Rely-Guarantee Protocols for Safe Interference over Shared Memory
|
|
- Marilyn Lynch
- 5 years ago
- Views:
Transcription
1 Rely-Guarantee Protocols for Safe Interference over Shared Memory Thesis Defense Filipe Militão December 15, Co-advised by Jonathan Aldrich (CMU) and Luís Caires (UNL).
2 Software Defects Our over reliance on software aggravates the impact of software defects ( bugs ) on society: Mariner 1 Spacecraft (incorrect guidance signal transmission) Therac-25 radiation therapy machine (race condition) Patriot Missile Error (inaccurate tracking) Ariane 5 Flight 501 (overflow in 16-bit register) NASA s Mars Climate Orbiter (imperial to metrics conversion) Heathrow Terminal 5 Opening (baggage handling system) Microsoft Excel 2007 (wrong result on 850*77.1) Toyota vehicles (sudden unintended acceleration)... Thus, there is a clear and increasing need for mechanisms to improve software reliability. 2
3 Mutable State (I) Mutable state can be useful in certain cases such as to improve efficiency, clarity, or even to enable greater extensibility. We propose a new type-based technique to detect, at compile-time, a class of errors related to the unsafe use of shared mutable state. 3
4 Mutable State (II) We aim to precisely detect and avoid unsafe interference in the use of mutable state that is shared through aliasing. By precisely tracking the properties of mutable state we can avoid a class of state-related run-time errors and eliminates the need for some defensive run-time tests. 4
5 ! File file = new File( fillet );! file.write( foo );! file.close();! file.write( bar ); 5
6 ! File file = new File( fillet );! file.write( foo );! file.close();! file.write( bar ); Error: runtime exception! 6
7 ! File file = new File( fillet );! file.write( foo );! file.close();! file.write( bar ); 7
8 File file = new File( fillet ); file.write( foo ); file.close(); file.write( bar ); class File { FileDescriptor fd; File( File( string string filename filename ){ ){ fd fd = OS.createFile( OS.createFile( filename filename ); ); }} void write( string s ){ void if( fd write( == null string ) s ){ if( throw fd Exception( invalid == null ) file descriptor ); fd.write( throw Exception( invalid s ); file descriptor ); } fd.write( s ); void } close(){ void fd = close(){ null; } fd = null; } } } 8
9 File File File File File } class File { FileDescriptor fd; File( string filename ){ fd = OS.createFile( filename ); } void write( string s ){ if( fd == null ) throw Exception( invalid file descriptor ); fd.write( s ); } void close(){ fd = null; } The flat abstraction does not precisely express the changing properties of File s internal state (fd). 9
10 Closed class File { FileDescriptor fd; File( string filename ){ fd = OS.createFile( filename ); } void write( string s ){ if( fd == null ) throw Exception( invalid file descriptor ); fd.write( s ); Open Open Open Open } } void close(){ fd = null; } Unnecessary because we statically guarantee to only call write when Open. Types capture the precise, changing, type of the state. 10
11 Challenge: Interference Aliasing allows different names to refer to the same mutable state. YourFile MyFile TheirFile However, uncontrolled aliasing can lead to interference-related errors, where the actions of different aliases break each other s (precise) assumptions on the contents of the shared state. 11
12 x.open( ); x.write( ); x.read( ); 12
13 Open x.open( ); x.write( ); x.read( ); 13
14 Open x.open( ); x.write( ); x.read( ); 14
15 y.close( ); Open x.open( ); x.write( ); x.read( ); 15
16 y.close( ); Closed x.open( ); x.write( ); x.read( ); 16
17 Closed x.open( ); x.write( ); x.read( ); Broken local assumption: interference! 17
18 Thesis Statement Rely-Guarantee Protocols provide a modular, composable, expressive, and automatically verifiable mechanism to control the interference resulting from the interaction of non-local aliases that share access to mutable state. 18
19 Overview Aliasing Memory Locations Typestate Abstraction Sharing with Rely-Guarantee Protocols 19
20 Language Polymorphic λ-calculus with mutable references (and immutable records, tagged sums,...). We use a variant of L 3 [Ahmed, Fluet, and Morrisett. L 3 : A linear language with locations. Fundam. Inform ] adapted for usability and extended with new constructs, and our sharing mechanism. 20
21 State as a Linear Resource ref A 21
22 State as a Linear Resource ref A reference with contents of type A 21
23 State as a Linear Resource ref A reference with contents of type A ref p{ rw p A 21
24 State as a Linear Resource ref A reference with contents of type A duplicable reference to location p ref p{ rw p A 21
25 State as a Linear Resource ref A reference with contents of type A duplicable reference to location p p{ ref rw p A ref p ref p ref p ref p ref p ref p 21
26 State as a Linear Resource ref A reference with contents of type A duplicable reference to location p p{ ref rw p A ref p ref p ref p ref p ref p ref p 21 linear read+write capability of location p with contents of type A
27 State as a Linear Resource ref A reference with contents of type A duplicable reference to location p p{ ref rw p A ref p ref p p ref p links ref to capability ref p ref p ref p 21 linear read+write capability of location p with contents of type A
28 x : ref p let y = x in x := 1; delete y; x := false end rw p string 22
29 let y = x in y : ref p x : ref p x := 1; delete y; x := false end rw p string 23
30 y : ref p x : ref p let y = x in x := 1; delete y; x := false end rw p int 24
31 y : ref p let y = x in x := 1; delete y; x : ref p x := false end 25
32 y : ref p x : ref p let y = x in x := 1; delete y; end x := false Type Error: Missing capability to location p. 25
33 How to use capabilities in functions? y : ref p x : ref p let y = x in x := 1; delete y; end x := false Type Error: Missing capability to location p. 26
34 left : ref l fun( i : int :: rw l [] ). left := i 27
35 left : ref l fun( i : int :: rw l [] ). i : int :: rw l [] left := i 28
36 fun( i : int :: rw l [] ). left : ref l i : int rw l [] left := i 29
37 fun( i : int :: rw l [] ). left := i left : ref l i : int rw l int 30
38 fun( i : int :: rw l [] ). left := i int :: rw l [] [] :: rw l int ( ) ( ) 31
39 How to build typestate abstractions? fun( i : int :: rw l [] ). left := i int :: rw l [] [] :: rw l int ( ) ( ) 32
