Presentation is loading. Please wait.

Presentation is loading. Please wait.

Analyzing objects Daniel Jackson (joint work with Mandana Vaziri & Allison Waingold) MIT Lab for Computer Science NDIST · December 5, 2001.

Published byBeverly Shields Modified over 9 years ago

Similar presentations

Presentation on theme: "Analyzing objects Daniel Jackson (joint work with Mandana Vaziri & Allison Waingold) MIT Lab for Computer Science NDIST · December 5, 2001."— Presentation transcript:

1 analyzing objects Daniel Jackson (joint work with Mandana Vaziri & Allison Waingold) MIT Lab for Computer Science NDIST · December 5, 2001

2 2 problem want a simple framework ·for specifying & analyzing OO programs ·at the design level (like types) ·automatic (like model checking) desiderata ·handles tricky cases ·helpful reports (eg, counterexamples) ·unlikely to miss errors ·modular: no whole-program assumption

3 3 what goes wrong? //extends the map m with arbitrary key/val pairs //taken from ks and vs, until one of ks and vs is empty static void zippish (Map m, Set ks, Set vs) { Iterator ki = ks.iterator (); Iterator vi = vs.iterator (); while (ki.hasNext() && vi.hasNext()) { m.put (ki.next(), vi.next()); ki.remove (); vi.remove (); }

4 4 failure conditions ks contains a key of m ·map is overwritten ks, vs or m is null ·null pointer exception ks or vs is a key of m ·rep invariant of m broken, unpredictable effect ks, vs, m aliased ks is a view of vs, or vice versa ks or vs is a view of m ·comodification exception thrown static void zippish (Map m, Set ks, Set vs) { Iterator ki = keys.iterator (); Iterator vi = vs.iterator (); while (ki.hasNext() && vi.hasNext()) { m.put (ki.next(), vi.next()); ki.remove (); vi.remove (); }

5 5 roadmap why views? modelling the heap & mutation modelling execution modelling views underlying theme simple first-order model of execution use constraint solver to find counterexample traces

6 6 why views? decouples client from irrelevant aspect of datatype ·by weakening specification interface Map {… Set keySet (); … } ParserActions HashTable SetMap Parser KeySetHashTable Actions on stylesstylemap

7 7 modelling the heap & mutation two kinds of atoms ·references -- slots that hold objects ·objects -- values that go in slots sig Ref {} sig Obj {} sig State { refs: set Ref, obj: refs ->? Obj } sig X extends Obj {f: Ref} fun op (s, s’: State, p, q: Ref) { p.(s’.obj).f = q } Obj0 s.obj f Ref0 Ref1Ref2 Obj1 s’.obj f p q

8 8 frame conditions sig Set extends Obj {elts: set Ref} sig SetRef extends Ref {} fact {SetRef.(State.obj) in Set} fun modifies (s, s’: State, rs: set Ref) { all r: s.refs - rs | r.(s.obj) = r.(s’.obj) } fun add (this: SetRef, s, s’: State, e: Ref) { this.(s’.obj).elts = this.(s.obj).elts + e modifies (s, s’, this) }

9 9 modelling execution each statement ·modelled as a parameterized formula ·relating pre- and post-state ·instantiated with states at each point BODY =stmt0 (s, s1, …)&& stmt1 (s1, s2, …)&& …&& stmtN (sN, s’, …) every state satisfies a condition ·all s, s1, …, s’: State | Pre(s) && BODY => P(sK) method satisfies spec ·all s, s1, …, s’: State | Pre(s) && BODY => Post(s’)

10 10 modelling views views are not projections ·map is also view of keyset ·say v is view of b when change to b is propagated to v not all views are bidirectional ·keyset/map is two-way ·iterator/set is one-way ·model bidirectional case with two views ·modification of view which does not back another view invalidates it keysetmap KeySetView KeySetView’

