Separation algebras for C verification in Coq Robbert Krebbers ICIS, Radboud University Nijmegen, The Netherlands July 18, 2014 @ VSTTE, Vienna, Austria 1
Context of this talk Formalin (Krebbers & Wiedijk) ◮ Compiler independent C semantics in Coq ◮ Take underspecification by C11 seriously H H ◮ Operational semantics C11 ◮ Executable semantics O ◮ Typing and type checker ◮ Separation logic 2
Context of this talk Formalin (Krebbers & Wiedijk) ◮ Compiler independent C semantics in Coq ◮ Take underspecification by C11 seriously H H ◮ Operational semantics C11 ◮ Executable semantics O ◮ Typing and type checker ◮ Separation logic ⇒ topic of this talk 2
Why compiler (in)dependence matters int main() { int x; int y = (x = 3) + (x = 4); printf("%d %d\n", x, y); } 3
Why compiler (in)dependence matters int main() { int x; int y = (x = 3) + (x = 4); printf("%d %d\n", x, y); } Let us try some compilers ◮ Clang prints 4 7 , seems just left-right 3
Why compiler (in)dependence matters int main() { int x; int y = (x = 3) + (x = 4); printf("%d %d\n", x, y); } Let us try some compilers ◮ Clang prints 4 7 , seems just left-right ◮ GCC prints 4 8 , does not correspond to any evaluation order 3
Why compiler (in)dependence matters int main() { int x; int y = (x = 3) + (x = 4); printf("%d %d\n", x, y); } Let us try some compilers ◮ Clang prints 4 7 , seems just left-right ◮ GCC prints 4 8 , does not correspond to any evaluation order This program violates the sequence point restriction ◮ due to two unsequenced writes to x ◮ undefined behavior: garbage in, garbage out ⇒ all bets are off ◮ thus both compilers are right 3
Why compiler (in)dependence matters int main() { int x; int y = (x = 3) + (x = 4); printf("%d %d\n", x, y); } Let us try some compilers ◮ Clang prints 4 7 , seems just left-right ◮ GCC prints 4 8 , does not correspond to any evaluation order This program violates the sequence point restriction ◮ due to two unsequenced writes to x ◮ undefined behavior: garbage in, garbage out ⇒ all bets are off ◮ thus both compilers are right Formalin should account for all undefined behavior 3
Separation logic for C [Krebbers, POPL’14] Observation : non-determinism corresponds to concurrency Idea : use the separation logic rule for parallel composition { P 1 } e 1 { Q 1 } { P 2 } e 2 { Q 2 } { P 1 ∗ P 2 } e 1 ⊚ e 2 { Q 1 ∗ Q 2 } 4
Separation logic for C [Krebbers, POPL’14] Observation : non-determinism corresponds to concurrency Idea : use the separation logic rule for parallel composition { P 1 } e 1 { Q 1 } { P 2 } e 2 { Q 2 } { P 1 ∗ P 2 } e 1 ⊚ e 2 { Q 1 ∗ Q 2 } What does this mean: ◮ Split the memory into two disjoint parts ◮ Prove that e 1 and e 2 can be executed safely in their part ◮ Now e 1 ⊚ e 2 can be executed safely in the whole memory 4
Separation logic for C [Krebbers, POPL’14] Observation : non-determinism corresponds to concurrency Idea : use the separation logic rule for parallel composition { P 1 } e 1 { Q 1 } { P 2 } e 2 { Q 2 } { P 1 ∗ P 2 } e 1 ⊚ e 2 { Q 1 ∗ Q 2 } What does this mean: ◮ Split the memory into two disjoint parts ◮ Prove that e 1 and e 2 can be executed safely in their part ◮ Now e 1 ⊚ e 2 can be executed safely in the whole memory Disjointness ⇒ no sequence point violation 4
Connectives of separation logic The connectives of separation logic are defined as: emp := λ m . m = ∅ P ∗ Q := λ m . ∃ m 1 m 2 . m = m 1 ∪ m 2 ∧ P m 1 ∧ Q m 2 5
Connectives of separation logic The connectives of separation logic are defined as: emp := λ m . m = ∅ P ∗ Q := λ m . ∃ m 1 m 2 . m = m 1 ∪ m 2 ∧ P m 1 ∧ Q m 2 Definition of is non-trivial: ◮ Complex memory based on structured trees ◮ Fractional permissions for share-accounting For example needed in x + x ◮ Existence permissions for pointer arithmetic For example needed in *(p + 1) = (*p = 1) ◮ Locked permissions for sequence point restriction 5
Connectives of separation logic The connectives of separation logic are defined as: emp := λ m . m = ∅ P ∗ Q := λ m . ∃ m 1 m 2 . m = m 1 ∪ m 2 ∧ P m 1 ∧ Q m 2 Definition of is non-trivial: ◮ Complex memory based on structured trees ◮ Fractional permissions for share-accounting For example needed in x + x ◮ Existence permissions for pointer arithmetic For example needed in *(p + 1) = (*p = 1) ◮ Locked permissions for sequence point restriction Use separation algebras [Calcagno et al. , LICS’07] to abstractly describe the permissions and memory 5
