and a simple runtime(this isn't new, but it's notable)
We're about to talk about...
We should motivate that,
have a look at existing solutions, (plenty of cross-over between mutability and nullity),
settle on a model for initialization,
explore the technical details.
Generic nullity?
Runtime?
Typing judgements?
Imagine the following world...
We have people (people are good).
Some people have pets.
Pets have owners.
Pets and owners are mutually loyal (I keep my pet forever...)
So we write some classes...
class Person {
Pet pet;
}
class Turtle : Pet {
Person owner;
}
How do we write the code?
I would like to be able to write code like the following: (this is still in Java world)
void main() {
Person neil = new Person(); // Neil doesn't want a turtle (yet)
Person peter = new Person(); // Peter loves turtles.
Turtle tom = new Turtle(); // Tom needs an owner.
peter.pet = tom;
tom.owner = peter;
}
class Person {
Pet pet;
}
class Turtle : Pet {
Person owner;
}
This is far from expressive
void main() {
Person neil = new Person();
Person peter = new Person();
Turtle tom = new Turtle();
/* What if we just forget to set these?
* peter.pet = tom;
* tom.owner = peter;
*/
}
The type system doesn't distinguish people
with or without pets
The type system makes mutability difficult to
enforce (final doesn't cut it)
The type system never checks that Peter actually
gets given a pet
This is what my project is about.
We want to express nullity (Peter will definitely get a turtle)
We want to express mutability (Peter will keep his turtle)
We want it to be generic (Neil doesn't have to have a turtle)
... but he might get one later
We want to be able to express (and enforce) all of this through the type system.
And this is how it looks:
/* A Person is parametrized by its own mutability, and one more nullity constraint */ class Person[i]<,n1> {
/* pet shares the Person's mutability, and has parametrized nullity */
Pet[i, n1]<,> pet;
}
/* A Turtle is parametrized by its own nullity, and nothing else */ class Turtle[i]<,> : Pet {
/* A Turtle's owner must share its mutability */
Person[i, NotNull]<,NotNull> owner;
}
And this is how it looks:
...
/* Neil has a Nullable pet, but can change */
neil = new Person[Mutable, NotNull]<,Nullable>;
/* Peter has a NotNull pet, and can't change */
peter = new Person[Immutable, NotNull]<,NotNull>;
/* Tom is an Immutable pet */
tom = new Turtle[Immutable, NotNull]<,>;
/* Type error: Didn't initialize peter.pet or tom.owner */
class Person[i]<,n1> {
Pet[i, n1]<,> pet;
}
class Turtle[i]<,> : Pet {
Person[i, NotNull]<,NotNull> owner;
}
Context?
Type systems for nullity and mutability aren't a new thing.
Nullity
Real-world systems (Kotlin, Ceylon, Eiffel, ...)
(constructor based)
Freedom Before Commitment (Summers, Muller)
Context?
Type systems for nullity and mutability aren't a new thing.
Nullity
Real-world systems (Kotlin, Ceylon, Eiffel, ...)
(constructor based)
Freedom Before Commitment (Summers, Muller)
Mutability
Java's final?
Mandates initialization within the constructor
No genericity
C++'s const?
Aliasing concerns
Not really immutability
No genericity
Context?
Type systems for nullity and mutability aren't a new thing.
Immutable objects can be initialized until the end of their owner's constructor
Support for initializing heterogeneous cyclic structures
Mutability constraints are generic (this is the system on which we model our own)
(but doesn't have to tackle definite assignment)
Context?
Type systems for nullity and mutability aren't a new thing.
Nullity
Real-world systems (Kotlin, Ceylon, Eiffel, ...)
(constructor based)
Freedom Before Commitment (Summers, Muller)
Initialization
In systems for each, we have the challenge of initialization
Freedom Before Commitment
class Person {
Person() {
this.pet =
new Pet(this);
...
