Results 1 - 10 of 27
Abstract predicates and mutable ADTs in Hoare type theory
In Proc. ESOP'07, volume 4421 of LNCS, 2007
Cited by 50 (21 self)
Abstract: Hoare Type Theory (HTT) combines a dependently typed, higher-order language with monadically encapsulated, stateful computations. The type system incorporates pre- and post-conditions, in a fashion similar to Hoare and Separation Logic, so that programmers can modularly specify the requirements and effects of computations within types. This paper extends HTT with quantification over abstract predicates (i.e., higher-order logic), thus embedding into HTT the Extended Calculus of Constructions. When combined with the Hoare-like specifications, abstract predicates provide a powerful way to define and encapsulate the invariants of private state; that is, state which may be shared by several functions, but is not accessible to their clients. We demonstrate this power by sketching a number of abstract data types and functions that demand ownership of mutable memory, including an idealized custom memory manager.
Generic ownership for generic Java
In Object-Oriented Programming Systems, Languages, and Applications (OOPSLA), 2006
Cited by 49 (14 self)
Abstract: Ownership types enforce encapsulation in object-oriented programs by ensuring that objects cannot be leaked beyond object(s) that own them. Existing ownership programming languages either do not support parametric polymorphism (type genericity) or attempt to add it on top of ownership restrictions. Generic Ownership provides per-object ownership on top of a sound generic imperative language. The resulting system not only provides ownership guarantees comparable to established systems, but also requires few additional language mechanisms due to full reuse of parametric polymorphism. We formalise the core of Generic Ownership, highlighting that only restriction of this calls and owner subtype preservation are required to achieve deep ownership. Finally we describe how Ownership Generic Java (OGJ) was implemented as a minimal extension to Generic Java in the hope of bringing ownership types into mainstream programming.
Multiple Ownership
In OOPSLA, 2007
Cited by 44 (13 self)
Abstract: Existing ownership type systems require objects to have precisely one primary owner, organizing the heap into an ownership tree. Unfortunately, a tree structure is too restrictive for many programs, and prevents many common design patterns where multiple objects interact. Multiple Ownership is an ownership type system where objects can have more than one owner, and the resulting ownership structure forms a DAG. We give a straightforward model for multiple ownership, focusing in particular on how multiple ownership can support a powerful effects system that determines when two computations interfere — in spite of the DAG structure. We present a core programming language MOJO, Multiple Ownership for Java-like Objects, including a type and effects system, and soundness proof. In comparison to other systems, MOJO imposes absolutely no restrictions on pointers, modifications or programs' structure, but in spite of this, MOJO's effects can be used to reason about or describe programs' behaviour.
How is aliasing used in systems software?
2006
Cited by 33 (8 self)
Abstract: We present a study of all sources of aliasing in over one million lines of C code, identifying in the process the common patterns of aliasing that arise in practice. We find that aliasing has a great deal of structure in real programs and that just nine programming idioms account for nearly all aliasing in our study. Our study requires an automatic alias analysis that both scales to large systems and has a low false positive rate. To this end, we also present a new context-, flow-, and partially path-sensitive alias analysis that, together with a new technique for object naming, achieves a false aliasing rate of 26.2% on our benchmarks.
Distributed programming with distributed authorization
2009
Cited by 24 (2 self)
Abstract: We propose a programming language, called PCML5, for building distributed applications with distributed access control. Target applications include web-based systems in which programs must compute with stipulated resources at different sites. In such a setting, access control policies are decentralized (each site may impose restrictions on access to its resources without the knowledge of or cooperation with other sites) and spatially distributed (each site may store its policies locally). To enforce such policies PCML5 employs a distributed proof-carrying authorization framework in which sensitive resources are governed by reference monitors that authenticate principals and demand logical proofs of compliance with site-specific access control policies. The language provides primitive operations for authentication, and acquisition of proofs from local policies. The type system of PCML5 enforces locality restrictions on resources, ensuring that they can only be accessed from the site at which they reside, and enforces the authentication and authorization obligations required to comply with local access control policies. This ensures that a well-typed PCML5 program cannot incur a runtime access control violation at a reference monitor for a controlled resource.
