ReIm & ReImInfer: Checking and Inference of Reference Immutability and Method Purity Wei Huang 1, Ana Milanova 1, Werner Dietl 2, Michael D. Ernst 2 1.

Slides:



Advertisements
Similar presentations
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Advertisements

Effective Static Deadlock Detection
Identity and Equality Based on material by Michael Ernst, University of Washington.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
CS7100 (Prasad)L16-7AG1 Attribute Grammars Attribute Grammar is a Framework for specifying semantics and enables Modular specification.
Object and Reference Immutability using Java Generics Yoav Zibin, Alex Potanin(*), Mahmood Ali, Shay Artzi, Adam Kiezun, and Michael D. Ernst MIT Computer.
Preventing bugs with pluggable type checking Michael D. Ernst University of Washington Object x)
Generic programming in Java
1 Practical Object-sensitive Points-to Analysis for Java Ana Milanova Atanas Rountev Barbara Ryder Rutgers University.
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.
Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta.
Purity Analysis : Abstract Interpretation Formulation Ravichandhran Madhavan, G. Ramalingam, Kapil Vaswani Microsoft Research, India.
Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington.
Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.
1 Control Flow Analysis Mooly Sagiv Tel Aviv University Textbook Chapter 3
A Type-Checked Restrict Qualifier Jeff Foster OSQ Retreat May 9-10, 2001.
Compile-Time Deallocation of Individual Objects Sigmund Cherem and Radu Rugina International Symposium on Memory Management June, 2006.
Templates. Objectives At the conclusion of this lesson, students should be able to Explain how function templates are used Correctly create a function.
Javari: Adding Reference Immutability to Java Matthew Tschantz and Michael Ernst MIT CSAIL.
PRESTO: Program Analyses and Software Tools Research Group, Ohio State University STATIC ANALYSES FOR JAVA IN THE PRESENCE OF DISTRIBUTED COMPONENTS AND.
Control Flow Resolution in Dynamic Language Author: Štěpán Šindelář Supervisor: Filip Zavoral, Ph.D.
Inference and Checking of Object Ownership Wei Huang 1, Werner Dietl 2, Ana Milanova 1, Michael D. Ernst 2 1 Rensselaer Polytechnic Institute 2 University.
1 Effective Static Race Detection for Java Mayur, Alex, CS Department Stanford University Presented by Roy Ganor 14/2/08 Point-To Analysis Seminar.
Preventing bugs with pluggable type checking Michael Ernst and Mahmood Ali University of Washington and MIT OOPSLA 2009 tutorial Object.
Inferring Specifications to Detect Errors in Code Mana Taghdiri Presented by: Robert Seater MIT Computer Science & AI Lab.
Ownership and Immutability in Generic Java (OIGJ) Yoav Zibin +, Alex Potanin * Paley Li *, Mahmood Ali ^, and Michael Ernst $ Presenter: Yossi Gil + +
Existential Quantification for Variant Ownership Nicholas Cameron Sophia Drossopoulou Imperial College London (Victoria University of Wellington)‏
Java Objects and Classes. Overview n Creating objects that belong to the classes in the standard Java library n Creating your own classes.
MD – Object Model Domain eSales Checker Presentation Régis Elling 26 th October 2005.
DoubleChecker: Efficient Sound and Precise Atomicity Checking Swarnendu Biswas, Jipeng Huang, Aritra Sengupta, and Michael D. Bond The Ohio State University.
User-defined type checkers for error detection and prevention in Java Michael D. Ernst MIT Computer Science & AI Lab
Design Patterns Gang Qian Department of Computer Science University of Central Oklahoma.
Java Programming: Guided Learning with Early Objects Chapter 11 Recursion.
C/C++ 3 Yeting Ge. Static variables Static variables is stored in the static storage. Static variable will be initialized once. 29.cpp 21.cpp.
IDENTIFYING SEMANTIC DIFFERENCES IN ASPECTJ PROGRAMS Martin Görg and Jianjun Zhao Computer Science Department, Shanghai Jiao Tong University.
Adapting Side-Effects Analysis for Modular Program Model Checking M.S. Defense Oksana Tkachuk Major Professor: Matthew Dwyer Support US National Science.
11th Nov 2004PLDI Region Inference for an Object-Oriented Language Wei Ngan Chin 1,2 Joint work with Florin Craciun 1, Shengchao Qin 1,2, Martin.
Javari: Adding Reference Immutability to Java Rauno Ots Matthew S. Tschantz Michael D. Ernst MIT CSAIL 2005.
3C-1 Purity Typing Language semantics Inheritance model  Single vs. Multiple inheritance  Common root Modular mechanisms Generics Object Oriented Languages.
Reducing Combinatorics in Testing Product Lines Chang Hwan Peter Kim, Don Batory, and Sarfraz Khurshid University of Texas at Austin.
Difficult Specifications in Javari Immutability Inference Jaime Quinonez Program Analysis Group April 20, 2007.
CS 343 presentation Concrete Type Inference Department of Computer Science Stanford University.
LECTURE 20: RECURSION CSC 212 – Data Structures. Humorous Asides.
1 Javari: Adding Reference Immutability to Java Matthew Tschantz & Michael Ernst (MIT) OOPSLA’05 Presented by Tali Shragai.
Java Annotations for Types and Expressions Mathias Ricken October 24, 2008 COMP 617 Seminar.
STL CSSE 250 Susan Reeder. What is the STL? Standard Template Library Standard C++ Library is an extensible framework which contains components for Language.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
Pointer Analysis – Part I CS Pointer Analysis Answers which pointers can point to which memory locations at run-time Central to many program optimization.
5/7/03ICSE Fragment Class Analysis for Testing of Polymorphism in Java Software Atanas (Nasko) Rountev Ohio State University Ana Milanova Barbara.
Sept 12ICSM'041 Precise Identification of Side-Effect-Free Methods in Java Atanas (Nasko) Rountev Ohio State University.
JAVA: An Introduction to Problem Solving & Programming, 6 th Ed. By Walter Savitch ISBN © 2012 Pearson Education, Inc., Upper Saddle River,
Zach Tatlock / Winter 2016 CSE 331 Software Design and Implementation Lecture 13 Generics 1.
Static Resolution of Implicit Control Flow for Reflection and Message-Passing Paulo Barros, René Just, Suzanne Millstein, Paul Vines, Werner Dietl, Marcelo.
Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with Mahmood Ali and Matthew Papi Object.
Preventing bugs with pluggable type-checking Michael Ernst MIT
ECE 750 Topic 8 Meta-programming languages, systems, and applications Automatic Program Specialization for J ava – U. P. Schultz, J. L. Lawall, C. Consel.
Optimization Simone Campanoni
Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting Tian Tan, Yue Li and Jingling Xue SAS 2016 September,
TK1924 Program Design & Problem Solving Session 2011/2012
Javarifier: inference of reference immutability
Combined Static and Dynamic Mutability Analysis
Compositional Pointer and Escape Analysis for Java Programs
Points-to Analysis for Java Using Annotated Constraints
JPure: a Modular Purity System for Java
자바 언어를 위한 정적 분석 (Static Analyses for Java) ‘99 한국정보과학회 가을학술발표회 튜토리얼
Presentation transcript:

ReIm & ReImInfer: Checking and Inference of Reference Immutability and Method Purity Wei Huang 1, Ana Milanova 1, Werner Dietl 2, Michael D. Ernst 2 1 Rensselaer Polytechnic Institute 2 University of Washington 1

Reference Immutability 2 Date rd md rd.setHours(2); ✗ Readonly Date md.setHours(3); ✓ Mutable Date

Motivating Example 3 class Class{ private Object [] signers; public Object return signers; }... Object [] getSigners() { [] signers = getSigners(); signers[0] = maliciousClass; A real security flaw in Java 1.1

Reference Immutability Solution 4 class Class{ private Object [] signers; public Object return signers; }... Object readonly [] getSigners() { [] signers = getSigners(); readonly ✗ signers[0] = maliciousClass;

Contributions ReIm: A context-sensitive type system for reference immutability ReImInfer: An inference algorithm for ReIm Method purity − an application of ReIm Implementation and evaluation 5

Motivation for ReIm and ReImInfer Concrete need for method purity ◦ Available tools unstable and/or imprecise Javari [Tschantz & Ernst OOPSLA’05] and Javarifier [Quinonez et al. ECOOP’08] separate immutability of a container from its elements ◦ Unsuitable for purity inference Javarifier can be slow 6

Overview Source Code Set-based Solver Extract Concrete Typing Preference Ranking over Qualifiers Type Checkin g 7 ReIm Typing Rules Set-based Solution Maximal Typing

Immutability Qualifiers mutable ◦ A mutable reference can be used to mutate the referent readonly ◦ A readonly reference cannot be used to mutate the referent 8 readonly C x = …; x.f = z; // not allowed x.setField(z); // not allowed

