1 / 35

Ownership and Immutability in Generic Java (OIGJ)

This work merges Ownership and Immutability concepts in Generic Java, addressing problems of representation exposure and unintended modifications. By combining these aspects, OIGJ ensures secure data handling and prevents unauthorized alterations. The proposed solutions involve defining ownership relationships and enforcing object immutability, tackling issues like leaking internal representations and inadvertent data changes in Java collections. The OIGJ framework introduces annotations like @Immutable, @Mutable, @ReadOnly, and @World to specify object states, access levels, and ownership rules. The novel idea of "Cookers" ensures that objects become immutable simultaneously with their owner's constructor finalization, enabling the creation of immutable cyclic structures efficiently. Through formalization and case studies, OIGJ demonstrates the practical benefits of integrating Ownership and Immutability concepts in Java programming, offering enhanced data security and type safety.

rosettam
Download Presentation

Ownership and Immutability in Generic Java (OIGJ)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. YoavZibin+, Alex Potanin* Paley Li*, Mahmood Ali^, and Michael Ernst$ +IBM *Victoria,NZ^MIT $U. of Washington Ownership and Immutability in Generic Java (OIGJ)

  2. Ownership + Immutability Our previous work OGJ: added Ownership to Generic Java IGJ: added Immutability to Generic Java This work OIGJ: combine Ownership + Immutability The sum is greater than its parts Immutable cyclic data-structures (e.g., bi-directional lists) IGJ could not type-check Java collections OIGJ can, without any code changes

  3. Problem 1: Representation exposure Internal representation leaks to the outside private doesn’t offer real protection! Real life example! class Class { private List signers; public List getSigners() { return this.signers; } } Forgot to copy signers! • http://java.sun.com/security/getSigners.html • Bug: the system thinks that code signed by one identity is signed by a different identity

  4. Solution for Representation Exposure Ownership: owner-as-dominator Class should own the list signers No outside alias can exist Ownership can be nested: note the tree structure Class X signers X … entry2 entryN entry1 X … signer1 signer2 signerN

  5. Problem 2: Unintended Modification Modification is not explicit in Java Can Map.get() modify the map? for (Object key : map.keySet()) map.get(key);throwsConcurrentModificationExceptionfor the following mapnew LinkedHashMap(100, 1, true) Reorders elements according to last-accessed (like a cache)

  6. Solution: Immutability Object immutability mutable / immutable Reference immutability mutable / immutable / readonly Example in IGJ syntax class Student { @ImmutableDate dateOfBirth; … void setTutor(@ReadOnlyStudent tutor) @Mutable{ … } } Method may modify the this object; Can only be called on mutable receivers

  7. Raw vs. Cooked Creation of an immutable object Raw state: Fields can be assigned Cooked state: Fields cannot be assigned When does an object become cooked? Traditionally An object is cooked when its constructor finishes

  8. OIGJ’s novel idea Connect ownership & immutability An object is cooked when its owner’s constructor finishes The outside world will not see this cooking phase The complex object and its representation become immutable simultaneously Enables creation of immutable cyclic structures

  9. Cooking LinkedList (1 of 2) Goal: No refactoring 1 :LinkedList(Collection<E> c){ 2 : this(); // Initializesthis.header 3 : Entry<E> succ = this.header, pred = succ.prev; 4 : for (E e : c) { 5 : Entry<E> entry = 6 : new Entry<E>(e,succ,pred); 7 : pred.next = entry; 8 : pred = entry; 9 : } 10: succ.prev = pred; 11: }

  10. Cooking LinkedList (2 of 2) 1 : LinkedList(@ReadOnlyCollection<E> c) @Raw{ 2 : this(); // Initializesthis.header 3 : @This @IEntry<E> succ = this.header, pred = succ.prev; 4 : for (E e : c) { 5 : @This @IEntry<E> entry = 6 : new @This @IEntry<E>(e,succ,pred); 7 : pred.next = entry; 8 : pred = entry; 9 : } 10: succ.prev = pred; 11: }

  11. OIGJ Annotations ReadOnly World Raw Immutable This Mutable Ownership hierarchy World – anyone can access This – this owns the object Immutability hierarchy ReadOnly– no modification Raw– object under construction

  12. Immutability 1:class Foo { 2: // An immutable reference to an immutable date. @ImmutableDate imD; 3: // A mutable reference to a mutable date. @MutableDate mutD; 4: // A readonly reference to any date. @ReadOnlyDate roD = ... ? imD : mutD; 5: // A reference to a date with the same immutability as this. @IDate sameI;6: // Can be called on any receiver; cannot mutate this. intreadonlyMethod() @ReadOnly{...} 7: // Can be called only on mutable receivers; can mutate this. void mutatingMethod() @Mutable{...} 8:}

