20050926-ICFP05.ppt
Download
Report
Transcript 20050926-ICFP05.ppt
A Step-Indexed Model of
Substructural State
Matthew Fluet
Cornell University
Amal Ahmed
Greg Morrisett
Harvard University
A Step-Indexed Model of
Substructural State
Matthew Fluet
Cornell University
Amal Ahmed
Greg Morrisett
Harvard University
Introduction
• Mutable state is here to stay
Sept. 26, 2005
3
Introduction
• Mutable state is here to stay
• high-level – I/O, data structures
• low-level – virtual machines, garbage collector
Sept. 26, 2005
4
Introduction
• Mutable state is hard to control
Sept. 26, 2005
5
Introduction
• Mutable state is hard to control
• C / Java / SML – unrestricted objects
Sept. 26, 2005
6
Introduction
• Mutable state is hard to control
• Various forms of uniqueness have
appeared as a means to “tame” state
Sept. 26, 2005
7
Introduction
• Mutable state is hard to control
• Various forms of uniqueness have
appeared as a means to “tame” state
• Clean – uniqueness types
• I/O operations in a purely-functional language
• Cyclone – unique pointers
• fine-grained memory management
• Vault – unique keys
• resource management protocols
Sept. 26, 2005
8
Introduction
• Mutable state is hard to control
• Various forms of uniqueness have
appeared as a means to “tame” state
• Clean – uniqueness types
• I/O operations in a purely-functional language
• Cyclone – unique pointers
• fine-grained memory management
• Vault – unique keys
• resource management protocols
Sept. 26, 2005
9
Introduction
• Mutable state is hard to control
• Unique objects alone are too restrictive
Sept. 26, 2005
10
Introduction
• Mutable state is hard to control
• Unique objects alone are too restrictive
• Only tree-like data structures
• Only single paths to a unique object
Sept. 26, 2005
11
Introduction
• Mutable state is hard to control
• Unique objects alone are too restrictive
• Only tree-like data structures
• Only single paths to a unique object
fun f () = … lr …
fun g () = … lr …
lr
Sept. 26, 2005
-- unique resource
12
Introduction
• Mutable state is hard to control
• Unique objects alone are too restrictive
• Only tree-like data structures
• Only single paths to a unique object
fun f () = … lr …
fun g () = … lr …
lr
Sept. 26, 2005
-- unique resource
13
Introduction
• Mutable state is hard to control
• Unique objects alone are too restrictive
• Cyclone and Vault allow programs to
store unique objects in shared objects
Sept. 26, 2005
14
Introduction
• Mutable state is hard to control
• Unique objects alone are too restrictive
• Cyclone and Vault allow programs to
store unique objects in shared objects
fun f () = … ls …
Sept. 26, 2005
fun g () = … ls …
ls lr
-- shared object
lr
-- unique resource
15
Introduction
• Mutable state is hard to control
• Unique objects alone are too restrictive
• Cyclone and Vault allow programs to
store unique objects in shared objects
• Safety of mixed objects requires some restrictions
Sept. 26, 2005
16
Introduction
• Mutable state is hard to control
• Unique objects alone are too restrictive
• Cyclone and Vault allow programs to
store unique objects in shared objects
• Safety of mixed objects requires some restrictions
Cyclone and Vault have
different interpretations
of “unique” and “shared”
Sept. 26, 2005
17
Introduction
• Mutable state is hard to control
• Unique objects alone are too restrictive
• Cyclone and Vault allow programs to
store unique objects in shared objects
• Safety of mixed objects requires some restrictions
Cyclone and Vault have
different interpretations
of “unique” and “shared”
Sept. 26, 2005
So, they have different
sets of restrictions
(i.e., type-systems)
18
Introduction
• Mutable state is hard to control
• Unique objects alone are too restrictive
• Cyclone and Vault allow programs to
store How
unique
in shared
doobjects
we compare
andobjects
• Safety
of mixedthese
objectslanguages?
requires some restrictions
evaluate
Cyclone and Vault have
different interpretations
of “unique” and “shared”
Sept. 26, 2005
So, they have different
sets of restrictions
(i.e., type-systems)
19
Introduction
• Mutable state is hard to control
• Unique objects alone are too restrictive
• Cyclone and Vault allow programs to
Canobjects
we generalize
store unique
in shared objects
interpretations
• Safety ofthe
mixed
objects requires some restrictions
and restrictions?
