8 research outputs found
Behavioural Types for Memory and Method Safety in a Core Object-Oriented Language
open7siWork partially supported by the EU H2020 RISE programme under the Marie Sk lodowska-Curie grant agreement No. 778233 (BehAPI), the UK EPSRC grant EP/K034413/1 (ABCD), and by NOVA LINCS (UIDB/04516/2020) via FCT.We present a type-based analysis ensuring memory safety and object protocol completion in the Java-like language Mungo. Objects are annotated with usages, typestates-like specifications of the admissible sequences of method calls. The analysis entwines usage checking, controlling the order in which methods are called, with a static check determining whether references may contain null values. It prevents null pointer dereferencing in a typestate-aware manner and memory leaks and ensures that the intended usage protocol of every object is respected and completed. The type system admits an algorithm that infers the most general usage with respect to a simulation preorder. The type system is implemented in the form of a type checker and a usage inference tool.openBravetti M.; Francalanza A.; Golovanov I.; Huttel H.; Jakobsen M.S.; Kettunen M.K.; Ravara A.Bravetti M.; Francalanza A.; Golovanov I.; Huttel H.; Jakobsen M.S.; Kettunen M.K.; Ravara A
Resource Sharing via Capability-Based Multiparty Session Types
Multiparty Session Types (MPST) are a type formalism used to model communication protocols among components in distributed systems, by specifying type and direction of data transmitted. It is standard for multiparty session type systems to use access control based on linear or affine types. While useful in offering strong guarantees of communication safety and session fidelity, linearity and affinity run into the well-known problem of inflexible programming, excluding scenarios that make use of shared channels or need to store channels in shared data structures.
In this paper, we develop capability-based resource sharing for multiparty session types. In this setting, channels are split into two entities, the channel itself and the capability of using it. This gives rise to a more flexible session type system, which allows channel references to be shared and stored in persistent data structures. We illustrate our type system through a producer-consumer case study. Finally, we prove that the resulting language satisfies type safety
Typechecking Java Protocols with [St]Mungo
This is a tutorial paper on [St]Mungo, a toolchain based on multiparty session types and their connection to typestates for safe distributed programming in Java language.
The StMungo (“Scribble-to-Mungo”) tool is a bridge between multiparty session types and typestates. StMungo translates a communication protocol, namely a sequence of sends and receives of messages, given as a multiparty session type in the Scribble language, into a typestate specification and a Java API skeleton. The generated API skeleton is then further extended with the necessary logic, and finally typechecked by Mungo. The Mungo tool extends Java with (optional) typestate specifications. A typestate is a state machine specifying a Java object protocol, namely the permitted sequence of method calls of that object. Mungo statically typechecks that method calls follow the object’s protocol, as defined by its typestate specification. Finally, if no errors are reported, the code is compiled with javac and run as standard Java code.
In this tutorial paper we give an overview of the stages of the [St]Mungo toolchain, starting from Scribble communication protocols, translating to Java classes with typestates, and finally to typechecking method calls with Mungo. We illustrate the [St]Mungo toolchain via a real-world case study, the HTTP client-server request-response protocol over TCP. During the tutorial session, we will apply [St]Mungo to a range of examples having increasing complexity, with HTTP being one of them
Safe Session-Based Concurrency with Shared Linear State
Publisher Copyright: © 2023, The Author(s).We introduce CLASS, a session-typed, higher-order, core language that supports concurrent computation with shared linear state.publishersversionpublishe
Modular session types for objects
Session types allow communication protocols to be specified
type-theoretically so that protocol implementations can be verified by static
type checking. We extend previous work on session types for distributed
object-oriented languages in three ways. (1) We attach a session type to a
class definition, to specify the possible sequences of method calls. (2) We
allow a session type (protocol) implementation to be modularized, i.e.
