avoid a void
DESCRIPTION
Avoid a void. Bertrand Meyer With major contributions by Emmanuel Stapf & Alexander Kogtenkov (Eiffel Software) and the ECMA TG4 (Eiffel) committee, plus gratefully acknowleded influence of Spec#, especially through Erik Meijer & Rustan Leino. Basic O-O operation. x . f ( args ). - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/1.jpg)
Avoid a void
Bertrand Meyer
With major contributions by Emmanuel Stapf &
Alexander Kogtenkov (Eiffel Software)
and the ECMA TG4 (Eiffel) committee,plus gratefully acknowleded influence of Spec#, especially through Erik Meijer &
Rustan Leino
![Page 2: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/2.jpg)
2
Basic O-O operation
x.f (args)
… and basic issue studied here:
(If not, call produces an exception and usually termination)
Semantics: apply the feature f, with given args if any, to the object to which x is attached
How do we guarantee that x will always be “attached” to an object?
![Page 3: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/3.jpg)
3
I call it my billion-dollarmistake. It was the inventionof the null reference in 1965.I was designing the firstcomprehensive type systemfor references in an object-oriented language (ALGOL W).My goal was to ensure that alluse of references should besafe, checked by the compiler.
But I couldn't resist the temptation to put in a null reference, because it was so easy to implement. This has led to innumerable errors, vulnerabilities, and system crashes, which have probably caused a billion dollars of pain and damage in the last forty years.
![Page 4: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/4.jpg)
4
Plan
1. Context
2. New language constructs
3. Achieving void safety
4. Current status
![Page 5: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/5.jpg)
5
- 1 -
Context
![Page 6: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/6.jpg)
6
Source: Patrice Chalin
44% of Eiffel preconditions clauses are of the form
x /= Void
![Page 7: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/7.jpg)
7
The standards effort
ECMA standard for Eiffel
Approved June 2005, 2nd edition, June 2006
ISO standard, November 2006
Mechanism described here is in EiffelStudio 6.3, Nov 2008; libraries fully adapted in 6.4, May 2009
![Page 8: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/8.jpg)
8
Requirements
Minimal language extensionStatically, completely void safeSimple for programmer, no mysterious rulesReasonably simple for compilerHandles genericityDoesn’t limit expressivenessCompatibility or minimum change for existing
code1st-semester teachability
![Page 9: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/9.jpg)
9
Lessons from Spec# work
“Spec# stipulates the inference of non-[voidness] for local variables. This inference is performed as a dataflow analysis by the Spec# compiler.”
(Barnett, Leino, Schulte, Spec# paper)
x /= Void
![Page 10: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/10.jpg)
10
Subject: “I had a dream”
From:"Eric Bezault" [email protected]:"ECMA TC49-TG4" Date:Thu, 4 Jun 2009 11:21
Last night I had a dream. I was programming in Eiffel 5.7. The code was elegant. There was no need for defensive programming just by taking full advantage of design by contract. Thanks to these contracts the code was easy to reuse and to debug. I could hardly remember the last time I had a call-on-void-target. It was so pleasant to program with such a wonderful language.
This morning when I woke up I looked at the code that had been modified to comply with void-safety. This was a rude awakening. The code which was so elegant in my dream now looked convoluted, hard to follow. It looks like assertions are losing all their power and defensive programming is inviting itself again in the code. […]
![Page 11: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/11.jpg)
11
- 2 -
New language constructs
![Page 12: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/12.jpg)
12
New constructs
1. Object test
Replaces all “downcasting” (type narrowing)mechanisms
2. Type annotations: “attached” and “detachable”
New keywords: attached, detachable
(Plus: stable.)
![Page 13: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/13.jpg)
13
The Object Test (full form)
Boolean expression:
attached {T } exp as x
Value:True if value of exp is attached to an
object of type T or conforming
Plus: binds x to that value over scope of object test
Name (“Object-Test Local”)
TypeExpression
![Page 14: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/14.jpg)
14
Object Test example
if attached {T } exp as x then
… Arbitrary instructions… x .operation
… Other instructions …
end
Scope of x
![Page 15: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/15.jpg)
15
Object Test variants
attached {T } exp as x
attached exp as x
attached {T } exp
attached exp
Same semantics as exp /= Void
![Page 16: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/16.jpg)
16
Scope of x
Another example of Object Test scopefrom
…until not attached exp as x loop
… Arbitrary instructions …
x.some_operation
… Other instructions …end
![Page 17: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/17.jpg)
17
Scope of x
Object test in contractsmy_routine
requireattached exp as x and then
x.some_property
do…
end
![Page 18: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/18.jpg)
18
- 3 -
Achieving void safety
![Page 19: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/19.jpg)
19
A success story: static type checking
We allow
x.f (args)
only if we can guarantee that at run time:The object attached to x, if it exists, has a feature for f, able to handle the args.
