RustBelt: Securing the Foundations of the Rust Programming Language
|
|
- Irene Cook
- 5 years ago
- Views:
Transcription
1 RustBelt: Securing the Foundations of the Rust Programming Language Ralf Jung, Jacques-Henri Jourdan, Robbert Krebbers, Derek Dreyer POPL 2018 in Los Angeles, USA Max Planck Institute for Software Systems (MPI-SWS), TU Delft 1
2 Rust Mozilla s replacement for C/C++ A safe & modern systems PL 2
3 Rust Mozilla s replacement for C/C++ A safe & modern systems PL First-class functions Polymorphism/generics Traits Type classes incl. associated types 2
4 Rust Mozilla s replacement for C/C++ A safe & modern systems PL First-class functions Polymorphism/generics Traits Type classes incl. associated types Control over resource management (e.g., memory allocation and data layout) 2
5 Rust Mozilla s replacement for C/C++ A safe & modern systems PL First-class functions Polymorphism/generics Traits Type classes incl. associated types Control over resource management (e.g., memory allocation and data layout) Strong type system guarantees: Type & memory safety; absence of data races 2
6 Rust Mozilla s replacement for C/C++ A safe & modern systems PL First-class functions Polymorphism/generics Traits Type classes incl. associated types Goal of RustBelt project: Control over Prove resource safetymanagement of Rust and its (e.g., memory allocation standardand library. data layout) Strong type system guarantees: Type & memory safety; absence of data races 2
7 Contributions λ Rust : Core calculus representing a fragment of Rust and its type system Semantic soundness proof using logical relation in Iris Safety proof of some important unsafe libraries 3
8 Rust 101 4
9 Rust 101 Aliasing + Mutation 4
10 Ownership // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; v.push(4); 5
11 Ownership // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; v.push(4); // Send v to another thread send(v); Ownership transferred to send: fn send(vec<i32>) 5
12 Ownership // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; v.push(4); // Send v to another thread send(v); // Let's try to use v again v.push(5); Error: v has been moved. Prevents possible data race. 5
13 Ownership // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; v.push(4); // Send v to another thread send(v); x: T expresses ownership of x at type T Mutation allowed, no aliasing We can deallocate x 5
14 Ownership // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; v.push(4); Why is v not moved? // Send v to another thread send(v); 5
15 Borrowing and lifetimes // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; Vec::push(&mut v, 4); // Send v to another thread send(v); Method call was just sugar. &mut v creates a reference. 6
16 Borrowing and lifetimes // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; Vec::push(&mut v, 4); Pass-by-reference: Vec::push borrows ownership temporarily // Send v to another thread send(v); Pass-by-value: Ownership moved to send permanently 6
17 Borrowing and lifetimes // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; Vec::push(&mut v, 4); Pass-by-reference: Vec::push borrows ownership temporarily // Send v to another thread send(v); 6
18 Borrowing and lifetimes // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; Vec::push(&mut v, 4); // Send v to another thread send(v); Type of push: fn Vec::push<'a>(&'a mut Vec<i32>, i32) 6
19 Borrowing and lifetimes // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; Vec::push(&mut v, 4); // Send v to another thread send(v); Type of push: fn Vec::push<'a>(&'a mut Vec<i32>, i32) Lifetime 'a is inferred by Rust. 6
20 Borrowing and lifetimes // Allocate v on the heap let mut v : Vec<i32> = vec![1, 2, 3]; &mut Vec::push(&mut x creates a mutable v, 4); reference of type &'a mut T: Ownership temporarily borrowed // Send v to another thread send(v); Borrow lasts for inferred lifetime 'a Mutation, no aliasing Unique pointer 6
21 Shared Borrowing let mut x = 1; join ( println!("thread 1: {}", &x), println!("thread 2: {}", &x);) x = 2; 7
