A module system ought to enable assembly-line programming using separate compilation and an expressive linking language. Separate compilation allows programmers to develop parts of a program independently. A linking language gives programmers precise control over the assembly of parts into a whole. This paper presents models of program units, MzScheme's module language for assembly-line programming. Units support separate compilation, independent module reuse, cyclic dependencies, hierarchical structuring, and dynamic linking. The models explain how to integrate units with untyped and typed languages such as Scheme and ML.

Module and class systems have evolved to meet the demand for reuseable software components. Considerable effort has been invested in developing new module and class systems, and in demonstrating how each promotes code reuse. However, relatively little has been said about the interaction of these constructs, and how using modules and classes together can improve programs. In this paper, we demonstrate the synergy of a particular form of modules and classes—called units and mixins, respectively—for solving complex reuse problems in a natural manner.

Much research has been devoted to studies of and algorithms for memory management based on garbage collection or explicit allocation and deallocation. An alternative approach, region-based memory management, has been known for decades, but has not been wellstudied. In a region-based system each allocation specifies a region, and memory is reclaimed by destroying a region, freeing all the storage allocated therein. We show that on a suite of allocation-intensive C programs, regions are competitive with malloc/free and sometimes substantially faster. We also show that regions support safe memory management with low overhead. Experience with our benchmarks suggests that modifying many existing programs to use regions is not difficult. 1 Introduction The two most popular memory management techniques are explicit allocation and deallocation, as in C's malloc/free, and various forms of garbagecollection [Wil92]. Both have well-known advantages and disadvantages, discussed further below. A t...

Sharing and transfer of references is difficult to control in object-oriented languages. As information security is increasingly becoming software dependent, this difficulty poses serious problems for writing secure components. In this paper, we present a set of inexpensive syntactic constraints that strengthen encapsulation in object-oriented programs and facilitate the implementation of secure systems. We introduce two mechanisms: con ned types to impose static scoping on dynamic object references and anonymous methods which do not reveal the identity of the current instance (this). Confined types protect objects from use by untrusted code, while anonymous methods allow standard classes to be reused from con ned classes. We have implemented a verifier which performs a modular analysis of Java programs and provides a static guarantee that confinement is respected. We present security related programming examples.

Jalape~no is a virtual machine for Java TM servers written in Java. A running Java program involves four layers of functionality: the user code, the virtual-machine, the operating system, and the hardware. By drawing the Java / non-Java boundary below the virtual machine rather than above it, Jalape~no reduces the boundary-crossing overhead and opens up more opportunities for optimization. To get Jalape~no started, a boot image of a working Jalape ~no virtual machine is concocted and written to a file. Later, this file can be loaded into memory and executed. Because the boot image consists entirely of Java objects, it can be concocted by a Java program that runs in any JVM. This program uses reflection to convert the boot image into Jalape~no's object format. A special Magic class allows unsafe casts and direct access to the hardware. Methods of this class are recognized by Jalape~no's three compilers, which ignore their bytecodes and emit special-purpose machine code. User code w...

While class-based object-oriented programming languages provide a flexible mechanism for re-using and managing related pieces of code, they typically lack linguistic facilities for specifying a uniform extension of many classes with one set of fields and methods. As a result, programmers are unable to express certain abstractions over classes. In this paper we develop a model of class-to-class functions that we refer to as mixins. A mixin function maps a class to an extended class by adding or overriding fields and methods. Programming with mixins is similar to programming with single inheritance classes, but mixins more directly encourage programming to interfaces. The paper develops these ideas within the context of Java. The results are 1. an intuitive model of an essential Java subset; 2. an extension that explains and models mixins; and 3. type soundness theorems for these languages. 1 Organizing Programs with Functions and Classes Object-oriented programming languages offer classes, inheritance, and overriding to parameterize over program pieces for management purposes and re-use. Functional programming languages provide various flavors of functional abstractions for the same purpose. The latter model was developed from a well-known, highly developed mathematical theory. The former grew in response to the need to manage large programs and to re-use as many components as possible. Each form of parameterization is useful for certain situations. With higherorder functions, a programmer can easily define many functions that share a similar core but differ in a few details. As many language designers and programmers readily acknowledge, however, the functional approach to parameterization is best used in situations with a relatively small number of parameters. When ...

