immutable objects
play

/*@ immutable @*/ objects Erik Poll SoS group (aka the LOOP group) - PowerPoint PPT Presentation

Feb 03, 2023 •36 likes •336 views

/*@ immutable @*/ objects Erik Poll SoS group (aka the LOOP group) Radboud University Nijmegen KeY workshop June 2005 yet another JML keyword... Java provides final ie. immutable - fields What about immutable objects? It

  1. /*@ immutable @*/ objects Erik Poll SoS group (aka the LOOP group) Radboud University Nijmegen KeY workshop – June 2005

  2. yet another JML keyword... • Java provides final – ie. immutable - fields What about immutable objects? • It would be nice to have a notion of immutable object, that – can be specified in JML, – statically enforced, – guarantees immutability, and – can be exploited in program verification... Erik Poll Immutable Objects 2

  3. overview • Why would we want immutable objects ? • How do we enforce immutability ? • How to exploit immutability ? Erik Poll Immutable Objects 3

  4. why immutability ? • Good software engineering practice “immutable objects greatly simplify your life” Knowing that an object is immutable rules out – problems with aliasing – problems with race conditions • Performance – compiler optimisations, no need for synchronisation • Specification – immutability is an important integrity property – eg. immutability of Strings, URLs, Permissions, etc. vital for security Erik Poll Immutable Objects 4

  5. why immutability ? Useful in program verification char[] a; String s; .... if (s.equals(“abc”)) { a[1]=‘d’; //@ assert s.equals(“abc”); } ... Knowing that strings are immutable allows us to prove this. Erik Poll Immutable Objects 5

  6. why immutability ? JML has a library of – supposedly immutable - model classes, for mathematical objects such as sets, relations, //@ public model JMLObjectSet s; //@ requires ! s.contains(o); //@ ensures s.equals(\old(s).union(o)); public void addListener(Object o) { ... } Erik Poll Immutable Objects 6

  7. Enforcing immutability

  8. starting point: pure JML has notion of pure to specify absence of side-effects: • pure method has no side-effects • pure constructor has no side-effects, except on newly allocated state • pure class only has pure methods, pure constructors, and pure sub-classes Erik Poll Immutable Objects 8

  9. pure does not imply immutable public /*@ pure @*/ class Integer{ public int i; public Integer(int j){ i = j; } public int getValue(){ return i; } } methods of an Integer object don’t have any side- effects, but maybe methods of some other class have side-effects an Integer object’s state Erik Poll Immutable Objects 9

  10. is this pure class immutable ? public /*@ immutable?? @*/ class Integer { private int i; public Integer(int j){ i = j; } public int getValue(){ return i; } } Still not immutable, because field i is not final: an object created with new Integer(5) may be observed to change from 0 to 5 in a multi-threaded program Erik Poll Immutable Objects 10

  11. counterexample Thread 1 creates object Thread 2 observes this object x = new Integer(5); int j = x.getValue(); This takes three steps: 5. a new Integer object is allocated, with i field 0 6. i field is set to 5 7. x is set to point to this newly allocated object Steps 2 and 3 can be reordered Thread 2 may observe value 0, by compiler or VM! namely if it observes x after 3 and before 2. Erik Poll Immutable Objects 11

  12. fields must be final to ensure immutability public /*@ immutable @*/ class Integer { private final int i; public Integer(int j){ i = j; } public int getValue(){ return i; } } This class has immutable objects, thanks to the newly revised Java Memory Model (JSR-133, 2004) People tend to forget final declarations... Erik Poll Immutable Objects 12

  13. final fields may still be mutable... public /*@ immutable?? @*/ class Integer { public static Integer latest; private final int i; public Integer(int j){ i = j; latest = this;} // leaks public int getValue(){ return i;) } Constructor leaks this , hence field i not immutable: Integer(5) may be observed to change from 0 to 5. There are a few more ways to leak this Erik Poll Immutable Objects 13