22 Shared Borrowing let mut x = 1; join ( println!("thread 1: {}", &x), println!("thread 2: {}", &x)); x = 2; &x creates a shared reference of type &'a T Ownership borrowed for lifetime 'a Can be aliased Does not allow mutation 7
23 Shared Borrowing let mut x = 1; join ( println!("thread 1: {}", &x), println!("thread 2: {}", &x)); x = 2; After 'a has ended, x is writeable again. 7
24 Rust s type system is based on ownership: 1. Full ownership: T 2. Mutable borrowed reference: &'a mut T 3. Shared borrowed reference: &'a T Aliasing + Mutation Lifetimes 'a decide how long borrows last. 8
25 But what if I need aliased mutable state? Synchronization mechanisms: Locks, channels,... Memory management: Reference counting,... 9
26 let m = Mutex::new(1); // m : Mutex<i32> // Concurrent increment: // Acquire lock, mutate, release (implicit) join ( *(&m).lock().unwrap() += 1, *(&m).lock().unwrap() += 1); // Unique owner: no need to lock println!("{}", m.get_mut().unwrap()) 10
27 Type of lock: let m = Mutex::new(1); // m : Mutex<i32> fn lock<'a>(&'a Mutex<i32>) // Concurrent increment: -> LockResult<MutexGuard<'a, i32>> // Acquire lock, mutate, release (implicit) join ( *(&m).lock().unwrap() += 1, *(&m).lock().unwrap() += 1); // Unique owner: no need to lock println!("{}", m.get_mut().unwrap()) 10
28 Type of lock: let m = Mutex::new(1); // m : Mutex<i32> fn lock<'a>(&'a Mutex<i32>) // Concurrent increment: -> &'a mut i32 // Acquire lock, mutate, release (implicit) join ( *(&m).lock().unwrap() += 1, *(&m).lock().unwrap() += 1); // Unique owner: no need to lock println!("{}", m.get_mut().unwrap()) 10
29 Type of lock: let m = Mutex::new(1); // m : Mutex<i32> fn lock<'a>(&'a Mutex<i32>) -> &'a mut i32 // Concurrent increment: Interior mutability // Acquire lock, mutate, release (implicit) join ( *(&m).lock().unwrap() += 1, *(&m).lock().unwrap() += 1); // Unique owner: no need to lock println!("{}", m.get_mut().unwrap()) 10
30 Type of lock: let m = Mutex::new(1); // m : Mutex<i32> fn lock<'a>(&'a Mutex<i32>) -> &'a mut i32 // Concurrent increment: Interior mutability // Acquire lock, mutate, release (implicit) join ( *(&m).lock().unwrap() += 1, *(&m).lock().unwrap() += 1); Aliasing? + Mutation // Unique owner: no need to lock println!("{}", m.get_mut().unwrap()) 10
31 unsafe fn lock<'a>(&'a self) -> LockResult<MutexGuard<'a, T>> { unsafe { libc::pthread_mutex_lock(self.inner.get()); MutexGuard::new(self) } } 11
32 unsafe fn lock<'a>(&'a self) -> LockResult<MutexGuard<'a, T>> { } unsafe { } Mutex has an unsafe implementation. But the interface (API) is safe: libc::pthread_mutex_lock(self.inner.get()); fn MutexGuard::new(self) lock<'a>(&'a Mutex<i32>) -> &'a mut T 11
33 unsafe fn lock<'a>(&'a self) -> LockResult<MutexGuard<'a, T>> { } Mutex has an unsafe implementation. But the interface (API) is safe: unsafe fn lock<'a>(&'a { Mutex<i32>) -> &'a mut T libc::pthread_mutex_lock(self.inner.get()); Similar MutexGuard::new(self) for join: unsafely implemented user } library, safe interface. 11
34 Goal: Prove safety of Rust and its standard library. Safety proof needs to be extensible. 12
35 The λ Rust type system τ ::= bool int own n τ & κ mut τ & κ shr τ Πτ Στ... 13
36 The λ Rust type system τ ::= bool int own n τ & κ mut τ & κ shr τ Πτ Στ... T ::= T, p τ... Typing context assigns types to paths p (denoting fields of structures) 13
37 The λ Rust type system τ ::= bool int own n τ & κ mut τ & κ shr τ Πτ Στ... T ::= T, p τ... Core substructural typing judgments: Γ E; L T 1 I x. T 2 Γ E; L K, T F Typing individual instructions I (E and L track lifetimes) Typing whole functions F (K tracks continuations) 13
38 The λ Rust type system τ ::= bool int own n τ & κ mut τ & κ shr τ Πτ Στ... T ::= T, p τ... Core substructural typing judgments: Γ E; L T 1 I x. T 2 Γ E; L K, T F 13
39 The λ Rust type system τ ::= bool int own n τ & κ mut τ & κ shr τ Πτ Στ... T ::= T, p τ... Core substructural typing judgments: Γ E; L T 1 I x. T 2 Γ E; L K, T F 13
40 Syntactic type safety E; L K, T F = F is safe Usually proven by progress and preservation. But what about unsafe code? 14
41 Syntactic type safety E; L K, T F = F is safe Usually proven by progress and preservation. But what about unsafe code? Use a semantic approach based on logical relations. 14
