types and programming languages lecture 12 simon gay department of computing science university of...
TRANSCRIPT
Types and Programming Languages
Lecture 12
Simon GayDepartment of Computing Science
University of Glasgow
2006/07
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 2
Type Safety: Unique Use
In order to prove that every value is used exactly once, we needto define an alternative operational semantics which allows usto see values being “consumed”.
The idea is to explicitly represent every value as being stored inmemory and accessed by a pointer. Then we can definereductions on Store , Term configurations so that every valueis removed from the store when it is first used.
Then we will prove that when executing a well-typed term, wenever get a dangling pointer, and that at the end of execution,there is nothing left in the store except the final value.
The system will look like what we would get in lambda calculuswith references, if we put ref around every value.
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 3
Linear Lambda Calculus: Syntax
v ::= integer literal | true | false | x:T.e | m (not top-level syntax)e ::= v | x | e + e | e == e | e & e | if e then e else e | ee
The same as before, plus store locations (pointers) m,n,…
T ::= int | bool | T T
Store S ::= m=v,…
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 4
Linear Lambda Calculus: Semantics
First define removal of a location from the store:
(S, m=v, S’) – m = S,S’
Now define reductions of the form
S , e S’ , e’
Evaluating a value creates a store location and returns it:
S , true S+[m=true] , mS , false S+[m=false] , mS , v S+[m=v] , mS , x:T.e S+[m=x:T.e] , m
In each case, m is a fresh location.
v is a integer literal
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 5
Linear Lambda Calculus: Semantics
t,mSe else t then m if,Strue)m(S
e,mSe else t then m if,Sfalse)m(S
p],wp[)nmS(nm,Sv and u of sum the is w vS(n) u)m(S
Next we define reductions which consume values.
]x/n[e,mSmn,Se.T:x)m(S
m,n different
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 6
Linear Lambda Calculus: Semantics
f'e,'Sfe,S'e,'Se,S
'em,'Sem,S
'e,'Se,S
Finally we define reductions within expressions, as usual.
Similarly for the other operators.
e else t then c' if,'Se else t thenc if,S'c,'Sc,S
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 7
Example
, (x:int. x+1)2
m = x:int. x+1 , m 2
(m = x:int. x+1 , n = 2) , m n
n = 2 , n+1
(n = 2 , p = 1) , n+p
q = 3 , q
FINAL RESULT
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 8
Example
, (x:int. (x+1)+x)2
m = x:int. (x+1)+x , m 2
(m = x:int. (x+1)+x , n = 2) , m n
n = 2 , (n+1)+n
(n = 2 , p = 1) , (n+p)+n
q = 3 , q+n
STUCK: n is a “dangling pointer”
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 9
Exercise
We now have two different semantics for (essentially) the samelanguage: lambda calculus. The original semantics is based onreductions of expressions. The new semantics uses a store(and destroys values after their first use).
Try to prove the following theorem, relating the semantics:
If , e * S,m=v, m in the linear lambda calculus semantics, then e * v in the standard lambda calculus semantics.
Why don’t we expect the converse to be true?
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 10
Proving Type Safety: Unique Use
Just as in the case of lambda calculus with references, we needthe idea of a store typing , so that we can give a type to theexpression m (store location).
The store typing must be treated in the same way as theenvironment , so that in a typing judgement | e:Tthe and describe exactly the variables and locations used by e.
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 11
Linear Lambda Calculus with Store Typings
| true : bool | false : bool | v : int if v is an integer literal
int:fe',|,int:f'|int:e|
(LS-Plus)
T:felseethencif',|,T:f'|T:e'|bool:c|
(LS-If)
UoT:e.T:x|U:e|T:x,
(LS-Abs) U:'ee',|,
T:'e'|UoT:e|
(LS-App)
(LS-Var)x : T | x : T (LS-Loc) | m:T m : T
similarly &, ==
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 12
Well-Typed StoresJust as we saw for references, we need the idea of a well-typedstore. We write S :: and define it by the following rules:
:: T:m,::vmS,
T:v|,::S
2
121
This is rather subtle. The store typing describes the storelocations that are available for use, i.e. not already used withinother parts of the store.
