A Model of Substructural State
Matthew Fluet, Cornell University
Feb. 25, 2005
Introduction
Forms of “uniqueness” are appearing in programming languages:
- Cyclone – affine pointers, which may be discarded but not duplicated; they allow fine-grained memory management.
- Vault – linear keys, which may be neither discarded nor duplicated; they enforce resource management protocols.
- C / Java / SML – unrestricted objects, which may be both discarded and duplicated.
Introduction
But programming with only unique objects is much too painful.
Both Cyclone and Vault allow a programmer to put unique objects in shared objects, and impose a variety of restrictions to ensure that these mixed objects behave in a safe manner.
Introduction
Natural to study a core language with mutable references of all flavors.
Qualifiers

                Linear
        Discard /      \ Duplicate
          Affine        Relevant
                \      /
             Unrestricted
          (Discard, Duplicate)

Unique objects (Linear, Affine) – may be “used” at most once.
Shared objects (Relevant, Unrestricted) – may be copied.
Must be “used” at least once: Linear, Relevant.
May be dropped: Affine, Unrestricted.
Introduction
Natural to study a core language with mutable references of all qualifiers. This raises design questions:
- What does it mean to copy or drop a ref?
- What operations make sense on different refs?
- What combinations of qualifiers for a reference and its contents make sense?
- Can one construct a reasonable model for such a language?
Outline
- A Substructural Type System
- … with References
- Model Teaser
A Substructural Type System
Qualifiers   $q ::= U \mid R \mid A \mid L$
PreTypes     $\bar\tau ::= 1 \mid \tau_1 \otimes \tau_2 \mid \tau_1 \multimap \tau_2$
Types        $\tau ::= q\,\bar\tau$
A Substructural Type System
Non-examples: $U(A\tau_1 \otimes A\tau_2)$, $U(R\tau_1 \otimes R\tau_2)$, $U(L\tau_1 \otimes L\tau_2)$
- copy: $\langle v_1, v_2 \rangle \to \langle \langle v_1, v_2 \rangle, \langle v_1, v_2 \rangle \rangle$; $v_1$ and $v_2$ may be used more than once.
- drop: $\langle v_1, v_2 \rangle \to \langle \rangle$; $v_1$ and $v_2$ are not used.
… with References
PreTypes     $\bar\tau ::= \ldots \mid \mathrm{ref}\ \tau$

Examples? $U(\mathrm{ref}\ U\tau)$, $U(\mathrm{ref}\ R\tau)$, $U(\mathrm{ref}\ A\tau)$, $U(\mathrm{ref}\ L\tau)$
- copy: $\ell \to \langle \ell, \ell \rangle$; $\ell$ may be used more than once, but the contents are not copied.
- drop: $\ell \to \langle \rangle$; $\ell$ is not used, and the contents are dropped.
Operations on Substructural State

Ref      Ops                           Contents   Ops
shared   new, weak updates             U          read, write, swap
unique   new, free, strong updates     R          read, swap
                                       A          write, swap
                                       L          swap

(Read leaves the contents in the store and returns a copy, so the contents must be duplicable; write discards the old contents, so they must be discardable; swap neither copies nor discards.)
A Model of Substructural State
Model a type as a set of tuples of qualifier, value, and local store type:
  $[\![\tau]\!] ::= \{ (q, \psi, v), \ldots \}$
Model a local store type as a partial map from locations to qualifiers and types:
  $\psi ::= \{ \ell \mapsto (q, [\![\tau]\!]), \ldots \}$
The local store type of $v$ is only defined on those locations that appear as sub-expressions of $v$.
Further restrictions to rule out stores
A Model of Substructural State
Why only a local store type?
- Storing a unique object in a shared reference “hides” the unique object.
- Using the global store, it is difficult to identify the “real” occurrence of a unique location.
A Model of Substructural State
How can we check that a global store satisfies a local store type? Use a garbage collector.
Store Satisfaction
(Figure: a store $\sigma$ with locations $\ell_1, \ldots, \ell_9$ and a local store type $\psi$ with $\ell_1 \mapsto \tau_1$, $\ell_2 \mapsto \tau_2$, $\ell_3 \mapsto \tau_3$; these are the roots.)

The store $\sigma$ satisfies $\psi$ if there exists a set of locations $N$ (the non-roots; in the figure $\ell_4, \ell_5, \ell_6, \ell_7, \ell_9$) and local store types $\psi_\ell$ for $\ell \in \mathrm{dom}(\psi) \uplus N$, where $\psi_\ell$ describes the child locations traced from the contents of $\ell$, that merge into a global store type
  $\Psi^* = \psi \odot \bigodot_{\ell \in \mathrm{dom}(\psi) \uplus N} \psi_\ell$
The merge requires that the local store types are compatible (non-contradictory), and that a unique location is not traced more than once.

The global store type then describes the store: $\sigma : \Psi^*$, with $\ell_1 \mapsto v_1 : \tau_1$, …, $\ell_7 \mapsto v_7 : \tau_7$, $\ell_9 \mapsto v_9 : \tau_9$; a location not traced from the roots (in the figure $\ell_8 \mapsto v_8$) is not in $\mathrm{dom}(\Psi^*)$ and receives no type.
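The tracing check above, as an added example that is not part of the slides: it models types by their qualifiers only and takes a value's local store type to be the locations occurring in it (both simplifications are assumptions of this example, not the slides' model), and the store it runs on is constructed to follow the figure.

```python
# Added example (not from the slides): a garbage-collector-style check that a global
# store satisfies a local store type, as on the Store Satisfaction slides.  Types are
# reduced to qualifiers and a value's local store type is the set of locations
# occurring in it (an assumption that keeps the example small).
from dataclasses import dataclass
ABOVE = {"U": {"U", "R", "A", "L"}, "R": {"R", "L"}, "A": {"A", "L"}, "L": {"L"}}
def shared(q): return "R" in ABOVE[q]      # shared = duplicable, i.e. q <= R

@dataclass(frozen=True)
class Ref:                                 # a location inside a value, with its ref qualifier
    loc: str
    qual: str

def merge(psi1, psi2):
    """Merge local store types; they must agree, and a unique (A, L) location
    may occur in only one of them: it is traced at most once."""
    out = dict(psi1)
    for loc, q in psi2.items():
        if loc in out and out[loc] != q:
            raise ValueError(f"{loc} typed both {out[loc]} and {q}")
        if loc in out and not shared(q):
            raise ValueError(f"unique location {loc} traced twice")
        out[loc] = q
    return out

def local_store(v):
    """psi of a value: only the locations that appear as sub-expressions of v."""
    if isinstance(v, Ref):
        return {v.loc: v.qual}
    psi = {}
    for child in (v if isinstance(v, tuple) else ()):   # leaves contribute nothing
        psi = merge(psi, local_store(child))
    return psi

def satisfies(store, roots):
    """Return Psi* = roots merged with psi_l for each l traced from the roots."""
    psi_star, worklist, traced = dict(roots), list(roots), set()
    while worklist:
        loc = worklist.pop()
        if loc in traced: continue
        traced.add(loc)
        psi_loc = local_store(store[loc])   # KeyError: a traced location is dangling
        psi_star = merge(psi_star, psi_loc)
        worklist.extend(psi_loc)            # children of l are the non-roots N
    return psi_star

# Constructed store in the shape of the slides' figure: roots l1..l3, l8 unreachable.
STORE = {"l1": (Ref("l4", "L"), Ref("l7", "U")), "l2": Ref("l9", "U"), "l3": Ref("l6", "A"),
         "l4": Ref("l5", "U"), "l5": 0, "l6": 1, "l7": 2, "l8": 3, "l9": 4}
ROOTS = {"l1": "U", "l2": "L", "l3": "U"}
```

Running `satisfies(STORE, ROOTS)` yields a global store type that types every location except the untraced l8; making the linear location l4 reachable from a second value makes the merge fail.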
Conclusion and Future Work
Core language, type system, and model.
Model more advanced features:
- Cyclone – alias construct: allows a unique pointer to be treated as shared for a limited scope.
- Vault – focus construct: allows a shared object to be treated as unique for a limited scope.
Structural Lemmas
Exchange: If $\Gamma_1, x_1{:}\tau_1, x_2{:}\tau_2, \Gamma_2 \vdash e : \tau$, then $\Gamma_1, x_2{:}\tau_2, x_1{:}\tau_1, \Gamma_2 \vdash e : \tau$.
Contraction (Duplicate): If $\Gamma_1, x_1{:}\tau_x, x_2{:}\tau_x, \Gamma_2 \vdash e : \tau$, then $\Gamma_1, x{:}\tau_x, \Gamma_2 \vdash e[x/x_1][x/x_2] : \tau$.
Weakening (Discard): If $\Gamma \vdash e : \tau$, then $\Gamma, x{:}\tau_x \vdash e : \tau$.
Qualifiers and Structural Lemmas
- Linear: Exchange
- Affine: Exchange, Weakening
- Relevant: Exchange, Contraction
- Unrestricted: Exchange, Contraction, Weakening

Structural Lemmas Revisited
Contraction: If $q \preceq R$ and $\Gamma_1, x_1{:}q\tau_x, x_2{:}q\tau_x, \Gamma_2 \vdash e : \tau$, then $\Gamma_1, x{:}q\tau_x, \Gamma_2 \vdash e[x/x_1][x/x_2] : \tau$.
Weakening: If $q \preceq A$ and $\Gamma \vdash e : \tau$, then $\Gamma, x{:}q\tau_x \vdash e : \tau$.
Operational Semantics
Stores   $\sigma ::= \{ \ell_1 \mapsto v_1, \ldots, \ell_n \mapsto v_n \}$
$(\sigma, \mathrm{new}\ v) \to (\sigma \uplus \{ \ell \mapsto v \}, \ell)$
$(\sigma \uplus \{ \ell \mapsto v \}, \mathrm{free}\ \ell) \to (\sigma, v)$
$(\sigma \uplus \{ \ell \mapsto v \}, \mathrm{rd}\ \ell) \to (\sigma \uplus \{ \ell \mapsto v \}, \langle \ell, v \rangle)$
$(\sigma \uplus \{ \ell \mapsto v_1 \}, \mathrm{wr}\ \ell\ v_2) \to (\sigma \uplus \{ \ell \mapsto v_2 \}, \ell)$
$(\sigma \uplus \{ \ell \mapsto v_1 \}, \mathrm{sw}\ \ell\ v_2) \to (\sigma \uplus \{ \ell \mapsto v_2 \}, \langle \ell, v_1 \rangle)$
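The five reduction rules together with the operations table, as an added example that is not part of the slides: a small store interpreter in which each cell records the reference's qualifier and its contents' qualifier, and each operation is rejected when it would duplicate or discard contents that the qualifier forbids. Weak updates are approximated by requiring the contents qualifier to stay the same (an assumption of this example; the slides speak of the contents type).

```python
# Added example (not from the slides): an interpreter for the new/free/rd/wr/sw rules
# above, with the checks of the "Operations on Substructural State" table.  Values
# carry their qualifier explicitly (a simplification; the type system tracks it).
# Qualifier lattice of the slides: U below A and R, both below L (A, R incomparable).
ABOVE = {"U": {"U", "R", "A", "L"}, "R": {"R", "L"}, "A": {"A", "L"}, "L": {"L"}}
def leq(q1, q2): return q2 in ABOVE[q1]       # q1 is at or below q2
def duplicable(q): return leq(q, "R")         # Contraction holds iff q <= R
def discardable(q): return leq(q, "A")        # Weakening holds iff q <= A

class Store:
    """Cells map a location to (ref qualifier, contents qualifier, payload)."""
    def __init__(self):
        self.cells, self.fresh = {}, 0

    def new(self, ref_q, val_q, v):              # (s, new v) -> (s + {l -> v}, l)
        self.fresh += 1
        self.cells[self.fresh] = (ref_q, val_q, v)
        return self.fresh

    def free(self, loc):                         # (s + {l -> v}, free l) -> (s, v)
        ref_q, val_q, v = self.cells[loc]
        if duplicable(ref_q):                    # only unique (A, L) refs may be freed
            raise TypeError("free on a shared reference")
        del self.cells[loc]
        return val_q, v

    def rd(self, loc):                           # rd l -> <l, v>; v stays, so it is copied
        _, val_q, v = self.cells[loc]
        if not duplicable(val_q):
            raise TypeError(f"read would duplicate {val_q} contents")
        return loc, (val_q, v)

    def wr(self, loc, val_q2, v2):               # wr l v2 -> l; old contents discarded
        ref_q, val_q1, _ = self.cells[loc]
        if not discardable(val_q1):
            raise TypeError(f"write would discard {val_q1} contents")
        self._update(loc, ref_q, val_q1, val_q2, v2)
        return loc

    def sw(self, loc, val_q2, v2):               # sw l v2 -> <l, v1>; nothing copied or lost
        ref_q, val_q1, v1 = self.cells[loc]
        self._update(loc, ref_q, val_q1, val_q2, v2)
        return loc, (val_q1, v1)

    def _update(self, loc, ref_q, val_q1, val_q2, v2):
        # Shared refs allow only weak updates, so the contents type must be kept
        # (assumption: the contents qualifier stands in for the full type here).
        if duplicable(ref_q) and val_q1 != val_q2:
            raise TypeError("weak update must keep the contents type")
        self.cells[loc] = (ref_q, val_q2, v2)
```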
A Model of Substructural State
Model a type as a set of tuples:
  $\mathrm{PreType} = \wp(\mathrm{Qual} \times \mathrm{Value} \times \mathrm{LocStore})$
  $\mathrm{Type} = \mathrm{PreType}$
Model a local store type as a partial map:
  $\mathrm{LocStore} = \mathrm{Locs} \rightharpoonup (\mathrm{Qual} \times \mathrm{Type})$
The cardinality problem (Type is defined in terms of LocStore, which is defined in terms of Type) is handled by stratifying the definitions with the “number of steps to run the program”.

Refined definitions:
  $\mathrm{PreType} = \{ \chi \in \wp(\mathrm{Qual} \times \mathrm{Value} \times \mathrm{LocStore}) \mid \text{for all } (q, v, \psi) \in \chi, \text{ each location in } \psi \text{ is mapped to a qualifier } \preceq q \}$
  $\mathrm{Type} = \{ \chi \in \mathrm{PreType} \mid \text{all qualifiers in } \chi \text{ are the same} \}$
  $\mathrm{LocStore} = \{ \psi \in \mathrm{Locs} \rightharpoonup (\mathrm{Qual} \times \mathrm{Type}) \mid \text{each location is mapped to a type consistent with the location's qualifier} \}$