Dave Clarke James Noble Tobias Wrigstad (Eds.) Aliasing in Object-Oriented Programming State-of-the-Art Survey LNCS 7850 123 Types, Analysis, and Verification www.it-ebooks.info Lecture Notes in Computer Science 7850 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen TU Dortmund University, Germany Madhu Sudan Microsoft Research, Cambridge, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max Planck Institute for Informatics, Saarbruecken, Germany www.it-ebooks.info Dave Clarke James Noble Tobias Wrigstad (Eds.) Aliasing in Object-Oriented Programming Types, Analysis, and Verification 13 www.it-ebooks.info Volume Editors Dave Clarke Katholieke Universiteit Leuven, Department of Computer Science Celestijnenlaan 200A, 3001 Heverlee, Belgium E-mail: dave.clarke@cs.kuleuven.be James Noble Victoria University of Wellington, School of Engineering and Computer Science Cotton Building, Gate 6, Kelburn Parade, Wellington 6140, New Zealand E-mail: kjx@ecs.vuw.ac.nz Tobias Wrigstad Uppsala University, Department of Information Technology Lägerhyddsvägen 2, 752 37 Uppsala, Sweden E-mail: tobias.wrigstad@it.uu.se ISSN 0302-9743 e-ISSN 1611-3349 ISBN 978-3-642-36945-2 e-ISBN 978-3-642-36946-9 DOI 10.1007/978-3-642-36946-9 Springer Heidelberg Dordrecht London New York Library of Congress Control Number: 2013932225 CR Subject Classification (1998): D.1.5, D.1.3, D.4.2, D.2.4-5, D.2.7, D.3.1-3, A.1, K.2 LNCS Sublibrary: SL 2 – Programming and Software Engineering © Springer-Verlag Berlin Heidelberg 2013 This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in ist current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper Springer is part of Springer Science+Business Media (www.springer.com) www.it-ebooks.info Preface Aliasing is one of the key features of object-oriented programming languages, but it is both a blessing and a curse. On one hand it enables the expression of sophisticated designs involving sharing, but on the other hand it makes reasoning about programs difficult for programmers, for tools such as compilers, and for programming verification. This book presents a survey of the state of the art on techniques for dealing with aliasing in object-oriented programming. It marks the 20th anniversary of the paper “The Geneva Convention on The Treatment of Object Aliasing” by John Hogg, Doug Lea, Alan Wills, Dennis deChampeaux, and Richard Holt, which stressed the need for a systematic study of aliasing in object-oriented pro- gramming. Since that paper was published in 1992, several workshops have been devoted to this topic, including the Intercontinental Workshop on Aliasing in Object Oriented Systems (IWAOOS) in 1999 and five instalments of the Inter- national Workshop on Aliasing, Confinement and Ownership in object-oriented programming (IWACO) in 2003, 2007, 2008, 2009 and 2011. The most recent IWACO was dedicated to 20 years of aliasing in object- oriented languages and at that venue it was decided to produce a state-of-the- art LNCS volume dedicated to research in this field. This is the volume you are reading now.Papers were solicited from contributors to IWACO and other experts in the area. The result is a broad collection of papers covering many aspects of aliasing in object-oriented programming. Each paper has been exten- sively reviewed to ensure the highest quality. We hope that this collection will be a valuable addition to researchers’ bookshelves, and that it will be useful to both active researchers and graduate students alike. January 2013 Dave Clarke James Noble Tobias Wrigstad www.it-ebooks.info Table of Contents The Geneva Convention Beyond the Geneva Convention on the Treatment of Object Aliasing 1 Dave Clarke, James Noble, and Tobias Wrigstad The Geneva Convention on the Treatment of Object Aliasing 7 John Hogg, Doug Lea, Alan Wills, Dennis de Champeaux, and Richard Holt Ownership Ownership Types: A Survey 15 Dave Clarke, Johan ¨ Ostlund, Ilya Sergey, and Tobias Wrigstad Notions of Aliasing and Ownership 59 Alan Mycroft and Janina Voigt Understanding Ownership Types with Dependent Types 84 Nicholas Cameron, Sophia Drossopoulou, and James Noble Object Graphs with Ownership Domains: An Empirical Study 109 Radu Vanciu and Marwan Abi-Antoun Concurrency Alias Control for Deterministic Parallelism 156 Robert L. Bocchino Jr. Alias Analysis Alias Analysis for Object-Oriented Programs 196 Manu Sridharan, Satish Chandra, Julian Dolby, Stephen J. Fink, and Eran Yahav Controlling Effects Immutability 233 Alex Potanin, Johan ¨ Ostlund, Yoav Zibin, and Michael D. Ernst Fractional Permissions 270 John Boyland www.it-ebooks.info VIII Table of Contents Verification Object Ownership in Program Verification 289 Werner Dietl and Peter M¨uller State Based Encapsulation for Modular Reasoning about Behavior-Preserving Refactorings 319 Anindya Banerjee and David A. Naumann Separation Logic for Object-Oriented Programming 366 Matthew Parkinson and Gavin Bierman VeriFast for Java: A Tutorial 407 Jan Smans, Bart Jacobs, and Frank Piessens Programming Languages Confined Roles and Decapsulation in Object Teams — Contradiction or Synergy? 