role analysis viktor kuncak patrick lam martin rinard mit lcs

Role Analysis

Viktor Kuncak

Patrick Lam

Martin Rinard

MIT LCS

2

Process Scheduler Example

Running Process

RPSP

Suspended Process

3


Running Process List

nextRP

RP

RP

RPnext

next next

prev

prev

prev prev

Running Process

SP

Suspended Process

4



nextRP

RP

RP

RPnext

next next

prev

prev

prev prev

R

SPSP

SP SP

left right

left right

Suspended Process Tree

Suspended Process

Running Process

5



nextRP

RP

RP

SP

next next

prev

prevprev

R

SPSP

SP SP

left right

left right


Suspended Process

Running Process

left

6

Remarks

• Desirable to capture distinction between suspended and running processes

• Standard types unsuitable– Type is fixed for lifetime of object– Scheduler suspends and resumes processes

• Concept of a role– Statically verifiable property of an object– Capture current conceptual purpose of object– Role changes as object's purpose changes

Goal

Develop a static type system in which each object is assigned a role

Program actions can change object roles

8

Challenges

Aliasing

Ensure that role changes performed using one alias are correctly reflected in roles

of other aliases

Procedures

Compositional interprocedural role system

9

Basic Approach

• Develop a role system in which role of each object depends on its heap aliases– Role provides aliasing information– Enables checker to ensure that role

changes are compatible with all aliases

• Role reflects object’s participation in different data structures

• Role changes as object moves between data structures

10

Role Definition for Running Processes

Running Process

RP

role RP { Sequence of heap referencing constraints}

11

Slot Constraints

Running Process

RP

role RP { slots RP.next,

RP.prev; ...}

Slot constraints identifythe complete set of heapaliases of the object

12

Slot Constraints

Running Process

RP

RP

RPnext

prev


RP.prev; ...}

Slot constraints identifythe complete set of heapaliases of the object

13

Field Constraints

Running Process

RP

RP

RPnext

prev


RP.prev; fields next : RP, prev : RP; ...}

Field constraints identifyroles of objects to which

fields refer

14

Field Constraints

Running Process

RP

RP

RPnext

prev


RP.prev; fields next : RP, prev : RP; ...}

RP

RP

nextprev

Field constraints identifyroles of objects to which

fields refer

15

Identity Constraints

Running Process

RP

RP

RPnext

prev


RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next;}

RP

RP

nextprev

Identities identify cycles of length two.

16

Identity Constraints

Running Process

RP

RP

RPnext

prev



next

prev

Identities identify cycles of length two.

17

nextRP

RP

RP

RPnext

next next

prev

prev

prev prev



Role Definition for Running Processes

RP

18

Roles as Constraints

• Each constraint C(o) is a predicate on objects

• Role is a logical conjunction of its defining constraints

• Constraints can be recursive!



19

Semantics of Role Constraints

• Constraint is interpreted in the context of a role assignment (mapping from objects to role names)

• Heap is role consistent iff there exists a role assignment in which every object satisfies its role

20

Roles for Suspended Processes

R

SPSP

SP SP

left right

left right


Suspended Process

role R {

}role SP {

slots

}

21


R

SPSP

SP SP

left right

left right


Suspended Process

role R {

}role SP {

slots R.left

}

22


R

SP

SP SP

left right

left right


Suspended Process

SP

role R {

}role SP {

slots R.left R.right

}

23


R

SP

left right

left right


Suspended Process

SP

SP

SP

role R {

}role SP {

slots R.left R.right SP.left

}

24


Rleft right

left right


Suspended Process

SP SP

role R {

}role SP {

slots R.left R.right SP.left SP.right

}

SP SP

25


Rleft right

left right


Suspended Process

SP SP

role R {

}role SP {

slots R.left | R.right | SP.left| SP.right;

}

SP SP

26


Rleft right

left right


Suspended Process

SP SP

role R {

}role SP { fields left : SP right: SP slots R.left | R.right | SP.left| SP.right;

}

SP SP

27


Rleft right

left right


Suspended Process

SP SP

role R {

}role SP { fields left : SP|null, right: SP|null; slots R.left | R.right | SP.left| SP.right;

}

SPSP

28


Rleft right

left right


Suspended Process

SP SP

role R { fields left : SP|null, right: SP|null;}role SP { fields left : SP|null, right: SP|null; slots R.left | R.right | SP.left| SP.right;

