Stacks, Heaps and Regions: One Logic to Bind Them David Walker Princeton University SPACE 2004.
-
date post
19-Dec-2015 -
Category
Documents
-
view
213 -
download
0
Transcript of Stacks, Heaps and Regions: One Logic to Bind Them David Walker Princeton University SPACE 2004.
Stacks, Heaps and Regions:One Logic to Bind Them
David Walker
Princeton University
With: Amal Ahmed & Limin Jia
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 3
Certifying Compilers
Certifying compilers produce:» machine code +» safety proof
• type safety• thread safety• memory safety
Uses:» trustworthy mobile
code» safety-critical systems» compiler debugging
Source Program
Certifying
Compiler
Machine Code + Safety Proof
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 4
Certifying Compilers
Low-level Typing Abstractions
Java C #ML
Transform, Optimize
Machine Code +
Safety Proof (Typing Invariants Encoded)
Low-level typing abstractions:» support diverse source
languages» support diverse
implementation & optimization strategies
» clean interface between compiler and mechanical safety checkers
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 5
TALx86 Lessons [Morrisett et al.]
Checking control-flow safety is fairly easy State & memory management is the hard part
» new typing algorithms for each new compiler trick• machine register state• heap memory (pointers, structs, ...) • stack memory (stack pointers, stack structs, ...)• user-managed memory (more pointers, aliasing info, ...)
Results:» complex, ad hoc axioms (type checker less trust-
worthy)» repeated work» abstractions not generally composable or reusable
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 6
A Goal for SPACE 20...
What we are looking for: A new proof-carrying code system/typed assembly language for safe memory management» More uniform; more general» Easier to understand (simpler semantics)» Allows reuse and composition of abstractions
A promising approach: Search for new logics that can capture common storage invariants» Following Ishtiaq, O’Hearn, Pym, Reynolds, and others
insights on storage semantics & separation logic» And Pfenning, CMU crew and others logical design
techniques & work on logical frameworks
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 7
This Talk…
What recurring properties of memory do we need to reason about in a proof-carrying code system?
Internalizing storage properties in a modal & substructural logic » Semantics of formulae
Using the logic to describe state in a low-level type system (briefly)
Related & Future work» This talk based on work at TLDI 03; LICS 03
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 8
The memory for the heap is separate from the memory for the stack
The register EAX is separate from register EBX (and ECX, etc...)
In general, memory A is separate from memory B if the domain of A does not overlap with the domain of B
Property #1: Separation
EAX EBX
7 8 9 1415 7475stack heap
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 9
The importance of separation:» If memory A is separate from memory B then updates to
A have no impact on B» Eg: updating the stack does not change values in the
heap» Eg: updating EAX does not change the contents of EBX» Eg: deallocating region r1 has no impact on region r2 (if
they are separate)
Present in» Linear type systems» TALx86» Ishtiaq, O’Hearn, Reynolds separation logic
Property #1: Separation
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 10
A struct is a sequence of adjacent locations An activation record is a sequence of adjacent
locations
A stack is a sequence of adjacent activation records
In general, A is adjacent to B if the greatest location in A is next to the least location in B, and A is separate from B
Property #2: Adjacency
7 8 9
a1 a2
toprest...
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 11
The importance of adjacency:» If memory A is adjacent to memory B and we can access
A then we can access B» Eg: using a pointer to the beginning of a struct, we can
access all of its elements» Eg: using a pointer to the top of the stack, we can
access the items in the current activation record
Present in» TALx86 » Foundational PCC (Appel et al)» Ordered type systems (Petersen et al.)
Property #2: Adjacency
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 12
Register EAX can contain an integer value (or a pointer value or other kinds of values)
A memory location (say, 7) can contain a sequence of 32 bits
A user-managed memory region may contain a collection of memory locations.
Property #3: Containment
3EAX
7 on0:
off1:
on31:...
R77 137 22
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 13
The importance of containment:» If A is contained in memory region r and region r has
property P then A has property P» Eg: EAX may contain an integer --- if so, we can add 3 to
the contents of EAX» Eg: Memory region R1 may contain live data --- if so, we
can dereference pointers into that region
Present in» Tofte & Talpin’s region calculus» Cardelli, Gardner, Ghelli Gordon’s ambient, tree & graph
logics» TALx86 (registers, static data segment, stack & heap)
Property #3: Containment
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 14
Two pointers are aliases of one another if they are the same location.
Aliasing information is important since changing memory at x changes memory at y
Present in» every system!!» Talx86 reasoned about heap aliases and stack aliases
Property #4: Aliasing
3
x y (x = y)
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 15
This Talk…
What recurring properties of memory are convenient for reasoning in a proof-carrying code system?
