Presentation is loading. Please wait.

Presentation is loading. Please wait.

Avoid a void Bertrand Meyer With major contributions by Emmanuel Stapf & Alexander Kogtenkov (Eiffel Software)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Avoid a void Bertrand Meyer With major contributions by Emmanuel Stapf & Alexander Kogtenkov (Eiffel Software)"— Presentation transcript:

1 Avoid a void Bertrand Meyer With major contributions by Emmanuel Stapf & Alexander Kogtenkov (Eiffel Software)

2 2 Basic O-O operation x. f (args) … and basic issue studied here: (If not, call produces an exception and usually termination) Semantics: apply the feature f, with given args if any, to the object to which x is attached How do we guarantee that x will always be “attached” to an object?

3 I call it my billion-dollar mistake. It was the invention of the null reference in 1965. I was designing the first comprehensive type system for references in an object- oriented language (ALGOL W). My goal was to ensure that all use of references should be safe, checked by the compiler. But I couldn't resist the temptation to put in a null reference, because it was so easy to implement. This has led to innumerable errors, vulnerabilities, and system crashes, which have probably caused a billion dollars of pain and damage in the last forty years. 3

4 Plan 1.Context 2.New language constructs 3.Achieving void safety 4.Current status 4

5 5 - 1 - Context

6 6 Source: Patrice Chalin 44.4% of Eiffel preconditions clauses are of the form x /= Void

7 7 The standards effort ECMA standard for Eiffel Approved June 2005, 2 nd edition, June 2006 ISO standard, November 2006 Mechanism described here is in EiffelStudio 6.3, Nov 2008; libraries fully adapted in 6.4, May 2009

8 8 Requirements  Minimal language extension  Statically, completely void safe  Simple for programmer, no mysterious rules  Reasonably simple for compiler  Handles genericity  Doesn’t limit expressiveness  Compatibility or minimum change for existing code  1 st -semester teachability

9 9 Lessons from Spec# work “Spec# stipulates the inference of non- [voidness] for local variables. This inference is performed as a dataflow analysis by the Spec# compiler.” (Barnett, Leino, Schulte, Spec# paper) x /= Void

10 Subject: “I had a dream” From:"Eric Bezault" ericb@gobosoft.comericb@gobosoft.com To:"ECMA TC49-TG4" Date:Thu, 4 Jun 2009 11:21 Last night I had a dream. I was programming in Eiffel 5.7. The code was elegant. There was no need for defensive programming just by taking full advantage of design by contract. Thanks to these contracts the code was easy to reuse and to debug. I could hardly remember the last time I had a call-on-void-target. It was so pleasant to program with such a wonderful language. This morning when I woke up I looked at the code that had been modified to comply with void-safety. This was a rude awakening. The code which was so elegant in my dream now looked convoluted, hard to follow. It looks like assertions are losing all their power and defensive programming is inviting itself again in the code. […] 10

11 11 - 2 - New language constructs

12 New constructs 1.Object test Replaces all “downcasting” (type narrowing) mechanisms 2. Type annotations: “attached” and “detachable” New keywords: attached, detachable (Plus: stable.) 12

13 13 The Object Test (full form) Boolean expression: attached {T } exp as x Value: True if value of exp is attached to an object of type T or conforming Plus: binds x to that value over scope of object test Name (“Object-Test Local”) Type Expression

14 14 Object Test example if attached {T } exp as x then … Arbitrary instructions… x. operation … Other instructions … end Scope of x

15 15 Object Test variants attached {T } exp as x attached exp as x attached {T } exp attached exp Same semantics as exp /= Void

16 16 Scope of x Another example of Object Test scope from … until not attached exp as x loop … Arbitrary instructions … x. some_operation … Other instructions … end

17 17 Scope of x Object test in contracts my_routine require attached exp as x and then x. some_property do … end

18 18 - 3 - Achieving void safety

19 19 A success story: static type checking We allow x. f (args) only if we can guarantee that at run time: The object attached to x, if it exists, has a feature for f, able to handle the args. Basic ideas:  Accept it only if type of x has a feature f  Assignment x := y requires conformance (based on inheritance) What if x is void?

20 20 Generalizing static type checking The goal (“void safety”): at compile time, allow x. f (args) only if we can guarantee that at run time: x is not void.

21 21 The basic rule x. f (args) is permitted only if x is attached where “attached” is a static property The rest of this discussion is about various ways to ensure that x is attached

22 22 Components of the solution 1. Some patterns guaranteed void-safe (“Certified Attachment Patterns” or CAPS) 2. Object test 3. Attached type (Issue here: initialization) 4. Rule for generic parameters

23 23 Components of the solution 1. Some patterns guaranteed void-safe (“Certified Attachment Patterns” or CAPS) 2. Object test 3. Attached type (Issue here: initialization) 4. Rule for generic parameters

24 Certified Attachment Patterns CAP: a program scheme that guarantees the void-safety of a call 24

25 25 CAP 1: conditional Consider a variable or expression e Can this be guaranteed void-safe? if e /= Void then e. operation end Answer: only if e is a local variable! (or formal argument) Not for an attribute, or a general expression. other_instructions (args) (Assume e is a variable) not assigning to e What about multithreading?