40 Pair Typestate 33
41 Pair Typestate Left Right 34
42 Pair Typestate Initialize each component separately. Sum both components, and destroy the pair. 35
43 Pair Typestate Initialize each component separately. Sum both components, and destroy the pair. 36
44 Pair Typestate Initialize each component separately. initl Sum both components, and destroy the pair. 37
45 Pair Typestate Initialize each component separately. initl Sum both components, and destroy the pair. sum 38
46 initl : ( int :: rw l [] ) ( [] :: rw l int ) 39
47 [ initl : ( int :: rw l [] ) ( [] :: rw l int ), initr : ( int :: rw r [] ) ( [] :: rw r int ), sum : ( [] :: ( rw l int * rw r int ) ) ( int :: ( rw l int * rw r int ) ), destroy : ( [] :: ( rw l int * rw r int ) ) [] ) ] 40
48 [ initl : ( int :: rw l [] ) ( [] :: rw l int ), initr : ( int :: rw r [] ) ( [] :: rw r int ), sum : ( [] :: ( rw l int * rw r int ) ) ( int :: ( rw l int * rw r int ) ), destroy : ( [] :: ( rw l int * rw r int ) ) [] ) ] :: ( rw l [] * rw r [] ) 41
49 [ initl : ( int :: rw EL l [] ) ( [] :: rw l int ), initr : ( int :: rw r [] ) ( [] :: rw r int ), ] sum : ( [] :: ( rw l int * rw r int ) ) ( int :: ( rw l int * rw r int ) ), destroy : ( [] :: ( rw l int * rw r int ) ) [] ) :: ( rw EL l [] * rw r [] ) 42
50 [ initl : ( int :: rw EL l [] ) ( [] :: rw l L int ), initr : ( int :: rw r [] ) ( [] :: rw r int ), sum : ( [] :: ( rw l L int * rw r int ) ) ( int :: ( rw l L int * rw r int ) ), destroy : ( [] :: ( rw l L int * rw r int ) ) [] ) ] :: ( rw EL l [] * rw r [] ) 43
51 [ initl : ( int :: rw EL l [] ) ( [] :: rw l L int ), initr : ( int :: rw ER r [] ) ( [] :: rw r int ), sum : ( [] :: ( rw l L int * rw r int ) ) ( int :: ( rw l L int * rw r int ) ), destroy : ( [] :: ( rw l L int * rw r int ) ) [] ) ] :: ( rw EL l [] * rw ER r [] ) 44
52 [ initl : ( int :: rw EL l [] ) ( [] :: rw l L int ), initr : ( int :: rw ER r [] ) ( [] :: rw r R int ), sum : ( [] :: ( rw l L int * rw r R int ) ) ( int :: ( rw l L int * rw r Rint ) ), destroy : ( [] :: ( rw l L int * rw r R int ) ) [] ) ] :: ( rw EL l [] * rw ER r [] ) 45
53 EL. L. ER. R.( [ initl :!( int :: EL [] :: L ), initr :!( int :: ER [] :: R ), sum :!( [] :: L * R int :: L * R ), destroy :!( [] :: L * R [] ) ] :: EL * ER ) 46
54 Pair Typestate newpair :!( [] EL. L. ER. R.(![ initl :!( int :: EL [] :: L ), initr :!( int :: ER [] :: R ), sum :!( [] :: L * R int :: L * R ), destroy :!( [] :: L * R [] ) ] :: EL * ER ) ) Type expresses the changing properties of the object s state, typestate (EmptyLeft, Left, EmptyRight and Right). The types states EL/L and ER/R correlate to separate (disjoint) internal state that can operate independently of the other. 47
55 So... Why sharing? The capability is linear: it cannot be used simultaneously from two different parts of the program. 48
56 So... Why sharing? The capability is linear: it cannot be used simultaneously from two different parts of the program. 48
57 Sharing We want to use state simultaneously, beyond linearly. We need a typing mechanism to safely coordinate access to shared state and avoid unsafe interference. 49
58 Sharing We want to use state simultaneously, beyond linearly. We need a typing mechanism to safely coordinate access to shared state and avoid unsafe interference. 49
59 Sharing One solution is to have each alias preserve an initially held invariant, invariant-based sharing. I I Instead, we adapt the spirit of rely-guarantee reasoning, to enable more precise uses. R G 50
60 Sharing One solution is to have each alias preserve an initially held invariant, invariant-based sharing. Enter private use I I Instead, we adapt the spirit of rely-guarantee reasoning, to enable more precise uses. R G 50
61 Sharing One solution is to have each alias preserve an initially held invariant, invariant-based sharing. Enter private use I I Exit private use Instead, we adapt the spirit of rely-guarantee reasoning, to enable more precise uses. R G 50
62 Sharing One solution is to have each alias preserve an initially held invariant, invariant-based sharing. Enter private use I I Exit private use Instead, we adapt the spirit of rely-guarantee reasoning, to enable more precise uses. Relied state R G 50
63 Sharing One solution is to have each alias preserve an initially held invariant, invariant-based sharing. Enter private use I I Exit private use Instead, we adapt the spirit of rely-guarantee reasoning, to enable more precise uses. Relied state R G Guaranteed state 50
64 Shared cell 51
65 Alias Local View Step1 ; Step2 ;... { rely-guarantee protocol 52
66 Alias Local View Relied type Empty Filled Guaranteed type Step1 ; Step2 ;... 53
67 Alias Local View Empty Filled Step1 ; Step2 ;... 54
68 Alias Local View Empty Filled Step1 ; Step2 ;... 55
69 Alias Local View Empty Filled Step1 ; Step2 ;... 56
70 Alias Local View Empty Filled Step1 ; Step2 ;... 57
71 Alias Local View Empty Filled Step1 ; Step2 ;... 58
72 Alias Local View Step2 ;... 59
73 Disjoint Linearity ensured the state was disjoint: only one capability to some cell may exist. A * B Sharing enables the same cell to be used through seemingly different name. Types that look disjoint, may in fact alias the same state - i.e. they are fictionally disjoint. 60
74 Fictionally Disjoint Linearity ensured the state was disjoint: only one capability to some cell may exist. shared A * B Sharing enables the same cell to be used through seemingly different name. Types that look disjoint, may in fact alias the same state - i.e. they are fictionally disjoint. 61
75 Alias Interleaving x := 1; dosomething();!x // what do we get? 62
76 Alias Interleaving dosomething : [] [] x := 1; dosomething();!x // what do we get? 63
77 Alias Interleaving fun().1 fun().x := false fun().delete x x := 1; dosomething();!x // what do we get? dosomething, although fictionally disjoint, may actually interleave zero or more uses of aliases to the same state as referenced by x. 64
78 Alias Interleaving x := 1; dosomething();!x // what do we get? Are the uses done in dosomething compatible with our local reasoning of how x changes? 65
79 Protocol Composition Checks if combining all local views creates a globally consistent, i.e. safe, use of the shared state mutable state independently of interleaving. ; ; 66
