OXIDE: THE ESSENCE OF RUST Aaron J. Weiss Northeastern University - - PowerPoint PPT Presentation

OXIDE: THE ESSENCE OF RUST

Aaron J. Weiss Northeastern University

“

Rust’s rich type system and

• wnership model guarantee

memory-safety and thread-safety — enabling you to eliminate many classes of bugs at compile-time. – the official Rust website

BORROW CHECKING

WHAT IS A BORROW CHECKER?

struct State { ../ } fn main() { let mut state = State { ../ }; let init = read_state(&state); update_state(&mut state); let fin = read_state(&state); consume_state(state); /0 cannot use `state` anymore }

WHAT IS A BORROW CHECKER?

struct State { ../ } fn main() { let mut state = State { ../ }; let init = read_state(&state); update_state(&mut state); let fin = read_state(&state); consume_state(state); /0 cannot use `state` anymore } &state

borrow

WHAT IS A BORROW CHECKER?

struct State { ../ } fn main() { let mut state = State { ../ }; let init = read_state(&state); update_state(&mut state); let fin = read_state(&state); consume_state(state); /0 cannot use `state` anymore } &mut state

borrow mutable borrow

WHAT IS A BORROW CHECKER?

struct State { ../ } fn main() { let mut state = State { ../ }; let init = read_state(&state); update_state(&mut state); let fin = read_state(&state); consume_state(state); /0 cannot use `state` anymore } state

move borrow mutable borrow

WHAT IS A BORROW CHECKER?

fn update_state(state: &mut State) { if should_reset(state) { *state = State { ../ }; } else { (*state).count += 1 } }

A BORROW CHECKER IS...

Ownership & Flexible Alias Protection

📗 ✒

⊕

🧿

OXIDE IS OUR EFFORT TO FORMALIZE BORROW CHECKING

OUR EXAMPLE PROGRAM IN OXIDE

struct State { ../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ../ }; let init = read_state:;<'a>(&'a shrd state); update_state:;<'b>(&'b uniq state); let fin = read_state:;<'c>(&'c shrd state); consume_state(state); } }

OUR EXAMPLE PROGRAM IN OXIDE

struct State { ../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ../ }; let init = read_state:;<'a>(&'a shrd state); update_state:;<'b>(&'b uniq state); let fin = read_state:;<'c>(&'c shrd state); consume_state(state); } } shrd uniq shrd

OUR EXAMPLE PROGRAM IN OXIDE

struct State { ../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ../ }; let init = read_state:;<'a>(&'a shrd state); update_state:;<'b>(&'b uniq state); let fin = read_state:;<'c>(&'c shrd state); consume_state(state); } } letprov<'a, 'b, 'c> { } shrd uniq shrd

OUR EXAMPLE PROGRAM IN OXIDE

struct State { ../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ../ }; let init = read_state:;<'a>(&'a shrd state); update_state:;<'b>(&'b uniq state); let fin = read_state:;<'c>(&'c shrd state); consume_state(state); } } 'a 'b 'c letprov<'a, 'b, 'c> { } shrd uniq shrd

OUR EXAMPLE PROGRAM IN OXIDE

struct State { ../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ../ }; let init = read_state:;<'a>(&'a shrd state); update_state:;<'b>(&'b uniq state); let fin = read_state:;<'c>(&'c shrd state); consume_state(state); } } 'a 'b 'c 'a 'b 'c letprov<'a, 'b, 'c> { } shrd uniq shrd

PROVENANCES AS A ‘POINTS-TO’ ANALYSIS

&'a shrd state &'b uniq state

A reference with type…

PROVENANCES AS A ‘POINTS-TO’ ANALYSIS

&'a shrd state &'b uniq state

state

'a

points to A reference with type…

PROVENANCES AS A ‘POINTS-TO’ ANALYSIS

&'a shrd state &'b uniq state

state

'a

points to

state

'b

points to A reference with type…

PROVENANCES AS A ‘POINTS-TO’ ANALYSIS

&'a shrd state &'b uniq state

Γ ::= ∙ | Γ ♮ ℱ ℱ ::= ∙ | ℱ, | ℱ, x : T 'a |-? { p1 … pn }

state

'a

points to

state

'b

points to A reference with type…

struct State { ../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ../ }; let init = read_state :;<'a>(&'a shrd state); update_state :;<'b>(&'b uniq state); let fin = read_state :;<'c>(&'c shrd state); consume_state(state); } }

