Behavioural Types for Memory and Method Safety in a Core Object-Oriented Language

open7siWork partially supported by the EU H2020 RISE programme under the Marie Sk lodowska-Curie grant agreement No. 778233 (BehAPI), the UK EPSRC grant EP/K034413/1 (ABCD), and by NOVA LINCS (UIDB/04516/2020) via FCT.We present a type-based analysis ensuring memory safety and object protocol completion in the Java-like language Mungo. Objects are annotated with usages, typestates-like specifications of the admissible sequences of method calls. The analysis entwines usage checking, controlling the order in which methods are called, with a static check determining whether references may contain null values. It prevents null pointer dereferencing in a typestate-aware manner and memory leaks and ensures that the intended usage protocol of every object is respected and completed. The type system admits an algorithm that infers the most general usage with respect to a simulation preorder. The type system is implemented in the form of a type checker and a usage inference tool.openBravetti M.; Francalanza A.; Golovanov I.; Huttel H.; Jakobsen M.S.; Kettunen M.K.; Ravara A.Bravetti M.; Francalanza A.; Golovanov I.; Huttel H.; Jakobsen M.S.; Kettunen M.K.; Ravara A

Resource Sharing via Capability-Based Multiparty Session Types

Multiparty Session Types (MPST) are a type formalism used to model communication protocols among components in distributed systems, by specifying type and direction of data transmitted. It is standard for multiparty session type systems to use access control based on linear or affine types. While useful in offering strong guarantees of communication safety and session fidelity, linearity and affinity run into the well-known problem of inflexible programming, excluding scenarios that make use of shared channels or need to store channels in shared data structures. In this paper, we develop capability-based resource sharing for multiparty session types. In this setting, channels are split into two entities, the channel itself and the capability of using it. This gives rise to a more flexible session type system, which allows channel references to be shared and stored in persistent data structures. We illustrate our type system through a producer-consumer case study. Finally, we prove that the resulting language satisfies type safety

Typechecking Java Protocols with [St]Mungo

This is a tutorial paper on [St]Mungo, a toolchain based on multiparty session types and their connection to typestates for safe distributed programming in Java language. The StMungo (“Scribble-to-Mungo”) tool is a bridge between multiparty session types and typestates. StMungo translates a communication protocol, namely a sequence of sends and receives of messages, given as a multiparty session type in the Scribble language, into a typestate specification and a Java API skeleton. The generated API skeleton is then further extended with the necessary logic, and finally typechecked by Mungo. The Mungo tool extends Java with (optional) typestate specifications. A typestate is a state machine specifying a Java object protocol, namely the permitted sequence of method calls of that object. Mungo statically typechecks that method calls follow the object’s protocol, as defined by its typestate specification. Finally, if no errors are reported, the code is compiled with javac and run as standard Java code. In this tutorial paper we give an overview of the stages of the [St]Mungo toolchain, starting from Scribble communication protocols, translating to Java classes with typestates, and finally to typechecking method calls with Mungo. We illustrate the [St]Mungo toolchain via a real-world case study, the HTTP client-server request-response protocol over TCP. During the tutorial session, we will apply [St]Mungo to a range of examples having increasing complexity, with HTTP being one of them

Safe Session-Based Concurrency with Shared Linear State

Publisher Copyright: © 2023, The Author(s).We introduce CLASS, a session-typed, higher-order, core language that supports concurrent computation with shared linear state.publishersversionpublishe

Modular session types for objects

Session types allow communication protocols to be specified type-theoretically so that protocol implementations can be verified by static type checking. We extend previous work on session types for distributed object-oriented languages in three ways. (1) We attach a session type to a class definition, to specify the possible sequences of method calls. (2) We allow a session type (protocol) implementation to be modularized, i.e. partitioned into separately-callable methods. (3) We treat session-typed communication channels as objects, integrating their session types with the session types of classes. The result is an elegant unification of communication channels and their session types, distributed object-oriented programming, and a form of typestate supporting non-uniform objects, i.e. objects that dynamically change the set of available methods. We define syntax, operational se-mantics, a sound type system, and a sound and complete type checking algorithm for a small distributed class-based object-oriented language with structural subtyping. Static typing guarantees that both sequences of messages on channels, and sequences of method calls on objects, conform to type-theoretic specifications, thus ensuring type-safety. The language includes expected features of session types, such as delegation, and expected features of object-oriented programming, such as encapsulation of local state.Comment: Logical Methods in Computer Science (LMCS), International Federation for Computational Logic, 201

