separation and information hiding peter w. o’hearn (queen mary, university of london) john c....
TRANSCRIPT
![Page 1: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/1.jpg)
Separation and Information Hiding
Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University)
Hongseok Yang (Seoul National University)
![Page 2: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/2.jpg)
Modularity
Without modularity, formal reasoning is doomed.
Pointers can breach module boundaries. Rule out naughty pointers? Too
debilitating. Separation logic: flexible protection of
module internals.
Module procedure1
proceduren
….
x
![Page 3: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/3.jpg)
Proper Proof Rule for a Module
Hoare (72) gave a proof rule for a module. The internal state is hidden from a client. Scoping restrictions protect internal resource
from outside interference. But, with pointers, this proof rule is not sound.
Our goal is to find a proof rule for a module such that
1. it works even with pointers, and2. it hides the internals from a client.
![Page 4: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/4.jpg)
Separation Logic by Examples
Atomic assertions:emp, (1 0), (1 -)
Separating conjunction p*q:(x -)*(y -)
Tight interpretation of Hoare triples:{emp}[x]:=0{true} --- Invalid {x -}[x]:=0{true} --- Valid
![Page 5: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/5.jpg)
Toy Memory Manager
allocx
freex
Memory_Manager
f
nil
global variable x
![Page 6: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/6.jpg)
Toy Memory Manager
allocx
freex
Memory_Manager
f
nil
global variable x
![Page 7: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/7.jpg)
Implementations
allocx
freex
Memory_Manager
f
nil
Implementations:allocx = if (f=nil) then x:=new()
else x:=f; f:=[f]freex = [x]:=f; f:=x
Specifications:{emp*list(f)} allocx {(x-)*list(f)}
{(x-)*list(f)} freex {emp*list(f)}
![Page 8: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/8.jpg)
Implementations
allocx
freex
Memory_Manager
f
nil
Implementations:allocx = if (f=nil) then x:=new()
else x:=f; f:=[f]freex = [x]:=f; f:=x
Specifications:{emp*list(f)} allocx {(x-)*list(f)}
{(x-)*list(f)} freex {emp*list(f)}
Resource Invariant:list(f)
![Page 9: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/9.jpg)
Client-side Reasoning
allocx
freex
Memory_Manager
f
allocx;
[x] := y;
freex;
nil
![Page 10: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/10.jpg)
Client-side Reasoning
allocx
freex
Memory_Manager
f
{emp * list(f)}allocx;
{(x -) * list(f)}[x] := y;
{(x y) * list(f)}freex;
{emp * list(f)}
nil
![Page 11: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/11.jpg)
Client-side Reasoning
allocx
freex
Memory_Manager
f
{emp}allocx;
{(x -)}[x] := y;
{(x y)}freex;
{emp}
nil
![Page 12: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/12.jpg)
Client-side Reasoning
allocx
freex
Memory_Manager
f
{emp}allocx;
{(x -)}[x] := y;
{(x y)}freex;
{emp}[x] := x
list(f) is not preserved.
nil
x
![Page 13: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/13.jpg)
Towards Good Client-side Reasoning
Confinement: Prevents a client from pointing to the
internals of a module. Doesn’t work for the memory manager.
Our approach: Well-specified programs mind their own
business. Consequently, they don’t interfere with the
module internals. Much more general.
![Page 14: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/14.jpg)
Our Solution
Modular Procedure Call
` {emp * list(f)} C1 {(x -) * list(f)}
` {(x -) * list(f)} C2 {emp * list(f)}
{emp}allocx{x -},{x -}freex{emp} `{p} C {q}
` {p*list(f)}let allocx=C1, freex=C2 in C{q*list(f)}
![Page 15: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/15.jpg)
Our Solution
Modular Procedure Call
` {emp * list(f)} C1 {(x -) * list(f)}
` {(x -) * list(f)} C2 {emp * list(f)}
{emp}allocx{x -},{x -}freex{emp} `{p} C {q}
` {p*list(f)}let allocx=C1, freex=C2 in C{q*list(f)}
` {emp * list(f)} C1 {(x -) * list(f)}
` {(x -) * list(f)} C2 {emp * list(f)}
![Page 16: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/16.jpg)
Our Solution
Modular Procedure Call
` {emp * list(f)} C1 {(x -) * list(f)}
` {(x -) * list(f)} C2 {emp * list(f)}
{emp}allocx{x -},{x -}freex{emp} `{p} C {q}
` {p*list(f)}let allocx=C1, freex=C2 in C{q*list(f)}
The internal list is absent in client-side reasoning.
{emp}allocx{x -},{x -}freex{emp} `{p} C {q}
![Page 17: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/17.jpg)
Our Solution
Modular Procedure Call
` {emp * slist(f)} C1 {(x -) * slist(f)}
` {(x -) * slist(f)} C2 {emp * slist(f)}
{emp}allocx{x -},{x -}freex{emp} `{p} C {q}
` {p*slist(f)}let allocx=C1, freex=C2 in C{q*slist(f)}
The internal list is absent in client-side reasoning. So, the same proof for the client works for different i
mplementations.
{emp}allocx{x -},{x -}freex{emp} `{p} C {q}
![Page 18: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/18.jpg)
Protection from Outside Interference
Tie a cycle in the free list.
allocx; freex; [x] := x
Failed proof attempt:
{emp} allocx;{x -} freex;{emp} [x] := x{???}
emp does not ensure that the heap cell x exists. Thus, ??? cannot be filled in.
![Page 19: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/19.jpg)
Ownership Reading of a Triple
In client-side reasoning, we use{x -}freex{emp}.
How can emp hold when the cell x still exists? Assertions describe owned local storage, not global st
orage.
f x
Cells owned by the client
Cells owned by the module nil
Heap Storage
![Page 20: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/20.jpg)
Ownership Reading of a Triple
In client-side reasoning, we use{x -}freex{emp}.
How can emp hold when the cell x still exists? Assertions describe owned local storage, not global st
orage.
f x
Cells owned by the client
Cells owned by the module nil
Heap Storage
![Page 21: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/21.jpg)
Main Results
Modular Procedure Rule
` {p1*r}C1{q1*r} ……
` {pn*r}Cn{qn*r}
, {pi}ki{qi}(i · n) ` {p}C{q}
` {p*r}let k1=C1,…,kn=Cn in C{q*r}
The modular procedure rule is sound for a fixed r iff r is precise.
The modular procedure rule is sound for fixed p1,…,pn iff all of p1,…,pn are precise.
![Page 22: Separation and Information Hiding Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University) Hongseok Yang (Seoul](https://reader035.vdocuments.us/reader035/viewer/2022062409/5697bf721a28abf838c7ea86/html5/thumbnails/22.jpg)
Conclusion
Separation enables modularity and information hiding even with pointers.
No special restrictions needed. Dangling pointers and address arithemetic all OK.
Ownership transfer: sharp end of pointers.