Safe Dynamic Memory Management in Ada and SPARK

Size: px

Start display at page:

Download "Safe Dynamic Memory Management in Ada and SPARK"

Lily Walton
5 years ago
Views:

AdaCore Ada-Europe June 19, 2018 SPARK Maroua

1 Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej, Tucker Taft, Yannick Moy AdaCore Ada-Europe June 19, 2018 Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 1/28

2 Why Try To Verify Use of Pointers? Automatic storage management Control unknown aliasing of names Use pointers in SPARK for formal verification How? Implement a variant of pointer Ownership Inspired from Rust Concurrent-Read-Exclusive-Write (CREW) policy Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 2/28

3 Quick Reminder 1/2 Named types: type Int Ptr is access Integer; X : Int Ptr; Anonymous types: Y : access Integer; General access types type Int Cst Ptr is access constant Integer; type Int Cst Ptr is access all Integer; Pool-specific access types No general access modifier appears Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 3/28

4 Quick Reminder 2/2 Access types X : Int Ptr; Composite types type Rec is record Data : Int Ptr; end record By-copy types Parameter passed by copy By-reference types Parameter passed by reference: a view on the actual parameter Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 4/28

5 Motivating Example: Swap Pointers 1 t y p e I n t P t r i s a c c e s s I n t e g e r ; 2 3 p r o c e d u r e Swap ( X Param, Y Param : i n o u t I n t P t r ) i s 4 Tmp : I n t P t r := X Param ; 5 b e g i n Dangling refs? 6 X Param : = Y Param ; 7 Y Param : = Tmp ; 8 end Swap ; Storage leaks? 9 10 X : I n t P t r := new I n t e g e r ; 11 Y : I n t P t r := new I n t e g e r ; Swap (X, Y) ; Correct result? Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 5/28

6 Pointer Ownership: Overview Idea: No more than one owning pointer to a given object Constraints: Composite types are by-reference types Always passed by reference Access types are pool-specific types Cannot point to stack Goal: Automatic storage management Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 6/28

7 Pointer Ownership: Overview Idea: No more than one owning pointer to a given object Constraints: Composite types are by-reference types Always passed by reference Access types are pool-specific types Cannot point to stack Goal: Automatic storage management Operations Move complete transfer of the ownership Borrow temporary transfer of the ownership Observe no owning object Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 6/28

8 Pointer Ownership: Overview Idea: No more than one owning pointer to a given object Constraints: Composite types are by-reference types Always passed by reference Access types are pool-specific types Cannot point to stack Goal: Automatic storage management Operations Move Borrow Observe Objects states Unrestricted Read Write Observed Read Only Borrowed No Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 6/28

9 Contents 1 Moving Operations 2 Borrowing Operations 3 Observing Operations 4 Formal Verification in SPARK 5 Conclusion Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 7/28

10 Moving Operations Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 8/28

11 Moving Access Values When: Assignment to named variables or return objects parameters of mode out/in-out Example: Y : Int Ptr; X : Int Ptr := Y; Conditions X, Y of named type X, Y unrestricted Results X unrestricted Old storage of X deallocated Y unrestricted, null Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 9/28

12 Moving Composite Types When: Assignment to variables or return objects parameters of mode out/in-out Example: R : Rec := (...); S : Rec := (...); S := R; Conditions R, S unrestricted Results S unrestricted Old S components deallocated R unrestricted; components null Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 10/28

13 Borrowing Operations Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 11/28

14 Borrowing Access Values When: Initializing in parameters stand-alone anonymous objects constants of an access-to-variable type Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 12/28

15 Borrowing Access Values When: Initializing in parameters stand-alone anonymous objects constants of an access-to-variable type Example: procedure f(x Param : in Int Ptr); f(x); Conditions X Param of mode in; access-to-variable type X unrestricted Results X Param unrestricted X borrowed Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 12/28

16 Borrowing Access Values When: Initializing in parameters anonymous stand-alone objects constants of an access-to-variable type Example: X : access Integer := Y Conditions X of an anonymous access-to-variable type Y unrestricted Results X unrestricted Y borrowed Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 13/28

17 Borrowing Access Values When: Initializing in parameters anonymous stand-alone objects constants of an access-to-variable type Example: X : access Integer := Y Conditions X of an anonymous access-to-variable type Y unrestricted Results X unrestricted Y borrowed Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 13/28

18 Borrowing Composite Objects When: Passing parameters of mode out or in-out Example: procedure f(x Param : in out Rec); f(x); Conditions X Param of mode in-out X passed by-reference Results X Param unrestricted X borrowed Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 14/28

19 Observing Operations Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 15/28

20 Observing Access Values When: Initializing in parameters anonymous stand-alone objects of an access-to-constant type Example: X : access constant Integer := Y; Conditions X of an anonymous access-to-constant type Y unrestricted or observed Results X observed Read Only Y observed Read Only Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 16/28

21 Observing Access Values When: Initializing in parameters anonymous stand-alone objects of an access-to-constant type Example: X : access constant Integer := Y; Conditions X of an anonymous access-to-constant type Y unrestricted or observed Results X observed Read Only Y observed Read Only Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 16/28

22 Observing Composite Types When: Initializing constant stand-alone objects parameters of mode in Example: procedure f(x Param : in Rec); f(x); Conditions X Param of mode in X passed by-reference Results X Param observed RO X observed RO Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 17/28

23 Observing Composite Types When: Initializing constant stand-alone objects parameters of mode in Example: procedure f(x Param : in Rec); f(x); Conditions X Param of mode in X passed by-reference Results X Param observed RO X observed RO Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 17/28

24 Example Cont d: Swap Pointers 1 t y p e I n t P t r i s a c c e s s I n t e g e r ; 2 3 p r o c e d u r e Swap ( X Param, Y Param : i n o u t I n t P t r ) i s 4 Tmp : Int Ptr := X Param ; 5 b e g i n 6 X Param := Y Param ; 7 Y Param := Tmp ; 8 end Swap ; 9 10 X : I n t P t r := new I n t e g e r ; 11 Y : I n t P t r := new I n t e g e r ; Swap ( X, Y ) ; Tmp is the new owning object No dangling reference, cannot dereference the old value of X Param Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 18/28

25 Formal Verification in SPARK Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 19/28

26 SPARK - What it is? A programming language A subset of Ada, designed for static verification Additional features to enhance program specification Ada SP ARK Ada F eatures outside the SP ARK subset Core language common to Ada and SP ARK Additional SP ARK aspects A set of program verification tools Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 20/28

27 Why Aliasing Matters in SPARK? 1 t y p e I n t P t r i s a c c e s s I n t e g e r ; 2 3 p r o c e d u r e Add One ( X Param, Y Param : i n I n t P t r ) w ith 4 P o s t => X Param. a l l = X Param. a l l Old and Y Param. a l l = Y Param. a l l Old i s 7 b e g i n 8 X Param. a l l := X Param. a l l + 1 ; 9 Y Param. a l l := Y Param. a l l + 1 ; 10 end Add One ; Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 21/28

28 Why Aliasing Matters in SPARK? 1 t y p e I n t P t r i s a c c e s s I n t e g e r ; 2 3 p r o c e d u r e Add One ( X Param, Y Param : i n I n t P t r ) w ith 4 P o s t => X Param. a l l = X Param. a l l Old and Y Param. a l l = Y Param. a l l Old i s 7 b e g i n 8 X Param. a l l := X Param. a l l + 1 ; 9 Y Param. a l l := Y Param. a l l + 1 ; 10 end Add One ; If SPARK ignored aliasing: 1 X : I n t P t r := new I n t e g e r ( 3 ) ; 2 (... ) 3 4 Add One (X, X) ; 5 pragma A s s e r t (X. a l l = 4) ; i n c o r r e c t a s s e r t i o n Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 21/28

29 With Ownership Types: Alias Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 22/28

30 With Ownership Types: Alias Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 23/28

31 With Ownership Types: Alias Free Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 24/28

32 Conclusion Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 25/28

33 Conclusion Pointer Ownership Approach Inspired from Rust Safe pointers w.r.t to CREW policy: full ownership (read/write access); partial ownership (read-only access) Pointer Ownership Goals For Ada No storage leaks No dangling references For SPARK No hidden aliasing Can verify correctness of algorithms Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 26/28

34 Supporting Pointers in SPARK: Steps Borrowing Safe Pointers From Rust to SPARK 1 SPARK Formal Verification: Prototype SPARK Formal Verification: In Production Access Value Ownership 2 Ada 2020? Georges-Axel Jaloyan, Yannick Moy, and Andrei Paskevich. Borrowing Safe Pointers From Rust in SPARK url: 2 AdaCore. Access value ownership and parameter aliasing url: Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 27/28

35 Questions? Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 28/28

Safe Dynamic Memory Management in Ada and SPARK

Safe Dynamic Memory Management in Ada and SPARK Maroua Maalej 1, Tucker Taft 2, Yannick Moy 1 1 AdaCore Paris, France maalej@adacore.com, moy@adacore.com 2 Adacore New York, USA taft@adacore.com Abstract.