80 Protocol Composition Checks if combining all local views creates a globally consistent, i.e. safe, use of the shared state mutable state independently of interleaving. possible interleaving { ; ; ; ; ; ; ; ; ; ; 67
81 Protocol Composition Checks if combining all local views creates a globally consistent, i.e. safe, use of the shared state mutable state independently of interleaving. ; ; ; ; ; Ok! ;;; ; ; 68
82 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 69
83 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 70
84 Protocol Specification 71
85 Protocol Specification 72
86 Protocol Specification 73
87 Protocol Specification 74
88 Protocol Specification States that it is safe to assume that shared state satisfies R, and requires the alias to obey the guarantee P. 75
89 Protocol Specification Requires the client to establish (guarantee) that the shared state satisfies R before continuing the use of the protocol as P. 76
90 Protocol Specification 77
91 Shared Pipe Shared by two aliases interacting via a common buffer, here modeled as a singly linked list. 1. The Producer alias may put new elements in or close the pipe. 2. The Consumer alias may only trytake elements from the buffer. The result of trytake is one of the following: either there was some Result, or NoResult, or the pipe is fully Depleted. 78
92 Pipe 79
93 Producer Consumer 80
94 Producer Producer Protocol Shared Buffer Consumer Protocol Consumer 81
95 Producer tail : T 82
96 Producer tail : Empty ( Filled Closed ) ; none 83
97 Producer tail : Empty ( Filled Closed ) ; none 84
98 Producer tail : none 85
99 Producer tail : Empty ( Filled Closed ) ; none 86
100 Producer tail : Empty ( Filled Closed ) ; none head : H Consumer 87
101 Producer tail : Empty ( Filled Closed ) ; none head : ( Empty Empty ; H ) ( Filled none ) ( Closed none ) Consumer 88
102 Producer tail : Empty ( Filled Closed ) ; none head : ( Empty Empty ; H ) ( Filled none ) ( Closed none ) Consumer 89
103 Producer tail : Empty ( Filled Closed ) ; none head : none Consumer 90
104 Producer tail : Empty ( Filled Closed ) ; none head : ( Empty Empty ; H ) ( Filled none ) ( Closed none ) Consumer 91
105 Types 92
106 Types 93
107 Types 94
108 Types 95
109 Types 96
110 Producer (tail) Protocol: T[t] = rw t Empty#[] ( ( rw t Node#[...] ) ( rw t Closed#[] ) ); none Consumer (head) Protocol: H[h] = ( rw h Empty#[] rw h Empty#[] ; H[h] ) ( rw h Node#[...] none ; none ) ( rw h Closed#[] none ; none ) 97
111 Pipe Typestate P. C.(![ put :!( (!int :: P ) (![] :: P ) ), close :!( (![] :: P )![] ), trytake :!( (![] :: C ) Depleted#![] + NoResult#(![] :: C) + Result#(!int :: C) ) ] :: ( C * P ) ) 98
112 Pipe Typestate P. C.(![ put :!( (!int :: P ) (![] :: P ) ), close :!( (![] :: P )![] ), trytake :!( (![] :: C ) Depleted#![] + NoResult#(![] :: C) + Result#(!int :: C) ) ] :: ( C * P ) ) 98
113 Pipe Typestate P. C.(![ put :!( (!int :: P ) (![] :: P ) ), close :!( (![] :: P )![] ), trytake :!( (![] :: C ) Depleted#![] + NoResult#(![] :: C) + Result#(!int :: C) ) ] :: ( C * P ) ) rw p p.((!ref p) :: T[p]) 98
114 Pipe Typestate P. C.(![ put :!( (!int :: P ) (![] :: P ) ), close :!( (![] :: P )![] ), trytake :!( (![] :: C ) Depleted#![] + NoResult#(![] :: C) + Result#(!int :: C) ) ] :: ( C * P ) ) rw p p.((!ref p) :: T[p]) rw c p.((!ref p) :: H[p]) 98
115 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 99
116 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 100
117 Syntax 101
118 102
119 2. Protocol Use Protocols are used through focus and defocus constructs. They serve two purposes: a) Hide privates changes from the other aliases of that shared state. b) Advance the step of the protocol, by obeying the constraints on public changes. 103
120 Focus / Defocus focus Empty... defocus 104
121 Focus / Defocus Empty Filled ; Next focus Empty... defocus 104
122 Focus / Defocus Empty Filled ; Next focus Empty... defocus 104
123 Focus / Defocus focused state Empty Filled ; Next focus Empty defocus-guarantee... defocus 105
124 Focus / Defocus Empty Filled ; Next focus Empty... defocus 106
125 Focus / Defocus Empty Filled ; Next focus Empty Empty, Filled ; Next... defocus 106
126 Focus / Defocus Empty Filled ; Next focus Empty Empty, Filled ; Next PartiallyFilled..., Filled ; Next defocus 107
127 Focus / Defocus Empty Filled ; Next focus Empty Empty, Filled ; Next... defocus Filled, Filled ; Next 108
128 Focus / Defocus Empty Filled ; Next focus Empty Empty, Filled ; Next... defocus Filled, Filled ; Next 109
129 Focus / Defocus Empty Filled ; Next focus Empty Empty, Filled ; Next... defocus Filled, Filled ; Next 109
130 Focus / Defocus Empty Filled ; Next focus Empty Empty, Filled ; Next... defocus Filled, Filled ; Next Next 109
131 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 110
132 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 111
133 3. Protocol Composition Protocols are introduced explicitly, in pairs, through the share construct: share A as B C type A (either a capability or an existing protocol) can be safely split in types B and C (two protocols) Arbitrary aliasing is possible by continuing to split an existing protocol. share type checks only if the protocols compose safely (i.e. no unsafe interference is possible). 112
134 Checking share We must check that a protocol is aware of all possible states that may appear due to the interleaving of the actions of other aliases to that shared state. Checking a split is built from two components: a) simulating a single use of a protocols, a single focus-defocus block (i.e. a step of the protocol). b) ensuring that each protocol considers all possible protocol interleaving. 113
135 Protocol Composition Example share E as rec X.( E E;X N none C none ) E ( N C ) 114
136 Protocol Composition Example share E as Producer Consumer rec X.( E E;X N none C none ) E ( N C ) 114
137 Initial state. E C P C P C P C P C P 115
138 Initial state. E { possible interleaving C C C P P C P C P P 116
139 Initial state. { possible interleaving C C P E Up to this point protocols can only list a finite C number P of distinct Cstates, and P each protocol lists a finite number of distinct protocol steps. Thus, there is a finite number of different configurations representing the uses of the protocols. C P P 117
140 State: E Consumer Producer E E E N C C none N none Configurations: 118