Internalizing storage properties in a modal & substructural logic » Semantics of formulae
Using the logic to describe state in a low-level type system
Related & Future work» This talk based on work at TLDI 03; LICS 03
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 16
Preliminaries - Memories
A memory is a mapping from locations to values. Each location may have a single successor. Successor relation gives rise to an ordering.
Locations may be composite
» ::= ∗ | .n eg: *.R1.a7 *.R2.a14.b0
m
a6
r1
7
r2
35
11617
9
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 17
Formulae
Predicates q ::= | …
Formulae F ::= q | …
Semantics of formulae given by: m ⊨ F @
“F describes memory m, whose contents are located in place ” ( acts like a constraint on the memory)
Simplest case:
m ⊨ @ iff dom(m)={} and ⊢ m() :
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 18
Formulae
Example
m ⊨ int @ 3 if
53
m(notice: ⊢ m(3) : int )
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 19
Formulae – Separation
Predicates q ::= | …
Formulae F ::= q | F1 ⊗F2 | …
m ⊨ F1 ⊗F2 @ iff exists disjoint m1 and m2 such that
m1 ⊨ F1 @ and m2 ⊨ F2 @ and m=m1∪m2
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 20
Formulae – Separation
Example
m1 ⊨ F1 @ * m2 ⊨ F2 @ *
73
m1
5
7 8 9
m21617
3 16r6
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 21
Formulae – Separation
Example
m1∪m2 ⊨ F1 ⊗ F2 @ *
73
m1∪m2
5
7 8 9
1617
r6163
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 22
Formulae – Adjacency
Predicates q ::= | …
Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | …
m ⊨ F1 ○F2 @ iff there exist adjacent (and disjoint)
m1 , m2 such that
m1 ⊨ F1 @ and m2 ⊨ F2 @
and m=m1∪m2
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 23
Formulae – Adjacency
Example
m1 ⊨ F1 @ * m2 ⊨ F2 @ *
73
m1
b5 7 8 9
m2
c10 1617
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 24
Formulae – Adjacency
Example
m1∪m2 ⊨ F1 ○ F2 @ *
73
b5 7 8 9
c10 1617
m1∪m2
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 25
Formulae – Containment
Predicates q ::= | …
Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | n[F] | …
m ⊨ n[F] @ iff m ⊨ F @ .n
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 26
Formulae - Containment
Example
m ⊨ eax[int] @ * since m ⊨ int @ *.eax
5eax
since ⊢ m(*.eax) : int m
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 27
Formulae - Containment
Example
m ⊨ eax[int] ⊗ebx[char] @ *
5eax
m
‘a’ebx
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 28
Formulae - Containment
Example
m ⊨ eax[int] ⊗ebx[char] @ *
since m1 ⊨ eax[int] @ * and m2 ⊨ ebx[char] @ *
5eax
m
‘a’ebx
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 29
Formulae - Containment
Example
m ⊨ eax[int] ⊗ebx[char] @ *
since m1 ⊨ eax[int] @ * and m2 ⊨ ebx[char] @ *
since m1 ⊨ int @ *.eax and m2 ⊨ char @ *.ebx
5eax
m
‘a’ebx
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 30
Aliasing
Types int | bool | S() | ...
Predicates q ::= | …
Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | n[F] | …
⊢ v : S() iff v = (all values with type S() are
aliases of one another)
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 31
Aliasing
Example
m ⊨ eax[S(*.a2)] ⊗ ebx[S(*.a2)] ⊗ a2[int] @ *
eaxm
ebx
7a2
aliases
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 32
One More Useful Predicate
Types int | bool | S() | ...
Predicates q ::= | more⃖ | more⃗
Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | n[F] | ...
m ⊨ more⃖ m ⊨ more⃗m
7 8 9654
. . .
m171819161514
. . .
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 33
Simple Machine Memory Layout
( more⃖ ○hd [] ○ Ftail ○ Fheap ○ ap [’] ○ more⃗)
⊗r1 [1] ⊗r2 [2] ⊗⊗sp [S(hd)] ⊗ap [S(ap)]
. . .. . .hd
. . . . . .
ap
sp r1 r2ap
more⃖ Ftail Fheapmore⃗
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 34
More logic
Predicates q ::= | more⃖ | more⃗
Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | n[F] |
1 | F1 -o F2 |
F1 F2 | ㄒ | F1 ⊕F2 | 0 || b. F | b.F
Bindings b ::= :L | n:N | :T | :F
m ⊨ 1 iff dom(m) is empty
m ⊨ F1 F2 iff m ⊨ F1 and m ⊨ F2
m ⊨ ㄒ (holds for any memory m)....
