A Step-indexed Semantics of Imperative Objects C t lin Hri cu and - PowerPoint PPT Presentation

R E S V I T I N A U S S S I A S R N A E V I A Step-indexed Semantics of Imperative Objects C � t � lin Hri � cu and Jan Schwinghammer Saarland University, Saarbrücken, Germany Workshop on Foundations of Object-Oriented Languages (FOOL'08) 13 January 2008, San Francisco, California 1

Imperative object calculus [Abadi and Cardelli, ‘96] a, b ::= x | [m d = ς ( x d ) b d ] d ∈ D | a. m | a. m := ς ( x ) b | clone a | λ ( x ) b | a b v ::= { m d = l d } d ∈ D | λ ( x ) b 2

Imperative object calculus [Abadi and Cardelli, ‘96] a, b ::= x | [m d = ς ( x d ) b d ] d ∈ D | a. m | a. m := ς ( x ) b | clone a | λ ( x ) b | a b v ::= { m d = l d } d ∈ D | λ ( x ) b heap stores code recursion dynamic allocation involves heap Obj �∅ , [m= ς ( x ) x. m] . m � − → Inv → � { { l �→ λ ( x ) x. m } } , { m= l } . m � − → Beta → � { { l �→ λ ( x ) x. m } } , ( λ ( x ) x. m) { m= l } � − → Inv → � { { l �→ λ ( x ) x. m } } , { m = l } . m � − → . . . 2

Imperative object calculus [Abadi and Cardelli, ‘96] a, b ::= x | [m d = ς ( x d ) b d ] d ∈ D | a. m | a. m := ς ( x ) b | clone a | λ ( x ) b | a b v ::= { m d = l d } d ∈ D | λ ( x ) b dynamically-allocated, higher-order store + expressive type system • Object types and subtyping • Impredicative second-order types • Recursive types 2

Hard to find good semantic models • For domain-theoretic models ... • Higher-order store • Solving recursive domain equations • + Dynamic allocation - possible-worlds models • Recursively defined functor categories over CPOs • Existing domain-theoretic models [Levi, ’02] [Reus & Schwinghammer, ’06] • Despite being complex are not abstract enough • + Polymorphic values on the heap (impredicative) • No domain-theoretic models known, in general! 3

Types and heap typings • In a set-theoretic term model of our calculus are types just sets of values? • No! Our values depend on the heap, e.g. { m d = l d } d ∈ D • so semantic types depend on heap typings • heap typings are maps from locations to semantic types • Model types as sets of pairs? Type = P ( HeapTyping × CVal ) HeapTyping = Loc ⇀ fin Type • There are no set-theoretic solutions to this! 4

Step-indexed models • Alternative to subject-reduction [Appel & Felty, ‘00] • Simpler machine-checkable proofs of type soundness • Much simpler than the domain-theoretic models • Only based on a small-step operational semantics • Model of types for the lambda calculus with recursive types [Appel & McAllester, ‘01] • Later extended to general references and impredicative polymorphism [Ahmed, ‘04] • We further extended it with object types and subtyping • Used it to prove the soundness of an expressive, standard type system for the imperative object calculus 5

Types and heap typings • Circular definition Type = P ( HeapTyping × CVal ) HeapTyping = Loc ⇀ fin Type • We can solve this by a stratified construction Type k +1 = P ( j ∈ [0 , k ] × HeapTyping j × CVal ) HeapTyping j = Loc ⇀ fin Type j • k -th approximation: ⌊ τ ⌋ k = { � j, Ψ , v � ∈ τ | j < k } • We have that ⌊ τ ⌋ k ∈ Type k • Stratification invariant: • ⌊ α ⌋ k +1 is only defined in terms of and ⌊ Ψ ⌋ k ⌊ τ ⌋ k 6

Semantic approximation • Semantic types are sets of triples • if executes for at least steps without � k, Ψ , v � ∈ τ k v getting stuck in every context of type , for every h : k Ψ τ • Example: � 1 , ∅ , ( λ x. true ) � ∈ Nat → Nat � 2 , ∅ , ( λ x. true ) � �∈ Nat → Nat , C [ · ] = ([ · ] 42) + 2 7

Semantic types • Sequences of increasingly accurate approximations ... 4 3 2 1 0 8

Semantic types • Sequences of increasingly accurate approximations Limit ... 4 3 2 1 0 “False Positives” • In the end we are only interested in the limit • Approximation crucial for well-founded construction + Extremely useful when giving recursive definitions of types 8

State extension • Heaps evolve during computation • Dynamic allocation, no deallocation, weak updates � Heap typings can only “grow” • The precision of our approximation decreases with each reduction step • State extension relation: ( k, Ψ ) ⊑ ( j, Ψ ′ ) • Closure under state extension (Kripke monotonicity) � k, Ψ , v � ∈ α ∧ ( k, Ψ ) ⊑ ( j, Ψ ′ ) ⇒ � j, Ψ ′ , v � ∈ α • Semantic types must be closed under state extension • Possible-worlds model 9

The type of arbitrary terms • For a closed term , iff a a : k, Ψ τ � h , a � → j � h ′ , b � � , for any j < k, h : k Ψ , b, and h ′ ⇒ � k − j, Ψ ′ , b � ∈ τ , for some Ψ ′ such that ( k, Ψ ) ⊑ ( k − j, Ψ ′ ) and h ′ : k − j Ψ ′ • Semantic typing judgement Σ | = a : α ⇔ ∀ k ≥ 0 . ∀ Ψ . ∀ σ : k, Ψ Σ . σ ( a ) : k, Ψ α • Typing open terms; not approximative • This definition directly enforces type safety • Still need to prove the soundness of the typing rules 10

