[...] 1,4,5,13,20] that are vital to the correctness of many programs [3]. For example, consider a Pipe abstraction that is used to communicate between two parts of the program. A pipe is open while the communication is ongoing, but when the pipe is no longer needed it is closed [...] ) enabling the static modular manipulation of stateful objects. However, sharing (such as by aliasing) these resources must be carefully controlled to avoid potentially destructive interference that may result from mixing incompatible changes to apparently unrelated objects that, in reality, are connected to the same underlying run-time object. This work aims to provide an intuitive and general-purpose extension to the typestate model by exploiting (coordination) protocols at the shared state level to allow fine-grained and flexible uses of aliased state. Therefore, by modeling the interactions [...]

[Pipe listing residue (tryTake), only the tail of the listing is recoverable:]
    | Filled#[v, next] ->     // does not return
        delete first;         // ownership to the protocol
        buffer.head := next;
        Result#v
    end
  end

By distributing these functions between two aliases, we are able to create independent producer and consumer components of the pipe that share a common buffer (modeled as a singly-linked list). Observe how the interaction, that occurs through aliases of the buffer's nodes, obeys a well-defined protocol: the producer alias (through the put function) inserts an element into the last (empty) node of the buffer and then immediately forfeits that cell (i.e. it is no longer used by that alias); while the consumer alias (using tryTake) proceeds by testing the first node and, when it detects it has been Filled (thus, when the other alias is sure to no longer use it), recovers ownership of that node, which enables the alias to safely delete that cell (first) since it is no longer shared.

1.1 Approach in a Nutshell

Interference due to aliasing is analogous to the interference caused by thread interleaving [15,33]. This occurs because mutable state may be shared by aliases in unknown or non-local program contexts. Such a boundary effectively negates the use of static mechanisms to track exactly which other variables alias some state. Therefore, we are unable to know precisely if the shared state aliased by a local variable will be used when the execution jumps off (e.g. through a function call) to non-local program contexts. However, if that state is used, then the aliases may change the state in ways that invalidate the local alias' assumptions on the current contents of the shared state. This interference caused by "alias interleaving" occurs even without concurrency, but is analogous to how thread interleaving may affect shared state. Consequently, techniques to reason about thread interference (such as [...]

[...] / destructive interference) since conformance attested that each protocol, in isolation, is aware of all observable e[...] by modeling sharing interactions both at the reference level and also at the abstract state level. Therefore, sharing does not [...]

[...] t" to mean a reference to a location t, where the information about the contents of that location is stored in the capability for t. Our capabilities follow the format "rw t A" meaning a r[...]

[...] consumer-producer style of interaction (using a shared internal buffer as mediator), often used in a concurrent program but here used in a single-threaded environment. The shared internal buffer is implemented as a shared [...] ), clients of the pipe can work inde[...]

[Pipe type listing residue, partially recoverable:]
  Δ = rw t ∃p.(ref p :: T[p]), ...
  rw h ∃p.(ref p :: H[p]),   // packs a type, the capability to location 'h'
  rw t ∃p.( [...]
  tryTake = fun(_ : [] :: rw h ∃p.(ref p :: H[p])). /* ... */
  } :: (rw h ∃p.(ref p :: H[p]) * rw t ∃p.(ref p :: T[p]))
  end
  end
  end

The function creates a pipe by allocating an initial node for the internal buffer, a cell to be shared by the [...] H and T (footnote 3). Each protocol is then assigned to the head and tail [...] p :: T[p]). Finally, although we have not yet shown the implementation, the type of the elided record ([...]) contains function types that should be unsurprising noting that each argument and return type has the respective capabilities for the head/[...]

[...] Closed#[]); none" which relies on n containing Empty#[], ensures n then contains either Node#R or Closed#[], and then loses access to n. Both "⇒" and ";" (and R) will be discussed in detail in Section 4.

[Fig. 2 (type grammar) residue: Fields x, Variables X, ... (share) | ...]

[...]structs (focus and defocus). We use a flat type grammar (Fig. 2) where both capabilities (i.e. typing artifacts without values, which includes our rely-guarantee protocols) and standard types (used to type values) coexist. Our design does not need to make a syntactic distinction between the two kinds since the type system ensures the proper separation in their use. We now overview the basic types, leaving the rely and guarantee types to be presented in the following Section together with the discussion on sharing. Pure types !A enable a linear type to be used multiple times. [...] f : A] (record) [...]

[...] Γ | Δ0 ⊢ e : A, Δ1 stating that with lexical environment Γ and linear resources Δ0 we assign the expression e a type A and produce effects that result in Δ1. The typing environments are as follows: [grammar not recoverable]. Δ_G syntactically restricts Δ to not include a defocus-guarantee (a sharing feature, see Section 4.3). It suffices to note that this restriction ensures that defocus-guarantees are nested on the right of [...] and that, at each level, there exists only one pending defocus-guarantee. Δ_G is also used to forbid capture of defocus-guarantees by functions and other constructs that can keep part of the linear typing environment for themselves.

The main typing rules are shown in Fig. 3, but the last four typing rules are only discussed in Section 4. All values (which includes functions, tagged values, etc.) have no resulting effect (·) since, operationally, they have no pending computations. Allocating a new cell results in a type, ∃t.(ref t :: rw t A), that abstracts the fresh location that was created (t), and includes both a reference to that location and the capability to that location. To associate a value (such as ref t) with some capability (such as the capability to access location t), we use a stacking operator ::. Naturally, to be able to use the existential location, we must first open that abstraction by giving it a location variable to refer to the abstracted location, besides the usual variable to refer to the contents of the existential type. Reading the content of a cell can be either destructive or not, depending [...]

