20050225-NEPLS.ppt

Transcript 20050225-NEPLS.ppt

A Model of
Substructural State
Matthew Fluet
Cornell University
Introduction
• Forms of “uniqueness” are appearing in programming languages
  • Cyclone – affine pointers, which may be discarded, but not duplicated
    • allow fine-grained memory management
  • Vault – linear keys, which may be neither discarded nor duplicated
    • enforce resource management protocols
  • C / Java / SML – unrestricted objects that may be both discarded and duplicated
Feb. 25, 2005
Introduction
• But programming with only unique objects is much too painful
  • Both Cyclone and Vault allow a programmer to put unique objects in shared objects
  • Impose a variety of restrictions to ensure that these mixed objects behave in a safe manner
Introduction
• Natural to study a core language with mutable references of all flavors
Qualifiers
The four qualifiers, arranged by the structural operations each permits:

  Qualifier      Discard   Duplicate
  Linear         no        no
  Affine         yes       no
  Relevant       no        yes
  Unrestricted   yes       yes

• Unique objects (Linear, Affine) – may be “used” at most once
• Shared objects (Relevant, Unrestricted) – may be copied
• Must be “used” at least once: Linear, Relevant
• May be dropped: Affine, Unrestricted
Introduction
• Natural to study a core language with mutable references of all qualifiers
• Raises design questions:
  • What does it mean to copy or drop a ref?
  • What operations make sense on different refs?
  • What combinations of qualifiers for a reference and its contents make sense?
  • Can one construct a reasonable model for such a language?
Outline
• A Substructural Type System
• … with References
• Model Teaser
A Substructural Type System
• Qualifiers
  q ::= U | R | A | L
• PreTypes
  τ̄ ::= 1 | τ1 ⊗ τ2 | τ1 ⊸ τ2
• Types
  τ ::= q τ̄
A Substructural Type System
• Non-examples
  • U(Aτ1 ⊗ Aτ2), U(Rτ1 ⊗ Rτ2), U(Lτ1 ⊗ Lτ2)
  • copy ⟨v1,v2⟩ → ⟨⟨v1,v2⟩,⟨v1,v2⟩⟩
    v1 and v2 may be used more than once
  • drop ⟨v1,v2⟩ → ⟨⟩
    v1 and v2 are not used
… with References
• PreTypes
  τ̄ ::= … | ref τ
… with References
• Examples?
  • U(ref Uτ), U(ref Rτ), U(ref Aτ), U(ref Lτ)
  • copy ℓ → ⟨ℓ,ℓ⟩
    ℓ may be used more than once;
    but contents are not copied
  • drop ℓ → ⟨⟩
    ℓ is not used;
    and contents are dropped
Operations on Substructural State
Operations on the reference itself (by the qualifier of the ref) and on its contents (by the qualifier of the contents):

  Ref   Ops on the ref                       Contents U         Contents R   Contents A    Contents L
  U     new, weak updates (shared)           read, write, swap  read, swap   write, swap   swap
  R     new, weak updates (shared)           read, write, swap  read, swap   write, swap   swap
  A     new, free, strong updates (unique)   read, write, swap  read, swap   write, swap   swap
  L     new, free, strong updates (unique)   read, write, swap  read, swap   write, swap   swap

The contents columns follow from the operational rules: read leaves the contents in the cell and also returns them, so it duplicates them (only U or R contents); write discards the old contents (only U or A contents); swap moves the old contents out and the new ones in, so it neither duplicates nor discards and is permitted for every contents qualifier.
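The qualifier lattice, the container/contents check behind the non-examples, the reference-operation table and the new/free/rd/wr/sw rules, as an added Python example. This is not code from Fluet's slides: the tuple encoding of types and the names leq, well_formed, ref_ops and Store are this example's own choices, and the Store class performs the table's checks dynamically, where the paper's type system performs them statically.

```python
# Added example: a small checker for substructural qualifiers and references.
# Not from Fluet's slides; the tuple encoding of types and the names below are
# this example's own choices. Qualifiers: U, R (relevant), A (affine), L (linear).

# Which structural rules each qualifier admits (exchange is always available).
CAN_DUP = {"U": True, "R": True, "A": False, "L": False}   # contraction
CAN_DROP = {"U": True, "R": False, "A": True, "L": False}  # weakening


def leq(q1, q2):
    """q1 ⪯ q2 in the lattice U ⪯ {R, A} ⪯ L: q1 admits every rule q2 admits.
    Contraction needs q ⪯ R, weakening needs q ⪯ A."""
    return CAN_DUP[q1] >= CAN_DUP[q2] and CAN_DROP[q1] >= CAN_DROP[q2]


# Types are tuples: (q, "unit"), (q, "pair", t1, t2), (q, "fun", t1, t2), (q, "ref", t).
def well_formed(ty):
    """A container's qualifier must dominate each component's: copying or
    dropping U(Aτ1 ⊗ Aτ2) would copy or drop the affine components. A
    reference is exempt: copying ℓ does not copy its contents."""
    q, head, *args = ty
    if head == "pair":
        return all(leq(t[0], q) and well_formed(t) for t in args)
    if head in ("ref", "fun"):   # fun: no closure-capture check in this toy
        return all(well_formed(t) for t in args)
    return head == "unit"


def ref_ops(ref_q, contents_q):
    """Operations permitted on a ref_q(ref contents_q τ) cell."""
    ops = {"new", "swap"}                      # sw moves old out, new in: no copy, no drop
    if CAN_DUP[ref_q]:                         # shared cell: aliases may exist
        ops.add("weak updates")
    else:                                      # unique cell: nobody else holds ℓ
        ops |= {"free", "strong updates"}
    if CAN_DUP[contents_q]:
        ops.add("read")                        # rd returns v and leaves v in the cell
    if CAN_DROP[contents_q]:
        ops.add("write")                       # wr discards the old contents
    return ops


class Store:
    """σ ::= {ℓ ↦ v}. Each cell also records its qualifiers so the operational
    rules below can refuse an operation the table forbids."""

    def __init__(self):
        self.cells = {}   # ℓ ↦ (ref qualifier, contents qualifier, v)
        self.fresh = 0

    def _check(self, loc, op):
        ref_q, contents_q, _ = self.cells[loc]
        if op not in ref_ops(ref_q, contents_q):
            raise TypeError(f"{op} is not permitted on {ref_q}(ref {contents_q}τ)")

    def new(self, ref_q, contents_q, v):       # (σ, new v) → (σ ⊎ {ℓ ↦ v}, ℓ)
        loc, self.fresh = self.fresh, self.fresh + 1
        self.cells[loc] = (ref_q, contents_q, v)
        return loc

    def free(self, loc):                       # (σ ⊎ {ℓ ↦ v}, free ℓ) → (σ, v)
        self._check(loc, "free")
        return self.cells.pop(loc)[2]

    def rd(self, loc):                         # (σ ⊎ {ℓ ↦ v}, rd ℓ) → (σ ⊎ {ℓ ↦ v}, ⟨ℓ, v⟩)
        self._check(loc, "read")
        return loc, self.cells[loc][2]

    def wr(self, loc, v2):                     # (σ ⊎ {ℓ ↦ v1}, wr ℓ v2) → (σ ⊎ {ℓ ↦ v2}, ℓ)
        self._check(loc, "write")
        ref_q, contents_q, _ = self.cells[loc]
        self.cells[loc] = (ref_q, contents_q, v2)
        return loc

    def sw(self, loc, v2):                     # (σ ⊎ {ℓ ↦ v1}, sw ℓ v2) → (σ ⊎ {ℓ ↦ v2}, ⟨ℓ, v1⟩)
        self._check(loc, "swap")
        ref_q, contents_q, v1 = self.cells[loc]
        self.cells[loc] = (ref_q, contents_q, v2)
        return loc, v1


if __name__ == "__main__":
    s = Store()
    key = s.new("U", "L", "capability")        # an unrestricted cell holding a linear value
    print(ref_ops("U", "L"))                   # only new, weak updates, swap
    print(s.sw(key, "next-capability"))        # swap is the one way to get the linear value out
```

The dynamic checks make the slide's reasoning concrete: the only way to take a linear value out of a shared cell is to swap something of the same type back in, which is exactly why U(ref Lτ) is admissible while U(Lτ1 ⊗ Lτ2) is not.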
A Model of Substructural State
• Model a type as a set of tuples of qualifier, value, and local store type
  ⟦τ⟧ ::= { (q, v, ψ), … }
• Model a local store type as a partial map from locations to qualifiers and types
  ψ ::= { ℓ ↦ (q, ⟦τ⟧), … }
• Local store type of v only defined on those locations that appear as sub-expressions of v
• Further restrictions to rule out  stores
A Model of Substructural State
• Why only a local store type?
  • Storing a unique object in a shared reference “hides” the unique object
  • Using the global store – difficult to identify the “real” occurrence of a unique location
A Model of Substructural State
• How can we check that a global store satisfies a local store type?
• Use a Garbage Collector
Store Satisfaction
A store σ satisfies a local store type ψ; illustrated with
  σ = {ℓ1 ↦ v1, ℓ2 ↦ v2, ℓ3 ↦ v3, ℓ4 ↦ v4, ℓ5 ↦ v5, ℓ6 ↦ v6, ℓ7 ↦ v7, ℓ8 ↦ v8, ℓ9 ↦ v9}
  ψ = {ℓ1 ↦ τ1, ℓ2 ↦ τ2, ℓ3 ↦ τ3}
• dom(ψ) = {ℓ1, ℓ2, ℓ3}: these are the roots
• if there exists a set of locations N = {ℓ4, ℓ5, ℓ6, ℓ7, ℓ9}: these are the non-roots
• and local store types ψℓ (ℓ ∈ dom(ψ) ⊎ N): these are the child locations traced from the contents of ℓ
• that merge: Ψ* = ψ ⊎ ⨄_{ℓ ∈ dom(ψ) ⊎ N} ψℓ, the global store type
    {ℓ1 ↦ τ1, ℓ2 ↦ τ2, ℓ3 ↦ τ3, ℓ4 ↦ τ4, ℓ5 ↦ τ5, ℓ6 ↦ τ6, ℓ7 ↦ τ7, ℓ9 ↦ τ9}
  • the local store types are compatible (non-contradictory)
  • don’t trace a unique location more than once
• to describe the store: σ : Ψ*, i.e.
    ℓ1 ↦ v1 : τ1, ℓ2 ↦ v2 : τ2, ℓ3 ↦ v3 : τ3, ℓ4 ↦ v4 : τ4, ℓ5 ↦ v5 : τ5, ℓ6 ↦ v6 : τ6, ℓ7 ↦ v7 : τ7, ℓ9 ↦ v9 : τ9
  • ℓ8 ↦ v8 is not reached from the roots, so Ψ* does not describe it (it is garbage)
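Store satisfaction as a trace from the roots, as an added Python example. This is not code from the slides: Loc, local_store, merge, satisfies, unreached, the tuple encoding of types and the sample store are this example's own. It merges the local store types found while tracing, rejects contradictory ones, and refuses to trace a unique location twice, which is how a hidden alias of an affine or linear cell is caught.

```python
# Added example: check that a global store σ satisfies a local store type ψ by
# tracing from the roots, GC-style. Not from Fluet's slides; the names and the
# tuple encoding of types are this example's own. Types are
#   (q, "unit") | (q, "pair", τ1, τ2) | (q, "ref", τc)
# and ψ maps a location to (qualifier of the cell, type of its contents).
from dataclasses import dataclass


@dataclass(frozen=True)
class Loc:
    n: int


UNIQUE = {"A", "L"}   # qualifiers that may not be duplicated


def merge(psi1, psi2):
    """ψ1 ⊎ ψ2: union of local store types that must not contradict each other.
    A unique location may occur in at most one of them (no hidden alias)."""
    out = dict(psi1)
    for loc, (q, tau) in psi2.items():
        if loc in out:
            if q in UNIQUE:
                raise TypeError(f"unique location {loc} reached twice")
            if out[loc] != (q, tau):
                raise TypeError(f"contradictory store types for {loc}")
        out[loc] = (q, tau)
    return out


def local_store(v, tau):
    """ψ_v: the locations occurring in v, each with the qualifier and contents
    type its (sub)type assigns. Raises if v does not have the shape of tau."""
    q, head, *args = tau
    if head == "ref":
        if not isinstance(v, Loc):
            raise TypeError(f"expected a location of type {tau}, got {v!r}")
        return {v: (q, args[0])}
    if head == "pair":
        if not (isinstance(v, tuple) and len(v) == 2):
            raise TypeError(f"expected a pair, got {v!r}")
        return merge(local_store(v[0], args[0]), local_store(v[1], args[1]))
    if head == "unit":
        if v != ():
            raise TypeError(f"expected (), got {v!r}")
        return {}
    raise ValueError(head)


def satisfies(sigma, psi):
    """Return Ψ* = ψ ⊎ ⨄ ψ_ℓ over ℓ ∈ dom(ψ) ⊎ N if σ satisfies ψ, else raise.
    dom(ψ) are the roots; the non-roots N are discovered by tracing."""
    global_psi = dict(psi)
    worklist = list(psi)
    traced = set()
    while worklist:
        loc = worklist.pop()
        if loc in traced:          # a shared location seen again: already merged
            continue
        traced.add(loc)
        if loc not in sigma:
            raise TypeError(f"dangling location {loc}")
        _, tau_contents = global_psi[loc]
        psi_loc = local_store(sigma[loc], tau_contents)   # children of ℓ
        global_psi = merge(global_psi, psi_loc)
        worklist.extend(psi_loc)
    return global_psi


def unreached(sigma, global_psi):
    """Locations in σ that Ψ* does not describe: garbage the collector may reclaim."""
    return set(sigma) - set(global_psi)


# Constructed sample store: ℓ1 and ℓ2 both hold the shared cell ℓ4; ℓ8 is garbage.
UNIT = ("U", "unit")
L1, L2, L3, L4, L8 = (Loc(i) for i in (1, 2, 3, 4, 8))
SAMPLE_SIGMA = {L1: (L4, ()), L2: L4, L3: (), L4: (), L8: ()}
SAMPLE_PSI = {L1: ("U", ("U", "pair", ("U", "ref", UNIT), UNIT)),
              L2: ("A", ("U", "ref", UNIT)),
              L3: ("L", UNIT)}
# Same store, but ψ now claims ℓ4 is an affine cell: reachable from two roots, so rejected.
BAD_PSI = {L1: ("L", ("L", "pair", ("A", "ref", UNIT), UNIT)),
           L2: ("L", ("A", "ref", UNIT))}

if __name__ == "__main__":
    print(satisfies(SAMPLE_SIGMA, SAMPLE_PSI))
    print(unreached(SAMPLE_SIGMA, satisfies(SAMPLE_SIGMA, SAMPLE_PSI)))
```

The worklist is the collector's mark phase; the merge is where the substructural discipline enters, since a conventional collector is happy to reach an object twice, whereas here a second path to an affine or linear cell means the unique object has been duplicated somewhere the local store types cannot see.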
Conclusion and Future Work
• Core language, type-system, and model
• Model more advanced features
  • Cyclone – alias construct allows a unique pointer to be treated as shared for a limited scope
  • Vault – focus construct allows a shared object to be treated as unique for a limited scope
Structural Lemmas
• Exchange:
  • If Γ1, x1:τ1, x2:τ2, Γ2 ⊢ e : τ,
    then Γ1, x2:τ2, x1:τ1, Γ2 ⊢ e : τ.
• Contraction (Duplicate):
  • If Γ1, x1:τx, x2:τx, Γ2 ⊢ e : τ,
    then Γ1, x:τx, Γ2 ⊢ e[x/x1][x/x2] : τ.
• Weakening (Discard):
  • If Γ ⊢ e : τ,
    then Γ, x:τx ⊢ e : τ.
Qualifiers
Structural rules admitted by each qualifier:
• Linear – Exch
• Affine – Exch, Weak
• Relevant – Exch, Cntr
• Unrestricted – Exch, Cntr, Weak
Structural Lemmas Revisited
• Contraction:
  • If q ⪯ R and Γ1, x1:qτx, x2:qτx, Γ2 ⊢ e : τ,
    then Γ1, x:qτx, Γ2 ⊢ e[x/x1][x/x2] : τ.
• Weakening:
  • If q ⪯ A and Γ ⊢ e : τ,
    then Γ, x:qτx ⊢ e : τ.
Operational Semantics
σ ::= {ℓ1 ↦ v1, …, ℓn ↦ vn}
(σ, new v) → (σ ⊎ {ℓ ↦ v}, ℓ)
(σ ⊎ {ℓ ↦ v}, free ℓ) → (σ, v)
(σ ⊎ {ℓ ↦ v}, rd ℓ) → (σ ⊎ {ℓ ↦ v}, ⟨ℓ, v⟩)
(σ ⊎ {ℓ ↦ v1}, wr ℓ v2) → (σ ⊎ {ℓ ↦ v2}, ℓ)
(σ ⊎ {ℓ ↦ v1}, sw ℓ v2) → (σ ⊎ {ℓ ↦ v2}, ⟨ℓ, v1⟩)
A Model of Substructural State
• Model a type as a set of tuples
  PreType = ℘(Qual × Value × LocStore)
  Type = PreType
• Model a local store type as a partial map
  LocStore = Locs → (Qual × Type)?
• Cardinality problem is handled by stratifying definitions with “# of steps to run the program”

A Model of Substructural State
PreType = { χ ∈ ℘(Qual × Value × LocStore) |
            for all (q, v, ψ) ∈ χ, each location in ψ is mapped to a qualifier ⪯ q }
Type = { χ ∈ PreType | all qualifiers in χ are the same }
LocStore = { ψ ∈ Locs → (Qual × Type)? |
             each location is mapped to a type consistent with the location’s qualifier }