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 35
Logical Deduction
Judgments have the form ∥⊢ F @
is a variable context – a list of free variables & their kinds
is a bunched context – trees rather than lists (O’Hearn & Pym, 1999)
. | (F @ ) |
object at a place
separate storage(exchange prop)
adjacent storage(no exchange prop)
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 36
The natural deduction rules are sound with respect to the storage semantics
Semantics of contexts : m ⊨
Theorem (Soundness)
If m ⊨ and ‧∥⊢ F @ then m ⊨ F @ .
Logical Deduction
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 37
This Talk…
What recurring properties of memory are convenient for reasoning in a proof-carrying code system?
Internalizing storage properties in a modal & substructural logic » Semantics of formulae
Using the logic to describe state in a low-level type system
Related & Future work» This talk based on work at TLDI 03; LICS 03
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 38
Mini-KAM – Simplified ML Kit Abstract Machine
Registers r ::= acc1 | acc2 | sp
Values v ::= ....
Instructions ::= immed1(v)| immed2(v)| add | sub | push | pop | selectStack(i)| storeStack(i)| select(i)| store(i)| letRgnInf | endRgnInf | alloc(i)
register ops
stack ops
region ops
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 39
Types ::= int | S() | live | dead |
(F @ ) →0
Integers 5 : int
Places : S()
Region status live : live dead : dead
Code Locations c : (F @ ) →0
Means it is safe to jump to c with a memory m such that m ⊨ F @
Mini-KAM Types
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 40
Mini-KAM – Simplified ML Kit Abstract Machine
Mini-KAM Store Hierarchy
∗
st[more⃖ ○ ak[-] ○ . . ○ a1[-] ○ ]R1[live ⊗ F ⊗ (a[-] ○ more⃗
acc1 acc2 sp stack R1 . . . Rn
current activation record
stack tail
live regiondescriptionof data in
region
regionallocationboundarystack area
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 41
Judgments of the form F @ can be used to describe the pre and postconditions of instructions
Instruction typing judgment: ∥F @ ⊢ : F’ @ ’
Using Formulae in Typing Rules
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 42
Judgment : ∥F @ ⊢ : F’ @ ’
In J, look up the type of place .n:
J(.n) = F if ‧∥J ⊢( ㄒ ⊗ n[F] ) @
Rule for add instruction:
(F @ )(∗.acc1) = int (F @ )(∗.acc2) = int
∥F @ ⊢ add : F @
Using Formulae in Typing Rules
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 43
Judgment ∥J ⊢ : J’ (where J is of the form F @ p)
J(∗.sp)=S(∗.stack.n0) J(∗.acc1)=
∥J ⊢ storeStack(i) : J[∗.stack.no + i := ]
Using Formulae in Typing Rules
( storeStack)
In J, update the type of place .no + i:
J[.no+i := ] = (F1 ○n0[-] ○ ‧‧‧ ○ ni[] ○F2) ⊗ F3 @
if ‧∥u:J ⊢((F1 ○n0[-] ○ ‧‧‧ ○ ni[-] ○F2) ⊗ F3) @
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 44
This Talk…
What recurring properties of memory are convenient for reasoning in a proof-carrying code system?
