a step-indexed model of substructural state

A Step-Indexed Model of Substructural State

Matthew Fluet

Cornell University

Amal Ahmed Greg Morrisett

Harvard University

A Step-Indexed Model of

Substructural State

Matthew Fluet

Cornell University

Amal Ahmed Greg Morrisett

Harvard University

Sept. 26, 2005 3

Introduction

• Mutable state is here to stay

Sept. 26, 2005 4

Introduction

• Mutable state is here to stay• high-level – I/O, data structures• low-level – virtual machines, garbage collector

Sept. 26, 2005 5

Introduction

• Mutable state is hard to control

Sept. 26, 2005 6

Introduction


• C / Java / SML – unrestricted objects

Sept. 26, 2005 7

Introduction


• Various forms of uniqueness have appeared as a means to “tame” state

Sept. 26, 2005 8

Introduction


• Various forms of uniqueness have appeared as a means to “tame” state• Clean – uniqueness types

• I/O operations in a purely-functional language

• Cyclone – unique pointers• fine-grained memory management

• Vault – unique keys• resource management protocols

Sept. 26, 2005 9

Introduction


• Various forms of uniqueness have appeared as a means to “tame” state• Clean – uniqueness types

• I/O operations in a purely-functional language

• Cyclone – unique pointers• fine-grained memory management

• Vault – unique keys• resource management protocols

Sept. 26, 2005 10

Introduction


• Unique objects alone are too restrictive

Sept. 26, 2005 11

Introduction


• Unique objects alone are too restrictive• Only tree-like data structures• Only single paths to a unique object

Sept. 26, 2005 12

Introduction



fun g () = … lr …

lr -- unique resource

fun f () = … lr …

Sept. 26, 2005 13

Introduction



fun g () = … lr …


fun f () = … lr …

Sept. 26, 2005 14

Introduction



• Cyclone and Vault allow programs to store unique objects in shared objects

Sept. 26, 2005 15

Introduction



• Cyclone and Vault allow programs to store unique objects in shared objects

fun g () = … ls …


lrls -- shared object

fun f () = … ls …

Sept. 26, 2005 16

Introduction



• Cyclone and Vault allow programs to store unique objects in shared objects• Safety of mixed objects requires some restrictions

Sept. 26, 2005 17

Introduction




Cyclone and Vault have different interpretations of “unique” and “shared”

Sept. 26, 2005 18

Introduction





So, they have different sets of restrictions(i.e., type-systems)

Sept. 26, 2005 19

Introduction






How do we compare and evaluate these languages?

Sept. 26, 2005 20

Introduction






Can we generalize the interpretations and restrictions?

Sept. 26, 2005 21

Introduction






Can we definean expressive

target language?

Sept. 26, 2005 22

Introduction

• We study a core language with mutable references

Sept. 26, 2005 23

Introduction

• We study a core language with mutable references• deallocation of references• strong (type-varying) updates• storage of unique objects in shared references

Sept. 26, 2005 24

Introduction

• We study a core language with mutable references of all qualifiers

Sept. 26, 2005 25

Introduction

• We study a core language with mutable references of all qualifiers• Unrestricted – like C / Java / SML

• Affine – like Clean and Cyclone• Linear – like Vault

Sept. 26, 2005 26

Introduction

• We study a core language with mutable references of all qualifiers• Unrestricted – like C / Java / SML• Relevant• Affine – like Clean and Cyclone• Linear – like Vault

Sept. 26, 2005 27

Introduction

• We study a core language with mutable references of all qualifiers• Unrestricted – like C / Java / SML• Relevant• Affine – like Clean and Cyclone• Linear – like Vault