141 State: Consumer Producer E E E N C C none N none Configurations: 118
142 State: Consumer Producer E E E N C C none N none Configurations: 118
143 State: E Consumer Producer E E E N C C none N none Configurations: 118
144 State: E Consumer Producer E E E N C C none N none Configurations: 119
145 State: E Consumer Producer E E E N C C none N none Configurations: 119
146 State: Consumer Producer E E E N C C none N none Configurations: 119
147 State: Consumer Producer E E E N C C none N none Configurations: 119
148 State: N C Consumer Producer E E E N C C none N none Configurations: 119
149 State: N C Consumer Producer E E none C none N none Configurations: 120
150 State: N C Consumer Producer E E none C none N none Configurations: 120
151 State: none Consumer Producer E E none C none N none Configurations: 120
152 State: none Consumer Producer none none Configurations: 121
153 Rely-Guarantee Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition 122
154 Protocols An interference-control mechanism, permission to mutate the shared state is conditioned on what actions the protocol allows. I will focus on presenting the following: 1. Protocol Specification 2. Protocol Use 3. Protocol Composition A few more details: Improved Locality of Protocol Specification Fork/Join Concurrency 123
155 T[t] = rw t Empty#[] ( ( rw t Node#[...] ) ( rw t Closed#[] ) ); none H[h] = ( rw h Empty#[] rw h Empty#[] ; H[h] ) ( rw h Node#[...] none ; none ) ( rw h Closed#[] none ; none ) 124
156 T[t] = rw t Empty#[] ( ( rw t Node#[...] ) ( rw t Closed#[] ) ); none From H s local perspective only the tag is important, not the tagged type. How can we model this? H[h] = ( rw h Empty#[] rw h Empty#[] ; H[h] ) ( rw h Node#[...] none ; none ) ( rw h Closed#[] none ; none ) 125
157 Protocol Specification
158 T = Empty# [] Full#int ; none H = ( Empty# [] Empty# []; H ) ( Full#int none ; none ) ( Close#[] none ; none ) 127
159 T = Empty# [] Full#int ; none H = X. ( Empty# X Empty# X; H ) ( Full#int none ; none ) ( Close#[] none ; none ) H no longer sees the content of Empty, and T can now use that part of the state unilaterally. 128
160 T = ( Empty# [] Empty# []; T ) & ( Empty# [] Full#int ; none) H = X. ( Empty# X Empty# X; H ) ( Full#int none ; none ) ( Close#[] none ; none ) 129
161 T remembers the local information. T is free to unilaterally change tagged type. T[Y] = ( Empty# Y Z.( Empty# Z ; T [ Z] ) ) & ( Empty# Y Full#int ; none) H = X. ( Empty# X Empty# X; H ) ( Full#int none ; none ) ( Close#[] none ; none ) 130
162 Improved Locality Protocols can be more generic and more isolated (decoupled) from other protocols actions, while remaining free from unsafe interference. Protocol re-splits can take advantage of this flexibility by means of more flexible specializations, such as via nested re-splits. 131
163 Protocol Specialization T[Y] = ( Empty# Y Z.( Empty# Z ; T [ Z] ) ) & ( Empty# Y Full#int ; none) re-split ( Empty#(Wait#[]) Empty#(Ready#int) ; none ) ( Empty#(Ready#int) Full#int ; none ) 132
164 Protocol Specialization T[Y] = ( Empty# Y Z.( Empty# Z ; T [ Z] ) ) & ( Empty# Y Full#int ; none) re-split ( Empty#(Wait#[]) Empty#(Ready#int) ; none ) ( Empty#(Ready#int) Full#int ; none ) Nesting, the specialization works within the original interference. 133
165 Protocol Composition 2.0 Configurations are checked symbolically, each representing a class of configurations, up to renaming and weakening. Q S P Well-formedness conditions on types ensures the number of different sub-terms of a type is bounded, guaranteeing decidability. 134 x Q[x] z Q[z] y Q[y]
166 Concurrency Protocol Composition protects against all possible interleaving that may occur. Same static set of possible interleaving, even if concurrency may non-deterministically pick different interleaving at run-time. focus/defocus >> lock/unlock, adds fork e Caveat: no deadlock avoidance, nor termination/liveness guarantees. 135
167 Overview of Main Technical Results Standard Progress and Preservation results. Data race freedom and memory safety (no dereference of null pointers, etc). Stepping of configurations preserves safe Protocol Composition. Protocol Composition is a partial commutative monoid. Protocol Composition is decidable. 136
168 Thesis also includes All technical details such as the axiomatic definition of Protocol Composition, algorithm, and formal system for sequential and concurrent settings. Additional examples, including: Full pipe code example Encoding (non-distributed) typeful message-passing concurrency (buyer-shipper-seller example) Soundness proof. Prototype implementations. 137
169 Prototypes JavaScript-based implementations, run in the browser. 138
170 Summary Typestates using existential abstraction. [Militão, Aldrich, Caires. Substructural Typestates. PLPV 14.] Rely-Guarantee Protocols for handling safe interference: 1. Protocol Specification ( local view on public changes ) 2. Protocol Use ( hidden, private changes ) 3. Protocol Composition ( ensure safe alias interleaving ) [Militão, Aldrich, Caires. Rely-Guarantee Protocols. ECOOP 14.] Safe, decidable composition of protocols even when parts of a protocol are abstracted. Interference control over sequential and concurrent settings. 139
Substructural Typestates
Programming Languages meets Program Verification 2014 Substructural Typestates Filipe Militão (CMU & UNL) Jonathan Aldrich (CMU) Luís Caires (UNL) Motivation! File file = new File( out.txt );! file.write(
More informationComposing Interfering Abstract Protocols
Composing Interfering Abstract Protocols Filipe Militão 1,2, Jonathan Aldrich 1, and Luís Caires 2 1 Carnegie Mellon University, Pittsburgh, USA filipe.militao@cs.cmu.edu, aldrich@cs.cmu.edu 2 Universidade
More informationRely-Guarantee Protocols
Rely-Guarantee Protocols Filipe Militão 1,2, Jonathan Aldrich 1, and Luís Caires 2 1 Carnegie Mellon University, Pittsburgh, USA 2 Universidade Nova de Lisboa, Lisboa, Portugal {filipe.militao,jonathan.aldrich}@cs.cmu.edu
More informationType Soundness and Race Freedom for Mezzo
Type Soundness and Race Freedom for Mezzo Thibaut Balabonski François Pottier Jonathan Protzenko INRIA FLOPS 2014 1 / 42 Mezzo in a few words Mezzo is a high-level programming language, equipped with:
More informationThe Mezzo case. Jonathan Protzenko. François Pottier FSFMA'13. Why design a new programming language?
