Post on 14-Jan-2016
description
transcript
An Open Framework for Foundational Proof-Carrying Code
Xinyu FengYale University
Joint work with Zhaozhong Ni (Yale, now at MSR), Zhong Shao (Yale) and
Yu Guo (USTC)
Motivation
How to build fully certified software systems?Source-level code Libraries and runtime+
References with weak upd.Dynamic mem. alloc.
Functions, exceptions, …
Concurrency
I/O
Garbage collectors
malloc() (strong update)
Stacks, code pointers
Context switching & SchedulerDevice drivers
Motivation All concurrency verification
assumes built-in concurrency Assume-Guarantee (A-G) reasoning Concurrent Separation logic (CSL) …
Context switching, scheduler Too low-level to be certified
in these logics
[Yu&Shao, ICFP’04]
H
RC1
pc1
T1
{(A1, G1)}
Cn
pcn
Tn
{(An, Gn)}
i
. . .
H
RC1 Cn
. . .
. . .
CS
pc
ctxt
1
ctxt
n
TQ
Threads & schedulers have never been modularly certified!
Motivation Certify all code in a single type system/program logic?
Hard to combine all features weak vs. strong update, functions/exceptions vs. goto’s, threa
ds vs. thread contexts May not be modular Very complex, hard to use Don’t know how to design such a logic
Certify modules using the most appropriate logic!
Modules do not use all the features at the same time It is simpler to use specialized logic for each module
An Open Framework
Certify different modules using different verification systems!
Proof ofSP
C1
C2
C1L1 k Ck
LkCk
CC1C2
Ck
. . .C2:L2
Challenges Extensibility and openness
not designed for certain specific interoperationsBut can we just use MLFs, e.g. Coq?
Expressiveness type safety, concurrency properties, partial correctness, …
A general and uniform model of control flow Allow functions certified in different systems to call each other the key for modularity: separate verification & proof reuse
Principled interoperation with clear meta-property properties of the whole system composed of modules
Not readily supported in Coq!
Our contributions OCAP: an open framework
Embedding of different systems TAL, non-CPS Hoare-logic, A-G reasoning, …
Open & Extensible Modularity with first-class code pointers [Ni&Shao POPL’06] Soundness
Type safety, & preservation of invariants in foreign systems
Applications TAL + memory allocation libs. Threads + Scheduler
The first time to modularly certify both sides …
Outline
OCAP Framework
Certifying Threads & Schedulers
OCAP Rules
Ln…
OCAP : Overview
OCAPSoundness
Mechanized Meta-Logic (CiC)
Modeling of the machineTCB
Sound
L1
( )L1 ( )LnSound
Mechanized Meta-Logic (CiC)
Modeling of the machine
…C1 Cn
The Machine
I1f1:
I2f2:
I3f3:
…
(code heap) C
0
r1
1 2 …
r2 r3 … rn
(data heap) H
(register file) R
(state) S
addu … lw … sw … … j f
(instr. seq.) I
(program) P::=(C,S,pc)
::=(H,R)::={f I}*
pc
The OCAP Logic : Overview
Hoare-style program logic for assembly
CPS-style reasoning Assign a precondition to each basic block
Similar to TAL [Morrisett et al. POPL’98]
The OCAP Logic : Overview
I1f1:
I2f2:
I3f3:
…
(code heap) C
0
r1
1 2 …
r2 r3 … rn
(data heap) H
(register file) R
(state) S
addu … lw … sw … … j f
(instr. seq.) I
(program) P::=(C,S,pc)
::=(H,R)::={f I}*
pc
a1
a2
a3
(spec) ::= {f a}*
a
OCAP: Code pointers
codeptr(f,a) (f) = a (Spec) ::= {f a}*
acodeptr
Not well-founded!