Sept. 26, 2005 28

Outline

• A Substructural Type System

• … with References

• Model Teaser

Sept. 26, 2005 29

Structural Properties

• Conventional type systems satisfy

• Exchange• use typing assumptions in any order

• Contraction• use typing assumptions more than once

• Weakening• use typing assumptions less than once

Sept. 26, 2005 30


• Conventional type systems satisfy


• Contraction – Copy• use typing assumptions more than once

• Weakening – Drop• use typing assumptions less than once

Sept. 26, 2005 31


• Substructural type systems fail to satisfy




Sept. 26, 2005 32


• Substructural type systems fail to satisfy




Sept. 26, 2005 33

Substructural Qualifiers

AffineDrop

RelevantCopy

UnrestrictedDrop Copy

Linear

Sept. 26, 2005 34


AffineDrop

RelevantCopy


Linear

Unique objects – may be “used”at most once

Shared objects –may be “used” more than once

Sept. 26, 2005 35


AffineDrop

RelevantCopy


Linear



Sept. 26, 2005 36


AffineDrop

RelevantCopy


Linear



Sept. 26, 2005 37


AffineDrop

RelevantCopy


Linear



Sept. 26, 2005 38


AffineDrop

RelevantCopy


Linear

Essential objects – must be “used”at least once

Inessential objects –may be “used” less than once

Sept. 26, 2005 39


AffineDrop

RelevantCopy


Linear



Sept. 26, 2005 40


AffineDrop

RelevantCopy


Linear



Sept. 26, 2005 41


AffineDrop

RelevantCopy


Linear



Sept. 26, 2005 42

A Substructural Type System

• Qualifiers

q ::= U j R j A j L

• PreTypes

::= 1 j 1 2 j 1 ( 2

• Types

::= q

Sept. 26, 2005 43


• Qualifiers

q ::= U j R j A j L

• PreTypes

::= 1 j 1 2 j 1 ( 2

• Types

::= q

How maythe value be used?

Sept. 26, 2005 44


• Qualifiers

q ::= U j R j A j L

• PreTypes

::= 1 j 1 2 j 1 ( 2

• Types

::= q

How often maythe value be used?

How maythe value be used?

Sept. 26, 2005 45

Copy with Pairs

copy UhLv1,Lv2i ! hUhLv1,Lv2i, UhLv1,Lv2ii

U(L1 L2) U(A1 A2)

Sept. 26, 2005 46

Copy with Pairs


U(L1 L2) U(A1 A2) hv1, v2i may be used more than once

Sept. 26, 2005 47

Copy with Pairs


U(L1 L2) U(A1 A2) hv1, v2i may be used more than once

Sept. 26, 2005 48

Copy with Pairs


U(L1 L2) U(A1 A2) v1 and v2 may be used more than once

Sept. 26, 2005 49

Copy with Pairs


U(L1 L2) U(A1 A2) v1 and v2 may be used more than once

Sept. 26, 2005 50

Copy with Pairs


U(L1 L2) U(A1 A2)

Sept. 26, 2005 51

Copy with Pairs

copy UhAv1,Av2i ! hUhAv1,Av2i, UhAv1,Av2ii

U(L1 L2) U(A1 A2)

Sept. 26, 2005 52

Copy with Pairs

copy UhUv1,Uv2i ! hUhUv1,Uv2i, UhUv1,Uv2ii

U(L1 L2) U(A1 A2)

U(U1 U2)

Sept. 26, 2005 53

Drop with Pairs

drop UhLv1,Lv2i ! hi

U(L1 L2) U(R1 R2)

Sept. 26, 2005 54

Drop with Pairs


U(L1 L2) U(R1 R2) hv1, v2i is not used

Sept. 26, 2005 55

Drop with Pairs


U(L1 L2) U(R1 R2) hv1, v2i is not used

Sept. 26, 2005 56

Drop with Pairs


U(L1 L2) U(R1 R2) v1 and v2 are not used

Sept. 26, 2005 57

Drop with Pairs


U(L1 L2) U(R1 R2) v1 and v2 are not used

Sept. 26, 2005 58

Drop with Pairs


U(L1 L2) U(R1 R2)

Sept. 26, 2005 59

Drop with Pairs

drop UhRv1,Rv2i ! hi

U(L1 L2) U(R1 R2)

Sept. 26, 2005 60

Drop with Pairs

drop UhUv1,Uv2i ! hi

U(L1 L2) U(R1 R2)

U(U1 U2)

Sept. 26, 2005 61

… with References

• PreTypes

::= … j ref

• Expressions

e ::= … j new e j free e

e ::= … j read e j write e1 e2 j swap e1 e2

Sept. 26, 2005 62

… with References

• PreTypes

::= … j ref

• Raises design questions:• What does it mean to copy or drop a ref?• What operations make sense on different refs?• What combinations make sense for the qualifier

and contents of a ref?

