1 uwe nestmann, november 30, 1999migration = cloning ; aliasing uwe nestmann hans hüttel josva...

Uwe Nestmann, November 30, 1999

Migration = Cloning ; Aliasing 1

Migration = Cloning ; Aliasing

Uwe Nestmann Hans Hüttel Josva Kleist

BRICS@Aalborg University, Denmark

Massimo MerroINRIA@Sophia-Antipolis, France

http://www.cs.auc.dk/research/FS/ojeblik/



MotivationFile Migration in UnixObject Migration in ObliqFrom Migration to Surrogation What is Correctness?

Transparency!

OverviewAliasing Models for Mobile ObjectsConclusions



File “Migration” in Unix: mv = cp;rm

//AAA:

aa/

x

//BBB:

bb/

...

1) cp //AAA:aa/x //BBB:bb/2) rm //AAA:aa/x3) ln -s //BBB:bb/x //AAA:aa/ … ???



Distributed Mobile Computation in Obliq

Features (according to [Cardelli, POPL’95]):

distributed, but lexically scoped object-based, with aliasing, cloning, and method updateserialized and protected, based on self-inflictionuntyped and interpreted (based on Modula-3)

Computation Model/Paradigm

distributed objects and mobile agents (clients)secure use of distributed resourcesobject migration (servers) as a derived concept



Object “Migration” in Obliq

A B

Calling x.migrate_to(B) with x located at site A

x’

A B

turns x at A into a proxy for a copy x’ of itself located at site B

x

x



x

x

Surrogation =

Calling x.surrogate

turns x at A into a proxy for a copy x’ of itself

DistributionMigration

cloningaliasin

g

“self-inflictio

n”x’



Lexical Scoping

Computations are qualitatively location independent.

The binding of variables depends exclusively on the program text, not on the physical location in a distributed system.

The run-time system guarantees thatimmutable values are copied as is, whilemutable values are transmitted via network references.



Disclaimer

By abstracting away the distributed aspects of Obliq-style migration, resulting in surrogation, we define a feasible subset for reasoning about their correctness.Of course, positive results on surrogation do not tell everything about migration, but they give confidence on some essential aspects and, which is maybe more important, negative results carry over to Obliq !



Is Such Surrogation transparent ?

SERIALIZATION for ATOMICITYprevents from interference with other threads

PROTECTION for PERSISTENCYprevents from external overwriting of the aliased objectIs that enough for proving a

“natural” law

which tells that “an object before and after surrogation has identical behavior, up to the notion of equivalence =” ?

x = x.surrogate



Choose a feasible subset of Obliq: Øjeblik

Give a suitable formal semantics to Øjeblik

Gain confidence (e.g. by examples & properties)

Prove the theorem … not in this talk ...

Roadmap



MotivationOverview

Object CalculiSelf-Infliction, Protection,

SerializationFormal Semantics & Program

EquivalenceCrucial Observations & Main

ResultsAliasing Models for Mobile Objects Conclusions



Language: FOC IOC ØjeblikObliq

Object “Calculi”

methods cloning aliasing

distributionupdate let-bindings

concurrency advanced sync (fork/join) basic data

proceduresexceptions

engines, ...Semanticsdirect: S.O.S. S.O.S. S.O.S.“S.O.S.”translation:-calculus -calculus -calculus “Modula-3”

TalcottCardelli



Øjeblik Obliq

a,b ::= O| a.l (a1,...,an)| a.l m| a.alias (b)| a.clone| a.surrogate| s|x|y|z| let x=a in b end| fork(a)| join(b)

O ::= [ lj = mj ]{j ε J}

m ::= meth(s,x1,...,xn) a end

each object is protected & serializedeach object has surrogate method:

meth(s) s.alias(s.clone) end



k1

k2

k1

k2

an operation on an object is self-inflicted (or: internal), if the object is the same as the current self,

The Concept of Self-Infliction (I)

k1

k2

otherwise the operation is called external.

k1

k2



clone

l

The Concept of Self-Infliction (II)

let x= [ k = meth(s) s.l, l = id ]

in x.k

k

l

klet y= [ l = … ] in let x= [ k = meth(s) y.clone ] in x.k



Protection via Self-Infliction

Produce a run-time error, when an invocation of either of

cloneupdatealias

is carried out externally, and block the caller.