443 Stephan Herrmann Location Types for Safe Programming with Near and Far References 471 Yannick Welsch, Jan Sch¨afer, and Arnd Poetzsch-Heffter Visions The Future of Aliasing in Parallel Programming 501 Robert L. Bocchino Jr. Aliasing Visions: Ownership and Location 503 Alan Mycroft Alias Analysis: Beyond the Code 505 Manu Sridharan How, Then, Should We Program? 507 James Noble A Retrospective on Aliasing Type Systems: 2012-2022 509 Jonathan Aldrich Structured Aliasing 512 Tobias Wrigstad Author Index . 515 www.it-ebooks.info Beyond the Geneva Convention on the Treatment of Object Aliasing Dave Clarke 1 ,JamesNoble 2 , and Tobias Wrigstad 3 1 iMinds-DistriNet, Dept. Computer Sciences, KU Leuven, Belgium 2 Victoria University of Wellington, New Zealand 3 Department of Information Technology, Uppsala University, Sweden Aliasing must be detected when it occurs, advertised when it is possible, prevented where it is not wanted, and controlled where it is needed. Hogg, Lea, Wills, deChampeaux, and Holt [13]. 1 Introduction Aliasing occurs when two or more references to an object exist within the object graph of a running program. Although aliasing is essential in object-oriented programming as it allows programmers to implement designs involving sharing, it is problematic because its presence makes it difficult to reason about the object at the end of an alias—via an alias, an object’s state can change underfoot. Around 20 years ago, John Hogg, Doug Lea, Alan Wills, Dennis deChampeaux and Richard Holt drafted a clear account of the problems of aliasing in object- oriented programming. The resulting document, The Geneva Convention on the Treatment of Object Aliasing [13,14], identified four ways of managing aliasing to make it easier to reason about: detection — statically or dynamically detect aliasing, advertisement — provide declarations to modularise aliasing properties, prevention — develop statically-checkable means for disallowing aliasing, and control — offer means to isolate the effects of aliasing. Although the original document focused on verification, the problems of aliasing are equally applicable whenever a programmer or compiler needs to reason about a program, to understand it, to optimise it, to refactor it, or to check that it has no data races or deadlocks. Since the writing of the Geneva Convention, a vast amount of research on aliasing in object-oriented programming has been done. Some early techniques such as Islands [12] and Balloons [2] offered new insights into the problem, by suggesting that objects be grouped into their internal, external and boundary components, but it was not until the invention of Flexible Alias Protection [17] and Ownership Types [9] that work in the field really did blossom. The verifica- tion community relied heavily on ideas of ownership [15] and separation [18] in D. Clarke et al. (Eds.): Aliasing in Object-Oriented P rogramming, LNCS 7850, pp. 1–6, 2013. c  Springer-Verlag Berlin Heidelberg 2013 www.it-ebooks.info 2 D. Clarke, J. Noble, and T. Wrigstad order to develop more feasible verification techniques. These alias control mecha- nisms have found application concurrency control [5], program visualisation and understanding [1], among other areas. All the while, techniques for alias analysis are being developed and improved upon in the compiler-writer community [22], and a cross-fertilisation of ideas is starting to occur. This book is dedicated to the state-of-the-art on aliasing in object-oriented programming, It consists of fifteen chapters, written by the leading researchers in their respective fields, and six short vision chapters presenting the views of researchers on the future of aliasing in object-oriented programming. 2TheChapters The first chapter, The Geneva Convention On The Treatment of Object Aliasing by John Hogg and Doug Lea and Alan Wills and Dennis deChampeaux and Richard Holt [14], is a reprint of the original Geneva Convention paper. It dis- cusses problems with the treatment of aliasing in object-oriented languages, and argues that means for handling aliasing available in programming languages at the time (circa 1990) fail to address the complexities introduced by objects. As mentioned above, the paper introduces four classes of solutions to the aliasing problem: detection, advertisement, prevention and control. The paper analyses these four approaches and discusses existing approaches from the literature. The paper concludes with the pithy quote given at the start of this introduction. Ownership Types were one of the significant contributions that changed the way aliasing was considered in object-oriented