The MIT Flex Project and the DARPA PCES Program
Some of our Flex research is funded under the
DARPA
Program Composition for Embedded Systems (PCES) program , in the
DARPA Information Technology Office (ITO) .
Much of the technology is being made available in our
Flex Compiler System, with source
code and documentation currently available for download.
Role Analysis and Verification
The goal of the role analysis and verification research is to develop
a verified formalism for describing the changing roles that objects
play during the course of the computation. We have identified several
different role classification principles:
- Relative Role Classification: The role of an object
is often determined by the data structures in which it participates.
So the referencing relationships between objects determine the
roles that objects play. Role changes correspond to movements between
data structures, which in turn correspond to changes in the object's
referencing behavior.
- Content-Based Role Classification: The role of an object
can also be determined by the values of its fields. A common programming
practice, for example, is to set a flag in the object to reflect its
current state. Role changes correspond to changes in the values of fields.
- History-Based Role Classification: Finally,
the role of an object can also be determined by the history of
operations applied to the object. Role changes correspond to
executing operations on the object.
One can view roles as an extension of the type system in which
the type of an object changes as it participates in the computation.
In a standard type system, an object's type is tied to its class,
which is the same for the entire lifetime of the object. Roles enable
a more precise concept of type that more closely reflects the application
semantics.
Our basic approach is to acquire role information, from the programmer,
from a dynamic analysis, or from a combination of these sources, and
automatically verify the information. We plan to use the information
for a variety of purposes:
- Interaction Analysis: To analyze the interactions
in a distributed system in which the components interact using
a publish/subscribe event notification system and a shared object
space. The interaction analysis can leverage the role information
to extract precise information, matching publishers with subscribers and
role changes with movements of objects between compononents.
- Failure Propagation and Elimination:
Because object referencing relationships determine the interaction patterns,
which in turn determine how failures propagate through components,
relative role classification can enhance the precision of the
static failure propagation analysis. Potential uses include
providing the programmer with information about how failures propagate,
certifying the absence of failure propagation between components,
and preemptively moving or replicating objects to eliminate windows of
failure vulnerability.
- Safety Checks: Roles can serve as a convenient linguistic
mechanism to express application-dependent safety checks. For example,
it may be illegal to apply an operation to an object unless it is
currently playing a specific role. These checks can be applied
either statically or dynamically.
- Memory Management: Because relative role classification
provides precise information about object referencing relationships,
the implementation can leverage role information to apply safe
explicit deallocation.
Real-Time Java
Java is a safe, widely used programming language. The goal of the Real-Time
Specification for Java is to adjust Java for use in real-time systems,
providing predictable memory management and real-time scheduling
support. We are developing an implementation of Real-Time Java, based
on the following principles:
- Safe Scoped Memories: Scoped memories eliminate the
memory allocation pauses often associated with garbage collection.
The basic idea is to provide a region of memory whose lifetime is
associated with a given computation, and allow the computation to
allocate its objects in that region. When the computation terminates,
the entire region is deallocated without garbage collection overhead.
To ensure the absence of dangling references, the Real-Time Java
Specification calls for dynamic checks to prevent the program
from creating a reference from one object to another allocated
in a region with a shorter lifetime. We have developed a
combined pointer and escape analysis for multithreaded programs
that can statically detect that the program correctly uses
regions and that the checks are superfluous.
- Compiler-Controlled Scheduling: The goal is to
support real-time thread and event scheduling in the compiler.
The compiler inserts scheduling checks into the generated code.
These checks detect the need for preemption, invoking primitives
that switch threads or execute actions triggered by asynchronous events.
Presentations
Here are several presentations and quad charts we have prepared as part
of our participation in the PCES program.