object ownership in program verification
play

Object Ownership in Program Verification Werner Dietl - University - PowerPoint PPT Presentation

Jun 08, 2023 •255 likes •527 views

Object Ownership in Program Verification Werner Dietl - University of Washington Peter Mller - ETH Zrich Presentation by Roman Schmocker Motivation Object Ownership The basic concepts Goal: Information on Heap structuring

  1. Object Ownership in Program Verification Werner Dietl - University of Washington Peter Müller - ETH Zürich Presentation by Roman Schmocker

  2. Motivation

  3. Object Ownership The basic concepts ● Goal: Information on Heap structuring ○ Reasoning about aliasing linked_list ● Ownership topology node node ○ Objects can own other objects ○ At most one owner ○ Enforced by language item item ● Encapsulation ○ Protect owned objects from arbitrary modifications ○ Write access only for the owner ○ Readonly or no access for others

  4. Dynamic Ownership Ownership topology in Spec# linked_list ● Implicit ghost field: owner ○ Once set, cannot change node node ● Attributes on fields item item

  5. Dynamic Ownership Ownership topology in Spec# linked_list ● Owner set automatically node node item item

  6. Encapsulation ● Goal: Do not circumvent owner! ○ Write access needs "permission" of owner ● Object states ○ Valid: Invariant holds, read access ○ Mutable: Invariant can be broken, read/write access ○ Consistent: Valid, with mutable owner ● Encapsulation invariant ○ Never allow a mutable object with a valid owner!

  7. Encapsulation ● Heap topology ○ Forest of ownership trees ○ Belt of consistent objects ● expose(o) { ...} ○ o becomes mutable Mutable within code block ○ only possible on Consistent consistent objects Valid

  8. Encapsulation ● Mutating (impure) methods ○ Requires consistent receiver, argument, return value ○ Rationale: ■ May expose receiver ■ May call mutating methods on arguments ■ Caller should be able to modify return value ● Pure methods ○ Only requires valid receiver, argument, return value ○ Rationale: Not allowed to change values anyway

  9. Example this n head tail

  10. Example this n head tail

  11. Example this n head tail

  12. Example this n head tail

  13. Example this n head tail

  14. Example this n head tail

  15. Applications Framing

  16. Applications Framing ● Case 1: Shared node structures ● Case 2: a transitively owns b ● Case 3: a == b

  17. Applications Framing ● Case 1: Shared node structures ○ No: contradicts topology invariant (only one owner) ● Case 2: a transitively owns b ● Case 3: a == b

  18. Applications Framing ● Case 1: Shared node structures ○ No: contradicts topology invariant (only one owner) ● Case 2: a transitively owns b ○ No: Illegal call, since a and b cannot be both consistent ● Case 3: a == b

  19. Applications Framing ● Case 1: Shared node structures ○ No: contradicts topology invariant (only one owner) ● Case 2: a transitively owns b ○ No: Illegal call, since a and b cannot be both consistent ● Case 3: a == b ○ No: see precondition

  20. Applications Multi-Object Invariants ● Multi-Object Invariants ○ Invariants on state of referenced objects ● Problem ○ Objects may break the invariant of another object they didn't even know existed ○ Hard to check statically ○ A temporary break may actually be necessary

  21. Applications Multi-Object Invariants ● Admissible Invariants ○ Only allow multi-object invariants on [Rep] objects ○ Objects can only break invariant of their owner ○ OK, since owner is mutable anyway ● Modular invariant checking ○ At the end of expose() block ○ At the end of constructor

  22. Applications Immutable Objects ● Readonly interfaces ○ Can be casted away easily ● Wrapper classes ○ Make sure no mutable inner structure is leaked ○ Boilerplate code ○ (In Java:) Runtime checking, Exceptions ● Immutable objects ○ Only pure methods + constructor ○ Leaking still problematic ○ Inflexible object construction ○ Usually no inheritance allowed

  23. Applications Immutable Objects ● Freezer object ○ Cannot be exposed ● Ownership solution ○ Just set owner to the Freezer!

