A Model of Substructural State
Matthew Fluet
Cornell University
Introduction
• Forms of “uniqueness” are appearing in programming languages
• Cyclone – affine pointers, which may be discarded, but not duplicated
  • allow fine-grained memory management
• Vault – linear keys, which may be neither discarded nor duplicated
  • enforce resource management protocols
• C / Java / SML – unrestricted objects that may be both discarded and duplicated
Introduction • But, programming with only unique objects is much too painful • Both Cyclone and Vault allow a programmer to put unique objects in shared objects • Impose a variety of restrictions to ensure that these mixed objects behave in a safe manner
Introduction • Natural to study a core language with mutable references of all flavors
Qualifiers
Linear       – (neither Discard nor Duplicate)
Affine       – Discard
Relevant     – Duplicate
Unrestricted – Discard, Duplicate
Unique objects (Linear, Affine) – may be “used” at most once; shared objects (Relevant, Unrestricted) – may be copied
Linear and Relevant objects must be “used” at least once; Affine and Unrestricted objects may be dropped
Introduction • Natural to study a core language with mutable references of all qualifiers • Raises design questions: • What does it mean to copy or drop a ref? • What operations make sense on different refs? • What combinations of qualifiers for a reference and its contents make sense? • Can one construct a reasonable model for such a language?
Outline • A Substructural Type System • … with References • Model Teaser
A Substructural Type System
• Qualifiers q ::= U | R | A | L
• PreTypes τ̄ ::= 1 | τ1 ⊗ τ2 | τ1 ⊸ τ2
• Types τ ::= q τ̄
A Substructural Type System
• Non-examples
  • U(Aτ1 ⊗ Aτ2), U(Rτ1 ⊗ Rτ2), U(Lτ1 ⊗ Lτ2)
  • copy ⟨v1,v2⟩ → ⟨⟨v1,v2⟩,⟨v1,v2⟩⟩ : v1 and v2 may be used more than once
  • drop ⟨v1,v2⟩ → ⟨⟩ : v1 and v2 are not used
… with References
• PreTypes τ̄ ::= … | ref τ
… with References
• Examples?
  • U(ref Uτ), U(ref Rτ), U(ref Aτ), U(ref Lτ)
  • copy l → ⟨l,l⟩ : l may be used more than once, but contents are not copied
  • drop l → ⟨⟩ : l is not used, and contents are dropped
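To make the non-examples and the reference examples above concrete, here is an added qualifier lattice and type well-formedness checker. It is illustration code written for this page, not Fluet's formalisation; the tuple encoding of types, the names `leq`, `can_duplicate`, `can_discard` and `well_formed`, and the treatment of function types (components only need to be well-formed themselves) are this example's assumptions. A q-qualified pair may only hold components whose qualifier is ≼ q, because copying or dropping the pair copies or drops the components; a reference places no such restriction on its contents, because copying l only duplicates the location.

```python
"""Qualifier lattice and type well-formedness for the core language of the slides.

Hypothetical checker for this page, not the paper's own code.  Types are
(q, pretype) with q in {"U", "R", "A", "L"} and pretypes as nested tuples:
    ("unit",)               1
    ("pair", tau1, tau2)    tau1 (x) tau2
    ("fn", tau1, tau2)      tau1 -o tau2
    ("ref", tau)            ref tau
"""

# Partial order on qualifiers: U ≼ R, U ≼ A, R ≼ L, A ≼ L (U bottom, L top).
_BELOW = {
    "U": {"U", "R", "A", "L"},
    "R": {"R", "L"},
    "A": {"A", "L"},
    "L": {"L"},
}


def leq(q1, q2):
    """q1 ≼ q2: q1 permits at least the structural rules that q2 permits."""
    return q2 in _BELOW[q1]


def can_duplicate(q):
    """Contraction holds only for q ≼ R, i.e. U and R."""
    return leq(q, "R")


def can_discard(q):
    """Weakening holds only for q ≼ A, i.e. U and A."""
    return leq(q, "A")


def well_formed(tau):
    """True iff copying/dropping a tau value never copies/drops something it may not."""
    q, pre = tau
    kind = pre[0]
    if kind == "unit":
        return True
    if kind == "pair":
        # copy <v1,v2> -> <<v1,v2>,<v1,v2>> and drop <v1,v2> -> <> act on the
        # components, so each component qualifier must be ≼ q.
        return all(leq(c[0], q) and well_formed(c) for c in pre[1:])
    if kind == "fn":
        # Assumption of this example: nothing beyond well-formed argument/result.
        return well_formed(pre[1]) and well_formed(pre[2])
    if kind == "ref":
        # copy l -> <l,l> duplicates the location only, not the contents, so a
        # shared reference may hold contents of any qualifier.
        return well_formed(pre[1])
    raise ValueError(f"unknown pretype {kind}")


def classify(examples):
    """Map each candidate type to its well-formedness verdict."""
    return {name: well_formed(tau) for name, tau in examples.items()}


if __name__ == "__main__":
    unit = ("U", ("unit",))
    candidates = {
        "U(A1 (x) A1)": ("U", ("pair", ("A", ("unit",)), ("A", ("unit",)))),
        "U(ref L1)": ("U", ("ref", ("L", ("unit",)))),
        "L(U1 (x) A1)": ("L", ("pair", unit, ("A", ("unit",)))),
    }
    for name, ok in classify(candidates).items():
        print(f"{name:16s} {'well-formed' if ok else 'NOT well-formed'}")
```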
A Model of Substructural State
• Model a type as a set of tuples of qualifier, value, and local store type: ⟦τ⟧ ::= { (q, ψ, v), … }
• Model a local store type as a partial map from locations to qualifiers and types: ψ ::= { l ↦ (q, ⟦τ⟧), … }
• Local store type of v only defined on those locations that appear as sub-expressions of v
• Further restrictions to rule out stores
A Model of Substructural State • Why only a local store type? • Storing a unique object in a shared reference “hides” the unique object • Using the global store – difficult to identify the “real” occurrence of a unique location
A Model of Substructural State • How can we check that a global store satisfies a local store type? • Use a Garbage Collector
Store Satisfaction
σ = { l1 ↦ v1, l2 ↦ v2, l3 ↦ v3, l4 ↦ v4, l5 ↦ v5, l6 ↦ v6, l7 ↦ v7, l8 ↦ v8, l9 ↦ v9 }
store σ satisfies ψ = { l1 ↦ τ1, l2 ↦ τ2, l3 ↦ τ3 } (these are the roots)
if there exists a set of locations N = { l4, l5, l6, l7, l9 } (these are the non-roots)
Store Satisfaction
and local store types ψ_l (l ∈ dom(ψ) ⊎ N) – these are the child locations traced from the contents of l –
that merge: Ψ* = ψ ⊎ ⨄_{l ∈ dom(ψ) ⊎ N} ψ_l = { l1 ↦ τ1, l2 ↦ τ2, l3 ↦ τ3, l4 ↦ τ4, l5 ↦ τ5, l6 ↦ τ6, l7 ↦ τ7, l9 ↦ τ9 } (the global store type)
The local store types are compatible (non-contradictory)
Don’t trace a unique location more than once
Store Satisfaction
Use Ψ* to describe the store: σ : Ψ*
l1 ↦ v1 : τ1, l2 ↦ v2 : τ2, l3 ↦ v3 : τ3, l4 ↦ v4 : τ4, l5 ↦ v5 : τ5, l6 ↦ v6 : τ6, l7 ↦ v7 : τ7, l8 ↦ v8 (untraced), l9 ↦ v9 : τ9
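An added worked example of the store satisfaction check sketched on the preceding slides: trace from the roots dom(ψ), compute a local store type ψ_l for each traced cell, collect the non-roots N, and merge everything into Ψ* with a disjoint union that lets shared locations be reached several times (provided the local store types agree) but rejects a unique location reached twice. It also enforces the side condition from the model definitions that every location a q-value owns carries a qualifier ≼ q. This is illustration code for this page, not the paper's definition; the value and type encodings, the `merge` rule, and the sample store (constructed to mirror the nine-location picture, with l8 unreachable garbage) are this example's assumptions.

```python
"""Store satisfaction by tracing, as sketched on the slides (example code, not the paper's).

Values:  ("unit",) | ("loc", l) | ("pair", v1, v2)
Types:   (q, pretype), pretype = ("unit",) | ("ref", tau) | ("pair", tau1, tau2)
A local store type psi maps location l to (q, tau): l is a q-qualified
reference whose contents have type tau.
"""

_BELOW = {"U": {"U", "R", "A", "L"}, "R": {"R", "L"}, "A": {"A", "L"}, "L": {"L"}}


def leq(q1, q2):
    return q2 in _BELOW[q1]


def is_shared(q):
    return leq(q, "R")  # U and R locations may be reached more than once


class SatisfactionError(Exception):
    pass


def merge(psi1, psi2):
    """psi1 ⊎ psi2: shared locations must agree, unique ones may appear only once."""
    out = dict(psi1)
    for l, (q, tau) in psi2.items():
        if l in out:
            if not is_shared(q) or not is_shared(out[l][0]):
                raise SatisfactionError(f"unique location l{l} traced more than once")
            if out[l] != (q, tau):
                raise SatisfactionError(f"contradictory local store types for l{l}")
        else:
            out[l] = (q, tau)
    return out


def local_store_type(v, tau):
    """psi for value v at type tau, defined only on locations that are sub-expressions of v."""
    q, pre = tau
    kind = pre[0]
    if kind == "unit":
        if v != ("unit",):
            raise SatisfactionError(f"{v} is not a unit value")
        psi = {}
    elif kind == "ref":
        if v[0] != "loc":
            raise SatisfactionError(f"{v} is not a location")
        psi = {v[1]: (q, pre[1])}
    elif kind == "pair":
        if v[0] != "pair":
            raise SatisfactionError(f"{v} is not a pair")
        psi = merge(local_store_type(v[1], pre[1]), local_store_type(v[2], pre[2]))
    else:
        raise ValueError(f"unknown pretype {kind}")
    # PreType side condition: every location inside a q value has qualifier ≼ q
    # (so a U pair may not own an L reference).
    for l, (ql, _) in psi.items():
        if not leq(ql, q):
            raise SatisfactionError(f"{ql} location l{l} inside a {q} value")
    return psi


def store_satisfies(sigma, psi):
    """Trace sigma from the roots dom(psi); return (Psi_star, N) or raise SatisfactionError."""
    Psi = dict(psi)          # Psi* starts as the root typing psi
    worklist = list(psi)     # locations whose contents still have to be traced
    traced, N = set(), set() # N collects the non-root locations reached
    while worklist:
        l = worklist.pop()
        if l in traced:
            continue
        traced.add(l)
        if l not in sigma:
            raise SatisfactionError(f"l{l} is typed but absent from the store")
        _, tau_contents = Psi[l]
        psi_l = local_store_type(sigma[l], tau_contents)  # children of l
        Psi = merge(Psi, psi_l)                           # Psi* = psi ⊎ ⨄ psi_l
        for child in psi_l:
            if child not in psi:
                N.add(child)
            worklist.append(child)
    return Psi, N


def sample():
    """Constructed store/root typing mirroring the slide's picture (l8 is garbage)."""
    unit = ("U", ("unit",))
    u_ref_unit = ("U", ("ref", unit))
    psi = {1: ("U", ("U", ("pair", u_ref_unit, u_ref_unit))),   # l1 holds <l4, l7>
           2: ("U", ("L", ("ref", unit))),                      # l2 holds l5, a linear ref
           3: ("L", ("U", ("ref", ("A", ("ref", unit)))))}      # l3 holds l6, which holds l9
    sigma = {1: ("pair", ("loc", 4), ("loc", 7)), 2: ("loc", 5), 3: ("loc", 6),
             4: ("unit",), 5: ("unit",), 6: ("loc", 9), 7: ("unit",),
             8: ("unit",), 9: ("unit",)}
    return sigma, psi


if __name__ == "__main__":
    Psi_star, N = store_satisfies(*sample())
    print("N =", sorted(N), "dom(Psi*) =", sorted(Psi_star))
```

Garbage such as l8 is simply never traced, so it is absent from Ψ*; a unique location reachable from two cells makes `merge` fail, which is the "don't trace a unique location more than once" condition.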
Conclusion and Future Work • Core language, type-system, and model • Model more advanced features • Cyclone – alias construct allows a unique pointer to be treated as shared for a limited scope • Vault – focus construct allows a shared object to be treated as unique for a limited scope
Structural Lemmas
• Exchange:
  • If Γ1, x1:τ1, x2:τ2, Γ2 ⊢ e : τ, then Γ1, x2:τ2, x1:τ1, Γ2 ⊢ e : τ.
• Contraction (Duplicate):
  • If Γ1, x1:τx, x2:τx, Γ2 ⊢ e : τ, then Γ1, x:τx, Γ2 ⊢ e[x/x1][x/x2] : τ.
• Weakening (Discard):
  • If Γ ⊢ e : τ, then Γ, x:τx ⊢ e : τ.
Qualifiers
Linear       – Exch
Affine       – Exch, Weak
Relevant     – Exch, Cntr
Unrestricted – Exch, Cntr, Weak
Structural Lemmas Revisited
• Contraction:
  • If q ≼ R and Γ1, x1:qτ̄x, x2:qτ̄x, Γ2 ⊢ e : τ, then Γ1, x:qτ̄x, Γ2 ⊢ e[x/x1][x/x2] : τ.
• Weakening:
  • If q ≼ A and Γ ⊢ e : τ, then Γ, x:qτ̄x ⊢ e : τ.
Operational Semantics
σ ::= { l1 ↦ v1, …, ln ↦ vn }
(σ, new v) → (σ ⊎ {l ↦ v}, l)
(σ ⊎ {l ↦ v}, free l) → (σ, v)
(σ ⊎ {l ↦ v}, rd l) → (σ ⊎ {l ↦ v}, ⟨l, v⟩)
(σ ⊎ {l ↦ v1}, wr l v2) → (σ ⊎ {l ↦ v2}, l)
(σ ⊎ {l ↦ v1}, sw l v2) → (σ ⊎ {l ↦ v2}, ⟨l, v1⟩)
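An added interpreter for the five store operations above, with the qualifier side conditions that follow from the step relation itself: rd returns v while leaving it in the store, so it duplicates the contents and needs q ≼ R; wr overwrites v1 without returning it, so it discards the old contents and needs q ≼ A; free and sw hand the old contents back and need neither. The `Store` class, the (q, payload) value encoding and these derived conditions are this example's (they answer the slides' "what operations make sense on different refs?" question in the most direct way), not the paper's typing rules.

```python
"""Store operations new / free / rd / wr / sw with derived qualifier checks.

Example code written for this page, not the paper's formalisation.  sigma maps
locations to values; every value carries its qualifier as (q, payload).
"""

_BELOW = {"U": {"U", "R", "A", "L"}, "R": {"R", "L"}, "A": {"A", "L"}, "L": {"L"}}


def leq(q1, q2):
    return q2 in _BELOW[q1]


class QualifierError(Exception):
    pass


class Store:
    def __init__(self):
        self.cells = {}   # sigma ::= { l1 -> v1, ..., ln -> vn }
        self._next = 0

    def new(self, v):
        # (sigma, new v) -> (sigma ⊎ {l -> v}, l): a fresh location
        l = self._next
        self._next += 1
        self.cells[l] = v
        return l

    def free(self, l):
        # (sigma ⊎ {l -> v}, free l) -> (sigma, v): contents are handed back, never lost
        return self.cells.pop(l)

    def rd(self, l):
        # (sigma ⊎ {l -> v}, rd l) -> (sigma ⊎ {l -> v}, <l, v>)
        # v is returned AND stays in the store, so it is duplicated:
        # assumption of this example, contents must be duplicable (q ≼ R).
        v = self.cells[l]
        if not leq(v[0], "R"):
            raise QualifierError(f"rd would duplicate {v[0]} contents of l{l}")
        return (l, v)

    def wr(self, l, v2):
        # (sigma ⊎ {l -> v1}, wr l v2) -> (sigma ⊎ {l -> v2}, l)
        # v1 is overwritten without being returned, so it is discarded:
        # assumption of this example, old contents must be discardable (q ≼ A).
        v1 = self.cells[l]
        if not leq(v1[0], "A"):
            raise QualifierError(f"wr would discard {v1[0]} contents of l{l}")
        self.cells[l] = v2
        return l

    def sw(self, l, v2):
        # (sigma ⊎ {l -> v1}, sw l v2) -> (sigma ⊎ {l -> v2}, <l, v1>)
        # neither duplicates nor discards, so it is allowed for every qualifier.
        v1 = self.cells[l]
        self.cells[l] = v2
        return (l, v1)


def linear_cell_trace():
    """Exercise a shared reference holding a linear value; return what each step did."""
    s = Store()
    l = s.new(("L", "key-1"))           # constructed linear payload
    outcome = {}
    try:
        s.rd(l)
        outcome["rd"] = "allowed"
    except QualifierError:
        outcome["rd"] = "rejected"      # reading would copy the linear key
    outcome["sw"] = s.sw(l, ("L", "key-2"))   # swap hands key-1 back
    try:
        s.wr(l, ("L", "key-3"))
        outcome["wr"] = "allowed"
    except QualifierError:
        outcome["wr"] = "rejected"      # writing would drop key-2
    outcome["free"] = s.free(l)         # free returns key-2; store is empty again
    outcome["store_empty"] = s.cells == {}
    return outcome


if __name__ == "__main__":
    for step, result in linear_cell_trace().items():
        print(f"{step:12s} {result}")
```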
A Model of Substructural State
• Model a type as a set of tuples: PreType = ℘(Qual × Value × LocStore), Type = PreType
• Model a local store type as a partial map: LocStore = Locs → (Qual × Type)⊥
• Cardinality problem is handled by stratifying definitions with “# of steps to run the program”
A Model of Substructural State
PreType = { χ ∈ ℘(Qual × Value × LocStore) | for all (q, v, ψ) ∈ χ, each location in ψ is mapped to a qualifier ≼ q }
Type = { χ ∈ PreType | all qualifiers in χ are the same }
LocStore = { ψ ∈ Locs → (Qual × Type)⊥ | each location is mapped to a type consistent with the location’s qualifier }