DOCSLIB.ORG

Safe Programming at the C Level of Abstraction

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Safe Programming at the C Level of Abstraction SAFE PROGRAMMING AT THE C LEVEL OF ABSTRACTION A Dissertation Presented to the Faculty of the Graduate School of Cornell University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy by Daniel Joseph Grossman August 2003 c Daniel Joseph Grossman 2003 ALL RIGHTS RESERVED SAFE PROGRAMMING AT THE C LEVEL OF ABSTRACTION Daniel Joseph Grossman, Ph.D. Cornell University 2003 Memory safety and type safety are invaluable features for building robust software. However, most safe programming languages are at a high level of abstraction; pro- grammers have little control over data representation and memory management. This control is one reason C remains the de facto standard for writing systems software or extending legacy systems already written in C. The Cyclone language aims to bring safety to C-style programming without sacrificing the programmer control necessary for low-level software. A combination of advanced compile-time techniques, run-time checks, and modern language features helps achieve this goal. This dissertation focuses on the advanced compile-time techniques. A type system with quantified types and effects prevents incorrect type casts, dangling- pointer dereferences, and data races. An intraprocedural flow analysis prevents dereferencing NULL pointers and uninitialized memory, and extensions to it can prevent array-bounds violations and misused unions. Formal abstract machines and rigorous proofs demonstrate that these compile-time techniques are sound: The safety violations they address become impossible. A less formal evaluation establishes two other design goals of equal importance. First, the language remains expressive. Although it rejects some safe programs, it permits many C idioms regarding generic code, manual memory management, lock-based synchronization, NULL-pointer checking, and data initialization. Sec- ond, the language represents a unified approach. A small collection of techniques addresses a range of problems, indicating that the problems are more alike than they originally seem. BIOGRAPHICAL SKETCH Dan Grossman was born on January 20, 1975 in St. Louis, Missouri. Thus far, his diligent support of St. Louis sports teams has produced one World Series victory in three appearances and one Super Bowl victory in two appearances, but no Stanley Cup finals. Upon graduating from Parkway Central High School in 1993, Dan’s peers selected him as the male mostly likely to become a politician. Dan spent five summers working at the S-F Scout Ranch. For three years, he managed camp business operations with a typewriter, carbon paper, and an adding machine. In 1997, Dan received a B.A. in Computer Science and a B.S. in Electrical Engi- neering from Rice University. These awards signified the termination of convenient access to La Mexicana, a restaurant that produces the world’s best burritos. Also in 1997, Dan completed hiking the 2160-mile Appalachian Trail. To this day, he smirks when others describe somewhere as a, “really long walk.” For the last six years, Dan has lived primarily in Ithaca, New York while completing his doctorate in computer science at Cornell University. His ice-hockey skills have improved considerably. Dan has been to every state in the United States except Alaska, Hawaii, Nevada, Michigan, Minnesota, Wisconsin, and South Carolina. (He has been to airports in Michigan, Minnesota, Nevada, and South Carolina.) In his lifetime, Dan has eaten only two green olives. iii ACKNOWLEDGMENTS Attempting to acknowledge those who have helped me in endeavors that have led to this dissertation is an activity doomed to failure. In my six years of graduate school and twenty-two years of formal education, far too many people have shared a kind word, an intellectual insight, or a pint of beer for this summary to be complete. But rest assured: I thank you all. My advisor, Greg Morrisett, has been an irreplaceable source of advice, guid- ance, and encouragement. This dissertation clearly represents an outgrowth of his research vision. He has also shown an amazing ability to determine when my stubbornness is an asset and when it is a liability. This