Facilitating Pointer Program Verification with Stateful Views - PowerPoint PPT Presentation

1 / 26
About This Presentation
Title:

Facilitating Pointer Program Verification with Stateful Views

Description:

Facilitating Pointer Program Verification with Stateful Views. Dengping Zhu. Hongwei Xi ... Programming with Stateful Views. Related Work and Conclusion ... – PowerPoint PPT presentation

Number of Views:43
Avg rating:3.0/5.0
Slides: 27
Provided by: Deng78
Category:

less

Transcript and Presenter's Notes

Title: Facilitating Pointer Program Verification with Stateful Views


1
Facilitating Pointer Program Verification with
Stateful Views
  • Dengping Zhu
  • Hongwei Xi
  • Boston University

2
Outline
  • Introduction
  • Programming with Stateful Views
  • Related Work and Conclusion

3
Introduction
  • Direct memory manipulation
  • Useful. E.g., Pointers in C.
  • p n pointer arithmetic
  • Dangerous. No safety guarantee.
  • Dangling pointers
  • Segmentation faults, Bus errors,
  • X (pn) // potentially out-of-bounds
  • Difficult to debug!

4
Motivation
  • Use types to enforce more safety properties
  • Make programming with pointers safe
  • e.g
  • x p we want p not to be a dangling
    pointer
  • x (p n) we want n to be within the array
    bounds
  • How to achieve this?

5
Dependent Types
  • Can capture more program properties
  • e.g
  • 5 int(5) 3 int(3)
  • Add (Int, Int) -gt Int
  • With dependent types
  • Add ?m int. ? n int. (int(m), int(n)) -gt
    int(mn)

6
Dependent Types
  • list (T, I) the type for lists of length I in
    which each element is of type T.
  • List reversal
  • a type. ? n int. list (a, n) -gt list (a, n)

7
Guarded Asserting Types
  • Guarded types P ? T
  • e.g. factorial ?aint. a ? 0 ? (int(a) ? Int)
  • where Int ? ? a int. int(a) is the type for
    all integers.
  • Asserting types P ? T
  • Example a function from non-negative integers
    to negative integers
  • ?a int. a ? 0 ? (int(a) -gt ? a int. ( a lt
    0) ? int(a))

8
Stateful Views
  • To model memory data layouts
  • Primitive views T_at_L
  • T is a type
  • L is a memory address
  • A value of type T is stored at address L
  • E.g.
  • int(5) _at_ 100 5 is stored at address 100

100
5
9
Stateful Views
  • Other stateful views are built on top of
    primitive views
  • Adjacent views (T1_at_L, T2_at_L1)
  • A value of type T1 is stored at L
  • A value of type T2 is stored at L1
  • May be written as (T1, T2) _at_ L

L
L1
T1
T2
10
View Types (VT)
  • E.g. V ? T
  • Example
  • getVar ?atype. ?laddr. (a_at_l ? ptr(l)) ? (a_at_l ?
    a)
  • Read from a pointer
  • Prevent from reading dangling pointers!
  • setVar ? atype. ?laddr. (top_at_l ? (a, ptr(l)))
    ? (a_at_l ? 1)

11
Recursive Stateful Views
  • For instance array

arrayView (T, I, L) an array of type T
with length I is stored at address L
L
L
No Memory
No Memory
arrayView(T,0,L)
L1
L
L


T_at_L
arrayView(T,I,L1)
arrayView(T,I1,L)
12
View Change
  • A data structure can have different views.
  • How to switch? View change functions
  • e.g. split

arrayView(a,n,L)
L
Li
arrayView(a,i,L)
arrayView(a,n-i,Li)
?atype. ?nint. ?inat. ?laddr. i ? n ?
(arrayview (a, n, l) o (arrayview (a, i, l),
arrayView (a, n-i, li))
13
Persistent Stateful Views
  • Pointer sharing. How?
  • Intuition
  • linear (ephemeral) stateful views can be upgraded
    to persistent stateful views
  • Persistent views can be temporally downgraded to
    linear views
  • when returns, the view must be the same as the
    original one.

