Presentation is loading. Please wait.

Presentation is loading. Please wait.

Example to Type Check object World { var z : Boolean var u : Int def f(y : Boolean) : Int { z = y if (u > 0) { u = u – 1 var z : Int z = f(!y) + 3 z+z.

Published byMagdalen Garrett Modified over 9 years ago

Similar presentations

Presentation on theme: "Example to Type Check object World { var z : Boolean var u : Int def f(y : Boolean) : Int { z = y if (u > 0) { u = u – 1 var z : Int z = f(!y) + 3 z+z."— Presentation transcript:

1 Example to Type Check object World { var z : Boolean var u : Int def f(y : Boolean) : Int { z = y if (u > 0) { u = u – 1 var z : Int z = f(!y) + 3 z+z } else { 0 } } ¡ 0 = { (z, Boolean), (u, Int), (f, Boolean  Int) } ¡ 1 = ¡ 0 © {(y, Boolean)} Exercise:

2 Overloading of Operators Not a problem for type checking from leaves to root Int £ Int  Int String £ String  String

3 Arrays Using array as an expression, on the right-hand side Assigning to an array

4 Example with Arrays def next(a : Array[Int], k : Int) : Int = { a[k] = a[a[k]] } Given ¡ = {(a, Array(Int)), (k, Int)}, check ¡ ` a[k] = a[a[k]]: Int

5 Type Rules (1) variable constant function application plus if assignment while

6 Type Rules (2) array use array assignment block

7 Type Rules (3) field use field assignment ¡ c - top-level environment of class C class C { var x: Int; def m(p: Int): Boolean = {…} } ¡ c = { (x, Int), (m, C £ Int  Boolean)} method invocation

8 DIVING DEEPER INTO TYPES

9 Meaning of Types Types can be viewed as named entities –explicitly declared classes, traits –their meaning is given by methods they have –constructs such as inheritance establish relationships between classes Types can be viewed as sets of values –Int = {..., -2, -1, 0, 1, 2,... } –Boolean = { false, true } –Int  Int = { f : Int -> Int | f is computable }

10 Types as Sets Sets so far were disjoint Sets can overlap Boolean true, false String “Richard” “cat” Int  Int Int  Pos Int Pos (1 2) Neg (-1) 16 bit class C class F class D class E F extends D, D extends C C ED F

11 SUBTYPING

12 Subtyping Subtyping corresponds to subset Systems with subtyping have non-disjoint sets T 1 <: T 2 means T 1 is a subtype of T 2 –corresponds to T 1 µ T 2 in sets of values Main rule for subtyping ¼ corresponds to

13 Types for Positive and Negative Ints Int = {..., -2, -1, 0, 1, 2,... } Pos = { 1, 2,... } (not including zero) Neg = {..., -2, -1 } (not including zero) Pos <: Int Neg <: Int Pos µ Int Neg µ Int (y not zero) (x/y well defined)

14 More Rules More rules for division?

15 Making Rules Useful Let x be a variable if (y > 0) { if (x > 0) { var z : Pos = x * y res = 10 / z } } type system proves: no division by zero

16 Subtyping Example def f(x:Int) : Pos = { if (x < 0) –x else x+1 } var p : Pos var q : Int q = f(p) Pos <: Int ¡ : f: Int  Pos Does this statement type check?

17 Using Subtyping def f(x:Pos) : Pos = { if (x < 0) –x else x+1 } var p : Int var q : Int q = f(p) - does not type check Pos <: Int ¡ : f: Pos  Pos

18 What Pos/Neg Types Can Do def multiplyFractions(p1 : Int, q1 : Pos, p2 : Int, q2 : Pos) : (Int,Pos) { (p1*q1, q1*q2) } def addFractions(p1 : Int, q1 : Pos, p2 : Int, q2 : Pos) : (Int,Pos) { (p1*q2 + p2*q1, q1*q2) } def printApproxValue(p : Int, q : Pos) = { print(p/q) // no division by zero } More sophisticated types can track intervals of numbers and ensure that a program does not crash with an array out of bounds error.

