Role Analysis Viktor Kuncak Patrick Lam Martin Rinard MIT LCS.
-
Upload
christopher-gibson -
Category
Documents
-
view
216 -
download
0
Transcript of Role Analysis Viktor Kuncak Patrick Lam Martin Rinard MIT LCS.
Role Analysis
Viktor Kuncak
Patrick Lam
Martin Rinard
MIT LCS
2
Process Scheduler Example
Running Process
RPSP
Suspended Process
3
Process Scheduler Example
Running Process List
nextRP
RP
RP
RPnext
next next
prev
prev
prev prev
Running Process
SP
Suspended Process
4
Process Scheduler Example
Running Process List
nextRP
RP
RP
RPnext
next next
prev
prev
prev prev
R
SPSP
SP SP
left right
left right
Suspended Process Tree
Suspended Process
Running Process
5
Process Scheduler Example
Running Process List
nextRP
RP
RP
SP
next next
prev
prevprev
R
SPSP
SP SP
left right
left right
Suspended Process Tree
Suspended Process
Running Process
left
6
Remarks
• Desirable to capture distinction between suspended and running processes
• Standard types unsuitable– Type is fixed for lifetime of object– Scheduler suspends and resumes processes
• Concept of a role– Statically verifiable property of an object– Capture current conceptual purpose of object– Role changes as object's purpose changes
Goal
Develop a static type system in which each object is assigned a role
Program actions can change object roles
8
Challenges
Aliasing
Ensure that role changes performed using one alias are correctly reflected in roles
of other aliases
Procedures
Compositional interprocedural role system
9
Basic Approach
• Develop a role system in which role of each object depends on its heap aliases– Role provides aliasing information– Enables checker to ensure that role
changes are compatible with all aliases
• Role reflects object’s participation in different data structures
• Role changes as object moves between data structures
10
Role Definition for Running Processes
Running Process
RP
role RP { Sequence of heap referencing constraints}
11
Slot Constraints
Running Process
RP
role RP { slots RP.next,
RP.prev; ...}
Slot constraints identifythe complete set of heapaliases of the object
12
Slot Constraints
Running Process
RP
RP
RPnext
prev
role RP { slots RP.next,
RP.prev; ...}
Slot constraints identifythe complete set of heapaliases of the object
13
Field Constraints
Running Process
RP
RP
RPnext
prev
role RP { slots RP.next,
RP.prev; fields next : RP, prev : RP; ...}
Field constraints identifyroles of objects to which
fields refer
14
Field Constraints
Running Process
RP
RP
RPnext
prev
role RP { slots RP.next,
RP.prev; fields next : RP, prev : RP; ...}
RP
RP
nextprev
Field constraints identifyroles of objects to which
fields refer
15
Identity Constraints
Running Process
RP
RP
RPnext
prev
role RP { slots RP.next,
RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next;}
RP
RP
nextprev
Identities identify cycles of length two.
16
Identity Constraints
Running Process
RP
RP
RPnext
prev
role RP { slots RP.next,
RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next;}
next
prev
Identities identify cycles of length two.
17
nextRP
RP
RP
RPnext
next next
prev
prev
prev prev
role RP { slots RP.next,
RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next;}
Role Definition for Running Processes
RP
18
Roles as Constraints
• Each constraint C(o) is a predicate on objects
• Role is a logical conjunction of its defining constraints
• Constraints can be recursive!
