Property Types for Mutable Data Structures in Java

Property Types are a kind of user-defined refinement type about variables and fields in a program. They are verified by discharging as many properties as possible using a scalable type checker. The remaining assertions are forwarded to a less scalable but more powerful deductive verification tool. However, the design and implementation by Lanzinger et al. cannot function in the presence of aliasing and mutability. In this thesis, we find that property checking can be performed safely on mutable data structures provided exclusive mutable access to the referenced object, which we define as property-safety. We study different approaches to aliasing control, including uniqueness, ownership and permissions. Based on this research, we present the Exclusivity Type System, which can be used to check the property-safety of program variables and class fields. Using flow-sensitive type refinement, we develop Mutable Property Types, which can track changes in a variable’s property type over time. Impure methods can be annotated to specify how they change the Property Types of their receiver and arguments. We explain how the original Property Checker’s program translation can be adapted to include correct assertions about the pre- and post-types of each method. We present a prototypical implementation of the Exclusivity Checker for Java programs using the Checker Framework. Our work provides many insights into the nature of property type verification on mutable data structures and we devise the theoretical groundwork for performing this verification. To corroborate the reasonableness of the presented approach, we suggest a thorough analysis of our systems through formal proofs

A Grounded Conceptual Model for Ownership Types in Rust

Programmers learning Rust struggle to understand ownership types, Rust's core mechanism for ensuring memory safety without garbage collection. This paper describes our attempt to systematically design a pedagogy for ownership types. First, we studied Rust developers' misconceptions of ownership to create the Ownership Inventory, a new instrument for measuring a person's knowledge of ownership. We found that Rust learners could not connect Rust's static and dynamic semantics, such as determining why an ill-typed program would (or would not) exhibit undefined behavior. Second, we created a conceptual model of Rust's semantics that explains borrow checking in terms of flow-sensitive permissions on paths into memory. Third, we implemented a Rust compiler plugin that visualizes programs under the model. Fourth, we integrated the permissions model and visualizations into a broader pedagogy of ownership by writing a new ownership chapter for The Rust Programming Language, a popular Rust textbook. Fifth, we evaluated an initial deployment of our pedagogy against the original version, using reader responses to the Ownership Inventory as a point of comparison. Thus far, the new pedagogy has improved learner scores on the Ownership Inventory by an average of 9% ($N = 342, d = 0.56$).Comment: Published at OOPSLA 202

Comprehending annotations on object-oriented programs using fractional permissions

Fractional permissions are a general system for managing access to mutable state. We show how fractional permis-sions can give semantics to a regimen of annotations includ-ing“unique,”“non-null,”“read-only,”ownership, and method effects. The unification supports new annotations: “unique-write ” and “from”. We also develop a model of object in-variants in the presence of inheritance using “nesting, ” an extension of “adoption.” 1

Modular session types for objects

Session types allow communication protocols to be specified type-theoretically so that protocol implementations can be verified by static type checking. We extend previous work on session types for distributed object-oriented languages in three ways. (1) We attach a session type to a class definition, to specify the possible sequences of method calls. (2) We allow a session type (protocol) implementation to be modularized, i.e. partitioned into separately-callable methods. (3) We treat session-typed communication channels as objects, integrating their session types with the session types of classes. The result is an elegant unification of communication channels and their session types, distributed object-oriented programming, and a form of typestate supporting non-uniform objects, i.e. objects that dynamically change the set of available methods. We define syntax, operational se-mantics, a sound type system, and a sound and complete type checking algorithm for a small distributed class-based object-oriented language with structural subtyping. Static typing guarantees that both sequences of messages on channels, and sequences of method calls on objects, conform to type-theoretic specifications, thus ensuring type-safety. The language includes expected features of session types, such as delegation, and expected features of object-oriented programming, such as encapsulation of local state.Comment: Logical Methods in Computer Science (LMCS), International Federation for Computational Logic, 201

Run-time Variability with First-class Contexts

Software must be regularly updated to keep up with changing requirements. Unfortunately, to install an update, the system must usually be restarted, which is inconvenient and costly. In this dissertation, we aim at overcoming the need for restart by enabling run-time changes at the programming language level. We argue that the best way to achieve this goal is to improve the support for encapsulation, information hiding and late binding by contextualizing behavior. In our approach, behavioral variations are encapsulated into context objects that alter the behavior of other objects locally. We present three contextual language features that demonstrate our approach. First, we present a feature to evolve software by scoping variations to threads. This way, arbitrary objects can be substituted over time without compromising safety. Second, we present a variant of dynamic proxies that operate by delegation instead of forwarding. The proxies can be used as building blocks to implement contextualization mechanisms from within the language. Third, we contextualize the behavior of objects to intercept exchanges of references between objects. This approach scales information hiding from objects to aggregates. The three language features are supported by formalizations and case studies, showing their soundness and practicality. With these three complementary language features, developers can easily design applications that can accommodate run-time changes

Ownership, uniqueness, and immutability

Programming in an object-oriented language demands a fine balance between flexibility and control. At one level, objects need to interact freely to achieve our implementation goals. At a higher level, architectural constraints that ensure the system can be understood by new developers and can evolve as requirements change must be met. To resolve this tension, researchers have developed type systems expressing ownership and behavioural restrictions such as immutability. This work reports on our consolidation of the resulting discoveries into a single programming language. Our language, Joe3, imposes little additional syntactic overhead, yet can encode powerful patterns such as fractional permissions and the reference modes of Flexible Alias Protection.status: publishe