19 Subtyping and Product Types

20 Using Subtyping def f(x:Pos) : Pos = { if (x < 0) –x else x+1 } var p : Int var q : Int q = f(p) - does not type check Pos <: Int ¡ : f: Pos  Pos

21 Subtyping for Products T 1 <: T 2 implies for all e: So, we might as well add: covariant subtyping for pairs Pair [ T 1, T 2 ] Type for a tuple:

22 Analogy with Cartesian Product A £ B = { (a, b) | a 2 A, b 2 B}

23 Subtyping and Function Types

24 Subtyping for Function Types Consequence: contravariance covariance T 1 <: T 2 implies for all e: Function [ T 1, T] contra- co- as if ¡ ` m: T 1 ’ £ … £ T n ’ \to T’

25 To get the appropriate behavior we need to assign sets to function types like this: T 1  T 2 = { f| 8 x. (x 2 T 1  f(x) 2 T 2 )} We can prove Function Space as Set contravariance because x 2 T 1 is left of implication  T1 £ T2 T1 £ T2 (: x 2 T 1 ) Ç f(x) 2 T 2

26 Proof T 1  T 2 = { f | 8 x 2 T 1  f(x) 2 T 2 } Let T 1 ’ µ T 1 and T 2 µ T 2 ’ and f 2 T 1  T 2 8 x. x 2 T 1  f(x) 2 T 2 Let x 2 T 1 ’. From T 1 ’ µ T 2, also x 2 T 1 f(x) 2 T 2. By T 2 µ T 2 ’, also f(x) 2 T s ’ 8 x. x 2 T 1 ’  f(x) 2 T 2 ’ Therefore, f 2 t 1 ’  T 2 ’ Thus, T 1  T 2 µ T 1 ’  T 2 ’

27 Subtyping for Classes Class C contains a collection of methods We view field var f: T as two methods –getF(this:C): T C  T –setF(this:C, x:T): void C x T  void For val f: T (immutable): we have only getF Class has all functionality of a pair of method We must require (at least) that methods named the same are subtypes If type T is generic, it must be invariant –as for mutable arrays

28 Example class C { def m(x : T 1 ) : T 2 = {...} } class D extends C { override def m(x : T’ 1 ) : T’ 2 = {...} } D <: C Therefore, we need to have: T 1 <: T’ 1 (argument behaves opposite) T’ 2 <: T 2 (result behaves like class)

29 Today More Subtyping Rules –product types (pairs) –function types –classes Soundness –motivating example –idea of proving soundness –operational semantics –a soundness proof Subtyping and generics

30 Example: Tootool 0.1 Language Tootool is a rural community in the central east part of the Riverina [New South Wales, Australia]. It is situated by road, about 4 kilometres east from French Park and 16 kilometres west from The Rock. Tootool Post Office opened on 1 August 1901 and closed in 1966. [Wikipedia]

31 Type System for Tootool 0.1 Pos <: Int Neg <: Int does it type check? def intSqrt(x:Pos) : Pos = {...} var p : Pos var q : Neg var r : Pos q = -5 p = q r = intSqrt(p) Runtime error: intSqrt invoked with a negative argument! unsound ¡ = {(p, Pos), (q, Neg), (r, Pos), (intSqrt, Pos  Pos)} assignment subtyping

32 What went wrong in Tootool 0.1 ? Pos <: Int Neg <: Int does it type check? – yes def intSqrt(x:Pos) : Pos = {...} var p : Pos var q : Neg var r : Pos q = -5 p = q r = intSqrt(p) assignment subtyping ¡ = {(p, Pos), (q, Neg), (r, Pos), (intSqrt, Pos  Pos)} x must be able to store any value from T e can have any value from T Cannot use ¡ ` to mean “x promises it can store any e 2 T” Runtime error: intSqrt invoked with a negative argument!

33 Recall Our Type Derivation Pos <: Int Neg <: Int does it type check? – yes def intSqrt(x:Pos) : Pos = {...} var p : Pos var q : Neg var r : Pos q = -5 p = q r = intSqrt(p) assignment subtyping ¡ = {(p, Pos), (q, Neg), (r, Pos), (intSqrt, Pos  Pos)} Values from p are integers. But p did not promise to store all kinds of integers/ Only positive ones! Runtime error: intSqrt invoked with a negative argument!

