An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C

Size: px

Start display at page:

Download "An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C"

Brittney Clark
5 years ago
Views:

1 An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C Robbert Krebbers Radboud University Nijmegen January 22, POPL, San Diego, USA 1 / 16

2 What is this program supposed to do? int main() { int x; int y = (x = 3) + (x = 4); printf("%d %d\n", x, y); } 2 / 16

3 What is this program supposed to do? int main() { int x; int y = (x = 3) + (x = 4); printf("%d %d\n", x, y); } Let us try some compilers Clang prints 4 7, seems just left-right 2 / 16

4 What is this program supposed to do? int main() { int x; int y = (x = 3) + (x = 4); printf("%d %d\n", x, y); } Let us try some compilers Clang prints 4 7, seems just left-right GCC prints 4 8, does not correspond to any evaluation order 2 / 16

5 What is this program supposed to do? int main() { int x; int y = (x = 3) + (x = 4); printf("%d %d\n", x, y); } Let us try some compilers Clang prints 4 7, seems just left-right GCC prints 4 8, does not correspond to any evaluation order This program violates the sequence point restriction due to two unsequenced writes to x resulting in undefined behavior thus both compilers are right 2 / 16

6 Undefined behavior in C Garbage in, garbage out principle Programs with undefined behavior are not statically excluded Undefined behavior all bets are off Allows compilers to omit (expensive) dynamic checks 3 / 16

7 Undefined behavior in C Garbage in, garbage out principle Programs with undefined behavior are not statically excluded Undefined behavior all bets are off Allows compilers to omit (expensive) dynamic checks A compiler independent C semantics should account for undefined behavior 3 / 16

8 Examples Side-effects are useful in a while, for, return,... while ((x = getchar())!= EOF) /* do something */ 4 / 16

9 Examples Side-effects are useful in a while, for, return,... while ((x = getchar())!= EOF) /* do something */ Non-determinism is subtle in innocent looking examples: *p = g (x, y, z); Here, g may change p, so the evaluation order matters 4 / 16

10 Examples Side-effects are useful in a while, for, return,... while ((x = getchar())!= EOF) /* do something */ Non-determinism is subtle in innocent looking examples: *p = g (x, y, z); Here, g may change p, so the evaluation order matters Interleaving of subexpressions is possible, for example printf("a") + (printf("b") + printf("c")); may print bac 4 / 16

11 Contribution A compiler independent small step operational, and axiomatic, semantics for non-determinism and sequence points, supporting: expressions with function calls, assignments, conditionals undefined behavior due to integer overflow parametrized by integer types dynamically allocated memory (malloc and free) non-local control (return and goto) local variables (and pointers to those) mutual recursion separation logic soundness proof fully checked by Coq 5 / 16

12 Contribution A compiler independent small step operational, and axiomatic, semantics for non-determinism and sequence points, supporting: expressions with function calls, assignments, conditionals undefined behavior due to integer overflow parametrized by integer types dynamically allocated memory (malloc and free) non-local control (return and goto) local variables (and pointers to those) mutual recursion separation logic soundness proof fully checked by Coq 5 / 16

13 Contribution A compiler independent small step operational, and axiomatic, semantics for non-determinism and sequence points, supporting: expressions with function calls, assignments, conditionals undefined behavior due to integer overflow parametrized by integer types dynamically allocated memory (malloc and free) non-local control (return and goto) local variables (and pointers to those) mutual recursion separation logic soundness proof fully checked by Coq 5 / 16

14 Contribution A compiler independent small step operational, and axiomatic, semantics for non-determinism and sequence points, supporting: expressions with function calls, assignments, conditionals undefined behavior due to integer overflow parametrized by integer types dynamically allocated memory (malloc and free) non-local control (return and goto) local variables (and pointers to those) mutual recursion separation logic soundness proof fully checked by Coq 5 / 16

15 Key idea Observation: non-determinism corresponds to concurrency Idea: use the separation logic rule for parallel composition {P 1 } e 1 {Q 1 } {P 2 } e 2 {Q 2 } {P 1 P 2 } e 1 e 2 {Q 1 Q 2 } 6 / 16

16 Key idea Observation: non-determinism corresponds to concurrency Idea: use the separation logic rule for parallel composition What does this mean: {P 1 } e 1 {Q 1 } {P 2 } e 2 {Q 2 } {P 1 P 2 } e 1 e 2 {Q 1 Q 2 } Split the memory into two disjoint parts Prove that e 1 and e 2 can be executed safely in their part Now e 1 e 2 can be executed safely in the whole memory 6 / 16

17 Key idea Observation: non-determinism corresponds to concurrency Idea: use the separation logic rule for parallel composition What does this mean: {P 1 } e 1 {Q 1 } {P 2 } e 2 {Q 2 } {P 1 P 2 } e 1 e 2 {Q 1 Q 2 } Split the memory into two disjoint parts Prove that e 1 and e 2 can be executed safely in their part Now e 1 e 2 can be executed safely in the whole memory Disjointness no sequence point violation 6 / 16

