STATIC DETERMINATION OF DYNAMIC PROPERTIES OF ... - DI ENS

STATIC DETERMINATION OF DYNAMIC PROPERTIES OF GENERALIZED TYPE UNIONS Patrick Couso~and Radhia Couso~* Laboratoire d'Informatique, U.S.M.G., BP. 53 38041 Grenoble Cedex, France

Abstract. The classical programming languaqes such as PASCAL or ALGOL 88 do not provide {ull data type security. Run-time errors are not precluded on basic operations.

Type safety necessitates a

refinement of the data type notion which allows subtypes. The compiler must also be able to ensure that basic operations are applicable. This verification consists in determining a local subtype of g l o b a l l y declared variables or constants. This may be achieved by improved compiler capabilities to analyze the program properties or by language constructs which permit the expression of these properties. Both approaches are discussed and illustrated by the problems of access to records via pointers, records,

access to variants of record structures, d e t e r m i n a t i o n of d i s j o i n t collections of linked and d e t e r m i n a t i o n of integer subrenge. Both approaches are complementary and a balance

must be found between what must be specified by the programmer and what must be discovered by the compiler.

Key words and phrases

:

Type safety,

type unions,

subtype, data type, system of equations,

verification/discovery, error detection capabilities, abstract interpretation of programs, use of o o i n t e r s / v a r i a n t s of record;structures, domains/collections, 88, EUCLIO,

type

secure

integer subrange type, ALGOL

PASCAL.

CR categories

:

4.12, 4.13, 4.2,

5.4.

1. Introduction

reference ignores the fact that a reference may be dummy,

The type of an object defines how that object relates to other objects and which actions may be

In all these languages the p r o b l e m of subscript ran-

systems of ALGOL 801187S], PASCAL[1874], ALGOL 68

~e is not safely treated by the type concept, LiKe-

[1975] ... do not convey enough information to de-

wise,

termine staticly whether a given action applied For example, in AL-

CAL,

Attache de Recherche au C.N.R.S., L a b o r a t o i r e Associ~ N ° 7.

**

This work was supported by IRIA-SESORI under grants 75-035 and 78-180.

in PAS-

a pointer to a record must De considered as

potentially designating any record of a given type.

in ALGOL 88 the type

*

the classical type systems define only loose

relationships between objects. For example,

GOL 80 the type procedure does not include the type of acceptable parameters,

[variants of record

of erring on the current a l t e r n a t i v e of the union.

applied to it. U n f o r t u n a t e l y the classical tyoe

to a value will be meaningful.

in PASCAL type unions

structures) are unsafe because of the possibility

One cannot express the fact that two linked linear lists of the same type do not intermix. Finally, the rules of the language

or the programming discipline

accepted by the programmer are not statiely enfor-

77

cad by the compilers,

so that run-time

checks are

the widely used remedy.

However these expensive

time checks are usually

turned off before

programming

security

run-

linguistic

the "least"

In the interest of increased

flexible

reliability

framework

type properties),

error has been discovered.

ware products,

offered by full typing

[within a suitable

to properly

propagate

and the simplicity

Ibut incomplete)

classical

strong

offered by the type systems.

of soft-

the language designer may reply upon :

2. Nil and Non-nil Pointers - The design of a refined necessitates

and safe type system,

linguistic

constructs

te strong type oropertles.

which Among the objections

which propaga-

ters ere the faotsthat

The rules of the lan-

pe violations

guage must then be checkable by a mere textual scan of programs [1976] provide language

a secure

design

and baroque

le.g. ALGOL

68[1975]

approach may degenerate

programming

ranteeing

This

the type of the object pointed

[1974] except for.variant

to large

that pointers

languages.

heap cells The design of a refined compiler wkich performs a static proved

treatment of programs

error-detection

then remains simple

and provides

capabilities.

im-

and flexible,

but security

offered by compiler verifications

[e.g. EUCLIO

legality assertions which the compiler for the verifier]. may degenerate

is

generates

and mysterious

The comelier

comparable

the two approaches

re-

is not used).