34 Corrected Type Rule for Assignment Pos <: Int Neg <: Int does it type check? – yes def intSqrt(x:Pos) : Pos = {...} var p : Pos var q : Neg var r : Pos q = -5 p = q r = intSqrt(p) assignment subtyping ¡ = {(p, Pos), (q, Neg), (r, Pos), (intSqrt, Pos  Pos)} x must be able to store any value from T e can have any value from T ¡ stores declarations (promises) does not type check

35 How could we ensure that some other programs will not break? Type System Soundness

36 Today More Subtyping Rules –product types (pairs) –function types –classes Soundness –motivating example –idea of proving soundness –operational semantics –a soundness proof Subtyping and generics

37 Proving Soundness of Type Systems Goal of a sound type system: –if the program type checks, then it never “crashes” –crash = some precisely specified bad behavior e.g. invoking an operation with a wrong type dividing one string by another string “cat” / “frog trying to multiply a Window object by a File object e.g. not dividing an integer by zero Never crashes: no matter how long it executes –proof is done by induction on program execution

38 Proving Soundness by Induction Program moves from state to state Bad state = state where program is about to exhibit a bad operation ( “cat” / “frog” ) Good state = state that is not bad To prove: program type checks  states in all executions are good Usually need a stronger inductive hypothesis; some notion of very good (VG) state such that: program type checks  program’s initial state is very good state is very good  next state is also very good state is very good  state is good (not about to crash) VG Good VG

39 A Simple Programming Language

40 Program State var x : Pos var y : Int var z : Pos x = 3 y = -5 z = 4 x = x + z y = x / z z = z + x values of variables: x = 1 y = 1 z = 1 position in source Initially, all variables have value 1

41 Program State var x : Pos var y : Int var z : Pos x = 3 y = -5 z = 4 x = x + z y = x / z z = z + x values of variables: x = 3 y = 1 z = 1 position in source

42 Program State var x : Pos var y : Int var z : Pos x = 3 y = -5 z = 4 x = x + z y = x / z z = z + x values of variables: x = 3 y = -5 z = 1 position in source

43 Program State var x : Pos var y : Int var z : Pos x = 3 y = -5 z = 4 x = x + z y = x / z z = z + x values of variables: x = 3 y = -5 z = 4 position in source

44 Program State var x : Pos var y : Int var z : Pos x = 3 y = -5 z = 4 x = x + z y = x / z z = z + x values of variables: x = 7 y = -5 z = 4 position in source

45 Program State var x : Pos var y : Int var z : Pos x = 3 y = -5 z = 4 x = x + z y = x / z z = z + x values of variables: x = 7 y = 1 z = 4 position in source formal description of such program execution is called operational semantics

46 Definition of Simple Language var x 1 : Pos var x 2 : Int... var x n : Pos x i = x j x p = x q + x r x a = x b / x c... x p = x q + x r Programs: Type rules: ¡ = { (x 1, Pos), (x 2, Int), … (x n, Pos)} Pos <: int variable declarations var x: Pos or var x: Int followed by statements of one of 3 forms 1)x i = x j 2)x i = x j / x k 3)x i = x j + x k (No complex expressions)

47 Bad State: About to Divide by Zero (Crash) var x : Pos var y : Int var z : Pos x = 1 y = -1 z = x + y x = x + z y = x / z z = z + x values of variables: x = 1 y = -1 z = 0 Definition: state is bad if the next instruction is of the form x i = x j / x k and x k has value 0 in the current state. position in source

48 Good State: Not (Yet) About to Divide by Zero var x : Pos var y : Int var z : Pos x = 1 y = -1 z = x + y x = x + z y = x / z z = z + x values of variables: x = 1 y = -1 z = 1 Definition: state is good if it is not bad. Good Definition: state is bad if the next instruction is of the form x i = x j / x k and x k has value 0 in the current state. position in source

49 Good State: Not (Yet) About to Divide by Zero var x : Pos var y : Int var z : Pos x = 1 y = -1 z = x + y x = x + z y = x / z z = z + x values of variables: x = 1 y = -1 z = 0 Definition: state is good if it is not bad. Good Definition: state is bad if the next instruction is of the form x i = x j / x k and x k has value 0 in the current state. position in source

