2009
Yearly Archive
February 26, 2009
What is the most basic building block for asynchronous message passing? I’ve found the answer in Concurrent Haskell. Not many people are fluent in Haskell, especially when monads are involved, so MVars may sound foreign to most. Not to worry–I’ll translate them into Java (as I did with synchronous CML channels in my previous post).
An MVar is an object with two methods, put and take. The sender calls put with a message and continues (it doesn’t block–that’s why this message-passing model is called “asynchronous”). The receiver, in another thread, calls take to remove the message from MVar. If there is no message, the receiver blocks until there is one.
An MVar can store a maximum of one message, so it’s an error to call put when there is an unclaimed message inside it. An MVar can thus be only in one of two states: empty or full.
Here’s a simple-minded implementation of MVar written in Java. (A lock-free implementation is possible–and closer to how Haskell implements it–but it’s harder to reason about.)
public class MVar<T> {
private T _obj;
private boolean _full;
public MVar(){
_full = false;
}
// put: asynchronous (non-blocking)
// Precondition: MVar must be empty
public synchronized void put(T obj) {
assert !_full;
assert _obj == null;
_obj = obj;
_full = true;
notify();
}
// take: if empty, blocks until full.
// Removes the object and switches to empty
public synchronized T take() throws InterruptedException {
while (!_full)
wait(); // may throw!
T ret = _obj;
_obj = null;
_full = false;
return ret;
}
}
You might think that it would be difficult to implement anything useful with MVars. After all it looks like a message queue of length one, which bombs when you try to put a second message in. Yet it is the simplest building block for more sophisticated structures. It is the atom of asynchronous message passing.
We’ve seen before how to implement asynchronous message passing using synchronous building blocks by spawning a thread. Now let’s see how we can implement a simple synchronous channel variable using asynchronous MVars. Remember, in a synchronous channel, if there is no receiver already waiting on the other side, a call to send (or write, in this example) will block.
The basic channel variable, or a channel of length one, is called a CVar in Haskell, and it contains two MVars, one to store the message, and the other for the acknowledgment. The acknowledgment MVar doesn’t really have to store anything–we are only interested in its state: empty or full. The reader will acknowledge the receipt of the message by setting it to full.
public class CVar<T> {
private MVar<T> _data;
private MVar<Object> _ack;
public CVar(){
_data = new MVar<T>();
_ack = new MVar<Object>();
_ack.put(null); // make _ack full
}
public void write(T obj) throws InterruptedException {
_ack.take(); // make _ack empty
_data.put(obj);
}
public T read() throws InterruptedException {
T data = _data.take();
_ack.put(null); // make _ack full
return data;
}
}
MVars can also be used to build a more useful asynchronous buffered channel that can store more than one message at a time. I will show you the construction, but it’s far from trivial. You might notice that it resembles a lot a lock-free FIFO queue (although I chose to use locks to implement the MVar). As with all lock-free data structures, one has to be very careful when reasoning about their correctness. I’ll leave it as an exercise to the reader 😉 .
Item and Stream are mutually recursive data structures forming a linked list. An Item points to a Stream–the tail of the list. A Stream is an MVar containing an Item. You may look at a Stream as a sequence of alternating MVars and Items. An empty MVar may serve as a sentinel.
class Item<T> {
private T _val;
private Stream<T> _tail;
public Item(T val, Stream<T> tail){
_val = val;
_tail = tail;
}
T value(){
return _val;
}
Stream<T> tail(){
return _tail;
}
}
// It's just a typedef for an MVar that stores an Item
class Stream<T> extends MVar<Item<T>> {}
A Channel contains the Stream linked list stored in an MVar, which is called _read because the head of the list is where we read messages. The other MVar points to the end of the list (really an empty sentinel Stream). This is the write end of the list. The methods put and get (which are not synchronized!) perform some intricate manipulations characteristic of lock-free algorithms, making sure that at every step the queue is in a consistent state for concurrent access. Notice that put will only block if another put is in progress. Otherwise it’s asynchronous–there is no waiting for a receiver.
public class Channel<T> {
private MVar<Stream<T>> _read;
private MVar<Stream<T>> _write;
public Channel() {
_read = new MVar<Stream<T>>();
_write = new MVar<Stream<T>>();
Stream<T> hole = new Stream<T>();
_read.put(hole);
_write.put(hole);
}
public void put(T val)throws InterruptedException {
Stream<T> newHole = new Stream<T>();
Stream<T> oldHole = _write.take();
_write.put(newHole);
oldHole.put(new Item<T>(val, newHole));
}
public T get()throws InterruptedException {
Stream<T> cts = _read.take();
Item<T> item = cts.take();
_read.put(item.tail());
return item.value();
}
}
In the next few installments I’m planning to talk a little about “choice” and then tackle the actor-based message-passing paradigm (Erlang and Scala).
