The implementation of our access control mechanism consists of 1000 lines of well-documented Modula-3 interfaces and 2400 lines of Modula-3 code, with an additional 50 lines of changes to other parts of the static SPIN core.
We have modified the Modula-3 runtime so that the security identifier associated with an object is stored in the object header.
Table I lists the three kinds of memory references in Modula-3 programs, their names, and a short description of each. (1) Without loss of generality, we assume that all pointer dereferences are explicit and that a variable declared to be of object or array type actually contains the object or array rather than a pointer to the object or array.
In Modula-3 and other type-safe languages, a variable of type REF T can legally point to objects of type Subtypes(T).
In Modula-3 or Java, the programmer must declare a set E of exceptions that the function argument to map may raise; map, then, may raise the same exceptions E.
In this section, we list the main requirements for an effective exception analysis for ML, and show that they go much beyond what can be expressed by exception declarations in Modula-3 or Java.
Using an earlier version of Eraser that detected race conditions in multithreaded Modula-3 programs, we found that the Lockset algorithm reported false alarms for Trestle programs [Manasse and Nelson 1991] that protected shared locations with multiple locks, because each of two readers could access the location while holding two different locks.
Modula-3 [Nelson 1991] in particular contains interesting facilities for dynamic typing, benefiting from experience with languages such as Simula-67, CLU, Cedar/Mesa, Amber, and Modula-2+ [Birtwistle et al.
RAISE PrintError END END Print; A disadvantage of the Modula-3 scheme is the overhead it places on programs in terms of needing to maintain ubiquitous type tags in the run-time; every traced pointer value must have a type tag for the above operations.
uses the statement exception to declare an exception and the statement raise to raise an exception in conjunction with an argument.
The terminal symbol code stands for a fragment of Modula-3 or C code.
Similarly to C++ with signatures, ML, Modula-2, and Modula-3 allow a clean separation of specification and implementation.