42 The logical relation Ownership predicate for every type τ: τ.own(t, v) 15
43 The logical relation Ownership predicate for every type τ: τ.own(t, v) Owning thread s ID Data in memory 15
44 The logical relation Ownership predicate for every type τ: τ.own(t, v) Owning thread s ID Data in memory We use Iris to define ownership: Concurrent separation logic Designed to derive new reasoning principles inside the logic 15
45 The logical relation Ownership predicate for every type τ: τ.own(t, v) Lift to semantic contexts T (t): p 1 τ 1, p 2 τ 2 (t) := τ 1.own(t, [p 1 ]) τ 2.own(t, [p 2 ]) 15
46 The logical relation Ownership predicate for every type τ: τ.own(t, v) Lift to semantic contexts T (t): p 1 τ 1, p 2 τ 2 (t) := τ 1.own(t, [p 1 ]) τ 2.own(t, [p 2 ]) Separating conjunction 15
47 = The logical relation Ownership predicate for every type τ: τ.own(t, v) Lift to semantic typing judgments: E; L T 1 = I T 2 := t. { E L T 1 (t)} I { E L T 2 (t)} 15
48 Compatibility lemmas Connect logical relation to type system: Semantic versions of all syntactic typing rules. Γ E; L κ alive Γ E; L p 1 & κ mut τ, p 2 τ p 1 := p 2 p 1 & κ mut τ E; L T 1 I x. T 2 E; L K; T 2, T F E; L K; T 1, T let x = I in F 16
49 = Compatibility lemmas Connect logical relation to type system: Semantic versions of all syntactic typing rules. Γ E; L = κ alive Γ E; L p 1 & κ mut τ, p 2 τ = p 1 := p 2 p 1 & κ mut τ E; L T 1 = I x. T 2 E; L K; T 2, T = F = E; L K; T 1, T = let x = I in F 16
50 Compatibility lemmas Connect logical relation to type system: Semantic versions of all syntactic typing rules. Well-typed programs can t go wrong Γ E; L = κ alive No data race Γ E; L p 1 & κ mut τ, p 2 τ = p 1 := p 2 p 1 & κ mut τ No invalid memory access E; L T 1 = I x. T 2 E; L K; T 2, T = F = = E; L K; T 1, T = let x = I in F 16
51 Linking with unsafe code unsafe 17
52 Linking with unsafe code unsafe 17
53 Linking with unsafe code The whole program is safe if the unsafe pieces are safe! unsafe 17
54 How do we define τ.own(t, v)? 18
55 own n τ.own(t, v) := l. v = [l] ( w. l w τ.own(t, w) )... 19
56 own n τ.own(t, v) := l. v = [l] ( w. l w τ.own(t, w) )... 19
57 own n τ.own(t, v) := l. v = [l] ( w. l w τ.own(t, w) )... & κ mut τ.own(t, v) := l. v = [l] & κ ( full w. l w τ.own(t, w) ) 19
58 own n τ.own(t, v) := l. v = [l] ( w. l w τ.own(t, w) )... & κ mut τ.own(t, v) := l. v = [l] & κ ( full w. l w τ.own(t, w) ) Lifetime logic connective 19
59 Traditionally, P Q splits ownership in space. Lifetime logic allows splitting ownership in time! 20
60 P & κ full P ( [ κ] P ) now [ κ] time κ alive κ dead 21
61 P & κ full P ( [ κ] P ) Access to P while κ lasts now [ κ] time 21
62 P & κ full P ( [ κ] P ) Access to P while κ lasts now Access to P when κ has ended [ κ] time 21
63 P & κ full P ( [ κ] P ) Access to P while κ lasts The lifetime logic has been fully derived inside Iris. now Access to P when κ has ended [ κ] time 21
64 What else is in the paper? More details about λ Rust, the type system, and the lifetime logic How to handle interior mutability that is safe for subtle reasons (e.g., mutual exclusion) Mutex<T>, Cell<T> 22
65 What else is in the paper? More details about λ Rust, the type system, and the lifetime logic How to handle interior mutability that is safe for subtle reasons (e.g., mutual exclusion) Mutex<T>, Cell<T>, RefCell<T>, Rc<T>, Arc<T>, RwLock<T> (found a bug),... 22
66 What else is in the paper? More details about λ Rust, the type system, and the lifetime logic How to handle interior mutability that is safe for subtle reasons (e.g., mutual exclusion) Mutex<T>, Cell<T>, RefCell<T>, Rc<T>, Arc<T>, RwLock<T> (found a bug),... Still missing from RustBelt: Trait objects (existential types), weak memory, drop,... 22
67 Logical relations can be used to prove safety of languages with unsafe operations. Advances in separation logic (as embodied in Iris) make this possible for even a language as sophisticated as Rust! 23
Aaron Turon! Mozilla Research
Aaron Turon Mozilla Research C/C++ ML/Haskell Rust Safe systems programming Why Mozilla? Browsers need control. Browsers need safety. Servo: Next-generation browser built in Rust. C++ What is control?