Cyclone and Vault have
different interpretations
of “unique” and “shared”
Sept. 26, 2005
So, they have different
sets of restrictions
(i.e., type-systems)
20
Introduction
• Mutable state is hard to control
• Unique objects alone are too restrictive
• Cyclone and Vault allow programs to
Can
we define
store unique
objects
in shared objects
an expressive
• Safety of mixed
objects requires some restrictions
target language?
Cyclone and Vault have
different interpretations
of “unique” and “shared”
Sept. 26, 2005
So, they have different
sets of restrictions
(i.e., type-systems)
21
Introduction
• We study a core language with
mutable references
Sept. 26, 2005
22
Introduction
• We study a core language with
mutable references
• deallocation of references
• strong (type-varying) updates
• storage of unique objects in shared references
Sept. 26, 2005
23
Introduction
• We study a core language with
mutable references of all qualifiers
Sept. 26, 2005
24
Introduction
• We study a core language with
mutable references of all qualifiers
• Unrestricted – like C / Java / SML
• Affine – like Clean and Cyclone
• Linear – like Vault
Sept. 26, 2005
25
Introduction
• We study a core language with
mutable references of all qualifiers
•
•
•
•
Sept. 26, 2005
Unrestricted – like C / Java / SML
Relevant
Affine – like Clean and Cyclone
Linear – like Vault
26
Introduction
• We study a core language with
mutable references of all qualifiers
•
•
•
•
Sept. 26, 2005
Unrestricted – like C / Java / SML
Relevant
Affine – like Clean and Cyclone
Linear – like Vault
27
Outline
• A Substructural Type System
• … with References
• Model Teaser
Sept. 26, 2005
28
Structural Properties
• Conventional type systems satisfy
• Exchange
• use typing assumptions in any order
• Contraction
• use typing assumptions more than once
• Weakening
• use typing assumptions less than once
Sept. 26, 2005
29
Structural Properties
• Conventional type systems satisfy
• Exchange
• use typing assumptions in any order
• Contraction – Copy
• use typing assumptions more than once
• Weakening – Drop
• use typing assumptions less than once
Sept. 26, 2005
30
Structural Properties
• Substructural type systems fail to satisfy
• Exchange
• use typing assumptions in any order
• Contraction – Copy
• use typing assumptions more than once
• Weakening – Drop
• use typing assumptions less than once
Sept. 26, 2005
31
Structural Properties
• Substructural type systems fail to satisfy
• Exchange
• use typing assumptions in any order
• Contraction – Copy
• use typing assumptions more than once
• Weakening – Drop
• use typing assumptions less than once
Sept. 26, 2005
32
Substructural Qualifiers
Linear
Affine
Relevant
Drop
Copy
Unrestricted
Drop
Sept. 26, 2005
Copy
33
Substructural Qualifiers
Unique objects –
may be “used”
at most once
Linear
Affine
Relevant
Drop
Copy
Unrestricted
Drop
Sept. 26, 2005
Copy
Shared objects –
may be “used”
more than once
34
Substructural Qualifiers
Unique objects –
may be “used”
at most once
Linear
Affine
Relevant
Drop
Copy
Unrestricted
Drop
Sept. 26, 2005
Copy
Shared objects –
may be “used”
more than once
35
Substructural Qualifiers
Unique objects –
may be “used”
at most once
Linear
Affine
Relevant
Drop
Copy
Unrestricted
Drop
Sept. 26, 2005
Copy
Shared objects –
may be “used”
more than once
36
Substructural Qualifiers
Unique objects –
may be “used”
at most once
Linear
Affine
Relevant
Drop
Copy
Unrestricted
Drop
Sept. 26, 2005
Copy
Shared objects –
may be “used”
more than once
37
Substructural Qualifiers
Linear
Affine
Relevant
Drop
Copy
Inessential objects –
may be “used”
less than once
Sept. 26, 2005
Essential objects –
must be “used”
at least once
Unrestricted
Drop
Copy
38
Substructural Qualifiers
Linear
Affine
Relevant
Drop
Copy
Inessential objects –
may be “used”
less than once
Sept. 26, 2005
Essential objects –
must be “used”
at least once
Unrestricted
Drop
Copy
39
Substructural Qualifiers
Linear
Affine
Relevant
Drop
Copy
Inessential objects –
may be “used”
less than once
Sept. 26, 2005
Essential objects –
must be “used”
at least once
Unrestricted
Drop
Copy
40
Substructural Qualifiers
Linear
Affine
Relevant
Drop
Copy
Inessential objects –
may be “used”
less than once
Sept. 26, 2005
Essential objects –
must be “used”
at least once
Unrestricted
Drop
Copy
41
A Substructural Type System
• Qualifiers
q ::= U j R j A j L
• PreTypes
t ::= 1 j t1 t2 j t1 ( t2
• Types
t ::= qt
Sept. 26, 2005
42
A Substructural Type System
• Qualifiers
q ::= U j R j A j L
• PreTypes
t ::= 1 j t1 t2 j t1 ( t2
How may
the value be used?
