ABSTRACT
In object-oriented programming, unique permissions to object references are useful for checking correctness properties such as consistency of typestate and noninterference of concurrency. To be usable, unique permissions must be borrowed --- for example, one must be able to read a unique reference out of a field, use it for something, and put it back. While one can null out the field and later reassign it, this paradigm is ungainly and requires unnecessary writes, potentially hurting cache performance. Therefore, in practice borrowing must occur in the type system, without requiring memory updates. Previous systems support borrowing with external alias analysis and/or explicit programmer management of fractional permissions. While these approaches are powerful, they are also awkward and difficult for programmers to understand. We present an integrated language and type system with unique, immutable, and shared permissions, together with new local permissions that say that a reference may not be stored to the heap. Our system also includes change permissions such as unique>>unique and unique>>none that describe how permissions flow in and out of method formal parameters. Together, these features support common patterns of borrowing, including borrowing multiple local permissions from a unique reference and recovering the unique reference when the local permissions go out of scope, without any explicit management of fractions in the source language. All accounting of fractional permissions is done by the type system "under the hood." We present the syntax and static and dynamic semantics of a formal core language and state soundness results. We also illustrate the utility and practicality of our design by using it to express several realistic examples.
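The borrowing patterns the abstract describes, shown as an added example that is not code from the paper. The paper's formal core language cannot be run directly, so this uses Rust, whose ownership and borrowing rules enforce a comparable discipline in the type system with no memory writes. The mapping of the paper's permission kinds onto Rust reference types, and the `Buffer`, `NullingHolder` and `BorrowingHolder` types, are this example's assumptions. It goes slightly beyond the abstract by placing the null-out-and-reassign pattern beside the borrowed form so the cost the abstract mentions is visible.

```rust
// Added illustration, not code from the paper. Assumed mapping of the paper's
// permission kinds onto Rust (an assumption of this example, not the paper's claim):
//   unique          -> an owned value (here Box<Buffer>) or an &mut borrow of it
//   immutable       -> &Buffer: read-only, freely duplicable
//   local           -> any & or &mut borrow: its lifetime keeps it off the heap
//   unique>>unique  -> fn f(b: &mut Buffer): caller keeps unique after the call
//   unique>>none    -> fn f(b: Box<Buffer>): callee consumes the reference

#[derive(Default, PartialEq, Debug)]
pub struct Buffer {
    data: Vec<u8>,
}

impl Buffer {
    /// Needs a unique (&mut) permission: mutates in place.
    pub fn push(&mut self, byte: u8) {
        self.data.push(byte);
    }
    /// Needs only an immutable (&) permission.
    pub fn len(&self) -> usize {
        self.data.len()
    }
}

/// "Null out the field and reassign it": the field must be nullable, and each
/// use costs a write of None plus a write back. This is what the paper avoids.
pub struct NullingHolder {
    buf: Option<Box<Buffer>>,
}

impl NullingHolder {
    pub fn new() -> Self {
        NullingHolder { buf: Some(Box::new(Buffer::default())) }
    }
    pub fn push_via_take(&mut self, byte: u8) -> usize {
        let mut b = self.buf.take().expect("field was nulled out"); // write 1: None
        b.push(byte);
        let n = b.len();
        self.buf = Some(b); // write 2: put the unique reference back
        n
    }
}

/// Borrowing in the type system: the field is never nullable. The compiler
/// tracks that a local & or &mut permission was split off the unique Box and
/// restores the unique permission when the borrow's scope ends.
pub struct BorrowingHolder {
    buf: Box<Buffer>,
}

/// unique>>unique: the callee holds a local unique permission to `b` for the
/// duration of the call; the caller's unique permission is back on return.
pub fn push_twice(b: &mut Buffer, byte: u8) {
    b.push(byte);
    b.push(byte);
}

/// unique>>none: the callee takes the unique permission and never returns it,
/// so the caller can no longer use the reference.
pub fn finish(b: Box<Buffer>) -> Vec<u8> {
    b.data
}

impl BorrowingHolder {
    pub fn new() -> Self {
        BorrowingHolder { buf: Box::new(Buffer::default()) }
    }

    /// Borrow a local unique permission, use it, and recover the unique field.
    pub fn push_via_borrow(&mut self, byte: u8) -> usize {
        push_twice(&mut self.buf, byte); // no field write: a reborrow of the Box
        self.buf.len() // the &mut is out of scope, so unique is available again
    }

    /// Borrow several immutable local permissions at once, then recover unique.
    pub fn lens_then_push(&mut self, byte: u8) -> (usize, usize, usize) {
        let a: &Buffer = &self.buf;
        let b: &Buffer = &self.buf; // two immutable locals coexist
        let before = (a.len(), b.len());
        self.buf.push(byte); // `a` and `b` are dead, so unique is handed back
        (before.0, before.1, self.buf.len())
    }

    /// Give the unique reference away (unique>>none). `self` is consumed too,
    /// since its field would otherwise be left without a usable permission.
    pub fn into_bytes(self) -> Vec<u8> {
        finish(self.buf)
    }
}

fn main() {
    let mut h = BorrowingHolder::new();
    h.push_via_borrow(1);
    println!("{:?}", h.lens_then_push(2)); // (2, 2, 3)
    println!("{:?}", h.into_bytes()); // [1, 1, 2]
}
```

Uncommenting a use of `h` after `into_bytes`, or a `self.buf.push` while `a` is still live, is rejected by the compiler; that rejection is the static accounting of permissions the abstract describes as happening "under the hood", here done by the borrow checker rather than by explicit fractions.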
A type system for borrowing permissions. K. Naden, R. Bocchino, J. Aldrich, and K. Bierhoff. POPL '12.