role RP { slots RP.next,
RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next;}
19
Semantics of Role Constraints
• Constraint is interpreted in the context of a role assignment (mapping from objects to role names)
• Heap is role consistent iff there exists a role assignment in which every object satisfies its role
20
Roles for Suspended Processes
R
SPSP
SP SP
left right
left right
Suspended Process Tree
Suspended Process
role R {
}role SP {
slots
}
21
Roles for Suspended Processes
R
SPSP
SP SP
left right
left right
Suspended Process Tree
Suspended Process
role R {
}role SP {
slots R.left
}
22
Roles for Suspended Processes
R
SP
SP SP
left right
left right
Suspended Process Tree
Suspended Process
SP
role R {
}role SP {
slots R.left R.right
}
23
Roles for Suspended Processes
R
SP
left right
left right
Suspended Process Tree
Suspended Process
SP
SP
SP
role R {
}role SP {
slots R.left R.right SP.left
}
24
Roles for Suspended Processes
Rleft right
left right
Suspended Process Tree
Suspended Process
SP SP
role R {
}role SP {
slots R.left R.right SP.left SP.right
}
SP SP
25
Roles for Suspended Processes
Rleft right
left right
Suspended Process Tree
Suspended Process
SP SP
role R {
}role SP {
slots R.left | R.right | SP.left| SP.right;
}
SP SP
26
Roles for Suspended Processes
Rleft right
left right
Suspended Process Tree
Suspended Process
SP SP
role R {
}role SP { fields left : SP right: SP slots R.left | R.right | SP.left| SP.right;
}
SP SP
27
Roles for Suspended Processes
Rleft right
left right
Suspended Process Tree
Suspended Process
SP SP
role R {
}role SP { fields left : SP|null, right: SP|null; slots R.left | R.right | SP.left| SP.right;
}
SPSP
28
Roles for Suspended Processes
Rleft right
left right
Suspended Process Tree
Suspended Process
SP SP
role R { fields left : SP|null, right: SP|null;}role SP { fields left : SP|null, right: SP|null; slots R.left | R.right | SP.left| SP.right;
}
SP SP
29
Roles for Suspended Processes
SP
SP SP
left right
Suspended Process Tree
Suspended Process
left
role R { fields left : SP|null, right: SP|null;}role SP { fields left : SP|null, right: SP|null; slots R.left | R.right | SP.left| SP.right; acyclic left, right;} No cyclic paths of the form (left+right)*
30
Roles for Suspended Processes
R
SPSP
SP SP
left right
left right
Suspended Process Tree
Suspended Process
role R { fields left : SP|null, right: SP|null;}role SP { fields left : SP|null, right: SP|null; slots R.left | R.right | SP.left| SP.right; acyclic left, right;}
Programming with Roles
32
Role Changes
• To suspend a process– Remove from running process list– Insert into suspended process tree
RP
RP
RPnext
next
prev
prev
nextRP prev
prev
R
SPSP
SP
left right
right
next
33
Role Changes
• To suspend a process– Remove from running process list– Insert into suspended process tree
RP
I
RPnext
prevprev
RP
prev
R
SPSP
SP
left right
right
nextnext
34
Role Changes
• To suspend a process– Remove from running process list– Insert into suspended process tree
RP RPnext
prevprev
RP
prev
R
SPSP
SP
left right
right
nextnext
role I { }
Isolated object:
I
35
Role Changes
• To suspend a process– Remove from running process list– Insert into suspended process tree
RP
SP
RPnext
prevprev
RP
prev
R
SPSP
SP
left right
right
next
left
next
36
Removing a Process from List
remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I);}
RP
RP
RPnext
next
prev
prev
nextRP prev
prev
p
next
37
remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I);}
Removing a Process from List
RP
RP
RPnext
next
prev
prev
nextRP prev
prev
ppp
pnnext
38
remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I);}
RP
RP
RPnext
next
prevprev
RP prev
prev next
ppp
pn
Removing a Process from List
next
39
RP
RP
RP
RPnext
prevprev
prev nextnext
ppp
pn
Removing a Process from List
remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I);}
40
RP
RP
RP
RPnext
prevprev
prev nextnext
p
Removing a Process from List
remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I);}Programming model expects programmer
to indicate role changes
41
RP
RP
I
RPnext
prevprev
prev nextnext
p
Removing a Process from List
remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I);}Programming model expects programmer
to indicate role changes
42
Programming Model Based On Instrumented Semantics
• Role Assignment Part of Program State– Each object has a nominal role– setRole(p : R) updates role assignment
• Programmer responsibilities– Specify intended role assignment– Write role-consistent program
• Static role checking ensures– Programs are role-consistent– No dynamic overhead incurred
43
RP
RP
RPnext
next
prevprev
RP prev
prev next
ppp
pn
Temporary Role Violations
Data structure updates often
temporarily violate nominal roles of updated objects
remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I);}
44
RP
RP
RPnext
next
prevprev
RP prev
prev next
ppp
pn
Temporary Role Violations
What do nominal roles mean during
these updates?
remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I);}
45
RP
RP
RPnext
next
prevprev
RP prev
prev next
ppp
pn
Temporary Role Violations
Observation:
Objects with temporarily violated roles are referenced by local variables.
46
onstage objects = objects referenced by local variables.
onstage objects
offstage objectsRP
RP
RPnext
next
prevprev
RP prev
prev next
ppp
pn
Onstage and Offstage Objects
47
Onstage objects may have their
roles temporarily violated.
onstage objects
offstage objectsRP
RP
RPnext
next
prevprev
RP prev
prev next
ppp
pn
Onstage and Offstage Objects
onstage objects = objects referenced by local variables.
48
Roles of offstage objects must be
correct assuming the nominal roles of
onstage objects.
onstage objects
offstage objectsRP
RP
RPnext
next
prevprev
RP prev
prev next
ppp
pn
Onstage and Offstage Objects
onstage objects = objects referenced by local variables.
Role Checking
50
Each procedure has an interface
• Precondition• Property of heap at start of procedure• Specifies initial dataflow fact for analysis
• Abstraction of actions of procedure– Read Effects (accessed region of heap)– Write Effects
• Changes to heap references • Nominal role changes
Procedure Interfaces
51
Two Aspects of Role Checking
• Verifying interface conformance– Assume precondition– Analyze procedure– Verify that procedure respects effects
• Using interfaces at call sites to separate analysis of caller and callee
• Each procedure analyzed exactly once
52
Role Consistency Across Procedure Calls
p
c
When analyzing a procedure:
Assume that accessed objects have consistent roles.
d
Region R accessed by
foo
foo(p) reads R { ...
}
53
Role Consistency Across Procedure Calls
At Call Site:
Use read effects of the procedure to verify that region accessed by the procedure has consistent roles
(even for onstage objects)
p
c
d
...
foo(p);
...
Region R accessed by
foo
54
Role Consistency Across Procedure Calls
p
c
When analyzing the procedure:
Verify that only objects declared in callee’s read effects are accessed.
Assume that accessed objects have correct roles.
d
Region R accessed by
foo
foo(p) reads R { ...
}
55
Role Consistency Across Procedure Calls
p
c
d
After Call Site:
The role checking assumes that region accessed in the procedure is left in a role consistent state.
...
foo(p);
...
Region R accessed by
foo
56
Role Consistency Across Procedure Calls
p
c
After analyzing the procedure:
Verify that objects in accessed region are left in role consistent state (implicit postcondition)
d
foo(p) reads R { ...
