Presentation is loading. Please wait.

Presentation is loading. Please wait.

Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul.

Published byDonald Shepherd Modified over 8 years ago

Similar presentations

Presentation on theme: "Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul."— Presentation transcript:

1 Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul National University)

2 Modularity Without modularity, formal reasoning is doomed. Pointers can breach module boundaries. Rule out naughty pointers? Too debilitating. Separation logic: flexible protection of module internals. Module procedure 1 procedure n …. x

3 Proper Proof Rule for a Module Hoare (72) gave a proof rule for a module. The internal state is hidden from a client. Scoping restrictions protect internal resource from outside interference. But, with pointers, this proof rule is not sound. Our goal is to find a proof rule for a module such that 1. it works even with pointers, and 2. it hides the internals from a client.

4 Separation Logic by Examples Atomic assertions: emp, (1  0), (1  -) Separating conjunction p*q : (x  -)*(y  -) Tight interpretation of Hoare triples: {emp}[x]:=0{true} --- Invalid {x  -}[x]:=0{true} --- Valid

5 Toy Memory Manager alloc x free x Memory_Manager f nil global variable x

6 Toy Memory Manager alloc x free x Memory_Manager f nil global variable x

7 Implementations alloc x free x Memory_Manager f nil Implementations: alloc x = if (f=nil) then x:=new() else x:=f; f:=[f] free x = [x]:=f; f:=x Specifications: {emp*list(f)} alloc x {(x  -)*list(f)} {(x  -)*list(f)} free x {emp*list(f)}

8 Implementations alloc x free x Memory_Manager f nil Implementations: alloc x = if (f=nil) then x:=new() else x:=f; f:=[f] free x = [x]:=f; f:=x Specifications: {emp*list(f)} alloc x {(x  -)*list(f)} {(x  -)*list(f)} free x {emp*list(f)} Resource Invariant: list(f)

9 Client-side Reasoning alloc x free x Memory_Manager f alloc x ; [x] := y; free x ; nil

10 Client-side Reasoning alloc x free x Memory_Manager f {emp * list(f)} alloc x ; {(x  -) * list(f)} [x] := y; {(x  y) * list(f)} free x ; {emp * list(f)} nil

11 Client-side Reasoning alloc x free x Memory_Manager f {emp} alloc x ; {(x  -)} [x] := y; {(x  y)} free x ; {emp} nil

12 Client-side Reasoning alloc x free x Memory_Manager f {emp} alloc x ; {(x  -)} [x] := y; {(x  y)} free x ; {emp} [x] := x list(f) is not preserved. nil x

13 Towards Good Client-side Reasoning Confinement: Prevents a client from pointing to the internals of a module. Doesn’t work for the memory manager. Our approach: Well-specified programs mind their own business. Consequently, they don’t interfere with the module internals. Much more general.

14 Our Solution Modular Procedure Call ` {emp * list(f)} C 1 {(x  -) * list(f)} ` {(x  -) * list(f)} C 2 {emp * list(f)} {emp}alloc x {x  -},{x  -}free x {emp} ` {p} C {q} ` {p*list(f)}let alloc x =C 1, free x =C 2 in C{q*list(f)}

15 Our Solution Modular Procedure Call ` {emp * list(f)} C 1 {(x  -) * list(f)} ` {(x  -) * list(f)} C 2 {emp * list(f)} {emp}alloc x {x  -},{x  -}free x {emp} ` {p} C {q} ` {p*list(f)}let alloc x =C 1, free x =C 2 in C{q*list(f)} ` {emp * list(f)} C 1 {(x  -) * list(f)} ` {(x  -) * list(f)} C 2 {emp * list(f)}

16 Our Solution Modular Procedure Call ` {emp * list(f)} C 1 {(x  -) * list(f)} ` {(x  -) * list(f)} C 2 {emp * list(f)} {emp}alloc x {x  -},{x  -}free x {emp} ` {p} C {q} ` {p*list(f)}let alloc x =C 1, free x =C 2 in C{q*list(f)} The internal list is absent in client-side reasoning. {emp}alloc x {x  -},{x  -}free x {emp} ` {p} C {q}

