Access contracts: a dynamic approach to object-oriented access protection

In object-oriented (OO) programming, variables do not contain objects directly but ad-dresses of objects on the heap. Thus, several variables can point to the same object; wecall this aliasing.Aliasing is a central feature of OO programming that enables efficient sharing of objectsacross a system. This is essential for the implementation of many programming idioms,such as iterators. On the other hand, aliasing reduces modularity and encapsulation,making programs difficult to understand, debug and maintain.Much research has been done on controlling aliasing. Alias protection schemes (suchas Clarke et al.’s influential ownership types) limit which references can exist, thus guar-anteeing the protection of encapsulated objects. Unfortunately, existing schemes aresignificantly restrictive and consequently have not been widely adopted by software de-velopers.This thesis makes three contributions to the area of alias protection. Firstly, it pro-poses aliasing contracts, a novel, dynamically-checked alias protection scheme for object-oriented programming languages. Aliasing contracts are highly flexible and expressive,addressing the limitations of existing work. We show that they can be used to modelmany existing alias protection schemes, providing a unifying approach to alias protection.Secondly, we develop a prototype implementation of aliasing contracts in Java anduse it to quantify the run-time performance of aliasing contracts. Since aliasing con-tracts are checked dynamically, they incur run-time performance overheads; however, ourperformance evaluation shows that using aliasing contracts for testing and debugging isnevertheless feasible.Thirdly, we propose a static analysis which can verify simple aliasing contracts atcompile time, including those contracts which model ownership types. Contracts whichcan be verified in this way can subsequently be removed from the program before it isexecuted. We show that such a combination of static and dynamic checking significantlyimproves the run-time performance of aliasing contracts.