Context-insensitive Typing 9 class DateCell { mutable Date date; mutable Date getDate(mutable DateCell this){ return this.date; } void setHours(mutable DateCell this) { Date md = this.getDate(); md.hours = 1; } int getHours(mutable DateCell this) { Date rd = this.getDate(); int hour = rd.hours; return hour; } mutable readonly mutable It could have been readonly

Immutability Qualifiers polyread ◦ The mutability of a polyread reference depends on the context 10 class C { polyread D f;... }... mutable C c1 =...; c1.f.g = 0; // allowed readonly C c2 =...; c2.f.g = 0; // not allowed

ReIm Typing 11 class DateCell { polyread Date date; polyread Date getDate(polyread DateCell this){ return this.date; } void setHours(mutable DateCell this) { mutable Date md = md.hour = 1; } int getHours(readonly DateCell this) { readonly Date rd = int hour = rd.hour; return hour; } this.getDate(); Instantiated to mutable Instantiated to readonly It is readonly

Viewpoint Adaptation Encodes context sensitivity ◦ Adapts a type from the viewpoint of another type ◦ Viewpoint adaptation operation: 12 O1O1 O1O1 O2O2 O2O2 O3O3 O3O3

Generalizes Viewpoint Adaptation Traditional viewpoint adaptation [Dietl & Müller JOT’05] ◦ Always adapts from the viewpoint of receiver  x in field access x.f  y in method call y.m(z) ReIm adapts from different viewpoints ◦ receiver at field access  x in x.f ◦ left-hand-side of call assignment at method call  x in x = y.m(z) 13

Viewpoint Adaptation Example 14 class DateCell { polyread Date date; polyread Date getDate( DateCell this){ return } void setHours(mutable DateCell this) { mutable Date md = md.hour = 1; } int getHours(readonly DateCell this) { readonly Date rd = int hour = rd.hour; return hour; } this.getDate(); this.date; polyread mutable readonly polyread

Subtyping Hierarchy mutable <: polyread <: readonly 15 mutable Object mo; polyread Object po; readonly Object ro; ro = po; ✓ po = ro; ✗ ro = mo; ✓ mo = ro; ✗ po = mo; ✓ mo = po; ✗

Typing Rules 16 (TREAD) T ( TCALL ) T (TWRITE) T

Outline ReIm type system Inference algorithm for ReIm Method purity inference Implementation and evaluation 17

Set-based Solver Set Mapping S : ◦ variable  {readonly, polyread, mutable} Iterates over statements s ◦ f s removes infeasible qualifiers for each variable in s according to the typing rule Until ◦ Reaches a fixpoint 18

Inference Example 19 class DateCell { Date date; Date getDate( DateCell this){ return this.date; } void setHours( DateCell this) { Date md = this.getDate(); md.hour = 2; } {readonly,polyread,mutable}

Inference Example 20 class DateCell { Date date; Date getDate( DateCell this){ return this.date; } void setHours( DateCell this) { Date md = this.getDate(); md.hour = 2; } {readonly,polyread,mutable}

Inference Example 21 class DateCell { Date date; Date getDate( DateCell this){ return this.date; } void setHours( DateCell this) { Date md = this.getDate(); md.hour = 2; } {readonly,polyread,mutable}

Inference Example 22 class DateCell { Date date; Date getDate( DateCell this){ return this.date; } void setHours( DateCell this) { Date md = this.getDate(); md.hour = 2; } {readonly,polyread,mutable}

Inference Example 23 class DateCell { Date date; Date getDate( DateCell this){ return this.date; } void setHours( DateCell this) { Date md = this.getDate(); md.hour = 2; } {readonly,polyread,mutable}

Maximal Typing 24 class DateCell { Date date; Date getDate( DateCell this){ return this.date; } void setHours( DateCell this) { Date md = this.getDate(); md.hour = 2; } {readonly,polyread,mutable} Ranking: readonly > polyread > mutable Ranking: readonly > polyread > mutable Maximal Typing: Pick the maximal qualifier from each set Maximal Typing: Pick the maximal qualifier from each set Maximal Typing always provably type checks!

