Results 1 - 10 of 17
Compositional Shape Analysis by means of Bi-Abduction
Cited by 52 (12 self)
This paper describes a compositional shape analysis, where each procedure is analyzed independently of its callers. The analysis uses an abstract domain based on a restricted fragment of separation logic, and assigns a collection of Hoare triples to each procedure; the triples provide an over-approximation of data structure usage. Compositionality brings its usual benefits – increased potential to scale, ability to deal with unknown calling contexts, graceful way to deal with imprecision – to shape analysis, for the first time. The analysis rests on a generalized form of abduction (inference of explanatory hypotheses) which we call bi-abduction. Bi-abduction displays abduction as a kind of inverse to the frame problem: it jointly infers anti-frames (missing portions of state) and frames (portions of state not touched by an operation), and is the basis of a new interprocedural analysis algorithm. We have implemented
Practical API Protocol Checking with Access Permissions, 2009
Cited by 16 (10 self)
{kevin.bierhoff,nbeckman,jonathan.aldrich}@cs.cmu.edu. Reusable APIs often define usage protocols. We previously developed a sound modular type system that checks compliance with typestate-based protocols while affording a great deal of aliasing flexibility. We also developed Plural, a prototype tool that embodies our approach as an automated static analysis and includes several extensions we found useful in practice. This paper evaluates our approach along the following dimensions: (1) We report on experience in specifying relevant usage rules for a large Java standard API with our approach. We also specify several other Java APIs and identify recurring patterns. (2) We summarize two case studies in verifying third-party open-source code bases with few false positives using our tool. We discuss how tool shortcomings can be addressed either with code refactorings or extensions to the tool itself.
Modular Session Types for Distributed Object-Oriented Programming
Cited by 10 (4 self)
Session types allow communication protocols to be specified type-theoretically so that protocol implementations can be verified by static type-checking. We extend previous work on session types for distributed object-oriented languages in three ways. (1) We attach a session type to a class definition, to specify the possible sequences of method calls. (2) We allow a session type (protocol) implementation to be modularized, i.e. separated into separately-callable methods. (3) We treat session-typed communication channels as objects, integrating their session types with the session types of classes. The result is an elegant unification of communication channels and their session types, distributed object-oriented programming, and a form of typestates supporting non-uniform objects, i.e. objects that dynamically change the set of available methods. We define syntax, operational semantics, a sound type system, and a correct
Modular typestate verification of aliased objects, 2007
Cited by 6 (2 self)
A number of type systems have used typestates to specify and statically verify protocol compliance. Aliasing is a major challenge for these systems. This paper proposes a modular type system for a core object-oriented language that leverages linear logic for verifying compliance to more expressive protocol specifications than previously supported. The system improves reasoning about aliased objects by associating references with access permissions that systematically capture what aliases know about and can do to objects. Permissions grant full, shared, or read-only access to a certain part of object state and allow aliasing both on the stack and in the heap. The system supports dynamic state tests, arbitrary callbacks, and open recursion. The system’s expressiveness is illustrated with examples from the Java I/O library.
Open and Dynamic Schema Evolution in Content-Intensive Web Applications - In Cordeiro et al, 2006
Cited by 4 (4 self)
Modern information systems development is a complex task for it must fulfill a large variety of application- and architecture-oriented requirements. Furthermore, such requirements often are a moving target for the developer, not only because the system has to stay open to a constantly changing application domain, but also because new requirements are added during the extremely long lifetime of such information systems. To make things worse, modern information systems are operated in a 24x7 mode which generates the pressure of highly dynamic, almost online system evolution. A main source of problems such development projects struggle with originates from the lack of a systematic subdivision of large software systems into manageable modules. As a consequence developers are traditionally involved in a complex patchwork of manual efforts to keep the various parts of the system in sync with each other and with the system’s requirements. In this paper we outline our approach to information system development which is based on a model for Conceptual Content Management (CCM). Our CCM approach profits from the dynamic, model-driven generation of smaller modules, which can be combined automatically into the full system. The generation process uses a CCM model of the application domain(s) from which our compiler framework dynamically generates the schema-dependent parts of the system. Due to the dynamic nature of this generation process, we are able to provide adequate support for both schema evolution and personalization of such a system. We have successfully employed the CCM approach to the development of complex web information systems. We give a brief account of CCM development and present an application example.
