ◮ Communications are ruled by user-defined contracts similar to session types 2 / 31

Message Passing with copies x z y e f w m send(cell,e,m); *z = receive(cell,f); 3 / 31

Message Passing with copies x z y e f w m send(cell,e,m); *z = receive(cell,f); 3 / 31

Message Passing with copies m x z y e f w m send(cell,e,m); *z = receive(cell,f); 3 / 31

Message Passing with copies m x z y e f w m send(cell,e,m); *z = receive(cell,f); 3 / 31

Message Passing with copies m x z y e f w m send(cell,e,m); *z = receive(cell,f); 3 / 31

Message Passing with copies x z y e f m w m send(cell,e,m); *z = receive(cell,f); 3 / 31

Message Passing with copies x z y e f m w m send(cell,e,m); *z = receive(cell,f); 3 / 31

Copyless Message Passing (shared memory) x z y e f w m send(cell,e,m); *z = receive(cell,f); 4 / 31

Copyless Message Passing (shared memory) x z y e f w m send(cell,e,m); *z = receive(cell,f); 4 / 31

Copyless Message Passing (shared memory) m x z y e f w m send(cell,e,m); *z = receive(cell,f); 4 / 31

Copyless Message Passing (shared memory) m x z y e f w m send(cell,e,m); *z = receive(cell,f); 4 / 31

Copyless Message Passing (shared memory) x z y e f w m send(cell,e,m); *z = receive(cell,f); 4 / 31

Copyless Message Passing (shared memory) x z y e f w m send(cell,e,m); *z = receive(cell,f); 4 / 31

In this talk [APLAS’09] ◮ Define a simple model of this language ◮ Provide a proof system based on Separation Logic 5 / 31

In this talk [APLAS’09] ◮ Define a simple model of this language ◮ Provide a proof system based on Separation Logic • Validate programs w.r.t. ownership • Compositional approach • Provide a tool for annotated programs 5 / 31

Syntax of the Programming Language Expressions and Boolean Expressions E ::= x ∈ Var | ℓ ∈ Loc | ε ∈ Endpoint | v ∈ Val E = E | B and B | not B B ::= Atomic commands x = E c ::= | x = new() | dispose(x) | x = E → f | x → f = E | . . . Programs c | p ; p | p || p | if B then p else p | while B { p } | local x in p p ::= 6 / 31

Syntax of atomic commands (continued) c ::= ... | (e, f) = open(C) (creates a channel with endpoints e,f) | close(E,E’) (channel disposal) | send(m, E, E’) (sends message m over endpoint E) | x = receive(m, E) (receives message m over endpoint E) Comments ◮ m is a message identifier, not the value of the message ◮ both endpoints of a channel must be closed together 7 / 31

A very simple example local e,f in (e,f) = open(C); send(m,e,a); b = a; ≈ b = receive(m,f); close(e,f); 8 / 31

Channels, Contracts Processes communicate through channels. ◮ A channel is made of two endpoints. ◮ It is bidirectional and asynchronous. ◮ It must follow a contract. Contracts dictate which sequences of messages are admissible. ◮ It is a finite state machine, where arrows are labeled by a message’s name and a direction: send ( ! ) or receive ( ? ). ◮ Dual endpoints of a channel follow dual contracts ( ¯ C = C [? ↔ !] ). ◮ We consider leak-free contracts that ensure absence of memory leaks 9 / 31

Contract Example message ack message cell message close_me contract C { initial state transfer { !cell -> wait; !close_me -> end; } state wait { ?ack -> transfer; } final state end {} } ! cell C: wait_ack transfer ? ack end ! close _ me 10 / 31

Our tool heaps that hop!

Outline Copyless Message Passing Language Highlights Contracts Local Reasoning for Copyless Message Passing Separation Logic Separation Logic Extended Proofs in Separation Logic. . . . . . Extended Proof Sketch Conclusion

Separation Logic Separation Logic [O’Hearn 01, Reynolds 02, . . . ] ◮ An assertion language to describe states ◮ An extension of Hoare Logic 13 / 31

Assertion Language Syntax ::= x | n ∈ N expressions E stack predicates A ::= E 1 = E 2 | E 1 � = E 2 | emp h | E 1 �→ E 2 heap predicates formulas | A 1 ∧ A 2 | A 1 ∗ A 2 Semantics iff � E 1 � s = � E 2 � s ( s , h ) � E 1 = E 2 emp h iff dom ( h ) = ∅ ( s , h ) � E 1 �→ E 2 iff dom ( h ) = { � E 1 � s } & h ( � E 1 � s ) = � E 2 � s ( s , h ) � iff ( s , h ) � A 1 & ( s , h ) � A 2 ( s , h ) � A 1 ∧ A 2 iff ∃ h 1 , h 2 . dom ( h 1 ) ∩ dom ( h 2 ) = ∅ ( s , h ) � A 1 ∗ A 2 & h = h 1 ∪ h 2 & ( s , h 1 ) � A 1 & ( s , h 2 ) � A 2 14 / 31

