pluggable type systems reconsidered
play

Pluggable type systems reconsidered ISSTA 2018 Impact Paper Award - PowerPoint PPT Presentation

Jun 12, 2023 •28 likes •628 views

Pluggable type systems reconsidered ISSTA 2018 Impact Paper Award for Practical Pluggable Types for Java Michael D. Ernst University of Washington https://checkerframework.org/ Optional Type Checking int x = "hello world";

  1. Pluggable type systems reconsidered ISSTA 2018 Impact Paper Award for “Practical Pluggable Types for Java” Michael D. Ernst University of Washington https://checkerframework.org/

  2. Optional Type Checking int x = "hello world"; Compiler error

  3. Optional Type Checking Optional .java No errors Compiler Run Errors Guaranteed Optional behavior Optional Fix bugs Optional Type Checker Type Checker Change types Type Checker Errors Fix bugs Add/change annotations

  4. Impacts 160+ citations 40+ type systems built using the Checker Framework Used at Amazon, Google, Uber, startups, Wall Street, … Java has syntax to support the Checker Framework For practitioners : more robust and correct code For researchers : easier experimentation ⇒ better theory and more impact For both : appreciation of type systems

  5. Outline Credits Motivation Contributions Predicting impact Ideas and results Research approach

  6. Outline Credits Motivation Contributions Predicting impact Ideas and results Research approach

  7. Who deserves credit for this paper? Undergraduate Undergraduate Undergraduate Programmer Tenured

  8. Who deserves credit for this work? Abraham Lin, Alvin Abdagic, Anatoly Kupriyanov, Arie van Deursen, Arthur Baars, Ashish Rana, Asumu Takikawa, Atul Dada, Basil Peace, Bohdan Sharipov, Brian Corcoran, Calvin Loncaric, Charles Chen, Charlie Garrett, Christopher Mackie, Colin S. Gordon, Dan Brotherston, Dan Brown, David Lazar, David McArthur, Eric Spishak, Felipe R. Monteiro, Google Inc., Haaris Ahmed, Javier Thaine, Jeff Luo, Jianchu Li, Jiasen (Jason) Xu, Joe Schafer, John Vandenberg, Jonathan Burke, Jonathan Nieder, Kivanc Muslu, Konstantin Weitz, Lázaro Clapp, Liam Miller-Cushon, Luqman Aden, Mahmood Ali, Manu Sridharan, Mark Roberts, Martin Kellogg, Matt Mullen, Michael Bayne, Michael Coblenz, Michael Ernst, Michael Sloan, Mier Ta, Nhat Dinh, Nikhil Shinde, Pascal Wittmann, Patrick Meiring, Paulo Barros, Paul Vines, Philip Lai, Ravi Roshan, Renato Athaydes, René Just, Ruturaj Mohanty, Ryan Oblak, Sadaf Tajik, Shinya Yoshida, Stefan Heule, Steph Dietzel, Stuart Pernsteiner, Suzanne Millstein, Tony Wang, Trask Stalnaker, Jenny Xiang, Utsav Oza, Vatsal Sura, Vlastimil Dort, Werner Dietl.

  9. Who deserves credit for this work? Werner Dietl Suzanne Millstein

  10. Outline Credits Motivation Contributions Predicting impact Ideas and results Research approach

  11. Context for the paper 2001-2008 was Static Typing Winter Dynamic types: flexible, fast development Type systems: ● Hard to understand ● Many false positives ● Inapplicable to the most important problems Today: Type systems: ● Rich, expressive, precise type systems ● Simple, usable ● Address real-world problems ● Errors and security vulnerabilities matter

  12. Why did I work on pluggable type-checking? Project : automated SAT translation (idea: Kautz & Selman) Problem Problem solution Custom solver Problem SAT instance SAT solution Problem solution Encode SAT solver Decode a ∨ b ⋀ ¬a ∨ c ⋀ ... a=true, b=false, ... Implementation optimizations: sharing rather than purely functional Problem: undesired side effects Solution: integrate functional & imperative