}

SP SP

29


SP

SP SP

left right


Suspended Process

left

role R { fields left : SP|null, right: SP|null;}role SP { fields left : SP|null, right: SP|null; slots R.left | R.right | SP.left| SP.right; acyclic left, right;} No cyclic paths of the form (left+right)*

30


R

SPSP

SP SP

left right

left right


Suspended Process

role R { fields left : SP|null, right: SP|null;}role SP { fields left : SP|null, right: SP|null; slots R.left | R.right | SP.left| SP.right; acyclic left, right;}

Programming with Roles

32

Role Changes

• To suspend a process– Remove from running process list– Insert into suspended process tree

RP

RP

RPnext

next

prev

prev

nextRP prev

prev

R

SPSP

SP

left right

right

next

33

Role Changes


RP

I

RPnext

prevprev

RP

prev

R

SPSP

SP

left right

right

nextnext

34

Role Changes


RP RPnext

prevprev

RP

prev

R

SPSP

SP

left right

right

nextnext

role I { }

Isolated object:

I

35

Role Changes


RP

SP

RPnext

prevprev

RP

prev

R

SPSP

SP

left right

right

next

left

next

36

Removing a Process from List

remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I);}

RP

RP

RPnext

next

prev

prev

nextRP prev

prev

p

next

37



RP

RP

RPnext

next

prev

prev

nextRP prev

prev

ppp

pnnext

38


RP

RP

RPnext

next

prevprev

RP prev

prev next

ppp

pn


next

39

RP

RP

RP

RPnext

prevprev

prev nextnext

ppp

pn



40

RP

RP

RP

RPnext

prevprev

prev nextnext

p


remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I);}Programming model expects programmer

to indicate role changes

41

RP

RP

I

RPnext

prevprev

prev nextnext

p


remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I);}Programming model expects programmer

to indicate role changes

42

Programming Model Based On Instrumented Semantics

• Role Assignment Part of Program State– Each object has a nominal role– setRole(p : R) updates role assignment

• Programmer responsibilities– Specify intended role assignment– Write role-consistent program

• Static role checking ensures– Programs are role-consistent– No dynamic overhead incurred

43

RP

RP

RPnext

next

prevprev

RP prev

prev next

ppp

pn

Temporary Role Violations

Data structure updates often

temporarily violate nominal roles of updated objects


44

RP

RP

RPnext

next

prevprev

RP prev

prev next

ppp

pn


What do nominal roles mean during

these updates?


45

RP

RP

RPnext

next

prevprev

RP prev

prev next

ppp

pn


Observation:

Objects with temporarily violated roles are referenced by local variables.

46

onstage objects = objects referenced by local variables.

onstage objects

offstage objectsRP

RP

RPnext

next

prevprev

RP prev

prev next

ppp

pn

Onstage and Offstage Objects

47

Onstage objects may have their

roles temporarily violated.

onstage objects

offstage objectsRP

RP

RPnext

next

prevprev

RP prev

prev next

ppp

pn



48

Roles of offstage objects must be

correct assuming the nominal roles of

onstage objects.

onstage objects

offstage objectsRP

RP

RPnext

next

prevprev

RP prev

prev next

ppp

pn



Role Checking

50

Each procedure has an interface

• Precondition• Property of heap at start of procedure• Specifies initial dataflow fact for analysis

• Abstraction of actions of procedure– Read Effects (accessed region of heap)– Write Effects

• Changes to heap references • Nominal role changes

Procedure Interfaces

51

Two Aspects of Role Checking

• Verifying interface conformance– Assume precondition– Analyze procedure– Verify that procedure respects effects

• Using interfaces at call sites to separate analysis of caller and callee

• Each procedure analyzed exactly once

52

Role Consistency Across Procedure Calls

p

c

When analyzing a procedure:

Assume that accessed objects have consistent roles.

d

Region R accessed by

foo

foo(p) reads R { ...

}

53


At Call Site:

Use read effects of the procedure to verify that region accessed by the procedure has consistent roles

(even for onstage objects)

p

c

d

...

foo(p);

...


foo

54


p

c

When analyzing the procedure:

Verify that only objects declared in callee’s read effects are accessed.

Assume that accessed objects have correct roles.

d


foo


}

55


p

c

d

After Call Site:

The role checking assumes that region accessed in the procedure is left in a role consistent state.

