“Typing-by-encoding” A reductionistic approach to building type systems Fran¸ cois Pottier Francois.Pottier@inria.fr Fran¸ cois Pottier July 2000
Overview • What is “typing-by-encoding”? • Encoding exceptions into sums (folklore). • Encoding Java-like stack inspection into sets (with S. Smith & C. Skalka). • Encoding information flow into labels (with S. Conchon). Fran¸ cois Pottier July 2000
“Typing-by-encoding” Assumptions: • A target calculus, with reduction → and administrative reduction → ∼ . • A source calculus, with reduction → . • A translation � · � from the latter to the former. • Soundness: e → e ′ implies � e � → ⋆ · ⋆ ∼ ← � e ′ � . • Completeness: If e is stuck, then � e � goes wrong. So far, everything is untyped . Fran¸ cois Pottier July 2000
A “type system factory” Then, any type system for the target calculus which satisfies • Subject Reduction: If e : t and e → f , then f : t . • Progress: No stuck expression is well-typed. • Administrative Subject Expansion: If f : t and f ∼ ← e , then e : t . gives rise to a type system for the source calculus, which satisfies Subject Reduction and Progress, defined by e : t ⇐ ⇒ � e � : t Fran¸ cois Pottier July 2000
(Core) ML Values v ::= λx.e Expressions e ::= x | λx.e | e e | let x = e in e ( λx.e ) v → e [ v/x ] let x = v in e → e [ v/x ] E [ e ′ ] when e → e ′ E [ e ] → E ::= [] | E e | v E | let x = E in e Fran¸ cois Pottier July 2000
ML+exceptions Values v ::= . . . | raise | try e Expressions e ::= . . . | raise | try e Answers a ::= v | raise v U [raise v ] → raise v when U � = [] try (raise v 1 ) v 2 → v 2 v 1 try v 1 v 2 → v 1 E ::= . . . | try E v U ::= [] | U e | v U | let x = U in e Fran¸ cois Pottier July 2000
ML+sums Values v ::= . . . | inl | inr | inl v | inr v | match | match v | match v v Expressions e ::= . . . | inl | inr | match match (inl v ) v 1 v 2 → v 1 v match (inr v ) v 1 v 2 → v 2 v Fran¸ cois Pottier July 2000
Encoding exceptions into sums � x � = inl x � λx.e � = inl λx. � e � � e 1 e 2 � = match � e 1 � ( λv 1 . match � e 2 � v 1 inr) inr � raise � = inl inr � try e � = inl λh. match � e � inl h � let x = e 1 in e 2 � = match � e 1 � ( λx. � e 2 � ) inr � let x = e 1 in e 2 � = let a = � e 1 � in match a ( λx. let x = match a ( λv.v ) ( λv. ⊥ ) in � e 2 � ) inr Fran¸ cois Pottier July 2000
Typing ML+sums ` a la Hindley/Milner inl : ∀ αβ.α → α + β inr : ∀ αβ.β → α + β match : ∀ αβγ.α + β → ( α → γ ) → ( β → γ ) → γ Fran¸ cois Pottier July 2000
Typing ML+exceptions, through the encoding Γ; x : t ⊢ e : t ′ , u Γ( x ) = σ σ � t u → t ′ , ⊥ Γ ⊢ x : t, ⊥ Γ ⊢ λx.e : t − u Γ ⊢ e 1 : t 2 − → t, u Γ ⊢ e 2 : t 2 , u t Γ ⊢ raise : t − → ⊥ , ⊥ Γ ⊢ e 1 e 2 : t, u Γ; x : Gen( t, Γ) ⊢ e 2 : t ′ , u Γ ⊢ e : t, u Γ ⊢ e 1 : t, u u ′ u ′ Γ ⊢ let x = e 1 in e 2 : t ′ , u Γ ⊢ try e : ( u − → t ) − → t, ⊥ → t ′ stands for t → t ′ + u ; ⊥ stands for a fresh u Notation: t, u stands for t + u ; t − meta-variable. Fran¸ cois Pottier July 2000
ML+Java-like stack inspection Principals P Resources R A : P → 2 R Access rights matrix f ::= p.e Signed expression e ::= x | λx.f | e e | let x = e in e “Signed ML” | r.e Enable privilege | r ! e Check privilege | f Fran¸ cois Pottier July 2000
ML+Java-like stack inspection (cont’d) Evaluation contexts E ::= . . . | r.E | p.E Stacks S ::= ǫ | rS | pS If P stands for { p ∈ P ; r ∈ A ( p ) } , then S ∈ ( P | R ) ⋆ P R ⋆ r ( P | R ) ⋆ S ⊢ r ⇐ ⇒ E [ r ! e ] → E [ e ] if E ⊢ r r.v → v p.v → v Fran¸ cois Pottier July 2000