More informationAdvances in Programming Languages
Advances in Programming Languages Lecture 18: Concurrency and More in Rust Ian Stark School of Informatics The University of Edinburgh Friday 24 November 2016 Semester 1 Week 10 https://blog.inf.ed.ac.uk/apl16
More informationNicholas Matsakis! Mozilla Research
Nicholas Matsakis! Mozilla Research Parallel! Systems programming without the hassle crashes! heisenbugs! fear 2 C/C++: efficiency first! destructors memory layout smart pointers monomorphization Research
More informationCMSC 330: Organization of Programming Languages. Ownership, References, and Lifetimes in Rust
CMSC 330: Organization of Programming Languages Ownership, References, and Lifetimes in Rust CMSC330 Spring 2018 1 Memory: the Stack and the Heap The stack constant-time, automatic (de)allocation Data
More informationRust for C++ Programmers
Rust for C++ Programmers Vinzent Steinberg C++ User Group, FIAS April 29, 2015 1 / 27 Motivation C++ has a lot of problems C++ cannot be fixed (because of backwards compatibility) Rust to the rescue! 2
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationRust intro. (for Java Developers) JFokus #jfokus 1. 1
Rust intro (for Java Developers) JFokus 2017 - #jfokus 1. 1 Hi! Computer Engineer Programming Electronics Math
More informationAn Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C
An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C Robbert Krebbers Radboud University Nijmegen January 22, 2014 @ POPL, San Diego, USA 1 / 16 What is this program supposed
More informationThe Concept of Ownership in Rust and Swift
The Concept of Ownership in Rust and Swift The Concept of Ownership in Rust and Swift By Elaf A Alhazmi, M.Sc. A Thesis Submitted to The Department of Computing and Software and the School of Graduate
More informationCS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012
CS-XXX: Graduate Programming Languages Lecture 9 Simply Typed Lambda Calculus Dan Grossman 2012 Types Major new topic worthy of several lectures: Type systems Continue to use (CBV) Lambda Caluclus as our
More informationGuaranteeing memory safety in Rust
Guaranteeing memory safety in Rust Nicholas D. Matsakis Mozilla Research 1 Hashtable in C / C++ template struct Hashtable { Bucket *buckets; unsigned num_buckets; template
More informationOutline. Introduction Concepts and terminology The case for static typing. Implementing a static type system Basic typing relations Adding context
Types 1 / 15 Outline Introduction Concepts and terminology The case for static typing Implementing a static type system Basic typing relations Adding context 2 / 15 Types and type errors Type: a set of
More informationType Soundness and Race Freedom for Mezzo
Type Soundness and Race Freedom for Mezzo Thibaut Balabonski François Pottier Jonathan Protzenko INRIA FLOPS 2014 1 / 42 Mezzo in a few words Mezzo is a high-level programming language, equipped with:
More informationRust. A safe, concurrent, practical language. Graydon Hoare October 2012
Rust A safe, concurrent, practical language Graydon Hoare October 2012 This is not a marketing talk Purpose: Convince you there's something interesting here Provide some technical
More informationProgramming Languages
CSE 230: Winter 2008 Principles of Programming Languages Ocaml/HW #3 Q-A Session Push deadline = Mar 10 Session Mon 3pm? Lecture 15: Type Systems Ranjit Jhala UC San Diego Why Typed Languages? Development
More informationNext Gen Networking Infrastructure With Rust
Next Gen Networking Infrastructure With Rust Hi, I m @carllerche Let s write a database! Most newer databases are written in a language that includes a runtime. C / C++ Memory management we ll do it live
More informationThe Case for Building a Kernel
The Case for Building a Kernel in Rust Amit Levy Brad Campbell Branden Ghena Pat Pannuto Philip Levis Prabal Dutta Stanford University & University of Michigan September 2nd 2017 Memory and type safety
More informationMutable References. Chapter 1
Chapter 1 Mutable References In the (typed or untyped) λ-calculus, or in pure functional languages, a variable is immutable in that once bound to a value as the result of a substitution, its contents never
More informationVerifying Concurrent Programs with VST
Verifying Concurrent Programs with VST William Mansky 1 Introduction As of version 2.1, VST includes support for verifying concurrent programs with userdefined ghost state, as in modern concurrent separation
More informationRegion-based Memory Management. Advanced Operating Systems Lecture 10
Region-based Memory Management Advanced Operating Systems Lecture 10 Lecture Outline Rationale Stack-based memory management Region-based memory management Ownership Borrowing Benefits and limitations
More informationSynchronising Threads
Synchronising Threads David Chisnall March 1, 2011 First Rule for Maintainable Concurrent Code No data may be both mutable and aliased Harder Problems Data is shared and mutable Access to it must be protected
More informationCorrections made in this version not in first posting:
1 Changelog 1 Corrections made in this version not in first posting: 12 April 2017: slide 15: correct arrow from B-freed to D-freed 12 April 2017: slide 42: correct phrasing on what is borrowed fuzzing
More informationWhat is the Race Condition? And what is its solution? What is a critical section? And what is the critical section problem?
