Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington.

Slides:



Advertisements
Similar presentations
Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Advertisements

Lists and the Collection Interface Chapter 4. Chapter Objectives To become familiar with the List interface To understand how to write an array-based.
Generic programming in Java
George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.
External Uniqueness Presented by Nir Atias Dave Clarke Tobias Wrigstad Encapsulation Seminar 2006.
ISBN Chapter 11 Abstract Data Types and Encapsulation Concepts.
Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta.
Architectural Reasoning in ArchJava Jonathan Aldrich Craig Chambers David Notkin University of Washington ECOOP ‘02, 13 June 2002.
OOP in Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.
Run time vs. Compile time
1 Generics and Using a Collection Generics / Parameterized Classes Using a Collection Customizing a Collection using Inheritance Inner Classes Use of Exceptions.
ArchJava Connecting Software Architecture to Implementation Jonathan Aldrich Craig Chambers David Notkin University of Washington ICSE ‘02, May 22, 2002.
1 Run time vs. Compile time The compiler must generate code to handle issues that arise at run time Representation of various data types Procedure linkage.
Lecture 9 Concepts of Programming Languages
Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631.
1 Contents. 2 Run-Time Storage Organization 3 Static Allocation In many early languages, notably assembly and FORTRAN, all storage allocation is static.
1 An introduction to design patterns Based on material produced by John Vlissides and Douglas C. Schmidt.
Subclasses and Subtypes CMPS Subclasses and Subtypes A class is a subclass if it has been built using inheritance. ▫ It says nothing about the meaning.
A Formal Model of Modularity in Aspect-Oriented Programming Jonathan Aldrich : Objects and Aspects Carnegie Mellon University.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Imperative Programming
Chapter 3 Introduction to Collections – Stacks Modified
Programming in Java Unit 2. Class and variable declaration A class is best thought of as a template from which objects are created. You can create many.
50.003: Elements of Software Construction Week 8 Composing Thread-safe Objects.
Chapter 21 Generics 1. Generics - Overview Generic Methods specify a set of related methods Generic classes specify a set of related types Software reuse.
Java Classes Appendix C © 2015 Pearson Education, Inc., Hoboken, NJ. All rights reserved.
Using Data Groups to Specify and Check Side Effects K. Rustan M. Leino, Arnd Poetzsch- Heffter, and Yunhong Zhou Presented by Jonathan Aldrich.
Question of the Day  On a game show you’re given the choice of three doors: Behind one door is a car; behind the others, goats. After you pick a door,
Generic Ownership for Generic Java Alex Potanin, Dave Clarke (CWI) James Noble, Robert Biddle (Carleton)
Generics and Collections. Introduction Generics New feature of J2SE 5.0 Provide compile-time type safety Catch invalid types at compile time Generic methods.
Java 5 Part 1 CSE301 University of Sunderland Harry Erwin, PhD.
1/20/03A2-1 CS494 Interfaces and Collection in Java.
User-defined type checkers for error detection and prevention in Java Michael D. Ernst MIT Computer Science & AI Lab
Design Patterns Gang Qian Department of Computer Science University of Central Oklahoma.
C++ Memory Overview 4 major memory segments Key differences from Java
