Ownership, Pointer Arithmetic and Memory Separation Romain Bardou - PowerPoint PPT Presentation

Ownership, Pointer Arithmetic and Memory Separation Romain Bardou INRIA Saclay, France FTfJP2008 Ownership, Pointer Arithmetic, and Memory Separation 1 / 32

Introduction Jessie Ownership and Invariants Problems Our Approach Core Language Pointer Arithmetic Memory Separation Conclusion Ownership, Pointer Arithmetic, and Memory Separation Introduction 2 / 32

Jessie (1/2) Context: deductive verification INRIA Saclay: the Why platform to verify C or Java programs Ownership, Pointer Arithmetic, and Memory Separation Introduction Jessie 3 / 32

Jessie (2/2) ❈ ❏❛✈❛ ❈❛❞✉❝❡✉s ❑r❛❦❛t♦❛ ❏❡ss✐❡ ❲❤② ❱❈● ✳✳✳ ❙✐♠♣❧✐❢② ❆❧t✲❊r❣♦ ❈♦q ❩✸ ❨✐❝❡s Ownership, Pointer Arithmetic, and Memory Separation Introduction Jessie 4 / 32

Ownership and Invariants (1/2) Examples of invariants: ◮ x � = 0 ◮ t . size = length ( t . data ) ◮ Tree t is a search tree ◮ Tree t is balanced Ownership, Pointer Arithmetic, and Memory Separation Introduction Ownership and Invariants 5 / 32

Ownership and Invariants (2/2) Existing systems: ◮ Spec# / Boogie ◮ Universes type system ◮ Capabilities ◮ ... And in Jessie? Ownership, Pointer Arithmetic, and Memory Separation Introduction Ownership and Invariants 6 / 32

Problems Memory model of Jessie: ◮ Pointer arithmetic ◮ Used to encode arrays ◮ A single pointer may be shifted to access several others ◮ Memory separation ◮ Memory is split into several maps from pointers to values ◮ Simplifies pointer aliasing problems ◮ Global properties of the ownership system are harder to express Ownership, Pointer Arithmetic, and Memory Separation Introduction Problems 7 / 32

Our Approach ◮ Provide a small core language formalizing ownership and invariants ◮ Captures the core ideas of ownership ◮ Simple formalization usable in proofs ◮ Easy to extend ◮ Pointer arithmetic ◮ Express the global properties of the ownership system, in the logic , using assumptions Ownership, Pointer Arithmetic, and Memory Separation Introduction Our Approach 8 / 32

Introduction Core Language Syntax Semantics Example Pointer Arithmetic Memory Separation Conclusion Ownership, Pointer Arithmetic, and Memory Separation Core Language 9 / 32

Syntax ::= Values e v | x Variables | let x = e in e Binding | e ; e Sequence | Turing-completion while e do e | if e then e else e Test | new � e ; I ; r � Allocation | ! e Dereferencing | e := e Assignment | Packing pack e | unpack e Unpacking Ownership, Pointer Arithmetic, and Memory Separation Core Language Syntax 10 / 32

Semantics (1/4) Allocation ( p fresh in Γ): Γ , p = � v ; I ; r � ◦ ; p Γ; new � v ; I ; r � → Assignment: Γ , p = � v 1 ; I ; r � ◦ ; p := v 2 Γ , p = � v 2 ; I ; r � ◦ ; unit → Ownership, Pointer Arithmetic, and Memory Separation Core Language Semantics 11 / 32

Semantics (2/4) Packing (only if I holds in Γ): � p = � v ; I ; p 1 · · · p n � ◦ � Γ , ; pack p p 1 = R × 1 , · · · , p n = R × n → � p = � v ; I ; p 1 · · · p n � × � Γ , ; unit p 1 = R ⊗ 1 , · · · , p n = R ⊗ n Ownership, Pointer Arithmetic, and Memory Separation Core Language Semantics 12 / 32

Semantics (3/4) Unpacking: � p = � v ; I ; p 1 · · · p n � × � Γ , ; unpack p p 1 = R ⊗ 1 , · · · , p n = R ⊗ n → � p = � v ; I ; p 1 · · · p n � ◦ � Γ , ; unit p 1 = R × 1 , · · · , p n = R × n Ownership, Pointer Arithmetic, and Memory Separation Core Language Semantics 13 / 32

Semantics (4/4) Assignment can only be done on open (unpacked) pointers: Γ , p = � v 1 ; I ; r � ◦ ; p := v 2 Γ , p = � v 2 ; I ; r � ◦ ; unit → This ensures that invariants are not broken. Ownership, Pointer Arithmetic, and Memory Separation Core Language Semantics 14 / 32

Example (1/2) [M¨ uller, challenges in Java program verification] Let t be an array of integer of size n . int i, j, count = 0; for (i=0; i < t.length; i++) if (t[i] > 0) count++; int u[] = new int [count]; for (i=0, j=0; i < n; i++) if (t[i] > 0) u[j++] = t[i]; This copies the positive elements of t in the new array u . Problem: access u[j++] inside array bounds? Ownership, Pointer Arithmetic, and Memory Separation Core Language Example 15 / 32

Example (2/2) let i = new � 0; true; ∅� in let j = new � 0; true; ∅� in let count = new � 0; ( λ p . ! p = Card { i | t [ i ] > 0 } ); t [0 .. n ] � in while ! i ≤ n do ( if ! t [! i ] > 0 then count :=! count + 1; i :=! i + 1); pack count ; let u = new � 0; true; ∅� [! count ] in i := 0; while ! i ≤ n do ( if ! t [! i ] > 0 then ( u [! j ] :=! t [! i ]; j :=! j + 1)) i :=! i + 1) Ownership, Pointer Arithmetic, and Memory Separation Core Language Example 16 / 32