What is the Race Condition? And what is its solution? Race Condition: Where several processes access and manipulate the same data concurrently and the outcome of the execution depends on the particular
More informationChapter 1. Introduction
1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in
More informationAn introduction to weak memory consistency and the out-of-thin-air problem
An introduction to weak memory consistency and the out-of-thin-air problem Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) CONCUR, 7 September 2017 Sequential consistency 2 Sequential
More informationCMSC 330: Organization of Programming Languages
CMSC 330: Organization of Programming Languages Smart Pointers in Rust CMSC330 Spring 2018 Copyright 2018 Michael Hicks, the University of Maryland. Some material based on https://doc.rustlang.org/book/second-edition/index.html
More informationThe theory of Mezzo. François Pottier. IHP, April 2014 INRIA
The theory of Mezzo François Pottier INRIA IHP, April 2014 1 / 94 Acknowledgements Jonathan Protzenko, Thibaut Balabonski, Henri Chataing, Armaël Guéneau, Cyprien Mangin. 2 / 94 Outline Introduction The
More informationNext Gen Networking Infrastructure With Rust
Next Gen Networking Infrastructure With Rust Hi, I m @carllerche You may remember me from Most newer databases are written in a language that includes a runtime C / C++ Memory management we ll do it live
More informationTHREADS: (abstract CPUs)
CS 61 Scribe Notes (November 29, 2012) Mu, Nagler, Strominger TODAY: Threads, Synchronization - Pset 5! AT LONG LAST! Adversarial network pong handling dropped packets, server delays, overloads with connection
More informationTypes and Programming Languages. Lecture 6. Normalization, references, and exceptions
Types and Programming Languages Lecture 6. Normalization, references, and exceptions Xiaojuan Cai cxj@sjtu.edu.cn BASICS Lab, Shanghai Jiao Tong University Fall, 2016 Coming soon One more language features:
More informationThe Case for N-Body Simulations in Rust
Int'l Conf. Scientific Computing CSC'16 3 The Case for N-Body Simulations in Rust A. Hansen, M. C. Lewis Department of Computer Science, Trinity University, San Antonio, Texas, United States Abstract In
More informationApplied Unified Ownership. Capabilities for Sharing Across Threads
Applied Unified Ownership or Capabilities for Sharing Across Threads Elias Castegren Tobias Wrigstad DRF transfer parallel programming AppliedUnified Ownership memory management placement in pools (previous
More informationRecency Types for Dynamically-Typed, Object-Based Languages
Recency Types for Dynamically-Typed, Object-Based Languages Phillip Heidegger, Peter Thiemann Albert-Ludwigs-Universität Freiburg 15.10.2008 Task: Maintenance Finding bugs in JavaScript programs Understanding
More informationTypes for References, Exceptions and Continuations. Review of Subtyping. Γ e:τ τ <:σ Γ e:σ. Annoucements. How s the midterm going?
Types for References, Exceptions and Continuations Annoucements How s the midterm going? Meeting 21, CSCI 5535, Spring 2009 2 One-Slide Summary Review of Subtyping If τ is a subtype of σ then any expression
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More informationRust for high level applications. Lise Henry
Rust for high level applications Lise Henry Who am I Elisabeth Henry A.k.a Lizzie Crowdagger Computer science background Semi-professional fantasy writer I like Rust, but not really into systems programming
More informationProgramming Languages Lecture 14: Sum, Product, Recursive Types
CSE 230: Winter 200 Principles of Programming Languages Lecture 4: Sum, Product, Recursive Types The end is nigh HW 3 No HW 4 (= Final) Project (Meeting + Talk) Ranjit Jhala UC San Diego Recap Goal: Relate
More informationHoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic
Introduction Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that Separation Logic is based on. Kasper Svendsen University of Cambridge CST Part II 2016/17 This lecture
More informationCMSC 336: Type Systems for Programming Languages Lecture 5: Simply Typed Lambda Calculus Acar & Ahmed January 24, 2008
CMSC 336: Type Systems for Programming Languages Lecture 5: Simply Typed Lambda Calculus Acar & Ahmed January 24, 2008 Contents 1 Solution to the Exercise 1 1.1 Semantics for lambda calculus.......................
More informationHybrid Verification in SPARK 2014: Combining Formal Methods with Testing
IEEE Software Technology Conference 2015 Hybrid Verification in SPARK 2014: Combining Formal Methods with Testing Steve Baird Senior Software Engineer Copyright 2014 AdaCore Slide: 1 procedure Array_Indexing_Bug
More informationSimply-Typed Lambda Calculus
#1 Simply-Typed Lambda Calculus #2 Back to School What is operational semantics? When would you use contextual (small-step) semantics? What is denotational semantics? What is axiomatic semantics? What
More informationTyped Assembly Language for Implementing OS Kernels in SMP/Multi-Core Environments with Interrupts
Typed Assembly Language for Implementing OS Kernels in SMP/Multi-Core Environments with Interrupts Toshiyuki Maeda and Akinori Yonezawa University of Tokyo Quiz [Environment] CPU: Intel Xeon X5570 (2.93GHz)
More informationCS6202: Advanced Topics in Programming Languages and Systems Lecture 0 : Overview
CS6202: Advanced Topics in Programming Languages and Systems Lecture 0 : Overview Advanced Language Features and Foundations Lecturer : Chin Wei Ngan Email : chinwn@comp.nus.edu.sg Office : S15 06-01 CS6202
More informationIt turns out that races can be eliminated without sacrificing much in terms of performance or expressive power.
