Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul National University)

Modularity Without modularity, formal reasoning is doomed. Pointers can breach module boundaries. Rule out naughty pointers? Too debilitating. Separation logic: flexible protection of module internals. Module procedure 1 procedure n …. x

Proper Proof Rule for a Module Hoare (72) gave a proof rule for a module. The internal state is hidden from a client. Scoping restrictions protect internal resource from outside interference. But, with pointers, this proof rule is not sound. Our goal is to find a proof rule for a module such that 1. it works even with pointers, and 2. it hides the internals from a client.

Separation Logic by Examples Atomic assertions: emp, (1  0), (1  -) Separating conjunction p*q : (x  -)*(y  -) Tight interpretation of Hoare triples: {emp}[x]:=0{true} --- Invalid {x  -}[x]:=0{true} --- Valid

Toy Memory Manager alloc x free x Memory_Manager f nil global variable x

Toy Memory Manager alloc x free x Memory_Manager f nil global variable x

Implementations alloc x free x Memory_Manager f nil Implementations: alloc x = if (f=nil) then x:=new() else x:=f; f:=[f] free x = [x]:=f; f:=x Specifications: {emp*list(f)} alloc x {(x  -)*list(f)} {(x  -)*list(f)} free x {emp*list(f)}

Implementations alloc x free x Memory_Manager f nil Implementations: alloc x = if (f=nil) then x:=new() else x:=f; f:=[f] free x = [x]:=f; f:=x Specifications: {emp*list(f)} alloc x {(x  -)*list(f)} {(x  -)*list(f)} free x {emp*list(f)} Resource Invariant: list(f)

Client-side Reasoning alloc x free x Memory_Manager f alloc x ; [x] := y; free x ; nil

Client-side Reasoning alloc x free x Memory_Manager f {emp * list(f)} alloc x ; {(x  -) * list(f)} [x] := y; {(x  y) * list(f)} free x ; {emp * list(f)} nil

Client-side Reasoning alloc x free x Memory_Manager f {emp} alloc x ; {(x  -)} [x] := y; {(x  y)} free x ; {emp} nil

Client-side Reasoning alloc x free x Memory_Manager f {emp} alloc x ; {(x  -)} [x] := y; {(x  y)} free x ; {emp} [x] := x list(f) is not preserved. nil x

Towards Good Client-side Reasoning Confinement: Prevents a client from pointing to the internals of a module. Doesn’t work for the memory manager. Our approach: Well-specified programs mind their own business. Consequently, they don’t interfere with the module internals. Much more general.

Our Solution Modular Procedure Call ` {emp * list(f)} C 1 {(x  -) * list(f)} ` {(x  -) * list(f)} C 2 {emp * list(f)} {emp}alloc x {x  -},{x  -}free x {emp} ` {p} C {q} ` {p*list(f)}let alloc x =C 1, free x =C 2 in C{q*list(f)}

Our Solution Modular Procedure Call ` {emp * list(f)} C 1 {(x  -) * list(f)} ` {(x  -) * list(f)} C 2 {emp * list(f)} {emp}alloc x {x  -},{x  -}free x {emp} ` {p} C {q} ` {p*list(f)}let alloc x =C 1, free x =C 2 in C{q*list(f)} ` {emp * list(f)} C 1 {(x  -) * list(f)} ` {(x  -) * list(f)} C 2 {emp * list(f)}

Our Solution Modular Procedure Call ` {emp * list(f)} C 1 {(x  -) * list(f)} ` {(x  -) * list(f)} C 2 {emp * list(f)} {emp}alloc x {x  -},{x  -}free x {emp} ` {p} C {q} ` {p*list(f)}let alloc x =C 1, free x =C 2 in C{q*list(f)} The internal list is absent in client-side reasoning. {emp}alloc x {x  -},{x  -}free x {emp} ` {p} C {q}

Our Solution Modular Procedure Call ` {emp * slist(f)} C 1 {(x  -) * slist(f)} ` {(x  -) * slist(f)} C 2 {emp * slist(f)} {emp}alloc x {x  -},{x  -}free x {emp} ` {p} C {q} ` {p*slist(f)}let alloc x =C 1, free x =C 2 in C{q*slist(f)} The internal list is absent in client-side reasoning. So, the same proof for the client works for different implementations. {emp}alloc x {x  -},{x  -}free x {emp} ` {p} C {q}

Protection from Outside Interference Tie a cycle in the free list. alloc x ; free x ; [x] := x Failed proof attempt: {emp} alloc x ; {x  -} free x ; {emp} [x] := x {???} emp does not ensure that the heap cell x exists. Thus, ??? cannot be filled in.

Ownership Reading of a Triple In client-side reasoning, we use {x  -}free x {emp}. How can emp hold when the cell x still exists? Assertions describe owned local storage, not global storage. f x Cells owned by the client Cells owned by the module nil Heap Storage

Ownership Reading of a Triple In client-side reasoning, we use {x  -}free x {emp}. How can emp hold when the cell x still exists? Assertions describe owned local storage, not global storage. f x Cells owned by the client Cells owned by the module nil Heap Storage

Main Results Modular Procedure Rule  ` {p 1 *r}C 1 {q 1 *r} ……  ` {p n *r}C n {q n *r} , {p i }k i {q i } (i · n) ` {p}C{q}  ` {p*r}let k 1 =C 1,…,k n =C n in C{q*r} The modular procedure rule is sound for a fixed r iff r is precise. The modular procedure rule is sound for fixed p 1,…,p n iff all of p 1,…,p n are precise.

Conclusion Separation enables modularity and information hiding even with pointers. No special restrictions needed. Dangling pointers and address arithemetic all OK. Ownership transfer: sharp end of pointers.