dissertation owes its credibility to the actual Cyclone implementation, which is joint work with Greg, Trevor Jim, Michael Hicks, James Cheney, and Yanling Wang. These people have all made significant intellectual contributions as well as doing grunt work I am glad I did not have to do. My thesis committee, Greg, Keshav Pingali, and Dexter Kozen (filling in for Jim West) have done a thorough and admirable job, especially considering this dissertation’s length. My research-group predecessors deserve accolades for serving as mentors, tu- tors, and collaborators. Moreover, they deserve individual mention for unique lessons such as the importance of morning coffee (Neal Glew), things to do in New Jersey (Fred Smith), fashion sense (Dave Walker), the joy of 8AM push-ups (Stephanie Weirich), and the proper placement of hyphens (Steve Zdancewic). My housemates (fellow computer scientists Amanda Holland-Minkley, Nick Howe, and Kevin O’Neill) deserve mention for helping from beginning (when I didn’t know where the grocery store was) to middle (when I couldn’t get a date to save my life) to end (when I spent all my time deciding what to do next). My officemates (Neal, Steve Zdancewic, Yanling Wang, Stephen Chong, and Alexa Sharp) would only occasionally roll their eyes at a whiteboard full of ` characters. (Not to mention an acknowledgments section with one.) I have benefitted from the watchful eye of many faculty members at Cornell, most notably Bob Constable, Jon Kleinberg, Dexter Kozen, Lillian Lee, and An- iv drew Myers. I also enjoyed great mentors during summer internships (John Reppy and Rob DeLine) and as an undergraduate (Matthias Felleisen). The Cornell Com- puter Science staff members, particularly Juanita Heyerman, have been a great help. Friends who cooked me dinner, bought me beer, played hockey or soccer or softball, went to the theatre, played bridge, or in some cases all of the above, have made my time in Ithaca truly special. Only one such person gets to see her name in this paragraph, though. In an effort to be brief, let me just say that Kate Forester is responsible for me leaving Ithaca a happier person than I arrived. My family has shown unwavering support in all my pursuits, so it should come as no surprise that they encouraged me throughout graduate school. They have occasionally even ignored my advice not to read my papers. But more importantly, they taught me the dedication, perseverance, and integrity that are prerequisites for an undertaking of this nature. Finally, I am grateful for the financial support of a National Science Foundation Graduate Fellowship and an Intel Graduate Fellowship. v vi TABLE OF CONTENTS 1 Introduction and Thesis 1 1.1 Safe C-Level Programming . 2 1.2 Relation of This Dissertation to Cyclone . 3 1.3 Explanation of Thesis . 6 1.4 Contributions . 10 1.5 Overview . 12 2 Examples and Techniques 14 2.1 Type Variables . 14 2.2 Singleton Integer Types . 18 2.3 Region Variables . 20 2.4 Lock Variables . 22 2.5 Summary of Type-Level Variables . 24 2.6 Definite Assignment . 25 2.7 NULL Pointers . 27 2.8 Checking Against Tag Variables . 28 2.9 Interprocedural Flow . 29 2.10 Summary of Flow-Analysis Applications . 30 3 Type Variables 31 3.1 Basic Constructs . 33 3.1.1 Universal Quantification . 33 3.1.2 Existential Quantification . 36 3.1.3 Type Constructors . 38 3.1.4 Default Annotations . 40 3.2 Size and Calling Convention . 42 3.3 Mutation . 44 3.3.1 Polymorphic References . 44 3.3.2 Mutable Existential Packages . 46 3.3.3 Informal Comparison of Problems . 48 vii 3.4 Evaluation . 48 3.4.1 Good News . 48 3.4.2 Bad News . 51 3.5 Formalism . 54 3.5.1 Syntax . 55 3.5.2 Dynamic Semantics . 57 3.5.3 Static Semantics . 62 3.5.4 Type Safety . 67 3.6 Related Work . 67 4 Region-Based Memory Management 71 4.1 Basic Constructs . 73 4.1.1 Region Terms . 73 4.1.2 Region Names . 74 4.1.3 Quantified Types and Type Constructors . 75 4.1.4 Subtyping . 78 4.1.5 Default Annotations . 79 4.2 Interaction With Type Variables . 81 4.2.1 Avoiding Effect Variables . 83 4.2.2 Using Existential Types . 84 4.3 Run-Time Support . 85 4.4 Evaluation . 86 4.4.1 Good News . 86 4.4.2 Bad News . 88 4.4.3 Advanced Examples . 91 4.5 Formalism . 94 4.5.1 Syntax . 95 4.5.2 Dynamic Semantics . 97 4.5.3 Static Semantics . 