  13. Controlling side effects Project: programmer-controlled, statically-enforced immutability A type system must be: ● Sound: proofs ● Useful: experiments, integration with a language 2001: compiler implementation (Java extension) 2002-2009: 7 more compilers, for 5 languages Problem: huge implementation effort Solution: framework for defining a type system

  14. Pluggable type-checking Project: Type system implementation framework Goals: expressiveness for rich type systems conciseness when possible Express the four parts of a type system: ● Type hierarchy ● Type rules ● Type introduction ● Type refinement Problem: No syntax for pluggable types Solution: Change the language (Java)

  15. Type qualifiers in Java Project: Java language extension 2004: Proposal 2006: Proposal accepted 2005-2014: Implement in javac, draft Java specification 2014: Approved Today: Consulting on spec and implementation @Present Optional<String> maidenName; Type qualifier Java basetype Type @Untainted String query; List< @NonNull String> strings; myGraph = ( @Immutable Graph) tmp; class UnmodifiableList<T> implements @Readonly List<T> {}

  16. Motivation #2: Formal verification ⊇ type systems Program Proof Property Verification Beautiful, compelling idea Provides guarantees that testing cannot Many research papers show successes Not used in practice I tried to use it and couldn’t Exception: Type systems ● Lightweight, practical, familiar ● Partial verification Can this bring verification to all programmers?

  17. Type systems Specification and verification Specifications can be complicated Verification is hard; complex reasoning Programmers are reluctant Not appropriate for every project Benefits: ● Reliability ● Documentation ● Efficiency ● Reasoning ● IDE tooling ● Leads to simpler designs

  18. Motivation #2a: Teaching Don’t teach methodology without practical application Don’t teach methodology without tool support Experiment: Students using the Checker Framework had more correct programs and higher grades ● No difference in time spent

  19. Motivation #3: Research methodology A type system must have two properties: ● Sound ○ Provides a guarantee ○ No loopholes (except explicit ones) ○ Precision is essential ○ Formal proofs can be useful

  20. Formalizations

  21. Too much research omits one! Motivation #3: Research methodology A type system must have two properties: ● Sound ● Useful ○ Provides a guarantee Solves a real problem ○ ○ No loopholes (except explicit ○ Simple to explain ones) ○ Low usage burden ○ Precision is essential ○ Applicable to real languages, ○ Formal proofs can be useful programs, development model ○ Evaluated experimentally Goal: Make implementation easy Better experimentation ⇒ better theory Helmuth von Moltke the Elder

  22. Outline Credits Motivation Contributions Predicting impact Ideas and results Research approach

  24. Implementing a type system Example: Ensure encrypted communication void send(@Encrypted String msg) { … } @Encrypted String msg1 = ...; send(msg1); // OK String msg2 = ....; send(msg2); // Warning! The complete checker: @Target(ElementType.TYPE_USE) @SubtypeOf(Unqualified.class) public @interface Encrypted {}

  25. Today, 4 KLOC

  26. Easy to use Not too verbose Not too many false positives Better than competing tools

  28. Our mistakes Analysis on AST ● Common approach ● Solution: build a CFG ● Our dataflow analysis was adopted by Google, Uber, etc. Poor performance ● Compilation time doubles or worse ● We lost users Limitation: Generics ● Complex specification ● Difficult to implement correctly

  29. Example type systems Null dereferences ( @NonNull) >200 errors in javac, Google Collections, ... Equality tests ( @Interned ) >200 problems in Lucene, Xerces, ... Concurrency / locking ( @GuardedBy ) >500 errors in Guava, Tomcat, BitcoinJ, Derby, ... Fake enumerations / typedefs ( @Fenum ) problems in Swing, JabRef Array indexing ( @IndexFor ) 89 bugs in Guava, JFreeChart, plume-lib

