IainMcGinniss

  • 8/8/2019 IainMcGinniss

    1/21

    Iain McGinniss and Simon Gay

    University of Glasgow

  • 2/21

    Overview

    API design & enforcement

    The mistakes programmers make

    What is typestate?

    What is Hanoi?

    Future work

  • 3/21

    API Specification

    Designer must be as precise as possible

    What will be provided by an implementation

    What will be expected in return from the client ... a contract!

    Implementation and client code must each hold up their end of the bargain

    What happens when a contract is violated?

  • 4/21

    The API Police!

  • 5/21

    Contract constraints

    Legal method calls

    What methods exist? With what parameters?

    Can I pass a null as a parameter?

    Legal sequences of method calls

    Can I call any methods after I call close()?

    What are the consequences if I don't call close()?

    Aliasing constraints

    Once I pass my reference as a parameter, can I use it again?

  • 6/21

    Static type checking

    Wanted: guaranteed safety properties without running the program

    Types express what is legal, type checking enforces this

    Java types do not convey everything that is important!

    No specification of legal sequences

    No specification of alias restrictions

    No specification of concurrency restrictions ... etc.

    So, we must informally document these constraints...

  • 7/21

    Did you read the fine print?

    Excerpt from the PC Pitstop Software EULA:

    SPECIAL CONSIDERATION

    A special consideration which may include financial compensation will be awarded to a limited number of authorized licensee who read this section of the license agreement and contact PC Pitstop [email protected]. This offer can be withdrawn at any time.

    It took 4 months and 3000 downloads for someone to notice and claim the $1000 prize!

  • 8/21

    An example with HashSet

    MutableInteger a = new MutableInteger(1);
    MutableInteger b = new MutableInteger(1);
    HashSet set = new HashSet();
    set.add(a);
    a.changeTo(2); // change internal value
    out.println("a is in set: " + set.contains(a));
    out.println("b is in set: " + set.contains(b));

    What will this program output?

  • 9/21

    Survey says...

    a is in set: false
    b is in set: false

    Why? The fine print! From java.util.Set's javadoc:

    Note: Great care must be exercised if mutable objects are used as set elements. The behavior of a set is not specified if the value of an object is changed in a manner that affects equals comparisons while the object is an element in the set.
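The HashSet program on slides 8 and 9 runs as written below, with a hypothetical MutableInteger class supplied here because the slides do not show its definition. This is an added example, not code from the talk; it reproduces the two "false" results, shows that the mutated element is also stranded (it can no longer be removed through its own reference, yet still counts towards the size), and contrasts that with the remove/mutate/reinsert sequence that respects the Set contract.

```java
import java.util.HashSet;
import java.util.Set;

public class MutableKeyDemo {

    // Hypothetical stand-in for the slide's MutableInteger: equals() and hashCode()
    // depend on a field that changeTo() can alter after the object is in a set.
    static final class MutableInteger {
        private int value;

        MutableInteger(int value) { this.value = value; }

        void changeTo(int value) { this.value = value; }

        @Override public boolean equals(Object o) {
            return o instanceof MutableInteger && ((MutableInteger) o).value == value;
        }

        @Override public int hashCode() { return Integer.hashCode(value); }

        @Override public String toString() { return Integer.toString(value); }
    }

    // What one scenario observed: the two contains() answers, whether a could be
    // removed through its own reference afterwards, and the set size at the end.
    static final class Outcome {
        final boolean aFound, bFound, aRemovable;
        final int size;

        Outcome(boolean aFound, boolean bFound, boolean aRemovable, int size) {
            this.aFound = aFound; this.bFound = bFound;
            this.aRemovable = aRemovable; this.size = size;
        }

        @Override public String toString() {
            return "a is in set: " + aFound + ", b is in set: " + bFound
                 + ", a removable: " + aRemovable + ", size: " + size;
        }
    }

    /** The slide's program: a is mutated while it is an element of the set. */
    static Outcome mutateWhileInSet() {
        MutableInteger a = new MutableInteger(1);
        MutableInteger b = new MutableInteger(1);
        Set<MutableInteger> set = new HashSet<>();
        set.add(a);
        a.changeTo(2);                      // a now hashes to a bucket other than the one holding it
        boolean aFound = set.contains(a);   // false: the lookup searches the bucket for 2
        boolean bFound = set.contains(b);   // false: a is found in bucket 1, but a.equals(b) is now false
        boolean aRemovable = set.remove(a); // false: the entry is stranded and unreachable via a
        return new Outcome(aFound, bFound, aRemovable, set.size()); // size is still 1
    }

    /** Honouring the Set contract: take the element out before mutating it, then put it back. */
    static Outcome removeMutateReinsert() {
        MutableInteger a = new MutableInteger(1);
        MutableInteger b = new MutableInteger(1);
        Set<MutableInteger> set = new HashSet<>();
        set.add(a);
        set.remove(a);                      // remove while equals/hashCode still match the stored entry
        a.changeTo(2);
        set.add(a);                         // re-insert under the new hash
        boolean aFound = set.contains(a);   // true
        boolean bFound = set.contains(b);   // false: b is 1, the set now holds 2
        boolean aRemovable = set.remove(a); // true
        return new Outcome(aFound, bFound, aRemovable, set.size()); // 0 after the remove
    }

    public static void main(String[] args) {
        System.out.println("mutated in place:       " + mutateWhileInSet());
        System.out.println("remove/mutate/reinsert: " + removeMutateReinsert());
    }
}
```

The stranded entry is the part the slide's output does not show: after the in-place mutation the set still reports one element that neither contains() nor remove() can reach through the object itself. A set used to track state that matters (sessions, revoked identifiers, permitted callers) therefore drifts away from what the program believes it holds, which is why immutable element types, or the remove/mutate/reinsert discipline above, are the safe choice.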

  • 10/21

    What about sequences?

    Iterator it = myList.iterator();
    while(it.hasNext()) {
        out.println(it.next());
    }
    it.remove(); // remove the last item

    Is this code safe? Not if the list is empty!

    Docs: Throws IllegalStateException - if the next method has not yet been called

  • 11/21

    What is Typestate?

    "Whereas the type of a data object determines the set of operations ever permitted on the object, the typestate determines the subset of these operations which is permitted in a particular context" - Strom, Yemini 1986

    Original idea: null reference is a state where no methods are available

    Concept, in principle, extends to more complex, user-defined state machines.

  • 12/21

    Upgrading our API Police

  • 13/21

    Focusing on sequences

    Many APIs have state-machine-like behaviour

    Iterators

    Databases: Connection, ResultSet

    File & Network I/O

    Difficult to document in a concise, human readable, machine verifiable form

    Hanoi to the rescue!

  • 14/21

    What is Hanoi?

    Hanoi is a model for defining stateful behaviour in objects

    Primary design goal: easy to read, easy to write

    Hierarchical state machines

    Make retroactive definition of models possible

    Avoided using annotations: fragmented definitions are hard to understand

    Models are stored in a separate .state file next to the .java file

    Or in a parallel directory structure mirroring the package, for existing compiled code

  • 15/21

    Hanoi model for Iterator

    NEXT_AVAILABLE {
        next() -> CAN_REMOVE
    }

    CAN_REMOVE {
        remove() -> DEFAULT
    }

    hasNext() :: true -> NEXT_AVAILABLE
    hasNext() :: false ->

  • 16/21

    One slight complication... Consider the following code:

    while(it.hasNext()) {
        Object a = it.next();
        if(it.hasNext()) {
            // what can we do here?
        }
    }

    At this point we can call next() AND remove(). Our model does not allow calling remove() at this point!

  • 17/21

    Refined model for Iterator

    NEXT_AVAILABLE {
        NEXT_AVAILABLE_CAN_REMOVE {
            remove() -> NEXT_AVAILABLE
        }
        next() -> CAN_REMOVE
    }

    CAN_REMOVE {
        remove() -> DEFAULT
        hasNext() :: true -> NEXT_AVAILABLE_CAN_REMOVE
    }

    hasNext() :: true -> HAS_NEXT
    hasNext() :: false ->

  • 18/21

    Enforcing the model

    Implemented as dynamic proxy in Java

    Intercepts calls to an interface an object implements

    Checks method call is legal in currently known state

    Uses return value to decide next state

    If illegal method call detected, throw unchecked exception

    Implementation no longer needs to guard against illegal usage!

    Alternative: Log the event & stop monitoring
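The enforcement approach on slide 18, applied to the refined Iterator model of slide 17, as an added example that is not Hanoi's own implementation and not code from the talk. It uses java.lang.reflect.Proxy to intercept calls on the Iterator interface, looks the call up in the current state and its enclosing states (the nesting of NEXT_AVAILABLE_CAN_REMOVE inside NEXT_AVAILABLE, and of every named state inside an unnamed top level that is called DEFAULT here), uses the return value of hasNext() to pick the successor, and throws an unchecked exception on an illegal call. Two points the slides leave open are filled in as labelled assumptions: a state without an entry for a call defers to its parent, and hasNext() :: false at the top level returns to DEFAULT. The main() method runs the empty-list loop from slide 10 and the nested hasNext() pattern from slide 16 through the proxy.

```java
import java.lang.reflect.*;
import java.util.*;

public class TypestateIteratorDemo {

    // States of the refined Iterator model; parent() encodes the nesting on the slide.
    enum State {
        DEFAULT, NEXT_AVAILABLE, NEXT_AVAILABLE_CAN_REMOVE, CAN_REMOVE;

        State parent() {
            switch (this) {
                case NEXT_AVAILABLE_CAN_REMOVE: return NEXT_AVAILABLE;
                case NEXT_AVAILABLE:
                case CAN_REMOVE:                return DEFAULT;
                default:                        return null;
            }
        }
    }

    // Transitions as written on the slide, keyed by method name, with the boolean
    // result appended for hasNext(). Assumption: hasNext()::false returns to DEFAULT.
    static final Map<State, Map<String, State>> MODEL = new EnumMap<>(State.class);
    static {
        for (State s : State.values()) MODEL.put(s, new HashMap<>());
        MODEL.get(State.DEFAULT).put("hasNext::true", State.NEXT_AVAILABLE);
        MODEL.get(State.DEFAULT).put("hasNext::false", State.DEFAULT);          // assumption
        MODEL.get(State.NEXT_AVAILABLE).put("next", State.CAN_REMOVE);
        MODEL.get(State.NEXT_AVAILABLE_CAN_REMOVE).put("remove", State.NEXT_AVAILABLE);
        MODEL.get(State.CAN_REMOVE).put("remove", State.DEFAULT);
        MODEL.get(State.CAN_REMOVE).put("hasNext::true", State.NEXT_AVAILABLE_CAN_REMOVE);
    }

    /** Finds the transition for a call key, walking outward through the enclosing states. */
    static State lookup(State from, String key) {
        for (State s = from; s != null; s = s.parent()) {
            State next = MODEL.get(s).get(key);
            if (next != null) return next;
        }
        return null;
    }

    /** Unchecked exception raised when a call is not legal in the current state. */
    static final class TypestateViolation extends IllegalStateException {
        TypestateViolation(String message) { super(message); }
    }

    /** Wraps an Iterator in a dynamic proxy that tracks the model state across calls. */
    @SuppressWarnings("unchecked")
    static <T> Iterator<T> monitored(Iterator<T> target) {
        InvocationHandler handler = new InvocationHandler() {
            private State state = State.DEFAULT;

            @Override
            public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
                String name = m.getName();
                if (m.getDeclaringClass() == Object.class) {
                    return m.invoke(target, args);      // toString() etc. are outside the model
                }
                // Legality is decided before the call; hasNext() is legal wherever an
                // enclosing state has a transition for at least one of its results.
                boolean legal = lookup(state, name) != null || lookup(state, name + "::true") != null;
                if (!legal) throw new TypestateViolation(name + "() is not legal in state " + state);
                Object result;
                try {
                    result = m.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause();                 // surface the target's own exception
                }
                String key = name.equals("hasNext") ? name + "::" + result : name;
                State next = lookup(state, key);        // return value selects the successor
                if (next == null) throw new TypestateViolation("no transition for " + key + " from " + state);
                state = next;
                return result;
            }
        };
        return (Iterator<T>) Proxy.newProxyInstance(TypestateIteratorDemo.class.getClassLoader(),
                new Class<?>[] { Iterator.class }, handler);
    }

    public static void main(String[] args) {
        // Slide 10's loop on an empty list: remove() without a preceding next() is
        // rejected by the proxy before the underlying iterator ever sees the call.
        Iterator<String> empty = monitored(new ArrayList<String>().iterator());
        while (empty.hasNext()) System.out.println(empty.next());
        try {
            empty.remove();
        } catch (TypestateViolation e) {
            System.out.println("caught: " + e.getMessage());
        }
        // Slide 16's pattern: after next() then hasNext() == true the state is
        // NEXT_AVAILABLE_CAN_REMOVE, so both next() and remove() are accepted.
        List<String> items = new ArrayList<>(Arrays.asList("a", "b", "c"));
        Iterator<String> it = monitored(items.iterator());
        while (it.hasNext()) {
            String s = it.next();
            if (it.hasNext() && s.equals("a")) it.remove();
        }
        System.out.println(items); // [b, c]
    }
}
```

Because the check runs before the delegated call, the wrapped implementation never has to defend itself against out-of-sequence use, which is the point made on slide 18. Swapping the throw for a log line and a flag that disables further checks gives the "log the event & stop monitoring" alternative from the same slide.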

  • 19/21

    What about aliasing?

    Aliasing causes big problems for static analysis

    Sharing the use of an iterator, even without threads, can lead to violations of the model

    We need a way for programmers to declare the aliasing restrictions on their objects

    Many different forms of alias restriction: cannot be shared, can have one writer and many readers, etc.

    Fractional Permissions (Boyland 2003)

    Dynamic checking is easier, however, as long as one proxy is used!

  • 20/21

    Future Work

    Static analysis of Hanoi models

    Difficult problem space, active research area

    Include aliasing rules in model

    Parallel state machines

    Partition models into independent parts

    May help with aliasing

    May help with modelling concurrently shared objects

  • 21/21

    Questions?

    The API police are [email protected]