  24. Applications Immutable Objects ● Transitive for all owned objects ○ especially useful for data structures ● No boilerplate code necessary ○ Any object can become immutable ● Static checking ○ Inner structures safe from write access ● Allows complex initialization

  25. Conclusion ● Provides encapsulation for object structures ○ Statically checked! ● Some nice applications ○ Interesting ones shown in talk ○ Further applications: Termination proof, data race freedom, effect specialization ● Little annotation overhead ○ But also less flexibility ● Possible to integrate in other languages

  26. About the paper Historical Context ● 80s: Object-oriented programming emerges ○ Aliasing increasingly problematic ● 90s: Idea of Object ownership evolved ○ Most solutions inflexible and/or unsound ● 1998: Clarke et al: Ownership types ○ Flexible type system, soundness proven ● 2004: Microsoft releases Spec# ● 2012: This paper ○ Two implementations for Object ownership ○ Several applications

  27. About the paper ● Assessment ○ Well written, self-contained ○ Many comparisons to other solutions ○ Main concepts actually come from another paper ● Current status ○ Dynamic Ownership implemented in Spec# ○ Framing and Multi-object invariants work ○ Freezing objects not implemented yet ○ Try it online: http://rise4fun.com/SpecSharp

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Boundaries of Formal Program Verification Yannick Moy AdaCore SPARK the language strong

Boundaries of Formal Program Verification Yannick Moy AdaCore SPARK the language strong

Boundaries of Formal Program Verification Yannick Moy AdaCore SPARK the language strong typing low level programming generics object orientation concurrency Abstract_State pointers Initializes Core Ada exception handlers

730 views • 17 slides
Selective Ownership: Combining Object and Type Hierarchies for Flexible Sharing Stephanie

Selective Ownership: Combining Object and Type Hierarchies for Flexible Sharing Stephanie

Selective Ownership: Combining Object and Type Hierarchies for Flexible Sharing Stephanie Balzer, Thomas R. Gross, and Peter Mller School of Computer Science, Carnegie Mellon University Department of Computer Science, ETH Zurich FOOL 2012

1.53k views • 130 slides
Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions & Postconditions Program Verification Assignments Composition Conditionals Loops Proofs about Programs Why

537 views • 36 slides
Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with

Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with

A Unified Framework for Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with Sophia Drossopoulou and Adrian Francalanza 2 Object Invariants Express consistency criteria of objects Support

503 views • 18 slides
Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual

Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual

Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual Fahndrich, K. Rustan M. Leino an Wolfram Shulte 1 Overview Goal : design a sound methodology for specifying object invariants that can then be

809 views • 33 slides
Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History

Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History

Program Verification as a Toolbox David Cock Is Your System Correct? Verified Systems Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History Toolbox Whats Next? David Cock January 23, 2015 1

432 views • 32 slides
From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91 Reference From Program Verification to Program Synthesis. @ POPL10; January 17-23, 2010 Saurabh Srivastava , University of Maryland, College Park

1.21k views • 91 slides
Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

The Center for Verification and Evaluation (CVE) Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive Support Services Agenda What is Re-Verification? o Simplified Reverification Program VIP

320 views • 21 slides
Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification Programs considered: Small (<100 LOC) Medium (KLOC) Large (MLOC) Simple

577 views • 45 slides
Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of

Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of

Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of Amsterdam Quo Vadis Program Verification p. 1/1 One Page Summary Assertional approach to program verification is here to stay. Gap between

629 views • 19 slides
Specification and Verification of Multithreaded Object-Oriented Programs with Separation Logic

Specification and Verification of Multithreaded Object-Oriented Programs with Separation Logic

Specification and Verification of Multithreaded Object-Oriented Programs with Separation Logic Cl ement Hurlin INRIA Sophia Antipolis M editerran ee, France Universiteit Twente, The Netherlands Soutenance de th` ese Th` ese

1.68k views • 130 slides
DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification Projects Birth Record Verification State to State Verification DIVS State to State Verification Service (S2S) Program Benefits Mission

349 views • 8 slides
Verification & Validation Verification is getting the system right : Verification and

Verification & Validation Verification is getting the system right : Verification and

Verification & Validation Verification is getting the system right : Verification and Validation Does the program you built do what you designed it to do? Dr. James A. Bednar Validation is getting the right system : jbednar@inf.ed.ac.uk

331 views • 8 slides
Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen

Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen

Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen Overview Program Verification using Verification Condition Generators JML a formal specification language for Java Used for the

620 views • 41 slides
7. Refined Verification Condition Generation Program Verification ETH Zurich, Spring Semester