TYPECHECKING A MOVE EXPRESSION

TYPECHECKING A MOVE EXPRESSION

consume_state(state);

TYPECHECKING A MOVE EXPRESSION

consume_state(state);

state is not aliased Γ(state) = State Δ; Γ ⊢ : state State

struct State { ../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ../ }; let init = read_state :;<'a>(&'a shrd state); update_state :;<'b>(&'b uniq state); let fin = read_state :;<'c>(&'c shrd state); consume_state(state); } }

TYPECHECKING A BORROW EXPRESSION

TYPECHECKING A BORROW EXPRESSION

update_state:;<'b>(&'b uniq state);

TYPECHECKING A BORROW EXPRESSION

update_state:;<'b>(&'b uniq state);

state is not aliased Γ(state) = State Δ; Γ ⊢&'a uniq state : &'a uniq State

TYPECHECKING A BORROW EXPRESSION

update_state:;<'b>(&'b uniq state);

state is not aliased Γ(state) = State Δ; Γ ⊢&'a uniq state : &'a uniq State state is not uniquely aliased Γ(state) = State Δ; Γ ⊢&'a shrd state : &'a shrd State

OWNERSHIP SAFETY: “IS NOT ALIASED”

Δ; Γ ⊢ x ⇒ { … }

Δ; Γ ⊢ x ⇒ { … }

OWNERSHIP SAFETY: “IS NOT ALIASED”

Δ; Γ ⊢ω π ⇒ { p1 … pn }

ω ::= uniq | shrd π ::= x | π . n | π . f

Δ; Γ ⊢ x ⇒ { … }

Δ; Γ ⊢ x ⇒ { … }

OWNERSHIP SAFETY: “IS NOT ALIASED”

Δ; Γ ⊢ω π ⇒ { p1 … pn }

ω ::= uniq | shrd π ::= x | π . n | π . f

places

Δ; Γ ⊢ x ⇒ { … }

Δ; Γ ⊢ x ⇒ { … }

OWNERSHIP SAFETY: “IS NOT ALIASED”

Δ; Γ ⊢ω π ⇒ { p1 … pn }

ω ::= uniq | shrd π ::= x | π . n | π . f

places place expressions

Δ; Γ ⊢ x ⇒ { … }

Δ; Γ ⊢ x ⇒ { … }

THE STORY SO FAR

Γ(state) = State Δ; Γ ⊢ : state State Γ(state) = State Δ; Γ ⊢ &'a shrd state : &'a shrd State Γ(state) = State Δ; Γ ⊢&'a uniq state : &'a uniq State state is not aliased state is not aliased state is not uniquely aliased

THE STORY SO FAR

Γ(state) = State Δ; Γ ⊢ : state State Γ(state) = State Δ; Γ ⊢ &'a shrd state : &'a shrd State Γ(state) = State Δ; Γ ⊢&'a uniq state : &'a uniq State state Δ; Γ ⊢uniq ⇒ { } state state Δ; Γ ⊢uniq ⇒ { } state state Δ; Γ ⊢shrd ⇒ { } state

A BIT OF A SNAG

Γ(state) = State Δ; Γ ⊢ : state State state Δ; Γ ⊢uniq ⇒ { } state

Can we use state again?

A BIT OF A SNAG

Γ(state) = State Δ; Γ ⊢ : state State state Δ; Γ ⊢uniq ⇒ { } state

Can we use state again?

A CONVENTIONAL APPROACH... ?

⊢ Γ ↝ Γ1 ⊞ Γ2

Convention:

A CONVENTIONAL APPROACH... ?

⊢ Γ ↝ Γ1 ⊞ Γ2

Convention: Rust:

struct Point(i32, i32) let pt = Point(5, 6); ../ add_one(pt.0); ../ add_one(pt.1);

AN (UN)CONVENTIONAL APPROACH

Environment passing! Γ(state) = State state Δ; Γ ⊢uniq ⇒ { } state Δ; Γ ⊢ : state State

AN (UN)CONVENTIONAL APPROACH

Environment passing! Γ(state) = State state Δ; Γ ⊢uniq ⇒ { } state Δ; Γ ⊢ : state State

AN (UN)CONVENTIONAL APPROACH

Environment passing! Γ(state) = State state Δ; Γ ⊢uniq ⇒ { } state Δ; Γ ⊢ : state State ⇒ Γ[state |-? State ]

