Aliasing in Object-Oriented Programming. Types, Analysis and Verification PDF

521 Pages·2013·6.516 MB·English

Preview Aliasing in Object-Oriented Programming. Types, Analysis and Verification

Dave Clarke, James Noble, Tobias Wrigstad (Eds.)

Aliasing in Object-Oriented Programming
Types, Analysis, and Verification

State-of-the-Art Survey
LNCS 7850

Lecture Notes in Computer Science 7850
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany

Volume Editors
Dave Clarke
Katholieke Universiteit Leuven, Department of Computer Science
Celestijnenlaan 200A, 3001 Heverlee, Belgium

James Noble
Victoria University of Wellington, School of Engineering and Computer Science
Cotton Building, Gate 6, Kelburn Parade, Wellington 6140, New Zealand

Tobias Wrigstad
Uppsala University, Department of Information Technology
Lägerhyddsvägen 2, 75237 Uppsala, Sweden

ISSN 0302-9743
e-ISSN 1611-3349
ISBN 978-3-642-36945-2
e-ISBN 978-3-642-36946-9
DOI 10.1007/978-3-642-36946-9
Springer Heidelberg Dordrecht London New York
Library of Congress Control Number: 2013932225
CR Subject Classification (1998): D.1.5, D.1.3, D.4.2, D.2.4-5, D.2.7, D.3.1-3, A.1, K.2
LNCS Sublibrary: SL 2 – Programming and Software Engineering

© Springer-Verlag Berlin Heidelberg 2013

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)

Preface

Aliasing is one of the key features of object-oriented programming languages, but it is both a blessing and a curse.
On one hand it enables the expression of sophisticated designs involving sharing, but on the other hand it makes reasoning about programs difficult for programmers, for tools such as compilers, and for programming verification.

This book presents a survey of the state of the art on techniques for dealing with aliasing in object-oriented programming. It marks the 20th anniversary of the paper “The Geneva Convention on The Treatment of Object Aliasing” by John Hogg, Doug Lea, Alan Wills, Dennis deChampeaux, and Richard Holt, which stressed the need for a systematic study of aliasing in object-oriented programming. Since that paper was published in 1992, several workshops have been devoted to this topic, including the Intercontinental Workshop on Aliasing in Object Oriented Systems (IWAOOS) in 1999 and five instalments of the International Workshop on Aliasing, Confinement and Ownership in object-oriented programming (IWACO) in 2003, 2007, 2008, 2009 and 2011.

The most recent IWACO was dedicated to 20 years of aliasing in object-oriented languages and at that venue it was decided to produce a state-of-the-art LNCS volume dedicated to research in this field. This is the volume you are reading now. Papers were solicited from contributors to IWACO and other experts in the area. The result is a broad collection of papers covering many aspects of aliasing in object-oriented programming. Each paper has been extensively reviewed to ensure the highest quality.

We hope that this collection will be a valuable addition to researchers’ bookshelves, and that it will be useful to both active researchers and graduate students alike.

January 2013
Dave Clarke
James Noble
Tobias Wrigstad

Table of Contents

The Geneva Convention
  Beyond the Geneva Convention on the Treatment of Object Aliasing
    Dave Clarke, James Noble, and Tobias Wrigstad
  The Geneva Convention on the Treatment of Object Aliasing
    John Hogg, Doug Lea, Alan Wills, Dennis de Champeaux, and Richard Holt

Ownership
  Ownership Types: A Survey
    Dave Clarke, Johan Östlund, Ilya Sergey, and Tobias Wrigstad
  Notions of Aliasing and Ownership
    Alan Mycroft and Janina Voigt
  Understanding Ownership Types with Dependent Types
    Nicholas Cameron, Sophia Drossopoulou, and James Noble
  Object Graphs with Ownership Domains: An Empirical Study
    Radu Vanciu and Marwan Abi-Antoun

Concurrency
  Alias Control for Deterministic Parallelism
    Robert L. Bocchino Jr.

Alias Analysis
  Alias Analysis for Object-Oriented Programs
    Manu Sridharan, Satish Chandra, Julian Dolby, Stephen J. Fink, and Eran Yahav

Controlling Effects
  Immutability
    Alex Potanin, Johan Östlund, Yoav Zibin, and Michael D. Ernst
  Fractional Permissions
    John Boyland

Verification
  Object Ownership in Program Verification
    Werner Dietl and Peter Müller
  State Based Encapsulation for Modular Reasoning about Behavior-Preserving Refactorings
    Anindya Banerjee and David A. Naumann
  Separation Logic for Object-Oriented Programming
    Matthew Parkinson and Gavin Bierman
  VeriFast for Java: A Tutorial
    Jan Smans, Bart Jacobs, and Frank Piessens

Programming Languages
  Confined Roles and Decapsulation in Object Teams — Contradiction or Synergy?
    Stephan Herrmann
  Location Types for Safe Programming with Near and Far References
    Yannick Welsch, Jan Schäfer, and Arnd Poetzsch-Heffter

Visions
  The Future of Aliasing in Parallel Programming
    Robert L. Bocchino Jr.
  Aliasing Visions: Ownership and Location
    Alan Mycroft
  Alias Analysis: Beyond the Code
    Manu Sridharan
  How, Then, Should We Program?
    James Noble
  A Retrospective on Aliasing Type Systems: 2012-2022
    Jonathan Aldrich
  Structured Aliasing
    Tobias Wrigstad

Author Index

Beyond the Geneva Convention on the Treatment of Object Aliasing

Dave Clarke¹, James Noble², and Tobias Wrigstad³

¹ iMinds-DistriNet, Dept. Computer Sciences, KU Leuven, Belgium
² Victoria University of Wellington, New Zealand
³ Department of Information Technology, Uppsala University, Sweden

    Aliasing must be detected when it occurs, advertised when it is possible, prevented where it is not wanted, and controlled where it is needed.
    Hogg, Lea, Wills, deChampeaux, and Holt [13].

1 Introduction

Aliasing occurs when two or more references to an object exist within the object graph of a running program. Although aliasing is essential in object-oriented programming as it allows programmers to implement designs involving sharing, it is problematic because its presence makes it difficult to reason about the object at the end of an alias—via an alias, an object’s state can change underfoot.

Around 20 years ago, John Hogg, Doug Lea, Alan Wills, Dennis deChampeaux and Richard Holt drafted a clear account of the problems of aliasing in object-oriented programming. The resulting document, The Geneva Convention on the Treatment of Object Aliasing [13,14], identified four ways of managing aliasing to make it easier to reason about:

  detection — statically or dynamically detect aliasing,
  advertisement — provide declarations to modularise aliasing properties,
  prevention — develop statically-checkable means for disallowing aliasing, and
  control — offer means to isolate the effects of aliasing.
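
An added example, not taken from the book: the C++ sketch below shows a value changing underfoot through an alias, followed by a dynamic detection check and control by copying. The function names and sample values are constructed for illustration.

```cpp
#include <functional>
#include <iostream>
#include <vector>

// Naive: assumes `divisor` is independent of `v`. The const only forbids
// writes through this name; the referent can still change via another alias.
void normalize_naive(std::vector<double>& v, const double& divisor) {
    for (double& x : v) x /= divisor;
}

// Detection (dynamic): does `p` point into the storage owned by `v`?
bool aliases_element(const std::vector<double>& v, const double* p) {
    if (v.empty()) return false;
    std::less_equal<const double*> le;  // total order over pointers
    return le(v.data(), p) && le(p, v.data() + v.size() - 1);
}

// Control: take the divisor by value, so the callee holds a private copy
// that writes to `v` cannot reach.
void normalize_controlled(std::vector<double>& v, double divisor) {
    for (double& x : v) x /= divisor;
}

// Constructed sample input: divide every element by the first one.
std::vector<double> run_naive() {
    std::vector<double> v{2.0, 4.0, 8.0};
    normalize_naive(v, v[0]);       // divisor aliases v[0]
    return v;                       // divisor became 1 after the first write
}

std::vector<double> run_controlled() {
    std::vector<double> v{2.0, 4.0, 8.0};
    normalize_controlled(v, v[0]);  // copy taken before any write
    return v;
}

int main() {
    std::vector<double> v{2.0, 4.0, 8.0};
    double other = 2.0;
    std::cout << aliases_element(v, &v[0]) << aliases_element(v, &other) << '\n';
    for (double x : run_naive()) std::cout << x << ' ';
    std::cout << '\n';
    for (double x : run_controlled()) std::cout << x << ' ';
    std::cout << '\n';
}
```
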

Although the original document focused on verification, the problems of aliasing are equally applicable whenever a programmer or compiler needs to reason about a program, to understand it, to optimise it, to refactor it, or to check that it has no data races or deadlocks.

Since the writing of the Geneva Convention, a vast amount of research on aliasing in object-oriented programming has been done. Some early techniques such as Islands [12] and Balloons [2] offered new insights into the problem, by suggesting that objects be grouped into their internal, external and boundary components, but it was not until the invention of Flexible Alias Protection [17] and Ownership Types [9] that work in the field really did blossom. The verification community relied heavily on ideas of ownership [15] and separation [18] in order to develop more feasible verification techniques. These alias control mechanisms have found application in concurrency control [5], program visualisation and understanding [1], among other areas. All the while, techniques for alias analysis are being developed and improved upon in the compiler-writer community [22], and a cross-fertilisation of ideas is starting to occur.

D. Clarke et al. (Eds.): Aliasing in Object-Oriented Programming, LNCS 7850, pp. 1–6, 2013.
© Springer-Verlag Berlin Heidelberg 2013

This book is dedicated to the state-of-the-art on aliasing in object-oriented programming. It consists of fifteen chapters, written by the leading researchers in their respective fields, and six short vision chapters presenting the views of researchers on the future of aliasing in object-oriented programming.

2 The Chapters

The first chapter, The Geneva Convention On The Treatment of Object Aliasing by John Hogg and Doug Lea and Alan Wills and Dennis deChampeaux and Richard Holt [14], is a reprint of the original Geneva Convention paper. It discusses problems with the treatment of aliasing in object-oriented languages, and argues that means for handling aliasing available in programming languages at the time (circa 1990) fail to address the complexities introduced by objects. As mentioned above, the paper introduces four classes of solutions to the aliasing problem: detection, advertisement, prevention and control. The paper analyses these four approaches and discusses existing approaches from the literature. The paper concludes with the pithy quote given at the start of this introduction.

Ownership Types were one of the significant contributions that changed the way aliasing was considered in object-oriented languages. Ownership Types provide a way of encapsulating the so-called representation objects of an aggregate object so that aliases to such objects cannot exist outside of the aggregate that owns them. This is all done in a statically checkable fashion. A large number of papers have extended, adapted or applied Ownership Types, or have taken similar ideas as the basis of an alias control mechanism. In the second chapter, Ownership Types: A Survey [8], Dave Clarke, Johan Östlund, Ilya Sergey and Tobias Wrigstad survey this body of work.

In their chapter, Notions of Aliasing and Ownership [16], Alan Mycroft and Janina Voigt present an alternative survey of aliasing and ownership, which draws from a wide range of work, including linear logic and operating systems, before focusing on some of the core approaches to alias control. After their review and critique of these approaches, the chapter concludes that a more holistic approach to aliasing is required. The chapter hints of a notion of aliasing contract, which mediates access to fields and variables—access is allowed only when the contract is satisfied.

Ownership Types are not phrased in terms of traditional type-theoretic machinery. To obtain a better understanding of their nature, Nicholas Cameron, Sophia Drossopoulou, and James Noble explore the underlying types-depend-on-owners property in terms of dependent type theory in Understanding Ownership Types with Dependent Types [7]. Their encoding also reveals the phantom type nature of Ownership Types. After addressing a vanilla Ownership Types system, several extensions are also considered, though the soundness of the encoding is a conjecture left for future work.

Object Graphs with Ownership Domains: an Empirical Study by Radu Vanciu and Marwan Abi-Antoun [23] presents empirical evaluation of the Ownership Domains type system on a number of larger programs. These programs were annotated and type checked, and then static analysis was used to extract hierarchical Ownership Object Graphs (OOGs). OOGs provide an abstract view of the ownership structure within a program, offering a better view on a system than a flat object graph. The results include numerous metrics which help understand the ownership relationships present in code.

Robert L. Bocchino Jr. describes alias control techniques for achieving deterministic parallelism in his chapter Alias Control for Deterministic Parallelism [4], which concerns programs that produce the same output on every execution for a given input, irrespective of how its threads are scheduled. Such programs are easier to write, understand, debug and maintain. Aliasing is a core hurdle to achieving deterministic parallelism, as it creates the possibility of data races. This chapter surveys program annotation techniques for controlling aliasing in order to support deterministic parallelism.

Alias analysis techniques are used within compilers and other program understanding tools to determine the aliasing structure between objects. Such information is essential for performing various compiler optimisations and for performing program transformations safely.
The chapter Alias Analysis for Object-Oriented Programs by Manu Sridharan, Satish Chandra, Julian Dolby, Stephen J. Fink, and Eran Yahav [22] presents a survey of alias analysis for object-oriented programs, including points-to analysis, flow sensitive techniques, and whole-program alias analysis and its limitations. The discussion is framed in the context of the authors’ experience in developing industrial-strength analyses for Java.

One of the core ways of reducing the impact of aliasing is by reducing the effect of mutable references. This falls under the alias control categorisation of the Geneva Convention. Immutability by Alex Potanin, Johan Östlund, Yoav Zibin, Michael D. Ernst [20] surveys immutability in the context of object-oriented programming languages. The point of departure is final fields in Java and const references in C++. These are argued to be inadequate, as they offer only shallow notions of immutability. The chapter then surveys a number of recent proposals, including Javari, IGJ, Joe3, and OIGJ, that overcome the weaknesses of final and const.

Fractional Permissions are a novel idea that allows precise resource tracking in type systems and specification logics. The key idea is that a whole permission allows unique write access to an object, but that this can be split (and later rejoined) into multiple read permissions. Fractional Permissions by John Boyland [6] describes the motivation for Fractional Permission and gives a survey of various models of Fractional Permissions, including those supporting nesting.

Object Ownership in Program Verification by Werner Dietl and Peter Müller [10] surveys the key role played by ownership in program verification in two different realisations: Universe Types and Dynamic Ownership, in the context of
