Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using data groups to specify and check side effects K. Rustan M. Leino Microsoft Research Arnd Poetzsch-Heffter Universität Kaiserslautern Yunhong Zhou.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Using data groups to specify and check side effects K. Rustan M. Leino Microsoft Research Arnd Poetzsch-Heffter Universität Kaiserslautern Yunhong Zhou."— Presentation transcript:

1 Using data groups to specify and check side effects K. Rustan M. Leino Microsoft Research Arnd Poetzsch-Heffter Universität Kaiserslautern Yunhong Zhou HP SRC Work done at Compaq SRC 18 June 2002 PLDI’02, Berlin, Germany

2 Context Static program checker Program Warning messages Pieces of a Modular checking

3 Modular checking Modular checking Don’t assume availability of: implementations of called methods implementations of called methods all of the program’s variables all of the program’s variables Modular soundness Modular soundness Checking is sound for any extension of the program

4 … t.x = null; … Reasoning about a call method m(Queue q, T t) { t.x = new File(“input.txt”); q.Enqueue(t); char ch = t.x.ReadChar(); … Must know what the call can modify! null dereference ?

5 Modifies clause method p(x, y) modifies M; Grants the implementations of p the license to modify M

6 Information hiding public private Buffer 32 8 17 q buf head size capacity method Enlarge() modifies capacity, …; method Enqueue(x) modifies ???; Queue

7 Data groups public private Buffer 32 8 17 q buf head size capacity method Enlarge() modifies capacity, …; method Enqueue(x) modifies contents; Queue group contents; method Enqueue(x) modifies ???; The license to modify a group implies the license to modify the members of the group A data group represents a set of variables and other (nested) data groups

8 Source code private Buffer buf maps capacity into contents; private int head in contents; private int size in contents; class Queue { public group contents; public void Enqueue(object x) modifies contents; head  contents size  contents buf.capacity  contents buf capacity Queue Buffer “pivot field” Note direction of declarations

9 Summary so far modular checking modular checking modifies clauses modifies clauses information hiding information hiding data groups! data groups! next: 2 problems and proposed solutions next: 2 problems and proposed solutions

10 Problem 0 Queue q = new Queue(); buf capacity size head Queue Buffer q b method Enqueue(x) modifies contents; group contents; method Buffer m() modifies ; method Buffer m() { return buf; } Buffer b = q.m(); int c = b.capacity; q.Enqueue(5); assert c == b.capacity;

11 Solution 0: Pivot uniqueness restriction Make pivot fields unique Make pivot fields unique except permit aliasing with parameters except permit aliasing with parameters Restrict parameters likewise Restrict parameters likewise buf Queue Buffer group contents; capacity field buf maps capacity into contents method Enqueue(object x) { if (size == buf.capacity) { buf.Enlarge(); } … }

12 buf capacity size head Queue Buffer q b group contents; class Queue { … p(this, buf); … = new Queue(); = q.m(); int c = b.capacity; q.Enqueue(5); assert c == b.capacity; method p(, ) { } Queue q Buffer b Problem 1

13 For any pivot field: field buf maps capacity into contents; and method: method m(…, T x, …) modifies …, E.contents, … ; add to m the following precondition: E.buf != x Solution 1: Owner exclusion restriction

14 What’s in the paper Sound formalization Sound formalization a core object-oriented language (oolong ) a core object-oriented language (oolong ) pivot uniqueness and owner exclusion restrictions pivot uniqueness and owner exclusion restrictions translation from oolong to verification conditions translation from oolong to verification conditions

15 Related work Modifies clauses Modifies clauses Larch, CLU, frame problem, … Larch, CLU, frame problem, … Effect systems, effect inference, … Effect systems, effect inference, … Abstraction Abstraction Theory work on Simula [Hoare 1972] Theory work on Simula [Hoare 1972] Aspect [Jackson 1995] Aspect [Jackson 1995] ESC/Modula-3 specifications [Leino & Nelson 1998] ESC/Modula-3 specifications [Leino & Nelson 1998] Alias confinement Alias confinement Islands, Balloons, Flexible alias protection, … Islands, Balloons, Flexible alias protection, … Linear types, Cqual, capabilities, Vault, … Linear types, Cqual, capabilities, Vault, … Alias burying [Boyland 2001] Alias burying [Boyland 2001] Universe types [Müller & Poetzsch-Heffter 2002] Universe types [Müller & Poetzsch-Heffter 2002]

16 Summary of approach modifies clauses modifies clauses data groups data groups in, maps into in, maps into alias-confinement restrictions: alias-confinement restrictions: pivot uniqueness pivot uniqueness owner exclusion owner exclusion

17 Conclusion Knowing side effects has many applications Knowing side effects has many applications Specifying and checking side effects in modular setting is a difficult problem Specifying and checking side effects in modular setting is a difficult problem Data groups plus alias-confinement restrictions provide a solution Data groups plus alias-confinement restrictions provide a solution Sound formalization (oolong ) Sound formalization (oolong ) Implemented checker (oolong ) Implemented checker (oolong ) Current work: build checker for C# (with Viktor Kuncak) Current work: build checker for C# (with Viktor Kuncak) Needs: extension to arrays, …? Needs: extension to arrays, …?

Download ppt "Using data groups to specify and check side effects K. Rustan M. Leino Microsoft Research Arnd Poetzsch-Heffter Universität Kaiserslautern Yunhong Zhou."

Similar presentations

Verification of object-oriented programs with invariants Mike Barnett, Robert DeLine, Manuel Fahndrich, K. Rustan M. Leino, Wolfram Schulte Formal techniques.

Verification of object-oriented programs with invariants Mike Barnett, Robert DeLine, Manuel Fahndrich, K. Rustan M. Leino, Wolfram Schulte Formal techniques.
Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.
Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,

Extended Static Checking for Java Cormac Flanagan K. Rustan M. Leino Mark Lillibridge Greg Nelson James B. Saxe Raymie Stata Compaq SRC 18 June 2002 PLDI02,
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 0 Summer school on Formal Models.
Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,

Spec# K. Rustan M. Leino Senior Researcher Programming Languages and Methods Microsoft Research, Redmond, WA, USA Microsoft Research faculty summit, Redmond,
Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.

Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
CS3012: Formal Languages and Compilers Static Analysis the last of the analysis phases of compilation type checking - is an operator applied to an incompatible.

CS3012: Formal Languages and Compilers Static Analysis the last of the analysis phases of compilation type checking - is an operator applied to an incompatible.
The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.

The Spec# programming system K. Rustan M. Leino Microsoft Research, Redmond, WA, USA Distinguished Lecture Series Max Planck Institute for Software Systems.
Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.

Automated Software Verification with a Permission-Based Logic 20 th June 2014, Zürich Malte Schwerhoff, ETH Zürich.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 2 Courtesy: K. Rustan M. Leino and Wolfram Schulte.

ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 2 Courtesy: K. Rustan M. Leino and Wolfram Schulte.
Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,

Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,
Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta.

Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta.
Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington.

Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington.
K. Rustan M. Leino RiSE, Microsoft Research Typing, Analysis and Verification of Heap-Manipulating Programs Dagstuhl, Germany 20 July 2009.

K. Rustan M. Leino RiSE, Microsoft Research Typing, Analysis and Verification of Heap-Manipulating Programs Dagstuhl, Germany 20 July 2009.
JML and Class Specifications Class invariant JML definitions Queue example Running JML in Eclipse.

JML and Class Specifications Class invariant JML definitions Queue example Running JML in Eclipse.
Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of.

Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of.

Similar presentations

Ads by Google