This behavior protects the internal state of an object such that it can only be changed in a self-inflicted way, i.e., by itself.

clone

l



Serialization via Self-infliction (as in Modula-3)

Serialization: grab an object’s mutex, when operating on it.

Self-Serialization: don’t grab the mutex, when calling self-inflicted.

k1

k2

k1

k2

k1

k2

k1

k2

Allows for self-recursion!Forbids mutual recursion!



Equivalence & Formal Study

a = b, if they have the same convergence behavior in all closing program contexts C[ ], i.e., C[a] iff C[b].

•give configuration-style semantics•choose program equivalence

•compare example programs •compare their behavior w.r.t. different semantics

correction of semantics & implementation formal proofs using -calculus



Observations

calls for surrogation, like all method invocations, can occur externally or internally

this is undecidable

In fact, the external-internal distinction precisely indicates different behavior of our example programswhen protection and serialization apply.



Main Results

(TRANS) For all C[ ] in CON (:=INT+EXT), C[x] iff C[x.surrogate].

INT/EXT: Contexts that lead to internal/external access to x.

(NEG1): for Obliq’s implementation, (TRANS) does not hold;for Talcott’s semantics, (TRANS) does not hold;this is true even if we restrict CON to EXT.

(NEG2): for INT-contexts, (TRANS) cannot hold.

(POS): in our repaired semantics with forwarder aliasing model (TRANS) holds for EXT-contexts.



MotivationOverview Aliasing Models for Mobile Objects

Counterexamples for External Surrogation

Problematic Examples for Internal SurrogationConclusions



y=xk

l

x y=x.surrogatek

l

k

l

C[x.surrogate] blocks (run-time error) for Cardelli, but not for Talcott !

C[ ] == let x= [ k=meth(s,z) z.l, l=id ] inlet y= [ ] in y.k(x)

External Surrogation (I): Cardelli

C[x] in all models.



y=xk

clone clone

x y=x.surrogatek k

clone

C[ ] == let x= [ k=meth(s,z) z.clone ] inlet y= [ ] in y.k(x)

External Surrogation (II): Talcott

C[x.surrogate] blocks (run-time error) for both Cardelli and Talcott !

C[x] in all models.



C[ ] == [ k=meth(s) let y=[ ] in y.clone ].k

Internal Surrogation (I): target clone

y=sk

clone clone

s y=s.surrogatek k

clone

C[s.surrogate] blocks (run-time error) in all models

C[s] in all models.



C[ ] == [ k=meth(s) let y=[ ] in s.k id ].k

Internal Surrogation (II): source update

y=sk

update

s y=s.surrogatek k

updateupdate

C[s.surrogate] blocks (run-time error) in all models

C[s] in all models.



C[ ] == let x = [ l=Ω, k=Ω ] in [ l=id, k=meth(s) let y=[ ] in s.alias(x) ; y.l ].k

Internal Surrogation (III): re-alias

y=sk

xk

l lΩ

Ω

s y=s.surrogatek k

l l

xk

lΩ

Ω

idid

C[s] diverges !

C[s.surrogate]



MotivationOverview Aliasing Models for Mobile Objects Conclusions

Further Work



Further Work

•prototype implementation•static type system•syntactic criteria to exclude INT-contexts

OKOKOK

•proofs of more equations•consistency among the S.O.S. and the -calculus•mobile objects in more “commercial” languages

type system refinement

1 uwe nestmann, november 30, 1999migration = cloning ; aliasing uwe nestmann hans hüttel josva...

Documents