/* this.pet is still [Free]*/
}
}
class Pet {
Pet([Free] Person owner) {
this.owner = owner;
}
}
Commitment points
Type systems (for nullity or immutability) introduce commitment points
In immutability systems, this means the point at which we will begin enforcing constraints
In nullity systems, this means the point by which the programmer must initialize an object's not-null fields
Putting mutability and nullity together
We want to guarantee immutability as soon as possible
We want to be able to put off initialization until as late as possible
The natural solution is to enforce immutability constraints at the same time as we require the programmer to have fulfilled nullity constraints.
Putting mutability and nullity together
We want to guarantee immutability as soon as possible
We want to be able to put off initialization until as late as possible
Explicit commitment:
"delay the invariants..." (this is like Fähndrich & Haack's systems)
...
delayt { /* Enter an initialization scope, parametrized by t */
neil = new <t> Person[Mutable, NotNull]<,Nullable>;
peter = new <t> Person[Immutable, NotNull]<,NotNull>;
tom = new <t> Turtle[Immutable, NotNull]<,>;
/* Type error: Didn't initialize peter.pet or tom.owner by the end of their initialization scope */
}
Explicit commitment:
"delay the invariants..." (this is like Fähndrich & Haack's systems)
...
delayt { /* Enter an initialization scope, parametrized by t */
neil = new <t> Person[Mutable, NotNull]<,Nullable>;
peter = new <t> Person[Immutable, NotNull]<,NotNull>;
tom = new <t> Turtle[Immutable, NotNull]<,>;
/* Can still mutate the Immutable objects peter and tom while we finish their initialization */
peter.pet = tom; tom.owner = peter;
}
Now after initialization:
Explicit commitment:
"delay the invariants..." (this is like Fähndrich & Haack's systems)
...
delayt { /* Enter an initialization scope, parametrized by t */
neil = new <t> Person[Mutable, NotNull]<,Nullable>;
peter = new <t> Person[Immutable, NotNull]<,NotNull>;
tom = new <t> Turtle[Immutable, NotNull]<,>;
/* Can still mutate the Immutable objects peter and tom while we finish their initialization */
peter.pet = tom; tom.owner = peter;
}
Now after initialization:
/* Type error: neil is Mutable, and expects his pet to be...*/
neil.pet = tom;
Explicit commitment:
"delay the invariants..." (this is like Fähndrich & Haack's systems)
...
delayt { /* Enter an initialization scope, parametrized by t */
neil = new <t> Person[Mutable, NotNull]<,Nullable>;
peter = new <t> Person[Immutable, NotNull]<,NotNull>;
tom = new <t> Turtle[Immutable, NotNull]<,>;
/* Can still mutate the Immutable objects peter and tom while we finish their initialization */
peter.pet = tom; tom.owner = peter;
}
Now after initialization:
/* This is okay though: neil is Mutable, neil.pet can be null */
neil.pet = null;
Explicit commitment:
"delay the invariants..." (this is like Fähndrich & Haack's systems)
...
delayt { /* Enter an initialization scope, parametrized by t */
neil = new <t> Person[Mutable, NotNull]<,Nullable>;
peter = new <t> Person[Immutable, NotNull]<,NotNull>;
tom = new <t> Turtle[Immutable, NotNull]<,>;
/* Can still mutate the Immutable objects peter and tom while we finish their initialization */
peter.pet = tom; tom.owner = peter;
}
Now after initialization:
/* Type error: peter is Immutable: no field assignment please! */
peter.pet = ...
peter.pet.owner = ...
Explicit commitment:
"delay the invariants..." (this is like Fähndrich & Haack's systems)
...
delayt { /* Enter an initialization scope, parametrized by t */
neil = new <t> Person[Mutable, NotNull]<,Nullable>;
peter = new <t> Person[Immutable, NotNull]<,NotNull>;
tom = new <t> Turtle[Immutable, NotNull]<,>;
/* Can still mutate the Immutable objects peter and tom while we finish their initialization */
peter.pet = tom; tom.owner = peter;
}
Now after initialization:
/* Type error: tom is Immutable */
tom.owner = ...
Something totally new: Generic Nullity
What do we gain?
Genericity! (of course)
Can use the same (class) definition in different of ways
This is what we saw with Peter and Neil
We can make this more concrete...