Why design a new programming language? The Mezzo case François Pottier francois.pottier@inria.fr Jonathan Protzenko jonathan.protzenko@inria.fr INRIA FSFMA'13 Jonathan Protzenko (INRIA) The Mezzo language
More informationHoare logic. A proof system for separation logic. Introduction. Separation logic
Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.
More informationCS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012
CS-XXX: Graduate Programming Languages Lecture 9 Simply Typed Lambda Calculus Dan Grossman 2012 Types Major new topic worthy of several lectures: Type systems Continue to use (CBV) Lambda Caluclus as our
More informationApplied Unified Ownership. Capabilities for Sharing Across Threads
Applied Unified Ownership or Capabilities for Sharing Across Threads Elias Castegren Tobias Wrigstad DRF transfer parallel programming AppliedUnified Ownership memory management placement in pools (previous
More informationCSE332: Data Abstractions Lecture 23: Programming with Locks and Critical Sections. Tyler Robison Summer 2010
CSE332: Data Abstractions Lecture 23: Programming with Locks and Critical Sections Tyler Robison Summer 2010 1 Concurrency: where are we Done: The semantics of locks Locks in Java Using locks for mutual
More informationRefinement Types for TypeScript
Refinement Types for TypeScript Panagiotis Vekris Benjamin Cosman Ranjit Jhala University of California, San Diego PLDI 16 Thursday, June 16 Extensible static analyses for modern scripting languages 2
More informationA Sophomoric Introduction to Shared-Memory Parallelism and Concurrency Lecture 5 Programming with Locks and Critical Sections
A Sophomoric Introduction to Shared-Memory Parallelism and Concurrency Lecture 5 Programming with Locks and Critical Sections Dan Grossman Last Updated: May 2012 For more information, see http://www.cs.washington.edu/homes/djg/teachingmaterials/
More informationReminder of the last lecture. Aliasing Issues: Call by reference, Pointer programs. Introducing Aliasing Issues. Home Work from previous lecture
Reminder of the last lecture Aliasing Issues: Call by reference, Pointer programs Claude Marché Cours MPRI 2-36-1 Preuve de Programme 18 janvier 2017 Additional features of the specification language Abstract
More informationHonours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui
Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing
More informationProgrammazione di sistemi multicore
Programmazione di sistemi multicore A.A. 2015-2016 LECTURE 14 IRENE FINOCCHI http://wwwusers.di.uniroma1.it/~finocchi/ Programming with locks and critical sections MORE BAD INTERLEAVINGS GUIDELINES FOR
More informationHoare logic. WHILE p, a language with pointers. Introduction. Syntax of WHILE p. Lecture 5: Introduction to separation logic
Introduction Hoare logic Lecture 5: Introduction to separation logic In the previous lectures, we have considered a language, WHILE, where mutability only concerned program variables. Jean Pichon-Pharabod
More informationWarm-Up Problem. Let be a set of well-formed Predicate logic formulas. Let be well-formed Predicate logic formulas. Prove or disprove the following.
Warm-Up Problem Let be a set of well-formed Predicate logic formulas Let be well-formed Predicate logic formulas Prove or disprove the following If then 1/35 Program Verification Carmen Bruni Lecture 18
More informationThe practice of Mezzo
The practice of Mezzo François Pottier INRIA IHP, April 2014 1 / 83 Acknowledgements Jonathan Protzenko, Thibaut Balabonski, Henri Chataing, Armaël Guéneau, Cyprien Mangin 2 / 83 Overview Two lectures
More informationHoare logic. Lecture 5: Introduction to separation logic. Jean Pichon-Pharabod University of Cambridge. CST Part II 2017/18
Hoare logic Lecture 5: Introduction to separation logic Jean Pichon-Pharabod University of Cambridge CST Part II 2017/18 Introduction In the previous lectures, we have considered a language, WHILE, where
More informationCSCI-GA Scripting Languages
CSCI-GA.3033.003 Scripting Languages 12/02/2013 OCaml 1 Acknowledgement The material on these slides is based on notes provided by Dexter Kozen. 2 About OCaml A functional programming language All computation
More informationThe theory of Mezzo. François Pottier. IHP, April 2014 INRIA
The theory of Mezzo François Pottier INRIA IHP, April 2014 1 / 94 Acknowledgements Jonathan Protzenko, Thibaut Balabonski, Henri Chataing, Armaël Guéneau, Cyprien Mangin. 2 / 94 Outline Introduction The
More informationSynchronization SPL/2010 SPL/20 1
Synchronization 1 Overview synchronization mechanisms in modern RTEs concurrency issues places where synchronization is needed structural ways (design patterns) for exclusive access 2 Overview synchronization
More informationProgram Verification (6EC version only)
Program Verification (6EC version only) Erik Poll Digital Security Radboud University Nijmegen Overview Program Verification using Verification Condition Generators JML a formal specification language
More informationPlural and : Protocols in Practice. Jonathan Aldrich Workshop on Behavioral Types April School of Computer Science
Plural and : Protocols in Practice Jonathan Aldrich Workshop on Behavioral Types April 2011 School of Computer Science Empirical Study: Protocols in Java Object Protocol [Beckman, Kim, & A to appear in
More informationStatic Program Analysis Part 1 the TIP language
Static Program Analysis Part 1 the TIP language http://cs.au.dk/~amoeller/spa/ Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University Questions about programs Does the program terminate
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationTypestate-Oriented Programming
Typestate-Oriented Programming Jonathan Aldrich Joshua Sunshine Darpan Saini Zachary Sparks Object-Oriented Modeling History: Simula 67 was created to facilitate modeling Object-orientation still works
More informationThread Safety. Review. Today o Confinement o Threadsafe datatypes Required reading. Concurrency Wrapper Collections
Thread Safety Today o Confinement o Threadsafe datatypes Required reading Concurrency Wrapper Collections Optional reading The material in this lecture and the next lecture is inspired by an excellent
More informationProgram Verification. Aarti Gupta
Program Verification Aarti Gupta 1 Agenda Famous bugs Common bugs Testing (from lecture 6) Reasoning about programs Techniques for program verification 2 Famous Bugs The first bug: A moth in a relay (1945)
More informationThe Checker Framework: pluggable static analysis for Java
The Checker Framework: pluggable static analysis for Java http://checkerframework.org/ Werner Dietl University of Waterloo https://ece.uwaterloo.ca/~wdietl/ Joint work with Michael D. Ernst and many others.
