Presentation is loading. Please wait.

Presentation is loading. Please wait.

Filipe Militão 1,2 Filipe Militão 1,2 Jonathan Aldrich 1 Luís Caires 2 1 Carnegie Mellon University Pittsburgh, USA 2 CITI / Dep. Informática FCT-UNL,

Published byEdmund Boone Modified over 9 years ago

Similar presentations

Presentation on theme: "Filipe Militão 1,2 Filipe Militão 1,2 Jonathan Aldrich 1 Luís Caires 2 1 Carnegie Mellon University Pittsburgh, USA 2 CITI / Dep. Informática FCT-UNL,"— Presentation transcript:

1 Filipe Militão 1,2 Filipe Militão 1,2 Jonathan Aldrich 1 Luís Caires 2 1 Carnegie Mellon University Pittsburgh, USA 2 CITI / Dep. Informática FCT-UNL, Portugal FTfJP 2010 – Maribor, Slovenia (June 22 nd 2010)

2 What is an object protocol ?What is an object protocol ?  Type-check Object-Oriented Languages  Some objects define protocols : clients are required to obey specific sequences in calls to that object  Example: File  call close after open, not before.  Goal: check protocol correctness statically 2

3 open() close() T YPE S TATE tracks protocolsT YPE S TATE tracks protocols  T YPES to reason about S TATE  File example ( P LAID –like syntax: explicit states ): none open()[ File >> OpenFile ] { … } File Open File Open File Closed File Closed File none close()[ OpenFile >> ClosedFile ] { … } 3 receiver pre -state receiver pre -state receiver post -state receiver post -state

4 The aliasing problemThe aliasing problem  How to handle state transitions if there are aliases ?  How to express aliasing information ? none openThese(File>>OpenFile a, File>>OpenFile b)[…]{ a.open(); b.open(); } What if a and b point to the same object? File 4

5 Aliasing descriptorsAliasing descriptors  aliasing descriptors – fixed number of tags  Example (access permissions): unique  full * pure unique File  full File * pure File  Each permission puts methods into separate sets  Are these permissions enough? More sets ?  Do we always need that many? Always meaningful?  Are they too complex to use? 5

6 Introducing V IEWS  Each V IEW is:  a portion/partition of the full object  unique (with only one single owner/alias)  checked separately of other views  V IEWS are small chunks of an object object view 6 client

7 Beyond unique V IEWS  Allow unbounded sharing of (replicable) V IEWS :  single owner  read + write  multiple owners  read  track sharing using fractions [Boyland2003] 7 R + W R R R R 1 1/ 2 1/ 4 collecting all restores write access 1/ 2 1/ 4

8 Goals of this workGoals of this work  Merge S TATE and A LIASING C ONTROL in a single abstraction: V IEWS  More generic ( …beyond aliasing descriptors )  Improved clarity ( more tightly modeling the designer’s intent )  More fine grained permission control  Type system  Type based verification of correct use of object protocols using views 8

9 Pair ExamplePair Example A Pair is a group of two elements: Left & Right 9

10 Pair InitializationPair Initialization E MPTY P AIR E MPTY L EFT E MPTY R IGHT L EFT R IGHT setLeftsetRight 10 Splits / Merges (symmetric) Transitions (asymmetric) N OT INITIALIZE D N OT INITIALIZE D

11 accessible fields ( private ) Syntax class EmptyPair { /* view declarations */ view EmptyLeft { none l; } view EmptyRight { none r; } view Pair { L l; R r; } view Right { R r; } view Left { L l; } /* view equations */ EmptyPair = EmptyLeft * EmptyRight Pair = Left * Right /* methods */ none setLeft(L>>none x)[EmptyLeft>>Left]{ this.l = x; } //... } V IEW D ECLARATIONS V IEW E QUATIONS M ETHOD D ECLARATIONS C LASS C ODE 11 new EmptyPair() contains union of all view fields initially set to null  empty type : none x taken by the method body! equations ( public ) checked for consistency

12 none auto_init(EmptyLeft>>Left l, EmptyRight>>Right r) [none>>none]{ l.setLeft( new L() ); r.setRight( new R() ); } r : EmptyRight l : EmptyLeft l : Leftr : EmptyRight l : Leftr : Right Transitions 12 No access to this

