Alias Annotations for Program Understanding

Alias Annotationsfor Program Understanding Jonathan Aldrich Valentin Kostadinov Craig Chambers University of Washington

Building Big Systems is Hard calls component A component B calls component C • The ArchJava Project • Software architecture for managing complexity • Previous work: control flow • ICSE ’02, ECOOP ’02 • This paper: data sharing shared data AliasJava - OOPSLA '02

Why Specify Data Sharing? calls component A component B calls component C • Evolve programs • Modify component A to update data lazily • Improves efficiency • Must update component C as well! • Might not be obvious without sharing specification shared data AliasJava - OOPSLA '02

wrapper Maintain Invariants _ X client set class SynchronizedSet { Set backingSet; synchronized boolean add(Object o) { return backing.add(o); • Synchronization wrappers • Wrap a collections methods • Synchronize before invoking method • Wrapper invariant • Must access backing set only through wrapper AliasJava - OOPSLA '02

Avoid Security Holes (JDK 1.1.1) public class Class { public Object[] getSigners() { return signers; } • Returns an internal array, rather than a copy • Allows untrusted clients access • Can change the list of signatures for a class Class X client signers AliasJava - OOPSLA '02

Type-based Approaches • Many previous systems • Uniqueness [Minsky, Boyland…] • Ownership types [Clarke et al, Boyapati et al...] • Advantages • Modular, efficient checking • Documents aliasing in the code • Challenges • Express common idioms • Support for Java constructs • Usability in practice AliasJava - OOPSLA '02

Outline • AliasJava: alias annotations for Java • Combines uniqueness and ownership • Supports full language • Arrays, casts, iterators, inner classes, subtyping • Algorithm infers annotations • Guarantee of properties • Evaluated on library, application code AliasJava - OOPSLA '02

Unique reference Annotations: Unique set static unique Set… synchronizedSet…(unique Set… s) { return new SynchronizedSet…(s); }// s is dead after use in constructor // o goes out of scope here • unique objects have no persistent aliases • Newly allocated objects • Can only use once • Variable must be dead after use AliasJava - OOPSLA '02

Annotations: Unique X Unique reference set static unique Set… synchronizedSet…(unique Set… s) { return new SynchronizedSet…(s); }// s is dead after use in constructor // o goes out of scope here • unique objects have no persistent aliases • Newly allocated objects • Can only use once • Variable must be dead after use AliasJava - OOPSLA '02

Class Annotations: Owned signers private owned Object[…] signers; public Object[…] getSigners() { return signers; } • owned objects confined within their owner • Aliasing allowed within owner • Cannot return owned state to clients • Making a copy fixes the security hole X client Compile-time error AliasJava - OOPSLA '02

Class Annotations: Owned signers private owned Object[…] signers; public unique Object[…] getSigners() { return arraycopy(signers); } • owned objects confined within their owner • Aliasing allowed within owner • Cannot return owned state to clients • Making a copy fixes the security hole client copy AliasJava - OOPSLA '02

owner Annotations: Parameters List array element class ArrayList<elem_owner> { private owned Object[elem_owner] elems; void add(int i, elem_owner Object o) { elems[i] = o; } } • Parameterized by element owner • Method parameterization also supported AliasJava - OOPSLA '02

Annotations: Shared shared static shared Object singleton; unique Object[shared] getSigners() { return arraycopy(signers); } • shared objects may be globally aliased • Singletons • Static fields • Global data • Conceptually “owned by the system” AliasJava - OOPSLA '02

Annotations: Lent int find(lent Object o) { for (int i = 0; ...) { if elems[i] == o return i; • Temporary alias of unique/owned object • Used for duration of method • Cannot store in fields • Syntactically default AliasJava - OOPSLA '02

Annotation Flow unique unique Object uniq = new Object(); owned Object own = uniq; lent Object l = own; shared Object sh = own;// error owned param1 param2 ... shared lent AliasJava - OOPSLA '02

Implementation • AliasJava supports all features of Java • Subtyping • Inner classes • Casts • Interoperates with existing code • Just annotate the interface of legacy libraries • Checking is dynamic only where Java’s is • run-time type information for alias parameters • checks at casts and array writes AliasJava - OOPSLA '02

Annotation Inference class ArrayList<A> { private owned Object elems[A]; void put(int i, A Object o) { elems[i] = o; } } • Saves tedious annotation work • Infers general annotations • Edit annotations to improve understandability • Future work: annotation assistant AliasJava - OOPSLA '02

Properties: Ownership • Common property: owners-as-dominators All paths to owned objects go through owner • Prevents clients from accessing owned state • Clarke et al.: allow owned objects on stack • Patterns like Observer are prohibited • Boyapati et al.: inner classes may access owned state • Can’t implement Iterators/Observers with ordinary classes ArrayList Client X owned array AliasJava - OOPSLA '02