ML+sets Values v ::= . . . | R | . r | ∨ R | ∧ R Expressions e ::= . . . | R | . r | ∨ R | ∧ R R.r → R if r ∈ R R 1 ∨ R 2 → R 1 ∪ R 2 R 1 ∧ R 2 → R 1 ∩ R 2 Fran¸ cois Pottier July 2000
Encoding ML+stack inspection into ML+sets: security-passing style � x � p = x � λx.f � p = λx.λs. � f � � e 1 e 2 � p = � e 1 � p � e 2 � p s � let x = e 1 in e 2 � p = let x = � e 1 � p in � e 2 � p � r.e � p = let s = s ∨ ( { r } ∩ A ( p )) in � e � p � r ! e � p = let = s.r in � e � p � f � p = � f � � p.e � = let s = s ∧ A ( p ) in � e � p � e � = � e � p 0 [ ∅ /s ] Fran¸ cois Pottier July 2000
Typing ML+sets ` a la Hindley/Milner/R´ emy [ − − − − → { r 1 , . . . , r n } : r i : Pre ; Abs ] . r : ∀ ρ. [ r : Pre ; ρ ] → [ r : Pre ; ρ ] r i : ϕ i ; ρ ] → [ − − − − → ∀ ρ − → ϕ i . [ − − − → ∨ { r 1 ,...,r n } : r i : Pre ; ρ ] ∀ ρ − → ϕ i . [ − r i : ϕ i ; ρ ] → [ − − − → − − → ∧ { r 1 ,...,r n } : r i : ϕ i ; Abs ] Fran¸ cois Pottier July 2000
Typing ML+stack inspection, through the encoding (excerpts) s s 2 , (Γ; x : t 1 ) ⊢ f : t 2 p, s, Γ ⊢ e 1 : t 2 − → t p, s, Γ ⊢ e 2 : t 2 s 2 p, s 1 , Γ ⊢ λx.f : t 1 − → t 2 p, s, Γ ⊢ e 1 e 2 : t p, [ r : Pre ; rt ] , Γ ⊢ e : t r ∈ A ( p ) p, [ r : Pre ; rt ] , Γ ⊢ e : t p, [ r : ft ; rt ] , Γ ⊢ r.e : t p, [ r : Pre ; rt ] , Γ ⊢ r ! e : t p 0 , [ Abs ] , ǫ ⊢ e : t e : t → t ′ stands for t → s → t ′ . s Notation: t − Fran¸ cois Pottier July 2000
ML+dependency Expressions e ::= . . . | l : e ( l ∈ L ) Evaluation contexts arbitrary ( l : e 1 ) e 2 → l : ( e 1 e 2 ) Stability: If e → ⋆ f and ⌊ f ⌋ L = f , then ⌊ e ⌋ L → ⋆ f . Fran¸ cois Pottier July 2000
ML+pairs+labels Expressions e ::= . . . | � e, e � | fst | snd | l | @ ( l ∈ L ) Evaluation contexts arbitrary fst � e 1 , e 2 � → e 1 snd � e 1 , e 2 � → e 2 l @ m → l ⊔ L m ( e 1 @ e 2 ) @ e 3 → @ e 1 @ ( e 2 @ e 3 ) ǫ @ e → @ e Fran¸ cois Pottier July 2000
Encoding dependencies into labels � x � = � fst x, snd x � � λx.e � = � λx. � e � , ⊥ L � � e 1 e 2 � = letp � x, t � = � e 1 � in letp � y, u � = x � e 2 � in � y, t @ u � � let x = e 1 in e 2 � = let x = � e 1 � in � e 2 � � l : e � = letp � x, t � = � e � in � x, l @ t � Fran¸ cois Pottier July 2000
The “type system factory” Equip ML+pairs+labels with a compositional type system such that • → and → @ preserve types; • labels may be viewed as types, and l : m implies l ≤ L m . This defines a type system for ML+dependency which enjoys Subject Reduction and Non-Interference: If e : int × l and e → ⋆ v , where v is a value, then ⌊ e ⌋ ↓ l → ⋆ v . Fran¸ cois Pottier July 2000
= let fix ff ( fun f x → ff ( f f ) x ) ( fun f x → ff ( f f ) x ) let exists = fix ( fun exists predicate list → match list with Nil → false — Cons ( element , rest ) → if predicate element then true else exists predicate rest ) Fran¸ cois Pottier July 2000
Equip ML+pairs+labels with a subtyping-constraint-based type system. Then, the (inferred) type of exists is ∀ αψζ | { ζ ≤ [ Nil | Cons of ( α ϕ × ζ ) ψ ] ψ } . ψ → ζ → bool ψ ( α ϕ → bool ψ ) Fran¸ cois Pottier July 2000
let users = Cons ( { login = "Pam" ; pw = Sys : "7nuggets" } , Cons ( { login = "Sam" ; pw = Sys : "" } , Nil )) let query1 = exists ( fun r → r . login = Priv : "Monica" ) users let query2 = exists ( fun r → r . pw = "" ) users Fran¸ cois Pottier July 2000
Recommend
More recommend