}
Region R accessed by
foo
Verifying Interface Conformance
58
RP
RP
RPn
p
RP
n p
p
Analysis Abstraction
RP
n
p
n
p
p
RPn
p
np
n
p
Concrete Heap
(objects and references)
Analysis Representation:Role Graph
(nodes and edges)
59
RP
RP
RPn
p
RP
n p
p
Role Graph
RP
n
p
n
p
p
RPn
p
np
n
p
Concrete Heap Role Graph
Onstage node(represents a
single onstage object)
60
RP
RP
RPn
p
RP
n p
p
Role Graph
RP
n
p
n
p
p
RPn
p
np
n
p
Summary Offstage Node (represents any
number of objects)
Concrete Heap Role Graph
61
RP
RP
RPn
p
RP
n p
p
Abstraction Relation
RP
n
p
n
p
p
RPn
p
np
n
p
Each onstage object represented by an
onstage node
Concrete Heap Role Graph
62
RP
RP
RPn
p
RP
n p
p
Abstraction Relation
RP
n
p
n
p
p
RPn
p
np
n
p
Concrete Heap Analysis Representation:Role GraphOffstage objects are
represented by offstage nodes
63
RP
RP
RPn
p
RP
n p
p
Abstraction Relation
RP
n
p
n
p
p
RPn
p
np
n
p
The function is• a graph homomorphism• isomorphism between onstage objects and nodes• role preserving: role(h(o)) = role(o)
64
Initial roles: p : RP
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Interface for remove
RPp
RP
Initial Role Graph
65
Initial roles: p : RPRead effects: p, RP
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Interface for remove
RPp
RP
Initial Role Graph
66
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = null
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Interface for remove
RPp
RP
Initial Role Graph
67
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Interface for remove
RPp
RP
Initial Role Graph
68
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Interface for remove
RPp
RP
Initial Role Graph
69
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
Load statement
70
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
Load statement
• expansion
RPpp
71
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
Load statement
• expansion
• read effect check succeeds: RP in read effects
RPp
RP
RPpp
72
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
RPpp
Load statement
• expansion
• read effect check succeeds: RP in read effects
73
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
RPpp
RPpn
Load statement
• expansion
• read effect check succeeds: RP in read effects
74
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
RPpp
RPpn
Store statement
75
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
RPpp
RPpn
Store statement
• strong update
76
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
RPpp
RPpn
Store statement
• strong update
• verify write effect succeeds: RP.next = RP
77
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
RPpp
RPpn
Store statement
78
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
RPpp
RPpn
Store statement
• strong update
• verify write effect succeeds: RP.prev = RP
79
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
RPpp
RPpn
Store statement
80
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
RPpp
RPpn
Store statement
• strong update
• verify write effect succeeds: p.next=null
81
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
RPpp
RPpn
Store statement
• strong update
• verify write effect succeeds: p.prev=null
82
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
RP
RPpn
Local variable assignment
• remove local variable
83
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
RP
RPpn
Local variable assignment
• remove local variable (node goes offstage)
• check role is correct
84
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP RPpn
Local variable assignment
• remove local variable (node goes offstage)
• check role is correct
• merge node into offstage
85
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
RPp
RP
Local variable assignment
• remove local variable (node goes offstage)
• check role is correct
• merge node into offstage
86
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
Ip
RP
setRole
• change the nominal role
87
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
Ip
RP
setRole
• change the nominal role
• check that the role change is in the interface
88
Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);
}
Verifying Interface for remove
Ip
RP
Postcondition check:
• all accessed nodes have referencing relationships consistent with their roles
• even onstage nodes
89
Details of Analysis
• Dataflow fact is set of role graphs
• Merge is union of role graph sets
• Predicative analysis - filters out graphs that do not satisfy the test in conditional
• Builds on ideas from shape analysis– Expansion and contraction– May reachability (from onstage nodes)
prevents excessive merging of nodes
Using Interfaces at Call Sites
91
Example: remove procedure call . . .
remove(p);
. . .RP
p
RP
RPRP
c
Role graph before the call:
RP
RP
p
Read effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove interface:
92
Context Matching . . .
remove(p);
. . .RP
p
RP
RPRP
c
Role graph before the call:
RP
RP
p
Read effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove interface:
93
Role Check in Accessed Region . . .
remove(p);
. . .RP
p
RP
RPRP
c
Role graph before the call:
RP
RP
p
Read effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove interface:
94
Applying Must Write Effects . . .
remove(p);
. . .RP
p
RP
RPRP
c
RP
RP
p
Read effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove interface:
95
Applying Must Write Effects . . .
remove(p);
. . .RP
p
RP
RPRP
c
RP
RP
p
Read effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove interface:
96
Applying May Write Effects . . .
