Role analysis
Download
1 / 112

role analysis - PowerPoint PPT Presentation


  • 205 Views
  • Updated On :

Role Analysis. Viktor Kuncak Patrick Lam Martin Rinard. MIT LCS. Process Scheduler Example. RP. SP. Running Process. Suspended Process. Process Scheduler Example. Running Process List. next. RP. RP. prev. next. prev. prev. next. prev. RP. RP. SP. next. Running

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'role analysis' - Leo


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Role analysis l.jpg

Role Analysis

Viktor Kuncak

Patrick Lam

Martin Rinard

MIT LCS


Slide2 l.jpg

Process Scheduler Example

RP

SP

Running

Process

Suspended

Process


Slide3 l.jpg

Process Scheduler Example

Running Process List

next

RP

RP

prev

next

prev

prev

next

prev

RP

RP

SP

next

Running

Process

Suspended

Process


Process scheduler example l.jpg
Process Scheduler Example

Running Process List

Suspended Process Tree

next

R

RP

RP

right

prev

left

SP

SP

next

prev

prev

next

right

left

prev

RP

RP

SP

SP

next

Running

Process

Suspended

Process


Slide5 l.jpg

Process Scheduler Example

Running Process List

Suspended Process Tree

next

R

RP

RP

right

prev

left

prev

SP

SP

next

prev

next

right

left

RP

SP

left

SP

SP

Running

Process

Suspended

Process


Remarks l.jpg
Remarks

  • Desirable to capture distinction between suspended and running processes

  • Standard types unsuitable

    • Type is fixed for lifetime of object

    • Scheduler suspends and resumes processes

  • Concept of a role

    • Statically verifiable property of an object

    • Capture current conceptual purpose of object

    • Role changes as object's purpose changes


Slide7 l.jpg

Goal

Develop a static type system in which each object is assigned a role

Program actions can change object roles


Challenges l.jpg
Challenges

Aliasing

Ensure that role changes performed using one alias are correctly reflected in roles of other aliases

Procedures

Compositional interprocedural role system


Basic approach l.jpg
Basic Approach

  • Develop a role system in which role of each object depends on its heap aliases

    • Role provides aliasing information

    • Enables checker to ensure that role changes are compatible with all aliases

  • Role reflects object’s participation in different data structures

  • Role changes as object moves between data structures


Slide10 l.jpg

Role Definition for Running Processes

role RP {

Sequence of heap

referencing constraints

}

RP

Running

Process


Slide11 l.jpg

Slot Constraints

role RP {

slots RP.next,

RP.prev;

...

}

Slot constraints identify

the complete set of heap

aliases of the object

RP

Running

Process


Slide12 l.jpg

Slot Constraints

role RP {

slots RP.next,

RP.prev;

...

}

RP

prev

Slot constraints identify

the complete set of heap

aliases of the object

RP

RP

next

Running

Process


Field constraints l.jpg
Field Constraints

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

...

}

RP

prev

RP

RP

next

Field constraints identify

roles of objects to which

fields refer

Running

Process


Slide14 l.jpg

Field Constraints

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

...

}

RP

RP

next

prev

RP

prev

RP

RP

next

Field constraints identify

roles of objects to which

fields refer

Running

Process


Slide15 l.jpg

Identity Constraints

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

RP

RP

next

prev

RP

prev

RP

RP

next

Running

Process

Identities identify cycles of length two.


Slide16 l.jpg

Identity Constraints

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

RP

prev

next

prev

RP

RP

next

Running

Process

Identities identify cycles of length two.


Role definition for running processes l.jpg
Role Definition for Running Processes

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

next

RP

RP

prev

next

prev

prev

next

prev

RP

RP

RP

next


Roles as constraints l.jpg
Roles as Constraints

  • Each constraint C(o) is a predicate on objects

  • Role is a logical conjunction of its defining constraints

  • Constraints can be recursive!