February 14, 2009
Posted by Bartosz Milewski under
Concurrency,
Java,
ML
[10] Comments
What’s the lowest level primitive that can be used to build a concurrent message passing system? As I discussed in my previous post, there are two message passing paradigms, synchronous and asynchronous.
Let’s start with the atom of synchronous message passing. In its purest form it is implemented in Concurrent ML (CML) in the form of a channel. A channel has two methods, send and recv. A thread that calls send blocks until another thread calls recv on the same channel. Similarly, a thread that calls recv will block if there is no blocked send to rendezvous with.
CML channels are typed, i.e., a channel for passing integers has a different type than a channel for passing characters.
Since not everybody is familiar with ML, I decided to implement an equivalent of CML channels in Java. I considered C++ and D, but the Java implementation is the simplest. In C++ I would have to use a C++0x compiler, which I don’t have; in the D programming language, condition variables are not as easy to use as in Java (although that might change in the future). This implementation works only for point-to-point communications–it does not support multiple senders or receivers. [Following readers’ comments I modified the implementation to take into account the so-called spurious wakeups–exits from wait not caused by notify.]
public class Channel<T> {
private boolean _dataReady;
private boolean _received;
T _msg;
Channel(){
_dataReady = false;
_received = false;
}
public synchronized void send(T msg) throws InterruptedException {
while (_dataReady)
wait();
_msg = msg;
_dataReady = true;
notify();
while (!_received)
wait();
_received = false;
}
public synchronized T recv() throws InterruptedException {
while (!_dataReady)
wait();
T msg = _msg;
_dataReady = false;
_received = true;
notify();
return msg;
}
}
This is probably not the simplest implementation, but it illustrates the principle. Notice that internally the message is passed through shared memory (the data member _msg). This is standard for intra-process, and often inter-process, message passing.
Synchronous channels can be used as building blocks in the implementation of asynchronous message passing. The asynchronous sender simply creates a worker thread that calls send and possibly blocks. The calling thread is free to proceed immediately. The efficiency of this sort of implementation depends heavily on how cheap thread creation is (although worker threads can be cached in thread pools). Any language runtime that uses native threads (including Java) is handicapped in this respect. Interestingly enough, Erlang and Haskell, which use the asynchronous model, have cheap threads; the synchronous CML, paradoxically, uses native threads.
In the next installment, I’ll describe the atom of asynchronous message passing that can be found in Haskell (don’t worry, I’ll translate it into Java).
For completeness, here’s the program I used to test my channels:
public class RecvThread extends Thread {
private Channel<String> _ch;
long _waitTime;
public RecvThread(Channel<String> ch, long waitTime){
_ch = ch;
_waitTime = waitTime;
}
public void run()
{
try {
Thread.sleep(_waitTime);
String msg = _ch.recv();
System.out.println("Message received: " + msg);
} catch (InterruptedException e) {}
}
}
public class TestChannel {
public static void main(String[] args) {
try {
testReceiver();
testSender();
} catch (InterruptedException e) {
System.out.println("Interrupted Exception");
}
}
public static void testReceiver() throws InterruptedException
{
Channel<String> ch = new Channel<String>();
// send will happen first
RecvThread t = new RecvThread(ch, 1000);
t.start();
ch.send("Hello before rendezvous");
}
public static void testSender() throws InterruptedException
{
Channel<String> ch = new Channel<String>();
RecvThread t = new RecvThread(ch, 0);
t.start();
Thread.sleep(1000);
ch.send("Hello after sleep");
}
}
In the first test, the sender blocks; in the second, the receiver blocks.
