1 / 51

Checking and Inference of Reference Immutability and Method Purity

This paper presents ReIm and ReImInfer, tools for checking and inferring reference immutability and method purity in Java programs.

lugo
Download Presentation

Checking and Inference of Reference Immutability and Method Purity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ReIm & ReImInfer:Checking and Inferenceof Reference Immutabilityand Method Purity Wei Huang1,Ana Milanova1, Werner Dietl2, Michael D. Ernst2 1Rensselaer Polytechnic Institute 2University ofWashington

  2. Reference Immutability md rd • Mutable Date • Readonly Date Date rd.setHours(2); md.setHours(3); ✓ ✗

  3. Motivating Example • class Class{ • private Object [] signers; • public Object • return signers; • } • } • ... • Object [] getSigners() { [] signers = getSigners(); • signers[0] = maliciousClass; A real security flaw in Java 1.1

  4. Reference Immutability Solution • class Class{ • private Object [] signers; • public Object • return signers; • } • } • ... • Object readonly [] getSigners() { readonly [] signers = getSigners(); ✗ • signers[0] = maliciousClass;

  5. Contributions ReIm: Acontext-sensitive type system for reference immutability ReImInfer: An inferencealgorithm for ReIm Method purity − an application of ReIm Implementation and evaluation

  6. Motivation for ReIm and ReImInfer • Concrete need for method purity • Available tools unstable and/or imprecise • Javari [Tschantz & Ernst OOPSLA’05]and Javarifier[Quinonez et al. ECOOP’08]separate immutability of a container from its elements • Unsuitable for purity inference • Javarifiercan be slow

  7. Overview Preference Ranking over Qualifiers Source Code Set-based Solution Maximal Typing Extract Concrete Typing ReIm Typing Rules Set-based Solver Type Checking

  8. Immutability Qualifiers readonlyC x = …; x.f = z; // not allowed x.setField(z); // not allowed • mutable • A mutable reference can be used to mutate the referent • readonly • A readonly reference cannot be used to mutate the referent

  9. Context-insensitive Typing class DateCell { mutableDate date; mutableDate getDate(mutableDateCellthis){ return this.date; } void setHours(mutableDateCellthis) { Date md = this.getDate(); md.hours = 1; } intgetHours(mutableDateCellthis) { Date rd = this.getDate(); inthour = rd.hours; return hour; } } mutable mutable mutable mutable mutable mutable readonly It could have been readonly

  10. Immutability Qualifiers class C { polyreadD f; ... } ... mutableC c1 = ...; c1.f.g = 0; // allowed readonly C c2 = ...; c2.f.g = 0; // not allowed • polyread • The mutability of a polyread reference depends on the context

  11. ReIm Typing Instantiated to mutable class DateCell { polyread Date date; polyreadDate getDate(polyreadDateCell this){ return this.date; } void setHours(mutableDateCellthis) { mutable Date md = md.hour = 1; } intgetHours(readonlyDateCellthis) { readonlyDate rd= int hour = rd.hour; return hour; } } • this.getDate(); • this.getDate(); Instantiated to readonly It is readonly

  12. Viewpoint Adaptation O1 O3 O2 • Encodes context sensitivity • Adapts a typefrom the viewpoint of another type • Viewpoint adaptation operation:

  13. Generalizes Viewpoint Adaptation • Traditional viewpoint adaptation [Dietl & Müller JOT’05] • Always adapts from the viewpoint of receiver • x in field access x.f • y in method call y.m(z) • ReIm adapts from different viewpoints • receiverat field access • x in x.f • left-hand-side of call assignment at method call • x in x = y.m(z)

  14. Viewpoint Adaptation Example class DateCell { polyreadDate date; polyreadDate getDate(DateCell this){ return } void setHours(mutableDateCellthis) { mutableDate md = md.hour = 1; } intgetHours(readonlyDateCellthis) { readonly Date rd= int hour = rd.hour; return hour; } } polyread polyread polyread polyread this.date; mutable • this.getDate(); readonly • this.getDate();

  15. Subtyping Hierarchy mutable Object mo; polyread Object po; readonlyObject ro; ro = po; ✓po= ro; ✗ ro = mo; ✓mo= ro; ✗ po = mo; ✓mo = po; ✗ mutable <: polyread <: readonly

  16. Typing Rules (TREAD) (TWRITE) (TCALL) T T T

  17. Outline ReIm type system Inference algorithm for ReIm Method purity inference Implementation and evaluation

  18. Set-based Solver • Set Mapping S: • variable {readonly, polyread, mutable} • Iterates over statements s • fsremoves infeasible qualifiers for each variable in saccording to the typingrule • Until • Reaches a fixpoint

  19. Inference Example class DateCell { Date date; Date getDate( DateCellthis){ return this.date; } void setHours( DateCellthis) { Date md = this.getDate(); md.hour = 2; } } {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} 19

  20. Inference Example class DateCell { Date date; Date getDate( DateCellthis){ return this.date; } void setHours( DateCellthis) { Date md = this.getDate(); md.hour = 2; } } {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} 20

  21. Inference Example class DateCell { Date date; Date getDate( DateCellthis){ return this.date; } void setHours( DateCellthis) { Date md = this.getDate(); md.hour = 2; } } {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} 21

  22. Inference Example class DateCell { Date date; Date getDate( DateCellthis){ return this.date; } void setHours( DateCellthis) { Date md = this.getDate(); md.hour = 2; } } {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} 22