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}


Semantics of role constraints l.jpg
Semantics of Role Constraints

  • Constraint is interpreted in the context of a role assignment (mapping from objects to role names)

  • Heap is role consistent iff there exists a role assignment in which every object satisfies its role


Slide20 l.jpg

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

slots

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process


Slide21 l.jpg

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

slots R.left

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process


Slide22 l.jpg

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

slotsR.left R.right

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process


Slide23 l.jpg

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

slotsR.leftR.right

SP.left

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process


Slide24 l.jpg

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

slotsR.leftR.right

SP.left SP.right

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process


Slide25 l.jpg

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

slotsR.left | R.right |

SP.left| SP.right;

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process


Slide26 l.jpg

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

fields left : SP

right: SP

slotsR.left | R.right |

SP.left| SP.right;

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process


Slide27 l.jpg

Roles for Suspended Processes

Suspended Process Tree

role R {

}

role SP {

fields left : SP|null,

right: SP|null;

slotsR.left | R.right |

SP.left| SP.right;

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process


Slide28 l.jpg

Roles for Suspended Processes

Suspended Process Tree

role R {

fields left : SP|null,

right: SP|null;

}

role SP {

fields left : SP|null,

right: SP|null;

slotsR.left | R.right |

SP.left| SP.right;

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process


Slide29 l.jpg

Roles for Suspended Processes

Suspended Process Tree

role R {

fields left : SP|null,

right: SP|null;

}

role SP {

fields left : SP|null,

right: SP|null;

slotsR.left | R.right |

SP.left| SP.right;

acyclic left, right;

}

SP

left

left

right

SP

SP

Suspended

Process

No cyclic paths of the form (left+right)*


Slide30 l.jpg

Roles for Suspended Processes

Suspended Process Tree

role R {

fields left : SP|null,

right: SP|null;

}

role SP {

fields left : SP|null,

right: SP|null;

slots R.left | R.right |

SP.left| SP.right;

acyclic left, right;

}

R

right

left

SP

SP

right

left

SP

SP

Suspended

Process



Role changes l.jpg
Role Changes

  • To suspend a process

    • Remove from running process list

    • Insert into suspended process tree

R

right

left

SP

SP

next

RP

RP

right

prev

prev

next

next

prev

SP

prev

RP

RP

next


Slide33 l.jpg

Role Changes

  • To suspend a process

    • Remove from running process list

    • Insert into suspended process tree

R

right

left

SP

SP

RP

I

right

next

prev

next

SP

prev

prev

RP

RP

next


Slide34 l.jpg

Role Changes

  • To suspend a process

    • Remove from running process list

    • Insert into suspended process tree

R

right

left

SP

SP

RP

I

right

next

prev

next

Isolated object:

SP

prev

role I { }

prev

RP

RP

next


Slide35 l.jpg

Role Changes

  • To suspend a process

    • Remove from running process list

    • Insert into suspended process tree

R

right

left

left

SP

SP

RP

SP

right

next

prev

next

SP

prev

prev

RP

RP

next


Removing a process from list l.jpg
Removing a Process from List

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

next

RP

RP

prev

prev

next

next

prev

prev

RP

RP

next


Slide37 l.jpg

Removing a Process from List

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

pp

next

RP

RP

prev

prev

next

pn

next

prev

prev

RP

RP

next


Slide38 l.jpg

Removing a Process from List

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

pp

RP

RP

prev

next

pn

next

prev

next

prev

prev

RP

RP

next


Slide39 l.jpg

Removing a Process from List

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

pp

RP

RP

pn

next

prev

next

prev

prev

RP

RP

next


Slide40 l.jpg

Removing a Process from List

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

Programming model expects programmer to indicate role changes

RP

RP

next

prev

next

prev

prev

RP

RP

next


Slide41 l.jpg

Removing a Process from List

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

Programming model expects programmer to indicate role changes

RP

I

next

prev

next

prev

prev

RP

RP

next


Programming model based on instrumented semantics l.jpg
Programming Model Based On Instrumented Semantics

  • Role Assignment Part of Program State

    • Each object has a nominal role

    • setRole(p : R) updates role assignment

  • Programmer responsibilities

    • Specify intended role assignment

    • Write role-consistent program

  • Static role checking ensures

    • Programs are role-consistent

    • No dynamic overhead incurred


Slide43 l.jpg

Temporary Role Violations

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

pp

Data structure updates often temporarily violate nominal roles of updated objects

RP

RP

prev

next

pn

prev

next

prev

prev

RP

RP

next


Slide44 l.jpg

RP

RP

prev

next

prev

next

prev

prev

RP

RP

next

Temporary Role Violations

remove(p : RP) {

pp = p.prev; pn = p.next;

pp.next = pn; pn.prev = pp;

p.next = null; p.prev = null;

pp = null; pn = null;

setRole(p : I);

}

p

pp

What do nominal roles mean during these updates?

pn


Slide45 l.jpg

RP

RP

prev

next

prev

next

prev

prev

RP

RP

next

Temporary Role Violations

Observation:

Objects with temporarily violated roles are referenced by local variables.

p

pp

pn


Slide46 l.jpg

RP

RP

prev

next

prev

next

prev

prev

RP

RP

next

Onstage and Offstage Objects

onstage objects =

objects referenced by local variables.

onstage objects

p

pp

pn

offstage objects


Slide47 l.jpg

RP

RP

prev

next

prev

next

prev

prev

RP

RP

next

Onstage and Offstage Objects

onstage objects =

objects referenced by local variables.

onstage objects

p

pp

Onstage objects may have their roles temporarily violated.

pn

offstage objects


Slide48 l.jpg

RP

RP

prev

next

prev

next

prev

prev

RP

RP

next

Onstage and Offstage Objects

onstage objects =

objects referenced by local variables.

onstage objects

p

pp

Roles of offstage objects must be correct assuming the nominal roles of onstage objects.

pn

offstage objects



Slide50 l.jpg

Procedure Interfaces

  • Each procedure has an interface

  • Precondition

    • Property of heap at start of procedure

    • Specifies initial dataflow fact for analysis

  • Abstraction of actions of procedure

    • Read Effects (accessed region of heap)

    • Write Effects

      • Changes to heap references

      • Nominal role changes


Two aspects of role checking l.jpg
Two Aspects of Role Checking

  • Verifying interface conformance

    • Assume precondition

    • Analyze procedure

    • Verify that procedure respects effects

  • Using interfaces at call sites to separate analysis of caller and callee

  • Each procedure analyzed exactly once


Slide52 l.jpg

Role Consistency Across Procedure Calls

foo(p) reads R { ...

}

c

d

p

When analyzing a procedure:

Assume that accessed objects have consistent roles.

Region R accessed by foo


Slide53 l.jpg

Role Consistency Across Procedure Calls

...

foo(p);

...

At Call Site:

Use read effects of the procedure to verify that region accessed by the procedure has consistent roles

(even for onstage objects)

c

d

p

Region R accessed by foo


Slide54 l.jpg

Role Consistency Across Procedure Calls

foo(p) reads R { ...

}

c

d

p

When analyzing the procedure:

Verify that only objects declared in callee’s read effects are accessed.

Assume that accessed objects have correct roles.

Region R accessed by foo


Slide55 l.jpg

Role Consistency Across Procedure Calls

...

foo(p);

...

After Call Site:

The role checking assumes that region accessed in the procedure is left in a role consistent state.

c

d

p

Region R accessed by foo


Slide56 l.jpg

Role Consistency Across Procedure Calls

foo(p) reads R { ...

}

c

d

p

After analyzing the procedure:

Verify that objects in accessed region are left in role consistent state (implicit postcondition)

Region R accessed by foo



Slide58 l.jpg

Analysis Abstraction

Concrete Heap

(objects and references)

Analysis Representation:

Role Graph

(nodes and edges)

p

p

n

RP

RP

RP

n

p

p

p

n

p

n

p

p

RP

RP

RP

n

n

n

p


Slide59 l.jpg

Role Graph

Concrete Heap

Role Graph

Onstage node

(represents a single onstage object)

p

p

n

RP

RP

RP

n

p

p

p

n

p

n

p

p

RP

RP

RP

n

n

n

p


Slide60 l.jpg

Role Graph

Concrete Heap

Role Graph

Summary Offstage Node (represents any number of objects)

p

p

n

RP

RP

RP

n

p

p

p

n

p

n

p

p

RP

RP

RP

n

n

n

p


Slide61 l.jpg

Abstraction Relation

Concrete Heap

Role Graph

Each onstage object represented by an onstage node

p

p

n

RP

RP

RP

n

p

p

p

n

p

n

p

p

RP

RP

RP

n

n

n

p


Slide62 l.jpg

Abstraction Relation

Concrete Heap

Analysis Representation:

Role Graph

Offstage objects are represented by offstage nodes

p

p

n

RP

RP

RP

n

p

p

p

n

p

n

p

p

RP

RP

RP

n

n

n

p


Slide63 l.jpg

Abstraction Relation

  • The function is

  • a graph homomorphism

  • isomorphism between onstage objects and nodes

  • role preserving: role(h(o)) = role(o)

p

p

n

RP

RP

RP

n

p

p

p

n

p

n

p

p

RP

RP

RP

n

n

n

p


Slide64 l.jpg

Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Initial roles: p : RP

Initial Role Graph

p

RP

RP


Slide65 l.jpg

Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Initial roles: p : RP

Read effects: p, RP

Initial Role Graph

p

RP

RP


Slide66 l.jpg

Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

Initial Role Graph

p

RP

RP


Slide67 l.jpg

Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Initial Role Graph

p

RP

RP


Slide68 l.jpg

Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

Initial Role Graph

p

RP

RP


Slide69 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Load statement

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP


Slide70 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Load statement

  • expansion

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

RP


Slide71 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Load statement

  • expansion

  • read effect check

  • succeeds:

  • RP in read effects

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

RP


Slide72 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Load statement

  • expansion

  • read effect check

  • succeeds:

  • RP in read effects

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

RP


Slide73 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Load statement

  • expansion

  • read effect check

  • succeeds:

  • RP in read effects

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP


Slide74 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Store statement

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP


Slide75 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Store statement

  • strong update

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP


Slide76 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Store statement

  • strong update

  • verify write effect

  • succeeds:

  • RP.next = RP

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP


Slide77 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Store statement

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP


Slide78 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Store statement

  • strong update

  • verify write effect

  • succeeds:

  • RP.prev = RP

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP


Slide79 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

Store statement

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP


Slide80 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Store statement

  • strong update

  • verify write effect

  • succeeds:

  • p.next=null

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP


Slide81 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Store statement

  • strong update

  • verify write effect

  • succeeds:

  • p.prev=null

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

pp

p

RP

RP

pn

RP

RP


Slide82 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Local variable assignment

  • remove local variable

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

pn

RP

RP


Slide83 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Local variable assignment

  • remove local variable (node goes offstage)

  • check role is correct

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP

pn

RP

RP


Slide84 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Local variable assignment

  • remove local variable (node goes offstage)

  • check role is correct

  • merge node into offstage

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

pn

RP

RP


Slide85 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null;pn=null;

setRole(p : I);

}

  • Local variable assignment

  • remove local variable (node goes offstage)

  • check role is correct

  • merge node into offstage

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP


Slide86 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • setRole

  • change the nominal role

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

I

RP


Slide87 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • setRole

  • change the nominal role

  • check that the role change is in the interface

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

I

RP


Slide88 l.jpg

Verifying Interface for remove

remove(p) {

pp=p.prev; pn=p.next;

pp.next=pn; pn.prev=pp;

p.next=null; p.prev=null;

pp=null; pn=null;

setRole(p : I);

}

  • Postcondition check:

  • all accessed nodes have referencing relationships consistent with their roles

  • even onstage nodes

Initial roles: p : RP

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

I

RP


Details of analysis l.jpg
Details of Analysis

  • Dataflow fact is set of role graphs

  • Merge is union of role graph sets

  • Predicative analysis - filters out graphs that do not satisfy the test in conditional

  • Builds on ideas from shape analysis

    • Expansion and contraction

    • May reachability (from onstage nodes) prevents excessive merging of nodes



Example remove procedure call l.jpg
Example: remove procedure call

Role graph before the call:

p

. . .

remove(p);

. . .

RP

RP

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP


Slide92 l.jpg

Context Matching

Role graph before the call:

p

. . .

remove(p);

. . .

RP

RP

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP


Slide93 l.jpg

Role Check in Accessed Region

Role graph before the call:

p

. . .

remove(p);

. . .

RP

RP

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP


Slide94 l.jpg

Applying Must Write Effects

p

. . .

remove(p);

. . .

RP

RP

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP


Slide95 l.jpg

Applying Must Write Effects

p

. . .

remove(p);

. . .

RP

RP

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP


Slide96 l.jpg

Applying May Write Effects

p

. . .

remove(p);

. . .

RP

RP

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP


Slide97 l.jpg

Applying Must Role Change

p

. . .

remove(p);

. . .