Assertion Language (extension) Syntax (continued) ::= A . . . | emp ep | E peer endpoints’ predicates �→ ( C { a } , E ′ ) Intuitively E �→ ( C { a } , E ′ ) means : peer ◮ E is an allocated endpoint ◮ its peer is E ′ ◮ it is ruled by contract C ◮ it currently is in contract’s state a 15 / 31

True/False 1. x �→ d : 10 ∗ y �→ d : 11 satisfiable, 2 cells 2. x �→ d : 10 ∧ y �→ d : 11 false 3. x �→ d : 10 ∧ y �→ d : 10 satisfiable, x = y false 4. x �→ − ∧ x peer �→ ( − , − ) 16 / 31

Soundness Theorem 1 (Soundness) If a Hoare triple { A } p { B } is provable, then if the program p starts in a state satisfying A and terminates, 1. p does not fault on memory accesses 2. p does not leak memory 3. the final state satisfies B 17 / 31

Proof System Standard Hoare Logic { A ′ } p ′ { B } { A } p { A ′ } { A } p ; p ′ { B } . . . Local Reasoning Rules { A ′ } p ′ { B ′ } { A } p { B } { A } p { B } { A ∗ A ′ } p || p ′ { B ∗ B ′ } { A ∗ F } p { B ∗ F } Small Axioms { A } x = E { A [ x ← x ′ ] ∧ x = E [ x ← x ′ ] } { emp } x = new() {∃ v . x �→ v } . . . 18 / 31

Proof of Programs { x �→ d : 10 } y = new (); { x �→ d : 10 ∗ y �→ − } y->d = 42; { x �→ d : 10 ∗ y �→ d : 42 } dispose(x); { y �→ d : 42 } x = y; { x �→ d : 42 ∧ x = y } 19 / 31

Proof System (extended) Standard Hoare Logic Unchanged. Local Reasoning Rules Unchanged. Small Axioms Small axioms added for new commands. 20 / 31

Annotating Messages ◮ We have to know the contents of messages ◮ Each message m appearing in a contract is described by a formula I m of our logic. ◮ I m may refer to two special variables: • val will denote the location of the message in memory • src will denote the location of the sending endpoint 21 / 31

Small Axioms for Communications Receive rule: ? m a − → b ∈ C { E peer �→ ( C { a } , f ) } x = receive(m, E) { E peer �→ ( C { b } , f ) ∗ I m ( x , f ) } 22 / 31

Small Axioms for Communications Send rules: ! m a − → b ∈ C { E peer �→ ( C { a } , − ) ∗ I m ( E ′ , E ) } send(E.m,E’) { E peer �→ ( C { b } , − ) } ! m − → b ∈ C a ∗ I m ( E ′ , E )) } { E peer �→ ( C { a } , − ) ∗ ( E peer �→ ( C { b } , − ) − − send(E.m,E’) { emp } 22 / 31

Small Axioms for Communications Open and Close rules: i = init ( C ) �→ (¯ { emp } (e, f) = open(C) { e peer peer �→ ( C { i } , f ) ∗ f C { i } , e ) } f ∈ final ( C ) �→ (¯ { E peer �→ ( C { f } , E ′ ) ∗ E ′ peer C { f } , E ) } close(E,E’) { emp } 22 / 31

Back to Contracts ◮ Why is the close rule sound? f ∈ final ( C ) �→ (¯ C { f } , E ) } close(E,E’) { emp } { E peer �→ ( C { f } , E ′ ) ∗ E ′ peer Leak-free Contracts A contract C is leak-free if whenever both ends of a channel ruled by C are in the same final state, there are no pending messages in the channel. 23 / 31

Properties of Contracts Definition 2 (Synchronizing state) A state s is synchronizing if every cycle that goes through it contains at least one send and one receive. ! m 1 ! m 1 a a b b ! m 2 ? m 2 24 / 31

Properties of Contracts Definition 2 (Synchronizing state) Definition 3 (Determinism) Two distinct edges in a contract must be labeled by different messages. b b ! m b ! m ! m a a a c c c ! m ! m ′ ? m 24 / 31