Using data groups to specify and check side effects

K. Rustan M. Leino, Microsoft Research
Arnd Poetzsch-Heffter, Universität Kaiserslautern
Yunhong Zhou, HP SRC
Work done at Compaq SRC

18 June 2002, PLDI’02, Berlin, Germany
Context

Static program checker: Program → Warning messages
(Figure: the checker is applied to pieces of a program.)
Modular checking

Don’t assume availability of:
- implementations of called methods
- all of the program’s variables

Modular soundness: checking is sound for any extension of the program.
Reasoning about a call

    method m(Queue q, T t) {
      t.x = new File("input.txt");
      q.Enqueue(t);
      char ch = t.x.ReadChar();   // null dereference?
      …
    }

If the implementation of Enqueue may contain … t.x = null; …, the call to ReadChar dereferences null. Must know what the call can modify!
Modifies clause

    method p(x, y) modifies M;

Grants the implementations of p the license to modify M.
Information hiding

[Figure: a Queue object q with private fields buf, head and size; buf points to a Buffer object with field capacity; the public/private boundary is marked]

    method Enlarge() modifies capacity, …;     // in Buffer
    method Enqueue(x) modifies ???;             // in Queue: buf, head and size are private, so the clause cannot name them
Data groups

[Figure: the same Queue and Buffer objects, with a data group contents added to Queue]

    group contents;
    method Enlarge() modifies capacity, …;
    method Enqueue(x) modifies contents;     // replaces modifies ???

A data group represents a set of variables and other (nested) data groups.
The license to modify a group implies the license to modify the members of the group.
Source code

    class Queue {
      public group contents;
      private int head in contents;
      private int size in contents;
      private Buffer buf maps capacity into contents;   // buf is a “pivot field”
      public void Enqueue(object x) modifies contents;
      …
    }

Membership: head ∈ contents, size ∈ contents, buf.capacity ∈ contents.
Note the direction of the declarations: each member (or pivot) names the group it belongs to.
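As an added illustration of how `in` and `maps into` declarations determine what a modifies clause licenses, here is a small Python model. It is not the paper's oolong checker or its formalization: the declarations above are entered as data, `members` computes the set of locations covered by `modifies contents`, and `unlicensed_writes` compares a method body's writes against its clause. `Buffer.capacity` is modelled as a plain field, as in the figure; the class names and the write lists come from the slides, and nested groups are handled in general even though the slide's example has none.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class ClassDecl:
    """The declarations of one class that data groups care about."""
    name: str
    fields: dict[str, str] = field(default_factory=dict)      # field -> declared type
    groups: set[str] = field(default_factory=set)             # declared data groups
    in_decls: dict[str, str] = field(default_factory=dict)    # "x in g": member x -> group g
    # "f maps g' into g": pivot field f -> (group g' of the object f refers to, enclosing group g)
    maps_decls: dict[str, tuple[str, str]] = field(default_factory=dict)


class Program:
    def __init__(self, classes: list[ClassDecl]):
        self.classes = {c.name: c for c in classes}

    def members(self, cls_name: str, target: str, prefix: str = "") -> set[str]:
        """Locations, as dotted paths from the receiver, that `modifies target`
        licenses.  A field is a single location; a data group contributes its
        `in` members (fields or nested groups) and, through each pivot field
        declared `maps g' into target`, the group g' of the pivot's object."""
        cls = self.classes[cls_name]
        if target not in cls.groups:
            return {prefix + target}
        found: set[str] = set()
        for member, group in cls.in_decls.items():
            if group == target:
                found |= self.members(cls_name, member, prefix)
        for pivot, (inner, group) in cls.maps_decls.items():
            if group == target:
                found |= self.members(cls.fields[pivot], inner, prefix + pivot + ".")
        return found

    def unlicensed_writes(self, cls_name: str, modifies: list[str], writes: list[str]) -> list[str]:
        """Writes performed by a method body that its modifies clause does not license."""
        licensed: set[str] = set()
        for target in modifies:
            licensed |= self.members(cls_name, target)
        return sorted(w for w in writes if w not in licensed)


# The slide's declarations.  Buffer.capacity is modelled as a field (as drawn in
# the figure); the rest of Buffer is not on the slide and is left out.
QUEUE = ClassDecl(
    name="Queue",
    fields={"head": "int", "size": "int", "buf": "Buffer"},
    groups={"contents"},
    in_decls={"head": "contents", "size": "contents"},
    maps_decls={"buf": ("capacity", "contents")},
)
BUFFER = ClassDecl(name="Buffer", fields={"capacity": "int"})
PROGRAM = Program([QUEUE, BUFFER])


def enqueue_check() -> list[str]:
    """Enqueue writes head and size and, through buf.Enlarge(), buf.capacity;
    `modifies contents` licenses all three, so nothing is reported."""
    return PROGRAM.unlicensed_writes("Queue", ["contents"], ["head", "size", "buf.capacity"])


def empty_clause_check() -> list[str]:
    """A method declared `modifies ;` that wrote buf.capacity would be reported."""
    return PROGRAM.unlicensed_writes("Queue", [], ["buf.capacity"])


if __name__ == "__main__":
    print(sorted(PROGRAM.members("Queue", "contents")))   # ['buf.capacity', 'head', 'size']
    print(enqueue_check(), empty_clause_check())          # [] ['buf.capacity']
```

The check is purely declaration-driven: the caller of Enqueue never needs to see head, size or buf, only the public group name contents, which is exactly what information hiding requires.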
Summary so far

modular checking → modifies clauses → information hiding → data groups!

Next: 2 problems and proposed solutions.
Problem 0

    class Queue {
      group contents;
      method Enqueue(x) modifies contents;
      method Buffer m() modifies ;      // modifies nothing
      method Buffer m() { return buf; }
    }

    Queue q = new Queue();
    Buffer b = q.m();
    int c = b.capacity;
    q.Enqueue(5);
    assert c == b.capacity;

[Figure: q → Queue {buf, size, head}; b → the same Buffer {capacity} that buf points to]

The assertion is not guaranteed: b is an alias of the pivot field q.buf, and Enqueue’s license on contents includes buf.capacity, which is hidden from the caller.
Solution 0: Pivot uniqueness restriction

Make pivot fields unique, except permit aliasing with parameters. Restrict parameters likewise.

    class Queue {
      group contents;
      field buf maps capacity into contents;
      method Enqueue(object x) {
        if (size == buf.capacity) {
          buf.Enlarge();      // the pivot is aliased by Enlarge’s receiver parameter
        }
        …
      }
    }

Parameters must be restricted too, because the pivot can reach them:

    class Queue { … p(this, buf); … }

    method p(Queue q, Buffer b) {
      int c = b.capacity;
      q.Enqueue(5);
      assert c == b.capacity;
    }

[Figure: q → Queue {buf, size, head}; b → the same Buffer {capacity}]

Here the parameters q and b take the place of the earlier `Queue q = new Queue(); Buffer b = q.m();`, and the same assertion is again not guaranteed.
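To make Problem 0 and the point of the pivot uniqueness restriction concrete, the following added Python example (not code from the paper or the oolong checker) first runs the slide's caller, with a one-element Buffer and an extra Enqueue constructed so that the second Enqueue has to enlarge, and then applies a simplified reading of the restriction to method bodies written as tuples: passing a pivot as a call argument is permitted, returning or copying it is not, and parameters are restricted the same way. The method name Grow is a hypothetical stand-in for the elided context around `p(this, buf)`.

```python
from __future__ import annotations


# Part 1: the slide's Problem 0, run as a plain program.

class Buffer:
    def __init__(self, capacity: int):
        self.capacity = capacity               # Buffer.capacity on the slide
        self.data: list = [None] * capacity

    def enlarge(self) -> None:                 # method Enlarge() modifies capacity, ...
        self.capacity *= 2
        self.data.extend([None] * (self.capacity - len(self.data)))


class Queue:
    def __init__(self):
        self.buf = Buffer(1)                   # pivot field: buf maps capacity into contents
        self.head = 0                          # head in contents (no Dequeue here, so it stays 0)
        self.size = 0                          # size in contents

    def m(self) -> Buffer:                     # method Buffer m() modifies ;
        return self.buf                        # ...yet hands the caller an alias of the pivot

    def enqueue(self, x) -> None:              # method Enqueue(x) modifies contents
        if self.size == self.buf.capacity:
            self.buf.enlarge()                 # licensed: buf.capacity is in contents
        self.buf.data[self.size] = x
        self.size += 1


def problem0() -> tuple[int, int]:
    """The caller on the Problem 0 slide.  Returns (c, b.capacity); the slide's
    `assert c == b.capacity` holds only if the two are equal."""
    q = Queue()
    q.enqueue(4)           # constructed setup: fill the one-slot buffer so the next Enqueue must enlarge
    b = q.m()              # m is specified to modify nothing, and the caller sees only the group name contents
    c = b.capacity
    q.enqueue(5)           # licensed to modify contents, which (invisibly to the caller) includes b.capacity
    return c, b.capacity   # (1, 2): the assertion fails


# Part 2: a simplified pivot-uniqueness check.  Method bodies are lists of tuples:
#   ("return", name)   ("assign", target, name)   ("call", callee, [arg names])
# Reading of the slide: a pivot may be passed as an argument (aliasing with a
# parameter is permitted) but not returned or copied into another variable or
# field; parameters are restricted the same way because they may alias a pivot.
def pivot_alias_violations(cls: str, pivots: set[str], methods: dict) -> list[str]:
    """methods: method name -> (parameter names, body).  Returns the violations found."""
    violations = []
    for mname, (params, body) in methods.items():
        restricted = pivots | set(params)
        for stmt in body:
            if stmt[0] == "return" and stmt[1] in restricted:
                violations.append(f"{cls}.{mname}: returns {stmt[1]}")
            elif stmt[0] == "assign" and stmt[2] in restricted:
                violations.append(f"{cls}.{mname}: copies {stmt[2]} into {stmt[1]}")
            # "call" statements are fine: the callee sees the alias only as a parameter
    return violations


QUEUE_METHODS = {
    # Problem 0: m leaks the pivot
    "m": ([], [("return", "buf")]),
    # Enqueue passes the pivot as the receiver of Enlarge; reading buf.capacity creates no alias
    "Enqueue": (["x"], [("call", "buf.Enlarge", []), ("assign", "size", "size + 1")]),
    # the Solution 0 slide's `p(this, buf)`; the method name Grow is hypothetical
    "Grow": ([], [("call", "p", ["this", "buf"])]),
}


def queue_violations() -> list[str]:
    return pivot_alias_violations("Queue", {"buf"}, QUEUE_METHODS)


if __name__ == "__main__":
    print(problem0())           # (1, 2)
    print(queue_violations())   # ['Queue.m: returns buf']
```

Once `return buf` is rejected, the only way a Buffer reference can leave Queue is as a parameter of a call such as `p(this, buf)`, which is exactly the case the next restriction handles.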
Problem 1

Solution 1: Owner exclusion restriction

For any pivot field
    field buf maps capacity into contents;
and method
    method m(…, T x, …) modifies …, E.contents, …;
add to m the following precondition:
    E.buf != x
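An added example (not the paper's checker) that applies the owner exclusion rule mechanically: pivot declarations are a table keyed by class, `owner_exclusion_preconditions` produces `E.buf != x` for each parameter of the pivot's type, and `violated_at_call` substitutes actual arguments to show that the call `p(this, buf)` from the Solution 0 slide cannot satisfy the generated precondition. It assumes that p is declared `modifies q.contents` (the slide does not show p's clause) and that p is not a member of Queue.

```python
from __future__ import annotations

# class -> [(pivot field, its declared type, group of the pivot's object, enclosing group)]
# i.e. the slide's `field buf maps capacity into contents` in Queue
PIVOTS = {"Queue": [("buf", "Buffer", "capacity", "contents")]}


def owner_exclusion_preconditions(pivots: dict, this_class: str | None,
                                  params: list[tuple[str, str]],
                                  modifies: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """For `field f maps g' into g` and `method m(..., T x, ...) modifies ..., E.g, ...`
    produce the precondition `E.f != x` for every parameter x whose type is the
    pivot's type T.  params: [(type, name)]; modifies: [(E, g)] where E is
    "this" or a parameter name.  Returns (E, f, x) triples."""
    param_type = {name: typ for typ, name in params}
    preconds = []
    for expr, group in modifies:
        owner = this_class if expr == "this" else param_type[expr]
        for f, f_type, _inner, g in pivots.get(owner, []):
            if g != group:
                continue
            for typ, x in params:
                if typ == f_type:
                    preconds.append((expr, f, x))
    return preconds


def format_precondition(pre: tuple[str, str, str]) -> str:
    expr, f, x = pre
    return f"{expr}.{f} != {x}"


def violated_at_call(preconds: list[tuple[str, str, str]], actuals: dict[str, str]) -> list[str]:
    """Substitute actual arguments for parameter names and report the
    preconditions whose two sides become the same expression, i.e. the alias
    the rule excludes.  actuals: parameter name -> actual-argument expression."""
    violated = []
    for expr, f, x in preconds:
        lhs = f"{actuals.get(expr, expr)}.{f}"
        rhs = actuals.get(x, x)
        if lhs == rhs:
            violated.append(f"{lhs} != {rhs}")
    return violated


def p_preconditions() -> list[tuple[str, str, str]]:
    # assumed: method p(Queue q, Buffer b) modifies q.contents;  (p is not a member of Queue)
    return owner_exclusion_preconditions(PIVOTS, None, [("Queue", "q"), ("Buffer", "b")],
                                         [("q", "contents")])


def call_from_queue() -> list[str]:
    # inside class Queue: p(this, buf)  -- the actual for b is this.buf
    return violated_at_call(p_preconditions(), {"q": "this", "b": "this.buf"})


def enqueue_preconditions() -> list[tuple[str, str, str]]:
    # method Enqueue(object x) modifies contents;  -- no Buffer-typed parameter, so no precondition
    return owner_exclusion_preconditions(PIVOTS, "Queue", [("object", "x")], [("this", "contents")])


if __name__ == "__main__":
    print([format_precondition(p) for p in p_preconditions()])   # ['q.buf != b']
    print(call_from_queue())                                       # ['this.buf != this.buf']
    print(enqueue_preconditions())                                 # []
```

The generated precondition is what lets the body of p reason modularly: under `q.buf != b`, the license `modifies q.contents` cannot reach `b.capacity`, so `assert c == b.capacity` is justified, and the burden of establishing the inequality moves to each call site, where the alias is visible.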
What’s in the paper

- Sound formalization
  - a core object-oriented language (oolong)
  - pivot uniqueness and owner exclusion restrictions
  - translation from oolong to verification conditions
Related work

- Modifies clauses: Larch, CLU, frame problem, …; effect systems, effect inference, …
- Abstraction: theory work on Simula [Hoare 1972]; Aspect [Jackson 1995]; ESC/Modula-3 specifications [Leino & Nelson 1998]
- Alias confinement: Islands, Balloons, Flexible alias protection, …; Linear types, Cqual, capabilities, Vault, …; Alias burying [Boyland 2001]; Universe types [Müller & Poetzsch-Heffter 2002]
Summary of approach

- modifies clauses
- data groups
- in, maps into
- alias-confinement restrictions: pivot uniqueness, owner exclusion
Conclusion

- Knowing side effects has many applications
- Specifying and checking side effects in a modular setting is a difficult problem
- Data groups plus alias-confinement restrictions provide a solution
- Sound formalization (oolong)
- Implemented checker (oolong)
- Current work: build checker for C# (with Viktor Kuncak)
- Needs: extension to arrays, …?