Aliasing Contracts, a Novel, Dynamically-Checked Alias Protection Scheme for Object- Oriented Programming Languages
Total Page:16
File Type:pdf, Size:1020Kb
UCAM-CL-TR-880 Technical Report ISSN 1476-2986 Number 880 Computer Laboratory Access contracts: a dynamic approach to object-oriented access protection Janina Voigt February 2016 15 JJ Thomson Avenue Cambridge CB3 0FD United Kingdom phone +44 1223 763500 http://www.cl.cam.ac.uk/ c 2016 Janina Voigt This technical report is based on a dissertation submitted May 2014 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Trinity College. Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: http://www.cl.cam.ac.uk/techreports/ ISSN 1476-2986 Abstract In object-oriented (OO) programming, variables do not contain objects directly but ad- dresses of objects on the heap. Thus, several variables can point to the same object; we call this aliasing. Aliasing is a central feature of OO programming that enables efficient sharing of objects across a system. This is essential for the implementation of many programming idioms, such as iterators. On the other hand, aliasing reduces modularity and encapsulation, making programs difficult to understand, debug and maintain. Much research has been done on controlling aliasing. Alias protection schemes (such as Clarke et al.’s influential ownership types) limit which references can exist, thus guar- anteeing the protection of encapsulated objects. Unfortunately, existing schemes are significantly restrictive and consequently have not been widely adopted by software de- velopers. This thesis makes three contributions to the area of alias protection. Firstly, it pro- poses aliasing contracts, a novel, dynamically-checked alias protection scheme for object- oriented programming languages. Aliasing contracts are highly flexible and expressive, addressing the limitations of existing work. We show that they can be used to model many existing alias protection schemes, providing a unifying approach to alias protection. Secondly, we develop a prototype implementation of aliasing contracts in Java and use it to quantify the run-time performance of aliasing contracts. Since aliasing con- tracts are checked dynamically, they incur run-time performance overheads; however, our performance evaluation shows that using aliasing contracts for testing and debugging is nevertheless feasible. Thirdly, we propose a static analysis which can verify simple aliasing contracts at compile time, including those contracts which model ownership types. Contracts which can be verified in this way can subsequently be removed from the program before it is executed. We show that such a combination of static and dynamic checking significantly improves the run-time performance of aliasing contracts. Author publications Parts of the work reported in this thesis have been published during the period of PhD study. In particular: • Chapter 2 contains extracts from a book chapter entitled “Notions of aliasing and ownership” by Alan Mycroft and Janina Voigt published in “Aliasing in Object- Oriented Programming” [70]. • Chapter 3 contains extracts from a technical report entitled “Aliasing contracts: a dynamic approach to alias protection” by Janina Voigt and Alan Mycroft published by the University of Cambridge Computer Laboratory [96]. • Chapter 5 contains extracts from a conference paper entitled “Dynamic alias pro- tection with aliasing contracts” by Janina Voigt and Alan Mycroft published in the proceedings of APLAS 2013 [97]. Acknowledgements My biggest thanks naturally go to my supervisor Alan Mycroft for his constant guidance and encouragement throughout the development of this thesis. His feedback and expertise have been invaluable to me and I have always found him willing to take time out of his busy schedule to teach me and help improve my work. I am particularly grateful for his frequent proofreading and his useful suggestions for improvements, in terms of both content and presentation. I would also like to thank the Cambridge Computer Laboratory, particularly the other students from the CPRG research group (Dominic, Raoul, Stephen, Raphael, Tomas, Peter and others). This work would not have been possible without the generous financial support of the Rutherford foundation of the Royal Society of New Zealand and the Cambridge Trust who supported me through the Cambridge-Rutherford memorial scholarship. I would also like to thank Trinity College for their academic and pastoral support and several very enjoyable feasts! Finally, I want to thank my friends and family who were always on hand to distract me from my work and make my life more fun and enjoyable. In my time at Cambridge, I have met so many amazing people that I can’t list them all, but I am sure they will know who they are! I want to particularly