11 11 modelling views (generic) state holds view relationships sig State { refs: set Ref, obj: refs ->! Object, views: ViewType -> refs -> refs } frame condition propagates changes to view fun modifies (s, s’: State, rs: set Ref) { let vr = ViewType.(s.views), mods = rs.*vr { all r: s.refs - mods | r.(s.obj) = r.(s’.obj) all b: mods, v: s.refs, t: ViewType | b->v in t.(s.views) => viewFrame (t, v.(s.obj), v.(s’.obj), b.(s’.obj)) }}

12 12 modelling views (view-specific) disj sig KeySetView, KeySetView’, IteratorView extends ViewType {} fun viewFrame (t: ViewType, v, v', b': Object) { t in KeySetView => v'.elts = dom (b'.map) t in KeySetView' => b'.elts = dom (v'.map) t in KeySetView' => domRestrict (b'.elts, v.map) = domRestrict (b'.elts, v'.map) t in IteratorView => v'.elts = b'.left + b'.done }

13 13 demo: a counterexample generated pre-state: ks and vs aliased

14 14 after: ki = ks.iterator ()

15 15 after: vi = vs.iterator ()

16 16 after: k = ki.next ()

17 17 after: v = vi.next ()

18 18 after: m.put (k,v)

19 19 after: ki.remove()Ref_2 gets invalidated

20 20 conclusions scenario ·write specs for API’s (and perhaps for program) ·extract relevant code skeleton ·use constraint solver to find bugs unlike most other analyses ·doesn’t require whole program ·can find subtle errors but … ·will analysis scale enough? ·will specs still be too much work? ·will false alarms become a problem?

Download ppt "Analyzing objects Daniel Jackson (joint work with Mandana Vaziri & Allison Waingold) MIT Lab for Computer Science NDIST · December 5, 2001."

Similar presentations

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Concrete collections in Java library

Concrete collections in Java library
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 8.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Visit at MIT: Daniel Jackson’s Lectures on Coupling Karl Lieberherr

Visit at MIT: Daniel Jackson’s Lectures on Coupling Karl Lieberherr
Expert System Human expert level performance Limited application area Large component of task specific knowledge Knowledge based system Task specific knowledge.

Expert System Human expert level performance Limited application area Large component of task specific knowledge Knowledge based system Task specific knowledge.
1 Integrating Influence Mechanisms into Impact Analysis for Increased Precision Ben Breech Lori Pollock Mike Tegtmeyer University of Delaware Army Research.

1 Integrating Influence Mechanisms into Impact Analysis for Increased Precision Ben Breech Lori Pollock Mike Tegtmeyer University of Delaware Army Research.
ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 2 Courtesy: K. Rustan M. Leino and Wolfram Schulte.

ECI 2007: Specification and Verification of Object-Oriented Programs Lecture 2 Courtesy: K. Rustan M. Leino and Wolfram Schulte.
Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,

Lecture 2 Towards a Verifying Compiler: Logic of Object oriented Programs Wolfram Schulte Microsoft Research Formal Methods 2006 Objects, references, heaps,
1 From Yesterday private = accessible only to the class that declares it public = accessible to any class at all protected = accessible to the class and.

1 From Yesterday private = accessible only to the class that declares it public = accessible to any class at all protected = accessible to the class and.
Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of.

Building a program verifier K. Rustan M. Leino Microsoft Research, Redmond, WA 10 May 2006 Guest lecture, Shaz Qadeer’s cse599f, Formal Verification of.
Counterexample Generation for Separation-Logic-Based Proofs Arlen Cox Samin Ishtiaq Josh Berdine Christoph Wintersteiger.

Counterexample Generation for Separation-Logic-Based Proofs Arlen Cox Samin Ishtiaq Josh Berdine Christoph Wintersteiger.
Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?

Software Reliability Methods Sorin Lerner. Software reliability methods: issues What are the issues?
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.

OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.

Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.

Similar presentations

Ads by Google