26 26 CAP 2: loop from... until x = Void loop... Any instructions not assigning to x... … (except possibly last instruction) … end x must again be a local variable or a formal argument! A CAP for x

27 27 A typical loop, now safe from x := first_element until x = Void or else Result loop Result := (x. item = sought) x := x. right end Zurich JFK Logan itemrightitemrightitemright first_element

28 CAP 3: check instruction Consider a class with the invariant and the routine r require not after do active. some_operation end 28 check active /= Void end Semantics of check  end: compiler must either prove that  holds or generate code that triggers exception if it doesn’t 0index1 after before "Boston" countcount+1 active (after) implies (active = Void)

29 29 The CAP catalog About 6 CAPs specified in the ECMA standard. Above threeare the most important. Another example: x in x /= Void implies x. some_property Criterion: simple; easy to understand; provably and obviously correct Need to be approved by committee Mathematical, machine-checked proofs desirable

30 30 CAP variant: stable attributes if e /= Void then e. operation end other_instructions not assigning to e What about multithreading? OK if e is a “stable attribute”: no routine of the class assigns to it e : SOME_TYPE note stable attribute end

31 31 Components of the solution 1. Some patterns guaranteed void-safe (“Certified Attachment Patterns” or CAPS) 2. Object test 3. Attached type (Issue here: initialization) 4. Rule for generic parameters

32 32 Using an object test for void safety if attached {T } exp as x then … Arbitrary instructions… x. operation … Other instructions … end Scope of x

33 33 The remaining goal… Minimize use of Object Test! General but impractical solution: protect every qualified feature call by an Object Test! Instead of exp. operation write if attached {T } exp as x then x. operation end

34 34 Components of the solution 1. Some patterns guaranteed void-safe (“Certified Attachment Patterns” or CAPS) 2. Object test 3. Attached type (Issue here: initialization) 4. Rule for generic parameters

35 35 Attached and detachable types For any type T, a variable declared as just x : T-- or: x : attachedT cannot be void! Type T is attached To allow void values, declare x : detachable T Type detachable T is detachable

36 Default policy Attached as a default because of “business objects”, e.g bank accounts, persons, planes… Void is useful for “Knuthware”, specifically linked structures 36

37 37 The remaining problem… How to ensure that variables declared of an attached type x : T meet that declaration, i.e. can never become void!

38 38 Conservation of attachment In x := y or r (y) -- Where formal argument is x if type of x is attached, y must be attached.

39 39 If assignment & argument passing are OK… … there remains initialization!

40 40 The initialization problem In previous Eiffel:  Basic types initialized to standard values (zero, False, null character)  Other expanded types must have default_create from ANY  References initialized to Void

41 41 Initializing variables  An attribute is attached if every creation procedure sets it.  A local variable is initialized if the beginning of the routine sets it. Scheme 1: CAP

42 42 Initializing variables Scheme 1: CAP Scheme 2: Self-initializing attributes

43 43 Digression: attributes bounding_rectangle: RECTANGLE -- Smallest rectangle including whole of current figure

44 44 Digression: attributes with contracts! bounding_rectangle: RECTANGLE -- Smallest rectangle including whole of current figure require bounded attribute ensure Result. height = height Result. width = width Result. lower_left = lower_left Result. contains (Current) end

45 45 Self-initializing attributes bounding_rectangle: FIGURE -- Smallest rectangle including whole of current figure -- (Computed only if needed) require bounded attribute create Result.set (lower_left, width, height) ensure Result. height = height Result. width = width Result. lower_left = lower_left Result. contains (Current) end … As before …

46 46 Initializing variables What if an attribute is not self-initializing? Scheme 1: CAP Scheme 2: Self-initializing attributes Scheme 3: Properly set variables

47 47 Properly set variables At any place where it is accessed, a variable must be properly set

48 48 Components of the solution 1. Some patterns guaranteed void-safe (“Certified Attachment Patterns” or CAPS) 2. Object test 3. Attached type (Issue here: initialization) 4. Rule for generic parameters

49 49 Variables of a formal generic type In class C [G ], what about variables such as x : G ? Example generic derivations: C [INTEGER ] C [EMPLOYEE ]

50 Meaning of a formal generic parameter Constrained genericity: class C [G -> T ] … Generic derivation must be C [U ], where U conforms to T Unconstrained genericity:class C [G ]  In pre-void-safe Eiffel: abbreviation for class C [G -> ANY] …  Now: abbreviation for class C [G -> detachable ANY ] … Can also use class C [G -> attached T ] 50

51 The remaining issue: arrays a : ARRAY [T ]-- Assume T is an attached type Array creation (old): create a  make (1, n) Not void-safe! 51 i j ? a (y)(y) Creation procedure now required for attached types: create a  make (1, n, default) Creation issue: classes inheriting from ARRAY.

