A Step-Indexed Model of Substructural State
Matthew Fluet
Cornell University
Amal Ahmed Greg Morrisett
Harvard University
Sept. 26, 2005
Introduction
• Mutable state is here to stay
  • high-level – I/O, data structures
  • low-level – virtual machines, garbage collector
• Mutable state is hard to control
  • C / Java / SML – unrestricted objects
  • Various forms of uniqueness have appeared as a means to “tame” state
    • Clean – uniqueness types: I/O operations in a purely-functional language
    • Cyclone – unique pointers: fine-grained memory management
    • Vault – unique keys: resource management protocols
  • Unique objects alone are too restrictive
    • Only tree-like data structures
    • Only single paths to a unique object
    (Slide figure: fun f () = … lr … and fun g () = … lr … both refer to the same unique resource lr, i.e. two paths to one unique object.)
  • Cyclone and Vault allow programs to store unique objects in shared objects
    (Slide figure: fun f () = … ls … and fun g () = … ls … share the object ls, which in turn holds the unique resource lr.)
    • Safety of mixed objects requires some restrictions
    • Cyclone and Vault have different interpretations of “unique” and “shared”, so they have different sets of restrictions (i.e., type systems)
    • How do we compare and evaluate these languages? Can we generalize the interpretations and restrictions? Can we define an expressive target language?
• We study a core language with mutable references
  • deallocation of references
  • strong (type-varying) updates
  • storage of unique objects in shared references
• … with mutable references of all qualifiers
  • Unrestricted – like C / Java / SML
  • Relevant
  • Affine – like Clean and Cyclone
  • Linear – like Vault
Outline
• A Substructural Type System
• … with References
• Model Teaser
Structural Properties
• Conventional type systems satisfy
  • Exchange – use typing assumptions in any order
  • Contraction (Copy) – use typing assumptions more than once
  • Weakening (Drop) – use typing assumptions less than once
• Substructural type systems fail to satisfy some of these: Exchange is kept, while Contraction (Copy) and/or Weakening (Drop) are given up, depending on the qualifier
Substructural Qualifiers
The four qualifiers, ordered U ⪯ R ⪯ L and U ⪯ A ⪯ L, and the structural rules each admits:

Qualifier    | Drop | Copy
Unrestricted | yes  | yes
Affine       | yes  | no
Relevant     | no   | yes
Linear       | no   | no

• Unique objects (no Copy: Affine, Linear) – may be “used” at most once
• Shared objects (Copy: Unrestricted, Relevant) – may be “used” more than once
• Essential objects (no Drop: Relevant, Linear) – must be “used” at least once
• Inessential objects (Drop: Unrestricted, Affine) – may be “used” less than once
A Substructural Type System
• Qualifiers
  q ::= U | R | A | L
• PreTypes
  τ̄ ::= 1 | τ1 ⊗ τ2 | τ1 ⊸ τ2
• Types
  τ ::= q τ̄
The qualifier q answers “How often may the value be used?”; the pretype τ̄ answers “How may the value be used?”
Copy with Pairs
copy U⟨Lv1, Lv2⟩ → ⟨U⟨Lv1, Lv2⟩, U⟨Lv1, Lv2⟩⟩
• ⟨v1, v2⟩ may be used more than once, so v1 and v2 may be used more than once
• That is inconsistent with linear or affine components: U(Lτ1 ⊗ Lτ2) and U(Aτ1 ⊗ Aτ2) are ruled out
copy U⟨Uv1, Uv2⟩ → ⟨U⟨Uv1, Uv2⟩, U⟨Uv1, Uv2⟩⟩
• Fine at type U(Uτ1 ⊗ Uτ2)

Drop with Pairs
drop U⟨Lv1, Lv2⟩ → ⟨⟩
• ⟨v1, v2⟩ is not used, so v1 and v2 are not used
• That is inconsistent with linear or relevant components: U(Lτ1 ⊗ Lτ2) and U(Rτ1 ⊗ Rτ2) are ruled out
drop U⟨Uv1, Uv2⟩ → ⟨⟩
• Fine at type U(Uτ1 ⊗ Uτ2)
… with References
• PreTypes
  τ̄ ::= … | ref τ
• Expressions
  e ::= … | new e | free e
  e ::= … | read e | write e1 e2 | swap e1 e2
• Raises design questions:
  • What does it mean to copy or drop a ref?
  • What operations make sense on different refs?
  • What combinations make sense for the qualifier and contents of a ref?
Copy & Drop with References
copy Ul → ⟨Ul, Ul⟩
drop Ul → ⟨⟩
Candidate types: U(ref Lτ), U(ref Rτ), U(ref Uτ), U(ref Aτ); the slides step through a location l holding contents Lv, Rv, Uv and Av in turn.
• Copy: l may be used more than once; but the contents are not copied (both copies of l point at the one stored value)
• Drop: l is not used; and the contents are (implicitly) dropped
Deallocation
free Ll → qv   (the location l, holding qv, is removed from the store and its contents are returned)
free : L(ref τ) → τ
free : A(ref τ) → τ
free : R(ref τ) → τ   – not permitted
free : U(ref τ) → τ   – not permitted
Only a unique reference (L or A) may be freed; a shared reference (U or R) may have other copies still in use. The slides step through free Ll, free Al, free Ul and free Rl.
Swap
swap ql v2 → ⟨ql, v1⟩   (l held v1 before the swap and holds v2 afterwards)
swap  : q(ref τ) → τ → L(q(ref τ) ⊗ τ)          – any qualifier q; the contents type is unchanged
swap! : L(ref τ1) → τ2 → L(L(ref τ2) ⊗ τ1)     – strong (type-varying) update, linear reference only
swap! : A(ref τ1) → τ2 → L(A(ref τ2) ⊗ τ1)     – strong (type-varying) update, affine reference only
The slides step through swap Ll v2 and swap Al v2; a strong update is sound only on a unique reference, since no other copy of l exists that could observe the changed contents type.
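The qualifier lattice and the copy/drop/free/swap! admissibility rules from the preceding slides, as an added Python model (not the authors' code). The `Ty`/`Pair`/`Ref` records and the `pair` helper are this example's own encoding of the talk's types.

```python
"""Qualifier lattice and copy/drop admissibility from the talk, as an added
Python model (not the authors' code).  U = unrestricted, R = relevant,
A = affine, L = linear, ordered U <= R <= L and U <= A <= L."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Union

# Everything at or below each qualifier in the lattice.
_BELOW = {"U": {"U"}, "R": {"U", "R"}, "A": {"U", "A"}, "L": {"U", "R", "A", "L"}}

def leq(q1: str, q2: str) -> bool:
    """q1 <= q2: q1 is at most as restrictive as q2."""
    return q1 in _BELOW[q2]

def can_copy(q: str) -> bool:
    """Contraction (Copy) is admitted exactly when q <= R, i.e. q is U or R."""
    return leq(q, "R")

def can_drop(q: str) -> bool:
    """Weakening (Drop) is admitted exactly when q <= A, i.e. q is U or A."""
    return leq(q, "A")

def is_unique(q: str) -> bool:
    """Unique objects (A, L) may be used at most once: no Copy."""
    return not can_copy(q)

@dataclass(frozen=True)
class Unit:
    pass

@dataclass(frozen=True)
class Pair:
    left: Ty
    right: Ty

@dataclass(frozen=True)
class Ref:
    contents: Ty

@dataclass(frozen=True)
class Ty:
    """A type is a qualifier applied to a pretype (1, a pair or a ref)."""
    q: str
    pre: Union[Unit, Pair, Ref]

def copy_ok(t: Ty) -> bool:
    """copy v is sound when the qualifier admits Copy and, for a pair, both
    components may also be used more than once (copying the pair copies
    them).  Copying a reference does not copy its contents, so only the
    reference's own qualifier is checked."""
    if not can_copy(t.q):
        return False
    if isinstance(t.pre, Pair):
        return copy_ok(t.pre.left) and copy_ok(t.pre.right)
    return True

def drop_ok(t: Ty) -> bool:
    """drop v is sound when the qualifier admits Drop and, for a pair, both
    components may be left unused.  Dropping a reference implicitly drops
    its contents; this model checks only the reference qualifier there."""
    if not can_drop(t.q):
        return False
    if isinstance(t.pre, Pair):
        return drop_ok(t.pre.left) and drop_ok(t.pre.right)
    return True

def free_ok(t: Ty) -> bool:
    """free : q(ref tau) -> tau is typed only for unique references (L, A)."""
    return isinstance(t.pre, Ref) and is_unique(t.q)

def strong_swap_ok(t: Ty) -> bool:
    """swap! (type-changing) is typed only for unique references (L, A); the
    weak swap, which keeps the contents type, is available at any q."""
    return isinstance(t.pre, Ref) and is_unique(t.q)

def pair(q: str, q1: str, q2: str) -> Ty:
    """Helper: the type q(q1 1 (x) q2 1), the shape used on the pair slides."""
    return Ty(q, Pair(Ty(q1, Unit()), Ty(q2, Unit())))
```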
Operations on Substructural State
(Slide table, not recoverable from the extracted text: rows are the reference qualifier, U and R labelled “shared”, A and L labelled “unique”; columns are the contents qualifier U, R, A, L; each cell lists which of the operations new, free, swap!, read and write! are permitted for that combination of reference and contents. Successive builds highlight the subsets of the table corresponding to C / Java / SML, to Clean and Cyclone, and to Vault.)
Type Safety
• No fundamental difficulty in pursuing a syntactic proof of type safety
• In fact, we have carried out a proof using the Twelf logical framework, based on the standard syntactic approach
• But, syntactic proofs only go so far
• Type safety of the language may be proven by showing the soundness of the typing rules with respect to a model
  • Simpler typing rules – store typing does not appear in judgments
  • Stronger meta-theoretic results – ⟦∀.⟧: for all semantic types, not just syntactic types
  • Compatible with Appel’s FPCC project – well-founded, set-theoretic model amenable to formalization in higher-order logic
  • Scales to binary logical relations for proving equivalence of programs [Ahmed POPL’06]
A Model of Substructural State
• See paper for (many) more details
• Key insights
  • Local store typings – types of locations that are sub-exprs of a value
  • Merge of local store typings – no unique locations in both local store typings; identical types for shared locations in both
  • Step-indexed technique – [Appel-McAllester ’01], [Ahmed-Appel-Virga ’03]
Conclusion and Future Work
• Core language, type-system, and model – framework for comparing high-level designs
• Model more advanced features
  • Cyclone – alias construct allows a unique pointer to be treated as shared for a limited scope
  • Vault – focus construct allows a shared object to be treated as unique for a limited scope
Structural Lemmas
• Exchange:
  If Γ1, x1:τ1, x2:τ2, Γ2 ⊢ e : τ, then Γ1, x2:τ2, x1:τ1, Γ2 ⊢ e : τ.
• Contraction (Duplicate):
  If Γ1, x1:τx, x2:τx, Γ2 ⊢ e : τ, then Γ1, x:τx, Γ2 ⊢ e[x/x1][x/x2] : τ.
• Weakening (Discard):
  If Γ ⊢ e : τ, then Γ, x:τx ⊢ e : τ.

Substructural Qualifiers
Structural rules admitted by each qualifier:
• Unrestricted – Exchange, Contraction, Weakening
• Affine – Exchange, Weakening
• Relevant – Exchange, Contraction
• Linear – Exchange

Structural Lemmas Revisited
• Contraction:
  If q ⪯ R and Γ1, x1:qτ̄x, x2:qτ̄x, Γ2 ⊢ e : τ, then Γ1, x:qτ̄x, Γ2 ⊢ e[x/x1][x/x2] : τ.
• Weakening:
  If q ⪯ A and Γ ⊢ e : τ, then Γ, x:qτ̄x ⊢ e : τ.
(q ⪯ R holds exactly for the qualifiers that admit Copy, U and R; q ⪯ A exactly for those that admit Drop, U and A.)
A Model of Substructural State
• Model a type as a set of tuples of qualifier, value, and local store typing
  ⟦τ⟧ ::= { (q, v, Ψ), … }
  Type = ℘(Qual × Value × LocalStore)
• Model a local store typing as a partial map from locations to qualifiers and types
  Ψ ::= { l → (q, ⟦τ⟧), … }
  LocalStore = Locs ⇀ (Qual × Type)
• The two definitions refer to each other, and the cardinality problem this raises is handled by stratifying the definitions with “# of steps to run the program” [Appel-McAllester ’01], [Ahmed-Appel-Virga ’03]
• The local store typing of a value v is only defined on those locations that appear as sub-expressions of v
• Further restrictions to rule out references
A Model of Substructural State
• Why only a local store typing?
(Slide figure: a store with locations l1 (L), l2 (L), l3 (U) and l4 (A), and a pair ⟨x, y⟩ whose components refer into it; the builds highlight x, y, l1, l2 and l3 in turn.)
  • A global store typing, which assigns a type to x, y, l1, l2, …, l9 and every other location, does not distinguish the “real” occurrence of a unique reference
  • A “reachable” store typing (everything reachable from x, or from y) does not distinguish shared and exclusive unique references
• Local store typing
  • Storing a unique object in a shared reference “hides” the unique object: the unique object becomes local to the reference
When does a global store s satisfy a local store typing Ψ?
Store Satisfaction
s : Ψ when
• there exists a set of locations reachable from dom(Ψ) (these are the roots)
• such that the local store typings of all reachable locations (the child locations traced from the contents of a reachable location) merge in a compatible manner
  • a unique location may not appear more than once
  • a shared location must appear with the same type
• into a global store typing that describes the store
• Similar to a garbage collector: tracing starts from the roots and follows the contents of each reachable location
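The merge of local store typings and the store-satisfaction check just described, as an added Python model (not the authors' code). It assumes a `Cell` record holding a reference's qualifier, a string naming its contents type, and its contents; the store, locations and typings below are constructed for the example.

```python
"""Store satisfaction from the talk, modelled in Python (added example, not the
authors' code).  A local store typing maps the locations that occur inside a
value to (qualifier, type); a store satisfies a typing when the typings of all
locations reachable from its roots merge compatibly into a global typing that
describes the store."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Dict, Optional, Set, Tuple

UNIQUE = {"A", "L"}          # affine and linear: may not be copied

@dataclass(frozen=True)
class Loc:
    name: str

@dataclass(frozen=True)
class Cell:
    q: str         # qualifier of the reference itself
    ty: str        # contents type, kept as a plain string in this model
    contents: Any  # int, Loc, or a tuple (a pair) of such values

Typing = Dict[Loc, Tuple[str, str]]   # loc -> (qualifier, contents type)

def locs_of(v: Any) -> Set[Loc]:
    """Locations that appear as sub-expressions of a value."""
    if isinstance(v, Loc):
        return {v}
    if isinstance(v, tuple):
        return set().union(*(locs_of(x) for x in v))
    return set()

def local_typing(store: Dict[Loc, Cell], v: Any) -> Typing:
    """Local store typing of v: only the locations inside v, typed as the
    store actually holds them (this example's stand-in for the talk's Psi)."""
    return {l: (store[l].q, store[l].ty) for l in locs_of(v)}

def merge(p1: Typing, p2: Typing) -> Optional[Typing]:
    """Merge two local store typings; None when they are incompatible: a unique
    location may not appear in both, and a shared location that appears in
    both must carry the same qualifier and type."""
    out = dict(p1)
    for l, (q, ty) in p2.items():
        if l in out:
            if q in UNIQUE or out[l][0] in UNIQUE:
                return None                  # unique location seen twice
            if out[l] != (q, ty):
                return None                  # shared location, types differ
        else:
            out[l] = (q, ty)
    return out

def satisfies(store: Dict[Loc, Cell], psi: Typing) -> bool:
    """s : Psi.  Trace from the roots dom(Psi) like a garbage collector, merging
    the local typing of each reachable location's contents, then check that the
    merged global typing agrees with what the store holds."""
    glob: Typing = dict(psi)
    worklist = list(psi)
    seen: Set[Loc] = set()
    while worklist:
        l = worklist.pop()
        if l in seen:
            continue
        seen.add(l)
        if l not in store:
            return False                     # dangling location
        child = local_typing(store, store[l].contents)
        merged = merge(glob, child)
        if merged is None:
            return False
        glob = merged
        worklist.extend(child)
    return all(l in store and store[l].q == q and store[l].ty == ty
               for l, (q, ty) in glob.items())

# Constructed store: the shared (U) cell l3 holds the linear l1, "hiding" it;
# l2 is a separate linear cell; l4 is affine; l5 and l6 both share l3.
l1, l2, l3, l4, l5, l6 = (Loc(n) for n in ("l1", "l2", "l3", "l4", "l5", "l6"))
STORE = {
    l1: Cell("L", "int", 5),
    l2: Cell("L", "int", 7),
    l3: Cell("U", "ref L int", l1),
    l4: Cell("A", "int", 9),
    l5: Cell("U", "ref U (ref L int)", l3),
    l6: Cell("U", "ref U (ref L int)", l3),
}
GOOD = local_typing(STORE, (l3, l2))          # l1 reached only through l3
BAD_DUPLICATE = local_typing(STORE, (l3, l1)) # unique l1 is a root and a child
BAD_TYPE = {l3: ("U", "ref int")}             # wrong contents type for l3
SHARED_TWICE = local_typing(STORE, (l5, l6))  # shared l3 via two paths: fine
```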