†

Δ; Γ ⊢ : state State

EXAMPLE: PROJECTING OUT OF A TUPLE

EXAMPLE: PROJECTING OUT OF A TUPLE

• ; x : (i32, i32)

EXAMPLE: PROJECTING OUT OF A TUPLE

• ; x : (i32, i32)⊢

EXAMPLE: PROJECTING OUT OF A TUPLE

• ; x : (i32, i32)⊢ x.0 : i32

EXAMPLE: PROJECTING OUT OF A TUPLE

• ; x : (i32, i32)⊢ x.0 : i32 ⇒

EXAMPLE: PROJECTING OUT OF A TUPLE

• ; x : (i32, i32)⊢ x.0 : i32 ⇒ x : (i32, i32)

†

Δ; Γ ⊢ &'a shrd state : &'a shrd State Δ; Γ ⊢ &'a uniq state : &'a uniq State

GOOD FOR PROVENANCE TRACKING, TOO!

Γ(state) = State Γ(state) = State state Δ; Γ ⊢ uniq ⇒ { } state state Δ; Γ ⊢ shrd ⇒ { } state

Δ; Γ ⊢ &'a shrd state : &'a shrd State Δ; Γ ⊢ &'a uniq state : &'a uniq State

GOOD FOR PROVENANCE TRACKING, TOO!

Γ(state) = State Γ(state) = State state Δ; Γ ⊢ uniq ⇒ { } state Δ; Γ ⊢&'a uniq state : &'a uniq State ⇒ Γ['a |-? {state}] state Δ; Γ ⊢ shrd ⇒ { } state

Δ; Γ ⊢ &'a shrd state : &'a shrd State Δ; Γ ⊢ &'a uniq state : &'a uniq State

GOOD FOR PROVENANCE TRACKING, TOO!

Γ(state) = State Γ(state) = State state Δ; Γ ⊢ uniq ⇒ { } state Δ; Γ ⊢&'a uniq state : &'a uniq State ⇒ Γ['a |-? {state}] Δ; Γ ⊢ &'a shrd state : &'a shrd State⇒ Γ['a |-? {state}] state Δ; Γ ⊢ shrd ⇒ { } state

INTRODUCTIONS, IT’S A PLEASURE TO MEET YOU!

struct State { ../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ../ }; let init = read_state :;<'a>(&'a shrd state); update_state :;<'b>(&'b uniq state); let fin = read_state :;<'c>(&'c shrd state); consume_state(state); } }

INTRODUCTIONS, IT’S A PLEASURE TO MEET YOU!

letprov<'a, 'b, 'c> let state = State { ../ };

INTRODUCTIONS, IT’S A PLEASURE TO MEET YOU!

letprov<'a, 'b, 'c> let state = State { ../ };

'a is not in Γ Δ; Γ ⊢letprov<'a> { e } : T ⇒ Γ′ Δ; Γ, e : T ⊢ 'a |-? {} ⇒ Γ′ , 'a |-? {…}

INTRODUCTIONS, IT’S A PLEASURE TO MEET YOU!

letprov<'a, 'b, 'c> let state = State { ../ };

state is not in Γ Δ; Γ ⊢let state = State { ../ }; e : () Δ; Γ, e : T ⊢ state : State state : … Δ; Γ ⊢State { ../ } : State ⇒ Γ ⇒ Γ′ , ⇒ Γ′ 'a is not in Γ Δ; Γ ⊢letprov<'a> { e } : T ⇒ Γ′ Δ; Γ, e : T ⊢ 'a |-? {} ⇒ Γ′ , 'a |-? {…}

SEQUENCING IS STRAIGHTFORWARD

Δ; Γ ⊢e1; e2 : T2 ⇒ Γ2 Δ; Γ ⊢e1 : T1 ⇒ Γ1 Δ; Γ1 ⊢e2 : T2 ⇒ Γ2 Flow environments forward!

'a is not in Γ Δ; Γ ⊢letprov<'a> { e } : T ⇒ Γ′ Δ; Γ, e : T ⊢ 'a |-? {} ⇒ Γ′ , 'a |-? {…} state is not in Γ Δ; Γ ⊢let state = State { ../ }; e : () Δ; Γ, e : T ⊢ state : State state : … Δ; Γ ⊢State { ../ } : State ⇒ Γ ⇒ Γ′ , ⇒ Γ′

SEQUENCING IS STRAIGHTFORWARD

Δ; Γ ⊢e1; e2 : T2 ⇒ Γ2 Δ; Γ ⊢e1 : T1 ⇒ Γ1 Δ; Γ1 ⊢e2 : T2 ⇒ Γ2 Flow environments forward!

