Ownership, Encapsulation and the Disjointness of Type and Effect Dave Clarke, Sophia Drossopoulou/2002 Encapsulation seminar Dec Sharon Goldschlager

2 Aim Static reasoning about the program. Aliasing. Non-interference of expressions.

3 Road Map Aim Aliasing to previous lectures General Idea Basic definitions Static rules Dynamic rules Summary

4 Aliasing to previous lectures Islands(Hogg) – prevent static(heap) aliasing using read(destructive) only references, access through a single bridge. Confined types(Bokowski) relate to security – all references are confined to preset space. These methods impose great limitations on the programmer, implementation overhead – cannot have direct reference.

5 General Idea Encapsulation – placing boundary around object properties. Boundary of ownership, instead of containment. Extension of Ownership with effects and effect shapes. Ownership instead of uniqueness.

6 Ownership Owner(context) - another object, “Container”. Object’s Representation – the objects it owns. Induces tree-shaped ordering. owners-as-dominators, all paths from the root of the object graph to an object pass through its owner.

7 Context and Classes Classes parameterized by context, subclasses keep owner. Types c. Context – in text source (p). –Actual – per object (k) in run time. –Variables (z). –this (owner of representation). –world – root context.

8 Example class List { Link head; void add(Data d) writes under(this) { head = new Link (d, head); } class Main<> { List list; Main() writes this { list = new List ; } void populate() writes under(this.1) { list.add(new Data ); } static void main() writes under(world) { Main<> main = new Main<>; main.populate(); } this is current object. 1 st parameter is owner context. No parameter means World is the owner. Owner this restricts access to current object and objects inside it. no reference into the inside.

9 Representation Representation – objects owned by this. Representation context – representation of context. Example representation of previous program:

10 Simple Alias Deduction using Ownership List shared; List encaps; Shared, encaps cannot be aliases. Their Link objects are disjoint. Their Data objects are disjoint.

11 Method Effects And Their Shapes Effect can be read or write (implying read). Shape denotes collection of contexts. Methods must specify (1 or 2) pairs. Example void exmpl_method() reads p writes under p.2 { … }

12 Dynamic Aliasing Dynamic aliases - created during program execution when a reference is changed (iterator). Break (briefly) owners-as-dominators for stack, local variables. bool equals(List other) { Link thislink = this.head; Link otherlink = other.head;... thislink.data.equal(otherlink.data)... }

13 Dynamic Aliasing owners-as-dominators property enforces deep ownership. Type of each dynamic alias contains the name of the aliased representation entity. List list = new List ; Iterator iter = list.makeIterator(); Conclusion Dynamic aliases cannot be stored in an object’s field.

14 Formalism Notation - Static

15 Formalism Notation - Dynamic ActualContext – world and one for each object created.

16 Semantics Blocks Environment E assigns types to free variables, locations, context variables constraints. Binding B map context variables to actual Contexts, and variables to values.

17 Formalism Notation

18 means directly inside. is the transitive closure of. is the reflexive transitive closure of. Context Relations Relational inclusion

19 Valid Contexts CTX-VAR: context variable should be related to a context. CTX-REP: variable/location may denote representation context. CTX-WORLD: world is a valid context.

20 Context Ordering Representation context directly inside owner Relational composition

21 Effect Shapes

22 Subshaping Set Rules Simple set theory properties.

23 Subshaping Geometric Rules SUBSHAPE-UNDER: ordering of under effects, under effect at a particular level contains all deeper under effects.

24 Effects and Subeffecting Subeffect Write imply read

25 Type Rules

26 Values VAL-NULL: null can have any type. VAL-W: Type of variables, locations as in environment. EXP-FROMVAL: variable can be seen as expression with no effect.

27 Expressions EXPR-NEW: Produces no effect. EXP-FIELD: Type of expression is field type with parameter substitution. EXR-UPDATE: Likewise, rhs,lhs matching types.

28 Let Expression Dynamic Alias Effect rd x, x not in scope at end  under-approximation: super-effect rd a.1. What’s the effect of

29 Expressions EXP-SUB: Expression of some type is of its super-type, and effect need not be accurate. EXP-CALL: Matching of types, and binding of formal-actual parameter.

30 Inheritance Rules

31 Method, Program PROG: Well-formed program contains only well-formed classes. METHOD: Type, effect of body match declaration.

32 Extension Lemma E’>>E: E’ extends E, i.e. E is subsequence in E’. B’>>B: B’ extends B, i.e. B is subsequence in B’. Lemma: Assume E:B├ ή If E’>>E and E’:B├ ◊, then E’:B├ ή. (extention) If B’>>B and E:B’├ ◊, then E:B’├ ή. (substitution)

33 Dynamic Notation CMAP: map from class context parameters where method m is declared to the actual contexts, for correct evaluation of the method body e.

34 Evaluation relation an expression configuration to a final configuration. Dynamic Relations Computation relation a computation configuration to a final configuration.

35 Evaluation Rules EV-LET: 1 st computation, bind value to x, then evaluate expression with new heap, binding. EV-VAR: Variables - lookup in binding list.

36 Computation Rules - Field COMP-FIELD: Effect reading object in i. COMP-UPDATE: Write value to field. Effect writing object in i.

37 Computation Rules - New COMP-NEW: New heap location bound to object. Fields initialized to null. Object type is determined by parameter lookup in binding list B. No effect!

38 Computation Rules - Call COMP-CALL: object from binding, determine type c, method lookup. Binding of class parameters to actual, this, method formal parameter to actual’s value.

39 Reasoning Basics Fields/variables of disjoint types cannot be aliases. Disjointness of effect shapes determine whether expressions potentially interfere. Disjointness according to Tree-shaped partial order. Non-overlapping places in the inheritance hierarchy.

40 Disjointness Notation Rules are valid for all valid bindings B of free variables.

41 Disjointness of Context DCTX-NEQ: Different related context are not equal. DCTX-TYPE: Representation context of non- aliases are disjoint. DCTX-LOC: Disjoint locations – clearly.

42 Disjointness of Type DTYPE-CLASS: Non inherited – disjoint. DTYPE-CTX: Same position argument. DTYPE-SUB: Subtypes preserve disjointness.

43 Disjointness of Effect Shape Based on Set theory. DFX-0: Good effect shape disjoint from empty. DFX-SUB: Subshape of a disjoint is also disjoint. DFX-UNION: Union of shapes disjoint to other, is disjoint.

44 Disjointness of Effect Shape

45 Effect Shapes Based Non-Interference Deduction Interference - one reads, another writes or both write to same location. Expressions with non-interfering effects imply non-interfering execution: the evaluation order is immaterial, same results, same heap.

46 Non-Interference Example Assume E p#q  E list #list  wr under(list1)#wr under list2

47 Deduction Implications Loop fusion leads to optimization.

48 Summary of Contributions Ownership as basis for reasoning. Support inheritance and dynamic aliases. Computational effects. Aliasing and interference deduction. Formal semantics and analysis framework.

49 The End