Alias Annotations for Program Understanding Jonathan Aldrich
Valentin Kostadinov Craig Chambers University of Washington
Slide 2
November 8, 2002AliasJava - OOPSLA '022 Building Big Systems is
Hard The ArchJava Project Software architecture for managing
complexity Previous work: control flow ICSE 02, ECOOP 02 This
paper: data sharing component Acomponent Bcomponent C calls shared
data
Slide 3
November 8, 2002AliasJava - OOPSLA '023 Why Specify Data
Sharing? Evolve programs Modify component A to update data lazily
Improves efficiency Must update component C as well! Might not be
obvious without sharing specification component Acomponent
Bcomponent C calls shared data
Slide 4
November 8, 2002AliasJava - OOPSLA '024 Maintain Invariants _
class SynchronizedSet { Set backingSet; synchronized boolean
add(Object o) { return backing.add(o); Synchronization wrappers
Wrap a collections methods Synchronize before invoking method
Wrapper invariant Must access backing set only through wrapper set
wrapper client X
Slide 5
November 8, 2002AliasJava - OOPSLA '025 Avoid Security Holes
(JDK 1.1.1) public class Class { public Object[] getSigners() {
return signers; } Returns an internal array, rather than a copy
Allows untrusted clients access Can change the list of signatures
for a class signers Class client X
Slide 6
November 8, 2002AliasJava - OOPSLA '026 Type-based Approaches
Many previous systems Uniqueness [Minsky, Boyland] Ownership types
[Clarke et al, Boyapati et al...] Advantages Modular, efficient
checking Documents aliasing in the code Challenges Express common
idioms Support for Java constructs Usability in practice
Slide 7
November 8, 2002AliasJava - OOPSLA '027 Outline AliasJava:
alias annotations for Java Combines uniqueness and ownership
Supports full language Arrays, casts, iterators, inner classes,
subtyping Algorithm infers annotations Guarantee of properties
Evaluated on library, application code
Slide 8
November 8, 2002AliasJava - OOPSLA '028 Annotations: Unique
static unique Set synchronizedSet(unique Set s) { return new
SynchronizedSet(s); } // s is dead after use in constructor // o
goes out of scope here unique objects have no persistent aliases
Newly allocated objects Can only use once Variable must be dead
after use set Unique reference
Slide 9
November 8, 2002AliasJava - OOPSLA '029 Annotations: Unique
static unique Set synchronizedSet(unique Set s) { return new
SynchronizedSet(s); } // s is dead after use in constructor // o
goes out of scope here unique objects have no persistent aliases
Newly allocated objects Can only use once Variable must be dead
after use setUnique reference X
Slide 10
November 8, 2002AliasJava - OOPSLA '0210 Annotations: Owned
private owned Object[] signers; public Object[] getSigners() {
return signers; } owned objects confined within their owner
Aliasing allowed within owner Cannot return owned state to clients
Making a copy fixes the security hole Compile-time error Class
signers client X
Slide 11
November 8, 2002AliasJava - OOPSLA '0211 Annotations: Owned
private owned Object[] signers; public unique Object[] getSigners()
{ return arraycopy(signers); } owned objects confined within their
owner Aliasing allowed within owner Cannot return owned state to
clients Making a copy fixes the security hole Class signers client
copy
Slide 12
November 8, 2002AliasJava - OOPSLA '0212 Annotations:
Parameters class ArrayList { private owned Object[elem_owner]
elems; void add(int i, elem_owner Object o) { elems[i] = o; }
Parameterized by element owner Method parameterization also
supported owner element List array
Slide 13
November 8, 2002AliasJava - OOPSLA '0213 Annotations: Shared
static shared Object singleton; unique Object[shared] getSigners()
{ return arraycopy(signers); } shared objects may be globally
aliased Singletons Static fields Global data Conceptually owned by
the system shared
Slide 14
November 8, 2002AliasJava - OOPSLA '0214 Annotations: Lent int
find(lent Object o) { for (int i = 0;...) { if elems[i] == o return
i; Temporary alias of unique/owned object Used for duration of
method Cannot store in fields Syntactically default
Slide 15
November 8, 2002AliasJava - OOPSLA '0215 Annotation Flow unique
Object uniq = new Object(); owned Object own = uniq; lent Object l
= own; shared Object sh = own; // error unique owned lent
sharedparam1 param2...