  30. String contents Regular expression syntax ( @Regex ) 56 errors in Apache, etc.; 200 annotations required printf format strings ( @Format ) 104 errors, only 107 annotations in 2.8 MLOC Method signature format ( @FullyQualified ) 28 errors in OpenJDK, ASM, AFU Compiler messages ( @CompilerMessageKey ) 8 wrong keys in Checker Framework

  31. Security type systems Command injection vulnerabilities ( @OsTrusted ) 5 missing validations in Hadoop Information flow privacy ( @Source ) SPARTA detected malware in Android apps Industrial use You can write your own type system! Many problems can be expressed as a type system No run-time overhead; standard VM and tools

  32. Previous work CQual: Jeff Foster, Alex Aiken, others (1999-2006) Type qualifiers for the C programming language “Pluggable type systems” term: Gilad Bracha (2004) ESC/Java: Cormac Flanagan, Rustan Leino, others (2002) Lightweight verification, programmer-written partial specs Chose the problem and approach on my own Closely read to learn lessons, avoid repeating mistakes, give credit, make comparisons

  33. https://checkerframework.org/ Create, evaluate, and use custom type systems An effective verification methodology For practitioners : more robust and correct code For researchers : easier experimentation ⇒ better theory and more impact

  34. Outline Credits Motivation Contributions Predicting impact Ideas and results Research approach

  35. Reaction at ISSTA 2008 My ISSTA 2008 paper received expedited journal publication (“best paper honorable mention”)

  36. Reaction at ISSTA 2008 Reviews: “There is nothing particularly novel” “The general idea of pluggable types is not new” “JQual is superior ... [very incomplete list of JQual limitations] ... JQual could be easily enhanced to handle them” Useful reviews!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Building and Using Pluggable Type-Checkers Werner M. Dietl Joint work with: Stephanie Dietzel,

Building and Using Pluggable Type-Checkers Werner M. Dietl Joint work with: Stephanie Dietzel,

Building and Using Pluggable Type-Checkers Werner M. Dietl Joint work with: Stephanie Dietzel, Michael D. Ernst, Kvan Mulu, and Todd W. Schiller 1 Software still has errors 2 Static type systems 0 errors, Crashes 0 warnings Source

624 views • 29 slides
Preventing errors before they happen: Lightweight verification via pluggable type-checking

Preventing errors before they happen: Lightweight verification via pluggable type-checking

print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Preventing errors before they happen: Lightweight verification via pluggable type-checking Michael D. Ernst University of Washington (Seattle, WA, USA) University of Buenos

600 views • 48 slides
Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr.,

Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr.,

void print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Practical pluggable types via the Checker Framework Matthew Papi, Mahmood Ali, Telmo Correa Jr., Jeff Perkins, Michael Ernst MIT Problem 1: Javas type checking Type

801 views • 37 slides
Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with

Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with

print( @Readonly Object x) { List&lt; @NonNull String&gt; lst; } Preventing bugs with pluggable type checking Michael Ernst University of Washington Joint work with Mahmood Ali and Matthew Papi Motivation java.lang.NullPointerException

561 views • 30 slides
The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java

The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java

The Design, Implementation and Evaluation of a Pluggable Type Checker for Thread-Locality in Java By: Amanj Sherwany 2011 http://www.amanj.me Background Loci is a static checker for thread- Informationsteknologi locality for Java-like

931 views • 50 slides
1 Type systems are the most widely used form of sta;c

1 Type systems are the most widely used form of sta;c

{HEADSHOT} This lesson introduces a popular kind of sta;c analysis called type systems. Type systems are o?en specified as part of the programming

923 views • 66 slides
Shareholder Value Reconsidered Simon Deakin and Ajit Singh Centre for Business Research

Shareholder Value Reconsidered Simon Deakin and Ajit Singh Centre for Business Research

Shareholder Value Reconsidered Simon Deakin and Ajit Singh Centre for Business Research University of Cambridge CBR Summit: 29-30 March 2006 Innovation and Governance Shareholder value reconsidered Defining shareholder value and