[Fig. 3 (typing rules) residue; only rule names and fragments survive: (t:Pure-Elim), (t:Tag), (t:Assign), (t:Defocus-Guarantee), subtyping rules (st:*), (st:Rec), (sd:Type). Recoverable fragments:
  (t:Pure-Elim)  from  Γ, x : A0 | Δ0 ⊢ e : A1, Δ1   conclude  Γ | Δ0, x : !A0 ⊢ e : A1, Δ1
  (t:Tag)        from  Γ | Δ ⊢ v : A, ·              conclude  Γ | Δ ⊢ l#v : l#A, ·  ]

[...] This condition is safe because it amounts to ignoring the e[...] with the types that may appear in a protocol, P:

  P ::= rec X.P | X | P ⊕ P | P & P | A ⇒ P | A ; P | none

A rely-guarantee protocol is a type of capability (i.e. has no value) consisting of potentially many steps, each of the form A_C ⇒ A_P. Each such step states that it is safe for the current client to assume that the shared state satisfies A_C and is required to obey the guarantee A_P, usually of the form A′_C ; A′_P, which in turn requires the client to establish (guarantee) that the shared state satisfies A′_C before allowing the protocol to continue to be used as [...]

[...] #[]); none" This protocol expresses that the client code can safely assume (on focus) a capability stating that location p initially holds type Empty#[]. It then requires the code that uses such state to leave it (on defocus) in one of two possible alternatives (⊕) depending on whether the producer chooses to close the pipe or insert a new element into the buffer. To signal that the node is the last element of the pipe, the producer can just assign it a value of type Closed#[]. Insertions are slightly more complicated because that action implies that the tail element of the list will be changed. Therefore, after creating the new node, [...] ])] (a pair of an integer and a reference to the next shared node of the buffer, as seen from the head [...] A" as a type definition (Q) where we can apply a location without requiring * to be a value, such as location q in Q[q]. The T and H types are defined as follows: T ≜ ∀p.(E ⇒ (N ⊕ C)) [...]

[Protocol step rules residue: (step:*), (step:None), (step:Step), (step:A-P), ...; recoverable fragments:
  (step:None)  ⟨A, none⟩ ↦ ⟨A, none⟩
  (step:Step)  ⟨A0, A0 ⇒ A1 ; P⟩ ↦ ⟨A1, P⟩
  (step:A-P)   from  ⟨A0, P0⟩ ↦ ⟨A1, P2⟩  conclude  ⟨A0, P0 ⊕ P1⟩ ↦ ⟨A1, P2⟩  ]

[...] This means that there is a set S of configurations ⟨A, [...]⟩ [...] S. Therefore, if [...] implies [...] and for all A′, [...] implies [...] The definition yields that all configurations must step (i.e. never get stuck) and that a step in one of the protocols must also step the original protocol such that the result itself still conforms. Conformance ensures that all interleavings are coherent. This also means that each protocol "view" of the shared state can work independently in a safe way, even when the other aliases to that shared state are never used. Ownership recovery does not require any special treatment since it just expresses that the focused capability is not returned back to the protocol, enabling it to remain in the local context. We now apply protocol conformance to our running example, as follows: [...] but leave Δ unmodified (i.e. it is just threaded through). The next examples show conformance in a simplified way, with only the state and the two resulting protocols of a configuration. Remember that E is the abbreviation for Empty#[] that, just like the abbreviations C and N, was defined above. Thus, the [...]

[Worked example residue (typing-state annotations), partially recoverable; listing line numbers kept as in the original:]
  12 focus(rw o Empty#[]);   Δ = [...] rw o Closed#[]); none [...]
  13 share(rw l Empty#[]) as H[l] || T[l];   Δ = [...]
  ...
  18 [...]   Δ = rw t [], T[l]
  21 delete tail;   Δ = T[l]
  22 focus(rw l Empty#[]);   Δ = rw l Empty[...]

[...] operation that takes into account frame defocus-guarantees up to a certain depth. This means that one can always consider extensions of the current footprint as long as any added shared state is hidden from all focused state. By conservatively hiding it behind a defocus-guarantee, we ensure that such state cannot be touched. This enables locality [...]

[...]ely). Note that frame may add elements to the typing environment that cannot be instantiated into valid heaps. That is, the conclusion of the frame rule states that a hypothesis with the extended environment typechecks the expression with the same type and resulting effects. Not all such extensions obey store typing, just as such a typing rule enables adding multiple capabilities to one same location that can never be realized in an actual [...]

[...] C[f] ⇒ none[c] [...] , none ; none [...] after defocus and just on [...] NoResult#{} : [...] p]))   // assume auto stacked [a]   Δ = ·   end end [...]

The progress statement ensures that all well-typed expressions are either values or, if there is a heap that obeys the typing assumptions, the expression can step to some other [...] The theorem above requires the initial expression e0 to be closed so that it is ready [...]

[Stack type residue: ∀T. [] ... ∃E.∃NE. ![ push : T :: E ⊕ NE ... [] :: NE, pop : [] :: NE ... T :: E ⊕ NE, isEmpty : [] :: E ⊕ NE ... Empty#([] :: E [...] ]

[...] flag (used to communicate the information on the kind of content stored in the container) is in a separate cell. The raw value is typed with A and the processed value has type B. The types and protocols are: [...] The protocol on the right is then further split, and its ownership recovery step further [...] 19], programmer-supplied permissions and predicates are used to show [...]

[Reference list fragment:] [...], 2013. 6. C. Calcagno, P. W. O'Hearn, and H. Yang. Local action and abstract separation logic. In [...]