Selective Ownership: Combining Object and Type Hierarchies for - - PowerPoint PPT Presentation

Selective Ownership: Combining Object and Type Hierarchies for Flexible Sharing

Stephanie Balzer, Thomas R. Gross, and Peter Müller School of Computer Science, Carnegie Mellon University Department of Computer Science, ETH Zurich FOOL 2012

Ownership type systems

2

Ownership type systems

Structure program heap

• Facilitate reasoning about program

2

Ownership type systems

Structure program heap

• Facilitate reasoning about program

Application domains

• Thread synchronization
• Memory management
• Enforcement of architectural styles
• Program verification

2

Ownership type systems

Structure program heap

• Facilitate reasoning about program

Application domains

• Thread synchronization
• Memory management
• Enforcement of architectural styles
• Program verification

Proof obligations to verify, at compile-time, that invariants hold

2

Ownership-based verification

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7 invariant on tree nodes

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7 Owner of children nodes invariant on tree nodes

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7 Owner of children nodes invariant on tree nodes

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7 Owner of children nodes Owner of children nodes invariant on tree nodes

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7 Owner of children nodes Owner of children nodes invariant on tree nodes

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7

Impose a tree topology on program heap

invariant on tree nodes

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7

Modifications of objects are initiated by their owners

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7 modification

Modifications of objects are initiated by their owners

n2

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7 modification

Modifications of objects are initiated by their owners

n2

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7 modification

Modifications of objects are initiated by their owners

n2

• wner-as-modifier

discipline

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7

No modifying call-backs into owners from owned objects

3

Ownership-based verification

n1 n2 n4 n5 n3 n6 n7

No modifying call-backs into owners from owned objects

✗

3

Ownership-based verification: summary

Guarantees by ownership

• Impose tree topology on program heap
• Owner-as-modifier discipline
• No modifying call-backs into owners from owned objects

4

Ownership-based verification: summary

Guarantees by ownership

• Impose tree topology on program heap
• Owner-as-modifier discipline
• No modifying call-backs into owners from owned objects

Sound, modular verification of invariants on owned objects

4

Ownership-based verification: summary

Guarantees by ownership

• Impose tree topology on program heap
• Owner-as-modifier discipline
• No modifying call-backs into owners from owned objects

Sound, modular verification of invariants on owned objects

However ...

4

Ownership-based verification: summary

Restrict sharing: modifying access only by owner and peers

4

Ownership-based verification: summary

n1 n2 n4 n5 n3 n6 n7

Restrict sharing: modifying access only by owner and peers

4

Ownership-based verification: summary

n1 n2 n4 n5 n3 n6 n7

Restrict sharing: modifying access only by owner and peers

modifying access

✗

4

About this paper

5

About this paper

Selective ownership

• Less rigid form of ownership
• Permits shared, modifying access to objects further “down” in

heap topology

5

About this paper

Selective ownership

• Less rigid form of ownership
• Permits shared, modifying access to objects further “down” in

heap topology

n1 n2 n4 n5 n3 n6 n7

5

About this paper

Selective ownership

• Less rigid form of ownership
• Permits shared, modifying access to objects further “down” in

heap topology

n1 n2 n4 n5 n3 n6 n7 modifying access

✔

5

About this paper

Selective ownership

• Less rigid form of ownership
• Permits shared, modifying access to objects further “down” in

heap topology

5

About this paper

Selective ownership

• Less rigid form of ownership
• Permits shared, modifying access to objects further “down” in

heap topology

Selective ownership-based verification

• Enables sound, modular verification of invariants over shared,

modifiable sub-structures

First-class relationships

• Naturally support selective ownership

5

Selective ownership in a nutshell

6

Selective ownership in a nutshell

Gives structure to program heap

6

Selective ownership in a nutshell

Gives structure to program heap

• By defining order on type declarations
• And, optionally, by imposing ownership on selected objects

6

Selective ownership in a nutshell

Gives structure to program heap

• By defining order on type declarations
• And, optionally, by imposing ownership on selected objects

E.g., subtyping, package structure

6

Selective ownership in a nutshell

Gives structure to program heap

• By defining order on type declarations
• And, optionally, by imposing ownership on selected objects

6

Selective ownership in a nutshell

6

Selective ownership := type order [+ object ownership]