  13. Ownership 1: //A date with the same owner and immutability as this @O @IDate sameD; 2: // A date owned by this; it cannot leak. @This @IDate ownedD; 3: // Anyone can access this date. @World @IDate publicD; class LinkedList<E> { @This @I Entry<E> header; ... } class Entry<E> { @O @I Entry<E> next, prev; ... }

  14. Formalization: Featherweight OIGJ • Novel idea: Cookers • Every object in the heap is of the form: • yis the owner of x • zis the cooker of x, i.e., x becomes cooked when the constructor of z finishes • Formalism tracks the ongoing constructors • Subtyping rules connect cookers and owners or xFoo<y,Mutable> xFoo<y,Immutable > z • Proved soundness and type preservation

  15. Case studies • Implementation uses the Checkers Framework • Only 1600 lines of code (but still a prototype) • Requires type annotations available in JSR 308 • Java Collections case study • 77 classes, 33K lines of code • Only 85 ownership-related annotations • Only 46 immutability-related annotations

  16. Case studies conclusions • Verified that collections own their representation • Method clone does not typecheck • It’s broken: shallow copy breaks ownership • Suggestion: sheep clone • Ownership-aware copy: between shallow and deep copy • Compiler-generated clone that nullifies fields, and then calls a user-defined copy method

  17. Previous Work Universes Relaxed owner-as-dominator to owner-as-modifier Reference immutability: C++’s const Javari Initialization & Immutability X10, Frozen objects, Flexible Initialization Ownership & Immutability JOE3 , MOJO, Delayed types

  18. Future work Inferring ownership and immutability annotations Further case studies Extending OIGJ owner-as-modifier uniqueness or external uniqueness ownership transfer concurrency

  19. Conclusions • Ownership Immutability Generic Java (OIGJ) • Simple, intuitive, static, backward compatible • Connected ownership & immutability • Case study showing usefulness • Formal proof of soundness • Link: • http://code.google.com/p/ownership-immutability/ • Questions?

  20. Contributions No refactoring of existing code Prototype implementation No syntax changes (uses type-annotations in JSR 308) No runtime overhead Backward compatible Verified encapsulation of Java collections Few annotations More Flexible Cyclic immutable structures, the factory and visitor design patterns Formalization and soundness proof

  21. OIGJ typing rules Ownership nesting Field access Field assignment Method invocation Method guards Raw parameter can be used only in method guards (see the paper for all rules, such as inner classes, covariant subtyping)

  22. Ownership example in OGJ This-owned fields/methods can be accessed only via this class Class { @This List signers; // This-owned field public @This List getSigners1() { return this.signers; } public @World List getSigners2() { return new @World LinkedList(this.signers); } public void example(Class other) { this.signers = …; // Ok other.signers = …; // Illegal this.getSigners1(); // Ok other.getSigners1(); // Illegal other.getSigners2(); // Ok }

  23. OIGJ syntax: fields (1 of 2) Two new generic parameters were added 1:class Foo<O extends World, I extends ReadOnly> { 2: // An immutable reference to an immutable date. Date<O,Immut>imD = new Date<O,Immut>(); 3: // A mutable reference to a mutable date. Date<O,Mutable>mutD = new Date<O,Mutable>(); 4: // A readonly reference to any date. Both roD and imD cannot mutate // their referent, however the referent of roD might be mutated by an // alias, whereas the referent of imD is immutable. Date<O,ReadOnly>roD = ... ? imD : mutD; 5: // A date with the same owner and immutability as this Date<O,I>sameD; 6: // A date owned by this; it cannot leak. Date<This,I>ownedD; 7: // Anyone can access this date. Date<World,I>publicD;

  24. OIGJ syntax: methods (2 of 2) Method guard <T extends U>?has a dual purpose: The method is included only if T extends U Inside the method, the bound of Tis U. 8 : // Can be called on any receiver; cannot mutate this. <I extends ReadOnly>? intreadonlyMethod(){...} 9 : // Can be called only on mutable receivers; can mutate this. <I extends Mutable>? void mutatingMethod(){...} 10: // Constructor that can create (im)mutable objects. <I extends Raw>? Foo(Date<O,I> d) { 11: this.sameD = d; 12: this.ownedD = new Date<This,I>(); 13: // Illegal, because sameDcame from the outside. // this.sameD.setTime(...); 14: // OK, because Raw is transitive for owned fields. this.ownedD.setTime(...); 15: }

  25. LinkedList Example 1 : class Entry<O,I,E> { 2 : E element; 3 : Entry<O,I,E> next, prev; … 4 : } 5 : class LinkedList<O,I,E> { 6 : Entry<This,I,E> header; … 7 : <I extends Raw>?LinkedList( 8 : Collection<?,ReadOnly,E> c) { 9 : this(); this.addAll(c); 10: } 11: <I extends Raw>? void addAll( 12: Collection<?,ReadOnly,E> c) { 13: Entry<This,I,E> succ = this.header, 14: pred = succ.prev; 15: for (E e : c) { 16: Entry<This,I,E> en = 17: new Entry<This,I,E>(e,succ,pred); 18: pred.next = en; pred = en; } 19: succ.prev = pred; 20: }

