1. Using data groups to specify and check side effects K. Rustan M. Leino Microsoft Research Arnd Poetzsch-Heffter Universität Kaiserslautern Yunhong Zhou HP SRC Work done at Compaq SRC 18 June 2002 PLDI’02, Berlin, Germany

2. The Problem: Checking effects in a modular and extensible way. Motivation: Optimizations Error detection Aliasing Restrictions: Pivot uniqueness Owner exclusion Introduction

3. Modifies clause method p(x, y) modifies M; Grants the implementations of p the license to modify M Challenge: Soundness - Does p(x,y) modify only M?

4. Context Static program checker Program Warning messages Pieces of a Modular checking

5. Modular checking Modular checking Access to complete program not necessary Access to complete program not necessary Don’t assume availability of: implementations of called methods implementations of called methods all of the program’s variables all of the program’s variables Modular soundness Modular soundness Only interface properties of checked parts are needed to check extensions Only interface properties of checked parts are needed to check extensions Checking is sound for any extension of the program Checking is sound for any extension of the program

6. Extension of the code class Position { int x, y; virtual void update() modifies x,y {...} } class Position3D : Position { int z; void update() modifies(x,y,z) {...} }

7. Information hiding public private Buffer 32 8 17 q buf head size capacity method Enlarge() modifies capacity, …; method Enqueue(x) modifies ???; Queue

8. Data groups public private Buffer 32 8 17 q buf head size capacity method Enlarge() modifies capacity, …; method Enqueue(x) modifies contents; Queue group contents; method Enqueue(x) modifies ???;

9. Source code private Buffer buf maps capacity into contents; private int head in contents; private int size in contents; class Queue { public group contents; public void Enqueue(object x) modifies contents; head  contents size  contents buf.capacity  contents Note direction of declarations

10. Data Groups A set of variables and nested data groups A set of variables and nested data groups Membership defined incrementally Membership defined incrementally A field/group can be part of multiple groups A field/group can be part of multiple groups The license to modify a group implies the license to modify the members of the group The license to modify a group implies the license to modify the members of the group head size array capacity buf.elements group contents

11. Extension of the code - solution class Position3D : Position { int z in G; void update() {...} } class Position { GROUP G; int x in G, y in G; virtual void update() modifies G {...} } same modifies clause new field added to G

12. Inclusion types private Buffer buf maps capacity into contents; private int head in contents; private int size in contents; head  contents size  contents buf.capacity  contents buf capacity Queue “pivot field” “Local Inclusion” Buffer

13. Summary so far modular checking modular checking modifies clauses modifies clauses information hiding information hiding data groups! data groups! Extensibility Extensibility What about soundness? What about soundness? next: 2 problems and proposed solutions next: 2 problems and proposed solutions

14. Problem 1 Queue q = new Queue(); buf capacity size head Queue Buffer q b method Enqueue(x) modifies contents; group contents; method Buffer m() modifies ; method Buffer m() { return buf; } Buffer buf maps capacity into contents Buffer b = q.m(); int c = b.capacity; q.Enqueue(5); assert c == b.capacity; Client:

15. Solution 1: Pivot uniqueness restriction Make pivot fields unique Make pivot fields unique buf Queue Buffer group contents; capacity field buf maps capacity into contents Three restrictions: Pivot fields can only be assigned new or null Pivot fields can only be assigned new or null Can’t assign a pivot field to anything. This avoid the previous problem Can’t assign a pivot field to anything. This avoid the previous problem What about function parameters? What about function parameters?

16. Pivot uniqueness - cont results: Pivot fields are either null or unique (Except for formal parameter aliases on the call stack). Pivot fields are either null or unique (Except for formal parameter aliases on the call stack). Static checker will not complain the assertion in the client regardless of whether declaration of buf is available to it. Static checker will not complain the assertion in the client regardless of whether declaration of buf is available to it. permit aliasing with parameters, but do not allow assigning to/from formal parameters permit aliasing with parameters, but do not allow assigning to/from formal parameters method Enqueue ( object x ) { if ( size == buf.capacity ) { buf.Enlarge (); } … }

17. buf capacity size head Queue Buffer q b group contents; class Queue { … p(this, this.buf); … } Buffer buf maps capacity into contents = new Queue(); = q.m(); int c = b.capacity; q.Enqueue(5); assert c == b.capacity; method p(, ) modifies contents { } Queue q Buffer b Problem 2

18. Problem #2 analysis Can happen only when all three apply: The pivot field is passed as a parameter (otherwise pivot uniqueness prevents it) The pivot field is passed as a parameter (otherwise pivot uniqueness prevents it) The owner of the pivot value (q in the example) is accessible to the callee. The owner of the pivot value (q in the example) is accessible to the callee. q.contents is modified. q.contents is modified.

