object ownership in program verification
play

Object Ownership in Program Verification Werner Dietl - University - PowerPoint PPT Presentation

Jun 08, 2023 •255 likes •527 views

Object Ownership in Program Verification Werner Dietl - University of Washington Peter Mller - ETH Zrich Presentation by Roman Schmocker Motivation Object Ownership The basic concepts Goal: Information on Heap structuring

  1. Object Ownership in Program Verification Werner Dietl - University of Washington Peter Müller - ETH Zürich Presentation by Roman Schmocker

  2. Motivation

  3. Object Ownership The basic concepts ● Goal: Information on Heap structuring ○ Reasoning about aliasing linked_list ● Ownership topology node node ○ Objects can own other objects ○ At most one owner ○ Enforced by language item item ● Encapsulation ○ Protect owned objects from arbitrary modifications ○ Write access only for the owner ○ Readonly or no access for others

  4. Dynamic Ownership Ownership topology in Spec# linked_list ● Implicit ghost field: owner ○ Once set, cannot change node node ● Attributes on fields item item

  5. Dynamic Ownership Ownership topology in Spec# linked_list ● Owner set automatically node node item item

  6. Encapsulation ● Goal: Do not circumvent owner! ○ Write access needs "permission" of owner ● Object states ○ Valid: Invariant holds, read access ○ Mutable: Invariant can be broken, read/write access ○ Consistent: Valid, with mutable owner ● Encapsulation invariant ○ Never allow a mutable object with a valid owner!

  7. Encapsulation ● Heap topology ○ Forest of ownership trees ○ Belt of consistent objects ● expose(o) { ...} ○ o becomes mutable Mutable within code block ○ only possible on Consistent consistent objects Valid

  8. Encapsulation ● Mutating (impure) methods ○ Requires consistent receiver, argument, return value ○ Rationale: ■ May expose receiver ■ May call mutating methods on arguments ■ Caller should be able to modify return value ● Pure methods ○ Only requires valid receiver, argument, return value ○ Rationale: Not allowed to change values anyway

  9. Example this n head tail

  10. Example this n head tail

  11. Example this n head tail

  12. Example this n head tail

  13. Example this n head tail

  14. Example this n head tail

  15. Applications Framing

  16. Applications Framing ● Case 1: Shared node structures ● Case 2: a transitively owns b ● Case 3: a == b

  17. Applications Framing ● Case 1: Shared node structures ○ No: contradicts topology invariant (only one owner) ● Case 2: a transitively owns b ● Case 3: a == b

  18. Applications Framing ● Case 1: Shared node structures ○ No: contradicts topology invariant (only one owner) ● Case 2: a transitively owns b ○ No: Illegal call, since a and b cannot be both consistent ● Case 3: a == b

  19. Applications Framing ● Case 1: Shared node structures ○ No: contradicts topology invariant (only one owner) ● Case 2: a transitively owns b ○ No: Illegal call, since a and b cannot be both consistent ● Case 3: a == b ○ No: see precondition

  20. Applications Multi-Object Invariants ● Multi-Object Invariants ○ Invariants on state of referenced objects ● Problem ○ Objects may break the invariant of another object they didn't even know existed ○ Hard to check statically ○ A temporary break may actually be necessary

  21. Applications Multi-Object Invariants ● Admissible Invariants ○ Only allow multi-object invariants on [Rep] objects ○ Objects can only break invariant of their owner ○ OK, since owner is mutable anyway ● Modular invariant checking ○ At the end of expose() block ○ At the end of constructor

  22. Applications Immutable Objects ● Readonly interfaces ○ Can be casted away easily ● Wrapper classes ○ Make sure no mutable inner structure is leaked ○ Boilerplate code ○ (In Java:) Runtime checking, Exceptions ● Immutable objects ○ Only pure methods + constructor ○ Leaking still problematic ○ Inflexible object construction ○ Usually no inheritance allowed

  23. Applications Immutable Objects ● Freezer object ○ Cannot be exposed ● Ownership solution ○ Just set owner to the Freezer!

