Using data groups to specify and check side effects - PowerPoint PPT Presentation

About This Presentation
Title:

Using data groups to specify and check side effects

Description:

a core object-oriented language (oolong); pivot uniqueness and owner exclusion restrictions ... translation from oolong to verification conditions. Related work ... – PowerPoint PPT presentation

Slides: 18
Provided by: Rustan5

Transcript and Presenter's Notes

1
Using data groups to specify and check side effects
  • K. Rustan M. Leino
  • Microsoft Research
  • Arnd Poetzsch-Heffter
  • Universität Kaiserslautern
  • Yunhong Zhou
  • HP SRC
  • Work done at Compaq SRC

18 June 2002, PLDI'02, Berlin, Germany

2
Context
[Figure: a static program checker takes pieces of a program as input and produces warning messages; the label reads "Modular checking".]

3
  • Modular checking
    • Don't assume availability of
      • implementations of called methods
      • all of the program's variables
  • Modular soundness
    • Checking is sound for any extension of the program

4
Reasoning about a call
  method m(Queue q, T t)
    t.x = new File("input.txt")
    q.Enqueue(t)
    char ch = t.x.ReadChar()      // t.x == null?  null dereference?
  Must know what the call can modify!

5
Modifies clause
  method p(x, y) modifies M
  Grants the implementations of p the license to modify M

6
Information hiding
[Figure: a Queue object q with fields head = 17, size = 8 and buf; buf refers to a Buffer object with field capacity = 32. The method interface is marked "public", the fields "private".]
  method Enqueue(x) modifies ???
  method Enlarge() modifies capacity, …

7
Data groups
  A data group represents a set of variables and other (nested) data groups
[Figure: the same Queue q / Buffer diagram as on slide 6 (head = 17, size = 8, buf; buf refers to a Buffer with capacity = 32), now with a data group "contents" drawn in the Queue.]
  method Enqueue(x) modifies ???   becomes   method Enqueue(x) modifies contents
  method Enlarge() modifies capacity, …
  The license to modify a group implies the license to modify the members of the group

8
Source code
  class Queue
    public group contents
    public void Enqueue(object x) modifies contents
    private int head in contents
    private int size in contents
    private Buffer buf maps capacity into contents    // buf is the pivot field
  Note direction of declarations:
    head → contents
    size → contents
    buf.capacity → contents
[Figure: Queue (head, size, buf) and Buffer (capacity); buf is labelled "pivot field".]
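A small modifies-clause checker for the declarations on this slide, added here as an example; it is not the paper's oolong checker. It assumes the Queue/Buffer declarations as constructed in the code and only resolves group membership (the `in` and `maps ... into` declarations), leaving the alias-confinement restrictions of the later slides out of scope:

```python
# Added example, not the paper's oolong checker: a small modifies-clause
# checker that expands data groups (slide 8's `in` / `maps ... into`) and
# compares the result with a method's writes. Aliasing restrictions
# (pivot uniqueness, owner exclusion) are not modelled here.
# Constructed declarations mirroring slide 8:
#   class Queue  { group contents; head in contents; size in contents;
#                  Buffer buf maps capacity into contents }
#   class Buffer { capacity; Enlarge() modifies capacity }
CLASSES = {
    "Queue": {
        "groups": {"contents"},
        "in": {"head": "contents", "size": "contents"},
        # pivot field -> (member of the pivot's class, pivot's class, group)
        "maps": {"buf": ("capacity", "Buffer", "contents")},
    },
    "Buffer": {"groups": set(), "in": {}, "maps": {}},
}

def licensed(cls, effects, classes=CLASSES):
    """Expand a modifies list of class `cls` (group or field names) into the
    set of locations, as paths relative to `this`, it licenses modifying."""
    decl = classes[cls]
    result, work = set(), list(effects)
    while work:
        e = work.pop()
        if e in decl["groups"]:
            # A group licenses its members, nested groups included ...
            work.extend(f for f, g in decl["in"].items() if g == e)
            # ... and, via `maps ... into`, members reached through a pivot.
            for pivot, (member, pcls, g) in decl["maps"].items():
                if g == e:
                    result.update(pivot + "." + loc
                                  for loc in licensed(pcls, [member], classes))
        else:
            result.add(e)  # a plain field
    return result

def unlicensed_writes(cls, modifies, writes, classes=CLASSES):
    """Return the writes (field paths) that the modifies clause does not cover."""
    return sorted(set(writes) - licensed(cls, modifies, classes))

# Enqueue as on slide 11: it updates head and size and calls buf.Enlarge(),
# which is declared `modifies capacity`, so the call writes buf.capacity.
ENQUEUE_WRITES = ["head", "size", "buf.capacity"]

if __name__ == "__main__":
    print(sorted(licensed("Queue", ["contents"])))  # ['buf.capacity', 'head', 'size']
    print(unlicensed_writes("Queue", ["contents"], ENQUEUE_WRITES))  # []
    print(unlicensed_writes("Queue", ["head"], ENQUEUE_WRITES))  # ['buf.capacity', 'size']
```

The last call shows a clause that is too narrow for Enqueue's body being rejected, which is the check a modular verifier performs per method without seeing callers.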
9
Summary so far
  • modular checking
  • modifies clauses
  • information hiding
  • data groups!
  • next: 2 problems and proposed solutions

10
Problem 0
  class Queue
    group contents
    method Enqueue(x) modifies contents
    method Buffer m() modifies          // empty modifies clause
      return buf
  Client code:
    Queue q = new Queue()
    Buffer b = q.m()
    int c = b.capacity
    q.Enqueue(5)
    assert c == b.capacity
[Figure: Queue q with head, size and buf; q.buf and the client's b both refer to the same Buffer object (capacity).]

11
Solution 0: Pivot uniqueness restriction
  • Make pivot fields unique
    field buf maps capacity into contents
[Figure: Queue with group contents and pivot field buf, which is the only reference to its Buffer (capacity).]
  • except permit aliasing with parameters
    method Enqueue(object x)
      if (size == buf.capacity) buf.Enlarge()
  • Restrict parameters likewise

12
Problem 1
  Queue q = new Queue()
  q.m()
  method p(…, …)
  class Queue: … p(this, buf) …
[Figure: Queue q (group contents; head, size, buf) and its Buffer (capacity); p is called with both this and buf as arguments, so inside p the parameter b refers to the same Buffer as this.buf.]

13
Solution 1: Owner exclusion restriction
  For any pivot field
    field buf maps capacity into contents
  and method
    method m(…, T x, …) modifies …, E.contents
  add to m the following precondition:
    E.buf != x

14
What's in the paper
  • Sound formalization
    • a core object-oriented language (oolong)
    • pivot uniqueness and owner exclusion restrictions
    • translation from oolong to verification conditions

15
Related work
  • Modifies clauses
    • Larch, CLU, frame problem, …
    • Effect systems, effect inference, …
  • Abstraction
    • Theory work on Simula [Hoare 1972]
    • Aspect [Jackson 1995]
    • ESC/Modula-3 specifications [Leino, Nelson 1998]
  • Alias confinement
    • Islands, Balloons, Flexible alias protection, …
    • Linear types, CQual, capabilities, Vault, …
    • Alias burying [Boyland 2001]
    • Universe types [Müller, Poetzsch-Heffter 2002]

16
Summary of approach
  • modifies clauses
  • data groups
    • in, maps into
  • alias-confinement restrictions
    • pivot uniqueness
    • owner exclusion

17
Conclusion
  • Knowing side effects has many applications
  • Specifying and checking side effects in a modular setting is a difficult problem
  • Data groups plus alias-confinement restrictions provide a solution
  • Sound formalization (oolong)
  • Implemented checker (oolong)
  • Current work: build checker for C (with Viktor Kuncak)
  • Needs extension to arrays, …