Object Capabilities and Lightweight Affinity in Scala: Implementation, Formalization, and Soundness

TL;DR

This paper introduces a novel approach to aliasing control in Scala using object capabilities, formalizes it as a sound type system, and demonstrates its practical integration and effectiveness on real-world code.

Contribution

It presents a minimal annotation-based aliasing control method in Scala, formalizes it with a sound type system, and implements it for full language support.

Findings

Minimal annotations needed for aliasing control

Formal proof of soundness for the type system

Empirical evaluation on 75,000 lines of Scala code

Abstract

Aliasing is a known source of challenges in the context of imperative object-oriented languages, which have led to important advances in type systems for aliasing control. However, their large-scale adoption has turned out to be a surprisingly difficult challenge. While new language designs show promise, they do not address the need of aliasing control in existing languages. This paper presents a new approach to isolation and uniqueness in an existing, widely-used language, Scala. The approach is unique in the way it addresses some of the most important obstacles to the adoption of type system extensions for aliasing control. First, adaptation of existing code requires only a minimal set of annotations. Only a single bit of information is required per class. Surprisingly, the paper shows that this information can be provided by the object-capability discipline, widely-used in program security. We formalize our approach as a type system and prove key soundness theorems. The type system is implemented for the full Scala language, providing, for the first time, a sound integration with Scala's local type inference. Finally, we empirically evaluate the conformity of existing Scala open-source code on a corpus of over 75,000 LOC.