  14. ensuring immutability A pure class is immutable if 1. all instance fields are final, and 2. constructors don’t leak this This definition is implicit in JSR-133, but it is not strong enough if we want immutable objects with immutable sub-objects Erik Poll Immutable Objects 14

  15. what about sub-objects? public /*@ immutable @*/ BankTransfer { final Integer amount; final byte[] transferID; final BankAccount src, dest; ... } • amount and transferID objects part of the Banktransfer object • src and dest objects probably not Erik Poll Immutable Objects 15

  16. what about sub-objects? public /*@ immutable @*/ BankTransfer { final Integer amount; final byte[] transferID; final BankAccount src, dest; ... } • amount and transferID objects part of the Banktransfer object, and should also be immutable • src and dest objects probably not, and may be mutable Erik Poll Immutable Objects 16

  17. specifying the “state” of an object public /*@ immutable @*/ BankTransfer { final /*@ rep @*/ Integer amount; final /*@ rep @*/ byte[] transferID; final BankAccount src, dest; ... } Sub-object amount and tranferID should be immutable. – This means transferID should not be aliased! – JML universes type system – or some other form of alias control/confinement/ownership – guarantees this. – amount can be aliased, because it’s immutable. Erik Poll Immutable Objects 17

  18. ensuring immutability A pure class is immutable if 1. all instance fields are final, and 2. constructors don’t leak this , and 3. all instance fields that are references either i. have immutable types, or ii. are part of the “state” and cannot be aliased, or iii. are excluded from the “state” Erik Poll Immutable Objects 18

  19. still not enough... public /*@ immutable?? @*/ StrangeInteger { private final int i; StrangeInteger(int j){ i = j; } int getValue(){ return SomeClass.someStaticField;} } As well as specifying and checking what a method writes (assignable aka modifies clauses) we also need to check what a method reads (readable clauses) Erik Poll Immutable Objects 19

  20. Ensuring immutability Def. A pure class is immutable if 1. all instance fields are final, and 2. constructors don’t leak this , and 3. all instance fields that are references i. have immutable types, or ii. are part of the state and cannot be aliased, or iii. are excluded from the “state” 4. its methods don’t read mutable state (outside its own state) Erik Poll Immutable Objects 20

  21. Related work on enforcing immutability • Javari [Birka & Ernst at MIT, OOPSLA’04] – proposal to add readonly modifier to Java – more refined notion of immutability, eg allowing both mutable and immutable (readonly) references to the same object – doesn’t deal with sub-objects (3) or reading mutable state(4) • Jan Schäfer at TU Kaiserslautern – system for enforcing immutability – forgets check on leaking this (2) Erik Poll Immutable Objects 21

  22. Exploiting immutability

  23. exploiting immutability Immutability is easily to exploit in • alias control system • relaxing synchronisation in multi-threaded programs How about exploiting immutability in verification ? Erik Poll Immutable Objects 23

  24. observational immutability • Example: bankTransfer.getAmount() is a constant • object is “observationally immutable” if we cannot observe any mutation by invoking its methods • if o is observationally immutable, then o.m(x1,...,xn) always returns the same result, if xi are primitive values or immutable objects Erik Poll Immutable Objects 24

  25. exploiting immutability in verification? A method C m(C1 x1, ..., Cn xn) is interpreted/modeled as function m : GlobalState×Ref×C1×..×Cn —> C For immutable objects we can omit state argument m : Ref×C1×..×Cn —> C if all Ci are primitive or immutable types Implemented by David Cok in ESC/Java2 Erik Poll Immutable Objects 25

  26. exploiting immutability in verification? public /*@ immutable @*/ class Integer { ... public Integer add(Integer i) { return new Integer(getValue()+i.getValue); } Here we get add: Ref x Ref —> Ref But this means i == j ⇒ k.add(i) == k.add(j) not i.equals(j) ⇒ k.add(i).equals(k.add(j)) which is what we’d really want... Erik Poll Immutable Objects 26