However

have the nil value which points

to no element at all

; this is a source of frequent

summary of the meaningful

operations

as a static

the operations

prescribed

on that value.

by a syntactically

techniques

techniques,

It is shown that the language

value which happens

Cousot

since both

need a refinement

pe notion.

They differ by the fact that one needs

to be nil.

- the subtype of nil pointers type

(which happens

covery may be equivalent

only to pointers

type enforcement or dis(e.g.

the language

of non-nil

is not the case for infinite

pointers).

type systems

by the programming

checks

is really

ve-

[e.g. protection facilities.

However

time checkable. needed

syntactic

languages genera-

and ting code in master-mode

by appropriate

this hardware

detec-

constion is not always utilizable.

Moreover,

for

a means by which languamore complicated

can establish

system.

:

Ithese checks are usually

for system implementation

ge designers

this

ry cheap for pointers when using the hardware memory

are not compile

Finally we propose

Since

nil references,type

of non intermixing

type discovery

can be applied

subtype.

designer has three solutions

Run-time

can be facilitated

to that record

to have only one value)

The rule is that dereferencing

between

rule must be enforceable

In such a case

to that re-

the other uses a type dis-

We show that strong

which

pointers

type

cord type

type checking and discovery.

integer ranges),

to a record

- the subtype of non-nil

of the ty-

but we show the close connexion

collections

so

:

- the type of pointers

are strong-

meaning-

a pointer

type notion must then be refined

that one can distinguish

ra-

ly related

a type checker whereas

The pointer

design ap-

approach

are not always dynamically

ful. This is the case when dereferencing

by means of examples;

to program optimization

proach and the compiler design

tructs.

which

au-

e degree of sophistication

ther than program verification

This

cells)

they are no longer accessible

The type of a value may be viewed

techniques we propose for the static ana-

lysis of programshave

unions,

allocated

program verifiers.

We illustrate

coverer,

from variable

when "dispose"

valid construct

[1976].

and ensuring

a pointer may always

However tomatic

until

by gua-

at (PASCAL

errors.

This compiler design approach

into futurustic

(disjoint

IPASCALE1874]

The language

of records),

point only to explicitly

main allocated

ty-

and that they may be left dang-

ling. One can take care of these objections,

end EUCLIO

use of type unions).

(PL/I)

against the use of poin-

they can lead to serious

a balance

between the

scripting

78

these

examples run-time

such as array subchecks are very

expensive.

using a simole

Safe

of line (3). This reasoning is easily mechanized as follows : associate invarian~P1, P2, P3, P4 and P5

language

a type tion

design,

system

which

prescribed

truct

strong that

typing

valid

be dynamically

pointer types,

to

ooints

cons-

(i.e. forbid

rations

(i.e.

or non-nil

pointer9

and

check the correct use of opeauthorize

dereferencing

for non-

nil pointers only). -

Compile

time checks,

to recognize

the safe

language

PASCAL ( H o a r e

variants

are of

(1)

P1

[2)

P2 = (P1

= [at

(11)

respectively.

of

the

orogramming

and W i r t h [ 1 9 7 3 ] ) ,

as d e f i n e d

by

these

the

in-

subsequent

:

= L) or

(3)

P3 = [P2 and

P4 = P2 and

(5)

P5 = P3 o r --

[5)

and

P5)

(4)

(b

= true)

and

((pt

n i l )

(pt+.value [ot+.value

(~ p t '

= n))

and

(b

= false)

n)

I s°t'(p4) pt

and p t = o t ' + . n e x t )

has b e e n d e l i b e r a t e l y

see D e m b i n s k i

and b)

oversimplified,

and S c h w a r t z [ 1 9 7 6 ] ) .

now this last strategy. Since

2.1

related

equations

(Equation

use o£ a type scheme which is too tolerant. We illustrate

and

semantics

the type o£ an object

the type"non-nil

syntactically

(9)

the

disallow tyoe vio-

to be changed from the tyoe"nil pointer",to

to

between nil system

lations

[21,[4},(71,

According

algorithm from the test

meaningful.