Tweaked version of separation algebras in Coq Def: A simple separation algebra consists of a set A , with: ◮ An element ∅ : A ◮ A predicate valid : A → Prop ◮ Binary relations ⊥ , ⊆ : A → A → Prop ◮ Binary operations ∪ , \ : A → A → A 6
Tweaked version of separation algebras in Coq Def: A simple separation algebra consists of a set A , with: ◮ An element ∅ : A ◮ A predicate valid : A → Prop ◮ Binary relations ⊥ , ⊆ : A → A → Prop ◮ Binary operations ∪ , \ : A → A → A Total instead of partial 6
Tweaked version of separation algebras in Coq Def: A simple separation algebra consists of a set A , with: ◮ An element ∅ : A ◮ A predicate valid : A → Prop ◮ Binary relations ⊥ , ⊆ : A → A → Prop ◮ Binary operations ∪ , \ : A → A → A Total instead of partial Disjointness 6
Tweaked version of separation algebras in Coq Def: A simple separation algebra consists of a set A , with: ◮ An element ∅ : A ◮ A predicate valid : A → Prop ◮ Binary relations ⊥ , ⊆ : A → A → Prop ◮ Binary operations ∪ , \ : A → A → A To avoid subset types Total instead of partial Disjointness 6
Tweaked version of separation algebras in Coq Def: A simple separation algebra consists of a set A , with: ◮ An element ∅ : A ◮ A predicate valid : A → Prop ◮ Binary relations ⊥ , ⊆ : A → A → Prop ◮ Binary operations ∪ , \ : A → A → A To avoid subset types Total instead of partial Disjointness Satisfying the following laws: 1. If x ⊥ y , then y ⊥ x and x ∪ y = y ∪ x 2. If valid x , then ∅ ⊥ x and ∅ ∪ x = x 3. Associative, non-empty, cancellative, positive, . . . 6
Example: fractional separation algebra Fractional permissions [0 , 1] Q [Boyland, SAS’09] Read-only No access Exclusive access 0 1 Rational numbers make it possible to split Read-only permissions 7
Example: fractional separation algebra Fractional permissions [0 , 1] Q [Boyland, SAS’09] Read-only No access Exclusive access 0 1 Rational numbers make it possible to split Read-only permissions Def: The simple fractional separation algebra Q is defined as: valid x := 0 ≤ x ≤ 1 ∅ := 0 x ⊥ y := 0 ≤ x , y ∧ x + y ≤ 1 x ∪ y := x + y x ⊆ y := 0 ≤ x ≤ y ≤ 1 x \ y := x − y 7
Organization of permissions Separation logic: ∪ main connective (from separation algebra) Operational semantics: need to know what is allowed 8
Organization of permissions Separation logic: ∪ main connective (from separation algebra) Operational semantics: need to know what is allowed Def: Lattice of permission kinds (pkind , ⊆ k ) ◮ Freeable: reading, writing, deallocation Freeable Writable Readable Locked Existing ⊥ 8
Organization of permissions Separation logic: ∪ main connective (from separation algebra) Operational semantics: need to know what is allowed Def: Lattice of permission kinds (pkind , ⊆ k ) ◮ Freeable: reading, writing, deallocation Freeable ◮ Writable: reading, writing Writable Readable Locked Existing ⊥ 8
Organization of permissions Separation logic: ∪ main connective (from separation algebra) Operational semantics: need to know what is allowed Def: Lattice of permission kinds (pkind , ⊆ k ) ◮ Freeable: reading, writing, deallocation Freeable ◮ Writable: reading, writing ◮ Readable: reading Writable Readable Locked Existing ⊥ 8
Organization of permissions Separation logic: ∪ main connective (from separation algebra) Operational semantics: need to know what is allowed Def: Lattice of permission kinds (pkind , ⊆ k ) ◮ Freeable: reading, writing, deallocation Freeable ◮ Writable: reading, writing ◮ Readable: reading Writable ◮ Existing: existence permissions , only pointer arithmetic Readable Locked Existing ⊥ 8
Organization of permissions Separation logic: ∪ main connective (from separation algebra) Operational semantics: need to know what is allowed Def: Lattice of permission kinds (pkind , ⊆ k ) ◮ Freeable: reading, writing, deallocation Freeable ◮ Writable: reading, writing ◮ Readable: reading Writable ◮ Existing: existence permissions , only pointer arithmetic Readable Locked ◮ Locked: temporarily locked until next sequence point Existing Example: (x = 3) + (*p = 4); Undefined behavior if &x == p ⊥ 8
Recommend
More recommend