  23. Inference Example class DateCell { Date date; Date getDate( DateCellthis){ return this.date; } void setHours( DateCellthis) { Date md = this.getDate(); md.hour = 2; } } {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} 23

  24. Maximal Typing Ranking: readonly > polyread > mutable class DateCell { Date date; Date getDate( DateCellthis){ return this.date; } void setHours( DateCellthis) { Date md = this.getDate(); md.hour = 2; } } {readonly,polyread,mutable} {readonly,polyread,mutable} {readonly,polyread,mutable} Maximal Typing: Pick the maximal qualifier from each set {readonly,polyread,mutable} {readonly,polyread,mutable} Maximal Typing always provably type checks! 24

  25. Outline ReIm type system Inference algorithm for ReIm Method purity inference Implementation and evaluation

  26. Purity • A method is pure if it does not mutate any object that exists in prestates[Sălcianu& Rinard VMCAI’05] • If a method does not access static states • Theprestates are from parameters • If any of the parameters is mutable, the method is impure; otherwise, it is pure

  27. Purity Example class List { Node head; intlen; void add(mutable Node this, mutable Node n) { n.next = this.head; this.head = n; this.len++; } intsize(readonlyNode this) { return this.len; } } impure pure

  28. Outline ReIm type system Inference algorithm for ReIm Method purity inference Implementation and evaluation

  29. Implementation • Built on top of the Checker Framework [Papi et al. ISSTA’08, Dietl et al. ICSE’11] • Extends the framework to specify: • Ranking over qualifiers • Viewpoint adaptation operation • Publicly available at • http://code.google.com/p/type-inference/

  30. Reference Immutability Evaluation • 13 benchmarks, comprising 766K LOC in total • 4 whole Java programs and 9 Java libraries • Comparison with Javarifier [Quinonez et al. ECOOP’08] • Equally precise results • Differences are due to different semantics of Javari and ReIm • Better scalability

  31. Reference Immutability Results

  32. Performance Comparison

  33. Purity Evaluation • Comparison with JPPA [Sălcianu& Rinard VMCAI’05] and JPure[Pearce CC’11] • Equal or better precision • Differences are due to different definitions of purity • Works with both whole programs and libraries • More robust!

  34. Purity Inference Results

  35. Related Work • Javari [Tschantz & Ernst OOPSLA’05]and Javarifier[Quinonez et al. ECOOP’08] • Javari allows excluding fields from state • Handles generics and arrays differently • JPPA [Sălcianu& Rinard VMCAI’05] • Relies on pointer and escape analysis • Works on whole program • JPure[PearceCC’11] • Modular purity system for Java • Exploits freshness and locality

  36. Conclusions • A type system for reference immutability • An efficient type inference algorithm • Method purity inference • Evaluation on 766 kLOC • Publicly available at • http://code.google.com/p/type-inference/

  37. Conclusions • A type system for reference immutability • An efficient type inference algorithm • Method purity inference • Evaluation on 766 kLOC • Publicly available at • http://code.google.com/p/type-inference/

  38. Benchmarks

  39. Precision Evaluation on JOlden

  40. Precision Comparison • Compare with Javarifier [Quinonez et al. ECOOP’08] • JOlden benchmark • 34differences from Javarifier, out of 758 identifiable references • Other benchmarks • Randomly select 4 classes from each benchmarks • 2differences from Javarifier, out of 868 identifiable references

  41. Method Purity • A method is pure if it does not mutate any object that exists in prestates • Applications • Compiler optimization [Lhoták & Hendren CC’05] • Model checking [Tkachuk& DwyerESEC/FSE’03] • Atomicity [Flanagna et al. TOSE’05]

  42. Prestates From Static Fields qget = polyread polyread X static get() { return sf;} ... polyread X x = get(); x.f = 0; • Static immutability type for each method • can be • mutable: m mutates static states • readonly: m never mutates static states • polyread: m never mutates static states, but the static states it returns to its callers are mutated

  43. Extended Typing Rules (TSWRITE) (TSREAD) T T Extends ReIm typing rules to enforce static immutability types

  44. Example void m() { // a staticfieldread y = x.f; z = id(y); z.g = 0; ... } x = sf; Extended typing rule (TSREAD) enforce Because qx is mutable, then qm is mutable

  45. Infer Purity qmis inferred as immutability types Each method m is mapped to S(m) = {readonly, polyread, mutable}and solved by the set-based solver The purity of m is decided by:

  46. Precision Comparison • Compare with Javarifier [Quinonez et al. ECOOP’08] • 36differences from Javarifier, out of 1526 identifiable references • Due to different semantics of Javari and ReIm

  47. Summary ReImInfer produces equally precise results ReImInfer scales better than Javarifier

  48. Precision Comparison with JPPA • 59differences from JPPA out of 326 user methods for JOlden benchmark • 4 are due to differences in definitions/assumptions • 51 are due to limitations/bugs in JPPA • 4 are due to limitations in ReImInfer

  49. Precision Comparison with JPure • 60 differences from JPure out of 257 user methods for JOlden benchmark, excluding the BH program • 29 differences are caused by different definitions/assumptions • 29 differences are caused by limitations/bugs in JPure • 2are caused by limitationsin ReImInfer

  50. Summary ReImInfer shows good precision compared to JPPA and JPure ReImInfer scales well to large programs ReImInfer works with both whole programs and libraries ReImInfer is robust!

More Related