Alias Annotations for Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers...
Preview:
Citation preview
- Slide 1
- Alias Annotations for Program Understanding Jonathan Aldrich
Valentin Kostadinov Craig Chambers University of Washington
- Slide 2
- November 8, 2002AliasJava - OOPSLA '022 Building Big Systems is
Hard The ArchJava Project Software architecture for managing
complexity Previous work: control flow ICSE 02, ECOOP 02 This
paper: data sharing component Acomponent Bcomponent C calls shared
data
- Slide 3
- November 8, 2002AliasJava - OOPSLA '023 Why Specify Data
Sharing? Evolve programs Modify component A to update data lazily
Improves efficiency Must update component C as well! Might not be
obvious without sharing specification component Acomponent
Bcomponent C calls shared data
- Slide 4
- November 8, 2002AliasJava - OOPSLA '024 Maintain Invariants _
class SynchronizedSet { Set backingSet; synchronized boolean
add(Object o) { return backing.add(o); Synchronization wrappers
Wrap a collections methods Synchronize before invoking method
Wrapper invariant Must access backing set only through wrapper set
wrapper client X
- Slide 5
- November 8, 2002AliasJava - OOPSLA '025 Avoid Security Holes
(JDK 1.1.1) public class Class { public Object[] getSigners() {
return signers; } Returns an internal array, rather than a copy
Allows untrusted clients access Can change the list of signatures
for a class signers Class client X
- Slide 6
- November 8, 2002AliasJava - OOPSLA '026 Type-based Approaches
Many previous systems Uniqueness [Minsky, Boyland] Ownership types
[Clarke et al, Boyapati et al...] Advantages Modular, efficient
checking Documents aliasing in the code Challenges Express common
idioms Support for Java constructs Usability in practice
- Slide 7
- November 8, 2002AliasJava - OOPSLA '027 Outline AliasJava:
alias annotations for Java Combines uniqueness and ownership
Supports full language Arrays, casts, iterators, inner classes,
subtyping Algorithm infers annotations Guarantee of properties
Evaluated on library, application code
- Slide 8
- November 8, 2002AliasJava - OOPSLA '028 Annotations: Unique
static unique Set synchronizedSet(unique Set s) { return new
SynchronizedSet(s); } // s is dead after use in constructor // o
goes out of scope here unique objects have no persistent aliases
Newly allocated objects Can only use once Variable must be dead
after use set Unique reference
- Slide 9
- November 8, 2002AliasJava - OOPSLA '029 Annotations: Unique
static unique Set synchronizedSet(unique Set s) { return new
SynchronizedSet(s); } // s is dead after use in constructor // o
goes out of scope here unique objects have no persistent aliases
Newly allocated objects Can only use once Variable must be dead
after use setUnique reference X
- Slide 10
- November 8, 2002AliasJava - OOPSLA '0210 Annotations: Owned
private owned Object[] signers; public Object[] getSigners() {
return signers; } owned objects confined within their owner
Aliasing allowed within owner Cannot return owned state to clients
Making a copy fixes the security hole Compile-time error Class
signers client X
- Slide 11
- November 8, 2002AliasJava - OOPSLA '0211 Annotations: Owned
private owned Object[] signers; public unique Object[] getSigners()
{ return arraycopy(signers); } owned objects confined within their
owner Aliasing allowed within owner Cannot return owned state to
clients Making a copy fixes the security hole Class signers client
copy
- Slide 12
- November 8, 2002AliasJava - OOPSLA '0212 Annotations:
Parameters class ArrayList { private owned Object[elem_owner]
elems; void add(int i, elem_owner Object o) { elems[i] = o; }
Parameterized by element owner Method parameterization also
supported owner element List array
- Slide 13
- November 8, 2002AliasJava - OOPSLA '0213 Annotations: Shared
static shared Object singleton; unique Object[shared] getSigners()
{ return arraycopy(signers); } shared objects may be globally
aliased Singletons Static fields Global data Conceptually owned by
the system shared
- Slide 14
- November 8, 2002AliasJava - OOPSLA '0214 Annotations: Lent int
find(lent Object o) { for (int i = 0;...) { if elems[i] == o return
i; Temporary alias of unique/owned object Used for duration of
method Cannot store in fields Syntactically default
- Slide 15
- November 8, 2002AliasJava - OOPSLA '0215 Annotation Flow unique
Object uniq = new Object(); owned Object own = uniq; lent Object l
= own; shared Object sh = own; // error unique owned lent
sharedparam1 param2...
