A Type System for Borrowing Permissions Karl Naden, Rob Bocchino Jonathan Aldrich, Kevin Bierhoff POPL – January 27, 2012 School of Computer Science.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

CPSC 388 – Compiler Design and Construction
Exercise 1 Generics and Assignments. Language with Generics and Lots of Type Annotations Simple language with this syntax types:T ::= Int | Bool | T =>
Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,
Chapter 10 Introduction to Arrays
Filipe Militão 1,2 Filipe Militão 1,2 Jonathan Aldrich 1 Luís Caires 2 1 Carnegie Mellon University Pittsburgh, USA 2 CITI / Dep. Informática FCT-UNL,
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
External Uniqueness Presented by Nir Atias Dave Clarke Tobias Wrigstad Encapsulation Seminar 2006.
Verifying Correct Usage of Atomic Blocks and Typestate Nels E. Beckman Nels E. Beckman, Kevin Bierhoff, and Jonathan Aldrich Carnegie Mellon University.
Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington.
Chapter 2: Algorithm Discovery and Design
Strict Bidirectional Type Checking Adam Chlipala, Leaf Petersen, and Robert Harper.
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.
Modular Typestate Checking for Concurrent Java Programs Nels E. Beckman Carnegie Mellon University (Advised by Jonathan Aldrich)
1 Islands : Aliasing Protection In Object-Oriented Languages By : John Hogg OOPSLA 91 Aharon Abadi.
Programming Fundamentals (750113) Ch1. Problem Solving
Guide To UNIX Using Linux Third Edition
Introduction to Unix (CA263) Introduction to Shell Script Programming By Tariq Ibn Aziz.
Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631.
Chapter 2: Algorithm Discovery and Design
Chapter 2: Algorithm Discovery and Design
Chapter 3 Planning Your Solution
Cloud MapReduce : a MapReduce Implementation on top of a Cloud Operating System Speaker : 童耀民 MA1G Authors: Huan Liu, Dan Orban Accenture.
1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.
INTRODUCTION TO PROGRAMMING STRUCTURE Chapter 4 1.
Copyright © 2000, Department of Systems and Computer Engineering, Carleton University 1 Introduction Structures are somewhat like an array in that.
Chapter 2: Algorithm Discovery and Design Invitation to Computer Science, C++ Version, Third Edition.
Aquinas Hobor and Cristian Gherghina (National University of Singapore) TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.:
CS162 Week 8 Kyle Dewey. Overview Example online going over fail03.not (from the test suite) in depth A type system for secure information flow Implementing.
Using Data Groups to Specify and Check Side Effects K. Rustan M. Leino, Arnd Poetzsch- Heffter, and Yunhong Zhou Presented by Jonathan Aldrich.
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
©1999 Addison Wesley Longman Slide 1.1 Business Processes 3.
An Object-Oriented Approach to Programming Logic and Design Fourth Edition Chapter 5 Arrays.
Lesson 12: Using the Recycle Bin deleting files or folders what the Recycle Bin is restoring files from the Recycle Bin emptying the Recycle Bin identifying.
Introduction to Database Systems. RHS – Why databases are important Because we use databases all the time!! –Google –Youtube –Facebook –E-shopping.
A Universe-Type-Based Verification Technique for Mutable Static Fields and Methods Alexander J Summers Sophia Drossopoulou Imperial College London Peter.
ARTIFICIAL INTELLIGENCE [INTELLIGENT AGENTS PARADIGM] Professor Janis Grundspenkis Riga Technical University Faculty of Computer Science and Information.
Chapter 6 Introduction to Defining Classes. Objectives: Design and implement a simple class from user requirements. Organize a program in terms of a view.
1 Alex Proctor and Brian Lee for CSCI 431 at UNCA, Fall 2002 ML (Meta Language) a brief introduction Alex Proctor and Brian Lee For CSCI 431 at the University.
Featherweight Generic Ownership Alex Potanin, James Noble Victoria University of Wellington Dave Clarke CWI, Netherlands Robert Biddle Carlton University.
Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.
CPS120: Introduction to Computer Science Compiling a C++ Program From The Command Line.
Just Enough Type Theory or, Featherweight Java A Simple Formal Model of Objects Jonathan Aldrich
Types and Programming Languages Lecture 11 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Programming with Microsoft Visual Basic th Edition
Semantic Analysis II Type Checking EECS 483 – Lecture 12 University of Michigan Wednesday, October 18, 2006.
Paper Title Authors names Conference and Year Presented by Your Name Date.
The single most important skill for a computer programmer is problem solving Problem solving means the ability to formulate problems, think creatively.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
1 Verification of object-oriented programs with invariants Mike Barnett, Robert DeLine, Manuel Fahndrich, K. Rustan M. Leino, Wolfram Schulte ECOOP 2003.
CS412/413 Introduction to Compilers Radu Rugina Lecture 11: Symbol Tables 13 Feb 02.
CS162 Week 8 Kyle Dewey. Overview Example online going over fail03.not (from the test suite) in depth A type system for secure information flow Implementing.
VPERM: Variable Permissions for Concurrency Verification Duy-Khanh Le, Wei-Ngan Chin, Yong-Meng Teo ICFEM, Kyoto, Japan, Nov 2012.
Chapter 2: Algorithm Discovery and Design Invitation to Computer Science.
Operational Semantics Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson
CSE Operating System Principles Protection.
Chapter 1: Preliminaries Lecture # 2. Chapter 1: Preliminaries Reasons for Studying Concepts of Programming Languages Programming Domains Language Evaluation.
Towards a Semantic Model for Java Wildcards Sophia Drossopoulou Mariangiola Dezani-Ciancaglini Imperial College London Università di Torino Italy Nicholas.
Object Invariants in Dynamic Contexts K.R.M. Leino and P. Muller : Objects and Aspects Presented by Jonathan Aldrich.
Automatic Memory Management Without Run-time Overhead Brian Brooks.
Jeremy Nimmer, page 1 Automatic Generation of Program Specifications Jeremy Nimmer MIT Lab for Computer Science Joint work with.
Chapter 14: System Protection
Chapter 9 :: Subroutines and Control Abstraction
Introduction to Computer Programming
Chap. 8 :: Subroutines and Control Abstraction
Chap. 8 :: Subroutines and Control Abstraction
Programming Fundamentals (750113) Ch1. Problem Solving
Chapter 14: Protection.
Mutation Testing The Mutants are Coming! Copyright © 2017 – Curt Hill.
Presentation transcript:

A Type System for Borrowing Permissions Karl Naden, Rob Bocchino Jonathan Aldrich, Kevin Bierhoff POPL – January 27, 2012 School of Computer Science

OpenFile xy Aliasing 2 File x=…; File y=…; … x.close(); … y.read(); ClosedFile Trade off of aliases – Pros: flexibility, performance, fields – Cons: Global effects difficult to reason about Example : Files xy ClosedFile Illegal Access

OpenFile x:uniquey:immutable OpenFile Access Permissions 3 unique File x=…; immutable File y=…; … x.close(); //close() unique … y.read(); //read() immutable ClosedFile Safe Permission associated with each reference, indicating – Actions that can be taken with this reference – How many aliases might exist and their abilities Examples: – unique (linear/affine) – full access, no other aliases – immutable (non-linear) – non-modifying access, all other aliases non-modifying – shared (non-linear) – many aliases with modifying access

Permission Use Patterns Borrowing – Make a unique reference temporarily immutable – must track aliases to ensure none leftover when regain unique Fields Use permissions to objects in fields 4 unique immutable … unique immutable Both essential for use in practice!

Existing Solutions Borrowing – Characterize Heap Explicitly Alias Types Shape Analysis – Fractional Permissions – Both powerful, but difficult to reason about Fields – Swap (awkward) – Explicit unpacking annotations (flexible but heavyweight) 5 createIterator(immutable(x) >> immutable(x/2) Collection) {…} Iterator it = createIterator(c)

Contributions Local permissions: – Permission-based borrowing No artificial arithmetic No explicit heap model – Type system to track permission flow Counting of aliases under the covers Field Unpacking – Standard aliasing semantics – No additional syntax for field reads or assignments – Implicit unpacking handled by type system 6

Outline Introduction to local Permissions – Using – Checking Unpacking Fields In the paper and TR Conclusion 7

Outline Introduction to local Permissions – Using – Checking Unpacking Fields In the paper and TR Conclusion 8

