
http://www.diva-portal.org

Postprint

This is the accepted version of a paper presented at 33rd Annual ACM Symposium on Applied Computing (ACM SAC), Pau, France, April 9–13, 2018.

Citation for the original published paper:
Castegren, E., Wrigstad, T. (2018) OOlong: An Extensible Concurrent Object Calculus. In: Proceedings of SAC 2018: Symposium on Applied Computing (pp. 1022-1029). 33RD ANNUAL ACM SYMPOSIUM ON APPLIED COMPUTING
https://doi.org/10.1145/3167132.3167243

N.B. When citing this work, cite the original published paper.

Permanent link to this version: http://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-335174

OOlong: An Extensible Concurrent Object Calculus

Elias Castegren, Tobias Wrigstad

ABSTRACT

We present OOlong, an object calculus with interface inheritance, structured concurrency and locks. The goal of the calculus is extensibility and reuse. The semantics are therefore available in a version for LaTeX typesetting (written in Ott), and a mechanised version for doing rigorous proofs in Coq.

KEYWORDS

Object Calculi, Semantics, Mechanisation, Concurrency

ACM Reference format:
Elias Castegren and Tobias Wrigstad. 2018. OOlong: An Extensible Concurrent Object Calculus. In Proceedings of SAC 2018: Symposium on Applied Computing, Pau, France, April 9–13, 2018 (SAC 2018), 8 pages. https://doi.org/10.1145/3167132.3167243

Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.
SAC 2018, April 9–13, 2018, Pau, France
© 2018 Copyright held by the owner/author(s). Publication rights licensed to Association for Computing Machinery.
ACM ISBN 978-1-4503-5191-1/18/04...$15.00
https://doi.org/10.1145/3167132.3167243

1 INTRODUCTION

When reasoning about object-oriented programming, object calculi are a useful tool for abstracting away many of the complicated details of a full-blown programming language. They provide a context for prototyping in which proving soundness or other interesting properties of a language is doable with reasonable effort.

The level of detail depends on which concepts are under study. One of the most used calculi is Featherweight Java, which models inheritance but completely abstracts away mutable state [12]. The lack of state makes it unsuitable for reasoning about any language feature which entails object mutation, and many later extensions of the calculus re-add state as a first step. Other proposals have also arisen as contenders for having “just the right level of detail” [3, 15, 21].

This paper introduces OOlong, a small, imperative object calculus for the multi-core age. Rather than modelling a specific language, OOlong aims to model object-oriented programming in general, with the goal of being extensible and reusable. To keep subtyping simple, OOlong uses interfaces and omits class inheritance and method overriding. This avoids tying the language to a specific model of class inheritance (e.g., Java’s), while still maintaining an object-oriented style of programming. Concurrency is modeled in a finish/async style, and synchronisation is handled via locks.

The semantics are provided both on paper and in a mechanised version written in Coq. The paper version of OOlong is defined in Ott [20], and all type rules in this paper are generated from this definition. To make it easy for other researchers to build on OOlong, we are making the sources of both versions of the semantics publicly available.

With the goal of extensibility and re-usability, we make the following contributions:

• We define the formal semantics of OOlong, motivate the choice of features, and prove type soundness (§ 2–5).
• We provide a mechanised version of the full semantics and soundness proof, written in Coq (§ 6).
• We provide Ott sources for easily extending the paper version of the semantics and generating type rules in LaTeX (§ 7).
• We give two examples of how OOlong can be extended; support for assertions, and more fine-grained locking based on regions (§ 8).

2 RELATED WORK

The main source of inspiration for OOlong is Welterweight Java by Östlund and Wrigstad [15], a concurrent core calculus for Java with ease of reuse as an explicit goal. Welterweight Java is also defined in Ott, which facilitates simple extension and LaTeX typesetting, but only exists as a calculus on paper. There is no online resource for accessing the Ott sources, and no published proofs except for the sketches in the original treatise. OOlong provides Ott sources and is also fully mechanised in Coq, increasing reliability. Having a proof that can be extended along with the semantics also improves re-usability. Both the Ott sources and the mechanised semantics are publicly available online [5]. OOlong is more lightweight than Welterweight Java by omitting mutable variables and using a single flat stack frame instead of modelling the call stack. Also, OOlong is expression-based whereas Welterweight Java is statement-based, making the OOlong syntax more flexible. We believe that all these things make OOlong easier to reason and prove things about, and more suitable for extension than Welterweight Java.

