Separation and Information Hiding
description
Transcript of Separation and Information Hiding
Separation and Information Hiding
Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University)
Hongseok Yang (Seoul National University)
Modularity
Without modularity, formal reasoning is doomed.
Pointers can breach module boundaries. Rule out naughty pointers? Too
debilitating. Separation logic: flexible protection of
module internals.
Module procedure1
proceduren
….
x
Proper Proof Rule for a Module
Hoare (72) gave a proof rule for a module. The internal state is hidden from a client. Scoping restrictions protect internal resource
from outside interference. But, with pointers, this proof rule is not sound.
Our goal is to find a proof rule for a module such that
1. it works even with pointers, and2. it hides the internals from a client.
Separation Logic by Examples
Atomic assertions:emp, (1 0), (1 -)
Separating conjunction p*q:(x -)*(y -)
Tight interpretation of Hoare triples:{emp}[x]:=0{true} --- Invalid {x -}[x]:=0{true} --- Valid
Toy Memory Manager
allocx
freex
Memory_Manager
f
nil
global variable x
Toy Memory Manager
allocx
freex
Memory_Manager
f
nil
global variable x
Implementations
allocx
freex
Memory_Manager
f
nil
Implementations:allocx = if (f=nil) then x:=new()
else x:=f; f:=[f]freex = [x]:=f; f:=x
Specifications:{emp*list(f)} allocx {(x-)*list(f)}
{(x-)*list(f)} freex {emp*list(f)}
Implementations
allocx
freex
Memory_Manager
f
nil
Implementations:allocx = if (f=nil) then x:=new()
else x:=f; f:=[f]freex = [x]:=f; f:=x
Specifications:{emp*list(f)} allocx {(x-)*list(f)}
{(x-)*list(f)} freex {emp*list(f)}
Resource Invariant:list(f)
Client-side Reasoning
allocx
freex
Memory_Manager
f
allocx;
[x] := y;
freex;
nil
Client-side Reasoning
allocx
freex
Memory_Manager
f
{emp * list(f)}allocx;
{(x -) * list(f)}[x] := y;
{(x y) * list(f)}freex;
{emp * list(f)}
nil
Client-side Reasoning
allocx
freex
Memory_Manager
f
{emp}allocx;
{(x -)}[x] := y;
{(x y)}freex;
{emp}
nil
Client-side Reasoning
allocx
freex
Memory_Manager
f
{emp}allocx;
{(x -)}[x] := y;
{(x y)}freex;
{emp}[x] := x
list(f) is not preserved.
nil
x
Towards Good Client-side Reasoning
Confinement: Prevents a client from pointing to the
internals of a module. Doesn’t work for the memory manager.
Our approach: Well-specified programs mind their own
business. Consequently, they don’t interfere with the
module internals. Much more general.
Our Solution
Modular Procedure Call
` {emp * list(f)} C1 {(x -) * list(f)}
` {(x -) * list(f)} C2 {emp * list(f)}
{emp}allocx{x -},{x -}freex{emp} `{p} C {q}
` {p*list(f)}let allocx=C1, freex=C2 in C{q*list(f)}
Our Solution
Modular Procedure Call
` {emp * list(f)} C1 {(x -) * list(f)}
` {(x -) * list(f)} C2 {emp * list(f)}
{emp}allocx{x -},{x -}freex{emp} `{p} C {q}
` {p*list(f)}let allocx=C1, freex=C2 in C{q*list(f)}
` {emp * list(f)} C1 {(x -) * list(f)}
` {(x -) * list(f)} C2 {emp * list(f)}
Our Solution
Modular Procedure Call
` {emp * list(f)} C1 {(x -) * list(f)}
` {(x -) * list(f)} C2 {emp * list(f)}
{emp}allocx{x -},{x -}freex{emp} `{p} C {q}
` {p*list(f)}let allocx=C1, freex=C2 in C{q*list(f)}
The internal list is absent in client-side reasoning.
{emp}allocx{x -},{x -}freex{emp} `{p} C {q}
Our Solution
Modular Procedure Call
` {emp * slist(f)} C1 {(x -) * slist(f)}
` {(x -) * slist(f)} C2 {emp * slist(f)}
{emp}allocx{x -},{x -}freex{emp} `{p} C {q}
` {p*slist(f)}let allocx=C1, freex=C2 in C{q*slist(f)}
The internal list is absent in client-side reasoning. So, the same proof for the client works for different i
mplementations.
{emp}allocx{x -},{x -}freex{emp} `{p} C {q}
Protection from Outside Interference
Tie a cycle in the free list.
allocx; freex; [x] := x
Failed proof attempt:
{emp} allocx;{x -} freex;{emp} [x] := x{???}
emp does not ensure that the heap cell x exists. Thus, ??? cannot be filled in.
Ownership Reading of a Triple
In client-side reasoning, we use{x -}freex{emp}.
How can emp hold when the cell x still exists? Assertions describe owned local storage, not global st
orage.
f x
Cells owned by the client
Cells owned by the module nil
Heap Storage
Ownership Reading of a Triple
In client-side reasoning, we use{x -}freex{emp}.
How can emp hold when the cell x still exists? Assertions describe owned local storage, not global st
orage.
f x
Cells owned by the client
Cells owned by the module nil
Heap Storage
Main Results
Modular Procedure Rule
` {p1*r}C1{q1*r} ……
` {pn*r}Cn{qn*r}
, {pi}ki{qi}(i · n) ` {p}C{q}
` {p*r}let k1=C1,…,kn=Cn in C{q*r}
The modular procedure rule is sound for a fixed r iff r is precise.
The modular procedure rule is sound for fixed p1,…,pn iff all of p1,…,pn are precise.
Conclusion
Separation enables modularity and information hiding even with pointers.
No special restrictions needed. Dangling pointers and address arithemetic all OK.
Ownership transfer: sharp end of pointers.