  24. Applications Immutable Objects ● Transitive for all owned objects ○ especially useful for data structures ● No boilerplate code necessary ○ Any object can become immutable ● Static checking ○ Inner structures safe from write access ● Allows complex initialization

  25. Conclusion ● Provides encapsulation for object structures ○ Statically checked! ● Some nice applications ○ Interesting ones shown in talk ○ Further applications: Termination proof, data race freedom, effect specialization ● Little annotation overhead ○ But also less flexibility ● Possible to integrate in other languages

  26. About the paper Historical Context ● 80s: Object-oriented programming emerges ○ Aliasing increasingly problematic ● 90s: Idea of Object ownership evolved ○ Most solutions inflexible and/or unsound ● 1998: Clarke et al: Ownership types ○ Flexible type system, soundness proven ● 2004: Microsoft releases Spec# ● 2012: This paper ○ Two implementations for Object ownership ○ Several applications

  27. About the paper ● Assessment ○ Well written, self-contained ○ Many comparisons to other solutions ○ Main concepts actually come from another paper ● Current status ○ Dynamic Ownership implemented in Spec# ○ Framing and Multi-object invariants work ○ Freezing objects not implemented yet ○ Try it online: http://rise4fun.com/SpecSharp

Recommend

Boundaries of Formal Program Verification Yannick Moy AdaCore SPARK the language strong

Boundaries of Formal Program Verification Yannick Moy AdaCore SPARK the language strong

Boundaries of Formal Program Verification Yannick Moy AdaCore SPARK the language strong typing low level programming generics object orientation concurrency Abstract_State pointers Initializes Core Ada exception handlers

730 views • 17 slides
Selective Ownership: Combining Object and Type Hierarchies for Flexible Sharing Stephanie

Selective Ownership: Combining Object and Type Hierarchies for Flexible Sharing Stephanie

Selective Ownership: Combining Object and Type Hierarchies for Flexible Sharing Stephanie Balzer, Thomas R. Gross, and Peter Mller School of Computer Science, Carnegie Mellon University Department of Computer Science, ETH Zurich FOOL 2012

1.53k views • 130 slides
Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions &

Program Verification (Rosen, Sections 5.5) TOPICS Program Correctness Preconditions & Postconditions Program Verification Assignments Composition Conditionals Loops Proofs about Programs Why

537 views • 36 slides
Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with

Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with

A Unified Framework for Verification Techniques for Object Invariants Peter Mller Microsoft Research Joint work with Sophia Drossopoulou and Adrian Francalanza 2 Object Invariants Express consistency criteria of objects Support

503 views • 18 slides
Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual

Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual

Verification of Object-Oriented Programs with Invariants Mike Barnett, Robert DeLine, Manual Fahndrich, K. Rustan M. Leino an Wolfram Shulte 1 Overview Goal : design a sound methodology for specifying object invariants that can then be

809 views • 33 slides
Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History

Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History

Program Verification as a Toolbox David Cock Is Your System Correct? Verified Systems Program Verification as a Toolbox 2005Now Todays Verification A Brief, Subjective History Toolbox Whats Next? David Cock January 23, 2015 1

432 views • 32 slides
From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91

From Program Verification to Program Synthesis Overview Jaak Ristioja March 30, 2010 1 / 91 Reference From Program Verification to Program Synthesis. @ POPL10; January 17-23, 2010 Saurabh Srivastava , University of Maryland, College Park

1.21k views • 91 slides
Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive

The Center for Verification and Evaluation (CVE) Preparing for Re-Verification Brief Mr. Terrence Moultrie Chief, Verification and Executive Support Services Agenda What is Re-Verification? o Simplified Reverification Program VIP

320 views • 21 slides
Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification

Towards full verification of concurrent libraries Viktor Vafeiadis Program verification Programs considered: Small (<100 LOC) Medium (KLOC) Large (MLOC) Simple