50 Moved from Good to Bad in One Step! var x : Pos var y : Int var z : Pos x = 1 y = -1 z = x + y x = x + z y = x / z z = z + x values of variables: x = 1 y = -1 z = 0 Bad Definition: state is good if it is not bad. Being good is not preserved by one step, not inductive! It is very local property, does not take future into account. Definition: state is bad if the next instruction is of the form x i = x j / x k and x k has value 0 in the current state. position in source

51 Being Very Good: A Stronger Inductive Property var x : Pos var y : Int var z : Pos x = 1 y = -1 z = x + y x = x + z y = x / z z = z + x values of variables: x = 1 y = -1 z = 0 Definition: state is good if it is not about to divide by zero. Definition: state is very good if each variable belongs to the domain determined by its type (if z:Pos, then z is strictly positive). This state is already not very good. We took future into account. Pos = { 1, 2, 3,... } position in source ∉ Pos

52 If you are a little typed program, what will your parents teach you? If you type check and succeed: –you will be very good from the start. –if you are very good, then you will remain very good in the next step –If you are very good, you will not crash. Hence, type check and you will never crash! Soundnes proof = defining “very good” and checking the properties above.

53 Definition of Simple Language var x 1 : Pos var x 2 : Int... var x n : Pos x i = x j x p = x q + x r x a = x b / x c... x p = x q + x r Programs: Type rules: ¡ = { (x 1, Pos), (x 2, Int), … (x n, Pos)} Pos <: int variable declarations var x: Pos or var x: Int followed by statements of one of 3 forms 1)x i = x j 2)x i = x j / x k 3)x i = x j + x k (No complex expressions)

54 Checking Properties in Our Case Definition: state is very good if each variable belongs to the domain determined by its type (if z:Pos, then z is strictly positive). Holds: in initial state, variables are =1 If you type check and succeed: –you will be very good from the start. –if you are very good, then you will remain very good in the next step –If you are very good, you will not crash. If next state is x / z, type rule ensures z has type Pos Because state is very good, it means z 2 Pos so z is not 0, and there will be no crash. 1 2 Pos 1 2 Int

55 Example Case 1 var x : Pos var y : Pos var z : Pos y = 3 z = 2 z = x + y x = x + z y = x / z z = z + x values of variables: x = 1 y = 3 z = 2 the next statement is: z=x+y where x,y,z are declared Pos. Goal: prove that again each variable belongs to its type. variables other than z did not change, so belong to their type z is sum of two positive values, so it will have positive value Assume each variable belongs to its type. position in source

56 Example Case 2 var x : Pos var y : Int var z : Pos y = -5 z = 2 z = x + y x = x + z y = x / z z = z + x values of variables: x = 1 y = -5 z = 2 the next statement is: z=x+y where x,z declared Pos, y declared Int Goal: prove that again each variable belongs to its type. this case is impossible, because z=x+y would not type check How do we know it could not type check? Assume each variable belongs to its type. position in source

57 Must Carefully Check Our Type Rules var x : Pos var y : Int var z : Pos y = -5 z = 2 z = x + y x = x + z y = x / z z = z + x Conclude that the only types we can derive are: x : Pos, x : Int y : Int x + y : Int Cannot type check z = x + y in this environment. Type rules: ¡ = { (x 1, Pos), (x 2, Int), … (x n, Pos)} Pos <: int

58 We would need to check all cases (there are many, but they are easy)

59 Remark We used in examples Pos <: Int Same examples work if we have class Int {... } class Pos extends Int {... } and is therefore relevant for OO languages

60 Today More Subtyping Rules –product types (pairs) –function types –classes Soundness –motivating example –idea of proving soundness –operational semantics –a soundness proof Subtyping and generics

61 Simple Parametric Class class Ref[T](var content : T) Can we use the subtyping rule var x : Ref[Pos] var y : Ref[Int] var z : Int x.content = 1 y.content = -1 y = x y.content = 0 z = z / x.content ¡ type checks

62 Simple Parametric Class class Ref[T](var content : T) Can we use the subtyping rule var x : Ref[Pos] var y : Ref[Int] var z : Int x.content = 1 y.content = -1 y = x y.content = 0 z = z / x.content 1 Ref[Pos] Ref[Int] x y

