1.12k likes | 1.14k Views
Role Analysis. Viktor Kuncak Patrick Lam Martin Rinard. MIT LCS. Process Scheduler Example. RP. SP. Running Process. Suspended Process. Process Scheduler Example. Running Process List. next. RP. RP. prev. next. prev. prev. next. prev. RP. RP. SP. next. Running
E N D
Role Analysis Viktor Kuncak Patrick Lam Martin Rinard MIT LCS
Process Scheduler Example RP SP Running Process Suspended Process
Process Scheduler Example Running Process List next RP RP prev next prev prev next prev RP RP SP next Running Process Suspended Process
Process Scheduler Example Running Process List Suspended Process Tree next R RP RP right prev left SP SP next prev prev next right left prev RP RP SP SP next Running Process Suspended Process
Process Scheduler Example Running Process List Suspended Process Tree next R RP RP right prev left prev SP SP next prev next right left RP SP left SP SP Running Process Suspended Process
Remarks • Desirable to capture distinction between suspended and running processes • Standard types unsuitable • Type is fixed for lifetime of object • Scheduler suspends and resumes processes • Concept of a role • Statically verifiable property of an object • Capture current conceptual purpose of object • Role changes as object's purpose changes
Goal Develop a static type system in which each object is assigned a role Program actions can change object roles
Challenges Aliasing Ensure that role changes performed using one alias are correctly reflected in roles of other aliases Procedures Compositional interprocedural role system
Basic Approach • Develop a role system in which role of each object depends on its heap aliases • Role provides aliasing information • Enables checker to ensure that role changes are compatible with all aliases • Role reflects object’s participation in different data structures • Role changes as object moves between data structures
Role Definition for Running Processes role RP { Sequence of heap referencing constraints } RP Running Process
Slot Constraints role RP { slots RP.next, RP.prev; ... } Slot constraints identify the complete set of heap aliases of the object RP Running Process
Slot Constraints role RP { slots RP.next, RP.prev; ... } RP prev Slot constraints identify the complete set of heap aliases of the object RP RP next Running Process
Field Constraints role RP { slots RP.next, RP.prev; fields next : RP, prev : RP; ... } RP prev RP RP next Field constraints identify roles of objects to which fields refer Running Process
Field Constraints role RP { slots RP.next, RP.prev; fields next : RP, prev : RP; ... } RP RP next prev RP prev RP RP next Field constraints identify roles of objects to which fields refer Running Process
Identity Constraints role RP { slots RP.next, RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next; } RP RP next prev RP prev RP RP next Running Process Identities identify cycles of length two.
Identity Constraints role RP { slots RP.next, RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next; } RP prev next prev RP RP next Running Process Identities identify cycles of length two.
Role Definition for Running Processes role RP { slots RP.next, RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next; } next RP RP prev next prev prev next prev RP RP RP next
Roles as Constraints • Each constraint C(o) is a predicate on objects • Role is a logical conjunction of its defining constraints • Constraints can be recursive! role RP { slots RP.next, RP.prev; fields next : RP, prev : RP; identities next.prev, prev.next; }
Semantics of Role Constraints • Constraint is interpreted in the context of a role assignment (mapping from objects to role names) • Heap is role consistent iff there exists a role assignment in which every object satisfies its role
Roles for Suspended Processes Suspended Process Tree role R { } role SP { slots } R right left SP SP right left SP SP Suspended Process
Roles for Suspended Processes Suspended Process Tree role R { } role SP { slots R.left } R right left SP SP right left SP SP Suspended Process
Roles for Suspended Processes Suspended Process Tree role R { } role SP { slotsR.left R.right } R right left SP SP right left SP SP Suspended Process
Roles for Suspended Processes Suspended Process Tree role R { } role SP { slotsR.leftR.right SP.left } R right left SP SP right left SP SP Suspended Process
Roles for Suspended Processes Suspended Process Tree role R { } role SP { slotsR.leftR.right SP.left SP.right } R right left SP SP right left SP SP Suspended Process
Roles for Suspended Processes Suspended Process Tree role R { } role SP { slotsR.left | R.right | SP.left| SP.right; } R right left SP SP right left SP SP Suspended Process
Roles for Suspended Processes Suspended Process Tree role R { } role SP { fields left : SP right: SP slotsR.left | R.right | SP.left| SP.right; } R right left SP SP right left SP SP Suspended Process