Outline ReIm type system Inference algorithm for ReIm Method purity inference Implementation and evaluation 25

Purity A method is pure if it does not mutate any object that exists in prestates [S ă lcianu & Rinard VMCAI’05] If a method does not access static states ◦ The prestates are from parameters ◦ If any of the parameters is mutable, the method is impure; otherwise, it is pure 26

Purity Example 27 class List { Node head; int len; void add(mutable Node this, mutable Node n) { n.next = this.head; this.head = n; this.len++; } int size(readonly Node this) { return this.len; } impure pure

Outline ReIm type system Inference algorithm for ReIm Method purity inference Implementation and evaluation 28

Implementation Built on top of the Checker Framework [Papi et al. ISSTA’08, Dietl et al. ICSE’11] Extends the framework to specify: ◦ Ranking over qualifiers ◦ Viewpoint adaptation operation Publicly available at ◦ 29

Reference Immutability Evaluation benchmarks, comprising 766K LOC in total ◦ 4 whole Java programs and 9 Java libraries Comparison with Javarifier [Quinonez et al. ECOOP’08] ◦ Equally precise results  Differences are due to different semantics of Javari and ReIm ◦ Better scalability

Reference Immutability Results 31

Performance Comparison 32

Purity Evaluation Comparison with JPPA [S ă lcianu & Rinard VMCAI’05] and JPure [Pearce CC’11] ◦ Equal or better precision  Differences are due to different definitions of purity ◦ Works with both whole programs and libraries ◦ More robust! 33

Purity Inference Results 34

Related Work Javari [Tschantz & Ernst OOPSLA’05] and Javarifier [Quinonez et al. ECOOP’08] ◦ Javari allows excluding fields from state ◦ Handles generics and arrays differently JPPA [S ă lcianu & Rinard VMCAI’05] ◦ Relies on pointer and escape analysis ◦ Works on whole program JPure [Pearce CC’11] ◦ Modular purity system for Java ◦ Exploits freshness and locality 35

Conclusions A type system for reference immutability An efficient type inference algorithm Method purity inference Evaluation on 766 kLOC Publicly available at ◦ 36

Conclusions A type system for reference immutability An efficient type inference algorithm Method purity inference Evaluation on 766 kLOC Publicly available at ◦ 37

Benchmarks 38

Precision Evaluation on JOlden 39

Precision Comparison Compare with Javarifier [Quinonez et al. ECOOP’08] JOlden benchmark ◦ 34 differences from Javarifier, out of 758 identifiable references Other benchmarks ◦ Randomly select 4 classes from each benchmarks ◦ 2 differences from Javarifier, out of 868 identifiable references 40

Method Purity A method is pure if it does not mutate any object that exists in prestates Applications ◦ Compiler optimization [ Lhoták & Hendren CC’05 ] ◦ Model checking [ Tkachuk & Dwyer ESEC/FSE’03 ] ◦ Atomicity [ Flanagna et al. TOSE’05 ] 41

Prestates From Static Fields Static immutability type for each method can be ◦ mutable: m mutates static states ◦ readonly: m never mutates static states ◦ polyread: m never mutates static states, but the static states it returns to its callers are mutated 42 polyread X static get() { return sf;}... polyread X x = get(); x.f = 0; q get = polyread

Extended Typing Rules 43 (TSWRITE) T (TSREAD) T Extends ReIm typing rules to enforce static immutability types

Example 44 void m() { // a static field read y = x.f; z = id(y); z.g = 0;... } x = sf; Extended typing rule (TSREAD) enforce Because q x is mutable, then q m is mutable

Infer Purity q m is inferred as immutability types Each method m is mapped to S (m) = {readonly, polyread, mutable} and solved by the set-based solver The purity of m is decided by: 45

Precision Comparison Compare with Javarifier [ Quinonez et al. ECOOP’08 ] 36 differences from Javarifier, out of 1526 identifiable references ◦ Due to different semantics of Javari and ReIm 46

Summary ReImInfer produces equally precise results ReImInfer scales better than Javarifier 47

Precision Comparison with JPPA 59 differences from JPPA out of 326 user methods for JOlden benchmark ◦ 4 are due to differences in definitions/assumptions ◦ 51 are due to limitations/bugs in JPPA ◦ 4 are due to limitations in ReImInfer 48

Precision Comparison with JPure 60 differences from JPure out of 257 user methods for JOlden benchmark, excluding the BH program ◦ 29 differences are caused by different definitions/assumptions ◦ 29 differences are caused by limitations/bugs in JPure ◦ 2 are caused by limitations in ReImInfer 49

Summary ReImInfer shows good precision compared to JPPA and JPure ReImInfer scales well to large programs ReImInfer works with both whole programs and libraries ReImInfer is robust! 50

Viewpoint Adaptation Example 51 class DateCell { polyread Date date; polyread Date getDate( DateCell this){ return } void setHours(mutable DateCell this) { mutable Date md = md.hour = 1; } int getHours(readonly DateCell this) { readonly Date rd = int hour = rd.hour; return hour; } this.getDate(); this.date; polyread polyread mutable readonly polyread

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.