proving correctness of a garbage collector via local
play

Proving Correctness of a Garbage Collector via Local Reasoning - PowerPoint PPT Presentation

Jan 11, 2024 •249 likes •958 views

Proving Correctness of a Garbage Collector via Local Reasoning Lars Birkedal [birkedal@itu.dk], Noah Torp-Smith [noah@itu.dk] The IT University of Copenhagen Joint work with John C. Reynolds, Carnegie Mellon University Spatial Logic Workshop,

  1. Proving Correctness of a Garbage Collector via Local Reasoning Lars Birkedal [birkedal@itu.dk], Noah Torp-Smith [noah@itu.dk] The IT University of Copenhagen Joint work with John C. Reynolds, Carnegie Mellon University Spatial Logic Workshop, Nottingham, March 2003 – p.1/32

  2. Motivation Spatial Logic Workshop, Nottingham, March 2003 – p.2/32

  3. Motivation • Copying garbage collectors widely used, for example in implementations of functional languages. Spatial Logic Workshop, Nottingham, March 2003 – p.2/32

  4. Motivation • Copying garbage collectors widely used, for example in implementations of functional languages. • A “non-toy” example. Yang’s proof of the Schoor-Waite algorithm is another such. Spatial Logic Workshop, Nottingham, March 2003 – p.2/32

  5. Motivation • Copying garbage collectors widely used, for example in implementations of functional languages. • A “non-toy” example. Yang’s proof of the Schoor-Waite algorithm is another such. • Proof Carrying Code theory assumes an underlying memory allocator, but doesn’t treat it further. Spatial Logic Workshop, Nottingham, March 2003 – p.2/32

  6. Preliminaries (1) Setup : A user language and an implemetation language , both standard while -languages, but with different memory interactions: ::= · · · | x := cons ( e 1 , e 2 ) | x.i := e | x := y.i C user ::= · · · | [ e ] := e | x := [ e ] C impl User language: No pointer arithmetic, “implicit type system”: Vals = Ints ⊎ Ptr , heaps map pointers to pairs of values. Implementation language: Pointer arithmetic, Heaps map lo- cations (a subset of integers) to integers. Spatial Logic Workshop, Nottingham, March 2003 – p.3/32

  7. Preliminaries (2) Interface (informal): The command cons ( e 1 , e 2 ) in the user language results in a call to alloc in implementation language. alloc( l , n 1 , n 2 ) { if ( any_space_left ) { allocate 2 heap cells; store( n 1 , n 2 ); return address; } else { Garbage collect; alloc( l , n 1 , n 2 ); } } Spatial Logic Workshop, Nottingham, March 2003 – p.4/32

  8. Preliminaries (3) • All values allocated by the user language at runtime (through cons -operations) are pairs of values, so the garbage collector only needs to deal with pairs of locations. A pointer is a first component of such a pair. Spatial Logic Workshop, Nottingham, March 2003 – p.5/32

  9. Preliminaries (3) • All values allocated by the user language at runtime (through cons -operations) are pairs of values, so the garbage collector only needs to deal with pairs of locations. A pointer is a first component of such a pair. • Pointers are divisible by 8. Spatial Logic Workshop, Nottingham, March 2003 – p.5/32

  10. Preliminaries (3) • All values allocated by the user language at runtime (through cons -operations) are pairs of values, so the garbage collector only needs to deal with pairs of locations. A pointer is a first component of such a pair. • Pointers are divisible by 8. • A simplifying assumption: Only one pointer in user language, call it root (more “root pointers” do not add anything interesting to the proof). Spatial Logic Workshop, Nottingham, March 2003 – p.5/32

  11. Preliminaries (4) So a picture might look like this: root 0 1 2 42 3 4 5 Spatial Logic Workshop, Nottingham, March 2003 – p.6/32

  12. Preliminaries (4) So a picture might look like this: root 0 1 2 42 3 4 5 Note that some cells cannot be “reached” from the root cell. These are ignored by copying collectors. Spatial Logic Workshop, Nottingham, March 2003 – p.6/32