Sept. 26, 2005 63

drop Ul ! hicopy Ul ! hUl, Uli

Copy & Drop with References

U(ref L) U(ref R)

U(ref U) U(ref A)

LvLv

Sept. 26, 2005 64



U(ref L) U(ref R)

U(ref U) U(ref A)

LvLv

l may be used more than once;but contents are not copied

Sept. 26, 2005 65



U(ref L) U(ref R)

U(ref U) U(ref A)

LvLvLv Lv

Sept. 26, 2005 66



U(ref L) U(ref R)

U(ref U) U(ref A)

LvLvLv Lv

l is not used;and contents are (implicitly) dropped

Sept. 26, 2005 67



U(ref L) U(ref R)

U(ref U) U(ref A)

LvLvLv Lv

Sept. 26, 2005 68



U(ref U) U(ref A)

U(ref L) U(ref R)

LvLvLv Lv

Sept. 26, 2005 69



U(ref L) U(ref R)

U(ref U) U(ref A)

LvLvLv Lv

Sept. 26, 2005 70



U(ref L) U(ref R)

U(ref U) U(ref A)

RvRvRv Rv

Sept. 26, 2005 71



U(ref L) U(ref R)

U(ref U) U(ref A)

UvUvUv Uv

Sept. 26, 2005 72



U(ref L) U(ref R)

U(ref U) U(ref A)

AvAvAv Av

Sept. 26, 2005 73

Deallocation

free Ll ! qv

free : L(ref ) ! free : A(ref ) ! free : R(ref ) ! free : U(ref ) !

qv

Sept. 26, 2005 74

Deallocation

free Ll ! qv


qv

Sept. 26, 2005 75

Deallocation

free Ll ! qv


qv

Sept. 26, 2005 76

Deallocation

free Ll ! qv


qv

Sept. 26, 2005 77

Deallocation

free Al ! qv


qv

Sept. 26, 2005 78

Deallocation

free Ul ! qv


qv

Sept. 26, 2005 79

Deallocation

free Ul ! qv


qv

Sept. 26, 2005 80

Deallocation

free Ul ! qv


qv

Sept. 26, 2005 81

Deallocation

free Rl ! qv


qv

Sept. 26, 2005 82

Swap

swap ql v2 ! hql, v1i

swap : q(ref ) ! ! L(q(ref ) ) swap! : L(ref 1) ! 2 ! L(L(ref 2) 1)

swap! : A(ref 1) ! 2 ! L(A(ref 2) 1)

v1 v2

Sept. 26, 2005 83

Swap



swap! : A(ref 1) ! 2 ! L(A(ref 2) 1)

v1 v2

Sept. 26, 2005 84

Swap



swap! : A(ref 1) ! 2 ! L(A(ref 2) 1)

v1 v2

Sept. 26, 2005 85

Swap



swap! : A(ref 1) ! 2 ! L(A(ref 2) 1)

v1 v2

Sept. 26, 2005 86

Swap

swap Ll v2 ! hLl, v1i


swap! : A(ref 1) ! 2 ! L(A(ref 2) 1)

v1 v2

Sept. 26, 2005 87

Swap

swap Ll v2 ! hLl, v1i


swap! : A(ref 1) ! 2 ! L(A(ref 2) 1)

v1 v2

Sept. 26, 2005 88

Swap

swap Al v2 ! hAl, v1i


swap! : A(ref 1) ! 2 ! L(A(ref 2) 1)

v1 v2

Sept. 26, 2005 89

Operations on Substructural State

Contents and Ops

Ref U R A L

U

R

A

L

shared

unique

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

Sept. 26, 2005 90


Contents and Ops

Ref U R A L

U

R

A

L

shared

unique

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

Sept. 26, 2005 91


Contents and Ops

Ref U R A L

U

R

A

L

shared

unique

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

Sept. 26, 2005 92


Contents and Ops

Ref U R A L

U

R

A

L

shared

unique

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

Sept. 26, 2005 93


Contents and Ops

Ref U R A L

U

R

A

L

shared

unique

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

C Java SML

Sept. 26, 2005 94


Contents and Ops

Ref U R A L

U

R

A

L

shared

unique

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

Clean Cyclone

Sept. 26, 2005 95


Contents and Ops

Ref U R A L

U

R

A

L

shared

unique

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

Vault

Sept. 26, 2005 96


Contents and Ops

Ref U R A L

U

R

A

L

shared

unique

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

Sept. 26, 2005 97

Type Safety

• No fundamental difficulty in pursuing a syntactic proof of type safety

Sept. 26, 2005 98

Type Safety


• In fact, we have carried out a proof using the Twelf logical framework, based on the standard syntactic approach