A Universe-Type-Based Verification Technique for Mutable Static Fields and Methods Alexander J Summers Sophia Drossopoulou Imperial College London Peter.
1 Generics Chapter 21 Liang, Introduction to Java Programming.
Topic 1 Object Oriented Programming. 1-2 Objectives To review the concepts and terminology of object-oriented programming To discuss some features of.
(c) University of Washington15-1 CSC 143 Java List Implementation via Arrays Reading: 13.
CSE 332: Design Patterns Review: Design Pattern Structure A design pattern has a name –So when someone says “Adapter” you know what they mean –So you can.
Spec# Andreas Vida. Motivation Correct and maintainable software Correct and maintainable software Cost effective software production Cost effective software.
A Type System for Borrowing Permissions Karl Naden, Rob Bocchino Jonathan Aldrich, Kevin Bierhoff POPL – January 27, 2012 School of Computer Science.
Featherweight Generic Ownership Alex Potanin, James Noble Victoria University of Wellington Dave Clarke CWI, Netherlands Robert Biddle Carlton University.
Chapter 10: Classes and Data Abstraction. Objectives In this chapter, you will: Learn about classes Learn about private, protected, and public members.
UMass Lowell Computer Science Java and Distributed Computing Prof. Karen Daniels Fall, 2000 Lecture 9 Java Fundamentals Objects/ClassesMethods Mon.
Final Review. From ArrayLists to Arrays The ArrayList : used to organize a list of objects –It is a class in the Java API –the ArrayList class uses an.
1 CSE 331 Generics (Parametric Polymorphism) slides created by Marty Stepp based on materials by M. Ernst, S. Reges, D. Notkin, R. Mercer, Wikipedia
©SoftMoore ConsultingSlide 1 Generics “Generics constitute the most significant change in the Java programming language since the 1.0 release.” – Cay Horstmann.
Just Enough Type Theory or, Featherweight Java A Simple Formal Model of Objects Jonathan Aldrich
Enterprise Java Java SE 5 TM Language Feature Enhancement Primary Source: New Features and Enhancements J2SE 5.0
SWE 4743 Abstract Data Types Richard Gesick. SWE Abstract Data Types Object-oriented design is based on the theory of abstract data types Domain.
Copyright (c) Systems and Computer Engineering, Carleton University * Object-Oriented Software Development Unit 13 The Collections Framework.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
Chapter 10: Classes and Data Abstraction. Classes Object-oriented design (OOD): a problem solving methodology Objects: components of a solution Class:
Zach Tatlock / Winter 2016 CSE 331 Software Design and Implementation Lecture 13 Generics 1.
ReIm & ReImInfer: Checking and Inference of Reference Immutability and Method Purity Wei Huang 1, Ana Milanova 1, Werner Dietl 2, Michael D. Ernst 2 1.
CS 367 Introduction to Data Structures Charles N. Fischer Fall s367.html.
Collections Dwight Deugo Nesa Matic
UMass Lowell Computer Science Java and Distributed Computing Prof. Karen Daniels Fall, 2000 Lecture 10 Java Fundamentals Objects/ClassesMethods.
Value Types. 2 Objectives Discuss concept of value types –efficiency –memory management –value semantics –boxing –unboxing –simple types Introduce struct.
Creating and Using Objects, Exceptions, Strings
Types for Programs and Proofs
Java Programming: Guided Learning with Early Objects
Java Primer 1: Types, Classes and Operators
Java Collections Overview
Lecture 9 Concepts of Programming Languages
Objects and Aspects: What we’ve seen so far
Computer Science 340 Software Design & Testing
Lecture 9 Concepts of Programming Languages
Presentation transcript:

Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington

November 8, 2002AliasJava - OOPSLA '022 Building Big Systems is Hard The ArchJava Project –Software architecture for managing complexity –Previous work: control flow ICSE ’02, ECOOP ’02 –This paper: data sharing component Acomponent Bcomponent C calls shared data

November 8, 2002AliasJava - OOPSLA '023 Why Specify Data Sharing? Evolve programs –Modify component A to update data lazily Improves efficiency –Must update component C as well! Might not be obvious without sharing specification component Acomponent Bcomponent C calls shared data

November 8, 2002AliasJava - OOPSLA '024 Maintain Invariants _ class SynchronizedSet { Set backingSet; synchronized boolean add(Object o) { return backing.add(o); Synchronization wrappers –Wrap a collections methods –Synchronize before invoking method Wrapper invariant –Must access backing set only through wrapper set wrapper client X

November 8, 2002AliasJava - OOPSLA '025 Avoid Security Holes (JDK 1.1.1) public class Class { public Object[] getSigners() { return signers; } Returns an internal array, rather than a copy Allows untrusted clients access –Can change the list of signatures for a class signers Class client X

November 8, 2002AliasJava - OOPSLA '026 Type-based Approaches Many previous systems –Uniqueness [Minsky, Boyland…] –Ownership types [Clarke et al, Boyapati et al...] Advantages –Modular, efficient checking –Documents aliasing in the code Challenges –Express common idioms –Support for Java constructs –Usability in practice

November 8, 2002AliasJava - OOPSLA '027 Outline AliasJava: alias annotations for Java –Combines uniqueness and ownership Supports full language –Arrays, casts, iterators, inner classes, subtyping Algorithm infers annotations Guarantee of properties Evaluated on library, application code

November 8, 2002AliasJava - OOPSLA '028 Annotations: Unique static unique Set… synchronizedSet…(unique Set… s) { return new SynchronizedSet…(s); } // s is dead after use in constructor // o goes out of scope here unique objects have no persistent aliases –Newly allocated objects Can only use once –Variable must be dead after use set Unique reference

November 8, 2002AliasJava - OOPSLA '029 Annotations: Unique static unique Set… synchronizedSet…(unique Set… s) { return new SynchronizedSet…(s); } // s is dead after use in constructor // o goes out of scope here unique objects have no persistent aliases –Newly allocated objects Can only use once –Variable must be dead after use setUnique reference X

November 8, 2002AliasJava - OOPSLA '0210 Annotations: Owned private owned Object[…] signers; public Object[…] getSigners() { return signers; } owned objects confined within their owner –Aliasing allowed within owner Cannot return owned state to clients Making a copy fixes the security hole Compile-time error Class signers client X

November 8, 2002AliasJava - OOPSLA '0211 Annotations: Owned private owned Object[…] signers; public unique Object[…] getSigners() { return arraycopy(signers); } owned objects confined within their owner –Aliasing allowed within owner Cannot return owned state to clients Making a copy fixes the security hole Class signers client copy

November 8, 2002AliasJava - OOPSLA '0212 Annotations: Parameters class ArrayList { private owned Object[elem_owner] elems; void add(int i, elem_owner Object o) { elems[i] = o; } Parameterized by element owner Method parameterization also supported owner element List array

November 8, 2002AliasJava - OOPSLA '0213 Annotations: Shared static shared Object singleton; unique Object[shared] getSigners() { return arraycopy(signers); } shared objects may be globally aliased –Singletons –Static fields –Global data Conceptually “owned by the system” shared

November 8, 2002AliasJava - OOPSLA '0214 Annotations: Lent int find(lent Object o) { for (int i = 0;...) { if elems[i] == o return i; Temporary alias of unique/owned object –Used for duration of method –Cannot store in fields Syntactically default

November 8, 2002AliasJava - OOPSLA '0215 Annotation Flow unique Object uniq = new Object(); owned Object own = uniq; lent Object l = own; shared Object sh = own; // error unique owned lent sharedparam1 param2...

November 8, 2002AliasJava - OOPSLA '0216 Implementation AliasJava supports all features of Java –Subtyping –Inner classes –Casts Interoperates with existing code –Just annotate the interface of legacy libraries Checking is dynamic only where Java’s is –run-time type information for alias parameters –checks at casts and array writes

November 8, 2002AliasJava - OOPSLA '0217 Annotation Inference class ArrayList { private owned Object elems[A]; void put(int i, A Object o) { elems[i] = o; } Saves tedious annotation work Infers general annotations –Edit annotations to improve understandability –Future work: annotation assistant

November 8, 2002AliasJava - OOPSLA '0218 Properties: Ownership Common property: owners-as-dominators All paths to owned objects go through owner Prevents clients from accessing owned state –Clarke et al.: allow owned objects on stack Patterns like Observer are prohibited –Boyapati et al.: inner classes may access owned state Can’t implement Iterators/Observers with ordinary classes owned array ClientArrayList X