Existential Quantification for Variant Ownership
2009
Cited by 9 (3 self)
Abstract: Ownership types characterize the topology of objects in the heap, through a characterization of the context to which an object belongs. They have been used to support reasoning, memory management, concurrency, etc. Subtyping is traditionally invariant w.r.t. contexts, which has often proven inflexible in some situations. Recent work has introduced restricted forms of subtype variance and unknown context, but in a rather ad-hoc and restricted way. We develop Jo∃, a calculus which supports parameterisation of types, as well as contexts, and allows variant subtyping of contexts based on existential quantification. Jo∃ is more expressive, general, and uniform than previous works which add variance to ownership languages. Our explicit use of existential types makes the connection to type-theoretic foundations from existential types more transparent. We prove type soundness for Jo∃ and extend it to Jo∃deep which enforces the owners-as-dominators property.
Towards an effects system for ownership domains
In ECOOP Workshop - FTfJP 2005, 2005
Cited by 8 (0 self)
Abstract: Effects systems can capture the parts of the heap affecting or affected by some predicate or execution. Comparison of such effects can demonstrate the 'independence' of expressions and predicates thus allowing expressions to be safely re-ordered or assuring the preservation of predicates by execution. We develop an effects system for Aldrich and Chambers' ownership domains based on the Joe system of Clarke and Drossopoulou. We demonstrate our effects through an example, discuss some limitations of the system and suggest extensions.
Originally published
1927
Cited by 7 (0 self)
Abstract: We present a language for access control. The language is organized around the notion of execution on behalf of a principal. This is characterized using an indexed lax modality. Central to the language is the idea of manifest security – accessing a resource requires presenting a proof of accessibility to the resource monitor. Proofs are generated at runtime by actions such as typing in password, looking up an access-control list or by composing other proofs etc. In the present work, we consider a simplified setting in which the access-control theory is static. In such a case proofs can be regarded as static entities. Proof generation can be hoisted away from resource access since proofs become permanent. Also, the actual proofs are irrelevant. The results of runtime checks can therefore be reflected as types and the program can be verified statically to ensure that relevant runtime checks would be passed before accessing any resource. We prove a theorem stating that the language is safe in terms of how all a principal can get to access a resource.
A Parameterized Type System for Simple Loose Ownership Domains
2002
Cited by 6 (2 self)
Abstract: Ownership Domains generalize ownership types. They support programming patterns such as iterators that are not possible with ordinary ownership types. However, they are still too restrictive for cases in which an object X wants to access the public domains of an arbitrary number of other objects, which often happens in observer scenarios. To overcome this restriction, we develop so-called loose domains which abstract over several precise domains. Similar to the relation between supertypes and subtypes, we get a relation between loose and precise domains. In addition, we simplify ownership domains by reducing the number of domains per object to two and hard-wiring the access permissions between domains. We formalize the resulting type system for an OO core language and prove type soundness and a fundamental accessibility property.
A language for access control
2007
Cited by 4 (0 self)
Abstract: We present a language for access control. The language is organized around the notion of execution on behalf of a principal. This is characterized using an indexed lax modality. Central to the language is the idea of manifest security – accessing a resource requires presenting a proof of accessibility to the resource monitor. Proofs are generated at runtime by actions such as typing in password, looking up an access-control list or by composing other proofs etc. In the present work, we consider a simplified setting in which the access-control theory is static. In such a case proofs can be regarded as static entities. Proof generation can be hoisted away from resource access since proofs become permanent. Also, the actual proofs are irrelevant. The results of runtime checks can therefore be reflected as types and the program can be verified statically to ensure that relevant runtime checks would be passed before accessing any resource. We prove a theorem stating that the language is safe in terms of how all a principal can get to access a resource.