This type scheme must distinguish and non-nil

i.e.

any opera-

by a syntactically

always

will

with ensures

propagation

in

general

systems

it

solution

to

consider

simplifications

is

such

undecidable

as t h e

to

one a b o v e ,

find

a

we m u s t

Static Correctness Check of Access to Records [to

the

prejudice

of

the

via Pointers precision of our results), Consider

the simple

record with value

ignore

problem of searching for a

"n" in a linked

the existence of the boolean variable b, of"

the fields "value"

linear list L :

For that purpose we will

and thus focusing

in records o£ the linear list, on pointers.

Moreover,

consider only the pointer variable value

next lowing mredicates

L

we will

pt, and the fol-

,F-Fq__Tq?

....

respectively

solution

as follows

:

:

pt = nil, pt nil,

dicates The PASCAL

on st

is given by PASCALF1974]

(p. 64)

gram

denoted by nil,

form a complete

.is

(at = nil) or (pt nil) non-nil,T

. These pre-

lattice whose HASSE's die-

: T

[1)

pt := L; b := true;

(2)

{P1}

[3)

while

L

(4)

[pt

n i l )

=

nil /

~non-nil

and b do

({P2}

Where i is used to denote (5]

i~

pt+.value

Known about the variable (6)

b

(7)

{P3}

(8)

the fact that nothing

is

= n then

pt.

:= f a l s e

Since we are only considering

else

subset Of the set of predicates,

(9)

{P4}

(10)

pt

(11)

{P5});

tions can be simplified

an oversimplified

our system of equa-

accordingly

:

:= p t + . n e x t ; (1')

P1

= T

(2')

P2 = (PI or P5) and non-nil

(3')

P3

= P2

(4')

P4

= P2

[5')

P5 = P3 o r

The above piece of program is correct with regard

to accesses

to records via pointers,

pt is not nil when dereferenced

at lines

since T

(5) and (In

(10). This fact is established by the programmer

79

equation

(1)

we c o n s i d e r

(pt

= L)

since

L may

be an e m o t y or n o n - e m p t y nil) or

[pt nil]

only consider

Our

F is

complete

has

a

PI,

lattice

[5

theorem

least

complete

T, in e q u a t i o n

(pt =

Kleene's

[5] we

tions.

'next'

a (nil or non-nil]

oointer

PS> = F [ < P 1 ,

P2,

PI,

application

in

Therefore,

states

that

the

:

P4,

[Tarski[1955]).

from the

L s in itself, this least

= T,

P2

= [P1

=

Knas-

P3

F

fixpoint

P4

oreviously established)

~ [2,

can

5]]

and

non-nil

and

non-nil

non-nil

P5 = P3 o r T

Kleene

non-nil

±

l

±

l

or T

= [PI o r P5] or T ]

[T

or ±]

end

non-nil,

l

,[±

end non-nil

>

i

±

l

i

T

l

i

,(l or T]>

I

±

T

and

>

Kildall[1973]

=

Unsafe Type Unions in PASCAL

if value of ot'=n then false

true]

aT different types. The type of this variable is

fi,

then said to be the union of the types of these va-

false

lues. In PASCAL[1974] the concept of type unions is embodied in the form of variants of record struc-

eSaO

do skip od;

tures : a record type may be specified as consisting of several variants, optionally discriminated

This program is safe, since in ALGOL 88 the by a tag field. non-safe coercion of pt from mode union [ref cell, void]

Example

to mode ref cell has to be made explicit by

a conformity case construct.

type mode

The idea is therefore

= [int, char];

type charint =

to force the p r o g r a m m e r to explicitly perform the

record

run-time tests, which in this example is dictated anyway by the logic of the problem

:

case tag : mode of

{the rewritten

version admittedly looks a bit cumbersome, but more

int : [i : integer];

convenient ways of expressing such a flow of con-

char : (c : character]

trol may be exhibited

end;

[Oijkstra[1875]]].

vat digit,

2.3

Remarks

letter, a l p h a n u m : charint

In a program containing these declarations

the

occurrence of a variable designator alohanum.c is It is remarkable that both approaches necessionly valid,

if at this point that variable is of

tate the same secure type system, yet they differ type character.