Coping with the reality: adding crucial features to a typestate-oriented language

Detecting programming errors and vulnerabilities in software is increasingly important, and building tools that help with this task is an area of investigation, crucial for the industry these days. When programming in an object-oriented language, one naturally defines stateful objects that are non-uniform, i.e., their methods’ availability depends on their internal state. One might represent their intended usage protocol with an automaton or a state machine. Behavioral types allow to statically check if all the code of a program respects the usage protocol of each object. In this thesis we present a tool that extends Java with typestate definitions. These typestates are associated with Java classes and define the behavior of instances of those classes, specifying the sequences of method calls allowed. This tool checks statically that method calls happen in order, following the specified behavior. The tool was implemented in Kotlin as a plugin for the Checker Framework. It is a new implementation of the Mungo tool and supports prevention of null pointer errors, state transitions depending on return values, assurance of protocol completion, droppable states, and association of protocols with classes from the standard Java library or from third-party libraries. Additionally, the tool integrates behavioral types with access permissions, allowing objects to be shared in a controlled way using a language of assertions. This language of assertions supports concepts like packing and unpacking, including unpacking of aliases objects, and transferring of permissions between aliases. To relieve the programmer from manually writing all the necessary assertions, the tool implements an inference algorithm which analyzes the code statically and, given the uses of objects, constructs all the required assertions.A deteção de erros de programação e vulnerabilidades no software é cada vez mais importante, e a criação de ferramentas que ajudem nesta tarefa é uma área de investigação crucial para a indústria atualmente. Ao programar numa linguagem orientada a objetos, definem-se naturalmente objetos com estado que não são uniformes, ou seja, a disponibilidade dos seus métodos depende do seu estado interno. Pode-se representar o protocolo de uso pretendido com um autómato ou uma máquina de estados. Os tipos comportamentais permitem verificar estaticamente se todo o código de um programa respeita o protocolo de uso de cada objeto. Nesta tese apresentamos uma ferramenta que estende o Java com definições de typestates. Esses estão associados às classes Java e definem o comportamento das instâncias dessas classes, especificando as sequências de chamadas de métodos permitidas. Esta ferramenta verifica estaticamente se as chamadas de métodos ocorrem pela ordem correta, seguindo o comportamento especificado. A ferramenta foi implementada em Kotlin como um plugin para o Checker Framework. É uma implementação nova da ferramenta Mungo e suporta a prevenção de erros de ponteiro nulo, transições de estado dependendo de valores de retorno, asseguração da conclusão dos protocolos, objetos que podem ser «largados», e a associação de protocolos com classes da biblioteca padrão do Java ou de terceiros. Além disso, esta integra tipos comportamentais com permissões de acesso, permitindo que objetos possam ser partilhados por meio de uma linguagem de asserções. Esta linguagem de asserções oferece suporte para conceitos como packing e unpacking, incluindo unpacking de objetos partilhados, e transferência de permissões entre variáveis que apontam para o mesmo objeto. Para aliviar o programador de escrever manualmente todas as asserções necessárias, a ferramenta implementa um algoritmo de inferência que analisa o código estaticamente e, consoante os usos dos objetos, constrói todas as asserções necessárias