7. Refined Verification Condition Generation Program Verification ETH Zurich, Spring Semester

7. Refined Verification Condition Generation Program Verification ETH Zurich, Spring Semester 2018 Alexander J. Summers 158 Weakest Preconditions So Far Weakest preconditions provide a means of reducing the question: does a program have

339 views • 16 slides
Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.82k views • 158 slides
Ownership and Immutability in Generic Java (OIGJ) Yoav Zibin + , Alex Potanin * Paley Li * ,

Ownership and Immutability in Generic Java (OIGJ) Yoav Zibin + , Alex Potanin * Paley Li * ,

Ownership and Immutability in Generic Java (OIGJ) Yoav Zibin + , Alex Potanin * Paley Li * , Mahmood Ali ^ , and Michael Ernst $ Presenter: Yossi Gil + + IBM * Victoria,NZ ^ MIT $ Washington Ownership + Immutability Our previous work OGJ:

517 views • 22 slides
JavaD: Bringing Ownership Domains to Mainstream Java Marwan Abi-Antoun Ph.D. Project

JavaD: Bringing Ownership Domains to Mainstream Java Marwan Abi-Antoun Ph.D. Project

JavaD: Bringing Ownership Domains to Mainstream Java Marwan Abi-Antoun Ph.D. Project Presentation 17-754: Analysis of Software Artifacts Some slides adapted from a talk by Neelakantan Krishnaswami

628 views • 11 slides
Building Your Personal Brand IT REALLY IS ALL ABOUT YOU! Discover and Create your own brand

Building Your Personal Brand IT REALLY IS ALL ABOUT YOU! Discover and Create your own brand

Building Your Personal Brand IT REALLY IS ALL ABOUT YOU! Discover and Create your own brand Lets do our own research: How many brands of shampoo can you name? Lets do our own research: How many brands of shampoo can you name? The

590 views • 47 slides
Setting DBMS must allow concurrent access to databases. Imagine a bank where account

Setting DBMS must allow concurrent access to databases. Imagine a bank where account

Setting DBMS must allow concurrent access to databases. Imagine a bank where account information is Database Transactions stored in a database not allowing concurrent access. Then only one person could do a withdrawal in an ATM machine

583 views • 9 slides
Whats next for Traditional Functional QA Managers? JIM TRENTADUE OCTOBER 2017

Whats next for Traditional Functional QA Managers? JIM TRENTADUE OCTOBER 2017

NW SOFTW ARE QUALITY CIFIC CONFERENCE A P Whats next for Traditional Functional QA Managers? JIM TRENTADUE OCTOBER 2017 JIM.TRENTADUE@OUTLOOK.COM PNSQC NW SOFTW ARE QUALITY CIFIC CONFERENCE A P Agenda Agile evolution

631 views • 15 slides
Leadership via Leadership via Shared Ownership Shared Ownership An Approach to Co-Managing a

Leadership via Leadership via Shared Ownership Shared Ownership An Approach to Co-Managing a

Leadership via Leadership via Shared Ownership Shared Ownership An Approach to Co-Managing a An Approach to Co-Managing a An Approach to Co-Managing a Digital Scholarship Center Hello! Were the Freedman Center team Jared Amanda

589 views • 21 slides
CS 188: Artificial Intelligence Nave Bayes Instructors: Sergey Levine and Stuart Russell ---

CS 188: Artificial Intelligence Nave Bayes Instructors: Sergey Levine and Stuart Russell ---

CS 188: Artificial Intelligence Nave Bayes Instructors: Sergey Levine and Stuart Russell --- University of California, Berkeley [These slides were created by Dan Klein, Pieter Abbeel, Sergey Levine, with some materials from A. Farhadi. All

771 views • 45 slides
Overlap Number of Graphs Daniel W. Cranston Virginia Commonwealth University dcranston@vcu.edu

Overlap Number of Graphs Daniel W. Cranston Virginia Commonwealth University dcranston@vcu.edu

Overlap Number of Graphs Daniel W. Cranston Virginia Commonwealth University dcranston@vcu.edu Slides available on my preprint page Joint with Nitish Korula, Tim LeSaulnier, Kevin Milans Chris Stocker, Jenn Vandenbussche, and Doug West

1.39k views • 80 slides

More recommend