More informationRely-Guarantee References for Refinement Types over Aliased Mutable Data
Rely-Guarantee References for Refinement Types over Aliased Mutable Data Colin S. Gordon, Michael D. Ernst, and Dan Grossman University of Washington PLDI 2013 Static Verification Meets Aliasing 23 x:ref
More informationWeiss Chapter 1 terminology (parenthesized numbers are page numbers)
Weiss Chapter 1 terminology (parenthesized numbers are page numbers) assignment operators In Java, used to alter the value of a variable. These operators include =, +=, -=, *=, and /=. (9) autoincrement
More informationType Systems Winter Semester 2006
Type Systems Winter Semester 2006 Week 9 December 13 December 13, 2006 - version 1.0 Plan PREVIOUSLY: unit, sequencing, let, pairs, sums TODAY: 1. recursion 2. state 3.??? NEXT: exceptions? NEXT: polymorphic
More informationProgramming Languages Lecture 15: Recursive Types & Subtyping
CSE 230: Winter 2008 Principles of Programming Languages Lecture 15: Recursive Types & Subtyping Ranjit Jhala UC San Diego News? Formalize first-order type systems Simple types (integers and booleans)
More informationSoftware Testing Lecture 1. Justin Pearson
Software Testing Lecture 1 Justin Pearson 2017 1 / 50 Four Questions Does my software work? 2 / 50 Four Questions Does my software work? Does my software meet its specification? 3 / 50 Four Questions Does
More informationProgram logics for relaxed consistency
Program logics for relaxed consistency UPMARC Summer School 2014 Viktor Vafeiadis Max Planck Institute for Software Systems (MPI-SWS) 1st Lecture, 28 July 2014 Outline Part I. Weak memory models 1. Intro
More informationCS558 Programming Languages
CS558 Programming Languages Fall 2016 Lecture 3a Andrew Tolmach Portland State University 1994-2016 Formal Semantics Goal: rigorous and unambiguous definition in terms of a wellunderstood formalism (e.g.
More informationFrom IMP to Java. Andreas Lochbihler. parts based on work by Gerwin Klein and Tobias Nipkow ETH Zurich
From IMP to Java Andreas Lochbihler ETH Zurich parts based on work by Gerwin Klein and Tobias Nipkow 2015-07-14 1 Subtyping 2 Objects and Inheritance 3 Multithreading 1 Subtyping 2 Objects and Inheritance
More informationTypestate Checking for Actionscript 3
Typestate Checking for Actionscript 3 Yun-En Liu and Qi Shan December 10, 2010 1 Introduction This project proposes a compile-time check for function calls in a game system written in Actionscript 3, based
More informationFormal Verification Techniques for GPU Kernels Lecture 1
École de Recherche: Semantics and Tools for Low-Level Concurrent Programming ENS Lyon Formal Verification Techniques for GPU Kernels Lecture 1 Alastair Donaldson Imperial College London www.doc.ic.ac.uk/~afd
More informationResource-Based Programming in. Jonathan Aldrich Carnegie Mellon University Fun and Interesting Thoughts Session PLDI June 8, 2010
Jonathan Aldrich Carnegie Mellon University Fun and Interesting Thoughts Session PLDI June 8, 2010 Resources and Composition Resource: stateful object whose use is constrained I/O: files, database connections,
More informationIntroduction to Concurrency Principles of Concurrent System Design
Introduction to Concurrency 4010-441 Principles of Concurrent System Design Texts Logistics (On mycourses) Java Concurrency in Practice, Brian Goetz, et. al. Programming Concurrency on the JVM, Venkat
More informationModular Reasoning about Aliasing using Permissions
Modular Reasoning about Aliasing using Permissions John Boyland University of Wisconsin- Milwaukee FOAL 2015 Summary Permissions are non-duplicable tokens that give access to state. Permissions give effective
More informationA3. Programming Languages for Writing Safety-Critical Software
A3. Programming Languages for Writing Safety-Critical Software (a) Overview. (b) SPARK Ada. Critical Systems, CS 411, Lent term 2002, Sec. A3 A3-1 (a) Overview Important Factors for Programming Languages
More informationA Context-Sensitive Memory Model for Verification of C/C++ Programs
A Context-Sensitive Memory Model for Verification of C/C++ Programs Arie Gurfinkel and Jorge A. Navas University of Waterloo and SRI International SAS 17, August 30th, 2017 Gurfinkel and Navas (UWaterloo/SRI)
More information'Safe' programming languages
Software Security Language-based Security: 'Safe' programming languages Erik Poll 1 Language-based security Security features & guarantees provided by programming language safety guarantees, incl. memory-safety,
More informationSharing Objects Ch. 3
Sharing Objects Ch. 3 Visibility What is the source of the issue? Volatile Dekker s algorithm Publication and Escape Thread Confinement Immutability Techniques of safe publication Assignment 1 Visibility
More informationStatic Analysis in C/C++ code with Polyspace
1 Static Analysis in C/C++ code with Polyspace Yongchool Ryu Application Engineer gary.ryu@mathworks.com 2016 The MathWorks, Inc. 2 Agenda Efficient way to find problems in Software Category of Static
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Pointers Pointers and
More informationChapter 13: Reference. Why reference Typing Evaluation Store Typings Safety Notes
Chapter 13: Reference Why reference Typing Evaluation Store Typings Safety Notes References Computational Effects Also known as side effects. A function or expression is said to have a side effect if,
More informationA Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm
Appears as Technical Memo MIT/LCS/TM-590, MIT Laboratory for Computer Science, June 1999 A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm Miguel Castro and Barbara Liskov