17 Our Solution Modular Procedure Call ` {emp * slist(f)} C 1 {(x  -) * slist(f)} ` {(x  -) * slist(f)} C 2 {emp * slist(f)} {emp}alloc x {x  -},{x  -}free x {emp} ` {p} C {q} ` {p*slist(f)}let alloc x =C 1, free x =C 2 in C{q*slist(f)} The internal list is absent in client-side reasoning. So, the same proof for the client works for different implementations. {emp}alloc x {x  -},{x  -}free x {emp} ` {p} C {q}

18 Protection from Outside Interference Tie a cycle in the free list. alloc x ; free x ; [x] := x Failed proof attempt: {emp} alloc x ; {x  -} free x ; {emp} [x] := x {???} emp does not ensure that the heap cell x exists. Thus, ??? cannot be filled in.

19 Ownership Reading of a Triple In client-side reasoning, we use {x  -}free x {emp}. How can emp hold when the cell x still exists? Assertions describe owned local storage, not global storage. f x Cells owned by the client Cells owned by the module nil Heap Storage

20 Ownership Reading of a Triple In client-side reasoning, we use {x  -}free x {emp}. How can emp hold when the cell x still exists? Assertions describe owned local storage, not global storage. f x Cells owned by the client Cells owned by the module nil Heap Storage

21 Main Results Modular Procedure Rule  ` {p 1 *r}C 1 {q 1 *r} ……  ` {p n *r}C n {q n *r} , {p i }k i {q i } (i · n) ` {p}C{q}  ` {p*r}let k 1 =C 1,…,k n =C n in C{q*r} The modular procedure rule is sound for a fixed r iff r is precise. The modular procedure rule is sound for fixed p 1,…,p n iff all of p 1,…,p n are precise.

22 Conclusion Separation enables modularity and information hiding even with pointers. No special restrictions needed. Dangling pointers and address arithemetic all OK. Ownership transfer: sharp end of pointers.

Download ppt "Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Soundness of Higher-order Frame Rules (How did category theory help me?) Hongseok Yang Seoul National University Joint work with Lars Birkedal and Noah.

Soundness of Higher-order Frame Rules (How did category theory help me?) Hongseok Yang Seoul National University Joint work with Lars Birkedal and Noah.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 12.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 12.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Techniques for proving programs with pointers A. Tikhomirov.

Techniques for proving programs with pointers A. Tikhomirov.
Chapter 6 Data Types. 2 3 4 5 6 7 8 9 10.

Chapter 6 Data Types
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
Prof. Necula CS 164 Lecture 141 Run-time Environments Lecture 8.

Prof. Necula CS 164 Lecture 141 Run-time Environments Lecture 8.
Adjunct Elimination in Context Logic for Trees Cristiano Calcagno Thomas Dinsdale-Young Philippa Gardner Imperial College, London.

Adjunct Elimination in Context Logic for Trees Cristiano Calcagno Thomas Dinsdale-Young Philippa Gardner Imperial College, London.
Memory Management Design & Implementation Segmentation Chapter 4.

Memory Management Design & Implementation Segmentation Chapter 4.
Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong.

Certifying Low-Level Programs with Hardware Interrupts and Preemptive Threads Xinyu Feng Toyota Technological Institute at Chicago Joint work with Zhong.
CS 536 Spring 20011 Run-time organization Lecture 19.

CS 536 Spring Run-time organization Lecture 19.
3/17/2008Prof. Hilfinger CS 164 Lecture 231 Run-time organization Lecture 23.

3/17/2008Prof. Hilfinger CS 164 Lecture 231 Run-time organization Lecture 23.
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.
Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang.

Local Reasoning Peter O’Hearn John Reynolds Hongseok Yang.
Separation Logic A Logic of Shared Mutable Data Structures John Reynolds CMU Extended subset Mooly Sagiv.

Separation Logic A Logic of Shared Mutable Data Structures John Reynolds CMU Extended subset Mooly Sagiv.
Run time vs. Compile time

Run time vs. Compile time
1 Islands : Aliasing Protection In Object-Oriented Languages By : John Hogg OOPSLA 91 Aharon Abadi.

1 Islands : Aliasing Protection In Object-Oriented Languages By : John Hogg OOPSLA 91 Aharon Abadi.
Run-time Environment and Program Organization

Run-time Environment and Program Organization

Similar presentations

Ads by Google