100 4.5.4 Type Safety . 108 4.6 Related Work . 108 5 Type-Safe Multithreading 112 5.1 Basic Constructs . 115 5.1.1 Multithreading Terms . 115 5.1.2 Multithreading Types . 116 5.1.3 Multithreading Kinds . 119 5.1.4 Default Annotations . 120 5.2 Interaction With Type Variables . 121 5.3 Interaction With Regions . 123 viii 5.3.1 Comparing Locks and Regions . 123 5.3.2 Combining Locks and Regions . 124 5.4 Run-Time Support . 125 5.5 Evaluation . 126 5.5.1 Good News . 126 5.5.2 Bad News . 128 5.6 Formalism . 130 5.6.1 Syntax . 131 5.6.2 Dynamic Semantics . 133 5.6.3 Static Semantics . 137 5.6.4 Type Safety . 144 5.7 Related Work . 144 6 Uninitialized Memory and NULL Pointers 148 6.1 Background and Contributions . 149 6.1.1 A Basic Analysis . 150 6.1.2 Reasoning About Pointers . 151 6.1.3 Evaluation Order . 152 6.2 The Analysis . 154 6.2.1 Abstract States . 154 6.2.2 Expressions . 155 6.2.3 Statements .
Load more

Recommended publications
  • A Polymorphic Type System for Extensible Records and Variants
    A Polymorphic Typ e System for Extensible Records and Variants Benedict R. Gaster and Mark P. Jones Technical rep ort NOTTCS-TR-96-3, November 1996 Department of Computer Science, University of Nottingham, University Park, Nottingham NG7 2RD, England. fbrg,[email protected] Abstract b oard, and another indicating a mouse click at a par- ticular p oint on the screen: Records and variants provide exible ways to construct Event = Char + Point : datatyp es, but the restrictions imp osed by practical typ e systems can prevent them from b eing used in ex- These de nitions are adequate, but they are not par- ible ways. These limitations are often the result of con- ticularly easy to work with in practice. For example, it cerns ab out eciency or typ e inference, or of the di- is easy to confuse datatyp e comp onents when they are culty in providing accurate typ es for key op erations. accessed by their p osition within a pro duct or sum, and This pap er describ es a new typ e system that reme- programs written in this way can b e hard to maintain. dies these problems: it supp orts extensible records and To avoid these problems, many programming lan- variants, with a full complement of p olymorphic op era- guages allow the comp onents of pro ducts, and the al- tions on each; and it o ers an e ective type inference al- ternatives of sums, to b e identi ed using names drawn gorithm and a simple compilation metho d.
    [Show full text]
  • Automatic Detection of Uninitialized Variables
    Automatic Detection of Uninitialized Variables Thi Viet Nga Nguyen, Fran¸cois Irigoin, Corinne Ancourt, and Fabien Coelho Ecole des Mines de Paris, 77305 Fontainebleau, France {nguyen,irigoin,ancourt,coelho}@cri.ensmp.fr Abstract. One of the most common programming errors is the use of a variable before its definition. This undefined value may produce incorrect results, memory violations, unpredictable behaviors and program failure. To detect this kind of error, two approaches can be used: compile-time analysis and run-time checking. However, compile-time analysis is far from perfect because of complicated data and control flows as well as arrays with non-linear, indirection subscripts, etc. On the other hand, dynamic checking, although supported by hardware and compiler tech- niques, is costly due to heavy code instrumentation while information available at compile-time is not taken into account. This paper presents a combination of an efficient compile-time analysis and a source code instrumentation for run-time checking. All kinds of variables are checked by PIPS, a Fortran research compiler for program analyses, transformation, parallelization and verification. Uninitialized array elements are detected by using imported array region, an efficient inter-procedural array data flow analysis. If exact array regions cannot be computed and compile-time information is not sufficient, array elements are initialized to a special value and their utilization is accompanied by a value test to assert the legality of the access. In comparison to the dynamic instrumentation, our method greatly reduces the number of variables to be initialized and to be checked. Code instrumentation is only needed for some array sections, not for the whole array.
