role analysis
Download
Skip this Video
Download Presentation
Role Analysis

Loading in 2 Seconds...

play fullscreen
1 / 112

role analysis - PowerPoint PPT Presentation


  • 205 Views
  • Uploaded on

Role Analysis. Viktor Kuncak Patrick Lam Martin Rinard. MIT LCS. Process Scheduler Example. RP. SP. Running Process. Suspended Process. Process Scheduler Example. Running Process List. next. RP. RP. prev. next. prev. prev. next. prev. RP. RP. SP. next. Running

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'role analysis' - Leo


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
role analysis

Role Analysis

Viktor Kuncak

Patrick Lam

Martin Rinard

MIT LCS

slide2

Process Scheduler Example

RP

SP

Running

Process

Suspended

Process

slide3

Process Scheduler Example

Running Process List

next

RP

RP

prev

next

prev

prev

next

prev

RP

RP

SP

next

Running

Process

Suspended

Process

process scheduler example
Process Scheduler Example

Running Process List

Suspended Process Tree

next

R

RP

RP

right

prev

left

SP

SP

next

prev

prev

next

right

left

prev

RP

RP

SP

SP

next

Running

Process

Suspended

Process

slide5

Process Scheduler Example

Running Process List

Suspended Process Tree

next

R

RP

RP

right

prev

left

prev

SP

SP

next

prev

next

right

left

RP

SP

left

SP

SP

Running

Process

Suspended

Process

remarks
Remarks
  • Desirable to capture distinction between suspended and running processes
  • Standard types unsuitable
    • Type is fixed for lifetime of object
    • Scheduler suspends and resumes processes
  • Concept of a role
    • Statically verifiable property of an object
    • Capture current conceptual purpose of object
    • Role changes as object\'s purpose changes
slide7

Goal

Develop a static type system in which each object is assigned a role

Program actions can change object roles

challenges
Challenges

Aliasing

Ensure that role changes performed using one alias are correctly reflected in roles of other aliases

Procedures

Compositional interprocedural role system

basic approach
Basic Approach
  • Develop a role system in which role of each object depends on its heap aliases
    • Role provides aliasing information
    • Enables checker to ensure that role changes are compatible with all aliases
  • Role reflects object’s participation in different data structures
  • Role changes as object moves between data structures
slide10

Role Definition for Running Processes

role RP {

Sequence of heap

referencing constraints

}

RP

Running

Process

slide11

Slot Constraints

role RP {

slots RP.next,

RP.prev;

...

}

Slot constraints identify

the complete set of heap

aliases of the object

RP

Running

Process

slide12

Slot Constraints

role RP {

slots RP.next,

RP.prev;

...

}

RP

prev

Slot constraints identify

the complete set of heap

aliases of the object

RP

RP

next

Running

Process

field constraints
Field Constraints

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

...

}

RP

prev

RP

RP

next

Field constraints identify

roles of objects to which

fields refer

Running

Process

slide14

Field Constraints

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

...

}

RP

RP

next

prev

RP

prev

RP

RP

next

Field constraints identify

roles of objects to which

fields refer

Running

Process

slide15

Identity Constraints

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

RP

RP

next

prev

RP

prev

RP

RP

next

Running

Process

Identities identify cycles of length two.

slide16

Identity Constraints

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

RP

prev

next

prev

RP

RP

next

Running

Process

Identities identify cycles of length two.

role definition for running processes
Role Definition for Running Processes

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

next

RP

RP

prev

next

prev

prev

next

prev

RP

RP

RP

next

roles as constraints
Roles as Constraints
  • Each constraint C(o) is a predicate on objects
  • Role is a logical conjunction of its defining constraints
  • Constraints can be recursive!

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

semantics of role constraints
Semantics of Role Constraints
  • Constraint is interpreted in the context of a role assignment (mapping from objects to role names)
  • Heap is role consistent iff there exists a role assignment in which every object satisfies its role
slide20

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

slots

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process

slide21

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

slots R.left

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process

slide22

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

slotsR.left R.right

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process

slide23

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

slotsR.leftR.right

SP.left

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process

slide24

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

slotsR.leftR.right

SP.left SP.right

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process

slide25

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

slotsR.left | R.right |

SP.left| SP.right;

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process

slide26

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

fields left : SP

right: SP

slotsR.left | R.right |

SP.left| SP.right;

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process

slide27

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

fields left : SP|null,

right: SP|null;

slotsR.left | R.right |

SP.left| SP.right;

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process

slide28

Roles for Suspended Processes

Suspended Process Tree

role R {

fields left : SP|null,

right: SP|null;

}

role SP {

fields left : SP|null,

right: SP|null;

slotsR.left | R.right |

SP.left| SP.right;

