Presentation is loading. Please wait.

Presentation is loading. Please wait.

Safe Programming with Pointers through Stateful Views Dengping Zhu Hongwei Xi Boston University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Safe Programming with Pointers through Stateful Views Dengping Zhu Hongwei Xi Boston University."— Presentation transcript:

1 Safe Programming with Pointers through Stateful Views Dengping Zhu Hongwei Xi Boston University

2 Safe Programming with Pointers through Stateful Views2 Outline Introduction Programming with Stateful Views Related Work and Conclusion

3 Safe Programming with Pointers through Stateful Views3 Introduction Direct memory manipulation –Useful. E.g., Pointers in C. p + n : pointer arithmetic –Dangerous. No safety guarantee. Dangling pointers Segmentation faults, Bus errors, … X = * (p+n) // potentially out-of-bounds –Difficult to debug!

4 Safe Programming with Pointers through Stateful Views4 Motivation Use types to enforce more safety properties Make programming with pointers safe e.g: x = * p : we want p not to be a dangling pointer x = * (p + n) : we want n to be within the array bounds How to achieve this?

5 Safe Programming with Pointers through Stateful Views5 Dependent Types Can capture more program properties e.g: 5: int(5); 3: int(3); Add: (Int, Int) -> Int With dependent types: Add:  m: int.  n: int. (int(m), int(n)) -> int(m+n)

6 Safe Programming with Pointers through Stateful Views6 Dependent Types list (T, I) : the type for lists of length I in which each element is of type T. List reversal:  a: type.  n: int. list (a, n) -> list (a, n)

7 Safe Programming with Pointers through Stateful Views7 Guarded Types Type guards: P e.g.: n > 0 Guarded types: P  T e.g. : factorial :  a:int. a  0  (int(a)  Int) where Int   a: int. int(a) is the type for all integers.

8 Safe Programming with Pointers through Stateful Views8 Asserting types The form: P  T Example: a function from non-negative integers to negative integers  a : int. a  0  (int(a) ->  a’ : int. ( a’ < 0)  int(a’))

9 Safe Programming with Pointers through Stateful Views9 Stateful Views To model memory data layouts Primitive views: T@L –T is a type –L is a memory address –A value of type T is stored at address L –E.g.: int(5) @ 100 : 5 is stored at address 100 5 100

10 Safe Programming with Pointers through Stateful Views10 Stateful Views Other stateful views are built on top of primitive views Adjacent views: (T1@L, T2@L+1) –A value of type T1 is stored at L –A value of type T2 is stored at L+1 –May be written as (T1, T2) @ L T1T2 LL+1

11 Safe Programming with Pointers through Stateful Views11 Stateful Views Example: getVar:  a:type.  l:addr. (a@l  ptr(l))  (a@l  a) –Read from a pointer –Prevent from reading dangling pointers! –Address polymorphism setVar:  a:type.  l:addr. (top@l  a, ptr(l))  (a@l  1) Question: how to treat recursive data structures?

12 Safe Programming with Pointers through Stateful Views12 Recursive Stateful Views For instance: array … L L+1 T@LarrayView(T,I,L+1) … L arrayView(T,I+1,L) arrayView(T,0,L) L No Memory L arrayView (T, I, L) : an array of type T with length I is stored at address L

13 Safe Programming with Pointers through Stateful Views13 View Change A data structure can have different views. How to switch? – View change functions e.g.: split L arrayView(a,n,L) L+i arrayView(a,i,L)arrayView(a,n-i,L+i)  a:type.  n:int.  i:nat.  l:addr. i  n  (arrayview (a, n, l) –o (arrayview (a, i, l), arrayView (a, n-i, l+i))

14 Safe Programming with Pointers through Stateful Views14 Outline Introduction Programming with Stateful Views Related Work and Conclusion