February 10, 2009
Recently I’ve been looking into message passing as a model for concurrency. It turns out that there are two warring camps in the message passing community. One believes that synchronous message passing is more fundamental, the other believes that asynchronous message passing is more basic. You might think that the discussion is moot, since one can be emulated by the other, but it’s not as simple as that.
Let me first explain the concepts. In message passing you have a sender and a receiver–they usually run in separate threads. The sender sends a message and the receiver receives it. All issues of memory sharing and concurrent access are hidden inside the communication channel. The client does no low level synchronization actions like locking. Which is a good thing–no low level races or deadlocks!
The receiver usually has a choice of synchronous or asynchronous access. It can block until a message is available, or it can peek to see if there is a message waiting. Usually both interfaces are available.
The major choice of paradigms is on the sender’s side.
- In the synchronous model, the sender blocks until the receiver picks up the message. The two have to rendezvous.
- In the asynchronous model, the sender drops the message and continues with its own business.
The synchronous model is used, among others, in CSP (Communicating Sequential Processes) and CML (Concurrent ML). The asynchronous one is used in Concurrent Haskell and in actor-based languages like Erlang or Scala.
Here’s the main argument of the synchronous camp: After calling send the sender has the guarantee that the message has been received by the receiver. The code after send may safely make this assumption. If you’re a believer in RPC (Remote Procedure Call) you’ll love this. Sending a message is just like making a function call, only the work is done in a separate thread.
To which the asynchronous camp answers: Yeah, but what about distribution? In a distributed system, the receiver may be in a different process on a different machine. There may be many reasons why the message doesn’t arrive at the recipient (the recipient is dead? a bulldozer cut the network cable?). In that case the sender will hang forever. The code after send may still assume safe delivery, but it will never be executed.
There is another, more subtle problem with synchronous message passing between machines–a network protocol might deliver messages in different order than they were sent. If the receiver’s code expects a certain sequence of messages, it might block forever if the messages are permuted.
All these problems may be overcome by queuing messages, building sophisticated protocols, and spawning helper threads. But is it really worth the trouble?
Yes, say the synchronous camp, if you want to formally prove the correctness of your programs. With synchronous message passing you can use the theoretical machinery of C.A.R Hoare’s CSP. That’s an important advantage if you are writing your Ph.D. thesis, but maybe less so if you’re maintaining millions of lines of Erlang code.
For my next installment I’m already working on translating Haskell’s MVar’s to Java. This will be fun!
You may vote on this article on reddit.
February 5, 2009
An immutable object never changes. You can bet your program on it. As I explained in my previous post, the same is not true for const objects (or readonly objects, in dialects of Java). They may be changed through mutable aliases. An immutable object has no mutable aliases. Ever!
Small print: this guarantee is predicated on the programmer not overriding the type system with casts and other escape mechanisms.
To my knowledge, immutability is currently available in the D programming language and in a Java dialect called IGJ (Immutability Generic Java). It is the default in functional languages.
The closest you can get to immutability in C++ is by using const as a storage class:
const double pi = 3.141592;
const char ERRORMSG[] = "Your bank went belly up.";
Here, the value of pi or ERRORMSG is guaranteed to never change. Global or static immutable values can be used at compile time (for instance as labels in a switch statement).
Creating Immutable Objects
Defining immutable numbers, arrays, or POD structs is pretty straightforward. But what about more complex objects that don’t have static initializers? How do you create an immutable linked list? In functional languages, lists are treated as built-in types; like arrays in general purpose languages. They can be statically initialized. But in C++ or Java the creation of a list involves memory allocations and reference manipulation. Since, by definition, we can’t manipulate an immutable list, it seems like we can never create one!
How about relaxing the constraints a little to allow mutation inside the constructor of an immutable object. Here’s a hypothetical example of a list in D (the current D compiler doesn’t fully implement immutability, so my examples are written in pseudo-D):
class IntList
{
public:
// default constructor
this() {} // _head is default-initialized to null
// one element constructor
this(int i) {
_head = new IntLink(i); // mutates _head
}
private:
IntLink _head;
}
// will this work?
immutable IntList oneList= new immutable IntList(1);
There is a significant problem with this solution. If this is not considered immutable inside the constructor then there is no guarantee that a mutable reference to this or any of its subobjects won’t escape its scope. Consider this example:
IntLink globalLink; // mutable!