'a is not in Γ Δ; Γ ⊢letprov<'a> { e } : T ⇒ Γ′ Δ; Γ, e : T ⊢ 'a |-? {} ⇒ Γ′ , 'a |-? {…} state is not in Γ Δ; Γ ⊢let state = State { ../ }; e : () Δ; Γ, e : T ⊢ state : State state : … Δ; Γ ⊢State { ../ } : State ⇒ Γ ⇒ Γ′ , ⇒ Γ′

SEQUENCING IS STRAIGHTFORWARD

Δ; Γ ⊢e1; e2 : T2 ⇒ Γ2 Δ; Γ ⊢e1 : T1 ⇒ Γ1 Δ; Γ1 ⊢e2 : T2 ⇒ Γ2 Flow environments forward! Environment ordering matters!

BRANCHES CAUSE INFORMATION LOSS

Δ; Γ ⊢if e1 { e2 } else { e3 } : T ⇒ Γ2 ⋓ Γ3 Δ; Γ ⊢ e1 : Bool⇒ Γ1 Δ; Γ1 ⊢e2 : T ⇒ Γ2 Δ; Γ1 ⊢e3 : T ⇒ Γ3

BRANCHES CAUSE INFORMATION LOSS

Δ; Γ ⊢if e1 { e2 } else { e3 } : T ⇒ Γ2 ⋓ Γ3 Δ; Γ ⊢ e1 : Bool⇒ Γ1 Δ; Γ1 ⊢e2 : T ⇒ Γ2 Δ; Γ1 ⊢e3 : T ⇒ Γ3

BRANCHES CAUSE INFORMATION LOSS

Δ; Γ ⊢if e1 { e2 } else { e3 } : T ⇒ Γ2 ⋓ Γ3 Δ; Γ ⊢ e1 : Bool⇒ Γ1 Δ; Γ1 ⊢e2 : T ⇒ Γ2 Δ; Γ1 ⊢e3 : T ⇒ Γ3

if cond { &'a uniq x } else { &'a uniq y } /0 'a |-? {x, y}

BRANCHES CAUSE INFORMATION LOSS

Δ; Γ ⊢if e1 { e2 } else { e3 } : T ⇒ Γ2 ⋓ Γ3 Δ; Γ ⊢ e1 : Bool⇒ Γ1 Δ; Γ1 ⊢e2 : T ⇒ Γ2 Δ; Γ1 ⊢e3 : T ⇒ Γ3

if cond { &'a uniq x } else { &'a uniq y } /0 'a |-? {x, y}

x

'a

y

SOME SIMPLE SUBTYPING

Types can differ in their provenances!

Δ; Γ ⊢T1 <; T2

SOME SIMPLE SUBTYPING

Types can differ in their provenances! Combine provenances when they do!

Δ; Γ ⊢T1 <; T2 ⇒ Γ′

SOME SIMPLE SUBTYPING

Types can differ in their provenances! Combine provenances when they do!

Δ; Γ ⊢T1 <; T2 ⇒ Γ′ Δ; Γ ⊢&'a shrd State <; &'b shrd State ⇒ Γ′ Δ; Γ ⊢'a :? 'b ⇒ Γ′ Δ; Γ ⊢State <; State ⇒ Γ′

SUBTYPING BY EXAMPLE

if cond { &'a uniq x /0 'a |-? {x}, 'b |-? {} } else { &'b uniq y /0 'a |-? {}, 'b |-? {y} } /0 'a |-? {x, y}, 'b |-? {x, y}

ASSIGNMENT “REGAINS” INFORMATION

ASSIGNMENT “REGAINS” INFORMATION

• ; x : i32, y : i32, 'a |-? { x, y }, z : &'a uniq i32 ⊢

ASSIGNMENT “REGAINS” INFORMATION

• ; x : i32, y : i32, 'a |-? { x, y }, z : &'a uniq i32 ⊢

*z :> x : ()

ASSIGNMENT “REGAINS” INFORMATION

• ; x : i32, y : i32, 'a |-? { x, y }, z : &'a uniq i32 ⊢

*z :> x : ()