  13. Preliminaries (5) • A weak heap isomorphism ϕ : ( s ′ , h ′ ) ∼ = ( s, h ) is a bijection ϕ : dom ( h ′ ) ∼ = dom ( h ) such that for all p ∈ dom ( h ′ ) , h ( ϕ ( p )) = ϕ ∗ ( h ′ ( p )) , where ϕ ∗ is the extension of ϕ to all integers (pointers and nonpointers) with the identity on nonpointers. If also ϕ ( s ′ ( root )) = s ( root ) , we call ϕ a heap isomorphism . Spatial Logic Workshop, Nottingham, March 2003 – p.7/32

  14. Preliminaries (5) • A weak heap isomorphism ϕ : ( s ′ , h ′ ) ∼ = ( s, h ) is a bijection ϕ : dom ( h ′ ) ∼ = dom ( h ) such that for all p ∈ dom ( h ′ ) , h ( ϕ ( p )) = ϕ ∗ ( h ′ ( p )) , where ϕ ∗ is the extension of ϕ to all integers (pointers and nonpointers) with the identity on nonpointers. If also ϕ ( s ′ ( root )) = s ( root ) , we call ϕ a heap isomorphism . • ( s, h ) is a garbage collected version of ( s ′ , h ′ ) , if there is a heap isomorphism ϕ : prune ( s, h ) ∼ = prune ( s ′ , h ′ ) . We do not have to remove anything. Spatial Logic Workshop, Nottingham, March 2003 – p.7/32

  15. Preliminaries (5) • A weak heap isomorphism ϕ : ( s ′ , h ′ ) ∼ = ( s, h ) is a bijection ϕ : dom ( h ′ ) ∼ = dom ( h ) such that for all p ∈ dom ( h ′ ) , h ( ϕ ( p )) = ϕ ∗ ( h ′ ( p )) , where ϕ ∗ is the extension of ϕ to all integers (pointers and nonpointers) with the identity on nonpointers. If also ϕ ( s ′ ( root )) = s ( root ) , we call ϕ a heap isomorphism . • ( s, h ) is a garbage collected version of ( s ′ , h ′ ) , if there is a heap isomorphism ϕ : prune ( s, h ) ∼ = prune ( s ′ , h ′ ) . We do not have to remove anything. • So if GC is our garbage collector, and if GC, s, h � s ′ , h ′ the requirement is that ( s ′ , h ′ ) is a garbage collected version of ( s, h ) . Spatial Logic Workshop, Nottingham, March 2003 – p.7/32

  16. Cheney’s Algorithm (1970) Spatial Logic Workshop, Nottingham, March 2003 – p.8/32

  17. Cheney’s Algorithm (1970) Assumes 2 contigous “semi-spaces” of equal size, and OLD = [ startOld , endOld [ NEW = [ startNew , endNew [ , s ( root ) ∈ OLD . ALIVE = { p | p is reachable } . Copies ALIVE to NEW in a “structure preserving way” and resumes allocation there. Spatial Logic Workshop, Nottingham, March 2003 – p.8/32

  18. Cheney’s Algorithm (1970) Assumes 2 contigous “semi-spaces” of equal size, and OLD = [ startOld , endOld [ NEW = [ startNew , endNew [ , s ( root ) ∈ OLD . ALIVE = { p | p is reachable } . Copies ALIVE to NEW in a “structure preserving way” and resumes allocation there. The example from before: � root 2 3 5 1 2 1 2 3 4 5 3 4 5 OLD scan root free NEW Spatial Logic Workshop, Nottingham, March 2003 – p.8/32

  19. An Example Initializing code : Copy the root cell and update the first component to point to the copy: root 1 2 3 4 5 scan free Spatial Logic Workshop, Nottingham, March 2003 – p.9/32

  20. An Example (2) Scanning a pointer-component (1) : If the first component of the cell it points to is not a pointer into NEW , we just copy the cell and update its first component. Then we update the component we are scanning: root 2 3 4 5 1 2 scan free Spatial Logic Workshop, Nottingham, March 2003 – p.10/32

  21. An Example (3) ... and again: root 2 3 4 5 1 2 scan free Spatial Logic Workshop, Nottingham, March 2003 – p.11/32

  22. An Example (4) Scanning a non-pointer component : Nothing happens. root 2 3 4 5 1 2 scan free Spatial Logic Workshop, Nottingham, March 2003 – p.12/32