    [Show full text]
  • Bounds Checking on GPU
    Noname manuscript No. (will be inserted by the editor) Bounds Checking on GPU Troels Henriksen Received: date / Accepted: date Abstract We present a simple compilation strategy for safety-checking array indexing in high-level languages on GPUs. Our technique does not depend on hardware support for abnormal termination, and is designed to be efficient in the non-failing case. We rely on certain properties of array languages, namely the absence of arbitrary cross-thread communication, to ensure well-defined execution in the presence of failures. We have implemented our technique in the compiler for the functional array language Futhark, and an empirical eval- uation on 19 benchmarks shows that the geometric mean overhead of checking array indexes is respectively 4% and 6% on two different GPUs. Keywords GPU · functional programming · compilers 1 Introduction Programming languages can be divided roughly into two categories: unsafe languages, where programming errors can lead to unpredictable results at run- time; and safe languages, where all risky operations are guarded by run-time checks. Consider array indexing, where an invalid index will lead an unsafe lan- guage to read from an invalid memory address. At best, the operating system will stop the program, but at worst, the program will silently produce invalid results. A safe language will perform bounds checking to verify that the array index is within the bounds of the array, and if not, signal that something is amiss. Some languages perform an abnormal termination of the program and print an error message pointing to the offending program statement. Other languages throw an exception, allowing the problem to be handled by the pro- gram itself.
    [Show full text]
  • Safety Properties Liveness Properties
    Computer security Goal: prevent bad things from happening PLDI’06 Tutorial T1: Clients not paying for services Enforcing and Expressing Security Critical service unavailable with Programming Languages Confidential information leaked Important information damaged System used to violate laws (e.g., copyright) Andrew Myers Conventional security mechanisms aren’t Cornell University up to the challenge http://www.cs.cornell.edu/andru PLDI Tutorial: Enforcing and Expressing Security with Programming Languages - Andrew Myers 2 Harder & more important Language-based security In the ’70s, computing systems were isolated. Conventional security: program is black box software updates done infrequently by an experienced Encryption administrator. Firewalls you trusted the (few) programs you ran. System calls/privileged mode physical access was required. Process-level privilege and permissions-based access control crashes and outages didn’t cost billions. The Internet has changed all of this. Prevents addressing important security issues: Downloaded and mobile code we depend upon the infrastructure for everyday services you have no idea what programs do. Buffer overruns and other safety problems software is constantly updated – sometimes without your knowledge Extensible systems or consent. Application-level security policies a hacker in the Philippines is as close as your neighbor. System-level security validation everything is executable (e.g., web pages, email). Languages and compilers to the rescue! PLDI Tutorial: Enforcing
    [Show full text]
  • An In-Depth Study with All Rust Cves
    Memory-Safety Challenge Considered Solved? An In-Depth Study with All Rust CVEs HUI XU, School of Computer Science, Fudan University ZHUANGBIN CHEN, Dept. of CSE, The Chinese University of Hong Kong MINGSHEN SUN, Baidu Security YANGFAN ZHOU, School of Computer Science, Fudan University MICHAEL R. LYU, Dept. of CSE, The Chinese University of Hong Kong Rust is an emerging programing language that aims at preventing memory-safety bugs without sacrificing much efficiency. The claimed property is very attractive to developers, and many projects start usingthe language. However, can Rust achieve the memory-safety promise? This paper studies the question by surveying 186 real-world bug reports collected from several origins which contain all existing Rust CVEs (common vulnerability and exposures) of memory-safety issues by 2020-12-31. We manually analyze each bug and extract their culprit patterns. Our analysis result shows that Rust can keep its promise that all memory-safety bugs require unsafe code, and many memory-safety bugs in our dataset are mild soundness issues that only leave a possibility to write memory-safety bugs without unsafe code. Furthermore, we summarize three typical categories of memory-safety bugs, including automatic memory reclaim, unsound function, and unsound generic or trait. While automatic memory claim bugs are related to the side effect of Rust newly-adopted ownership-based resource management scheme, unsound function reveals the essential challenge of Rust development for avoiding unsound code, and unsound generic or trait intensifies the risk of introducing unsoundness. Based on these findings, we propose two promising directions towards improving the security of Rust development, including several best practices of using specific APIs and methods to detect particular bugs involving unsafe code.
