Hermes: A Tutorial and Reference Manual - Researcher - IBM

More documents

Recommendations

Info

initialized.Attheendofthethenclause,aftertheassignmentstoAandB, thediscussion,wewilllookonlyattypestateattributesrelatingtothe initializedstateofvariablesA,B,C,andL. isempty.AfterthecalltoGetLine,thetypestateisfinit(L)g|onlyLis Letusfollowtheanalysisoftypestatesintheaboveexample.Tosimplify Onentrytotheblock,noneofthevariablesisinitialized,sothetypestate 3.TypeandTypestateChecking57 clause,thetypestateisfinit(L),init(A),init(C)g. thetypestateisfinit(L),init(A),init(B)g.Attheendoftheelse toberun-timetestsofinitializedness|avariablemusteitherbeknownto werepossiblyinitialized,andpossiblynot.InHermes,wedonotwishthere entrytothemerge.SoallyouwouldknowaboutBandCwouldbethatthey analysis,youalwaysknowlessinformationatamergepointthanateither thiscase,thattypestateisfinit(L),init(A)g|variablesLandAwill atthemergepointiscomputedastheintersectionofthetypestates.1In beinitialized,BandCuninitialized. Attheendoftheifstatement,thetwopathsmerge.Thetypestate beinitializedorknowntobeuninitialized.Theintersectionruleimplies andCareinfactuninitializedatthispointregardlessoftheexecutionpath taken,thecompilerinsertscoercionoperations.Inthiscase,thecompiler thatBandCwillbeuninitializedatthemergepoint.TomakesurethatB Hereiswheretypestateanalysisgoesbeyonddataowanalysis.Indataow statementaftertheelseclause. willinsertadiscardBstatementafterthethenclauseandadiscardC issaidtobelower.Coercionoperationsalwaysconvertfromahighertypestatetoalowerone. finit(L)g(thirdcall).Theintersectionisthetypestatefg.Thecompiler secondcalltoGetLinetothehandler,anditinsertsanoperationtodiscard automaticallyinsertsoperationstodiscardLandAintothepathfromthe Atypestatewithastrictsubsetoftheattributesofasecondtypestate Therearethreepathstothathandler|onefromeachcalltoGetLine.The threetypestatesarefg(rstcall),finit(L),init(A)g(secondcall),and Lintothepathfromthethirdcall. Asimilarsituationprevailsattheexceptionhandleron(GetLineInterface.Endstream). Parms.GetLine(A),theGetLineIndenitionrequirestheargumenttobe ment,itischeckedthatbothLandAareinitialized.Inthestatementcall italsochecksforlegalityofprograms.Forinstance,attheinsertstate- operationdiscardAisinsertedsothatAwillbeuninitializedasexpected uninitialized,yetAisinitialized.Here,thetypestateistoohigh.Acoercion Typestateanalysisnotonlytracksthetypestateandperformscoercions, typestateislowerthantheotherifitisasubsetoftheother;themeetoftwo structurewheretheelements(typestatesinthiscase)arepartiallyordered,and typestatesistheirintersection. whereeverypairofelementshasameetorgreatestlowerbound.InHermes,one 1Mathematically,thesetoftypestatesisasemilattice|thatis,amathematical
583.TypeandTypestateChecking Thereisnocoerciontomakeatypestatehigher,sothisstatementmustbe beforethecall.InthestatementcallParms.PutLine(L)inthehandler, rejectedaserroneous.Thecompilerwillissueanerrormessagesayingthat attributeinit(L)wasrequiredbutnotpresent. Lisrequiredtobeinitialized,anditisnot,sothetypestateistoolow. ciency.Whenprogramsarewritteninunsafelanguages,eachuserhasto denedLcouldproduceunpredictableresults|possiblyevenaprogram trap.