Safe Initialization of Objects Fengyun Liu, Ondˇrej Lhoták, Aggelos Biboudis, Paolo G. Giarrusso, Martin Odersky Technical Report É COLE P OLYTECHNIQUE F ÉDÉRALEDE L AUSANNE July, 2020 Contents 1 Introduction 6 1.1 The Problem........................................7 1.2 Theoretical Challenges..................................7 1.3 Practical Challenges....................................9 1.4 Engineering Challenges.................................. 10 1.5 Existing Work....................................... 10 1.5.1 Industrial Languages............................... 11 1.5.2 Masked Types................................... 11 1.5.3 The Freedom Model............................... 12 1.6 Contribution........................................ 13 2 Principles: Monotonicity, Authority, Stackability and Scopability 15 2.1 Principles.......................................... 15 2.1.1 Monotonicity................................... 15 2.1.2 Authority...................................... 16 2.1.3 Stackability..................................... 17 2.1.4 Scopability..................................... 18 2.2 Design of Constructors.................................. 19 2.2.1 A Critique of Traditional Constructors..................... 19 2.2.2 Class Parameters and Mandatory Field Initializers.............. 20 2.3 Related Work........................................ 21 2.4 Conclusion......................................... 22 3 Local Reasoning 23 3.1 A Small Language..................................... 23 3.2 Abstractions: Cold, Warm, Hot.............................. 24 3.2.1 Intuition...................................... 24 3.2.2 Formal Definitions................................ 26 3.3 Formal Local Reasoning................................. 27 3.3.1 Three Concepts of Monotonicity........................ 27 3.3.2 Stackability..................................... 28 3.3.3 Scopability..................................... 29 3.3.4 Local Reasoning.................................. 31 2 3.4 Proof of Scopability.................................... 32 3.4.1 Lemmas...................................... 32 3.4.2 Theorem...................................... 34 3.5 Proof of Weak Monotonicity............................... 38 3.5.1 Lemmas...................................... 38 3.5.2 Theorem...................................... 38 3.6 Proof of Stackability.................................... 40 3.6.1 Lemmas...................................... 40 3.6.2 Theorem...................................... 41 3.7 Mechanization....................................... 44 3.8 Discussion......................................... 44 3.9 Conclusion......................................... 45 4 The Basic Model 46 4.1 The Formal Language................................... 46 4.2 Type System........................................ 47 4.2.1 Subtyping..................................... 47 4.2.2 Definition Typing................................. 47 4.2.3 Expression Typing................................. 47 4.2.4 Typing Example.................................. 50 4.3 Extension.......................................... 50 4.4 Discussion......................................... 51 4.4.1 Promotion before Commitment......................... 51 4.4.2 Authority, Flow-Insensitivity and Typestate Polymorphism......... 51 4.5 Related Work........................................ 52 4.6 Conclusion......................................... 55 5 Meta-Theory: The Basic Model 56 5.1 Approach.......................................... 56 5.2 Definitions......................................... 56 5.3 Over-Approximation Lemmas.............................. 59 5.4 Monotonicity Lemmas.................................. 60 5.5 Authority Lemmas..................................... 60 5.6 Stackability Lemmas................................... 61 5.7 Local Reasoning...................................... 61 5.8 Selection Lemmas..................................... 62 5.9 Initialization Lemmas................................... 62 5.10 Theorem.......................................... 63 5.11 Discussion......................................... 67 5.11.1 Monotonicity................................... 67 5.11.2 Stackability..................................... 68 5.11.3 Local Reasoning.................................. 68 5.12 Conclusion......................................... 68 3 6 An Inference System 69 6.1 Motivation......................................... 69 6.2 A Practical Fragment................................... 70 6.3 The Design......................................... 71 6.3.1 Potentials and Effects............................... 71 6.3.2 Two-Phase Checking............................... 73 6.3.3 Full-Construction Analysis............................ 73 6.3.4 Cyclic Data Structures.............................. 74 6.4 Formalization....................................... 74 6.4.1 Syntax and Semantics.............................. 74 6.4.2 Effects and Potentials............................... 75 6.4.3 Expression Typing................................. 77 6.4.4 Definition Typing................................. 79 6.4.5 Effect Checking.................................. 80 6.5 Discussions........................................ 80 6.5.1 Why restrict the length of potentials?...................... 80 6.5.2 Why the cold annotation?............................ 82 6.6 Extension: Functions................................... 83 6.7 Related Work........................................ 83 6.8 Conclusion......................................... 84 7 Meta-Theory: The Inference System 85 7.1 Definitions......................................... 85 7.2 Monotonicity Lemmas.................................. 88 7.3 Closure Lemmas...................................... 89 7.4 Potential Lemmas..................................... 90 7.5 Effect Lemmas....................................... 91 7.6 Local Reasoning...................................... 92 7.7 Selection Lemmas..................................... 93 7.8 Method Call Lemmas................................... 94 7.9 Expression Soundness.................................. 94 7.10 Discussion......................................... 101 7.11 Conclusion......................................... 101 8 Implementation and Evaluation 102 8.1 Motivation......................................... 102 8.2 Design........................................... 104 8.3 Formalization....................................... 106 8.3.1 Syntax and Semantics.............................. 106 8.3.2 Effects and Potentials............................... 108 8.3.3 Expression Typing................................. 110 8.3.4 Definition Typing................................. 110 8.3.5 Effect Checking.................................. 114 4 8.3.6 Potential Propagation.............................. 115 8.3.7 View Change.................................... 118 8.3.8 Termination.................................... 120 8.4 Implementation...................................... 121 8.4.1 Lazy Summarization............................... 121 8.4.2 Separate Compilation.............................. 121 8.4.3 Debuggability................................... 122 8.4.4 Functions..................................... 122 8.4.5 Properties..................................... 122 8.4.6 Traits........................................ 123 8.4.7 Local Classes.................................... 123 8.5 Evaluation......................................... 124 8.5.1 Experimental Result............................... 124 8.5.2 Discovered Bugs.................................. 126 8.5.3 Challenging Examples.............................. 128 8.6 Open Challenges..................................... 129 8.7 Related Work........................................ 129 8.8 Conclusion......................................... 130 Bibliography 131 A A Step-Indexed Interpreter in Coq 134 A.1 Syntax............................................ 134 A.2 Semantics......................................... 135 A.3 Typing............................................ 137 A.4 Properties......................................... 141 A.5 Some Helpers....................................... 141 5 Chapter 1 Introduction Life is too short to spend time chasing down irreproducible bugs, and money is too valuable to waste on the purchase of flaky software. — Andrew W. Appel, Modern Compiler Implementation in ML Object-oriented programming is unsafe if objects cannot be initialized safely. The following code shows a simple initialization problem 1: 1 class Hello { 2 val message="hello," + name 3 val name="Alice" 4 } 5 println(new Hello().message)) The code above at runtime will print “hello, null” instead of “hello, Alice”, as the field name is not initialized, thus holds the value null, when it is used in the second line. Software that are vulnerable to such errors crash or misbehave at runtime and may incur financial loss or cause safety accidents. The errors, sometimes simple sometimes subtle, require programmer efforts to debug and fix, which drains valuable engineering resources and harms programmer productivity. Such errors have come into existence since the inception of object-oriented programming 60 years ago. Despite the fact that object-oriented programming has become the dominant programming paradigm in the software industry for more than 30 years, programmers are still frequently bothered and frustrated by initialization errors in software development. Joe Duffy, in his popular blog post on partially constructed objects