![Page 1: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/1.jpg)
Ownership Types for Object Encapsulation
Authors: Chandrasekhar Boyapati
Barbara Liskov
Liuba Shrira
Presented by: Charles Lin
Course: CMSC 631
![Page 2: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/2.jpg)
A brief digression: const
Consider the following C++ code:
Produces following errors:
class Foo { int x ; int go( const Bar & bar ) const { x = bar.mutate() ; } }
foo.cpp: In method `void Foo::foo(const Bar &) const':
foo.cpp:20: passing `const Bar' as `this' argument of
`int Bar::mutate()' discards qualifiers
foo.cpp:20: assignment of member `Foo::x' in
read-only structure
![Page 3: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/3.jpg)
The burden of annotation
Given const errors, what might a programmer do?
const tells compiler that an object is not mutated
Programmers may ignore this: bad!
Even if programmers don’t need to do much annotation, they must know what to do
![Page 4: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/4.jpg)
Modular reasoning
Want to reason about programs to perform updates
Want to reason on individual modules (e.g., a Java file)
Want to avoid interference from objects in other modules (e.g., by object encapsulation)
![Page 5: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/5.jpg)
Encapsulation
Goal of encapsulation is to hide implementation
private hides implementation…or does it? class Foo {
private Bar b ;
public Bar getBar() {
return b ; // leaks out private data member
}
}
![Page 6: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/6.jpg)
Object Encapsulation
Want to enforce encapsulation, i.e., can’t directly access encapsulated objects
Consider Set class, implemented with ArrayList.
arrListarrList ~~~~setset oo
![Page 7: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/7.jpg)
“depends on”:Criteria for Encapsulation
Objects often contain subobjects
Object x depends on subobject s if mutations of s affect invariants of x
Thus, s should encapsulate x
![Page 8: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/8.jpg)
Example: Set
Set should encapsulate ArrayList If set elements are immutable, then Set
doesn’t have to encapsulate elements.
setsetarrListarrList
aa bb cc dd
![Page 9: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/9.jpg)
Problem with Encapsulation
Iterators need access to internal representation of object
setsetarrListarrList
iteriter
Solution: only allow violations within same module (e.g., Java inner classes)
![Page 10: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/10.jpg)
Solution: Ownership Types
Allows programmer to declare owners of objects
If v is owner of s, then outside objects can not access s, except possibly through v
Want to do this check statically
![Page 11: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/11.jpg)
Rules for Ownership Types
Every object has a (single) owner
The owner can be another object or world
The owner of an object does not change over time
The ownership relation forms a tree rooted at world
![Page 12: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/12.jpg)
Diagram of Ownership Tree
Note: ownership is not transitive. o1 owns o2, but o1 does not own o3
worldworld
o1o1
o2o2
o3o3
o4o4o5o5
o6o6
o7o7
![Page 13: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/13.jpg)
What Can Objects Access?
Itself and objects it owns
Its ancestors in the ownership tree, and objects they own
Anything owned by world (recall, no transitivity of ownership)
![Page 14: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/14.jpg)
How to Annotate
class TStack<stackOwner, TOwner> { TNode<this, TOwner> head ; }// Nodes in stack class TNode<nodeOwner, TOwner> { TNode<nodeOwner, TOwner> next ; T<TOwner> value ;}// Dataclass T<TOwner> {...}
![Page 15: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/15.jpg)
What does annotation mean?
Syntax looks like templates, but contains ownership types instead
First parameter is “real” owner. Remaining parameters pass ownership types to subobjects
Rule:
Object<o1, o2, … on>
o1 <= oi, for 1 < i <= n where x <= y means x is descendant of y in
ownership tree
![Page 16: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/16.jpg)
Example: TStack
TStackTStack
TNodeTNode
TT
ClientClient
worldworld
![Page 17: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/17.jpg)
Inner Classes: Handling Iterators
Allow inner classes to break encapsulation
Inner classes have type annotations just like outer classes
Inner classes do not “inherit” type annotations from outer class
![Page 18: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/18.jpg)
Methods can have ownership types
Allows wrapper objects to have “freer” ownership types than objects they wrap.
See example with elements() method class TStack<stackOwner, TOwner> {
TStackEnum<enumOwner, TOwner>
elements<enumOwner> ()
where (enumOwner <= TOwner) {…}
..}
![Page 19: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/19.jpg)
Encapsulation Theorem
x can access an object owned by o only if (x <= o) or
x is an inner class of object o
Proof is due to restrictions placed on ownership type parameter list
![Page 20: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/20.jpg)
Type Rules
The proof is left to the interested reader
![Page 21: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/21.jpg)
Applications
Upgrades in persistent object stores TF(x) only accesses objects owned by x
Controlling aliasing
Data races
Extension: ownership types combined with region types
![Page 22: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/22.jpg)
Key people in Ownership Types
Chandrasekhar Boyapatiwww.eecs.umich.edu/~bchandra
Dave Clarkewww.cs.uu.nl/people/dave
![Page 23: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/23.jpg)
Thoughts
Annotation Burden? (System uses type inferencing, but still requires 1 in 30 lines must be annotated)
Copy constructors? Can one object access subobjects of the same type?
What if we don’t care about encapsulation everywhere?
Seems simple…why are type rules complex?
![Page 24: Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631](https://reader030.vdocument.in/reader030/viewer/2022032523/56649d7e5503460f94a60d01/html5/thumbnails/24.jpg)
Conclusion
Ownership types aren’t magic. As with any type system, you must apply them so they are useful.
In particular, you must determine the “depends on” relation to apply ownership correctly.