Extending typestate analysis to multiple interacting objects, 2008
Cited by 4 (2 self)
This paper extends static typestate analysis to temporal specifications of groups of interacting objects, which are expressed using tracematches. Unlike typestate, a tracematch state may change due to operations on any of a set of objects bound by the tracematch. The paper proposes a lattice-based operational semantics which is proved equivalent to the original tracematch semantics but is better suited to static analysis. The static analysis is presented next, and is proved sound with respect to the semantics. The analysis computes precise local points-to sets and tracks the flow of individual objects, thereby enabling strong state updates. A fully context-sensitive version of the analysis has been implemented as instances of the IFDS and IDE algorithms. The analysis was evaluated on tracematches used in earlier work and found to be very precise. Remaining imprecisions could be eliminated with more precise modeling of references from the heap and of exceptional control flow.
Types for Correct Concurrent API Usage, 2010
Cited by 2 (1 self)
This thesis represents an attempt to improve the state of the art in our ability to understand and check object protocols, with a particular emphasis on concurrent programs. Object protocols are the patterns of use imposed on clients of APIs in object-oriented programs. We show through an empirical study of open-source object-oriented programs that object protocols are quite common. We then present “Sync-or-Swim,” a methodology and suite of accompanying tools for checking at compile-time that object protocols are used and implemented correctly. This methodology is based upon the existing access permissions method of alias control, which is here extended to be sound in the face of shared-memory concurrency. The analysis is formalized as a type system for an object-oriented calculus, and then proven to be free from false-negatives using a proof of type safety. The type system is extended with parametric polymorphism, or “generics,” in order to increase its ability to check commonly occurring patterns. An implementation of the approach, a static analysis for programs written in the Java programming language, is presented. This implementation
An Empirical Study of Object Protocols in the
Cited by 2 (1 self)
An active area of research in computer science is the prevention of violations of object protocols, i.e., restrictions on temporal orderings of method calls on an object. However, little is understood about object protocols in practice. This paper describes an empirical study of object protocols in some popular open-source Java programs. In our study, we have attempted to determine how often object protocols are defined, and how often they are used, while also developing a taxonomy of similar protocols. In the open-source projects in our study, comprising almost two million lines of code, approximately 7.2% of all types defined protocols, while 13% of classes were clients of types defining protocols. (For comparison, 2.5% of the types in the Java library define type parameters using Java Generics.) This suggests that protocol checking tools are widely applicable.
JPure: A Modular Purity System for Java
Cited by 2 (1 self)
Purity Analysis is the problem of determining whether or not a method may have side-effects. This has many applications, including automatic parallelisation, extended static checking, and more. We present a novel algorithm for inferring the purity of methods in Java. Our algorithm exploits two properties, called freshness and locality, which, when combined together, enable more precise purity analysis. Our algorithm also differs from the majority of previous attempts at purity analysis, in that it is modularly checkable. That is, the algorithm produces annotations which can be checked without the need for an expensive and costly interprocedural analysis. We evaluate our analysis against several packages from the Java Standard Library. Our results indicate that it is possible to uncover significant amounts of purity efficiently.
First-Class State Change in Plaid
Cited by 1 (1 self)
Objects model the world, and state is fundamental to a faithful modeling. Engineers use state machines to understand and reason about state transitions, but programming languages provide little support for building software based on state abstractions. We propose Plaid, a language in which objects are modeled not just in terms of classes, but in terms of changing abstract states. Each state may have its own representation, as well as methods that may transition the object into a new state. A formal model precisely defines the semantics of core Plaid constructs such as state transition and trait-like state composition. We evaluate Plaid through a series of examples taken from the Plaid compiler and the standard libraries of Smalltalk and Java. These examples show how Plaid can more closely model state-based designs, enhancing understandability, enhancing dynamic error checking, and providing reuse benefits.