partitioned into separately-callable methods. (3) We treat session-typed
communication channels as objects, integrating their session types with the
session types of classes. The result is an elegant unification of communication
channels and their session types, distributed object-oriented programming, and
a form of typestate supporting non-uniform objects, i.e. objects that
dynamically change the set of available methods. We define syntax, operational
se-mantics, a sound type system, and a sound and complete type checking
algorithm for a small distributed class-based object-oriented language with
structural subtyping. Static typing guarantees that both sequences of messages
on channels, and sequences of method calls on objects, conform to
type-theoretic specifications, thus ensuring type-safety. The language includes
expected features of session types, such as delegation, and expected features
of object-oriented programming, such as encapsulation of local state.Comment: Logical Methods in Computer Science (LMCS), International Federation
for Computational Logic, 201
Coping with the reality: adding crucial features to a typestate-oriented language
Detecting programming errors and vulnerabilities in software is increasingly important,
and building tools that help with this task is an area of investigation, crucial for the
industry these days. When programming in an object-oriented language, one naturally
defines stateful objects that are non-uniform, i.e., their methods’ availability depends
on their internal state. One might represent their intended usage protocol with an automaton
or a state machine. Behavioral types allow to statically check if all the code of a
program respects the usage protocol of each object.
In this thesis we present a tool that extends Java with typestate definitions. These
typestates are associated with Java classes and define the behavior of instances of those
classes, specifying the sequences of method calls allowed. This tool checks statically that
method calls happen in order, following the specified behavior.
The tool was implemented in Kotlin as a plugin for the Checker Framework. It is a
new implementation of the Mungo tool and supports prevention of null pointer errors,
state transitions depending on return values, assurance of protocol completion, droppable
states, and association of protocols with classes from the standard Java library or
from third-party libraries. Additionally, the tool integrates behavioral types with access
permissions, allowing objects to be shared in a controlled way using a language of
assertions. This language of assertions supports concepts like packing and unpacking,
including unpacking of aliases objects, and transferring of permissions between aliases.
To relieve the programmer from manually writing all the necessary assertions, the tool
implements an inference algorithm which analyzes the code statically and, given the uses
of objects, constructs all the required assertions.A deteção de erros de programação e vulnerabilidades no software é cada vez mais
importante, e a criação de ferramentas que ajudem nesta tarefa é uma área de investigação
crucial para a indústria atualmente. Ao programar numa linguagem orientada a
objetos, definem-se naturalmente objetos com estado que não são uniformes, ou seja, a
disponibilidade dos seus métodos depende do seu estado interno. Pode-se representar
o protocolo de uso pretendido com um autómato ou uma máquina de estados. Os tipos
comportamentais permitem verificar estaticamente se todo o código de um programa
respeita o protocolo de uso de cada objeto.
Nesta tese apresentamos uma ferramenta que estende o Java com definições de typestates.
Esses estão associados às classes Java e definem o comportamento das instâncias
dessas classes, especificando as sequências de chamadas de métodos permitidas. Esta ferramenta
verifica estaticamente se as chamadas de métodos ocorrem pela ordem correta,
seguindo o comportamento especificado.
A ferramenta foi implementada em Kotlin como um plugin para o Checker Framework.
É uma implementação nova da ferramenta Mungo e suporta a prevenção de erros de
ponteiro nulo, transições de estado dependendo de valores de retorno, asseguração da
conclusão dos protocolos, objetos que podem ser «largados», e a associação de protocolos
com classes da biblioteca padrão do Java ou de terceiros. Além disso, esta integra tipos
comportamentais com permissões de acesso, permitindo que objetos possam ser partilhados
por meio de uma linguagem de asserções. Esta linguagem de asserções oferece
suporte para conceitos como packing e unpacking, incluindo unpacking de objetos partilhados,
e transferência de permissões entre variáveis que apontam para o mesmo objeto.
Para aliviar o programador de escrever manualmente todas as asserções necessárias, a
ferramenta implementa um algoritmo de inferência que analisa o código estaticamente e,
consoante os usos dos objetos, constrói todas as asserções necessárias
CLASS: A Logical Foundation for Typeful Programming with Shared State
Software construction depends on imperative state sharing and concurrency, which are
naturally present in several application domains and are also exploited to improve the
structure and efficiency of computer programs. However, reasoning about concurrency
and shared mutable state is hard, error-prone and the source of many programming bugs,
such as memory leaks, data corruption, deadlocks and non-termination.
In this thesis, we develop CLASS: a core session-based language with a lightweight
substructural type system, that results from a principled extension of the propositions-astypes
correspondence with second-order classical linear logic. More concretely, CLASS
offers support for session-based communication, mutex-protected first-class reference cells,
dynamic state sharing, generic polymorphic algorithms, data abstraction and primitive
recursion.