Internalizing storage properties in a modal & substructural logic » Semantics of formulae
Using the logic to describe state in a low-level type system
Related & Future work» This talk based on work at TLDI 03; LICS 03
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 45
Related Work
Reasoning about adjacency» Stack-based TAL (Morrisett et al., 1998)» Foundational PCC – reasoning about memory allocation (Appel
et al.)» ord - calculus for reasoning about data layout at the frontier
(Petersen et al., 2003)
Reasoning about aliasing» Long history . . . singleton types for aliasing (Smith, Walker &
Morrisett) continue to be useful
Spatial logics : separation and/or containment» BI, separation logic (Ishtiaq, O’Hearn, Reynolds & others, 2000,
2001) » Ambient logic (Cardelli & Gordon, 2000) » Tree and graph logics (Cardelli, Gardner, Ghelli, 2002)
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 46
Lots More Work to Do
Add inductive definitions & syntactic rules for reasoning about arrays, recursive data structures
Investigate encodings for common invariants» stack-allocation algorithms» region-allocation algorithms» aliasing patterns
Better understand the connection between modal (hybrid) logic & regions
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 47
Conclusion
Described a unified framework for reasoning about» Separation» Adjacency» Containment» Aliasing
Semantics are sound, simple and uniform
Logic forms the basis for a sound and flexible low-level type system
See TLDI 03; LICS 03 for details
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 50
when two bits of storage (at a1 and a2) may alias:
a1. a2. (a1[int] ⊗ ㄒ ) & (a2[int] ⊗ ㄒ )
both memories satisfy the formula:
May Alias Formula
5a1
7a2
5a
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 51
Code Describing Formula
(b-stackgrow)(x 2) (b-unpack)(x 2) sub sp,sp,2
st sp[0],r1
st sp[1],r2
< Code for A >
ld r1,sp[0]
ld r2,sp[1]
add sp,sp,2
Example: Saving Temporaries on the Stack
(more○⃖ 1[1] ○ 2[2] ○ [] ○ F1)
⊗ sp[S()] ⊗ r1[1] ⊗ r2[2]
Fpre
(more○⃖ 1[1] ○ 2[2] ○ [] ○ F1)
⊗ sp[S(1)] ⊗ r1[1] ⊗ r2[2]
Fpost
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 52
Types ::= int | S(p) | (F @ p) →0
Informally, c : (F @ p) →0 means it is safe to jump to c with a memory m such that m ⊨ F @ p
Formulae Wrapped in Types
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 53
Motivation: Certifying Compilers
Source Program
Certifying
Compiler
Safety ProofMachine Code
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 54
Parse, Typecheck
Motivation: Certifying Compilers
Source Program
Safety ProofMachine Code
High-level Typed IL
Analysis, Optimization
Medium-level Typed IL
Code Generation
Typed Assembly Language
Assembler
Prover
Type- preserving Compiler
Hints
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 55
Motivation: Certifying Compilers
Java
Safety ProofMachine Code
Optimize Optimize Optimize
Medium-level Typed IL
Code Generation
Typed Assembly Language
Assembler
Prover
Type- preserving Compiler
Hints
High TIL High TIL High TIL
JavaML
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 56
Motivation: Proof-Carrying Code
The Princeton foundational PCC system (Appel et al.)
Scaling PCC to production compilers and realistic languages
Some requirements:» Multiple source languages, single target language» Core proof system must be general and flexible
• support for general language features• handle different implementation and optimization
strategies
» Trusted computing base should be small• to limit security bugs
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 57
PCC System – Layers of Abstraction
Higher-order logic
Machine spec
Semantics of types
Low-level typing abstractions
High-level typing abstractions
Compiler
support fora rangeof languagefeatures
general &flexible
interfaceto compiler
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 58
A Hard Problem (Semantics)
Semantics of memory updates and memory reuse
Semantic model of ML-style mutable references (Ahmed, Appel, Virga, 2002)
To handle ML function closures: » extended model with mutable references to
(impredicative) polymorphic types (Ahmed, Appel, Virga, 2003)
To allow memory reuse: » extended model to support region-based memory
management
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 59
Motivation: Certifying Compilers
Prover
Machine Code + Safety Proof
Typing abstractions (TAL)
Java C #ML
High-level Typed IL
Analysis, Optimization
Medium-level Typed IL
Should be general & flexible; support many• language features• implementation + optimization strategies
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 60
Typing Abstractions for Memory
Reasoning about memory is complicated» many different memory management strategies, aliasing
patterns, data layout possibilities, etc.
Systems for safe mobile code would benefit from » a unified framework for reasoning about a variety of
invariants » convenient abstractions that help structure proofs of
memory safety
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 61
Abstractions for Memory?
Machine Code + Safety Proof
TALx86
Source
High TIL
Medium TIL
CornellPopcorn & Cyclone
VCGen + Prover
Machine Code + Safety Proof
Source
High TIL
Medium TIL
Cedilla SystemsSpecial J
Prover
Machine Code + Safety Proof
LTAL
Source
High TIL
Medium TIL
PrincetonFoundational PCC
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 62
Abstractions for Memory?
Machine Code + Safety Proof
TALx86
Source
High TIL
Medium TIL
CornellPopcorn & Cyclone
VCGen + Prover
Machine Code + Safety Proof
Source
High TIL
Medium TIL
Cedilla SystemsSpecial J
Prover
Machine Code + Safety Proof
LTAL
Source
High TIL
Medium TIL
PrincetonFoundational PCC
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 63
Abstractions for Memory?
Reasoning aboutmemory iscomplicated:many differentmemorymanagementstrategies,aliasing patterns,data layoutpossibilities, etc.