Slide 16
November 8, 2002AliasJava - OOPSLA '0216 Implementation
AliasJava supports all features of Java Subtyping Inner classes
Casts Interoperates with existing code Just annotate the interface
of legacy libraries Checking is dynamic only where Javas is
run-time type information for alias parameters checks at casts and
array writes
Slide 17
November 8, 2002AliasJava - OOPSLA '0217 Annotation Inference
class ArrayList { private owned Object elems[A]; void put(int i, A
Object o) { elems[i] = o; } Saves tedious annotation work Infers
general annotations Edit annotations to improve understandability
Future work: annotation assistant
Slide 18
November 8, 2002AliasJava - OOPSLA '0218 Properties: Ownership
Common property: owners-as-dominators All paths to owned objects go
through owner Prevents clients from accessing owned state Clarke et
al.: allow owned objects on stack Patterns like Observer are
prohibited Boyapati et al.: inner classes may access owned state
Cant implement Iterators/Observers with ordinary classes owned
array ClientArrayList X
Slide 19
November 8, 2002AliasJava - OOPSLA '0219 Properties: Ownership
Common property: owners-as-dominators All paths to owned objects go
through owner Problem: Iterators violate owners-as-dominators
Clarke et al.: allow Iterators on stack Patterns like Observer
prohibited Boyapati et al.: inner classes access owned state Cant
implement with ordinary classes owned array ClientArrayList
Iterator X
Slide 20
November 8, 2002AliasJava - OOPSLA '0220 Properties: Ownership
Common property: owners-as-dominators All paths to owned objects go
through owner Problem: Iterators violate owners-as-dominators
Clarke et al.: allow Iterators on stack Patterns like Command
prohibited Boyapati et al., Clarke: inner classes access owned
state Cant implement with ordinary classes state ClientDocument
Command X
Slide 21
November 8, 2002AliasJava - OOPSLA '0221 Ownership Capability
Model Owned objects are only accessible by their owner and the
objects to which it grants a capability General model Owner grants
a capability to trusted objects
Slide 22
November 8, 2002AliasJava - OOPSLA '0222 Ownership Capability
Model Owned objects are only accessible by their owner and the
objects to which it grants a capability class ArrayList { private
owned Object elems[elem_owner]; unique Iterator iterator() { return
new ArrayItr (elems); owned capability Access to ArrayLists owned
state Passed via static parameterization ArrayList controls who
accesses state
Slide 23
November 8, 2002AliasJava - OOPSLA '0223 Ownership Capability
Model Owned objects are only accessible by their owner and the
objects to which it grants a capability class ArrayList { private
owned Object elems[elem_owner]; unique Iterator iterator() { return
new ArrayItr (elems); Compare annotations owned parameter lost by
subsumption Clients cannot access owned state
Slide 24
November 8, 2002AliasJava - OOPSLA '0224 Ownership Capability
Model Owned objects are only accessible by their owner and the
objects to which it grants a capability int find(lent Object o)
lent capability Temporary permission to access owned state find can
access o for duration of call
Slide 25
November 8, 2002AliasJava - OOPSLA '0225 Properties: Uniqueness
If a variable is unique, it has no aliases other than lent
variables on the stack Reasoning No aliases in heap data structures
Still must track lent aliases on the stack Extension: Alias Burying
[Boyland] When a unique var is read, all aliases are dead Requires
read/write effect specifications
Slide 26
November 8, 2002AliasJava - OOPSLA '0226 AliasFJ : A Formal
Framework Based on Featherweight Java [OOPSLA 99] Includes unique,
owned, parameters, and lent Benefits Precise semantics Shows how
properties are enforced Theorems Type safety Ownership property
Uniqueness property
Slide 27
November 8, 2002AliasJava - OOPSLA '0227 Evaluation:
java.util.Hashtable public class Hashtable extends Dictionary {
value_owner Object get(key_owner Object k) {... Annotated and
checked Hashtable 1000 lines of code, 2.5 hours Annotated some
library functions Experience Annotations were natural, easy to add
Changed code in only one place
Slide 28
November 8, 2002AliasJava - OOPSLA '0228 Enforcing Library
Invariants static unique Set synchronizedSet (unique Set s) {
return new SynchronizedSet (s); } Javadoc comment: In order to
guarantee serial access, it is critical that all access to the
backing set is accomplished through the returned set. AliasJava:
argument is unique Therefore, there are no aliases to the backing
set
Slide 29
November 8, 2002AliasJava - OOPSLA '0229 Evaluation: Aphyds
Pedegogical circuit layout application Blackboard Architecture
Annotated functional core of system 7 classes, 3500 lines of code
Showed sharing of circuit elements Circuit DBPartition Place Route
Floorplan ChannelRoute
Slide 30
November 8, 2002AliasJava - OOPSLA '0230 Evaluation: Aphyds
Pedegogical circuit layout application Blackboard Architecture
Annotated functional core of system 7 classes, 3500 lines of code
Showed sharing of circuit elements Circuit DBPartition Place Route
Floorplan ChannelRoute circuit objects
Slide 31
November 8, 2002AliasJava - OOPSLA '0231 More in the Paper
Application to software architecture Detailed semantics
Implementation technique Inference algorithm Case study on 3000
lines of application code
Slide 32
November 8, 2002AliasJava - OOPSLA '0232 AliasJava Combines
object ownership and uniqueness Aids reasoning in large systems
Expressive enough to use in existing code Try out AliasJava!
http://www.archjava.org/
