Alias Annotations for Program Understanding
1
Alias Annotations for Program Understanding
  • Jonathan Aldrich
  • Valentin Kostadinov
  • Craig Chambers
  • University of Washington

2
Building Big Systems is Hard
[Diagram: components A, B and C connected by calls, with shared data]
  • The ArchJava Project
  • Software architecture for managing complexity
  • Previous work: control flow (ICSE 02, ECOOP 02)
  • This paper: data sharing

3
Why Specify Data Sharing?
[Diagram: components A, B and C connected by calls, with shared data]
  • Evolve programs
  • Modify component A to update data lazily
  • Improves efficiency
  • Must update component C as well!
  • Might not be obvious without a sharing specification

4
Maintain Invariants
[Diagram: client reaching the set directly, bypassing the wrapper (X)]
    class SynchronizedSet {
      Set backingSet;
      synchronized boolean add(Object o) {
        return backingSet.add(o);
      }
    }
  • Synchronization wrappers
  • Wrap a collection's methods
  • Synchronize before invoking the method
  • Wrapper invariant
  • Must access the backing set only through the wrapper

5
Avoid Security Holes (JDK 1.1.1)
    public class Class {
      public Object[] getSigners() {
        return signers;
      }
    }
  • Returns the internal array, rather than a copy
  • Allows untrusted clients access
  • Can change the list of signatures for a class

[Diagram: client reaching Class's signers array directly (X)]
6
Type-based Approaches
  • Many previous systems
  • Uniqueness: Minsky, Boyland
  • Ownership types: Clarke et al., Boyapati et al., ...
  • Advantages
  • Modular, efficient checking
  • Documents aliasing in the code
  • Challenges
  • Expressing common idioms
  • Support for Java constructs
  • Usability in practice

7
Outline
  • AliasJava: alias annotations for Java
  • Combines uniqueness and ownership
  • Supports the full language
  • Arrays, casts, iterators, inner classes, subtyping
  • Algorithm infers annotations
  • Guarantee of properties
  • Evaluated on library and application code

8
Annotations: Unique
[Diagram: unique reference to the set]
    static unique Set synchronizedSet(unique Set s) {
      return new SynchronizedSet(s);   // s is dead after use in constructor
    }
    // o goes out of scope here
  • unique objects have no persistent aliases
  • Newly allocated objects
  • Can only use once
  • Variable must be dead after use

10
Annotations: Owned
[Diagram: Class's signers array]
    private owned Object[] signers;
    public Object[] getSigners() {
      return signers;
    }
  • owned objects are confined within their owner
  • Aliasing allowed within the owner
  • Cannot return owned state to clients
  • Making a copy fixes the security hole

[Diagram: client's reference to signers rejected (X): compile-time error]
11
Annotations: Owned
[Diagram: Class's signers array]
    private owned Object[] signers;
    public unique Object[] getSigners() {
      return arraycopy(signers);   // returns a fresh copy, not the owned array
    }
  • owned objects are confined within their owner
  • Aliasing allowed within the owner
  • Cannot return owned state to clients
  • Making a copy fixes the security hole

[Diagram: client receives a copy of signers]
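As an added example (not code from the slides or from the AliasJava project), the JDK 1.1.1 getSigners() hole of slide 5 reproduced in plain Java on a stand-alone class, beside the copy-returning fix described on this slide. The class names LeakyClassInfo and ConfinedClassInfo, the helper clientCanTamper and the sample signer strings are constructed for the demonstration, and the fix uses Java's array clone() where the slide writes arraycopy.

```java
import java.util.function.Supplier;

public class SignersDemo {

    // Vulnerable shape (constructed stand-in for the JDK 1.1.1 Class):
    // the internal array itself escapes to every caller.
    static final class LeakyClassInfo {
        private final Object[] signers = { "trusted-signer" };   // constructed sample data

        public Object[] getSigners() {
            return signers;            // alias to owned state leaks out
        }
    }

    // Fixed shape: callers receive a fresh copy; the internal array stays confined,
    // which is what the 'unique' return annotation on this slide expresses.
    static final class ConfinedClassInfo {
        private final Object[] signers = { "trusted-signer" };   // constructed sample data

        public Object[] getSigners() {
            return signers.clone();    // no alias to the field survives the call
        }
    }

    // Returns true if a caller that mutates the array it was handed can change
    // what the object itself reports on the next call.
    static boolean clientCanTamper(Object[] returned, Supplier<Object[]> reread) {
        returned[0] = "forged-signer";
        return "forged-signer".equals(reread.get()[0]);
    }

    public static void main(String[] args) {
        LeakyClassInfo leaky = new LeakyClassInfo();
        System.out.println("leaky tamperable:    "
                + clientCanTamper(leaky.getSigners(), leaky::getSigners));

        ConfinedClassInfo fixed = new ConfinedClassInfo();
        System.out.println("confined tamperable: "
                + clientCanTamper(fixed.getSigners(), fixed::getSigners));
    }
}
```

Run with `javac SignersDemo.java && java SignersDemo`: the leaky variant reports true, because the caller's write lands in the object's own array, while the confined variant reports false, because the write only touched a copy. The slide's point is that AliasJava rejects the leaky shape at compile time instead of relying on a reviewer to notice the missing copy.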
12
Annotations: Parameters
[Diagram: owner of the List, of the array, and of the elements]
    class ArrayList<elem_owner> {
      private owned Object[elem_owner] elems;
      void add(int i, elem_owner Object o) {
        elems[i] = o;
      }
    }
  • Parameterized by element owner
  • Method parameterization also supported

13
Annotations: Shared
    static shared Object singleton;
    unique Object[shared] getSigners() {
      return arraycopy(signers);
    }
  • shared objects may be globally aliased
  • Singletons
  • Static fields
  • Global data
  • Conceptually owned by the system

14
Annotations: Lent
    int find(lent Object o) {
      for (int i = 0; ...) {
        if (elems[i] == o)
          return i;
      }
      return -1;   // not found
    }
  • Temporary alias of a unique/owned object
  • Used for the duration of the method
  • Cannot store in fields
  • Syntactically the default

15
Annotation Flow
[Diagram: unique converts to owned, shared, or a parameter (param1, param2, ...); each of these converts to lent]
    unique Object uniq = new Object();
    owned Object own = uniq;
    lent Object l = own;
    shared Object sh = own;   // error
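The flow rules on this slide, together with the "can only use once" rule for unique variables (slide 8) and the temporary, non-consuming nature of lent aliases (slides 14 and 25), as a small state-tracking checker. This is an added illustration in plain Java, not the AliasJava checker or any code from the paper: the Ann enum, the decl/assign/flows names, and the simplification that treats all alias parameters as one PARAM kind are assumptions made here.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class AnnotationFlowChecker {

    // Assumed simplification: every alias parameter is modelled as the single kind PARAM.
    enum Ann { UNIQUE, OWNED, SHARED, PARAM, LENT }

    // May a reference annotated 'from' be bound to a variable annotated 'to'?
    // Rules as drawn on the slide: unique converts to anything; owned, shared and
    // parameters convert only to lent (or to themselves); lent stays lent.
    static boolean flows(Ann from, Ann to) {
        if (from == to) return true;
        if (from == Ann.UNIQUE) return true;
        return to == Ann.LENT;
    }

    private final Map<String, Ann> vars = new LinkedHashMap<>();   // variable -> annotation
    private final Set<String> consumed = new HashSet<>();           // unique vars already used once
    private final List<String> errors = new ArrayList<>();

    // Models a declaration initialised from a fresh object, e.g. "unique Object uniq = new Object();"
    void decl(Ann ann, String name) {
        vars.put(name, ann);
    }

    // Models "<ann> Object name = rhs;"
    void assign(Ann ann, String name, String rhs) {
        Ann src = vars.get(rhs);
        if (src == null) {
            errors.add(name + ": unknown variable " + rhs);
            return;
        }
        if (src == Ann.UNIQUE) {
            // A unique variable must be dead after its one consuming use (slide 8).
            if (consumed.contains(rhs)) {
                errors.add(name + ": unique variable " + rhs + " used again after it was consumed");
                return;
            }
            // Lending creates only a stack-bound temporary alias and does not consume (slides 14, 25).
            if (ann != Ann.LENT) consumed.add(rhs);
        }
        if (!flows(src, ann)) {
            errors.add(name + ": cannot convert " + src + " to " + ann);
            return;
        }
        vars.put(name, ann);
    }

    List<String> errors() { return errors; }

    public static void main(String[] args) {
        AnnotationFlowChecker c = new AnnotationFlowChecker();
        c.decl(Ann.UNIQUE, "uniq");            // unique Object uniq = new Object();
        c.assign(Ann.OWNED, "own", "uniq");     // owned Object own = uniq;      ok, consumes uniq
        c.assign(Ann.LENT, "l", "own");         // lent Object l = own;          ok
        c.assign(Ann.SHARED, "sh", "own");      // shared Object sh = own;       error on the slide
        c.assign(Ann.OWNED, "again", "uniq");   // uniq is dead after line two:  error
        c.errors().forEach(System.out::println);
    }
}
```

The checker records two errors for the constructed program: the owned-to-shared conversion the slide marks as an error, and a second use of uniq after it was moved into own. Passing uniq to a lent variable before it is consumed would be accepted, matching the stack-only aliases that slide 25 allows.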

16
Implementation
  • AliasJava supports all features of Java
  • Subtyping
  • Inner classes
  • Casts
  • Interoperates with existing code
  • Just annotate the interface of legacy libraries
  • Checking is dynamic only where Java's is
  • Run-time type information for alias parameters
  • Checks at casts and array writes

17
Annotation Inference
    class ArrayList<A> {
      private owned Object[A] elems;
      void put(int i, A Object o) {
        elems[i] = o;
      }
    }
  • Saves tedious annotation work
  • Infers general annotations
  • Edit annotations to improve understandability
  • Future work: annotation assistant

18
Properties: Ownership
  • Common property: owners-as-dominators
  • All paths to owned objects go through the owner
  • Prevents clients from accessing owned state
  • Clarke et al.: allow owned objects on the stack
  • Patterns like Observer are prohibited
  • Boyapati et al.: inner classes may access owned state
  • Can't implement Iterators/Observers with ordinary classes

[Diagram: Client's direct reference to ArrayList's owned array rejected (X)]
19
Properties: Ownership
  • Common property: owners-as-dominators
  • All paths to owned objects go through the owner
  • Problem: Iterators violate owners-as-dominators
  • Clarke et al.: allow Iterators on the stack
  • Patterns like Observer are prohibited
  • Boyapati et al.: inner classes access owned state
  • Can't implement with ordinary classes

[Diagram: Iterator holding a reference to ArrayList's owned array, bypassing the owner (X)]
20
Properties: Ownership
  • Common property: owners-as-dominators
  • All paths to owned objects go through the owner
  • Problem: Iterators violate owners-as-dominators
  • Clarke et al.: allow Iterators on the stack
  • Patterns like Command are prohibited
  • Boyapati et al., Clarke: inner classes access owned state
  • Can't implement with ordinary classes

[Diagram: Command holding a reference to Document's owned state, bypassing the owner (X)]
21
Ownership Capability Model
  • Owned objects are only accessible by their owner and the objects to which it grants a capability
  • General model:
  • The owner grants a capability to trusted objects

22
Ownership Capability Model
  • Owned objects are only accessible by their owner and the objects to which it grants a capability
    class ArrayList<elem_owner> {
      private owned Object elems[elem_owner];
      unique Iterator<elem_owner> iterator() {
        return new ArrayItr<elem_owner, owned>(elems);
      }
    }
  • owned capability:
  • Access to ArrayList's owned state
  • Passed via static parameterization
  • ArrayList controls who accesses its state

23
Ownership Capability Model
  • Owned objects are only accessible by their owner and the objects to which it grants a capability
    class ArrayList<elem_owner> {
      private owned Object elems[elem_owner];
      unique Iterator<elem_owner> iterator() {
        return new ArrayItr<elem_owner, owned>(elems);
      }
    }
  • Compare the annotations:
  • The owned parameter is lost by subsumption (ArrayItr<elem_owner, owned> is returned as Iterator<elem_owner>)
  • Clients cannot access the owned state

24
Ownership Capability Model
  • Owned objects are only accessible by their owner and the objects to which it grants a capability
    int find(lent Object o)
  • lent capability:
  • Temporary permission to access owned state
  • find can access o for the duration of the call

25
Properties: Uniqueness
  • If a variable is unique, it has no aliases other than lent variables on the stack
  • Reasoning:
  • No aliases in heap data structures
  • Still must track lent aliases on the stack
  • Extension: Alias Burying (Boyland)
  • When a unique variable is read, all its aliases are dead
  • Requires read/write effect specifications

26
AliasFJ: A Formal Framework
  • Based on Featherweight Java (OOPSLA 99)
  • Includes unique, owned, parameters, and lent
  • Benefits:
  • Precise semantics
  • Shows how properties are enforced
  • Theorems:
  • Type safety
  • Ownership property
  • Uniqueness property

27
Evaluation: java.util.Hashtable
    public class Hashtable<key_owner, value_owner...>
        extends Dictionary<key_owner, value_owner> {
      value_owner Object get(key_owner Object k) ...
    }
  • Annotated and checked Hashtable
  • 1000 lines of code, 2.5 hours
  • Annotated some library functions
  • Experience:
  • Annotations were natural and easy to add
  • Changed code in only one place

28
Enforcing Library Invariants
    static unique Set<elements>
    synchronizedSet<elements>(unique Set<elements> s) {
      return new SynchronizedSet<>(s);
    }
  • Javadoc comment:
  • "In order to guarantee serial access, it is critical that all access to the backing set is accomplished through the returned set."
  • AliasJava: the argument is unique
  • Therefore, there are no aliases to the backing set

29
Evaluation: Aphyds
[Diagram: blackboard architecture; circuit objects in the Circuit DB are shared by Partition, ChannelRoute, Route, Floorplan and Place]
  • Pedagogical circuit layout application
  • Blackboard architecture
  • Annotated the functional core of the system
  • 7 classes, 3500 lines of code
  • Showed sharing of circuit elements

31
More in the Paper
  • Application to software architecture
  • Detailed semantics
  • Implementation technique
  • Inference algorithm
  • Case study on 3000 lines of application code

32
AliasJava
  • Combines object ownership and uniqueness
  • Aids reasoning in large systems
  • Expressive enough to use in existing code
  • Try out AliasJava!
  • http://www.archjava.org/