Generic Ownership for Generic Java
Alex Potanin, Dave Clarke (CWI)
James Noble, Robert Biddle (Carleton)
Introduction
• OO languages provide name-based encapsulation:
class Rectangle {
    private Point topLeft;
}
• Not a guarantee that an object pointed at by a private field is not referred to by another name (alias)
Introduction
• Ownership allows a granular control of which objects are allowed to have references to which objects
• Generic Ownership is a unified approach to providing ownership and generics in a programming language
Aliasing (The Good)
• Aliasing is widely used in programming
• A lot of data structures and design patterns need it
[Figure: Doubly Linked List, with List, Head, Node, Node and Tail]
Aliasing (The Bad)
class Rectangle {
    private Point topLeft;
    private int width, height;
}
...
Point p = new Point(100, 50);
Rectangle r = new Rectangle(p, 300, 200);
p.setX(400); // p is an alias of r's private topLeft, so r moves too
Aliasing (The Ugly)
• Bug in Sun JDK v1.1.1
• Reported by SIPG in ’97
Identities[] all = SM.getAllSystemIdentities();
Identities[] me = getSigners();
// Say, item 42 is "allow all"
// Copy extra permissions (Identities) from a complete list to applet specific list!
me[0] = all[42];
[Figure: java.security package holding All System Identities; Identity lists of Some Applet and Malicious Applet; calls getAllSystemIdentities() and getSigners()]
Example from Confined Types by Bokowski and Vitek (OOPSLA’99)
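The aliasing leak on this slide, reduced to a self-contained Java sketch beside the defensive-copy form of the same getter. This is an added example, not code from the talk or from the JDK; Identity, LeakyLoader and CopyingLoader are hypothetical names and the identity values are constructed.

```java
// Added illustration; all class names and sample values are constructed.
public class SignerAliasDemo {

    // Immutable element type, so a shallow array copy is a sufficient defence.
    static final class Identity {
        final String name;
        Identity(String name) { this.name = name; }
    }

    // Pattern from the slide: the getter hands out the private array itself.
    static final class LeakyLoader {
        private final Identity[] signers;
        LeakyLoader(Identity... signers) { this.signers = signers.clone(); }
        Identity[] getSigners() { return signers; }          // alias to internal state
        boolean isSignedBy(String who) { return contains(signers, who); }
    }

    // Library-level mitigation: every caller receives its own copy.
    static final class CopyingLoader {
        private final Identity[] signers;
        CopyingLoader(Identity... signers) { this.signers = signers.clone(); }
        Identity[] getSigners() { return signers.clone(); }  // no alias escapes
        boolean isSignedBy(String who) { return contains(signers, who); }
    }

    static boolean contains(Identity[] ids, String who) {
        for (Identity id : ids) {
            if (id.name.equals(who)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Identity allowAll = new Identity("allow-all");    // stands in for item 42
        Identity applet = new Identity("some-applet");

        LeakyLoader leaky = new LeakyLoader(applet);
        leaky.getSigners()[0] = allowAll;                 // write lands in private state
        System.out.println("leaky loader signed by allow-all:   "
                + leaky.isSignedBy("allow-all"));

        CopyingLoader copying = new CopyingLoader(applet);
        copying.getSigners()[0] = allowAll;               // only the caller's copy changes
        System.out.println("copying loader signed by allow-all: "
                + copying.isSignedBy("allow-all"));
    }
}
```

The copy has to be remembered in every accessor by hand; ownership types move that check into the type system so that an accessor leaking the array does not compile.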
Aliasing
“The big lie of object-oriented programming is that objects provide encapsulation”
John Hogg
Islands: Aliasing Protection in Object-Oriented Languages
OOPSLA’91
Ownership
• Ownership Types allow us to ensure that objects can’t escape their owners because of irresponsible handling of references to them
class Rectangle<Owner extends World> {
    private Point<This> topLeft;
}
• This marks these fields as being accessible by the current instance of Rectangle only
Dave Clarke, John Potter, James Noble
Ownership Types for Flexible Aliasing Protection, OOPSLA’98
Ownership
HelloWorld.java
LinkedList.java
Java 1.4
[Figure: Box and Book objects]
Java 5 Generics
[Figure: Box (Bird) and Box (Book)]
Ownership
[Figure sequence: Book (Library); Book (Robert); Book (Me) and Book (Robert)]
Generic Ownership
[Figure sequence: Box of Robert’s Books; Box of My Computer Books]
Question
• How do we get this into a language?
Simple Map in Java
class Node { . . . }
public class Map {
    private Vector nodes;
    public Vector expose() { return this.nodes; }
    void put(Object key, Object value) {
        nodes.add(new Node(key, value));
    }
    Object get(Object k) {
        Iterator i = nodes.iterator();
        while (i.hasNext()) {
            Node mn = (Node) i.next();
            if (mn.key.equals(k)) return mn.value;
        }
        return null;
    }
}
[Figure: Box and Book objects]
Map books = new Map();
books.put("Wisdom", new Book());
Object b = books.get("Wisdom"); // Don't know what get returns!
Vector aliasedNodes = books.expose(); // Private field exposed!
Generic Map in Java 5
class Node<Key, Value> { . . . }
public class Map<Key, Value> {
    private Vector<Node<Key, Value>> nodes;
    public Vector<Node<Key, Value>> expose() { return this.nodes; }
    void put(Key key, Value value) {
        nodes.add(new Node<Key, Value>(key, value));
    }
    Value get(Key k) {
        Iterator<Node<Key, Value>> i = nodes.iterator();
        while (i.hasNext()) {
            Node<Key, Value> mn = i.next();
            if (mn.key.equals(k)) return mn.value;
        }
        return null;
    }
}
[Figure: Box (Bird) and Box (Book)]
Map<String, Book> books = new Map<String, Book>();
books.put("Wisdom", new Book());
Book b = books.get("Wisdom"); // Type of Map knows what get returns
Vector<Node<String, Book>> aliasedNodes = books.expose(); // Exposed!
Ownership Map in Safe Java
class Node<nodeOwner, kOwner, vOwner> { . . . }
public class Map<mOwner, kOwner, vOwner> {
    private Vector<this, this> nodes;
    public Vector<this, this> expose() { return this.nodes; }
    void put(Object<kOwner> key, Object<vOwner> value) {
        nodes.add(new Node<this, kOwner, vOwner>(key, value));
    }
    Object<vOwner> get(Object<kOwner> key) {
        Iterator<this, this> i = nodes.iterator();
        while (i.hasNext()) {
            Node<this, kOwner, vOwner> mn = (Node<this, kOwner, vOwner>) i.next();
            if (mn.key.equals(key)) return mn.value;
        }
        return null;
    }
}
[Figure: Book (Me) and Book (Robert)]
Map<this, world, world> books = new Map<this, world, world>();
books.put("Wisdom", new Book());
Book<world> b = books.get("Wisdom"); // Don't know what get returns!
Vector<this, this> aliasedNodes = books.expose(); // books. is not this.
Ownership + Generic Map
class Node<nodeOwner>[Key<kOwner>, Value<vOwner>] { . . . }
public class Map<mOwner>[Key<kOwner>, Value<vOwner>] {
    private Vector<this>[Node<this>[Key<kOwner>, Value<vOwner>]] nodes;
    public Vector<this>[Node<this>[Key<kOwner>, Value<vOwner>]] expose() {
        return this.nodes;
    }
    void put(Key<kOwner> key, Value<vOwner> value) {
        nodes.add(new Node<this>[Key<kOwner>, Value<vOwner>](key, value));
    }
    Value<vOwner> get(Key<kOwner> key) {
        Iterator<this>[Node<this>[Key<kOwner>, Value<vOwner>]] i = nodes.iterator();
        while (i.hasNext()) {
            Node<this>[Key<kOwner>, Value<vOwner>] mn = i.next();
            if (mn.key.equals(key)) return mn.value;
        }
        return null;
    }
}
Map<this>[String<world>, Book<world>] books = new Map<this>[String<world>, Book<world>]();
books.put("Wisdom", new Book<world>());
Book<world> b = books.get("Wisdom"); // Map type knows what get returns
Vector<this>[Node<this>[String<world>, Book<world>]] aliasedNodes = books.expose(); // books. is not this.
State of the Art
• Aliasing is endemic in object-oriented programming
• Ownership (and other schemes like confinement, universes, etc.) allows us to control aliasing
• The current systems are not very usable by typical programmers
• Generics is a popular mechanism in modern OO languages
Generic Ownership
• Generics and ownership are orthogonal and should not have anything to do with each other?
• Our claim:
– Generics and ownership are complementary
– Merged into one with Generic Ownership (GO)
– GO is the most practical way of having ownership in a modern OO programming language
Generic Ownership™ Map
class Node<Key, Value, Owner extends World> { . . . }
public class Map<Key, Value, Owner extends World> {
    private Vector<Node<Key, Value, This>, This> nodes;
    public Vector<Node<Key, Value, This>, This> expose() {
        return this.nodes;
    }
    public void put(Key key, Value value) {
        nodes.add(new Node<Key, Value, This>(key, value));
    }
    public Value get(Key key) {
        Iterator<Node<Key, Value, This>, This> i = nodes.iterator();
        while (i.hasNext()) {
            Node<Key, Value, This> mn = i.next();
            if (mn.key.equals(key)) return mn.value;
        }
        return null;
    }
}
[Figure: Box of My Computer Books]
Map<String, Book, This> books = new Map<String, Book, This>();
books.put("Wisdom", new Book());
Book b = books.get("Wisdom"); // Type of Map knows what get returns
Vector<this, this> aliasedNodes = books.expose(); // books. is not this.
Generic Ownership
• Proposes the unification of parameterised and ownership types
• Starts with a generic type system and adds ownership
• The results are surprising: per-package ownership (confinement) comes basically for free and other kinds of ownership are not hard to implement
• Ownership shouldn’t be treated orthogonally to type information, rather there is a deep semantic connection between the two
• GO is the least intrusive introduction of ownership into a programming language
Generic Ownership Results
• Java 5 Extension: Ownership Generic Java: http://www.mcs.vuw.ac.nz/~alex/ogj/
• OGJ is backwards compatible with Java 5 and allows control of who is allowed to access which object
• Formalised based on extended FGJ showing that OGJ supports ownership:
1. A “pure” FGJ+c system adds per-package ownership without affecting the soundness of FGJ
2. A “full” FGO system provides deep ownership together with generics in a fully imperative setting
Featherweight Generic Java (FGJ)
class A extends Object { A() { super(); } }
class B extends Object { B() { super(); } }

class Pair<X extends Object, Y extends Object> extends Object {
    X fst;
    Y snd;
    Pair(X fst, Y snd) {
        super(); this.fst = fst; this.snd = snd;
    }
    <Z extends Object> Pair<Z,Y> setfst(Z newfst) {
        return new Pair<Z,Y>(newfst, this.snd);
    }
}
Featherweight Java by Igarashi, Pierce, and Wadler in OOPSLA’99
FGO: Imperative FGJ + Ownership
• Separate hierarchy of owner classes rooted in World that are used to carry ownership for each FGO type
• In addition to adding owners to types, we require:
1. Owner Nesting: provides for owner parameter nesting that enforces ownership
2. Owner Preservation: ensures owner invariance over subtyping
3. “This” Rule: prevents non-this access to types owned by particular instances
4. Placeholder Owners: an owner initialisation mechanism
FGJ + (=, null, ref’s, locals, etc.) + Owners = FGO
1. Owner Nesting
There is a standard approach to enforcing deep ownership:
“Every FGO type has its owner inside other owners involved in the type”
2. Owner Preservation
• The central idea of generic ownership is preservation of owners over the subtyping
class Student<Owner extends World> extends Person<Owner> { ... }
• The owner parameter cannot be cast away or changed at any stage in the FGO program
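How far an owner carried as an ordinary type parameter gets in plain Java 5 generics, and where it stops short of the rule above. This is an added example checked by javac, not OGJ code from the talk; World, Me, Robert, Book, Textbook and Box are hypothetical names modelled on the slides.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration: plain Java generics checked by javac, not OGJ.
// World, Me, Robert, Book, Textbook and Box are hypothetical names.
public class PhantomOwnerDemo {

    // Owner classes carry no state; they are used only as type arguments.
    static class World {}
    static final class Me extends World {}
    static final class Robert extends World {}

    // The owner travels as an ordinary type parameter.
    static class Book<Owner extends World> {
        final String title;
        Book(String title) { this.title = title; }
    }

    // A subtype passes its owner through unchanged.
    static final class Textbook<Owner extends World> extends Book<Owner> {
        Textbook(String title) { super(title); }
    }

    static final class Box<Item> {
        private final List<Item> items = new ArrayList<Item>();
        void put(Item item) { items.add(item); }
        Item get(int i) { return items.get(i); }
        int size() { return items.size(); }
    }

    // Plain Java still accepts raw types, which erase the owner argument.
    @SuppressWarnings({"rawtypes", "unchecked"})
    static void putIgnoringOwner(Box box, Object item) { box.put(item); }

    public static void main(String[] args) {
        Box<Book<Robert>> roberts = new Box<Book<Robert>>();
        roberts.put(new Book<Robert>("Wisdom"));
        roberts.put(new Textbook<Robert>("Types"));   // same owner: accepted

        // roberts.put(new Book<Me>("Diary"));        // javac: incompatible types

        Book<Robert> b = roberts.get(0);              // no cast needed
        System.out.println(b.title);

        // The raw-typed helper bypasses the owner check; the box now holds
        // a Book<Me> although its type says Book<Robert>.
        putIgnoringOwner(roberts, new Book<Me>("Diary"));
        System.out.println(roberts.size());
    }
}
```

The commented-out call is the protection generics give for free; the raw-typed helper is the gap that the owner preservation rule closes in FGO.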
3. “This” Rule
This function is a mechanism preventing access to objects owned by the current object by anything other than this.*
class Bar<Owner extends World> {
    public Foo<this> secret = new Foo<this>();
    void m() {
        Foo<this> f = this.secret; // OK
        Bar<Owner> b = new Bar<Owner>();
        f = b.secret; // NOT OK
        b = this;
        f = b.secret; // ALSO NOT OK
    }
}
4. Placeholder Owners
• How do we allow a declaration of Map like this, when Key and Value also have their separate owners?
class Map<Key, Value, Owner> { ... }
• We have a placeholder owners function that produces the missing owners for Key and Value used by the FGO type system
State of the Generic Ownership
• Generic Ownership Compiler Prototype (done)
• Per Package Ownership Formalism (done)
• Generic Ownership Formalism (done)
• Implementing OGJ in JavaCOP (done)
• OGJ Applications (partially done)
• Ownership Inference Formalism (partially done)
• Eclipse Full Ownership Inference Tool (to do)
• Corpus Analysis of OGJ Effects (to do)
• Generalising the Approach (C#, not just Java)
Summary
• Ownership and Generics are closely complementary
• Language support for ownership with generics is possible (and easier than without generics!)
• Generic Ownership is:
– First proposal to fully support ownership and generics
– Backed by a full formalism and a working compiler
– Adopted by other aliasing research groups
• OGJ (Ownership Generic Java) is a compiler providing this support
http://www.mcs.vuw.ac.nz/~alex/