    [Show full text]
  • Project Snowflake: Non-Blocking Safe Manual Memory Management in .NET
    Project Snowflake: Non-blocking Safe Manual Memory Management in .NET Matthew Parkinson Dimitrios Vytiniotis Kapil Vaswani Manuel Costa Pantazis Deligiannis Microsoft Research Dylan McDermott Aaron Blankstein Jonathan Balkind University of Cambridge Princeton University July 26, 2017 Abstract Garbage collection greatly improves programmer productivity and ensures memory safety. Manual memory management on the other hand often delivers better performance but is typically unsafe and can lead to system crashes or security vulnerabilities. We propose integrating safe manual memory management with garbage collection in the .NET runtime to get the best of both worlds. In our design, programmers can choose between allocating objects in the garbage collected heap or the manual heap. All existing applications run unmodified, and without any performance degradation, using the garbage collected heap. Our programming model for manual memory management is flexible: although objects in the manual heap can have a single owning pointer, we allow deallocation at any program point and concurrent sharing of these objects amongst all the threads in the program. Experimental results from our .NET CoreCLR implementation on real-world applications show substantial performance gains especially in multithreaded scenarios: up to 3x savings in peak working sets and 2x improvements in runtime. 1 Introduction The importance of garbage collection (GC) in modern software cannot be overstated. GC greatly improves programmer productivity because it frees programmers from the burden of thinking about object lifetimes and freeing memory. Even more importantly, GC prevents temporal memory safety errors, i.e., uses of memory after it has been freed, which often lead to security breaches. Modern generational collectors, such as the .NET GC, deliver great throughput through a combination of fast thread-local bump allocation and cheap collection of young objects [63, 18, 61].
    [Show full text]
  • Ensuring the Spatial and Temporal Memory Safety of C at Runtime
    MemSafe: Ensuring the Spatial and Temporal Memory Safety of C at Runtime Matthew S. Simpson, Rajeev K. Barua Department of Electrical & Computer Engineering University of Maryland, College Park College Park, MD 20742-3256, USA fsimpsom, [email protected] Abstract—Memory access violations are a leading source of dereferencing pointers obtained from invalid pointer arith- unreliability in C programs. As evidence of this problem, a vari- metic; and dereferencing uninitialized, NULL or “manufac- ety of methods exist that retrofit C with software checks to detect tured” pointers.1 A temporal error is a violation caused by memory errors at runtime. However, these methods generally suffer from one or more drawbacks including the inability to using a pointer whose referent has been deallocated (e.g. with detect all errors, the use of incompatible metadata, the need for free) and is no longer a valid object. The most well-known manual code modifications, and high runtime overheads. temporal violations include dereferencing “dangling” point- In this paper, we present a compiler analysis and transforma- ers to dynamically allocated memory and freeing a pointer tion for ensuring the memory safety of C called MemSafe. Mem- more than once. Dereferencing pointers to automatically allo- Safe makes several novel contributions that improve upon previ- ous work and lower the cost of safety. These include (1) a method cated memory (stack variables) is also a concern if the address for modeling temporal errors as spatial errors, (2) a compati- of the referent “escapes” and is made available outside the ble metadata representation combining features of object- and function in which it was defined.