• Types
t ::= qt
Sept. 26, 2005
43
A Substructural Type System
• Qualifiers
q ::= U j R j A j L
How often may
the value be used?
• PreTypes
t ::= 1 j t1 t2 j t1 ( t2
How may
the value be used?
• Types
t ::= qt
Sept. 26, 2005
44
Copy with Pairs
copy UhLv1,Lv2i ! hUhLv1,Lv2i, UhLv1,Lv2ii
U ( Lt Lt )
1
2
Sept. 26, 2005
U(At At )
1
2
45
Copy with Pairs
copy UhLv1,Lv2i ! hUhLv1,Lv2i, UhLv1,Lv2ii
U ( Lt Lt )
1
2
U(At At )
1
2
hv1, v2i may be used more than once
Sept. 26, 2005
46
Copy with Pairs
copy UhLv1,Lv2i ! hUhLv1,Lv2i, UhLv1,Lv2ii
U ( Lt Lt )
1
2
U(At At )
1
2
hv1, v2i may be used more than once
Sept. 26, 2005
47
Copy with Pairs
copy UhLv1,Lv2i ! hUhLv1,Lv2i, UhLv1,Lv2ii
U ( Lt Lt )
1
2
U(At At )
1
2
v1 and v2 may be used more than once
Sept. 26, 2005
48
Copy with Pairs
copy UhLv1,Lv2i ! hUhLv1,Lv2i, UhLv1,Lv2ii
U ( Lt Lt )
1
2
U(At At )
1
2
v1 and v2 may be used more than once
Sept. 26, 2005
49
Copy with Pairs
copy UhLv1,Lv2i ! hUhLv1,Lv2i, UhLv1,Lv2ii
U ( Lt Lt )
1
2
Sept. 26, 2005
U(At At )
1
2
50
Copy with Pairs
copy UhAv1,Av2i ! hUhAv1,Av2i, UhAv1,Av2ii
U ( Lt Lt )
1
2
Sept. 26, 2005
U(At At )
1
2
51
Copy with Pairs
copy UhUv1,Uv2i ! hUhUv1,Uv2i, UhUv1,Uv2ii
U ( Lt Lt )
1
2
U(Ut Ut )
1
2
Sept. 26, 2005
U(At At )
1
2
52
Drop with Pairs
drop UhLv1,Lv2i ! hi
U ( Lt Lt )
1
2
Sept. 26, 2005
U(Rt Rt )
1
2
53
Drop with Pairs
drop UhLv1,Lv2i ! hi
U ( Lt Lt )
1
2
U(Rt Rt )
1
2
hv1, v2i is not used
Sept. 26, 2005
54
Drop with Pairs
drop UhLv1,Lv2i ! hi
U ( Lt Lt )
1
2
U(Rt Rt )
1
2
hv1, v2i is not used
Sept. 26, 2005
55
Drop with Pairs
drop UhLv1,Lv2i ! hi
U ( Lt Lt )
1
2
U(Rt Rt )
1
2
v1 and v2 are not used
Sept. 26, 2005
56
Drop with Pairs
drop UhLv1,Lv2i ! hi
U ( Lt Lt )
1
2
U(Rt Rt )
1
2
v1 and v2 are not used
Sept. 26, 2005
57
Drop with Pairs
drop UhLv1,Lv2i ! hi
U ( Lt Lt )
1
2
Sept. 26, 2005
U(Rt Rt )
1
2
58
Drop with Pairs
drop UhRv1,Rv2i ! hi
U ( Lt Lt )
1
2
Sept. 26, 2005
U(Rt Rt )
1
2
59
Drop with Pairs
drop UhUv1,Uv2i ! hi
U ( Lt Lt )
1
2
U(Ut Ut )
1
2
Sept. 26, 2005
U(Rt Rt )
1
2
60
… with References
• PreTypes
t ::= … j ref t
• Expressions
e ::= … j new e j free e
e ::= … j read e j write e1 e2 j swap e1 e2
Sept. 26, 2005
61
… with References
• PreTypes
t ::= … j ref t
• Raises design questions:
• What does it mean to copy or drop a ref?