Basic ideas:Accept it only if type of x has a feature fAssignment x := y requires conformance (based
on inheritance)
What if x is void?
![Page 20: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/20.jpg)
20
Generalizing static type checking
The goal (“void safety”): at compile time, allow
x.f (args)
only if we can guarantee that at run time:
x is not void.
![Page 21: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/21.jpg)
21
The basic rule
x.f (args) is permitted only if x is attached
where “attached” is a static property
The rest of this discussion is about various ways to ensure that x is attached
![Page 22: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/22.jpg)
22
Components of the solution
1. Some patterns guaranteed void-safe(“Certified Attachment Patterns” or CAPS)
2. Object test
3. Attached type(Issue here: initialization)
4. Rule for generic parameters
![Page 23: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/23.jpg)
23
Components of the solution
1. Some patterns guaranteed void-safe(“Certified Attachment Patterns” or CAPS)
2. Object test
3. Attached type(Issue here: initialization)
4. Rule for generic parameters
![Page 24: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/24.jpg)
24
Certified Attachment Patterns
CAP: a program scheme that guarantees the void-safety of a call
![Page 25: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/25.jpg)
25
CAP 1: conditional
Consider a variable or expression e
Can this be guaranteed void-safe?
if e /= Void then
e.operationend
Answer: only if e is a local variable! (or formal argument)Not for an attribute, or a general expression.
other_instructions(args)
(Assume e is a variable)
not assigning to eWhat about
multithreading?
![Page 26: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/26.jpg)
26
CAP 2: loop
from...
untilx = Void
loop... Any instructions not assigning to x ...… (except possibly last instruction) …
end
x must again be a local variable or a formal argument!
A CAP for x
![Page 27: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/27.jpg)
27
A typical loop, now safe
fromx := first_element
untilx = Void or else Result
loopResult := (x.item = sought)x := x.right
end
Zurich JFK Logan
item right item right item right
first_element
![Page 28: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/28.jpg)
28
CAP 3: check instructionConsider a class with the invariant
and the routiner
requirenot after
do
active.some_operationend
check active /= Void end
Semantics of check a end: compiler must either prove that a holds or generate code that triggers exception if it doesn’t
0 index1
afterbefore
"Boston"count count+1
active
(after) implies (active = Void)
![Page 29: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/29.jpg)
29
The CAP catalog
About 6 CAPs specified in the ECMA standard. Above threeare the most important.
Another example: x in
x /= Void implies x.some_property
Criterion: simple; easy to understand; provably and obviously correct
Need to be approved by committeeMathematical, machine-checked proofs desirable
![Page 30: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/30.jpg)
30
CAP variant: stable attributes
if e /= Void then
e.operationend
other_instructions not assigning to e
What aboutmultithreading
?
OK if e is a “stable attribute”: no routine of the class assigns to it
e : SOME_TYPEnote
stableattributeend
![Page 31: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/31.jpg)
31
Components of the solution
1. Some patterns guaranteed void-safe(“Certified Attachment Patterns” or CAPS)
2. Object test
3. Attached type(Issue here: initialization)
4. Rule for generic parameters
![Page 32: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/32.jpg)
32
Using an object test for void safety
if attached {T } exp as x then
… Arbitrary instructions… x .operation
… Other instructions …
end
Scope of x
![Page 33: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/33.jpg)
33
The remaining goal…Minimize use of Object Test!
General but impractical solution: protect every qualified feature call by an Object Test!Instead of
exp .operationwrite
if attached {T } exp as x then x .operation
end
![Page 34: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/34.jpg)
34
Components of the solution
1. Some patterns guaranteed void-safe(“Certified Attachment Patterns” or CAPS)
2. Object test
3. Attached type(Issue here: initialization)
4. Rule for generic parameters
![Page 35: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/35.jpg)
35
Attached and detachable types
For any type T, a variable declared as just
x : T -- or: x : attachedT
cannot be void!Type T is attached
To allow void values, declare
x : detachable TType detachable T is
detachable
![Page 36: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/36.jpg)
36
Default policy
Attached as a default because of “business objects”, e.g bank accounts, persons, planes…
Void is useful for “Knuthware”, specifically linked structures
![Page 37: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/37.jpg)
37
The remaining problem…
How to ensure that variables declared of an attached type
x : T meet that declaration, i.e. can never become void!
![Page 38: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/38.jpg)
38
Conservation of attachment
Inx := y
orr (y) -- Where formal argument is x
if type of x is attached, y must be attached.
![Page 39: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/39.jpg)
39
If assignment & argument passing are OK…
… there remains initialization!
![Page 40: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/40.jpg)
40
The initialization problem
In previous Eiffel:
Basic types initialized to standard values (zero, False, null character)
Other expanded types must have default_create from ANY
References initialized to Void
![Page 41: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/41.jpg)
41
Initializing variables
An attribute is attached if every creation procedure sets it.