Introduction Core Language Pointer Arithmetic Pointer Shifting Extending Allocation Examples Memory Separation Conclusion Ownership, Pointer Arithmetic, and Memory Separation Pointer Arithmetic 17 / 32

Pointer Shifting We axiomatize pointer shifting ⊕ : p ⊕ i = p ⇐ ⇒ i = 0 ( p ⊕ i ) ⊕ j = p ⊕ ( i + j ) Pointers do not have to be all related together by ⊕ . · · · p · · · p ⊕ − 1 p ⊕ 1 p ⊕ 2 Ownership, Pointer Arithmetic, and Memory Separation Pointer Arithmetic Pointer Shifting 18 / 32

Extending Allocation new λ o . � v ; I ( o ); r ( o ) � [ n ] allocates the following fresh pointers: p ⊕ o = � v ; I ( o ); r ( o ) � where o ∈ { 0 , · · · , n − 1 } . All these pointers are known to be related by ⊕ . Ownership, Pointer Arithmetic, and Memory Separation Pointer Arithmetic Extending Allocation 19 / 32

Examples (1/3) An array of positive integers: new λ o . � 0; ( λ p . ! p ≥ 0); ∅� [ n ] ≥ 0 ≥ 0 · · · ≥ 0 · · · n − 1 0 1 Ownership, Pointer Arithmetic, and Memory Separation Pointer Arithmetic Examples 20 / 32

Examples (2/3) A pointer on an array of positive integers: let p = new λ o . � 0; true; ∅� [ n ] in new � 0; ( ∀ o , !(! p ⊕ o ) ≥ 0); p ⊕ [0 .. ( n − 1)] � ❛❧❧ ≥ 0 · · · n − 1 0 1 Ownership, Pointer Arithmetic, and Memory Separation Pointer Arithmetic Examples 21 / 32

Examples (3/3) let i = new � 0; true; ∅� in let j = new � 0; true; ∅� in let count = new � 0; ( λ p . ! p = Card { i | t ⊕ i > 0 } ); t ⊕ [0 .. n ] � in while ! i ≤ n do ( if ! t ⊕ ! i > 0 then count :=! count + 1; i :=! i + 1); pack count ; let u = new λ o . � 0; true; ∅� [! count ] in i := 0; while ! i ≤ n do ( if ! t ⊕ ! i > 0 then ( u ⊕ ! j :=! t ⊕ ! i ; j :=! j + 1)) i :=! i + 1) Ownership, Pointer Arithmetic, and Memory Separation Pointer Arithmetic Examples 22 / 32

Introduction Core Language Pointer Arithmetic Memory Separation With One Heap With Multiple Memories Linking Memories Example Conclusion Ownership, Pointer Arithmetic, and Memory Separation Memory Separation 23 / 32

With One Heap (1/3) Global ownership properties: ◮ p is closed = ⇒ Inv ( p ) ◮ p is closed = ⇒ reps of p are owned ◮ Owner of p is unique Axioms? Depends on the heap. In Spec# / Boogie: IsHeap ∀ h . IsHeap ( h ) = ⇒ Global ownership properties ( h ) Ownership, Pointer Arithmetic, and Memory Separation Memory Separation With One Heap 24 / 32

With One Heap (2/3) Another point of view: assumptions The following code: x :=! y becomes, at the Boogie or Why level: assume Global ownership properties ( h ) h := store ( h , x , select ( h , y )) assume Global ownership properties ( h ) Ownership, Pointer Arithmetic, and Memory Separation Memory Separation With One Heap 25 / 32

With One Heap (3/3) Suppose a free variable x . let y = new � 0; ( λ p . ! p > ! x ); x � in y :=! x + 1; pack y ; y Post-condition: ! y > ! x Resulting proof obligation (simplified): ∀ h , x , y   IsHeap ( h )  = ⇒ select ( h , y ) > select ( h , x ) closed ( h , y ) Ownership, Pointer Arithmetic, and Memory Separation Memory Separation With One Heap 26 / 32

With Multiple Memories The heap h is split into several maps from pointers to values.  ∀ h x , h y , x , y  IsHeap (???)  = ⇒ select ( h y , y ) > select ( h x , x ) closed ( h y , y ) Ownership, Pointer Arithmetic, and Memory Separation Memory Separation With Multiple Memories 27 / 32

Linking Memories (1/2) Axiom: ∀ h , h x , h y .    linked ( h , h x )  = ⇒ Global ownership properties ( h , h x , h y ) linked ( h , h y )   IsHeap ( h )  Proof obligation: ∀ h , h x , h y , x , y    linked ( h , h x )    ⇒ select ( h y , y ) > select ( h x , x ) linked ( h , h y ) = IsHeap ( h )     closed ( h y , y )  This is inconsistent! Ownership, Pointer Arithmetic, and Memory Separation Memory Separation Linking Memories 28 / 32

Linking Memories (2/2) Solution: use the assumption point of view. ...some code... assume Global ownership properties ( Current heap x , Current heap y ) ...some code... Proof obligation: ∀ h x , h y , x , y   Global ownership properties ( h x , h y )  ⇒ select ( h y , y ) > select ( h x , x ) closed ( h y , y ) Ownership, Pointer Arithmetic, and Memory Separation Memory Separation Linking Memories 29 / 32