Separation logic is a powerful program logic for the static modular verification of imperative programs. However, dynamic checking of separation logic contracts on the boundaries between verified and untrusted modules is hard because it requires one to enforce (among other things) that outcalls from a verified to an untrusted module do not access memory resources currently owned by the verified module. This paper proposes an approach to dynamic contract checking by relying on support for capabilities, a well-studied form of unforgeable memory pointers that enables fine-grained, efficient memory access control. More specifically, we rely on a form of capabilities called linear capabilities for which the hardware enforces that they cannot be copied. We formalize our approach as a fully abstract compiler from a statically verified source language to an unverified target language with support for linear capabilities. The key insight behind our compiler is that memory resources described by spatial separation logic predicates can be represented at run time by linear capabilities. The compiler is separation-logic-proof-directed: it uses the separation logic proof of the source program to determine how memory accesses in the source program should be compiled to linear capability accesses in the target program. The full abstraction property of the compiler essentially guarantees that compiled verified modules can interact with untrusted target language modules as if they were compiled from verified code as well. This article is an extended version of one that was presented at ICFP 2019 (Van Strydonck et al., 2019).

中文翻译：

---

用于完全抽象编译分离逻辑验证代码的线性功能

分离逻辑是一种强大的程序逻辑，用于命令式程序的静态模块化验证。然而，动态的检查已验证模块和不受信任模块之间边界上的分离逻辑合约很困难，因为它需要强制（除其他外）从已验证模块到不受信任模块的呼出不会访问已验证模块当前拥有的内存资源。本文提出了一种基于能力支持的动态合同检查方法，这是一种经过充分研究的不可伪造内存指针形式，可实现细粒度、高效的内存访问控制。更具体地说，我们依赖于一种称为能力的形式线性的硬件强制它们不能被复制的能力。我们将我们的方法形式化为一个完全抽象的编译器，从静态验证的源语言到支持线性功能的未经验证的目标语言。我们编译器背后的关键见解是，由空间分离逻辑谓词描述的内存资源可以在运行时由线性能力表示。编译器是分离逻辑证明导向：它使用源程序的分离逻辑证明来确定如何将源程序中的内存访问编译为目标程序中的线性能力访问。编译器的完全抽象属性本质上保证了编译后的验证模块可以与不受信任的目标语言模块交互，就好像它们也是从验证代码编译的一样。本文是 ICFP 2019（Van Strydonck 等人，2019 年）上发表的一篇文章的扩展版本。