From: moy@adacore.com
Subject: Re: Rust's temporal safety for Ada/SPARK
Date: Sun, 14 May 2017 14:28:34 -0700 (PDT)
Date: 2017-05-14T14:28:34-07:00 [thread overview]
Message-ID: <47791fc4-87b8-48d7-8d16-3e0407eb9dfe@googlegroups.com> (raw)
In-Reply-To: <cf1c1eb7-61cf-4ee5-8837-d4a95f95a4ba@googlegroups.com>
[I'm reposting here my answer to your message on ada Reddit.]
In fact, we currently have at AdaCore an intern working with us on the inclusion of Rust-like pointers in SPARK. He has reached a first milestone which was the description of suitable rules to include safe pointers in SPARK, which have convinced the SPARK Language Design Group at AdaCore and Altran UK (the small group working on the evolutions of the SPARK language).
He's now working with us and researchers from Inria team Toccata to give a mathematical semantics to the notions that we're using for these safe pointers: move (on assignment mostly), borrow (on parameter passing for mutable objects) and observe (on parameter passing for immutable objects). We have also started looking at the concrete implementation of these rules in GNATprove (the SPARK analysis tool).
In this work, we don't target everything that the Rust borrow checker does:
- we leave accessibility checking (the lifetime checking in Rust) to the compiler, using existing Ada rules, plus some restrictions in SPARK to avoid the need for dynamic accessibility checks
- we leave nullity checking to proof (a Verification Condition will be generated for dereference of possibly null pointers), with the help here of Ada non-null types that reduce the need for such proofs. Given that pointers are always initialized to null in Ada, there is no need to separately deal with initialization.
- we ignore the problem of memory leaks (which could be tackled later as an extension of the current scheme)
So the main issue that we really address with this work is the issue of non-aliasing. Or rather the issue of problematic interferences, when two names, one of which can be updated, are referring to the same memory location. We're focusing on this issue, because it is the one preventing inclusion of pointers in SPARK, as for formal analysis we rely on the ability to perform modular analysis, where we make assumptions on the absence of problematic interferences.
But since our solution to non-aliasing is based on this Rust-like notion of ownership of pointers, the same solution will also forbid use-after-free or double-free.
This work is ongoing, we will certainly let the community know about our progress after the summer.
next prev parent reply other threads:[~2017-05-14 21:28 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-13 20:33 Rust's temporal safety for Ada/SPARK digitalkevlar
2017-05-13 21:19 ` Jeffrey R. Carter
2017-05-14 10:19 ` Niklas Holsti
2017-05-15 19:07 ` Simon Wright
2017-05-15 19:30 ` Jeffrey R. Carter
2017-05-17 21:21 ` moy
2017-05-14 3:24 ` Robert Eachus
2017-05-14 16:46 ` digitalkevlar
2017-05-14 17:18 ` Dmitry A. Kazakov
2017-05-14 17:36 ` Jeffrey R. Carter
2017-05-14 19:59 ` Niklas Holsti
2017-05-14 20:43 ` Simon Wright
2017-05-15 7:27 ` Dmitry A. Kazakov
2017-05-14 22:20 ` Dennis Lee Bieber
2017-05-15 16:23 ` Jeffrey R. Carter
2017-05-15 23:19 ` Randy Brukardt
2017-05-16 16:45 ` Shark8
2017-05-16 21:36 ` Randy Brukardt
2017-05-16 23:37 ` Shark8
2017-05-14 21:28 ` moy [this message]
2017-05-15 22:59 ` digitalkevlar
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox