1 / 17

Using data groups to specify and check side effects

Using data groups to specify and check side effects. K. Rustan M. Leino Microsoft Research Arnd Poetzsch-Heffter Universität Kaiserslautern Yunhong Zhou HP SRC Work done at Compaq SRC. 18 June 2002 PLDI’02, Berlin, Germany. Context. Static program checker. Pieces of a. Warning messages.

janette
Télécharger la présentation

Using data groups to specify and check side effects

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Using data groups to specify and check side effects K. Rustan M. Leino Microsoft Research Arnd Poetzsch-Heffter Universität Kaiserslautern Yunhong Zhou HP SRC Work done at Compaq SRC 18 June 2002PLDI’02, Berlin, Germany

  2. Context Staticprogramchecker Pieces of a Warningmessages Program Modularchecking

  3. Modular checking Don’t assume availability of: • implementations of called methods • all of the program’s variables • Modular soundness Checking is sound for any extension of the program

  4. Reasoning about a call method m(Queue q, T t) { t.x = new File(“input.txt”); q.Enqueue(t);char ch = t.x.ReadChar(); … …t.x = null;… null dereference ? Must know what the call can modify!

  5. Modifies clause method p(x, y)modifies M; Grants the implementations of pthe license to modify M

  6. Information hiding Queue q head 17 method Enqueue(x)modifies ???; Buffer size 8 capacity public 32 buf method Enlarge()modifies capacity, …; private

  7. Data groups Queue q A data group represents a set of variables and other (nested) data groups group contents; head 17 method Enqueue(x)modifiescontents; method Enqueue(x)modifies ???; Buffer size The license to modify a group implies the license to modify the members of the group 8 capacity public 32 buf method Enlarge()modifies capacity, …; private

  8. Queue Source code buf “pivot field” class Queue { publicgroup contents; publicvoid Enqueue(object x)modifies contents; Note direction of declarations Buffer capacity head  contents size  contents privateint head in contents;privateint size in contents; private Buffer buf maps capacity into contents; buf.capacity  contents

  9. Summary so far • modular checking • modifies clauses • information hiding • data groups! • next: 2 problems and proposed solutions

  10. Problem 0 group contents; Queue method Enqueue(x)modifies contents; Queue q = new Queue(); head method Buffer m()modifies ; Buffer b = q.m(); size int c = b.capacity; buf q.Enqueue(5); assert c == b.capacity; q Buffer method Buffer m() {return buf;} capacity b

  11. Solution 0: Pivot uniqueness restriction • Make pivot fields unique Queue Buffer capacity group contents; buf field buf maps capacity into contents • except permit aliasing with parameters method Enqueue(object x) {if (size == buf.capacity) { buf.Enlarge(); } …} • Restrict parameterslikewise

  12. int c = b.capacity; q.Enqueue(5); assert c == b.capacity; Problem 1 Queue = new Queue(); Queue q group contents; head method p( , ) { Buffer b = q.m(); size buf } q Buffer class Queue { … p(this, buf); … capacity b

  13. Solution 1: Owner exclusion restriction For any pivot field: field buf maps capacity into contents; and method: method m(…, T x, …)modifies …, E.contents, … ; add to m the following precondition: E.buf != x

  14. What’s in the paper • Sound formalization • a core object-oriented language (oolong ) • pivot uniqueness and owner exclusion restrictions • translation from oolong to verification conditions

  15. Related work • Modifies clauses • Larch, CLU, frame problem, … • Effect systems, effect inference, … • Abstraction • Theory work on Simula [Hoare 1972] • Aspect [Jackson 1995] • ESC/Modula-3 specifications [Leino & Nelson 1998] • Alias confinement • Islands, Balloons, Flexible alias protection, … • Linear types, Cqual, capabilities, Vault, … • Alias burying [Boyland 2001] • Universe types [Müller & Poetzsch-Heffter 2002]

  16. Summary of approach • modifies clauses • data groups • in, maps into • alias-confinement restrictions: • pivot uniqueness • owner exclusion

  17. Conclusion • Knowing side effects has many applications • Specifying and checking side effects in modular setting is a difficult problem • Data groups plus alias-confinement restrictions provide a solution • Sound formalization (oolong ) • Implemented checker (oolong ) • Current work: build checker for C# (with Viktor Kuncak) • Needs: extension to arrays, …?

More Related