TRANSCRIPT
![Page 1: Chair of Software Engineering The alias calculus Bertrand Meyer ITMO Software Engineering Seminar June 2011](https://reader035.vdocument.in/reader035/viewer/2022062803/56649c7e5503460f94933a1b/html5/thumbnails/1.jpg)
Chair of Software Engineering
The alias calculus
Bertrand Meyer
ITMO Software Engineering Seminar
June 2011
Page 2
Claims
Theory:
Theory of aliasing
Loss of precision is small
New concepts, in particular inverse variables
Abstract, does not mention stack & heap
Simple, implementable
Insights into the essence of object-oriented programming
Practice:
Alias calculus
Almost entirely automatic
Implemented
Page 3
Reference
Steps Towards a Theory and Calculus of Aliasing
International Journal of Software and Informatics, July 2011
http://se.ethz.ch/~meyer/publications/aliasing/alias-revised.pdf
Page 4
The question under study
Given expressions e and f (of reference types) and a program location p:
At p, can e and f ever be attached to the same object?
(If so, we say that e and f are aliased to each other, meaning potentially aliased.)
[Diagram: e and f both attached to the same object]
Page 5
"Given" expressions only
Consider
  from y := x loop y := y.a end
y may become aliased to: x, x.a, x.a.a, x.a.a.a etc. (infinite set of expressions!)
[Diagram: the object attached to x, followed by a chain of objects linked through a]
Page 6
An example of alias analysis
Consider two linked list structures known through x and y, each cell having the fields item and right:
[Diagram: two linked lists, headed by x and y]
Computing the alias relation shows that:
If x ≠ y, then no cell reachable from x (through item or right) can be reached from y (through item or right), and conversely
Without this assumption, such aliasing is possible
Page 7
Why alias analysis is important
1. Without it, cannot apply standard proof techniques to programs involving pointers
2. Concurrent program analysis, in particular deadlock
3. Program optimization
Example (Hoare-style reasoning with references):
  -- y.a = b
  x.set_a (c)      -- understand as x.a := c
  -- x.a = c
For the postcondition x.a = c, the assignment rule yields the precondition c = c, i.e. True; it says nothing about whether y.a = b still holds afterwards (?), which depends on whether x and y are attached to the same object
[Diagram: x and y, a field a, objects b and c]
Page 8
Basic notion
Definition: a binary relation is an alias relation if it is symmetric and irreflexive
Not necessarily transitive:
  if c then x := y else y := z end
can alias x to y and y to z, but not x to z
Page 9
Formulae of interest
The calculus defines, for any instruction p and any alias relation a, the value of
  a » p
denoting the aliasing relation resulting from executing p from an initial state in which the aliasing relation is a
For an entire program: compute ∅ » p
Page 10
The programming language
p, q, …: instructions; x, y, …: variables
E0: basic constructs
  skip
  create x
  x := y
  forget x           (Eiffel: x := Void; Java etc.: x = null;)
  then p else q end
  (p ; q)
E1: cut
  cut x, y
E2: loops
  p^n                -- for integer n
  loop p end
E3: procedures
  r do p end
  call r
E4: O-O
  z := x.y
  x.r
  Current
Page 11
Describing an alias relation
E: the set of all expressions; P(E × E): the set of binary relations on E
If r is a relation in P(E × E), the following is an alias relation (symmetrize and de-reflect):
  r‾ = (r ∪ r⁻¹) − Id[E]        (− is set difference, Id[E] the identity on E)
Example: {[x, x], [x, y], [y, z]}‾ = {[x, y], [y, x], [y, z], [z, y]}
Generalized to sets: {x, y, z}‾ =_D {[x, y], [y, x], [x, z], [z, x], [y, z], [z, y]}, the "complete" alias relation on {x, y, z}
Page 12
Canonical form & alias diagrams
Canonical form of an alias relation: union of complete alias relations, e.g.
  {x, y}‾ ∪ {y, z}‾ ∪ {x, u, v}‾
meaning: none of the sets of expressions is a subset of another
(A union in which one set is a subset of another is not canonical; make it canonical by dropping the smaller set)
An alias diagram for the example: a single source node with three links, labelled x, y / y, z / x, u, v
Page 13
Alias calculus for basic operations (E0)
a » skip = a
a » (then p else q end) = (a » p) ∪ (a » q)
a » (p ; q) = (a » p) » q
a » (forget x) = a \- {x}
a » (create x) = a \- {x}
a » (x := y) = a [x: y]           (override, see next)
a \- {x}: a deprived of all pairs involving x, e.g.
  ({x, y}‾ ∪ {y, z}‾ ∪ {x, u, v}‾) \- {x} = {y, z}‾ ∪ {u, v}‾
Page 14
The forget rule
a » (forget x) = a \- {x}          -- a deprived of all pairs involving x
[Alias diagram: before, links labelled x, y / y, z / x, u, v; after forget x, links labelled y, z / u, v]
Page 15
The assignment rule (E0)
a » (x := y) = a [x: y]
with:
  a [x: y] = given b = a \- {x} then b ∪ ({x} × (b / y))‾ end
b: a deprived of all pairs involving x
b / y: all u aliased to y in b, plus y itself
{x} × (b / y): all pairs [x, u] where u is either aliased to y in b or y itself
The bar symmetrizes and de-reflects
Page 16
Operations on alias relations
For an alias relation a in P(E × E), an expression y, and a set of expressions A ⊆ E, the following are alias relations:
  a \- A = a − (E × A)‾                    "minus": a without all pairs involving an element of A (E is the set of all expressions)
  a / y = {z: E | (z = y) ∨ [y, z] ∈ a}    "quotient", similar to an equivalence class in an equivalence relation
Page 17
The assignment rule (E0), value of a » (x := y):
  a [x: y] = given b = a \- {x} then b ∪ ({x} × (b / y))‾ end
b: a deprived of all pairs involving x
b / y: all u aliased to y in b, plus y itself
{x} × (b / y): all pairs [x, u] where u is either aliased to y in b or y itself
The bar symmetrizes and de-reflects
Page 18
Assignment example 1: z := x
Before: {x, y}‾ ∪ {x, u, v}‾
After: {x, y, z}‾ ∪ {x, u, v, z}‾
Page 19
Assignment example 2: x := u
Before: {x, y}‾ ∪ {x, u, v}‾
After: {x, u, v}‾
Page 20
Assignment example 3: x := z
Before: {x, y}‾ ∪ {x, u, v}‾
After: {u, v}‾ ∪ {x, z}‾
Page 21
The assignment rule (E0), value of a » (x := y):
  a [x: y] = given b = a \- {x} then b ∪ ({x} × (b / y))‾ end
Page 22
The cut instruction
E1 is E0 plus the instruction
  cut x, y
Semantics: remove aliasing, if any, between x and y
Page 23
Cut example 1: cut x, y
Before: {x, y}‾ ∪ {x, u, v}‾
After: {x, u, v}‾
Page 24
Cut example 2: cut x, u
Before: {x, y}‾ ∪ {x, u, v}‾
After: {x, y}‾ ∪ {x, v}‾ ∪ {u, v}‾
Page 25
Cut rule
a » cut x, y = a − {x, y}‾          (− is set difference)
Page 26
The role of cut
cut x, y informs the alias calculus with non-alias properties coming from other sources
Example:
  if m < n then x := u else x := y end      -- alias relation: {x, u}‾ ∪ {x, y}‾
  m := m + 1
  if m < n then z := x end                  -- alias relation: {x, u, z}‾ ∪ {x, y, z}‾
But here, when z := x executes, x cannot be aliased to y (only to u). The alias theory does not know this property! To take advantage of it, add the instruction
  cut x, y;
before z := x. This instruction represents
  check x /= y end      (Eiffel)
  assert x != y;        (JML, Spec#)
Page 27
Introducing repetitions
E2 is E1 plus:
  p^n (for integer n): n executions of p (auxiliary notion)
  loop p end: any sequence (incl. empty) of executions of p
Page 28
E2 alias calculus
a » p^0 = a
a » p^(n+1) = (a » p^n) » p          -- for n ≥ 0; also equal to (a » p) » p^n
a » (loop p end) = ⋃ (a » p^n) over n ∈ ℕ
Page 29
Loop aliasing theorem (1)
For any a and p, there exists a constant N ∈ ℕ such that
  a » (loop p end) = ⋃ (a » p^n) over n: 0..N
Proof: the sequence
  s_n = ⋃ (a » p^k) over k: 0..n
is non-decreasing (with respect to inclusion) on a finite set
More generally, for every construct p of E2, the function λ a | (a » p) is non-decreasing
Page 30
Loop aliasing theorem (2)
a » (loop p end) is also the fixpoint of the sequence
  t_0 = a
  t_(n+1) = t_n ∪ (t_n » p)
Gives a practical way to compute a » (loop p end)
Proof: by induction. If s_n is the original sequence ⋃ (a » p^k) over k: 0..n, prove separately s_n ⊆ t_n and t_n ⊆ s_n
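An executable model of the E0, E1 and E2 rules of pages 13 to 30, added here as an example; it is not the implementation the slides refer to. An alias relation is a Python set of unordered pairs, so symmetry and irreflexivity hold by construction; `step` computes a » p for each construct, the loop case iterates t_(n+1) = t_n ∪ (t_n » p) to its fixpoint as in theorem (2), and `canonical` recovers the alias-diagram labels as the maximal cliques of the alias graph. The tuple encoding of instructions is mine. `NO_CUT` and `WITH_CUT` are the program of the "role of cut" slide (m := m + 1 modelled as skip, since it touches no reference); `LOOP` is a constructed program whose fixpoint needs two rounds.

```python
"""Alias calculus E0, E1, E2 (added example, not the slides' own implementation)."""
from itertools import combinations

Pair = frozenset   # {e, f}: e and f may be attached to the same object


def complete(exprs):
    """{x, y, z}-bar: the complete alias relation on a set of expressions."""
    return {Pair(p) for p in combinations(sorted(exprs), 2)}


def deprive(a, targets):
    """a \\- A: a without every pair that involves an element of A."""
    return {p for p in a if not (p & set(targets))}


def quotient(a, y):
    """a / y: y itself plus every expression aliased to y in a."""
    return {y} | {next(iter(p - {y})) for p in a if y in p}


def assign(a, x, y):
    """a [x: y] = given b = a \\- {x} then b ∪ ({x} × (b / y))-bar end."""
    b = deprive(a, {x})
    return b | {Pair({x, u}) for u in quotient(b, y) if u != x}


def cut(a, x, y):
    """a » cut x, y = a − {x, y}-bar."""
    return a - {Pair({x, y})}


def step(a, p):
    """a » p for an instruction written as a tuple, e.g. ("assign", "x", "y")."""
    op = p[0]
    if op == "skip":
        return set(a)
    if op == "seq":                      # a » (p ; q) = (a » p) » q
        return step(step(a, p[1]), p[2])
    if op == "then":                     # a » (then p else q end) = (a » p) ∪ (a » q)
        return step(a, p[1]) | step(a, p[2])
    if op in ("forget", "create"):       # both: a \- {x}
        return deprive(a, {p[1]})
    if op == "assign":
        return assign(a, p[1], p[2])
    if op == "cut":
        return cut(a, p[1], p[2])
    if op == "pow":                      # a » p^n
        for _ in range(p[2]):
            a = step(a, p[1])
        return a
    if op == "loop":                     # t0 = a, t(n+1) = tn ∪ (tn » p), up to the fixpoint
        t = set(a)
        while True:                      # terminates: non-decreasing on a finite set
            nxt = t | step(t, p[1])
            if nxt == t:
                return t
            t = nxt
    raise ValueError(f"unknown instruction {op}")


def canonical(a):
    """Canonical form: the maximal sets of mutually aliased expressions, i.e. the
    maximal cliques of the alias graph (no set is a subset of another).  These are
    the edge labels of the alias diagram."""
    adj = {}
    for p in a:
        e, f = tuple(p)
        adj.setdefault(e, set()).add(f)
        adj.setdefault(f, set()).add(e)
    cliques = []

    def bron_kerbosch(r, cand, excl):
        if not cand and not excl:
            cliques.append(frozenset(r))
            return
        for v in list(cand):
            bron_kerbosch(r | {v}, cand & adj[v], excl & adj[v])
            cand = cand - {v}
            excl = excl | {v}

    bron_kerbosch(set(), set(adj), set())
    return {c for c in cliques if len(c) >= 2}


# The "role of cut" program: m := m + 1 is modelled as skip (no reference is
# touched); WITH_CUT adds "cut x, y" in front of z := x.
BRANCH = ("then", ("assign", "x", "u"), ("assign", "x", "y"))
NO_CUT = ("seq", BRANCH, ("then", ("assign", "z", "x"), ("skip",)))
WITH_CUT = ("seq", BRANCH, ("then", ("seq", ("cut", "x", "y"), ("assign", "z", "x")), ("skip",)))

# Constructed loop whose fixpoint is reached after two rounds of t(n+1) = tn ∪ (tn » p).
LOOP = ("seq", ("assign", "z", "y"), ("loop", ("seq", ("assign", "x", "z"), ("assign", "z", "w"))))


def analyse(prog):
    """∅ » prog, in canonical form."""
    return canonical(step(set(), prog))


if __name__ == "__main__":
    for name, prog in (("no cut", NO_CUT), ("with cut", WITH_CUT), ("loop", LOOP)):
        print(name, [sorted(c) for c in analyse(prog)])
```

Without the cut, z may be aliased to both u and y ({x, u, z}‾ ∪ {x, y, z}‾); with it, only to u ({x, u, z}‾ ∪ {x, y}‾). The loop result {x, y, z}‾ ∪ {x, z, w}‾ shows the non-transitivity of page 8: y and w are each aliased to x and z but never to each other.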
Page 31
Introducing procedures: E3
A program is now a sequence of procedure definitions (one designated as main):
  r_i (f) do p_i end
Instructions: as before, plus
  call r_i (a)          -- procedure call
Alias calculus notations:
  body(r) denotes the body of r (i.e. body(r_i) = p_i)
  formals(r) denotes the formals of r (here f)
Page 32
Handling arguments
The calculus will treat call r (v) as formals(r) := v ; call r
(With recursion, possible loss of precision)
Generalize the notation a [x: y] to lists: use a [l: m] as an abbreviation for
  (…((a [l_1: m_1]) [l_2: m_2]) …) [l_n: m_n]
For example a [formals(r): v], i.e. formal_1 := actual_1; … ; formal_n := actual_n
Page 33
Call rule
Without arguments:
  a » call r = a » body(r)
With arguments (formals(r): the formal arguments of r):
  a » call r (v) = a [formals(r): v] » body(r)
Page 34
Using the call rule
a » call r (v) = a [formals(r): v] » body(r)
Because of recursion, this is no longer just a definition but an equation
For the entire set of procedures P, this gives a vector equation
  a » P = AL (a » P)
Interpret as a fixpoint equation and solve iteratively (the fixpoint exists: increasing sequence on a finite set)
Page 35
Object-oriented mechanisms: E4
"General relativity":
1. Qualified expressions x.y; can be used as source (not target!) of assignments: x := y.z
2. Qualified calls: call x.r (v)
3. Current
Page 36
Assignment (original rule), value of a » (x := y):
  a [x: y] = given b = a \- {x} then b ∪ ({x} × (b / y))‾ end
b: a deprived of all pairs involving x (this includes [x, y]!)
b / y: all u aliased to y in b, plus y itself
{x} × (b / y): all pairs [x, u] where u is either aliased to y in b or y itself
Example: x := y.z
Page 37
Assigning a qualified expression: x := x.y
x does not get aliased to x.y! (only to any z that was aliased to x.y)
[Alias diagram: x leads to an object whose y link leads to the object also attached to z]
Page 38
Assignment rule revisited, value of a » (x := y):
  a [x: y] = given b = a \- {x} then b ∪ ({x} × (b / y))‾ end
where a \- {x} now means: a deprived of all pairs involving x or an expression starting with x
Example: x := y.z
Page 39
Alias diagrams (E0 to E3)
[Diagram: one source node with links labelled x, y / y, z / x, u, v]
Single source node (represents the stack); value nodes: each represents a set of possible run-time values
Links: only from source to value nodes (will become more interesting with E4!)
Edge label: set of variables; indicates they can all be aliased to each other
Page 40
Alias diagrams (E4)
Example: x := x.y
Links may now exist between value nodes (now called object nodes)
Cycles possible (see next)
Page 41
New laws, inverse variables
x.Current = x
Current.x = x
x'.x = Current
x.x' = Current
Current' = Current
Page 42
New form of call: qualified
In E4:
  call x.r (a, b, …)
Page 43
Distribution operator
For a list l = <u, v, w, …>:  x.l = <x.u, x.v, x.w, …>
For a relation r in P(E × E):  x.r = {[x.u, x.v] | [u, v] ∈ r}
Example: x.({u, v, w}‾ ∪ {u, y}‾) = {x.u, x.v, x.w}‾ ∪ {x.u, x.y}‾
Page 44
Handling arguments (unqualified call)
a » call r (v) = a [formals(r): v] » body(r)
Page 45
Handling arguments: unqualified call
a » call r (v) = a [formals(r): v] » call r
(the previous slide wrote » body(r) where this one writes » call r)
Page 46
Handling arguments: qualified call
a » call x.r (v) = a [x.formals(r): v] » call x.r
Treat call x.r (v) as x.formals := v ; call x.r
[Diagram: Current and the target x, with x' the inverse link from the target back to Current]
Page 47
Handling arguments: an example
Eiffel: x.r (a, b), with, in a class C: r (t: T; u: U)
Handled as:
  x.t := a; x.u := b; call x.r
[Diagram: Current and the target x, with x' the inverse link from the target back to Current]
Page 48
Without arguments: unqualified call rule
a » call r = a » body(r)
Page 49
Qualified call rule
a » call x.r = x.((x'.a) » body(r))        -- x' is the inverse variable
Example: d := c; x.r (d), with r (u: U) do v := u end
Handled as: d := c; call x.r, with the argument passed as u := x'.d before the body v := u
[Diagram: Current with links c, d and x to the target; from the target, x' leads back to Current, and u, v lead to the object attached to c and d]
Page 50
The rule in action
a » call x.r = x.((x'.a) » body(r))
Program: d := c; call x.r, with r do v := u end and the argument passing u := x'.d
Alias relation after d := c:  {c, d}‾
Prefix with x':  {x'.c, x'.d}‾
After u := x'.d:  {u, x'.c, x'.d}‾
After v := u:  {v, u, x'.c, x'.d}‾
Prefix with x (using x.x'.c = c and x.x'.d = d):  {x.v, x.u, c, d}‾
[Diagrams: the caller's frame, where Current has links c, d and x; the callee's frame, reached through x' from the target, where u and v are attached to the same object as x'.c and x'.d]
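The qualified call rule carried out by program, as an added example for pages 37 to 50 (not the slides' implementation): expressions are tuples of components with Current the empty tuple and x' the component "x'", `simplify` applies the laws x.x' = x'.x = Current of page 41, `distribute` is the operator of page 43, and `qualified_call` is the rule a » call x.r (v) = x.((x'.(a [x.formals: v])) » body(r)) \- x.formals of page 52, with an option to keep the pairs on x.formals as the two-rule form of page 50 does. In the E4 assignment rule the source y may start with the target x (x := x.y); the code follows page 37 here and aliases x to the former partners of x.y but not to x.y itself, which is my reading of the slides. `slide_example` is the d := c; x.r (d) example.

```python
"""Alias calculus E4 (added example, not the slides' own implementation)."""
CURRENT = ()          # Current is the empty path
Pair = frozenset


def path(text):
    """'x.y' -> ('x', 'y');  'Current' -> ()."""
    return CURRENT if text == "Current" else tuple(text.split("."))


def inv(component):
    """x' for x, and x for x' (so x'' = x)."""
    return component[:-1] if component.endswith("'") else component + "'"


def simplify(e):
    """Apply x.x' = x'.x = Current wherever two adjacent components cancel."""
    out = []
    for c in e:
        if out and out[-1] == inv(c):
            out.pop()
        else:
            out.append(c)
    return tuple(out)


def dot(x, e):
    """x.e, simplified; with x = () this is Current.e = e."""
    return simplify(x + e)


def distribute(x, a):
    """x.a = {[x.u, x.v] | [u, v] ∈ a}."""
    out = set()
    for p in a:
        u, v = tuple(p)
        xu, xv = dot(x, u), dot(x, v)
        if xu != xv:                       # keep the relation irreflexive
            out.add(Pair({xu, xv}))
    return out


def starts_with(e, x):
    return e[:len(x)] == x


def deprive(a, x):
    """a \\- {x} (E4): drop pairs involving x or an expression starting with x."""
    return {p for p in a if not any(starts_with(e, x) for e in p)}


def assign(a, x, y):
    """a [x: y]: x becomes aliased to y and to everything y was aliased to,
    except expressions starting with x (their meaning changes: x := x.y aliases
    x to a z that was aliased to x.y, not to x.y itself; my reading of the slides)."""
    b = deprive(a, x)
    partners = {y} | {next(iter(p - {y})) for p in a if y in p}
    return b | {Pair({x, u}) for u in partners if not starts_with(u, x)}


def run(a, body):
    """a » body, for a body given as a list of (target, source) assignments."""
    for x, y in body:
        a = assign(a, x, y)
    return a


def qualified_call(a, x, formals, actuals, body, hide_internals=True):
    """a » call x.r (v) = x.((x'.(a [x.formals: v])) » body(r)) \\- x.formals.
    hide_internals=False keeps the pairs on x.formals (two-rule form of the slides)."""
    for f, v in zip(formals, actuals):        # x.f := v, in the caller's frame
        a = assign(a, dot(x, f), v)
    x_inv = tuple(inv(c) for c in reversed(x))   # (x.y)' = y'.x'
    inner = run(distribute(x_inv, a), body)      # reason in the callee's own frame
    result = distribute(x, inner)                # transpose back to the caller
    if hide_internals:
        for f in formals:
            result = deprive(result, dot(x, f))
    return result


def show(a):
    """Readable form: 'x.v' for ('x', 'v'), 'Current' for ()."""
    fmt = lambda e: ".".join(e) if e else "Current"
    return sorted(sorted(map(fmt, p)) for p in a)


def slide_example(hide_internals=True):
    """d := c; x.r (d), with r (u: U) do v := u end."""
    a = assign(set(), path("d"), path("c"))
    return qualified_call(a, path("x"), [path("u")], [path("d")],
                          [(path("v"), path("u"))], hide_internals)


if __name__ == "__main__":
    print(show(slide_example(False)))   # {x.v, x.u, c, d}-bar, as on the slide
    print(show(slide_example()))        # internals of r hidden: no pair on x.u
```

The two-rule form returns {x.v, x.u, c, d}‾ exactly as on page 50; the single rule then drops the pairs on x.u, leaving {x.v, c, d}‾ visible to the caller.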
Page 51
About the qualified call rule
a » call x.r = x.((x'.a) » body(r))
Thus we are permitted to prove that the unqualified call creates certain aliasings, on the assumption that it starts in its own alias environment but has access to the caller's environment through the inverted variable, and then to assert categorically that the qualified call has the same aliasings transposed back to the original environment. This change of environment to prove the unqualified property, followed by a change back to the original environment to prove the qualified property, explains well the aura of magic which attends a programmer's first introduction to object-oriented programming.
Page 52
The full qualified call rule
As two separate rules:
  a » call x.r = x.((x'.a) » body(r))
  a » call x.r (v) = a [x.formals(r): v] » call x.r
As a single rule:
  a » call x.r (v) = x.((x'.(a [x.formals(r): v])) » body(r)) \- x.formals(r)
The final \- x.formals(r) hides the internals of r
Page 53
Termination?
The original termination argument does not hold any more
Consider
  from y := x loop y := y.a end
y may become aliased to: x, x.a, x.a.a, x.a.a.a etc. (infinite set of expressions!)
[Diagram: the object attached to x, followed by a chain of objects linked through a]
Page 54
Termination: the question under study
Given expressions e and f (of reference types) and a program location p:
At p, can e and f ever be attached to the same object?
Page 55
The alias calculus
a » skip = a
a » (then p else q end) = (a » p) ∪ (a » q)
a » (p ; q) = (a » p) » q
a » (forget x) = a \- {x}
a » (create x) = a \- {x}
a » (x := y) = a [x: y]
a » cut x, y = a − {x, y}‾
a » p^0 = a
a » p^(n+1) = (a » p^n) » p
a » (loop p end) = ⋃ (a » p^n) over n ∈ ℕ
a » call r (v) = (a [formals(r): v]) » body(r)
a » call x.r (v) = x.((x'.(a [x.formals(r): v])) » body(r)) \- x.formals(r)
with
  a [x: y] = given b = a \- {x} then b ∪ ({x} × (b / y))‾ end
Plus: x.Current = x; Current.x = x; x'.x = Current; x.x' = Current; Current' = Current
Page 56
There is no backward alias calculus
Consider
  create y
  create z
  x := y        -- {x, y}‾
  x := z        -- {x, z}‾
From the final relation {x, z}‾ alone, the relation that held before x := z (was it {x, y}‾?) cannot be recovered
Page 57
Notation
Targets of an instruction p: targets(p), the set of variables that p may modify
e.g. targets(x := y ; y := z) = {x, y}
Page 58
Semantics of the alias calculus
Let Var be the set of variables and a an alias relation; the following assertion a⁻ expresses that there is no aliasing except as implied by a:
  a⁻ =_D ∀ [x, y] ∈ (Var × Var) − Id − a | x ≠ y
Weak soundness of the definition of » for an instruction p:
  {a⁻} p {(a » p)⁻}
Soundness has a less demanding precondition but assumes some white-box knowledge (we may ignore the variables modified by p):
  {(a \- targets(p))⁻} p {(a » p)⁻}
Page 59
There is no backward rule!
Consider the definition of weak soundness:
  {a⁻} p {(a » p)⁻}
It is possible to reconstruct a from a⁻, but not from (a \- targets(p))⁻
(Same for strong soundness)
Page 60
Why alias analysis is important
1. Without it, cannot apply standard proof techniques to programs involving pointers
2. Concurrent program analysis, in particular deadlock
3. Program optimization
Page 61
An application: deadlock avoidance (sketch)
Page 62
Coffman deadlock
Consider a set of processors and a set of resources. At every execution time t, for every processor p, two disjoint sets of resources are defined:
  H_t (p)    -- Has set: resources that p has acquired
  W_t (p)    -- Wait set: resources that p has requested
A deadlock exists if for some set D of processors:
  ∀ p: D | ∃ p': D | W_t (p) ∩ H_t (p') ≠ ∅
(In such a case p ≠ p')
Not the same thing as the reverse of liveness
Page 63
Absolute deadlock freedom
A system, made of a set of program elements E, is absolutely deadlock-free if for all times t
  ∀ r: E | ∀ r': E | W_t (r) ∩ H_t (r') = ∅
(Works for r = r' since W_t (r) ∩ H_t (r) = ∅)
Can also be written:
  ∀ r: E | ∀ r': E | ∀ a: W_t (r) | a ∉ H_t (r')
Page 64
Strategy for detecting deadlock
For every program element r: compute W (r) and H (r); determine with which other elements r' it can run in parallel (written r // r')
Check:
  ∀ r, r': E | r // r' ⇒ (W (r) ∩ H (r') = ∅)
Page 65
The SCOOP model
A primary characteristic of SCOOP is that the model removes the distinction between resources and processors
Properties:
Any processor p is such that p ∈ H (p)
Any variable or expression e has an associated processor, its handler <e>
Any execution of a qualified call x.f (a, b, …) (separate or not) satisfies <x> ∈ H (<Current>)
For any call r of actual arguments args including uncontrolled arguments U, W (r) is {<a> | a ∈ U}
Without lock passing, H (r) for any program element r in a routine of formal separate arguments S is {<Current>} ∪ {<a> | a ∈ S}
Page 66
Processor abstraction
In SCOOP: any variable or expression e has an associated processor, its handler <e>
The computation of H and W sets only involves the handler
Strategy:
Processor abstraction: identify every variable or expression e with its processor <e>
Perform alias analysis
Use it to compute H and W sets as unions over all possible aliases
Check W (r) ∩ H (r') = ∅ for any two calls r, r', including when they are the same call
Page 67
Dining philosophers

class MEAL create make feature
  p1, p2: separate PHILOSOPHER
  f1, f2: separate FORK
  make
    do
      create f1; create f2
      create p1.make (f1, f2); create p2.make (f2, f1)
    end
  go_right (a, b: separate PHILOSOPHER)
    do p1.eat_right; p2.eat_right end
  go_wrong (a, b: separate PHILOSOPHER)
    do p1.eat_wrong; p2.eat_wrong end
end

class PHILOSOPHER create make feature
  left, right: separate FORK
  make (u, v: separate FORK)
    do left := u; right := v end
  eat_right
    do pick_two (left, right) end
  pick_two (x, y: separate FORK)
    do x.use; y.use end
      -- H = {x, y}, W = ∅; after processor abstraction: H = {f1, f2, …}, W = ∅
  eat_wrong
    do pick_in_turn (left) end
  pick_in_turn (z: separate FORK)
    do pick_two (z, right) end
      -- H = {z}, W = {right}; after processor abstraction: H = {f1, f2, …}, W = {f1, f2, …}
end
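The check of pages 64 to 67 carried out by program, as an added example in Python; it is not the slides' or SCOOP's own code. The two routines and their H/W annotations are those of the dining-philosophers slide (only the fork-holding routines the slide annotates are modelled). `MAY_ALIAS` is a constructed stand-in for the result of an alias analysis of MEAL.make: every fork-valued formal or attribute of a PHILOSOPHER may be attached to either of the meal's forks, so `handlers` takes the union over all possible aliases (the processor abstraction of page 66) and `deadlock_pairs` reports every ordered pair (r, r') with W (r) ∩ H (r') ≠ ∅, r = r' included.

```python
"""Deadlock check by processor abstraction (added example; not the slides' code)."""

# routine -> (separate formals held on entry: S, uncontrolled arguments that the
# body's calls wait for: U); the annotations of the dining-philosophers slide.
ROUTINES = {
    "pick_two": ({"x", "y"}, set()),          # do x.use; y.use end
    "pick_in_turn": ({"z"}, {"right"}),       # do pick_two (z, right) end
}

# Constructed alias facts standing in for an alias analysis of MEAL.make:
# after p1.make (f1, f2); p2.make (f2, f1), every fork-valued formal or
# attribute of a PHILOSOPHER may be attached to either fork of the meal.
MAY_ALIAS = {e: {"f1", "f2"} for e in ("x", "y", "z", "left", "right")}


def handlers(expr):
    """Processor abstraction: the handlers <e> of expr and of every expression
    it may be aliased to, i.e. a union over all possible aliases."""
    return {f"<{e}>" for e in {expr} | MAY_ALIAS.get(expr, set())}


def has_set(routine):
    """H (r) = {<Current>} ∪ {<a> | a ∈ S}."""
    held, _ = ROUTINES[routine]
    return {"<Current>"}.union(*(handlers(e) for e in held))


def wait_set(routine):
    """W (r) = {<a> | a ∈ U}."""
    _, waits = ROUTINES[routine]
    return set().union(*(handlers(e) for e in waits))


def deadlock_pairs(elements):
    """Ordered pairs (r, r') of routines that may run in parallel with
    W (r) ∩ H (r') ≠ ∅.  r = r' is included: both philosophers may be
    executing the same routine at the same time."""
    return sorted((r, r2) for r in elements for r2 in elements
                  if wait_set(r) & has_set(r2))


def go_right():
    """eat_right: each philosopher runs pick_two, acquiring both forks at once."""
    return deadlock_pairs(["pick_two"])


def go_wrong():
    """eat_wrong: pick_in_turn holds one fork while waiting for the other,
    and itself calls pick_two."""
    return deadlock_pairs(["pick_in_turn", "pick_two"])


if __name__ == "__main__":
    print("go_right:", go_right() or "absolutely deadlock-free")
    print("go_wrong:", go_wrong())
```

go_right reports nothing: pick_two waits for no uncontrolled argument, so W is empty for every element. go_wrong reports (pick_in_turn, pick_in_turn), the classic cycle of each philosopher holding one fork and waiting for the other's, and (pick_in_turn, pick_two), a philosopher waiting for a fork the other holds inside pick_two; absolute deadlock freedom rules out both.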
Page 68
Claims
Theory:
Theory of aliasing
Loss of precision is small
New concepts, in particular inverse variables
Abstract, does not mention stack & heap
Simple, implementable
Insights into the essence of object-oriented programming
Practice:
Alias calculus
Almost entirely automatic
Implemented
Page 69
Approaches for comparison
Separation logic
Shape analysis (with abstract interpretation)
Ownership
Dynamic frames
Page 70
Hoare-style reasoning
Assignment rule:
  {P (e)} x := e {P (x)}
Page 71
Hoare-style reasoning
Assignment rule:
  {P (e)} x := e {P (x)}
Working backwards from the postcondition:
  require
    y + 1 < 3
  do
    x := whatever + 10000     -- y + 1 < 3 before and after (x does not occur in the assertion)
    y := y + 1                -- y + 1 < 3 before, y < 3 after
  ensure
    y < 3
  end
Page 72
The effect of pointers (references)
  -- y.a = b
  x.set_a (c)       -- understand as x.a := c
  -- x.a = c
For the postcondition x.a = c, the assignment rule yields the precondition c = c, i.e. True; it says nothing about whether y.a = b still holds afterwards (?)
[Diagram: x and y, a field a, objects b and c]
Page 73
The question under study
Given expressions e and f (of reference types) and a program location p:
At p, can e and f ever be attached to the same object?
Page 74
The effect of pointers: with alias analysis
  -- {x, y}‾: x may be aliased to y
  -- y.a = b, hence also x.a = b if x and y are aliased
  x.set_a (c)       -- understand as x.a := c
  -- x.a = c
To keep y.a = b after the call when x may be aliased to y, the assignment rule requires c = b beforehand; the alias relation {x, y}‾ is what makes the proof obligation visible
[Diagram: x and y possibly attached to the same object, a field a, objects b and c]
Page 75
Alias relations
Relation of interest: "in the computation, e might become aliased to f"
Definition: a binary relation is an alias relation if it is symmetric and irreflexive
Not necessarily transitive:
  if c then x := y else y := z end
can alias x to y and y to z, but not x to z
Page 76
Alias diagrams (E0 to E3)
[Diagram: one source node with links labelled x, y / y, z / x, u, v]
Single source node (represents the stack); value nodes: each represents a set of possible run-time values
Links: only from source to value nodes (will become more interesting with E4!)
Edge label: set of expressions; indicates they can all be aliased to each other
In canonical form: no label is a subset of another; each label has at least 2 expressions
Page 77
Approaches for comparison
Separation logic
Shape analysis
Ownership
Dynamic frames
Page 78
Achievements
Theory of aliasing
Simple (about a dozen rules)
New concepts: inverse variables, modeling Current
Graphical formalism (alias diagrams), canonical form
Implemented
Almost entirely automatic (except for occasional cut)
Small loss of precision, i.e. not too conservative
Abstract: does not mention stack and heap
Covers object-oriented programming
Faithful to O-O spirit; see the qualified call rule:
  a » call x.f = x.((x'.a) » call f)
Can cover a full modern O-O language
Potential solution to the "frame problem"