• What operations make sense on different refs?
• What combinations make sense for the qualifier
and contents of a ref?
Sept. 26, 2005
62
Copy & Drop with References
Lv
Lv
copy Ul ! hUl, Uli
Sept. 26, 2005
drop Ul ! hi
U(ref Lt)
U(ref Rt)
U(ref Ut)
U(ref At)
63
Copy & Drop with References
Lv
Lv
copy Ul ! hUl, Uli
U(ref Lt)
U(ref Ut)
Sept. 26, 2005
U(ref Rt)
drop Ul ! hi
l may be used more than once;
but contents are not copied
U(ref At)
64
Copy & Drop with References
Lv
Lv
copy Ul ! hUl, Uli
Sept. 26, 2005
Lv
Lv
drop Ul ! hi
U(ref Lt)
U(ref Rt)
U(ref Ut)
U(ref At)
65
Copy & Drop with References
Lv
Lv
copy Ul ! hUl, Uli
U(ref Lt)
U(ref Rt)
Lv
Lv
drop Ul ! hi
l is not used;
and contents are (implicitly) dropped
U(ref Ut)
U(ref At)
Sept. 26, 2005
66
Copy & Drop with References
Lv
Lv
copy Ul ! hUl, Uli
Sept. 26, 2005
Lv
Lv
drop Ul ! hi
U(ref Lt)
U(ref Rt)
U(ref Ut)
U(ref At)
67
Copy & Drop with References
Lv
Lv
copy Ul ! hUl, Uli
Sept. 26, 2005
Lv
Lv
drop Ul ! hi
U(ref Ut)
U(ref At)
U(ref Lt)
U(ref Rt)
68
Copy & Drop with References
Lv
Lv
copy Ul ! hUl, Uli
Sept. 26, 2005
Lv
Lv
drop Ul ! hi
U(ref Lt)
U(ref Rt)
U(ref Ut)
U(ref At)
69
Copy & Drop with References
Rv
Rv
copy Ul ! hUl, Uli
Sept. 26, 2005
Rv
Rv
drop Ul ! hi
U(ref Lt)
U(ref Rt)
U(ref Ut)
U(ref At)
70
Copy & Drop with References
Uv
Uv
copy Ul ! hUl, Uli
Sept. 26, 2005
Uv
Uv
drop Ul ! hi
U(ref Lt)
U(ref Rt)
U(ref Ut)
U(ref At)
71
Copy & Drop with References
Av
Av
copy Ul ! hUl, Uli
Sept. 26, 2005
Av
Av
drop Ul ! hi
U(ref Lt)
U(ref Rt)
U(ref Ut)
U(ref At)
72
Deallocation
qv
free Ll
free : L(ref t) ! t
free : A(ref t) ! t
free : R(ref t) ! t
free : U(ref t) ! t
Sept. 26, 2005
!
qv
73
Deallocation
qv
free Ll
free : L(ref t) ! t
free : A(ref t) ! t
free : R(ref t) ! t
free : U(ref t) ! t
Sept. 26, 2005
!