RP

I

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP


Slide98 l.jpg

Enforcing Role Constraints

p

. . .

remove(p);

. . .

RP

I

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP


Slide99 l.jpg

Enforcing Role Constraints

p

. . .

remove(p);

. . .

RP

I

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP


Slide100 l.jpg

Merge

p

. . .

remove(p);

. . .

Role graph after the call:

I

c

RP

RP

remove interface:

Read effects: p, RP

Must write effects:

p.next = null,

p.prev = null

May write effects:

RP.next = RP,

RP.prev = RP

Must role changes: p : I

p

RP

RP


Key ideas in analysis l.jpg
Key Ideas in Analysis

  • Role of object characterizes its aliases

    • Enables analysis to find aliases

    • Verify new role consistent with all aliases

  • Precise effects in procedure interfaces

    • Full precision for parameters (or even fixed region surrounding parameters)

    • Role consistency/may effects for rest of heap


Slide102 l.jpg

Multiple Simultaneous Roles

Running Processes

Suspended Processes

R

RP

RP

SP

SP

SP

SP

RP

RP


Multiple simultaneous roles l.jpg
Multiple Simultaneous Roles

Running Processes

Suspended Processes

R

RP

RP

SP

SP

SP

SP

RP

RP

proc

proc

proc

proc

LP

LP

HP

HP

High Priority Process List

Low Priority Process List


Complete slot constraints l.jpg
Complete Slot Constraints

role RP {

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

  • This slot constraint specifies ALL aliases

  • Aliases from high or low priority process lists violate role


Slide105 l.jpg

Partial Slot Constraints

role RP {

next, prev,

right, left:

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

  • This slot constraint specifies aliases from next, prev, right, and left fields ONLY

  • Aliases from high or low priority process lists can be used in new role definitions for high and low priority processes


Slide106 l.jpg

Multiple Simultaneous Roles

Can have a running high priority process, a running low priority process, etc.

role RP {

next, prev,

right, left :

slots RP.next,

RP.prev;

fields next : RP,

prev : RP;

identities

next.prev,

prev.next;

}

role HighPriority {

proc :

slots HPL.proc;

}

role LowPriority {

proc :

slots LPL.proc;

}


Benefits of roles l.jpg
Benefits of Roles

  • Data structure consistency properties

  • Object usage constraints

    • Procedures specify roles of parameters

    • Object's interface changes as its role changes

  • Roles crystallize useful perspective

    • Provide useful information to maintainers

    • Basis for exploration of the behavior of program via dynamic role discovery

    • Help programmers conceptualize relationships between objects



Typestate l.jpg
Typestate

  • Strom, Yemini ’86: Typestate

    • object initialization, no aliasing

  • DeLine, Fähndrich ’01: High-Level Protocols

    • linear types for heap references

  • Xu, Miller, Reps ’00: Typestate for machine code


Dynamically changing classes l.jpg
Dynamically Changing Classes

  • Chambers ‘93: Predicate Classes

  • Ghelli, Palmerini ‘99: Fibonacci

  • Drossopoulou et al. ’01: Fickle

Alias Control in OOP

  • Hogg ’91: Islands

  • Almeida ’97: Balloon Types

  • Clarke, Potter, Noble ’98: Ownership Types

  • Banerjee, Naumann ’02: Confinement

  • Boyapati, Rinard ’01: Unique References

  • Boyland: Alias Burying


Specifying verifying heap invariants l.jpg
Specifying/Verifying Heap Invariants

  • Smith, Walker, Morrisett ’00: Alias Types

  • Møller, Schwartzbach ’01: PALE

  • Fradet, Metayer ’97: Shape Types

  • Larus, Hilfinger ’88: Conflicts in structure accesses

  • Chase, Wegman, Zadeck ’90: SSG

  • Hendren ’90: Interference analysis

  • Hendren, Hummel, Nicolau ’94: APM / ADDS

  • Sagiv, Reps, Wilhelm ’99: TVLA

  • Rinetzky, Sagiv ’01: Noncompositional interprocedural analysis


Conclusion l.jpg
Conclusion

  • Statically checked role system

    • Role changes reflect changes in purpose of object in computation

    • Full support for role changes and aliasing

  • Key aspects of design

    • Role characterizes aliases

    • Procedure abstraction choices

  • Multiple simultaneous roles


ad