IntList.this(int i) {
_head = new IntLink(i);
globalLink = _head; // escape!
}
immutable IntList immList= new immutable IntList(1);
globalLink.setValue(2); // mutates immList!
Here, an immutable object immList has been mutated through an alias globalLink. We can’t allow this!
It’s true that a compiler could perform escape analysis on the constructor of IntList, provided it has access to its source code; which might not always be true when it’s compiling the statement that creates the immutable object. After all, class IntList might be implemented in a third-party library.
In the absence of source code, the only other possibility is to include immutability information in the type signature of the constructor. When an immutable object is created, the compiler would use an immutable constructor, and it would fail if one didn’t exist. Conversely, an immutable constructor would not compile if it allowed a mutable reference to escape. This bad code would not compile:
IntList.this(int i) immutable {
_head = new IntLink(i);
globalLink = _head; // error!
}
Of course, no mutable methods may be called from inside an immutable constructor–they couldn’t guarantee the non-escape of mutable aliases.
This solution works, even if it’s not perfect. It often leads to code duplication (the immutable constructor being identical to the mutable one, as in the IntList example). Moreover, it prevents some forms of refactoring. Even though, inside an immutable constructor, you may initialize an object’s fields, you can’t delegate this task to a (perforce immutable) method of the object.
Assignment is not the same as Mutation
The key to immutable construction is the observation that, when constructing an immutable object, it’s okay to assign the object’s fields but not to mutate them. During construction only such “shallow” mutation should be possible.
In my example, the assignment to _head is okay, but the mutation of the IntLink object attached to it should be prohibited. Indeed, I don’t need to mutate the head link once it’s constructed. Of course the construction of an immutable IntLink follows the same rules. Here’s the relevant code:
class IntLink
{
this(int i) immutable {
// _next is default-initialized to null
_val = i; // field assignment
}
int _val;
IntLink _next;
}
With this understanding, it’s actually possible to minimize code duplication. To this end, IGJ introduces a new type modifier, AssignFields. A constructor or a method that performs no other mutation but field assignment may be declared AssignFields. Since AssignFields methods and AssignFields constructors can also be used in mutable contexts, they don’t have to be duplicated. Expanding on the above example:
class IntLink
{
this(int i) assignfields {
// _next is default-initialized to null
SetValue(i); // Ok: it's an assignfields method
}
void SetValue(int i) assignfields {
_val = i; // field assignment
}
int _val;
IntLink _next;
}
As you can see, I was even able to refactor the part of the constructor that does the assignment to _val. I can now use the same constructor in both, mutable and immutable, contexts. The SetValue method can only be called in a mutable or assignfields context.
immutable IntLink iLink = new immutable IntLink(1);
IntLink mLink = new IntLink(2);
mLink.SetValue(3);
Subtyping relationships
It is okay to pass an immutable object to a function that expects a const object. After all, such a function will not mutate the object. If a reference to the object escapes the function, it can only be a const reference. And again, const reference cannot be used to mutate the object, so we’re fine.
The compiler will allow this subsumption if we establish that immutable is a subtype of const (more precisely, for any type T, immutable T is a subtype of const T). This is very similar to the compiler allowing the passing a derived class object to a function that accepts a base class objects–the Liskov substitution principle.
The full subtyping hierarchy between various mutability annotations is as follows:
- immutable is a subtype of const: You can pass an immutable object to a function taking a const argument.
- assignfields is a subtype of const: You can call a const method from an assignfields method (subsumption of this).
- mutable is a subtype of assignfields. You can call an assignfields method on a mutable object (as in mLink.SetValue()).
Because of transitivity, mutable is also a subtype of const. You can pass a mutable object to a function that takes a const argument (you do it in C++ without much thinking).
Conclusion
There is some advantage to introducing yet another type modifier, assignfields, to smooth out the process of constructing immutable objects. On the other hand, is it worth additional complexity? How often does one construct non-trivial immutable objects? If it’s not a common programming pattern then maybe we can live with current restrictions and some code duplication. We still have very little experience in using immutable in D, so we might have to wait and see.
Recent news: A video of my talk to the Vancouver C++ Users group was just posted. The black shadow in front of the bright screen talking about memory fences is yours truly.
If you found this post interesting, please register your vote on reddit, so that more people can find it.
January 26, 2009
Why const?
