You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Stackability means that all fields of a class are initialized at the end of the
112
115
class body. Scala enforces this property in syntax by demanding that all fields
@@ -159,41 +162,144 @@ Monotonicity is based on a well-known technique called _heap monotonic
159
162
typestate_ to ensure soundness in the presence of aliasing
160
163
[1]. Roughly speaking, it means initialization state should not go backwards.
161
164
162
-
Scopability means that there are no side channels to access to partially constructed objects. Control effects like coroutines, delimited
165
+
Scopability means that there are no side channels to access to partially
166
+
constructed objects. Control effects like coroutines, delimited
163
167
control, resumable exceptions may break the property, as they can transport a
164
168
value upper in the stack (not in scope) to be reachable from the current scope.
165
169
Static fields can also serve as a teleport thus breaks this property. In the
166
170
implementation, we need to enforce that teleported values are transitively
167
171
initialized.
168
172
169
-
The principles enable _local reasoning_ of initialization, which means:
173
+
The three principles above contribute to _local reasoning about initialization_,
174
+
which means:
170
175
171
176
> An initialized environment can only produce initialized values.
172
177
173
178
For example, if the arguments to an `new`-expression are transitively
174
179
initialized, so is the result. If the receiver and arguments in a method call
175
180
are transitively initialized, so is the result.
176
181
182
+
Local reasoning about initialization gives rise to a fast initialization
183
+
checker, as it avoids whole-program analysis.
184
+
185
+
The principle of authority goes hand-in-hand with monotonicity: the principle
186
+
of monotonicity stipulates that initialization states cannot go backwards, while
187
+
the principle of authority stipulates that the initialization states may not
188
+
go forward at arbitrary locations due to aliasing. In Scala, we may only
189
+
advance initialization states of objects in the class body when a field is
190
+
defined with a mandatory initializer or at local reasoning points when the object
191
+
becomes transitively initialized.
192
+
193
+
## Abstract Values
194
+
195
+
There are three fundamental abstractions for initialization states of objects:
196
+
197
+
-__Cold__: A cold object may have uninitialized fields.
198
+
-__Warm__: A warm object has all its fields initialized but may reach _cold_ objects.
199
+
-__Hot__: A hot object is transitively initialized, i.e., it only reaches warm objects.
200
+
201
+
In the initialization checker, the abstraction `Warm` is refined to handle inner
202
+
classes and multiple constructors:
203
+
204
+
-__Warm[C] { outer = V, ctor, args = Vs }__: A warm object of class `C`, where the immediate outer of `C` is `V`, the constructor is `ctor` and constructor arguments are `Vs`.
205
+
206
+
The initialization checker checks each concrete class separately. The abstraction `ThisRef`
207
+
represents the current object under initialization:
208
+
209
+
-__ThisRef[C]__: The current object of class `C` under initialization.
210
+
211
+
The initialization state of the current object is stored in the abstract heap as an
212
+
abstract object. The abstract heap also serves as a cache for the field values
213
+
of warm objects. `Warm` and `ThisRef` are "addresses" of the abstract objects stored
214
+
in the abstract heap.
215
+
216
+
Two more abstractions are introduced to support functions and conditional
217
+
expressions:
218
+
219
+
-__Fun(e, V, C)__: An abstract function value where `e` is the code, `V` is the
220
+
abstract value for `this` inside the function body and the function is located
221
+
inside the class `C`.
222
+
223
+
-__Refset(Vs)__: A set of abstract values `Vs`.
224
+
225
+
A value `v` is _effectively hot_ if any of the following is true:
226
+
227
+
-`v` is `Hot`.
228
+
-`v` is `ThisRef` and all fields of the underlying object are assigned.
229
+
-`v` is `Warm[C] { ... }` and
230
+
1.`C` does not contain inner classes; and
231
+
2. Calling any method on `v` encounters no initialization errors and the method return value is _effectively hot_; and
232
+
3. Each field of `v` is _effectively hot_.
233
+
-`v` is `Fun(e, V, C)` and calling the function encounters no errors and the
234
+
function return value is _effectively hot_.
235
+
- The root object (refered by `ThisRef`) is _effectively hot_.
236
+
237
+
An effectively hot value can be regarded as transitively initialized thus can
238
+
be safely leaked via method arguments or as RHS of an reassignment.
239
+
The initialization checker tries to promote non-hot values to effectively hot
240
+
whenenver possible.
241
+
177
242
## Rules
178
243
179
-
With the established principles and design goals, following rules are imposed:
244
+
With the established principles and design goals, the following rules are imposed:
180
245
181
-
1. In an assignment `o.x = e`, the expression `e` may only point to transitively initialized objects.
246
+
1. The field access `e.f` or method call `e.m()` is illegal if `e` is _cold_.
247
+
248
+
A cold value should not be used.