18 Definition of the memory Given a set of permissions P, we define: m mem := index fin (val P) b index := N v val ::= indet int τ n ptr b NULL Integer types: unsigned char, signed int,... 7 / 16

19 Permission systems Actual permissions contains: Locked flag to catch sequence point violations Assignment: lock memory location Sequence point: unlock memory locations A fraction (0, 1] Q to allow sharing Block scope variable or allocated with malloc flag 8 / 16

20 Permission systems Actual permissions contains: Locked flag to catch sequence point violations Assignment: lock memory location Sequence point: unlock memory locations A fraction (0, 1] Q to allow sharing Block scope variable or allocated with malloc flag A permission system P abstracts from these details., \ : P P P, : P P Prop kind : P {Free, Write, Read, Locked} lock, unlock : P P satisfying certain axioms 8 / 16

21 Permission systems Actual permissions contains: Locked flag to catch sequence point violations Assignment: lock memory location Sequence point: unlock memory locations A fraction (0, 1] Q to allow sharing Block scope variable or allocated with malloc flag A permission system P abstracts from these details., \ : P P P, : P P Prop kind : P {Free, Write, Read, Locked} lock, unlock : P P satisfying certain axioms 8 / 16

22 Permission systems Actual permissions contains: Locked flag to catch sequence point violations Assignment: lock memory location Sequence point: unlock memory locations A fraction (0, 1] Q to allow sharing Block scope variable or allocated with malloc flag A permission system P abstracts from these details., \ : P P P, : P P Prop kind : P {Free, Write, Read, Locked} lock, unlock : P P satisfying certain axioms 8 / 16

23 Permission systems Actual permissions contains: Locked flag to catch sequence point violations Assignment: lock memory location Sequence point: unlock memory locations A fraction (0, 1] Q to allow sharing Block scope variable or allocated with malloc flag A permission system P abstracts from these details., \ : P P P, : P P Prop kind : P {Free, Write, Read, Locked} lock, unlock : P P satisfying certain axioms We lift these operations to memories index fin (val P) 8 / 16

24 The language Our language binop ::= == <= + - * / %... e expr ::= x i [v] Ω e 1 := e 2 f ( e) load e alloc free e e 1 e 2 e 1? e 2 : e 3 (τ) e s stmt ::= e skip goto l return e block c s s 1 ; s 2 l : s while(e) s if (e) s 1 else s 2 9 / 16

25 The language Our language binop ::= == <= + - * / %... e expr ::= x i [v] Ω e 1 := e 2 f ( e) load e alloc free e e 1 e 2 e 1? e 2 : e 3 (τ) e s stmt ::= e skip goto l return e block c s s 1 ; s 2 l : s while(e) s if (e) s 1 else s 2 Values [v] Ω carry a set Ω of indexes (memory locations) to be unlocked at the next sequence point 9 / 16

26 Operational semantics Head reduction for expressions (e, m) h (e, m ) (9 rules) 10 / 16

27 Operational semantics Head reduction for expressions (e, m) h (e, m ) (9 rules) On assignments: locked index b added to Ω 1 Ω 2 ([ptr b] Ω1 :=[v] Ω2, m) h ([v] {b} Ω1 Ω 2, lock b (m[b :=v])) On sequence points: Ω unlocked in memory ([v] Ω? e 2 : e 3, m) h (e 2, unlock Ω m) provided / 16

28 Operational semantics Head reduction for expressions (e, m) h (e, m ) (9 rules) On assignments: locked index b added to Ω 1 Ω 2 ([ptr b] Ω1 :=[v] Ω2, m) h ([v] {b} Ω1 Ω 2, lock b (m[b :=v])) On sequence points: Ω unlocked in memory ([v] Ω? e 2 : e 3, m) h (e 2, unlock Ω m) provided... Gives a local treatment of sequence points 10 / 16

29 Operational semantics Head reduction for expressions (e, m) h (e, m ) (9 rules) On assignments: locked index b added to Ω 1 Ω 2 ([ptr b] Ω1 :=[v] Ω2, m) h ([v] {b} Ω1 Ω 2, lock b (m[b :=v])) On sequence points: Ω unlocked in memory ([v] Ω? e 2 : e 3, m) h (e 2, unlock Ω m) provided... Gives a local treatment of sequence points Small step reduction S(k, φ, m) S(k, φ, m ) (k, φ) gives the position in the whole program Uses evaluation contexts to lift head reduction Different φs for expressions, statements, function calls (33 rules) 10 / 16

30 Assertions of separation logic Defined using a shallow embedding: P, Q assert := stack mem Prop Maps variables to indexes in memory 11 / 16

