a model of substructural state

A Model of Substructural State

Matthew Fluet

Cornell University

Feb. 25, 2005 2

Introduction

• Forms of “uniqueness” are appearing in programming languages

Feb. 25, 2005 3

Introduction

• Forms of “uniqueness” are appearing in programming languages• Cyclone – affine pointers, which may be

discarded, but not duplicated• allow fine grained memory management

• Vault – linear keys, which may be neither discarded nor duplicated

• enforce resource management protocols

Feb. 25, 2005 4

Introduction

• Forms of “uniqueness” are appearing in programming languages• Cyclone – affine pointers, which may be

discarded, but not duplicated• allow fine grained memory management

• Vault – linear keys, which may be neither discarded nor duplicated

• enforce resource management protocols

• C / Java / SML – unrestricted objects that may be both discarded and duplicated

Feb. 25, 2005 5

Introduction

• But, programming with only unique objects is much too painful• Both Cyclone and Vault allow a programmer to put

unique objects in shared objects• Impose a variety of restrictions to ensure that

these mixed objects behave in a safe manner

Feb. 25, 2005 6

Introduction

• Natural to study a core language with mutable references of all flavors

Feb. 25, 2005 7

Qualifiers

AffineDiscard

RelevantDuplicate

UnrestrictedDiscard,Duplicate

Linear

Feb. 25, 2005 8

Qualifiers

AffineDiscard

RelevantDuplicate


Linear

Unique objects – may be “used”at most once

Shared objects –may be copied

Feb. 25, 2005 9

Qualifiers

AffineDiscard

RelevantDuplicate


Linear

must be “used”at least once

may be dropped

Feb. 25, 2005 10

Introduction

• Natural to study a core language with mutable references of all qualifiers

• Raises design questions:• What does it mean to copy or drop a ref?• What operations make sense on different refs?• What combinations of qualifiers for a reference

and its contents make sense?• Can one construct a reasonable model for such a

language?

Feb. 25, 2005 11

Outline

• A Substructural Type System

• … with References

• Model Teaser

Feb. 25, 2005 12

A Substructural Type System

• Qualifiers

q ::= U j R j A j L

• PreTypes

::= 1 j 1 2 j 1 ( 2

• Types

::= q

Feb. 25, 2005 13


• Non-examples• U(A1 A2), U(R1 R2), U(L1 L2)

•

Feb. 25, 2005 14



•

copy hv1,v2i ! hhv1,v2i,hv1,v2ii

v1 and v2 may be used more than once

Feb. 25, 2005 15



•



Feb. 25, 2005 16



•


drop hv1,v2i ! hi


v1 and v2 are not used

Feb. 25, 2005 17



•


drop hv1,v2i ! hi


v1 and v2 are not used

Feb. 25, 2005 18

… with References

• PreTypes

::= … j ref

Feb. 25, 2005 19

… with References

• Examples?• U(ref U), U(ref R), U(ref A), U(ref L)

Feb. 25, 2005 20

… with References

• Examples?• U(ref U), U(ref R), U(ref A), U(ref L)

copy l ! hl,li

drop l ! hi

l may be used more than once;but contents are not copied

l may is not used;and contents are dropped

Feb. 25, 2005 21

… with References

• Examples?• U(ref U), U(ref R), U(ref A), U(ref L)•

copy l ! hl,li

drop l ! hi

l may be used more than once;but contents are not copied

l may is not used;and contents are dropped

Feb. 25, 2005 22

Operations on Substructural State

OpsContents and Ops

Ref U R A L

shared

U newweak updates

readwriteswap

writeswap

R newweak updates

readwriteswap

read

swapwriteswap swap

unique

A new freestrong updates

readwriteswap

writeswap

L new freestrong updates

readwriteswap

read

swapwriteswap swap

Feb. 25, 2005 23


• Model a type as a set of tuples ofqualifier, value, and local store typing

«¬ ::= { (q,,v), …}

• Model a local store typing as a partial map from locations to qualifiers and types

::= { l (q,«¬), … }

Feb. 25, 2005 24


• Model a type as a set of tuples ofqualifier, value, and local store type

• Model a local store type as a partial map from locations to qualifiers and types

• Local store of v only defined on those locations that appear as sub-expressions of v

Feb. 25, 2005 25




• Local store of v only defined on those locations that appear as sub-expressions of v

• Further restrictions to rule out stores

Feb. 25, 2005 26


• Why only a local store type?• Storing a unique object in a shared reference

“hides” the unique object• Using the global store – difficult to identify the

“real” occurrence of a unique location

Feb. 25, 2005 27


• How can we check that a global store satisfies a local store type?