November 8, 2002AliasJava - OOPSLA '0219 Properties: Ownership Common property: owners-as-dominators All paths to owned objects go through owner Problem: Iterators violate owners-as-dominators –Clarke et al.: allow Iterators on stack Patterns like Observer prohibited –Boyapati et al.: inner classes access owned state Can’t implement with ordinary classes owned array ClientArrayList Iterator X

November 8, 2002AliasJava - OOPSLA '0220 Properties: Ownership Common property: owners-as-dominators All paths to owned objects go through owner Problem: Iterators violate owners-as-dominators –Clarke et al.: allow Iterators on stack Patterns like Command prohibited –Boyapati et al., Clarke: inner classes access owned state Can’t implement with ordinary classes state ClientDocument Command X

November 8, 2002AliasJava - OOPSLA '0221 Ownership Capability Model Owned objects are only accessible by their owner and the objects to which it grants a capability General model –Owner grants a capability to trusted objects

November 8, 2002AliasJava - OOPSLA '0222 Ownership Capability Model Owned objects are only accessible by their owner and the objects to which it grants a capability class ArrayList { private owned Object elems[elem_owner]; unique Iterator iterator() { return new ArrayItr (elems); owned capability –Access to ArrayList’s owned state –Passed via static parameterization –ArrayList controls who accesses state

November 8, 2002AliasJava - OOPSLA '0223 Ownership Capability Model Owned objects are only accessible by their owner and the objects to which it grants a capability class ArrayList { private owned Object elems[elem_owner]; unique Iterator iterator() { return new ArrayItr (elems); Compare annotations –owned parameter lost by subsumption –Clients cannot access owned state

November 8, 2002AliasJava - OOPSLA '0224 Ownership Capability Model Owned objects are only accessible by their owner and the objects to which it grants a capability int find(lent Object o) lent capability –Temporary permission to access owned state –find can access o for duration of call

November 8, 2002AliasJava - OOPSLA '0225 Properties: Uniqueness If a variable is unique, it has no aliases other than lent variables on the stack Reasoning –No aliases in heap data structures –Still must track lent aliases on the stack Extension: Alias Burying [Boyland] –When a unique var is read, all aliases are dead –Requires read/write effect specifications

November 8, 2002AliasJava - OOPSLA '0226 AliasFJ : A Formal Framework Based on Featherweight Java [OOPSLA 99] –Includes unique, owned, parameters, and lent Benefits –Precise semantics –Shows how properties are enforced Theorems –Type safety –Ownership property –Uniqueness property

November 8, 2002AliasJava - OOPSLA '0227 Evaluation: java.util.Hashtable public class Hashtable extends Dictionary { value_owner Object get(key_owner Object k) {... Annotated and checked Hashtable –1000 lines of code, 2.5 hours –Annotated some library functions Experience –Annotations were natural, easy to add –Changed code in only one place

November 8, 2002AliasJava - OOPSLA '0228 Enforcing Library Invariants static unique Set synchronizedSet (unique Set s) { return new SynchronizedSet (s); } Javadoc comment: In order to guarantee serial access, it is critical that all access to the backing set is accomplished through the returned set. AliasJava: argument is unique –Therefore, there are no aliases to the backing set

November 8, 2002AliasJava - OOPSLA '0229 Evaluation: Aphyds Pedegogical circuit layout application –Blackboard Architecture Annotated functional core of system –7 classes, 3500 lines of code Showed sharing of circuit elements Circuit DBPartition Place Route Floorplan ChannelRoute

November 8, 2002AliasJava - OOPSLA '0230 Evaluation: Aphyds Pedegogical circuit layout application –Blackboard Architecture Annotated functional core of system –7 classes, 3500 lines of code Showed sharing of circuit elements Circuit DBPartition Place Route Floorplan ChannelRoute circuit objects

November 8, 2002AliasJava - OOPSLA '0231 More in the Paper Application to software architecture Detailed semantics Implementation technique Inference algorithm Case study on 3000 lines of application code

November 8, 2002AliasJava - OOPSLA '0232 AliasJava Combines object ownership and uniqueness Aids reasoning in large systems Expressive enough to use in existing code Try out AliasJava!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.