Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using Data Groups to Specify and Check Side Effects K. Rustan M. Leino, Arnd Poetzsch- Heffter, and Yunhong Zhou Presented by Jonathan Aldrich.

Published byMeredith Byrd Modified over 9 years ago

Similar presentations

Presentation on theme: "Using Data Groups to Specify and Check Side Effects K. Rustan M. Leino, Arnd Poetzsch- Heffter, and Yunhong Zhou Presented by Jonathan Aldrich."— Presentation transcript:

1 Using Data Groups to Specify and Check Side Effects K. Rustan M. Leino, Arnd Poetzsch- Heffter, and Yunhong Zhou Presented by Jonathan Aldrich

2 Outline The Problem –Checking effects in a modular and extensible way Data Groups Aliasing Restrictions Discussion

3 Effect Specifications proc p(x,y) modifies x.f,y.g {... } Describes the variables p might modify Uses –Optimizations –Bug finding –Semantics

4 Specification Challenges proc p(x,y) modifies x.f,y.g {... } Information hiding –Don’t want to reveal fields f and g Extensibility –proc subcls.p(x,y) modifies x.f,y.g,x.h Soundness –Does p(x,y) modify y.f ?

5 Outline The Problem Data Groups Aliasing Restrictions Discussion

6 Data Group A set of variables and nested data groups –Membership defined incrementally –A field/group can be part of multiple groups // class Collection group state group elems in state field array in elems // class Vector extends Collection field cnt in elems group elems group state field array field cnt

7 Effect Specifications proc add(coll,o) modifies coll.elems Information hiding –List data groups rather than fields –Can hide fields behind module interface Extensibility –Subclasses add new fields to existing groups –So, Vector.add can modify size What about soundness, expressiveness?

8 Pivot Fields // class Stack group contents field vec maps elems into contents proc push(stk,o) modifies stk.contents Provides hierarchy –Effect on vec specified through stk ’s group

9 Outline The Problem Data Groups Aliasing Restrictions Discussion

10 Aliasing Problem #1 proc m(st, r) modifies r.obj impl q() { var st := new(); var result := new(); m(st,result); var v := result.obj; var n := v.cnt; push(st, 3); assert (n=v.cnt); } impl m(st, r) { r.obj := st.vec } Modifies v.contents (including v.cnt) if v == st

11 Pivot Uniqueness Three restrictions –Pivot fields can only be assigned new or null –Can’t assign a pivot field to anything This avoid the previous problem –Can pass as parameter But can’t assign to/from formal parameters Aliasing Invariant –Pivot fields are unique Except for formal parameter aliases

12 Aliasing Problem #2 proc w(st, v) modifies st.contents impl w(st,v) { var n := v.cnt; push(st, 3); assert (n=v.cnt); } w(st, st.vec) Problem: st.vec is available through both st and v in w, but this alias is not obvious in w

13 Owner Exclusion Suppose f maps x into g If p(s) can modify t.g, then s != t.f –In particular, since w(st, v) can modify st.contents, then v != st.vec Question: how do they verify owner exclusion? –What about w(st1, st2.vec) where st1 == st2 ? –I think they would conservatively reject this, even in cases where st1 != st2 –To do better you’d have to track more (non-)aliasing

14 Outline The Problem Data Groups Aliasing Restrictions Discussion

15 Extensible Specifications Data groups –subclasses add new groups, new fields to existing groups Ownership –subclasses add new domains, new objects to existing domains Typestate –subclasses add new typestates, new predicates over added fields

16 Ownership vs. Data Groups Data groups can overlap –Allows a field to hold state that is conceptually part of two groups Ownership is more flexible –Can express iterator, observer idioms –How to specify effects for these idioms?

17 Ownership for Effect Specs Some work in this area already –[Clarke & Drossopolou] Ownership could support iterator effects –Call add on an Iterator in the c.iters domain –Effect is c.elems

18 S/W Arch. and Effect Specs Global Effect Problem –Notify callbacks can have large, arbitrary effects The Achilles' heel of existing effect systems –Specifying all effects does not scale –Specifying global effects causes coupling Solution: Local Effect Specs? –Specify only the “locally visible” effect within a component All effects on local and shared data All calls to external functions Document assumptions about locally-visible effects of external functions – Component composition must respect assumptions Global effects computed from local specs + architecture

Download ppt "Using Data Groups to Specify and Check Side Effects K. Rustan M. Leino, Arnd Poetzsch- Heffter, and Yunhong Zhou Presented by Jonathan Aldrich."

Similar presentations

Chapter 23 Organizing list implementations. This chapter discusses n The notion of an iterator. n The standard Java library interface Collection, and.

Chapter 23 Organizing list implementations. This chapter discusses n The notion of an iterator. n The standard Java library interface Collection, and.
Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.

Joint work with Mike Barnett, Robert DeLine, Manuel Fahndrich, and Wolfram Schulte Verifying invariants in object-oriented programs K. Rustan M. Leino.
Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 3 Summer school on Formal Models.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.

Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.
Lists and the Collection Interface Chapter 4. Chapter Objectives To become familiar with the List interface To understand how to write an array-based.

Lists and the Collection Interface Chapter 4. Chapter Objectives To become familiar with the List interface To understand how to write an array-based.
Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...

Objects and Classes David Walker CS 320. Advanced Languages advanced programming features –ML data types, exceptions, modules, objects, concurrency,...
Programming Languages and Paradigms

Programming Languages and Paradigms
Interprocedural Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12.

Interprocedural Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday
CSCC69: Operating Systems

CSCC69: Operating Systems
L12. Network optimization problems D. Moltchanov, TUT, Spring 2008 D. Moltchanov, TUT, Spring 2014.

L12. Network optimization problems D. Moltchanov, TUT, Spring 2008 D. Moltchanov, TUT, Spring 2014.
Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,

Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,
Aliases in a bug finding tool Benjamin Chelf Seth Hallem June 5 th, 2002.

Aliases in a bug finding tool Benjamin Chelf Seth Hallem June 5 th, 2002.
Working with JavaScript. 2 Objectives Introducing JavaScript Inserting JavaScript into a Web Page File Writing Output to the Web Page Working with Variables.

Working with JavaScript. 2 Objectives Introducing JavaScript Inserting JavaScript into a Web Page File Writing Output to the Web Page Working with Variables.
Architectural Reasoning in ArchJava Jonathan Aldrich Craig Chambers David Notkin University of Washington ECOOP ‘02, 13 June 2002.

Architectural Reasoning in ArchJava Jonathan Aldrich Craig Chambers David Notkin University of Washington ECOOP ‘02, 13 June 2002.
Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington.

Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington.
Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 1 LASER.

Using and Building an Automatic Program Verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Lecture 1 LASER.
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.
XP 1 Working with JavaScript Creating a Programmable Web Page for North Pole Novelties Tutorial 10.

XP 1 Working with JavaScript Creating a Programmable Web Page for North Pole Novelties Tutorial 10.
Fall 2007CS 2251 Lists and the Collection Interface Chapter 4.

Fall 2007CS 2251 Lists and the Collection Interface Chapter 4.

Similar presentations

Ads by Google