mention Steffen who helped proofread this thesis and Will whose expertise in theoretical computer science I required on more than one occasion and who was always keen to discuss his work or mine. Thanks also to Wal and Liz for frequent Skype conversations and constant encouragement. And of course a big thank you goes to my boyfriend Tobias for managing to put up with me on both good and bad days for the past years and for always finding ways to cheer me up when I was struggling with my work. Last but certainly not least, I want to thank my mother Angelica for her continued love and support through my many years at university (and of course beforehand). Contents 1 Introduction 13 1.1 Motivation.................................... 13 1.2 Aliasingcontracts................................ 16 1.3 Thesisstructure................................. 16 2 Background 19 2.1 Aliasprotection................................. 20 2.1.1 Aliasingpolicies............................. 20 2.1.1.1 Fullencapsulation . 20 2.1.1.2 Uniquenessandlinearity . 23 2.1.1.3 Ownership: owners-as-dominators and owners-as-modifiers 25 2.1.1.4 Moduleencapsulation . 33 2.1.1.5 Systems supporting multiple policies . 35 2.1.2 Othercharacteristics . 37 2.1.2.1 Referencesandobjectaccesses . 37 2.1.2.2 Staticanddynamicchecking . 38 2.1.2.3 Temporalandspatialaliasing . 38 2.1.2.4 Staticanddynamicaliasing . 39 2.1.2.5 Sharing ............................ 39 2.1.2.6 Borrowing........................... 40 2.1.2.7 Immutability ......................... 40 2.1.3 Limitationsofexistingwork . 41 2.2 Aliasandpointeranalysis . 42 2.3 Summary .................................... 45 3 Aliasingcontracts:overviewandsemantics 47 3.1 Overviewofaliasingcontracts . .... 47 3.1.1 Encapsulationgroups. 51 3.1.2 Contractparameters . 53 3.1.3 Contractsuspension . 55 3.1.4 Checkingaliasingcontracts . 57 3.2 Formalisationofaliasingcontracts. ....... 57 3.2.1 Syntax.................................. 57 3.2.2 Operationalsemantics . 59 3.2.2.1 Notation............................ 59 3.2.2.2 Contractevaluation . 62 3.2.2.3 Contracttransfer . 67 3.2.2.4 Methodandconstructorcalls . 67 3.2.2.5 The in operator ....................... 68 3.2.2.6 Conditionals, sequences and boolean operators . .... 68 3.2.2.7 Evaluationcontexts . 68 3.3 Casestudy.................................... 69 3.4 Summary .................................... 72 4 Comparison of aliasing contracts with existing alias protection schemes 73 4.1 Referencesandobjectaccesses . .... 73 4.2 Staticanddynamicchecking. .. 74 4.3 Temporalandspatialaliasing . ... 74 4.4 Staticanddynamicaliasing . .. 74 4.5 Sharing ..................................... 75 4.6 Borrowing .................................... 76 4.7 Immutability .................................. 77 4.8 Multipleownership ............................... 77 4.9 Ownershiptransfer ............................... 78 4.10Aliasingpolicies................................ 79 4.10.1 Fullencapsulation. 79 4.10.2 Owners-as-dominators and owners-as-modifiers . ........ 80 4.10.2.1 Strict owners-as-dominators and owners-as-modifiers . 80 4.10.2.2 Peer owners-as-dominators and owners-as-modifiers.... 81 4.10.2.3 Transitive owners-as-dominators and owners-as-modifiers . 81 4.10.2.4 Clarke-styleownershiptypes. 82 4.10.3 Uniquenessandlinearity . 83 4.10.4 Moduleencapsulation . 84 4.10.5 Capabilities ............................... 85 4.11 Using aliasing contracts to compare full encapsulation and Clarke-style ownership types 86 4.12Summary .................................... 87 5 JaCon: a prototype implementation of aliasing contracts for Java 89 5.1 Extensions of aliasing contracts for real-life OO languages.......... 89 5.2 Description of JaCon ............................. 90 5.2.1 Prototypefeatures ........................... 90 5.2.1.1 Optimisations. 95 5.2.2 Knownissues .............................. 96 5.3 Performance evaluation of JaCon ....................... 96 5.3.1 Performanceofasingleobjectaccess . ... 97 5.3.1.1 Method ............................ 97 5.3.1.2 Results ............................ 98 5.3.2 Performanceofencapsulationgroups . ... 99 5.3.2.1 Method ............................ 99 5.3.2.2 Results ............................100 5.3.3 Empirical study with open-source Java programs . .101 5.3.3.1 Casestudy1: unittestmeasurements . 102 5.3.3.2 Case study 2: A real usage scenario for FindBugs . 111 5.4 Summary ....................................112 6 Staticverificationofaliasingcontracts 115 6.1 Overviewofthestaticanalysis. .116 6.2 Formalisation: aliasing graphs and contract verification ...........116 6.2.1 Definitions................................117 6.2.2 Staticrootedpathsanddynamicobjects . 118 6.2.3 Aliasinggraph..............................119 6.2.3.1 Examples ...........................121