Presentation is loading. Please wait.

Presentation is loading. Please wait.

Existential Types for Imperative Languages Dan Grossman Cornell University Eleventh European Symposium on Programming April 2002.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Existential Types for Imperative Languages Dan Grossman Cornell University Eleventh European Symposium on Programming April 2002."— Presentation transcript:

1 Existential Types for Imperative Languages Dan Grossman Cornell University Eleventh European Symposium on Programming April 2002

2 8 April 2002Existential Types for Imperative Languages2 Designing safe languages To design a strong-typed language: 1.Draw on acquired knowledge of well- behaved features 2.Model the parts you’re uncomfortable with (in practice, a simplification) 3.Hope/argue that the model captured everything interesting, so the language is type-safe

3 8 April 2002Existential Types for Imperative Languages3 But… Sometimes you are wrong due to a new combination of features You fix it You worry enough to model the fix You add to acquired knowledge Today’s combination: existential types, aliasing, and mutation

4 8 April 2002Existential Types for Imperative Languages4 How the story goes… Existential types in a safe low-level language –why –features (mutation, aliasing) The problem The solutions Some non-problems Related work

5 8 April 2002Existential Types for Imperative Languages5 Existential types Existential types (  α.  ) hide types’ identities while establishing equalities, e.g.,  α. { zero: α succ: α  α cmp: α  α  bool } That is, they describe abstract data types The standard tool for modeling data-hiding constructs (closures, objects)

6 8 April 2002Existential Types for Imperative Languages6 Low-level languages want  Cyclone (this work’s context) is a safe language at the C level of abstraction Major goal: expose data representation (no hidden fields, tags, environments,...) Don’t provide closures/objects; give programmers a powerful type system struct IntIntFn {  α. int (*f)(int, α); α env; }; C “call-backs” use void* ; we use 

7 8 April 2002Existential Types for Imperative Languages7 Normal  feature: Construction int add (int a, int b) {return a+b; } int addp(int a, char* b) {return a+*b;} struct IntIntFn x1 = IntIntFn(add, 37); struct IntIntFn x2 = IntIntFn(addp,"a"); Compile-time: check for appropriate witness type Type is just struct IntIntFn Run-time: create / initialize (no witness type) struct IntIntFn {  α. int (*f)(int, α); α env; };

8 8 April 2002Existential Types for Imperative Languages8 Normal  feature: Destruction Destruction via pattern matching: void apply(struct IntIntFn x) { let IntIntFn{.f=fn,.env=ev} = x; // ev : β, fn : int(*f)(int,β) fn(42,ev); } Clients use the data without knowing the type struct IntIntFn {  α. int (*f)(int, α); α env; };

9 8 April 2002Existential Types for Imperative Languages9 Low-level feature: Mutation Mutation, changing witness type struct IntIntFn fn1 = f(); struct IntIntFn fn2 = g(); fn1 = fn2; // record-copy Orthogonality encourages this feature Useful for registering new call-backs without allocating new memory Now memory is not type-invariant!

10 8 April 2002Existential Types for Imperative Languages10 Low-level feature: Address-of field Let client update fields of an existential package –access only through pattern-matching –variable pattern copies fields A reference pattern binds to the field’s address: void apply2(struct IntIntFn x) { let IntIntFn{.f=fn,.env=*ev} = x; // ev : β*, fn : int(*f)(int,β) fn(42,*ev); } C uses &x.env ; we use a reference pattern

11 8 April 2002Existential Types for Imperative Languages11 More on reference patterns Orthogonality: already allowed in Cyclone’s other patterns (e.g., tagged-union fields) Can be useful for existential types: struct Pr {  α. α fst; α snd; };  α. void swap(α* x, α* y); void swapPr(struct Pr pr) { let Pr{.fst=*a,.env=*b} = pr; swap(a,b); }

12 8 April 2002Existential Types for Imperative Languages12 Summary of features struct definition can bind existential type variables construction, destruction traditional mutation via struct assignment reference patterns for aliasing A nice adaptation of advanced type-systems to a “safe C” setting?