Local Permissions 9 Design criteria: Permission-based borrowing – Extend ideas of permissions: Abilities and Guarantees Local modifier to non-linear permissions – Same access and aliasing guarantees – Additional promise to only create temporary aliases Cannot store to a field

Owning and Borrowing a Car 10 Ownership – Owner has unique permission – Selling transfers the unique permission to another Person Borrowing – A person without a car can temporarily borrow one taking a local immutable permission Use – Owners or borrowers can drive a car (local immutable) – Duplicating a key creates an immutable reference class Person { borrow(local immutable Car c) {…} sell(unique >> none Car c, Person p) {…} } class Car { drive() local immutable {…} newKey() immutable {…} }

theCar:uniquetheCar:borrow(unique,1) Borrowing Solution 11 Person roger = new Person; Person sarah = new Person; Person josh = new Person; unique Car theCar = new Car(); //josh’s car roger.borrow(theCar); //borrow(local immutable) josh.sell(theCar, sarah) //sell(unique >> none, --) theCar:unique CodeTracked Permissions theCar:none Internal Permission Only Typechecks!

Incorrect Use 12 class CarThief extends Person { borrow(local immutable Car c) { c.makeKey() //makeKey() immutable } } CodeTracked Permissions c:local immutable immutable a stronger permission than local immutable – Cannot get an immutable from a local immutable TypeError – Not enough Permission!

Correct Use 13 class Inconsiderate extends Person { borrow(local immutable Car c) { local immutable Car a = c; a.drive()//drive() local immutable this.sister.borrow(c) //borrow(local immutable) //local variable ‘a’ leaves scope } } CodeTracked Permissions c:local immutablec:borrow(immutable,1) a:local immutable a:borrow(immutable,1) c:borrow(immutable,1) a:local immutable c:borrow(immutable,2) c:borrow(immutable,1) a:local immutable c:local immutable Typechecks!

Benefits of Local 14 Programmer can keep thinking in terms of permissions – What kind of permission should be provided? Do permanent aliases need to be created? Simple – No fractions or arithmetic Tracking handled by system, not by programmer – No need to try and visualize/characterize the heap

Outline Introduction to local Permissions – Using – Checking Unpacking Fields In the paper and TR Conclusion 15

Fields 16 Motivation – Using fields creates aliases! – Changes permission of references in fields Design criteria – Standard aliasing semantics – No extra syntax Implicit unpacking – Read and assign as normal – Type system tracks unpacking of fields individually

Fields 17 What is the type of ‘g’ after it no longer has a unique permission in the field ‘p1’? – Still unique, – but not a complete Garage – What about the Car in field ‘p2’? class Garage { unique Car p1; unique Car p2; } josh.sell(g.p1,sarah); //sell(unique>>none,--) g:unique Garageg:? Tracked Permissions

Unpacking Unique 18 josh.sell(g.p1,sarah); //sell(unique>>none,--) g.p2.drive(); //drive() local immutable g.p1 = new Car; me.sellG(g,sarah); //sellG(unique>>none garage, Person) g:unique Garageg:(unique;p1:none) Type Error – g not packed g:(unique;p1:none) CodeTracked Permissions g:unique g:(unique;p1:none) g:(unique;p1:none, p2:borrow(unique,1)) Typechecks! g:none Internal Only

Unpacking local 19 borrowGarage (local immutable Garage g) { local immutable Car c = g.p2; c.drive(); //drive() local immutable // c goes out of scope } g:local immutable CodeTracked Permissions g:(local immutable; p2:borrow(unique,1)) c:local immutable c:borrow(immutable,1) g:(local immutable; p2:borrow(unique,1)) c:local immutable g:local immutable Typechecks!

Benefits of Implicit Unpacking 20 Simple – No extra annotations – Natural aliasing semantics

Outline Introduction to local Permissions – Using – Checking Unpacking Fields In the paper and TR Conclusion 21

More in the Paper 22 Complete System – Shared permissions – Control flow (match) Formal System – typing rules Soundness claims – Proof in the TR Issues with published system – Several inconsistencies found post-publication – TR details problems and includes updated rules and proof

Conclusion 23 Contributions – Local permissions support borrowing in consistent simple manner No complex fractions No heap visualizations – Fields unpacked implicitly Normal aliasing semantics No extra annotations – Sound type system tracks access permissions Restore unique permission after borrowing Tracks unpacked fields Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.