More informationAn overview of Mezzo
An overview of Mezzo François Pottier INRIA Bertinoro, June 2015 1 / 91 Acknowledgements Jonathan Protzenko, Thibaut Balabonski, Henri Chataing, Armaël Guéneau, Cyprien Mangin 2 / 91 What is Mezzo? An
More informationAssertions. Assertions - Example
References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 11/13/2003 1 Assertions Statements about input to a routine or state of a class Have two primary roles As documentation,
More informationTopics Covered Thus Far CMSC 330: Organization of Programming Languages
Topics Covered Thus Far CMSC 330: Organization of Programming Languages Names & Binding, Type Systems Programming languages Ruby Ocaml Lambda calculus Syntax specification Regular expressions Context free
More informationVerification & Validation of Open Source
Verification & Validation of Open Source 2011 WORKSHOP ON SPACECRAFT FLIGHT SOFTWARE Gordon Uchenick Coverity, Inc Open Source is Ubiquitous Most commercial and proprietary software systems have some open
More informationGuaranteeing memory safety in Rust
Guaranteeing memory safety in Rust Nicholas D. Matsakis Mozilla Research 1 Hashtable in C / C++ template struct Hashtable { Bucket *buckets; unsigned num_buckets; template
More informationPart VI. Imperative Functional Programming
Part VI Imperative Functional Programming Chapter 14 Mutable Storage MinML is said to be a pure language because the execution model consists entirely of evaluating an expression for its value. ML is
More informationImplementing Symmetric Multiprocessing in LispWorks
Implementing Symmetric Multiprocessing in LispWorks Making a multithreaded application more multithreaded Martin Simmons, LispWorks Ltd Copyright 2009 LispWorks Ltd Outline Introduction Changes in LispWorks
More informationTradeoffs. CSE 505: Programming Languages. Lecture 15 Subtyping. Where shall we add useful completeness? Where shall we add completeness?
Tradeoffs CSE 505: Programming Languages Lecture 15 Subtyping Zach Tatlock Autumn 2017 Desirable type system properties (desiderata): soundness - exclude all programs that get stuck completeness - include
More informationTesting and Debugging Lecture 11
Testing and Debugging Lecture 11 Waterford Institute of Technology February 29, 2016 John Fitzgerald Waterford Institute of Technology, Testing and Debugging Lecture 11 1/23 Presentation Outline Estimated
More informationHierarchical Pointer Analysis for Distributed Programs
Hierarchical Pointer Analysis for Distributed Programs Amir Kamil Computer Science Division, University of California, Berkeley kamil@cs.berkeley.edu April 14, 2006 1 Introduction Many distributed, parallel
More informationStatic Analysis for Safe Concurrency
Static Analysis for Safe Optional Reading: Assuring and Evolving Concurrent Programs: Annotations and Policy 17-355/17-655: Program Analysis Jonathan Aldrich 2 Example: java.util.logging.logger [Source:
More informationPrinciples of Software Construction: Objects, Design and Concurrency. Static Analysis. toad Spring 2013
Principles of Software Construction: Objects, Design and Concurrency Static Analysis 15-214 toad Spring 2013 Christian Kästner Charlie Garrod School of Computer Science 2012-13 C Garrod, C Kästner, J Aldrich,
More informationWriting better code Loop invariants Correctness. John Edgar 2
Writing better code Loop invariants Correctness John Edgar 2 Not all code is equal Correct and reliable code is one of our goals Is a new car correct or reliable? Other characteristics of good code Affordable
More informationExercise 11 Ownership Types and Non-null Types December 8, 2017
Concepts of Object-Oriented Programming AS 2017 Exercise 11 Ownership Types and Non-null Types December 8, 2017 Task 1 Consider the following method signatures: peer Object foo(any String el); peer Object
More informationHarvard School of Engineering and Applied Sciences CS 152: Programming Languages
Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 18 Thursday, April 3, 2014 1 Error-propagating semantics For the last few weeks, we have been studying type systems.
More informationGuidelines for Writing C Code
Guidelines for Writing C Code Issue 01-bugfix Martin Becker Institute for Real-Time Computer Systems (RCS) Technische Universität München becker@rcs.ei.tum.de June 9, 2014 Contents 1 Introduction 1 2 Pragmatic
More informationThreads and Java Memory Model
Threads and Java Memory Model Oleg Šelajev @shelajev oleg@zeroturnaround.com October 6, 2014 Agenda Threads Basic synchronization Java Memory Model Concurrency Concurrency - several computations are executing
More informationPierce Ch. 3, 8, 11, 15. Type Systems
Pierce Ch. 3, 8, 11, 15 Type Systems Goals Define the simple language of expressions A small subset of Lisp, with minor modifications Define the type system of this language Mathematical definition using
More informationPrinciples of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems)
Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub )Systems) More Analysis for Functional Correctness Jonathan Aldrich Charlie Garrod School of Computer Science
More informationCS527 Software Security
Security Policies Purdue University, Spring 2018 Security Policies A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and
More informationAaron Turon! Mozilla Research
Aaron Turon Mozilla Research C/C++ ML/Haskell Rust Safe systems programming Why Mozilla? Browsers need control. Browsers need safety. Servo: Next-generation browser built in Rust. C++ What is control?
