A Step-Indexed Model of Substructural State

A Step-Indexed Model of Substructural State
Matthew Fluet Cornell University Amal Ahmed Greg Morrisett Harvard University

Introduction Mutable state is here to stay Sept. 26, 2005

Introduction Mutable state is here to stay
high-level – I/O, data structures low-level – virtual machines, garbage collector Sept. 26, 2005

Introduction Mutable state is hard to control Sept. 26, 2005

Introduction Mutable state is hard to control
C / Java / SML – unrestricted objects Sept. 26, 2005

Various forms of uniqueness have appeared as a means to “tame” state Sept. 26, 2005

Various forms of uniqueness have appeared as a means to “tame” state Clean – uniqueness types I/O operations in a purely-functional language Cyclone – unique pointers fine-grained memory management Vault – unique keys resource management protocols Sept. 26, 2005

Unique objects alone are too restrictive Sept. 26, 2005

Unique objects alone are too restrictive Only tree-like data structures Only single paths to a unique object Sept. 26, 2005

Unique objects alone are too restrictive Only tree-like data structures Only single paths to a unique object fun f () = … lr … fun g () = … lr … lr -- unique resource Sept. 26, 2005

Unique objects alone are too restrictive Cyclone and Vault allow programs to store unique objects in shared objects Sept. 26, 2005

Unique objects alone are too restrictive Cyclone and Vault allow programs to store unique objects in shared objects fun f () = … ls … fun g () = … ls … ls lr -- shared object lr -- unique resource Sept. 26, 2005

Unique objects alone are too restrictive Cyclone and Vault allow programs to store unique objects in shared objects Safety of mixed objects requires some restrictions Sept. 26, 2005

Unique objects alone are too restrictive Cyclone and Vault allow programs to store unique objects in shared objects Safety of mixed objects requires some restrictions Cyclone and Vault have different interpretations of “unique” and “shared” Sept. 26, 2005

So, they have different sets of restrictions (i.e., type-systems)
Introduction Mutable state is hard to control Unique objects alone are too restrictive Cyclone and Vault allow programs to store unique objects in shared objects Safety of mixed objects requires some restrictions Cyclone and Vault have different interpretations of “unique” and “shared” So, they have different sets of restrictions (i.e., type-systems) Sept. 26, 2005

Introduction How do we compare and evaluate these languages?
Mutable state is hard to control Unique objects alone are too restrictive Cyclone and Vault allow programs to store unique objects in shared objects Safety of mixed objects requires some restrictions Cyclone and Vault have different interpretations of “unique” and “shared” So, they have different sets of restrictions (i.e., type-systems) This is an important point for us as researchers: high-level design papers tout “unique under shared” as a technical contribution, we should be critical of these claims when the technical meaning of “unique” and “shared” are not made concrete Sept. 26, 2005

Introduction Can we generalize the interpretations and restrictions?
Mutable state is hard to control Unique objects alone are too restrictive Cyclone and Vault allow programs to store unique objects in shared objects Safety of mixed objects requires some restrictions Cyclone and Vault have different interpretations of “unique” and “shared” So, they have different sets of restrictions (i.e., type-systems) Sept. 26, 2005

Introduction Can we define an expressive target language?
Mutable state is hard to control Unique objects alone are too restrictive Cyclone and Vault allow programs to store unique objects in shared objects Safety of mixed objects requires some restrictions Cyclone and Vault have different interpretations of “unique” and “shared” So, they have different sets of restrictions (i.e., type-systems) Sept. 26, 2005

Introduction We study a core language with mutable references
Sept. 26, 2005

Introduction We study a core language with mutable references
deallocation of references strong (type-varying) updates storage of unique objects in shared references Sept. 26, 2005

Introduction We study a core language with mutable references of all qualifiers Sept. 26, 2005

Introduction We study a core language with mutable references of all qualifiers Unrestricted – like C / Java / SML Affine – like Clean and Cyclone Linear – like Vault Sept. 26, 2005

Introduction We study a core language with mutable references of all qualifiers Unrestricted – like C / Java / SML Relevant Affine – like Clean and Cyclone Linear – like Vault Sept. 26, 2005

Outline A Substructural Type System … with References Model Teaser
Sept. 26, 2005