249
+
250
+
2. The field access `e.f` is invalid if `e` has the value `ThisRef` and `f` is not initialized.
251
+
252
+
3. In an assignment `o.x = e`, the expression `e` must be _effectively hot_.
182
253
183
254
This is how monotonicity is enforced in the system. Note that in an
184
-
initialization `val f: T = e`, the expression `e` may point to an object
185
-
under initialization. This requires a distinction between mutation and
186
-
initialization in order to enforce different rules. Scala
187
-
has different syntax for them, it thus is not an issue.
255
+
initialization `val f: T = e`, the expression `e` may point to a non-hot
256
+
value.
188
257
189
-
2. Objects under initialization may not be passed as arguments to method calls.
258
+
4. Arguments to method calls must be _effectively hot_.
190
259
191
260
Escape of `this` in the constructor is commonly regarded as an anti-pattern.
192
-
However, escape of `this` as constructor arguments are allowed, to support
261
+
262
+
However, passing non-hot values as argument to another constructor is allowed, to support
193
263
creation of cyclic data structures. The checker will ensure that the escaped
194
264
non-initialized object is not used, i.e. calling methods or accessing fields
195
265
on the escaped object is not allowed.
196
266
267
+
An exception is for calling synthetic `apply`s of case classes. For example,
268
+
the method call `Some.apply(e)` will be interpreted as `new Some(e)`, thus
269
+
is valid even if `e` is not hot.
270
+
271
+
Another exception to this rule is parametric method calls. For example, in
272
+
`List.apply(e)`, the argument `e` may be non-hot. If that is the case, the
273
+
result value of the parametric method call is taken as _cold_.
274
+
275
+
5. Method calls on hot values with effectively hot arguments produce hot results.
276
+
277
+
This rule is assured by local reasoning about initialization.
278
+
279
+
6. Method calls on `ThisRef` and warm values will be resolved statically and the
280
+
corresponding method bodies are checked.
281
+
282
+
7. In a new expression `new p.C(args)`, if the values of `p` and `args` are
283
+
effectively hot, then the result value is also hot.
284
+
285
+
This is assured by local reasoning about initialization.
286
+
287
+
8. In a new expression `new p.C(args)`, if any value of `p` and `args` is not
288
+
effectively hot, then the result value takes the form `Warm[C] { outer = Vp, args = Vargs }`. The initialization code for the class `C` is checked again to make
289
+
sure the non-hot values are used properly.
290
+
291
+
In the above, `Vp` is the widened value of `p` --- the widening happens if `p`
292
+
is a warm value `Warm[D] { outer = V, args }` and we widen it to
293
+
`Warm[D] { outer = Cold, args }`.
294
+
295
+
The variable `Vargs` represents values of `args` with non-hot values widened
296
+
to `Cold`.
297
+
298
+
The motivation for the widening is to finitize the abstract domain and ensure
299
+
termination of the initialization check.
300
+
301
+
9. The scrutinee in a pattern match and the values in return and throw statements must be _effectively hot_.
302
+
197
303
## Modularity
198
304
199
305
The analysis takes the primary constructor of concrete classes as entry points.
@@ -206,7 +312,7 @@ tightly coupled. For example, adding a method in the superclass requires
206
312
recompiling the child class for checking safe overriding.
207
313
208
314
Initialization is no exception in this respect. The initialization of an object
209
-
essentially invovles close interaction between subclass and superclass. If the
315
+
essentially involves close interaction between subclass and superclass. If the
210
316
superclass is defined in another project, the crossing of project boundary
211
317
cannot be avoided for soundness of the analysis.
212
318
@@ -233,4 +339,5 @@ mark some fields as lazy.
233
339
## References
234
340
235
341
1. Fähndrich, M. and Leino, K.R.M., 2003, July. [_Heap monotonic typestates_](https://www.microsoft.com/en-us/research/publication/heap-monotonic-typestate/). In International Workshop on Aliasing, Confinement and Ownership in object-oriented programming (IWACO).
236
-
2. Fengyun Liu, Ondřej Lhoták, Aggelos Biboudis, Paolo G. Giarrusso, and Martin Odersky. 2020. [_A type-and-effect system for object initialization_](https://dl.acm.org/doi/10.1145/3428243). OOPSLA, 2020.
342
+
2. Fengyun Liu, Ondřej Lhoták, Aggelos Biboudis, Paolo G. Giarrusso, and Martin Odersky. [_A type-and-effect system for object initialization_](https://dl.acm.org/doi/10.1145/3428243). OOPSLA, 2020.
0 commit comments