Dynamic storage allocation has become increasingly important in many applications, in part due to the use of the object-oriented paradigm. At the same time, processor speeds are increasing faster than memory speeds and programs are increasing in size faster than memories. In this paper, we investigate e#orts to predict heap object reference and lifetime behavior at the time objects are allocated. Our approach uses profile-based optimization, and considers a variety of di#erent information sources present at the time of object allocation to predict the object's reference frequency and lifetime. Our results, based on measurements of six allocation intensive programs, show that program references to heap objects are highly predictable and that our prediction methods can successfully predict the behavior of these heap objects. We show that our methods can decrease the page fault rate of the programs measured, sometimes dramatically, in cases where the physical memory available to the progr...

Abstract. In this paper, we provide a theoretical foundation and improvements to the existing bytecode verification technology, a critical component of the Java security model, for mobile code used with the Java “micro edition ” (J2ME) which is intended for embedded computing devices. In Java, remotely loaded “bytecode ” class files are required to be bytecode verified before execution, i.e., to undergo a static type analysis that protects the platform’s Java run-time system from so-called “type confusion ” attacks such as pointer manipulation. The data flow analysis which performs the verification, however, is beyond the capacity of most embedded devices because of the memory requirements which the typical algorithm will need. We propose to take a Proof-Carrying Code (PCC) approach to data flow analysis in defining an alternative technique called “Lightweight Analysis ” which uses the notion of a “certificate ” to reanalyze a previously analyzed data flow problem, even on poorly resourced platforms. We formally prove that the technique provides the same guarantees as standard bytecode safety verification analysis, in particular that it is “tamper proof ” in the sense that the guarantees provided by the analysis, cannot be broken by crafting a “false ” certificate or by altering the analyzed code. We show how the Java bytecode verifier fits into this framework for an important subset of the Java Virtual Machine; we also show how the resulting “lightweight bytecode verification ” technique generalizes and simulates the J2ME verifier (to be expected as Sun’s J2ME “K-Virtual machine ” verifier was directly based on an early version of this work), as well as Leroy’s “on-card bytecode verifier ” which is specifically targeted for Java Cards. 1.

This dissertation analyzes the usefulness of existing "conventional" collaboration-transparency systems, which permit the shared use of legacy, single-user applications. I find that conventional collaboration-transparency systems do not use network resources efficiently, and they impose an inflexible, tightly coupled style of collaboration because they do not adequately support important groupware principles: concurrent work, relaxed WYSIWIS, group awareness, and inherently collaborative tasks. This dissertation proposes and explores solutions to those deficiencies. The primary goal of this work is to maintain the benefits of collaboration transparency while relieving some of its disadvantages. To that end, I present an alternate implementation approach that provides many features previously seen only in applications specifically designed to support cooperative work, called collaboration-aware applications. The new approach uses a replicated architecture, in which a copy of the application resides on each user's machine, and the users' input events are broadcast to each copy. I discuss solutions to certain key problems in replicated architectures, such as maintaining consistency, unanticipated sharing, supporting late-joiners, and replicating system resources (e.g., files, sockets, and random number generators). To enhance the collaborative usability of a legacy application, the new approach transparently replaces selected single-user interface objects with multi-user versions at runtime. There are four requirements of an application platform needed to implement this approach: process migration, run-time object replacement, dynamic binding, and the ability to intercept and introduce low-level user input events. As an instance of this approach, I describe its incorpor...

Today, CORBA architecture brings the major industrial solution for achieving the interoperability between distributed software components in heterogeneous environments. While the CORBA project attempts to federate distributed mechanisms within a unique architecture, its internal model is not very flexible and seems not to be suitable for future evolutions. In this paper, we present OpenCorba, a reflective open broker, enabling users to adapt dynamically the representation and the execution policies of the software bus. We first expose the reflective foundations underlying the implementation of OpenCorba: i) metaclasses which provide a better separation of concerns in order to improve the class reuse; ii) a protocol which enables the dynamic changing of metaclass in order to allow run-time adaptation of systems. Based on this reflective environment, OpenCorba enables the adaptability of the internal characteristics of the broker in order to change its run-time behavior (e...