What do we gain?
Genericity! (of course)
class List[i]<,n1> {
/* The nullity of next is parametrized */
next : List[i,n1]<,n1>
...
void add, get, ...
}
What do we gain?
Genericity! (of course)
class List[i]<,n1> {
/* The nullity of next is parametrized */
next : List[i,n1]<,n1>
...
void add, get, ...
}
delayt {
/* Just a normal recursive list */
normal = new <t> List[Mutable,NotNull]<,Nullable>
}
normal.add(...); normal.get(...); ...
What do we gain?
class List[i]<,n1> {
/* The nullity of next is parametrized */
next : List[i,n1]<,n1>
...
void add(List[Mutable, NotNull]<,n1> this, ...) {
...
}
}
delayt {
/* Just a normal recursive list */
normal = new <t> List[Mutable,NotNull]<,Nullable>
}
normal.add(...); normal.get(...); ...
What do we gain?
class List[i]<,n1> {
/* The nullity of next is parametrized */
next : List[i,n1]<,n1>
...
void add(List[Mutable, NotNull]<,n1> this, ...) {
...
}
}
delayt {
cycliclist = new <t> List[Mutable,NotNull]<,NotNull>
/* Type error! Cycles are enforced by the type system*/
}
What do we gain?
class List[i]<,n1> {
/* The nullity of next is parametrized */
next : List[i,n1]<,n1>
...
void add(List[Mutable, NotNull]<,n1> this, ...) {
...
}
}
class List[i]<,n1> {
/* The nullity of next is parametrized */
next : List[i,n1]<,n1>
...
void add(List[Mutable, NotNull]<,n1> this, ...) {
...
}
}
delayt {
immutcycliclist = new <t> List[Immutable,NotNull]<,NotNull>
cycliclist.next = cycliclist;
}
/* Type error! add expects a mutable list! */
immutcycliclist.add(...);
What do we gain?
class List[i]<,n1> {
/* The nullity of next is parametrized */
next : List[i,n1]<,n1>
...
void get(List[i, NotNull]<,n1> this, ...) {
...
}
}
delayt {
immutcycliclist = new <t> List[Immutable,NotNull]<,NotNull>
cycliclist.next = cycliclist;
}
/* Notice get is still fine... */
immutcycliclist.get(...);
Generic Nullity
NotNull will not do in place of Nullable
(or, sometimes it won't do...)
In other systems for nullity this is fine
(this is a new problem for generic nullity)
Nullity parameters are not covariant
I say that I expect you to pass me either a cat or nothing:
delayt {
box = new <t>
Box[Mutable, NotNull]<,NotNull>;
box.cat = new <t>
Cat[Mutable, NotNull]<,>;
}
quantum_box(..., box, ...);
Nullity parameters are not covariant
It's not fine for you to pass me a box that you know definitely has a cat in it!
void quantum_box(..., Box[Mutable, NotNull]<,Nullable> box, ...) {
/* Fine, since I see the box as having a Nullable cat */
box.cat = null;
}
delayt {
box = new <t> Box[Mutable, NotNull]<,NotNull>;
box.cat = new <t> Cat[Mutable, NotNull]<,>;
}
quantum_box(..., box, ...);
Nullity parameters are not covariant
It's not fine for you to pass me a box that you know definitely has a cat in it!
void quantum_box(..., Box[Mutable, NotNull]<,Nullable> box, ...) {
/* Fine, since I see the box as having a Nullable cat */
box.cat = null;
}
delayt {
box = new <t> Box[Mutable, NotNull]<,NotNull>;
box.cat = new <t> Cat[Mutable, NotNull]<,>;
}
quantum_box(..., box, ...);
/* We expect box.cat to be NotNull! */
box.cat = ...?
Nullity parameters are not covariant
So while nullity of the reference itself is covariant, treating the parameters in the same way is not sound.
We create a least upper bound (<? extends Nullable>)
C[Immutable, NotNull]<,> /* can be used for */ C[Immutable, Nullable]<,>
C[Immutable, NotNull]<,NotNull> /* can't be used for */ C[Immutable, NotNull]<,Nullable>
Nullity parameters are not covariant
So while nullity of the reference itself is covariant, treating the parameters in the same way is not sound.