CLASS: A Logical Foundation for Typeful Programming with Shared State

Software construction depends on imperative state sharing and concurrency, which are naturally present in several application domains and are also exploited to improve the structure and efficiency of computer programs. However, reasoning about concurrency and shared mutable state is hard, error-prone and the source of many programming bugs, such as memory leaks, data corruption, deadlocks and non-termination. In this thesis, we develop CLASS: a core session-based language with a lightweight substructural type system, that results from a principled extension of the propositions-astypes correspondence with second-order classical linear logic. More concretely, CLASS offers support for session-based communication, mutex-protected first-class reference cells, dynamic state sharing, generic polymorphic algorithms, data abstraction and primitive recursion. CLASS expresses and types significant realistic programs, that manipulate memoryefficient linked data structures (linked lists, binary search trees) with support for updates in-place, shareable concurrent ADTs (counters, stacks, functional and imperative queues), resource synchronisation methods (fork-joins, barriers, dining philosophers, generic corecursive protocols). All of these examples are guaranteed to be safe, a result that follows by the logical approach. The linear logical foundations guarantee that well-typed CLASS programs do not go wrong: they never deadlock on communication or reference cell acquisition, do not leak memory and always terminate, even if they share complex data structures protected by synchronisation primitives. Furthermore, since we follow a propositions-as-types approach, we can reason about the behaviour of concurrent stateful processes by algebraic program manipulation. The feasibility of our approach is witnessed by the implementation of a type checker and interpreter for CLASS, which validates and guides the development of many realistic programs. The implementation is available with an open-source license, together with several examples.A construção de software depende de estado partilhado imperativo e concorrência, que estão naturalmente presentes em vários domínios de aplicação e que também são explorados para melhorar o a estrutura e o desempenho dos programas. No entanto, raciocinar sobre concorrência e estado mutável partilhado é difícil e propenso à introdução de erros e muitos bugs de programação, tais como fugas de memória, corrupção de dados, programas bloqueados e programas que não terminam a sua execução. Nesta tese, desenvolvemos CLASS: uma linguagem baseada em sessões, com um sistema de tipos leve e subestrutural, que resulta de uma extensão metodológica da correspondência proposições-como-tipos com a lógica linear clássica de segunda ordem. Mais concretamente, a linguagem CLASS oferece suporte para comunicação baseada em sessões, células de memória protegidas com mutexes de primeira classe, partilha dinâmica de estado, algoritmos polimórficos genéricos, abstração de dados e recursão primitiva. A linguagem CLASS expressa e tipifica programas realistas significativos, que manipulam estruturas de dados ligadas eficientes (listas ligadas, árvores de pesquisa binária) suportando actualização imperativa local, TDAs partilhados e concorrentes (contadores, pilhas, filas funcionais e imperativas), métodos de sincronização e partilha de recursos (bifurcar-juntar, barreiras, jantar de filósofos, protocolos genéricos corecursivos). Todos estes exemplos são seguros, uma garantia que resulta da nossa abordagem lógica. Os fundamentos, baseados na lógica linear, garantem que programas em CLASS bem tipificados não incorrem em erros: nunca bloqueiam, quer na comunicação, quer na aquisição de células de memória, nunca causam fugas de memória e terminam sempre, mesmo que compartilhem estruturas de dados complexas protegidas por primitivas de sincronização. Além disso, uma vez que seguimos uma abordagem de proposições-comotipos, podemos raciocinar sobre o comportamento de processos concorrentes, que usam estado, através de manipulação algébrica. A viabilidade da nossa abordagem é evidenciada pela implementação de um verificador de tipos e interpretador para a linguagem CLASS, que valida e orienta o desenvolvimento de vários programs realistas. A implementação está disponível com uma licença de acesso livre, juntamente com inúmeros exemplos

Aliasing Control with View-Based Typestate

Tracking the state of an object (in the sense of how a File can be in an Open or Closed state) is difficult not just because of the problem of managing state transitions but also due to the complexity introduced by aliasing. Unchecked duplication of object references makes local reasoning impossible by allowing situations where transitions can be triggered unexpectedly (for instance, passing aliased parameters to a method that expects unaliased parameters, or calling a method that has a side effect through an alias deeply nested in a data structure). We propose a generalization of access permissions that goes beyond a fixed set of permissions to an object. In this paper we present a new aliasing control mechanism that uses a small set of permissions as building block for the creation of views that capture a projection of an object with specific access constraints to its fields and/or methods. This makes permission tracking more fine grained while also making the designer’s intent more explicit. We present a few meaningful examples of how these views handle situations such as: separating different sections of an object for safe initialization; and access with either an unbounded number of readers or a single writer (multiple readers or unique writer). Finally, we show a type system for checking correctness of state use in the presence of this kind of controlled aliasing