  26. Ownership nesting The main owner parameter must be inside any other owner parameter. List<This, I,Date<World,I>> l1; // Legal nesting List<World,I,Date<This, I>> l2; // Illegal! It’s illegal because we can store l2 in this variable: public static Object<World,ReadOnly> alias_l2;

  27. Field access/assignment this-owned fields can be accessed/assigned only via this 1: class Foo<O extends World, I extends ReadOnly> { 2: Date<This,I> ownedD; // this-owned field 3: Date<O,I> sameD; 4: <I extends Mutable>? void bar(Foo<This,I> other) { 5: this.ownedD = …; // Legal: assign via this 6: other.ownedD = …; // Illegal: not via this 7: other.sameD = …; // Legal: not this-owned 8: }

  28. Field assignment A field can be assigned only if the object is Raw or Mutable. If it is Raw, then the object must be this or this-owned. 1 : class Foo<O extends World, I extends ReadOnly> { 2 : Date<O,I> sameD; 3 : <I extends Raw>? void bar( 4 : Foo<?,Mutable> mutableFoo, 5 : Foo<?,ReadOnly> readonlyFoo, 6 : Foo<?,I> rawFoo1, 7 : Foo<This,I> rawFoo2) { 8 : mutableFoo.sameD = …; // Legal: object is Mutable 9 : readonlyFoo.sameD = …; // Illegal: object is not Raw nor Mutable 10: rawFoo1.sameD = …; // Illegal: object is not this nor this-owned 11: rawFoo2.sameD = …; // Legal: object is Raw and this-owned 12: this.sameD = …; // Legal: object is Raw and this 13: }

  29. Method invocation Method invocation is the same as field access/assignment: If any parameter is this-owned, then the receiver must be this. If the guard is Raw and the object is Raw, then the receiver must be this or this-owned. 1 : class Foo<O extends World, I extends ReadOnly> { 2 : Date<This,I> m1() { … } // Parameter is this-owned 3 : <I extends Raw>? void m2() { … } 4 : <I extends Raw>? void bar( 5 : Foo<?,I> rawFoo1, 6 : Foo<This,I> rawFoo2) { 7 : this.m1(); // Legal: object is this 8 : rawFoo2.m1(); // Illegal: object is not this 9 : rawFoo1.m2(); // Illegal: object is not this nor this-owned 10: rawFoo2.m2(); // Legal: both Raw and object is this-owned 11: this.m2(); // Legal: both Raw and object is this 12: }

  30. Method guards Guard “<T extends U>?” has a dual purpose: The receiver’s T must be a subtype of U. Inside the method, the bound of T is U. 1: class Foo<O extends World, I extends ReadOnly> { 2: <I extends Raw>? void rawM() { … } 3: <I extends Mutable>? void bar( 4: Foo<?,ReadOnly> readonlyFoo, 5: Foo<?,I> mutableFoo) { 6: readonlyFoo.rawM(); // Illegal: ReadOnly is not a subtype of Raw // The bound of I in this method is Mutable 7: mutableFoo.rawM(); // Legal: Mutableis a subtype of Raw 8: this.rawM(); // Legal: Mutable is a subtype of Raw 9: } Conditional Java (cJ) proposed method guards for Java

  31. Challenge: Cyclic Immutability • Cooking a cyclic data-structure is complicated • Many objects must be raw simultaneously to manipulate backward pointers • Then everything must become immutable simultaneously • OIGJ’s novel idea: • Prolong the cooking phase by using ownership information • Enables creation of immutable cyclic structures

  32. Outline Ownership Motivating problem Owner-as-dominator Immutability Motivating problem Class immutability, object immutability, readonly references Challenge: cyclic immutability OIGJ language Formalism Case studies

  33. Ownership: Owner-as-dominator Dominators in graph theory Given: a directed rooted graph X dominates Y if any path from the root to Y passes X Owner-as-dominator Object graph; roots are the static variables An object cannot leak outside its owner, i.e., Any path from a root to an object passes its owner Conclusion: No aliases to internal state

  34. Ownership 1: //A date with the same owner and immutability as this @O @IDate sameD; 2: // A date owned by this; it cannot leak. @This @IDate ownedD; 3: // Anyone can access this date. @World @IDate publicD; 4: // Constructor that can create mutable or immutable objects. Foo(@O @IDate d) @Raw{ 5: this.sameD = d; 6: this.ownedD = new @This @IDate (); 7: }

More Related