Sept. 26, 2005 99

Type Safety


• In fact, we have carried out a proof using the Twelf logical framework, based on the standard syntactic approach

• But, syntactic proofs only go so far

Sept. 26, 2005 100

Type Safety

• Type safety of the language may be proven by showing the soundness of the typing rules with respect to a model

Sept. 26, 2005 101

Type Safety

• Type safety of the language may be proven by showing the soundness of the typing rules with respect to a model• Simpler typing rules

• Store typing does not appear in judgments

Sept. 26, 2005 102

Type Safety

• Type safety of the language may be proven by showing the soundness of the typing rules with respect to a model• Simpler typing rules• Stronger meta-theoretic results

• «8.¬: forall semantic types, not just syntactic types

Sept. 26, 2005 103

Type Safety

• Type safety of the language may be proven by showing the soundness of the typing rules with respect to a model• Simpler typing rules• Stronger meta-theoretic results• Compatible with Appel’s FPCC project

• Well-founded, set-theoretic model amenable to formalization in higher-order logic

Sept. 26, 2005 104

Type Safety

• Type safety of the language may be proven by showing the soundness of the typing rules with respect to a model• Simpler typing rules• Stronger meta-theoretic results• Compatible with Appel’s FPCC project• Scales to binary logical relations

for proving equivalence of programs• [Ahmed POPL’06]

Sept. 26, 2005 105

A Model of Substructural State

• See paper for (many) more details

Sept. 26, 2005 106



• Key insights

Sept. 26, 2005 107



• Key insights• Local store typings

• types of locations that are sub-exprs of a value

Sept. 26, 2005 108





• Merge of local store typings• no unique locations in both local store typings

• identical types for shared locations in both

Sept. 26, 2005 109





• Merge of local store typings• no unique locations in both local store typings

• identical types for shared locations in both

• Step-indexed technique• [Appel-McAllester ’01], [Ahmed-Appel-Virga ’03]

Sept. 26, 2005 110

Conclusion and Future Work

• Core language, type-system, and model• framework for comparing high-level designs

• Model more advanced features• Cyclone – alias construct allows a unique

pointer to be treated as shared for a limited scope• Vault – focus construct allows a shared object to

be treated as unique for a limited scope

Sept. 26, 2005 111

Sept. 26, 2005 112

Structural Lemmas

• Exchange:• If 1,x1:1,x2:2,2 ` e : ,

then 1,x2:2,x1:1,2 ` e : .

• Contraction:• If 1,x1:x,x2:x,2 ` e : ,

then 1,x:x,2 ` e[x/x1][x/x2] : .

• Weakening:• If ` e : ,

then ,x:x ` e : .

Sept. 26, 2005 113

Structural Lemmas

• Exchange:• If 1,x1:1,x2:2,2 ` e : ,

then 1,x2:2,x1:1,2 ` e : .

• Contraction: Duplicate• If 1,x1:x,x2:x,2 ` e : ,

then 1,x:x,2 ` e[x/x1][x/x2] : .

• Weakening: Discard• If ` e : ,

then ,x:x ` e : .

Sept. 26, 2005 114


AffineExch,Weak

RelevantExch,Cntr

UnrestrictedExch,Cntr,Weak

LinearExch

Sept. 26, 2005 115

Structural Lemmas Revisited

• Contraction:• If q ¹ R and 1,x1:qx,x2:qx,2 ` e : ,

then 1,x1:qx,2 ` e[x/x1][x/x2] : .

• Weakening:• If q ¹ A and ` e : ,

then ,x:qx ` e : .