  27. exploiting immutability in verification? • Trick to exploit immutability by ommiting state argument is perfect if arguments and result have primitive types • But if result is a reference type, it may not be sound. Eg add always returns the same result, but here the same means the same modulo == , not . equals • If an argument is of reference type, it is not complete Eg add always returns the same result for .equal arguments, not just == arguments Erik Poll Immutable Objects 27

  28. alternative approaches • We could specify the properties of an immutable type as axioms to the back-end theorem prover. • We could also give a native implementation of the immutable Integer class in our back-end theorem prover. • But how do we know this is sound ? Erik Poll Immutable Objects 28

  29. maybe we also want /*@constant@*/ methods? (Mutable) object can have “constant” methods which always return the same result For example public class Object { ... public /*@ constant @*/ int hashCode(){...}; public /*@ constant @*/ Class getClass(){...}; ... } Erik Poll Immutable Objects 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Strings and File I/O Strings Java String objects are immutable Common methods include:

Strings and File I/O Strings Java String objects are immutable Common methods include:

Strings and File I/O Strings Java String objects are immutable Common methods include: boolean equalsIgnoreCase(String str) String toLowerCase() String substring(int offset, int endIndex) String replace(char oldChar,

638 views • 11 slides
Immutable deployments: the new classic way for service deployment Adopt the new immutable

Immutable deployments: the new classic way for service deployment Adopt the new immutable

Immutable deployments: the new classic way for service deployment Adopt the new immutable infrastructure paradigm using your old toolbox. Matteo Valentini @_Amygos Warning! The events depicted in this talk are real. Any similarity to any

824 views • 37 slides
Intro to Strings Lecture 7 COP 3252 Summer 2017 May 23, 2017 Strings in Java In Java, a

Intro to Strings Lecture 7 COP 3252 Summer 2017 May 23, 2017 Strings in Java In Java, a

Intro to Strings Lecture 7 COP 3252 Summer 2017 May 23, 2017 Strings in Java In Java, a string is an object. It is not a primitive type. The String class is used to create and store immutable strings. Immutable objects are objects

465 views • 20 slides
Immutable Database Infrastructure with PXC Satoshi Mitani | @mita2 Yahoo Japan Corporation

Immutable Database Infrastructure with PXC Satoshi Mitani | @mita2 Yahoo Japan Corporation

Immutable Database Infrastructure with PXC Satoshi Mitani | @mita2 Yahoo Japan Corporation Agenda Yahoo! JAPAN Introduction Demo What is Immutable Infrastructure Architecture Why Percona XtraDB Cluster Disadvantages of

352 views • 32 slides
#7: Aliasing, 2D Lists, and Objects SAMS SENIOR CS TRACK Last Time Utilize lists as data

#7: Aliasing, 2D Lists, and Objects SAMS SENIOR CS TRACK Last Time Utilize lists as data

#7: Aliasing, 2D Lists, and Objects SAMS SENIOR CS TRACK Last Time Utilize lists as data structures when writing programs Use indexing and slicing on strings while writing functions Understand the difference between mutable and immutable

489 views • 26 slides
61A Lecture 12 Announcements Objects (Demo) Objects 4 Objects Objects represent

61A Lecture 12 Announcements Objects (Demo) Objects 4 Objects Objects represent

61A Lecture 12 Announcements Objects (Demo) Objects 4 Objects Objects represent information 4 Objects Objects represent information They consist of data and behavior, bundled together to create abstractions 4 Objects

1.66k views • 132 slides
Mutable Values Announcements Objects (Demo) Objects 4 Objects Objects represent

Mutable Values Announcements Objects (Demo) Objects 4 Objects Objects represent

Mutable Values Announcements Objects (Demo) Objects 4 Objects Objects represent information 4 Objects Objects represent information They consist of data and behavior, bundled together to create abstractions 4 Objects