427 views • 29 slides
Using CORBA Asynchronous Messaging, Pluggable Protocols and the Real-Time Event Service in a

Using CORBA Asynchronous Messaging, Pluggable Protocols and the Real-Time Event Service in a

Using CORBA Asynchronous Messaging, Pluggable Protocols and the Real-Time Event Service in a Real-Time Embedded System Bruce Trask Contact Systems 50 Miry Brook Rd Danbury, CT 06810 btrask@contactsystems.com mature one that is currently

309 views • 9 slides
INF 212/CS 253 Type Systems Instructors: Harry Xu Crista Lopes What is a Data Type? A type

INF 212/CS 253 Type Systems Instructors: Harry Xu Crista Lopes What is a Data Type? A type

INF 212/CS 253 Type Systems Instructors: Harry Xu Crista Lopes What is a Data Type? A type is a collection of computational entities that share some common property Programming languages are designed to help programmers organize

803 views • 32 slides
Type Systems Authored By Luca Cardelli ACM Computing Surveys, 1996 Type Systems - Why, What

Type Systems Authored By Luca Cardelli ACM Computing Surveys, 1996 Type Systems - Why, What

Type Systems Authored By Luca Cardelli ACM Computing Surveys, 1996 Type Systems - Why, What &amp; How? (Informally) Why : to prevent forbidden(all untrapped and some trapped) errors OR to prove the absence of certain program behaviour

358 views • 11 slides
In Industries wit ithout Smokestacks In Industrialization in in Afr frica Reconsidered

In Industries wit ithout Smokestacks In Industrialization in in Afr frica Reconsidered

In Industries wit ithout Smokestacks In Industrialization in in Afr frica Reconsidered Richard Newfarmer, John Page and Finn Tarp UN WIDER September 13, 2018 Overview ideas In spite of recent income growth in Africa, manufacturing has

336 views • 19 slides
I WANT YOU TO FIGHT BAD CODE! Get the tools &amp; demos from: http://types.cs.washington.edu/

I WANT YOU TO FIGHT BAD CODE! Get the tools &amp; demos from: http://types.cs.washington.edu/

I WANT YOU TO FIGHT BAD CODE! Get the tools &amp; demos from: http://types.cs.washington.edu/ checker-framework/2012-oscon/ Developing and Using Pluggable Type Systems Werner M. Dietl Michael D. Ernst University of Washington Computer

582 views • 26 slides
Hybrid Type Systems Jose A. Lopes Max Planck Institute for Software Systems (MPI-SWS) MOVEP 2012

Hybrid Type Systems Jose A. Lopes Max Planck Institute for Software Systems (MPI-SWS) MOVEP 2012

Hybrid Type Systems Jose A. Lopes Max Planck Institute for Software Systems (MPI-SWS) MOVEP 2012 Type systems Type systems are a lightweight verification method Common in programming languages Increase software reliability Verify

588 views • 21 slides
Teaching old type systems Teaching old type systems new tricks with type providers new tricks

Teaching old type systems Teaching old type systems new tricks with type providers new tricks

Teaching old type systems Teaching old type systems new tricks with type providers new tricks with type providers Tomas Petricek Tomas Petricek University of Kent and The Alan Turing Institute http://tomasp.net tomas@tomasp.net @tomaspetricek

839 views • 38 slides
Type Systems Lecture 3 Nov. 3rd, 2004 Sebastian Maneth

Type Systems Lecture 3 Nov. 3rd, 2004 Sebastian Maneth

Type Systems Lecture 3 Nov. 3rd, 2004 Sebastian Maneth http://lampwww.epfl.ch/teaching/typeSystems/2004 Today: into the types 1. A Type System for Arithmetic Expressions 2. Proving Type Safety 3. Simply Typed Lambda Calculus

988 views • 50 slides
. While several substructural type systems have been proposed and implemented, these either

. While several substructural type systems have been proposed and implemented, these either

. . Substructural logics provide a framework for designing resource-aware type systems. . While several substructural type systems have been proposed and implemented, these either have been developed for a special purpose or have been too

