Preventing Cross-Type Aliasing for More Practical Reasoning

To reason about the correctness of a method when cross-type aliases are possible, one must not only consider all possible patterns of aliasing among the method’s arguments, but all possible ways in which these types’ abstract (specification-only) fields may be aliased. Because of the large number of such aliasing possibilities, and because of the complications they cause for reasoning, cross-type aliases make the use of method specifications impractical in reasoning about correctness. Hence, existing work on behavioral subtyping either ignores aliasing or prohibits the use of method specifications in reasoning We present a simple type system that prohibits cross-type aliases, and thus eliminates these problems. The “viewpoint restriction” enforced by this type system supports a less restrictive notion of behavioral subtyping — weak behavioral subtyping. Weak behavioral subtyping allows types with immutable objects (e.g., immutable sequences), to have behavioral subtypes with mutable objects (e.g., mutable arrays). Thus, besides permitting one to reason with method specifications, the viewpoint restriction also permits a more flexible and useful notion of behavioral subtyping.