It is so,

[if and] only if alpha-

in the choices of making it available or not to the num.tag = char. H o w e v e r this is not staticly veriprogrammer. fied by the PASCAL compilers for the following reaThe refined type system considers the pointer type as the onion of two sybtypes

: pure

sons

:

[non-nil) The tag field of a variant record definition

pointers and dummy (nil) pointers.

Type safety is is optional, and may exist only in the pro-

guaranteed by requiring strong typing : the type grammer's mind. of a value determines which operations may be mea-

ningfully applied to it.

When present,

the tag field may be assigned,

thus allowing to realize implicit type transIn both cases the type correctness has to be fer functions. For instance,

a variable of

verified or established by the compiler. For that type character : purpose an [often implicit) system of equations is used.

equations has to be found by the compiler, other

alphanum.tag

In one case the solution to that system of

alphanum.c

in the

case the c o m p i l e r simply verifies that the

~= char;

:= 'H';

may be interpreted as being of type integer

solution supplied by the programmer [by means of

for the purpose of printing the internal

8]

representation

- No a s s i g n m e n t s

:

alphanum.tag

:= int~

once

they

to the

have

been

tag f i e l d s

are

authorized

initialized.

writeln[alohanum.i]; - U n i t i n Z is a l l o w e d (Note

that

the

tag

is a p p r o p r i a t e l y

about

its

value

set,

and

alphanum care

one

can w r i t e

as well

::

:

:= letter~

: is

alphanum.c

safe

but without legal,

because

the

type

of

the

right

hand

side

'H'; value

eharint[char]

may

be c o e r c e d

to the

type

writeln[alphanum.i]:] of

the

left

hand

side

t~b e c h a r i n t [ a n y ]

3.2

Safe Type Unions in ALGOL 68/EUCLID

variable

permits

charint[any]

a l o h a n u m to h o l d

v a l u e of t y p e c h a r i n t [ c h a r ]

(the either a

o r a v a l u e of t y p e

charint

[int]]. Suggestions structures i.e.

have

which

compile-time

assignments determine

been

ensure

Such

ta Z f i e l d s

the c u r r e n t similar

to p r o v i d e

type-unions

checkable.

to the

a statement

made

that

to the

features

and

tag v a l u e

syntactic

are

let

from

"inspect

the

-

forbid

were

using

when", of S I M U L A

68 ~ 9 7 5 ]

we w o u l d

charint

= union

mode

integer

digit

charint

alohanum~

tag

field

which

in

original

its

is

:

(integer,

~ character

character]~

letter

safe

case

from

the

usin Z conformity

and

clauses.

The

antagonism

type-safe, lows

with

which ALGOL

PASCAL

handles

68-1ike

manner.

parameterized-tyoes,

a formal

parameter

of

: [int,

char]

is m o r e

variant

This

the

the

type

obvious

records

Since

al-

usually

declaration

mode

type

charint

[ta Z

: mode]

char end end

When

~>

vat c

: character

the

that

the

:: x ~ end

letter

run-time

:= x

check

type

transfer

tested

on

it case

:

tag of

int

; end

char

statement

o£ w h i c h

out

carried

by

ensures

variant

a cam-

of a record

the

to the

compiler

checks for

which

all

can

non-union

Static Treatment of Type Unions

char

has

been

vide

flexible

rity

[Wirth [1975]]

be

able

type

deliberately

unions

to d i s c e r n

following

abstract

Record

of

the r e c o r d

actual

tag

type

parameter

"charint" may

is

be a c o n s -

designed

at the

expense

: however,

a wise

the

programs

secure

interpretation

vat digit

which vat

: charint

letter

lint]