languages. Ownership Types pro- vide a way of encapsulating the so-called representation objects of an aggregate object so that aliases to such objects cannot exist outside of the aggregate that owns them. This is all done in a statically checkable fashion. A large number of papers have extended, adapted or applied Ownership Types, or have taken similar ideas as the basis of an alias control mechanism. In the second chapter, Ownership Types: A Survey [8], Dave Clarke, Johan ¨ Ostlund, Ilya Sergey and Tobias Wrigstad survey this body of work. In their chapter, Notions of Aliasing and Ownership [16], Alan Mycroft and Janina Voigt present an alternative survey of aliasing and ownership, which draws from a wide range of work, including linear logic and operating systems, before focusing on some of the core approaches to alias control. After their review and critique of these approaches, the chapter concludes that a more holistic approach to aliasing is required. The chapter hints of a notion of aliasing contract, which mediates access to fields and variables—access is allowed only when the contract is satisfied. Ownership Types are not phrased in terms of traditional type-theoretic ma- chinery. To obtain a better understanding of their nature, Nicholas Cameron, Sophia Drossopoulou, and James Noble explore the underlying types-depend-on- owners property in terms of dependent type theory in Understanding Ownership Types with Dependent Types [7] Their encoding also reveals the phantom type nature of Ownership Types. After addressing a vanilla Ownership Types system, www.it-ebooks.info Beyond the Geneva Convention on the Treatment of Object Aliasing 3 several extensions are also considered, though the soundness of the encoding is a conjecture left for future work. Object Graphs with Ownership Domains: an Empirical Study by Radu Vanciu and Marwan Abi-Antoun [23] presents empirical evaluation of the Ownership Domains type system on a number of larger programs. These programs were annotated and type checked, and then static analysis was used to extract hierar- chical Ownership Object Graphs (OOGs). OOGs provide an abstract view of the ownership structure within a program, offerings a better view on a system than a flat object graph. The results include numerous metrics which help understand the ownership relationships present in code. Robert L. Bocchino Jr. describes alias control techniques for achieving de- terministic parallelism in his chapter Alias Control for Deterministic Paral- lelism [4], which concerns programs that produce the same output on every execution for a given input, irrespective of how its threads are scheduled. Such programs are easier to write, understand, debug and maintain. Aliasing is a core hurdle to achieving deterministic parallelism, as it creates the possibility of data races. This chapter surveys program annotation techniques for controlling aliasing in order to support deterministic parallelism. Alias analysis techniques are used within compilers and other program under- standing tools to determine the aliasing structure between objects. Such informa- tion is essential for performing various compiler optimisations and for performing program transformations safely. The chapter AliasAnalysisforObject-Oriented Programs by Manu Sridharan, Satish Chandra, Julian Dolby, Stephen J. Fink, and Eran Yahav [22] presents a survey of alias analysis for object-oriented pro- grams, including points-to analysis, flow sensitive techniques, and whole-program alias analysis and its limitations. The discussion is framed in the context of the authors’ experience in developing industrial-strength analyses for Java. One of the core ways of reducing that the impact of aliasing is by reducing the effect of mutable references. This falls under the alias control categorisation of the Geneva Convention. Immutability by Alex Potanin, Johan ¨ Ostlund, Yoav Zibin, Michael D. Ernst [20] surveys immutability in the context of object-oriented programming languages. The point of departure is final fields in Java and const references in C++. These are argued to be inadequate, as they offer only shallow notions of immutability. The chapter then surveys a number of recent proposals, including Javari, IGJ, Joe 3 , and OIGJ, that overcome the weaknesses of final and const. Fractional Permissions are a novel idea that allows precise resource tracking in type systems and specification logics. The key idea is that a whole permission allows unique write access to an object, but that this can be split (and later rejoined) into multiple read permissions. Fractional Permissions by John Boy- land [6] describes the motivation for Fractional Permission and gives a survey of various models of Fractional Permissions, including those supporting nesting. Object Ownership in Program Verification by Werner Dietl and Peter M¨uller [10] surveys the key role played by ownership in program verification in two dif- ferent realisations: Universe Types and Dynamic Ownership, in the context of www.it-ebooks.info [...]