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process

slide29

Roles for Suspended Processes

Suspended Process Tree

role R {

fields left : SP|null,

right: SP|null;

}

role SP {

fields left : SP|null,

right: SP|null;

slotsR.left | R.right |

SP.left| SP.right;

acyclic left, right;

}

SP

left

left

right

SP

SP

Suspended

Process

No cyclic paths of the form (left+right)*

slide30

Roles for Suspended Processes

Suspended Process Tree

role R {

fields left : SP|null,

right: SP|null;

}

role SP {

fields left : SP|null,

right: SP|null;

slots R.left | R.right |

SP.left| SP.right;

acyclic left, right;

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process

role changes
Role Changes
  • To suspend a process
    • Remove from running process list
    • Insert into suspended process tree

R

right

left

SP

SP

next

RP

RP

right

prev

prev

next

next

prev

SP

prev

RP

RP

next

slide33

Role Changes

  • To suspend a process
    • Remove from running process list
    • Insert into suspended process tree

R

right

left

SP

SP

RP

I

right

next

prev

next

SP

prev

prev

RP

RP

next

slide34

Role Changes

  • To suspend a process
    • Remove from running process list
    • Insert into suspended process tree

R

right

left

SP

SP

RP

I

right

next

prev

next

Isolated object:

SP

prev

role I { }

prev

RP

RP

next

slide35

Role Changes

  • To suspend a process
    • Remove from running process list
    • Insert into suspended process tree

R

right

left

left

SP

SP

RP

SP

right

next

prev

next

SP

prev

prev

RP

RP

next

removing a process from list
Removing a Process from List

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

next

RP

RP

prev

prev

next

next

prev

prev

RP

RP

next

slide37

Removing a Process from List

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

pp

next

RP

RP

prev

prev

next

pn

next

prev

prev

RP

RP

next

slide38

Removing a Process from List

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

pp

RP

RP

prev

next

pn

next

prev

next

prev

prev

RP

RP

next

slide39

Removing a Process from List

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

pp

RP

RP

pn

next

prev

next

prev

prev

RP

RP

next

slide40

Removing a Process from List

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

Programming model expects programmer to indicate role changes

RP

RP

next

prev

next

prev

prev

RP

RP

next

slide41

Removing a Process from List

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

Programming model expects programmer to indicate role changes

RP

I

next

prev

next

prev

prev

RP

RP

next

programming model based on instrumented semantics
Programming Model Based On Instrumented Semantics
  • Role Assignment Part of Program State
    • Each object has a nominal role
    • setRole(p : R) updates role assignment
  • Programmer responsibilities
    • Specify intended role assignment
    • Write role-consistent program
  • Static role checking ensures
    • Programs are role-consistent
    • No dynamic overhead incurred
slide43

Temporary Role Violations

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

pp

Data structure updates often temporarily violate nominal roles of updated objects

RP

RP

prev

next

pn

prev

next

prev

prev

RP

RP

next

slide44

RP

RP

prev

next

prev

next

prev

prev

RP

RP

next

Temporary Role Violations

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

pp

What do nominal roles mean during these updates?

pn

slide45

RP

RP

prev

next

prev

next

prev

prev

RP

RP

next

Temporary Role Violations

Observation:

Objects with temporarily violated roles are referenced by local variables.

p

pp

pn

slide46

RP

RP

prev

next

prev

next

prev

prev

RP

RP

next

Onstage and Offstage Objects

onstage objects =

objects referenced by local variables.

onstage objects

p

pp

pn

offstage objects

slide47

RP

RP

prev

next

prev

next

prev

prev

RP

RP

next

Onstage and Offstage Objects

onstage objects =

objects referenced by local variables.

onstage objects

p

pp

Onstage objects may have their roles temporarily violated.

pn

offstage objects

slide48

RP

RP

prev

next

prev

next

prev

prev

RP

RP

next

Onstage and Offstage Objects

onstage objects =

objects referenced by local variables.

onstage objects

p

pp

Roles of offstage objects must be correct assuming the nominal roles of onstage objects.

pn

offstage objects

slide50

Procedure Interfaces

  • Each procedure has an interface
  • Precondition
    • Property of heap at start of procedure
    • Specifies initial dataflow fact for analysis
  • Abstraction of actions of procedure
    • Read Effects (accessed region of heap)
    • Write Effects
      • Changes to heap references
      • Nominal role changes
two aspects of role checking
Two Aspects of Role Checking
  • Verifying interface conformance
    • Assume precondition
    • Analyze procedure
    • Verify that procedure respects effects
  • Using interfaces at call sites to separate analysis of caller and callee
  • Each procedure analyzed exactly once
slide52

Role Consistency Across Procedure Calls

foo(p) reads R { ...

}

c

d

p

When analyzing a procedure:

Assume that accessed objects have consistent roles.