2.23k views • 197 slides
F# Overview: Immutable Data + Pure Func7ons

F# Overview: Immutable Data + Pure Func7ons

F# Overview: Immutable Data + Pure Func7ons Acknowledgements Authored by Thomas Ball, MSR Redmond Includes content from the F# team

644 views • 46 slides
Joseph Wilk The Clojure Inside Why Clojure? It was Functional Immutable there! Simple LISP

Joseph Wilk The Clojure Inside Why Clojure? It was Functional Immutable there! Simple LISP

Joseph Wilk The Clojure Inside Why Clojure? It was Functional Immutable there! Simple LISP Concurrency It was Functional Immutable there! Simple LISP Concurrency Programming Language Computer LISP Hurts (Pick languages that

703 views • 58 slides
Internet Technologies 9 - Servlets and JavaBeans F. Ricci 2010/2011 Content p Implementing

Internet Technologies 9 - Servlets and JavaBeans F. Ricci 2010/2011 Content p Implementing

Internet Technologies 9 - Servlets and JavaBeans F. Ricci 2010/2011 Content p Implementing session tracking from scratch p The session-tracking API p Storing immutable objects vs. storing mutable objects p Examples of usage of the

792 views • 63 slides
CPL 2016, week 11 Clojure immutable data structures Oleg Batrashev Institute of Computer

CPL 2016, week 11 Clojure immutable data structures Oleg Batrashev Institute of Computer

CPL 2016, week 11 Clojure immutable data structures Oleg Batrashev Institute of Computer Science, Tartu, Estonia April 25, 2016 Overview Last week Clojure language core This week Immutable data structures Next weeks Clojure

507 views • 39 slides
61A Lecture 12 Announcements Objects (Demo) Objects Objects represent information They

61A Lecture 12 Announcements Objects (Demo) Objects Objects represent information They

61A Lecture 12 Announcements Objects (Demo) Objects Objects represent information They consist of data and behavior, bundled together to create abstractions Objects can represent things, but also properties, interactions, &

521 views • 16 slides
Objects & Inheritance Section 7 Implementing Objects in 401 Ways of implementing objects:

Objects & Inheritance Section 7 Implementing Objects in 401 Ways of implementing objects:

Objects & Inheritance Section 7 Implementing Objects in 401 Ways of implementing objects: Use closures as objects Use tables as objects Closures as Objects Datatype name Datatype fields function myObject (field1, field2,

265 views • 10 slides
PRESIDENTIAL CAMPAIGNS & IMMUTABLE INFRASTRUCTURE Or, how we learned to stop worrying and

PRESIDENTIAL CAMPAIGNS & IMMUTABLE INFRASTRUCTURE Or, how we learned to stop worrying and

PRESIDENTIAL CAMPAIGNS & IMMUTABLE INFRASTRUCTURE Or, how we learned to stop worrying and love the cloud Michael E Fisher JUNE 28, 2017 F r a n k e n b u m p hello BUT FIRST, HOW DID WE GET HERE? MONTH DD, YYYY 6 feel:

660 views • 44 slides
CMSC 131 Fall 2018 Announcements Project #5 has been posted Mutability What does it mean

CMSC 131 Fall 2018 Announcements Project #5 has been posted Mutability What does it mean

CMSC 131 Fall 2018 Announcements Project #5 has been posted Mutability What does it mean for a class to be mutable? Immutable? Can we look at a class and tell? Always document whether your class is mutable or immutable! Why is immutable

233 views • 8 slides
Transforming Objects Ray : R(t) = s + c t Objects : Sphere, box, cone etc. We assume the objects

Transforming Objects Ray : R(t) = s + c t Objects : Sphere, box, cone etc. We assume the objects

Transforming Objects Ray : R(t) = s + c t Objects : Sphere, box, cone etc. We assume the objects to be normalized so that the ray-object intersection test is easier. e.g. Sphere is x 2 + y 2 + z 2 = 1 Now while instantiating the objects in our