... (eds.) Aliasing in Object- Oriented Programming LNCS, vol 7850, pp 319–365 Springer, Heidelberg (2013) 4 Bocchino Jr., R.L.: Alias Control for Deterministic Parallelism In: Clarke, D., Noble, J., Wrigstad, T (eds.) Aliasing in Object- Oriented Programming LNCS, vol 7850, pp 156–195 Springer, Heidelberg (2013) 5 Boyapati, C., Lee, R., Rinard, M.C.: Ownership types for safe programming: preventing data... M¨ller, P.: Object Ownership in Program Verification In: Clarke, D., u Noble, J., Wrigstad, T (eds.) Aliasing in Object- Oriented Programming LNCS, vol 7850, pp 289–318 Springer, Heidelberg (2013) 11 Herrmann, S.: Confined Roles and Decapsulation in Object Teams — Contradiction or Synergy? In: Clarke, D., Noble, J., Wrigstad, T (eds.) Aliasing in ObjectOriented Programming LNCS, vol 7850, pp 443–470 Springer,... (eds.) Aliasing in Object- Oriented Programming LNCS, vol 7850, pp 7–14 Springer, Heidelberg (2013) 15 M¨ller, P.: Modular Specification and Verification of Object- Oriented Programs u LNCS, vol 2262 Springer, Heidelberg (2002) 16 Mycroft, A., Voigt, J.: Notions of Aliasing and Ownership In: Clarke, D., Noble, J., Wrigstad, T (eds.) Aliasing in Object- Oriented Programming LNCS, vol 7850, pp 59–83 Springer,... Dolby, J., Fink, S.J., Yahav, E.: Alias Analysis for Object- Oriented Programs In: Clarke, D., Noble, J., Wrigstad, T (eds.) Aliasing in Object- Oriented Programming LNCS, vol 7850, pp 196–232 Springer, Heidelberg (2013) 23 Vanciu, R., Abi-Antoun, M.: Object Graphs with Ownership Domains: An Empirical Study In: Clarke, D., Noble, J., Wrigstad, T (eds.) Aliasing in Object- Oriented Programming LNCS, vol... can mesh well with mainstream object oriented programming techniques 4.4 Alias Control Aliasing prevention is not sufficient in itself because aliasing is not avoidable under the conventional object- oriented paradigm There will remain cases in which the effects of aliasing cannot be determined without taking into account the runtime state of a system Under these circumstances, aliasing control must be... 20 Potanin, A., Ostlund, J., Zibin, Y., Ernst, M.D.: Immutability In: Clarke, D., Noble, J., Wrigstad, T (eds.) Aliasing in Object- Oriented Programming LNCS, vol 7850, pp 233–269 Springer, Heidelberg (2013) 21 Smans, J., Jacobs, B., Piessens, F.: VeriFast for Java: A Tutorial In: Clarke, D., Noble, J., Wrigstad, T (eds.) Aliasing in Object- Oriented Programming LNCS, vol 7850, pp 407–442 Springer, Heidelberg... deadlocks In: OOPSLA, pp 211–230 (2002) 6 Boyland, J.: Fractional Permissions In: Clarke, D., Noble, J., Wrigstad, T (eds.) Aliasing in Object- Oriented Programming LNCS, vol 7850, pp 270–288 Springer, Heidelberg (2013) 7 Cameron, N., Drossopoulou, S., Noble, J.: Understanding Ownership Types with Dependent Types In: Clarke, D., Noble, J., Wrigstad, T (eds.) Aliasing in ObjectOriented Programming LNCS,... suggesting some directions for future work Aliasing is endemic in object- oriented programming Noble, Vitek, Potter [112] 1 Introduction Object aliasing is one of the key challenges that must be addressed when constructing large software systems using an object- oriented language Bugs due to unintentional aliases are notoriously difficult to track down and can lead to unexpected side-effects, invalidated invariants,... within the UPMARC Linnaeus centre of Excellence and the project Structured Aliasing D Clarke et al (Eds.): Aliasing in Object- Oriented Programming, LNCS 7850, pp 15–58, 2013 c Springer-Verlag Berlin Heidelberg 2013 16 D Clarke et al aliases beyond favouring references instead of pointers, and providing automatic garbage collection (although one Scala plugin does offer support for Uniqueness and Borrowing... regions in the region calculus [134] Objects in such a heap can refer, in principle, to any object in the main heap or any object in the heap associated with a preexisting stack frame, so long as the appropriate permissions have been passed in This is depicted in Figure 2 Boyapati’s SafeJava [20,22] relaxes owners-as-dominators for instances of Java inner classes In Java, an inner class is always instantiated . of aliasing in object- oriented pro- gramming. Since that paper was published in 1992, several workshops have been devoted to this topic, including the Intercontinental Workshop on Aliasing in Object. [13]. 1 Introduction Aliasing occurs when two or more references to an object exist within the object graph of a running program. Although aliasing is essential in object- oriented programming as. problems of aliasing in object- oriented programming. The resulting document, The Geneva Convention on the Treatment of Object Aliasing [13,14], identified four ways of managing aliasing to make