  23. An Example (5) Scanning two pointer components as before: root 2 3 5 1 2 3 4 5 scan free Spatial Logic Workshop, Nottingham, March 2003 – p.13/32

  24. An Example (6) Scanning a pointer-component (2) : If the first component of the cell it points to is a pointer into NEW , we do not make another copy; we just update the component, we are scanning appropriately: root 2 3 5 1 2 3 4 5 scan free Spatial Logic Workshop, Nottingham, March 2003 – p.14/32

  25. An Example (7) After this, nothing more interesting happens, and we update root : 2 3 5 1 2 3 4 5 scan root free Spatial Logic Workshop, Nottingham, March 2003 – p.15/32

  26. An Example (7) After this, nothing more interesting happens, and we update root : 2 3 5 1 2 3 4 5 scan root free ...and we’re done! Spatial Logic Workshop, Nottingham, March 2003 – p.15/32

  27. Extension of Separation Logic To formalize our partition, we extend the term language with finite sets of pointers : Spatial Logic Workshop, Nottingham, March 2003 – p.16/32

  28. Extension of Separation Logic To formalize our partition, we extend the term language with finite sets of pointers : · · · | m fs ⊕ e | m fs ⊖ e | Itv ( e, e ) | · · · ::= m Spatial Logic Workshop, Nottingham, March 2003 – p.16/32

  29. Extension of Separation Logic To formalize our partition, we extend the term language with finite sets of pointers : · · · | m fs ⊕ e | m fs ⊖ e | Itv ( e, e ) | · · · ::= m We will also need finite relations : ::= · · · | f ◦ g | f ⊚ g f Spatial Logic Workshop, Nottingham, March 2003 – p.16/32

  30. Extension of Separation Logic To formalize our partition, we extend the term language with finite sets of pointers : · · · | m fs ⊕ e | m fs ⊖ e | Itv ( e, e ) | · · · ::= m We will also need finite relations : ::= · · · | f ◦ g | f ⊚ g f Semantics for ⊚ : extension with identity on non-pointers: [ [ f ⊚ h ] ] = { ( p, n ) | (( p, n ) ∈ [ [ h ] ] s ∧ n �∈ Ptr ) ∨ ( ∃ p ′ ∈ Ptr. ( p, p ′ ) ∈ [ ] s ∧ ( p ′ , n ) ∈ [ [ h ] [ f ] ] s ) } Spatial Logic Workshop, Nottingham, March 2003 – p.16/32

  31. Extension of Separation Logic (2) We will also have new assertion forms. We mention some: Spatial Logic Workshop, Nottingham, March 2003 – p.17/32

Recommend

A Semi Preemptive Garbage A Semi Preemptive Garbage Collector for Solid State Collector

A Semi Preemptive Garbage A Semi Preemptive Garbage Collector for Solid State Collector

A Semi Preemptive Garbage A Semi Preemptive Garbage Collector for Solid State Collector for Solid State Collector for Solid State Collector for Solid State Drives Drives Junghee Lee, Youngjae Kim, Galen M. Shipman, Sarp Oral, Feiyi Wang,

540 views • 26 slides
Garbage Collection Jan Midtgaard Michael I. Schwartzbach Aarhus University The Garbage

Garbage Collection Jan Midtgaard Michael I. Schwartzbach Aarhus University The Garbage

Compilation 2010 Garbage Collection Jan Midtgaard Michael I. Schwartzbach Aarhus University The Garbage Collector A garbage collector is part of the runtime system It reclaims heap-allocated records (objects) that are no longer in use

959 views • 56 slides
Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness:

Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness:

3/10/10 Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness: partial correctness + termination Partial correctness: Program implements its specification 1 3/10/10 Proving Partial Correctness

420 views • 13 slides
4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the

4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the

4.5: Proving the Correctness of Grammars In this section, we consider techniques for proving the correctness of grammars, i.e., for proving that grammars generate the languages we want them to. 1 / 21 Definition of Suppose G is a grammar and

324 views • 21 slides
Bounding Pause Times in a Regional Garbage Collector Felix S Klock II Thesis Advisor: Will

Bounding Pause Times in a Regional Garbage Collector Felix S Klock II Thesis Advisor: Will