qv
74
Deallocation
qv
free Ll
free : L(ref t) ! t
free : A(ref t) ! t
free : R(ref t) ! t
free : U(ref t) ! t
Sept. 26, 2005
!
qv
75
Deallocation
qv
free Ll
free : L(ref t) ! t
free : A(ref t) ! t
free : R(ref t) ! t
free : U(ref t) ! t
Sept. 26, 2005
!
qv
76
Deallocation
qv
free Al
free : L(ref t) ! t
free : A(ref t) ! t
free : R(ref t) ! t
free : U(ref t) ! t
Sept. 26, 2005
!
qv
77
Deallocation
qv
free Ul
free : L(ref t) ! t
free : A(ref t) ! t
free : R(ref t) ! t
free : U(ref t) ! t
Sept. 26, 2005
!
qv
78
Deallocation
qv
free Ul
free : L(ref t) ! t
free : A(ref t) ! t
free : R(ref t) ! t
free : U(ref t) ! t
Sept. 26, 2005
!
qv
79
Deallocation
qv
free Ul
free : L(ref t) ! t
free : A(ref t) ! t
free : R(ref t) ! t
free : U(ref t) ! t
Sept. 26, 2005
!
qv
80
Deallocation
qv
free Rl
free : L(ref t) ! t
free : A(ref t) ! t
free : R(ref t) ! t
free : U(ref t) ! t
Sept. 26, 2005
!
qv
81
Swap
v1
swap ql v2
v2
!
hql, v1i
swap : q(ref t) ! t ! L(q(ref t) t)
swap! : L(ref t1) ! t2 ! L(L(ref t2) t1)
swap! : A(ref t1) ! t2 ! L(A(ref t2) t1)
Sept. 26, 2005
82
Swap
v1
swap ql v2
v2
!
hql, v1i
swap : q(ref t) ! t ! L(q(ref t) t)
swap! : L(ref t1) ! t2 ! L(L(ref t2) t1)
swap! : A(ref t1) ! t2 ! L(A(ref t2) t1)
Sept. 26, 2005
83
Swap
v1
swap ql v2
v2
!
hql, v1i
swap : q(ref t) ! t ! L(q(ref t) t)
swap! : L(ref t1) ! t2 ! L(L(ref t2) t1)
swap! : A(ref t1) ! t2 ! L(A(ref t2) t1)
Sept. 26, 2005
84
Swap
v1
swap ql v2
v2
!
hql, v1i
swap : q(ref t) ! t ! L(q(ref t) t)
swap! : L(ref t1) ! t2 ! L(L(ref t2) t1)
swap! : A(ref t1) ! t2 ! L(A(ref t2) t1)
Sept. 26, 2005
85
Swap
v1
swap Ll v2
v2
!
hLl, v1i
swap : q(ref t) ! t ! L(q(ref t) t)
swap! : L(ref t1) ! t2 ! L(L(ref t2) t1)
swap! : A(ref t1) ! t2 ! L(A(ref t2) t1)
Sept. 26, 2005
86
Swap
v1
swap Ll v2
v2
!
hLl, v1i
swap : q(ref t) ! t ! L(q(ref t) t)
swap! : L(ref t1) ! t2 ! L(L(ref t2) t1)
swap! : A(ref t1) ! t2 ! L(A(ref t2) t1)
Sept. 26, 2005
87
Swap
v1
swap Al v2
v2
!