Structural Properties
Conventional type systems satisfy Exchange use typing assumptions in any order Contraction use typing assumptions more than once Weakening use typing assumptions less than once Sept. 26, 2005

Conventional type systems satisfy Exchange use typing assumptions in any order Contraction – Copy use typing assumptions more than once Weakening – Drop use typing assumptions less than once Sept. 26, 2005

Substructural type systems fail to satisfy Exchange use typing assumptions in any order Contraction – Copy use typing assumptions more than once Weakening – Drop use typing assumptions less than once Sept. 26, 2005

Substructural Qualifiers
Linear Affine Drop Relevant Copy Unrestricted Drop Copy Sept. 26, 2005

Unique objects – may be “used” at most once Linear Affine Drop Relevant Copy Unrestricted Drop Copy Shared objects – may be “used” more than once Sept. 26, 2005

Linear Essential objects – must be “used” at least once Affine Drop Relevant Copy Inessential objects – may be “used” less than once Unrestricted Drop Copy Sept. 26, 2005

A Substructural Type System
Qualifiers q ::= U j R j A j L PreTypes t ::= 1 j t1 t2 j t1 ( t2 Types t ::= qt Sept. 26, 2005

Qualifiers q ::= U j R j A j L PreTypes t ::= 1 j t1 t2 j t1 ( t2 Types t ::= qt How may the value be used? Sept. 26, 2005

Qualifiers q ::= U j R j A j L PreTypes t ::= 1 j t1 t2 j t1 ( t2 Types t ::= qt How often may the value be used? How may the value be used? Sept. 26, 2005

Copy with Pairs copy UhLv1,Lv2i ! hUhLv1,Lv2i, UhLv1,Lv2ii
U(Lt1 Lt2) U(At1 At2)  Sept. 26, 2005

hv1, v2i may be used more than once
Copy with Pairs copy UhLv1,Lv2i ! hUhLv1,Lv2i, UhLv1,Lv2ii U(Lt1 Lt2) U(At1 At2)  hv1, v2i may be used more than once Sept. 26, 2005

v1 and v2 may be used more than once
Copy with Pairs copy UhLv1,Lv2i ! hUhLv1,Lv2i, UhLv1,Lv2ii U(Lt1 Lt2) U(At1 At2)  v1 and v2 may be used more than once Sept. 26, 2005

Copy with Pairs copy UhLv1,Lv2i ! hUhLv1,Lv2i, UhLv1,Lv2ii
U(Lt1 Lt2) U(At1 At2)  Sept. 26, 2005

Copy with Pairs copy UhAv1,Av2i ! hUhAv1,Av2i, UhAv1,Av2ii
U(Lt1 Lt2) U(At1 At2)  Sept. 26, 2005

Copy with Pairs copy UhUv1,Uv2i ! hUhUv1,Uv2i, UhUv1,Uv2ii
U(Lt1 Lt2) U(At1 At2)  U(Ut1 Ut2)  Sept. 26, 2005

Drop with Pairs drop UhLv1,Lv2i ! hi U(Lt1 Lt2) U(Rt1 Rt2) 
Sept. 26, 2005

hv1, v2i is not used Sept. 26, 2005

v1 and v2 are not used Sept. 26, 2005

Sept. 26, 2005

Drop with Pairs drop UhRv1,Rv2i ! hi U(Lt1 Lt2) U(Rt1 Rt2) 
Sept. 26, 2005

Drop with Pairs drop UhUv1,Uv2i ! hi U(Lt1 Lt2) U(Rt1 Rt2) 
U(Ut1 Ut2)  Sept. 26, 2005

… with References PreTypes Expressions t ::= … j ref t
e ::= … j new e j free e e ::= … j read e j write e1 e2 j swap e1 e2 Sept. 26, 2005

… with References PreTypes Raises design questions: t ::= … j ref t
What does it mean to copy or drop a ref? What operations make sense on different refs? What combinations make sense for the qualifier and contents of a ref? Sept. 26, 2005