31 Assertions of separation logic Defined using a shallow embedding: P, Q assert := stack mem Prop Maps variables to indexes in memory Some assertions: (P Q) ρ m := m 1 m 2. m = m 1 m 2 m 1 m 2 P ρ m 1 Q ρ m 2 11 / 16

32 Assertions of separation logic Defined using a shallow embedding: Some assertions: P, Q assert := stack mem Prop Maps variables to indexes in memory (P Q) ρ m := m 1 m 2. m = m 1 m 2 m 1 m 2 P ρ m 1 Q ρ m 2 γ (e 1 e2 ) ρ m := b v. [[ e 1 ]] ρ,m = ptr b [[ e 2 ]] ρ,m = v m = {(b, (v, γ))} (with e 1 and e 2 side-effect free) 11 / 16

33 Assertions of separation logic Defined using a shallow embedding: Some assertions: P, Q assert := stack mem Prop Maps variables to indexes in memory (P Q) ρ m := m 1 m 2. m = m 1 m 2 m 1 m 2 P ρ m 1 Q ρ m 2 γ (e 1 e2 ) ρ m := b v. [[ e 1 ]] ρ,m = ptr b [[ e 2 ]] ρ,m = v m = {(b, (v, γ))} (P ) ρ m := P ρ (unlock (locks m)m) (with e 1 and e 2 side-effect free) 11 / 16

34 The Hoare triples Statement judgment ; J; R {P} s {Q} Function conditions Goto/return conditions 12 / 16

35 The Hoare triples Statement judgment ; J; R {P} s {Q} Function conditions Goto/return conditions Q : assert Expression judgment {P} e {Q} Q : val assert In the semantics: if P holds beforehand, then e does not crash Q v holds afterwards when terminating with v with framing memories that can change at each step 12 / 16

36 The axiomatic semantics 24 separation logic proof rules, e.g.: For assignments: Write kind γ {P 1 } e 1 {Q 1 } {P 2 } e 2 {Q 2 } av. ((Q 1 a Q 2 v) ((a γ ) R a v)) {P 1 P 2 } e 1 := e 2 {λv. a. (a lock γ v) R a v} 13 / 16

37 The axiomatic semantics 24 separation logic proof rules, e.g.: For assignments: Write kind γ {P 1 } e 1 {Q 1 } {P 2 } e 2 {Q 2 } av. ((Q 1 a Q 2 v) ((a γ ) R a v)) For dereferencing: {P 1 P 2 } e 1 := e 2 {λv. a. (a lock γ v) R a v} kind γ Locked {P} e {λa. v. Q a v (a γ v)} {P} load e {λv. a. Q a v (a γ v)} 13 / 16

38 The axiomatic semantics 24 separation logic proof rules, e.g.: For assignments: Write kind γ {P 1 } e 1 {Q 1 } {P 2 } e 2 {Q 2 } av. ((Q 1 a Q 2 v) ((a γ ) R a v)) For dereferencing: For the conditional: {P 1 P 2 } e 1 := e 2 {λv. a. (a lock γ v) R a v} kind γ Locked {P} e {λa. v. Q a v (a γ v)} {P} load e {λv. a. Q a v (a γ v)} {P} e 1 {λv. v indet P v } { v. istrue v P v} e 2 {Q}... {P} e 1? e 2 : e 3 {Q} 13 / 16

39 The axiomatic semantics 24 separation logic proof rules, e.g.: For assignments: Write kind γ {P 1 } e 1 {Q 1 } {P 2 } e 2 {Q 2 } av. ((Q 1 a Q 2 v) ((a γ ) R a v)) For dereferencing: For the conditional: {P 1 P 2 } e 1 := e 2 {λv. a. (a lock γ v) R a v} kind γ Locked {P} e {λa. v. Q a v (a γ v)} {P} load e {λv. a. Q a v (a γ v)} {P} e 1 {λv. v indet P v } { v. istrue v P v} e 2 {Q}... {P} e 1? e 2 : e 3 {Q} Common separation logic and more complex rules can be derived 13 / 16

40 Formalization in Coq Based on [Krebbers/Wiedijk, FoSSaCS 13] Extremely useful for debugging Notations close to those on paper Various extensions of the separation logic Uses lots of automation lines of code Lemma ax_load A γ e P Q : perm_kind γ Locked \ A e {{ P }} e {{ λ a, v, Q a v valc a {γ} valc v }} \ A e {{ P }} load e {{ λ v, a, Q a v valc a {γ} valc v }}. 14 / 16

41 Future research Integration with the C type system [Krebbers, CPP 13] Integration with non-aliasing restrictions [Krebbers, CPP 13] Interpreter in Coq Verification condition generator in Coq Automation of separation logic 15 / 16

42 Questions Sources: 16 / 16

An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C

An Operational and Axiomatic Semantics for Non-determinism and Sequence Points in C Robbert Krebbers ICIS, Radboud University Nijmegen, The Netherlands mail@robbertkrebbers.nl Abstract The C11 standard