With judicious use of const you can catch many bugs and improve code documentation and maintenance. For me the classic example is reading from and writing to files. Look at these two interfaces in stylized C++:
bool Read(File & file, char * buffer, unsigned & size)
bool Write(File & file, char const * buffer, unsigned const & size);
The first one tells me that the buffer may be modified by the function. In fact, the Read function will most likely write characters into it. It is also allowed to modify the parameter size, putting the number of characters read into it. The incorrect call
Read("abc", 3);
will not compile.
The second declaration promises that the buffer will not be modified and neither will size. So the following (correct) call will compile:
Write("abc", 3);
What’s more, when compiling the implementation of Write, the compiler will ensure that the arguments are not modified (unless the programmer subverts the type system using const_cast).
What does const guarantee? Not much!
This optimistic picture is marred by a few gotchas. You’d think that if you call a function taking a const reference, the object you are passing won’t change (assume there’s no use of const_cast or mutable members). Think again!
- In a multithreaded program, another thread might change the object concurrently. You may avoid this problem by preventing concurrent access using critical sections.
- But even in a single threaded program there is no guarantee the const object won’t change. That’s because there might be a non-const alias to the argument you’re passing. This alias might be accessible to the function either through a global variable, or through another argument. The classic example is copying elements between overlapping ranges. The source for the copy is passed as const, the target as non-const, but if they point at overlapping regions, the source may end up modified.
There is a stronger version of constness that might guarantee immutability. The qualifier is usually called immutable and it’s available in the D programming language and in some dialects of Java. I’ll come back to it later.
- On top of those gotchas, even in a single-threaded C++ program with no aliasing of arguments, a const function argument might get mutated. That’s because constness is shallow–it doesn’t protect indirect data members (pointers or references). See next section.
Transitivity or “deep” const
Consider a list that is defined recursively:
class List {
public:
List * GetNext() const { return _next; }
void SetNext(List * next) { _next = next; }
private:
List * _next;
};
void clip(List const * list) {
List * next = list.GetNext();
if (next)
next.SetNext(0);
}
Function clip takes a const list and blatantly modifies it. That’s because the indirect member, _next, of a const List is not const. C++ constness is not transitive! This fact is reflected in GetNext being a const method and returning a non-const pointer to _next. So even if this is const inside GetNext, indirect parts of this are open to modification.
I always found the non-transitive definition of const counter-intuitive, and made sure that in my code constness was always transitive. For instance, I would implement GetNext to return a const pointer:
List const * GetNext() const { return _next; }
and maybe provide another non-const method that returns a non-const pointer. Notice the need for code duplication in this approach.
The depths of immutability
I have an even larger problem with non-transitive immutability (as opposed to constness). I expect a const method of an immutable object to leave the object unchanged. In particular I expect such method to behave like a pure function (not to be confused with pure virtual function). A pure function returns the same value every time it’s called with the same arguments. I expect the length of an immutable string to never change. Every call to size should return the same value. I would even expect the compiler to eliminate redundant calls to size is such a case. Here’s a hypothetical example:
immutable string("Hello!");
doSomething(string.data(), string.size());
doSomethingElse(string.data(), string.size());
A smart compiler could cache the results of data and size from the first set of calls and reuse them when calling doSomethingElse. However, if immutable is not transitive, such an optimization is incorrect. Just imagine a bizarre implementation of string that stores the length indirectly:
class string {
public:
string(char const * src) {
_length = new unsigned;
*_length = strlen(src);
...
}
unsigned size() const {
++*_length;
return *_length;
}
private:
unsigned * _length;
};
The D-language model
Taking all the above arguments into account, we decided to implement both const and immutable as transitive type modifiers in the D programming language. This enabled a lot of interesting compiler optimizations.
Making const and immutable transitive is essential for D’s support for functional-style programming. It’s important that const methods of an immutable object be pure functions. It’s also important to let the compiler optimize functional-style code, which otherwise tends to be less efficient than its imperative-style equivalent.
Functional programming is one of the safest paradigms for concurrency. Pure functions and immutable objects don’t require locking.
The price of transitivity
Having said that, transitivity of const imposes some constraints on the programming style. It enforces the view that anything reachable from an object is part of the object. When you are given a const linked list, all links in it must necessarily be const. That makes logical sense–the links are part of the list.