52 52 - 4 - Current status

53 6.4, May 2009 Full mechanism supported Libraries entirely converted Environment (EiffelStudio) partly converted Compatibility option Did not switch the defaults yet 53

54 54 Basic O-O operation x. f (args) … and basic issue studied here: (If not, call produces an exception and usually termination) Semantics: apply the feature f, with given args if any, to the object to which x is attached How do we guarantee that x will always be “attached” to an object?

55 Subject: “I had a dream” From:"Eric Bezault" ericb@gobosoft.comericb@gobosoft.com To:"ECMA TC49-TG4" Date:Thu, 4 Jun 2009 11:21 Last night I had a dream. I was programming in Eiffel 5.7. The code was elegant. There was no need for defensive programming just by taking full advantage of design by contract. Thanks to these contracts the code was easy to reuse and to debug. I could hardly remember the last time I had a call-on-void-target. It was so pleasant to program with such a wonderful language. This morning when I woke up I looked at the code that had been modified to comply with void-safety. This was a rude awakening. The code which was so elegant in my dream now looked convoluted, hard to follow. It looks like assertions are losing all their power and defensive programming is inviting itself again in the code. […] 55

56 56 Requirements  Minimal language extension  Statically, completely void safe  Simple for programmer, no mysterious rules  Reasonably simple for compiler  Handles genericity  Doesn’t limit expressiveness  Compatibility or minimum change for existing code  1 st -semester teachability

57 I call it my billion-dollar mistake. It was the invention of the null reference in 1965. I was designing the first comprehensive type system for references in an object- oriented language (ALGOL W). My goal was to ensure that all use of references should be safe, checked by the compiler. But I couldn't resist the temptation to put in a null reference, because it was so easy to implement. This has led to innumerable errors, vulnerabilities, and system crashes, which have probably caused a billion dollars of pain and damage in the last forty years. 57

Download ppt "Avoid a void Bertrand Meyer With major contributions by Emmanuel Stapf & Alexander Kogtenkov (Eiffel Software)"

Similar presentations

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Exercise Session 5.

Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Exercise Session 5.
Building Bug-Free O-O Software: An Introduction to Design By Contract A presentation about Design By Contract and the Eiffel software development tool.

Building Bug-Free O-O Software: An Introduction to Design By Contract A presentation about Design By Contract and the Eiffel software development tool.
SCOOP: Simple Concurrent Object-Oriented Programming Extend the pure, strongly typed, object-oriented language Eiffel with a general and powerful concurrency.

SCOOP: Simple Concurrent Object-Oriented Programming Extend the pure, strongly typed, object-oriented language Eiffel with a general and powerful concurrency.
Eiffel: Analysis, Design and Programming Bertrand Meyer (Nadia Polikarpova) Chair of Software Engineering.

Eiffel: Analysis, Design and Programming Bertrand Meyer (Nadia Polikarpova) Chair of Software Engineering.
© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.

© Bertrand Meyer and Yishai Feldman Notice Some of the material is taken from Object-Oriented Software Construction, 2nd edition, by Bertrand Meyer (Prentice.
Control Structures Ranga Rodrigo. Control Structures in Brief C++ or JavaEiffel if-elseif-elseif-else-end caseinspect for, while, do-whilefrom-until-loop-end.

Control Structures Ranga Rodrigo. Control Structures in Brief C++ or JavaEiffel if-elseif-elseif-else-end caseinspect for, while, do-whilefrom-until-loop-end.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.

- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.
Adapted from Scott, 20061 Chapter 6:: Control Flow Programming Language Pragmatics Michael L. Scott.

Adapted from Scott, Chapter 6:: Control Flow Programming Language Pragmatics Michael L. Scott.
Chair of Software Engineering Concurrent Object-Oriented Programming Prof. Dr. Bertrand Meyer Exercise Session 1: Eiffel Introduction.

Chair of Software Engineering Concurrent Object-Oriented Programming Prof. Dr. Bertrand Meyer Exercise Session 1: Eiffel Introduction.
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 7: References and Assignment.

Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 7: References and Assignment.
Chair of Software Engineering OOSC - Summer Semester 2005 1 Object-Oriented Software Construction Bertrand Meyer Lecture 3: Abstract Data Types.

Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer Lecture 3: Abstract Data Types.
Chair of Software Engineering Constants, once routines, and helper functions these slides contain advanced material and are optional.

Chair of Software Engineering Constants, once routines, and helper functions these slides contain advanced material and are optional.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
Chair of Software Engineering OOSC - Summer Semester 2004 1 Object-Oriented Software Construction Bertrand Meyer.

Chair of Software Engineering OOSC - Summer Semester Object-Oriented Software Construction Bertrand Meyer.
Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 17: Topological Sort Algorithm.

Chair of Software Engineering Einführung in die Programmierung Introduction to Programming Prof. Dr. Bertrand Meyer Lecture 17: Topological Sort Algorithm.

Similar presentations

Ads by Google