577 views • 45 slides
Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of

Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of

Quo Vadis Program Verification Krzysztof R. Apt CWI, Amsterdam, the Netherlands , University of Amsterdam Quo Vadis Program Verification p. 1/1 One Page Summary Assertional approach to program verification is here to stay. Gap between

629 views • 19 slides
Specification and Verification of Multithreaded Object-Oriented Programs with Separation Logic

Specification and Verification of Multithreaded Object-Oriented Programs with Separation Logic

Specification and Verification of Multithreaded Object-Oriented Programs with Separation Logic Cl ement Hurlin INRIA Sophia Antipolis M editerran ee, France Universiteit Twente, The Netherlands Soutenance de th` ese Th` ese

1.68k views • 130 slides
DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification

DIVS DL/ID Verification Systems Verification of Legal Status DIVS Passport Verification Projects Birth Record Verification State to State Verification DIVS State to State Verification Service (S2S) Program Benefits Mission

349 views • 8 slides
Verification & Validation Verification is getting the system right : Verification and

Verification & Validation Verification is getting the system right : Verification and

Verification & Validation Verification is getting the system right : Verification and Validation Does the program you built do what you designed it to do? Dr. James A. Bednar Validation is getting the right system : jbednar@inf.ed.ac.uk

331 views • 8 slides
Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen

Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen

Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen Overview Program Verification using Verification Condition Generators JML a formal specification language for Java Used for the

620 views • 41 slides
7. Refined Verification Condition Generation Program Verification ETH Zurich, Spring Semester

7. Refined Verification Condition Generation Program Verification ETH Zurich, Spring Semester

7. Refined Verification Condition Generation Program Verification ETH Zurich, Spring Semester 2018 Alexander J. Summers 158 Weakest Preconditions So Far Weakest preconditions provide a means of reducing the question: does a program have

339 views • 16 slides
Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.82k views • 158 slides
Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.29k views • 106 slides
The ESC/Java2 Calculi and Object Logics Implications on Specification and Verification Joseph

The ESC/Java2 Calculi and Object Logics Implications on Specification and Verification Joseph

The ESC/Java2 Calculi and Object Logics Implications on Specification and Verification Joseph Kiniry Department of Computer Science University College Dublin ESC/Java2 ESC/Java2 is an extended static checker based upon DEC/Compaq SRC

278 views • 27 slides
Principles of Everything is an object Computer Science II Program is a bunch of objects

Principles of Everything is an object Computer Science II Program is a bunch of objects

Object-Oriented Programming Principles of Everything is an object Computer Science II Program is a bunch of objects Tell each other what to do by sending messages (calling methods) Each object has its own memory made up of other

319 views • 4 slides
Paycheck Protection Program: the latest updates on forgiveness, change in ownership and audits,

Paycheck Protection Program: the latest updates on forgiveness, change in ownership and audits,

Paycheck Protection Program: the latest updates on forgiveness, change in ownership and audits, and whats next October 29, 2020 Disclaimer All information, content, and materials contained in this publication/program are for informational

483 views • 23 slides
Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code

Program Generation Workflow C**program compiler assembly*code nd* library*object*code assembler de. . object*code on* linker bels* executable *how* Sean Barker 1 Linking Schematic Executable*file Object*file main:*****

390 views • 4 slides
Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform for deductive program verification Made by: Franois Bobot Martin Clochard Lon Gondelman Jean-Christophe Fillitre Claude

98 views • 9 slides
Mul$-Object Synchroniza$on Mul$-Object Programs What happens

Mul$-Object Synchroniza$on Mul$-Object Programs What happens

Mul$-Object Synchroniza$on Mul$-Object Programs What happens when we try to synchronize across mul$ple objects in a large program? Each object

607 views • 31 slides
Mul$-Object Synchroniza$on Mul$-Object Programs What happens

Mul$-Object Synchroniza$on Mul$-Object Programs What happens

Mul$-Object Synchroniza$on Mul$-Object Programs What happens when we try to synchronize across mul$ple objects in a large program? Each object

1.14k views • 47 slides

More recommend