⇒

ASSIGNMENT “REGAINS” INFORMATION

• ; x : i32, y : i32, 'a |-? { x, y }, z : &'a uniq i32 ⊢

*z :> x : ()

⇒ x : i32, y : i32, 'a |-? { x }, z : &'a uniq i32

FUNCTIONS AND APPLICATION

struct State { ../ } fn main() { letprov<'a, 'b, 'c> { let state = State { ../ }; let init = read_state :;<‘a>(&'a shrd state); update_state :;<'b>(&'b uniq state); let fin = read_state :;<'c>(&'c state); consume_state(state); } }

FUNCTIONS AND APPLICATION

read_state:;<‘a>(&'a shrd state)

FUNCTIONS AND APPLICATION

read_state:;<‘a>(&'a shrd state)

Δ; Γ ⊢read_state:;<'a>(&'a shrd state) : T ⇒ Γ′ read_state : ∀<'p>(&'p shrd State) -? T Δ; Γ ⊢ ⇒ Γf &'a shrd state :&'a shrd State Δ; Γf ⊢ ⇒ Γ′

FUNCTIONS AND APPLICATION

read_state:;<‘a>(&'a shrd state)

Δ; Γ ⊢read_state:;<'a>(&'a shrd state) : T ⇒ Γ′ read_state : ∀<'p>(&'p shrd State) -? T Δ; Γ ⊢ ⇒ Γf &'a shrd state :&'a shrd State Δ; Γf ⊢ ⇒ Γ′ read_state : ∀<'p>(&'p shrd State) -? T Δ; Γ ⊢ ⇒ Γf

FUNCTIONS AND APPLICATION

read_state:;<‘a>(&'a shrd state)

Δ; Γ ⊢read_state:;<'a>(&'a shrd state) : T ⇒ Γ′ read_state : ∀<'p>(&'p shrd State) -? T Δ; Γ ⊢ ⇒ Γf &'a shrd state :&'a shrd State Δ; Γf ⊢ ⇒ Γ′ read_state : ∀<'p>(&'p shrd State) -? T Δ; Γ ⊢ ⇒ Γf Σ; Σ(read_state) = fn update_state<'p>(state: &'p shrd State) -? T { e }

FUNCTIONS AND APPLICATION

read_state:;<‘a>(&'a shrd state)

Δ; Γ ⊢read_state:;<'a>(&'a shrd state) : T ⇒ Γ′ read_state : ∀<'p>(&'p shrd State) -? T Δ; Γ ⊢ ⇒ Γf &'a shrd state :&'a shrd State Δ; Γf ⊢ ⇒ Γ′ Σ; Σ; Σ; read_state : ∀<'p>(&'p shrd State) -? T Δ; Γ ⊢ ⇒ Γf Σ; Σ(read_state) = fn update_state<'p>(state: &'p shrd State) -? T { e }

CLOSURES MOVE THEIR FREE VARIABLES

free-vars(|y: i32| -? i32 { x + y }) = x ℱ

Σ; Δ; Γ ♮ ℱ

Σ; Δ; Γ ⊢|y: i32| -? i32 { x + y } : (i32) -? i32 ⇒ Γ′ ℱ

CLOSURES MOVE THEIR FREE VARIABLES

free-vars(|y: i32| -? i32 { x + y }) = x ℱ

Σ; Δ; Γ ♮ ℱ

Σ; Δ; Γ ⊢|y: i32| -? i32 { x + y } : (i32) -? i32 ⇒ Γ′ ℱ

Σ; Δ; Γ ⊢add_x(5) : i32 ⇒ Γf add_x : (i32) -? i32 Σ; Δ; Γ ⊢ ⇒ Γf 5 : i32 Σ; Δ; Γf ⊢ ⇒ Γf ℱ

LET’S STEP BACK A BIT

REBORROWING

struct Point(i32, i32) letprov<'r, 'x, 'y> { let pt = Point(5, 6); let r = &'r uniq pt; /0 'r |-? { pt } let x = &'x uniq (*r).0; /0 'x |-? { pt, (*r).0 } let y = &'y uniq (*r).1; /0 'y |-? { pt, (*r).1 } r }

REBORROWING

struct Point(i32, i32) letprov<'r, 'x, 'y> { let pt = Point(5, 6); let r = &'r uniq pt; /0 'r |-? { pt } let x = &'x uniq (*r).0; /0 'x |-? { pt, (*r).0 } let y = &'y uniq (*r).1; /0 'y |-? { pt, (*r).1 } r }