Type order

7

Type order

A B C D E

7

Type order

A B C D E Legend: type

7

Type order

A B C D E Legend: type type order

7

Type order

A B C D E Legend: type type order

7

Type order

A B C D E Legend: type type order

7

Type order

A B C D E Legend: type type order

7

Type order

A B C D E Legend: type type order

7

Type order

A B C D E Legend: type type order

7

Type order

A B C D E Legend: type type order

7

{A ↦ D, B ↦ C, B ↦ E, C ↦ D, C ↦ E}

Type order

A B C D E Legend: type type order

7

Type order

A B C D E Legend: type type order

Type order forms a strict partial order

7

A B C D E

Type order

Legend: type type order

7

A B C D E

Type order

Legend: type type order instance

7

A B C D E

Type order

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 Legend: type type order instance

7

A B C D E

Type order

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 Legend: type type order instance

7

Modifying references comply with type order

A B C D E

Type order

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 Legend: type type order instance modifying reference

7

Modifying references comply with type order

A B C D E

Type order

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 Legend: type type order instance modifying reference

7

Modifying references comply with type order

A B C D E

Type order

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 Legend: type type order instance modifying reference

7

Modifying references comply with type order

A B C D E

Type order

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 Legend: type type order instance modifying reference

7

Modifying references comply with type order

A B C D E

Type order

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 Legend: type type order instance modifying reference

7

A B C D E

Type order

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 Legend: type type order instance modifying reference

7

Read-only references are unrestricted

A B C D E

Type order

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 Legend: type type order instance modifying reference

7

Read-only references are unrestricted

read-only reference

A B C D E

Type order

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 Legend: type type order instance modifying reference

7

Read-only references are unrestricted

read-only reference

A B C D E

Type order

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 Legend: type type order instance modifying reference

7

A B C D E

Type order

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 Legend: type type order instance modifying reference

Heap forms DAG (w.r.t. modifying access)

7

Type order

Legend: type type order instance modifying reference A B C D E a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1

7

Type order + ownership

Legend: type type order instance modifying reference A B C D E a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1

8

Type order + ownership

Legend: type type order instance modifying reference A B C D E a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1

8

Type order + ownership

Legend: type type order instance modifying reference A B C D E a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1

8

Type order + ownership

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 A B C F D E G Legend: type type order instance modifying reference

8

Type order + ownership

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 A B C F D E G Legend: type type order instance modifying reference

8

Type order + ownership

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 A B C F D E G Legend: type type order instance modifying reference f1 f2 g1

8

Type order + ownership

a1 a2 c1 c2 e1 e2 e3 b1 b2 b3 d1 A B C F D E G Legend: type type order instance modifying reference f1 f2 g1

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G Legend: type type order instance modifying reference

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G c1 Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G c1

✗

Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G c1 Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G b2 Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G b2

✗

Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G b2 Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b3 g1 d1 A B C F D E G b2 Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b3 g1 d1 A B C F D E G b2 b3 Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 g1 d1 A B C F D E G b2 b3 Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 g1 d1 A B C F D E G b2 b3

Heap forms DAG with “sub-trees” (w.r.t. modifying access)

Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 g1 d1 A B C F D E G b2 b3

Heap forms DAG with “sub-trees” (w.r.t. modifying access) restricted, modifying access

Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Type order + ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 g1 d1 A B C F D E G b2 b3

shared, modifying access Heap forms DAG with “sub-trees” (w.r.t. modifying access) restricted, modifying access

Legend: type type order instance modifying reference

• wnership (modifying ref)

8

Recap

9

Recap

OO verification challenges

• Visible-state semantics in presence of call-backs
• Modular verification of multi-object invariants

Ownership-based verification

• Leverages tree topology to prevent modifying call-backs
• Leverages tree topology to encapsulate ownership-based invariants

9

Recap

OO verification challenges

• Visible-state semantics in presence of call-backs
• Modular verification of multi-object invariants

Ownership-based verification

• Leverages tree topology to prevent modifying call-backs
• Leverages tree topology to encapsulate ownership-based invariants

Selective ownership

• Leverages type order to prevent modifying call-backs
• Leverages ownership to encapsulate ownership-based invariants

9

Verification: type order

F

10

Verification: type order

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G

10

Verification: type order

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G

No transitive call-backs

10

Verification: type order

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G

No transitive call-backs

e3

✗

10

Verification: type order

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G

10

Verification: type order

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G

invariant (b2)

b2

10

Verification: type order

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G

Visible-state semantics for single-object invariants is sound invariant (b2)

b2

10

Verification: type order + object ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G

11

Verification: type order + object ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G

11

Verification: type order + object ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 b2 b3 g1 d1 A B C F D E G