Machine Code + Safety Proof
TALx86
Source
High TIL
Medium TIL
Cornell Popcorn, Cyclone
VCGen + Prover
Machine Code + Safety Proof
Source
High TIL
Medium TIL
Cedilla SystemsSpecial J
Prover
Machine Code + Safety Proof
LTAL
Source
High TIL
Medium TIL
PrincetonFoundational PCC
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 64
Typing Abstractions for Memory?
Reasoning about memory is complicated» many different memory management strategies, aliasing
patterns, data layout possibilities, etc.
Machine Code + Safety Proof
TALx86
Source
High TIL
Medium TIL
CornellPopcorn & Cyclone
VCGen + Prover
Machine Code + Safety Proof
Source
High TIL
Medium TIL
Cedilla SystemsSpecial J
Prover
Machine Code + Safety Proof
LTAL
Source
High TIL
Medium TIL
PrincetonFoundational PCC
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 65
Types ::= int | S(p) | (F @ p) →0
Informally, c : (F @ p) →0 means it is safe to jump to c with a memory m such that m ⊨ F @ p
Formulae Wrapped in Types
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 66
Lessons from Typed Assembly Language Lesson 1:
» Much of the type theory designed for higher-level languages can be reused to help verify machine code.
• TAL is “just” the closed, continuation-passing style polymorphic lambda calculus (++)
Lesson 2:» The hard part is memory management & memory
safety.
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 67
One Logic to Bind Them
New goals for general-purpose safe memory management» composable abstractions» reusable abstractions» orthogonal abstractions» comprehensible abstractions
A unified & composable framework for reasoning about » separation of objects (memory blocks)» adjacency of objects » aliasing of pointers» containment of one place in another
Proof that deduction in our logic is sound with respect to the memory model
Use logic in a type system for an IL for region-based memory management (Mini-KAM) and prove that the language is sound
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 68
This Talk…
Logical formulae and the memory model » Flat memory » Hierarchical memory
Type system for Mini-KAM (informally)
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 69
A Logical Approach to Memory Management
One logic for reasoning about key storage properties: » separation of objects (memory blocks)» adjacency of objects » containment of one place in another» aliasing of pointers
Logic comes with» orthogonal connectives to internalize key properties» syntactic proof rules » sound store semantics
Logic is incorporated into a typed abstract machine» safe stack, heap and region-based memory management
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 70
Formulae – Multiplicative Unit
Predicates q ::= [] | …
Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | 1 | …
m ⊨ 1 iff
m
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 71
Hierarchical Memories
R17 8 9
R21415
m
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 72
Path/place p ::= ∗ | p.n eg: *.R1.7
*.R2.14
Hierarchical Memories, Paths
R17 8 9
R21415
m ∗R1 R2
7 8 9 1415
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 73
Path/place p ::= ∗ | p.n eg: *.R1.7 *.R2.14
A hierarchical memory is a mapping from paths to values.
Hierarchical Memories, Paths
R17 8 9
R21415
m =A1 ∗R1 R2
7 8 9 1514
b0 b1 … b31
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 74
Formulae – Containment
Predicates q ::= | more⃖ | more⃗
Formulae F ::= q | F1 ⊗F2 | F1 ○F2 | 1 |
F1 F2 | ㄒ | F1 ⊕F2 | 0 |
| b. F | b.F | n[F]
Bindings b ::= p:P | n:N | :T | :F
Semantics given by: m ⊨ F @ p
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 75
Formula Semantics – Separation
Formulae F ::= … | F1 ⊗F2 | … | n[F]
m ⊨ (F1 ⊗F2) @ p iff there exist disjoint m1 and m2
m1 ⊨ F1 @ p and m2 ⊨ F2 @ p
and m=m1∪m2
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 76
Formula Semantics – Separation
Example
m1 ⊨ F1 @ ∗ m2 ⊨ F2 @ ∗
dom(m1)={∗.R5.3} dom(m2)={∗.R5.4}
R5
m1
33
R5
m2
43
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 77
Formula Semantics – Separation
Example
m1 ⊨ F1 @ ∗ m2 ⊨ F2 @ ∗
dom(m1)={∗.R5.3} dom(m2)={∗.R5.4}
R5
m1∪m2
33
R5 43
m1∪m2 ⊨ (F1 ⊗F2) @ ∗
David Walker Stacks, Heaps and Regions: One Logic to Bind Them 78
Sample Deductive Rules
Each connective is defined in terms of judgmental concepts only; no dependencies on other connectives
Simpler to understand & manipulate
∥ F @ p ⊢ F @ p(hypothesis)
∥ ⊢ n[F] @ p(n[] I)
∥ ⊢ F @ p.n
∥ ⊢ F @ p.n(n[] E)
∥ ⊢ n[F] @ p