Sept. 26, 2005 116


Contents and Ops

Ref U R A L

U

R

A

L

Sept. 26, 2005 117


shared

unique

Sept. 26, 2005 118


new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

Sept. 26, 2005 119


Sept. 26, 2005 120


Contents and Ops

Ref U R A L

U

R

A

L

shared

unique

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

new freeswap!

read write!

Sept. 26, 2005 121


• Model a type as a set of tuplesof qualifier, value, and local store typing

«¬ ::= { (q,v,), …}

• Model a local store typing as a partial map from locations to qualifiers and types

::= { l → (q,«¬), … }

Sept. 26, 2005 122


• Model a type as a set of tuples

Type = (Qual £ Value £ LocalStore)

• Model a local store typing as a partial map

LocalStore = Locs ! (Qual £ Type)

Sept. 26, 2005 123






Sept. 26, 2005 124






• Cardinality problem is handled by stratifying definitions with “# of steps to run the program” • [Appel-McAllester ’01], [Ahmed-Appel-Virga ’03]

Sept. 26, 2005 125




• Local store of a value v only defined on those locations that appear as sub-expressions of v

Sept. 26, 2005 126




• Local store of a value v only defined on those locations that appear as sub-expressions of v

• Further restrictions to rule out references

Sept. 26, 2005 127


• Why only a local store typing?

Sept. 26, 2005 128


• Why only a local store typing?

l4 A

l3 U

l1 L

hx, yi

l2 L

Sept. 26, 2005 129


• Why only a local store typing?• A global store typing …

l4 A

l3 U

l1 L

hx, yi

l2 L

l9 L

= x = y = l1 = l2 = …

Sept. 26, 2005 130


• Why only a local store typing?• A global store typing does not distinguish the “real”

occurrence of a unique reference

l4 A

l3 U

l1 L

hx, yi

l2 L

l9 L

= x = y = l1 = l2 = …

Sept. 26, 2005 131


• Why only a local store typing?• A “reachable” store typing …

l4 A

l3 U

l1 L

hx, yi

l2 L

x

Sept. 26, 2005 132



l4 A

l3 U

l1 L

hx, yi

l2 L

y

Sept. 26, 2005 133

yx



l4 A

l3 U

l1 L

hx, yi

l2 L

Sept. 26, 2005 134

yx


• Why only a local store typing?• A “reachable” store typing does not distinguish

shared and exclusive unique references

l4 A

l3 U

l1 L

hx, yi

l2 L

Sept. 26, 2005 135




l4 A

l3 U

l1 L

hx, yi

l2 L

l1

Sept. 26, 2005 136




l4 A

l3 U

l1 L

hx, yi

l2 L

l2

Sept. 26, 2005 137




l4 A

l3 U

l1 L

hx, yi

l2 L

l3

Sept. 26, 2005 138

yx


• Local store typing

l4 A

l3 U

l1 L

hx, yi

l2 L

Sept. 26, 2005 139

l1

x y


• Local store typing

l4 A

l3 U

l1 L

hx, yi

l2 L

l2

l3

Sept. 26, 2005 140

l1

x y


• Local store typing• Storing a unique object in a shared reference

• “hides” the unique object

l4 A

l3 U

l1 L

hx, yi

l2 L

l2

l3

Sept. 26, 2005 141

l1

x y



• the unique object becomes local to the reference

l4 A

l3 U

l1 L

hx, yi

l2 L

l2

l3

Sept. 26, 2005 142

l1

x y



• the unique object becomes local to the reference

l4 A

l3 U

l1 L

hx, yi

l2 L

l2

l3

When does a global store s satisfy a local store typing ?

Sept. 26, 2005 143

Store Satisfaction

s : when

• there exists a set of locations• reachable from dom()• such that the local store typings of all reachable

locations merge in a compatible manner• into a global store typing that describes the store

Sept. 26, 2005 144

Store Satisfaction

s : when



A unique location may not appear more than once

Sept. 26, 2005 145

Store Satisfaction

s : when



A shared location mustappear with the same type

Sept. 26, 2005 146

Store Satisfaction

s : when



• Similar to a Garbage Collector

Sept. 26, 2005 147

Store Satisfaction

s : when



• Similar to a Garbage Collector

These are the child locations traced from the contentsof a reachable location

These are the roots

a step-indexed model of substructural state

Documents