Safe Programming with Pointers through Stateful Views Dengping Zhu Hongwei Xi Boston University.

Safe Programming with Safe Programming with PointersPointers

through Stateful Views through Stateful Views

Dengping ZhuHongwei Xi

Boston University

Safe Programming with Pointers througSafe Programming with Pointers through Stateful Viewsh Stateful Views

22

OutlineOutline

• Introduction • Programming with Stateful Views• Related Work and Conclusion


33

IntroductionIntroduction

• Direct memory manipulation– Useful. E.g., Pointers in C.

p + n : pointer arithmetic

– Dangerous. No safety guarantee.• Dangling pointers• Segmentation faults, Bus errors, …• X = * (p+n) // potentially out-of-bounds

– Difficult to debug!


44

MotivationMotivation

• Use types to enforce more safety properties

• Make programming with pointers safee.g:

x = * p : we want p not to be a dangling pointerx = * (p + n) : we want n to be within the array bounds

• How to achieve this?


55

Dependent TypesDependent Types

• Can capture more program propertiese.g:

5: int(5); 3: int(3);

• Add: (Int, Int) -> Int

With dependent types: Add: m: int. n: int. (int(m), int(n)) ->

int(m+n)


66

Dependent TypesDependent Types

• list (T, I) : the type for lists of length I in which each element is of type T.

• List reversal: a: type. n: int. list (a, n) -> list (a, n)


77

Guarded TypesGuarded Types

• Type guards: P e.g.: n > 0

• Guarded types: P Te.g. :

factorial : a:int. a 0 (int(a) Int) where Int a: int. int(a) is the type for all integers.


88

Asserting typesAsserting types

• The form: P T• Example: a function from non-negative

integers to negative integersa : int. a 0 (int(a) -> a’ : int. ( a’ < 0)

int(a’))


99

Stateful ViewsStateful Views

• To model memory data layouts• Primitive views: T@L

– T is a type– L is a memory address – A value of type T is stored at address L– E.g.:

int(5) @ 100 : 5 is stored at address 1005

100


1010

Stateful ViewsStateful Views

• Other stateful views are built on top of primitive views

• Adjacent views: (T1@L, T2@L+1)– A value of type T1 is stored at L– A value of type T2 is stored at L+1 – May be written as (T1, T2) @ L

T1 T2

L L+1


1111

Stateful ViewsStateful Views• Example:

getVar: a:type. l:addr. (a@l ptr(l)) (a@l a)– Read from a pointer– Prevent from reading dangling pointers!– Address polymorphism

setVar: a:type. l:addr. (top@l a, ptr(l)) (a@l 1)

• Question: how to treat recursive data structures?


1212

Recursive Stateful ViewsRecursive Stateful Views

• For instance: array

…L L+1

T@L arrayView(T,I,L+1)

…L

arrayView(T,I+1,L)

arrayView(T,0,L)

L

No Memory

L

No Memory

arrayView (T, I, L) :

an array of type T with length I is stored at address L


1313

View ChangeView Change

• A data structure can have different views. • How to switch? – View change functions

e.g.: split L arrayView(a,n,L)L+i

arrayView(a,i,L)

arrayView(a,n-i,L+i)

a:type. n:int. i:nat. l:addr. i n

(arrayview (a, n, l) –o

(arrayview (a, i, l), arrayView (a, n-i, l+i))


1414

OutlineOutline



1515

SwapSwapswap: t1:type. t2:type. l1:addr. l2:addr.

(t1@l1, t2@l2 ptr(l1), ptr(l2)) -> (t2@l1, t1@l2 unit)

let val (pf1’ tmp1) = getVar (pf1 p1) val (pf2’ tmp2) = getVar (pf2 p2) val (pf1’’ _ ) = setVar (pf1’ tmp2, p1) val (pf2’’ _) = setVar (pf2’ tmp1, p2) in (pf1’’, pf2’’ ‘())end

t1 t2

l1 l2

fun swap {t1:type, t2:type, l1:addr, l2:addr} (pf1: t1@l1, pf2: t2@l2 p1: ptr(l1), p2: ptr(l2)) : (t2 @ l1, t1 @ l2 unit) =

pf1 pf2

t2

pf1’

t1

pf2’pf1’’ pf2’’