A local variable is initialized if the beginning of the routine sets it.
Scheme 1: CAP
![Page 42: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/42.jpg)
42
Initializing variablesScheme 1: CAPScheme 2: Self-initializing attributes
![Page 43: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/43.jpg)
43
Digression: attributesbounding_rectangle: RECTANGLE
-- Smallest rectangle including whole of current figure
![Page 44: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/44.jpg)
44
Digression: attributes with contracts!bounding_rectangle: RECTANGLE
-- Smallest rectangle including whole of current figure
requirebounded
attribute
ensureResult.height = heightResult.width = widthResult.lower_left = lower_leftResult.contains (Current)
end
![Page 45: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/45.jpg)
45
Self-initializing attributesbounding_rectangle: FIGURE
-- Smallest rectangle including whole of current figure
-- (Computed only if needed)require
boundedattribute
create Result.set (lower_left, width, height)ensure
Result.height = heightResult.width = widthResult.lower_left = lower_leftResult.contains (Current)
end
… As before …
![Page 46: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/46.jpg)
46
Initializing variables
What if an attribute is not self-initializing?
Scheme 1: CAPScheme 2: Self-initializing attributes Scheme 3: Properly set variables
![Page 47: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/47.jpg)
47
Properly set variables
At any place where it is accessed, a variable must be properly set
![Page 48: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/48.jpg)
48
Components of the solution
1. Some patterns guaranteed void-safe(“Certified Attachment Patterns” or CAPS)
2. Object test
3. Attached type(Issue here: initialization)
4. Rule for generic parameters
![Page 49: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/49.jpg)
49
Variables of a formal generic type
In class C [G ], what about variables such as
x : G ?
Example generic derivations: C [INTEGER ]
C [EMPLOYEE ]
![Page 50: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/50.jpg)
Meaning of a formal generic parameter
Constrained genericity: class C [G -> T ] …
Generic derivation must be C [U ], where U conforms to T
Unconstrained genericity: class C [G ] In pre-void-safe Eiffel: abbreviation for
class C [G -> ANY] …Now: abbreviation for
class C [G -> detachable ANY ] …
Can also use class C [G -> attached T ]
50
![Page 51: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/51.jpg)
51
The remaining issue: arrays
a : ARRAY [T ] -- Assume T is an attached type
Array creation (old):
create a make (1, n)
Not void-safe!
i
j
?
a
(y)
Creation procedure now required for attached types:
create a make_filled (1, n, default)
Creation issue: classes inheriting from ARRAY .
![Page 52: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/52.jpg)
52
- 4 -
Current status
![Page 53: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/53.jpg)
53
6.4, May 2009
Full mechanism supported
Libraries entirely converted
Environment (EiffelStudio) partly converted
Compatibility option
Did not switch the defaults yet
![Page 54: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/54.jpg)
54
Basic O-O operation
x.f (args)
… and basic issue studied here:
(If not, call produces an exception and usually termination)
Semantics: apply the feature f, with given args if any, to the object to which x is attached
How do we guarantee that x will always be “attached” to an object?
![Page 55: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/55.jpg)
55
Subject: “I had a dream”
From:"Eric Bezault" [email protected]:"ECMA TC49-TG4" Date:Thu, 4 Jun 2009 11:21
Last night I had a dream. I was programming in Eiffel 5.7. The code was elegant. There was no need for defensive programming just by taking full advantage of design by contract. Thanks to these contracts the code was easy to reuse and to debug. I could hardly remember the last time I had a call-on-void-target. It was so pleasant to program with such a wonderful language.
This morning when I woke up I looked at the code that had been modified to comply with void-safety. This was a rude awakening. The code which was so elegant in my dream now looked convoluted, hard to follow. It looks like assertions are losing all their power and defensive programming is inviting itself again in the code. […]
![Page 56: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/56.jpg)
56
Requirements
Minimal language extensionStatically, completely void safeSimple for programmer, no mysterious rulesReasonably simple for compilerHandles genericityDoesn’t limit expressivenessCompatibility or minimum change for existing
code1st-semester teachability
![Page 57: Avoid a void](https://reader033.vdocuments.net/reader033/viewer/2022050911/568163f2550346895dd573c6/html5/thumbnails/57.jpg)
57
I call it my billion-dollarmistake. It was the inventionof the null reference in 1965.I was designing the firstcomprehensive type systemfor references in an object-oriented language (ALGOL W).My goal was to ensure that alluse of references should besafe, checked by the compiler.
But I couldn't resist the temptation to put in a null reference, because it was so easy to implement. This has led to innumerable errors, vulnerabilities, and system crashes, which have probably caused a billion dollars of pain and damage in the last forty years.