Γ ⊢ &'a uniq state : &’a uniq State Γ(pt.0) = i32 (*r).0 Δ; Γ ⊢uniq ⇒ { } pt, (*r).0 Δ; Γ ⊢&'x uniq (*r).0 : &'x uniq Point ⇒ Γ['x |-? { pt, (*r).0 }]

NON-LEXICAL LIFETIMES IN OXIDE

struct Point(i32, i32) fn main() { letprov<'x, 'y> { let pt = Point(6, 9); let x = &'x uniq pt; drop:;<&'x uniq Point>(x); let y = &'y uniq pt; } } drop:;<&'x uniq Point>(x);

NON-LEXICAL LIFETIMES IN OXIDE

struct Point(i32, i32) fn main() { letprov<'x, 'y> { let pt = Point(6, 9); let x = &'x uniq pt; drop:;<&'x uniq Point>(x); let y = &'y uniq pt; } } drop:;<&'x uniq Point>(x); /0 drop:;<&'x uniq Point>(x);

PROVING TYPE SAFETY FOR OXIDE

Progress Preservation

PROVING TYPE SAFETY FOR OXIDE

Σ; ∙ ; Γ ⊢ e : T ⇒ Γ′ Σ ⊢ σ : Γ ∃σ′ , ′ . Σ ⊢ (σ; ) → (σ′ ; ′ ) e e e e is a value, e is an error term, or If and , then Progress Preservation

PROVING TYPE SAFETY FOR OXIDE

Σ; ∙ ; Γ ⊢ e : T ⇒ Γ′ Σ ⊢ σ : Γ ∃σ′ , ′ . Σ ⊢ (σ; ) → (σ′ ; ′ ) e e e e is a value, e is an error term, or If and , then Progress Preservation Σ; ∙ ; Γ ⊢ e : T ⇒ Γ′ Σ ⊢ σ : Γ If , and , then Σ; Γ ⊨ σ Σ ⊢ (σ; ) → (σ′ ; ′ ) e e , , ∃Γi . Σ; ∙ ; Γi ⊢e’ : T ⇒ Γ′ Σ ⊢ σ′ : Γi , , and Σ; Γi ⊨ σ′

ONCE MORE, WITH FEELING

free-vars(|y: i32| -? i32 { x + y }) = x ℱ

Σ; Δ; Γ ♮ ℱ

Σ; Δ; Γ ⊢|y: i32| -? i32 { x + y } : (i32) -? i32 ⇒ Γ′ ℱ

read_state : ∀<'p>(&'p shrd State) -? T Σ; Δ; Γ ⊢ ⇒ Γf Σ(read_state) = fn update_state<'p>(state: &'p shrd State) -? T { e } 'a is not in Γ Σ; Δ; Γ ⊢letprov<'a> { e } : T ⇒ Γ′ Σ; Δ; Γ, e : T ⊢ 'a |-? {} ⇒ Γ′ , 'a |-? {…} state is not in Γ Σ; Δ; Γ ⊢let state = State { ../ }; e : () Σ; Δ; Γ, e : T ⊢ state : State state : … Σ; Δ; Γ ⊢State { ../ } : State ⇒ Γ ⇒ Γ′ , ⇒ Γ′ Σ; Δ; Γ ⊢ e1; e2 : T2 ⇒ Γ2 Σ; Δ; Γ ⊢e1 : T1 ⇒ Γ1 Σ; Δ; Γ1 ⊢e2 : T2 ⇒ Γ2 Γ(state) = State state Δ; Γ ⊢ ω ⇒ { } state Σ; Δ; Γ ⊢&'a ω state : &'a ω State ⇒ Γ['a |-? {state}]

TAKEAWAYS

TAKEAWAYS

OXIDE IS A FORMALIZATION OF BORROW CHECKING

TAKEAWAYS

OXIDE IS A FORMALIZATION OF BORROW CHECKING

BORROW CHECKING COMBINES OWNERSHIP & ALIAS PROTECTION 📗 ✒

⊕

🧿

TAKEAWAYS

OXIDE IS A FORMALIZATION OF BORROW CHECKING

BORROW CHECKING COMBINES OWNERSHIP & ALIAS PROTECTION 📗 ✒

⊕

🧿 👸 BORROW CHECKING IS SAFE