Client Properties: Ownership • Common property: owners-as-dominators All paths to owned objects go through owner • Problem: Iterators violate owners-as-dominators • Clarke et al.: allow Iterators on stack • Patterns like Observer prohibited • Boyapati et al.: inner classes access owned state • Can’t implement with ordinary classes ArrayList X owned array Iterator AliasJava - OOPSLA '02

Client Properties: Ownership • Common property: owners-as-dominators All paths to owned objects go through owner • Problem: Iterators violate owners-as-dominators • Clarke et al.: allow Iterators on stack • Patterns like Command prohibited • Boyapati et al., Clarke: inner classes access owned state • Can’t implement with ordinary classes Document X state Command AliasJava - OOPSLA '02

Ownership Capability Model Owned objects are only accessible by their owner and the objects to which it grants a capability • General model • Owner grants a capability to trusted objects AliasJava - OOPSLA '02

Ownership Capability Model Owned objects are only accessible by their owner and the objects to which it grants a capability class ArrayList<elem_owner> { private owned Object elems[elem_owner]; unique Iterator<elem_owner> iterator() { return new ArrayItr<elem_owner,owned>(elems); • owned capability • Access to ArrayList’s owned state • Passed via static parameterization • ArrayList controls who accesses state AliasJava - OOPSLA '02

Ownership Capability Model Owned objects are only accessible by their owner and the objects to which it grants a capability class ArrayList<elem_owner> { private owned Object elems[elem_owner]; unique Iterator<elem_owner> iterator() { return new ArrayItr<elem_owner,owned>(elems); • Compare annotations • ownedparameter lost by subsumption • Clients cannot access owned state AliasJava - OOPSLA '02

Ownership Capability Model Owned objects are only accessible by their owner and the objects to which it grants a capability int find(lent Object o) • lent capability • Temporary permission to access owned state • find can access o for duration of call AliasJava - OOPSLA '02

Properties: Uniqueness If a variable is unique, it has no aliases other than lent variables on the stack • Reasoning • No aliases in heap data structures • Still must track lent aliases on the stack • Extension: Alias Burying [Boyland] • When a unique var is read, all aliases are dead • Requires read/write effect specifications AliasJava - OOPSLA '02

AliasFJ : A Formal Framework • Based on Featherweight Java [OOPSLA 99] • Includes unique, owned, parameters, and lent • Benefits • Precise semantics • Shows how properties are enforced • Theorems • Type safety • Ownership property • Uniqueness property AliasJava - OOPSLA '02

Evaluation: java.util.Hashtable public class Hashtable<key_owner, value_owner...> extends Dictionary<key_owner, value_owner> { value_owner Object get(key_owner Object k) {... • Annotated and checked Hashtable • 1000 lines of code, 2.5 hours • Annotated some library functions • Experience • Annotations were natural, easy to add • Changed code in only one place AliasJava - OOPSLA '02

Enforcing Library Invariants static unique Set<elements> synchronizedSet<elements>(unique Set<elements> s) { return new SynchronizedSet<…>(s); } • Javadoc comment: In order to guarantee serial access, it is critical that all access to the backing set is accomplished through the returned set. • AliasJava: argument is unique • Therefore, there are no aliases to the backing set AliasJava - OOPSLA '02

Evaluation: Aphyds Partition Circuit DB ChannelRoute • Pedegogical circuit layout application • Blackboard Architecture • Annotated functional core of system • 7 classes, 3500 lines of code • Showed sharing of circuit elements Route Floorplan Place AliasJava - OOPSLA '02

Evaluation: Aphyds Partition Circuit DB ChannelRoute • Pedegogical circuit layout application • Blackboard Architecture • Annotated functional core of system • 7 classes, 3500 lines of code • Showed sharing of circuit elements Route circuit objects Floorplan Place AliasJava - OOPSLA '02

More in the Paper • Application to software architecture • Detailed semantics • Implementation technique • Inference algorithm • Case study on 3000 lines of application code AliasJava - OOPSLA '02

AliasJava • Combines object ownership and uniqueness • Aids reasoning in large systems • Expressive enough to use in existing code • Try out AliasJava! http://www.archjava.org/ AliasJava - OOPSLA '02

Alias Annotations for Program Understanding

Alias Annotations for Program Understanding

Presentation Transcript

alias model

alias STRUCTURE

Alias Grace

Annotations

Annotations for the ALA

ANNOTATIONS

Annotations

Alias Grace

ANNOTATIONS

Annotations

Annotations

Annotations

Annotations

Annotations

Program Understanding

alias STRUCTURE

Alias Analysis

Annotations

Program understanding

Annotations for AOM

Alias Resolution

Program Understanding