Copy & Drop with References
copy Ul ! hUl, Uli drop Ul ! hi Lv Lv U(ref Lt) U(ref Rt)  U(ref Ut) U(ref At)  Sept. 26, 2005

copy Ul ! hUl, Uli drop Ul ! hi Lv Lv U(ref Lt) U(ref Rt)  U(ref Ut) U(ref At)  l may be used more than once; but contents are not copied Sept. 26, 2005

copy Ul ! hUl, Uli drop Ul ! hi Lv Lv Lv Lv U(ref Lt) U(ref Rt)  U(ref Ut) U(ref At)  Sept. 26, 2005

copy Ul ! hUl, Uli drop Ul ! hi Lv Lv Lv Lv U(ref Lt) U(ref Rt)  U(ref Ut) U(ref At)  l is not used; and contents are (implicitly) dropped Sept. 26, 2005

copy Ul ! hUl, Uli drop Ul ! hi Lv Lv Lv Lv U(ref Ut) U(ref At)  U(ref Lt) U(ref Rt)  Sept. 26, 2005

copy Ul ! hUl, Uli drop Ul ! hi Rv Rv Rv Rv U(ref Lt) U(ref Rt)  U(ref Ut) U(ref At)  Sept. 26, 2005

copy Ul ! hUl, Uli drop Ul ! hi Uv Uv Uv Uv U(ref Lt) U(ref Rt)  U(ref Ut) U(ref At)  Sept. 26, 2005

copy Ul ! hUl, Uli drop Ul ! hi Av Av Av Av U(ref Lt) U(ref Rt)  U(ref Ut) U(ref At)  Sept. 26, 2005

Deallocation qv free Ll ! qv free : L(ref t) ! t 
free : A(ref t) ! t  free : R(ref t) ! t  free : U(ref t) ! t  qv Sept. 26, 2005

Deallocation qv free Al ! qv free : L(ref t) ! t 

Deallocation qv free Ul ! qv free : L(ref t) ! t 

Deallocation qv free Rl ! qv free : L(ref t) ! t 

Swap swap ql v ! hql, v1i swap : q(ref t) ! t ! L(q(ref t) t)  swap! : L(ref t1) ! t2 ! L(L(ref t2) t1)  swap! : A(ref t1) ! t2 ! L(A(ref t2) t1)  v1 v2 Sept. 26, 2005

Swap swap Ll v ! hLl, v1i swap : q(ref t) ! t ! L(q(ref t) t)  swap! : L(ref t1) ! t2 ! L(L(ref t2) t1)  swap! : A(ref t1) ! t2 ! L(A(ref t2) t1)  v1 v2 Sept. 26, 2005

Swap swap Al v ! hAl, v1i swap : q(ref t) ! t ! L(q(ref t) t)  swap! : L(ref t1) ! t2 ! L(L(ref t2) t1)  swap! : A(ref t1) ! t2 ! L(A(ref t2) t1)  v1 v2 Sept. 26, 2005

Operations on Substructural State
 new free swap! read write! Contents and Ops Ref U R A L shared unique Sept. 26, 2005

C Java SML Operations on Substructural State  new free swap! read write! shared unique Contents and Ops Ref U R A L Sept. 26, 2005

Clean Cyclone Operations on Substructural State  new free swap! read write! shared unique Contents and Ops Ref U R A L Sept. 26, 2005

Vault Operations on Substructural State  new free swap! read write! shared unique Contents and Ops Ref U R A L Sept. 26, 2005

Type Safety No fundamental difficulty in pursuing a syntactic proof of type safety Sept. 26, 2005

Type Safety No fundamental difficulty in pursuing a syntactic proof of type safety In fact, we have carried out a proof using the Twelf logical framework, based on the standard syntactic approach Sept. 26, 2005

Type Safety No fundamental difficulty in pursuing a syntactic proof of type safety In fact, we have carried out a proof using the Twelf logical framework, based on the standard syntactic approach But, syntactic proofs only go so far Sept. 26, 2005

Type Safety Type safety of the language may be proven by showing the soundness of the typing rules with respect to a model Sept. 26, 2005

Type Safety Type safety of the language may be proven by showing the soundness of the typing rules with respect to a model Simpler typing rules Store typing does not appear in judgments Sept. 26, 2005

Type Safety Type safety of the language may be proven by showing the soundness of the typing rules with respect to a model Simpler typing rules Stronger meta-theoretic results «8a.t¬: forall semantic types, not just syntactic types Sept. 26, 2005