    [Show full text]
  • Cyclone: a Type-Safe Dialect of C∗
    Cyclone: A Type-Safe Dialect of C∗ Dan Grossman Michael Hicks Trevor Jim Greg Morrisett If any bug has achieved celebrity status, it is the • In C, an array of structs will be laid out contigu- buffer overflow. It made front-page news as early ously in memory, which is good for cache locality. as 1987, as the enabler of the Morris worm, the first In Java, the decision of how to lay out an array worm to spread through the Internet. In recent years, of objects is made by the compiler, and probably attacks exploiting buffer overflows have become more has indirections. frequent, and more virulent. This year, for exam- ple, the Witty worm was released to the wild less • C has data types that match hardware data than 48 hours after a buffer overflow vulnerability types and operations. Java abstracts from the was publicly announced; in 45 minutes, it infected hardware (“write once, run anywhere”). the entire world-wide population of 12,000 machines running the vulnerable programs. • C has manual memory management, whereas Notably, buffer overflows are a problem only for the Java has garbage collection. Garbage collec- C and C++ languages—Java and other “safe” lan- tion is safe and convenient, but places little con- guages have built-in protection against them. More- trol over performance in the hands of the pro- over, buffer overflows appear in C programs written grammer, and indeed encourages an allocation- by expert programmers who are security concious— intensive style. programs such as OpenSSH, Kerberos, and the com- In short, C programmers can see the costs of their mercial intrusion detection programs that were the programs simply by looking at them, and they can target of Witty.
    [Show full text]
  • Cs164: Introduction to Programming Languages and Compilers
    Lecture 19 Flow Analysis flow analysis in prolog; applications of flow analysis Ras Bodik Hack Your Language! CS164: Introduction to Programming Ali and Mangpo Languages and Compilers, Spring 2013 UC Berkeley 1 Today Static program analysis what it computes and how are its results used Points-to analysis analysis for understanding flow of pointer values Andersen’s algorithm approximation of programs: how and why Andersen’s algorithm in Prolog points-to analysis expressed via just four deduction rules Andersen’s algorithm via CYK parsing (optional) expressed as CYK parsing of a graph representing the pgm Static Analysis of Programs definition and motivation 3 Static program analysis Computes program properties used by a range of clients: compiler optimizers, static debuggers, security audit tools, IDEs, … Static analysis == at compile time – that is, prior to seeing the actual input ==> analysis answer must be correct for all possible inputs Sample program properties: does variable x has a constant value (for all inputs)? does foo() return a table (whenever called, on all inputs)? 4 Client 1: Program Optimization Optimize program by finding constant subexpressions Ex: replace x[i] with x[1] if we know that i is always 1. This optimizations saves the address computation. This analysis is called constant propagation i = 2 … i = i+2 … if (…) { …} … x[i] = x[i-1] 5 Client 2: Find security vulnerabilities One specific analysis: find broken sanitization In a web server program, as whether a value can flow from POST (untrusted source) to the SQL interpreter (trusted sink) without passing through the cgi.escape() sanitizer? This is taint analysis.
    [Show full text]
  • Advanced Practical Programming for Scientists
    Advanced practical Programming for Scientists Thorsten Koch Zuse Institute Berlin TU Berlin SS2017 The Zen of Python, by Tim Peters (part 1) ▶︎ Beautiful is better than ugly. ▶︎ Explicit is better than implicit. ▶︎ Simple is better than complex. ▶︎ Complex is better than complicated. ▶︎ Flat is better than nested. ▶︎ Sparse is better than dense. ▶︎ Readability counts. ▶︎ Special cases aren't special enough to break the rules. ▶︎ Although practicality beats purity. ▶︎ Errors should never pass silently. ▶︎ Unless explicitly silenced. ▶︎ In the face of ambiguity, refuse the temptation to guess. Advanced Programming 78 Ex1 again • Remember: store the data and compute the geometric mean on this stored data. • If it is not obvious how to compile your program, add a REAME file or a comment at the beginning • It should run as ex1 filenname • If you need to start something (python, python3, ...) provide an executable script named ex1 which calls your program, e.g. #/bin/bash python3 ex1.py $1 • Compare the number of valid values. If you have a lower number, you are missing something. If you have a higher number, send me the wrong line I am missing. File: ex1-100.dat with 100001235 lines Valid values Loc0: 50004466 with GeoMean: 36.781736 Valid values Loc1: 49994581 with GeoMean: 36.782583 Advanced Programming 79 Exercise 1: File Format (more detail) Each line should consists of • a sequence-number, • a location (1 or 2), and • a floating point value > 0. Empty lines are allowed. Comments can start a ”#”. Anything including and after “#” on a line should be ignored.