15 Safe Programming with Pointers through Stateful Views15 Swap swap:  t1:type.  t2:type.  l1:addr.  l2:addr. (t1@l1, t2@l2  ptr(l1), ptr(l2)) -> (t2@l1, t1@l2  unit) let val (pf1’  tmp1) = getVar (pf1  p1) val (pf2’  tmp2) = getVar (pf2  p2) val (pf1’’  _ ) = setVar (pf1’  tmp2, p1) val (pf2’’  _) = setVar (pf2’  tmp1, p2) in (pf1’’, pf2’’  ‘()) end t1t2 l1l2 fun swap {t1:type, t2:type, l1:addr, l2:addr} (pf1: t1@l1, pf2: t2@l2  p1: ptr(l1), p2: ptr(l2)) : (t2 @ l1, t1 @ l2  unit) = pf1pf2 t2 pf1’ t1 pf2’pf1’’pf2’’

16 Safe Programming with Pointers through Stateful Views16 Swap Certain proofs can be consumed and generated implicitly For instance: fun swap {t1:type, t2:type, l1:addr, l2:addr} (pf1: t1@l1, pf2: t2@l2  p1: ptr(l1), p2: ptr(l2)) : (t2 @ l1, t1 @ l2  unit) = let val tmp := !p1 in p1 := !p2; p2 := tmp end

17 Safe Programming with Pointers through Stateful Views17 Array dataview arrayView (type, int, addr) = | {a:type, l:addr} ArrayNone (a, 0, l) | {a:type, n:nat, l:addr} ArraySome (a, n+1, l) of (a@l, arrayView (a, n, l+1)) ArrayNone :  a: type.  l:addr. () –o arrayView (a, 0, l) ArraySome :  a: type.  l:addr.  n: nat. (a@l, arrayView(a, n, l+1)) –o arrayView (a, n+1, l)

18 Safe Programming with Pointers through Stateful Views18 Array getFirst ( get out the first element of a nonempty array ):  a: type.  n: int.  l: addr. n > 0  (arrayView (a, n, l) | ptr(l)) -> (arrayView (a, n, l) | a) fun getFirst {a:type, n:int, l:addr | n > 0} (pf : arrayView (a, n, l) | p : ptr(l)) : (arrayView (a, n, l) | a) = let prval ArraySome (pf1, pf2) = pf val (pf1’ | x) = getVar (pf1 | p) in (ArraySome (pf1’, pf2) | x) end … a@larrayView(a,n-1,l+1) … l arrayView(a,n,l) l l+1 pf1pf2 pf1’

19 Safe Programming with Pointers through Stateful Views19 Array Safe subscripting function:  a:type.  n: int.  i: nat.  l: addr. n > i  ((arrayView (a, n, l) | ptr(l), int(i))  (arrayView (a, n, l) | a) How to implement? Pseudo-code for a na ï ve implementation: fun sub (p, offset) = if offset = 0 then getFirst p else sub (p+1, offset – 1) Safe! But, O(i)-time !!!

20 Safe Programming with Pointers through Stateful Views20 Array An implementation in C int sub (int [ ] p, int offset) = * (p + offset) O(1)-time. But, unsafe. We want: O(1)-time + safe How to do it?

21 Safe Programming with Pointers through Stateful Views21 Array View Change For any 0  i  n, an array of size n at address L can be viewed as two arrays: –One of size i at L –The other of size n – i at L+i The split function The unsplit function L arrayView(a,n,L) L+i arrayView(a,i,L) arrayView(a,n-i,L+i)

22 Safe Programming with Pointers through Stateful Views22 Array Our implementation fun sub {a: type, n: int, i: nat, l: addr | n > i} (pf: arrayView (a, n, l) | p: ptr(l), i: int(i)) : (arrayView (a, n, l) | a) = let // the following line is erased before execution prval (pf1, pf2) = split (pf) val (pf2’ | x) = getFirst (pf2 | p + i) in // ‘unsplit’ is erased // before execution (unsplit (pf1, pf2’) | x) end l arrayView(a,n,l) L+i arrayView(a,i,l) arrayView(a,n-i,l+i) pf1pf2 pf pf2’

23 Safe Programming with Pointers through Stateful Views23 More Examples Find more on-line –Singly-linked lists : cyclic buffer, … –Doubly-linked lists –Doubly-linked binary trees: splay trees, … –…… Implementation is done in ATS http://www.cs.bu.edu/~hwxi/ATS/

