A machine-checked formalization of concrete object layout for C++ multiple inheritance

Posted on 23-Apr-2020


Page 1: A machine-checked formalization of concrete object layout for C++ … gallium.inria.fr/~tramanan/cpp/object-layout/2010tamu.pdf · 2010-11-19

A machine-checked formalization of concrete object layout for C++ multiple inheritance
Tahina Ramananandro, Xavier Leroy
Gallium Team-project, INRIA Paris-Rocquencourt
February 17th, 2010

Photo courtesy of François Pottier

Motivation
Many formal methods and tools exist to make program analysis easier for object-oriented languages (JML, Jahob, Krakatoa, Spec♯, ...). But:
◮ most are based upon Java/C♯, which only allow single inheritance and interfaces
◮ all are restricted to the source-code level

Motivation
◮ Our goal: link a formal presentation of multiple inheritance with an actual, realistic low-level implementation
◮ Our case study: C++ multiple inheritance
  ◮ combines two different schemes of multiple inheritance
  ◮ must take care of performance
  ◮ widely used... but often avoided for safety-critical software because of perceived complexity
◮ Our companion: the Coq proof assistant!
  ◮ a language and software to write mathematical specifications and mechanically prove theorems about those specifications. (Other examples are ACL2, Isabelle/HOL, etc.)
  ◮ Proofs are not automatic, but interactive, and the prover rechecks the proof input by the user.
  ◮ Coq also allows extracting trustworthy programs from proofs.

Outline
A brief overview of C++ multiple inheritance
A concrete implementation
Results
Conclusion and perspectives

Single inheritance
[Figure: single-inheritance class tree: PluggedDevice (plug) at the root, Component (switch) below it, Clock (time) and Radio (volume) each deriving from Component]
struct PluggedDevice { int plug; };
struct Component : PluggedDevice { int switch; };
struct Clock : Component { int time; };
struct Radio : Component { int volume; };
Ramananandro & Leroy, Concrete object layout for C++ multiple inheritance in Coq

Two kinds of multiple inheritance
[Figure: Alarm (alarmTime) derives from Clock (time), Radio (volume) and Component (switch); Clock and Radio each derive from their own Component (switch); every Component derives virtually from one shared PluggedDevice (plug)]
struct PluggedDevice { int plug; };
struct Component : virtual PluggedDevice { int switch; };
struct Clock : Component { int time; };
struct Radio : Component { int volume; };
struct Alarm : Clock, Radio, Component { int alarmTime; };

The algebra of subobjects
[Figure: the same Alarm class hierarchy as on the previous slide]
◮ Previous works:
  ◮ Rossie & Friedman (OOPSLA'95)
  ◮ Wasserrab, Nipkow et al. (OOPSLA'06)
◮ Path from the full class or a virtual base, to the dynamic type of the pointer, only through non-virtual inheritance.
◮ If D derives from B, then every virtual base of D is a virtual base of B.

The algebra of subobjects
[Figure: the same Alarm class hierarchy as on the previous slide]
◮ From Alarm to Component:
  ◮ Alarm :: Clock :: Component :: nil
  ◮ Alarm :: Radio :: Component :: nil
  ◮ Alarm :: Component :: nil
◮ From Alarm to PluggedDevice:
  ◮ PluggedDevice :: nil

Formalization: abstract object representation
Inductive value : Set :=
| ...
| Ref (heapBlockID * list ident)
| ...
Record object : Set := makeObject {
  class : ident;
  fields : list (list ident * FieldSignature.t * value)
}.
Variable heap : heapBlockID -> option object.

Abstract object representation: field access and cast
C++:
  Alarm *alarm = ...;
  Radio *radio = static_cast<Radio *>(alarm);
  int i = radio->volume;
Abstract representation:
  Let alarm := Ref (someBlockID, classAlarm :: nil).
  Let radio := Ref (someBlockID, classAlarm :: classRadio :: nil).
  Let i := List.assoc (classAlarm :: classRadio :: nil, fieldVolume) (heap someBlockID).fields.
C++:
  PluggedDevice *pda = static_cast<PluggedDevice *>(alarm);
  PluggedDevice *pdr = static_cast<PluggedDevice *>(radio);
Abstract representation:
  Let pda := Ref (someBlockID, classPluggedDevice :: nil).
  Let pdr := Ref (someBlockID, classPluggedDevice :: nil).
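As an added example (not the authors' code), the following C++ probes the concrete layout a real compiler produces for the hierarchy of slides 9 to 11 and the casts of slide 15: the Clock and Radio paths reach distinct Component subobjects, the virtual PluggedDevice is shared, and every field occupies its own byte range. Two assumptions of this example: the field switch is renamed switch_ (switch is a C++ keyword), and Alarm's direct Component base is dropped because a base that is both direct and indirect is inaccessible in ISO C++.

```cpp
#include <cstddef>
#include <vector>

// Hierarchy from the slides, with two changes (assumptions of this example):
// 'switch' is a C++ keyword, so the field is named switch_ here, and the
// direct Component base of Alarm is omitted, because a base that is both
// direct and indirect is inaccessible in ISO C++ and cannot be cast to.
struct PluggedDevice { int plug; };
struct Component : virtual PluggedDevice { int switch_; };
struct Clock : Component { int time; };
struct Radio : Component { int volume; };
struct Alarm : Clock, Radio { int alarmTime; };

// Byte offset of a subobject or field inside the complete object: the
// concrete counterpart of the slides' virtual_offset / field_offset.
static std::ptrdiff_t off(const void* whole, const void* part) {
    return static_cast<const char*>(part) - static_cast<const char*>(whole);
}

// Offsets reached through the subobject paths of slide 11.
struct Paths {
    std::ptrdiff_t clock_component;    // Alarm :: Clock :: Component :: nil
    std::ptrdiff_t radio_component;    // Alarm :: Radio :: Component :: nil
    std::ptrdiff_t plugged_via_clock;  // PluggedDevice :: nil, reached via Clock
    std::ptrdiff_t plugged_via_radio;  // PluggedDevice :: nil, reached via Radio
};

Paths subobject_offsets(const Alarm& a) {
    const Clock* c = &a;           // static upcast: pointer arithmetic only
    const Radio* r = &a;
    const Component* cc = c;       // repeated (non-virtual) base, one per path
    const Component* rc = r;
    const PluggedDevice* pc = cc;  // virtual base: located through the vtable
    const PluggedDevice* pr = rc;
    return { off(&a, cc), off(&a, rc), off(&a, pc), off(&a, pr) };
}

// Every field of every subobject occupies its own [offset, offset+size) range;
// this is the concrete content of the fields_do_not_overlap theorem.
bool fields_do_not_overlap(const Alarm& a) {
    const Clock* c = &a;
    const Radio* r = &a;
    std::vector<std::ptrdiff_t> lo = {
        off(&a, &c->switch_), off(&a, &r->switch_), off(&a, &c->time),
        off(&a, &r->volume), off(&a, &a.alarmTime), off(&a, &c->plug) };
    const std::ptrdiff_t sz = sizeof(int);
    for (std::size_t i = 0; i < lo.size(); ++i)
        for (std::size_t j = i + 1; j < lo.size(); ++j)
            if (!(lo[i] + sz <= lo[j] || lo[j] + sz <= lo[i])) return false;
    return true;
}

// Writing through one path must not change a field on another path, and the
// shared virtual base must be the same subobject whichever path reaches it.
bool writes_stay_in_their_subobject() {
    Alarm a{};
    Clock* c = &a;
    Radio* r = &a;
    c->switch_ = 1;
    r->switch_ = 2;
    c->plug = 7;  // the unique PluggedDevice subobject
    return c->switch_ == 1 && r->switch_ == 2 && r->plug == 7 && a.plug == 7;
}
```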

Outline (next section): A concrete implementation

Our goal
◮ Choose a concrete implementation for object layout
◮ Formalize it in Coq using the CompCert memory model
◮ Formalize a compilation of elementary object operations (field access, cast, method call) to this concrete implementation
◮ Show that this compilation is sound wrt. the abstract object representation and high-level semantics

What is CompCert?
Leroy et al., since 2005
◮ A verified compiler from C to PowerPC
◮ Compiler proved in Coq and obtained by extraction
Theorem (Semantics preservation)
If P_C is a C program and if the compiler produces an assembly code P_PPC, then any possible behavior of P_C is also a possible behavior of P_PPC.

Hypotheses induced by CompCert
◮ A memory model common to all intermediate languages
◮ Calling conventions for procedures in intermediate languages
◮ PowerPC target: 32-bit machine integers and pointer offsets

The CompCert memory model
Leroy and Blazy (2008)
◮ Memory is a collection of blocks
◮ Each block is an array of byte cells
◮ A value can span several byte cells
◮ A pointer: block ID and offset within this block
[Figure: numbered blocks, each an array of byte cells indexed by offset 0, 1, 2, ...; values such as Vint32 and Vfloat64 span several consecutive cells]

Definition load : chunk -> mem -> CompCert.blockID -> Z -> option CompCert.val := ...
Definition store : chunk -> mem -> CompCert.blockID -> Z -> CompCert.val -> option mem := ...
Definition chunk_size : chunk -> Z := ...
Theorem load_store_other :
  forall m chunk1 block1 offset1 val m',
  store chunk1 m block1 offset1 val = Some m' ->
  forall chunk2 block2 offset2,
  block1 <> block2 \/
  offset1 + chunk_size chunk1 <= offset2 \/
  offset2 + chunk_size chunk2 <= offset1 ->
  load m' chunk2 block2 offset2 = load m chunk2 block2 offset2

A concrete implementation
[Figure: layout scheme, one cell = 4 bytes]
◮ Own fields (no inheritance): int/ptr field, float field, int/ptr field, laid out one after another
◮ Repeated inheritance: base class 1, then base class 2, then the own fields
◮ Virtual inheritance: the fields for non-virtual inheritance, then virtual base 1, then virtual base 2 (only the non-virtual inheritance fields for each virtual base)

A concrete implementation: example
[Figure: concrete layout of an Alarm object. The non-virtual part holds, in order, the Alarm::Clock subobject (its Component: vtable pointer and own field switch; then Clock's own field time), the Alarm::Radio subobject (its Component: vtable pointer and switch; then Radio's own field volume), the Alarm::Component subobject (vtable pointer and switch) and Alarm's own field alarmTime; the shared virtual base PluggedDevice (non-virtual fields only: plug) is placed last.]

Methodology
◮ We axiomatize expected properties about object field offsets (which are easily decidable).
◮ The actual offsets are expected to be computed by an external oracle.
◮ The output of the oracle may be checked by a formally verified validator.
◮ The expected properties may leave flexibility wrt. alignment and padding, or allow the oracle to use a particular strategy.

Own class fields
Variable own_offsets : ident -> FieldSignature.t -> Z.
Hypothesis own_offsets_dont_overlap :
  forall class f1 f2,
  f1 <> f2 ->
  own_offsets class f1 + size f1 <= own_offsets class f2 \/
  own_offsets class f2 + size f2 <= own_offsets class f1.
Variable bound : ident -> Z.
Hypothesis own_offsets_le_bound :
  forall class f,
  own_offsets class f + size f <= bound class.

Repeated inheritance
◮ As we already know for each class a bound on the size of its own fields (without inheritance), all that remains is to assign an offset to each immediate non-virtual base class of the class.
◮ This step reserves extra space for the pointer to the virtual table.
◮ Optimization: no extra space is reserved for the vtable pointer of the first non-virtual immediate base class ("primary base").

Repeated inheritance
[Figure: repeated-inheritance layout with its offset constraints: base class 1 at offset 0 (the primary base), base class 2 at an offset ≥ offset of b1 + total non-virtual size of b1, then the own fields start (≥ 4 bytes past the bases, leaving room for a vtable pointer), up to the total non-virtual size of the class]

Field offset for non-virtual inheritance
Fixpoint non_virtual_offset (path : list ident) : Z :=
  match path with
  | nil => 0
  | _ :: nil => 0
  | a :: b :: q => offset_of_in b a + non_virtual_offset (b :: q)
  end.

Virtual inheritance
◮ If D inherits from B, then every virtual base of B is a virtual base of D.
◮ So it is wise to treat virtual inheritance only when the non-virtual inheritance tree is entirely treated.
◮ For each class D, the oracle is expected to give an offset (relative to D) of every virtual base of D.
[Figure: virtual-inheritance layout: the fields for non-virtual inheritance, then virtual base 1, then virtual base 2 (only the non-virtual inheritance fields for each virtual base)]

Virtual offset and field offset
Definition virtual_offset (cl : ident) (p : list ident) : Z :=
  virtual_offset_of_in (first p) cl + non_virtual_offset p.
Definition field_offset (cl : ident) (p : list ident) (f : FieldSignature.t) : Z :=
  virtual_offset cl p + own_fields_start (last p) + own_field_offset (last p) f.
A class is never a virtual base of itself, but its offset relative to itself is considered to be 0, so as to treat non-virtual inheritance.

Compilation of field access
A concrete state holds a concrete memory along with a correspondence between an abstract heap block (abstract object slot) and an offset within the concrete heap block in the concrete memory.
Record state : Set := make_state {
  heap_block : CompCert.blockID;
  m : mem;
  block_matching : heapBlockID -> Z   (* offset of the abstract block within heap_block *)
}.

Compilation of field access
Definition access_field (objRef : heapBlockID) (path : list ident) (f : FieldSignature.t)
    (abstract_heap : heapBlockID -> option object) (s : state) : option CompCert.val :=
  match abstract_heap objRef with
  | Some object =>
      load (sizeof f) s.m s.heap_block (s.block_matching objRef + field_offset object.class path f)
  | None => None
  end.

Outline (next section): Results

Matching values
Inductive match_values (abstract_heap : heapBlockID -> option object) (s : state) : value -> CompCert.val -> Prop :=
| ...
| match_value_ref : forall objRef object path offset,
    abstract_heap objRef = Some object ->
    offset = MachineInteger.repr (s.block_matching objRef + virtual_offset object.class path) ->
    match_values abstract_heap s (Ref objRef path) (Vptr s.heap_block offset)
| ...

Soundness of field access
Theorem
The following invariant:
  forall abstract_heap objRef object,
  abstract_heap objRef = Some object ->
  forall path field absval,
  List.assoc (path, field) object.fields = Some absval ->
  forall state, exists conval,
  access_field objRef path field abstract_heap state = Some conval
  /\ match_values abstract_heap state absval conval.
holds when a field is modified.

Good fields property
The most technical lemma.
Theorem fields_do_not_overlap :
  forall cl : ident,
  forall p1 p2 : list ident,
  forall f1 f2 : FieldSignature.t,
  (p1, f1) <> (p2, f2) ->
  field_offset cl p1 f1 + size f1 <= field_offset cl p2 f2
  \/ field_offset cl p2 f2 + size f2 <= field_offset cl p1 f1.

Proof sketch
◮ fields_do_not_overlap is proved step by step: first consider two fields of the same class (trivial), then two fields in the non-virtual inheritance tree, then two fields in the whole inheritance tree.
◮ Additional bounding properties about field offsets are necessary to convert Z integers into machine integers.
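The following is an added example, not the authors' Coq development: it re-expresses non_virtual_offset, virtual_offset and field_offset (slides 30 and 32) over a constructed oracle table for the Alarm hierarchy, enumerates the subobject paths of slide 11, and runs the fields_do_not_overlap property of slide 39 as the validator of slide 25 would, including on a faulty oracle it must reject. The oracle numbers (4-byte ints and vtable pointers, Radio at 12, the direct Component base at 24, PluggedDevice at 36) are assumptions of this example.

```cpp
#include <cstddef>
#include <map>
#include <set>
#include <string>
#include <vector>

using Path = std::vector<std::string>;  // derived class first, base last (slide 11)
struct ClassInfo {
    std::vector<std::string> nv_bases;            // immediate non-virtual bases
    std::vector<std::string> v_bases;             // immediate virtual bases
    std::map<std::string, int> own_field_offset;  // field -> offset in own area
    std::map<std::string, int> field_size;
    int own_fields_start;                         // own area starts after bases/vptr
};

struct Layout {
    std::map<std::string, ClassInfo> cls;
    // Oracle output: offset_of_in[derived][base] for immediate non-virtual bases,
    // virtual_offset_of_in[cl][vbase] for virtual bases (a class is at 0 in itself).
    std::map<std::string, std::map<std::string, int>> offset_of_in;
    std::map<std::string, std::map<std::string, int>> virtual_offset_of_in;
    // Slide 30: sum of immediate-base offsets along a non-virtual path.
    int non_virtual_offset(const Path& p, std::size_t i = 0) const {
        if (i + 1 >= p.size()) return 0;
        return offset_of_in.at(p[i]).at(p[i + 1]) + non_virtual_offset(p, i + 1);
    }
    // Slide 32: offset of the virtual base the path starts from, then the path.
    int virtual_offset(const std::string& cl, const Path& p) const {
        int v = p.front() == cl ? 0 : virtual_offset_of_in.at(cl).at(p.front());
        return v + non_virtual_offset(p);
    }
    int field_offset(const std::string& cl, const Path& p, const std::string& f) const {
        const ClassInfo& last = cls.at(p.back());
        return virtual_offset(cl, p) + last.own_fields_start + last.own_field_offset.at(f);
    }
    // All non-virtual paths starting at 'from' (the subobject algebra of slide 10).
    void nv_paths(const std::string& from, Path prefix, std::vector<Path>& out) const {
        prefix.push_back(from);
        out.push_back(prefix);
        for (const std::string& b : cls.at(from).nv_bases) nv_paths(b, prefix, out);
    }
    void virtual_bases(const std::string& c, std::set<std::string>& acc) const {
        for (const std::string& v : cls.at(c).v_bases) { acc.insert(v); virtual_bases(v, acc); }
        for (const std::string& b : cls.at(c).nv_bases) virtual_bases(b, acc);
    }
    std::vector<Path> subobject_paths(const std::string& cl) const {
        std::vector<Path> out;
        std::set<std::string> vb;
        nv_paths(cl, {}, out);
        virtual_bases(cl, vb);
        for (const std::string& v : vb) nv_paths(v, {}, out);  // each virtual base once
        return out;
    }
    // Slide 39 as a decision procedure over every (path, field) pair of cl.
    bool fields_do_not_overlap(const std::string& cl) const {
        std::vector<std::pair<int, int>> r;  // [lo, hi) byte ranges
        for (const Path& p : subobject_paths(cl))
            for (const auto& fs : cls.at(p.back()).field_size) {
                int lo = field_offset(cl, p, fs.first);
                r.push_back({lo, lo + fs.second});
            }
        for (std::size_t i = 0; i < r.size(); ++i)
            for (std::size_t j = i + 1; j < r.size(); ++j)
                if (!(r[i].second <= r[j].first || r[j].second <= r[i].first)) return false;
        return true;
    }
};

// Constructed oracle output (assumed, 4-byte ints and vtable pointers): Clock is
// Alarm's primary base at 0, Radio at 12, Component at 24, own fields from 32, PluggedDevice at 36.
Layout make_alarm_layout() {
    Layout L;
    L.cls["PluggedDevice"] = {{}, {}, {{"plug", 0}}, {{"plug", 4}}, 0};
    L.cls["Component"] = {{}, {"PluggedDevice"}, {{"switch", 0}}, {{"switch", 4}}, 4};
    L.cls["Clock"] = {{"Component"}, {}, {{"time", 0}}, {{"time", 4}}, 8};
    L.cls["Radio"] = {{"Component"}, {}, {{"volume", 0}}, {{"volume", 4}}, 8};
    L.cls["Alarm"] = {{"Clock", "Radio", "Component"}, {}, {{"alarmTime", 0}}, {{"alarmTime", 4}}, 32};
    L.offset_of_in = {{"Clock", {{"Component", 0}}}, {"Radio", {{"Component", 0}}},
                      {"Alarm", {{"Clock", 0}, {"Radio", 12}, {"Component", 24}}}};
    L.virtual_offset_of_in = {{"Alarm", {{"PluggedDevice", 36}}}};
    return L;
}

// A faulty oracle: Radio moved to offset 4 puts Alarm::Radio::Component's switch at
// bytes [8,12), on top of Alarm::Clock's time field; the validator must reject it.
bool validator_rejects_overlap() {
    Layout bad = make_alarm_layout();
    bad.offset_of_in["Alarm"]["Radio"] = 4;
    return !bad.fields_do_not_overlap("Alarm");
}
```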

Vtable pointers
In the same way, we show:
Theorem
Field modification does not change pointers to virtual tables.

Casts
◮ Static casts without virtual inheritance: OK (arithmetic).
◮ Upcasts with virtual inheritance need additional hypotheses on virtual tables.

Dynamic method dispatch
◮ Dynamic dispatch needs hypotheses on virtual tables.
◮ Thunks are currently not supported: CompCert and its intermediate languages seem to model no convenient way of optimizing them (e.g. functions with multiple entry points).
◮ The this-pointer adjustment offset is assumed to be present along with the method pointer in the virtual table. Under such hypotheses, OK. However, it is costly (an additional memory access is needed at each method call, even though constant-time).

Outline (next section): Conclusion and perspectives

What has been done
◮ Our choice of concrete object layout is realistic insofar as it takes constant-time field access and static casts into account.
◮ Our choice of object layout is sound wrt. field access (read/write).
◮ All static casts are sound without virtual inheritance.

What still remains to do
◮ Optimization of virtual method calls: maybe use of an optimized "tail call"?
◮ Object construction and destruction (virtual tables are not the same during construction as during the "normal" life of the object)
◮ Dynamic cast: either use a switch, or formalize RTTI

Our work, a first step towards...
◮ A verified compiler based on CompCert (work in progress, from a subset of C++ to the RTL intermediate language, an assembly-like language with an unbounded number of registers).
◮ Formal verification of real-world Application Binary Interfaces (ABI)

Thank you!
In Texas there are lots of fields...