The picture gets muddier when the object contains references to some external services. Just by calling them “external,” I’m admitting that they are not part of the object.
Can an object that contains a Windows handle be const? Is it enough that it doesn’t modify the handle itself? Or shouldn’t it also refrain from modifying the window or the file behind the handle? Handles are often implemented as opaque pointers so, strictly speaking, constness should propagate through them. But how do I know which APIs don’t mutate the state of Windows and which do? This is an extreme example, but there are many in-between cases.
In an editor you might have an undo stack that stores editing commands. When you call the undo method of the command object, you may pass it a reference to the document object on which it is to operate. In that case undo may be declared as const. But if you store a reference to the document within each command, the undo method can no longer be const–it modifies the document. The classic Command Pattern uses the latter approach.
It hasn’t been decided yet if and how D will support an escape mechanism from const transitivity (and constness in general). Following C++, D could use the mutable type qualifier for that purpose. This would also solve the problem of memoizing and caching inside a const object.
In the next installment, I’ll describe more complexities of immutability and discuss a dialect of Java that supports immutability constraints.
You can vote for this article on reddit
January 18, 2009
Strong typing–you either love it or hate it! Elaborate type systems catch a lot of programming errors at compile time. On the other hand they impose the burden of type annotation on the programmer, and they sometimes disallow valid programs or force type casting.
In Java there’s been a never-ending discussion about the lack of support for const types. People coming from the C++ background see it as a major flaw. Others would defend Java from constness with their own bodies.
I’m always on the lookout for solutions that let programmers have a cake and eat it too. Pluggable types are just the thing. You want const enforcement? Add a constness plug to your compiler. You want compile time null reference checks? Add another plug.
How is it possible?
Java annotations as type modifiers
Did you know that Java had a system of user-defined annotations (C# has a similar thing)? Annotations start with the @ sign and can be used, for instance, to annotate classes or variables. The Java compiler doesn’t do much with them other then embed them as metadata in class files. They can be retrieved at runtime as part of the reflection mechanism.
I never thought of annotations as more than an ad hoc curiosity until I read Matthew Papi’s Ph.D. thesis, Practical pluggable types for Java. The paper proposes the use annotations to extend the Java type system. This work contributed to the JSR 308 proposal, which allows annotations to appear anywhere types are used. For instance, you could annotate a declaration of an object with the @NonNull qualifier:
@NonNull Object nnObj;
or declare a read-only list of read-only elements:
class UnmodifiableList<T>
implements @ReadOnly List<@ReadOnly T>
{ ... }
What distinguishes such annotations from bona fide comments is that they can be type checked by user-defined checkers. These checkers can be plugged into the compiler and run during compilation. They get access to abstract syntax trees (ASTs) produced by the language parser, so they can also do semantic checks (e.g., detect method calls through a potentially null pointer).
Examples of type system extensions
A simple NonNull checker detects assignments of potentially null objects to non-null objects, as in:
Object obj;
@NonNull Object nnObj = obj; // warning!
The checker must know that the default qualifier is @Nullable (potentially null) and @NonNull is a “subtype” of @Nullable (strinctly speaking, @NonNull T is a subtype of @Nullable T). In fact, simple type annotations of the @Nullable variety may be defined within the program and type-checked by the generic Basic Type Checker provided as part of the type checker framework. For instance, the subtyping relationship may expressed declaratively as:
@TypeQualifier
@SubtypeOf( { Nullable.class } )
public @interface NonNull { }
However, a specialized checker can do more than just check type correctness. The NonNull checker, for instance, issues a warning every time the program tries to dereference a @Nullable object (remember that @Nullable is the default implicit annotation).
An even more useful checker enforces immutability constraints (the generalization of const types). The IGJ checker (Immutability Generic Java) introduces, among others, the following annotations:
- @Mutable: The default. Allows the object to be modified.
- @ReadOnly: An object cannot be modified through this reference. This is analogous to C++ const reference.
- @Immutable: An object may not be modified through any reference (not only the current one). Java Strings are immutable.
Incidentally, similar immutability constraints are built into the type system of the D programming language, except that D’s const and immutable (formerly known as invariant) are transitive.
Try it!