More informationChecking Program Properties with ESC/Java
Checking Program Properties with ESC/Java 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich 1 ESC/Java A checker for Java programs Finds null pointers, array dereferences Checks Hoare logic
More informationLecture Notes on Memory Layout
Lecture Notes on Memory Layout 15-122: Principles of Imperative Computation Frank Pfenning André Platzer Lecture 11 1 Introduction In order to understand how programs work, we can consider the functions,
More informationSubtyping (cont) Lecture 15 CS 565 4/3/08
Subtyping (cont) Lecture 15 CS 565 4/3/08 Formalization of Subtyping Inversion of the subtype relation: If σ
More informationMutable References. Chapter 1
Chapter 1 Mutable References In the (typed or untyped) λ-calculus, or in pure functional languages, a variable is immutable in that once bound to a value as the result of a substitution, its contents never
More informationA Deterministic Concurrent Language for Embedded Systems
A Deterministic Concurrent Language for Embedded Systems Stephen A. Edwards Columbia University Joint work with Olivier Tardieu SHIM:A Deterministic Concurrent Language for Embedded Systems p. 1/30 Definition
More informationCSE 403: Software Engineering, Fall courses.cs.washington.edu/courses/cse403/16au/ Static Analysis. Emina Torlak
CSE 403: Software Engineering, Fall 2016 courses.cs.washington.edu/courses/cse403/16au/ Static Analysis Emina Torlak emina@cs.washington.edu Outline What is static analysis? How does it work? Free and
More informationHoare Logic and Model Checking
Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft Introduction In the
More information3/25/14. Lecture 25: Concurrency. + Today. n Reading. n P&C Section 6. n Objectives. n Concurrency
+ Lecture 25: Concurrency + Today n Reading n P&C Section 6 n Objectives n Concurrency 1 + Concurrency n Correctly and efficiently controlling access by multiple threads to shared resources n Programming
More informationRepresentation Invariants and Abstraction Functions
Representation Invariants and Abstraction Functions Outline Reasoning about ADTs Representation invariants (rep invariants) Representation exposure Checking rep invariants Abstraction functions CSCI 2600
More informationSecure coding practices
Secure coding practices www.infosys.com/finacle Universal Banking Solution Systems Integration Consulting Business Process Outsourcing Secure coding practices Writing good code is an art but equally important
More informationQuestion 1. Notes on the Exam. Today. Comp 104: Operating Systems Concepts 11/05/2015. Revision Lectures
Comp 104: Operating Systems Concepts Revision Lectures Today Here are a sample of questions that could appear in the exam Please LET ME KNOW if there are particular subjects you want to know about??? 1
More informationHoare Logic and Model Checking. A proof system for Separation logic. Introduction. Separation Logic
Introduction Hoare Logic and Model Checking In the previous lecture we saw the informal concepts that Separation Logic is based on. Kasper Svendsen University of Cambridge CST Part II 2016/17 This lecture
More informationChapter 13: Reference. Why reference Typing Evaluation Store Typings Safety Notes
Chapter 13: Reference Why reference Typing Evaluation Store Typings Safety Notes References Mutability So far, what we discussed does not include computational effects (also known as side effects). In
More informationCostly software bugs that could have been averted with type checking
Type Checking Class Notes from Lectures 6 and 7 Lahav Yeffet and Ori Folger The material in these lectures is based on the textbook Types and Programming Languages by Benjamin Pierce. Here is a list of
More informationCSE 374 Programming Concepts & Tools
CSE 374 Programming Concepts & Tools Hal Perkins Fall 2017 Lecture 22 Shared-Memory Concurrency 1 Administrivia HW7 due Thursday night, 11 pm (+ late days if you still have any & want to use them) Course
More informationSubtyping (cont) Formalization of Subtyping. Lecture 15 CS 565. Inversion of the subtype relation:
Subtyping (cont) Lecture 15 CS 565 Formalization of Subtyping Inversion of the subtype relation:! If "
More informationProgramming Languages Lecture 14: Sum, Product, Recursive Types
CSE 230: Winter 200 Principles of Programming Languages Lecture 4: Sum, Product, Recursive Types The end is nigh HW 3 No HW 4 (= Final) Project (Meeting + Talk) Ranjit Jhala UC San Diego Recap Goal: Relate
More informationIntro to Proving Absence of Errors in C/C++ Code
Intro to Proving Absence of Errors in C/C++ Code Develop high quality embedded software Kristian Lindqvist Senior Pilot Engineer MathWorks 2016 The MathWorks, Inc. 1 The Cost of Failure Ariane 5: Overflow
More informationIntroduction to CBMC. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Arie Gurfinkel December 5, 2011
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 December 5, 2011 based on slides by Daniel Kroening Bug Catching with SAT-Solvers Main Idea: Given a program and a claim use
More informationVerification and Test with Model-Based Design
Verification and Test with Model-Based Design Flight Software Workshop 2015 Jay Abraham 2015 The MathWorks, Inc. 1 The software development process Develop, iterate and specify requirements Create high
More informationProgramming Paradigms for Concurrency Lecture 3 Concurrent Objects
Programming Paradigms for Concurrency Lecture 3 Concurrent Objects Based on companion slides for The Art of Multiprocessor Programming by Maurice Herlihy & Nir Shavit Modified by Thomas Wies New York University
More informationCounterexample Guided Abstraction Refinement in Blast
Counterexample Guided Abstraction Refinement in Blast Reading: Checking Memory Safety with Blast 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich 1 How would you analyze this? * means something
More informationSimon Peyton Jones (Microsoft Research) Tokyo Haskell Users Group April 2010
Simon Peyton Jones (Microsoft Research) Tokyo Haskell Users Group April 2010 Geeks Practitioners 1,000,000 10,000 100 1 The quick death 1yr 5yr 10yr 15yr Geeks Practitioners 1,000,000 10,000 100 The slow
More informationPointers. 1 Background. 1.1 Variables and Memory. 1.2 Motivating Pointers Massachusetts Institute of Technology
Introduction to C++ Massachusetts Institute of Technology ocw.mit.edu 6.096 Pointers 1 Background 1.1 Variables and Memory When you declare a variable, the computer associates the variable name with a
More information6.821 Jeopardy: The Home Version The game that turns into 6.82fun!
6.821 Programming Languages Handout Fall 2002 MASSACHVSETTS INSTITVTE OF TECHNOLOGY Department of Electrical Engineering and Compvter Science 6.821 Jeopardy: The Home Version The game that turns 6.821
More informationA Deterministic Concurrent Language for Embedded Systems
A Deterministic Concurrent Language for Embedded Systems Stephen A. Edwards Columbia University Joint work with Olivier Tardieu SHIM:A Deterministic Concurrent Language for Embedded Systems p. 1/38 Definition
More informationStatic program checking and verification
Chair of Software Engineering Software Engineering Prof. Dr. Bertrand Meyer March 2007 June 2007 Slides: Based on KSE06 With kind permission of Peter Müller Static program checking and verification Correctness
More informationTokens, Expressions and Control Structures
3 Tokens, Expressions and Control Structures Tokens Keywords Identifiers Data types User-defined types Derived types Symbolic constants Declaration of variables Initialization Reference variables Type
More informationType Checking and Type Inference
Type Checking and Type Inference Principles of Programming Languages CSE 307 1 Types in Programming Languages 2 Static Type Checking 3 Polymorphic Type Inference Version: 1.8 17:20:56 2014/08/25 Compiled
More information