Regions and Permissions for Data Invariants, Romain Bardou and Claude Marché (PowerPoint presentation)

SLIDE 1

Regions and Permissions for Data Invariants

Romain Bardou and Claude Marché, September 2009

Regions and Permissions for Data Invariants 1 / 1

SLIDE 2

Motivation

preservation of data invariants in pointer programs

◮ ownership system of Spec# [Barnett et al 04]
◮ Universe Types [Dietl, Müller 05]

static typing instead of theorem provers: how?

◮ regions [Tofte, Talpin, Jouvelot 91] ... [Banerjee et al 08]
◮ with permissions [Crary et al 99]

SLIDE 3

Data Invariant Example

class PosInt {
  int value;
  //@ invariant this.value > 0;
  void double() { value := value + value; }
}

SLIDE 4

Core Language

functional style with references (e1 := e2, !e)

type PosInt = int
  inv(this) = !this > 0
end

val double(x: PosInt): unit = x := !x + !x

focus on pointers and aliasing; ignore inheritance and dynamic dispatch

SLIDE 5

Problem: Pointer Aliasing

val f (x: PosInt, y: PosInt): unit = x := 0; x := 1 / !y

what if x = y?

[figure: pointers x and y]

SLIDE 6

Problem: Components

type SortedPair = PosInt × PosInt
  inv(this) = !this.1 < !this.2
end

val double(x: PosInt): unit = x := !x + !x

what if x is member of a SortedPair p?

[figure: x points to 4, a component of the pair p whose other component is 7]

SLIDE 7

Regions

solution: group pointers by regions

pointers of two different regions may not be aliased

[figure: pointers a, b, c, d, e, f, g, h grouped into regions]

SLIDE 8

Permissions

permission = static linear information about a region

“linear” means:

◮ permissions cannot be duplicated
◮ permissions depend on the program point
◮ operations may consume some permissions
◮ operations may produce other permissions

SLIDE 9

Empty Regions

regions are created empty

region ρ in

this produces permission ρ∅: “ρ is empty”

SLIDE 10

Allocation and Singleton Regions

pointers are allocated in empty regions

new PosInt[ρ]

this:

◮ consumes permission ρ∅
◮ produces permission ρS: “ρ is singleton”

region ρ is no longer empty: it is singleton

SLIDE 11

Group Regions

a singleton region ρ may be demoted to a group region

this is implicit; this:

◮ consumes permission ρS
◮ produces permission ρG: “ρ is group”

SLIDE 12

Adoption

adoption moves a pointer from a singleton region to an already-existing group region

if x is in region σ:

adopt x in ρ

this:

◮ consumes permissions σS and ρG
◮ produces permission ρG

SLIDE 13

The Permission Diagram (so far)

σ∅ --new--> σS --(implicit)--> σG --adopt--> ρG

SLIDE 14

Permissions for Invariants

use permissions to denote whether invariants hold

◮ ρ∅: empty region, no invariant
◮ ρ◦: open singleton region, invariant does not hold
◮ ρ×: closed singleton region, invariant holds
◮ ρG: group region, all invariants hold

only pointers in open regions can be assigned

SLIDE 15

Packing and Unpacking

pack x

packing a pointer of ρ:

◮ consumes ρ◦
◮ produces ρ×
◮ generates a proof obligation (the invariant)

unpack x

unpacking is the opposite operation:

◮ consumes ρ×
◮ produces ρ◦

SLIDE 16

The Permission Diagram (with packing)

σ∅ --new--> σ◦ --pack--> σ× --(implicit)--> σG --adopt--> ρG
σ× --unpack--> σ◦

SLIDE 17

Owned Regions

problem: invariants about other pointers?

type SortedPair ρ1, ρ2 = PosInt[ρ1] × PosInt[ρ2]
  inv(this) = !this.1 < !this.2
end

val bad(x: SortedPair ρ1, ρ2 [ρ])
  consumes ρ×, ρ1◦, ρ2◦
  produces ρ×, ρ1◦, ρ2◦
= !x.1 := 69; !x.2 := 42

[figure: x in region ρ, !x.1 in region ρ1, !x.2 in region ρ2]

SLIDE 18

Owned Regions

solution: owned regions

type SortedPair =
  own ρ1, ρ2
  PosInt[ρ1] × PosInt[ρ2]
  inv(this) = !this.1 < !this.2
end

[figure: x in region ρ, !x.1 in region ρ.ρ1, !x.2 in region ρ.ρ2]

SLIDE 19

The Permission Diagram (with owned regions)

σ∅ --new--> σ◦ (with own(σ)G) --pack--> σ× --(implicit)--> σG --adopt--> ρG
σ× --unpack--> σ◦ (with own(σ)G)

SLIDE 20

Group to Singleton?

problem: how to modify a pointer of a group region?

σ× --(implicit)--> σG --adopt--> ρG --?-->

SLIDE 21

Group to Singleton?

solution: extract the pointer to a singleton region

problem: what happens to the group region?

◮ what if several pointers are extracted?
◮ what if a pointer is extracted several times?

solution: group region temporarily disabled

SLIDE 22

Linear Implication

σ −◦ ρ

ρ is disabled temporarily
σ× must be given to enable ρ
allows temporary extraction from ρ to σ

SLIDE 23

Focus

if y in region ρ:

focus y in σ

this:

◮ consumes σ∅ and ρG
◮ produces σ× and σ −◦ ρ

region σ now also contains y

SLIDE 24

Unfocus

if y in region σ:

unfocus y in ρ

this:

◮ consumes σ× and σ −◦ ρ
◮ produces ρG

region σ is disabled definitely

SLIDE 25

Focus and Unfocus Usage

if x in group region ρ:

region σ in                   { σ∅, ρG }
let xf = (focus x in σ) in    { σ×, σ −◦ ρ }
unpack xf;                    { σ◦, σ −◦ ρ }
xf := · · ·;                  { σ◦, σ −◦ ρ }
pack xf;                      { σ×, σ −◦ ρ }
unfocus xf in ρ               { ρG }

x = xf, but:

◮ x is in ρ
◮ xf is in σ
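As an added example that is not part of the slides, the permission diagram of slides 9-16 and 22-25 as a small checker in Python: a linear context is a multiset of facts, each operation consumes and produces facts, the slide-25 sequence is replayed, and assignment to a closed pointer, adoption of an unpacked pointer and a second extraction from the same group region are refused. The region and operation names are the slides'; the encoding of facts and the Python names are my own, and the implicit singleton-to-group step is left out.

```python
from collections import Counter
class PermissionError(Exception): pass   # an operation lacks a permission it needs
# A fact is a (region, state) pair; the linear implication "sigma -o rho" is ("-o", sigma, rho).
RULES = {  # op -> (consumed facts, produced facts), after the diagram on slides 9-16 and 23-24
    "region":  lambda r:    ((),                            ((r, "empty"),)),
    "new":     lambda r:    (((r, "empty"),),               ((r, "open"),)),
    "assign":  lambda r:    (((r, "open"),),                ((r, "open"),)),    # needs open, keeps it
    "pack":    lambda r:    (((r, "open"),),                ((r, "closed"),)),  # also emits a VC
    "unpack":  lambda r:    (((r, "closed"),),              ((r, "open"),)),
    "adopt":   lambda s, r: (((s, "closed"), (r, "group")), ((r, "group"),)),
    "focus":   lambda r, s: (((s, "empty"), (r, "group")),  ((s, "closed"), ("-o", s, r))),
    "unfocus": lambda s, r: (((s, "closed"), ("-o", s, r)), ((r, "group"),)),
}
class Perms:
    """A linear context: a multiset of facts, each spent when a rule consumes it."""
    def __init__(self, *facts):
        self.ctx = Counter(facts)
        self.obligations = []       # invariants left to prove, one per pack
    def step(self, op, *regions):
        consumed, produced = RULES[op](*regions)
        for f in consumed:          # linearity: the fact must be present and is used up
            if self.ctx[f] <= 0:
                raise PermissionError(f"{op}: missing {f}")
            self.ctx[f] -= 1
        self.ctx.update(produced)
        if op == "pack":
            self.obligations.append(f"inv({regions[0]})")
        return self.snapshot()
    def snapshot(self):
        return {f for f, n in self.ctx.items() if n > 0}

def slide25_sequence():
    """Replays slide 25 from { rho-group }; returns the context after each step."""
    p = Perms(("rho", "group"))
    return [p.step("region", "sigma"),          # { sigma-empty, rho-group }
            p.step("focus", "rho", "sigma"),    # { sigma-closed, sigma -o rho }
            p.step("unpack", "sigma"),          # { sigma-open, sigma -o rho }
            p.step("assign", "sigma"),          # xf := ... allowed: sigma is open
            p.step("pack", "sigma"),            # { sigma-closed, sigma -o rho }, VC inv(sigma)
            p.step("unfocus", "sigma", "rho")]  # { rho-group }

def rejected(*program):
    """True if the (op, region...) steps are refused, starting from { rho-group }."""
    p = Perms(("rho", "group"))
    try:
        for op, *regions in program:
            p.step(op, *regions)
        return False
    except PermissionError:
        return True
```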

SLIDE 26

Soundness

Definition

heap is coherent w.r.t. Σ̄:

◮ invariants of closed pointers hold
◮ ...

Theorem

If:

◮ e is well-typed w.r.t. types, regions, permissions
◮ when given permissions Σ̄, e gives back Σ̄′
◮ e and heap H reduce to e′ and H′
◮ H is coherent w.r.t. Σ̄

then:

◮ H′ is coherent w.r.t. Σ̄′

SLIDE 27

Conclusion

static type system with regions and permissions guarantees invariant preservation

◮ only VCs: invariants, when packing
◮ ownership at the level of regions

can handle examples such as observer pattern

can handle some form of abstraction

◮ owned regions can be hidden

SLIDE 28

Need for Inference

inference of region annotations

val f (): PosInt[ρ] =
  region σ in
  let x = new PosInt[σ] in
  x := 5; pack x;
  let x = (adopt x in ρ) in
  region σy in
  let y = (focus x in σy) in
  unpack y; y := 7; pack y;
  unfocus y in ρ;
  y

val f (): PosInt =
  let x = new PosInt in
  x := 5; x := 7; x

SLIDE 29

Future Works

more powerful abstraction using refinement approaches

inference

◮ current direction: given function prototypes and focus annotations, infer remaining annotations