Roles for Suspended Processes Suspended Process Tree role R { } role SP { fields left : SP|null, right: SP|null; slotsR.left | R.right | SP.left| SP.right; } R right left SP SP right left SP SP Suspended Process
Roles for Suspended Processes Suspended Process Tree role R { fields left : SP|null, right: SP|null; } role SP { fields left : SP|null, right: SP|null; slotsR.left | R.right | SP.left| SP.right; } R right left SP SP right left SP SP Suspended Process
Roles for Suspended Processes Suspended Process Tree role R { fields left : SP|null, right: SP|null; } role SP { fields left : SP|null, right: SP|null; slotsR.left | R.right | SP.left| SP.right; acyclic left, right; } SP left left right SP SP Suspended Process No cyclic paths of the form (left+right)*
Roles for Suspended Processes Suspended Process Tree role R { fields left : SP|null, right: SP|null; } role SP { fields left : SP|null, right: SP|null; slots R.left | R.right | SP.left| SP.right; acyclic left, right; } R right left SP SP right left SP SP Suspended Process
Role Changes • To suspend a process • Remove from running process list • Insert into suspended process tree R right left SP SP next RP RP right prev prev next next prev SP prev RP RP next
Role Changes • To suspend a process • Remove from running process list • Insert into suspended process tree R right left SP SP RP I right next prev next SP prev prev RP RP next
Role Changes • To suspend a process • Remove from running process list • Insert into suspended process tree R right left SP SP RP I right next prev next Isolated object: SP prev role I { } prev RP RP next
Role Changes • To suspend a process • Remove from running process list • Insert into suspended process tree R right left left SP SP RP SP right next prev next SP prev prev RP RP next
Removing a Process from List remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I); } p next RP RP prev prev next next prev prev RP RP next
Removing a Process from List remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I); } p pp next RP RP prev prev next pn next prev prev RP RP next
Removing a Process from List remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I); } p pp RP RP prev next pn next prev next prev prev RP RP next
Removing a Process from List remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I); } p pp RP RP pn next prev next prev prev RP RP next
Removing a Process from List remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I); } p Programming model expects programmer to indicate role changes RP RP next prev next prev prev RP RP next
Removing a Process from List remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I); } p Programming model expects programmer to indicate role changes RP I next prev next prev prev RP RP next
Programming Model Based On Instrumented Semantics • Role Assignment Part of Program State • Each object has a nominal role • setRole(p : R) updates role assignment • Programmer responsibilities • Specify intended role assignment • Write role-consistent program • Static role checking ensures • Programs are role-consistent • No dynamic overhead incurred
Temporary Role Violations remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I); } p pp Data structure updates often temporarily violate nominal roles of updated objects RP RP prev next pn prev next prev prev RP RP next
RP RP prev next prev next prev prev RP RP next Temporary Role Violations remove(p : RP) { pp = p.prev; pn = p.next; pp.next = pn; pn.prev = pp; p.next = null; p.prev = null; pp = null; pn = null; setRole(p : I); } p pp What do nominal roles mean during these updates? pn
RP RP prev next prev next prev prev RP RP next Temporary Role Violations Observation: Objects with temporarily violated roles are referenced by local variables. p pp pn
RP RP prev next prev next prev prev RP RP next Onstage and Offstage Objects onstage objects = objects referenced by local variables. onstage objects p pp pn offstage objects
RP RP prev next prev next prev prev RP RP next Onstage and Offstage Objects onstage objects = objects referenced by local variables. onstage objects p pp Onstage objects may have their roles temporarily violated. pn offstage objects
RP RP prev next prev next prev prev RP RP next Onstage and Offstage Objects onstage objects = objects referenced by local variables. onstage objects p pp Roles of offstage objects must be correct assuming the nominal roles of onstage objects. pn offstage objects
Procedure Interfaces • Each procedure has an interface • Precondition • Property of heap at start of procedure • Specifies initial dataflow fact for analysis • Abstraction of actions of procedure • Read Effects (accessed region of heap) • Write Effects • Changes to heap references • Nominal role changes