24 Safe Programming with Pointers through Stateful Views24 Outline Introduction Programming with Stateful Views Related Work and Conclusion

25 Safe Programming with Pointers through Stateful Views25 Conclusion The notion of stateful views provides a general and flexible approach to safe programming with pointers –The need for view changes during programming –The use of dataviews in describing memory layouts –Separation between memory allocation and initialization –……

26 Safe Programming with Pointers through Stateful Views26 Some Related Work Separation logic. Reynolds, 2002. Shape analysis. Sagiv, Reps and Wihelm, 1998. Alias types. Walker and Morrisett, 2000. A type theory for memory allocation and data layout. Petersen, L., R. Harper, K. Crary and F. Pfenning, 2003. Type refinements. Mandelbaum, Y., D. Walker and R. Harper, 2003. Xanadu. H. Xi, 2000. ……

Download ppt "Safe Programming with Pointers through Stateful Views Dengping Zhu Hongwei Xi Boston University."

Similar presentations

Automated Verification with HIP and SLEEK Asankhaya Sharma.

Automated Verification with HIP and SLEEK Asankhaya Sharma.
Introduction to Programming Lecture 15. In Today’s Lecture Pointers and Arrays Manipulations Pointers and Arrays Manipulations Pointers Expression Pointers.

Introduction to Programming Lecture 15. In Today’s Lecture Pointers and Arrays Manipulations Pointers and Arrays Manipulations Pointers Expression Pointers.
The Semantic Soundness of a Type System for Interprocedural Register Allocation and Constructor Registration Torben Amtoft Kansas State University joint.

The Semantic Soundness of a Type System for Interprocedural Register Allocation and Constructor Registration Torben Amtoft Kansas State University joint.
Imperative Programming with Dependent Types Hongwei Xi University of Cincinnati.

Imperative Programming with Dependent Types Hongwei Xi University of Cincinnati.
1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.

1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
534 534534 534 534 534 534 A Type Theory for Memory Allocation and Data Layout Leaf Petersen, Robert Harper, Karl Crary and Frank Pfenning Carnegie Mellon.

A Type Theory for Memory Allocation and Data Layout Leaf Petersen, Robert Harper, Karl Crary and Frank Pfenning Carnegie Mellon.
Chapter 5: Elementary Data Types Properties of types and objects –Data objects, variables and constants –Data types –Declarations –Type checking –Assignment.

Chapter 5: Elementary Data Types Properties of types and objects –Data objects, variables and constants –Data types –Declarations –Type checking –Assignment.
Compiler Construction

Compiler Construction
1 CPS Transform for Dependent ML Hongwei Xi University of Cincinnati and Carsten Schürmann Yale University.

1 CPS Transform for Dependent ML Hongwei Xi University of Cincinnati and Carsten Schürmann Yale University.
ISBN 0- 0-321-49362-1 Chapter 10 Implementing Subprograms.

ISBN Chapter 10 Implementing Subprograms.
Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.

Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.
May 1, 2003May 1, 2003 1 Imperative Programming with Dependent Types Hongwei Xi Boston University.

May 1, 2003May 1, Imperative Programming with Dependent Types Hongwei Xi Boston University.
Facilitating Program Verification with Dependent Types Hongwei Xi Boston University.

Facilitating Program Verification with Dependent Types Hongwei Xi Boston University.
ISBN 0-321-19362-8 Chapter 10 Implementing Subprograms.

ISBN Chapter 10 Implementing Subprograms.
1 Motivation Dynamically allocated storage and pointers are an essential programming tools –Object oriented –Modularity –Data structure But –Error prone.

1 Motivation Dynamically allocated storage and pointers are an essential programming tools –Object oriented –Modularity –Data structure But –Error prone.
ISBN 0- 0-321-49362-1 Chapter 10 Implementing Subprograms.

ISBN Chapter 10 Implementing Subprograms.
1 A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University.

1 A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University.
Semantics of Calls and Returns

Semantics of Calls and Returns
1 Dependent Types in Practical Programming Hongwei Xi University of Cincinnati.

1 Dependent Types in Practical Programming Hongwei Xi University of Cincinnati.

Similar presentations

Ads by Google