13 8 April 2002Existential Types for Imperative Languages13 Explaining the problem Violation of type safety Two solutions (restrictions) Some non-problems

14 8 April 2002Existential Types for Imperative Languages14 Oops! struct T {  α. void (*f)(int, α); α env;}; void ignore(int x, int y) {} void assign(int x, int* p) { *p = x; } void f(int* ptr) { struct T pkg1 = T(ignore, 0xABCD);//α=int struct T pkg2 = T(assign, ptr); //α=int* let T{.f=fn,.env=*ev} = pkg2; //alias pkg2 = pkg1; //mutation fn(37, *ev); //write 37 to 0xABCD }

15 8 April 2002Existential Types for Imperative Languages15 With pictures… pkg1pkg2ignoreassign0xABCD let T{.f=fn,.env=*ev} = pkg2; //alias pkg1pkg2ignoreassign0xABCD assignfnev

16 8 April 2002Existential Types for Imperative Languages16 With pictures… pkg2 = pkg1; //mutation pkg1pkg2ignoreassign0xABCD assignfnev pkg1pkg2ignore 0xABCD assignfnev

17 8 April 2002Existential Types for Imperative Languages17 With pictures… pkg1pkg2ignore 0xABCD assignfnev fn(37, *ev); //write 37 to 0xABCD call assign with 0xABCD for p, the pointer: void assign(int x, int* p) {*p = x;}

18 8 April 2002Existential Types for Imperative Languages18 What happened? 1.β establishes a compile-time equality relating types of fn ( void(*f)(int,β) ) and ev ( β* ) 2.mutation makes this equality false 3.safety of call needs the equality we must rule out this program… let T{.f=fn,.env=*ev} = pkg2; //alias pkg2 = pkg1; //mutation fn(37, *ev); //write 37 to 0xABCD

19 8 April 2002Existential Types for Imperative Languages19 Two solutions Solution #1: Reference patterns do not match against fields of existential packages Note: Other reference patterns still allowed  cannot create the type equality Solution #2: Type of assignment cannot be an existential type (or have a field of existential type) Note: pointers to existentials are no problem  restores memory type-invariance

20 8 April 2002Existential Types for Imperative Languages20 Independent and easy Either solution is easy to implement They are independent: A language can have two styles of existential types, one for each restriction Cyclone takes solution #1 (no reference patterns for existential fields), making it a safe language without type-invariance of memory!

21 8 April 2002Existential Types for Imperative Languages21 Are the solutions sufficient (correct)? The paper develops a small formal language and proves type safety Highlights: –Both solutions –C-style memory (flattened record values) –C-style lvalue/rvalue distinction –Memory invariant includes novel “if a reference pattern is for a field, then that field never changes type”

22 8 April 2002Existential Types for Imperative Languages22 Non-problem: Pointers to witnesses struct T2 {  α. void (*f)(int, α); α* env; }; … let T2{.f=fn,.env=ev} = pkg2; pkg2 = pkg1; … pkg2assign fnev

23 8 April 2002Existential Types for Imperative Languages23 Non-problem: Pointers to packages struct T * p = &pkg1; p = &pkg2; pkg1pkg2ignoreassign0xABCD p Aliases are fine. Aliases at the “unpacked type” are not.

24 8 April 2002Existential Types for Imperative Languages24 Related work Existential types: –seminal use [Mitchell/Plotkin 1988] –closure/object encodings [Bruce et al, Minimade et al, …] –first-class types in Haskell [Läufer] None incorporate mutation Safe low-level languages with  –Typed Assembly Language [Morrisett et al] –Xanadu [Xi], uses  over ints (so does Cyclone) None have reference patterns or similar Linear types, e.g. Vault [DeLine, Fähndrich] No aliases, destruction destroys the package

25 8 April 2002Existential Types for Imperative Languages25 Polymorphic references — related? Well-known in ML that you must not give ref [] the type  α. α list ref Unsoundness involves mutation and aliasing Suggests the problem is dual, and there are similarities, but it’s unclear ML has memory type-invariance, unlike Cyclone

26 8 April 2002Existential Types for Imperative Languages26 Summary Existential types are the way to have data- hiding in a safe low-level language But type variables, mutation, and aliasing signal danger Developed two independent, simple restrictions that suffice for type safety Rigorous proof to help us think we’ve really fixed the problem New acquired knowledge to avoid future mistakes

27 8 April 2002Existential Types for Imperative Languages27 [End of Presentation -- Some “backup slides” follow]

28 8 April 2002Existential Types for Imperative Languages28 Future work — Threads For very similar reasons, threads require: –atomic assignment (witness-change) of existential packages –atomic pattern-matching (destruction) of existential packages Else pattern-match could get fields with different witness types, violating type equality Future: Type system will enforce a programmer-controlled locking system

29 8 April 2002Existential Types for Imperative Languages29 What is a good witness? Without (hidden) run-time types, we must know the size of (values of) abstract types struct IntIntFn {  α. int (*f)(int, α); α env; }; struct IntIntFn {  α. int (*f)(int, α*); α* env; }; α must be int or pointer α can be any type Interesting & orthogonal issue — come back tomorrow

Download ppt "Existential Types for Imperative Languages Dan Grossman Cornell University Eleventh European Symposium on Programming April 2002."

