Regions and Permissions for Data Invariants
Romain Bardou and Claude Marché
September 2009
Motivation

preservation of data invariants in pointer programs
- ownership system of Spec# [Barnett et al 04]
- Universe Types [Dietl, Müller 05]

static typing instead of theorem provers

how?
- regions [Tofte, Talpin, Jouvelot 91] ... [Banerjee et al 08]
- with permissions [Crary et al 99]
Data Invariant Example

    class PosInt {
        int value;
        //@ invariant this.value > 0;
        void double() { value := value + value; }
    }
Core Language

functional style with references (e1 := e2, !e)

    type PosInt = int
      inv(this) = !this > 0
    end

    val double(x : PosInt) : unit = x := !x + !x

focus on pointers and aliasing; ignore inheritance and dynamic dispatch
Problem: Pointer Aliasing

    val f(x : PosInt, y : PosInt) : unit =
      x := 0;
      x := 1 / !y

what if x = y?

[figure: x and y point to the same cell, which holds 0]
Problem: Components

    type SortedPair = PosInt × PosInt
      inv(this) = !this.1 < !this.2
    end

    val double(x : PosInt) : unit = x := !x + !x

what if x is a member of a SortedPair p?

[figure: p points to the pair (4, 7); x points to one of its components]
Regions

solution: group pointers by regions

pointers of two different regions may not be aliased

[figure: pointers a, b, c, d, e, f, g, h partitioned into regions]
Permissions

permission = static linear information about a region

"linear" means:
- permissions cannot be duplicated
- permissions depend on the program point
- operations may consume some permissions
- operations may produce other permissions
Empty Regions

regions are created empty

    region ρ in ...

this produces permission ρ∅: "ρ is empty"
Allocation and Singleton Regions

pointers are allocated in empty regions

    new PosInt[ρ]

this:
- consumes permission ρ∅
- produces permission ρS: "ρ is singleton"

region ρ is no longer empty: it is singleton
Group Regions

a singleton region ρ may be demoted to a group region

this is implicit

this:
- consumes permission ρS
- produces permission ρG: "ρ is group"
Adoption

adoption moves a pointer from a singleton region to an already-existing group region

if x is in region σ:

    adopt x in ρ

this:
- consumes permissions σS and ρG
- produces permission ρG
The Permission Diagram (so far)

    σ∅ --new--> σS --(implicit)--> σG
    σS, ρG --adopt--> ρG
Permissions for Invariants

use permissions to denote whether invariants hold
- ρ∅: empty region, no invariant
- ρ◦: open singleton region, invariant does not hold
- ρ×: closed singleton region, invariant holds
- ρG: group region, all invariants hold

only pointers in open regions can be assigned
Packing and Unpacking

    pack x

packing a pointer of ρ:
- consumes ρ◦
- produces ρ×
- generates a proof obligation (the invariant)

    unpack x

unpacking is the opposite operation:
- consumes ρ×
- produces ρ◦
The Permission Diagram (with packing)

    σ∅ --new--> σ◦ --pack--> σ× --(implicit)--> σG
    σ× --unpack--> σ◦
    σ×, ρG --adopt--> ρG
Owned Regions

problem: invariants about other pointers?

    type SortedPair⟨ρ1, ρ2⟩ = PosInt[ρ1] × PosInt[ρ2]
      inv(this) = !this.1 < !this.2
    end

    val bad(x : SortedPair⟨ρ1, ρ2⟩[ρ])
      consumes ρ×, ρ1◦, ρ2◦
      produces ρ×, ρ1◦, ρ2◦
    = !x.1 := 69;
      !x.2 := 42

[figure: x lives in region ρ; its components !x.1 and !x.2 live in regions ρ1 and ρ2]
Owned Regions

solution: owned regions

    type SortedPair = own ρ1, ρ2
      PosInt[ρ1] × PosInt[ρ2]
      inv(this) = !this.1 < !this.2
    end

[figure: x lives in region ρ; its components !x.1 and !x.2 live in the owned regions ρ.ρ1 and ρ.ρ2]
The Permission Diagram (with owned regions)

    σ∅ --new--> σ◦
    σ◦, own(σ)G --pack--> σ×
    σ× --unpack--> σ◦, own(σ)G
    σ× --(implicit)--> σG
    σ×, ρG --adopt--> ρG
Group to Singleton?

problem: how to modify a pointer of a group region?

    σ×, ρG --adopt--> ρG
    ρG --?--> σ×
Group to Singleton?

solution: extract the pointer to a singleton region

problem: what happens to the group region?
- what if several pointers are extracted?
- what if a pointer is extracted several times?

solution: group region temporarily disabled
Linear Implication

    σ ⊸ ρ

- ρ is disabled temporarily
- σ× must be given to enable ρ
- allows temporary extraction from ρ to σ
Focus

if y is in region ρ:

    focus y in σ

this:
- consumes σ∅ and ρG
- produces σ× and σ ⊸ ρ

region σ now also contains y
Unfocus

if y is in region σ:

    unfocus y in ρ

this:
- consumes σ× and σ ⊸ ρ
- produces ρG

region σ is permanently disabled
Focus and Unfocus Usage

if x is in group region ρ (permissions held after each line are shown on the right):

    region σ in                      { σ∅, ρG }
    let xf = (focus x in σ) in       { σ×, σ ⊸ ρ }
    unpack xf;                       { σ◦, σ ⊸ ρ }
    xf := ···;                       { σ◦, σ ⊸ ρ }
    pack xf;                         { σ×, σ ⊸ ρ }
    unfocus xf in ρ                  { ρG }

x = xf, but:
- x is in ρ
- xf is in σ
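As an added example (not the authors' code), the permission rules of the Allocation, Group Regions, Adoption, Packing, Focus and Unfocus slides written as a small static checker in Python. It treats the permissions held at a program point as a linear set: each operation removes what it consumes and adds what it produces, and a missing permission is a type error. Two assumptions go beyond the slides: `new` yields an open singleton (as in the `let x = new PosInt[σ] in x := 5; pack x` fragment of the inference slide), and the implicit demotion to a group region starts from a closed singleton, since ρG states that all invariants hold. Owned regions are left out. `Checker`, `PermissionViolation`, `pointer_in_group`, `focus_unfocus_usage` and `rejected_programs` are names of the example, not of the paper.

```python
"""Added example: a linear permission checker for the region calculus above.
Permissions are a set of tuples, at most one per region at each program point:
("empty", r) = r∅, ("open", r) = r◦, ("closed", r) = r×, ("group", r) = rG,
("implies", s, r) = s ⊸ r.  Every operation consumes and produces permissions
as in the permission diagram; a missing permission is a static type error."""
from dataclasses import dataclass, field


class PermissionViolation(Exception):
    """The program needs a permission the current program point does not hold."""


@dataclass
class Checker:
    perms: set = field(default_factory=set)          # permissions held right now
    regions: dict = field(default_factory=dict)      # pointer variable -> its region
    obligations: list = field(default_factory=list)  # invariants to prove at each pack

    def _consume(self, *needed):
        missing = [p for p in needed if p not in self.perms]
        if missing:
            raise PermissionViolation(f"need {missing}, have {sorted(self.perms)}")
        for p in needed:
            self.perms.remove(p)  # linear: a permission is used up, never copied

    def _produce(self, *made):
        self.perms.update(made)

    def region(self, r):
        """`region r in ...`: a fresh region starts empty (r∅)."""
        if any(r in p[1:] for p in self.perms):
            raise PermissionViolation(f"region {r} is already in use")
        self._produce(("empty", r))

    def new(self, x, r):
        """`let x = new T[r] in ...`: r∅ -> r◦ (assumed: allocation yields an open singleton)."""
        self._consume(("empty", r))
        self._produce(("open", r))
        self.regions[x] = r

    def assign(self, x):
        """`x := e`: only pointers of open regions may be written."""
        if ("open", self.regions[x]) not in self.perms:
            raise PermissionViolation(f"{x} lives in {self.regions[x]}, which is not open")

    def pack(self, x):
        """`pack x`: r◦ -> r×; the invariant of x becomes a proof obligation."""
        self._consume(("open", self.regions[x]))
        self._produce(("closed", self.regions[x]))
        self.obligations.append(f"inv({x}) holds")

    def unpack(self, x):
        """`unpack x`: r× -> r◦."""
        self._consume(("closed", self.regions[x]))
        self._produce(("open", self.regions[x]))

    def to_group(self, r):
        """Implicit demotion r× -> rG (assumed to start from r×, as rG means all invariants hold)."""
        self._consume(("closed", r))
        self._produce(("group", r))

    def adopt(self, x, rho):
        """`adopt x in rho`: s×, rhoG -> rhoG; x now lives in the group region rho."""
        self._consume(("closed", self.regions[x]), ("group", rho))
        self._produce(("group", rho))
        self.regions[x] = rho

    def focus(self, x, y, sigma):
        """`let y = focus x in sigma`: sigma∅, rhoG -> sigma×, sigma ⊸ rho (rho is disabled)."""
        self._consume(("empty", sigma), ("group", self.regions[x]))
        self._produce(("closed", sigma), ("implies", sigma, self.regions[x]))
        self.regions[y] = sigma  # y aliases x but is typed in sigma

    def unfocus(self, y, rho):
        """`unfocus y in rho`: sigma×, sigma ⊸ rho -> rhoG; sigma is disabled for good."""
        sigma = self.regions[y]
        self._consume(("closed", sigma), ("implies", sigma, rho))
        self._produce(("group", rho))
        del self.regions[y]


def pointer_in_group():
    """Shared set-up: a packed pointer x whose region rho has been demoted to a group."""
    c = Checker()
    c.region("rho"); c.new("x", "rho"); c.assign("x"); c.pack("x"); c.to_group("rho")
    return c


def focus_unfocus_usage():
    """The `Focus and Unfocus Usage` slide: modify x although it sits in group region rho."""
    c = pointer_in_group()
    c.region("sigma")             # { sigma∅, rhoG }
    c.focus("x", "xf", "sigma")   # { sigma×, sigma ⊸ rho }
    c.unpack("xf")                # { sigma◦, sigma ⊸ rho }
    c.assign("xf")                # { sigma◦, sigma ⊸ rho }: sigma is open, so the write type-checks
    c.pack("xf")                  # { sigma×, sigma ⊸ rho }: proof obligation inv(xf)
    c.unfocus("xf", "rho")        # { rhoG }
    return sorted(c.perms), len(c.obligations)


def rejected_programs():
    """Three ill-typed programs; returns a tag for each one the checker rejects."""
    rejected = []
    c = pointer_in_group()  # writing through a pointer of a group region
    try:
        c.assign("x")
    except PermissionViolation:
        rejected.append("write-to-group")
    c = pointer_in_group()  # extracting x twice: the first focus consumed rhoG
    c.region("s1"); c.region("s2"); c.focus("x", "a", "s1")
    try:
        c.focus("x", "b", "s2")
    except PermissionViolation:
        rejected.append("double-focus")
    c = pointer_in_group()  # re-enabling rho while the extracted pointer is still open
    c.region("sigma"); c.focus("x", "xf", "sigma"); c.unpack("xf")
    try:
        c.unfocus("xf", "rho")
    except PermissionViolation:
        rejected.append("unfocus-open")
    return rejected
```

`focus_unfocus_usage` replays the trace of the slide and ends with exactly {ρG} and two proof obligations (one per pack). `rejected_programs` shows the three things the linear discipline forbids: writing through a pointer of a group region, focusing a pointer whose group is already disabled, and unfocusing before the extracted pointer has been packed again.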
Soundness

Definition: heap H is coherent w.r.t. Σ̄:
- invariants of closed pointers hold
- ...

Theorem: if
- e is well-typed w.r.t. types, regions, permissions
- when given permissions Σ̄, e gives back Σ̄′
- e and heap H reduce to e′ and H′
- H is coherent w.r.t. Σ̄
then
- H′ is coherent w.r.t. Σ̄′
Conclusion

static type system with regions and permissions guarantees invariant preservation
- only VCs: invariants, when packing

ownership at the level of regions can handle examples such as the observer pattern

can handle some form of abstraction
- owned regions can be hidden
Need for Inference

inference of region annotations

fully annotated:

    val f () : PosInt[ρ] =
      region σ in
      let x = new PosInt[σ] in
      x := 5;
      pack x;
      let x = (adopt x in ρ) in
      region σy in
      let y = (focus x in σy) in
      unpack y;
      y := 7;
      pack y;
      unfocus y in ρ;
      y

what the programmer would like to write:

    val f () : PosInt =
      let x = new PosInt in
      x := 5;
      x := 7;
      x
Future Work

more powerful abstraction using refinement approaches

inference
- current direction: given function prototypes and focus annotations, infer the remaining annotations