...

foo(p);

...


foo

56


p

c

After analyzing the procedure:

Verify that objects in accessed region are left in role consistent state (implicit postcondition)

d


}


foo

Verifying Interface Conformance

58

RP

RP

RPn

p

RP

n p

p

Analysis Abstraction

RP

n

p

n

p

p

RPn

p

np

n

p

Concrete Heap

(objects and references)

Analysis Representation:Role Graph

(nodes and edges)

59

RP

RP

RPn

p

RP

n p

p

Role Graph

RP

n

p

n

p

p

RPn

p

np

n

p

Concrete Heap Role Graph

Onstage node(represents a

single onstage object)

60

RP

RP

RPn

p

RP

n p

p

Role Graph

RP

n

p

n

p

p

RPn

p

np

n

p

Summary Offstage Node (represents any

number of objects)


61

RP

RP

RPn

p

RP

n p

p

Abstraction Relation

RP

n

p

n

p

p

RPn

p

np

n

p

Each onstage object represented by an

onstage node


62

RP

RP

RPn

p

RP

n p

p


RP

n

p

n

p

p

RPn

p

np

n

p

Concrete Heap Analysis Representation:Role GraphOffstage objects are

represented by offstage nodes

63

RP

RP

RPn

p

RP

n p

p


RP

n

p

n

p

p

RPn

p

np

n

p

The function is• a graph homomorphism• isomorphism between onstage objects and nodes• role preserving: role(h(o)) = role(o)

64

Initial roles: p : RP

remove(p) {pp=p.prev; pn=p.next;pp.next=pn; pn.prev=pp;p.next=null; p.prev=null;pp=null; pn=null;setRole(p : I);

}

Interface for remove

RPp

RP

Initial Role Graph

65

Initial roles: p : RPRead effects: p, RP


}


RPp

RP

Initial Role Graph

66

Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = null


}


RPp

RP

Initial Role Graph

67

Initial roles: p : RPRead effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:

RP.next = RP, RP.prev = RP


}


RPp

RP

Initial Role Graph

68



Must role changes: p : I


}


RPp

RP

Initial Role Graph

69





}

Verifying Interface for remove

RPp

RP

Load statement

70





}


RPp

RP

Load statement

• expansion

RPpp

71





}


Load statement

• expansion

• read effect check succeeds: RP in read effects

RPp

RP

RPpp

72





}


RPp

RP

RPpp

Load statement

• expansion


73





}


RPp

RP

RPpp

RPpn

Load statement

• expansion


74





}


RPp

RP

RPpp

RPpn

Store statement

75





}


RPp

RP

RPpp

RPpn

Store statement

• strong update

76





}


RPp

RP

RPpp

RPpn

Store statement

• strong update

• verify write effect succeeds: RP.next = RP

77





}


RPp

RP

RPpp

RPpn

Store statement

78





}


RPp

RP

RPpp

RPpn

Store statement

• strong update

• verify write effect succeeds: RP.prev = RP

79





}


RPp

RP

RPpp

RPpn

Store statement

80





}


RPp

RP

RPpp

RPpn

Store statement

• strong update

• verify write effect succeeds: p.next=null

81





}


RPp

RP

RPpp

RPpn

Store statement

• strong update

• verify write effect succeeds: p.prev=null

82





}


RPp

RP

RP

RPpn

Local variable assignment

• remove local variable

83





}


RPp

RP

RP

RPpn


• remove local variable (node goes offstage)

• check role is correct

84





}


RPp

RP RPpn




• merge node into offstage

85





}


RPp

RP




• merge node into offstage

86





}


Ip

RP

setRole

• change the nominal role

87





}


Ip

RP

setRole

• change the nominal role

• check that the role change is in the interface

88





}


Ip

RP

Postcondition check:

• all accessed nodes have referencing relationships consistent with their roles

• even onstage nodes

89

Details of Analysis

• Dataflow fact is set of role graphs

• Merge is union of role graph sets

• Predicative analysis - filters out graphs that do not satisfy the test in conditional

• Builds on ideas from shape analysis– Expansion and contraction– May reachability (from onstage nodes)

prevents excessive merging of nodes

Using Interfaces at Call Sites

91

Example: remove procedure call . . .

remove(p);

. . .RP

p

RP

RPRP

c

Role graph before the call:

RP

RP

p

Read effects: p, RPMust write effects: p.next = null, p.prev = nullMay write effects:



remove interface:

92

Context Matching . . .

remove(p);

