Javari: Adding Reference Immutability to Java
Javari: Adding Reference Immutability to Java
Matthew Tschantz & Michael Ernst (MIT)
OOPSLA’05
Presented by Tali Shragai
Extension to Javari2004 [Birka]
- Javari: Java + (C++ const) + more…
  - Two new keywords: readonly, mutable
- OOPSLA’04: Initial Javari implementation
  - Experience: 160,000 code lines
  - Better documentation
  - Error detection and prevention
  - Compatible with Java & existing JVMs
- But:
  - No generics, serialization, reflection
  - Confuses mutability & assignability
- Javari 05:
  - More keywords: assignable, romaybe
  - Genericity, reflection, serialization
  - Most important (?): mutability vs. assignability
Protecting method arguments
A library routine does not modify its arguments:

static void print(readonly Date d) {
    ... // Cannot modify d
}
String toString() readonly {
    ... // Cannot modify the receiver
}
Protecting abstract state: observer methods
class Class {
    private Object[] signers;
    Object[] getSigners() {
        return signers; // JDK 1.1 security hole
    }
}
myClass.getSigners()[0] = "Sun";
Protecting abstract state: observer methods (revised)
class Class {
    private Object[] signers;
    readonly Object[] getSigners() {
        return signers; // Fixes JDK 1.1 bug
    }
}
myClass.getSigners()[0] = "Sun"; // Error
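
The same exposure in plain Java, next to the usual workaround of returning a copy, written as an added example (not code from the slides; the class and method names are hypothetical and the signer values are constructed). It goes one step past the slide by also mutating an element through the copy, which a shallow copy does not prevent and a transitive readonly reference would.

```java
import java.util.Arrays;

// Added illustration in plain Java (no Javari keywords); all names are hypothetical.
public class SignersExposure {
    // final only stops the field from being reassigned; the array elements stay writable.
    private final Object[] signers;

    SignersExposure(Object... signers) {
        this.signers = signers.clone(); // do not keep the caller's array either
    }

    // As on the slide: hands out the internal array itself.
    Object[] getSignersLeaky() { return signers; }

    // Return by value: a shallow copy, so the array is protected but its elements are shared.
    Object[] getSignersCopy() { return signers.clone(); }

    String describe() { return Arrays.toString(signers); }

    public static void main(String[] args) {
        // Constructed sample data: one mutable element, one immutable element.
        SignersExposure c = new SignersExposure(new StringBuilder("alice"), "bob");

        c.getSignersCopy()[1] = "Sun"; // lands in the throwaway copy
        System.out.println("after write to copy:       " + c.describe());

        ((StringBuilder) c.getSignersCopy()[0]).append("-edited"); // element is still shared
        System.out.println("after mutating an element: " + c.describe());

        c.getSignersLeaky()[1] = "Sun"; // lands in the private array
        System.out.println("after write to leaked ref: " + c.describe());
    }
}
```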
Reference vs. Object immutability
- Reference immutability
  - Object modification:
    - Readonly reference: no!
    - Other reference: yes.
  - Deep: cannot modify transitively reachable state
  - Static type checking!
  - Dynamic checking for mutability downcasts
- Object immutability:
  - write protect from any reference

Graph temp = new Graph();
// construct the graph
readonly Graph g = temp;
temp = null;
// further usage through read only reference…

Javari: object immutability emulated by reference immutability
Related work
- Old trick: pass/return by value
  - pain for large objects
- C++: const, const_cast
  - Unsound (unchecked casts)
  - Non-transitive!
  - No immutability-based parameterization
  - Leads to code duplication (const methods)
  - No support for multidimensional arrays?
- JAC [Kniesel 2001]:
  - Implementation requires rewriting the code
  - Unsound (subtyping, arrays)
  - Return type mutability equals receiver's
Protection methods

| Level | Java | C++ | Javari |
|---|---|---|---|
| Level 1: assignment | final Foo a | const Foo *a | final Foo a |
| Level 2: mutability | | Foo const *a | readonly Foo a |
| Level 3 | | const Foo const *a | final readonly Foo a |

… Level ∞: Transitive protection!
Yield protection

| Level | Java | C++ | Javari |
|---|---|---|---|
| Level 1 | | mutable Foo *a | assignable Foo a |
| Level 2 | | | mutable Foo a |
Readonly
readonly Date rd = new Date();
rd.year = 2005; // Compile-time error
rd.incrementDay(); // Compile-time error
rd = new Date(); // OK
Mutability vs. Assignability
final Date fd = null;
readonly Date rd = null;
fd = new Date(); // Error: final
rd = null; // OK
Date d1 = fd; // OK
Date d2 = rd; // Error: wrong type

| Mutability | Assignability |
|---|---|
| part of the type | not part of the type |
| may abstract state mutate? | can be lvalue in assignment? |
| readonly | final |
Type system
Every type (mutable) T has readonly T as a supertype
[Figure: type hierarchy diagram with nodes readonly Object, readonly Date, /*mutable*/ Object and /*mutable*/ Date]
Immutable classes
A class/interface can be declared immutable using readonly in its class declaration.
- Non-static fields & methods readonly (default)
- Reference to its objects implicitly read-only
- Subclasses must be immutable too!

readonly class String {…}
/*readonly*/ String s1 = new String();
readonly String s2 = new String();
s1 = s2; // OK
s2 = s1; // OK
Assignability
May a reference be assigned to?

class Appointment {
    final Date time; // Same as in Java
    assignable int room;
}
Appointment appoint;
appoint.time = new Date(); // Error
appoint.room = 250; // OK
Assignability modifiers
- final: May never be assigned
- assignable: May always be assigned (default for locals)
- this-assignable:
  - May be assigned through a mutable reference
  - May not be assigned through a readonly reference
  - Only applicable to fields (the default)
  - The assignability depends on the mutability of the enclosing object: “this”
Assignability example
class Bicycle {
    final int id; // Never changes
    assignable int hashCode; // A cache
    /*this-assign*/ int gear; // Abstract state
}
/*mutable*/ Bicycle b;
readonly Bicycle rb;
final
class Bicycle {
    final int id; // Never changes
    assignable int hashCode; // A cache
    /*this-assign*/ int gear; // Abstract state
}
/*mutable*/ Bicycle b;
readonly Bicycle rb;
b.id = 5; // Error
rb.id = 5; // Error

Resolved assignability of ref.f:

| Declared assignability of f | Resolved mutability of ref: mutable | Resolved mutability of ref: readonly |
|---|---|---|
| final | unassignable | unassignable |
assignable
class Bicycle {
    final int id; // Never changes
    assignable int hashCode; // A cache
    /*this-assign*/ int gear; // Abstract state
}
/*mutable*/ Bicycle b;
readonly Bicycle rb;
b.hashCode = 5; // OK
rb.hashCode = 5; // OK

Resolved assignability of ref.f:

| Declared assignability of f | Resolved mutability of ref: mutable | Resolved mutability of ref: readonly |
|---|---|---|
| final | unassignable | unassignable |
| assignable | assignable | assignable |
this-assignable
class Bicycle {
    final int id; // Never changes
    assignable int hashCode; // A cache
    /*this-assign*/ int gear; // Abstract state
}
/*mutable*/ Bicycle b;
readonly Bicycle rb;
b.gear = 5; // OK
rb.gear = 5; // Error

Resolved assignability of ref.f:

| Declared assignability of f | Resolved mutability of ref: mutable | Resolved mutability of ref: readonly |
|---|---|---|
| final | unassignable | unassignable |
| assignable | assignable | assignable |
| this-assignable | assignable | unassignable |
Mutability
May the object’s transitive abstract state be modified?
class Date {
    /*this-assignable*/ int year;
}
/*mutable*/ Date d;
readonly Date rd;
d.year = 2005; // OK
rd.year = 2005; // Error
Mutability modifiers
- readonly: May never be mutated
- mutable: May always be mutated, the default for locals
- this-mutable:
  - May be mutated through mutable reference
  - May not be mutated through readonly references
  - Only applicable to fields (the default)
  - The mutability depends on the mutability of the enclosing class: “this”
Mutability example
class Account {
    readonly Customer owner;
    mutable RequestLog requests;
    /*this-mut*/ Balance bal;
}
/*mutable*/ Account a;
readonly Account ra;
readonly
class Account {
    readonly Customer owner;
    mutable RequestLog requests;
    /*this-mut*/ Balance bal;
}
/*mutable*/ Account a;
readonly Account ra;
a.owner.setName("Bob"); // Error
ra.owner.setName("Bob"); // Error

Mutability of ref.f:

| Declared mutability of f | Resolved mutability of ref: mutable | Resolved mutability of ref: readonly |
|---|---|---|
| readonly | readonly | readonly |
mutable
class Account {
    readonly Customer owner;
    mutable RequestLog requests;
    /*this-mut*/ Balance bal;
}
/*mutable*/ Account a;
readonly Account ra;
a.requests.add("checkBalance"); // OK
ra.requests.add("checkBalance"); // OK

Mutability of ref.f:

| Declared mutability of f | Resolved mutability of ref: mutable | Resolved mutability of ref: readonly |
|---|---|---|
| readonly | readonly | readonly |
| mutable | mutable | mutable |

mutable excludes requests from the abstract state of the object
this-mutable
class Account {
    readonly Customer owner;
    mutable RequestLog requests;
    /*this-mut*/ Balance bal;
}
/*mutable*/ Account a;
readonly Account ra;
a.bal.withdraw(1000); // OK

| Declared mutability of f | Resolved mutability of ref: mutable | Resolved mutability of ref: readonly |
|---|---|---|
| readonly | readonly | readonly |
| mutable | mutable | mutable |
| this-mutable | mutable | ? |
this-mutable
class Account {
    readonly Customer owner;
    mutable RequestLog requests;
    /*this-mut*/ Balance bal;
}
/*mutable*/ Account a;
readonly Account ra;
a.bal.withdraw(1000); // OK
ra.bal.withdraw(1000); // Error

Mutability of ref.f:

| Declared mutability of f | Resolved mutability of ref: mutable | Resolved mutability of ref: readonly |
|---|---|---|
| readonly | readonly | readonly |
| mutable | mutable | mutable |
| this-mutable | mutable | readonly? |
this-mutable fields reached through a readonly reference
readonly, right?
this-mutable fields reached through a readonly reference
readonly, right?
NO, would result in type loophole allowing one to convert a readonly reference to a mutable reference:
this-mutable fields reached through a readonly reference
class Student {
    assignable /*this-mut*/ GradeReport grades;
}
/*mutable*/ Student s = new Student();
readonly Student rs = s;
readonly GradeReport rg;
/*mutable*/ GradeReport g;
rs.grades = rg; // readonly assigned to this-mutable
g = s.grades; // this-mutable assigned to mutable

[Figure: diagram of the resulting downcast; labels: Downcast, rs, s, grades, Non-readonly, Readonly, Readonly??, assignable]
this-mutable fields reached through a readonly reference
Solution: Disallow readonly references to be assigned to a this-mutable field
this-mutable fields through readonly reference are:
- readonly as rvalue (may only be assigned to a readonly reference)
- mutable as lvalue (may only be assigned with mutable reference)
Notation: <? readonly GradeReport>
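
The loophole and its fix can be checked mechanically. This is an added example, not code from the slides or from the Javari implementation: a toy model of the rule in plain Java, run over the two statements of the Student example, with enum and method names that are assumptions made for illustration.

```java
// Added illustration: a toy checker for the this-mutable rule. All names are hypothetical.
public class ThisMutableRule {
    enum Mut { MUTABLE, READONLY }               // resolved mutability of a reference
    enum Decl { READONLY, MUTABLE, THIS_MUTABLE } // declared mutability of a field

    // Mutability of ref.f when it is read (rvalue position).
    static Mut rvalue(Decl field, Mut ref) {
        switch (field) {
            case READONLY: return Mut.READONLY;
            case MUTABLE:  return Mut.MUTABLE;
            default:       return ref; // this-mutable follows the reference
        }
    }

    // Mutability a value must have to be stored into ref.f (lvalue position).
    // naive == true models the unsound guess "this-mutable through readonly is readonly".
    // naive == false models the slide's rule: a this-mutable field is mutable as lvalue.
    static Mut lvalue(Decl field, Mut ref, boolean naive) {
        if (field == Decl.THIS_MUTABLE && !naive) {
            return Mut.MUTABLE;
        }
        return rvalue(field, ref);
    }

    // A value may flow into a slot only along the subtype edge mutable T <: readonly T.
    static boolean assignableTo(Mut from, Mut to) {
        return to == Mut.READONLY || from == Mut.MUTABLE;
    }

    // Type-checks the two statements of the Student example. The grades field is
    // declared assignable, so only mutability decides whether the store is legal.
    //   rs.grades = rg;   rs readonly, rg readonly
    //   g = s.grades;     s mutable,  g mutable
    // Returns true when both are accepted, i.e. rg can be reached through mutable g.
    static boolean loopholeOpen(boolean naive) {
        boolean store = assignableTo(Mut.READONLY,
                lvalue(Decl.THIS_MUTABLE, Mut.READONLY, naive));
        boolean load = assignableTo(rvalue(Decl.THIS_MUTABLE, Mut.MUTABLE), Mut.MUTABLE);
        return store && load;
    }

    public static void main(String[] args) {
        System.out.println("naive rule accepts both statements:  " + loopholeOpen(true));
        System.out.println("slide's rule accepts both statements: " + loopholeOpen(false));
    }
}
```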
Uses of parametric classes
Local variable declarations:
/*mut*/ List</*mut*/ Date> a; // add, mutate
/*mut*/ List<readonly Date> b; // add
readonly List</*mut*/ Date> c; // mutate
readonly List<readonly Date> d; // neither
Inside parametric classes
Type arguments include mutability
Library cannot write:
class C<T> { mutable T x; }
C<readonly Date> y; // Conflicting types
Library can force a mutable type using a bound:
class C<T extends mutable Object> { T x; }
this-mutable type arguments

class Device {
    /*this-mut*/ List</*this-mut*/ Driver> drivers;
}
/*mutable*/ Device d;
readonly Device rd;

d.drivers has type /*mut*/ List</*mut*/ Driver>

/*mut*/ List</*mut*/ Driver> dl = d.drivers; // OK
this-mutable type arguments
class Device {
    /*this-mut*/ List</*this-mut*/ Driver> drivers;
}
/*mutable*/ Device d;
readonly Device rd;

rd.drivers has type ? readonly List<? readonly Driver>

readonly List<? readonly Driver> x = rd.drivers; // OK
readonly List<readonly Driver> y = rd.drivers; // Error
readonly List</*mutable*/ Driver> z = rd.drivers; // Error
Serialization
Add a readonly-ness bit to the serialized form.
De-serialization done using 2 versions of ObjectInputStream.readObject:
- readObjectReadonly – returns a read-only object, without checking.
- readObject – returns a mutable object, but throws an exception if the readonly-ness bit is set.
Reducing code duplication
In Java, each class definition defines exactly one type. In Javari, by contrast, a class C actually denotes 2 types: C and readonly C.
romaybe keyword templates over methods

class Conference {
    /*this-mutable*/ Date d;

    // We wish to write two (overloaded) methods:
    readonly Date getDate() readonly { return d; }
    /*mutable*/ Date getDate() /*mutable*/ { return d; }

    // Syntactic sugar:
    romaybe Date getDate() romaybe { return d; }
}
Downcasts
Javari guarantees that a readonly reference cannot be used, directly or indirectly, to modify its referent.
Down-casting a reference from readonly to mutable triggers run-time checks, which disallow any modification made through the cast reference.
Downcast example
class Foo {
    Date d;
    void setD() /*mutable*/ {
        d = new Date();
    }
}
Foo f1 = new Foo();
readonly Foo rf = f1;
Foo f2 = (mutable) rf;
f1.d = new Date(); // OK
f2.d = new Date(); // run-time error
f1.setD(); // OK
f2.setD(); // run-time error
Contributions
- Transitive reference immutability
- Distinguishes assignability and mutability
- Formal model (not shown here)
- Type system for full Java 5.0 including parametric polymorphism, reflection, and serialization
- Templates to reduce code duplication
- Interoperable with Java
- Still to come: type inference…
The End!
Thank you for listening…