
Role Analysis

Viktor Kuncak, Patrick Lam, Martin Rinard. MIT LCS.


Presentation Transcript


  1. Role Analysis. Viktor Kuncak, Patrick Lam, Martin Rinard. MIT LCS.

  2. Process Scheduler Example (figure legend: RP = Running Process, SP = Suspended Process)

  3-5. Process Scheduler Example
  (figures: the running processes form a list of RP objects linked by next and prev fields; the suspended processes form a tree rooted at an R object whose SP nodes are linked by left and right fields; the last of the three slides shows the same structures after one process has moved from the list into the tree)

  6. Remarks
  • Desirable to capture the distinction between suspended and running processes
  • Standard types are unsuitable
    • Type is fixed for the lifetime of an object
    • Scheduler suspends and resumes processes
  • Concept of a role
    • Statically verifiable property of an object
    • Captures the current conceptual purpose of the object
    • Role changes as the object's purpose changes

  7. Goal
  Develop a static type system in which each object is assigned a role, and in which program actions can change object roles.

  8. Challenges
  • Aliasing: ensure that role changes performed using one alias are correctly reflected in the roles seen through other aliases
  • Procedures: a compositional interprocedural role system

  9. Basic Approach
  • Develop a role system in which the role of each object depends on its heap aliases
  • Role provides aliasing information
    • Enables the checker to ensure that role changes are compatible with all aliases
  • Role reflects the object's participation in different data structures
    • Role changes as the object moves between data structures

  10. Role Definition for Running Processes
    role RP {
      (sequence of heap referencing constraints)
    }
  (figure legend: RP = Running Process)

  11-12. Slot Constraints
    role RP {
      slots RP.next, RP.prev;
      ...
    }
  Slot constraints identify the complete set of heap aliases of the object.
  (figure: an RP object referenced by exactly two heap fields, the next field of one RP and the prev field of another RP)

  13-14. Field Constraints
    role RP {
      slots RP.next, RP.prev;
      fields next : RP, prev : RP;
      ...
    }
  Field constraints identify the roles of the objects to which fields refer.
  (figure: the RP object's own next and prev fields refer to RP objects)

  15-16. Identity Constraints
    role RP {
      slots RP.next, RP.prev;
      fields next : RP, prev : RP;
      identities next.prev, prev.next;
    }
  Identities identify cycles of length two.
  (figure: following next and then prev, or prev and then next, returns to the same RP object)

  17. Role Definition for Running Processes
    role RP {
      slots RP.next, RP.prev;
      fields next : RP, prev : RP;
      identities next.prev, prev.next;
    }
  (figure: the running process list, every object of which satisfies RP)

  18. Roles as Constraints
  • Each constraint C(o) is a predicate on objects
  • A role is the logical conjunction of its defining constraints
  • Constraints can be recursive!
    role RP {
      slots RP.next, RP.prev;
      fields next : RP, prev : RP;
      identities next.prev, prev.next;
    }

  19. Semantics of Role Constraints
  • A constraint is interpreted in the context of a role assignment (a mapping from objects to role names)
  • A heap is role consistent iff there exists a role assignment in which every object satisfies its role

  20-30. Roles for Suspended Processes
  The slides build the two definitions up one constraint at a time: first the slots of SP (R.left, then R.right, SP.left and SP.right, combined with | as alternatives), then the field constraints of SP and of the root role R, and finally the acyclicity constraint.
    role R {
      fields left : SP|null, right : SP|null;
    }
    role SP {
      fields left : SP|null, right : SP|null;
      slots R.left | R.right | SP.left | SP.right;
      acyclic left, right;
    }
  acyclic left, right: no cyclic paths of the form (left+right)*
  (figure: the suspended process tree, rooted at an R object, with SP nodes linked by left and right)

  31. Programming with Roles

  32-35. Role Changes
  • To suspend a process
    • Remove it from the running process list
    • Insert it into the suspended process tree
  Isolated object: role I { }
  (figures: the process is first unlinked from the running list and becomes an isolated object with role I, then is linked into the suspended process tree as an SP)

  36-41. Removing a Process from List
    remove(p : RP) {
      pp = p.prev;
      pn = p.next;
      pp.next = pn;
      pn.prev = pp;
      p.next = null;
      p.prev = null;
      pp = null;
      pn = null;
      setRole(p : I);
    }
  (figures: the statements are stepped through on a running list: pp and pn are bound to p's neighbours, the neighbours are linked to each other, p's next and prev are cleared, and finally p's role changes from RP to I)
  The programming model expects the programmer to indicate role changes.

  42. Programming Model Based On Instrumented Semantics
  • Role assignment is part of the program state
    • Each object has a nominal role
    • setRole(p : R) updates the role assignment
  • Programmer responsibilities
    • Specify the intended role assignment
    • Write a role-consistent program
  • Static role checking ensures
    • Programs are role-consistent
    • No dynamic overhead is incurred

  43-44. Temporary Role Violations
  (figures: the remove procedure of slide 36, stopped after pp.next = pn; pn.prev = pp, with p, pp and pn labelled)
  Data structure updates often temporarily violate the nominal roles of the updated objects.
  What do nominal roles mean during these updates?

  45. Temporary Role Violations
  Observation: objects with temporarily violated roles are referenced by local variables.
  (figure: the same intermediate state, with p, pp and pn the only objects whose roles are violated)

  46-48. Onstage and Offstage Objects
  onstage objects = objects referenced by local variables (here p, pp and pn); the remaining objects are offstage
  • Onstage objects may have their roles temporarily violated.
  • Roles of offstage objects must be correct assuming the nominal roles of onstage objects.
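The following is an added example, not code from the paper or the slides: the paper checks role consistency statically, whereas this block evaluates the slide 18-19 constraints (slots, fields, identities, acyclic) dynamically on a constructed scheduler heap, runs the remove procedure of slide 36 with its onstage set tracked explicitly, and applies the slide 48 rule that offstage objects must satisfy their roles under the nominal roles of onstage objects. Assumptions not stated on the slides: every object is one Process class carrying all four fields; a slot list is matched one-to-one against the incoming heap references; and a field not listed under fields must be null (which is what makes role I { } an isolated object). Names such as make_scheduler, check_heap and insert_suspended are this example's own.

```python
from typing import Dict, List, Optional, Set, Tuple

Heap = Dict[str, Dict[str, Optional[str]]]  # object id -> {field: referenced id or None}
Roles = Dict[str, str]                      # object id -> nominal role name
FIELDS = ("next", "prev", "left", "right")  # assumption: one class with all four fields

# Role definitions transcribed from the slides. Each slot is the set of (role, field)
# alternatives one incoming heap reference may come from; the slot list is the complete
# set of heap aliases. Assumption: a field not listed under "fields" must be null.
ROLE_DEFS = {
    "RP": dict(slots=[{("RP", "next")}, {("RP", "prev")}],
               fields={"next": {"RP"}, "prev": {"RP"}},
               identities=[("next", "prev"), ("prev", "next")], acyclic=()),
    "I": dict(slots=[], fields={}, identities=[], acyclic=()),  # isolated object
    "R": dict(slots=[], fields={"left": {"SP", None}, "right": {"SP", None}},
              identities=[], acyclic=()),
    "SP": dict(slots=[{("R", "left"), ("R", "right"), ("SP", "left"), ("SP", "right")}],
               fields={"left": {"SP", None}, "right": {"SP", None}},
               identities=[], acyclic=("left", "right")),
}

def _match_slots(incoming: List[Tuple[str, str]], slots: list) -> bool:
    """True iff the incoming aliases pair off one-to-one with the slots."""
    if len(incoming) != len(slots):
        return False
    if not incoming:
        return True
    first, rest = incoming[0], incoming[1:]
    return any(first in s and _match_slots(rest, slots[:i] + slots[i + 1:])
               for i, s in enumerate(slots))

def _on_cycle(heap: Heap, o: str, fields: Tuple[str, ...]) -> bool:
    """Does some path from o along the given fields lead back to o?"""
    stack, seen = [o], set()
    while stack:
        cur = stack.pop()
        for f in fields:
            t = heap[cur][f]
            if t == o:
                return True
            if t is not None and t not in seen:
                seen.add(t)
                stack.append(t)
    return False

def check_object(heap: Heap, roles: Roles, o: str) -> List[str]:
    """Violations of o's nominal role, judged against everyone's nominal roles."""
    d, bad = ROLE_DEFS[roles[o]], []
    incoming = [(roles[s], f) for s, fs in heap.items() for f, t in fs.items() if t == o]
    if not _match_slots(incoming, d["slots"]):
        bad.append(f"{o}: slots: aliases {incoming} do not match {d['slots']}")
    for f in FIELDS:
        t = heap[o][f]
        allowed = d["fields"].get(f, {None})
        if (None if t is None else roles[t]) not in allowed:
            bad.append(f"{o}: field {f} -> {t} not in {allowed}")
    for f, g in d["identities"]:
        t = heap[o][f]
        if t is not None and heap[t][g] != o:
            bad.append(f"{o}: identity {f}.{g} broken")
    if d["acyclic"] and _on_cycle(heap, o, d["acyclic"]):
        bad.append(f"{o}: acyclic {d['acyclic']} violated")
    return bad

def check_heap(heap: Heap, roles: Roles, onstage: Set[str] = frozenset()) -> List[str]:
    """Slide 48: offstage objects must satisfy their roles assuming the nominal roles
    of the onstage objects; onstage objects themselves may be temporarily violated."""
    return [v for o in heap if o not in onstage for v in check_object(heap, roles, o)]

def make_scheduler() -> Tuple[Heap, Roles]:
    """Constructed heap: circular running list p1..p4 and suspended tree r, s1..s3."""
    def obj(**f):
        return {k: f.get(k) for k in FIELDS}
    heap = {"p1": obj(next="p2", prev="p4"), "p2": obj(next="p3", prev="p1"),
            "p3": obj(next="p4", prev="p2"), "p4": obj(next="p1", prev="p3"),
            "r": obj(left="s1", right="s2"), "s1": obj(left="s3"), "s2": obj(), "s3": obj()}
    roles = {"p1": "RP", "p2": "RP", "p3": "RP", "p4": "RP",
             "r": "R", "s1": "SP", "s2": "SP", "s3": "SP"}
    return heap, roles

def remove(heap: Heap, roles: Roles, p: str) -> Dict[str, List[str]]:
    """remove(p : RP) from slide 36 with the onstage set made explicit. Returns the
    checks taken half-way through, when p's nominal role RP is temporarily violated."""
    pp, pn = heap[p]["prev"], heap[p]["next"]  # onstage objects: p, pp, pn
    heap[pp]["next"] = pn
    heap[pn]["prev"] = pp
    midway = {"offstage": check_heap(heap, roles, onstage={p, pp, pn}),
              "strict": check_heap(heap, roles)}  # no exemption: reports p (and pn)
    heap[p]["next"] = None
    heap[p]["prev"] = None
    roles[p] = "I"  # setRole(p : I); pp and pn are nulled, so only p stays onstage
    return midway

def insert_suspended(heap: Heap, roles: Roles, p: str, parent: str) -> None:
    """Link an isolated process into the empty left slot of a tree node; setRole(p : SP)."""
    assert roles[p] == "I" and heap[parent]["left"] is None
    heap[parent]["left"] = p
    roles[p] = "SP"
```

On the constructed heap the initial check passes; half-way through remove the strict check reports p (no heap aliases at all, so its two slots are unfilled) while the offstage check passes, because the only violated objects are the onstage p, pp and pn; after setRole(p : I) and again after insert_suspended the whole heap is consistent. Breaking the tree afterwards (for instance pointing s3.right back at s1) is reported as both a slot violation on s1 and an acyclic violation on s3.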

  49. Role Checking

  50. Procedure Interfaces
  • Each procedure has an interface
    • Precondition
      • Property of the heap at the start of the procedure
      • Specifies the initial dataflow fact for the analysis
    • Abstraction of the actions of the procedure
      • Read effects (accessed region of the heap)
      • Write effects
        • Changes to heap references
        • Nominal role changes
