
Chapter 4 Formal Language for Determinism

4.1 Syntax and Static Semantics

4.2.4 Preservation of Type and Effect

In this section we show that the static types and effects bound the dynamic types and effects.

Valid environments: We first define the concept of a valid environment. An environment Γ is valid if its variables are bound to valid types and its parameters are constrained to be under valid RPLs:

\[
\textsc{Env}\qquad
\frac{\forall (v, T) \in \Gamma.\; \Gamma \vdash T \qquad \forall (\rho \subseteq R) \in \Gamma.\; \Gamma \vdash R}{\vdash \Gamma}
\]

Technically, a valid environment should also be well-defined, in the sense that every variable has at most one binding. We omit this requirement from the definition of valid environments, because it obviously holds by the way that environments are constructed in the typing rules.

Next we have a lemma showing that, for a well-typed program, typing an expression in a valid environment yields a valid type and a valid effect:

Lemma 4.2.1. For a well-typed program, let Γ be a valid environment, and let e be an expression such that Γ ⊢ e : T, E. Then Γ ⊢ T and Γ ⊢ E.

Proof. First consider the base cases:

VAR, NEW-CLASS, and NEW-ARRAY: Obvious.

FIELD-ACCESS: Γ ⊢ T and Γ ⊢ R_f by rule FIELD. Γ ⊢ reads R_f by rule EFFECT-READS.

FIELD-ASSIGN: Γ ⊢ T because ⊢ Γ and (v, T) ∈ Γ. Γ ⊢ writes R_f by rules FIELD and EFFECT-WRITES.

ARRAY-ACCESS: Similar to FIELD-ACCESS.

ARRAY-ASSIGN: Similar to FIELD-ASSIGN.

INVOKE: By rule METHOD, we have {(this, C<param(C)>)} ⊢ T_r, E_m. Because ⊢ Γ and (v, C<R>) ∈ Γ, we have Γ ⊢ R. Therefore we have Γ ⊢ σ(T_r), σ(E_m), because it is clear from the rules in Section 4.1.2 that a valid RPL results when we replace ρ with a valid RPL in a valid RPL. The invocation effect is valid by rule EFFECT-INVOKES.

Now consider the inductive case:

LET: The claim is true for the first judgment on the top of the rule by the induction hypothesis (IH). Therefore Γ ⊢ C<R>, so ⊢ Γ ∪ {(x, C<R>)}, and the claim is also true for the second judgment on the top of the rule by the IH. Any RPL appearing in T′ or E′ must either not contain x at all, or must consist of x followed by a sequence of elements r or *. Therefore, substituting R:* for x results in a valid RPL, so σ(T′) and σ(E′) are valid in Γ. Finally, E ∪ σ(E′) is valid in Γ by rule EFFECT-UNION.

Valid dynamic environments: A valid dynamic environment is the dynamic analog of a valid static environment:

Definition 4.2.2 (Valid dynamic environments). A dynamic environment Σ is valid with respect to heap H (H ⊢ Σ) if the following hold:

1. For every binding (v, o) ∈ Σ, H ⊢ o : dT.

2. For every binding (ρ, dR) ∈ Σ, H ⊢ dR.

3. If (this, o) ∈ Σ, then H ⊢ o : C<dR>, and (param(C), dR) ∈ Σ.

This definition says that the bindings are to valid references and RPLs, and that the actual region of the object bound to this is consistent with the binding for the class parameter specified in the environment. We can now define valid heaps:

Definition 4.2.3 (Valid heaps). A heap H is valid (⊢ H) if for each o ∈ Dom(H), one of the following holds:

1. (a) H ⊢ o : C<dR>, and (b) H ⊢ C<dR>, and (c) for each field T f in R_f ∈ def(C), if H(o)(f) is defined, then H ⊢ H(o)(f) : dT and H ⊢ dT and H ⊢ dT ≤ T[o ← this][dR ← param(C)]; or

2. (a) H ⊢ o : dT[]<dR>#i, and (b) H ⊢ dT[]<dR>#i, and (c) if H(o)(n) is defined, then H ⊢ H(o)(n) : dT′ and H ⊢ dT′ and H ⊢ dT′ ≤ dT[i ← n].

This definition says that every object reference is well typed with a valid type, and every field of every object and every cell of every array contains a reference with a valid type that is bounded by its static type, translated to the dynamic environment.

Next we define H ⊢ Σ ≤ Γ (“Σ instantiates Γ in H”):

Definition 4.2.4 (Instantiation of static environments). A dynamic environment Σ instantiates a static environment Γ (H ⊢ Σ ≤ Γ) if ⊢ Γ, ⊢ H, and H ⊢ Σ; the same variables appear in Dom(Γ) as in Dom(Σ); and for each pair (v, T) ∈ Γ and (v, o) ∈ Σ, H ⊢ o : dT and H ⊢ dT ≤ Σ(T).

This definition specifies a correspondence between static typing environments and dynamic execution environments, such that we can use the typing in the static environment to draw sound inferences about execution in the dynamic environment. Next we need some standard substitution lemmas, which say that under the correspondence established above, judgments about static RPLs, types, and effects carry over to their dynamic translations:

Lemma 4.2.5. If H ⊢ Σ ≤ Γ and Γ ⊢ R, then H ⊢ Σ(R); and similarly for types T and effects E.

Proof. Use induction on the height of the derivation Γ ⊢ R. In the base case, we used one of rules RPL-ROOT, RPL-VAR, RPL-PARAM-1, or RPL-PARAM-2. If we used RPL-ROOT, then R = Σ(R) = Root, and the result follows by DYN-RPL-ROOT. If we used RPL-VAR, then by Definition 4.2.4, Σ substitutes a valid reference for v, so we can use DYN-RPL-REF to establish the result. If we used an RPL-PARAM rule, then R = P, and again by Definition 4.2.4, Σ takes ρ to a valid dynamic RPL. In the inductive case, either (1) R = R′:r, Σ(R) = Σ(R′):r, and RPL-NAME is the last rule in the derivation; or (2) R = R′:[i], Σ(R) = Σ(R′):[i], and RPL-INDEX is the last rule in the derivation; or (3) R = R′:*, Σ(R) = Σ(R′):*, and RPL-STAR is the last rule. In any case, the IH gives us H ⊢ Σ(R′), and we can use DYN-RPL-NAME, DYN-RPL-INDEX, or DYN-RPL-STAR to complete the derivation of H ⊢ Σ(R).

The result for types and effects follows from the fact that the rules for valid types and effects are identical in the static and dynamic cases, up to substituting valid dynamic RPLs for valid static RPLs.
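Lemma 4.2.5 carried through on one constructed RPL, added here as an illustration that is not part of the thesis: the variable v, region name r, reference o, and the premise forms of RPL-VAR and DYN-RPL-REF are assumed as the proof above describes them.

```latex
% Constructed instance (not from the thesis). Assume (v, C<Root:a>) \in \Gamma,
% (v, o) \in \Sigma with H \vdash o : C<Root:a>, and H \vdash \Sigma \le \Gamma.
% Static RPL R = v:r:* and its dynamic translation \Sigma(R) = o:r:*.
\[
\text{Static derivation of } \Gamma \vdash v{:}r{:}{*} \text{:}\qquad
\frac{
  \frac{
    \frac{(v, C\langle\mathrm{Root}{:}a\rangle) \in \Gamma}{\Gamma \vdash v}\ \textsc{RPL-Var}
  }{\Gamma \vdash v{:}r}\ \textsc{RPL-Name}
}{\Gamma \vdash v{:}r{:}{*}}\ \textsc{RPL-Star}
\]
% The induction in Lemma 4.2.5 mirrors each static rule with its dynamic counterpart;
% the base case uses Definition 4.2.4 to replace v by the valid reference o.
\[
\text{Dynamic derivation of } H \vdash \Sigma(R) = o{:}r{:}{*} \text{:}\qquad
\frac{
  \frac{
    \frac{(v, o) \in \Sigma,\quad H \vdash o : C\langle\mathrm{Root}{:}a\rangle}{H \vdash o}\ \textsc{Dyn-RPL-Ref}
  }{H \vdash o{:}r}\ \textsc{Dyn-RPL-Name}
}{H \vdash o{:}r{:}{*}}\ \textsc{Dyn-RPL-Star}
\]
% Types and effects built from R translate the same way, e.g. the effect
% reads\ v{:}r{:}{*} becomes reads\ o{:}r{:}{*}, because the validity rules for
% types and effects are identical in the static and dynamic cases (see above).
```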

Lemma 4.2.6. If H ⊢ Σ ≤ Γ and Γ ⊢ R ≤ R′, then H ⊢ Σ(R) ≤ Σ(R′); and similarly for Γ ⊢ R ⊆ R′, Γ ⊢ T ≤ T′ and Γ ⊢ E ⊆ E′.

Proof. It suffices to prove the results for R ≤ R′ and R ⊆ R′; the results for types and effects then follow from the exact correspondence (Section 4.2.3) between the static and dynamic rules for subtyping and subeffect. Use induction on the height of the derivation Γ ⊢ R ≤ R′ or Γ ⊢ R ⊆ R′.

For nesting, in the base case, we used one of rules UNDER-ROOT, DYN-UNDER-VAR, or reflexivity. In the case of UNDER-ROOT or reflexivity the claim is obvious. In the case of DYN-UNDER-VAR, from the rule we have Γ ⊢ v ≤ R and (v, C<R>) ∈ Γ; and by H ⊢ Σ ≤ Γ, we have (v, o) ∈ Σ with H ⊢ o : C<dR> and H ⊢ dR ⊆ Σ(R). The result follows by rules DYN-UNDER-REF and DYN-UNDER-INCLUDE. For inclusion, in the base case we used either reflexivity or rule INCLUDE-PARAM. For reflexivity, the claim is obvious, and for INCLUDE-PARAM, the claim follows from Definition 4.2.4.

Now consider the inductive case. For nesting, we used UNDER-NAME, UNDER-INDEX, UNDER-STAR, or UNDER-INCLUDE as the last rule in the derivation, and the claim follows straightforwardly from the IH and the corresponding rule for dynamic RPLs. Similarly for inclusion using INCLUDE-STAR, INCLUDE-NAME, INCLUDE-INDEX, or INCLUDE-FULL as the last rule. In the case of INCLUDE-FULL, we must have dR = dR′, so the result follows by the reflexivity of the inclusion relation.

Finally, we state and prove the type and effect preservation result. Note that the initial heap H is valid by Definition 4.2.4 and the assumption H ⊢ Σ ≤ Γ.

Theorem 4.2.7 (Preservation). For a well-typed program, if Γ ⊢ e : T, E and H ⊢ Σ ≤ Γ and (e, Σ, H) → (o, H′, dE), then (a) ⊢ H′; and (b) H′ ⊢ dT ≤ Σ(T), where H′ ⊢ o : dT; and (c) H′ ⊢ dE; and (d) H′ ⊢ dE ⊆ Σ(E).

Proof. The derivation of (e, Σ, H) → (o, H′, dE) is by the rules given in Section 4.2.2. Consider each

DYN-VAR: (a) holds because the heap does not change. (b) holds because of rule VAR, and by Definition 4.2.4. (c) and (d) trivially hold.

DYN-NEW: By rule NEW, we have Γ ⊢ C<R>. Therefore H′ ⊢ C<Σ(R)> by Lemma 4.2.5; and because omitting stars from a valid RPL yields a valid RPL by rule RPL-STAR, H′ ⊢ C<Σ(σ(R))>. Further, we are extending the heap with a valid reference, and we initialize all the object fields with null references of the correct type. This establishes (a). (b) holds because H ⊢ Σ(σ(R)) ⊆ Σ(R) by repeated applications of rules DYN-INCLUDE-STAR and DYN-INCLUDE-NAME. (c) and (d) trivially hold.

DYN-FIELD-ACCESS: (a) holds because the heap does not change. (b) holds because ⊢ H. (c) holds because Γ ⊢ R_f by rule FIELD, and by Lemma 4.2.5. (d) holds by comparing the reported effect in rule FIELD-ACCESS with the actual effect in rule DYN-FIELD-ACCESS.

DYN-FIELD-ASSIGN: (b) holds by rule FIELD-ASSIGN and by Definition 4.2.4. (a) holds because rule FIELD-ASSIGN requires Γ ⊢ T ≤ T′, and by the transitivity of subtyping. (c) holds because Γ ⊢ R_f by rule FIELD. (d) holds by comparing the reported effect in rule FIELD-ASSIGN with the actual effect in rule DYN-FIELD-ASSIGN.

DYN-ARRAY-ACCESS: Similar to DYN-FIELD-ACCESS.

DYN-ARRAY-ASSIGN: Similar to DYN-FIELD-ASSIGN.

Now consider the possibilities for the inductive case:

DYN-LET: First, apply the IH to the left-hand reduction on the top of rule LET. This yields H′ ⊢ dT ≤ Σ(T), where dT is the dynamic type of o, and T is the static type of e. That result implies H′ ⊢ Σ ∪ {(x, o)} ≤ Γ ∪ {(x, T)}, which allows us to apply the IH to the right-hand reduction on the top of LET. Now (a) and (c) hold by the IH and the correspondence between the top of rules LET and DYN-LET. Further, by the IH, (b) holds for the type of e′, so it also holds for the weaker type obtained by substituting R:* for x in rule LET. A similar argument for the effects establishes (d).

DYN-INVOKE: Let Σ′ be the dynamic environment we used to evaluate the method body e in rule DYN-INVOKE, and let Γ′ be the environment we used to type e in rule METHOD. We need to show H ⊢ Σ′ ≤ Γ′. The only hard part is showing H ⊢ dT′ ≤ Σ′(T_x), where H ⊢ o′ : dT′; we do this as follows. By hypothesis, H ⊢ dT′ ≤ Σ(T′), where Σ is the dynamic environment appearing on the bottom of rule DYN-INVOKE, and T′ is the type of variable v′ in the environment Γ appearing on the bottom of rule INVOKE. Now construct the dynamic environment Σ′′ = Σ ∪ {(ρ, dR)}, where ρ is the fresh parameter appearing in rule INVOKE, and dR is the RPL in the type of o as shown in rule DYN-INVOKE. Then H ⊢ Σ′′ ≤ Γ ∪ {ρ ⊆ R}, so from rule INVOKE and by Lemma 4.2.6, we have Σ′′(T′) ≤ Σ′′(σ′(T_x)).

Because ρ is a fresh parameter that does not appear in T′, on the LHS we have Σ(T′) = Σ′′(T′). And because σ′ takes param(C) to ρ and Σ′′ takes ρ to dR, while Σ′ takes param(C) to dR, on the RHS we have Σ′′(σ′(T_x)) = Σ′(T_x). Putting all this together yields H ⊢ dT′ ≤ Σ(T′) ≤ Σ′(T_x), which is the result we wanted.

Now by the induction hypothesis, rule METHOD, and Lemma 4.2.6, we have (a) ⊢ H′; (b) H′ ⊢ dT′′ ≤ Σ′(T_r), where H′ ⊢ o′′ : dT′′; (c) H′ ⊢ dE; and (d) H′ ⊢ dE ⊆ Σ′(E), where T_r is the return type of m and E is the declared effect of m. We just need to show H′ ⊢ Σ′(T_r) ≤ Σ(σ(T_r)) and H′ ⊢ Σ′(E) ⊆ Σ(σ(E)), where σ is the substitution specified in rule INVOKE. Because neither T_r nor E contains the variable x (see rule METHOD), the substitution Σ′ is effectively {(this, o), (param(C), dR)}, while the substitution Σ∘σ is {(this, o), (param(C), Σ(R))}. Further, because H′ ⊢ Σ ≤ Γ, we have H′ ⊢ dR ⊆ Σ(R). Therefore the types and effects are the same up to substituting a covering RPL for dR on the RHS, so the required subtyping and subeffect relations hold.