hAl, v1i
swap : q(ref t) ! t ! L(q(ref t) t)
swap! : L(ref t1) ! t2 ! L(L(ref t2) t1)
swap! : A(ref t1) ! t2 ! L(A(ref t2) t1)
Sept. 26, 2005
88
Operations on Substructural State
Contents and Ops
Ref
U
R
A
L
U
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
R
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
A
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
L
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
shared
unique
Sept. 26, 2005
89
Operations on Substructural State
Contents and Ops
Ref
U
R
A
L
U
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
R
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
A
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
L
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
shared
unique
Sept. 26, 2005
90
Operations on Substructural State
Contents and Ops
Ref
U
R
A
L
U
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
R
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
A
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
L
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
shared
unique
Sept. 26, 2005
91
Operations on Substructural State
Contents and Ops
Ref
U
R
A
L
U
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
R
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
A
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
L
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
shared
unique
Sept. 26, 2005
92
Operations on Substructural State
C Java
SML
Contents and Ops
Ref
U
R
A
L
U
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
R
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
A
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
L
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
shared
unique
Sept. 26, 2005
93
Operations on Substructural State
Clean
Cyclone
Contents and Ops
Ref
U
R
A
L
U
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
R
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
A
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
L
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
shared
unique
Sept. 26, 2005
94
Operations on Substructural State
Vault
Contents and Ops
Ref
U
R
A
L
U
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
R
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
A
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
L
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
shared
unique
Sept. 26, 2005
95
Operations on Substructural State
Contents and Ops
Ref
U
R
A
L
U
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
R
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
A
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
L
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
shared
unique
Sept. 26, 2005
96
Type Safety
• No fundamental difficulty in pursuing a
syntactic proof of type safety
Sept. 26, 2005
97
Type Safety
• No fundamental difficulty in pursuing a
syntactic proof of type safety
• In fact, we have carried out a proof using
the Twelf logical framework, based on the
standard syntactic approach
Sept. 26, 2005
98
Type Safety
• No fundamental difficulty in pursuing a
syntactic proof of type safety
• In fact, we have carried out a proof using
the Twelf logical framework, based on the
standard syntactic approach
• But, syntactic proofs only go so far
Sept. 26, 2005
99
Type Safety
• Type safety of the language may be
proven by showing the soundness of the
typing rules with respect to a model
Sept. 26, 2005
100
Type Safety
• Type safety of the language may be
proven by showing the soundness of the
typing rules with respect to a model
• Simpler typing rules
• Store typing does not appear in judgments
Sept. 26, 2005
101
Type Safety
• Type safety of the language may be
proven by showing the soundness of the
typing rules with respect to a model
• Simpler typing rules
• Stronger meta-theoretic results
• «8a.t¬: forall semantic types, not just syntactic types
Sept. 26, 2005
102
Type Safety
• Type safety of the language may be
proven by showing the soundness of the
typing rules with respect to a model
• Simpler typing rules
• Stronger meta-theoretic results
• Compatible with Appel’s FPCC project
• Well-founded, set-theoretic model amenable to
formalization in higher-order logic
Sept. 26, 2005
103
Type Safety
• Type safety of the language may be
proven by showing the soundness of the
typing rules with respect to a model
•
•
•
•
Simpler typing rules
Stronger meta-theoretic results
Compatible with Appel’s FPCC project
Scales to binary logical relations
for proving equivalence of programs
• [Ahmed POPL’06]
Sept. 26, 2005
104
A Model of Substructural State
• See paper for (many) more details
Sept. 26, 2005
105
A Model of Substructural State
• See paper for (many) more details
• Key insights
Sept. 26, 2005
106
A Model of Substructural State
• See paper for (many) more details
• Key insights
• Local store typings
• types of locations that are sub-exprs of a value
Sept. 26, 2005
107
A Model of Substructural State
• See paper for (many) more details
• Key insights
• Local store typings
• types of locations that are sub-exprs of a value
• Merge of local store typings
• no unique locations in both local store typings
• identical types for shared locations in both
Sept. 26, 2005
108
A Model of Substructural State
• See paper for (many) more details
• Key insights
• Local store typings
• types of locations that are sub-exprs of a value
• Merge of local store typings
• no unique locations in both local store typings
• identical types for shared locations in both
• Step-indexed technique
• [Appel-McAllester ’01], [Ahmed-Appel-Virga ’03]
Sept. 26, 2005
109
Conclusion and Future Work
• Core language, type-system, and model
• framework for comparing high-level designs
• Model more advanced features
• Cyclone – alias construct allows a unique
pointer to be treated as shared for a limited scope
• Vault – focus construct allows a shared object to
be treated as unique for a limited scope
Sept. 26, 2005
110
Sept. 26, 2005
111
Structural Lemmas
• Exchange:
• If G1,x1:t1,x2:t2,G2 ` e : t,
then G1,x2:t2,x1:t1,G2 ` e : t.