: charint

allows

alphanum

type

(char]

are

to p r o -

of

secu-

compiler by

of t h e s e

a single

record

with

since

tide

[the

numerous

record

tag

is of e n u m e r a t e d

should

using

the

programs:

which

represents

[any]

at

moments

This

the

of p r o g r a m

a program

identified

to n e s t e d

T which set

program

represented

is a f i n i t e

is a u g m e n t e d

non-initialized point,

execution,

but

at

with

by

by

The set a null

value.

two d i f f e -

two d i f f e r e n t

dealin Z with

:

82

may

be

assumed

by

a tag

field

a

variants

is s t r a i g h t f o r w a r d ] .

type

value

same

variants

types

Since

the

consider

generalization

and

values type unions

ta Z,

:

when

abstractly

We will

values.

type-safe

be

tag f i e l d s .

rent 68 or E U C L I D

will

of d i s c r e t e

unions

: charint

values

by t h e i r

single

:

vat

ALGOL

to r e t r i e v e

case

a variable

or any,

digit

an

:

int

~ end

and

ta Z is e x p l i c i t l y

d i s c r i m a t i n g case

PASCAL

~ end

ensures

corresponding

=

i : integer

united

is in use,

charint

declared, tant

var

to r e t r i e v e

tyoes~

tag of

int ~ >

type-checking

be

record case

of way

is by a d i s c r i m i n a t i n g

be

3.3 type

been

only

in

in a

EUCLIO

tag w i l l

The

the

~>

if

case

olete

EUCLID[1978]

principle

type

This

int = >

programmer,

since

discriminatin Z x : alphanum

;

end

has

since

char

is h i d d e n

checked

write

the

object

coercion,

:: a l p h a n u m

be v i o l a t e d .

statement.

In A L G O L

m a y be

allowed,

would

[I 974 ].

The

is no d e - u n i t i n g letter

compiler

context

There

safe,

of a r e c o r d

variable,

a s t a t i c s u m m a r y of the p o t e n t i a l

gram executions must consider tag fields. variables

(More g e n e r a l l y ,

o{ e n u m e r a t e d

a set of values

type].

over,

is a f i n l t e

Thus the a b s t r a c t in 2 T, the p o w e r -

complete

if the p r o g r a m c o n t a i n s

enumerated

lattice.

to take

c o u n t of t h e m in the p r o g r a m a b s t r a c t

m simple

Finally,

(2 T x ... x 2 T] m times.

programs

{null}

{null}

{null}

the a s s i g n m e n t

{male}

5)

Since

this space

can be p e r f o r m e d

at c o m p i l e

this g i v e s

rise

un-

to two e x e c u t i o n

paths

[6] and [8] : I

[6)

{male}

I {female}

{null}

i

is

[7]

of

time.

{male}

[ {female}

[8)

{male}

{female}

9]

{male}

{female}

10]

The two e x e c u t i o n

Example :

= {mole}

=

{male} {null} {female}

paths

are j o i n e d

together:

i female}u{female}i{male} '

{male}u{male}

type o e r s o n

I{null}

the value of the test is s t a t l c l y

Known,

is a com-

the a b s t r a c t e x e c u t i o n

is i g n o r e d

to m a r y . a g e is ignored.

the a s s i g n m e n t

interpreta-

space

to p a u l . a g e

I {female}

Since

if the p r o g r a m c o n t a i n s

with tag of type T, o u r a b s t r a c t d a t a

lattice,

{null}

{male}

ac-

v a r i a b l e s of type T or record v a r i a b l e s

plete f i n i t e

{null}

[2)

[4)

of

senior

mary

[I)