13 none init()[EmptyPair >> Pair] { this.auto_init(this,this); } Splitting & MergingSplitting & Merging this : EmptyPair this : none * EmptyLeft * EmptyRight this : none * Left * Right this : Pair //view equations EmptyPair = EmptyLeft * EmptyRight Pair = Left * Right this : none * EmptyPair 13 borrows each view

14 none method()[Pair>>Pair]{ this.destroyX(this.r); } none destroyX(R>>none x)[Pair>>Pair]{ … } Problem: Pack / UnpackProblem: Pack / Unpack  Disallow simultaneous access to this and its fields this XOR FIELDS illegal call! x would be a partial alias of this ! illegal call! x would be a partial alias of this ! 14 this: Pair this.r: R

15 none pair-method()[Pair>>Pair]{ this.inspectR(this.r); } none inspectR(R>>R x)[Left>>Left] { … } Pack / UnpackPack / Unpack 15 this: Pair this: Left * Rightthis: Left this.r: R Unpack only requires Left and not Pair legal call!

16 Lamp Example  Unique owner to modify the state of the Lamp  Unbounded reading of its light intensity value 16

17 Lamp class LampOff { view LampOn { Integer bulb; } view StaticLamp { const Integer bulb; } LampOn = StaticLamp! //… } const – immutable, safe to duplicate LampOn = StaticLamp! READ + WRITE READ ONLY full (1) StaticLamp partial (1/2) StaticLamp Single Writer XOR Multiple Readers 17 Replicable! All collected, full fraction All collected, full fraction

18 Fractions N!N! N/ * N/ N/ * N// * N// 18

19 Lamp class LampOff { view LampOn { Integer bulb; } view StaticLamp { const Integer bulb; } LampOn = StaticLamp! none turnOn() [ LampOff >> LampOn ] { … } none turnOff()[ LampOn >> LampOff ] { … } Integer getLightIntensity() [ StaticLamp? >> StaticLamp? ] { bulb } } works with any generic fraction (both full and partial) works with any generic fraction (both full and partial) 19

20 Cell Example  Cell containing one Lamp 20

21 Cell class EmptyCell { view ReadOnly { const StaticLamp! lamp; } view FilledCellOff { LampOff lamp; } view FilledCellOn { LampOn lamp; } FilledCellOn = ReadOnly! Integer readIntensity()[ReadOnly? >> ReadOnly?] { … } //… } field type must also be replicable (!) 21

22 Type SystemType System 22

23 none m1(ReadOnly! >> ReadOnly! x ) [none >> none]{ this.n(x,x,x); } x: ReadOnly! x: ReadOnly/ * ReadOnly/ x: ReadOnly/ * ReadOnly// * ReadOnly// x: ReadOnly/ * ReadOnly/ x: ReadOnly! none n( ReadOnly >> ReadOnly a, ReadOnly >> ReadOnly b, ReadOnly >> ReadOnly c )[none>>none] { … } Call ( ? Instantiation ) ? / // 23

24 none cell-method()[ReadOnly!>>ReadOnly!]{ this.checkLamp(this.lamp); } this: ReadOnly! this: ReadOnly/ * ReadOnly/ this: ReadOnly/ this.lamp const : StaticLamp/ this: ReadOnly/ none checkLamp( StaticLamp? >> StaticLamp? x)[ ReadOnly? >> ReadOnly? ] { … } view ReadOnly { const StaticLamp! lamp; } Pack / UnpackPack / Unpack 24

25 Related WorkRelated Work  Bierhoff & Aldrich, M ODULAR T YPE S TATE C HECKING O F A LIASED O BJECTS ( 2007 ).  Caires, S PATIAL -B EHAVIORAL T YPES F OR C ONCURRENCY A ND R ESOURCE C ONTROL I N D ISTRIBUTED S YSTEMS ( 2008 ).  Qi & Myers, M ASKED T YPES F OR S OUND O BJECT I NITIALIZATION ( 2009 ).  Leino, D ATA G ROUPS : S PECIFYING T HE M ODIFICATION O F E XTENDED S TATE ( 1998 ). 25

26 S INGLE C ELL S INGLE C ELL Future Work: coordination 26 READER WRITE R S HARED BUFFER Full Empt y coordinator

27 Future Work: coordination Full Empt y 27 READER WRITE R S HARED BUFFER coordinator E MPTY ? I can write ! E MPTY ? I can write ! F ULL ? I can read ! F ULL ? I can read !

