Towards a Semantic Model for Java Wildcards
Sophia Drossopoulou (Imperial College London), Mariangiola Dezani-Ciancaglini (Università di Torino, Italy), Nicholas Cameron (Victoria University of Wellington, New Zealand), Alexander J. Summers (ETH Zurich)

Outline
 Java Wildcards & Existential Types
 Semantic Model for Existential Types
 Soundness & (In-)Completeness
 Weak Independence & Completeness
 Conclusions

Wildcards in Java
►Based on Java Generics (since Java 5.0)
– Parameterised types: List<String>, List<List<String>>, etc.
►Generic types are subtype invariant
– List<String> and List<Object> are incomparable
►Wildcards introduce “hiding” of type parameters
– List<?> is a type (a List of “something”)
– List<String> is a subtype of List<?>
►Bounded wildcards allow subtype variance
– List<String> is a subtype of List<? extends Object>

Existential Types
►Existential types allow type information to be hidden
►Bounded existentials expose some information about the hidden type, e.g., ∃X:[String Object].C<X> (X ranges between the lower bound String and the upper bound Object)
►Standard representation of wildcard types
– C<?> represented by ∃X:[⊥ Object].C<X>
– C<? super B> represented by ∃X:[B Object].C<X>
►For Java, introduction and elimination of existential types is handled implicitly (by subtyping)
►Java has F-bounded types (type variables may occur in each other’s bounds, mutually)

Why use Existential Types?
►Not all types that can occur during type checking of Java programs can be written using the Java syntax
►i.e., there are types that are expressible but not denotable in Java
►Not true for existential types
– All Java types can be denoted using existential types
– e.g., ∃X.Pair<X,X> can arise during type-checking (but Pair<?,?> corresponds to ∃X,Y.Pair<X,Y>)

Syntactic Type Assignment
►Types and type environments are defined by:
class types N ::= C<T̄>
types T ::= X | ∃Δ.N
type bounds B ::= T | ⊥
type environments Δ ::= X : [B B] (each variable carries a lower and an upper bound, in that order)
►We use σ for type substitutions, and use a judgement Δ ⊢ σ to express that σ maps the type variables in Δ to types within their declared bounds
►Syntactic subtyping Δ ⊢ T1 ≤ T2 handles subclassing, existential types and their bounds
►e.g., Δ, Δ1 ⊢ σ ⇒ Δ ⊢ σ(N) ≤ ∃Δ1.N (an existential is introduced by instantiating its variables within their bounds)

Our semantics for types
►Idea: interpret existential types as unions
– all the possible concrete types the existential might “hide”
►What are “concrete types”?
– One idea: use structural types to describe fields and methods guaranteed to exist in the runtime object
– but Java uses a nominal type system
– allows use of fields and methods based only on class type
– Each runtime object has an associated closed class type
– We use these as the “concrete types” of our model

Our semantics for types
►Semantic types S are sets of closed class types
– all the possible runtime types the type might permit
►We give a semantic interpretation of closed types
– open types will be dealt with later
►We map closed types to semantic types as follows:
[[ N ]] = { N’ | N’ ⊑ N } (⊑ is subclassing on closed class types)
[[ ⊥ ]] = ∅
[[ ∃Δ.N ]] = ⋃ { [[ σ(N) ]] | Δ ⊢ σ }

Our semantics for types
[[ N ]] = { N’ | N’ ⊑ N }
[[ ⊥ ]] = ∅
[[ ∃Δ.N ]] = ⋃ { [[ σ(N) ]] | Δ ⊢ σ }
►For example...
[[ Object ]] = { Object, String, List<String>, … }
[[ ∃X : [String Object], ∃Y : [X Object]. Pair<X,Y> ]] = { Pair<String,String>, Pair<String,Object>, Pair<Object,Object> }
(with String ⊑ Object the only subclassing between the bounds, and Pair having no subclasses)

Semantic subtyping
►We define subtyping on semantic types simply as S1 ≤ S2 ⇔ S1 ⊆ S2
►We extend this notion to syntactic types, as follows:
Δ ⊨ T1 ≤ T2 ⇔ ∀σ. Δ ⊢ σ ⇒ [[ σ(T1) ]] ⊆ [[ σ(T2) ]]
►We now have two subtyping judgements: syntactic subtyping Δ ⊢ T1 ≤ T2 and semantic subtyping Δ ⊨ T1 ≤ T2
►Is syntactic subtyping sound? Δ ⊢ T1 ≤ T2 ⇒ Δ ⊨ T1 ≤ T2 ?
►Is syntactic subtyping complete? Δ ⊨ T1 ≤ T2 ⇒ Δ ⊢ T1 ≤ T2 ?

Soundness
►Since type soundness for Java Wildcards is known [Cameron et al. 2008] we would hope that soundness of subtyping holds
►In fact, we proved this (Theorem 1 in paper): Soundness: Δ ⊢ T1 ≤ T2 ⇒ Δ ⊨ T1 ≤ T2
►By defining a suitable semantic type assignment we extended the soundness result to the type system
►Completeness could be reasonably expected:
– the result is w.r.t. nominal subtyping (weaker than structural)
– decidability of the syntactic type system is open
►However, completeness turns out not to hold

Incompleteness 1
►Consider the type ∃X : [C C]. List<X>
►The semantic model “knows” that X must hide C:
– [[ ∃X : [C C]. List<X> ]] = { List<C> } = [[ List<C> ]] (List<C> having no proper subclasses here)
►In particular, ⊨ ∃X : [C C]. List<X> ≤ List<C> holds
►This subtyping cannot be derived syntactically
– the syntactic rules cannot identify the “uniqueness” of X
►What if we add a rule specifically for such cases?
(eq): if Δ ⊢ B ≤ U and Δ ⊢ U ≤ B then Δ ⊢ ∃X : [B U]. N ≤ N{B/X}

Incompleteness 2
►This is still not enough. Consider now the types
T1 = ∃X : [⊥ Y], ∃Y : [X X]. Pair<X,Y>
T2 = ∃Z : [⊥ Object]. Pair<Z,Z>
►The bounds on X and Y can only be satisfied if the same (closed class) type is chosen to replace each (Y’s bounds force Y = X)
– the model shows this: [[ T1 ]] = [[ T2 ]]
►In particular, ⊨ T1 ≤ T2 holds, but not syntactically (no substitution σ makes Pair<X,Y> equal to σ(Pair<Z,Z>), since X and Y are distinct variables)
►Further examples of this kind make full completeness infeasible
►But could we find a restricted type language for which completeness does hold?

Completeness?
When does Δ ⊨ T1 ≤ T2 ⇒ Δ ⊢ T1 ≤ T2 hold?

Completeness?
⊨ ∃Δ1.N1 ≤ ∃Δ2.N2 ⇒ ⊢ ∃Δ1.N1 ≤ ∃Δ2.N2 ?
[[ ∃Δ1.N1 ]] ⊆ [[ ∃Δ2.N2 ]] ⇒ ⊢ ∃Δ1.N1 ≤ ∃Δ2.N2 ?
⋃ { [[ σ1(N1) ]] | Δ1 ⊢ σ1 } ⊆ ⋃ { [[ σ2(N2) ]] | Δ2 ⊢ σ2 } ⇒ ⊢ ∃Δ1.N1 ≤ ∃Δ2.N2 ?
(for all σ1 with Δ1 ⊢ σ1 there exists σ2 with Δ2 ⊢ σ2 such that σ1(N1) = σ2(N2)) ⇒ ⊢ ∃Δ1.N1 ≤ ∃Δ2.N2 ?

Completeness?
(for all σ1 with Δ1 ⊢ σ1 there exists σ2 with Δ2 ⊢ σ2 such that σ1(N1) = σ2(N2))
⇒ there exists σ3 with Δ2 ⊢ σ3 such that N1 = σ3(N2)
⇒ ⊢ ∃Δ1.N1 ≤ ∃Δ2.N2

Completeness?
(for all σ1 with Δ1 ⊢ σ1 there exists σ2 with Δ2 ⊢ σ2 such that σ1(N1) = σ2(N2)) ⇏ there exists σ3 with Δ2 ⊢ σ3 such that N1 = σ3(N2)
►The implication highlighted on the slide (the existence of such a σ3 whenever the left-hand side holds) is sufficient to deduce completeness (the condition on Δ1 is called “rich” in the language of the paper)
►The previous pictures suggest it is enough for there to be “sufficiently different” instantiations for Δ1
►This is not quite enough with multiple variables
►e.g., Δ1 = X : [⊥ C], Y : [X X] and Δ2 = Z : [⊥ C] with N1 = Pair<X,Y> and N2 = Pair<Z,Z>: every instantiation of Pair<X,Y> under Δ1 has the form Pair<A,A> with A ⊑ C, hence is an instance of Pair<Z,Z>, yet no σ3 maps Pair<Z,Z> to Pair<X,Y>
►We need that each variable in Δ1 gets sufficiently varied instantiations independently of the others...

Weak Independence
►We define two types to be sufficiently different if the uppermost class types in their structure differ
►We say Δ1 is weakly independent if for each variable X in Δ1 there exist two substitutions σ1, σ2 with Δ1 ⊢ σ1 and Δ1 ⊢ σ2 such that σ1(X) is sufficiently different from σ2(X) and, for all other variables Y in Δ1, σ1(Y) = σ2(Y)
►Essentially, each variable gets the chance to vary independently of the others
►e.g., X : [⊥ C], Y : [X X] is not weakly independent (Y must equal X, so neither can vary while the other is held fixed), but X : [String Object], Y : [X Object] is

Weak Completeness
►We proved a weak completeness result: if ⊨ ∃Δ1.N1 ≤ ∃Δ2.N2 and Δ1 is weakly independent, then ⊢ ∃Δ1.N1 ≤ ∃Δ2.N2
►Recall: all types can be written in the form ∃Δ.N (in which Δ is possibly empty), so this form is not a restriction
►The result does not apply (yet) to open types (those featuring type parameters of the enclosing class)
►However, for closed types with weakly independent environments, syntactic subtyping is sound and complete with respect to our semantic model
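The following Python is an added, runnable illustration and is not code from the paper or the slides. It implements the semantic model of the earlier slides (the interpretation [[·]] and semantic subtyping ⊨), reproduces the two incompleteness examples, and checks weak independence, all over a constructed finite class table (Object, String and C, plus invariant List<T> and Pair<T,U> with no subclasses; closed types are enumerated up to one level of nesting so that the unions are finite). The names interp, sem_sub, syn_pack and weakly_independent are this example's own; syn_pack implements only the matching step "N1 = σ3(N2) with Δ2 ⊢ σ3" from the completeness slides, not the full Java subtyping rules (no subclassing of N1, no (eq) rule).

```python
"""Finite model of the slides' semantics for existential (wildcard) types.

Encoding (assumptions of this example): a type variable is a str such as "X";
the bottom bound is BOT; a (possibly open) class type is a tuple such as
("Pair", arg1, arg2); an existential ∃Δ.N is Ex(env, body) where env is a
tuple of (variable, lower bound, upper bound) triples, bounds written [lower upper].
"""
from itertools import product
from typing import NamedTuple

BOT = "⊥"
OBJ, STR, C = ("Object",), ("String",), ("C",)


class Ex(NamedTuple):
    env: tuple   # Δ: ((variable, lower bound, upper bound), ...)
    body: tuple  # N: a class type over the variables of env


# Constructed class table: String and C extend Object; List<T> and Pair<T,U>
# are invariant generics without subclasses (as in the slides' examples).
SUPER = {"String": "Object", "C": "Object", "List": "Object", "Pair": "Object"}
ARITY = {"Object": 0, "String": 0, "C": 0, "List": 1, "Pair": 2}

# The "closed class types" of the model: base classes plus one level of generic
# nesting (15 types).  Closed types nested deeper than this are outside the
# model, so their interpretation below is empty.
_BASE = [OBJ, STR, C]
UNIVERSE = _BASE + [(cls, *args) for cls, k in ARITY.items() if k
                    for args in product(_BASE, repeat=k)]


def subclass(n1, n2):
    """N1 ⊑ N2: walk N1's superclass chain (generic arguments are invariant)."""
    while n1 is not None:
        if n1 == n2:
            return True
        sup = SUPER.get(n1[0])
        n1 = (sup,) if sup else None
    return False


def leq_closed(t1, t2):
    """Closed subtyping with ⊥ below every class type."""
    return t1 == BOT or (t2 != BOT and subclass(t1, t2))


def subst(sigma, t):
    """Apply a substitution to a type; variables not in sigma are left alone."""
    if isinstance(t, str):
        return sigma.get(t, t)
    return (t[0], *(subst(sigma, a) for a in t[1:]))


def satisfies(sigma, env):
    """Δ ⊢ σ for a closed σ: each variable lies within its substituted bounds."""
    return all(leq_closed(subst(sigma, lo), sigma[v]) and
               leq_closed(sigma[v], subst(sigma, hi)) for v, lo, hi in env)


def solutions(env):
    """All σ with Δ ⊢ σ over UNIVERSE (bounds may mention other variables)."""
    names = [v for v, _, _ in env]
    for choice in product(UNIVERSE, repeat=len(names)):
        sigma = dict(zip(names, choice))
        if satisfies(sigma, env):
            yield sigma


def interp(t):
    """[[T]] for a closed type: [[N]] = {N' | N' ⊑ N}, [[⊥]] = ∅, and
    [[∃Δ.N]] = union of [[σ(N)]] over all σ with Δ ⊢ σ."""
    if t == BOT:
        return frozenset()
    if isinstance(t, Ex):
        return frozenset().union(*(interp(subst(s, t.body)) for s in solutions(t.env)))
    return frozenset(n for n in UNIVERSE if subclass(n, t))


def sem_sub(t1, t2):
    """Semantic subtyping ⊨ T1 ≤ T2 on closed types: [[T1]] ⊆ [[T2]]."""
    return interp(t1) <= interp(t2)


def match(pattern, term, sigma):
    """First-order matching: extend sigma so that sigma(pattern) = term, else None."""
    if isinstance(pattern, str):
        if pattern in sigma and sigma[pattern] != term:
            return None
        return {**sigma, pattern: term}
    if isinstance(term, str) or pattern[0] != term[0]:
        return None
    for p, a in zip(pattern[1:], term[1:]):
        sigma = match(p, a, sigma)
        if sigma is None:
            return None
    return sigma


def syn_pack(t1, t2):
    """Matching step of the completeness slides: ∃Δ1.N1 ≤ ∃Δ2.N2 via some σ3
    with N1 = σ3(N2), where Δ2's bounds hold for σ3 under every instantiation
    of Δ1.  Only this fragment of syntactic subtyping is modelled here."""
    sigma3 = match(t2.body, t1.body, {})
    if sigma3 is None or any(v not in sigma3 for v, _, _ in t2.env):
        return False
    return all(satisfies({v: subst(s1, sigma3[v]) for v, _, _ in t2.env}, t2.env)
               for s1 in solutions(t1.env))


def weakly_independent(env):
    """Each variable can change its uppermost class ("sufficiently different")
    while every other variable of the environment is held fixed."""
    sols = list(solutions(env))
    return all(any(s1[v][0] != s2[v][0] and all(s1[w] == s2[w] for w, _, _ in env if w != v)
                   for s1 in sols for s2 in sols) for v, _, _ in env)


def show(t):
    """Pretty-print a type in Java-like syntax."""
    if isinstance(t, str):
        return t
    return t[0] + (f"<{', '.join(map(show, t[1:]))}>" if len(t) > 1 else "")


# The slides' examples, encoded as above.
PAIR_SO = Ex((("X", STR, OBJ), ("Y", "X", OBJ)), ("Pair", "X", "Y"))    # ∃X:[String Object], Y:[X Object].Pair<X,Y>
LIST_CC = Ex((("X", C, C),), ("List", "X"))                          # ∃X:[C C].List<X>
LIST_C = Ex((), ("List", C))                                          # List<C>
T1 = Ex((("X", BOT, "Y"), ("Y", "X", "X")), ("Pair", "X", "Y"))       # X ≤ Y and Y = X
T2 = Ex((("Z", BOT, OBJ),), ("Pair", "Z", "Z"))                       # ∃Z:[⊥ Object].Pair<Z,Z>
ANY_PAIR = Ex((("Z", BOT, OBJ), ("W", BOT, OBJ)), ("Pair", "Z", "W"))  # ∃Z,W.Pair<Z,W>

if __name__ == "__main__":
    print(sorted(map(show, interp(PAIR_SO))))
    for a, b in [(LIST_CC, LIST_C), (T1, T2), (PAIR_SO, ANY_PAIR)]:
        print(f"semantic {sem_sub(a, b)}, matching {syn_pack(a, b)}, "
              f"Δ1 weakly independent {weakly_independent(a.env)}")
```

Run as a script it lists the three Pair types of the example slide, then shows the pattern the slides describe: ∃X:[C C].List<X> and T1 are semantic subtypes of List<C> and T2 respectively, but the matching step fails for both (neither environment is weakly independent), whereas for the weakly independent environment of ∃X:[String Object], Y:[X Object].Pair<X,Y> the semantic subtyping against ∃Z,W.Pair<Z,W> is also found by matching. The truncation of closed types to one level of nesting is a limitation of this finite model, not of the paper's semantics.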

Conclusions and Future Work
►Defined a semantic model for Java Wildcards
►Proved soundness of Java subtyping w.r.t. the model
►Completeness does not hold in general
►Identified a restriction (weakly independent environments) under which completeness holds
►For future work, open types should be handled
►Can we find a weaker restriction for completeness?
►Can non-trivial incompleteness arise in Java?
– we conjecture not, which would give us strong soundness and completeness results for Java subtyping

Finally…
►Thank you for listening!