[3)

More-

simple v a r i a b l e s

type T, it is c o n v e n i e n t

tion process.

i

line i paul

for

this is the case for

v a l u e s o{ the tag will be c h o s e n set of T, w h i c h

pro-

= {female}

u {Female}

= {mole, female}

record case

sex

: (male,

female]

of Note that at line may have

end ; vat paul,

mary,

senior

don't appreciate

: person;

[10]

tag v a l u e s

senior.sex

it is c l e a r that "senior"

"male"

or "female".

the qact that = if p a u l . a g e

paul,sex

else

:= male;

but n e i t h e r do A L G O L 68 n o r EUCLIO. paul.age

:=

...;

mary.sex

:= female;

mary.age

:= ...;

guages

(3} (4)

union

(S) if p a u l . a g e

£ mary.age

then

(6) senior

it is e v i d e n t

that in some

m e r k n o w s p e r f e c t l y well

:= paul;

type is used,

{7)

female {i With

cases

these

but is u n a b l e

of a

to e x p l o i t

this

statement.

This same

limitation

t r e a t m e n t of p r o g r a m s ,

lan-

the p r o g r a m -

which alternative

since he m u s t use a d i s c r i m i n a t i n g

exist

else

then male

Knowledge,

static

we

: ~ mary.age

(1) (2}

However,

case

a r i s e s w i t h our

more powerful

schemes

[Sintzoff[1975]].

(6} senior

:=

mary;

Finally,

(9)

useful

end; [10]

in the s t a t i c

information

tements, and if s t a t e m e n t s , mity

The symbolic execution

of

that piece of

used

f r o m case sta-

as A L G O L 68 c o n f o r -

tests.

Example

program would be :

t r e a t m e n t of p r o g r a m s

will be g a t h e r e d

{Paul

:

= {male}

; Mary

= {Female}

; Senior

= {Male,

Female}} if S e n i o r . S e x ...

[I)

...

[2)

...

else ... fi

83

= Paul.sex

then

The abstract i n t e r p r e t a t i o n of a test (A = B) in a

1.1

Static variants to describe classes of data

context where A and B are variables which may as-

which are different but yet closely related.

sume set of values S A and S B delivers a context

For examole, Men and W o m e n may be described

w h e r e A and B may assume the set of values S A n S B

as Persons d e p e n d i n g on their sex, thus

on the true path.

EUCLIO authorizes

(Thus in {I) we get Paul = Senior

= (Male} n {Male, Female}

= {Male}).The context De-

livered for the false path is

type Person

:

(Sex = {Male, Female))

= ...

type Man = Person(Male) type Woman

A = i__f (ISA nSBI = 1) and not (SAc S8) then SA - SB

= Person(Female)

In PASCAL however, variables of abstract

else S A f i (Thus in (2] we get Paul

:

type Man and Woman may be staticly recogni-

: {male} and Senior = {Fe-

zed when their tag values never change.

male}). 1.2

Dynamic variants,

to describe objects whose

When this abstract interpretation of programs components depend on a possibly is terminated we can recognize secure programs by the following facts

:

stopped,

There are no assignments to tag fields, other than

changing

state. For example a car may be m o v i n g or thus EUCLID authorizes

type Car

for i n i t i a l i z a t i o n ( w h i c h is recognized

{State

: {moving, stopped, des-

troyed))

by the fact that the tag value is changed from

:

= ...

vat mycar : Car{an__~)

null to some value). We can also authorize useless tag assignments,

Since the actual oarameter supolied for the

i.e. those which assign

tag is any,

to a tag w i t h o u t c h a n g i n g its value.

the variable can be changed from

one variant to another d u r i n g execution, by The unsafe de-uniting coercions must be checked. assigning values of d i f f e r e n t variants to This cannot occur when a record variable is assigned to another,

the variable. However,

since all record variables

are considered to be of union types.