The biggest two problems in multi-threaded programming are races and deadlocks. Races reached new levels with the introduction of relaxed memory processors. It turns out that races can be eliminated without
More informationCS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011
CS152: Programming Languages Lecture 11 STLC Extensions and Related Topics Dan Grossman Spring 2011 Review e ::= λx. e x e e c v ::= λx. e c τ ::= int τ τ Γ ::= Γ, x : τ (λx. e) v e[v/x] e 1 e 1 e 1 e
More informationCSE505, Fall 2012, Midterm Examination October 30, 2012
CSE505, Fall 2012, Midterm Examination October 30, 2012 Rules: The exam is closed-book, closed-notes, except for one side of one 8.5x11in piece of paper. Please stop promptly at Noon. You can rip apart
More informationWe defined congruence rules that determine the order of evaluation, using the following evaluation
CS 4110 Programming Languages and Logics Lectures #21: Advanced Types 1 Overview In this lecture we will extend the simply-typed λ-calculus with several features we saw earlier in the course, including
More informationRust. A new systems programming language. 1.0 was released on May 15th. been in development 5+ years. releases every 6 weeks
1 Rust A new systems programming language 1.0 was released on May 15th been in development 5+ years releases every 6 weeks Pursuing the trifecta: safe, concurrent, fast Gone through many radical iterations
More informationCSE 153 Design of Operating Systems
CSE 153 Design of Operating Systems Winter 19 Lecture 7/8: Synchronization (1) Administrivia How is Lab going? Be prepared with questions for this weeks Lab My impression from TAs is that you are on track
More informationProgramming Languages
: Winter 2010 Principles of Programming Languages Lecture 1: Welcome, etc. Ranjit Jhala UC San Diego Computation & Interaction Precisely expressed by PL Dependence means need for analysis Safety Security
More informationCS 153 Design of Operating Systems Winter 2016
CS 153 Design of Operating Systems Winter 2016 Lecture 7: Synchronization Administrivia Homework 1 Due today by the end of day Hopefully you have started on project 1 by now? Kernel-level threads (preemptable
More informationVerifying Concurrent Memory Reclamation Algorithms with Grace
Verifying Concurrent Memory Reclamation Algorithms with Grace Alexey Gotsman, Noam Rinetzky, and Hongseok Yang 1 IMDEA Software Institute 2 Tel-Aviv University 3 University of Oxford Abstract. Memory management
More informationCS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011
CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011 1 Introduction Type checking is a lightweight technique for proving simple properties of programs. Unlike theorem-proving techniques based on axiomatic
More informationRust Advanced Topics
Rust Advanced Topics Adapted from https://skade.github.io/rust-three-dayscourse/presentation/toc/english.html Generic Functions 1. fn takes_anything(thing: T) -> T { 2. thing 3. } 4. fn main() { 5.
More informationStatic Lock Capabilities for Deadlock-Freedom
Static Lock Capabilities for Deadlock-Freedom Colin S. Gordon csgordon@cs.washington.edu University of Washington TLDI, January 28, 2012 Joint work with Michael D. Ernst and Dan Grossman Colin S. Gordon
More information1 Introduction. 3 Syntax
CS 6110 S18 Lecture 19 Typed λ-calculus 1 Introduction Type checking is a lightweight technique for proving simple properties of programs. Unlike theorem-proving techniques based on axiomatic semantics,
More informationProgramming Languages Lecture 15: Recursive Types & Subtyping
CSE 230: Winter 2008 Principles of Programming Languages Lecture 15: Recursive Types & Subtyping Ranjit Jhala UC San Diego News? Formalize first-order type systems Simple types (integers and booleans)
More informationCMSC 330: Organization of Programming Languages
CMSC 330: Organization of Programming Languages Multithreading Multiprocessors Description Multiple processing units (multiprocessor) From single microprocessor to large compute clusters Can perform multiple
More informationChapter 13: Reference. Why reference Typing Evaluation Store Typings Safety Notes
Chapter 13: Reference Why reference Typing Evaluation Store Typings Safety Notes References Computational Effects Also known as side effects. A function or expression is said to have a side effect if,
More informationFrom IMP to Java. Andreas Lochbihler. parts based on work by Gerwin Klein and Tobias Nipkow ETH Zurich
From IMP to Java Andreas Lochbihler ETH Zurich parts based on work by Gerwin Klein and Tobias Nipkow 2015-07-14 1 Subtyping 2 Objects and Inheritance 3 Multithreading 1 Subtyping 2 Objects and Inheritance
More informationCSE 451: Operating Systems Winter Lecture 7 Synchronization. Steve Gribble. Synchronization. Threads cooperate in multithreaded programs
CSE 451: Operating Systems Winter 2005 Lecture 7 Synchronization Steve Gribble Synchronization Threads cooperate in multithreaded programs to share resources, access shared data structures e.g., threads
More informationCSE 505: Concepts of Programming Languages