    [Show full text]
  • A Nominal Theory of Objects with Dependent Types
    A Nominal Theory of Objects with Dependent Types Martin Odersky, Vincent Cremet, Christine R¨ockl, Matthias Zenger Ecole´ Polytechnique F´ed´eralede Lausanne INR Ecublens 1015 Lausanne, Switzerland Technical Report IC/2002/070 Abstract Simula 67 [DMN70], whereas virtual or abstract types are present in BETA [MMPN93], as well as more recently in We design and study νObj, a calculus and dependent type gbeta [Ern99], Rune [Tor02] and Scala [Ode02]. An es- system for objects and classes which can have types as mem- sential ingredient of these systems are objects with type bers. Type members can be aliases, abstract types, or new members. There is currently much work that explores types. The type system can model the essential concepts the uses of this concept in object-oriented programming of Java’s inner classes as well as virtual types and family [SB98, TT99, Ern01, Ost02]. But its type theoretic foun- polymorphism found in BETA or gbeta. It can also model dations are just beginning to be investigated. most concepts of SML-style module systems, including shar- As is the case for modules, dependent types are a promis- ing constraints and higher-order functors, but excluding ap- ing candidate for a foundation of objects with type mem- plicative functors. The type system can thus be used as a bers. Dependent products can be used to represent functors basis for unifying concepts that so far existed in parallel in in SML module systems as well as classes in object sys- advanced object systems and in module systems. The paper tems with virtual types [IP02].
    [Show full text]
  • Generic Programming
    Generic Programming July 21, 1998 A Dagstuhl Seminar on the topic of Generic Programming was held April 27– May 1, 1998, with forty seven participants from ten countries. During the meeting there were thirty seven lectures, a panel session, and several problem sessions. The outcomes of the meeting include • A collection of abstracts of the lectures, made publicly available via this booklet and a web site at http://www-ca.informatik.uni-tuebingen.de/dagstuhl/gpdag.html. • Plans for a proceedings volume of papers submitted after the seminar that present (possibly extended) discussions of the topics covered in the lectures, problem sessions, and the panel session. • A list of generic programming projects and open problems, which will be maintained publicly on the World Wide Web at http://www-ca.informatik.uni-tuebingen.de/people/musser/gp/pop/index.html http://www.cs.rpi.edu/˜musser/gp/pop/index.html. 1 Contents 1 Motivation 3 2 Standards Panel 4 3 Lectures 4 3.1 Foundations and Methodology Comparisons ........ 4 Fundamentals of Generic Programming.................. 4 Jim Dehnert and Alex Stepanov Automatic Program Specialization by Partial Evaluation........ 4 Robert Gl¨uck Evaluating Generic Programming in Practice............... 6 Mehdi Jazayeri Polytypic Programming........................... 6 Johan Jeuring Recasting Algorithms As Objects: AnAlternativetoIterators . 7 Murali Sitaraman Using Genericity to Improve OO Designs................. 8 Karsten Weihe Inheritance, Genericity, and Class Hierarchies.............. 8 Wolf Zimmermann 3.2 Programming Methodology ................... 9 Hierarchical Iterators and Algorithms................... 9 Matt Austern Generic Programming in C++: Matrix Case Study........... 9 Krzysztof Czarnecki Generative Programming: Beyond Generic Programming........ 10 Ulrich Eisenecker Generic Programming Using Adaptive and Aspect-Oriented Programming .
    [Show full text]