• Contraction:
• If G1,x1:tx,x2:tx,G2 ` e : t,
then G1,x:tx,G2 ` e[x/x1][x/x2] : t.
• Weakening:
• If G ` e : t,
then G,x:tx ` e : t.
Sept. 26, 2005
112
Structural Lemmas
• Exchange:
• If G1,x1:t1,x2:t2,G2 ` e : t,
then G1,x2:t2,x1:t1,G2 ` e : t.
• Contraction:
• If G1,x1:tx,x2:tx,G2 ` e : t,
then G1,x:tx,G2 ` e[x/x1][x/x2] : t.
• Weakening:
Duplicate
Discard
• If G ` e : t,
then G,x:tx ` e : t.
Sept. 26, 2005
113
Substructural Qualifiers
Linear
Exch
Affine
Relevant
Exch,Weak
Exch,Cntr
Unrestricted
Exch,Cntr,Weak
Sept. 26, 2005
114
Structural Lemmas Revisited
• Contraction:
• If q ¹ R and G1,x1:qtx,x2:qtx,G2 ` e : t,
then G1,x1:qtx,G2 ` e[x/x1][x/x2] : t.
• Weakening:
• If q ¹ A and G ` e : t,
then G,x:qtx ` e : t.
Sept. 26, 2005
115
Operations on Substructural State
Contents and Ops
Ref
U
R
A
L
U
R
A
L
Sept. 26, 2005
116
Operations on Substructural State
shared
unique
Sept. 26, 2005
117
Operations on Substructural State
Sept. 26, 2005
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
118
Operations on Substructural State
Sept. 26, 2005
119
Operations on Substructural State
Contents and Ops
Ref
U
R
A
L
U
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
R
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
A
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
L
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
new free
swap!
read write!
shared
unique
Sept. 26, 2005
120
A Model of Substructural State
• Model a type as a set of tuples
of qualifier, value, and local store typing
«t¬ ::= { (q,v,y), …}
• Model a local store typing as a partial map
from locations to qualifiers and types
y ::= { l → (q,«t¬), … }
Sept. 26, 2005
121
A Model of Substructural State
• Model a type as a set of tuples
Type = (Qual £ Value £ LocalStore)
• Model a local store typing as a partial map
LocalStore = Locs ! (Qual £ Type)
Sept. 26, 2005
122
A Model of Substructural State
• Model a type as a set of tuples
Type = (Qual £ Value £ LocalStore)
• Model a local store typing as a partial map
LocalStore = Locs ! (Qual £ Type)
Sept. 26, 2005
123
A Model of Substructural State
• Model a type as a set of tuples
Type = (Qual £ Value £ LocalStore)
• Model a local store typing as a partial map
LocalStore = Locs ! (Qual £ Type)
• Cardinality problem is handled by stratifying
definitions with “# of steps to run the program”
• [Appel-McAllester ’01], [Ahmed-Appel-Virga ’03]
Sept. 26, 2005
124
A Model of Substructural State
• Model a type as a set of tuples
of qualifier, value, and local store typing
• Model a local store typing as a partial map
from locations to qualifiers and types
• Local store y of a value v only defined on those
locations that appear as sub-expressions of v
Sept. 26, 2005
125
A Model of Substructural State
• Model a type as a set of tuples
of qualifier, value, and local store typing
• Model a local store typing as a partial map
from locations to qualifiers and types
• Local store y of a value v only defined on those
locations that appear as sub-expressions of v
• Further restrictions to rule out references
Sept. 26, 2005
126
A Model of Substructural State
• Why only a local store typing?
Sept. 26, 2005
127
A Model of Substructural State
• Why only a local store typing?
hx, yi
l1
Sept. 26, 2005
l2
L
l3
U
l4
A
L
128
A Model of Substructural State
• Why only a local store typing?
• A global store typing …
hx, yi
Y = Yx = Yy = Yl1 = Yl2 = …
l1
l9
Sept. 26, 2005
L
l2
L
l3
U
l4
A
L
129
A Model of Substructural State
• Why only a local store typing?