CSE 505: Concepts of Programming Languages Dan Grossman Fall 2009 Lecture 4 Proofs about Operational Semantics; Pseudo-Denotational Semantics Dan Grossman CSE505 Fall 2009, Lecture 4 1 This lecture Continue
More informationProgram logics for relaxed consistency
Program logics for relaxed consistency UPMARC Summer School 2014 Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 1st Lecture, 28 July 2014 Outline Part I. Weak memory models 1. Intro
More informationDeadlock. Concurrency: Deadlock and Starvation. Reusable Resources
Concurrency: Deadlock and Starvation Chapter 6 Deadlock Permanent blocking of a set of processes that either compete for system resources or communicate with each other No efficient solution Involve conflicting
More informationMemory Management. Advanced Operating Systems (M) Lecture 3
Memory Management Advanced Operating Systems (M) Lecture 3 This work is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/4.0/
More informationParallel Programming in Distributed Systems Or Distributed Systems in Parallel Programming
Parallel Programming in Distributed Systems Or Distributed Systems in Parallel Programming Philippas Tsigas Chalmers University of Technology Computer Science and Engineering Department Philippas Tsigas
More informationAmit Levy SITP Retreat, June 22, Tock: A Secure Operating System for Microcontrollers
Amit Levy SITP Retreat, June 22, 2018 Tock: A Secure Operating System for Microcontrollers Limitations of Microcontroller Sofware Low memory: ~64 kb RAM No virtual memory Can t use Linux! No isolation
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Pointers Pointers and
More informationReview. CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Let bindings (CBV) Adding Stuff. Booleans and Conditionals
Review CS152: Programming Languages Lecture 11 STLC Extensions and Related Topics e ::= λx. e x ee c v ::= λx. e c (λx. e) v e[v/x] e 1 e 2 e 1 e 2 τ ::= int τ τ Γ ::= Γ,x : τ e 2 e 2 ve 2 ve 2 e[e /x]:
More informationSynchronization SPL/2010 SPL/20 1
Synchronization 1 Overview synchronization mechanisms in modern RTEs concurrency issues places where synchronization is needed structural ways (design patterns) for exclusive access 2 Overview synchronization
More informationCSolve: Verifying C With Liquid Types
CSolve: Verifying C With Liquid Types Patrick Rondon, Alexander Bakst, Ming Kawaguchi, and Ranjit Jhala University of California, San Diego {prondon, abakst, mwookawa, jhala@cs.ucsd.edu Abstract. We present
More informationTRELLYS and Beyond: Type Systems for Advanced Functional Programming
TRELLYS and Beyond: Type Systems for Advanced Functional Programming Aaron Stump Computer Science The University of Iowa Joint work with Tim Sheard, Vilhelm Sjöberg, and Stephanie Weirich. Supported by
More informationTaming release-acquire consistency
Taming release-acquire consistency Ori Lahav Nick Giannarakis Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) POPL 2016 Weak memory models Weak memory models provide formal sound semantics
More informationConcurrency. Glossary
Glossary atomic Executing as a single unit or block of computation. An atomic section of code is said to have transactional semantics. No intermediate state for the code unit is visible outside of the
More informationPractical Affine Types and Typestate-Oriented Programming
Practical Affine Types and Typestate-Oriented Programming Philipp Haller KTH Royal Institute of Technology Stockholm, Sweden Dagstuhl Seminar 17051 Theory and Applications of Behavioural Types Schloss
More informationHigh-level languages
High-level languages High-level languages are not immune to these problems. Actually, the situation is even worse: the source language typically operates over mixed-size values (multi-word and bitfield);
More informationProgramming Languages (PL)
1 2 3 4 5 6 7 8 9 10 11 Programming Languages (PL) Programming languages are the medium through which programmers precisely describe concepts, formulate algorithms, and reason about solutions. In the course
More informationCMSC 330: Organization of Programming Languages. Strings, Slices, Vectors, HashMaps in Rust
CMSC 330: Organization of Programming Languages Strings, Slices, Vectors, HashMaps in Rust CMSC330 Spring 2018 1 String Representation Rust s String is a 3-tuple A pointer to a byte array (interpreted
More informationOperating systems. Lecture 3 Interprocess communication. Narcis ILISEI, 2018
Operating systems Lecture 3 Interprocess communication Narcis ILISEI, 2018 Goals for today Race Condition Critical Region Mutex / Monitor Semaphore Inter-process communication (IPC) A mechanism that allows
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationProgram Verification (6EC version only)
Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen Overview Program Verification using Verification Condition Generators JML a formal specification language
More informationControlling Mutation and Aliases with Fractional Permissions
Controlling Mutation and Aliases with Fractional Permissions John Boyland University of Wisconsin- Milwaukee ECOOP 12 Outline of Session I. Fractional Permissions II. Applications III. Problems I. Fractional
