Hermes: A Tutorial and Reference Manual - Researcher - IBM

More documents

Recommendations

Info

Clothes",calleduponlanguagedesignerstoenforcewhathecalledsecurity 3TypeandTypestateChecking C.A.R.Hoare,inhis1981TuringAwardLecture,\TheEmperor'sOld inprogramminglanguages,andcriticizedtherecentlyadoptedAdadesign fornotmeetingthisrequirement.Bysecurity,Hoaremeant\[t]heprinciple pilerandthateverysyntacticallycorrectprogramshouldgivearesultor thateverysyntacticallyincorrectprogramshouldberejectedbythecom- anerrormessagethatwaspredictableandcomprehensibleintermsofthe sourcelanguageprogramitself."Inasecurelanguage,abuginmoduleX shouldshowupasbadoutputfrommoduleX,notasacrash,orarandom guagerules.(We'rethatthelanguagehassomeconceptofmodularityin andtheymustkeeponrunningthegoodprogramseventhoughsomebad programshavebeenallowedtoexecute. multipleusers,theymaydynamicallyloadarbitraryuntestedprograms, mes.Programsarelong-livedsystems,theyincludemoduleswrittenby implementation-dependentperturbationtoapossiblyinnocentmoduleY. whichitisillegalforonemoduletoaccesstheprivatedataofanother.) erroneousexecutions.Erroneousexecutionsareuncheckedviolationsoflan- Let'sadoptAda'sterminologyandcallexecutionswhichviolatesecurity SecurityinHoare'ssenseisextremelyimportantforalanguagelikeHer- Inpractice,erroneousexecutionsaretheresultof:(1)accessingundened values,or(2)accessingdataofthewrongtype. afteranotherhasalreadycheckeditsdiscriminant.SinceHermeshasno formedvalueoftheappropriatetype.Oroneprocessmodiesavariant dataofthewrongtype.Theremainingsecurityproblemsinlanguageslike sharingandnoaliasing,thesepathologicalcasescannotarise. Adaaretheresultofaliasingandshareddata.Forexample,twoprocesses simultaneouslywriteintoasinglevariable,andtheresultisapossibly interleavedsuccessionofbytesfrombothvalues,whichmaynotbeawell- Conventionaltypecheckingavoidsmostoftheproblemsofaccessing fromthedeclaration.Everyoperationhasclassrules,whichlimitwhich familiesoftypestheoperandsmayhave|forexample,+mayonlybeused atypewhichisxedthroughoutitsscope,andwhichisdirectlyderived withintegerorrealtypes.Everyoperationhastypeinferencerules,which determinethetypeofoneoperandasafunctionofthetypeofanother|for insertCintoS,CmustbeoftypeChar.Thedeclaredtypesofvariables exampleifSisaCharstring,denedasorderedtableofChar,thenin andtheinferredtypesofexpressionsmust(1)determineauniquetypefor TheHermestypesystemisstraightforward.Everyvariablenamehas
563.TypeandTypestateChecking anerroneousexecution. thereforemaynotbeinstantiated).AHermescompilerwillrejectaprogram whosePascalorAdacounterpartwouldcompilesuccessfullybutproduce therbereadnorwritten),andwhereaprogramvalueisunchecked(and everyexpressionand(2)beconsistentwiththetyperules. notberead),whereavariantisinthewrongcase(andthereforemayneiing|ageneralizationofdataowanalysis..Hermescompilersusetypestatecheckingtotrackwhereavariableisuninitialized(andthereforemay Here'sanexampleoftypestatecheckingappliedtoasimple(andrather TheproblemofundenedvaluesissolvedinHermesbytypestatecheck- meaningless)programfragment: begin block callParms.GetLine(L); declare L:Charstring; A:Char; B:Charstring; C:Charstring; ifsizeofL=0 then else