Simple semantic types • Base types Bool � { � k, Ψ , v � | k ∈ N , Ψ ∈ HeapTyping k , v ∈ { true , false }} Nat � { � k, Ψ , n � | k ∈ N , Ψ ∈ HeapTyping k , n ∈ N } • Procedure types α → β � { � k, Ψ , λ ( x ) b � | ∀ j<k. ∀ Ψ ′ . ∀ v. ( k, Ψ ) ⊑ ( j, Ψ ′ ) ∧ � j, v � ∈ α ⇒ { { x �→ v } } ( b ) : j, Ψ ′ β } • Reference types ref τ = { � k, Ψ , l � | ⌊ Ψ ( l ) ⌋ k = ⌊ τ ⌋ k } 11

Object types and subtyping 12

Subtyping • Since types are sets, subtyping is set inclusion • Subtyping forms a lattice on types ⊤ α ∪ β β α α ∩ β ⊥ = ∅ • Simple, but not orthogonal to the other features • e.g. non-trivial interaction with object types 13

Definition of object types • Methods stored in the heap as procedures and self- application semantics of method invocation suggest [m d : τ d ] d ∈ D ≈ µ ( α ) . { m d : ref ( α → τ d ) } d ∈ D • This validates all typing rules for objects • Let α = [ m d : τ d ] d ∈ D (Obj) ∀ d ∈ D. Σ [ x d �→ α ] | = b d : τ d Σ | = a : α (Clone) Σ | = [ m d = ς ( x d ) b d ] d ∈ D : α Σ | = clone a : α (Inv) Σ | = a : α (Upd) Σ | = a : α Σ [ x �→ α ] | = b : τ e e ∈ D e ∈ D = a.m e := ς ( x ) b : α Σ | = a.m e : τ e Σ | • But none of the subtyping rules! 14

Subtyping in width • Object types with more methods are subtypes of object types with less methods • Assuming the same type for the common methods E ⊆ D [ m d : τ d ] d ∈ D ⊆ [ m e : τ e ] e ∈ E [] [ m 2 : α ] [ m 1 : α ] [ m 3 : α ] [ m 1 : α , m 2 : α ] [ m 2 : α , m 3 : α ] 15

Subtyping in width [m d : τ d ] d ∈ D ≈ µ ( α ) . { m d : ref ( α → τ d ) } d ∈ D • Subtyping in width fails because: • positions of recursion variable are invariant • even without reference positions contravariant • they should be covariant! (see below) ∀ d ∈ D. ref ( α → τ d ) ⊆ ref ( β → τ d ) E ⊆ D { m d : ref ( α → τ d ) } d ∈ D ⊆ { m e : ref ( β → τ e ) } e ∈ E α ⊆ β ⇒ µ ( α ) . { m d : ref ( α → τ d ) } d ∈ D ⊆ µ ( β ) . { m e : ref ( β → τ e ) } e ∈ E 16

Subtyping in width • We force covariance for recursion variable using a bounded existential ∀ τ ⊆ α . F ( τ ) ⊆ G ( τ ) α ⊆ β ∃ α ′ ⊆ α .F ( α ′ ) ⊆ ∃ β ′ ⊆ β .G ( β ′ ) [m d : τ d ] d ∈ D ≈ µ ( α ) . ∃ α ′ ⊆ α . { m d : ref ( α ′ → τ d ) } d ∈ D • can be viewed as the “true” type of the object α ′ • Similar to some encodings of the functional obj. calculus [Abadi & Cardelli, ’96] and [Abadi, Cardelli & Viswanathan, ’96] 17

Subtyping in depth • Our methods can be both invoked and updated • They need to be invariant (o) • Still, if we mark methods with their desired variance and restrict invocations and updates accordingly • Covariant subtyping for invoke-only methods (+) • Contravariant subtyping for update-only methods (-) • Moreover, we would like that [m : + α ] [m : − α ] [m : ◦ α ] 18

Extending reference types • However, the usual reference types are invariant ref ◦ τ = { � k, Ψ , l � | ⌊ Ψ ⌋ k ( l ) = ⌊ τ ⌋ k } • The type of the location is precisely known • So both reading and writing are safe at type τ • If we only give a bound on then only one of Ψ ( l ) these operations is safe at a meaningful type • Readable reference type ref + τ = { � k, Ψ , l � | ⌊ Ψ ⌋ k ( l ) ⊆ ⌊ τ ⌋ k } • This is not read-only! • Writable reference types ref − τ = { � k, Ψ , l � | ⌊ τ ⌋ k ⊆ ⌊ Ψ ⌋ k ( l ) } 19

Extending reference types α ⊆ β • Readable reference type is covariant ref + α ⊆ ref + β β ⊆ α • Writable reference type is contravariant ref − α ⊆ ref − β • The usual reference types can actually be defined as , so clearly ref ◦ τ = ref + τ ∩ ref − τ ref + τ ref − τ ref ◦ τ • Not really new [Reynolds, ‘88] [Pierce & Sangiorgi, ’96] 20