Support of first-class code pointers:
OCAP: Code Pointers
A generic specification:
(CdSpec) ::= …
(Assert) a Spec State Prop
(Spec) ::= {f }*
() ,S. …
No interoperation between multiple systems…
acodeptr
a
codeptr
()
OCAP: Foreign Languages
(LangTy) L ::= CiC Terms Type
(CodeSpec) ::= CiC Terms L
Inductive TalType : Type :=
T_int : TalType
T_pair: TalType -> TalType-> TalType
…
Inductive Tal2Type : Type :=
T2_int : TalType
T2_pair: TalType -> TalType-> TalType
…
L ::= TalType | Tal2Type | …1 ::= T_int | T_pair 1 1 | … TalType
2 ::= T2_int | T2_pair 2 2 | … Tal2Type
OCAP: Specifications
(OCdSpec) ::= <L,( )L,> L.(L Assert)*L
(Spec) ::= {(f1,1), … (fn,n)}
(Assert) a Spec State Prop
(Interp) ( )L L Assert
(LangTy) L ::= CiC Terms Type
(CodeSpec) ::= CiC Terms L
Not well-founded:
( )L
a
OCAP: Specifications
(OCdSpec) ::= <,L,( )L,>
(Spec) ::= {(f1,1), … (fn,n)}
(Assert) a Spec State Prop
(Interp) ( )L L Assert
(LangTy) L ::= CiC Terms Type(CodeSpec) ::= CiC Terms L
(LangID) ::= n nat
(LangDict) D ::= {1<L1,( )L1>,…, n<Ln,( )Ln>}
LangID (L.L Assert)
( )L
a
Selected OCAP Rules
D1D2; 12┝ C1C2 : 1’2’
D1;1┝ C1:1’ (link)D2;2┝ C2:2’ …
D┝ {a}jr r
,S.a S .(codeptr(S.R(r),)a’) S
(jr)a’ = [[[ ]]]D
codeptr(f,) ,S. (f)=
[[[ ]]]D ,S. ( )L.(D()=<L, ( )L>)(()L S)
= <,L,>
Outline
OCAP Framework
Certifying Threads & Schedulers
Threads and Scheduler
Thread code C1,…,Cn
Certified following CCAP [Yu&Shao, ICFP’04]
Assume-Guarantee reasoning Thread modularity Do not know about thread queue
H
RC1
pc1
T1
{(A1, G1)}
Cn
pcn
Tn
{(An, Gn)}
i
. . .
H
RC1 Cn
. . .
. . .
CS
pc
ctxt
1
ctxt
n
TQ
SCAPCCAP +
Scheduler CS
Certified in SCAP [Feng et al. PLDI’06]
as sequential code Manages thread queue TQ Do not touch H
Scheduler in SCAP
yield:
pick one word (pci) from TQ
swap pci and r31
jr r31
H1 pc
1
pcn…
TQ
r31
r0
H1 pc
1
pcn…
TQ
r31
r0
…
jal yield
ct: …
Thread code:
ct
ct
Scheduler in SCAP
yield: (ps, gs)
pick one word (pci) from TQ
swap pci and r31
jr r31
gs
gs (r{r1,…,r30}.[r]=[r]’) Q, Q’.
p’.
Q{[r31]} = Q’{[r31]’}
WFTQ(Q)*p’WFTQ(Q’)*p’
H1 pc
1
pcn…
TQ
r31
r0
H1 pc
1
pcn…
TQ
r31
r0
ct
ct
ps Q.WFTQ(Q) * True
Embedding SCAP
((p,g))Dscap …
jr $ra
g
p
…
D
Soundness:
scap┝scap C:’scap
(scap)Dscap D Dscap,┝ C:
’’ (’scap)Dsc
ap
Dscap {scap <Lscap, (_)scap> }
Threads: Assume-Guarantee
S
p1 p2
S’
Spec. for threads: (p, A, G)p: State Prop
p’1 p2 ?
A, G: State State Prop
Stability of p:
pi S Ai S S’ pi S’
G1 A2
A1, G1 A2, G2
CCAP embedding
ccap┝ccap Ci:’ccap
Dall {ccap <Lccap, (_)ccap>,
scap <Lscap, (_)scap> }
Dall; cy┝ Ci: ’c
y {yield <scap ,Lscap,(ps, gs)>}
c (ccap) ccap ’c (’ccap) c
cap
((p,A,G))ccap ,S. …
Certify the code
H
RC1 Cn
. . .
. . .
CS
pc
ctxt
1
ctxt
n
TQ
ccap┝ccap Ci:’ccapscap┝scap Cs:’scap
Dall {ccap <Lccap, (_)ccap>,
scap <Lscap, (_)scap> }
Dall; y┝ Cs: ’y Dall; cy┝ Ci: ’c
SCAPCCAP
the “link” rule
Dall; cy┝ Ci Cs : ’c ’y
Summary It is simpler and natural to certify different module
s using different logics OCAP: framework for interoperation Embedding
TAL: type system SCAP: non-cps logic for assembly CCAP: Assume-guarantee reasoning
Interoperation TAL + newpair Threads + Scheduler TAL + GC (ongoing work by Lin, McCreight, et al.)
Future work
Explore the applicability of OCAP
Interoperation of different languages Currently just for assembly language
But logics are at different levels (TAL, CCAP, …)
May support C + inlined assembly
Thank you!