Examples:
m=2, n=x:int. x+m :: n:intint
m=2, n=true :: m:int, n:bool
Empty Next
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 13
Well-Typed Stores
We will need the following fact about well-typed stores.
Lemma: If S,m=v :: ,m:T and | ’ v : T then S :: ,’
This might seem trivial, but the effect is that we can use ruleNext (previous slide) in reverse even when m was not the lastlocation to be added.
It can be proved (exercise) by induction on the derivation of S,m=v :: ,m:T . The base case is trivial and the inductivecase breaks into two sub-cases, depending on whether or notm is the last location added.
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 14
Substitution Lemma
As usual we need a substitution lemma. Because of the way theoperational semantics is defined, we only need to considersubstituting a store location for a variable.
Lemma: If , x:T | e:U then | ,n:T e[n/x] : U
Proof (outline):
e cannot be a boolean or integer literal or a store location (why?)
If e is a variable then it must be x (why?) and and must be (why?) so the desired conclusion is | n:T n:T which follows from rule LS-Loc.
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 15
Substitution Lemma
int:fe',|T:x,int:f'|int:e| 21
Proof (continued):
The other cases use the induction hypothesis in a similar way tothe Substitution Lemma for simply typed lambda calculus. Thedifference is that the substitution only goes into one part of theexpression.
If e is t+u then we have
where T:x,, 21
and we consider two cases, depending on whether x is used ine or in f.
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 16
Type Preservation
Theorem: If | e:T and S :: and S , e S’ , e’ then there exists ’ such that | ’ e’:T and S’ :: ’ .
Proof: By induction on the derivation of S , e S’ , e’ .
1. S , true S+[m=true] , m
We have | true:bool so = (why?) and S= (why?).
Taking ’ = m:bool gives | ’ m:bool and S’ :: ’as required.
Therefore S’ = (m=true) .
The cases of the other values are similar. For y:U.e we can’tsay that = and S= because e may use locations.
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 17
Type Preservation
T:'eelseethenmif,|T:'e|T:e|bool:m|
21
221
bool:m1
2. S , if m then e else e’ S-m , e because S(m)=true .
We have
therefore
Taking 221 m),(' we have | ’ e:T
and we just need S-m :: ’
which follows from the Lemma on slide 13.
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 18
Type Preservation
3. S , mn S-m , e[n/x] because S(m)= x:T.e .
We haveU:mnT:n,UoT:m|
T:nT:n|UoT:mUoT:m|
and S :: m:T —o U, n:T
By the lemma on slide 13, S-m :: ,n:T
where | x:T.e : TU
This typing is justified by x:T | e : U
from which the Substitution Lemma gives | ,n:T e[n/x] : U
as required.
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 19
Type Preservation
4. The remaining cases, such as
f'e,'Sfe,S'e,'Se,S
'em,'Sem,S
'e,'Se,S
follow from straightforward uses of the induction hypothesis.
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 20
Progress
Finally we can also prove
Progress Theorem
If S :: and | e:T then either S , e S’ , e’(for some S’) or e is a store location.
very easily, by checking that for every potentially reducing term(e.g. if m then t else e), the typing and the store typing meanthat one of the reduction rules applies.
2006/07 Types and Programming Languages Lecture 12 - Simon Gay 21
The Final Value
Combining Progress and Preservation, we see that reduction ofa typed term in a typed store terminates with S , m and one ofthe following cases applies:
1. S is m=true2. S is m=false3. S is m=v for some integer literal v4. S(m) = x:T.e and S-m :: and x:T | e : U
i.e. S contains just m and the locations referred to by e
Exercise: work out the complete reduction sequence for
(x:int.y:int.x+y)3