More informationKey-value store with eventual consistency without trusting individual nodes
basementdb Key-value store with eventual consistency without trusting individual nodes https://github.com/spferical/basementdb 1. Abstract basementdb is an eventually-consistent key-value store, composed
More informationThe Rule of Constancy(Derived Frame Rule)
The Rule of Constancy(Derived Frame Rule) The following derived rule is used on the next slide The rule of constancy {P } C {Q} {P R} C {Q R} where no variable assigned to in C occurs in R Outline of derivation
More informationCSE-321 Programming Languages 2011 Final
Name: Hemos ID: CSE-321 Programming Languages 2011 Final Prob 1 Prob 2 Prob 3 Prob 4 Prob 5 Prob 6 Total Score Max 15 15 10 17 18 25 100 There are six problems on 18 pages in this exam, including one extracredit
More informationSynchronization COMPSCI 386
Synchronization COMPSCI 386 Obvious? // push an item onto the stack while (top == SIZE) ; stack[top++] = item; // pop an item off the stack while (top == 0) ; item = stack[top--]; PRODUCER CONSUMER Suppose
More informationHiding local state in direct style: a higher-order anti-frame rule
1 / 65 Hiding local state in direct style: a higher-order anti-frame rule François Pottier January 28th, 2008 2 / 65 Contents Introduction Basics of the type system A higher-order anti-frame rule Applications
More information1: /////////////// 2: // 1. Basics // 3: /////////////// 4: 5: // Functions. i32 is the type for 32-bit signed integers 6: fn add2(x: i32, y: i32) ->
1: /////////////// 2: // 1. Basics // 3: /////////////// 4: 5: // Functions. i32 is the type for 32-bit signed integers 6: fn add2(x: i32, y: i32) -> i32 { 7: // Implicit return (no semicolon) 8: x + y
More informationCSE-321 Programming Languages 2012 Midterm
Name: Hemos ID: CSE-321 Programming Languages 2012 Midterm Prob 1 Prob 2 Prob 3 Prob 4 Prob 5 Prob 6 Total Score Max 14 15 29 20 7 15 100 There are six problems on 24 pages in this exam. The maximum score
More informationM4 Parallelism. Implementation of Locks Cache Coherence
M4 Parallelism Implementation of Locks Cache Coherence Outline Parallelism Flynn s classification Vector Processing Subword Parallelism Symmetric Multiprocessors, Distributed Memory Machines Shared Memory
More informationLinear Logic, Heap-shape Patterns and Imperative Programming
Linear Logic, Heap-shape Patterns and Imperative Programming Limin Jia Princeton University ljia@cs.princeton.edu David Walker Princeton University dpw@cs.princeton.edu Abstract In this paper, we propose
More informationRepresentation Independence, Confinement and Access Control
Representation Independence, Confinement and Access Control Anindya Banerjee and David Naumann ab@cis.ksu.edu and naumann@cs.stevens-tech.edu Kansas State University and Stevens Institute of Technology,
More informationCSE 451: Operating Systems Winter Lecture 7 Synchronization. Hank Levy 412 Sieg Hall
CSE 451: Operating Systems Winter 2003 Lecture 7 Synchronization Hank Levy Levy@cs.washington.edu 412 Sieg Hall Synchronization Threads cooperate in multithreaded programs to share resources, access shared
More information11/19/2013. Imperative programs
if (flag) 1 2 From my perspective, parallelism is the biggest challenge since high level programming languages. It s the biggest thing in 50 years because industry is betting its future that parallel programming
More informationCache Coherence and Atomic Operations in Hardware
Cache Coherence and Atomic Operations in Hardware Previously, we introduced multi-core parallelism. Today we ll look at 2 things: 1. Cache coherence 2. Instruction support for synchronization. And some
More informationProgramming Languages
TECHNISCHE UNIVERSITÄT MÜNCHEN FAKULTÄT FÜR INFORMATIK Programming Languages Concurrency: Atomic Executions, Locks and Monitors Dr. Michael Petter Winter term 2016 Atomic Executions, Locks and Monitors
More informationQWeSST. Type-Safe Web Programming. Thierry Sans and Iliano Cervesato. Carnegie Mellon University Qatar
QWeSST Type-Safe Web Programming Thierry Sans and Iliano Cervesato Carnegie Mellon University Qatar Katholieke Universiteit Leuven, Belgium 2 August 2011 Project Goal Study the foundations of web programming
More informationModular Reasoning about Aliasing using Permissions
Modular Reasoning about Aliasing using Permissions John Boyland University of Wisconsin- Milwaukee FOAL 2015 Summary Permissions are non-duplicable tokens that give access to state. Permissions give effective
More informationSymmetric Multiprocessors: Synchronization and Sequential Consistency
Constructive Computer Architecture Symmetric Multiprocessors: Synchronization and Sequential Consistency Arvind Computer Science & Artificial Intelligence Lab. Massachusetts Institute of Technology November
More informationRepresentation Independence, Confinement and Access Control
Representation Independence, Confinement and Access Control Anindya Banerjee and David Naumann ab@cis.ksu.edu and naumann@cs.stevens-tech.edu Kansas State University and Stevens Institute of Technology
More information