Significant Research Ideas used in the SPEEDOS Project:


Protection Based on Bracket Routines


Our research into object-oriented programming languages in the context of the L1 Project led to the formulation of a new idea known as attribute types [1]. These complement object types in much the way that adjectives qualify nouns in natural language, and they provide a well-defined form of multiple inheritance: an attribute type adds specialised features to a more general object type.

As an illustration of the general idea we could define an attribute type loanable with features such as the date of a loan, the due date for return and the name of the loanee. This could then be used for example to qualify objects of type book (resulting in a new type library book) and/or of type car (resulting in a new type hire car).

Not all adjectives can be defined simply in terms of additional features. An adjective such as synchronised requires that code be added to existing features. This is achieved by allowing an attribute type also to have bracket routines, which allow the features of an object, when invoked, to be bracketed by the defined bracket code. A bracket routine can be used to bracket all features, particular features or just an individual feature of an object. In L1 for example a distinction was made between operations (which change the state of an object), enquiries (which return information about an object's state without modifying it) and constructors (which construct new objects). These could be bracketed as separate categories. Thus an attribute type reader_writer_synchronised can be defined for example with appropriate semaphore variables as internal data, which are initialised in a constructor bracket, while an operation bracket provides writer synchronisation code and an enquiry bracket supplies reader synchronisation code.

In a bracket routine the explicitly called feature of the bracketed object is invoked via a special statement body at the appropriate point in the code. Thus for example attribute reader_writer_synchronised might be implemented as follows:

impl rws1 for reader_writer_synchronised
var sem, mutex: semaphore
    readcount: int
bracket constr
begin
     body                        -- first call the synchronised object's constructor
     sem:= 1                     -- then initialise the attribute variables
     mutex:= 1
     readcount:= 0
end bracket constr

bracket op                       -- used to bracket writers of the object
begin
     P(sem)                      -- claim the object
     body                        -- enter the object's writer operation
     V(sem)                      -- release the object
end bracket op

bracket enq
begin
     P(mutex)                    -- synchronise access to the variable "readcount"
     readcount:= readcount + 1   -- add 1 to count of readers
     if readcount = 1 then
          P(sem)                 -- if first reader then claim object
     endif
     V(mutex)                    -- release control of "readcount"
     body                        -- enter the object's reader operation
     P(mutex)                    -- synchronise access to the variable "readcount"
     readcount:= readcount - 1   -- reduce count of readers by one
     if readcount = 0 then
          V(sem)                 -- if last reader then release object
     endif
     V(mutex)                    -- release control of "readcount"
end bracket enq

end rws1

This implementation reflects the solution published by Courtois, Heymans and Parnas [2].

The same technique can also be used to define, for example, an attribute logged, which records information about each call to a module:

     write_log(date, time, caller_id)
     body

which is a useful enhancement to the security of a system (and can of course equally be used to produce transaction logs, etc.). Even more powerful security mechanisms can be built by placing the body statement inside a conditional statement, e.g.

     if <protection check successful> then
          body
     else
          write_log("illegal access attempt by ", caller_id)
     endif

Here we see how attribute types with bracket routines can be used to implement very powerful, user-programmable protection mechanisms. Provided the brackets are invoked by a trusted mechanism that the caller cannot bypass (in SPEEDOS, the Kernel), there is no way of reaching the feature without passing the check. The check itself can be of almost any conceivable kind (e.g. a password challenge and response, an access control list, membership of some group).

In the SPEEDOS system this mechanism complements the basic capability-based protection mechanism (as used in Monads) and can thus be used to solve the capability revocation problem: a bracket checks whether the caller appears in a revocation list, i.e. a negative access control list, and refuses the body statement if so. In fact it can support any kind of rule-based access control, provided that the mechanisms needed to evaluate a particular rule are available; it can for example be used to solve most forms of the confinement problem.
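The following Python is an added example, not code from this note or from the SPEEDOS or L1 systems, that models the bracket mechanism as a whole: the constr/op/enq categories, the body statement, and the three attributes discussed above (reader_writer_synchronised as in rws1, logged, and a revocation-list protection bracket) linked together to one object. The Kernel's role of linking attributes to an object and invoking their brackets implicitly is stood in for by a construct function and a Capability proxy, both assumptions of the model; the Counter object type, the caller names and the log entry layout are constructed for the example.

```python
import functools
import threading
from datetime import datetime, timezone

OP, ENQ = "op", "enq"            # L1 feature categories (assumption: plain string tags on methods)

def feature(category):           # tag a method as an operation (changes state) or enquiry (reads)
    def tag(fn): fn.category = category; return fn
    return tag

class Attribute:                 # base attribute type: the defaults bracket nothing
    # A bracket receives `body`, a zero-argument callable that continues the call (the next
    # bracket, or the feature itself); op/enq brackets also receive the caller's identity.
    def constr(self, body): return body()
    def op(self, body, caller): return body()
    def enq(self, body, caller): return body()

class ReaderWriterSynchronised(Attribute):      # the page's rws1 (Courtois, Heymans and Parnas)
    def constr(self, body):
        result = body()                              # first construct the synchronised object
        self.sem, self.mutex, self.readcount = threading.Semaphore(1), threading.Semaphore(1), 0
        return result
    def op(self, body, caller):                      # writer: claim the whole object
        with self.sem:
            return body()
    def enq(self, body, caller):                     # reader: first in claims, last out releases
        with self.mutex:
            self.readcount += 1
            if self.readcount == 1:
                self.sem.acquire()
        try:
            return body()
        finally:
            with self.mutex:
                self.readcount -= 1
                if self.readcount == 0:
                    self.sem.release()

class Logged(Attribute):                         # the `logged` attribute: write_log, then body
    def __init__(self, log): self.log = log
    def _record(self, body, caller):
        self.log.append(("call", datetime.now(timezone.utc).isoformat(), caller))
        return body()
    op = enq = _record

class Revocable(Attribute):                      # negative ACL consulted before body is entered
    def __init__(self, log): self.revoked, self.log = set(), log
    def _check(self, body, caller):
        if caller in self.revoked:
            self.log.append(("illegal access attempt by", caller))
            raise PermissionError(caller)
        return body()
    op = enq = _check

def construct(object_type, attributes, *args):   # Kernel stand-in: build through constr brackets
    body = functools.partial(object_type, *args)
    for attr in reversed(attributes):                # first attribute listed is the outermost bracket
        body = functools.partial(attr.constr, body)
    return body()

class Capability:                                # capability stand-in: calls pass through brackets
    def __init__(self, target, attributes, caller):
        self._target, self._attributes, self._caller = target, attributes, caller
    def __getattr__(self, name):
        fn = getattr(self._target, name)
        category = fn.category                       # only tagged features are exported
        def call(*args, **kwargs):
            body = functools.partial(fn, *args, **kwargs)
            for attr in reversed(self._attributes):
                body = functools.partial(getattr(attr, category), body, self._caller)
            return body()
        return call

class Counter:                                   # constructed example object type
    def __init__(self, start): self.value = start
    @feature(OP)
    def add(self, n):                                # deliberately non-atomic read-modify-write
        v = self.value
        self.value = v + n
    @feature(ENQ)
    def read(self): return self.value

def demo():
    audit = []; acl = Revocable(audit)
    attributes = [acl, Logged(audit), ReaderWriterSynchronised()]   # outermost first
    counter = construct(Counter, attributes, 0)
    alice, bob = (Capability(counter, attributes, who) for who in ("alice", "bob"))
    def writer(cap):
        for _ in range(500): cap.add(1)
    threads = [threading.Thread(target=writer, args=(c,)) for c in (alice, bob, alice, bob)]
    for t in threads: t.start()
    for t in threads: t.join()
    total = alice.read()                             # 4 writers x 500, serialised by the op bracket
    acl.revoked.add("bob")                           # revoke bob without touching his capability
    try:
        bob.read()
        bob_blocked = False
    except PermissionError:
        bob_blocked = True
    return {"total": total, "bob_blocked": bob_blocked,
            "calls_logged": sum(e[0] == "call" for e in audit),
            "illegal_attempts": sum(e[0] == "illegal access attempt by" for e in audit)}
```

Because the brackets are wrapped outermost-first, the revocation check runs before logging and synchronisation: a revoked caller's attempt is recorded as illegal and never reaches the object, while the 2000 writer calls are serialised by the op bracket. The proxy is only a model. A Python caller holding the raw Counter can call it directly, which is exactly why the note goes on to insist on a Kernel realisation, where an object module is reachable only through a capability that the Kernel resolves via the attached brackets.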

An extension of the bracket routine technique, which allows bracket code to be carried out before and after the execution of a call to another module, is described in another note. This allows an even finer form of confinement controls.

A realisation of this protection mechanism for the major modules of a persistent system requires an implementation in the Kernel. The SPEEDOS Kernel therefore recognises both object-like and attribute-like units as major modules and provides not only the mechanisms to call explicit features of these modules but also to link attribute modules dynamically to object modules and to invoke (implicitly) the bracket routines associated with the features of an object when they are called.

References

[1] Keedy, J. L., Evered, M., Schmolitzky, A. and Menger, G. "Attribute Types and Bracket Implementations", Proceedings of the Conference on Technology of Object-Oriented Languages and Systems, TOOLS 25, Melbourne, Australia 1997, IEEE Computer Society, pp.325-339.

[2] Courtois, P. J., Heymans, F. and Parnas, D. L. "Concurrent Control with Readers and Writers", Communications of the ACM, 14, 10, pp. 667-668, 1971.


© 1999 J. L. Keedy. Comments and corrections welcome to keedy@informatik.uni-ulm.de.