• Use a Garbage Collector

Feb. 25, 2005 28

Store Satisfaction

store satisfiesl1 v1

s

l2 v2

l3 v3

l4 v4

l5 v5

l6 v6

l7 v7

l8 v8

l9 v9

l1 1

l2 2

l3 3

Feb. 25, 2005 29

Store Satisfaction

These are the roots

store satisfiesl1 v1

s

l2 v2

l3 v3

l4 v4

l5 v5

l6 v6

l7 v7

l8 v8

l9 v9

l1 1

l2 2

l3 3

Feb. 25, 2005 30

Store Satisfaction

l1 v1

s

l2 v2

l3 v3

l4 v4

l5 v5

l6 v6

l7 v7

l8 v8

l9 v9

l1 1

l2 2

l3 3

store satisfies

if there exists a set of locations

N l4

l5

l6

l7

l9

These are the non-roots

Feb. 25, 2005 31

Store Satisfaction

and local store types l (l 2 dom() ] N) that merge

These are the child locations traced from the contents of l

Feb. 25, 2005 32

Store Satisfaction


l1 1

l2 2

l3 3

l4 4

l5 5

l6 6

l7 7

l9 9= ¯ ¯l 2 dom() ] N l

The local store types are compatible (non-contradictory)

The global store type

Feb. 25, 2005 33

Store Satisfaction


l1 1

l2 2

l3 3

l4 4

l5 5

l6 6

l7 7

l9 9= ¯ ¯l 2 dom() ] N l

Don’t trace a unique location more than once

The global store type

Feb. 25, 2005 34

Store Satisfaction

to describe the store

l1 v1 : 1

s : *

l2 v2 : 2

l3 v3 : 3

l4 v4 : 4

l5 v5 : 5

l6 v6 : 6

l7 v7 : 7

l8 v8

l9 v9 : 9

Feb. 25, 2005 35

Conclusion and Future Work

• Core language, type-system, and model

• Model more advanced features• Cyclone – alias construct allows a unique

pointer to be treated as shared for a limited scope• Vault – focus construct allows a shared object to

be treated as unique for a limited scope

Feb. 25, 2005 36

Feb. 25, 2005 37

Structural Lemmas

• Exchange:• If 1,x1:1,x2:2,2 ` e : ,

then 1,x2:2,x1:1,2 ` e : .

• Contraction:• If 1,x1:x,x2:x,2 ` e : ,

then 1,x:x,2 ` e[x/x1][x/x2] : .

• Weakening:• If ` e : ,

then ,x:x ` e : .

Feb. 25, 2005 38

Structural Lemmas

• Exchange:• If 1,x1:1,x2:2,2 ` e : ,

then 1,x2:2,x1:1,2 ` e : .

• Contraction: Duplicate• If 1,x1:x,x2:x,2 ` e : ,

then 1,x:x,2 ` e[x/x1][x/x2] : .

• Weakening: Discard• If ` e : ,

then ,x:x ` e : .

Feb. 25, 2005 39

Qualifiers

AffineExch,Weak

RelevantExch,Cntr

UnrestrictedExch,Cntr,Weak

LinearExch

Feb. 25, 2005 40

Structural Lemmas Revisited

• Contraction:• If q ¹ R and 1,x1:qx,x2:qx,2 ` e : ,

then 1,x1:qx,2 ` e[x/x1][x/x2] : .

• Weakening:• If q ¹ A and ` e : ,

then ,x:qx ` e : .

Feb. 25, 2005 41

Operational Semantics

s ::= {l1 a v1, …, ln a vn}

(s, new v) ! (s ] {l a v}, l)

(s ] {l a v}, free l) ! (s, v)

(s ] {l a v}, rd l) ! (s ] {l a v}, hl, vi)

(s ] {l a v1}, wr l v2) ! (s ] {l a v2}, l)

(s ] {l a v1}, sw l v2) ! (s ] {l a v2}, hl, v1i)

Feb. 25, 2005 42




Feb. 25, 2005 43


• Model a type as a set of tuples PreType = (Qual £ Value £ LocStore)

Type = PreType

• Model a local store type as a partial map LocStore = Locs ! (Qual £ Type)?

• Cardinality problem is handled by stratifying definitions with “# of steps to run the program”

Feb. 25, 2005 44


PreType = { 2 (Qual £ Value £ LocStore) j for all (q,v,) 2 , each location in is mapped to a qualifier ¹ q }

Type = { 2 PreType j all qualifiers in are the same }

LocStore = { 2 Locs ! (Qual £ Type)? j each location is mapped to a type consistent with the location’s qualifier }

a model of substructural state

Documents

uref rt

uref ut

uref lt copy

ult1 lt2 copy hv1

urt1 rt2

j ref t

j lpretypes t

u j r j