19. For any pivot field: field buf maps capacity into contents; and method: method m(…, T x, …) modifies …, E.contents, … ; add to m the following precondition: E.buf != x Solution 2: Owner exclusion restriction

20. What’s in the paper Sound formalization Sound formalization a core object-oriented language (oolong ) a core object-oriented language (oolong ) pivot uniqueness and owner exclusion restrictions pivot uniqueness and owner exclusion restrictions translation from oolong to verification conditions translation from oolong to verification conditions

21. The Semantic Model Object store: S (q.buf) = b Object store: S (q.buf) = b Define transitive inclusion relation: _ in _ : Attrib x Group bool _ maps _ into _ : Field x Attrib x Group bool q buf group contents; capacity b X.F Y.G  S X = Y /\ F in G \/ X, Z, B, H :: B maps F into H /\ Z.H Y.G S /\ X = S(Z.B) S(q.buf).capacity q.Contents S

22. Semantic Model - Field update Field update commands require that their targets be assignable according to the modifies list w evaluated in the store S. Field update commands require that their targets be assignable according to the modifies list w evaluated in the store S. Mod(X.A, w, S)  ¬ alive(S,X) V incl (X.A, w, S) alive(S,X) : true if X was allocated in store S alive(S,X) : true if X was allocated in store S incl (X.A, w, S)  ( E,f | E.f  w incl (X.A, w, S)  ( E,f | E.f  w /\ X.A E.f ) S

23. Semantic Model – Owner Exclusion Let p(r) modifies V.a be a method spec. Owner exclusion for a call p(x) : ( Y.H S(V).a ) For Y, B, G, H: B maps G into H /\ x = S(Y.B) /\ x ≠ null => S ownExcl(x,V.a,S)  The pivot field buf of object q can be passed as a parameter to method p only if p doesn’t have permission to modify q.contents. Check ownExcl at every call site, and assume it at entry to the function buf capacity contents q.buf q.contents

24. Modular checker Object store – track values of object attributes and allocated objects. Object store – track values of object attributes and allocated objects. Inclusion relation – between locations. track compositions of inclusions (transitive). Inclusion relation – between locations. track compositions of inclusions (transitive). Check a function is side-effect correct (Mod) Check a function is side-effect correct (Mod) Check owner inclusion precondition (ownExcl) Check owner inclusion precondition (ownExcl) Check assignments of pivot fields and formal parameters Check assignments of pivot fields and formal parameters Check assert statements (effect of function call) using ¬Mod. Check assert statements (effect of function call) using ¬Mod.

25. Example field c field d field f Group g Proc p(t) modifies t.c.d.g Proc q(u) modifies u.g Impl p (t){ Assume t≠null var y in y:=t.f q(t.c.d) assert y=t.f end } At p function entry: ownExcl( t, t.c.d.g, S) At q function call: Mod( u.g, t.c.d.g, S) ownExcl( u, u.g, S) At assert: ¬ Mod( t.f, u.g, S)

26. Conclusion Knowing side effects has many applications Knowing side effects has many applications Specifying and checking side effects in modular setting is a difficult problem Specifying and checking side effects in modular setting is a difficult problem Data groups plus alias-confinement restrictions provide a solution Data groups plus alias-confinement restrictions provide a solution Sound formalization (oolong ) Sound formalization (oolong ) Implemented checker (oolong ) Implemented checker (oolong ) Current work: build checker for C# (with Viktor Kuncak) Current work: build checker for C# (with Viktor Kuncak)

27. Limitations Syntactic aliasing discipline too strict Syntactic aliasing discipline too strict Array support not implemented : when an object is implemented in terms of an array of underlying objects. Array support not implemented : when an object is implemented in terms of an array of underlying objects.

28. Limitations Cyclic dependencies not handled effectively: infinite looping of ‘Simplify’,the theorem prover. Cyclic dependencies not handled effectively: infinite looping of ‘Simplify’,the theorem prover. class Node { public: group g; group g; void updateAll() modifies g; void updateAll() modifies g; private : int value in g; int value in g; Node next maps g into g; Node next maps g into g;} void updateAll(){ value = value + 1; value = value + 1; If (next != null) If (next != null) next->updateAll(); next->updateAll();}

29. The End!