14
Persistent Stateful Views
Linear
Persistent
Linear
upgrade
Return
a_at_L
!(a_at_L)
a_at_L
borrow
a_at_L
b_at_L
Linear
Linear
15
Outline
  • Introduction
  • Programming with Stateful Views
  • Related Work and Conclusion

16
ATS (the language)
Type System
Proof System
Proof Language
Programming Language
All Proofs are erased after type checking.
17
Swap
  • swap ?t1type. ?t2type. ?l1addr. ?l2addr.
  • (t1_at_l1, t2_at_l2) ? (ptr(l1), ptr(l2)) -gt (t2_at_l1,
    t1_at_l2) ? unit

fun swap t1type, t2type, l1addr, l2addr
(pf1 t1_at_l1, pf2 t2_at_l2 ? p1 ptr(l1), p2
ptr(l2)) (t2 _at_ l1, t1 _at_ l2 ? unit)
let val (pf1 ? tmp1) getVar (pf1 ?
p1) val (pf2 ? tmp2) getVar (pf2 ?
p2) val (pf1 ? _ ) setVar (pf1 ?
tmp2, p1) val (pf2 ? _) setVar
(pf2 ? tmp1, p2) in (pf1, pf2
? ()) end
l1
l2
t1
t2
t2
t1
pf1
pf2
pf2
pf1
pf2
pf1
18
Array
  • dataview arrayView (type, int, addr)
  • atype, laddr ArrayNone (a, 0, l)
  • atype, nnat, laddr
  • ArraySome (a, n1, l) of (a_at_l, arrayView (a, n,
    l1))

ArrayNone ?a type. ?laddr. () o arrayView
(a, 0, l)
ArraySome ?a type. ?laddr. ? n nat.
(a_at_l, arrayView(a, n, l1)) o arrayView (a,
n1, l)
19
Array
  • getFirst (get out the first element of a nonempty
    array)
  • ?a type. ?n int. ?l addr. n gt 0 ?
  • (arrayView (a, n, l) ? ptr(l)) -gt (arrayView (a,
    n, l) ? a)
  • fun getFirst atype, nint, laddr n gt 0
  • (pf arrayView (a, n, l) p ptr(l))
  • (arrayView (a, n, l) a)
  • let
  • prval ArraySome (pf1, pf2) pf
  • val (pf1 x) getVar (pf1 p)
  • in
  • (ArraySome (pf1, pf2) x)
  • end

arrayView(a,n,l)
l
l
l1


a_at_l
arrayView(a,n-1,l1)
pf1
pf1
pf2
20
Array
  • Safe subscripting function
  • ?atype. ?n int. ?i nat. ?l addr. n gt i ?
  • ((arrayView (a, n, l) ? ptr(l), int(i)) ?
    (arrayView (a, n, l) ? a)
  • How to implement?
  • Pseudo-code for a naïve implementation
  • fun sub (p, offset)
  • if offset 0 then getFirst p
  • else sub (p1, offset 1)
  • Safe! But, O(i)-time !!!

21
Array
  • An implementation in C
  • int sub (int p, int offset) (p offset)
  • O(1)-time. But, unsafe.
  • We want O(1)-time safe
  • How to do it?

View Change
22
Array
  • Our implementation
  • fun sub a type, n int, i nat, l addr n gt
    i
  • (pf arrayView (a, n, l) ? p ptr(l), i int(i))
  • (arrayView (a, n, l) ? a)
  • let
  • // the following line is erased before
    execution
  • prval (pf1, pf2) split (pf)
  • val (pf2 x) getFirst (pf2 p i)
  • in
  • // unsplit is erased
  • // before execution
  • (unsplit (pf1, pf2) x)
  • end

pf
arrayView(a,n,l)
l
Li
arrayView(a,i,l)
arrayView(a,n-i,li)
pf1
pf2
pf2
23
More Examples
  • Find more on-line
  • Singly-linked lists cyclic buffer,
  • Doubly-linked lists
  • Doubly-linked binary trees splay trees,
  • Implementation is done in ATS
  • http//www.cs.bu.edu/hwxi/ATS/

24
Outline
  • Introduction
  • Programming with Stateful Views
  • Related Work and Conclusion

25
Some Related Work
  • Separation logic. Reynolds, 2002.
  • Shape analysis. Sagiv, Reps and Wihelm, 1998.
  • Alias types. Walker and Morrisett, 2000.
  • A type theory for memory allocation and data
    layout. Petersen, L., R. Harper, K. Crary and F.
    Pfenning, 2003.
  • Adoption and Focus. M. Fahndrich and R. Deline,
    2002.
  • Xanadu. H. Xi, 2000.

26
Conclusion
  • The notion of stateful views provides a general
    and flexible approach to safe programming with
    pointers
  • The need for view changes during programming
  • The use of dataviews in describing memory layouts
  • Separation between memory allocation and
    initialization
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Facilitating Pointer Program Verification with Stateful Views" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!