1616

SwapSwap

• Certain proofs can be consumed and generated implicitly

• For instance:

fun swap {t1:type, t2:type, l1:addr, l2:addr}

(pf1: t1@l1, pf2: t2@l2 p1: ptr(l1), p2: ptr(l2))

: (t2 @ l1, t1 @ l2 unit) =

let val tmp := !p1 in p1 := !p2; p2 := tmp end


1717

ArrayArray

• dataview arrayView (type, int, addr) =| {a:type, l:addr} ArrayNone (a, 0, l)| {a:type, n:nat, l:addr}

ArraySome (a, n+1, l) of (a@l, arrayView (a, n, l+1))

ArrayNone : a: type. l:addr. () –o arrayView (a, 0, l)

ArraySome:

a: type. l:addr. n: nat.

(a@l, arrayView(a, n, l+1)) –o arrayView (a, n+1, l)


1818

ArrayArray• getFirst (get out the first element of a nonempty

array):a: type. n: int. l: addr. n > 0

(arrayView (a, n, l) | ptr(l)) -> (arrayView (a, n, l) | a)

fun getFirst {a:type, n:int, l:addr | n > 0}

(pf : arrayView (a, n, l) | p : ptr(l)) : (arrayView (a, n, l) | a) = let

prval ArraySome (pf1, pf2) = pf val (pf1’ | x) = getVar (pf1 | p)

in (ArraySome (pf1’, pf2) | x)

end

…a@l

arrayView(a,n-1,l+1)

…l arrayView(a,n,l)l l+1

pf1 pf2pf1’


1919

ArrayArray

• Safe subscripting function:a:type. n: int. i: nat. l: addr. n > i

((arrayView (a, n, l) | ptr(l), int(i)) (arrayView (a, n, l) | a)

• How to implement? Pseudo-code for a naïve implementation: fun sub (p, offset) =

if offset = 0 then getFirst p else sub (p+1, offset – 1)

• Safe! But, O(i)-time !!!


2020

ArrayArray

• An implementation in Cint sub (int [ ] p, int offset) = * (p + offset)

• O(1)-time. But, unsafe. • We want: O(1)-time + safe• How to do it?


2121

ArrayArray

• View Change• For any 0 i n, an array of size n at address L

can be viewed as two arrays: – One of size i at L – The other of size n – i at L+i

• The split function• The unsplit function

L arrayView(a,n,L)L+i

arrayView(a,i,L)

arrayView(a,n-i,L+i)


2222

ArrayArray• Our implementation

fun sub {a: type, n: int, i: nat, l: addr | n > i}(pf: arrayView (a, n, l) | p: ptr(l), i: int(i))

: (arrayView (a, n, l) | a) = let // the following line is erased before execution prval (pf1, pf2) = split (pf)

val (pf2’ | x) = getFirst (pf2 | p + i) in // ‘unsplit’ is erased // before execution (unsplit (pf1, pf2’) | x) end

l arrayView(a,n,l)L+i

arrayView(a,i,l)

arrayView(a,n-i,l+i)pf1 pf2

pf

pf2’


2323

More ExamplesMore Examples

• Find more on-line– Singly-linked lists : cyclic buffer, …– Doubly-linked lists– Doubly-linked binary trees: splay trees,

…– ……

• Implementation is done in ATS

http://www.cs.bu.edu/~hwxi/ATS/


2424

OutlineOutline



2525

ConclusionConclusion

• The notion of stateful views provides a general and flexible approach to safe programming with pointers– The need for view changes during

programming– The use of dataviews in describing

memory layouts– Separation between memory allocation

and initialization– ……


2626

Some Related WorkSome Related Work

• Separation logic. Reynolds, 2002. • Shape analysis. Sagiv, Reps and Wihelm, 1998. • Alias types. Walker and Morrisett, 2000.• A type theory for memory allocation and data

layout. Petersen, L., R. Harper, K. Crary and F. Pfenning, 2003.

• Type refinements. Mandelbaum, Y., D. Walker and R. Harper, 2003.

• Xanadu. H. Xi, 2000. • ……

Safe Programming with Pointers through Stateful Views Dengping Zhu Hongwei Xi Boston University.

Documents

Transcript of Safe Programming with Pointers through Stateful Views Dengping Zhu Hongwei Xi Boston University.