11

B

Verification: type order + object ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 g1 d1 A C F D E G b2 b3

11

B

Verification: type order + object ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 g1 d1 A C F D E G b2 b3

invariant (b2)

b2

11

B

Verification: type order + object ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 g1 d1 A C F D E G b2 b3

invariant (b2)

b2 f1

invariant (b2,d1)

11

B

Verification: type order + object ownership

a1 a2 c1 c2 f1 f2 e1 e2 e3 b1 g1 d1 A C F D E G b2 b3

Modular verification of multi-object invariants invariant (b2)

b2 f1

invariant (b2,d1)

11

Relationships & selective ownership

12

Relationships & selective ownership

Relationship-based programming languages

• Successors to OO languages
• Relationships as first-class citizens

First-class relationships

• Naturally give rise to a type order

12

Relationships & selective ownership

Relationship-based programming languages

• Successors to OO languages
• Relationships as first-class citizens

First-class relationships

• Naturally give rise to a type order

Naturally support selective ownership

12

In the paper

Rumer

• Relationship-based programming and specification language

Running example: tree

• Specification in Rumer
• Tree invariants
• Selective ownership-based verification

13

Relationships & type order

14

Relationships & type order

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node root, Set<Parent> tree) { void appendTree(Tree t, Node p) {...} }

14

Relationships & type order

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node root, Set<Parent> tree) { void appendTree(Tree t, Node p) {...} }

14

Relationships & type order

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node root, Set<Parent> tree) { void appendTree(Tree t, Node p) {...} }

14

Relationships & type order Relates class or

relationships instances

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node root, Set<Parent> tree) { void appendTree(Tree t, Node p) {...} }

14

Relationships & type order

Type order defined by relationship declarations

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node root, Set<Parent> tree) { void appendTree(Tree t, Node p) {...} }

14

Relationships & type order

Type order defined by relationship declarations

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node root, Set<Parent> tree) { void appendTree(Tree t, Node p) {...} }

14

Relationships & type order

Type order defined by relationship declarations {Tree ↦ Parent

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node root, Set<Parent> tree) { void appendTree(Tree t, Node p) {...} }

14

Relationships & type order

Type order defined by relationship declarations {Tree ↦ Parent {Tree ↦ Parent, Tree ↦ Node

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node root, Set<Parent> tree) { void appendTree(Tree t, Node p) {...} }

14

Relationships & type order

Type order defined by relationship declarations {Tree ↦ Parent {Tree ↦ Parent, Tree ↦ Node

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node root, Set<Parent> tree) { void appendTree(Tree t, Node p) {...} }

14

Relationships & type order

Type order defined by relationship declarations {Tree ↦ Parent {Tree ↦ Parent, Tree ↦ Node {Tree ↦ Parent, Tree ↦ Node, Parent ↦ Node}

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node root, Set<Parent> tree) { void appendTree(Tree t, Node p) {...} }

14

Relationships & instance ownership

15

Relationships & instance ownership

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node r, owned Set<Parent> t) { void appendTree(Tree t, Node p) {...} }

15

Relationships & instance ownership

Ownership relation must be subset of type order

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node r, owned Set<Parent> t) { void appendTree(Tree t, Node p) {...} }

15

Relationships & instance ownership

Ownership relation must be subset of type order

class Node {...} relationship Parent participants (Node child, Node parent) { void link(Node c, Node p) {...} } relationship Tree participants (Node r, owned Set<Parent> t) { void appendTree(Tree t, Node p) {...} }

15

Conclusions

16

Conclusions

Selective ownership = type [+ object ownership]

• Leverages type order to prevent modifying call-backs
• Leverages ownership to encapsulate ownership-based invariants

16

Conclusions

Selective ownership = type [+ object ownership]

• Leverages type order to prevent modifying call-backs
• Leverages ownership to encapsulate ownership-based invariants

Sound modular verification of multi-object invariants

16

Conclusions

Selective ownership = type [+ object ownership]

• Leverages type order to prevent modifying call-backs
• Leverages ownership to encapsulate ownership-based invariants

Sound modular verification of multi-object invariants Permits shared, modifying access to objects further down

16

Conclusions

Selective ownership = type [+ object ownership]

• Leverages type order to prevent modifying call-backs
• Leverages ownership to encapsulate ownership-based invariants

Sound modular verification of multi-object invariants Permits shared, modifying access to objects further down Type order naturally arises from first-class relationships

16

Thank you for your attention!