A Step-Indexed Model of Substructural State
Matthew Fluet (Cornell University), Amal Ahmed and Greg Morrisett (Harvard University)
Sept. 26, 2005

Introduction
- Mutable state is here to stay:
  - high-level: I/O, data structures
  - low-level: virtual machines, garbage collectors
- Mutable state is hard to control:
  - C / Java / SML: unrestricted objects
  - Various forms of uniqueness have appeared as a means to “tame” state:
    - Clean: uniqueness types (I/O operations in a purely-functional language)
    - Cyclone: unique pointers (fine-grained memory management)
    - Vault: unique keys (resource management protocols)
- Unique objects alone are too restrictive:
  - only tree-like data structures
  - only single paths to a unique object, so with lr a unique resource the two functions
      fun f () = … lr …
      fun g () = … lr …
    cannot both refer to lr
  - Cyclone and Vault allow programs to store unique objects in shared objects: with ls a shared object that holds lr,
      fun f () = … ls …
      fun g () = … ls …
- Safety of mixed objects requires some restrictions:
  - Cyclone and Vault have different interpretations of “unique” and “shared”
  - so they have different sets of restrictions (i.e., type systems)
- How do we compare and evaluate these languages? (This is an important point for us as researchers: high-level design papers tout “unique under shared” as a technical contribution; we should be critical of these claims when the technical meaning of “unique” and “shared” is not made concrete.)
- Can we generalize the interpretations and restrictions?
- Can we define an expressive target language?
Introduction: we study a core language with mutable references
- deallocation of references
- strong (type-varying) updates
- storage of unique objects in shared references
- references of all qualifiers:
  - Unrestricted: like C / Java / SML
  - Relevant
  - Affine: like Clean and Cyclone
  - Linear: like Vault
Outline
- A Substructural Type System
- … with References
- Model Teaser
Structural Properties
Conventional type systems satisfy:
- Exchange: use typing assumptions in any order
- Contraction (Copy): use typing assumptions more than once
- Weakening (Drop): use typing assumptions less than once
Substructural type systems keep Exchange but fail to satisfy Contraction, Weakening, or both.
Substructural Qualifiers
The qualifiers form a diamond: Linear at the top; Affine (adds Drop) and Relevant (adds Copy) in the middle; Unrestricted (Drop and Copy) at the bottom.
- Unique objects (Linear, Affine) may be “used” at most once; shared objects (Relevant, Unrestricted) may be “used” more than once.
- Essential objects (Linear, Relevant) must be “used” at least once; inessential objects (Affine, Unrestricted) may be “used” less than once.
A Substructural Type System
Qualifiers   q ::= U | R | A | L                (how often may the value be used?)
PreTypes     τ̄ ::= 1 | τ1 ⊗ τ2 | τ1 ⊸ τ2        (how may the value be used?)
Types        τ ::= q τ̄
Copy with Pairs
copy U⟨Lv1, Lv2⟩ → ⟨U⟨Lv1, Lv2⟩, U⟨Lv1, Lv2⟩⟩
- ⟨v1, v2⟩ may be used more than once, so v1 and v2 may be used more than once: U(Lτ1 ⊗ Lτ2) cannot be allowed.
- copy U⟨Av1, Av2⟩ → ⟨U⟨Av1, Av2⟩, U⟨Av1, Av2⟩⟩ has the same problem: U(Aτ1 ⊗ Aτ2) cannot be allowed.
- copy U⟨Uv1, Uv2⟩ → ⟨U⟨Uv1, Uv2⟩, U⟨Uv1, Uv2⟩⟩ is fine: U(Uτ1 ⊗ Uτ2) is allowed.
Drop with Pairs
drop U⟨Lv1, Lv2⟩ → ⟨⟩
- ⟨v1, v2⟩ is not used, so v1 and v2 are not used: U(Lτ1 ⊗ Lτ2) cannot be allowed.
- drop U⟨Rv1, Rv2⟩ → ⟨⟩ has the same problem: U(Rτ1 ⊗ Rτ2) cannot be allowed.
- drop U⟨Uv1, Uv2⟩ → ⟨⟩ is fine: U(Uτ1 ⊗ Uτ2) is allowed.
… with References
PreTypes     τ̄ ::= … | ref τ
Expressions  e ::= … | new e | free e | read e | write e1 e2 | swap e1 e2
This raises design questions:
- What does it mean to copy or drop a ref?
- What operations make sense on different refs?
- What combinations make sense for the qualifier and the contents of a ref?
Copy & Drop with References
copy Ul → ⟨Ul, Ul⟩: l may be used more than once, but the contents are not copied.
drop Ul → ⟨⟩: l is not used, and the contents are (implicitly) dropped.
The slides step through contents Lv, Rv, Uv and Av stored at l, against the candidate types U(ref Lτ), U(ref Rτ), U(ref Uτ) and U(ref Aτ).
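As an added example (not code from the paper or the talk), the following Python checker encodes the reasoning of the "Copy with Pairs", "Drop with Pairs" and "Copy & Drop with References" slides, together with the conditions of the "Structural Lemmas Revisited" backup slide: Copy is available exactly for U and R, Drop exactly for U and A, and a pair may only hold components that are no more restrictive than the pair itself. The tuple encodings of types and values, the names `leq`, `can_copy`, `can_drop`, `well_formed`, `copy_ok`, `drop_ok`, and the decision to treat implicitly dropped reference contents as a use-zero-times are this example's assumptions, not the calculus' syntax.

```python
# Added example (not the paper's code): a checker for the copy/drop rules on the slides.
# Types and values are tuples whose second field is the qualifier:
#   types   ("unit", q) | ("pair", q, t1, t2) | ("fun", q, t1, t2) | ("ref", q, t)
#   values  ("unit", q) | ("pair", q, v1, v2) | ("loc", q, l)

# Qualifier order read off the slides' diamond: U at the bottom, L at the top,
# A and R incomparable in between.  leq(q1, q2) holds when q1 is no more
# restrictive than q2.
ABOVE = {"U": {"U", "A", "R", "L"}, "A": {"A", "L"}, "R": {"R", "L"}, "L": {"L"}}


def leq(q1, q2):
    return q2 in ABOVE[q1]


def can_copy(q):
    """Contraction (Copy) holds exactly for q below R, i.e. U and R."""
    return leq(q, "R")


def can_drop(q):
    """Weakening (Drop) holds exactly for q below A, i.e. U and A."""
    return leq(q, "A")


def well_formed(t):
    """A pair's components may be no more restrictive than the pair itself: otherwise
    copying a U pair would copy L or A components ('Copy with Pairs') and dropping it
    would drop L or R components ('Drop with Pairs').  Reference contents are not
    constrained here, because copying a reference copies the location, not its contents."""
    kind, q = t[0], t[1]
    if kind == "unit":
        return True
    if kind == "pair":
        return all(leq(c[1], q) and well_formed(c) for c in t[2:])
    if kind == "fun":
        return well_formed(t[2]) and well_formed(t[3])
    if kind == "ref":
        return well_formed(t[2])
    raise ValueError(f"unknown type {t!r}")


def copy_ok(v):
    """copy v -> <v, v>: v and every sub-value of v get used twice, so each must permit
    Copy.  A location is not traversed: copy Ul -> <Ul, Ul> leaves one copy of the contents."""
    if not can_copy(v[1]):
        return False
    if v[0] == "pair":
        return copy_ok(v[2]) and copy_ok(v[3])
    return True


def drop_ok(v, store):
    """drop v -> <>: v and every sub-value of v get used zero times, so each must permit
    Drop.  Dropping a location implicitly drops its contents as well, so those are looked
    up in `store` (a dict from location to value) and checked too; counting the implicitly
    dropped contents as used zero times is this example's assumption."""
    if not can_drop(v[1]):
        return False
    if v[0] == "pair":
        return drop_ok(v[2], store) and drop_ok(v[3], store)
    if v[0] == "loc":
        return drop_ok(store[v[2]], store)
    return True


# Constructed sample data: the slides' pair types and a two-location store.
U_LL = ("pair", "U", ("unit", "L"), ("unit", "L"))   # U(L1 ⊗ L1)
U_AA = ("pair", "U", ("unit", "A"), ("unit", "A"))   # U(A1 ⊗ A1)
U_RR = ("pair", "U", ("unit", "R"), ("unit", "R"))   # U(R1 ⊗ R1)
U_UU = ("pair", "U", ("unit", "U"), ("unit", "U"))   # U(U1 ⊗ U1)
STORE = {"l1": ("unit", "L"), "l2": ("unit", "U")}   # l1 holds a linear value, l2 an unrestricted one

if __name__ == "__main__":
    for t in (U_LL, U_AA, U_RR, U_UU):
        print(t, "well-formed" if well_formed(t) else "ruled out")
    print("copy Ul1:", copy_ok(("loc", "U", "l1")))          # True: contents untouched
    print("drop Ul1:", drop_ok(("loc", "U", "l1"), STORE))   # False: linear contents would be lost
```

The same tuples serve as types and as values, so `U_LL` can be fed to both `well_formed` (rejected because L is above U in the order) and `copy_ok` (rejected because the linear components would be used twice), while a location of type U(ref L1) passes `well_formed` and `copy_ok` but fails `drop_ok`, mirroring the three slides' observations.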
Deallocation
free ql → v, where l holds v. Candidate signatures:
  free : L(ref τ) → τ
  free : A(ref τ) → τ
  free : R(ref τ) → τ
  free : U(ref τ) → τ
The slides step through free Ll, free Al, free Ul and free Rl.
Swap
swap ql v2 → ⟨ql, v1⟩, where l held v1 before and holds v2 afterwards.
  swap  : q(ref τ) → τ → L(q(ref τ) ⊗ τ)          (contents keep their type)
  swap! : L(ref τ1) → τ2 → L(L(ref τ2) ⊗ τ1)      (strong update: the contents change type)
  swap! : A(ref τ1) → τ2 → L(A(ref τ2) ⊗ τ1)
The slides step through swap Ll v2 and swap Al v2.
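As an added example (not code from the paper or the talk), this Python simulation tracks a store together with its store typing so that the two slides above can be watched in action: `swap` changes the recorded contents type of a location (a strong update), and `free` on a reference that has been copied leaves the other copy dangling. The class `TypedStore`, its methods `new`, `read`, `free` and `swap`, the exception `DanglingLocation`, the string-encoded types and the two trace functions are this example's assumptions, not the calculus' syntax.

```python
# Added example (not the paper's code): a typed-store simulation of new, free and swap!.
# Each location records the qualifier of the reference and the type of its contents;
# contents types are plain strings such as "U1" (unrestricted unit) or "Uint".


class DanglingLocation(Exception):
    """Raised when a location is used after it was freed."""


class TypedStore:
    def __init__(self):
        self.contents = {}   # location -> value
        self.typing = {}     # location -> (reference qualifier, contents type)
        self.counter = 0

    def new(self, q, value, ty):
        """new: allocate a fresh location with reference qualifier q holding value : ty."""
        self.counter += 1
        loc = f"l{self.counter}"
        self.contents[loc] = value
        self.typing[loc] = (q, ty)
        return loc

    def read(self, loc):
        if loc not in self.contents:
            raise DanglingLocation(loc)
        return self.contents[loc]

    def free(self, loc):
        """free : q(ref τ) → τ: remove the location from the store and hand back its contents."""
        if loc not in self.contents:
            raise DanglingLocation(loc)
        del self.typing[loc]
        return self.contents.pop(loc)

    def swap(self, loc, value, ty):
        """swap! : q(ref τ1) → τ2 → L(q(ref τ2) ⊗ τ1): store value : τ2 and return the old
        contents : τ1.  When ty differs from the old contents type this is a strong
        update, visible here as a change in the store typing of loc."""
        if loc not in self.contents:
            raise DanglingLocation(loc)
        old = self.contents[loc]
        self.contents[loc] = value
        self.typing[loc] = (self.typing[loc][0], ty)
        return loc, old


def strong_update_trace():
    """A linear reference created holding the unit value is swapped to hold an int.
    Returns the contents type before and after the swap, and the value swapped out."""
    s = TypedStore()
    loc = s.new("L", (), "U1")
    before = s.typing[loc][1]
    loc, old = s.swap(loc, 42, "Uint")
    after = s.typing[loc][1]
    # -> ("U1", "Uint", ())
    return before, after, old


def free_after_copy_dangles():
    """copy Ul → <Ul, Ul> makes both copies the same location.  Free one copy, then
    read through the other.  Returns True when the read hits a dangling location,
    which is the hazard that restricting free and swap! to references that cannot
    have been copied avoids."""
    s = TypedStore()
    loc = s.new("U", (), "U1")
    alias = loc          # the second copy produced by copy Ul
    s.free(alias)
    try:
        s.read(loc)
    except DanglingLocation:
        return True
    return False


if __name__ == "__main__":
    print(strong_update_trace())
    print(free_after_copy_dangles())
```

The simulation does not type-check expressions; it only records what a well-typed program would have to guarantee. A linear or affine reference has a single occurrence, so after `swap` the store typing can change without any other reference holding the stale type, and after `free` no other reference can observe the missing location.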
Operations on Substructural State
[Table: rows new, free, swap!, read, write!; columns the reference qualifier Ref ∈ {U, R, A, L} against the contents qualifier (“Contents and Ops”), divided into shared (U, R) and unique (A, L) regions. Successive slides highlight the region occupied by C / Java / SML, by Clean / Cyclone, and by Vault.]
Type Safety
- There is no fundamental difficulty in pursuing a syntactic proof of type safety; in fact, we have carried out a proof using the Twelf logical framework, based on the standard syntactic approach. But syntactic proofs only go so far.
- Type safety of the language may instead be proven by showing the soundness of the typing rules with respect to a model:
  - simpler typing rules: store typings do not appear in the judgments
  - stronger meta-theoretic results: ⟦∀α.τ⟧ ranges over all semantic types, not just syntactic types
  - compatible with Appel’s FPCC project: a well-founded, set-theoretic model amenable to formalization in higher-order logic
  - scales to binary logical relations for proving equivalence of programs [Ahmed POPL’06]
A Model of Substructural State
See the paper for (many) more details. Key insights:
- Local store typings: the types of the locations that are sub-expressions of a value
- Merge of local store typings: no unique location in both local store typings; identical types for shared locations in both
- Step-indexed technique [Appel-McAllester ’01], [Ahmed-Appel-Virga ’03]
Conclusion and Future Work
- Core language, type system, and model: a framework for comparing high-level designs
- Model more advanced features:
  - Cyclone: the alias construct allows a unique pointer to be treated as shared for a limited scope
  - Vault: the focus construct allows a shared object to be treated as unique for a limited scope
Structural Lemmas
- Exchange: If Γ1, x1:τ1, x2:τ2, Γ2 ⊢ e : τ, then Γ1, x2:τ2, x1:τ1, Γ2 ⊢ e : τ.
- Contraction (Duplicate): If Γ1, x1:τx, x2:τx, Γ2 ⊢ e : τ, then Γ1, x:τx, Γ2 ⊢ e[x/x1][x/x2] : τ.
- Weakening (Discard): If Γ ⊢ e : τ, then Γ, x:τx ⊢ e : τ.
Substructural Qualifiers and the structural properties they keep
- Linear: Exchange
- Affine: Exchange, Weakening
- Relevant: Exchange, Contraction
- Unrestricted: Exchange, Contraction, Weakening
Structural Lemmas Revisited
- Contraction: If q ⊑ R and Γ1, x1:qτx, x2:qτx, Γ2 ⊢ e : τ, then Γ1, x:qτx, Γ2 ⊢ e[x/x1][x/x2] : τ.
- Weakening: If q ⊑ A and Γ ⊢ e : τ, then Γ, x:qτx ⊢ e : τ.
(Here ⊑ is the order of the qualifier diamond, with U at the bottom and L at the top: U ⊑ A ⊑ L and U ⊑ R ⊑ L.)
A Model of Substructural State
- Model a type as a set of tuples of qualifier, value, and local store typing:
    ⟦τ⟧ ::= { (q, v, ψ), … }        Type = ℘(Qual × Value × LocalStore)
- Model a local store typing as a partial map from locations to qualifiers and types:
    ψ ::= { l ↦ (q, ⟦τ⟧), … }        LocalStore = Locs ⇀ (Qual × Type)
- The cardinality problem (Type and LocalStore are defined in terms of each other through a powerset) is handled by stratifying the definitions with the number of steps left to run the program [Appel-McAllester ’01], [Ahmed-Appel-Virga ’03].
- The local store typing ψ of a value v is only defined on those locations that appear as sub-expressions of v; further restrictions rule out references.
A Model of Substructural State: why only a local store typing?
Running example: a pair ⟨x, y⟩ reaching the locations l1 (L), l2 (L), l3 (U) and l4 (A); the global store typing also lists l9 (L).
- A global store typing Ψ (Ψ = Ψx = Ψy = Ψl1 = Ψl2 = …) does not distinguish the “real” occurrence of a unique reference.
- A “reachable” store typing (Ψx for x, Ψy for y, and Ψl1, Ψl2, Ψl3 for the contents of each location) does not distinguish shared and exclusive unique references.
- A local store typing (ψx, ψy, ψl1, ψl2, ψl3) does: storing a unique object in a shared reference “hides” the unique object, i.e. the unique object becomes local to the reference.
- When does a global store σ satisfy a local store typing ψ?
Store Satisfaction
σ : ψ when there exists a set of locations reachable from dom(ψ) such that the local store typings of all reachable locations merge in a compatible manner into a global store typing that describes the store:
- a unique location may not appear more than once
- a shared location must appear with the same type everywhere it appears
This is similar to a garbage collector: dom(ψ) are the roots, and the child locations are traced from the contents of each reachable location.
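As an added example (not code from the paper or the talk), the following Python simulation implements the merge of local store typings from the "Key insights" slide and the garbage-collector-like trace of the "Store Satisfaction" slide, on a constructed store shaped like the ⟨x, y⟩ diagram. The tuple encoding of values, the string-encoded contents types, the names `merge`, `local_store_typing`, `satisfies`, `sample_store` and `check`, and the particular placement of l9 inside l3 are this example's assumptions; the simulation merges typings but does not type-check the stored values themselves.

```python
# Added example (not the paper's code): local store typings and store satisfaction.
# Values are tuples (this example's notation):
#   ("unit",)                  the empty tuple
#   ("pair", q, v1, v2)        a pair with qualifier q
#   ("loc", q, l, ty)          location l with reference qualifier q, whose contents
#                              have type ty (kept as a string here)
# A store σ is a dict from location to the value it holds.

UNIQUE = {"L", "A"}   # may be used at most once
SHARED = {"U", "R"}   # may be used more than once


class StoreTypingError(Exception):
    pass


def merge(psi1, psi2):
    """Merge two local store typings: no unique location may occur in both, and a
    shared location occurring in both must carry the same type."""
    out = dict(psi1)
    for loc, (q, ty) in psi2.items():
        if loc not in out:
            out[loc] = (q, ty)
        elif q in UNIQUE or out[loc][0] in UNIQUE:
            raise StoreTypingError(f"unique location {loc} appears more than once")
        elif out[loc] != (q, ty):
            raise StoreTypingError(f"shared location {loc} appears with types {out[loc]} and {(q, ty)}")
    return out


def local_store_typing(v):
    """ψ of a value: defined only on the locations that occur as sub-expressions of v."""
    if v[0] == "unit":
        return {}
    if v[0] == "loc":
        _, q, loc, ty = v
        return {loc: (q, ty)}
    if v[0] == "pair":
        return merge(local_store_typing(v[2]), local_store_typing(v[3]))
    raise ValueError(f"unknown value {v!r}")


def satisfies(sigma, psi):
    """σ : ψ, traced like a garbage collector: dom(ψ) are the roots, and the local store
    typing of each reachable location's contents is merged into a global store typing Ψ.
    A unique location stored in a shared one is therefore seen once, local to that
    reference.  Returns Ψ, or raises StoreTypingError when a merge is incompatible."""
    big_psi = dict(psi)
    worklist = list(psi)
    traced = set()
    while worklist:
        loc = worklist.pop()
        if loc in traced:
            continue
        traced.add(loc)
        if loc not in sigma:
            raise StoreTypingError(f"location {loc} is not in the store")
        child = local_store_typing(sigma[loc])
        big_psi = merge(big_psi, child)
        worklist.extend(child)
    return big_psi


def sample_store():
    """Constructed store modelled on the slides' diagram: x and y each hold a linear
    location of their own (l1, l2) and share the unrestricted location l3, which here
    holds the linear location l9; l9 holds the affine location l4."""
    x = ("pair", "L", ("loc", "L", "l1", "U1"), ("loc", "U", "l3", "L(ref A1)"))
    y = ("pair", "L", ("loc", "L", "l2", "U1"), ("loc", "U", "l3", "L(ref A1)"))
    sigma = {
        "l1": ("unit",),
        "l2": ("unit",),
        "l3": ("loc", "L", "l9", "A1"),
        "l9": ("loc", "A", "l4", "U1"),
        "l4": ("unit",),
    }
    return ("pair", "L", x, y), sigma


def check(value, sigma):
    """Returns the merged global store typing, or None if σ : ψ fails."""
    try:
        return satisfies(sigma, local_store_typing(value))
    except StoreTypingError:
        return None


if __name__ == "__main__":
    root, sigma = sample_store()
    print(check(root, sigma))          # the five locations, l9 counted once under l3
    bad = ("pair", "L", ("loc", "L", "l1", "U1"), ("loc", "L", "l1", "U1"))
    print(check(bad, sigma))           # None: the linear l1 occurs twice
```

Two further failures show the two merge conditions separately: if the store is changed so that l3 holds the linear l1 that is already a root, the trace rejects it as a second occurrence of a unique location; if y names l3 with a different contents type than x does, the shared-location rule rejects it before the trace even starts.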