Type Safety Type safety of the language may be proven by showing the soundness of the typing rules with respect to a model Simpler typing rules Stronger meta-theoretic results Compatible with Appel’s FPCC project Well-founded, set-theoretic model amenable to formalization in higher-order logic Sept. 26, 2005

Type Safety Type safety of the language may be proven by showing the soundness of the typing rules with respect to a model Simpler typing rules Stronger meta-theoretic results Compatible with Appel’s FPCC project Scales to binary logical relations for proving equivalence of programs [Ahmed POPL’06] Sept. 26, 2005

A Model of Substructural State
See paper for (many) more details Sept. 26, 2005

See paper for (many) more details Key insights Sept. 26, 2005

See paper for (many) more details Key insights Local store typings types of locations that are sub-exprs of a value Sept. 26, 2005

See paper for (many) more details Key insights Local store typings types of locations that are sub-exprs of a value Merge of local store typings no unique locations in both local store typings identical types for shared locations in both Sept. 26, 2005

See paper for (many) more details Key insights Local store typings types of locations that are sub-exprs of a value Merge of local store typings no unique locations in both local store typings identical types for shared locations in both Step-indexed technique [Appel-McAllester ’01], [Ahmed-Appel-Virga ’03] Sept. 26, 2005

Conclusion and Future Work
Core language, type-system, and model framework for comparing high-level designs Model more advanced features Cyclone – alias construct allows a unique pointer to be treated as shared for a limited scope Vault – focus construct allows a shared object to be treated as unique for a limited scope Sept. 26, 2005

Sept. 26, 2005

Structural Lemmas Exchange: Contraction: Weakening:
If G1,x1:t1,x2:t2,G2 ` e : t, then G1,x2:t2,x1:t1,G2 ` e : t. Contraction: If G1,x1:tx,x2:tx,G2 ` e : t, then G1,x:tx,G2 ` e[x/x1][x/x2] : t. Weakening: If G ` e : t, then G,x:tx ` e : t. Sept. 26, 2005

Structural Lemmas Exchange: Contraction: Duplicate Weakening: Discard
If G1,x1:t1,x2:t2,G2 ` e : t, then G1,x2:t2,x1:t1,G2 ` e : t. Contraction: Duplicate If G1,x1:tx,x2:tx,G2 ` e : t, then G1,x:tx,G2 ` e[x/x1][x/x2] : t. Weakening: Discard If G ` e : t, then G,x:tx ` e : t. Sept. 26, 2005

Linear Exch Affine Exch,Weak Relevant Exch,Cntr Unrestricted Exch,Cntr,Weak Sept. 26, 2005

Structural Lemmas Revisited
Contraction: If q ¹ R and G1,x1:qtx,x2:qtx,G2 ` e : t, then G1,x1:qtx,G2 ` e[x/x1][x/x2] : t. Weakening: If q ¹ A and G ` e : t, then G,x:qtx ` e : t. Sept. 26, 2005

Contents and Ops Ref U R A L Sept. 26, 2005

shared unique Sept. 26, 2005

new free swap! read write! Sept. 26, 2005

 Sept. 26, 2005

Model a type as a set of tuples of qualifier, value, and local store typing «t¬ ::= { (q,v,y), …} Model a local store typing as a partial map from locations to qualifiers and types y ::= { l → (q,«t¬), … } Sept. 26, 2005

Model a type as a set of tuples Type = Ã(Qual £ Value £ LocalStore) Model a local store typing as a partial map LocalStore = Locs ! (Qual £ Type) Sept. 26, 2005

Model a type as a set of tuples Type = Ã(Qual £ Value £ LocalStore) Model a local store typing as a partial map LocalStore = Locs ! (Qual £ Type) Cardinality problem is handled by stratifying definitions with “# of steps to run the program” [Appel-McAllester ’01], [Ahmed-Appel-Virga ’03] Sept. 26, 2005

Model a type as a set of tuples of qualifier, value, and local store typing Model a local store typing as a partial map from locations to qualifiers and types Local store y of a value v only defined on those locations that appear as sub-expressions of v Sept. 26, 2005

Model a type as a set of tuples of qualifier, value, and local store typing Model a local store typing as a partial map from locations to qualifiers and types Local store y of a value v only defined on those locations that appear as sub-expressions of v Further restrictions to rule out  references Sept. 26, 2005

