Making software reliable is one of the most important technological challenges facing our society today. This thesis presents a new type system that addresses this problem by statically preventing several important classes of programming errors. If a program type checks, we guarantee at compile time that the program does not contain any of those errors. We designed our type system in the context of a Java-like object-oriented language; we call the resulting system SafeJava. The SafeJava type system offers significant software engineering benefits. Specifically, it provides a statically enforceable way of specifying object encapsulation and enables local reasoning about program correctness; it combines effects clauses with encapsulation to enable modular checking of methods in the presence of subtyping; it statically prevents data races and deadlocks in multithreaded programs, which are known to be some of the most difficult programming errors to detect, reproduce, and

Persistent object stores require a way to automatically upgrade persistent objects, to change their code and storage representation. Automatic upgrades are a challenge for such systems. Upgrades must be performed in a way that is efficient both in space and time, and that does not stop application access to the store. In addition, however, the approach must be modular: it must allow programmers to reason locally about the correctness of their upgrades similar to the way they would reason about regular code. This paper provides solutions to both problems. The paper first defines upgrade...

... object encapsulation and enable local reasoning about program correctness in object-oriented languages. However, a type system that enforces strict object encapsulation is too constraining: it does not allow efficient implementation of important constructs like iterators. This paper argues that the right way to solve the problem is to allow objects of classes defined in the same module to have privileged access to each other's representations; we show how to do this for inner classes. This approach allows programmers to express constructs like iterators and yet supports local reasoning about the correctness of the classes, because a class and its inner classes together can be reasoned about as a module. The paper also sketches how we use our variant of ownership types to enable efficient software upgrades in persistent object stores.

Object-oriented databases allow objects that are manipulated by programs to be stored reliably so that they can be used again later and shared with other programs. Since objects in the OODB may live a long time, there may be a need to upgrade them: to change their code and storage representation. This paper describes a technique for upgrading objects in an OODB. The approach preserves the database state by transforming objects to their new classes while retaining their state and their identity. The approach is efficient: we do not interrupt application execution to run an upgrade, but instead run the upgrade incrementally, one transform at a time. Objects are transformed lazily, but just in time; applications never observe non-upgraded objects. Laziness can sometimes lead to problems for the code that transforms objects, however; e.g., a transform might observe broken invariants or interfaces unknown at the time it was written. We define precisely when these problems arise, and we also provide mechanisms for avoiding them. Ours is the first work to provide a full analysis of these problems and to allow safe lazy upgrades even when problems arise. We have implemented our approach on the Thor OODB and we present performance results that show that the overhead of our infrastructure is low.