28 Summary  V IEWS - new abstraction merges state and aliasing  multiple readers  single writer  readers counted using fractions  brief introduction of the type system  more details in the paper: Filipe Militão, Jonathan Aldrich, Luís Caires Aliasing control with view-based typestate 28

Download ppt "Filipe Militão 1,2 Filipe Militão 1,2 Jonathan Aldrich 1 Luís Caires 2 1 Carnegie Mellon University Pittsburgh, USA 2 CITI / Dep. Informática FCT-UNL,"

Similar presentations

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Chapter 3 – Lists A list is just what the name implies, a finite, ordered sequence of items. Order indicates each item has a position. A list of size 0.

Chapter 3 – Lists A list is just what the name implies, a finite, ordered sequence of items. Order indicates each item has a position. A list of size 0.
Lecture 5: Interfaces.

Lecture 5: Interfaces.
CS18000: Problem Solving and Object-Oriented Programming.

CS18000: Problem Solving and Object-Oriented Programming.
Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,

Constraint Semantics for Abstract Read Permissions 28 th July 2014, FTfJP, Uppsala John Tang Boyland (UW-Milwaukee/ETH Zurich) Peter Müller, Malte Schwerhoff,
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
Chapter 10 Introduction to Arrays

Chapter 10 Introduction to Arrays
Lightweight Abstraction for Mathematical Computation in Java 1 Pavel Bourdykine and Stephen M. Watt Department of Computer Science Western University London.

Lightweight Abstraction for Mathematical Computation in Java 1 Pavel Bourdykine and Stephen M. Watt Department of Computer Science Western University London.
Inferring Object Invariants Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research January 21, 2005 AIOOL 2005 Paris,

Inferring Object Invariants Bor-Yuh Evan ChangK. Rustan M. Leino University of California, BerkeleyMicrosoft Research January 21, 2005 AIOOL 2005 Paris,
INLS 560 – D ICTIONARIES Instructor: Jason Carter.

INLS 560 – D ICTIONARIES Instructor: Jason Carter.
AN EXCEPTION AWARE BEHAVIORAL TYPE SYSTEM FOR OBJECT-ORIENTED PROGRAMS Filipe Militão and Luís Caires CITI / Departamento de Informática Universidade Nova.

AN EXCEPTION AWARE BEHAVIORAL TYPE SYSTEM FOR OBJECT-ORIENTED PROGRAMS Filipe Militão and Luís Caires CITI / Departamento de Informática Universidade Nova.
Verifying Correct Usage of Atomic Blocks and Typestate Nels E. Beckman Nels E. Beckman, Kevin Bierhoff, and Jonathan Aldrich Carnegie Mellon University.

Verifying Correct Usage of Atomic Blocks and Typestate Nels E. Beckman Nels E. Beckman, Kevin Bierhoff, and Jonathan Aldrich Carnegie Mellon University.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
OOP in Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

OOP in Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Introduction to Structured Query Language (SQL)

Introduction to Structured Query Language (SQL)
Introduction to Sets. A set is just a collection of stuff But the stuff must be written inside curly braces Each item in the curly braces is separated.

Introduction to Sets. A set is just a collection of stuff But the stuff must be written inside curly braces Each item in the curly braces is separated.
Modular Typestate Checking for Concurrent Java Programs Nels E. Beckman Carnegie Mellon University (Advised by Jonathan Aldrich)

Modular Typestate Checking for Concurrent Java Programs Nels E. Beckman Carnegie Mellon University (Advised by Jonathan Aldrich)
Chair of Software Engineering Concurrent Object-Oriented Programming Prof. Dr. Bertrand Meyer Lecture 9: Contracts and Inheritance (based on work with.

Chair of Software Engineering Concurrent Object-Oriented Programming Prof. Dr. Bertrand Meyer Lecture 9: Contracts and Inheritance (based on work with.

Similar presentations

Ads by Google