Bounding Pause Times in a Regional Garbage Collector Felix S Klock II Thesis Advisor: Will Clinger 1 1 What is Garbage Collection? Automated reclamation of unreachable storage (Tracing) Garbage collection Mutator : Main application apart

1.13k views • 99 slides
Prioritized Garbage Collection Using the Garbage Collector to Support Caching Diogenes Nunez ,

Prioritized Garbage Collection Using the Garbage Collector to Support Caching Diogenes Nunez ,

Prioritized Garbage Collection Using the Garbage Collector to Support Caching Diogenes Nunez , Samuel Z. Guyer, Emery D. Berger Tufts University, University of Massachusetts Amherst November 2, 2016 D. Nunez, S. Guyer, E. Berger Prioritized GC

1.04k views • 80 slides
iCSI : A Cloud Garbage VM Collector for Addressing Inactive VM with Machine Learning In Kee Kim

iCSI : A Cloud Garbage VM Collector for Addressing Inactive VM with Machine Learning In Kee Kim

iCSI : A Cloud Garbage VM Collector for Addressing Inactive VM with Machine Learning In Kee Kim + , Sai Zeng * , Christopher Young * , Jinho Hwang * , and Marty Humphrey + + University of Virginia * IBM T.J. Watson Research Center 1 Motivation

514 views • 28 slides
Distributed Garbage Collection for General Graphs Basic Approaches to Garbage Collection

Distributed Garbage Collection for General Graphs Basic Approaches to Garbage Collection

Distributed Garbage Collection for General Graphs Basic Approaches to Garbage Collection The Brownbridge Collector SWP Collector

1.16k views • 88 slides
Proving Correctness of a KRK Chess Endgame Strategy by SAT-based Constraint Solving Marko

Proving Correctness of a KRK Chess Endgame Strategy by SAT-based Constraint Solving Marko

Introduction Reduction to SAT and URSA system Chess Endgame Strategies and Bratkos Strategy for KRK URSA Specification of KRK Endgame and of Strategy Correctness of Strategy Discussion and Conclusions Proving Correctness of a KRK Chess

390 views • 27 slides
Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick

Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick

Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick Universitt Oldenburg February 2017 Intro Correctness Results Rel. Work Conclusion Extras Outline Correctness and Graph Programs 1

354 views • 24 slides
Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri

Verifying a Concurrent Garbage Collector Delphine Demange Suresh Jagannathan Gustavo Petri David Pichardie Jan Vitek Yannick Zakowski Why are high level languages difficult to compile? Easy to compile in C Obj.f := v What about Java? A

1.17k views • 73 slides
Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level

Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level

Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level Correctness Proof Wolfgang Goerigk Christian-Albrechts-Universit at zu Kiel, Germany wg@informatik.uni-kiel.de wg/

297 views • 28 slides
Quicksort [4] In the last class Recursive Procedures Proving Correctness of Recursive

Quicksort [4] In the last class Recursive Procedures Proving Correctness of Recursive

Algorithm : Design & Analysis Quicksort [4] In the last class Recursive Procedures Proving Correctness of Recursive Procedures Deriving recurrence equations Solution of the Recurrence equations Guess and proving

615 views • 38 slides
What problem did the paper address? Big Picture Problem Proving correctness of communication

What problem did the paper address? Big Picture Problem Proving correctness of communication

Review of Model Checking Large Network Protocol Implementations Madanlal Musuvathi Dawson Engler By Vamsi Kambhampati 7 th March 2006 What problem did the paper address? Big Picture Problem Proving correctness of communication protocols

341 views • 5 slides
Objec&ves Proving correctness of Stable Matching algorithm Analyzing algorithms

Objec&ves Proving correctness of Stable Matching algorithm Analyzing algorithms

1/12/18 Objec&ves Proving correctness of Stable Matching algorithm Analyzing algorithms Asympto&c running &mes If youre interested, join the W&L Computer Science Facebook Group! Jan 12, 2018 Sprenkle - CSCI211 1

319 views • 18 slides
GC Assertions: Using the Garbage Collector to check heap properties Shirley Gracelyn February

GC Assertions: Using the Garbage Collector to check heap properties Shirley Gracelyn February