no r e f i n e m e n t is al-

lowed, and no proper subset of the possible

(Note that

tag values can be used

such an assignment may indirectly modify a

:

vat m y c a r : Car({moving,

stopped})

tag value, but this is safe). Oe-uniting coerThis fact may be discovered by a static ana-

cions only occur when accessing a field in a

lysis of the program, and might be useful

record. This is safe only if the tag has been

in memory allocation.

staticly established to be of correct value. Otherwise,

a w a r n i n g is reported to the ueer,

2. Storage S h a r i n g (Overlays). This implies the use

and a run-time check inserted in the program.

of the same storage area (expressed in the language as "the same actual variable") for diffe-

3.4

Flexibility Versus Security

rent purposes i.e. for r e p r e s e n t i n g different abstract variables whose lifetimes are d i s j o i n t

This compiler aoproach has the advantage of fle-

{block structure is not incorporated in PASCAL).

xibility over the secure language approach. It

This is a typical case of free union, where no

is clear that all EUCLIO orograms translated in-

tag will be carried along to indicate the cur-

to PASCAL will be recognized to be safe by this

rently valid variant. This tag may be staticly

technique.

simulated,

Following Wirth[1975] there appear to be three

fields of the variant. Unsafe a s s i g n m e n t s will

d i f f e r e n t motivations behind the desire for variants of record structures

provided that one ensures an appro-

priate setting of the tag upon assignment to

be identified and therefore the m u t a t i o n from

:

one abstract variable to another may be reported I. The need for heterogeneous structures, in two main cases

to the user.

:

84

3. R e a l i z a t i o n EUCLID

of i m p l i c i t

in r e c o g n i t i o n

led b r e a c h e s necessary, by m e a n s

of the Tact that c o n t r o l -

provides

unchecked

oT type c o n v e r t e r s

the o r o z r a m

elements

never refer

:

seen how a P A S C A L

it is c l e a r

: d o m a i n of elem;

comoiler might

0S2

: d o m a i n of elem;

that P A S C A L

provides

fle-

soecify

that DS1

dynamic

variables,

into d i f f e r e n t

We h a v e shown

: + DSI~

$2

: + OS2;

The r e s u l t s

of this s t a t i c

z r a m s m i g h t also be useful we get a s o p h i s t i c a t e d It is o b v i o u s

constructs

can be simoly

cessitate language

the p r o g r a m m e r

lan-

to

scan

intentions

is the case

examole concerning dynamic

two p o i n t e r s

which

may ne-

be sets of d i s j o i n t

i£ $I and $2 are p o i n t e r s

records

of the same

between

of the linked s t r u c t u r e ,

to d i f f e r e n t

type.

a pointer

only in the p r o g r a m m e r ' s

$I and $2 o o i n t

of the program-

c a u g h t by c o m o i l e r s

This

that

; the d e c l a r a t i o n s

:

the c o n f u s i o n

the f i r s t e l e m e n t list is v a l i d

has no

Now,

to d i f f e r e n t

Unfortunately

for e x p r e s s i n g his i n t e n -

rich and not n e c e s s a ~ l y e a s y constructs.

they o e i n t

Thus

that the p r o g r a m s will

since

H o w e v e r some simple

mer which

of pro-

c o m p i l e r for a s i m p l e

then,

not be v e r y readable,

treatment

in c o d e g e n e r a t i o n .

and OS2 will

domains

$1

tions.

now n e c e s s a r y

o n e can s p e c i f y

0SI

tructs h a v e been used in e i t h e r s e c u r e or i n s e c u r e

preestablished

is

to the same record

that a c o m p i l e r m a y r e p o r t to the user w h i c h c o n s -

guage.

it

code of the c h a r a c t e r

x i b i l i t y at the e x p e n s e of security.

ways.

and

to s t a t e the c o n t r a r y .

In L I S [ 1 9 7 4 ]

type c o n v e r s i o n s ,

this fact to the user.

Finally,

share

all