remove(p);
. . .RP
p
RP
RPRP
c
RP
RP
p
Read effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove interface:
97
Applying Must Role Change . . .
remove(p);
. . .I
p
RP
RPRP
c
RP
RP
p
Read effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove interface:
98
Enforcing Role Constraints . . .
remove(p);
. . .
p
RP
RPRP
c
RP
RP
p
Read effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove interface:
I
99
Enforcing Role Constraints . . .
remove(p);
. . .
p
RP
RPRP
c
RP
RP
p
Read effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove interface:
I
100
Merge . . .
remove(p);
. . .
p
RPRP
c
RP
RP
p
Read effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:
RP.next = RP, RP.prev = RP
Must role changes: p : I
remove interface:
Role graph after the call:
I
101
Key Ideas in Analysis
• Role of object characterizes its aliases– Enables analysis to find aliases– Verify new role consistent with all aliases
• Precise effects in procedure interfaces– Full precision for parameters
(or even fixed region surrounding parameters)
– Role consistency/may effects for rest of heap
102
Multiple Simultaneous Roles
RP
RP
RP
RP
R
SP SP
SP SP
Running Processes Suspended Processes
103
Multiple Simultaneous Roles
RP
RP
RP
RP
R
SP SP
SP SP
Running Processes Suspended Processes
HP
High Priority Process List
HP
Low Priority Process List
LP LP
proc proc proc proc
104
Complete Slot Constraints
• This slot constraint specifies ALL aliases
• Aliases from high or low priority process lists violate role
role RP { slots RP.next,
RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next;}
105
Partial Slot Constraints
• This slot constraint specifies aliases from next, prev, right, and left fields ONLY
• Aliases from high or low priority process lists can be used in new role definitions for high and low priority processes
role RP { next, prev, right, left: slots RP.next, RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next;}
106
role RP { next, prev, right, left : slots RP.next,
RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next;}
role HighPriority { proc : slots HPL.proc;}
role LowPriority { proc : slots LPL.proc;}
Multiple Simultaneous Roles
Can have a running high priority process, a running low priority process, etc.
107
Benefits of Roles• Data structure consistency properties• Object usage constraints
– Procedures specify roles of parameters– Object's interface changes as its role
changes
• Roles crystallize useful perspective– Provide useful information to maintainers– Basis for exploration of the behavior of
program via dynamic role discovery – Help programmers conceptualize
relationships between objects
Related Work
109
Typestate
• Strom, Yemini ’86: Typestate– object initialization, no aliasing
• DeLine, Fähndrich ’01: High-Level Protocols– linear types for heap references
• Xu, Miller, Reps ’00: Typestate for machine code
110
Dynamically Changing Classes• Chambers ‘93: Predicate Classes
• Ghelli, Palmerini ‘99: Fibonacci
• Drossopoulou et al. ’01: Fickle
Alias Control in OOP• Hogg ’91: Islands• Almeida ’97: Balloon Types• Clarke, Potter, Noble ’98: Ownership Types• Banerjee, Naumann ’02: Confinement• Boyapati, Rinard ’01: Unique References• Boyland: Alias Burying
111
Specifying/Verifying Heap Invariants
• Smith, Walker, Morrisett ’00: Alias Types• Møller, Schwartzbach ’01: PALE• Fradet, Metayer ’97: Shape Types• Larus, Hilfinger ’88: Conflicts in structure accesses• Chase, Wegman, Zadeck ’90: SSG• Hendren ’90: Interference analysis• Hendren, Hummel, Nicolau ’94: APM / ADDS• Sagiv, Reps, Wilhelm ’99: TVLA• Rinetzky, Sagiv ’01: Noncompositional
interprocedural analysis
112
Conclusion
• Statically checked role system– Role changes reflect changes in purpose of
object in computation– Full support for role changes and aliasing
• Key aspects of design– Role characterizes aliases– Procedure abstraction choices
• Multiple simultaneous roles