Similar presentations

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.
Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.

Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.
Type Analysis and Typed Compilation Stephanie Weirich Cornell University.

Type Analysis and Typed Compilation Stephanie Weirich Cornell University.
Control-Flow Graphs & Dataflow Analysis CS153: Compilers Greg Morrisett.

Control-Flow Graphs & Dataflow Analysis CS153: Compilers Greg Morrisett.
CSE341: Programming Languages Lecture 16 Datatype-Style Programming With Lists or Structs Dan Grossman Winter 2013.

CSE341: Programming Languages Lecture 16 Datatype-Style Programming With Lists or Structs Dan Grossman Winter 2013.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Chapter 5 Types. 5-2 Topics in this Chapter Values vs. Variables Types vs. Representations Type Definition Operators Type Generators SQL Facilities.

Chapter 5 Types. 5-2 Topics in this Chapter Values vs. Variables Types vs. Representations Type Definition Operators Type Generators SQL Facilities.
Summer School on Language-Based Techniques for Integrating with the External World Types for Safe C-Level Programming Part 3: Basic Cyclone-Style Region-

Summer School on Language-Based Techniques for Integrating with the External World Types for Safe C-Level Programming Part 3: Basic Cyclone-Style Region-
Summer School on Language-Based Techniques for Integrating with the External World Types for Safe C-Level Programming Part 2: Quantified-Types in C Dan.

Summer School on Language-Based Techniques for Integrating with the External World Types for Safe C-Level Programming Part 2: Quantified-Types in C Dan.
Data Abstraction COS 441 Princeton University Fall 2004.

Data Abstraction COS 441 Princeton University Fall 2004.
PSUCS322 HM 1 Languages and Compiler Design II Parameter Passing Material provided by Prof. Jingke Li Stolen with pride and modified by Herb Mayer PSU.

PSUCS322 HM 1 Languages and Compiler Design II Parameter Passing Material provided by Prof. Jingke Li Stolen with pride and modified by Herb Mayer PSU.
A Type-Checked Restrict Qualifier Jeff Foster OSQ Retreat May 9-10, 2001.

A Type-Checked Restrict Qualifier Jeff Foster OSQ Retreat May 9-10, 2001.
Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work with: Greg Morrisett, Trevor Jim (AT&T), Michael Hicks,

Region-Based Memory Management in Cyclone Dan Grossman Cornell University June 2002 Joint work with: Greg Morrisett, Trevor Jim (AT&T), Michael Hicks,
Review on pointers and dynamic objects. Memory Management  Static Memory Allocation  Memory is allocated at compiling time  Dynamic Memory  Memory.

Review on pointers and dynamic objects. Memory Management  Static Memory Allocation  Memory is allocated at compiling time  Dynamic Memory  Memory.
Run-time Environment and Program Organization

Run-time Environment and Program Organization
Advanced Type Systems for Low-Level Languages Greg Morrisett Cornell University.

Advanced Type Systems for Low-Level Languages Greg Morrisett Cornell University.
Playing With Fire: Mutation and Quantified Types CIS670, University of Pennsylvania 2 October 2002 Dan Grossman Cornell University.

Playing With Fire: Mutation and Quantified Types CIS670, University of Pennsylvania 2 October 2002 Dan Grossman Cornell University.
Virtual Functions Junaed Sattar November 10, 2008 Lecture 10.

Virtual Functions Junaed Sattar November 10, 2008 Lecture 10.
Shallow Versus Deep Copy and Pointers Shallow copy: when two or more pointers of the same types point to the same memory – They point to the same data.

Shallow Versus Deep Copy and Pointers Shallow copy: when two or more pointers of the same types point to the same memory – They point to the same data.
CSE341: Programming Languages Lecture 11 Type Inference Dan Grossman Winter 2013.

CSE341: Programming Languages Lecture 11 Type Inference Dan Grossman Winter 2013.

Similar presentations

Ads by Google