. . .RP

p

RP

RPRP

c


RP

RP

p




remove interface:

93

Role Check in Accessed Region . . .

remove(p);

. . .RP

p

RP

RPRP

c


RP

RP

p




remove interface:

94

Applying Must Write Effects . . .

remove(p);

. . .RP

p

RP

RPRP

c

RP

RP

p




remove interface:

95

Applying Must Write Effects . . .

remove(p);

. . .RP

p

RP

RPRP

c

RP

RP

p




remove interface:

96

Applying May Write Effects . . .

remove(p);

. . .RP

p

RP

RPRP

c

RP

RP

p




remove interface:

97

Applying Must Role Change . . .

remove(p);

. . .I

p

RP

RPRP

c

RP

RP

p




remove interface:

98

Enforcing Role Constraints . . .

remove(p);

. . .

p

RP

RPRP

c

RP

RP

p




remove interface:

I

99

Enforcing Role Constraints . . .

remove(p);

. . .

p

RP

RPRP

c

RP

RP

p




remove interface:

I

100

Merge . . .

remove(p);

. . .

p

RPRP

c

RP

RP

p




remove interface:

Role graph after the call:

I

101

Key Ideas in Analysis

• Role of object characterizes its aliases– Enables analysis to find aliases– Verify new role consistent with all aliases

• Precise effects in procedure interfaces– Full precision for parameters

(or even fixed region surrounding parameters)

– Role consistency/may effects for rest of heap

102

Multiple Simultaneous Roles

RP

RP

RP

RP

R

SP SP

SP SP

Running Processes Suspended Processes

103


RP

RP

RP

RP

R

SP SP

SP SP

Running Processes Suspended Processes

HP

High Priority Process List

HP

Low Priority Process List

LP LP

proc proc proc proc

104

Complete Slot Constraints

• This slot constraint specifies ALL aliases

• Aliases from high or low priority process lists violate role



105

Partial Slot Constraints

• This slot constraint specifies aliases from next, prev, right, and left fields ONLY

• Aliases from high or low priority process lists can be used in new role definitions for high and low priority processes

role RP { next, prev, right, left: slots RP.next, RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next;}

106

role RP { next, prev, right, left : slots RP.next,


role HighPriority { proc : slots HPL.proc;}

role LowPriority { proc : slots LPL.proc;}


Can have a running high priority process, a running low priority process, etc.

107

Benefits of Roles• Data structure consistency properties• Object usage constraints

– Procedures specify roles of parameters– Object's interface changes as its role

changes

• Roles crystallize useful perspective– Provide useful information to maintainers– Basis for exploration of the behavior of

program via dynamic role discovery – Help programmers conceptualize

relationships between objects

Related Work

109

Typestate

• Strom, Yemini ’86: Typestate– object initialization, no aliasing

• DeLine, Fähndrich ’01: High-Level Protocols– linear types for heap references

• Xu, Miller, Reps ’00: Typestate for machine code

110

Dynamically Changing Classes• Chambers ‘93: Predicate Classes

• Ghelli, Palmerini ‘99: Fibonacci

• Drossopoulou et al. ’01: Fickle

Alias Control in OOP• Hogg ’91: Islands• Almeida ’97: Balloon Types• Clarke, Potter, Noble ’98: Ownership Types• Banerjee, Naumann ’02: Confinement• Boyapati, Rinard ’01: Unique References• Boyland: Alias Burying

111

Specifying/Verifying Heap Invariants

• Smith, Walker, Morrisett ’00: Alias Types• Møller, Schwartzbach ’01: PALE• Fradet, Metayer ’97: Shape Types• Larus, Hilfinger ’88: Conflicts in structure accesses• Chase, Wegman, Zadeck ’90: SSG• Hendren ’90: Interference analysis• Hendren, Hummel, Nicolau ’94: APM / ADDS• Sagiv, Reps, Wilhelm ’99: TVLA• Rinetzky, Sagiv ’01: Noncompositional

interprocedural analysis

112

Conclusion

• Statically checked role system– Role changes reflect changes in purpose of

object in computation– Full support for role changes and aliasing

• Key aspects of design– Role characterizes aliases– Procedure abstraction choices

• Multiple simultaneous roles

role analysis viktor kuncak patrick lam martin rinard mit lcs

Documents

slots rp

rp identities

prev fields

role namesheap

role assignment mapping

role consistent iff

objects participation

data structuresrole