We create a least upper bound (<? extends Nullable>)
C[Immutable, NotNull]<,Nullable> /* can be used for */ C[Immutable, NotNull]<,<? extends Nullable>>
C[Immutable, NotNull]<,NotNull>/* can be used for */ C[Immutable, NotNull]<,<? extends Nullable>>
Nullity parameters are not covariant
So while nullity of the reference itself is covariant, treating the parameters in the same way is not sound.
We create a least upper bound (<? extends Nullable>)
C[Immutable, NotNull]<,> /* can be used for */ C[<? extends ReadOnly>, Nullable]<,>
C[Mutable, NotNull]<,> /* can be used for */ C[<? extends ReadOnly>, Nullable]<,>
Now let's talk about the formal system
I promised a simple runtime
We just define a standard heap/stack-based runtime.
A value is either an address, ι, or null
A stack, ϕ, is just a map from variable names to values
A heap, Ψ, maps addresses to objects
An object is a pair of a class identifier and a map from fields to addresses
I promised a simple runtime
The runtime semantics...
Runtime semantics are exactly how you'd imagine;
Judgements look like:
Typing judgements are a little more complex
So far everything is simple
But the tricky part of the project is developing the type rules
They're a bit more involved...
Typing judgements...
When an object is committed:
Just check the type of the receiver,
check it's not null,
then look up the field type directly from the class definition
Typing judgements...
When an object is committed:
delayt {
box = new <t>
Box[Immutable,NotNull]
<,Nullable>
}
/* Type Error! box.cat isn't typed NotNull! */
box.cat.fur
Typing judgements...
When an object is committed:
delayt {
box = new <t>
Box[Immutable,NotNull]
<,NotNull>
}
/* This is fine */
box.cat.fur
Typing judgements...
When it's not committed, things are a bit more involved...
When the field isn't in the list of those that might be uninitialized, do as before, but:
The result is also not committed;
Must assume all the fields of the returned object might be null
Typing judgements...
When it's not committed and the field is listed as uninitialized, the returned value might be null!
Typing judgements...
A lot like field lookup...
But what's that at the bottom?
Typing judgements... (FieldType(...))
The rule FieldType(...) says that the field being assigned to:
Can't have < ? extends ReadOnly>
or < ? extends Nullable>
anywhere in the type
These types mean "we don't know"; they exist as upper bounds
on other possibilities
Now let's discuss soundness
In terms of paths through the heap
We basically want all the types for these different paths to be in some way compatible.
(what this means is not intuitive)
Defining a well-formed heap...
This is hard to show
Paths through the heap
We assume all these paths are fine (consistent) to begin with (they are), then have to show that all operations preserve them...
Most cases are trivial induction
But field assignment and method call are not
Field assignment
Field assignment
Field assignment
Field assignment
We basically need to show that:
all the blue dotted paths are the same as the original path (that we type-checked)
and that all the red (dashed) paths are equivalent
and that the red paths are just all equivalent extensions of the blue paths
Evaluation
We saw at the start that we were able to expressively type data-structures and perform non-trivial initialization
We can also initialize e.g. arbitrarily sized cyclic structures without any problems
Paths typed as NotNull will not evaluate to null
Paths typed as Immutable will not have Mutable aliases
The soundness arguments presented in the report were incomplete:
Did not formalize method call
Made some (probably reasonable) assumptions (e.g. generation lemma)
Challenges
Covariance (nullity and mutability)
Commitment points (seems simple now)
Keeping track of time (how to track future commitment points, passed between methods)
The result is...
an expressive type system for generic mutability and nullity in an object-oriented system, with flexible initialization.
There's still work to be done: e.g. we have the basic argument for method call, but I'd like to finish this off!
Maybe then I'll write a compiler...
The important bits:
First time nullity has had a full generic treatment (found some interesting "gotchas").
No erasable state / extra runtime constructs required to express and argue soundness
Exploration of the cross-over between two concepts which both concern initialization