304 views • 15 slides
Translating Specifications from Nominal Logic to CIC with the Theory of Contexts Marino Miculan

Translating Specifications from Nominal Logic to CIC with the Theory of Contexts Marino Miculan

Metalogics Motivations Nominal signatures NS in NL NS in CIC/ToC NINL( S ) into CIC/ToC( S ) Derivability Conclusion Translating Specifications from Nominal Logic to CIC with the Theory of Contexts Marino Miculan Ivan Scagnetto Furio

280 views • 24 slides
Enforcing Behavioral Constraints in Evolving Aspect-Oriented Programs Raffi Khatchadourian 1* ,

Enforcing Behavioral Constraints in Evolving Aspect-Oriented Programs Raffi Khatchadourian 1* ,

Enforcing Behavioral Constraints in Evolving Aspect-Oriented Programs Raffi Khatchadourian 1* , Johan Dovland 2 , and Neelam Soundarajan 1 1 The Ohio State University, USA 2 University of Oslo, Norway * Partially administered during visit to

368 views • 33 slides
Computational Logic A Motivational Introduction 1 Computational Logic programming algorithms

Computational Logic A Motivational Introduction 1 Computational Logic programming algorithms

Computational Logic A Motivational Introduction 1 Computational Logic programming algorithms logic lambda calculus verification logic and AI logic programming knowledge representation functional programming logic of programming

475 views • 25 slides
Finite Quanti fi cation in Hierarchic Theorem Proving Peter Baumgartner Uwe Waldmann Joshua Bax

Finite Quanti fi cation in Hierarchic Theorem Proving Peter Baumgartner Uwe Waldmann Joshua Bax

Finite Quanti fi cation in Hierarchic Theorem Proving Peter Baumgartner Uwe Waldmann Joshua Bax Overall Goal Theorem Proving in Hierarchic Combinations of Speci fi cations Foreground Speci fi cation (FG) Axioms: Lists, Arrays De fi nitions:

474 views • 25 slides
lecture 4 projections - orthographic - parallel - perspective + vanishing points view

lecture 4 projections - orthographic - parallel - perspective + vanishing points view

lecture 4 projections - orthographic - parallel - perspective + vanishing points view volume (frustum) Orthographic projection How to map 3D scene point (say in camera coordinates) to a 2D image point? The simplest method: just drop

567 views • 42 slides
Viewing/Projections IV Week 4, Fri Feb 1 http://www.ugrad.cs.ubc.ca/~cs314/Vjan2008 News

Viewing/Projections IV Week 4, Fri Feb 1 http://www.ugrad.cs.ubc.ca/~cs314/Vjan2008 News

University of British Columbia CPSC 314 Computer Graphics Jan-Apr 2008 Tamara Munzner Viewing/Projections IV Week 4, Fri Feb 1 http://www.ugrad.cs.ubc.ca/~cs314/Vjan2008 News extra TA office hours in lab next week to answer questions

583 views • 32 slides
Mechanical Engineering Drawing MECH 211/M / Lecture #1 Chapters 1 and 6 p Dr. John Cheung

Mechanical Engineering Drawing MECH 211/M / Lecture #1 Chapters 1 and 6 p Dr. John Cheung

Mechanical Engineering Drawing MECH 211/M / Lecture #1 Chapters 1 and 6 p Dr. John Cheung Technical vs. Artistic Drawings 2 What makes a good technical What makes a good technical drawing? 3 What makes a good technical What makes a good

587 views • 32 slides
Scaling 4x4 matrix s 0 0 0 x 0 s 0 0 1 1 1 y 1 S

Scaling 4x4 matrix s 0 0 0 x 0 s 0 0 1 1 1 y 1 S

Scaling 4x4 matrix s 0 0 0 x 0 s 0 0 1 1 1 y 1 S S ( s , s , s ) S ( , , ) = = x y z 0 0 s 0 s s s z x y z 0 0 0 1 Non-rigid

964 views • 62 slides

More recommend