(ImagineLimplementedasapointertoastringbuer.)Thiswould Second,wegetearlydetectionofnonsenseprograms.Third,wegete- AllowingastatementlikecallParms.PutLine(L)toexecutewithanun- beputinaseparateaddressspacesothatoneuser'serroneousprogram befatal,especiallyifourprogramisamulti-usersystem.Andifwedidn't detecttheerroratcompile-time,we'dhavetocheckforitatrun-time. WhatbenetsdowegetfromtypestatecheckingFirst,wegetsecurity. maticallygenerateddiscardsofvalues.Forinstance,wesawthatwhenthe otherwisehave.Finally,wegetfreegarbagecollectionintheformofauto- EndStreamexceptionwasraised,theappropriatevariableswerediscarded beforeenteringtheexceptionhandler. addressspace.Becausetheimplementationissecure,wegettheprotection ofaddressspacesattherun-timecostoflightweightprocesses.Andon can'thurtanotheruser.ButwecanrunmultipleHermesprocessesinone machineslackingmemorymapping,wegetprotectionwhichwewouldnot youcankeeptheinterface\inyourhead",youmayconsiderwritingextra Ifyou'rewritingaprocedurewhichnoonebutyourselfisgoingtouseand systems,soitfavorstherstpointofviewoverthesecond. declarationsaburden.Hermesisdesignedprimarilyforlarge,long-lived someoneelse'smodules,theextradocumentationontheinterfaceisuseful. typestatesofcallparametersoninterfaces.Thiscanbeviewedaseithera burdenorabenetdependinguponyourpointofview.Ifyou'repickingup WhatpricedowepayYouhavetodeclarethepre-callandpost-call
Page 1 and 2:
DavidF.BaconArthurP.GoldbergAndyLow
Page 3 and 4:
Preface Thisdocumentcontainsatutori
Page 5 and 6:
iv3TypeandTypestateChecking 5Resear
Page 8:
Tutorial PartI 1
Page 11 and 12:
ortransactions.AHermesmoduleisastra
Page 13 and 14: 61.2.GettingStarted|ASimpleHermesPr
Page 15 and 16: 81.2.GettingStarted|ASimpleHermesPr
Page 17 and 18: 101.2.GettingStarted|ASimpleHermesP
Page 19 and 20: 121.4.PuttingProcessesTogether thec
Page 21 and 22: 141.4.PuttingProcessesTogether newI
Page 23 and 24: fullycheckedfortypeandtypestateerro
Page 25 and 26: constructs:thenewinput-port,connect
Page 27 and 28: 201.5.DeclarationsandDenitions whil
Page 29 and 30: 221.5.DeclarationsandDenitions Stan
Page 31 and 32: whichtheoutputportconnects|calledth
Page 33 and 34: 261.6.ASimpleServer begin QuitCM:Qu
Page 35 and 36: 281.6.ASimpleServer towritedataabst
Page 37 and 38: toaservice,whileretainingtheability
Page 39 and 40: 322.1.Requirements PutLine PutLine
Page 41 and 42: 342.3.Interfaces WMInterface:callme
Page 43 and 44: asmallchangetotheinterfaceFilter.Re
Page 45 and 46: 382.5.Front-endProcess callParms.Ge
Page 47 and 48: 402.5.Front-endProcess paringavalue
Page 49 and 50: ationtable[expr].Wehaveencounteredt
Page 51 and 52: ishiddenandinnowayaectsthesemantics
Page 53 and 54: 462.7.TheWindowManager callCurrentW
Page 55 and 56: name.Ifwewaitedtobuildtheapplicatio
Page 57 and 58: 502.8.CreatingaWindowApplication re
Page 59 and 60: 522.8.CreatingaWindowApplication be
Page 61 and 62: examplesillustratedhere. errorhandl
Page 63: 563.TypeandTypestateChecking anerro
Page 67 and 68: 604.1.ExpressionBlocks anexpression
Page 69 and 70: 624.3.Variants thevariantcomponents
Page 71 and 72: thetypestate(i.e.addattributes),but
Page 73 and 74: accesscontrol{anyonecangetit. 664.4
Page 75 and 76: 685.ResearchDirectionsinHermes
Page 78 and 79: 6Introduction Thereferencemanualpre
Page 80 and 81: 7LexicalandSyntacticRules lectionso
Page 82 and 83: 8Resolution name,attributename,exce
Page 84 and 85: 8.1.2ComponentNames eachhaveacompon
Page 86 and 87: onthehandlerandusedontheexitstateme
Page 88 and 89: theelementwillalsobeknownbyapplying
Page 90 and 91: documentationpurposesevenwheretheya
Page 92 and 93: ments.Therstargumenttocasemustbeava
Page 94 and 95: Ifinit(CM)ispresentandCMisacallmess
Page 96 and 97: 6.Determinethepostconditionsforeach
Page 98 and 99: droppedattributesafternormalcomplet
Page 100 and 101: 11 HermesOperations Throughoutthere
