separation and information hiding

Separation and Information Hiding

Peter W. O’Hearn (Queen Mary, University of London) John C. Reynolds (Carnegie Mellon University)

Hongseok Yang (Seoul National University)

Modularity

Without modularity, formal reasoning is doomed.

Pointers can breach module boundaries. Rule out naughty pointers? Too

debilitating. Separation logic: flexible protection of

module internals.

Module procedure1

proceduren

….

x

Proper Proof Rule for a Module

Hoare (72) gave a proof rule for a module. The internal state is hidden from a client. Scoping restrictions protect internal resource

from outside interference. But, with pointers, this proof rule is not sound.

Our goal is to find a proof rule for a module such that

1. it works even with pointers, and2. it hides the internals from a client.

Separation Logic by Examples

Atomic assertions:emp, (1 0), (1 -)

Separating conjunction p*q:(x -)*(y -)

Tight interpretation of Hoare triples:{emp}[x]:=0{true} --- Invalid {x -}[x]:=0{true} --- Valid

Toy Memory Manager

allocx

freex

Memory_Manager

f

nil

global variable x

Implementations

allocx

freex

Memory_Manager

f

nil

Implementations:allocx = if (f=nil) then x:=new()

else x:=f; f:=[f]freex = [x]:=f; f:=x

Specifications:{emp*list(f)} allocx {(x-)*list(f)}

{(x-)*list(f)} freex {emp*list(f)}

Implementations

allocx

freex

Memory_Manager

f

nil

Implementations:allocx = if (f=nil) then x:=new()

else x:=f; f:=[f]freex = [x]:=f; f:=x

Specifications:{emp*list(f)} allocx {(x-)*list(f)}

{(x-)*list(f)} freex {emp*list(f)}

Resource Invariant:list(f)

Client-side Reasoning

allocx

freex

Memory_Manager

f

allocx;

[x] := y;

freex;

nil


allocx

freex

Memory_Manager

f

{emp * list(f)}allocx;

{(x -) * list(f)}[x] := y;

{(x y) * list(f)}freex;

{emp * list(f)}

nil


allocx

freex

Memory_Manager

f

{emp}allocx;

{(x -)}[x] := y;

{(x y)}freex;

{emp}

nil


allocx

freex

Memory_Manager

f

{emp}allocx;

{(x -)}[x] := y;

{(x y)}freex;

{emp}[x] := x

list(f) is not preserved.

nil

x

Towards Good Client-side Reasoning

Confinement: Prevents a client from pointing to the

internals of a module. Doesn’t work for the memory manager.

Our approach: Well-specified programs mind their own

business. Consequently, they don’t interfere with the

module internals. Much more general.

Our Solution

Modular Procedure Call

` {emp * list(f)} C1 {(x -) * list(f)}

` {(x -) * list(f)} C2 {emp * list(f)}

{emp}allocx{x -},{x -}freex{emp} `{p} C {q}

` {p*list(f)}let allocx=C1, freex=C2 in C{q*list(f)}

Our Solution








Our Solution






The internal list is absent in client-side reasoning.


Our Solution


` {emp * slist(f)} C1 {(x -) * slist(f)}

` {(x -) * slist(f)} C2 {emp * slist(f)}


` {p*slist(f)}let allocx=C1, freex=C2 in C{q*slist(f)}

The internal list is absent in client-side reasoning. So, the same proof for the client works for different i

mplementations.


Protection from Outside Interference

Tie a cycle in the free list.

allocx; freex; [x] := x

Failed proof attempt:

{emp} allocx;{x -} freex;{emp} [x] := x{???}

emp does not ensure that the heap cell x exists. Thus, ??? cannot be filled in.

Ownership Reading of a Triple

In client-side reasoning, we use{x -}freex{emp}.

How can emp hold when the cell x still exists? Assertions describe owned local storage, not global st

orage.

f x

Cells owned by the client

Cells owned by the module nil

Heap Storage

Main Results

Modular Procedure Rule

` {p1*r}C1{q1*r} ……

` {pn*r}Cn{qn*r}

, {pi}ki{qi}(i · n) ` {p}C{q}

` {p*r}let k1=C1,…,kn=Cn in C{q*r}

The modular procedure rule is sound for a fixed r iff r is precise.

The modular procedure rule is sound for fixed p1,…,pn iff all of p1,…,pn are precise.

Conclusion

Separation enables modularity and information hiding even with pointers.

No special restrictions needed. Dangling pointers and address arithemetic all OK.

Ownership transfer: sharp end of pointers.

separation and information hiding

Documents