
Syntactic soundness proof of a type-and-capability system with hidden state

Published online by Cambridge University Press:  10 October 2012

FRANÇOIS POTTIER*
Affiliation:
INRIA, BP 105, 78153 Le Chesnay Cedex, France (e-mail: Francois.Pottier@inria.fr)

Abstract


This paper presents a formal definition and machine-checked soundness proof for a very expressive type-and-capability system, that is, a low-level type system that keeps precise track of ownership and side effects. The programming language has first-class functions and references. The type system's features include the following: universal, existential, and recursive types; subtyping; a distinction between affine and unrestricted data; support for strong updates; support for naming values and heap fragments via singleton and group regions; a distinction between ordinary values (which exist at runtime) and capabilities (which do not); support for dynamic reorganizations of the ownership hierarchy by disassembling and reassembling capabilities; and support for temporarily or permanently hiding a capability via frame and anti-frame rules. One contribution of the paper is the definition of the type-and-capability system itself. We present the system as modularly as possible. In particular, at the core of the system, the treatment of affinity, in the style of dual intuitionistic linear logic, is formulated in terms of an arbitrary monotonic separation algebra, a novel axiomatization of resources, ownership, and the manner in which they evolve with time. Only the peripheral layers of the system are aware that we are dealing with a specific monotonic separation algebra, whose resources are references and regions. This semi-abstract organization should facilitate further extensions of the system with new forms of resources. The other main contribution is a machine-checked proof of type soundness. The proof is carried out in Wright and Felleisen's syntactic style. This offers evidence that this relatively simple-minded proof technique can scale up to systems of this complexity, and constitutes a viable alternative to more sophisticated semantic proof techniques. We do not claim that the syntactic technique is superior: we simply illustrate how it is used and highlight its strengths and shortcomings.
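Two of the features listed above, the affine/unrestricted distinction that licenses strong updates and the hiding of a capability behind a function type, can be exercised in a mainstream affine type system. The Rust program below is an added illustration written for this page; it is not the paper's calculus, not its Coq development, and the names `Cap`, `strong_update`, `shared_weak_update`, `make_counter` and `demo` are chosen here for exposition. It shows that changing the type of a heap cell is sound only when the single capability to it is consumed, that shared (unrestricted) data admits only same-type weak updates, and that a closure can capture a capability so that the caller's view of the function mentions no state at all.

```rust
// Added illustration (not from the paper or its Coq scripts): Rust's
// ownership discipline is an affine type system, so it can show, in running
// code, two ideas the abstract lists: strong updates and hidden state.

use std::cell::RefCell;
use std::rc::Rc;

/// An affine capability (hypothetical name): no `Clone`/`Copy`, so a value
/// of this type can be used at most once. Holding it is the only way to
/// touch the owned cell below.
pub struct Cap<T> {
    cell: Box<T>,
}

impl<T> Cap<T> {
    pub fn new(v: T) -> Self {
        Cap { cell: Box::new(v) }
    }

    /// Weak update: replace the content with a value of the *same* type.
    pub fn set(&mut self, v: T) {
        *self.cell = v;
    }

    pub fn get(&self) -> &T {
        &*self.cell
    }

    /// Strong update: change the *type* of the content. This is sound only
    /// because `self` is consumed, so no alias can still expect a `T` here.
    pub fn strong_update<U>(self, f: impl FnOnce(T) -> U) -> Cap<U> {
        Cap { cell: Box::new(f(*self.cell)) }
    }
}

/// Unrestricted (shared) data: many owners, so only weak updates are
/// possible. A `strong_update` for this type cannot be written soundly,
/// because every other `Rc` clone still believes the cell holds a `u32`.
pub fn shared_weak_update(shared: &Rc<RefCell<u32>>, v: u32) -> u32 {
    *shared.borrow_mut() = v;
    *shared.borrow()
}

/// Hidden state, in the spirit of an anti-frame rule: the counter's
/// capability is captured by the closure and does not appear in the
/// returned type `impl FnMut() -> u32`, which mentions no resource.
pub fn make_counter(start: u32) -> impl FnMut() -> u32 {
    let mut cap = Cap::new(start);
    move || {
        let next = *cap.get() + 1;
        cap.set(next);
        next
    }
}

/// Drives the three mechanisms and returns what each produced.
pub fn demo() -> (String, u32, u32) {
    // Strong update: the cell goes from holding a u32 to holding a String.
    let c: Cap<u32> = Cap::new(41);
    let c: Cap<String> = c.strong_update(|n| format!("answer={}", n + 1));
    // The old `Cap<u32>` binding was moved; any use of it here would be
    // rejected by the compiler, which is exactly the affinity guarantee.

    // Weak update through an alias of shared data.
    let shared = Rc::new(RefCell::new(1));
    let alias = Rc::clone(&shared);
    let seen = shared_weak_update(&alias, 7);

    // Hidden state: callers see a plain function, not a capability.
    let mut tick = make_counter(0);
    tick();
    let second = tick();

    (c.get().clone(), seen, second)
}

fn main() {
    println!("{:?}", demo());
}
```

The design point is the signature of `strong_update`: it takes `self` by value rather than `&mut self`. With `&mut self` the borrow checker would insist the cell still holds a `T` afterwards, which is the weak-update discipline; consuming the capability is what makes the type change safe, and that is why the shared `Rc<RefCell<_>>` version cannot offer the same operation.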

Type
Articles
Copyright
Copyright © Cambridge University Press 2012

References

Abadi, M., Pierce, B. & Plotkin, G. (1991) Faithful ideal models for recursive polymorphic types. Int. J. Found. Comput. Sci. 2(1), 1–21.
Ahmed, A. J. (2004) Semantics of Types for Mutable State. Ph.D. thesis, Princeton University, Princeton, NJ.
Ahmed, A., Appel, A. W., Richards, C. D., Swadi, K. N., Tan, G. & Wang, D. C. (2010) Semantic foundations for typed assembly languages. ACM Trans. Program. Lang. Syst. 32(3), 7:1–67.
Ahmed, A. J., Fluet, M. & Morrisett, G. (2005) A step-indexed model of substructural state. In ACM International Conference on Functional Programming (ICFP), pp. 78–91.
Ahmed, A., Fluet, M. & Morrisett, G. (2007) L3: A linear language with locations. Fundam. Inform. 77(4), 397–449.
Almeida, P. S. (1997) Balloon types: Controlling sharing of state in data types. In European Conference on Object-Oriented Programming (ECOOP), Lecture Notes in Computer Science, vol. 1241. New York: Springer, pp. 32–59.
Amadio, R. M. & Cardelli, L. (1993) Subtyping recursive types. ACM Trans. Program. Lang. Syst. 15(4), 575–631.
Atkey, R. (2010) Amortised resource analysis with separation logic. In European Symposium on Programming (ESOP), Lecture Notes in Computer Science, vol. 6012. New York: Springer, pp. 85–103.
Aydemir, B. E., Bohannon, A., Fairbairn, M., Foster, J. N., Pierce, B. C., Sewell, P., Vytiniotis, D., Washburn, G., Weirich, S. & Zdancewic, S. (2005) Mechanized metatheory for the masses: The PoplMark challenge. In International Conference on Theorem Proving in Higher Order Logics (TPHOLs), Lecture Notes in Computer Science, vol. 3603. New York: Springer, pp. 50–65.
Barber, A. (1996) Dual Intuitionistic Linear Logic. Tech. Rep. ECS-LFCS-96-347, Laboratory for Foundations of Computer Science, School of Informatics, University of Edinburgh, Edinburgh, UK.
Bell, C. J., Dockins, R., Hobor, A., Appel, A. W. & Walker, D. (2008) Comparing semantic and syntactic methods in mechanized proof frameworks. In Proceedings of the International Workshop on Proof-Carrying Code (PCC), Carnegie Mellon University, Pittsburgh, PA.
Bierhoff, K. & Aldrich, J. (2007) Modular typestate checking of aliased objects. In ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), pp. 301–320.
Birkedal, L., Reus, B., Schwinghammer, J., Støvring, K., Thamsborg, J. & Yang, H. (2011) Step-indexed Kripke models over recursive worlds. In ACM Symposium on Principles of Programming Languages (POPL), pp. 119–132.
Birkedal, L., Støvring, K. & Thamsborg, J. (2009) Realizability semantics of parametric polymorphism, general references, and recursive types. In International Conference on Foundations of Software Science and Computation Structures (FOSSACS), Lecture Notes in Computer Science, vol. 5504. New York: Springer, pp. 456–470.
Birkedal, L., Støvring, K. & Thamsborg, J. (2010) Realisability semantics of parametric polymorphism, general references, and recursive types. Math. Struct. Comput. Sci. 20(4), 655–703.
Birkedal, L., Torp-Smith, N. & Yang, H. (2006) Semantics of separation-logic typing and higher-order frame rules for Algol-like languages. Logical Methods Comput. Sci. 2(5).
Blanqui, F. & Koprowski, A. (2011) CoLoR: A Coq library on well-founded rewrite relations and its application to the automated verification of termination certificates. Math. Struct. Comput. Sci. 21(4), 827–859.
Boyapati, C., Lee, R. & Rinard, M. (2002) Ownership types for safe programming: Preventing data races and deadlocks. In ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), pp. 211–230.
Boyland, J. T. (2010) Semantics of fractional permissions with nesting. ACM Trans. Program. Lang. Syst. 32(6), 22:1–33.
Boyland, J. T. & Retert, W. (2005) Connecting effects and uniqueness with adoption. In ACM Symposium on Principles of Programming Languages (POPL), pp. 283–295.
Brandt, M. & Henglein, F. (1998) Coinductive axiomatization of recursive type equality and subtyping. Fundam. Inform. 33, 309–338.
Buisse, A., Birkedal, L. & Støvring, K. (2011) A step-indexed Kripke model of separation logic for storable locks. Electron. Notes Theor. Comput. Sci. 276, 121–143.
Calcagno, C., O'Hearn, P. W. & Yang, H. (2007) Local action and abstract separation logic. In IEEE Symposium on Logic in Computer Science (LICS), pp. 366–378.
Charguéraud, A. (2012) The locally nameless representation. J. Autom. Reasoning 49(3), 363–408.
Charguéraud, A. & Pottier, F. (2008) Functional translation of a calculus of capabilities. In ACM International Conference on Functional Programming (ICFP), pp. 213–224.
Clarke, D. G., Potter, J. M. & Noble, J. (1998) Ownership types for flexible alias protection. In ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), pp. 48–64.
Crary, K., Walker, D. & Morrisett, G. (1999) Typed memory management in a calculus of capabilities. In ACM Symposium on Principles of Programming Languages (POPL), pp. 262–275.
Danielsson, N. A. & Altenkirch, T. (2010) Subtyping, declaratively. In International Conference on Mathematics of Program Construction (MPC), Lecture Notes in Computer Science, vol. 6120. New York: Springer, pp. 100–118.
de Bruijn, N. G. (1972) Lambda-calculus notation with nameless dummies: A tool for automatic formula manipulation with application to the Church-Rosser theorem. Indag. Math. 34(5), 381–392.
DeLine, R. & Fähndrich, M. (2001) Enforcing high-level protocols in low-level software. In ACM Conference on Programming Language Design and Implementation (PLDI), pp. 59–69.
Detlefs, D. L., Leino, K. R. M. & Nelson, G. (1998) Wrestling with Rep Exposure. Res. Rep. 156, SRC, Palo Alto, CA.
Dietl, W. & Müller, P. (2005) Universes: Lightweight ownership for JML. J. Object Technol. 4(8), 5–32.
Dinsdale-Young, T., Birkedal, L., Gardner, P., Parkinson, M. J. & Yang, H. (submitted) Views: Compositional Reasoning for Concurrent Programs.
Dinsdale-Young, T., Dodds, M., Gardner, P., Parkinson, M. & Vafeiadis, V. (2010) Concurrent Abstract Predicates. Tech. Rep., Computer Laboratory, University of Cambridge, Cambridge, UK.
Dockins, R., Hobor, A. & Appel, A. W. (2009) A fresh look at separation algebras and share accounting. In Asian Symposium on Programming Languages and Systems (APLAS), Lecture Notes in Computer Science, vol. 5904. New York: Springer, pp. 161–177.
Fähndrich, M., Aiken, M., Hawblitzel, C., Hodson, O., Hunt, G., Larus, J. R. & Levi, S. (2006) Language support for fast and reliable message-based communication in Singularity OS. In Proceedings of EuroSys, pp. 177–190.
Fähndrich, M. & DeLine, R. (2002) Adoption and focus: Practical linear types for imperative programming. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), pp. 13–24.
Gapeyev, V., Levin, M. & Pierce, B. (2002) Recursive subtyping revealed. J. Funct. Program. 12(6), 511–548.
Gauthier, N. & Pottier, F. (2004) Numbering matters: First-order canonical forms for second-order recursive types. In Proceedings of the ACM International Conference on Functional Programming (ICFP), pp. 150–161.
Gifford, D. K., Jouvelot, P., Sheldon, M. A. & O'Toole, J. W. (1992) Report on the FX-91 Programming Language. Tech. Rep. MIT/LCS/TR-531, Massachusetts Institute of Technology, Cambridge, MA.
Girard, J.-Y. (1972) Interprétation fonctionnelle et élimination des coupures de l'arithmétique d'ordre supérieur. Thèse d'état, Université Paris 7.
Glew, N. (2002) A theory of second-order trees. In European Symposium on Programming (ESOP), Lecture Notes in Computer Science, vol. 2305. New York: Springer, pp. 147–161.
Gotsman, A., Berdine, J., Cook, B., Rinetzky, N. & Sagiv, M. (2007) Local Reasoning for Storable Locks and Threads. Tech. Rep. MSR-TR-2007-39, Microsoft Research.
Harper, R. (1994) A simplified account of polymorphic references. Inf. Process. Lett. 51(4), 201–206.
Hoare, C. A. R. (1972) Proof of correctness of data representations. Acta Inform. 4, 271–281.
Hobor, A., Appel, A. W. & Zappa Nardelli, F. (2008) Oracle semantics for concurrent separation logic. In European Symposium on Programming (ESOP), Lecture Notes in Computer Science, vol. 4960. New York: Springer, pp. 353–367.
Hofmann, M. (2000) A type system for bounded space and functional in-place update. Nord. J. Comput. 7(4), 258–289.
Hogg, J. (1991) Islands: Aliasing protection in object-oriented languages. In Proceedings of the ACM Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), pp. 271–285.
Ishtiaq, S. S. & O'Hearn, P. W. (2001) BI as an assertion language for mutable data structures. In Proceedings of the ACM Symposium on Principles of Programming Languages (POPL), pp. 14–26.
Launchbury, J. & Peyton Jones, S. (1995) State in Haskell. LISP Symb. Comput. 8(4), 293–341.
Levy, P. B. (2002) Possible world semantics for general storage in call-by-value. In Computer Science Logic (CSL), Lecture Notes in Computer Science, vol. 2471. New York: Springer.
MacQueen, D. B., Plotkin, G. D. & Sethi, R. (1986) An ideal model for recursive polymorphic types. Inf. Control 71(1–2), 95–130.
Mazurak, K., Zhao, J. & Zdancewic, S. (2010) Lightweight linear types in System F°. In Workshop on Types in Language Design and Implementation (TLDI), pp. 77–88.
Mitchell, J. C. (1988) Polymorphic type inference and containment. Inf. Comput. 76(2–3), 211–249.
Monnier, S. (2008) Statically Tracking State with Typed Regions. Draft.
Müller, P. & Poetzsch-Heffter, A. (2001) Universes: A Type System for Alias and Dependency Control. Tech. Rep. 279, Fernuniversität Hagen, Germany.
Nanevski, A., Morrisett, G. & Birkedal, L. (2008) Hoare type theory, polymorphism and separation. J. Funct. Program. 18(5–6), 865–911.
Nanevski, A., Vafeiadis, V. & Berdine, J. (2010) Structuring the verification of heap-manipulating programs. In Proceedings of the ACM Symposium on Principles of Programming Languages (POPL), pp. 261–274.
O'Hearn, P. W. (2007) Resources, concurrency and local reasoning. Theor. Comput. Sci. 375(1–3), 271–307.
O'Hearn, P. W., Yang, H. & Reynolds, J. C. (2004) Separation and information hiding. In Proceedings of the ACM Symposium on Principles of Programming Languages (POPL), pp. 268–280.
Peyton Jones, S. & Wadler, P. (1993) Imperative functional programming. In Proceedings of the ACM Symposium on Principles of Programming Languages (POPL), pp. 71–84.
Pilkiewicz, A. & Pottier, F. (2011) The essence of monotonic state. In Workshop on Types in Language Design and Implementation (TLDI), Philadelphia, PA.
Pollack, R., Sato, M. & Ricciotti, W. (2012) A canonical locally named representation of binding. J. Autom. Reasoning 49(2), 185–207.
Pottier, F. (2008) Hiding local state in direct style: A higher-order anti-frame rule. In IEEE Symposium on Logic in Computer Science (LICS), pp. 331–340.
Pottier, F. (2009a) Generalizing the higher-order frame and anti-frame rules. Unpublished manuscript.
Pottier, F. (2009b) Three comments on the anti-frame rule. Unpublished manuscript.
Pottier, F. (2012a) Accompanying Coq scripts; for browsing [online]. Available at: http://gallium.inria.fr/~fpottier/ssphs/. Accessed 21 September 2012.
Pottier, F. (2012b) Accompanying Coq scripts; for downloading [online]. Available at: http://gallium.inria.fr/~fpottier/ssphs/ssphs.tar.gz and also as an online supplement at http://www.cambridge.org/… Accessed 21 September 2012.
Pottier, F. & Protzenko, J. (2012) Programming with permissions: An introduction to Mezzo. Unpublished manuscript.
Reus, B. & Schwinghammer, J. (2006) Separation logic for higher-order store. In Computer Science Logic (CSL), Lecture Notes in Computer Science, vol. 4207. New York: Springer, pp. 575–590.
Reynolds, J. C. (1974) Towards a theory of type structure. In Colloque sur la Programmation, Lecture Notes in Computer Science, vol. 19. New York: Springer, pp. 408–425.
Reynolds, J. C. (2002) Separation logic: A logic for shared mutable data structures. In IEEE Symposium on Logic in Computer Science (LICS), pp. 55–74.
Schwinghammer, J., Birkedal, L., Pottier, F., Reus, B., Støvring, K. & Yang, H. (2012) A step-indexed Kripke model of hidden state. Math. Struct. Comput. Sci. Available at: http://dx.doi.org/10.1017/S0960129512000035.
Schwinghammer, J., Birkedal, L., Reus, B. & Yang, H. (2009) Nested Hoare triples and frame rules for higher-order store. In Computer Science Logic (CSL), Lecture Notes in Computer Science, vol. 5771. New York: Springer, pp. 440–454.
Schwinghammer, J., Birkedal, L. & Støvring, K. (2011) A step-indexed Kripke model of hidden state via recursive properties on recursively defined metric spaces. In International Conference on Foundations of Software Science and Computation Structures (FOSSACS), Lecture Notes in Computer Science, vol. 6604. New York: Springer, pp. 305–319.
Schwinghammer, J., Yang, H., Birkedal, L., Pottier, F. & Reus, B. (2010) A semantic foundation for hidden state. In International Conference on Foundations of Software Science and Computation Structures (FOSSACS), Lecture Notes in Computer Science, vol. 6014. New York: Springer, pp. 2–17.
Smith, F., Walker, D. & Morrisett, G. (2000) Alias types. In European Symposium on Programming (ESOP), Lecture Notes in Computer Science, vol. 1782. New York: Springer, pp. 366–381.
Swamy, N., Hicks, M., Morrisett, G., Grossman, D. & Jim, T. (2006) Safe manual memory management in Cyclone. Sci. Comput. Program. 62(2), 122–144.
Talpin, J.-P. & Jouvelot, P. (1994) The type and effect discipline. Inf. Comput. 111(2), 245–296.
Tan, G., Shao, Z., Feng, X. & Cai, H. (2009) Weak updates and separation logic. In Asian Symposium on Programming Languages and Systems (APLAS), Lecture Notes in Computer Science, vol. 5904. New York: Springer, pp. 178–193.
Tofte, M. & Talpin, J.-P. (1997) Region-based memory management. Inf. Comput. 132(2), 109–176.
Tov, J. A. & Pucella, R. (2010) Stateful contracts for affine types. In European Symposium on Programming (ESOP), Lecture Notes in Computer Science, vol. 6012. New York: Springer, pp. 550–569.
Tov, J. A. & Pucella, R. (2011) Practical affine types. In ACM Symposium on Principles of Programming Languages (POPL), pp. 447–458.
Urban, C. (2008) Nominal techniques in Isabelle/HOL. J. Autom. Reasoning 40(4), 327–356.
Vouillon, J. & Melliès, P.-A. (2004) Semantic types: A fresh look at the ideal model for types. In ACM Symposium on Principles of Programming Languages (POPL), pp. 52–63.
Walker, D. (2005) Substructural type systems. In Advanced Topics in Types and Programming Languages, Pierce, B. C. (ed). Cambridge, MA: MIT Press, Chap. 1, pp. 3–43.
Walker, D. & Morrisett, G. (2000) Alias types for recursive data structures. In Workshop on Types in Compilation (TIC), Lecture Notes in Computer Science, vol. 2071. New York: Springer, pp. 177–206.
Wright, A. K. (1995) Simple imperative polymorphism. LISP Symb. Comput. 8(4), 343–356.
Wright, A. K. & Felleisen, M. (1994) A syntactic approach to type soundness. Inf. Comput. 115(1), 38–94.
Supplementary material

Appendix (file, 539 KB), supplied by the author.