Why only a local store typing? Sept. 26, 2005

Why only a local store typing? hx, yi l1 L l2 L l3 U l4 A Sept. 26, 2005

Why only a local store typing? A global store typing … hx, yi Y = Yx = Yy = Yl1 = Yl2 = … l1 L l2 L l3 U l9 L l4 A Sept. 26, 2005

Why only a local store typing? A global store typing does not distinguish the “real” occurrence of a unique reference hx, yi Y = Yx = Yy = Yl1 = Yl2 = … l1 L l2 L l3 U l9 L l4 A Sept. 26, 2005

Why only a local store typing? A “reachable” store typing … hx, yi Yx l1 L l2 L l3 U l4 A Sept. 26, 2005

Why only a local store typing? A “reachable” store typing … hx, yi Yy l1 L l2 L l3 U l4 A Sept. 26, 2005

Why only a local store typing? A “reachable” store typing … hx, yi Yx Yy l1 L l2 L l3 U l4 A Sept. 26, 2005

Why only a local store typing? A “reachable” store typing does not distinguish shared and exclusive unique references hx, yi Yx Yy l1 L l2 L l3 U l4 A Sept. 26, 2005

Why only a local store typing? A “reachable” store typing does not distinguish shared and exclusive unique references hx, yi l1 L l2 L Yl1 l3 U l4 A Sept. 26, 2005

Why only a local store typing? A “reachable” store typing does not distinguish shared and exclusive unique references hx, yi l1 L l2 L Yl2 l3 U l4 A Sept. 26, 2005

Why only a local store typing? A “reachable” store typing does not distinguish shared and exclusive unique references hx, yi l1 L l2 L l3 U Yl3 l4 A Sept. 26, 2005

Local store typing hx, yi yx yy l1 L l2 L l3 U l4 A Sept. 26, 2005

Local store typing hx, yi yx yy l1 L l2 L yl1 yl2 l3 U yl3 l4 A Sept. 26, 2005

Local store typing Storing a unique object in a shared reference “hides” the unique object hx, yi yx yy l1 L l2 L yl1 yl2 l3 U yl3 l4 A Sept. 26, 2005

Local store typing Storing a unique object in a shared reference the unique object becomes local to the reference hx, yi yx yy l1 L l2 L yl1 yl2 l3 U yl3 l4 A Sept. 26, 2005

When does a global store s satisfy a local store typing y? Local store typing Storing a unique object in a shared reference the unique object becomes local to the reference hx, yi yx yy l1 L l2 L yl1 yl2 l3 U yl3 l4 A Sept. 26, 2005

Store Satisfaction s : y when there exists a set of locations
reachable from dom(y) such that the local store typings of all reachable locations merge in a compatible manner into a global store typing that describes the store Sept. 26, 2005

A unique location may not appear more than once
Store Satisfaction s : y when there exists a set of locations reachable from dom(y) such that the local store typings of all reachable locations merge in a compatible manner into a global store typing that describes the store A unique location may not appear more than once Sept. 26, 2005

A shared location must appear with the same type
Store Satisfaction s : y when there exists a set of locations reachable from dom(y) such that the local store typings of all reachable locations merge in a compatible manner into a global store typing that describes the store A shared location must appear with the same type Sept. 26, 2005

Store Satisfaction s : y when Similar to a Garbage Collector
there exists a set of locations reachable from dom(y) such that the local store typings of all reachable locations merge in a compatible manner into a global store typing that describes the store Similar to a Garbage Collector Sept. 26, 2005

Store Satisfaction s : y when Similar to a Garbage Collector
there exists a set of locations reachable from dom(y) such that the local store typings of all reachable locations merge in a compatible manner into a global store typing that describes the store Similar to a Garbage Collector These are the roots These are the child locations traced from the contents of a reachable location Sept. 26, 2005

A Step-Indexed Model of Substructural State

Similar presentations

Presentation on theme: "A Step-Indexed Model of Substructural State"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

A Step-Indexed Model of Substructural State

Similar presentations

Presentation on theme: "A Step-Indexed Model of Substructural State"— Presentation transcript:

Similar presentations

About project

Feedback