991 views • 74 slides
GENERAL/REGIONAL Date Treaty Basin Signatories Treaty Name August 7, 2000 SADC Region

GENERAL/REGIONAL Date Treaty Basin Signatories Treaty Name August 7, 2000 SADC Region

GENERAL/REGIONAL Date Treaty Basin Signatories Treaty Name August 7, 2000 SADC Region Angola; Botswana; Congo, Revised protocol on shared Democratic Republic of; Lesotho; watercourses in the Southern African Malawi; Mauritius;

726 views • 3 slides
Seismic Hazard in the East African Rift system (EARS): challenges in Disaster Risk Management

Seismic Hazard in the East African Rift system (EARS): challenges in Disaster Risk Management

Seismic Hazard in the East African Rift system (EARS): challenges in Disaster Risk Management Atalay Ayele Institute of Geophysics Space Science and Astronomy Addis Ababa University GeoPRISMS TEI RIE Initative 3/2/2017 Albuquerque, 2017

483 views • 22 slides
wit ith the Generalized Benford's 's Law Arnaud Soulet, Arnaud Giacometti, Batrice Markhoff

wit ith the Generalized Benford's 's Law Arnaud Soulet, Arnaud Giacometti, Batrice Markhoff

Representativeness of Knowledge Bases wit ith the Generalized Benford's 's Law Arnaud Soulet, Arnaud Giacometti, Batrice Markhoff and Fabian M. Suchanek University of Tours Telecom ParisTech Reliability of f queries on Knowledge Bases

530 views • 29 slides
- - Vanderbilt University Peterson Jesse 4 8Th cosy The 26 &quot; 2020 May , and Ruth

- - Vanderbilt University Peterson Jesse 4 8Th cosy The 26 &quot; 2020 May , and Ruth

Equivalence Neumann Von - - Vanderbilt University Peterson Jesse 4 8Th cosy The 26 &quot; 2020 May , and Ruth Lauren Ishan Ishan with joint work Ornstein - Weiss ' 80 : All infinite ii T &amp; A ' 93 ) : groups

314 views • 7 slides
WEM Reform Implementation Group (WRIG) Meeting #4 27 August 2020 Ground rules and virtual

WEM Reform Implementation Group (WRIG) Meeting #4 27 August 2020 Ground rules and virtual

WEM Reform Implementation Group (WRIG) Meeting #4 27 August 2020 Ground rules and virtual meeting protocols Please place your microphone on mute, unless you are asking a question or making a comment. Please keep questions relevant

313 views • 14 slides
The West low homogeneity and low consistency (Labov, Ash, Boberg 2006:277)

The West low homogeneity and low consistency (Labov, Ash, Boberg 2006:277)

T HE L INGUISTIC E FFECTS OF A C HANGING T IMBER I NDUSTRY L ANGUAGE C HANGE IN C OWLITZ C OUNTY , WA Joseph A. Stanley University of Georgia @joey_stan joeystanley.com The 4th Annual Linguistics Conference at UGA October 6, 2017 Athens,

536 views • 35 slides
Logistics At the top right corner of your screen: Show your control panel to submit questions and

Logistics At the top right corner of your screen: Show your control panel to submit questions and

Logistics At the top right corner of your screen: Show your control panel to submit questions and see answers All phones/microphones are muted for the duration of the webinar. Toggle between full screen/window screen view Control Panel:

463 views • 35 slides
Intrinsics, Metadata and Attributes: Now, more than ever! 2014 LLVM Developers Meeting Hal

Intrinsics, Metadata and Attributes: Now, more than ever! 2014 LLVM Developers Meeting Hal

Intrinsics, Metadata and Attributes: Now, more than ever! 2014 LLVM Developers Meeting Hal Finkel Goals of This Presentation: To review LLVM's concepts of intrinsics, metadata and attributes To introduce some recent addition to these

520 views • 23 slides

More recommend