Featherweight Generic Ownership Alex Potanin, James Noble Victoria University of Wellington Dave Clarke CWI, Netherlands Robert Biddle Carlton University 19/7/2005 Encapsulation Seminar TAU 2006 Presented by Ziv Haddad

Outline Introduction FGO formal model and Guarantees OGJ Implementation Conclusion

A Java implementation of a Map class public class Map { private Vector nodes; void put(Comparable key, Object value) { nodes.add(new Node(key, value)); } Object get(Comparable k) { Iterator i = nodes.iterator(); while (i.hasNext()) { Node mn = (Node) i.next(); if (((Comparable) mn.key).equals(k)) return mn.value; } return null; } class Node { public Object key; public Object value; Node(Object key, Object value) { this.key = key; this.value = value; }

A Generic implementation of a Map class public class Map { private Vector > nodes; void put(Key key, Value value) { nodes.add(new Node (key, value)); } Value get(Key k) { Iterator > I = nodes.iterator(); while (i.hasNext()) { Node mn = i.next(); if (mn.key.equals(k)) return mn.value; } return null; } class Node { public Key key; public Value value; Node(Key key, Value value) { this.key = key; this.value = value; }

An Ownership Types implementation of a Map class public class Map { private Vector nodes; void put(Comparable key, Object value) { nodes.add(new Node (key, value)); } Object get(Comparable key) { Iterator i = nodes.iterator(); while (i.hasNext()) { Node mn = (Node ) i.next(); if (mn.key.equals(key)) return mn.value; } return null; } class Node public Comparable key; public Object value; Node(Comparable key, Object value) { this.key = key; this.value = value; }

A combined generic and ownership types implementation of a Map class public class Map [Key extends Comparable,Value ] { private Vector [Nodes [Key,Value ]] nodes; void put(Key key, Value value) { nodes.add(new Node [Key, Value ](key, value)); } Value get(Key key) { Iterator [Nodes [Key,Value ]] i = nodes.iterator(); while(i.hasNext()) { Node [Key,Value ] mn = i.next(); if (mn.key.equals(k)) return mn.value; } return null; } class Node [Key extends Comparable,Value ] { public Key key; public Value value; Node(Key key, Value value) { this.key = key; this.value = value; }

Generic Ownership A new linguistic mechanism that combines genericity and ownership into a simple language Treats ownership as an additional kind of generic type information Existing generic type systems can be extended to carry ownership information with only minimal changes Ownership Generic Java (OGJ) – Implemented as an extension to Java 5

Generic Ownership Implementation of map class public class Map { private Vector,This> nodes; public void put(Key key, Value value) { nodes.add(new Node (key, value)); } public Value get(Key key) { Iterator, This> i= nodes.iterator(); while (i.hasNext()) { Node mn = i.next(); if (mn.key.equals(key)) return mn.value; } return null; } class Node<Key extends Comparable, Value, Owner extends World> { public Key key; public Value value; Node(Key key, Value value) { this.key = key; this.value = value; }

Featherweight (Generic) Java A minimal core calculus for modeling Java’s type systems The design of FJ favors compactness over completeness Supports only five forms of expressions: object creation, method invocation, field access, casting and variables Featherweight Generic java adds generic types for FJ

FJ – Program Example

FJ – Syntax, Subtyping, and Auxiliary functions

Formalizing Generic Ownership Generic Ownership is formalized as an imperative extension of Featherweight Generic Java Last type parameter is used to record an object’s owner All FGO classes descend from a new parameterized root Object

Another Example class m.Main extends Object { m.Main() { super(); } p.OwnedStack,World> public() { return new p.OwnedStack,World>; } p.OwnedStack,M> confined() { return new p.OwnedStack,M>; } p.OwnedStack,This> private() { return new p.OwnedStack,This>; }

Manifest Ownership Manifest Ownership allow classes without explicit owner type parameters A manifest FGO class owner is fixed (all objects) class PublicStack extends p.OwnedStack {} Manifest ownership allows us to fit existing FGJ classes into the FGO class hierarchy class Object extends Object {} class Stack extends Object {}

FGO Classes and Owner Classes

Different Kinds of Ownership FGO supports deep ownership In addition FGO also support static (package) ownership – via package owner classes. FGO can be adjusted to support shallow ownership instead of deep ownership

FGO Type System

Ownership syntax Auxiliary Functions

FGO Judgments

Owner Lookup In the case of a manifest class the owner is found by traversing the class hierarchy

this Function Replaces occurrences of This. Used extensively during the typing of FGO expressions, to enforce valid use of owner classes. There are two use case for the this function

Class PhoneBook { … void fill(PhoneBook otherPhoneBook) { … otherPhoneBook.addRecord(new Record (…)); … } this Function – First use Used during the validation of class declaration Every expression containing a method call or a field access is checked to see if any of the types involved contain This as an owner class. If they do then the method call or field access is only allowed on this.

this Function – Second use Used during reduction of FGO expressions. The permission P given to this is the current location l Any occurrence of class This is replaced by a more appropriate location-specific This l.

Subtyping and Well formedness Highlighted bit is essential for deep ownership. Intuition: class MyList, P> extends List - OK class MyList, World> extends List - NOT OK

Visibility Rules FGO contributes FGJ a set of visibility rules which define owner and type visibility

Class and Method Typing rules

Type Soundness Proof: Using structural induction on the reduction rules Proof: Based on all the possible expression types. The Type Soundness is immediate from the Preservation and Progress Theorem.

Ownership Invariance Proof: By induction on the depth of the subtype hierarchy. By FGO class typing rules a FGO class has the same owner parameter as its superclass

Deep Ownership Invariance Proof (Sketch): Consider a class C and a variable v:T in that class. Owner(T) can be one of the following: This, World one of the formal method parameters one of the owners of the type parameters of C This < Owner < World For each owner O of one of the type parameters: Owner <: O Formal method parameters are enforced in the same way as type parameters

OGJ Implementation Implemented as an extension to Java 5 compiler. The extension includes added ownership domains and FGO formal system constraints enforcement The compiler creates owner classes automatically and disposes them when type checking is complete. Owner classes: World, This, Package, Class To implement confinement the compiler replaces every occurrence of ownership domain name with the appropriate owner class

OGJ Implementation – cont The compiler ensures that only expressions referring to the current instance can access types whose owner is a This domain owner class The compiler ensure that ownership information cannot be lost. Only preserving ownership type-casts are allowd.

Future Work and Conclusion Contribution summary: Generic Ownership, FGO formal model, Ownership Generic Java Implementation Programs using GO are slightly more complex than programs using just generic types In the future authors plan to develop a set of design patterns for programmers whishing to make use of ownership in their programs

The End