callParms.PutLine(B); B:="EmptyLine"; A:='NUL'; on(GetLineInterface.EndStream) insertAintoL; callParms.GetLine(L); endif; callParms.GetLine(C); A:=L[0]; endblock; Fornow,letuslookonlyatthesimplestapplicationoftypestate| callParms.PutLine(L); callParms.PutLine(C); tributeinit(A)ispresentinthetypestate;otherwisetheattributeisab- sent.Typestateanalysiscomputesatypestateforeachprogrampoint.This initializedoruninitialized.WedonotallowAtobeinitializedalongsome meansthatatagivenprogrampointvariableAmustbeknowntobeeither avariableisinitializedoruninitialized.IfvariableAisinitialized,theat- asasetofattributesdescribingpropertiesofvariables,suchaswhether pathsandnotothers. keepingtrackofwhichvariablesareinitialized:Atypestateisrepresented
Page 1 and 2:
DavidF.BaconArthurP.GoldbergAndyLow
Page 3 and 4:
Preface Thisdocumentcontainsatutori
Page 5 and 6:
iv3TypeandTypestateChecking 5Resear
Page 8:
Tutorial PartI 1
Page 11 and 12: ortransactions.AHermesmoduleisastra
Page 13 and 14: 61.2.GettingStarted|ASimpleHermesPr
Page 15 and 16: 81.2.GettingStarted|ASimpleHermesPr
Page 17 and 18: 101.2.GettingStarted|ASimpleHermesP
Page 19 and 20: 121.4.PuttingProcessesTogether thec
Page 21 and 22: 141.4.PuttingProcessesTogether newI
Page 23 and 24: fullycheckedfortypeandtypestateerro
Page 25 and 26: constructs:thenewinput-port,connect
Page 27 and 28: 201.5.DeclarationsandDenitions whil
Page 29 and 30: 221.5.DeclarationsandDenitions Stan
Page 31 and 32: whichtheoutputportconnects|calledth
Page 33 and 34: 261.6.ASimpleServer begin QuitCM:Qu
Page 35 and 36: 281.6.ASimpleServer towritedataabst
Page 37 and 38: toaservice,whileretainingtheability
Page 39 and 40: 322.1.Requirements PutLine PutLine
Page 41 and 42: 342.3.Interfaces WMInterface:callme
Page 43 and 44: asmallchangetotheinterfaceFilter.Re
Page 45 and 46: 382.5.Front-endProcess callParms.Ge
Page 47 and 48: 402.5.Front-endProcess paringavalue
Page 49 and 50: ationtable[expr].Wehaveencounteredt
Page 51 and 52: ishiddenandinnowayaectsthesemantics
Page 53 and 54: 462.7.TheWindowManager callCurrentW
Page 55 and 56: name.Ifwewaitedtobuildtheapplicatio
Page 57 and 58: 502.8.CreatingaWindowApplication re
Page 59 and 60: 522.8.CreatingaWindowApplication be
Page 61: examplesillustratedhere. errorhandl
Page 65 and 66: 583.TypeandTypestateChecking Therei
Page 67 and 68: 604.1.ExpressionBlocks anexpression
Page 69 and 70: 624.3.Variants thevariantcomponents
Page 71 and 72: thetypestate(i.e.addattributes),but
Page 73 and 74: accesscontrol{anyonecangetit. 664.4
Page 75 and 76: 685.ResearchDirectionsinHermes
Page 78 and 79: 6Introduction Thereferencemanualpre
Page 80 and 81: 7LexicalandSyntacticRules lectionso
Page 82 and 83: 8Resolution name,attributename,exce
Page 84 and 85: 8.1.2ComponentNames eachhaveacompon
Page 86 and 87: onthehandlerandusedontheexitstateme
Page 88 and 89: theelementwillalsobeknownbyapplying
Page 90 and 91: documentationpurposesevenwheretheya
Page 92 and 93: ments.Therstargumenttocasemustbeava
Page 94 and 95: Ifinit(CM)ispresentandCMisacallmess
Page 96 and 97: 6.Determinethepostconditionsforeach
Page 98 and 99: droppedattributesafternormalcomplet
Page 100 and 101: 11 HermesOperations Throughoutthere
Page 102 and 103: Thediscardstatementremovesthevaluef
Page 104 and 105: Ifnoneoftheclausescanexitsnormally,
Page 106 and 107: Ifthereisanoptionalselectexpression
Page 108 and 109: stmemberisanatomwithprintnamematchi
