Open Issues
A.1 Proofs from Section 4.2
We first prove the Weakening Lemma. The result for systems, stated in the text, relies on similar results for threads and values.
PROPOSITION (4.5).
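(a) If $\Gamma \vdash P$ and $\Delta <: \Gamma$ then $\Delta \vdash P$.
(b) If $\Gamma \vdash_w p$ and $\Delta <: \Gamma$ then $\Delta \vdash_w p$.
(c) If $\Gamma \vdash_w V:\zeta$ and $\Delta <: \Gamma$ then $\Delta \vdash_w V:\zeta$.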
Proof. All three results are proved, in a straightforward manner, by judgment induction (i.e. by induction on the length of the type inference). We give one example for each result.
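(a) (A -aÕ 5&× ) Suppose $\Gamma \vdash \ell[\![p]\!]$ because $\Gamma \vdash \ell : \mathsf{loc}$ and $\Gamma \vdash_\ell p$. Using the auxiliary results we obtain $\Delta \vdash \ell : \mathsf{loc}$ and $\Delta \vdash_\ell p$. Using A -aÖÕ 5&× , we have $\Delta \vdash \ell[\![p]\!]$.
(b) (A -aÔ ) Suppose $\Gamma \vdash_w u?(X{:}\zeta)\,p$ because: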
ΓÂwu:) 3 495 7 ζ8 and Γ+ wX:ζÂwp
Since we identify terms up to alpha-equivalence, the variables in $X$ can also be chosen to be new to $\Delta$, in which case $\Delta, {}_wX{:}\zeta$ is well-defined, and it is easy to see that $(\Delta, {}_wX{:}\zeta) <: (\Gamma, {}_wX{:}\zeta)$. So we may apply induction to the above two statements to obtain:
∆Âwu:) 3 495 7 ζ8 and ∆+ wX:ζÂwp
The rule A -aÔ may now be employed to infer $\Delta \vdash_w u?(X{:}\zeta)\,p$ as required.
(c) (A ->² ) Suppose $\Gamma \vdash_w u:\zeta$ because $\Gamma(w,u) <: \zeta$. Since $\Delta <: \Gamma$ then by transitivity we have $\Delta(w,u) <: \zeta$. Using A ->² , one can then infer $\Delta \vdash_w u:\zeta$, as required. □
As corollaries we immediately have the following:
COROLLARY A.1.
(a) If $\Gamma \vdash P$ then $\Gamma, {}_wV{:}\zeta \vdash P$.
(b) If $\Gamma, {}_wV{:}\xi \vdash P$ and $\zeta <: \xi$ then $\Gamma, {}_wV{:}\zeta \vdash P$. □
Proposition 4.5 states that well-typing is preserved when the typing environment is augmented. It is also preserved when the typing environment is decreased by omitting all occurrences of identifiers that do not occur free in the system being typed. Let $\Gamma \setminus u$ denote the result of eliminating $u$ from $\Gamma$, i.e. $(\Gamma \setminus u)(u)$ is undefined and $(\Gamma \setminus u)(w, u)$ is undefined for every $w$. For any syntactic element $t$, let “$\mathrm{fid}(t)$” return the free identifiers in $t$.
LEMMA A.2 (RESTRICTION).
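(a) If $\Gamma \vdash P$ and $u \notin \mathrm{fid}(P)$ then $\Gamma \setminus u \vdash P$.
(b) If $\Gamma \vdash_w p$ and $u \notin \mathrm{fid}(p) \cup \{w\}$ then $\Gamma \setminus u \vdash_w p$.
(c) If $\Gamma \vdash_w U:\xi$ and $u \notin \mathrm{fid}(U) \cup \{w\}$ then $\Gamma \setminus u \vdash_w U:\xi$.
Proof. In each case the result follows by a straightforward judgment induction. We leave the details to the interested reader. □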
As a corollary we have that typing is preserved by scope extrusion:
COROLLARY A.3. Suppose $e$ does not appear free in $Q$. Then $\Gamma \vdash (\nu e)(Q \mid P)$ if and only if $\Gamma \vdash Q \mid (\nu e)P$.
Proof. We examine the case when e is a channel; the case in which e is a location is similar. Suppose Γ G νa:ΛI GQE PI . Then using A -52B_`)h× and A -Q Aa × , we have that Γ+ Λa  Q and Γ+Λa P. Applying Lemma A.2 to the first of these we obtain GΓ+ ΛaI > a Q, i.e. Γ Â Q since a is new to Γ. Applying A -52B_`)× to the second statement we obtain Γ Gνa:ΛI and therefore A -Q Aa× gives Γ QEG νa:ΛI P.
The converse uses the same arguments, in the reverse direction. □
As a step toward proving subject reduction, note that closed terms are preserved by reduction.
LEMMA A.4. If $P$ is closed and $P \longrightarrow P'$ then $P'$ is closed.
Proof. By induction on the judgment $P \longrightarrow P'$. □
The proof of subject reduction for the typing system depends, as is often the case, on a substitution lemma. However in this case before the appropriate version can be proved we need the following technical Lemma.
LEMMA A.5.
(a) If $\Gamma \vdash k:K$ and $\Gamma, z{:}K, {}_zX{:}\zeta \vdash_w p$ then $\Gamma, {}_kX{:}\zeta \vdash_{w\{|k/z|\}} p\{|k/z|\}$.
(b) If $\Gamma \vdash k:K$ and $\Gamma, z{:}K, {}_zX{:}\zeta \vdash_w U:\xi$ then $\Gamma, {}_kX{:}\zeta \vdash_{w\{|k/z|\}} U\{|k/z|\} : \xi$.
Proof. For both results the proof is similar. Informally the proof proceeds, in the case of threads, by taking a derivation of the judgment $\Gamma, z{:}K, {}_zX{:}\zeta \vdash_w p$, substituting $k$ for $z$ throughout and thereby obtaining a derivation of $\Gamma, {}_kX{:}\zeta \vdash_{w\{|k/z|\}} p\{|k/z|\}$. Formally it is a straightforward induction on type judgments. We omit the details. □
Proof of the Substitution Lemma
We present the proof for the extended type system of Section 6. For this proof only, we write  as shorthand for  JËJ. The proofs for the other type systems are somewhat simpler.
LEMMA (4.7). For any closed value V:
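(a) If $\Gamma \vdash_v V:\zeta$ and $\Gamma, {}_vX{:}\zeta \vdash_w p$ then $\Gamma \vdash_{w\{|V/X|\}} p\{|V/X|\}$.
(b) If $\Gamma \vdash_v V:\zeta$ and $\Gamma, {}_vX{:}\zeta \vdash_w U:\xi$ then $\Gamma \vdash_{w\{|V/X|\}} U\{|V/X|\} : \xi$.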
Note that there is no corresponding substitution result for systems, because values must be typed at a specific location.
Throughout the proof we use primes to indicate terms in which the substitution has been performed; i.e. for $t$ an element of any syntactic category, $t'$ denotes $t\{|V/X|\}$.
We first prove the result (b) for values. The proof proceeds by induction on the structure of $X$. There are four cases: $X$ may be $w$, $X$ may be some identifier other than $w$, or $X$ may have the form $\tilde X$ or $z[\tilde x]$.
First, suppose that $X = w$. Because $X = w$ it must be that $w' = V = k$ for some $k$. We proceed by induction on $U$ to show that $\Gamma \vdash_k U':\xi$.
• Suppose that $U = w$ and therefore $U' = V = k$. The second premise may be written $\Gamma, {}_vw{:}\zeta \vdash_w w:\xi$. Here we know that $\zeta <: \xi$ and therefore the result follows by applying weakening to the first premise ($\Gamma \vdash k:\zeta$).
• Suppose that $U = u \neq w$. The second premise may be written $\Gamma, {}_vw{:}\zeta \vdash_w u:\xi$. There are two possibilities. If $\xi$ is a location type, we must have that $\Gamma(u) <: \xi$ and thus $\Gamma \vdash_k u:\xi$. Otherwise $\zeta$ must be of the form $\mathsf{loc}\{u{:}\xi', \ldots\}$ where $\xi' <: \xi$. Since $\Gamma \vdash_v k:\zeta$ we can therefore conclude that $\Gamma \vdash_k u:\xi$.
• In the other cases, $U = \tilde U{:}\tilde\xi$ and $U = \ell[\tilde b]{:}L[\tilde B]$, the result follows using the innermost induction.
Suppose, instead, that $X = x \neq w$. In this case it must be that $w' = w$. Again we proceed by induction on $U$ to show that $\Gamma \vdash_w U':\xi$.
• Suppose that $U = x$ and therefore $U' = V$. Either $\xi$ is a location type and so by the first premise $\Gamma \vdash V:\xi$, or $\xi$ is another type and so $v$ must be equal to $w$ and again the first premise gives the required result $\Gamma \vdash_w V:\xi$.
• Suppose that $U = u \neq x$. The result is immediate by applying the Restriction Lemma (Lemma A.2) to the second premise.
• Again, the other cases follow by straightforward induction.
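Suppose $X = \tilde X{:}\tilde\zeta$. Therefore $V$ must have the form $\tilde V$ and by assumption we have that:
$\Gamma \vdash_v \tilde V{:}\tilde\zeta$ and $\Gamma, {}_v\tilde X{:}\tilde\zeta \vdash_w U:\xi$
We can rewrite this as:
$\Gamma \vdash_v V_1{:}\zeta_1, \ldots, V_n{:}\zeta_n$ and $\Gamma, {}_vX_1{:}\zeta_1, \ldots, {}_vX_n{:}\zeta_n \vdash_w U:\xi$
Using induction we have:
$\Gamma, {}_vX_1{:}\zeta_1, \ldots, {}_v(X_{n-1}{:}\zeta_{n-1}) \vdash_{w\{|V_n/X_n|\}} U\{|V_n/X_n|\} : \xi$
Repeating this process $n$ times yields $\Gamma \vdash_{w'} U':\xi$, as desired.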
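Finally, suppose $X = z[\tilde x]{:}K[\tilde A]$. Therefore $V$ must have the form $k[\tilde a]$ and by assumption we have that:
$\Gamma \vdash_v k[\tilde a]{:}K[\tilde A]$ and $\Gamma, {}_vz[\tilde x]{:}K[\tilde A] \vdash_w U:\xi$
We can rewrite this as:
$\Gamma \vdash k:K$ and $\Gamma \vdash_k \tilde a{:}\tilde A$ and $\Gamma, z{:}K, {}_z\tilde x{:}\tilde A \vdash_w U:\xi$
Using Lemma A.5 we have:
$\Gamma, {}_k\tilde x{:}\tilde A \vdash_{w\{|k/z|\}} U\{|k/z|\} : \xi$
Applying induction yields $\Gamma \vdash_{w'} U':\xi$, as desired.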
Having established the result for values, we now prove the result (a) for threads:
$\Gamma \vdash_v V:\zeta$ and $\Gamma, {}_vX{:}\zeta \vdash_w p$ imply $\Gamma \vdash_{w'} p'$
Again we proceed by induction on the structure of $X$. The inductive cases are as before, so we only present the base case where $X$ is an identifier $x$. This case is established by a secondary induction on the judgment $\Gamma, {}_vX{:}\zeta \vdash_w p$. Most of the cases in the secondary induction are straightforward, the exceptions being the cases for input and channel restriction. We show these two cases.
First consider the case for A -aJËJÔ . Our proof obligation is to show:
$\Gamma \vdash_v V:\zeta$ and $\Gamma, {}_vx{:}\zeta \vdash_w u?(Y{:}\xi)\,q$ imply $\Gamma \vdash_{w'} u'?(Y{:}\xi)\,q'$ (*)
There are two cases to consider, $x = w$ and $x \neq w$. First suppose that $x = w$. Here $\zeta$ must be a location type, say $K$, and therefore $V$ must be a location name, say $k$. The premises in (*) may therefore be written:
$\Gamma \vdash k:K$ and $\Gamma, w{:}K \vdash_w u?(Y{:}\xi)\,q$
From A -aJËJÔ we have:
Γ+ w:K Âwu:)3 4656* a 7ξ8 / and Γ+ w:K+ wY:ξ Âwq
Using Lemma A.5 twice, we obtain:
Γ ÂkuJ:)3 4656* a 7ξ8 / and Γ+ kY:ξ ÂkqJ
Finally, A -aJËJÔ can be applied to arrive at the desired conclusion, $\Gamma \vdash_k u'?(Y{:}\xi)\,q'$.
Continuing the case for A -aJJÔ , suppose $x \neq w$. This case is a standard application of induction. The details are as follows. Using the second premise of (*) and A -aJËJÔ , we can conclude that: Now we may use the inner induction to conclude:
Γ ÂwuJ:)3 4656* a 7ξ8 / and Γ+ wY:ξ ÂwqJ
Therefore using A -aÔJËJ we have, as desired, $\Gamma \vdash_w u'?(Y{:}\xi)\,q'$.
Now consider the case for channel restriction A -52B_`) JJÔ . In this case the proof obligation is:
$\Gamma \vdash_v V:\zeta$ and $\Gamma, {}_vx{:}\zeta \vdash_w (\nu a{:}A)\,q$ imply $\Gamma \vdash_{w'} (\nu a{:}A)\,q'$ (**)
Using the second premise of (**) and A -52B_|) JJÔ , we can conclude that:
$\Gamma, {}_vx{:}\zeta, {}_wa{:}A \vdash_w q$ (***)
At this point we must consider two cases, either $x \neq w$ or $x = w$. First suppose that $x \neq w$. Then (***) can be rewritten as $\Gamma, {}_wa{:}A, {}_vx{:}\zeta \vdash_w q$ and we can apply induction to get $\Gamma, {}_wa{:}A \vdash_{w'} q'$ and then A -52B_`) J¬JÔ to get $\Gamma \vdash_{w'} (\nu a{:}A)\,q'$, as required.
On the other hand if $x = w$, then we must use Lemma A.5. Since $x = w$, it must be that $V$ is a location name and thus $V = k$ and $\zeta = K$ for some $k$, $K$. We can therefore rewrite the first premise of (**) and the statement (***) as:
$\Gamma \vdash k:K$ and $\Gamma, w{:}K, {}_wa{:}A \vdash_w q$
These can be applied to Lemma A.5 to yield $\Gamma, {}_ka{:}A \vdash_k q'$ and thus, using A -52B_|) JJÔ , $\Gamma \vdash_k (\nu a{:}A)\,q'$, as required.
Proof of the Subject Reduction Theorem
THEOREM (4.6).
(a) If $P \equiv P'$ then $\Gamma \vdash P$ if and only if $\Gamma \vdash P'$.
(b) If $P \longrightarrow P'$ then $\Gamma \vdash P$ implies $\Gamma \vdash P'$.
The first statement is proved by induction on the proof of $P \equiv P'$. The main axiom, scope extrusion Q -By Aa , is covered by Corollary A.3. The other axioms and rules are straightforward calculations left to the interested reader.
The second statement is proved by induction on the proof of $P \longrightarrow P'$. The rule a-Q Aa follows from the first part; the remaining rules are, again, straightforward calculations. We give two examples.
½ a-b (c2B states 06Cu :: pDd2f kC pD . By supposition Γ Â09Cu :: pD . Then using hypothesis, which entailsΓÂæ a!
7
V8 p. Using the hypothesis and the rules for typing it must also be that:
ΓÂæ V:ζ ΓÂæ a:)3 46517 ζ8 ΓÂæ a:)3 46517 ζ8 Γ+
o
X:ζÂæ q
Note here that $V$ is a closed value. We can apply the Substitution Lemma to obtain $\Gamma \vdash_\ell q\{|V/X|\}$, as required.