- Slide 16
- November 8, 2002AliasJava - OOPSLA '0216 Implementation
AliasJava supports all features of Java Subtyping Inner classes
Casts Interoperates with existing code Just annotate the interface
of legacy libraries Checking is dynamic only where Javas is
run-time type information for alias parameters checks at casts and
array writes
- Slide 17
- November 8, 2002AliasJava - OOPSLA '0217 Annotation Inference
class ArrayList { private owned Object elems[A]; void put(int i, A
Object o) { elems[i] = o; } Saves tedious annotation work Infers
general annotations Edit annotations to improve understandability
Future work: annotation assistant
- Slide 18
- November 8, 2002AliasJava - OOPSLA '0218 Properties: Ownership
Common property: owners-as-dominators All paths to owned objects go
through owner Prevents clients from accessing owned state Clarke et
al.: allow owned objects on stack Patterns like Observer are
prohibited Boyapati et al.: inner classes may access owned state
Cant implement Iterators/Observers with ordinary classes owned
array ClientArrayList X
- Slide 19
- November 8, 2002AliasJava - OOPSLA '0219 Properties: Ownership
Common property: owners-as-dominators All paths to owned objects go
through owner Problem: Iterators violate owners-as-dominators
Clarke et al.: allow Iterators on stack Patterns like Observer
prohibited Boyapati et al.: inner classes access owned state Cant
implement with ordinary classes owned array ClientArrayList
Iterator X
- Slide 20
- November 8, 2002AliasJava - OOPSLA '0220 Properties: Ownership
Common property: owners-as-dominators All paths to owned objects go
through owner Problem: Iterators violate owners-as-dominators
Clarke et al.: allow Iterators on stack Patterns like Command
prohibited Boyapati et al., Clarke: inner classes access owned
state Cant implement with ordinary classes state ClientDocument
Command X
- Slide 21
- November 8, 2002AliasJava - OOPSLA '0221 Ownership Capability
Model Owned objects are only accessible by their owner and the
objects to which it grants a capability General model Owner grants
a capability to trusted objects
- Slide 22
- November 8, 2002AliasJava - OOPSLA '0222 Ownership Capability
Model Owned objects are only accessible by their owner and the
objects to which it grants a capability class ArrayList { private
owned Object elems[elem_owner]; unique Iterator iterator() { return
new ArrayItr (elems); owned capability Access to ArrayLists owned
state Passed via static parameterization ArrayList controls who
accesses state
- Slide 23
- November 8, 2002AliasJava - OOPSLA '0223 Ownership Capability
Model Owned objects are only accessible by their owner and the
objects to which it grants a capability class ArrayList { private
owned Object elems[elem_owner]; unique Iterator iterator() { return
new ArrayItr (elems); Compare annotations owned parameter lost by
subsumption Clients cannot access owned state
- Slide 24
- November 8, 2002AliasJava - OOPSLA '0224 Ownership Capability
Model Owned objects are only accessible by their owner and the
objects to which it grants a capability int find(lent Object o)
lent capability Temporary permission to access owned state find can
access o for duration of call
- Slide 25
- November 8, 2002AliasJava - OOPSLA '0225 Properties: Uniqueness
If a variable is unique, it has no aliases other than lent
variables on the stack Reasoning No aliases in heap data structures
Still must track lent aliases on the stack Extension: Alias Burying
[Boyland] When a unique var is read, all aliases are dead Requires
read/write effect specifications
- Slide 26
- November 8, 2002AliasJava - OOPSLA '0226 AliasFJ : A Formal
Framework Based on Featherweight Java [OOPSLA 99] Includes unique,
owned, parameters, and lent Benefits Precise semantics Shows how
properties are enforced Theorems Type safety Ownership property
Uniqueness property
- Slide 27
- November 8, 2002AliasJava - OOPSLA '0227 Evaluation:
java.util.Hashtable public class Hashtable extends Dictionary {
value_owner Object get(key_owner Object k) {... Annotated and
checked Hashtable 1000 lines of code, 2.5 hours Annotated some
library functions Experience Annotations were natural, easy to add
Changed code in only one place
- Slide 28
- November 8, 2002AliasJava - OOPSLA '0228 Enforcing Library
Invariants static unique Set synchronizedSet (unique Set s) {
return new SynchronizedSet (s); } Javadoc comment: In order to
guarantee serial access, it is critical that all access to the
backing set is accomplished through the returned set. AliasJava:
argument is unique Therefore, there are no aliases to the backing
set
- Slide 29
- November 8, 2002AliasJava - OOPSLA '0229 Evaluation: Aphyds
Pedegogical circuit layout application Blackboard Architecture
Annotated functional core of system 7 classes, 3500 lines of code
Showed sharing of circuit elements Circuit DBPartition Place Route
Floorplan ChannelRoute
- Slide 30
- November 8, 2002AliasJava - OOPSLA '0230 Evaluation: Aphyds
Pedegogical circuit layout application Blackboard Architecture
Annotated functional core of system 7 classes, 3500 lines of code
Showed sharing of circuit elements Circuit DBPartition Place Route
Floorplan ChannelRoute circuit objects
- Slide 31
- November 8, 2002AliasJava - OOPSLA '0231 More in the Paper
Application to software architecture Detailed semantics
Implementation technique Inference algorithm Case study on 3000
lines of application code
- Slide 32
- November 8, 2002AliasJava - OOPSLA '0232 AliasJava Combines
object ownership and uniqueness Aids reasoning in large systems
Expressive enough to use in existing code Try out AliasJava!
http://www.archjava.org/