1 / 22

Separation and Information Hiding

Separation and Information Hiding. Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul National University). Modularity. Module. procedure 1. Without modularity, formal reasoning is doomed.

keenan
Download Presentation

Separation and Information Hiding

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul National University)

  2. Modularity Module procedure1 • Without modularity, formal reasoning is doomed. • Pointers can breach module boundaries. • Rule out naughty pointers? Too debilitating. • Separation logic: flexible protection of module internals. …. x proceduren

  3. Proper Proof Rule for a Module • Hoare (72) gave a proof rule for a module. • The internal state is hidden from a client. • Scoping restrictions protect internal resource from outside interference. • But, with pointers, this proof rule is not sound. • Our goal is to find a proof rule for a module such that • it works even with pointers, and • it hides the internals from a client.

  4. Separation Logic by Examples • Atomic assertions: emp, (1  0), (1  -) • Separating conjunctionp*q: (x  -)*(y  -) • Tight interpretation of Hoare triples: {emp}[x]:=0{true} --- Invalid {x  -}[x]:=0{true} --- Valid

  5. Toy Memory Manager Memory_Manager allocx global variablex f nil freex

  6. Toy Memory Manager Memory_Manager allocx global variablex f nil freex

  7. Implementations • Implementations: allocx = if (f=nil) then x:=new() else x:=f; f:=[f] freex = [x]:=f; f:=x • Specifications: {emp*list(f)} allocx {(x-)*list(f)} {(x-)*list(f)} freex {emp*list(f)} Memory_Manager allocx f nil freex

  8. Implementations • Implementations: allocx = if (f=nil) then x:=new() else x:=f; f:=[f] freex = [x]:=f; f:=x • Specifications: {emp*list(f)} allocx {(x-)*list(f)} {(x-)*list(f)} freex {emp*list(f)} • Resource Invariant: list(f) Memory_Manager allocx f nil freex

  9. Client-side Reasoning allocx; [x] := y; freex; Memory_Manager allocx f nil freex

  10. Client-side Reasoning {emp * list(f)} allocx; {(x  -) * list(f)} [x] := y; {(x  y) * list(f)} freex; {emp * list(f)} Memory_Manager allocx f nil freex

  11. Client-side Reasoning {emp} allocx; {(x  -)} [x] := y; {(x  y)} freex; {emp} Memory_Manager allocx f nil freex

  12. Client-side Reasoning {emp} allocx; {(x  -)} [x] := y; {(x  y)} freex; {emp} [x] := x • list(f)is not preserved. Memory_Manager allocx f nil freex x

  13. Towards Good Client-side Reasoning • Confinement: • Prevents a client from pointing to the internals of a module. • Doesn’t work for the memory manager. • Our approach: • Well-specified programs mind their own business. • Consequently, they don’t interfere with the module internals. • Much more general.

  14. Our Solution Modular Procedure Call `{emp*list(f)}C1{(x  -)*list(f)} `{(x  -)*list(f)}C2{emp*list(f)} {emp}allocx{x  -},{x  -}freex{emp}`{p}C{q} `{p*list(f)}let allocx=C1,freex=C2 in C{q*list(f)}

  15. Our Solution Modular Procedure Call `{emp*list(f)}C1{(x  -)*list(f)} `{(x  -)*list(f)}C2{emp*list(f)} {emp}allocx{x  -},{x  -}freex{emp}`{p}C{q} `{p*list(f)}let allocx=C1,freex=C2 in C{q*list(f)} `{emp*list(f)}C1{(x  -)*list(f)} `{(x  -)*list(f)}C2{emp*list(f)}

  16. Our Solution Modular Procedure Call `{emp*list(f)}C1{(x  -)*list(f)} `{(x  -)*list(f)}C2{emp*list(f)} {emp}allocx{x  -},{x  -}freex{emp}`{p}C{q} `{p*list(f)}let allocx=C1,freex=C2 in C{q*list(f)} • The internal list is absent in client-side reasoning. {emp}allocx{x  -},{x  -}freex{emp}`{p}C{q}

  17. Our Solution Modular Procedure Call `{emp*slist(f)}C1{(x  -)*slist(f)} `{(x  -)*slist(f)}C2{emp*slist(f)} {emp}allocx{x  -},{x  -}freex{emp}`{p}C{q} `{p*slist(f)}let allocx=C1,freex=C2 in C{q*slist(f)} • The internal list is absent in client-side reasoning. • So, the same proof for the client works for different implementations. {emp}allocx{x  -},{x  -}freex{emp}`{p}C{q}

  18. Protection from Outside Interference • Tie a cycle in the free list. allocx; freex; [x] := x • Failed proof attempt: {emp} allocx; {x  -} freex; {emp} [x] := x {???} • empdoes not ensure that the heap cell x exists. Thus, ??? cannot be filled in.

  19. Ownership Reading of a Triple • In client-side reasoning, we use {x  -}freex{emp}. How canemphold when the cellxstill exists? • Assertions describe owned local storage, not global storage. x f Heap Storage Cells owned by the module Cells owned by the client nil

  20. Ownership Reading of a Triple • In client-side reasoning, we use {x  -}freex{emp}. How canemphold when the cellxstill exists? • Assertions describe owned local storage, not global storage. x f Heap Storage Cells owned by the module Cells owned by the client nil

  21. Main Results Modular Procedure Rule ` {p1*r}C1{q1*r} …… ` {pn*r}Cn{qn*r} , {pi}ki{qi}(i · n)` {p}C{q} ` {p*r}let k1=C1,…,kn=Cnin C{q*r} • The modular procedure rule is sound for a fixedriffris precise. • The modular procedure rule is sound for fixedp1,…,pniff all ofp1,…,pnare precise.

  22. Conclusion • Separation enables modularity and information hiding even with pointers. • No special restrictions needed. Dangling pointers and address arithemetic all OK. • Ownership transfer: sharp end of pointers.

More Related