Suppose you are a fan of immutability constraints and you want to try them right now. First, download the JSR 308 compiler and checkers from the pluggable types web site. To compile your annotated program, use the command line:
javac -processor checkers.IGJ.IGJChecker <source-files>
If your program doesn’t obey immutability constraints specified in your source code, you’ll see a bunch of warnings and errors.
Now for the annotations. You might want to do them bottom up:
- Annotate methods that don’t modify this:
void foo() @ReadOnly;
These methods may only call other @ReadOnly methods of the same object (the checker will tell you if you break this rule).
- Annotate arguments that are not modified by a method, e.g.,
void foo(@ReadOnly Bar bar);
- Annotate objects that never change after creation:
@Immutable Bar bar = new @Immutable Bar();
And so on…
You can pass @Immutable as well as @Mutable objects to methods that take @ReadOnly arguments, but not the other way around.
Of course, any attempt to modify a @ReadOnly or @Immutable object will be flagged as error by the checker.
Nullness checker
The nullness checker protects your program from dereferencing uninitialized objects. For instance, you can only call a method or access a property of an object that is typed as @NonNull.
Since the implicit default annotation is @Nullable, the following code will be flagged as an error:
Bar bar;
bar.toString();
There are some interesting issues related to nullness. For instance, during object construction, this cannot be considered @NonNull. Consequently you cannot call regular methods from an object’s constructor. To remedy this situation without compromising the type system, a special annotation @Raw was added. Inside the constructor, this (and all @NonNull subobjects under construction) are considered @Raw. So if you want to call an object’s method from inside its constructor, such method must be annotated @Raw.
Polymorphism
It’s possible to overload functions based on their nullness annotation. For instance, if you know that a function’s argument is @NonNull, you might want to skip a null test:
String stringize(Bar bar)
{
if (bar != null)
return bar.toString();
else
return "";
}
// Specialized version
String stringize(@NonNull Bar bar)
{
return bar.toString();
}
Interestingly, since the compiler does flow analysis, it knows that inside the if statement bar is not null, even though it’s (implicitly) declared as @Nullable, so it won’t flag it as an error. (This is called flow-dependent typing–I implemented something like that in my Dr. Dobb’s article using local variable shadowing.)
Let’s try something more challenging–declaring the identity function, a function that simply returns its argument. The naive declaration
T identity(T x);
has a problem when nullability annotations are in force. Since the default annotation is @Nullable, the above is equivalent to
@Nullable T identity(@Nullable T x);
When called with a @NonNull argument, this function will return a @Nullable result. That’s not good! You can ameliorate this situation by declaring a separate overload:
@NonNull T identity(@NonNull T x);
The problem is that, when you keep adding new kinds of type annotations to your system, the number of overloads of identity starts growing exponentially.
Enter polymorphic annotation @PolyNull. The identity function can pass the nullness annotation through, if you declare it as follows:
@PolyNull T identity(@PolyNull T x);
Amazingly enough, @PolyNull will also work with multiple arguments. Consider the max function:
@PolyNull T max(@PolyNull T x, @PolyNull T y);
Through the magic of type unification, this declaration does the right thing. The nullability annotations of both arguments are unified to the lowest common denominator–the most derived annotation in the subtyping hierarchy to which both types can be implicitly converted. So, if both arguments are @NonNull, their unification is @NonNull, and the result is @NonNull. But if even one of the arguments is @Nullable, then the result is @Nullable. Notice that this declaration covers four possible overloads:
@NonNull T max(@NonNull T x, @NonNull T y);
@NullableT max(@NonNull T x, @NullableT y);
@NullableT max(@NullableT x, @NonNull T y);
@Nullable T max(@NullableT x, @NullableT y);
For non-static methods, the annotation of this may also take part in the unification:
@PolyNull T foo(@PolyNull T x) @PolyNull;
Shortcomings
One of the limitation of user-defined type annotations is that they can’t take part in program optimization. That’s because the type checker is not allowed to modify the AST. (See Walter Bright’s blog in Dr. Dobbs about optimization opportunities based on immutability in the D programming language.)
Acknowledgments
Michael Ernst, who was Matthew Papi’s doctoral adviser, clarified some of the issues for me. Since I’m attending his seminar, I’ll be blogging more about his work.
« Previous Page
Bartosz Milewski's Programming Cafe 