A Specification for Memory Operations on Structured Data
Presented by: David Bergvelt
University of Illinois
Friday 6 May 2016

Outline: Background, Memspec Paper, The New Specification, Next Steps
Overview

Long-term Goals
- Expand the specification of LLVM semantics in Isabelle to include operations on structured data, e.g. getelementptr. MiniLLVM only supports int and pointer types.
- Use the expanded specification to prove correctness of transformations on programs that use structured data.

Current Goals
- Define an abstract specification for sequential memory models that gives semantics for operations on structured data. "Abstract" so as to allow us to reason about memory without constraining ourselves to a particular implementation.
- Prove that the axiomatic specification for sequential memory models defined by Mansky et al. is a specific instance of our specification.
Memspec

"An Axiomatic Specification for Sequential Memory Models" by Mansky, Garbuzov, and Zdancewic
- "Most" operational memory models that support the operations read, write, alloc, and free are instances of this specification.
- It provides guarantees about the behavior of programs that use these operations and are consistent with a memory model that is an instance of this specification.
Memspec
Specification
- A set L of distinct locations and a set V of values.
- A single location stores a single value.
- Each memory operation targets exactly one location.
- An operation that modifies one location must not have an effect on any other.
- For some ℓ ∈ L and some v ∈ V, define memory operations as:
  access = read(ℓ, v) | write(ℓ, v) | alloc(ℓ) | free(ℓ)
- Define a predicate can_do on a sequence of memory operations m and a single operation op. This predicate describes an operational memory model and holds if op is a valid operation to follow m, according to a set of axioms.
- If can_do holds at each step in the sequence of memory operations performed by a program, we say the program is consistent with the memory model.
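As an added example (not code from the slides or from the Mansky et al. paper), the following Python models one concrete instance of the specification above: locations and values are integers, the four accesses are the constructors of an access datatype, can_do replays the history of the single location an operation targets, and consistent folds can_do over a whole trace. The particular axioms (alloc only of an unallocated location, free and write only of an allocated one, and a read that must return the last value written since the allocation, which is the restrictive "can't read" flavour) and the sample traces are this example's own choices.

```python
"""Executable instance of a sequential memory model in the style of the
Memspec slide: an access datatype, a history, and a can_do predicate.
Example code; the axioms chosen here are an assumption, not the paper's."""
from dataclasses import dataclass
from typing import Optional, Sequence, Union

# Assumption of this example: locations L and values V are both ints.
Loc = int
Val = int


@dataclass(frozen=True)
class Read:
    loc: Loc
    val: Val


@dataclass(frozen=True)
class Write:
    loc: Loc
    val: Val


@dataclass(frozen=True)
class Alloc:
    loc: Loc


@dataclass(frozen=True)
class Free:
    loc: Loc


# access = read(l, v) | write(l, v) | alloc(l) | free(l)
Access = Union[Read, Write, Alloc, Free]


def _state_of(history: Sequence[Access], loc: Loc):
    """Replay the history for one location: (allocated?, last value written
    since the allocation). Accesses to other locations are skipped, which is
    how 'an operation on one location has no effect on others' is realised."""
    allocated = False
    last: Optional[Val] = None
    for op in history:
        if op.loc != loc:
            continue
        if isinstance(op, Alloc):
            allocated, last = True, None
        elif isinstance(op, Free):
            allocated, last = False, None
        elif isinstance(op, Write):
            last = op.val
    return allocated, last


def can_do(history: Sequence[Access], op: Access) -> bool:
    """Does op validly follow history under this example's axioms?
    alloc(l): l not currently allocated; free(l), write(l, v): l allocated;
    read(l, v): l allocated and v equals the last value written since alloc."""
    allocated, last = _state_of(history, op.loc)
    if isinstance(op, Alloc):
        return not allocated
    if isinstance(op, (Free, Write)):
        return allocated
    if isinstance(op, Read):
        return allocated and last is not None and op.val == last
    raise TypeError(f"unknown access {op!r}")


def consistent(trace: Sequence[Access]) -> Optional[int]:
    """None if can_do holds at every step of the trace, otherwise the index
    of the first access the model rejects."""
    for i, op in enumerate(trace):
        if not can_do(trace[:i], op):
            return i
    return None


def unaffected_by_other_location(history, op, other) -> bool:
    """Locality check for one case: appending an access to a different
    location must not change whether op is allowed."""
    assert other.loc != op.loc
    return can_do(history, op) == can_do(list(history) + [other], op)


# Constructed sample traces (not taken from the paper or the slides).
GOOD = [Alloc(1), Write(1, 7), Alloc(2), Write(2, 9), Read(1, 7), Free(1), Read(2, 9)]
USE_AFTER_FREE = [Alloc(1), Write(1, 7), Free(1), Read(1, 7)]
DOUBLE_FREE = [Alloc(1), Free(1), Free(1)]
STALE_READ = [Alloc(1), Write(1, 7), Write(1, 8), Read(1, 7)]

if __name__ == "__main__":
    for name, tr in [("good", GOOD), ("use-after-free", USE_AFTER_FREE),
                     ("double free", DOUBLE_FREE), ("stale read", STALE_READ)]:
        print(f"{name}: first rejected access = {consistent(tr)}")
```

The security-relevant reading is that the memory errors a pentester looks for are exactly failures of can_do: the use-after-free and double-free traces are rejected at the offending access, so a program proven consistent with the model cannot perform them. Because _state_of ignores every access to other locations, the locality requirement holds by construction in this instance; unaffected_by_other_location checks it for a single case rather than proving it.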
The New Specification

If we want to create a specification for memory models describing operations on structured data, how should it differ from the one given by Mansky et al.?

Things to change
- Need an ordering on locations.
- Support for types of different sizes would be nice.
- Less restrictive axioms ("can't read", specifically).
- Need to define a way to reason about the "geography" of memory containing structured data.
- Define rules for what constitutes a valid memory.
- Finally, we should be able to make guarantees about the behavior of programs that have valid memories (according to our specification) at each step of execution.
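As an added example of the "geography" points above (not code from the slides, and not LLVM's own getelementptr implementation), the following Python gives locations an ordering as (block, byte offset) pairs, assigns sizes to int, pointer, array and struct types, computes the location that a getelementptr-style index list reaches, and states two candidate validity rules: an access must lie within its block, and two accesses are independent only if their byte ranges do not overlap. The layout is packed with 64-bit pointers, an assumption that ignores the alignment padding a real data layout would insert; the struct and index lists are constructed for the example.

```python
"""Layout model for structured data: ordered locations, sized types, a
getelementptr-style offset computation, and bounds/overlap rules.
Example code with a packed layout and 8-byte pointers (assumptions)."""
from dataclasses import dataclass
from typing import Sequence, Tuple, Union


@dataclass(frozen=True)
class Int:
    bits: int

    def size(self) -> int:
        return self.bits // 8


@dataclass(frozen=True)
class Ptr:
    def size(self) -> int:
        return 8  # assumption: 64-bit pointers


@dataclass(frozen=True)
class Array:
    elem: "Ty"
    count: int

    def size(self) -> int:
        return self.elem.size() * self.count


@dataclass(frozen=True)
class Struct:
    fields: Tuple["Ty", ...]

    def size(self) -> int:  # packed: no padding between fields
        return sum(f.size() for f in self.fields)


Ty = Union[Int, Ptr, Array, Struct]

# A location is (block id, byte offset). Tuple comparison orders locations
# within a block by offset, which is the ordering the slide asks for.
Loc = Tuple[int, int]


def gep(base: Loc, ty: Ty, indices: Sequence[int]) -> Tuple[Loc, Ty]:
    """Location and type reached by an LLVM-style getelementptr.
    The first index steps over whole objects of type ty (pointer
    arithmetic); each later index steps into the current aggregate."""
    block, off = base
    off += indices[0] * ty.size()
    cur: Ty = ty
    for idx in indices[1:]:
        if isinstance(cur, Struct):
            if not 0 <= idx < len(cur.fields):
                raise IndexError("struct field index out of range")
            off += sum(f.size() for f in cur.fields[:idx])
            cur = cur.fields[idx]
        elif isinstance(cur, Array):
            off += idx * cur.elem.size()  # deliberately unchecked, as in LLVM
            cur = cur.elem
        else:
            raise TypeError("cannot index into a scalar")
    return (block, off), cur


def in_bounds(alloc_size: int, loc: Loc, ty: Ty) -> bool:
    """Validity rule 1: an access of type ty at loc lies inside its block."""
    return 0 <= loc[1] and loc[1] + ty.size() <= alloc_size


def overlap(a: Loc, ta: Ty, b: Loc, tb: Ty) -> bool:
    """Validity rule 2: accesses in the same block are independent only if
    their byte ranges do not intersect."""
    if a[0] != b[0]:
        return False
    return a[1] < b[1] + tb.size() and b[1] < a[1] + ta.size()


# Constructed example: struct S { i32 x; i8 buf[4]; i64* p; } in block 0.
S = Struct((Int(32), Array(Int(8), 4), Ptr()))
BASE: Loc = (0, 0)
ALLOC_SIZE = S.size()  # one S, 16 bytes under the packed assumption

if __name__ == "__main__":
    p_loc, p_ty = gep(BASE, S, [0, 2])        # &s.p
    past, past_ty = gep(BASE, S, [0, 1, 4])   # &s.buf[4], one past the end
    print("field p at", p_loc, "type", p_ty)
    print("buf[4] at", past, "in block:", in_bounds(ALLOC_SIZE, past, past_ty),
          "overlaps p:", overlap(past, past_ty, p_loc, p_ty))
```

The last case is what the ordering and the sizes buy you: an index one past the end of the 4-byte array lands at offset 8, still inside the 16-byte allocation, so a bounds rule stated per allocation accepts it while the overlap rule shows it aliases the pointer field. A specification that knows only unordered, single-size locations cannot express that distinction, which is the difference between an intra-object overflow and a valid access.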
Next Steps
- Get the memory access datatype working.
- Define axioms for a can_do predicate to describe how the memory operations we have defined are used in a valid program.
- Prove that the Mansky et al. specification is an instance of our specification.