Region R accessed by foo

slide53

Role Consistency Across Procedure Calls

...

foo(p);

...

At Call Site:

Use read effects of the procedure to verify that region accessed by the procedure has consistent roles

(even for onstage objects)

c

d

p

Region R accessed by foo

slide54

Role Consistency Across Procedure Calls

foo(p) reads R { ...

}

c

d

p

When analyzing the procedure:

Verify that only objects declared in callee’s read effects are accessed.

Assume that accessed objects have correct roles.

Region R accessed by foo

slide55

Role Consistency Across Procedure Calls

...

foo(p);

...

After Call Site:

The role checking assumes that region accessed in the procedure is left in a role consistent state.

c

d

p

Region R accessed by foo

slide56

Role Consistency Across Procedure Calls

foo(p) reads R { ...

}

c

d

p

After analyzing the procedure:

Verify that objects in accessed region are left in role consistent state (implicit postcondition)

Region R accessed by foo

slide58

Analysis Abstraction

Concrete Heap

(objects and references)

Analysis Representation:

Role Graph

(nodes and edges)

p

p

n

RP

RP

RP

n

p

p

p

n

p

n

p

p

RP

RP

RP

n

n

n

p

slide59

Role Graph

Concrete Heap

Role Graph

Onstage node

(represents a single onstage object)

p

p

n

RP

RP

RP

n

p

p

p

n

p

n

p

p

RP

RP

RP

n

n

n

p

slide60

Role Graph

Concrete Heap

Role Graph

Summary Offstage Node (represents any number of objects)

p

p

n

RP

RP

RP

n

p

p

p

n

p

n

p

p

RP

RP

RP

n

n

n

p

slide61

Abstraction Relation

Concrete Heap

Role Graph

Each onstage object represented by an onstage node

p

p

n

RP

RP

RP

n

p

p

p

n

p

n

p

p

RP

RP

RP

n

n

n

p

slide62

Abstraction Relation

Concrete Heap

Analysis Representation:

Role Graph

Offstage objects are represented by offstage nodes

p

p

n

RP

RP

RP

n

p

p

p

n

p

n

p

p

RP

RP

RP

n

n

n

p

slide63

Abstraction Relation

  • The function is
  • a graph homomorphism
  • isomorphism between onstage objects and nodes
  • role preserving: role(h(o)) = role(o)

p

p

n

RP

RP

RP

n

p

p

p

n

p

n

p

p

RP

RP

RP

n

n

n

p

slide64

Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Initial roles: p : RP

Initial Role Graph

p

RP

RP

slide65

Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Initial roles: p : RP

Read effects: p, RP

Initial Role Graph

p

RP

RP

slide66

Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

Initial Role Graph

p

RP

RP

slide67

Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Initial Role Graph

p

RP

RP

slide68

Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

Initial Role Graph

p

RP

RP

slide69

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Load statement

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

slide70

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Load statement
  • expansion

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

RP

slide71

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Load statement
  • expansion
  • read effect check
  • succeeds:
  • RP in read effects

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

RP

slide72

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Load statement
  • expansion
  • read effect check
  • succeeds:
  • RP in read effects

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

RP

slide73

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Load statement
  • expansion
  • read effect check
  • succeeds:
  • RP in read effects

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP

slide74

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Store statement

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP

slide75

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Store statement
  • strong update

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP

slide76

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Store statement
  • strong update
  • verify write effect
  • succeeds:
  • RP.next = RP

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP

slide77

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Store statement

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP

slide78

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Store statement
  • strong update
  • verify write effect
  • succeeds:
  • RP.prev = RP

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP

slide79

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Store statement

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP

slide80

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Store statement
  • strong update
  • verify write effect
  • succeeds:
  • p.next=null

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP

slide81

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Store statement
  • strong update
  • verify write effect
  • succeeds:
  • p.prev=null

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP

slide82

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Local variable assignment
  • remove local variable

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

pn

RP

RP

slide83

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Local variable assignment
  • remove local variable (node goes offstage)
  • check role is correct

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

pn

RP

RP

slide84

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Local variable assignment
  • remove local variable (node goes offstage)
  • check role is correct
  • merge node into offstage

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

pn

RP

RP

slide85

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null;pn=null;

setRole(p : I);

}

  • Local variable assignment
  • remove local variable (node goes offstage)
  • check role is correct
  • merge node into offstage

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

slide86

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • setRole
  • change the nominal role

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

I

RP

slide87

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • setRole
  • change the nominal role
  • check that the role change is in the interface

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

I

RP

slide88

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Postcondition check:
  • all accessed nodes have referencing relationships consistent with their roles
  • even onstage nodes

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

I

RP

details of analysis
Details of Analysis
  • Dataflow fact is set of role graphs
  • Merge is union of role graph sets
  • Predicative analysis - filters out graphs that do not satisfy the test in conditional
  • Builds on ideas from shape analysis
    • Expansion and contraction
    • May reachability (from onstage nodes) prevents excessive merging of nodes
example remove procedure call
Example: remove procedure call

Role graph before the call:

p

. . .

remove(p);

. . .

