Are We Ready for a Safer Construction Environment - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Are We Ready for a Safer Construction Environment


1
Are We Ready for a Safer Construction Environment?
  • Thesis seminar
  • by Tali Shragai
  • Advisor Yossi Gil
  • Department of Computer Science, Technion

2
Quiz: The Magical Moments of Birth
  • How long does a birth take?
  • 8
  • A day or two
  • 12 hours
  • 20 minutes
  • Some ε > 0
  • What's the name of the deliverable?
  • Baby
  • The father of man
  • Infant
  • Embryo?

3
Objects are no Different!
  • At the beginning there was raw memory
  • Cells, cells, cells, but not an organ, not a
    creature
  • At the end, there was an object!
  • What happened in the meantime?
  • When do cells stop being cells?
  • When do they become an object?
  • Which object are they?

4
An Example
  class Ape
  class Man extends Ape
  Ape m = new Man();
  • Evolution, the Java way
    • Memory allocation
    • Memory clear
    • Constructor of Ape
    • Constructor of Man
  • Evolution, the C++ way
    • Memory allocation
    • Constructor of Ape
    • Constructor of Man
5
When Does an Ape Become a Man?
  • Java: right from the start!
  • C++: it has to finish being an ape first!

  abstract class Ape {
    public Ape() { proclaim(); }
    public void proclaim() { System.out.println("An ape is born!"); }
  }
  class Man extends Ape {
    public Man() { }  // Will implicitly call the constructor Ape.Ape()
    public void proclaim() { System.out.println("A man is born!"); }
  }
  ...
  Ape a = new Man();

  Java: A man is born!
  C++:  An ape is born!
6
Static vs. Dynamic Binding Semantics within
Constructors
  • Which methods shall a partially-created object
    call?
  • Static semantics (C++): methods of the current
    object.
  • Safe: cannot use uninitialized fields.
  • Unsafe: may crash if the called method is
    abstract!
  • Real-life example from the world's most common
    web browser.
  • Static binding compromises static type safety.

7
Static vs. Dynamic Binding Semantics within
Constructors (cont.)
  • Dynamic semantics (Java, C#): methods of the
    target object
  • Safe: will not invoke abstract methods
  • Unsafe: may use uninitialized fields
  • They are zero, but not initialized properly.
  • An overriding method in the derived class may
    have (wrong!) assumptions about the base class's
    fields
  • A problem for language extensions such as
    immutability and non-null.

8
Research Question
  • Does this ever occur in practice?
  • In other words, is birth really infinitesimally
    short?
  • YES answer: the world is in trouble now!
  • No way of doing OO computation in a safe way.
  • NO answer: the end of the world may still come
    soon!!!
  • Who knows whether our students will abide by our
    good habits.
  • Prevention by birth control
  • Make sure that no strange things happen while an
    object is being created

9
Birth Control
  • AKA Safe Construction: no binding question within
    constructors!
  • Only allow calls which have the same behavior in
    both semantics.
  • Rule: which methods can be called from a
    constructor?
    • final methods
    • private methods
    • static methods
    • Semi-static methods
    • Nothing else!
  • Semi-static methods: our proposed language
    extension
    • Like static methods: cannot access object fields
      and methods
    • Like non-static methods: have dynamic binding
      semantics
  • Modesty rule: Thou shalt not expose THYSELF in
    public!
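The "zero, but not initialized properly" hazard from the previous slides, and the Birth Control repair, as an added example in Java (not code from the presentation; the class names Greeter, PoliteGreeter, SafeGreeter and SafePoliteGreeter are chosen here for illustration):

```java
// Added example (not from the slides): a polymorphic constructor call
// observes a derived-class field before its initializer has run, even
// though the field is declared final; the safe version calls only a
// final method and passes subclass-specific data as a constructor argument.
abstract class Greeter {
    public Greeter() {
        // Dynamic binding: this dispatches to PoliteGreeter.greeting()
        // while PoliteGreeter's own fields are still zeroed memory.
        System.out.println(greeting());
    }
    abstract String greeting();
}

class PoliteGreeter extends Greeter {
    // Initialized only after Greeter() has returned. The initializer is
    // deliberately not a compile-time constant, so javac cannot inline it;
    // greeting() therefore sees title == null when called from Greeter().
    private final String title = "Dr".concat(".");
    public PoliteGreeter() { super(); }
    @Override String greeting() { return "Hello, " + title; }
}

// Birth Control: the base constructor calls only a final method, which has
// the same meaning under static and dynamic binding semantics, and the
// subclass hands its data to the base constructor explicitly.
abstract class SafeGreeter {
    private final String title;
    public SafeGreeter(String title) {
        this.title = title;           // assigned before any call below
        System.out.println(greeting());
    }
    final String greeting() { return "Hello, " + title; }
}

class SafePoliteGreeter extends SafeGreeter {
    public SafePoliteGreeter() { super("Dr."); }
}

public class BirthControlDemo {
    public static void main(String[] args) {
        new PoliteGreeter();       // title is still null during construction
        new SafePoliteGreeter();   // title is set before greeting() runs
    }
}
```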

10
Conjectures
  • Unsafe construction is rare
  • Unsafe construction is repairable
  • When it exists, it can be quickly fixed, maybe
    even semi-automatically

11
Results
  • Bad news: inconclusive
    • We think that unsafe construction is both rare
      and correctable
  • Good news: cannot hope to be more conclusive
    • No established research methodology in our field
    • Scope: cannot examine all code in the world
    • Sample: the notion of research sampling is
      undefined
    • Definition:
      • Weight: is one problem every 100 lines rare or
        frequent?
      • Location: where is the problem located (two
        classes are involved)?
      • Counting: should an error in two constructors of
        the same class be counted once or twice?
      • Potential: how should one deal with a constructor
        calling an overridable method (non-final,
        non-static method)?

12
Software Corpus
  • 12 projects: JRE, Eclipse, JBOSS, Poseidon,
    Tomcat, Scala, JML, ANT, MJC, JEdit, ESC, KOA.
  • Size: 3,600 packages, 76,000 types, 85,000
    constructors.
  • Range: 40 classes in the smallest project, 19,000
    in the largest.
  • The crisp-boundary problem: where does one
    project start and where does it end?
  • Method: sampling projects used in previous
    empirical research, plus some new ones of our own.

13
Empirical Findings
  • About 1.3 constructors per class.
  • Our automatic analysis of Java bytecode includes
    at least the compiler-generated constructor per
    class.
  • About 14% of the classes are base classes.
  • Often a class in one project will inherit from a
    class in another project.
  • About 18% of all constructors are base
    constructors.

14
Analysis Method
  • Mostly automatic analysis
  • Using JTL, our Java analysis language.
  • Conservative queries were used to detect all
    unsafe cases.
  • Verified manually, in order to remove false
    positives.

15
Definitions and Results
  • Polymorphic constructor: calls a method which is
    overridden in a derived class.
    • 3% of all constructors
  • Polymorphic fall constructor: refines a
    polymorphic constructor.
    • 1.5% of all constructors
  • Polymorphic pitfall constructor: calls a method
    which might be overridden in a derived class.
    • 8% of all constructors

16
Construction Patterns
  • Manual analysis (600 polymorphic constructors,
    in the JRE and the Eclipse project)
  • Total of 8 patterns
    • Constant initializer (40%)
    • Function object (20%)
    • Inline delta (10%)
    • ...

17
Constant Initializer - example
  abstract class Father {
    public Father() { System.out.print(myName()); }
    abstract String myName();
  }
  class Son extends Father {
    public Son() { }  // implicitly calls Father()
    String myName() { return "Son"; }
  }
  class Daughter extends Father {
    public Daughter() { }  // implicitly calls Father()
    String myName() { return "Daughter"; }
  }
18
Constant Initializer: the safe way!
  abstract class Father {
    public Father(String name) { System.out.print(name); }
  }
  class Son extends Father {
    public Son() { super("Son"); }  // Father(String) is called explicitly!
  }
  class Daughter extends Father {
    public Daughter() { super("Daughter"); }  // Father(String) is called explicitly!
  }
19
Immodesty and Self Exposition
Client will see a half-baked object
  • A constructor exposing the identity of this to
    external code
  • Difficult to detect (alias analysis).
  • Difficult to protect (where is this external
    code?)

  class Strip {
    public Strip() { Client.see(this); }
  }
  class Tease extends Strip { ... }
  Strip gypsy = new Tease();
  class Client {
    static void see(Strip t) { /* What is the runtime type of t? */ }
  }
20
Definitions and Results
  • Immodest constructor: (i) exposes the this
    pointer, (ii) is refined.
    • 6% of all constructors
  • Immodest fall constructor: refines an immodest
    constructor.
    • 5% of all constructors
  • Immodest pitfall constructor: exposes the this
    pointer.
    • 7.5% of all constructors

21
Conclusions
  • Life is tough
  • We do not know how to measure.
  • Our results may be considered for new language
    design: forcing safe construction.
  • For current languages the solution is not always
    trivial.

22
Thanks for listening!