• A global store typing does not distinguish the “real”
occurrence of a unique reference
hx, yi
Y = Yx = Yy = Yl1 = Yl2 = …
l1
l9
Sept. 26, 2005
L
l2
L
l3
U
l4
A
L
130
A Model of Substructural State
• Why only a local store typing?
• A “reachable” store typing …
hx, yi
Yx
l1
Sept. 26, 2005
l2
L
l3
U
l4
A
L
131
A Model of Substructural State
• Why only a local store typing?
• A “reachable” store typing …
hx, yi
Yy
l1
Sept. 26, 2005
l2
L
l3
U
l4
A
L
132
A Model of Substructural State
• Why only a local store typing?
• A “reachable” store typing …
hx, yi
Yx
l1
Sept. 26, 2005
Yy
l2
L
l3
U
l4
A
L
133
A Model of Substructural State
• Why only a local store typing?
• A “reachable” store typing does not distinguish
shared and exclusive unique references
hx, yi
Yx
l1
Sept. 26, 2005
Yy
l2
L
l3
U
l4
A
L
134
A Model of Substructural State
• Why only a local store typing?
• A “reachable” store typing does not distinguish
shared and exclusive unique references
hx, yi
l1
l2
L
L
Yl1
Sept. 26, 2005
l3
U
l4
A
135
A Model of Substructural State
• Why only a local store typing?
• A “reachable” store typing does not distinguish
shared and exclusive unique references
hx, yi
l1
l2
L
L
Yl2
Sept. 26, 2005
l3
U
l4
A
136
A Model of Substructural State
• Why only a local store typing?
• A “reachable” store typing does not distinguish
shared and exclusive unique references
hx, yi
l1
Yl3
Sept. 26, 2005
l2
L
l3
U
l4
A
L
137
A Model of Substructural State
• Local store typing
hx, yi
yx
l1
Sept. 26, 2005
yy
l2
L
l3
U
l4
A
L
138
A Model of Substructural State
• Local store typing
hx, yi
yx
l1
yy
l2
L
yl2
yl1
yl3
Sept. 26, 2005
L
l3
U
l4
A
139
A Model of Substructural State
• Local store typing
• Storing a unique object in a shared reference
• “hides” the unique object
hx, yi
yx
l1
yy
l2
L
yl2
yl1
yl3
Sept. 26, 2005
L
l3
U
l4
A
140
A Model of Substructural State
• Local store typing
• Storing a unique object in a shared reference
• the unique object becomes local to the reference
hx, yi
yx
l1
yy
l2
L
yl2
yl1
yl3
Sept. 26, 2005
L
l3
U
l4
A
141
A Model of Substructural State
• Local store typing
• Storing a unique object in a shared reference
• the unique object becomes local to the reference
hx, yi
y
y
When does
a global store
s
satisfy a local
y?
L store l typing
L
l
x
y
1
2
yl2
yl1
yl3
Sept. 26, 2005
l3
U
l4
A
142
Store Satisfaction
s:y
when
• there exists a set of locations
• reachable from dom(y)
• such that the local store typings of all reachable
locations merge in a compatible manner
• into a global store typing that describes the store
Sept. 26, 2005
143
Store Satisfaction
s:y
when
• there exists a set of locations
• reachable from dom(y)
• such that the local store typings of all reachable
locations merge in a compatible manner
• into a global store typing that describes the store
A unique location may not
appear more than once
Sept. 26, 2005
144
Store Satisfaction
s:y
when
• there exists a set of locations
• reachable from dom(y)
• such that the local store typings of all reachable
locations merge in a compatible manner
• into a global store typing that describes the store
A shared location must
appear with the same type
Sept. 26, 2005
145
Store Satisfaction
s:y
when
• there exists a set of locations
• reachable from dom(y)
• such that the local store typings of all reachable
locations merge in a compatible manner
• into a global store typing that describes the store
• Similar to a Garbage Collector
Sept. 26, 2005
146
Store Satisfaction
s:y
when
These are the roots
• there exists a set of locations
• reachable from dom(y)
• such that the local store typings of all reachable
locations merge in a compatible manner
• into a global store typing that describes the store
• Similar
Sept. 26, 2005
These are the child locations
traced from the contents
to of
a aGarbage
Collector
reachable location
147