Safe Programming with Pointers in ATS

1
Safe Programming with Pointers in ATS

• Dengping Zhu
• Hongwei Xi
• Boston University

2
Outline

• Introduction
• Our approach
• Examples
• Related work and conclusion

3
What is ATS?

• ATS (Applied Type System)
• Designed (by H. Xi) to support
• Functional programming
• OO programming
• Imperative programming
• Modular programming
• Meta-programming
• E.t.c
• Prototype implementation on-line

4
Introduction

• Direct memory manipulation
• Useful. E.g., Pointers in C.
• p n pointer arithmetic
• Dangerous. No safety guarantee.
• Dangling pointers
• Segmentation fault
• X p X (pn)
• Difficult to debug!!!

5
Programming with pointers

• Convert array to linked list in-place

100
108
116
124
104
112
120
128
1
8
2
3
4
5
6
7
1
108
3
116
5
124
7
0
Good!
100
108
116
124
104
112
120
128
1
8
2
3
4
5
6
7
1
112
3
120
5
128
7
0
OOPS!
6
Question

• How to develop reliable software???
• Model checking
• Expensive state space explosion etc
• Floyd-Hoare logic
• Difficult to scale
• Testing
• Time-consuming
• Can not prove the absence of errors

7
Other approaches

• Type checking
• Can enforce some safety properties.
• e.g 1 abc type error!!!
• Weak in verifying program correctness.
• e.g fun increaseByOne (x) x 1 Wrong!!!
• Weak in pointer programming

8
Motivation

• Use type system to enforce more safety properties
• Capture more program invariants
• Make pointer programming safe
• e.g array2list does return a linked list

9
Outline

• Introduction
• Our approach
• Examples
• Related work and conclusion

10
Dependent Types

• Can capture more program properties
• e.g
• 5 int(5) 3 int(3)
• Add (int, int) -gt int
• With dependent types
• Add mint, nint. (int(m), int(n)) -gt int(mn)

11
Guarded Types

• Type guards P
• e.g. n gt 0
• Guarded types P ? T
• e.g.
• factorial ?aint. a ? 0 ? (int(a) ? Int)
• Int ? ? a int. int(a)

12
Stateful Views

• To model memory layout
• Primitive views T_at_L
• getVar ?atype. ?laddr. (a_at_l ptr(l)) ? (a_at_l
  a)
• Prevent from reading dangling pointers!!!
• Address polymorphism
• Question how to treat recursive data structures?

13
Recursive Stateful Views

• For instance arrayView (a, n1, L)

L1
L
L


a_at_l
arrayView(a,n,l1)
arrayView(a,n1,l)
The other direction

L1
L
L


a_at_l
arrayView(a,n,l1)
arrayView(a,n1,l)
14
View Change

• A data structure can have different views.
• How to switch? View change functions
• e.g. split

arrayView(a,n,L)
L
Li
arrayView(a,i,L)
arrayView(a,n-i,Li)
?atype. ?nint. ?inat. ?laddr. i ? n ?
(arrayview (a, n, l) o (arrayview (a, I, l),
arrayView (a, n-i, li))
15
Outline

• Introduction
• Our approach
• Examples
• Related work and conclusion

16
Array

• dataview arrayView (type, int, addr)
• atype, laddr ArrayNone (a, 0, l)
• atype, nnat, laddr
• ArraySome (a, n1, l) of (a_at_l, arrayView (a, n,
  l1))

L1
L
L


a_at_l
arrayView(a,n,l1)
arrayView(a,n1,l)
17
Singly-linked list
List Segment
elt1
elt2
eltn
L1
L2
dataview slseg (type, int, addr, addr)
atype, laddr SlsegNone (a, 0, l, l)
atype, nnat, first,next,last first ltgt null
SlsegSome (a, n1, first, last) of (a,
ptr(next)) _at_ first, slseg (a, n, next, last))
18
Singly-linked list
elt1
elt2
eltn
L1
Viewdef sllist (a, n, l) slseg (a, n, l, null)
19
Array to list
100
108
116
124
1
8
2
3
4
5
6
7
1
108
3
116
5
124
7
0
Sllist (int, 1, 124)
Sllist (int, 2, 116)
Sllist (int, 3, 108)
Sllist (int, 4, 100)
Void array2sllist (int p, int size) int
s for (s size s gt 1 s s 1)
(p1) p2 p p2 (p1) 0
Void array2sllist (int p, int size) int
s for (s size s gt 1 s s 1)
(p1) p3 p p2 (p1) 0
20
Array to List

• fun array2sllist laddr, nnat ngt1, l ltgt
  null
• (pf arrayView (top, nn, l) p ptr(l), s
  int(n))
• (sllist (top, n, l) unit)
• if s ieq 1 then
• let
• prval ArraySome (pf0, ArraySome (pf1,
  ArrayNone)) pf
• val (pf1 _ ) setVar (pf1 p1, null)
• in (Slsegsome ((pf0, pf1), SlsegNone)
  ()) end
• else
• let prval ArraySome (pf0, ArraySome (pf1, pf))
  pf
• val (pf1 _) setVar (pf1 p1,
  p2)
• val (rest _) array2sllist (pf,
  p2, s-1)
• in (SlsegSome ((pf0, pf1), rest) ())
  end

21
Array Allocation and Initialization

• Hard to separate for the sake of memory safety
• Easy to do in ATS
• Allocation arrayView (top, n, l)
• Initialization
• ?atype. ?btype. ?nnat. ?laddr
• (arrayView (a, n, l) ptr(l), a -gt b) -gt
• (arrayView (b, n, l) ptr(l))

22
Cyclic Buffer
last
slseg (a, m , first, last)
slseg (a, n-m , last, first)
first
elt1
elt2
eltm

• viewdef bufferView (a type, m int, n int,
  first addr, last addr)
• (slseg (a, m, first, last),
• slseg (top, n-m, last, first))

23
Cyclic Buffer
(a, ptr(last)) _at_ last
(top, ptr(last)) _at_ last
last
Last
slseg (a, m , first, last)
slseg (a, n-m , last, first)
slseg (a, n-m-1 , last, first)
slseg (a, m1 , first, last)
first
elt1
elt2
eltm
eltm1

• ?atype. ?mnat. ?nnat. ?l1 addr. ?l2 addr. m
  lt n ?
• (bufferView (a, m, n, l1, l2) a, ptr(l2)) -gt
• ?l3 addr. (bufferView (a, m1, n, l1, l3)
  ptr(l3))

24
Outline

• Introduction
• Our approach
• Examples
• Related work and conclusion

25
Related Work

• Xanadu by H. Xi, 2000.
• Shape analysis. Sagiv, Reps and Wihelm, 1998.
• Alias types. Walker and Morrisett, 2000.
• A type theory for memory allocation and data
  layout. Petersen, L., R. Harper, K. Crary and F.
  Pfenning, 2003.
• Type refinements. Mandelbaum, Y., D. Walker and
  R. Harper, 2003.
• E.t.c

26
Conclusion

• the notion stateful views and view change
• Memory layout
• Can enforce more safety properties
• Safe programming with pointers