63 Simple Parametric Class class Ref[T](var content : T) Can we use the subtyping rule var x : Ref[Pos] var y : Ref[Int] var z : Int x.content = 1 y.content = -1 y = x y.content = 0 z = z / x.content 1 Ref[Pos] Ref[Int] x y

64 Simple Parametric Class class Ref[T](var content : T) Can we use the subtyping rule var x : Ref[Pos] var y : Ref[Int] var z : Int x.content = 1 y.content = -1 y = x y.content = 0 z = z / x.content 0 Ref[Pos] Ref[Int] x y CRASHES

65 Analogously class Ref[T](var content : T) Can we use the converse subtyping rule var x : Ref[Pos] var y : Ref[Int] var z : Int x.content = 1 y.content = -1 x = y y.content = 0 z = z / x.content 1 0 Ref[Pos] Ref[Int] x y CRASHES

66 Mutable Classes do not Preserve Subtyping class Ref[T](var content : T) Even if T <: T’, Ref[T] and Ref[T’] are unrelated types var x : Ref[T] var y : Ref[T’]... x = y... type checks only if T=T’

67 Same Holds for Arrays, Vectors, all mutable containers var x : Array[Pos](1) var y : Array[Int](1) var z : Int x[0] = 1 y[0] = -1 y = x y[0] = 0 z = z / x[0] Even if T <: T’, Array[T] and Array[T’] are unrelated types

68 Case in Soundness Proof Attempt class Ref[T](var content : T) Can we use the subtyping rule var x : Ref[Pos] var y : Ref[Int] var z : Int x.content = 1 y.content = -1 y = x y.content = 0 z = z / x.content prove each variable belongs to its type: variables other than y did not change.. (?!) 1 Ref[Pos] Ref[Int] x y

69 Mutable vs Immutable Containers Immutable container, Coll[T] –has methods of form e.g. get(x:A) : T –if T <: T’, then Coll[T’] hasget(x:A) : T’ –we have (A  T) <: (A  T’) covariant rule for functions, so Coll[T] <: Coll[T’] Write-only data structure have –setter-like methods, set(v:T) : B –if T <: T’, then Container[T’] hasset(v:T) : B –would need (T  B) <: (T’  B) contravariance for arguments, so Coll[T’] <: Coll[T] Read-Write data structure need both, so they are invariant, no subtype on Coll if T <: T’

Download ppt "Example to Type Check object World { var z : Boolean var u : Int def f(y : Boolean) : Int { z = y if (u > 0) { u = u – 1 var z : Int z = f(!y) + 3 z+z."

Similar presentations

CH4.1 Type Checking Md. Fahim Computer Engineering Department Jamia Millia Islamia (A Central University) New Delhi – 110 025

CH4.1 Type Checking Md. Fahim Computer Engineering Department Jamia Millia Islamia (A Central University) New Delhi –
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Types and Programming Languages Lecture 4 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 4 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.

Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Chapter Three: Closure Properties for Regular Languages

Chapter Three: Closure Properties for Regular Languages
Exercise 1 Generics and Assignments. Language with Generics and Lots of Type Annotations Simple language with this syntax types:T ::= Int | Bool | T =>

Exercise 1 Generics and Assignments. Language with Generics and Lots of Type Annotations Simple language with this syntax types:T ::= Int | Bool | T =>
- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.

- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.
Discrete Mathematics Math 6A Homework 9 Solution.

Discrete Mathematics Math 6A Homework 9 Solution.
1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.

1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.

This Week Finish relational semantics Hoare logic Interlude on one-point rule Building formulas from programs.
Announcements We are done with homeworks Second coding exam this week, in recitation –Times will be posted later today –If in doubt, show up for your regular.

Announcements We are done with homeworks Second coding exam this week, in recitation –Times will be posted later today –If in doubt, show up for your regular.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
Type Checking.

Type Checking.
Compiler Construction

Compiler Construction
Introduction to Computability Theory

Introduction to Computability Theory
1 Chapter 4 Language Fundamentals. 2 Identifiers Program parts such as packages, classes, and class members have names, which are formally known as identifiers.

1 Chapter 4 Language Fundamentals. 2 Identifiers Program parts such as packages, classes, and class members have names, which are formally known as identifiers.

Similar presentations

Ads by Google