Page 110 and 111: types.Additionally,theoperations\an
Page 112 and 113:
Less,Less-equal,Greater,Greater-equ
Page 114 and 115:
RecordTypeFamily 11.5RecordOperatio
Page 116 and 117:
valueofthetable,ifany,isdiscarded.
Page 118 and 119:
thetableisordered,theelementisinser
Page 120 and 121:
notallowedonconstantcopies.Avariabl
Page 122 and 123:
thereisnoselectedelement,aNotFounde
Page 124 and 125:
willbeuninitialized,andthedestinati
Page 126 and 127:
Itistheabilityforprogramstosendandr
Page 128 and 129:
Connect Theconnectstatementhastwoop
Page 130 and 131:
possible,andstoresitinadestinationv
Page 132 and 133:
incompatiblewiththeinputporttypeoft
Page 134 and 135:
Inspect-polymorph willincludefinit(
Page 136 and 137:
theprogramwhichembedsit.Thereforeth
Page 138 and 139:
type).Ifthecheckfails,theexceptionD
Page 140 and 141:
isusuallygeneratedasacoercionwhenme
Page 142 and 143:
A.1LexicalRules Webeginwiththerules
Page 144 and 145:
accuracy against andy assert drop e
Page 146 and 147:
Thesimplestatements: simple{stateme
Page 148 and 149:
oolean{guard event{guard::=eventinp
Page 150 and 151:
::=(expression)AppendixA.HermesConc
Page 152 and 153:
user{exception constant{parameters
Page 154 and 155:
formal{variable module{name::=ident
Page 156 and 157:
Typestatesappearinginparticularcont
Page 158 and 159:
destination,source,andposition.Some
Page 160 and 161:
operandwillnolongerbeinitialized. B
Page 162 and 163:
Followingaretheinferencefunctionsap
Page 164 and 165:
lowestentrycondition(message,port):
Page 166 and 167:
copy(source,destination):Foreachatt
Page 168 and 169:
assert(continued) Description:Evalu
Page 170 and 171:
case(continued) Description:Copythe
Page 172 and 173:
copy(continued) Preconditions: unco
Page 174 and 175:
drop(continued) SpecialRules:Thenum
Page 176 and 177:
exists(continued) SpecialRules:Thes
Page 178 and 179:
forall(continued) Description:Ifeve
Page 180 and 181:
greater(continued) Description:Ifso
Page 182 and 183:
insert{at(table,element,position) T
Page 184 and 185:
integer{literal(result) TypeRules:
Page 186 and 187:
merge{at(continued) Description:Rem
Page 188 and 189:
not(result,source) TypeRules: Appen
Page 190 and 191:
print(variable) TypeRules:None Prec
Page 192 and 193:
emove(element,table) TypeRules: App
Page 194 and 195:
select(continued) SpecialRules:Allt
Page 196 and 197:
subtract(result,source1,source2) Ty
Page 198 and 199:
unary{minus(result,source) TypeRule
Page 200 and 201:
wrap(continued) Preconditions: var(
Page 202 and 203:
definitions predefined:using() Appe
Page 204 and 205:
);'named'->typename:typenameffullg
Page 206 and 207:
{{Specicinformationneededtocomplete
Page 208 and 209:
attrdefinition:record( attributeid:
Page 210 and 211:
statement:record( id:statementid, o
Page 212 and 213:
{{Ablockstatementqualieridentiesthe
Page 214 and 215:
{{expressionisfalse. ifqualifier:re
Page 216 and 217:
{{expression.The'element'rootvariab
Page 218 and 219:
[ASU88]AlfredV.Aho,RaviSethi,andJer
Page 220 and 221:
[SYB87a]RobertE.Strom,ShaulaAlexand
Page 222 and 223:
AppendixC.PredenedModule215 coercio
Page 224 and 225:
AppendixC.PredenedModule217 dening,
Page 226:
variablename discarded,29 variant,6
show all

Hermes: A Tutorial and Reference Manual - Researcher - IBM

Create successful ePaper yourself

Delete template?

Save as template?