GC Assertions: Using the Garbage Collector to check heap properties Shirley Gracelyn February 16, 2011 Motivation 1 Automatic memory management frees some burden from programmers 2 Fewer memory management errors Motivation 1 Automatic memory

278 views • 26 slides
Data Checking at Dropbox David Mah Dropbox Problems we are tackling Examples of Checkers

Data Checking at Dropbox David Mah Dropbox Problems we are tackling Examples of Checkers

Data Checking at Dropbox David Mah Dropbox Problems we are tackling Examples of Checkers Generic Model for a Checker Our garbage collector had a rarely hit off by one bug Our garbage collector had a rarely hit off by one bug that resulted

451 views • 33 slides
Customised Induction Rules for Proving Correctness of Imperative Programs Angela Wallenburg

Customised Induction Rules for Proving Correctness of Imperative Programs Angela Wallenburg

Customised Induction Rules for Proving Correctness of Imperative Programs Angela Wallenburg angelaw@cs.chalmers.se 4th International Symposium June 9, 2005, L okeberg Outline 1. Problem: Induction and Loops 2. First approach: Use idea

821 views • 34 slides
15-150 Fall 2020 Stephen Brookes Lecture 4 Proving correctness Last time Specification

15-150 Fall 2020 Stephen Brookes Lecture 4 Proving correctness Last time Specification

15-150 Fall 2020 Stephen Brookes Lecture 4 Proving correctness Last time Specification format for a function F type assumption (REQUIRES) guarantee (ENSURES) For all (properly typed ) x satisfying the assumption , F x satisfies

1.28k views • 102 slides
NG2C: Pretenuring Garbage Collector with Dynamic Generations for HotSpot Big Data Apps Rodrigo

NG2C: Pretenuring Garbage Collector with Dynamic Generations for HotSpot Big Data Apps Rodrigo

NG2C: Pretenuring Garbage Collector with Dynamic Generations for HotSpot Big Data Apps Rodrigo Bruno*, Lus Picciochi Oliveira + , Paulo Ferreira* rodrigo.bruno@tecnico.ulisboa.pt, luis.oliveira@feedzai.com, paulo.ferreira@inesc-id.pt *INESC-ID

665 views • 52 slides
Proving the correctness of a compiler Xavier Leroy Coll` ege de France and Inria EUTypes Summer

Proving the correctness of a compiler Xavier Leroy Coll` ege de France and Inria EUTypes Summer

Proving the correctness of a compiler Xavier Leroy Coll` ege de France and Inria EUTypes Summer School 2019 1 The compilation process In general: any translation from a computer language to another. More specifically: automatic translation

1.65k views • 133 slides
FOX Garbage Collection FOX / GC Example 1 ex1: garbage at end let x = (1, 2) , y = let tmp =

FOX Garbage Collection FOX / GC Example 1 ex1: garbage at end let x = (1, 2) , y = let tmp =

FOX Garbage Collection FOX / GC Example 1 ex1: garbage at end let x = (1, 2) , y = let tmp = (10, 20) in tmp[0] + tmp[1] , p0 = x[0] + y , p1 = x[1] + y in (p0, p1) ebp 0x00 0x04 0x08 0x0c 0x10 0x14 0x18 0x1c 0x20 0x24 esi

1.36k views • 122 slides
Proving Correctness of Compilers Using Structured Graphs Patrick Bahr University of Copenhagen,

Proving Correctness of Compilers Using Structured Graphs Patrick Bahr University of Copenhagen,

u n i v e r s i t y o f c o p e n h a g e n d e p a r t m e n t o f c o m p u t e r s c i e n c e Faculty of Science Proving Correctness of Compilers Using Structured Graphs Patrick Bahr University of Copenhagen, Department of Computer

965 views • 68 slides
Proving Correctness of Compilers Using Structured Graphs Patrick Bahr University of Copenhagen,

Proving Correctness of Compilers Using Structured Graphs Patrick Bahr University of Copenhagen,

u n i v e r s i t y o f c o p e n h a g e n d e p a r t m e n t o f c o m p u t e r s c i e n c e Faculty of Science Proving Correctness of Compilers Using Structured Graphs Patrick Bahr University of Copenhagen, Department of Computer

628 views • 21 slides

More recommend