Page 102 and 103: Thediscardstatementremovesthevaluef
Page 104 and 105: Ifnoneoftheclausescanexitsnormally,
Page 106 and 107: Ifthereisanoptionalselectexpression
Page 108 and 109: stmemberisanatomwithprintnamematchi
Page 110 and 111: types.Additionally,theoperations\an
Page 112 and 113: Less,Less-equal,Greater,Greater-equ
Page 114 and 115:
RecordTypeFamily 11.5RecordOperatio
Page 116 and 117:
valueofthetable,ifany,isdiscarded.
Page 118 and 119:
thetableisordered,theelementisinser
Page 120 and 121:
notallowedonconstantcopies.Avariabl
Page 122 and 123:
thereisnoselectedelement,aNotFounde
Page 124 and 125:
willbeuninitialized,andthedestinati
Page 126 and 127:
Itistheabilityforprogramstosendandr
Page 128 and 129:
Connect Theconnectstatementhastwoop
Page 130 and 131:
possible,andstoresitinadestinationv
Page 132 and 133:
incompatiblewiththeinputporttypeoft
Page 134 and 135:
Inspect-polymorph willincludefinit(
Page 136 and 137:
theprogramwhichembedsit.Thereforeth
Page 138 and 139:
type).Ifthecheckfails,theexceptionD
Page 140 and 141:
isusuallygeneratedasacoercionwhenme
Page 142 and 143:
A.1LexicalRules Webeginwiththerules
Page 144 and 145:
accuracy against andy assert drop e
Page 146 and 147:
Thesimplestatements: simple{stateme
Page 148 and 149:
oolean{guard event{guard::=eventinp
Page 150 and 151:
::=(expression)AppendixA.HermesConc
Page 152 and 153:
user{exception constant{parameters
Page 154 and 155:
formal{variable module{name::=ident
Page 156 and 157:
Typestatesappearinginparticularcont
Page 158 and 159:
destination,source,andposition.Some
Page 160 and 161:
operandwillnolongerbeinitialized. B
Page 162 and 163:
Followingaretheinferencefunctionsap
Page 164 and 165:
lowestentrycondition(message,port):
Page 166 and 167:
copy(source,destination):Foreachatt
Page 168 and 169:
assert(continued) Description:Evalu
Page 170 and 171:
case(continued) Description:Copythe
Page 172 and 173:
copy(continued) Preconditions: unco
Page 174 and 175:
drop(continued) SpecialRules:Thenum
Page 176 and 177:
exists(continued) SpecialRules:Thes
Page 178 and 179:
forall(continued) Description:Ifeve
Page 180 and 181:
greater(continued) Description:Ifso
Page 182 and 183:
insert{at(table,element,position) T
Page 184 and 185:
integer{literal(result) TypeRules:
Page 186 and 187:
merge{at(continued) Description:Rem
Page 188 and 189:
not(result,source) TypeRules: Appen
Page 190 and 191:
print(variable) TypeRules:None Prec
Page 192 and 193:
emove(element,table) TypeRules: App
Page 194 and 195:
select(continued) SpecialRules:Allt
Page 196 and 197:
subtract(result,source1,source2) Ty
Page 198 and 199:
unary{minus(result,source) TypeRule
Page 200 and 201:
wrap(continued) Preconditions: var(
Page 202 and 203:
definitions predefined:using() Appe
Page 204 and 205:
);'named'->typename:typenameffullg
Page 206 and 207:
{{Specicinformationneededtocomplete
Page 208 and 209:
attrdefinition:record( attributeid:
Page 210 and 211:
statement:record( id:statementid, o
Page 212 and 213:
{{Ablockstatementqualieridentiesthe
Page 214 and 215:
{{expressionisfalse. ifqualifier:re
Page 216 and 217:
{{expression.The'element'rootvariab
Page 218 and 219:
[ASU88]AlfredV.Aho,RaviSethi,andJer
Page 220 and 221:
[SYB87a]RobertE.Strom,ShaulaAlexand
Page 222 and 223:
AppendixC.PredenedModule215 coercio
Page 224 and 225:
AppendixC.PredenedModule217 dening,
Page 226:
variablename discarded,29 variant,6
show all

Hermes: A Tutorial and Reference Manual - Researcher - IBM

Create successful ePaper yourself

Delete template?

Save as template?