Object calculi are used regularly as a means of exploring and proving properties about language semantics. These calculi are often tailored for some special purpose, e.g., the calculus of dependent object types [1], which aims to act as a core calculus for Scala, or OrcO [16], which adds objects to the concurrent-by-default language Orc. While these calculi serve their purposes well, their tailoring also makes them fit less well as a basis for extension when reasoning about languages which do not build upon the same features. OOlong aims to act as a calculus for common object-oriented languages in order to facilitate reasoning about extensions for such languages.

Figure 1 (table; columns: FJ, ClJ, ConJ, MJ, LJ, WJ, OOlong; rows: State, Statements, Expressions, Class Inheritance, Interfaces, Concurrency, Stack, Mechanised, LaTeX sources): A comparison between Featherweight Java, ClassicJava, ConcurrentJava, Middleweight Java, Lightweight Java, Welterweight Java and OOlong. The original formulation of Featherweight Java was not mechanised, but later extensions have been mechanised in Coq [14].

P    ::= Ids Cds e                                  (Programs)
Id   ::= interface I {Msigs}                        (Interfaces)
       | interface I extends I1, I2
Cd   ::= class C implements I {Fds Mds}             (Classes)
Msig ::= m(x : t1) : t2                             (Signatures)
Fd   ::= f : t                                      (Fields)
Md   ::= def Msig {e}                               (Methods)
e    ::= v | x | x.f | x.f = e                      (Expressions)
       | x.m(e) | let x = e1 in e2 | new C | (t) e
       | finish{async{e1} async{e2}}; e3
       | lock(x) in e | locked_ι {e}
v    ::= null | ι                                   (Values)
t    ::= C | I | Unit                               (Types)
Γ    ::= ϵ | Γ, x : t | Γ, ι : C                    (Typing environment)

Figure 2: Syntax of OOlong. Ids, Cds, Fds, Mds and Msigs are sequences of zero or more of their singular counterparts. Terms in grey boxes are not part of the surface syntax but only appear during evaluation.

2.1 Java-based Calculi

There are many object calculi which aim to act as a core calculus for Java. While OOlong does not aim to model Java, it does not actively avoid being similar to Java. A Java programmer should feel comfortable looking at OOlong code, but a researcher using OOlong does not need to use Java as the model. Figure 1 surveys the main differences between different Java core calculi and OOlong. In contrast to many of the Java-based calculi, OOlong ignores inheritance between classes and instead uses only interfaces. While inheritance is an important concept in Java, we believe that subtyping is a much more important concept for object-oriented programming in general. Interfaces provide a simple way to achieve subtyping without having to include concepts like overriding. With interfaces in place, extending the calculus to model other inheritance techniques like mixins [11] or traits [19] becomes easier.

The smallest proposed candidate for a core Java calculus is probably Featherweight Java [12], which omits all forms of assignment and object state, focusing on a functional core of Java. While this is enough for reasoning about Java’s type system, the lack of mutable state precludes reasoning about object-oriented programming in a realistic way. Extensions of this calculus often re-add state as a first step (e.g., [2, 14, 18]). The original formulation of Featherweight Java was not mechanised, but a later variation omitting casts and introducing assignment was mechanised in Coq (∼2300 lines) [14].

… never mechanised. Strniša proposes Lightweight Java as a simplification of Middleweight Java [21], omitting block scoping, type casts, constructors, expressions, and modelling of the call stack, while still being a proper subset of Java. Like Welterweight Java it is purely based on statements, and does not include interfaces. Like OOlong, Lightweight Java is defined in Ott, but additionally uses Ott to generate a mechanised formalism in Isabelle/HOL. A later extension of Lightweight Java was also mechanised in Coq (∼800 lines generated from Ott, and another ∼5800 lines of proofs) [9].

Last, some language models go beyond the surface language and execution. One such model is Jinja by Klein and Nipkow [13], which models (parts of) the entire Java architecture, including the virtual machine and compilation from Java to byte code. To handle the complexity of such a system, Jinja is fully mechanised in Isabelle/HOL. The focus of Jinja is different than that of calculi like OOlong, and is therefore not practical for exploring language extensions which do not alter the underlying runtime.