RP

RP

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

slide92

Context Matching

Role graph before the call:

p

. . .

remove(p);

. . .

RP

RP

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

slide93

Role Check in Accessed Region

Role graph before the call:

p

. . .

remove(p);

. . .

RP

RP

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

slide94

Applying Must Write Effects

p

. . .

remove(p);

. . .

RP

RP

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

slide95

Applying Must Write Effects

p

. . .

remove(p);

. . .

RP

RP

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

slide96

Applying May Write Effects

p

. . .

remove(p);

. . .

RP

RP

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

slide97

Applying Must Role Change

p

. . .

remove(p);

. . .

RP

I

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

slide98

Enforcing Role Constraints

p

. . .

remove(p);

. . .

RP

I

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

slide99

Enforcing Role Constraints

p

. . .

remove(p);

. . .

RP

I

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

slide100

Merge

p

. . .

remove(p);

. . .

Role graph after the call:

I

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

key ideas in analysis
Key Ideas in Analysis
  • Role of object characterizes its aliases
    • Enables analysis to find aliases
    • Verify new role consistent with all aliases
  • Precise effects in procedure interfaces
    • Full precision for parameters (or even fixed region surrounding parameters)
    • Role consistency/may effects for rest of heap
slide102

Multiple Simultaneous Roles

Running Processes

Suspended Processes

R

RP

RP

SP

SP

SP

SP

RP

RP

multiple simultaneous roles
Multiple Simultaneous Roles

Running Processes

Suspended Processes

R

RP

RP

SP

SP

SP

SP

RP

RP

proc

proc

proc

proc

LP

LP

HP

HP

High Priority Process List

Low Priority Process List

complete slot constraints
Complete Slot Constraints

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

  • This slot constraint specifies ALL aliases
  • Aliases from high or low priority process lists violate role
slide105

Partial Slot Constraints

role RP {

next, prev,

right, left:

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

  • This slot constraint specifies aliases from next, prev, right, and left fields ONLY
  • Aliases from high or low priority process lists can be used in new role definitions for high and low priority processes
slide106

Multiple Simultaneous Roles

Can have a running high priority process, a running low priority process, etc.

role RP {

next, prev,

right, left :

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

role HighPriority {

proc :

slots HPL.proc;

}

role LowPriority {

proc :

slots LPL.proc;

}

benefits of roles
Benefits of Roles
  • Data structure consistency properties
  • Object usage constraints
    • Procedures specify roles of parameters
    • Object\'s interface changes as its role changes
  • Roles crystallize useful perspective
    • Provide useful information to maintainers
    • Basis for exploration of the behavior of program via dynamic role discovery
    • Help programmers conceptualize relationships between objects
typestate
Typestate
  • Strom, Yemini ’86: Typestate
    • object initialization, no aliasing
  • DeLine, Fähndrich ’01: High-Level Protocols
    • linear types for heap references
  • Xu, Miller, Reps ’00: Typestate for machine code
dynamically changing classes
Dynamically Changing Classes
  • Chambers ‘93: Predicate Classes
  • Ghelli, Palmerini ‘99: Fibonacci
  • Drossopoulou et al. ’01: Fickle

Alias Control in OOP

  • Hogg ’91: Islands
  • Almeida ’97: Balloon Types
  • Clarke, Potter, Noble ’98: Ownership Types
  • Banerjee, Naumann ’02: Confinement
  • Boyapati, Rinard ’01: Unique References
  • Boyland: Alias Burying
specifying verifying heap invariants
Specifying/Verifying Heap Invariants
  • Smith, Walker, Morrisett ’00: Alias Types
  • Møller, Schwartzbach ’01: PALE
  • Fradet, Metayer ’97: Shape Types
  • Larus, Hilfinger ’88: Conflicts in structure accesses
  • Chase, Wegman, Zadeck ’90: SSG
  • Hendren ’90: Interference analysis
  • Hendren, Hummel, Nicolau ’94: APM / ADDS
  • Sagiv, Reps, Wilhelm ’99: TVLA
  • Rinetzky, Sagiv ’01: Noncompositional interprocedural analysis
conclusion
Conclusion
  • Statically checked role system
    • Role changes reflect changes in purpose of object in computation
    • Full support for role changes and aliasing
  • Key aspects of design
    • Role characterizes aliases
    • Procedure abstraction choices
  • Multiple simultaneous roles
ad