CLASS expresses and types significant realistic programs, that manipulate memoryefficient
linked data structures (linked lists, binary search trees) with support for updates
in-place, shareable concurrent ADTs (counters, stacks, functional and imperative queues),
resource synchronisation methods (fork-joins, barriers, dining philosophers, generic corecursive
protocols). All of these examples are guaranteed to be safe, a result that follows
by the logical approach.
The linear logical foundations guarantee that well-typed CLASS programs do not
go wrong: they never deadlock on communication or reference cell acquisition, do not
leak memory and always terminate, even if they share complex data structures protected
by synchronisation primitives. Furthermore, since we follow a propositions-as-types
approach, we can reason about the behaviour of concurrent stateful processes by algebraic
program manipulation.
The feasibility of our approach is witnessed by the implementation of a type checker
and interpreter for CLASS, which validates and guides the development of many realistic
programs. The implementation is available with an open-source license, together with
several examples.A construção de software depende de estado partilhado imperativo e concorrência, que
estão naturalmente presentes em vários domínios de aplicação e que também são explorados
para melhorar o a estrutura e o desempenho dos programas. No entanto, raciocinar
sobre concorrência e estado mutável partilhado é difícil e propenso à introdução de erros e
muitos bugs de programação, tais como fugas de memória, corrupção de dados, programas
bloqueados e programas que não terminam a sua execução.
Nesta tese, desenvolvemos CLASS: uma linguagem baseada em sessões, com um
sistema de tipos leve e subestrutural, que resulta de uma extensão metodológica da
correspondência proposições-como-tipos com a lógica linear clássica de segunda ordem.
Mais concretamente, a linguagem CLASS oferece suporte para comunicação baseada em
sessões, células de memória protegidas com mutexes de primeira classe, partilha dinâmica
de estado, algoritmos polimórficos genéricos, abstração de dados e recursão primitiva.
A linguagem CLASS expressa e tipifica programas realistas significativos, que manipulam
estruturas de dados ligadas eficientes (listas ligadas, árvores de pesquisa binária)
suportando actualização imperativa local, TDAs partilhados e concorrentes (contadores,
pilhas, filas funcionais e imperativas), métodos de sincronização e partilha de recursos
(bifurcar-juntar, barreiras, jantar de filósofos, protocolos genéricos corecursivos). Todos
estes exemplos são seguros, uma garantia que resulta da nossa abordagem lógica.
Os fundamentos, baseados na lógica linear, garantem que programas em CLASS bem
tipificados não incorrem em erros: nunca bloqueiam, quer na comunicação, quer na
aquisição de células de memória, nunca causam fugas de memória e terminam sempre,
mesmo que compartilhem estruturas de dados complexas protegidas por primitivas de
sincronização. Além disso, uma vez que seguimos uma abordagem de proposições-comotipos,
podemos raciocinar sobre o comportamento de processos concorrentes, que usam
estado, através de manipulação algébrica.
A viabilidade da nossa abordagem é evidenciada pela implementação de um verificador
de tipos e interpretador para a linguagem CLASS, que valida e orienta o desenvolvimento
de vários programs realistas. A implementação está disponível com uma licença
de acesso livre, juntamente com inúmeros exemplos
Aliasing Control with View-Based Typestate
Tracking the state of an object (in the sense of how a File can be in an Open or Closed state) is difficult not just because of the problem of managing state transitions but also due to the complexity introduced by aliasing. Unchecked duplication of object references makes local reasoning impossible by allowing situations where transitions can be triggered unexpectedly (for instance, passing aliased parameters to a method that expects unaliased parameters, or calling a method that has a side effect through an alias deeply nested in a data structure). We propose a generalization of access permissions that goes beyond a fixed set of permissions to an object. In this paper we present a new aliasing control mechanism that uses a small set of permissions as building block for the creation of views that capture a projection of an object with specific access constraints to its fields and/or methods. This makes permission tracking more fine grained while also making the designer’s intent more explicit. We present a few meaningful examples of how these views handle situations such as: separating different sections of an object for safe initialization; and access with either an unbounded number of readers or a single writer (multiple readers or unique writer). Finally, we show a type system for checking correctness of state use in the presence of this kind of controlled aliasing