Types and Programming Languages

Benjamin C. Pierce

The MIT Press, Cambridge, Massachusetts; London, England

©2002 Benjamin C. Pierce. All rights reserved. No part of this book may be reproduced in any form by any electronic or mechanical means (including photocopying, recording, or information storage and retrieval) without permission in writing from the publisher. This book was set in Lucida Bright by the author using the LaTeX document preparation system. Printed and bound in the United States of America.

Library of Congress Cataloging-in-Publication Data
Pierce, Benjamin C.
Types and programming languages / Benjamin C. Pierce
p. cm.
Includes bibliographical references and index.
ISBN 0-262-16209-1 (hc. : alk. paper)
1. Programming languages (Electronic computers). I. Title.
QA76.7 .P54 2002
005.13—dc21
2001044428

Contents

Preface  xiii

1 Introduction  1
    1.1 Types in Computer Science  1
    1.2 What Type Systems Are Good For  4
    1.3 Type Systems and Language Design  9
    1.4 Capsule History  10
    1.5 Related Reading  12

2 Mathematical Preliminaries  15
    2.1 Sets, Relations, and Functions  15
    2.2 Ordered Sets  16
    2.3 Sequences  18
    2.4 Induction  19
    2.5 Background Reading  20

I Untyped Systems  21

3 Untyped Arithmetic Expressions  23
    3.1 Introduction  23
    3.2 Syntax  26
    3.3 Induction on Terms  29
    3.4 Semantic Styles  32
    3.5 Evaluation  34
    3.6 Notes  43

4 An ML Implementation of Arithmetic Expressions  45
    4.1 Syntax  46
    4.2 Evaluation  47
    4.3 The Rest of the Story  49

5 The Untyped Lambda-Calculus  51
    5.1 Basics  52
    5.2 Programming in the Lambda-Calculus  58
    5.3 Formalities  68
    5.4 Notes  73

6 Nameless Representation of Terms  75
    6.1 Terms and Contexts  76
    6.2 Shifting and Substitution  78
    6.3 Evaluation  80

7 An ML Implementation of the Lambda-Calculus  83
    7.1 Terms and Contexts  83
    7.2 Shifting and Substitution  85
    7.3 Evaluation  87
    7.4 Notes  88

II Simple Types  89

8 Typed Arithmetic Expressions  91
    8.1 Types  91
    8.2 The Typing Relation  92
    8.3 Safety = Progress + Preservation  95

9 Simply Typed Lambda-Calculus  99
    9.1 Function Types  99
    9.2 The Typing Relation  100
    9.3 Properties of Typing  104
    9.4 The Curry-Howard Correspondence  108
    9.5 Erasure and Typability  109
    9.6 Curry-Style vs. Church-Style  111
    9.7 Notes  111

10 An ML Implementation of Simple Types  113
    10.1 Contexts  113
    10.2 Terms and Types  115
    10.3 Typechecking  115

11 Simple Extensions  117
    11.1 Base Types  117
    11.2 The Unit Type  118
    11.3 Derived Forms: Sequencing and Wildcards  119
    11.4 Ascription  121
    11.5 Let Bindings  124
    11.6 Pairs  126
    11.7 Tuples  128
    11.8 Records  129
    11.9 Sums  132
    11.10 Variants  136
    11.11 General Recursion  142
    11.12 Lists  146

12 Normalization  149
    12.1 Normalization for Simple Types  149
    12.2 Notes  152

13 References  153
    13.1 Introduction  153
    13.2 Typing  159
    13.3 Evaluation  159
    13.4 Store Typings  162
    13.5 Safety  165
    13.6 Notes  170

14 Exceptions  171
    14.1 Raising Exceptions  172
    14.2 Handling Exceptions  173
    14.3 Exceptions Carrying Values  175

III Subtyping  179

15 Subtyping  181
    15.1 Subsumption  181
    15.2 The Subtype Relation  182
    15.3 Properties of Subtyping and Typing  188
    15.4 The Top and Bottom Types  191
    15.5 Subtyping and Other Features  193
    15.6 Coercion Semantics for Subtyping  200
    15.7 Intersection and Union Types  206
    15.8 Notes  207

16 Metatheory of Subtyping  209
    16.1 Algorithmic Subtyping  210
    16.2 Algorithmic Typing  213
    16.3 Joins and Meets  218
    16.4 Algorithmic Typing and the Bottom Type  220

17 An ML Implementation of Subtyping  221
    17.1 Syntax  221
    17.2 Subtyping  221
    17.3 Typing  222

18 Case Study: Imperative Objects  225
    18.1 What Is Object-Oriented Programming?  225
    18.2 Objects  228
    18.3 Object Generators  229
    18.4 Subtyping  229
    18.5 Grouping Instance Variables  230
    18.6 Simple Classes  231
    18.7 Adding Instance Variables  233
    18.8 Calling Superclass Methods  234
    18.9 Classes with Self  234
    18.10 Open Recursion through Self  235
    18.11 Open Recursion and Evaluation Order  237
    18.12 A More Efficient Implementation  241
    18.13 Recap  244
    18.14 Notes  245

19 Case Study: Featherweight Java  247
    19.1 Introduction  247
    19.2 Overview  249
    19.3 Nominal and Structural Type Systems  251
    19.4 Definitions  254
    19.5 Properties  261
    19.6 Encodings vs. Primitive Objects  262
    19.7 Notes  263

IV Recursive Types  265

20 Recursive Types  267
    20.1 Examples  268
    20.2 Formalities  275
    20.3 Subtyping  279
    20.4 Notes  279

21 Metatheory of Recursive Types  281
    21.1 Induction and Coinduction  282
    21.2 Finite and Infinite Types  284
    21.3 Subtyping  286
    21.4 A Digression on Transitivity  288
    21.5 Membership Checking  290
    21.6 More Efficient Algorithms  295
    21.7 Regular Trees  298
    21.8 µ-Types  299
    21.9 Counting Subexpressions  304
    21.10 Digression: An Exponential Algorithm  309
    21.11 Subtyping Iso-Recursive Types  311
    21.12 Notes  312

V Polymorphism  315

22 Type Reconstruction  317
    22.1 Type Variables and Substitutions  317
    22.2 Two Views of Type Variables  319
    22.3 Constraint-Based Typing  321
    22.4 Unification  326
    22.5 Principal Types  329
    22.6 Implicit Type Annotations  330
    22.7 Let-Polymorphism  331
    22.8 Notes  336

23 Universal Types  339
    23.1 Motivation  339
    23.2 Varieties of Polymorphism  340
    23.3 System F  341
    23.4 Examples  344
    23.5 Basic Properties  353
    23.6 Erasure, Typability, and Type Reconstruction  354
    23.7 Erasure and Evaluation Order  357
    23.8 Fragments of System F  358
    23.9 Parametricity  359
    23.10 Impredicativity  360
    23.11 Notes  361

24 Existential Types  363
    24.1 Motivation  363
    24.2 Data Abstraction with Existentials  368
    24.3 Encoding Existentials  377
    24.4 Notes  379

25 An ML Implementation of System F  381
    25.1 Nameless Representation of Types  381
    25.2 Type Shifting and Substitution  382
    25.3 Terms  383
    25.4 Evaluation  385
    25.5 Typing  386

26 Bounded Quantification  389
    26.1 Motivation  389
    26.2 Definitions  391
    26.3 Examples  396
    26.4 Safety  400
    26.5 Bounded Existential Types  406
    26.6 Notes  408

27 Case Study: Imperative Objects, Redux  411

28 Metatheory of Bounded Quantification  417
    28.1 Exposure  417
    28.2 Minimal Typing  418
    28.3 Subtyping in Kernel F<:

is either the trivial unit value with the tag none or else a number with the tag some—in other words, the type OptionalNat is isomorphic to Nat extended with an additional distinguished value none. For example, the type

    Table = Nat→OptionalNat;

represents finite mappings from numbers to numbers: the domain of such a mapping is the set of inputs for which the result is <some=n> for some n. The empty table

    emptyTable = λn:Nat. <none=unit> as OptionalNat;
    ▶ emptyTable : Table

is a constant function that returns none for every input. The constructor

    extendTable = λt:Table. λm:Nat. λv:Nat. λn:Nat.
                    if equal n m then <some=v> as OptionalNat else t n;
    ▶ extendTable : Table → Nat → Nat → Table

takes a table and adds (or overwrites) an entry mapping the input m to the output <some=v>. (The equal function is defined in the solution to Exercise 11.11.1 on page 510.) We can use the result that we get back from a Table lookup by wrapping a case around it. For example, if t is our table and we want to look up its entry for 5, we might write

    x = case t(5) of <none=u> ⇒ 999 | <some=v> ⇒ v;

providing 999 as the default value of x in case t is undefined on 5.

Many languages provide built-in support for options. OCaml, for example, predefines a type constructor option, and many functions in typical OCaml programs yield options. Also, the null value in languages like C, C++, and Java is actually an option in disguise. A variable of type T in these languages (where T is a “reference type”—i.e., something allocated in the heap)


can actually contain either the special value null or else a pointer to a T value. That is, the type of such a variable is really Ref(Option(T)), where Option(T) = <none:Unit,some:T>. Chapter 13 discusses the Ref constructor in detail.
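The Table encoding above, as an added Rust example that is not code from the book: Option<u64> plays the role of OptionalNat, a table is a boxed function as in the text, and the lookup must name the none case explicitly, which is exactly the point about null being an option in disguise. The function names mirror the text; the sample entries are constructed for the example.

```rust
/// Table = Nat→OptionalNat: a finite map from u64 to u64, represented as in the
/// text by a function returning an option. Boxed so tables can be built at run time.
type Table = Box<dyn Fn(u64) -> Option<u64>>;

/// emptyTable: the constant function returning none for every input.
fn empty_table() -> Table {
    Box::new(|_n: u64| None)
}

/// extendTable t m v: add (or overwrite) the entry m ↦ v; every other input
/// falls through to the old table.
fn extend_table(t: Table, m: u64, v: u64) -> Table {
    Box::new(move |n: u64| if n == m { Some(v) } else { t(n) })
}

/// The lookup from the text, `case t(n) of <none=u> ⇒ default | <some=v> ⇒ v`.
/// Unlike a null pointer, an Option cannot be used as a number without this match.
fn lookup_or(t: &Table, n: u64, default: u64) -> u64 {
    match t(n) {
        None => default,
        Some(v) => v,
    }
}

/// The domain of the mapping, restricted to inputs below `bound`: the inputs on
/// which the table answers <some=...>.
fn domain_below(t: &Table, bound: u64) -> Vec<u64> {
    (0..bound).filter(|&n| t(n).is_some()).collect()
}

/// Constructed sample: 5 ↦ 50 is entered, 9 ↦ 90 added, then 5 overwritten with 55.
fn sample_table() -> Table {
    let t = extend_table(empty_table(), 5, 50);
    let t = extend_table(t, 9, 90);
    extend_table(t, 5, 55)
}

fn main() {
    let t = sample_table();
    println!("t(5) = {}", lookup_or(&t, 5, 999));
    println!("t(7) = {} (default)", lookup_or(&t, 7, 999));
    println!("domain below 20 = {:?}", domain_below(&t, 20));
}
```

The overwrite in sample_table works because the newest closure is consulted first and only falls through to the older table on other inputs, just as extendTable's `if equal n m` does.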

Enumerations

Two “degenerate cases” of variant types are useful enough to deserve special mention: enumerated types and single-field variants. An enumerated type (or enumeration) is a variant type in which the field type associated with each label is Unit. For example, a type representing the days of the working week might be defined as:

    Weekday = <monday:Unit, tuesday:Unit, wednesday:Unit, thursday:Unit, friday:Unit>;

The elements of this type are terms like <monday=unit> as Weekday. Indeed, since the type Unit has only unit as a member, the type Weekday is inhabited by precisely five values, corresponding one-for-one with the days of the week. The case construct can be used to define computations on enumerations.

    nextBusinessDay = λw:Weekday.
                        case w of <monday=x>    ⇒ <tuesday=unit> as Weekday
                                | <tuesday=x>   ⇒ <wednesday=unit> as Weekday
                                | <wednesday=x> ⇒ <thursday=unit> as Weekday
                                | <thursday=x>  ⇒ <friday=unit> as Weekday
                                | <friday=x>    ⇒ <monday=unit> as Weekday;

Obviously, the concrete syntax we are using here is not well tuned for making such programs easy to write or read. Some languages (beginning with Pascal) provide special syntax for declaring and using enumerations. Others—such as ML, cf. page 141—make enumerations a special case of the variants.

Single-Field Variants

The other interesting special case is variant types with just a single label l:

    V = <l:T>;

Such a type might not seem very useful at first glance: after all, the elements of V will be in one-to-one correspondence with the elements of the field type T, since every member of V has precisely the form <l=t> for some t : T. What’s important, though, is that the usual operations on T cannot be applied to elements of V without first unpackaging them: a V cannot be accidentally mistaken for a T.


For example, suppose we are writing a program to do financial calculations in multiple currencies. Such a program might include functions for converting between dollars and euros. If both are represented as Floats, then these functions might look like this:

    dollars2euros = λd:Float. timesfloat d 1.1325;
    ▶ dollars2euros : Float → Float

    euros2dollars = λe:Float. timesfloat e 0.883;
    ▶ euros2dollars : Float → Float

(where timesfloat : Float→Float→Float multiplies floating-point numbers). If we then start with a dollar amount

    mybankbalance = 39.50;

we can convert it to euros and then back to dollars like this:

    euros2dollars (dollars2euros mybankbalance);
    ▶ 39.49990125 : Float

All this makes perfect sense. But we can just as easily perform manipulations that make no sense at all. For example, we can convert my bank balance to euros twice:

    dollars2euros (dollars2euros mybankbalance);
    ▶ 50.660971875 : Float

Since all our amounts are represented simply as floats, there is no way that the type system can help prevent this sort of nonsense. However, if we define dollars and euros as different variant types (whose underlying representations are floats)

    DollarAmount = <dollars:Float>;
    EuroAmount = <euros:Float>;

then we can define safe versions of the conversion functions that will only accept amounts in the correct currency:

    dollars2euros = λd:DollarAmount.
                      case d of <dollars=x> ⇒ <euros = timesfloat x 1.1325> as EuroAmount;
    ▶ dollars2euros : DollarAmount → EuroAmount


    euros2dollars = λe:EuroAmount.
                      case e of <euros=x> ⇒ <dollars = timesfloat x 0.883> as DollarAmount;
    ▶ euros2dollars : EuroAmount → DollarAmount

Now the typechecker can track the currencies used in our calculations and remind us how to interpret the final results:

    mybankbalance = <dollars=39.50> as DollarAmount;
    euros2dollars (dollars2euros mybankbalance);
    ▶ <dollars=39.49990125> as DollarAmount : DollarAmount

Moreover, if we write a nonsensical double-conversion, the types will fail to match and our program will (correctly) be rejected:

    dollars2euros (dollars2euros mybankbalance);
    ▶ Error: parameter type mismatch
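Both degenerate variants of this section, the enumeration Weekday and the single-field currency types, as an added Rust example that is not code from the book. A unit-variant enum is an enumeration, and a one-field tuple struct is a single-field variant: the representation is a bare f64 either way, but the two currency types are nominally distinct, so the double conversion rejected above is rejected here too, at compile time. The rates are the ones from the text and are illustrative only; function names mirror the text.

```rust
/// Weekday: a variant whose every label carries Unit. Rust's unit-variant enum
/// is exactly that, and the type has precisely five inhabitants.
#[derive(Clone, Copy, Debug, PartialEq)]
enum Weekday { Monday, Tuesday, Wednesday, Thursday, Friday }

/// nextBusinessDay via `case`. The match must be exhaustive: dropping an arm,
/// or adding a sixth label without updating it, is a compile-time error.
fn next_business_day(w: Weekday) -> Weekday {
    match w {
        Weekday::Monday => Weekday::Tuesday,
        Weekday::Tuesday => Weekday::Wednesday,
        Weekday::Wednesday => Weekday::Thursday,
        Weekday::Thursday => Weekday::Friday,
        Weekday::Friday => Weekday::Monday,
    }
}

/// Single-field variants as one-field tuple structs. Both are an f64 underneath,
/// but the types are distinct: a DollarAmount is not accepted where a
/// EuroAmount is expected, and the f64 cannot be used without unpackaging it.
#[derive(Clone, Copy, Debug, PartialEq)]
struct DollarAmount(f64);
#[derive(Clone, Copy, Debug, PartialEq)]
struct EuroAmount(f64);

// Conversion rates copied from the text; illustrative only.
const DOLLARS_TO_EUROS: f64 = 1.1325;
const EUROS_TO_DOLLARS: f64 = 0.883;

fn dollars2euros(d: DollarAmount) -> EuroAmount {
    let DollarAmount(x) = d; // the `case d of <dollars=x>` unpackaging
    EuroAmount(x * DOLLARS_TO_EUROS)
}

fn euros2dollars(e: EuroAmount) -> DollarAmount {
    let EuroAmount(x) = e;
    DollarAmount(x * EUROS_TO_DOLLARS)
}

/// Dollars to euros and back; the result is a DollarAmount, as the types say.
fn round_trip(d: DollarAmount) -> DollarAmount {
    euros2dollars(dollars2euros(d))
}

// The nonsensical double conversion from the text does not compile:
//     dollars2euros(dollars2euros(DollarAmount(39.5)))
// error: mismatched types (expected `DollarAmount`, found `EuroAmount`)

fn main() {
    let balance = DollarAmount(39.50);
    println!("{:?}", dollars2euros(balance));
    println!("{:?}", round_trip(balance));
    println!("{:?}", next_business_day(Weekday::Friday));
}
```

This is the "newtype" discipline in its usual engineering form: wrap a primitive whose unit or provenance matters (currency, sanitized vs. raw input, validated vs. unvalidated identifiers) so that the typechecker, not a code reviewer, catches the mix-up.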

Variants vs. Datatypes

A variant type T of the form <l1:T1, l2:T2, ..., ln:Tn> is roughly analogous to the ML datatype definition⁷

    type T = l1 of T1
           | l2 of T2
           | ...
           | ln of Tn

But there are several differences worth noticing.

1. One trivial but potentially confusing point is that the capitalization conventions for identifiers that we are assuming here are different from those of OCaml. In OCaml, types must begin with lowercase letters and datatype constructors (labels, in our terminology) with capital letters, so, strictly speaking, the datatype declaration above should be written like this:

    type t = L1 of t1 | ... | Ln of tn

7. This section uses OCaml’s concrete syntax for datatypes, for consistency with implementation chapters elsewhere in the book, but they originated in early dialects of ML and can be found, in essentially the same form, in Standard ML as well as in ML relatives such as Haskell. Datatypes and pattern matching are arguably one of the most useful advantages of these languages for day to day programming.


To avoid confusion between terms t and types T, we’ll ignore OCaml’s conventions for the rest of this discussion and use ours instead.

2. The most interesting difference is that OCaml does not require a type annotation when a constructor li is used to inject an element of Ti into the datatype T: we simply write li(t). The way OCaml gets away with this (and retains unique typing) is that the datatype T must be declared before it can be used. Moreover, the labels in T cannot be used by any other datatype declared in the same scope. So, when the typechecker sees li(t), it knows that the annotation can only be T. In effect, the annotation is “hidden” in the label itself. This trick eliminates a lot of silly annotations, but it does lead to a certain amount of grumbling among users, since it means that labels cannot be shared between different datatypes—at least, not within the same module. In Chapter 15 we will see another way of omitting annotations that avoids this drawback.

3. Another convenient trick used by OCaml is that, when the type associated with a label in a datatype definition is just Unit, it can be omitted altogether. This permits enumerations to be defined by writing

    type Weekday = monday | tuesday | wednesday | thursday | friday

for example, rather than:

    type Weekday = monday of Unit
                 | tuesday of Unit
                 | wednesday of Unit
                 | thursday of Unit
                 | friday of Unit

Similarly, the label monday all by itself (rather than monday applied to the trivial value unit) is considered to be a value of type Weekday.

4. Finally, OCaml datatypes actually bundle variant types together with several additional features that we will be examining, individually, in later chapters.

• A datatype definition may be recursive—i.e., the type being defined is allowed to appear in the body of the definition. For example, in the standard definition of lists of Nats, the value tagged with cons is a pair whose second element is a NatList.

    type NatList = nil | cons of Nat * NatList


• An OCaml datatype can be parameterized on a type variable, as in the general definition of the List datatype:

    type 'a List = nil | cons of 'a * 'a List

Type-theoretically, List can be viewed as a kind of function—called a type operator—that maps each choice of 'a to a concrete datatype: Nat to NatList, etc. Type operators are the subject of Chapter 29.

Variants as Disjoint Unions

Sum and variant types are sometimes called disjoint unions. The type T1+T2 is a “union” of T1 and T2 in the sense that its elements include all the elements from T1 and T2. This union is disjoint because the sets of elements of T1 or T2 are tagged with inl or inr, respectively, before they are combined, so that it is always clear whether a given element of the union comes from T1 or T2. The phrase union type is also used to refer to untagged (non-disjoint) union types, described in §15.7.

Type Dynamic

Even in statically typed languages, there is often the need to deal with data whose type cannot be determined at compile time. This occurs in particular when the lifetime of the data spans multiple machines or many runs of the compiler—when, for example, the data is stored in an external file system or database, or communicated across a network. To handle such situations safely, many languages offer facilities for inspecting the types of values at run time. One attractive way of accomplishing this is to add a type Dynamic whose values are pairs of a value v and a type tag T where v has type T. Instances of Dynamic are built with an explicit tagging construct and inspected with a type-safe typecase construct. In effect, Dynamic can be thought of as an infinite disjoint union, whose labels are types. See Gordon (circa 1980), Mycroft (1983), Abadi, Cardelli, Pierce, and Plotkin (1991b), Leroy and Mauny (1991), Abadi, Cardelli, Pierce, and Rémy (1995), and Henglein (1994).

11.11 General Recursion

Another facility found in most programming languages is the ability to define recursive functions. We have seen (Chapter 5, p. 65) that, in the untyped lambda-calculus, such functions can be defined with the aid of the fix combinator. Recursive functions can be defined in a typed setting in a similar way. For example, here is a function iseven that returns true when called with an even argument and false otherwise:

    ff = λie:Nat→Bool.
           λx:Nat.
             if iszero x then true
             else if iszero (pred x) then false
             else ie (pred (pred x));
    ▶ ff : (Nat→Bool) → Nat → Bool

    iseven = fix ff;
    ▶ iseven : Nat → Bool

    iseven 7;
    ▶ false : Bool

The intuition is that the higher-order function ff passed to fix is a generator for the iseven function: if ff is applied to a function ie that approximates the desired behavior of iseven up to some number n (that is, a function that returns correct results on inputs less than or equal to n), then it returns a better approximation to iseven—a function that returns correct results for inputs up to n + 2. Applying fix to this generator returns its fixed point—a function that gives the desired behavior for all inputs n.

However, there is one important difference from the untyped setting: fix itself cannot be defined in the simply typed lambda-calculus. Indeed, we will see in Chapter 12 that no expression that can lead to non-terminating computations can be typed using only simple types.⁸ So, instead of defining fix as a term in the language, we simply add it as a new primitive, with evaluation rules mimicking the behavior of the untyped fix combinator and a typing rule that captures its intended uses. These rules are written out in Figure 11-12. (The letrec abbreviation will be discussed below.)

The simply typed lambda-calculus with numbers and fix has long been a favorite experimental subject for programming language researchers, since it is the simplest language in which a range of subtle semantic phenomena such as full abstraction (Plotkin, 1977, Hyland and Ong, 2000, Abramsky, Jagadeesan, and Malacaria, 2000) arise. It is often called PCF.

8. In later chapters—Chapter 13 and Chapter 20—we will see some extensions of simple types that recover the power to define fix within the system.

Figure 11-12: General recursion

→ fix                                        Extends λ→ (9-1)

New syntactic forms
    t ::= ...                                terms:
          fix t                              fixed point of t

New evaluation rules                         t → t'
    fix (λx:T1.t2) → [x ↦ fix (λx:T1.t2)]t2                     (E-FixBeta)

         t1 → t1'
    ─────────────────                                            (E-Fix)
    fix t1 → fix t1'

New typing rules                             Γ ⊢ t : T
    Γ ⊢ t1 : T1→T1
    ───────────────                                              (T-Fix)
    Γ ⊢ fix t1 : T1

New derived forms
    letrec x:T1 = t1 in t2   def=   let x = fix (λx:T1.t1) in t2

11.11.1 Exercise [««]: Define equal, plus, times, and factorial using fix.

The fix construct is typically used to build functions (as fixed points of functions from functions to functions), but it is worth noticing that the type T in rule T-Fix is not restricted to function types. This extra power is sometimes handy. For example, it allows us to define a record of mutually recursive functions as the fixed point of a function on records (of functions). The following implementation of iseven uses an auxiliary function isodd; the two functions are defined as fields of a record, where the definition of this record is abstracted on a record ieio whose components are used to make recursive calls from the bodies of the iseven and isodd fields.

    ff = λieio:{iseven:Nat→Bool, isodd:Nat→Bool}.
           {iseven = λx:Nat.
                       if iszero x then true
                       else ieio.isodd (pred x),
            isodd = λx:Nat.
                      if iszero x then false
                      else ieio.iseven (pred x)};
    ▶ ff : {iseven:Nat→Bool,isodd:Nat→Bool} → {iseven:Nat→Bool, isodd:Nat→Bool}

Forming the fixed point of the function ff gives us a record of two functions

    r = fix ff;
    ▶ r : {iseven:Nat→Bool, isodd:Nat→Bool}


and projecting the first of these gives us the iseven function itself:

    iseven = r.iseven;
    ▶ iseven : Nat → Bool

    iseven 7;
    ▶ false : Bool

The ability to form the fixed point of a function of type T→T for any T has some surprising consequences. In particular, it implies that every type is inhabited by some term. To see this, observe that, for every type T, we can define a function divergeT as follows:

    divergeT = λ_:Unit. fix (λx:T.x);
    ▶ divergeT : Unit → T

Whenever divergeT is applied to a unit argument, we get a non-terminating ev evaluation sequence in which E-FixBeta is applied over and over, always yielding the same term. That is, for every type T, the term divergeT unit is an undefined element of T.

One final refinement that we may consider is introducing more convenient concrete syntax for the common case where what we want to do is to bind a variable to the result of a recursive definition. In most high-level languages, the first definition of iseven above would be written something like this:

    letrec iseven : Nat→Bool =
      λx:Nat.
        if iszero x then true
        else if iszero (pred x) then false
        else iseven (pred (pred x))
    in
      iseven 7;
    ▶ false : Bool

The recursive binding construct letrec is easily defined as a derived form:

    letrec x:T1 = t1 in t2   def=   let x = fix (λx:T1.t1) in t2

11.11.2 Exercise [«]: Rewrite your definitions of plus, times, and factorial from Exercise 11.11.1 using letrec instead of fix.

Further information on fixed point operators can be found in Klop (1980) and Winskel (1993).
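An added Rust example, not code from the book, of fix as a primitive. Rust, like λ→, cannot type the untyped fix combinator of Chapter 5 (a closure cannot be applied to itself at a finite type), so the primitive is supplied from outside the calculus using the host language's own recursion. The fix here is specialized to T = A→B and uncurried; the generators ff and fact_gen mirror the text and Exercise 11.11.1, and diverge mirrors divergeT. The names are this example's own.

```rust
/// The primitive fix at T = A→B, uncurried: `f` is the generator (the book's
/// ff) and receives the recursive call as its first parameter. Rust's own
/// recursion supplies the fixed point; nothing inside λ→ could.
fn fix<A, B>(f: &dyn Fn(&dyn Fn(A) -> B, A) -> B, x: A) -> B {
    f(&|y: A| fix(f, y), x)
}

/// The generator ff from the text: given an `ie` that is correct on inputs
/// up to n, return a function correct on inputs up to n + 2.
fn ff(ie: &dyn Fn(u64) -> bool, x: u64) -> bool {
    if x == 0 { true } else if x == 1 { false } else { ie(x - 2) }
}

/// iseven = fix ff
fn iseven(x: u64) -> bool { fix(&ff, x) }

/// A generator for factorial (Exercise 11.11.1); the recursive call is only
/// reached when n > 0, so the fixed point terminates on every input.
fn fact_gen(fact: &dyn Fn(u64) -> u64, n: u64) -> u64 {
    if n == 0 { 1 } else { n * fact(n - 1) }
}

fn factorial(n: u64) -> u64 { fix(&fact_gen, n) }

/// divergeT: the generator does nothing but make its recursive call, so
/// fix (λx:T. x) is well typed at every T and never returns. Rust reports this
/// as a stack overflow rather than the endless E-FixBeta loop of the text.
/// Deliberately not called anywhere; it is here to show the type is inhabited.
#[allow(dead_code)]
fn diverge<T>() -> T {
    fn again<T>(loop_again: &dyn Fn(()) -> T, u: ()) -> T { loop_again(u) }
    fix(&again::<T>, ())
}

fn main() {
    println!("iseven 7 = {}", iseven(7));
    println!("iseven 10 = {}", iseven(10));
    println!("factorial 5 = {}", factorial(5));
}
```

Rust's ordinary fn items are the letrec of the derived form: a function may call itself (or a sibling) by name without any fix, because the language, like the book's extended λ→, has general recursion built in rather than derived. The type system consequence noted above carries over: a function of type fn() -> T exists for every T, including uninhabited-looking ones, so a return type alone never certifies that a value was produced.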

11.12 Lists

The typing features we have seen can be classified into base types like Bool and Unit, and type constructors like → and × that build new types from old ones. Another useful type constructor is List. For every type T, the type List T describes finite-length lists whose elements are drawn from T. Figure 11-13 summarizes the syntax, semantics, and typing rules for lists. Except for syntactic differences (List T instead of T list, etc.) and the explicit type annotations on all the syntactic forms in our presentation,⁹ these lists are essentially identical to those found in ML and other functional languages. The empty list (with elements of type T) is written nil[T]. The list formed by adding a new element t1 (of type T) to the front of a list t2 is written cons[T] t1 t2. The head and tail of a list t are written head[T] t and tail[T] t. The boolean predicate isnil[T] t yields true iff t is empty.¹⁰

11.12.1 Exercise [«««]: Verify that the progress and preservation theorems hold for the simply typed lambda-calculus with booleans and lists.

11.12.2 Exercise [««]: The presentation of lists here includes many type annotations that are not really needed, in the sense that the typing rules can easily derive the annotations from context. Can all the type annotations be deleted?

9. Most of these explicit annotations could actually be omitted (Exercise [«]: which cannot?); they are retained here to ease comparison with the encoding of lists in §23.4.

10. We adopt the “head/tail/isnil presentation” of lists here for simplicity. From the perspective of language design, it is arguably better to treat lists as a datatype and use case expressions for destructing them, since more programming errors can be caught as type errors this way.

Figure 11-13: Lists

→ B List                                     Extends λ→ (9-1) with booleans (8-1)

New syntactic forms
    t ::= ...                                terms:
          nil[T]                             empty list
          cons[T] t t                        list constructor
          isnil[T] t                         test for empty list
          head[T] t                          head of a list
          tail[T] t                          tail of a list

    v ::= ...                                values:
          nil[T]                             empty list
          cons[T] v v                        list constructor

    T ::= ...                                types:
          List T                             type of lists

New evaluation rules                         t → t'
         t1 → t1'
    ──────────────────────────────                               (E-Cons1)
    cons[T] t1 t2 → cons[T] t1' t2

         t2 → t2'
    ──────────────────────────────                               (E-Cons2)
    cons[T] v1 t2 → cons[T] v1 t2'

    isnil[S] (nil[T]) → true                                     (E-IsnilNil)

    isnil[S] (cons[T] v1 v2) → false                             (E-IsnilCons)

         t1 → t1'
    ──────────────────────────                                   (E-Isnil)
    isnil[T] t1 → isnil[T] t1'

    head[S] (cons[T] v1 v2) → v1                                 (E-HeadCons)

         t1 → t1'
    ────────────────────────                                     (E-Head)
    head[T] t1 → head[T] t1'

    tail[S] (cons[T] v1 v2) → v2                                 (E-TailCons)

         t1 → t1'
    ────────────────────────                                     (E-Tail)
    tail[T] t1 → tail[T] t1'

New typing rules                             Γ ⊢ t : T
    Γ ⊢ nil[T1] : List T1                                        (T-Nil)

    Γ ⊢ t1 : T1     Γ ⊢ t2 : List T1
    ────────────────────────────────                             (T-Cons)
    Γ ⊢ cons[T1] t1 t2 : List T1

    Γ ⊢ t1 : List T11
    ────────────────────────                                     (T-Isnil)
    Γ ⊢ isnil[T11] t1 : Bool

    Γ ⊢ t1 : List T11
    ───────────────────────                                      (T-Head)
    Γ ⊢ head[T11] t1 : T11

    Γ ⊢ t1 : List T11
    ────────────────────────────                                 (T-Tail)
    Γ ⊢ tail[T11] t1 : List T11

12 Normalization

In this chapter, we consider another fundamental theoretical property of the pure simply typed lambda-calculus: the fact that the evaluation of a well-typed program is guaranteed to halt in a finite number of steps—i.e., every well-typed term is normalizable. Unlike the type-safety properties we have considered so far, the normalization property does not extend to full-blown programming languages, because these languages nearly always extend the simply typed lambda-calculus with constructs such as general recursion (§11.11) or recursive types (Chapter 20) that can be used to write nonterminating programs. However, the issue of normalization will reappear at the level of types when we discuss the metatheory of System Fω in §30.3: in this system, the language of types effectively contains a copy of the simply typed lambda-calculus, and the termination of the typechecking algorithm will hinge on the fact that a “normalization” operation on type expressions is guaranteed to terminate.

Another reason for studying normalization proofs is that they are some of the most beautiful—and mind-blowing—mathematics to be found in the type theory literature, often (as here) involving the fundamental proof technique of logical relations.

Some readers may prefer to skip this chapter on a first reading; doing so will not cause any problems in later chapters. (A full table of chapter dependencies appears on page xvi.)

12.1 Normalization for Simple Types

The calculus we shall consider here is the simply typed lambda-calculus over a single base type A. Normalization for this calculus is not entirely trivial to prove, since each reduction of a term can duplicate redexes in subterms.

The language studied in this chapter is the simply typed lambda-calculus (Figure 9-1) with a single base type A (11-1).

12.1.1 Exercise [«]: Where do we fail if we attempt to prove normalization by a straightforward induction on the size of a well-typed term?

The key issue here (as in many proofs by induction) is finding a strong enough induction hypothesis. To this end, we begin by defining, for each type T, a set R_T of closed terms of type T. We regard these sets as predicates and write R_T(t) for t ∈ R_T.¹

12.1.2 Definition:
    • R_A(t) iff t halts.
    • R_{T1→T2}(t) iff t halts and, whenever R_{T1}(s), we have R_{T2}(t s).

This definition gives us the strengthened induction hypothesis that we need. Our primary goal is to show that all programs—i.e., all closed terms of base type—halt. But closed terms of base type can contain subterms of functional type, so we need to know something about these as well. Moreover, it is not enough to know that these subterms halt, because the application of a normalized function to a normalized argument involves a substitution, which may enable more evaluation steps. So we need a stronger condition for terms of functional type: not only should they halt themselves, but, when applied to halting arguments, they should yield halting results.

The form of Definition 12.1.2 is characteristic of the logical relations proof technique. (Since we are just dealing with unary relations here, we should more properly say logical predicates.) If we want to prove some property P of all closed terms of type A, we proceed by proving, by induction on types, that all terms of type A possess property P, all terms of type A→A preserve property P, all terms of type (A→A)→(A→A) preserve the property of preserving property P, and so on. We do this by defining a family of predicates, indexed by types. For the base type A, the predicate is just P. For functional types, it says that the function should map values satisfying the predicate at the input type to values satisfying the predicate at the output type.

We use this definition to carry out the proof of normalization in two steps. First, we observe that every element of every set R_T is normalizable. Then we show that every well-typed term of type T is an element of R_T. The first step is immediate from the definition of R_T:

12.1.3 Lemma: If R_T(t), then t halts.

The second step is broken into two lemmas. First, we remark that membership in R_T is invariant under evaluation.

1. The sets R_T are sometimes called saturated sets or reducibility candidates.

12.1.4 Lemma: If t : T and t → t', then R_T(t) iff R_T(t').

Proof: By induction on the structure of the type T. Note, first, that it is clear that t halts iff t' does. If T = A, there is nothing more to show. Suppose, on the other hand, that T = T1→T2 for some T1 and T2. For the “only if” direction (⇒) suppose that R_T(t) and that R_{T1}(s) for some arbitrary s : T1. By definition we have R_{T2}(t s). But t s → t' s, from which the induction hypothesis for type T2 gives us R_{T2}(t' s). Since this holds for an arbitrary s, the definition of R_T gives us R_T(t'). The argument for the “if” direction (⇐) is analogous.

Next, we want to show that every term of type T belongs to R_T. Here, the induction will be on typing derivations (it would be surprising to see a proof about well-typed terms that did not somewhere involve induction on typing derivations!). The only technical difficulty here is in dealing with the λ-abstraction case. Since we are arguing by induction, the demonstration that a term λx:T1.t2 belongs to R_{T1→T2} should involve applying the induction hypothesis to show that t2 belongs to R_{T2}. But R_{T2} is defined to be a set of closed terms, while t2 may contain x free, so this does not make sense. This problem is resolved by using a standard trick to suitably generalize the induction hypothesis: instead of proving a statement involving a closed term, we generalize it to cover all closed instances of an open term t.

12.1.5 Lemma: If x1:T1, ..., xn:Tn ⊢ t : T and v1, ..., vn are closed values of types T1, ..., Tn with R_Ti(vi) for each i, then R_T([x1 ↦ v1] ··· [xn ↦ vn]t).

Proof: By induction on a derivation of x1:T1, ..., xn:Tn ⊢ t : T. (The most interesting case is the one for abstraction.)

Case T-Var:    t = xi    T = Ti

Immediate.

Case T-Abs:    t = λx:S1.s2    T = S1→S2    x1:T1, ..., xn:Tn, x:S1 ⊢ s2 : S2

Obviously, [x1 ↦ v1] ··· [xn ↦ vn]t evaluates to a value, since it is a value already. What remains to show is that R_S2(([x1 ↦ v1] ··· [xn ↦ vn]t) s) for any s : S1 such that R_S1(s). So suppose s is such a term. By Lemma 12.1.3, we have s ⟶* v for some v. By Lemma 12.1.4, R_S1(v). Now, by the induction hypothesis, R_S2([x1 ↦ v1] ··· [xn ↦ vn][x ↦ v]s2). But

    (λx:S1. [x1 ↦ v1] ··· [xn ↦ vn]s2) s  ⟶*  [x1 ↦ v1] ··· [xn ↦ vn][x ↦ v]s2,

from which Lemma 12.1.4 gives us R_S2((λx:S1. [x1 ↦ v1] ··· [xn ↦ vn]s2) s), that is, R_S2(([x1 ↦ v1] ··· [xn ↦ vn](λx:S1. s2)) s). Since s was chosen arbitrarily, the definition of R_{S1→S2} gives us R_{S1→S2}([x1 ↦ v1] ··· [xn ↦ vn](λx:S1. s2)).

Case T-App:    t = t1 t2    x1:T1, ..., xn:Tn ⊢ t1 : T11→T12    x1:T1, ..., xn:Tn ⊢ t2 : T11    T = T12

The induction hypothesis gives us R_{T11→T12}([x1 ↦ v1] ··· [xn ↦ vn]t1) and R_T11([x1 ↦ v1] ··· [xn ↦ vn]t2). By the definition of R_{T11→T12}, R_T12(([x1 ↦ v1] ··· [xn ↦ vn]t1) ([x1 ↦ v1] ··· [xn ↦ vn]t2)), i.e., R_T12([x1 ↦ v1] ··· [xn ↦ vn](t1 t2)).

We now obtain the normalization property as a corollary, simply by taking the term t to be closed in Lemma 12.1.5 and then recalling that all the elements of R_T are normalizing, for every T.

12.1.6 Theorem [Normalization]: If ⊢ t : T, then t is normalizable.

Proof: R_T(t) by Lemma 12.1.5; t is therefore normalizable by Lemma 12.1.3.

12.1.7 Exercise [Recommended, ★★★]: Extend the proof technique from this chapter to show that the simply typed lambda-calculus remains normalizing when extended with booleans (Figure 3-1) and products (Figure 11-5).

12.2 Notes

Normalization properties are most commonly formulated in the theoretical literature as strong normalization for calculi with full (non-deterministic) beta-reduction. The standard proof method was invented by Tait (1967), generalized to System F (cf. Chapter 23) by Girard (1972, 1989), and later simplified by Tait (1975). The presentation used here is an adaptation of Tait’s method to the call-by-value setting, due to Martin Hofmann (private communication). The classical references on the logical relations proof technique are Howard (1973), Tait (1967), Friedman (1975), Plotkin (1973, 1980), and Statman (1982, 1985a, 1985b). It is also discussed in many texts on semantics, for example those by Mitchell (1996) and Gunter (1992). Tait’s strong normalization proof corresponds exactly to an algorithm for evaluating simply typed terms, known as normalization by evaluation or type-directed partial evaluation (Berger, 1993; Danvy, 1998); also see Berger and Schwichtenberg (1991), Filinski (1999), Filinski (2001), Reynolds (1998a).

13 References

So far, we have considered a variety of pure language features, including functional abstraction, basic types such as numbers and booleans, and structured types such as records and variants. These features form the backbone of most programming languages—including purely functional languages such as Haskell, “mostly functional” languages such as ML, imperative languages such as C, and object-oriented languages such as Java. Most practical programming languages also include various impure features that cannot be described in the simple semantic framework we have used so far. In particular, besides just yielding results, evaluation of terms in these languages may assign to mutable variables (reference cells, arrays, mutable record fields, etc.), perform input and output to files, displays, or network connections, make non-local transfers of control via exceptions, jumps, or continuations, engage in inter-process synchronization and communication, and so on. In the literature on programming languages, such “side effects” of computation are more generally referred to as computational effects. In this chapter, we’ll see how one sort of computational effect—mutable references—can be added to the calculi we have studied. The main extension will be dealing explicitly with a store (or heap). This extension is straightforward to define; the most interesting part is the refinement we need to make to the statement of the type preservation theorem (13.5.3). We consider another kind of effect—exceptions and non-local transfer of control—in Chapter 14.

13.1 Introduction

Nearly every programming language¹ provides some form of assignment operation that changes the contents of a previously allocated piece of storage. The system studied in this chapter is the simply typed lambda-calculus with Unit and references (Figure 13-1). The associated OCaml implementation is fullref.

¹ Even “purely functional” languages such as Haskell, via extensions such as monads.

In some languages—notably ML and its relatives—the mechanisms for name-binding and those for assignment are kept separate. We can have a variable x whose value is the number 5, or a variable y whose value is a reference (or pointer) to a mutable cell whose current contents is 5, and the difference is visible to the programmer. We can add x to another number, but not assign to it. We can use y directly to assign a new value to the cell that it points to (by writing y:=84), but we cannot use it directly as an argument to plus. Instead, we must explicitly dereference it, writing !y to obtain its current contents. In most other languages—in particular, in all members of the C family, including Java—every variable name refers to a mutable cell, and the operation of dereferencing a variable to obtain its current contents is implicit.² For purposes of formal study, it is useful to keep these mechanisms separate;³ our development in this chapter will closely follow ML’s model. Applying the lessons learned here to C-like languages is a straightforward matter of collapsing some distinctions and rendering certain operations such as dereferencing implicit instead of explicit.

Basics

The basic operations on references are allocation, dereferencing, and assignment. To allocate a reference, we use the ref operator, providing an initial value for the new cell.

    r = ref 5;
  ▶ r : Ref Nat

The response from the typechecker indicates that the value of r is a reference to a cell that will always contain a number. To read the current value of this cell, we use the dereferencing operator !.

    !r;
  ▶ 5 : Nat

To change the value stored in the cell, we use the assignment operator.

    r := 7;
  ▶ unit : Unit

(The result of the assignment is the trivial unit value; see §11.2.) If we dereference r again, we see the updated value.

    !r;
  ▶ 7 : Nat

² Strictly speaking, most variables of type T in C or Java should actually be thought of as pointers to cells holding values of type Option(T), reflecting the fact that the contents of a variable can be either a proper value or the special value null.

³ There are also good arguments that this separation is desirable from the perspective of language design. Making the use of mutable cells an explicit choice rather than the default encourages a mostly functional programming style where references are used sparingly; this practice tends to make programs significantly easier to write, maintain, and reason about, especially in the presence of features like concurrency.

Side Effects and Sequencing

The fact that the result of an assignment expression is the trivial value unit fits nicely with the sequencing notation defined in §11.3, allowing us to write

    (r:=succ(!r); !r);
  ▶ 8 : Nat

instead of the equivalent, but more cumbersome,

    (λ_:Unit. !r) (r := succ(!r));
  ▶ 9 : Nat

to evaluate two expressions in order and return the value of the second. Restricting the type of the first expression to Unit helps the typechecker to catch some silly errors by permitting us to throw away the first value only if it is really guaranteed to be trivial. Notice that, if the second expression is also an assignment, then the type of the whole sequence will be Unit, so we can validly place it to the left of another ; to build longer sequences of assignments:

    (r:=succ(!r); r:=succ(!r); r:=succ(!r); r:=succ(!r); !r);
  ▶ 13 : Nat

References and Aliasing

It is important to bear in mind the difference between the reference that is bound to r and the cell in the store that is pointed to by this reference.

    r = ──→ [ 13 ]

If we make a copy of r, for example by binding its value to another variable s,

    s = r;
  ▶ s : Ref Nat

what gets copied is only the reference (the arrow in the diagram), not the cell:

    r = ──→ [ 13 ] ←── = s

We can verify this by assigning a new value into s

    s := 82;
  ▶ unit : Unit

and reading it out via r:

    !r;
  ▶ 82 : Nat

The references r and s are said to be aliases for the same cell.

13.1.1 Exercise [★]: Draw a similar diagram showing the effects of evaluating the expressions a = {ref 0, ref 0} and b = (λx:Ref Nat. {x,x}) (ref 0).

Shared State

The possibility of aliasing can make programs with references quite tricky to reason about. For example, the expression (r:=1; r:=!s), which assigns 1 to r and then immediately overwrites it with s’s current value, has exactly the same effect as the single assignment r:=!s, unless we write it in a context where r and s are aliases for the same cell. Of course, aliasing is also a large part of what makes references useful. In particular, it allows us to set up “implicit communication channels”—shared state—between different parts of a program. For example, suppose we define a reference cell and two functions that manipulate its contents:

    c = ref 0;
  ▶ c : Ref Nat

    incc = λx:Unit. (c := succ (!c); !c);
  ▶ incc : Unit → Nat

    decc = λx:Unit. (c := pred (!c); !c);
  ▶ decc : Unit → Nat

Calling incc

    incc unit;
  ▶ 1 : Nat

results in changes to c that can be observed by calling decc:

    decc unit;
  ▶ 0 : Nat

If we package incc and decc together into a record

    o = {i = incc, d = decc};
  ▶ o : {i:Unit→Nat, d:Unit→Nat}

then we can pass this whole structure around as a unit and use its components to perform incrementing and decrementing operations on the shared piece of state in c. In effect, we have constructed a simple kind of object. This idea is developed in detail in Chapter 18.

References to Compound Types

A reference cell need not contain just a number: the primitives above allow us to create references to values of any type, including functions. For example, we can use references to functions to give a (not very efficient) implementation of arrays of numbers, as follows. Write NatArray for the type Ref (Nat→Nat).

    NatArray = Ref (Nat→Nat);

To build a new array, we allocate a reference cell and fill it with a function that, when given an index, always returns 0.

    newarray = λ_:Unit. ref (λn:Nat.0);
  ▶ newarray : Unit → NatArray

To look up an element of an array, we simply apply the function to the desired index.

    lookup = λa:NatArray. λn:Nat. (!a) n;
  ▶ lookup : NatArray → Nat → Nat

The interesting part of the encoding is the update function. It takes an array, an index, and a new value to be stored at that index, and does its job by creating (and storing in the reference) a new function that, when it is asked for the value at this very index, returns the new value that was given to update, and on all other indices passes the lookup to the function that was previously stored in the reference.

    update = λa:NatArray. λm:Nat. λv:Nat.
               let oldf = !a in
               a := (λn:Nat. if equal m n then v else oldf n);
  ▶ update : NatArray → Nat → Nat → Unit

13.1.2 Exercise [★★]: If we defined update more compactly like this

    update = λa:NatArray. λm:Nat. λv:Nat.
               a := (λn:Nat. if equal m n then v else (!a) n);

would it behave the same?

References to values containing other references can also be very useful, allowing us to define data structures such as mutable lists and trees. (Such structures generally also involve recursive types, which we introduce in Chapter 20.)

Garbage Collection

A last issue that we should mention before we move on to formalizing references is storage deallocation. We have not provided any primitives for freeing reference cells when they are no longer needed. Instead, like many modern languages (including ML and Java) we rely on the run-time system to perform garbage collection, collecting and reusing cells that can no longer be reached by the program. This is not just a question of taste in language design: it is extremely difficult to achieve type safety in the presence of an explicit deallocation operation. The reason for this is the familiar dangling reference problem: we allocate a cell holding a number, save a reference to it in some data structure, use it for a while, then deallocate it and allocate a new cell holding a boolean, possibly reusing the same storage. Now we can have two names for the same storage cell—one with type Ref Nat and the other with type Ref Bool.

13.1.3 Exercise [★★]: Show how this can lead to a violation of type safety.

13.2 Typing

The typing rules for ref, :=, and ! follow straightforwardly from the behaviors we have given them.

         Γ ⊢ t1 : T1
    ─────────────────────────      (T-Ref)
     Γ ⊢ ref t1 : Ref T1

       Γ ⊢ t1 : Ref T1
    ─────────────────────────      (T-Deref)
        Γ ⊢ !t1 : T1

    Γ ⊢ t1 : Ref T1    Γ ⊢ t2 : T1
    ───────────────────────────────   (T-Assign)
         Γ ⊢ t1:=t2 : Unit

13.3 Evaluation

A more subtle aspect of the treatment of references appears when we consider how to formalize their operational behavior. One way to see why is to ask, “What should be the values of type Ref T?” The crucial observation that we need to take into account is that evaluating a ref operator should do something—namely, allocate some storage—and the result of the operation should be a reference to this storage. What, then, is a reference? The run-time store in most programming language implementations is essentially just a big array of bytes. The run-time system keeps track of which parts of this array are currently in use; when we need to allocate a new reference cell, we allocate a large enough segment from the free region of the store (4 bytes for integer cells, 8 bytes for cells storing Floats, etc.), mark it as being used, and return the index (typically, a 32- or 64-bit integer) of the start of the newly allocated region. These indices are references. For present purposes, there is no need to be quite so concrete. We can think of the store as an array of values, rather than an array of bytes, abstracting away from the different sizes of the run-time representations of different values. Furthermore, we can abstract away from the fact that references (i.e., indexes into this array) are numbers. We take references to be elements of some uninterpreted set L of store locations, and take the store to be simply a partial function from locations l to values. We use the metavariable µ to range over stores. A reference, then, is a location—an abstract index into the store. We’ll use the word location instead of reference or pointer from now on to emphasize this abstract quality.⁴

⁴ Treating locations abstractly in this way will prevent us from modeling the pointer arithmetic found in low-level languages such as C. This limitation is intentional. While pointer arithmetic is occasionally very useful (especially for implementing low-level components of run-time systems, such as garbage collectors), it cannot be tracked by most type systems: knowing that location n in the store contains a Float doesn’t tell us anything useful about the type of location n + 4. In C, pointer arithmetic is a notorious source of type safety violations.

Next, we need to extend our operational semantics to take stores into account. Since the result of evaluating an expression will in general depend on the contents of the store in which it is evaluated, the evaluation rules should take not just a term but also a store as argument. Furthermore, since the evaluation of a term may cause side effects on the store that may affect the evaluation of other terms in the future, the evaluation rules need to return a new store. Thus, the shape of the single-step evaluation relation changes from t ⟶ t′ to t | µ ⟶ t′ | µ′, where µ and µ′ are the starting and ending states of the store. In effect, we have enriched our notion of abstract machines, so that a machine state is not just a program counter (represented as a term), but a program counter plus the current contents of the store. To carry through this change, we first need to augment all of our existing evaluation rules with stores:

    (λx:T11.t12) v2 | µ ⟶ [x ↦ v2]t12 | µ      (E-AppAbs)

          t1 | µ ⟶ t1′ | µ′
    ─────────────────────────────     (E-App1)
      t1 t2 | µ ⟶ t1′ t2 | µ′

          t2 | µ ⟶ t2′ | µ′
    ─────────────────────────────     (E-App2)
      v1 t2 | µ ⟶ v1 t2′ | µ′

Note that the first rule here returns the store µ unchanged: function application, in itself, has no side effects. The other two rules simply propagate side effects from premise to conclusion. Next, we make a small addition to the syntax of our terms. The result of evaluating a ref expression will be a fresh location, so we need to include locations in the set of things that can be results of evaluation—i.e., in the set of values:

    v ::=                          values:
        λx:T.t                       abstraction value
        unit                         unit value
        l                            store location

Since all values are also terms, this means that the set of terms should include locations.

    t ::=                          terms:
        x                            variable
        λx:T.t                       abstraction
        t t                          application
        unit                         constant unit
        ref t                        reference creation
        !t                           dereference
        t:=t                         assignment
        l                            store location

Of course, making this extension to the syntax of terms does not mean that we intend programmers to write terms involving explicit, concrete locations: such terms will arise only as intermediate results of evaluation. In effect, the term language in this chapter should be thought of as formalizing an intermediate language, some of whose features are not made available to programmers directly. In terms of this expanded syntax, we can state evaluation rules for the new constructs that manipulate locations and the store. First, to evaluate a dereferencing expression !t1, we must first reduce t1 until it becomes a value:

          t1 | µ ⟶ t1′ | µ′
    ─────────────────────────────     (E-Deref)
        !t1 | µ ⟶ !t1′ | µ′

Once t1 has finished reducing, we should have an expression of the form !l, where l is some location. A term that attempts to dereference any other sort of value, such as a function or unit, is erroneous. The evaluation rules simply get stuck in this case. The type safety properties in §13.5 assure us that well-typed terms will never misbehave in this way.

            µ(l) = v
    ─────────────────────────     (E-DerefLoc)
        !l | µ ⟶ v | µ

Next, to evaluate an assignment expression t1:=t2, we must first evaluate t1 until it becomes a value (i.e., a location),

            t1 | µ ⟶ t1′ | µ′
    ───────────────────────────────     (E-Assign1)
      t1:=t2 | µ ⟶ t1′:=t2 | µ′

and then evaluate t2 until it becomes a value (of any sort):

            t2 | µ ⟶ t2′ | µ′
    ───────────────────────────────     (E-Assign2)
      v1:=t2 | µ ⟶ v1:=t2′ | µ′

Once we have finished with t1 and t2, we have an expression of the form l:=v2, which we execute by updating the store to make location l contain v2:

    l:=v2 | µ ⟶ unit | [l ↦ v2]µ      (E-Assign)

(The notation [l ↦ v2]µ here means “the store that maps l to v2 and maps all other locations to the same thing as µ.” Note that the term resulting from this evaluation step is just unit; the interesting result is the updated store.) Finally, to evaluate an expression of the form ref t1, we first evaluate t1 until it becomes a value:

          t1 | µ ⟶ t1′ | µ′
    ───────────────────────────────     (E-Ref)
      ref t1 | µ ⟶ ref t1′ | µ′

Then, to evaluate the ref itself, we choose a fresh location l (i.e., a location that is not already part of the domain of µ) and yield a new store that extends µ with the new binding l ↦ v1.

            l ∉ dom(µ)
    ───────────────────────────────     (E-RefV)
      ref v1 | µ ⟶ l | (µ, l ↦ v1)

The term resulting from this step is the name l of the newly allocated location. Note that these evaluation rules do not perform any kind of garbage collection: we simply allow the store to keep growing without bound as evaluation proceeds. This does not affect the correctness of the results of evaluation (after all, the definition of “garbage” is precisely parts of the store that are no longer reachable and so cannot play any further role in evaluation), but it means that a naive implementation of our evaluator will sometimes run out of memory where a more sophisticated evaluator would be able to continue by reusing locations whose contents have become garbage.

13.3.1 Exercise [★★★]: How might our evaluation rules be refined to model garbage collection? What theorem would we then need to prove, to argue that this refinement is correct?

13.4 Store Typings

Having extended our syntax and evaluation rules to accommodate references, our last job is to write down typing rules for the new constructs—and, of course, to check that they are sound. Naturally, the key question is, “What is the type of a location?” When we evaluate a term containing concrete locations, the type of the result depends on the contents of the store that we start with. For example, if we evaluate the term !l2 in the store (l1 ↦ unit, l2 ↦ unit), the result is unit; if we evaluate the same term in the store (l1 ↦ unit, l2 ↦ λx:Unit.x), the result is λx:Unit.x. With respect to the former store, the location l2 has type Unit, and with respect to the latter it has type Unit→Unit. This observation leads us immediately to a first attempt at a typing rule for locations:

       Γ ⊢ µ(l) : T1
    ─────────────────────
      Γ ⊢ l : Ref T1

That is, to find the type of a location l, we look up the current contents of l in the store and calculate the type T1 of the contents. The type of the location is then Ref T1. Having begun in this way, we need to go a little further to reach a consistent state. In effect, by making the type of a term depend on the store, we have changed the typing relation from a three-place relation (between contexts, terms, and types) to a four-place relation (between contexts, stores, terms, and types). Since the store is, intuitively, part of the context in which we calculate the type of a term, let’s write this four-place relation with the store to the left of the turnstile: Γ | µ ⊢ t : T. Our rule for typing references now has the form

      Γ | µ ⊢ µ(l) : T1
    ─────────────────────────
     Γ | µ ⊢ l : Ref T1

and all the rest of the typing rules in the system are extended similarly with stores. The other rules do not need to do anything interesting with their stores—just pass them from premise to conclusion. However, there are two problems with this rule. First, typechecking is rather inefficient, since calculating the type of a location l involves calculating the type of the current contents v of l. If l appears many times in a term t, we will re-calculate the type of v many times in the course of constructing a typing derivation for t. Worse, if v itself contains locations, then we will have to recalculate their types each time they appear. For example, if the store contains

    (l1 ↦ λx:Nat. 999,
     l2 ↦ λx:Nat. (!l1) x,
     l3 ↦ λx:Nat. (!l2) x,
     l4 ↦ λx:Nat. (!l3) x,
     l5 ↦ λx:Nat. (!l4) x),

then calculating the type of l5 involves calculating those of l4, l3, l2, and l1. Second, the proposed typing rule for locations may not allow us to derive anything at all, if the store contains a cycle. For example, there is no finite typing derivation for the location l2 with respect to the store (l1 ↦ λx:Nat. (!l2) x, l2 ↦ λx:Nat. (!l1) x), since calculating a type for l2 requires finding the type of l1, which in turn involves l2, etc. Cyclic reference structures do arise in practice (e.g., they can be used for building doubly linked lists), and we would like our type system to be able to deal with them.

13.4.1 Exercise [★]: Can you find a term whose evaluation will create this particular cyclic store?

Both of these problems arise from the fact that our proposed typing rule for locations requires us to recalculate the type of a location every time we mention it in a term. But this, intuitively, should not be necessary. After all, when a location is first created, we know the type of the initial value that we are storing into it. Moreover, although we may later store other values into this location, those other values will always have the same type as the initial one. In other words, we always have in mind a single, definite type for every location in the store, which is fixed when the location is allocated. These intended types can be collected together as a store typing—a finite function mapping locations to types. We’ll use the metavariable Σ to range over such functions. Suppose we are given a store typing Σ describing the store µ in which some term t will be evaluated. Then we can use Σ to calculate the type of the result of t without ever looking directly at µ. For example, if Σ is (l1 ↦ Unit, l2 ↦ Unit→Unit), then we may immediately infer that !l2 has type Unit→Unit. More generally, the typing rule for locations can be reformulated in terms of store typings like this:

           Σ(l) = T1
    ─────────────────────────      (T-Loc)
     Γ | Σ ⊢ l : Ref T1

Typing is again a four-place relation, but it is parameterized on a store typing rather than a concrete store. The rest of the typing rules are analogously augmented with store typings. Of course, these typing rules will accurately predict the results of evaluation only if the concrete store used during evaluation actually conforms to the store typing that we assume for purposes of typechecking. This proviso exactly parallels the situation with free variables in all the calculi we have seen up to this point: the substitution lemma (9.3.8) promises us that, if Γ ⊢ t : T, then we can replace the free variables in t with values of the types listed in Γ to obtain a closed term of type T, which, by the type preservation theorem (9.3.9) will evaluate to a final result of type T if it yields any result at all. We will see in §13.5 how to formalize an analogous intuition for stores and store typings. Finally, note that, for purposes of typechecking the terms that programmers actually write, we do not need to do anything tricky to guess what store typing we should use. As we remarked above, concrete location constants arise only in terms that are the intermediate results of evaluation; they are not in the language that programmers write. Thus, we can simply typecheck the programmer’s terms with respect to the empty store typing. As evaluation proceeds and new locations are created, we will always be able to see how to extend the store typing by looking at the type of the initial values being placed in newly allocated cells; this intuition is formalized in the statement of the type preservation theorem below (13.5.3). Now that we have dealt with locations, the typing rules for the other new syntactic forms are quite straightforward. When we create a reference to a value of type T1, the reference itself has type Ref T1.

         Γ | Σ ⊢ t1 : T1
    ─────────────────────────────      (T-Ref)
     Γ | Σ ⊢ ref t1 : Ref T1

Notice that we do not need to extend the store typing here, since the name of the new location will not be determined until run time, while Σ records only the association between already-allocated storage cells and their types. Conversely, if t1 evaluates to a location of type Ref T11, then dereferencing t1 is guaranteed to yield a value of type T11.

       Γ | Σ ⊢ t1 : Ref T11
    ─────────────────────────────      (T-Deref)
        Γ | Σ ⊢ !t1 : T11

Finally, if t1 denotes a cell of type Ref T11, then we can store t2 into this cell as long as the type of t2 is also T11:

    Γ | Σ ⊢ t1 : Ref T11    Γ | Σ ⊢ t2 : T11
    ─────────────────────────────────────────   (T-Assign)
           Γ | Σ ⊢ t1:=t2 : Unit

Figure 13-1 summarizes the typing rules (and the syntax and evaluation rules, for easy reference) for the simply typed lambda-calculus with references.

13.5 Safety

Our final job in this chapter is to check that standard type safety properties continue to hold for the calculus with references. The progress theorem (“well-typed terms are not stuck”) can be stated and proved almost as before (cf. 13.5.7); we just need to add a few straightforward cases to the proof, dealing with the new constructs. The preservation theorem is a bit more interesting, so let’s look at it first. Since we have extended both the evaluation relation (with initial and final stores) and the typing relation (with a store typing), we need to change the statement of preservation to include these parameters. Clearly, though, we

Figure 13-1: References                                  Extends λ→ with Unit (9-1 and 11-2)

Syntax

    t ::=                              terms:
        x                                variable
        λx:T.t                           abstraction
        t t                              application
        unit                             constant unit
        ref t                            reference creation
        !t                               dereference
        t:=t                             assignment
        l                                store location

    v ::=                              values:
        λx:T.t                           abstraction value
        unit                             constant unit
        l                                store location

    T ::=                              types:
        T→T                              type of functions
        Unit                             unit type
        Ref T                            type of reference cells

    µ ::=                              stores:
        ∅                                empty store
        µ, l = v                         location binding

    Γ ::=                              contexts:
        ∅                                empty context
        Γ, x:T                           term variable binding

    Σ ::=                              store typings:
        ∅                                empty store typing
        Σ, l:T                           location typing

Evaluation                                                          t | µ ⟶ t′ | µ′

          t1 | µ ⟶ t1′ | µ′
    ─────────────────────────────     (E-App1)
      t1 t2 | µ ⟶ t1′ t2 | µ′

          t2 | µ ⟶ t2′ | µ′
    ─────────────────────────────     (E-App2)
      v1 t2 | µ ⟶ v1 t2′ | µ′

    (λx:T11.t12) v2 | µ ⟶ [x ↦ v2]t12 | µ      (E-AppAbs)

            l ∉ dom(µ)
    ───────────────────────────────     (E-RefV)
      ref v1 | µ ⟶ l | (µ, l ↦ v1)

          t1 | µ ⟶ t1′ | µ′
    ───────────────────────────────     (E-Ref)
      ref t1 | µ ⟶ ref t1′ | µ′

            µ(l) = v
    ─────────────────────────     (E-DerefLoc)
        !l | µ ⟶ v | µ

          t1 | µ ⟶ t1′ | µ′
    ─────────────────────────────     (E-Deref)
        !t1 | µ ⟶ !t1′ | µ′

    l:=v2 | µ ⟶ unit | [l ↦ v2]µ      (E-Assign)

            t1 | µ ⟶ t1′ | µ′
    ───────────────────────────────     (E-Assign1)
      t1:=t2 | µ ⟶ t1′:=t2 | µ′

            t2 | µ ⟶ t2′ | µ′
    ───────────────────────────────     (E-Assign2)
      v1:=t2 | µ ⟶ v1:=t2′ | µ′

Typing                                                              Γ | Σ ⊢ t : T

           x:T ∈ Γ
    ─────────────────────      (T-Var)
      Γ | Σ ⊢ x : T

       Γ, x:T1 | Σ ⊢ t2 : T2
    ───────────────────────────────      (T-Abs)
    Γ | Σ ⊢ λx:T1.t2 : T1→T2

    Γ | Σ ⊢ t1 : T11→T12    Γ | Σ ⊢ t2 : T11
    ─────────────────────────────────────────      (T-App)
           Γ | Σ ⊢ t1 t2 : T12

    Γ | Σ ⊢ unit : Unit      (T-Unit)

           Σ(l) = T1
    ─────────────────────────      (T-Loc)
     Γ | Σ ⊢ l : Ref T1

         Γ | Σ ⊢ t1 : T1
    ─────────────────────────────      (T-Ref)
     Γ | Σ ⊢ ref t1 : Ref T1

       Γ | Σ ⊢ t1 : Ref T11
    ─────────────────────────────      (T-Deref)
        Γ | Σ ⊢ !t1 : T11

    Γ | Σ ⊢ t1 : Ref T11    Γ | Σ ⊢ t2 : T11
    ─────────────────────────────────────────   (T-Assign)
           Γ | Σ ⊢ t1:=t2 : Unit

cannot just add stores and store typings without saying anything about how they are related.

    If Γ | Σ ⊢ t : T and t | µ ⟶ t′ | µ′, then Γ | Σ ⊢ t′ : T.      (Wrong!)

If we typecheck with respect to some set of assumptions about the types of the values in the store and then evaluate with respect to a store that violates these assumptions, the result will be disaster. The following requirement expresses the constraint we need.

13.5.1 Definition: A store µ is said to be well typed with respect to a typing context Γ and a store typing Σ, written Γ | Σ ⊢ µ, if dom(µ) = dom(Σ) and Γ | Σ ⊢ µ(l) : Σ(l) for every l ∈ dom(µ). Intuitively, a store µ is consistent with a store typing Σ if every value in the store has the type predicted by the store typing.

13.5.2 Exercise [★★]: Can you find a context Γ, a store µ, and two different store typings Σ1 and Σ2 such that both Γ | Σ1 ⊢ µ and Γ | Σ2 ⊢ µ?

We can now state something closer to the desired preservation property:

    If    Γ | Σ ⊢ t : T
          t | µ ⟶ t′ | µ′
          Γ | Σ ⊢ µ
    then  Γ | Σ ⊢ t′ : T.      (Less wrong.)

This statement is fine for all of the evaluation rules except the allocation rule E-RefV. The problem is that this rule yields a store with a larger domain than the initial store, which falsifies the conclusion of the above statement: if µ′ includes a binding for a fresh location l, then l cannot be in the domain of Σ, and it will not be the case that t′ (which definitely mentions l) is typable under Σ. Evidently, since the store can increase in size during evaluation, we need to allow the store typing to grow as well. This leads us to the final (correct) statement of the type preservation property:

13.5.3 Theorem [Preservation]: If

          Γ | Σ ⊢ t : T
          Γ | Σ ⊢ µ
          t | µ ⟶ t′ | µ′

then, for some Σ′ ⊇ Σ,

          Γ | Σ′ ⊢ t′ : T
          Γ | Σ′ ⊢ µ′.

Note that the preservation theorem merely asserts that there is some store typing Σ′ ⊇ Σ (i.e., agreeing with Σ on the values of all the old locations) such that the new term t′ is well typed with respect to Σ′; it does not tell us exactly what Σ′ is. It is intuitively clear, of course, that Σ′ is either Σ or else it is exactly (Σ, l ↦ T1), where l is a newly allocated location (the new element of the domain of µ′) and T1 is the type of the initial value bound to l in the extended store (µ, l ↦ v1), but stating this explicitly would complicate the statement of the theorem without actually making it any more useful: the weaker version above is already in the right form (because its conclusion implies its hypothesis) to “turn the crank” repeatedly and conclude that every sequence of evaluation steps preserves well-typedness. Combining this with the progress property, we obtain the usual guarantee that “well-typed programs never go wrong.” To prove preservation, we need a few technical lemmas. The first is an easy extension of the standard substitution lemma (9.3.8).

Lemma [Substitution]: If Γ , x:S | Σ ` t : T and Γ | Σ ` s : S, then Γ | Σ ` [x , s]t : T. Proof: Just like Lemma 9.3.8.


The next states that replacing the contents of a cell in the store with a new value of appropriate type does not change the overall type of the store.

13.5.5 Lemma: If Γ | Σ ⊢ µ, Σ(l) = T, and Γ | Σ ⊢ v : T, then Γ | Σ ⊢ [l ↦ v]µ.

Proof: Immediate from the definition of Γ | Σ ⊢ µ.

Finally, we need a kind of weakening lemma for stores, stating that, if a store is extended with a new location, the extended store still allows us to assign types to all the same terms as the original.

13.5.6 Lemma: If Γ | Σ ⊢ t : T and Σ′ ⊇ Σ, then Γ | Σ′ ⊢ t : T.

Proof: Easy induction.

Now we can prove the main preservation theorem.

Proof of 13.5.3: Straightforward induction on evaluation derivations, using the lemmas above and the inversion property of the typing rules (a straightforward extension of 9.3.1).

The statement of the progress theorem (9.3.5) must also be extended to take stores and store typings into account:

13.5.7 Theorem [Progress]: Suppose t is a closed, well-typed term (that is, ∅ | Σ ⊢ t : T for some T and Σ). Then either t is a value or else, for any store µ such that ∅ | Σ ⊢ µ, there is some term t′ and store µ′ with t | µ −→ t′ | µ′.

Proof: Straightforward induction on typing derivations, following the pattern of 9.3.5. (The canonical forms lemma, 9.3.4, needs two additional cases stating that all values of type Ref T are locations and similarly for Unit.)

13.5.8

Exercise [Recommended, «««]: Is the evaluation relation in this chapter normalizing on well-typed terms? If so, prove it. If not, write a well-typed factorial function in the present calculus (extended with numbers and booleans).


13.6 Notes

The presentation in this chapter is adapted from a treatment by Harper (1994, 1996). An account in a similar style is given by Wright and Felleisen (1994). The combination of references (or other computational effects) with ML-style polymorphic type inference raises some quite subtle problems (cf. §22.7) and has received a good deal of attention in the research literature. See Tofte (1990), Hoang et al. (1993), Jouvelot and Gifford (1991), Talpin and Jouvelot (1992), Leroy and Weis (1991), Wright (1992), Harper (1994, 1996), and the references cited there. Static prediction of possible aliasing is a long-standing problem both in compiler implementation (where it is called alias analysis) and in programming language theory. An influential early attempt by Reynolds (1978, 1989) coined the term syntactic control of interference. These ideas have recently seen a burst of new activity—see O’Hearn et al. (1995) and Smith et al. (2000). More general reasoning techniques for aliasing are discussed in Reynolds (1981) and Ishtiaq and O’Hearn (2001) and other references cited there. A comprehensive discussion of garbage collection can be found in Jones and Lins (1996). A more semantic treatment is given by Morrisett et al. (1995).

Find out the cause of this effect,
Or rather say, the cause of this defect,
For this effect defective comes by cause.
—Hamlet II, ii, 101

The finger pointing at the moon is not the moon.
—Buddhist saying

14

Exceptions

In Chapter 13 we saw how to extend the simple operational semantics of the pure simply typed lambda-calculus with mutable references and considered the effect of this extension on the typing rules and type safety proofs. In this chapter, we treat another extension to our original computational model: raising and handling exceptions. Real-world programming is full of situations where a function needs to signal to its caller that it is unable to perform its task for some reason—because some calculation would involve a division by zero or an arithmetic overflow, a lookup key is missing from a dictionary, an array index went out of bounds, a file could not be found or opened, some disastrous event occurred such as the system running out of memory or the user killing the process, etc. Some of these exceptional conditions can be signaled by making the function return a variant (or option), as we saw in §11.10. But in situations where the exceptional conditions are truly exceptional, we may not want to force every caller of our function to deal with the possibility that they may occur. Instead, we may prefer that an exceptional condition causes a direct transfer of control to an exception handler defined at some higher-level in the program—or indeed (if the exceptional condition is rare enough or if there is nothing that the caller can do anyway to recover from it) simply aborts the program. We first consider the latter case (§14.1), where an exception is a whole-program abort, then add a mechanism for trapping and recovering from exceptions (§14.2), and finally refine both of these mechanisms to allow extra programmer-specified data to be passed between exception sites and handlers (§14.3).

The systems studied in this chapter are the simply typed lambda-calculus (Figure 9-1) extended with various primitives for exceptions and exception handling (Figures 14-1 and 14-2). The OCaml implementation of the first extension is fullerror. The language with exceptions carrying values (Figure 14-3) is not implemented.

→ error                                                Extends λ→ (9-1)

New syntactic forms
    t ::= ...                          terms:
          error                          run-time error

New evaluation rules                                   t −→ t′
    error t2 −→ error                                  (E-AppErr1)
    v1 error −→ error                                  (E-AppErr2)

New typing rules                                       Γ ⊢ t : T
    Γ ⊢ error : T                                      (T-Error)

Figure 14-1: Errors

14.1 Raising Exceptions

Let us start by enriching the simply typed lambda-calculus with the simplest possible mechanism for signaling exceptions: a term error that, when evaluated, completely aborts evaluation of the term in which it appears. Figure 14-1 details the needed extensions. The main design decision in writing the rules for error is how to formalize “abnormal termination” in our operational semantics. We adopt the simple expedient of letting error itself be the result of a program that aborts. The rules E-AppErr1 and E-AppErr2 capture this behavior. E-AppErr1 says that, if we encounter the term error while trying to reduce the left-hand side of an application to a value, we should immediately yield error as the result of the application. Similarly, E-AppErr2 says that, if we encounter an error while we are working on reducing the argument of an application to a value, we should abandon work on the application and immediately yield error. Observe that we have not included error in the syntax of values—only the syntax of terms. This guarantees that there will never be an overlap between the left-hand sides of the E-AppAbs and E-AppErr2 rules—i.e., there is no ambiguity as to whether we should evaluate the term (λx:Nat.0) error by performing the application (yielding 0 as result) or aborting: only the latter is possible. Similarly, the fact that we used the metavariable v1 (rather than t1, ranging over arbitrary terms) in E-AppErr2 forces the evaluator to wait until the left-hand side of an application is reduced to a value before aborting it, even if the right-hand side is error. Thus, a term like (fix (λx:Nat.x)) error will diverge instead of aborting. These conditions ensure that the evaluation relation remains deterministic.

The typing rule T-Error is also interesting. Since we may want to raise an exception in any context, the term error form is allowed to have any type whatsoever. In

    (λx:Bool.x) error;

it has type Bool. In

    (λx:Bool.x) (error true);

it has type Bool→Bool. This flexibility in error’s type raises some difficulties in implementing a typechecking algorithm, since it breaks the property that every typable term in the language has a unique type (Theorem 9.3.3). This can be dealt with in various ways. In a language with subtyping, we can assign error the minimal type Bot (see §15.4), which can be promoted to any other type as necessary. In a language with parametric polymorphism (see Chapter 23), we can give error the polymorphic type ∀X.X, which can be instantiated to any other type. Both of these tricks allow infinitely many possible types for error to be represented compactly by a single type.

14.1.1 Exercise [«]: Wouldn’t it be simpler just to require the programmer to annotate error with its intended type in each context where it is used?

The type preservation property for the language with exceptions is the same as always: if a term has type T and we let it evaluate one step, the result still has type T. The progress property, however, needs to be refined a little. In its original form, it said that a well-typed program must evaluate to a value (or diverge). But now we have introduced a non-value normal form, error, which can certainly be the result of evaluating a well-typed program. We need to restate progress to allow for this.

14.1.2 Theorem [Progress]: Suppose t is a closed, well-typed normal form. Then either t is a value or t = error.

14.2 Handling Exceptions

The evaluation rules for error can be thought of as “unwinding the call stack,” discarding pending function calls until the error has propagated all

→ error try                                            Extends λ→ with errors (14-1)

New syntactic forms
    t ::= ...                          terms:
          try t with t                   trap errors

New evaluation rules                                   t −→ t′
    try v1 with t2 −→ v1                               (E-TryV)
    try error with t2 −→ t2                            (E-TryError)

                 t1 −→ t1′
    ───────────────────────────────────                (E-Try)
    try t1 with t2 −→ try t1′ with t2

New typing rules                                       Γ ⊢ t : T
      Γ ⊢ t1 : T      Γ ⊢ t2 : T
    ─────────────────────────────                      (T-Try)
      Γ ⊢ try t1 with t2 : T

Figure 14-2: Error handling

the way to the top level. In real implementations of languages with exceptions, this is exactly what happens: the call stack consists of a set of activation records, one for each active function call; raising an exception causes activation records to be popped off the call stack until it becomes empty. In most languages with exceptions, it is also possible to install exception handlers in the call stack. When an exception is raised, activation records are popped off the call stack until an exception handler is encountered, and evaluation then proceeds with this handler. In other words, the exception functions as a non-local transfer of control, whose target is the most recently installed exception handler (i.e., the nearest one on the call stack). Our formulation of exception handlers, summarized in Figure 14-2, is similar to both ML and Java. The expression try t1 with t2 means “return the result of evaluating t1, unless it aborts, in which case evaluate the handler t2 instead.” The evaluation rule E-TryV says that, when t1 has been reduced to a value v1, we may throw away the try, since we know now that it will not be needed. E-TryError, on the other hand, says that, if evaluating t1 results in error, then we should replace the try with t2 and continue evaluating from there. E-Try tells us that, until t1 has been reduced to either a value or error, we should just keep working on it and leave t2 alone. The typing rule for try follows directly from its operational semantics. The result of the whole try can be either the result of the main body t1 or else the result of the handler t2; we simply need to require that these have the same type T, which is also the type of the try. The type safety property and its proof remain essentially unchanged from the previous section.

→ exceptions                                           Extends λ→ (9-1)

New syntactic forms
    t ::= ...                          terms:
          raise t                        raise exception
          try t with t                   handle exceptions

New evaluation rules                                   t −→ t′
    (raise v11) t2 −→ raise v11                        (E-AppRaise1)
    v1 (raise v21) −→ raise v21                        (E-AppRaise2)

           t1 −→ t1′
    ─────────────────────────                          (E-Raise)
      raise t1 −→ raise t1′

    raise (raise v11) −→ raise v11                     (E-RaiseRaise)
    try v1 with t2 −→ v1                               (E-TryV)
    try raise v11 with t2 −→ t2 v11                    (E-TryRaise)

                 t1 −→ t1′
    ───────────────────────────────────                (E-Try)
    try t1 with t2 −→ try t1′ with t2

New typing rules                                       Γ ⊢ t : T
        Γ ⊢ t1 : Texn
    ─────────────────────                              (T-Exn)
      Γ ⊢ raise t1 : T

    Γ ⊢ t1 : T      Γ ⊢ t2 : Texn→T
    ───────────────────────────────                    (T-Try)
        Γ ⊢ try t1 with t2 : T

Figure 14-3: Exceptions carrying values

14.3 Exceptions Carrying Values

The mechanisms introduced in §14.1 and §14.2 allow a function to signal to its caller that “something unusual happened.” It is generally useful to send back some extra information about which unusual thing has happened, since the action that the handler needs to take—either to recover and try again or to present a comprehensible error message to the user—may depend on this information. Figure 14-3 shows how our basic exception handling constructs can be enriched so that each exception carries a value. The type of this value is written Texn. For the moment, we leave the precise nature of this type open; below, we discuss several alternatives. The atomic term error is replaced by a term constructor raise t, where t is the extra information that we want to pass to the exception handler. The syntax of try remains the same, but the handler t2 in try t1 with t2 is now interpreted as a function that takes the extra information as an argument. The evaluation rule E-TryRaise implements this behavior, taking the extra information carried by a raise from the body t1 and passing it to the handler t2. E-AppRaise1 and E-AppRaise2 propagate exceptions through applications, just like E-AppErr1 and E-AppErr2 in Figure 14-1. Note, however, that these rules are allowed to propagate only exceptions whose extra information is a value; if we attempt to evaluate a raise with extra information that itself requires some evaluation, these rules will block, forcing us to use E-Raise to evaluate the extra information first. E-RaiseRaise propagates exceptions that may occur while we are evaluating the extra information that is to be sent along in some other exception. E-TryV tells us that we can throw away a try once its main body has reduced to a value, just as we did in §14.2. E-Try directs the evaluator to work on the body of a try until it becomes either a value or a raise. The typing rules reflect these changes in behavior. In T-Raise we demand that the extra information has type Texn; the whole raise can then be given any type T that may be required by the context. In T-Try, we check that the handler t2 is a function that, given the extra information of type Texn, yields a result of the same type as t1.

Finally, let us consider some alternatives for the type Texn.

1. We can take Texn to be just Nat. This corresponds to the errno convention used, for example, by Unix operating system functions: each system call returns a numeric “error code,” with 0 signaling success and other values reporting various exceptional conditions.

2. We can take Texn to be String, which avoids looking up error numbers in tables and allows exception-raising sites to construct more descriptive messages if they wish. The cost of this extra flexibility is that error handlers may now have to parse these strings to find out what happened.

3. We can keep the ability to pass more informative exceptions while avoiding string parsing if we define Texn to be a variant type:

    Texn = <divideByZero:Unit, …:Unit, fileNotFound:String, …:String, …>

This scheme allows a handler to distinguish between kinds of exceptions using a simple case expression. Also, different exceptions can carry different types of additional information: exceptions like divideByZero need no extra baggage, fileNotFound can carry a string indicating which file was being opened when the error occurred, etc. The problem with this alternative is that it is rather inflexible, demanding that we fix in advance the complete set of exceptions that can be raised by

any program (i.e., the set of tags of the variant type Texn). This leaves no room for programmers to declare application-specific exceptions.

4. The same idea can be refined to leave room for user-defined exceptions by taking Texn to be an extensible variant type. ML adopts this idea, providing a single extensible variant type called exn.¹ The ML declaration exception l of T can be understood, in the present setting, as “make sure that l is different from any tag already present in the variant type Texn,² and from now on let Texn be <l1:T1, ..., ln:Tn, l:T>, where l1:T1 through ln:Tn were the possible variants before this declaration.” The ML syntax for raising exceptions is raise l(t), where l is an exception tag defined in the current scope. This can be understood as a combination of the tagging operator and our simple raise:

    raise l(t)   ≝   raise (<l=t> as Texn)

Similarly, the ML try construct can be desugared using our simple try plus a case.

    try t with l(x) → h   ≝   try t with λe:Texn. case e of <l=x> ⇒ h | _ ⇒ raise e

The case checks whether the exception that has been raised is tagged with l. If so, it binds the value carried by the exception to the variable x and evaluates the handler h. If not, it falls through to the else clause, which re-raises the exception. The exception will keep propagating (and perhaps being caught and re-raised) until it either reaches a handler that wants to deal with it, or else reaches the top level and aborts the whole program.

5. Java uses classes instead of extensible variants to support user-defined exceptions. The language provides a built-in class Throwable; an instance of Throwable or any of its subclasses can be used in a throw (same as our raise) or try...catch (same as our try...with) statement. New exceptions can be declared simply by defining new subclasses of Throwable. There is actually a close correspondence between this exception-handling mechanism and that of ML. Roughly speaking, an exception object in Java is represented at run time by a tag indicating its class (which corresponds directly to the extensible variant tag in ML) plus a record of instance variables (corresponding to the extra information labeled by this tag). Java exceptions go a little further than ML in a couple of respects. One is that there is a natural partial order on exception tags, generated by the subclass ordering. A handler for the exception l will actually trap all exceptions carrying an object of class l or any subclass of l. Another is that Java distinguishes between exceptions (subclasses of the built-in class Exception—a subclass of Throwable), which application programs might want to catch and try to recover from, and errors (subclasses of Error—also a subclass of Throwable), which indicate serious conditions that should normally just terminate execution. The key difference between the two lies in the typechecking rules, which demand that methods explicitly declare which exceptions (but not which errors) they might raise.

¹ One can go further and provide extensible variant types as a general language feature, but the designers of ML have chosen to simply treat exn as a special case.

² Since the exception form is a binder, we can always ensure that l is different from the tags already used in Texn by alpha-converting it if necessary.

14.3.1 Exercise [«««]: The explanation of extensible variant types in alternative 4 above is rather informal. Show how to make it precise.

14.3.2

Exercise [««««]: We noted above that Java exceptions (those that are subclasses of Exception) are a bit more strictly controlled than exceptions in ML (or the ones we have defined here): every exception that might be raised by a method must be declared in the method’s type. Extend your solution to Exercise 14.3.1 so that the type of a function indicates not only its argument and result types, but also the set of exceptions that it may raise. Prove that your system is typesafe.

14.3.3

Exercise [«««]: Many other control constructs can be formalized using techniques similar to the ones we have seen in this chapter. Readers familiar with the “call with current continuation” (call/cc) operator of Scheme (see Clinger, Friedman, and Wand, 1985; Kelsey, Clinger, and Rees, 1998; Dybvig, 1996; Friedman, Wand, and Haynes, 2001) may enjoy trying to formulate typing rules based on a type Cont T of T-continuations—i.e., continuations that expect an argument of type T.
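The error, try and raise constructs of Figures 14-1 to 14-3 as a runnable small-step evaluator and typechecker, added here as an illustration; this is not the book's OCaml fullerror implementation. It assumes Texn = Nat (alternative 1 in §14.3), a Nat base type with succ so that results are observable, and the minimal type Bot for raise (the subtyping trick sketched in §14.1) in place of "any type T"; the constructed terms in the comments are the page's own examples.

```python
"""Added example (not the book's OCaml 'fullerror' implementation): a small-step
evaluator and typechecker for λ→ with value-carrying exceptions (Figure 14-3).
Assumed: Texn = Nat, numbers with succ so results are observable, raise typed as Bot."""
from dataclasses import dataclass

NAT, BOT = "Nat", "Bot"            # types are "Nat", "Bot" or ("->", T1, T2)
TEXN = NAT                          # assumption: exceptions carry a Nat

@dataclass(frozen=True)
class Var:   name: str
@dataclass(frozen=True)
class Abs:   name: str; ty: object; body: object     # λname:ty. body
@dataclass(frozen=True)
class App:   fn: object; arg: object
@dataclass(frozen=True)
class Num:   n: int
@dataclass(frozen=True)
class Succ:  t: object
@dataclass(frozen=True)
class Raise: t: object                               # raise t
@dataclass(frozen=True)
class Try:   body: object; handler: object           # try body with handler

def isval(t):
    return isinstance(t, (Num, Abs))

def is_raise_v(t):
    """raise v with v a value: the only form the propagation rules pass along."""
    return isinstance(t, Raise) and isval(t.t)

def subst(x, s, t):
    """[x ↦ s]t; s is always a closed value here, so no capture can occur."""
    if isinstance(t, Var):   return s if t.name == x else t
    if isinstance(t, Abs):   return t if t.name == x else Abs(t.name, t.ty, subst(x, s, t.body))
    if isinstance(t, App):   return App(subst(x, s, t.fn), subst(x, s, t.arg))
    if isinstance(t, Succ):  return Succ(subst(x, s, t.t))
    if isinstance(t, Raise): return Raise(subst(x, s, t.t))
    if isinstance(t, Try):   return Try(subst(x, s, t.body), subst(x, s, t.handler))
    return t

def step(t):
    """One step of t −→ t′, or None when t is a normal form (a value or raise v)."""
    if isinstance(t, App):
        f, a = t.fn, t.arg
        if is_raise_v(f):                   return f                        # E-AppRaise1
        if isval(f) and is_raise_v(a):      return a                        # E-AppRaise2
        if isinstance(f, Abs) and isval(a): return subst(f.name, a, f.body) # E-AppAbs
        if not isval(f):                                                    # E-App1
            f2 = step(f); return None if f2 is None else App(f2, a)
        a2 = step(a)                                                        # E-App2
        return None if a2 is None else App(f, a2)
    if isinstance(t, Succ):                 # succ propagates a raise just as an application does
        if is_raise_v(t.t):          return t.t
        if isinstance(t.t, Num):     return Num(t.t.n + 1)
        u = step(t.t); return None if u is None else Succ(u)
    if isinstance(t, Raise):
        if is_raise_v(t.t):          return t.t                             # E-RaiseRaise
        u = step(t.t); return None if u is None else Raise(u)               # E-Raise
    if isinstance(t, Try):
        if isval(t.body):            return t.body                          # E-TryV
        if is_raise_v(t.body):       return App(t.handler, t.body.t)        # E-TryRaise
        b = step(t.body); return None if b is None else Try(b, t.handler)   # E-Try
    return None

def evaluate(t, fuel=1000):
    """Run t to a normal form; for a closed well-typed t that is a value or raise v."""
    while fuel:
        u = step(t)
        if u is None: return t
        t, fuel = u, fuel - 1
    raise RuntimeError("out of fuel: the term may diverge")

def compatible(a, b):
    """Type equality, except that Bot (the type of raise) is accepted anywhere."""
    return a == b or BOT in (a, b)

def typeof(ctx, t):
    if isinstance(t, Var):  return ctx[t.name]
    if isinstance(t, Num):  return NAT
    if isinstance(t, Abs):  return ("->", t.ty, typeof({**ctx, t.name: t.ty}, t.body))
    if isinstance(t, Succ):
        if not compatible(typeof(ctx, t.t), NAT): raise TypeError("succ expects a Nat")
        return NAT
    if isinstance(t, App):                                                  # T-App
        tf, ta = typeof(ctx, t.fn), typeof(ctx, t.arg)
        if tf == BOT: return BOT                # applying a raise aborts the whole term
        if not (isinstance(tf, tuple) and compatible(ta, tf[1])):
            raise TypeError("parameter type mismatch")
        return tf[2]
    if isinstance(t, Raise):                                                # T-Raise
        if not compatible(typeof(ctx, t.t), TEXN): raise TypeError("raise expects Texn")
        return BOT
    if isinstance(t, Try):                                                  # T-Try
        tb, th = typeof(ctx, t.body), typeof(ctx, t.handler)
        if not (isinstance(th, tuple) and compatible(th[1], TEXN) and compatible(tb, th[2])):
            raise TypeError("handler must have type Texn -> T, T the type of the body")
        return th[2] if tb == BOT else tb
    raise TypeError(f"unknown term {t!r}")
```

Because error is not a value, (λx:Nat.0) (raise 1) steps by E-AppRaise2 to raise 1 rather than to 0, and a handler that re-raises keeps the exception propagating exactly as the desugaring of ML's try in alternative 4 describes.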

Part III

Subtyping

15

Subtyping

We have spent the last several chapters studying the typing behavior of a variety of language features within the framework of the simply typed lambda-calculus. This chapter addresses a more fundamental extension: subtyping (sometimes called subtype polymorphism). Unlike the features we have studied up to now, which could be formulated more or less orthogonally to each other, subtyping is a cross-cutting extension, interacting with most other language features in non-trivial ways. Subtyping is characteristically found in object-oriented languages and is often considered an essential feature of the object-oriented style. We will explore this connection in detail in Chapter 18; for now, though, we present subtyping in a more economical setting with just functions and records, where most of the interesting issues already appear. §15.5 discusses the combination of subtyping with some of the other features we have seen in previous chapters. In the final section (15.6) we consider a more refined semantics for subtyping, in which the use of subtyping corresponds to the insertion of run-time coercions.

15.1 Subsumption

Without subtyping, the rules of the simply typed lambda-calculus can be annoyingly rigid. The type system’s insistence that argument types exactly match the domain types of functions will lead the typechecker to reject many programs that, to the programmer, seem obviously well-behaved. For example, recall the typing rule for function application:

    Γ ⊢ t1 : T11→T12      Γ ⊢ t2 : T11
    ─────────────────────────────────                  (T-App)
            Γ ⊢ t1 t2 : T12

The calculus studied in this chapter is λ

    let termShiftAbove d c t =
      tmmap
        (fun fi c x n → if x>=c then TmVar(fi,x+d,n+d)
                        else TmVar(fi,x,n+d))
        (typeShiftAbove d)
        c t

    let termShift d t = termShiftAbove d 0 t

On term variables, we check the cutoff and construct a new variable, just as we did in typeShiftAbove. For types, we call the type shifting function defined in the previous section.


The function for substituting one term into another is similar.

    let termSubst j s t =
      tmmap
        (fun fi j x n → if x=j then termShift j s else TmVar(fi,x,n))
        (fun j tyT → tyT)
        j t

Note that type annotations are not changed by termSubst (types cannot contain term variables, so a term substitution will never affect them). We also need a function for substituting a type into a term—used, for example, in the evaluation rule for type applications:

    (λX.t12) [T2] −→ [X ↦ T2]t12                        (E-TappTabs)

This one can also be defined using the term mapper:

    let rec tytermSubst tyS j t =
      tmmap
        (fun fi c x n → TmVar(fi,x,n))
        (fun j tyT → typeSubst tyS j tyT)
        j t

This time, the function that we pass to tmmap for dealing with term variables is the identity (it just reconstructs the original term variable); when we reach a type annotation, we perform a type-level substitution on it. Finally, as we did for types, we define convenience functions packaging the basic substitution functions for use by eval and typeof.

    let termSubstTop s t =
      termShift (-1) (termSubst 0 (termShift 1 s) t)

    let tytermSubstTop tyS t =
      termShift (-1) (tytermSubst (typeShift 1 tyS) 0 t)

25.4 Evaluation

The extensions to the eval function are straightforward transcriptions of the evaluation rules introduced in Figures 23-1 and 24-1. The hard work is done by the substitution functions defined in the previous section.

    let rec eval1 ctx t = match t with
      ...
      | TmTApp(fi,TmTAbs(_,x,t11),tyT2) →
          tytermSubstTop tyT2 t11
      | TmTApp(fi,t1,tyT2) →
          let t1' = eval1 ctx t1 in
          TmTApp(fi, t1', tyT2)
      | TmUnpack(fi,_,_,TmPack(_,tyT11,v12,_),t2) when isval ctx v12 →
          tytermSubstTop tyT11 (termSubstTop (termShift 1 v12) t2)
      | TmUnpack(fi,tyX,x,t1,t2) →
          let t1' = eval1 ctx t1 in
          TmUnpack(fi,tyX,x,t1',t2)
      | TmPack(fi,tyT1,t2,tyT3) →
          let t2' = eval1 ctx t2 in
          TmPack(fi,tyT1,t2',tyT3)
      ...

25.4.1 Exercise [«]: Why is the termShift needed in the first TmUnpack case?

25.5 Typing

The new clauses of the typeof function also follow directly from the typing rules for type abstraction and application and for packing and opening existentials. We show the full definition of typeof, so that the new TmTAbs and TmTApp clauses may be compared with the old clauses for ordinary abstraction and application.

    let rec typeof ctx t =
      match t with
        TmVar(fi,i,_) → getTypeFromContext fi ctx i
      | TmAbs(fi,x,tyT1,t2) →
          let ctx' = addbinding ctx x (VarBind(tyT1)) in
          let tyT2 = typeof ctx' t2 in
          TyArr(tyT1, typeShift (-1) tyT2)
      | TmApp(fi,t1,t2) →
          let tyT1 = typeof ctx t1 in
          let tyT2 = typeof ctx t2 in
          (match tyT1 with
              TyArr(tyT11,tyT12) →
                if (=) tyT2 tyT11 then tyT12
                else error fi "parameter type mismatch"
            | _ → error fi "arrow type expected")
      | TmTAbs(fi,tyX,t2) →
          let ctx = addbinding ctx tyX TyVarBind in
          let tyT2 = typeof ctx t2 in
          TyAll(tyX,tyT2)
      | TmTApp(fi,t1,tyT2) →
          let tyT1 = typeof ctx t1 in
          (match tyT1 with
              TyAll(_,tyT12) → typeSubstTop tyT2 tyT12
            | _ → error fi "universal type expected")
      | TmPack(fi,tyT1,t2,tyT) →
          (match tyT with
              TySome(tyY,tyT2) →
                let tyU = typeof ctx t2 in
                let tyU' = typeSubstTop tyT1 tyT2 in
                if (=) tyU tyU' then tyT
                else error fi "doesn't match declared type"
            | _ → error fi "existential type expected")
      | TmUnpack(fi,tyX,x,t1,t2) →
          let tyT1 = typeof ctx t1 in
          (match tyT1 with
              TySome(tyY,tyT11) →
                let ctx' = addbinding ctx tyX TyVarBind in
                let ctx'' = addbinding ctx' x (VarBind tyT11) in
                let tyT2 = typeof ctx'' t2 in
                typeShift (-2) tyT2
            | _ → error fi "existential type expected")

The most interesting new clause is the one for TmUnpack. It involves the following steps. (1) We check the subexpression t1 and ensure that it has an existential type {∃X.T11}. (2) We extend the context Γ with a type-variable binding X and a term-variable binding x:T11, and check that t2 has some type T2. (3) We shift the indices of free variables in T2 down by two, so that it makes sense with respect to the original Γ. (4) We return the resulting type as the type of the whole let...in... expression. Clearly, if X occurs free in T2, then the shift in step (3) will yield a nonsensical type containing free variables with negative indices; typechecking must fail at this point. We can ensure this by redefining typeShiftAbove so that it notices when it is about to construct a type variable with a negative index and signals an error instead of returning nonsense.

    let typeShiftAbove d c tyT =
      tymap
        (fun c x n → if x>=c then if x+d
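A Python port of the shifting and substitution functions of §25.3 and §25.4, added as an example (the book's own code is OCaml, so this is not the project's code). It runs the first TmUnpack case of eval1 on a constructed package both with and without the termShift 1, so the index error that the shift prevents (Exercise 25.4.1) can be seen directly; only the term forms needed for packages are included, and the context Γ = Y, z:Y is constructed for the demo.

```python
"""Added example: nameless shifting/substitution for System F terms, ported from
the book's OCaml (§25.3-25.4) to Python, plus the first TmUnpack case of eval1."""
from dataclasses import dataclass

# Types: TyVar(x, n) is de Bruijn index x in a context of length n.
@dataclass(frozen=True)
class TyVar:  x: int; n: int
@dataclass(frozen=True)
class TyArr:  t1: object; t2: object
@dataclass(frozen=True)
class TySome: name: str; body: object          # {∃name, body}

def tymap(onvar, c, ty):
    """Rebuild ty, calling onvar(c, x, n) on each variable; c counts enclosing binders."""
    if isinstance(ty, TyVar):  return onvar(c, ty.x, ty.n)
    if isinstance(ty, TyArr):  return TyArr(tymap(onvar, c, ty.t1), tymap(onvar, c, ty.t2))
    if isinstance(ty, TySome): return TySome(ty.name, tymap(onvar, c + 1, ty.body))
    raise TypeError(ty)

def typeShiftAbove(d, c, ty):
    def onvar(c, x, n):
        if x < c: return TyVar(x, n + d)
        if x + d < 0: raise ValueError("scoping error")   # the check §25.5 adds
        return TyVar(x + d, n + d)
    return tymap(onvar, c, ty)

def typeShift(d, ty): return typ_shift_top(d, ty) if False else typeShiftAbove(d, 0, ty)

def typeSubst(tyS, j, ty):                      # [j ↦ tyS]ty
    return tymap(lambda j, x, n: typeShift(j, tyS) if x == j else TyVar(x, n), j, ty)

def typeSubstTop(tyS, ty):
    return typeShift(-1, typeSubst(typeShift(1, tyS), 0, ty))

# Terms: the subset of fullpoly's syntax needed for existential packages.
@dataclass(frozen=True)
class TmVar:    x: int; n: int
@dataclass(frozen=True)
class TmAbs:    name: str; ty: object; body: object
@dataclass(frozen=True)
class TmApp:    t1: object; t2: object
@dataclass(frozen=True)
class TmPack:   ty1: object; t2: object; ty3: object        # {*ty1, t2} as ty3
@dataclass(frozen=True)
class TmUnpack: tyX: str; x: str; t1: object; t2: object    # let {tyX, x} = t1 in t2

def tmmap(onvar, ontype, c, t):
    """Like tymap, additionally applying ontype(c, ty) to every type annotation."""
    w = lambda c, u: tmmap(onvar, ontype, c, u)
    if isinstance(t, TmVar):    return onvar(c, t.x, t.n)
    if isinstance(t, TmAbs):    return TmAbs(t.name, ontype(c, t.ty), w(c + 1, t.body))
    if isinstance(t, TmApp):    return TmApp(w(c, t.t1), w(c, t.t2))
    if isinstance(t, TmPack):   return TmPack(ontype(c, t.ty1), w(c, t.t2), ontype(c, t.ty3))
    if isinstance(t, TmUnpack): return TmUnpack(t.tyX, t.x, w(c, t.t1), w(c + 2, t.t2))
    raise TypeError(t)

def termShiftAbove(d, c, t):                    # no negative-index check, as in the book
    return tmmap(lambda c, x, n: TmVar(x + d, n + d) if x >= c else TmVar(x, n + d),
                 lambda c, ty: typeShiftAbove(d, c, ty), c, t)

def termShift(d, t): return termShiftAbove(d, 0, t)

def termSubst(j, s, t):                         # [j ↦ s]t; annotations are untouched
    return tmmap(lambda j, x, n: termShift(j, s) if x == j else TmVar(x, n),
                 lambda j, ty: ty, j, t)

def tytermSubst(tyS, j, t):                     # substitute a type into a term's annotations
    return tmmap(lambda c, x, n: TmVar(x, n), lambda j, ty: typeSubst(tyS, j, ty), j, t)

def termSubstTop(s, t):     return termShift(-1, termSubst(0, termShift(1, s), t))
def tytermSubstTop(tyS, t): return termShift(-1, tytermSubst(typeShift(1, tyS), 0, t))

def unpack_step(pack, t2, shift_v12=True):
    """First TmUnpack case of eval1: let {X, x} = {*T11, v12} in t2 −→ t2 with
    x ↦ v12 and X ↦ T11.  shift_v12=False leaves out the termShift 1."""
    v12 = termShift(1, pack.t2) if shift_v12 else pack.t2
    return tytermSubstTop(pack.ty1, termSubstTop(v12, t2))

# Constructed demo context: Γ = Y, z:Y  (z has index 0, Y has index 1).
Z = TmVar(0, 2)
PACK = TmPack(TyVar(1, 2), Z, TySome("X", TyVar(0, 3)))       # {*Y, z} as {∃X, X}
# Body of the let, in context Γ, X, x (length 4; x = 0, X = 1, z = 2): the term x z.
BODY = TmApp(TmVar(0, 4), TmVar(2, 4))

def demo_correct():   return unpack_step(PACK, BODY)                   # z z, back in Γ
def demo_unshifted(): return unpack_step(PACK, BODY, shift_v12=False)  # index -1 appears
```

Without the shift, v12 is substituted for x while X is still in scope, so the later tytermSubstTop shifts it one index too far and the z inside the result becomes TmVar(-1, 1).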


is either the trivial unit value with the tag none or else a number with the tag some—in other words, the type OptionalNat is isomorphic to Nat extended with an additional distinguished value none. For example, the type

    Table = Nat→OptionalNat;

represents finite mappings from numbers to numbers: the domain of such a mapping is the set of inputs for which the result is <some=n> for some n. The empty table

    emptyTable = λn:Nat. <none=unit> as OptionalNat;
    ▸ emptyTable : Table

is a constant function that returns none for every input. The constructor

    extendTable = λt:Table. λm:Nat. λv:Nat. λn:Nat.
                    if equal n m then <some=v> as OptionalNat
                    else t n;
    ▸ extendTable : Table → Nat → Nat → Table

takes a table and adds (or overwrites) an entry mapping the input m to the output <some=v>. (The equal function is defined in the solution to Exercise 11.11.1 on page 510.) We can use the result that we get back from a Table lookup by wrapping a case around it. For example, if t is our table and we want to look up its entry for 5, we might write

    x = case t(5) of
          <none=u> ⇒ 999
        | <some=v> ⇒ v;

providing 999 as the default value of x in case t is undefined on 5.

Many languages provide built-in support for options. OCaml, for example, predefines a type constructor option, and many functions in typical OCaml programs yield options. Also, the null value in languages like C, C++, and Java is actually an option in disguise. A variable of type T in these languages (where T is a “reference type”—i.e., something allocated in the heap) can actually contain either the special value null or else a pointer to a T value. That is, the type of such a variable is really Ref(Option(T)), where Option(T) = <none:Unit,some:T>. Chapter 13 discusses the Ref constructor in detail.

Enumerations

Two “degenerate cases” of variant types are useful enough to deserve special mention: enumerated types and single-field variants. An enumerated type (or enumeration) is a variant type in which the field type associated with each label is Unit. For example, a type representing the days of the working week might be defined as:

    Weekday = <monday:Unit, tuesday:Unit, wednesday:Unit, thursday:Unit, friday:Unit>;

The elements of this type are terms like <monday=unit> as Weekday. Indeed, since the type Unit has only unit as a member, the type Weekday is inhabited by precisely five values, corresponding one-for-one with the days of the week. The case construct can be used to define computations on enumerations.

    nextBusinessDay = λw:Weekday.
      case w of <monday=x>    ⇒ <tuesday=unit>   as Weekday
              | <tuesday=x>   ⇒ <wednesday=unit> as Weekday
              | <wednesday=x> ⇒ <thursday=unit>  as Weekday
              | <thursday=x>  ⇒ <friday=unit>    as Weekday
              | <friday=x>    ⇒ <monday=unit>    as Weekday;

Obviously, the concrete syntax we are using here is not well tuned for making such programs easy to write or read. Some languages (beginning with Pascal) provide special syntax for declaring and using enumerations. Others—such as ML, cf. page 141—make enumerations a special case of the variants.

Single-Field Variants

The other interesting special case is variant types with just a single label l:

    V = <l:T>;

Such a type might not seem very useful at first glance: after all, the elements of V will be in one-to-one correspondence with the elements of the field type T, since every member of V has precisely the form <l=t> for some t : T. What’s important, though, is that the usual operations on T cannot be applied to elements of V without first unpackaging them: a V cannot be accidentally mistaken for a T.

For example, suppose we are writing a program to do financial calculations in multiple currencies. Such a program might include functions for converting between dollars and euros. If both are represented as Floats, then these functions might look like this:

    dollars2euros = λd:Float. timesfloat d 1.1325;
    ▸ dollars2euros : Float → Float

    euros2dollars = λe:Float. timesfloat e 0.883;
    ▸ euros2dollars : Float → Float

(where timesfloat : Float→Float→Float multiplies floating-point numbers). If we then start with a dollar amount

    mybankbalance = 39.50;

we can convert it to euros and then back to dollars like this:

    euros2dollars (dollars2euros mybankbalance);
    ▸ 39.49990125 : Float

All this makes perfect sense. But we can just as easily perform manipulations that make no sense at all. For example, we can convert my bank balance to euros twice:

    dollars2euros (dollars2euros mybankbalance);
    ▸ 50.660971875 : Float

Since all our amounts are represented simply as floats, there is no way that the type system can help prevent this sort of nonsense. However, if we define dollars and euros as different variant types (whose underlying representations are floats)

    DollarAmount = <dollars:Float>;
    EuroAmount = <euros:Float>;

then we can define safe versions of the conversion functions that will only accept amounts in the correct currency:

    dollars2euros = λd:DollarAmount.
                      case d of <dollars=x> ⇒
                        <euros = timesfloat x 1.1325> as EuroAmount;
    ▸ dollars2euros : DollarAmount → EuroAmount

    euros2dollars = λe:EuroAmount.
                      case e of <euros=x> ⇒
                        <dollars = timesfloat x 0.883> as DollarAmount;
    ▸ euros2dollars : EuroAmount → DollarAmount

Now the typechecker can track the currencies used in our calculations and remind us how to interpret the final results:

    mybankbalance = <dollars=39.50> as DollarAmount;
    euros2dollars (dollars2euros mybankbalance);
    ▸ <dollars=39.49990125> as DollarAmount : DollarAmount

Moreover, if we write a nonsensical double-conversion, the types will fail to match and our program will (correctly) be rejected:

    dollars2euros (dollars2euros mybankbalance);
    ▸ Error: parameter type mismatch
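The currency example and the OptionalNat lookup above, checked mechanically. This is an added example, not code from the book: a small typechecker implementing the T-Var, T-Abs, T-App, T-Variant and T-Case rules the chapter relies on, with terms and types encoded as Python tuples; the builtin timesfloat context and the literal form ("lit", value, T) are assumptions of this example.

```python
# Added example (not from the book): a typechecker for the variant fragment of
# the simply typed lambda-calculus used in §11.10.  Types: base types are
# strings ("Nat", "Float", "Unit"); ("->", T1, T2) is an arrow; a variant type
# is ("variant", ((label, T), ...)) with its labels sorted.  Terms: ("var", x),
# ("lit", value, T), ("abs", x, T, body), ("app", f, a), ("tag", label, body, T)
# for <label=body> as T, and ("case", t, {label: (x, branch)}) for a case.

class TypeMismatch(Exception):
    """Raised where the book's checker would print 'Error: ...'."""

def arrow(t1, t2):
    return ("->", t1, t2)

def variant(**fields):
    return ("variant", tuple(sorted(fields.items())))

def variant_fields(ty):
    if ty[0] != "variant":
        raise TypeMismatch("variant type expected")
    return dict(ty[1])

def typeof(t, ctx):
    """Type of t under ctx (a dict from variable names to types)."""
    kind = t[0]
    if kind == "var":                                   # T-Var
        if t[1] not in ctx:
            raise TypeMismatch("unbound variable " + t[1])
        return ctx[t[1]]
    if kind == "lit":                                   # constants carry their type
        return t[2]
    if kind == "abs":                                   # T-Abs
        _, x, t1, body = t
        return arrow(t1, typeof(body, {**ctx, x: t1}))
    if kind == "app":                                   # T-App
        fty, aty = typeof(t[1], ctx), typeof(t[2], ctx)
        if fty[0] != "->":
            raise TypeMismatch("arrow type expected")
        if fty[1] != aty:
            raise TypeMismatch("parameter type mismatch")
        return fty[2]
    if kind == "tag":                                   # T-Variant: <l=t> as T
        _, label, body, ann = t
        fields = variant_fields(ann)
        if label not in fields:
            raise TypeMismatch("label %s not in annotation" % label)
        if typeof(body, ctx) != fields[label]:
            raise TypeMismatch("field does not have expected type")
        return ann
    if kind == "case":                                  # T-Case: branches must agree
        _, scrut, branches = t
        fields = variant_fields(typeof(scrut, ctx))
        if set(branches) != set(fields):
            raise TypeMismatch("case labels must match the variant's labels")
        result = None
        for label, (x, branch) in branches.items():
            bty = typeof(branch, {**ctx, x: fields[label]})
            if result is not None and bty != result:
                raise TypeMismatch("case branches have different types")
            result = bty
        return result
    raise TypeMismatch("unknown term form " + kind)

def app(f, *args):
    for a in args:
        f = ("app", f, a)
    return f

PRIMS = {"timesfloat": arrow("Float", arrow("Float", "Float"))}   # constructed context
DollarAmount = variant(dollars="Float")
EuroAmount = variant(euros="Float")
OptionalNat = variant(none="Unit", some="Nat")

def converter(param, in_ty, in_label, out_label, out_ty, rate):
    """λparam:in_ty. case param of <in_label=x> ⇒ <out_label = timesfloat x rate> as out_ty"""
    scaled = app(("var", "timesfloat"), ("var", "x"), ("lit", rate, "Float"))
    branch = ("x", ("tag", out_label, scaled, out_ty))
    return ("abs", param, in_ty, ("case", ("var", param), {in_label: branch}))

dollars2euros = converter("d", DollarAmount, "dollars", "euros", EuroAmount, 1.1325)
euros2dollars = converter("e", EuroAmount, "euros", "dollars", DollarAmount, 0.883)
mybankbalance = ("tag", "dollars", ("lit", 39.50, "Float"), DollarAmount)

def round_trip_type():
    """euros2dollars (dollars2euros mybankbalance) is accepted, with type DollarAmount."""
    return typeof(app(euros2dollars, app(dollars2euros, mybankbalance)), PRIMS)

def double_conversion_error():
    """dollars2euros (dollars2euros mybankbalance) is rejected, as in the book."""
    try:
        typeof(app(dollars2euros, app(dollars2euros, mybankbalance)), PRIMS)
    except TypeMismatch as err:
        return str(err)
    return None

def lookup_type():
    """case t(5) of <none=u> ⇒ 999 | <some=v> ⇒ v,  with t : Table = Nat→OptionalNat."""
    lookup = ("case", app(("var", "t"), ("lit", 5, "Nat")),
              {"none": ("u", ("lit", 999, "Nat")), "some": ("v", ("var", "v"))})
    return typeof(lookup, {**PRIMS, "t": arrow("Nat", OptionalNat)})
```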

Variants vs. Datatypes

A variant type T of the form <l1:T1, l2:T2, ..., ln:Tn> corresponds roughly to the OCaml datatype declaration7

    type T = l1 of T1
           | l2 of T2
           | ...
           | ln of Tn

But there are several differences worth noticing.

1. One trivial but potentially confusing point is that the capitalization conventions for identifiers that we are assuming here are different from those of OCaml. In OCaml, types must begin with lowercase letters and datatype constructors (labels, in our terminology) with capital letters, so, strictly speaking, the datatype declaration above should be written like this:

       type t = L1 of t1 | ... | Ln of tn

   To avoid confusion between terms t and types T, we’ll ignore OCaml’s conventions for the rest of this discussion and use ours instead.

2. The most interesting difference is that OCaml does not require a type annotation when a constructor li is used to inject an element of Ti into the datatype T: we simply write li(t). The way OCaml gets away with this (and retains unique typing) is that the datatype T must be declared before it can be used. Moreover, the labels in T cannot be used by any other datatype declared in the same scope. So, when the typechecker sees li(t), it knows that the annotation can only be T. In effect, the annotation is “hidden” in the label itself. This trick eliminates a lot of silly annotations, but it does lead to a certain amount of grumbling among users, since it means that labels cannot be shared between different datatypes—at least, not within the same module. In Chapter 15 we will see another way of omitting annotations that avoids this drawback.

3. Another convenient trick used by OCaml is that, when the type associated with a label in a datatype definition is just Unit, it can be omitted altogether. This permits enumerations to be defined by writing

       type Weekday = monday | tuesday | wednesday | thursday | friday

   for example, rather than:

       type Weekday = monday of Unit
                    | tuesday of Unit
                    | wednesday of Unit
                    | thursday of Unit
                    | friday of Unit

   Similarly, the label monday all by itself (rather than monday applied to the trivial value unit) is considered to be a value of type Weekday.

4. Finally, OCaml datatypes actually bundle variant types together with several additional features that we will be examining, individually, in later chapters.

   • A datatype definition may be recursive—i.e., the type being defined is allowed to appear in the body of the definition. For example, in the standard definition of lists of Nats, the value tagged with cons is a pair whose second element is a NatList.

         type NatList = nil | cons of Nat * NatList

   • An OCaml datatype can be parameterized on a type variable, as in the general definition of the List datatype:

         type ’a List = nil | cons of ’a * ’a List

     Type-theoretically, List can be viewed as a kind of function—called a type operator—that maps each choice of ’a to a concrete datatype... Nat to NatList, etc. Type operators are the subject of Chapter 29.

7. This section uses OCaml’s concrete syntax for datatypes, for consistency with implementation chapters elsewhere in the book, but they originated in early dialects of ML and can be found, in essentially the same form, in Standard ML as well as in ML relatives such as Haskell. Datatypes and pattern matching are arguably one of the most useful advantages of these languages for day to day programming.

Variants as Disjoint Unions

Sum and variant types are sometimes called disjoint unions. The type T1+T2 is a “union” of T1 and T2 in the sense that its elements include all the elements from T1 and T2. This union is disjoint because the sets of elements of T1 or T2 are tagged with inl or inr, respectively, before they are combined, so that it is always clear whether a given element of the union comes from T1 or T2. The phrase union type is also used to refer to untagged (non-disjoint) union types, described in §15.7.

Type Dynamic

Even in statically typed languages, there is often the need to deal with data whose type cannot be determined at compile time. This occurs in particular when the lifetime of the data spans multiple machines or many runs of the compiler—when, for example, the data is stored in an external file system or database, or communicated across a network. To handle such situations safely, many languages offer facilities for inspecting the types of values at run time. One attractive way of accomplishing this is to add a type Dynamic whose values are pairs of a value v and a type tag T where v has type T. Instances of Dynamic are built with an explicit tagging construct and inspected with a type safe typecase construct. In effect, Dynamic can be thought of as an infinite disjoint union, whose labels are types. See Gordon (circa 1980), Mycroft (1983), Abadi, Cardelli, Pierce, and Plotkin (1991b), Leroy and Mauny (1991), Abadi, Cardelli, Pierce, and Rémy (1995), and Henglein (1994).

11.11 General Recurs­ion

Another facility found in most programming languages is the ability to define recursive functions. We have seen (Chapter 5, p. 65) that, in the untyped lambda-calculus, such functions can be defined with the aid of the fix combinator. Recursive functions can be defined in a typed setting in a similar way. For example, here is a function iseven that returns true when called with an even argument and false otherwise:

    ff = λie:Nat→Bool.
           λx:Nat.
             if iszero x then true
             else if iszero (pred x) then false
             else ie (pred (pred x));
    ▸ ff : (Nat→Bool) → Nat → Bool

    iseven = fix ff;
    ▸ iseven : Nat → Bool

    iseven 7;
    ▸ false : Bool

The intuition is that the higher-order function ff passed to fix is a generator for the iseven function: if ff is applied to a function ie that approximates the desired behavior of iseven up to some number n (that is, a function that returns correct results on inputs less than or equal to n), then it returns a better approximation to iseven—a function that returns correct results for inputs up to n + 2. Applying fix to this generator returns its fixed point—a function that gives the desired behavior for all inputs n.

However, there is one important difference from the untyped setting: fix itself cannot be defined in the simply typed lambda-calculus. Indeed, we will see in Chapter 12 that no expression that can lead to non-terminating computations can be typed using only simple types.8 So, instead of defining fix as a term in the language, we simply add it as a new primitive, with evaluation rules mimicking the behavior of the untyped fix combinator and a typing rule that captures its intended uses. These rules are written out in Figure 11-12. (The letrec abbreviation will be discussed below.)

The simply typed lambda-calculus with numbers and fix has long been a favorite experimental subject for programming language researchers, since it is the simplest language in which a range of subtle semantic phenomena such as full abstraction (Plotkin, 1977, Hyland and Ong, 2000, Abramsky, Jagadeesan, and Malacaria, 2000) arise. It is often called PCF.

8. In later chapters—Chapter 13 and Chapter 20—we will see some extensions of simple types that recover the power to define fix within the system.

    → fix                                                Extends λ→ (9-1)

    New syntactic forms
      t ::= ...                                  terms:
            fix t                                fixed point of t

    New evaluation rules                                 t ⟶ t′

      fix (λx:T1.t2) ⟶ [x ↦ fix (λx:T1.t2)]t2             (E-FixBeta)

             t1 ⟶ t1′
      ---------------------                              (E-Fix)
      fix t1 ⟶ fix t1′

    New typing rules                                     Γ ⊢ t : T

      Γ ⊢ t1 : T1→T1
      ----------------                                   (T-Fix)
      Γ ⊢ fix t1 : T1

    New derived forms

      letrec x:T1=t1 in t2   ≝   let x = fix (λx:T1.t1) in t2

Figure 11-12: General recursion

11.11.1 Exercise [««]: Define equal, plus, times, and factorial using fix.

The fix construct is typically used to build functions (as fixed points of functions from functions to functions), but it is worth noticing that the type T in rule T-Fix is not restricted to function types. This extra power is sometimes handy. For example, it allows us to define a record of mutually recursive functions as the fixed point of a function on records (of functions). The following implementation of iseven uses an auxiliary function isodd; the two functions are defined as fields of a record, where the definition of this record is abstracted on a record ieio whose components are used to make recursive calls from the bodies of the iseven and isodd fields.

    ff = λieio:{iseven:Nat→Bool, isodd:Nat→Bool}.
           {iseven = λx:Nat.
                       if iszero x then true
                       else ieio.isodd (pred x),
            isodd  = λx:Nat.
                       if iszero x then false
                       else ieio.iseven (pred x)};
    ▸ ff : {iseven:Nat→Bool,isodd:Nat→Bool} →
           {iseven:Nat→Bool, isodd:Nat→Bool}

Forming the fixed point of the function ff gives us a record of two functions

    r = fix ff;
    ▸ r : {iseven:Nat→Bool, isodd:Nat→Bool}

and projecting the first of these gives us the iseven function itself:

    iseven = r.iseven;
    ▸ iseven : Nat → Bool

    iseven 7;
    ▸ false : Bool

The ability to form the fixed point of a function of type T→T for any T has some surprising consequences. In particular, it implies that every type is inhabited by some term. To see this, observe that, for every type T, we can define a function divergeT as follows:

    divergeT = λ_:Unit. fix (λx:T.x);
    ▸ divergeT : Unit → T

Whenever divergeT is applied to a unit argument, we get a non-terminating evaluation sequence in which E-FixBeta is applied over and over, always yielding the same term. That is, for every type T, the term divergeT unit is an undefined element of T.

One final refinement that we may consider is introducing more convenient concrete syntax for the common case where what we want to do is to bind a variable to the result of a recursive definition. In most high-level languages, the first definition of iseven above would be written something like this:

    letrec iseven : Nat→Bool =
      λx:Nat.
        if iszero x then true
        else if iszero (pred x) then false
        else iseven (pred (pred x))
    in
      iseven 7;
    ▸ false : Bool

The recursive binding construct letrec is easily defined as a derived form:

    letrec x:T1=t1 in t2   ≝   let x = fix (λx:T1.t1) in t2

11.11.2 Exercise [«]: Rewrite your definitions of plus, times, and factorial from Exercise 11.11.1 using letrec instead of fix.

Further information on fixed point operators can be found in Klop (1980) and Winskel (1993).
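The generator-and-approximation reading of fix, the record of mutually recursive functions, and the letrec derived form, as an added example in Python rather than the book's calculus (this is not the book's code). Python is untyped, so fix is written as a self-application combinator; the record version assumes a shared mutable dict in place of E-FixBeta's substitution.

```python
# Added example (not from the book): the fix construct of §11.11 in Python.
# Python is untyped, so fix can be written as a term, namely the call-by-value
# self-application combinator; in the simply typed calculus it has to be a
# primitive, but its behaviour on the generators below is the same.

def fix(f):
    """Call-by-value fixed point: fix(f)(x) == f(fix(f))(x) for function-valued f."""
    return (lambda g: f(lambda *args: g(g)(*args)))(lambda g: f(lambda *args: g(g)(*args)))

def ff(ie):
    """The iseven generator from the text: from an approximation ie that is
    correct on inputs <= n it builds one that is correct on inputs <= n + 2."""
    def approx(x):
        if x == 0:
            return True
        if x == 1:
            return False
        return ie(x - 2)
    return approx

iseven = fix(ff)

def bottom(x):
    """An approximation that is correct on no input (stands in for divergence)."""
    raise RecursionError("undefined on %d" % x)

def approximation(k, x):
    """Apply ff k times to bottom and test the result on x.  Returns the
    answer, or None when the k-th approximation is still undefined on x
    (which happens exactly when x >= 2k)."""
    approx = bottom
    for _ in range(k):
        approx = ff(approx)
    try:
        return approx(x)
    except RecursionError:
        return None

def ff_record(ieio):
    """The record generator from the text: ieio supplies the iseven/isodd
    functions that the two bodies call recursively."""
    return {
        "iseven": lambda x: True if x == 0 else ieio["isodd"](x - 1),
        "isodd": lambda x: False if x == 0 else ieio["iseven"](x - 1),
    }

def fix_record(gen):
    """Fixed point of a function on records.  Assumption of this example: one
    shared mutable dict replaces the repeated substitution of E-FixBeta; the
    fields only look up their siblings when called, so one unfolding suffices."""
    rec = {}
    rec.update(gen(rec))
    return rec

r = fix_record(ff_record)

def letrec(gen, body):
    """letrec x:T = t1 in t2, read as the derived form let x = fix (λx:T.t1) in t2;
    gen plays the role of λx:T.t1 and body the role of λx. t2."""
    return body(fix(gen))

def iseven_via_letrec(n):
    return letrec(ff, lambda iseven_: iseven_(n))
```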

11.12 Lists

The typing features we have seen can be classified into base types like Bool and Unit, and type constructors like → and × that build new types from old ones. Another useful type constructor is List. For every type T, the type List T describes finite-length lists whose elements are drawn from T. Figure 11-13 summarizes the syntax, semantics, and typing rules for lists. Except for syntactic differences (List T instead of T list, etc.) and the explicit type annotations on all the syntactic forms in our presentation,9 these lists are essentially identical to those found in ML and other functional languages. The empty list (with elements of type T) is written nil[T]. The list formed by adding a new element t1 (of type T) to the front of a list t2 is written cons[T] t1 t2. The head and tail of a list t are written head[T] t and tail[T] t. The boolean predicate isnil[T] t yields true iff t is empty.10

11.12.1 Exercise [«««]: Verify that the progress and preservation theorems hold for the simply typed lambda-calculus with booleans and lists.

11.12.2 Exercise [««]: The presentation of lists here includes many type annotations that are not really needed, in the sense that the typing rules can easily derive the annotations from context. Can all the type annotations be deleted?

9. Most of these explicit annotations could actually be omitted (Exercise [«, ↝]: which cannot?); they are retained here to ease comparison with the encoding of lists in §23.4.
10. We adopt the “head/tail/isnil presentation” of lists here for simplicity. From the perspective of language design, it is arguably better to treat lists as a datatype and use case expressions for destructing them, since more programming errors can be caught as type errors this way.

    → B List                            Extends λ→ (9-1) with booleans (8-1)

    New syntactic forms
      t ::= ...                                  terms:
            nil[T]                               empty list
            cons[T] t t                          list constructor
            isnil[T] t                           test for empty list
            head[T] t                            head of a list
            tail[T] t                            tail of a list

      v ::= ...                                  values:
            nil[T]                               empty list
            cons[T] v v                          list constructor

      T ::= ...                                  types:
            List T                               type of lists

    New evaluation rules                                   t ⟶ t′

                t1 ⟶ t1′
      ---------------------------------                    (E-Cons1)
      cons[T] t1 t2 ⟶ cons[T] t1′ t2

                t2 ⟶ t2′
      ---------------------------------                    (E-Cons2)
      cons[T] v1 t2 ⟶ cons[T] v1 t2′

      isnil[S] (nil[T]) ⟶ true                              (E-IsnilNil)

      isnil[S] (cons[T] v1 v2) ⟶ false                      (E-IsnilCons)

                t1 ⟶ t1′
      ---------------------------------                    (E-Isnil)
      isnil[T] t1 ⟶ isnil[T] t1′

      head[S] (cons[T] v1 v2) ⟶ v1                          (E-HeadCons)

                t1 ⟶ t1′
      ---------------------------------                    (E-Head)
      head[T] t1 ⟶ head[T] t1′

      tail[S] (cons[T] v1 v2) ⟶ v2                          (E-TailCons)

                t1 ⟶ t1′
      ---------------------------------                    (E-Tail)
      tail[T] t1 ⟶ tail[T] t1′

    New typing rules                                       Γ ⊢ t : T

      Γ ⊢ nil[T1] : List T1                                 (T-Nil)

      Γ ⊢ t1 : T1     Γ ⊢ t2 : List T1
      ---------------------------------                    (T-Cons)
      Γ ⊢ cons[T1] t1 t2 : List T1

      Γ ⊢ t1 : List T11
      ---------------------------------                    (T-Isnil)
      Γ ⊢ isnil[T11] t1 : Bool

      Γ ⊢ t1 : List T11
      ---------------------------------                    (T-Head)
      Γ ⊢ head[T11] t1 : T11

      Γ ⊢ t1 : List T11
      ---------------------------------                    (T-Tail)
      Γ ⊢ tail[T11] t1 : List T11

Figure 11-13: Lists
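The rules of Figure 11-13 run as a small-step interpreter, as an added example that is not the book's code. Numeric values ("nat", n) are assumed here purely as sample list elements; the point footnote 10 makes shows up directly: head[T] nil[T] is well typed by T-Head, yet no evaluation rule matches it, so the interpreter reports it as stuck.

```python
# Added example (not from the book): the evaluation and typing rules of
# Figure 11-13 as a small-step interpreter over closed terms.  Term forms are
# tuples: ("nil", T), ("cons", T, t1, t2), ("isnil", T, t), ("head", T, t),
# ("tail", T, t), ("true",), ("false",) and ("nat", n) for numeric values
# (an assumption of this example).  Types: "Bool", "Nat" and ("List", T).

def is_value(t):
    if t[0] in ("nil", "true", "false", "nat"):
        return True
    return t[0] == "cons" and is_value(t[2]) and is_value(t[3])

def step(t):
    """One evaluation step, or None when no rule of Figure 11-13 applies."""
    kind = t[0]
    if kind == "cons":
        _, ty, t1, t2 = t
        if not is_value(t1):                                # E-Cons1
            s = step(t1)
            return None if s is None else ("cons", ty, s, t2)
        if not is_value(t2):                                # E-Cons2
            s = step(t2)
            return None if s is None else ("cons", ty, t1, s)
        return None                                         # already a value
    if kind in ("isnil", "head", "tail"):
        _, ty, t1 = t
        if kind == "isnil" and t1[0] == "nil":              # E-IsnilNil
            return ("true",)
        if t1[0] == "cons" and is_value(t1):
            if kind == "isnil":                             # E-IsnilCons
                return ("false",)
            return t1[2] if kind == "head" else t1[3]       # E-HeadCons / E-TailCons
        s = step(t1)                                        # E-Isnil / E-Head / E-Tail
        return None if s is None else (kind, ty, s)
    return None

def evaluate(t, limit=1000):
    """Reduce to normal form; returns (term, stuck), where stuck means the
    result is not a value yet no rule applies (e.g. head[T] nil[T])."""
    for _ in range(limit):
        s = step(t)
        if s is None:
            return t, not is_value(t)
        t = s
    raise RuntimeError("step limit exceeded")

def typeof(t):
    """T-Nil, T-Cons, T-Isnil, T-Head and T-Tail for closed terms."""
    kind = t[0]
    if kind in ("true", "false"):
        return "Bool"
    if kind == "nat":
        return "Nat"
    if kind == "nil":                                       # T-Nil
        return ("List", t[1])
    if kind == "cons":                                      # T-Cons
        _, ty, t1, t2 = t
        if typeof(t1) != ty or typeof(t2) != ("List", ty):
            raise TypeError("cons: element or tail has the wrong type")
        return ("List", ty)
    _, ty, t1 = t                                           # T-Isnil / T-Head / T-Tail
    if typeof(t1) != ("List", ty):
        raise TypeError(kind + ": argument is not a list of the annotated type")
    return {"isnil": "Bool", "head": ty, "tail": ("List", ty)}[kind]

def nat_list(*ns):
    """cons[Nat] n1 (cons[Nat] n2 (... nil[Nat]))"""
    t = ("nil", "Nat")
    for n in reversed(ns):
        t = ("cons", "Nat", ("nat", n), t)
    return t

def second_element():
    """head[Nat] (tail[Nat] (cons[Nat] 1 (cons[Nat] 2 nil[Nat]))) : Nat, evaluating to 2."""
    term = ("head", "Nat", ("tail", "Nat", nat_list(1, 2)))
    return typeof(term), evaluate(term)

def head_of_nil():
    """head[Nat] nil[Nat] is well typed by T-Head, but no evaluation rule matches it."""
    term = ("head", "Nat", ("nil", "Nat"))
    return typeof(term), evaluate(term)
```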

12 Normalization

In this chapter, we consider another fundamental theoretical property of the pure simply typed lambda-calculus: the fact that the evaluation of a well-typed program is guaranteed to halt in a finite number of steps—i.e., every well-typed term is normalizable. Unlike the type-safety properties we have considered so far, the normalization property does not extend to full-blown programming languages, because these languages nearly always extend the simply typed lambda-calculus with constructs such as general recursion (§11.11) or recursive types (Chapter 20) that can be used to write nonterminating programs. However, the issue of normalization will reappear at the level of types when we discuss the metatheory of System Fω in §30.3: in this system, the language of types effectively contains a copy of the simply typed lambda-calculus, and the termination of the typechecking algorithm will hinge on the fact that a “normalization” operation on type expressions is guaranteed to terminate. Another reason for studying normalization proofs is that they are some of the most beautiful—and mind-blowing—mathematics to be found in the type theory literature, often (as here) involving the fundamental proof technique of logical relations. Some readers may prefer to skip this chapter on a first reading; doing so will not cause any problems in later chapters. (A full table of chapter dependencies appears on page xvi.)

12.1 Normalization for Simple Types

The calculus we shall consider here is the simply typed lambda-calculus over a single base type A. Normalization for this calculus is not entirely trivial to prove, since each reduction of a term can duplicate redexes in subterms.

The language studied in this chapter is the simply typed lambda-calculus (Figure 9-1) with a single base type A (11-1).

12.1.1 Exercise [«]: Where do we fail if we attempt to prove normalization by a straightforward induction on the size of a well-typed term?

The key issue here (as in many proofs by induction) is finding a strong enough induction hypothesis. To this end, we begin by defining, for each type T, a set R_T of closed terms of type T. We regard these sets as predicates and write R_T(t) for t ∈ R_T.1

12.1.2 Definition:
  • R_A(t) iff t halts.
  • R_{T1→T2}(t) iff t halts and, whenever R_{T1}(s), we have R_{T2}(t s).

This definition gives us the strengthened induction hypothesis that we need. Our primary goal is to show that all programs—i.e., all closed terms of base type—halt. But closed terms of base type can contain subterms of functional type, so we need to know something about these as well. Moreover, it is not enough to know that these subterms halt, because the application of a normalized function to a normalized argument involves a substitution, which may enable more evaluation steps. So we need a stronger condition for terms of functional type: not only should they halt themselves, but, when applied to halting arguments, they should yield halting results.

The form of Definition 12.1.2 is characteristic of the logical relations proof technique. (Since we are just dealing with unary relations here, we should more properly say logical predicates.) If we want to prove some property P of all closed terms of type A, we proceed by proving, by induction on types, that all terms of type A possess property P, all terms of type A→A preserve property P, all terms of type (A→A)→(A→A) preserve the property of preserving property P, and so on. We do this by defining a family of predicates, indexed by types. For the base type A, the predicate is just P. For functional types, it says that the function should map values satisfying the predicate at the input type to values satisfying the predicate at the output type.

We use this definition to carry out the proof of normalization in two steps. First, we observe that every element of every set R_T is normalizable. Then we show that every well-typed term of type T is an element of R_T. The first step is immediate from the definition of R_T:

12.1.3 Lemma: If R_T(t), then t halts.

The second step is broken into two lemmas. First, we remark that membership in R_T is invariant under evaluation.

1. The sets R_T are sometimes called saturated sets or reducibility candidates.

12.1.4 Lemma: If t : T and t ⟶ t′, then R_T(t) iff R_T(t′).

Proof: By induction on the structure of the type T. Note, first, that it is clear that t halts iff t′ does. If T = A, there is nothing more to show. Suppose, on the other hand, that T = T1→T2 for some T1 and T2. For the “only if” direction (⇒) suppose that R_T(t) and that R_{T1}(s) for some arbitrary s : T1. By definition we have R_{T2}(t s). But t s ⟶ t′ s, from which the induction hypothesis for type T2 gives us R_{T2}(t′ s). Since this holds for an arbitrary s, the definition of R_T gives us R_T(t′). The argument for the “if” direction (⇐) is analogous.

Next, we want to show that every term of type T belongs to R_T. Here, the induction will be on typing derivations (it would be surprising to see a proof about well-typed terms that did not somewhere involve induction on typing derivations!). The only technical difficulty here is in dealing with the λ-abstraction case. Since we are arguing by induction, the demonstration that a term λx:T1.t2 belongs to R_{T1→T2} should involve applying the induction hypothesis to show that t2 belongs to R_{T2}. But R_{T2} is defined to be a set of closed terms, while t2 may contain x free, so this does not make sense. This problem is resolved by using a standard trick to suitably generalize the induction hypothesis: instead of proving a statement involving a closed term, we generalize it to cover all closed instances of an open term t.

12.1.5 Lemma: If x1:T1, ..., xn:Tn ⊢ t : T and v1, ..., vn are closed values of types T1, ..., Tn with R_{Ti}(vi) for each i, then R_T([x1 ↦ v1] ··· [xn ↦ vn]t).

Proof: By induction on a derivation of x1:T1, ..., xn:Tn ⊢ t : T. (The most interesting case is the one for abstraction.)

Case T-Var:   t = xi      T = Ti

Immediate.

Case T-Abs:   t = λx:S1.s2      T = S1→S2      x1:T1, ..., xn:Tn, x:S1 ⊢ s2 : S2

Obviously, [x1 ↦ v1] ··· [xn ↦ vn]t evaluates to a value, since it is a value already. What remains to show is that R_{S2}(([x1 ↦ v1] ··· [xn ↦ vn]t) s) for any s : S1 such that R_{S1}(s). So suppose s is such a term. By Lemma 12.1.3, we have s ⟶* v for some v. By Lemma 12.1.4, R_{S1}(v). Now, by the induction hypothesis, R_{S2}([x1 ↦ v1] ··· [xn ↦ vn][x ↦ v]s2). But

    (λx:S1. [x1 ↦ v1] ··· [xn ↦ vn]s2) s  ⟶*  [x1 ↦ v1] ··· [xn ↦ vn][x ↦ v]s2,

from which Lemma 12.1.4 gives us R_{S2}((λx:S1. [x1 ↦ v1] ··· [xn ↦ vn]s2) s), that is, R_{S2}(([x1 ↦ v1] ··· [xn ↦ vn](λx:S1. s2)) s). Since s was chosen arbitrarily, the definition of R_{S1→S2} gives us R_{S1→S2}([x1 ↦ v1] ··· [xn ↦ vn](λx:S1. s2)).

Case T-App:   t = t1 t2      x1:T1, ..., xn:Tn ⊢ t1 : T11→T12      x1:T1, ..., xn:Tn ⊢ t2 : T11      T = T12

The induction hypothesis gives us R_{T11→T12}([x1 ↦ v1] ··· [xn ↦ vn]t1) and R_{T11}([x1 ↦ v1] ··· [xn ↦ vn]t2). By the definition of R_{T11→T12}, R_{T12}(([x1 ↦ v1] ··· [xn ↦ vn]t1) ([x1 ↦ v1] ··· [xn ↦ vn]t2)), i.e., R_{T12}([x1 ↦ v1] ··· [xn ↦ vn](t1 t2)).

We now obtain the normalization property as a corollary, simply by taking the term t to be closed in Lemma 12.1.5 and then recalling that all the elements of R_T are normalizing, for every T.

12.1.6 Theorem [Normalization]: If ⊢ t : T, then t is normalizable.

Proof: R_T(t) by Lemma 12.1.5; t is therefore normalizable by Lemma 12.1.3.

12.1.7 Exercise [Recommended, «««]: Extend the proof technique from this chapter to show that the simply typed lambda-calculus remains normalizing when extended with booleans (Figure 3-1) and products (Figure 11-5).

12.2 Notes

Normalization properties are most commonly formulated in the theoretical literature as strong normalization for calculi with full (non-deterministic) beta-reduction. The standard proof method was invented by Tait (1967), generalized to System F (cf. Chapter 23) by Girard (1972, 1989), and later simplified by Tait (1975). The presentation used here is an adaptation of Tait’s method to the call-by-value setting, due to Martin Hofmann (private communication). The classical references on the logical relations proof technique are Howard (1973), Tait (1967), Friedman (1975), Plotkin (1973, 1980), and Statman (1982, 1985a, 1985b). It is also discussed in many texts on semantics, for example those by Mitchell (1996) and Gunter (1992). Tait’s strong normalization proof corresponds exactly to an algorithm for evaluating simply typed terms, known as normalization by evaluation or type-directed partial evaluation (Berger, 1993; Danvy, 1998); also see Berger and Schwichtenberg (1991), Filinski (1999), Filinski (2001), Reynolds (1998a).

13

References

So far, we have considered a variety of pure language features, including functional abstraction, basic types such as numbers and booleans, and structured types such as records and variants. These features form the backbone of most programming languages—including purely functional languages such as Haskell, “mostly functional” languages such as ML, imperative languages such as C, and object-oriented languages such as Java. Most practical programming languages also include various impure features that cannot be described in the simple semantic framework we have used so far. In particular, besides just yielding results, evaluation of terms in these languages may assign to mutable variables (reference cells, arrays, mutable record fields, etc.), perform input and output to files, displays, or network connections, make non-local transfers of control via exceptions, jumps, or continuations, engage in inter-process synchronization and communication, and so on. In the literature on programming languages, such “side effects” of computation are more generally referred to as computational effects. In this chapter, we’ll see how one sort of computational effect—mutable references—can be added to the calculi we have studied. The main extension will be dealing explicitly with a store (or heap). This extension is straightforward to define; the most interesting part is the refinement we need to make to the statement of the type preservation theorem (13.5.3). We consider another kind of effect—exceptions and non-local transfer of control—in Chapter 14.

13.1

Introduction Nearly every programming language 1 provides some form of assignment operation that changes the contents of a previously allocated piece of storage. The system studied in this chapter is the simply typed lambda-calculus with Unit and references (Figure 13-1). The associated OCaml implementation is fullref. 1. Even “purely functional” languages such as Haskell, via extensions such as monads.

154

13

References

In some languages—notably ML and its relatives—the mechanisms for namebinding and those for assignment are kept separate. We can have a variable x whose value is the number 5, or a variable y whose value is a reference (or pointer) to a mutable cell whose current contents is 5, and the difference is visible to the programmer. We can add x to another number, but not assign to it. We can use y directly to assign a new value to the cell that it points to (by writing y:=84), but we cannot use it directly as an argument to plus. Instead, we must explicitly dereference it, writing !y to obtain its current contents. In most other languages—in particular, in all members of the C family, including Java—every variable name refers to a mutable cell, and the operation of dereferencing a variable to obtain its current contents is implicit. 2 For purposes of formal study, it is useful to keep these mechanisms separate;3 our development in this chapter will closely follow ML’s model. Applying the lessons learned here to C-like languages is a straightforward matter of collapsing some distinctions and rendering certain operations such as dereferencing implicit instead of explicit.

Basics

The basic operations on references are allocation, dereferencing, and assignment. To allocate a reference, we use the ref operator, providing an initial value for the new cell.

    r = ref 5;
    ▸ r : Ref Nat

The response from the typechecker indicates that the value of r is a reference to a cell that will always contain a number. To read the current value of this cell, we use the dereferencing operator !.

    !r;
    ▸ 5 : Nat

To change the value stored in the cell, we use the assignment operator.

    r := 7;
    ▸ unit : Unit

(The result of the assignment is the trivial unit value; see §11.2.) If we dereference r again, we see the updated value.

    !r;
    ▸ 7 : Nat

² Strictly speaking, most variables of type T in C or Java should actually be thought of as pointers to cells holding values of type Option(T), reflecting the fact that the contents of a variable can be either a proper value or the special value null.

³ There are also good arguments that this separation is desirable from the perspective of language design. Making the use of mutable cells an explicit choice rather than the default encourages a mostly functional programming style where references are used sparingly; this practice tends to make programs significantly easier to write, maintain, and reason about, especially in the presence of features like concurrency.

Side Effects and Sequencing

The fact that the result of an assignment expression is the trivial value unit fits nicely with the sequencing notation defined in §11.3, allowing us to write

    (r:=succ(!r); !r);
    ▸ 8 : Nat

instead of the equivalent, but more cumbersome,

    (λ_:Unit. !r) (r := succ(!r));
    ▸ 9 : Nat

to evaluate two expressions in order and return the value of the second. Restricting the type of the first expression to Unit helps the typechecker to catch some silly errors by permitting us to throw away the first value only if it is really guaranteed to be trivial. Notice that, if the second expression is also an assignment, then the type of the whole sequence will be Unit, so we can validly place it to the left of another ; to build longer sequences of assignments:

    (r:=succ(!r); r:=succ(!r); r:=succ(!r); r:=succ(!r); !r);
    ▸ 13 : Nat

References and Aliasing

It is important to bear in mind the difference between the reference that is bound to r and the cell in the store that is pointed to by this reference.

    r = ──▶ [ 13 ]


If we make a copy of r, for example by binding its value to another variable s,

    s = r;
    ▸ s : Ref Nat

what gets copied is only the reference (the arrow in the diagram), not the cell:

    r = ──┐
          ├──▶ [ 13 ]
    s = ──┘

We can verify this by assigning a new value into s

    s := 82;
    ▸ unit : Unit

and reading it out via r:

    !r;
    ▸ 82 : Nat

The references r and s are said to be aliases for the same cell.

13.1.1 Exercise [«]: Draw a similar diagram showing the effects of evaluating the expressions a = {ref 0, ref 0} and b = (λx:Ref Nat. {x,x}) (ref 0).

Shared State

The possibility of aliasing can make programs with references quite tricky to reason about. For example, the expression (r:=1; r:=!s), which assigns 1 to r and then immediately overwrites it with s’s current value, has exactly the same effect as the single assignment r:=!s, unless we write it in a context where r and s are aliases for the same cell. Of course, aliasing is also a large part of what makes references useful. In particular, it allows us to set up “implicit communication channels”—shared state—between different parts of a program. For example, suppose we define a reference cell and two functions that manipulate its contents:

    c = ref 0;
    ▸ c : Ref Nat

    incc = λx:Unit. (c := succ (!c); !c);
    ▸ incc : Unit → Nat

    decc = λx:Unit. (c := pred (!c); !c);
    ▸ decc : Unit → Nat

Calling incc

    incc unit;
    ▸ 1 : Nat

results in changes to c that can be observed by calling decc:

    decc unit;
    ▸ 0 : Nat

If we package incc and decc together into a record

    o = {i = incc, d = decc};
    ▸ o : {i:Unit→Nat, d:Unit→Nat}

then we can pass this whole structure around as a unit and use its components to perform incrementing and decrementing operations on the shared piece of state in c. In effect, we have constructed a simple kind of object. This idea is developed in detail in Chapter 18.

References to Compound Types

A reference cell need not contain just a number: the primitives above allow us to create references to values of any type, including functions. For example, we can use references to functions to give a (not very efficient) implementation of arrays of numbers, as follows. Write NatArray for the type Ref (Nat→Nat).

    NatArray = Ref (Nat→Nat);

To build a new array, we allocate a reference cell and fill it with a function that, when given an index, always returns 0.

    newarray = λ_:Unit. ref (λn:Nat.0);
    ▸ newarray : Unit → NatArray

To look up an element of an array, we simply apply the function to the desired index.

    lookup = λa:NatArray. λn:Nat. (!a) n;
    ▸ lookup : NatArray → Nat → Nat

The interesting part of the encoding is the update function. It takes an array, an index, and a new value to be stored at that index, and does its job by creating (and storing in the reference) a new function that, when it is asked for the value at this very index, returns the new value that was given to update, and on all other indices passes the lookup to the function that was previously stored in the reference.

    update = λa:NatArray. λm:Nat. λv:Nat.
               let oldf = !a in
               a := (λn:Nat. if equal m n then v else oldf n);
    ▸ update : NatArray → Nat → Nat → Unit

13.1.2 Exercise [««]: If we defined update more compactly like this

    update = λa:NatArray. λm:Nat. λv:Nat.
               a := (λn:Nat. if equal m n then v else (!a) n);

would it behave the same?

References to values containing other references can also be very useful, allowing us to define data structures such as mutable lists and trees. (Such structures generally also involve recursive types, which we introduce in Chapter 20.)
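The NatArray encoding above, and the aliasing behaviour of the previous subsection, transcribed into Python as an added example (this is not code from the book or its fullref implementation). The Ref class, the names newarray, lookup, update and the demo routine are this example's own; the body of update follows the book's definition, in particular the snapshot of the previous function in oldf. The demo also shows what the text only states: copying a reference aliases the cell, while the function value that !a returns is immutable and unaffected by later updates.

```python
"""Added example (not from the book): the NatArray encoding of Section 13.1
in Python.  A reference cell is a one-field object, and an "array" is a
reference whose contents is a function from indices to values, as in the text.
"""
from typing import Callable


class Ref:
    """A mutable cell; a Ref value names the cell, `contents` is what it holds."""

    def __init__(self, contents):
        self.contents = contents


NatArray = Ref  # a Ref whose contents is a Callable[[int], int]


def newarray() -> NatArray:
    """ref (λn:Nat. 0): every index reads as 0 until it is updated."""
    return Ref(lambda n: 0)


def lookup(a: NatArray, n: int) -> int:
    """(!a) n: apply the stored function to the index."""
    return a.contents(n)


def update(a: NatArray, m: int, v: int) -> None:
    """let oldf = !a in a := (λn:Nat. if equal m n then v else oldf n)."""
    oldf: Callable[[int], int] = a.contents   # snapshot of the *previous* function value
    a.contents = lambda n: v if n == m else oldf(n)


def to_list(a: NatArray, length: int) -> list:
    """Materialise the first `length` elements (the encoding has no length)."""
    return [lookup(a, i) for i in range(length)]


def demo() -> dict:
    """Exercise the encoding; the constructed sequence of updates is arbitrary."""
    a = newarray()
    update(a, 3, 42)
    update(a, 3, 7)            # a later update at the same index shadows the earlier one
    update(a, 0, 1)
    b = a                      # copies the reference only: a and b alias one cell
    update(b, 5, 9)            # ... so an update through b is visible through a
    old = a.contents           # the function value !a returns is immutable ...
    update(a, 5, 10)           # ... so it is unaffected by later updates to the cell
    return {
        "a3": lookup(a, 3),
        "a0": lookup(a, 0),
        "unset": lookup(a, 99),
        "via_alias": lookup(a, 5),
        "snapshot5": old(5),
        "first6": to_list(a, 6),
    }
```

Each update wraps the previous function rather than replacing a slot, so a lookup walks a chain as long as the number of updates that preceded it; that is the "not very efficient" part of the encoding.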

Garbage Collection

A last issue that we should mention before we move on to formalizing references is storage deallocation. We have not provided any primitives for freeing reference cells when they are no longer needed. Instead, like many modern languages (including ML and Java) we rely on the run-time system to perform garbage collection, collecting and reusing cells that can no longer be reached by the program. This is not just a question of taste in language design: it is extremely difficult to achieve type safety in the presence of an explicit deallocation operation. The reason for this is the familiar dangling reference problem: we allocate a cell holding a number, save a reference to it in some data structure, use it for a while, then deallocate it and allocate a new cell holding a boolean, possibly reusing the same storage. Now we can have two names for the same storage cell—one with type Ref Nat and the other with type Ref Bool.

13.1.3 Exercise [««]: Show how this can lead to a violation of type safety.
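The dangling-reference scenario of the preceding paragraph, modelled in Python as an added example (not code from the book). The Store class with its free list, the Loc and Ref records and the runtime_type tagging are this example's own devices: the free list makes a freed location the next one handed out, as a malloc/free heap would, and the store typing Σ records each location's type at its first allocation, as §13.4 prescribes. The point a practitioner should take from it is that after free the old Ref Nat and the new Ref Bool name one cell, so the store is no longer well typed in the sense of Definition 13.5.1; in a language without runtime tags, such as C, the same use-after-free simply reinterprets the bytes.

```python
"""Added example (not from the book): modelling the dangling-reference
problem of Section 13.1 and Exercise 13.1.3.  The store keeps a free list,
so an explicitly freed location is handed out again by the next allocation,
as a malloc/free heap would; the store typing Σ fixes each location's type
at its first allocation, as Section 13.4 prescribes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Loc:
    index: int


@dataclass(frozen=True)
class Ref:
    loc: Loc
    typ: str          # the static type the program believes it holds, e.g. "Nat"


def runtime_type(v) -> str:
    """Runtime tag of a value; bool is checked first because bool is an int in Python."""
    if isinstance(v, bool):
        return "Bool"
    if isinstance(v, int):
        return "Nat"
    return "?"


class Store:
    """A store µ with an explicit `free` operation and a free list."""

    def __init__(self) -> None:
        self.cells: dict[Loc, object] = {}     # µ
        self.sigma: dict[Loc, str] = {}        # Σ, only ever extended
        self.free_list: list[Loc] = []
        self.next_index = 0

    def alloc(self, v, typ: str) -> Ref:
        if self.free_list:
            loc = self.free_list.pop()         # storage reuse: the root of the problem
        else:
            loc = Loc(self.next_index)
            self.next_index += 1
        self.cells[loc] = v
        self.sigma.setdefault(loc, typ)        # Σ(loc) is fixed by the *first* allocation
        return Ref(loc, typ)

    def free(self, r: Ref) -> None:
        del self.cells[r.loc]
        self.free_list.append(r.loc)

    def deref(self, r: Ref):
        return self.cells[r.loc]


def store_well_typed(store: Store) -> bool:
    """Γ|Σ ⊢ µ (Definition 13.5.1): dom(µ) = dom(Σ) and every cell has the type Σ predicts."""
    if set(store.cells) != set(store.sigma):
        return False
    return all(runtime_type(v) == store.sigma[loc] for loc, v in store.cells.items())


def without_free() -> tuple:
    """No deallocation: the store stays well typed and the two references are distinct."""
    s = Store()
    r_nat = s.alloc(5, "Nat")
    r_bool = s.alloc(True, "Bool")
    return r_nat.loc != r_bool.loc, runtime_type(s.deref(r_nat)), store_well_typed(s)


def with_free() -> tuple:
    """Free, then allocate a differently typed cell: the old Ref Nat now aliases a Bool."""
    s = Store()
    r_nat = s.alloc(5, "Nat")          # r_nat : Ref Nat
    s.free(r_nat)                      # explicit deallocation; r_nat is now dangling
    r_bool = s.alloc(True, "Bool")     # r_bool : Ref Bool, same storage reused
    v = s.deref(r_nat)                 # typed Ref Nat, but the cell holds a Bool
    return r_nat.loc == r_bool.loc, runtime_type(v), r_nat.typ, store_well_typed(s)
```

Note that the violation is not caught at the free itself but at the next allocation that reuses the location: until then dom(µ) ≠ dom(Σ) is the only symptom, which is exactly why a type system that admits free cannot rely on Σ alone.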


13.2 Typing

The typing rules for ref, :=, and ! follow straightforwardly from the behaviors we have given them.

    Γ ⊢ t1 : T1
    ──────────────────────────── (T-Ref)
    Γ ⊢ ref t1 : Ref T1

    Γ ⊢ t1 : Ref T1
    ──────────────────────────── (T-Deref)
    Γ ⊢ !t1 : T1

    Γ ⊢ t1 : Ref T1     Γ ⊢ t2 : T1
    ──────────────────────────────────── (T-Assign)
    Γ ⊢ t1 := t2 : Unit

13.3 Evaluation

A more subtle aspect of the treatment of references appears when we consider how to formalize their operational behavior. One way to see why is to ask, “What should be the values of type Ref T?” The crucial observation that we need to take into account is that evaluating a ref operator should do something—namely, allocate some storage—and the result of the operation should be a reference to this storage. What, then, is a reference? The run-time store in most programming language implementations is essentially just a big array of bytes. The run-time system keeps track of which parts of this array are currently in use; when we need to allocate a new reference cell, we allocate a large enough segment from the free region of the store (4 bytes for integer cells, 8 bytes for cells storing Floats, etc.), mark it as being used, and return the index (typically, a 32- or 64-bit integer) of the start of the newly allocated region. These indices are references. For present purposes, there is no need to be quite so concrete. We can think of the store as an array of values, rather than an array of bytes, abstracting away from the different sizes of the run-time representations of different values. Furthermore, we can abstract away from the fact that references (i.e., indexes into this array) are numbers. We take references to be elements of some uninterpreted set L of store locations, and take the store to be simply a partial function from locations l to values. We use the metavariable µ to range over stores. A reference, then, is a location—an abstract index into the store. We’ll use the word location instead of reference or pointer from now on to emphasize this abstract quality.⁴

Next, we need to extend our operational semantics to take stores into account. Since the result of evaluating an expression will in general depend on the contents of the store in which it is evaluated, the evaluation rules should take not just a term but also a store as argument. Furthermore, since the evaluation of a term may cause side effects on the store that may affect the evaluation of other terms in the future, the evaluation rules need to return a new store. Thus, the shape of the single-step evaluation relation changes from t ⟶ t′ to t | µ ⟶ t′ | µ′, where µ and µ′ are the starting and ending states of the store. In effect, we have enriched our notion of abstract machines, so that a machine state is not just a program counter (represented as a term), but a program counter plus the current contents of the store. To carry through this change, we first need to augment all of our existing evaluation rules with stores:

    (λx:T11.t12) v2 | µ ⟶ [x ↦ v2]t12 | µ              (E-AppAbs)

    t1 | µ ⟶ t1′ | µ′
    ──────────────────────────── (E-App1)
    t1 t2 | µ ⟶ t1′ t2 | µ′

    t2 | µ ⟶ t2′ | µ′
    ──────────────────────────── (E-App2)
    v1 t2 | µ ⟶ v1 t2′ | µ′

Note that the first rule here returns the store µ unchanged: function application, in itself, has no side effects. The other two rules simply propagate side effects from premise to conclusion. Next, we make a small addition to the syntax of our terms. The result of evaluating a ref expression will be a fresh location, so we need to include locations in the set of things that can be results of evaluation—i.e., in the set of values:

    v ::=                      values:
        λx:T.t                   abstraction value
        unit                     unit value
        l                        store location

Since all values are also terms, this means that the set of terms should include locations.

⁴ Treating locations abstractly in this way will prevent us from modeling the pointer arithmetic found in low-level languages such as C. This limitation is intentional. While pointer arithmetic is occasionally very useful (especially for implementing low-level components of run-time systems, such as garbage collectors), it cannot be tracked by most type systems: knowing that location n in the store contains a Float doesn’t tell us anything useful about the type of location n + 4. In C, pointer arithmetic is a notorious source of type safety violations.


    t ::=                      terms:
        x                        variable
        λx:T.t                   abstraction
        t t                      application
        unit                     constant unit
        ref t                    reference creation
        !t                       dereference
        t := t                   assignment
        l                        store location

Of course, making this extension to the syntax of terms does not mean that we intend programmers to write terms involving explicit, concrete locations: such terms will arise only as intermediate results of evaluation. In effect, the term language in this chapter should be thought of as formalizing an intermediate language, some of whose features are not made available to programmers directly. In terms of this expanded syntax, we can state evaluation rules for the new constructs that manipulate locations and the store. First, to evaluate a dereferencing expression !t1, we must first reduce t1 until it becomes a value:

    t1 | µ ⟶ t1′ | µ′
    ──────────────────────────── (E-Deref)
    !t1 | µ ⟶ !t1′ | µ′

Once t1 has finished reducing, we should have an expression of the form !l, where l is some location. A term that attempts to dereference any other sort of value, such as a function or unit, is erroneous. The evaluation rules simply get stuck in this case. The type safety properties in §13.5 assure us that well-typed terms will never misbehave in this way.

    µ(l) = v
    ──────────────────────────── (E-DerefLoc)
    !l | µ ⟶ v | µ

Next, to evaluate an assignment expression t1 := t2, we must first evaluate t1 until it becomes a value (i.e., a location),

    t1 | µ ⟶ t1′ | µ′
    ──────────────────────────── (E-Assign1)
    t1 := t2 | µ ⟶ t1′ := t2 | µ′

and then evaluate t2 until it becomes a value (of any sort):

    t2 | µ ⟶ t2′ | µ′
    ──────────────────────────── (E-Assign2)
    v1 := t2 | µ ⟶ v1 := t2′ | µ′

Once we have finished with t1 and t2, we have an expression of the form l := v2, which we execute by updating the store to make location l contain v2:

    l := v2 | µ ⟶ unit | [l ↦ v2]µ                     (E-Assign)


(The notation [l ↦ v2]µ here means “the store that maps l to v2 and maps all other locations to the same thing as µ.” Note that the term resulting from this evaluation step is just unit; the interesting result is the updated store.) Finally, to evaluate an expression of the form ref t1, we first evaluate t1 until it becomes a value:

    t1 | µ ⟶ t1′ | µ′
    ──────────────────────────── (E-Ref)
    ref t1 | µ ⟶ ref t1′ | µ′

Then, to evaluate the ref itself, we choose a fresh location l (i.e., a location that is not already part of the domain of µ) and yield a new store that extends µ with the new binding l ↦ v1.

    l ∉ dom(µ)
    ──────────────────────────── (E-RefV)
    ref v1 | µ ⟶ l | (µ, l ↦ v1)

The term resulting from this step is the name l of the newly allocated location. Note that these evaluation rules do not perform any kind of garbage collection: we simply allow the store to keep growing without bound as evaluation proceeds. This does not affect the correctness of the results of evaluation (after all, the definition of “garbage” is precisely parts of the store that are no longer reachable and so cannot play any further role in evaluation), but it means that a naive implementation of our evaluator will sometimes run out of memory where a more sophisticated evaluator would be able to continue by reusing locations whose contents have become garbage.

13.3.1 Exercise [«««]: How might our evaluation rules be refined to model garbage collection? What theorem would we then need to prove, to argue that this refinement is correct?

13.4 Store Typings

Having extended our syntax and evaluation rules to accommodate references, our last job is to write down typing rules for the new constructs—and, of course, to check that they are sound. Naturally, the key question is, “What is the type of a location?” When we evaluate a term containing concrete locations, the type of the result depends on the contents of the store that we start with. For example, if we evaluate the term !l2 in the store (l1 ↦ unit, l2 ↦ unit), the result is unit; if we evaluate the same term in the store (l1 ↦ unit, l2 ↦ λx:Unit.x), the result is λx:Unit.x. With respect to the former store, the location l2 has type Unit, and with respect to the latter it has type Unit→Unit. This observation leads us immediately to a first attempt at a typing rule for locations:


    Γ ⊢ µ(l) : T1
    ────────────────────────────
    Γ ⊢ l : Ref T1

That is, to find the type of a location l, we look up the current contents of l in the store and calculate the type T1 of the contents. The type of the location is then Ref T1. Having begun in this way, we need to go a little further to reach a consistent state. In effect, by making the type of a term depend on the store, we have changed the typing relation from a three-place relation (between contexts, terms, and types) to a four-place relation (between contexts, stores, terms, and types). Since the store is, intuitively, part of the context in which we calculate the type of a term, let’s write this four-place relation with the store to the left of the turnstile: Γ | µ ⊢ t : T. Our rule for typing references now has the form

    Γ | µ ⊢ µ(l) : T1
    ────────────────────────────
    Γ | µ ⊢ l : Ref T1

and all the rest of the typing rules in the system are extended similarly with stores. The other rules do not need to do anything interesting with their stores—just pass them from premise to conclusion. However, there are two problems with this rule. First, typechecking is rather inefficient, since calculating the type of a location l involves calculating the type of the current contents v of l. If l appears many times in a term t, we will re-calculate the type of v many times in the course of constructing a typing derivation for t. Worse, if v itself contains locations, then we will have to recalculate their types each time they appear. For example, if the store contains

    (l1 ↦ λx:Nat. 999,
     l2 ↦ λx:Nat. (!l1) x,
     l3 ↦ λx:Nat. (!l2) x,
     l4 ↦ λx:Nat. (!l3) x,
     l5 ↦ λx:Nat. (!l4) x),

then calculating the type of l5 involves calculating those of l4, l3, l2, and l1. Second, the proposed typing rule for locations may not allow us to derive anything at all, if the store contains a cycle. For example, there is no finite typing derivation for the location l2 with respect to the store

    (l1 ↦ λx:Nat. (!l2) x,
     l2 ↦ λx:Nat. (!l1) x),

since calculating a type for l2 requires finding the type of l1, which in turn involves l2, etc. Cyclic reference structures do arise in practice (e.g., they can be used for building doubly linked lists), and we would like our type system to be able to deal with them.

13.4.1 Exercise [«]: Can you find a term whose evaluation will create this particular cyclic store?

Both of these problems arise from the fact that our proposed typing rule for locations requires us to recalculate the type of a location every time we mention it in a term. But this, intuitively, should not be necessary. After all, when a location is first created, we know the type of the initial value that we are storing into it. Moreover, although we may later store other values into this location, those other values will always have the same type as the initial one. In other words, we always have in mind a single, definite type for every location in the store, which is fixed when the location is allocated. These intended types can be collected together as a store typing—a finite function mapping locations to types. We’ll use the metavariable Σ to range over such functions. Suppose we are given a store typing Σ describing the store µ in which some term t will be evaluated. Then we can use Σ to calculate the type of the result of t without ever looking directly at µ. For example, if Σ is (l1 ↦ Unit, l2 ↦ Unit→Unit), then we may immediately infer that !l2 has type Unit→Unit. More generally, the typing rule for locations can be reformulated in terms of store typings like this:

    Σ(l) = T1
    ──────────────────────────── (T-Loc)
    Γ | Σ ⊢ l : Ref T1

Typing is again a four-place relation, but it is parameterized on a store typing rather than a concrete store. The rest of the typing rules are analogously augmented with store typings. Of course, these typing rules will accurately predict the results of evaluation only if the concrete store used during evaluation actually conforms to the store typing that we assume for purposes of typechecking. This proviso exactly parallels the situation with free variables in all the calculi we have seen up to this point: the substitution lemma (9.3.8) promises us that, if Γ ⊢ t : T, then we can replace the free variables in t with values of the types listed in Γ to obtain a closed term of type T, which, by the type preservation theorem (9.3.9) will evaluate to a final result of type T if it yields any result at all. We will see in §13.5 how to formalize an analogous intuition for stores and store typings. Finally, note that, for purposes of typechecking the terms that programmers actually write, we do not need to do anything tricky to guess what store typing we should use. As we remarked above, concrete location constants arise only in terms that are the intermediate results of evaluation; they are not in the language that programmers write. Thus, we can simply typecheck the programmer’s terms with respect to the empty store typing. As evaluation proceeds and new locations are created, we will always be able to see how to extend the store typing by looking at the type of the initial values being placed in newly allocated cells; this intuition is formalized in the statement of the type preservation theorem below (13.5.3). Now that we have dealt with locations, the typing rules for the other new syntactic forms are quite straightforward. When we create a reference to a value of type T1, the reference itself has type Ref T1.

    Γ | Σ ⊢ t1 : T1
    ──────────────────────────── (T-Ref)
    Γ | Σ ⊢ ref t1 : Ref T1

Notice that we do not need to extend the store typing here, since the name of the new location will not be determined until run time, while Σ records only the association between already-allocated storage cells and their types. Conversely, if t1 evaluates to a location of type Ref T11, then dereferencing t1 is guaranteed to yield a value of type T11.

    Γ | Σ ⊢ t1 : Ref T11
    ──────────────────────────── (T-Deref)
    Γ | Σ ⊢ !t1 : T11

Finally, if t1 denotes a cell of type Ref T11, then we can store t2 into this cell as long as the type of t2 is also T11:

    Γ | Σ ⊢ t1 : Ref T11     Γ | Σ ⊢ t2 : T11
    ─────────────────────────────────────────── (T-Assign)
    Γ | Σ ⊢ t1 := t2 : Unit

Figure 13-1 summarizes the typing rules (and the syntax and evaluation rules, for easy reference) for the simply typed lambda-calculus with references.

Figure 13-1: References                              Extends λ→ with Unit (9-1 and 11-2)

Syntax

    t ::=                      terms:
        x                        variable
        λx:T.t                   abstraction
        t t                      application
        unit                     constant unit
        ref t                    reference creation
        !t                       dereference
        t := t                   assignment
        l                        store location

    v ::=                      values:
        λx:T.t                   abstraction value
        unit                     constant unit
        l                        store location

    T ::=                      types:
        T→T                      type of functions
        Unit                     unit type
        Ref T                    type of reference cells

    µ ::=                      stores:
        ∅                        empty store
        µ, l = v                 location binding

    Γ ::=                      contexts:
        ∅                        empty context
        Γ, x:T                   term variable binding

    Σ ::=                      store typings:
        ∅                        empty store typing
        Σ, l:T                   location typing

Evaluation                                           t | µ ⟶ t′ | µ′

    t1 | µ ⟶ t1′ | µ′
    ──────────────────────────── (E-App1)
    t1 t2 | µ ⟶ t1′ t2 | µ′

    t2 | µ ⟶ t2′ | µ′
    ──────────────────────────── (E-App2)
    v1 t2 | µ ⟶ v1 t2′ | µ′

    (λx:T11.t12) v2 | µ ⟶ [x ↦ v2]t12 | µ              (E-AppAbs)

    l ∉ dom(µ)
    ──────────────────────────── (E-RefV)
    ref v1 | µ ⟶ l | (µ, l ↦ v1)

    t1 | µ ⟶ t1′ | µ′
    ──────────────────────────── (E-Ref)
    ref t1 | µ ⟶ ref t1′ | µ′

    µ(l) = v
    ──────────────────────────── (E-DerefLoc)
    !l | µ ⟶ v | µ

    t1 | µ ⟶ t1′ | µ′
    ──────────────────────────── (E-Deref)
    !t1 | µ ⟶ !t1′ | µ′

    l := v2 | µ ⟶ unit | [l ↦ v2]µ                     (E-Assign)

    t1 | µ ⟶ t1′ | µ′
    ──────────────────────────── (E-Assign1)
    t1 := t2 | µ ⟶ t1′ := t2 | µ′

    t2 | µ ⟶ t2′ | µ′
    ──────────────────────────── (E-Assign2)
    v1 := t2 | µ ⟶ v1 := t2′ | µ′

Typing                                               Γ | Σ ⊢ t : T

    x:T ∈ Γ
    ──────────────────────────── (T-Var)
    Γ | Σ ⊢ x : T

    Γ, x:T1 | Σ ⊢ t2 : T2
    ──────────────────────────── (T-Abs)
    Γ | Σ ⊢ λx:T1.t2 : T1→T2

    Γ | Σ ⊢ t1 : T11→T12     Γ | Σ ⊢ t2 : T11
    ─────────────────────────────────────────── (T-App)
    Γ | Σ ⊢ t1 t2 : T12

    Γ | Σ ⊢ unit : Unit                                (T-Unit)

    Σ(l) = T1
    ──────────────────────────── (T-Loc)
    Γ | Σ ⊢ l : Ref T1

    Γ | Σ ⊢ t1 : T1
    ──────────────────────────── (T-Ref)
    Γ | Σ ⊢ ref t1 : Ref T1

    Γ | Σ ⊢ t1 : Ref T11
    ──────────────────────────── (T-Deref)
    Γ | Σ ⊢ !t1 : T11

    Γ | Σ ⊢ t1 : Ref T11     Γ | Σ ⊢ t2 : T11
    ─────────────────────────────────────────── (T-Assign)
    Γ | Σ ⊢ t1 := t2 : Unit

13.5 Safety

Our final job in this chapter is to check that standard type safety properties continue to hold for the calculus with references. The progress theorem (“well-typed terms are not stuck”) can be stated and proved almost as before (cf. 13.5.7); we just need to add a few straightforward cases to the proof, dealing with the new constructs. The preservation theorem is a bit more interesting, so let’s look at it first. Since we have extended both the evaluation relation (with initial and final stores) and the typing relation (with a store typing), we need to change the statement of preservation to include these parameters. Clearly, though, we cannot just add stores and store typings without saying anything about how they are related.

    If Γ | Σ ⊢ t : T and t | µ ⟶ t′ | µ′, then Γ | Σ ⊢ t′ : T.            (Wrong!)

If we typecheck with respect to some set of assumptions about the types of the values in the store and then evaluate with respect to a store that violates these assumptions, the result will be disaster. The following requirement expresses the constraint we need.

13.5.1 Definition: A store µ is said to be well typed with respect to a typing context Γ and a store typing Σ, written Γ | Σ ⊢ µ, if dom(µ) = dom(Σ) and Γ | Σ ⊢ µ(l) : Σ(l) for every l ∈ dom(µ). Intuitively, a store µ is consistent with a store typing Σ if every value in the store has the type predicted by the store typing.

13.5.2 Exercise [««]: Can you find a context Γ, a store µ, and two different store typings Σ1 and Σ2 such that both Γ | Σ1 ⊢ µ and Γ | Σ2 ⊢ µ?

We can now state something closer to the desired preservation property:

    If    Γ | Σ ⊢ t : T
          t | µ ⟶ t′ | µ′
          Γ | Σ ⊢ µ
    then  Γ | Σ ⊢ t′ : T.                                          (Less wrong.)

This statement is fine for all of the evaluation rules except the allocation rule E-RefV. The problem is that this rule yields a store with a larger domain than the initial store, which falsifies the conclusion of the above statement: if µ′ includes a binding for a fresh location l, then l cannot be in the domain of Σ, and it will not be the case that t′ (which definitely mentions l) is typable under Σ. Evidently, since the store can increase in size during evaluation, we need to allow the store typing to grow as well. This leads us to the final (correct) statement of the type preservation property:

13.5.3 Theorem [Preservation]: If

          Γ | Σ ⊢ t : T
          Γ | Σ ⊢ µ
          t | µ ⟶ t′ | µ′

    then, for some Σ′ ⊇ Σ,

          Γ | Σ′ ⊢ t′ : T
          Γ | Σ′ ⊢ µ′.

Note that the preservation theorem merely asserts that there is some store typing Σ′ ⊇ Σ (i.e., agreeing with Σ on the values of all the old locations) such that the new term t′ is well typed with respect to Σ′; it does not tell us exactly what Σ′ is. It is intuitively clear, of course, that Σ′ is either Σ or else it is exactly (Σ, l ↦ T1), where l is a newly allocated location (the new element of the domain of µ′) and T1 is the type of the initial value bound to l in the extended store (µ, l ↦ v1), but stating this explicitly would complicate the statement of the theorem without actually making it any more useful: the weaker version above is already in the right form (because its conclusion implies its hypothesis) to “turn the crank” repeatedly and conclude that every sequence of evaluation steps preserves well-typedness. Combining this with the progress property, we obtain the usual guarantee that “well-typed programs never go wrong.” To prove preservation, we need a few technical lemmas. The first is an easy extension of the standard substitution lemma (9.3.8).

13.5.4 Lemma [Substitution]: If Γ, x:S | Σ ⊢ t : T and Γ | Σ ⊢ s : S, then Γ | Σ ⊢ [x ↦ s]t : T.

Proof: Just like Lemma 9.3.8.


The next states that replacing the contents of a cell in the store with a new value of appropriate type does not change the overall type of the store.

13.5.5 Lemma: If Γ | Σ ⊢ µ, Σ(l) = T, and Γ | Σ ⊢ v : T, then Γ | Σ ⊢ [l ↦ v]µ.

Proof: Immediate from the definition of Γ | Σ ⊢ µ.

Finally, we need a kind of weakening lemma for stores, stating that, if a store is extended with a new location, the extended store still allows us to assign types to all the same terms as the original.

13.5.6 Lemma: If Γ | Σ ⊢ t : T and Σ′ ⊇ Σ, then Γ | Σ′ ⊢ t : T.

Proof: Easy induction.

Now we can prove the main preservation theorem.

Proof of 13.5.3: Straightforward induction on evaluation derivations, using the lemmas above and the inversion property of the typing rules (a straightforward extension of 9.3.1).

The statement of the progress theorem (9.3.5) must also be extended to take stores and store typings into account:

13.5.7 Theorem [Progress]: Suppose t is a closed, well-typed term (that is, ∅ | Σ ⊢ t : T for some T and Σ). Then either t is a value or else, for any store µ such that ∅ | Σ ⊢ µ, there is some term t′ and store µ′ with t | µ ⟶ t′ | µ′.

Proof: Straightforward induction on typing derivations, following the pattern of 9.3.5. (The canonical forms lemma, 9.3.4, needs two additional cases stating that all values of type Ref T are locations and similarly for Unit.)

13.5.8 Exercise [Recommended, «««]: Is the evaluation relation in this chapter normalizing on well-typed terms? If so, prove it. If not, write a well-typed factorial function in the present calculus (extended with numbers and booleans).
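The evaluation rules of §13.3, the store-typing rules of §13.4 and the safety conditions of §13.5, written out as an executable checker. This is an added example and not the book's fullref implementation; the tuple encoding of terms and types, the function names step, typeof, store_well_typed and run, and the sample program are all this example's own choices. The evaluator threads µ through every step exactly as the rules do, typeof looks locations up in Σ rather than in µ (T-Loc), and run extends Σ with the type of each freshly allocated cell, the Σ′ ⊇ Σ of Theorem 13.5.3, asserting after every step that both t′ and µ′ remain well typed.

```python
"""Added example (not the book's fullref): a small-step evaluator and
typechecker for Figure 13-1 (λ→ with Unit and references) with the store µ
threaded through evaluation and a store typing Σ for locations.
Encodings chosen for this example: terms ("var",x) ("abs",x,T,t)
("app",t1,t2) ("unit",) ("ref",t) ("deref",t) ("assign",t1,t2) ("loc",l);
types "Unit", ("Ref",T), ("Arrow",T1,T2)."""
UNIT = ("unit",)

def is_value(t):
    return t[0] in ("abs", "unit", "loc")

def subst(x, s, t):
    """[x ↦ s]t for a closed value s, so no variable capture is possible."""
    k = t[0]
    if k == "var":
        return s if t[1] == x else t
    if k == "abs":
        return t if t[1] == x else ("abs", t[1], t[2], subst(x, s, t[3]))
    if k in ("app", "assign", "ref", "deref"):
        return (k,) + tuple(subst(x, s, u) for u in t[1:])
    return t                                     # unit, loc

def _congruence(sub, mu, rebuild):
    """E-App1/2, E-Ref, E-Deref, E-Assign1/2 all step a subterm this way."""
    r = step(sub, mu)
    return None if r is None else (rebuild(r[0]), r[1])

def step(t, mu):
    """One step t | µ ⟶ t′ | µ′; returns None if t is a value or is stuck."""
    k = t[0]
    if k in ("app", "assign"):
        _, t1, t2 = t
        if not is_value(t1):                                      # E-App1, E-Assign1
            return _congruence(t1, mu, lambda s: (k, s, t2))
        if not is_value(t2):                                      # E-App2, E-Assign2
            return _congruence(t2, mu, lambda s: (k, t1, s))
        if k == "app" and t1[0] == "abs":                         # E-AppAbs
            return subst(t1[1], t2, t1[3]), mu
        if k == "assign" and t1[0] == "loc":                      # E-Assign: [l ↦ v2]µ
            return UNIT, {**mu, t1[1]: t2}
    elif k in ("ref", "deref"):
        if not is_value(t[1]):                                    # E-Ref, E-Deref
            return _congruence(t[1], mu, lambda s: (k, s))
        if k == "ref":                                            # E-RefV: fresh l ∉ dom(µ)
            l = next(i for i in range(len(mu) + 1) if i not in mu)
            return ("loc", l), {**mu, l: t[1]}
        if t[1][0] == "loc" and t[1][1] in mu:                    # E-DerefLoc
            return mu[t[1][1]], mu
    return None                                   # a value, or a stuck term

def typeof(ctx, sigma, t):
    """Γ | Σ ⊢ t : T; raises TypeError (or KeyError) when no rule applies."""
    k = t[0]
    if k == "var":                                                # T-Var
        return ctx[t[1]]
    if k == "abs":                                                # T-Abs
        return ("Arrow", t[2], typeof({**ctx, t[1]: t[2]}, sigma, t[3]))
    if k == "app":                                                # T-App
        f, a = typeof(ctx, sigma, t[1]), typeof(ctx, sigma, t[2])
        if f[0] != "Arrow" or f[1] != a:
            raise TypeError("ill-typed application")
        return f[2]
    if k == "unit":                                               # T-Unit
        return "Unit"
    if k == "loc":                                                # T-Loc: consult Σ, not µ
        return ("Ref", sigma[t[1]])
    if k == "ref":                                                # T-Ref
        return ("Ref", typeof(ctx, sigma, t[1]))
    if k == "deref":                                              # T-Deref
        r = typeof(ctx, sigma, t[1])
        if r[0] != "Ref":
            raise TypeError("dereference of a non-reference")
        return r[1]
    if k == "assign":                                             # T-Assign
        r, v = typeof(ctx, sigma, t[1]), typeof(ctx, sigma, t[2])
        if r != ("Ref", v):
            raise TypeError("assignment of the wrong type")
        return "Unit"
    raise TypeError(f"unknown term {t!r}")

def store_well_typed(ctx, sigma, mu):
    """Γ | Σ ⊢ µ (13.5.1): dom(µ) = dom(Σ) and Γ | Σ ⊢ µ(l) : Σ(l) for all l."""
    return set(mu) == set(sigma) and all(
        typeof(ctx, sigma, v) == sigma[l] for l, v in mu.items())

def run(t, max_steps=1000):
    """Evaluate closed t from µ = ∅, growing Σ for fresh cells (13.5.3) and checking preservation."""
    T = typeof({}, {}, t)
    sigma, mu = {}, {}
    for _ in range(max_steps):
        r = step(t, mu)
        if r is None:
            break
        t, mu = r
        for l in mu.keys() - sigma.keys():           # Σ′ = Σ, l:T1 for the fresh l
            sigma = {**sigma, l: typeof({}, sigma, mu[l])}
        assert typeof({}, sigma, t) == T and store_well_typed({}, sigma, mu)
    return t, mu, sigma

def sample_program():
    """(λr:Ref (Unit→Unit). (λ_:Unit. !r) (r := λy:Unit. unit)) (ref (λx:Unit. x))"""
    ident = ("abs", "x", "Unit", ("var", "x"))
    const = ("abs", "y", "Unit", UNIT)
    body = ("app", ("abs", "_", "Unit", ("deref", ("var", "r"))),
            ("assign", ("var", "r"), const))
    return ("app", ("abs", "r", ("Ref", ("Arrow", "Unit", "Unit")), body), ("ref", ident))
```

The sample program allocates a cell holding the identity function, overwrites it through the sequencing idiom of §13.1, and dereferences it; run returns the final term λy:Unit.unit together with the store {0 ↦ λy:Unit.unit} and the store typing {0 ↦ Unit→Unit}. Because Σ is consulted instead of µ, typeof terminates even for the cyclic stores of §13.4, and because run only ever adds bindings to Σ, it cannot express the type change that the dangling-reference example of §13.1 relies on.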

13.6 Notes

The presentation in this chapter is adapted from a treatment by Harper (1994, 1996). An account in a similar style is given by Wright and Felleisen (1994). The combination of references (or other computational effects) with ML-style polymorphic type inference raises some quite subtle problems (cf. §22.7) and has received a good deal of attention in the research literature. See Tofte (1990), Hoang et al. (1993), Jouvelot and Gifford (1991), Talpin and Jouvelot (1992), Leroy and Weis (1991), Wright (1992), Harper (1994, 1996), and the references cited there. Static prediction of possible aliasing is a long-standing problem both in compiler implementation (where it is called alias analysis) and in programming language theory. An influential early attempt by Reynolds (1978, 1989) coined the term syntactic control of interference. These ideas have recently seen a burst of new activity—see O’Hearn et al. (1995) and Smith et al. (2000). More general reasoning techniques for aliasing are discussed in Reynolds (1981) and Ishtiaq and O’Hearn (2001) and other references cited there. A comprehensive discussion of garbage collection can be found in Jones and Lins (1996). A more semantic treatment is given by Morrisett et al. (1995).

    Find out the cause of this effect,
    Or rather say, the cause of this defect,
    For this effect defective comes by cause.
        —Hamlet II, ii, 101

    The finger pointing at the moon is not the moon.
        —Buddhist saying

14

Exceptions

In Chapter 13 we saw how to extend the simple operational semantics of the pure simply typed lambda-calculus with mutable references and considered the effect of this extension on the typing rules and type safety proofs. In this chapter, we treat another extension to our original computational model: raising and handling exceptions. Real-world programming is full of situations where a function needs to signal to its caller that it is unable to perform its task for some reason—because some calculation would involve a division by zero or an arithmetic overflow, a lookup key is missing from a dictionary, an array index went out of bounds, a file could not be found or opened, some disastrous event occurred such as the system running out of memory or the user killing the process, etc. Some of these exceptional conditions can be signaled by making the function return a variant (or option), as we saw in §11.10. But in situations where the exceptional conditions are truly exceptional, we may not want to force every caller of our function to deal with the possibility that they may occur. Instead, we may prefer that an exceptional condition causes a direct transfer of control to an exception handler defined at some higher-level in the program—or indeed (if the exceptional condition is rare enough or if there is nothing that the caller can do anyway to recover from it) simply aborts the program. We first consider the latter case (§14.1), where an exception is a whole-program abort, then add a mechanism for trapping and recovering from exceptions (§14.2), and finally refine both of these mechanisms to allow extra programmer-specified data to be passed between exception sites and handlers (§14.3).

The systems studied in this chapter are the simply typed lambda-calculus (Figure 9-1) extended with various primitives for exceptions and exception handling (Figures 14-1 and 14-2). The OCaml implementation of the first extension is fullerror. The language with exceptions carrying values (Figure 14-3) is not implemented.

Figure 14-1: Errors                                  Extends λ→ (9-1)

New syntactic forms

    t ::= ...                  terms:
        error                    run-time error

New evaluation rules                                 t ⟶ t′

    error t2 ⟶ error                                 (E-AppErr1)

    v1 error ⟶ error                                 (E-AppErr2)

New typing rules                                     Γ ⊢ t : T

    Γ ⊢ error : T                                    (T-Error)

14.1 Raising Exceptions

Let us start by enriching the simply typed lambda-calculus with the simplest possible mechanism for signaling exceptions: a term error that, when evaluated, completely aborts evaluation of the term in which it appears. Figure 14-1 details the needed extensions.

The main design decision in writing the rules for error is how to formalize “abnormal termination” in our operational semantics. We adopt the simple expedient of letting error itself be the result of a program that aborts. The rules E-AppErr1 and E-AppErr2 capture this behavior. E-AppErr1 says that, if we encounter the term error while trying to reduce the left-hand side of an application to a value, we should immediately yield error as the result of the application. Similarly, E-AppErr2 says that, if we encounter an error while we are working on reducing the argument of an application to a value, we should abandon work on the application and immediately yield error.

Observe that we have not included error in the syntax of values—only the syntax of terms. This guarantees that there will never be an overlap between the left-hand sides of the E-AppAbs and E-AppErr2 rules—i.e., there is no ambiguity as to whether we should evaluate the term (λx:Nat.0) error by performing the application (yielding 0 as result) or aborting: only the latter is possible. Similarly, the fact that we used the metavariable v1 (rather than t1, ranging over arbitrary terms) in E-AppErr2 forces the evaluator to wait until the left-hand side of an application is reduced to a value before aborting it, even if the right-hand side is error. Thus, a term like (fix (λx:Nat.x)) error will diverge instead of aborting. These conditions ensure that the evaluation relation remains deterministic.

The typing rule T-Error is also interesting. Since we may want to raise an exception in any context, the term error is allowed to have any type whatsoever. In

    (λx:Bool.x) error;

it has type Bool. In

    (λx:Bool.x) (error true);

it has type Bool→Bool. This flexibility in error’s type raises some difficulties in implementing a typechecking algorithm, since it breaks the property that every typable term in the language has a unique type (Theorem 9.3.3). This can be dealt with in various ways. In a language with subtyping, we can assign error the minimal type Bot (see §15.4), which can be promoted to any other type as necessary. In a language with parametric polymorphism (see Chapter 23), we can give error the polymorphic type ∀X.X, which can be instantiated to any other type. Both of these tricks allow infinitely many possible types for error to be represented compactly by a single type.

14.1.1 Exercise [«]: Wouldn’t it be simpler just to require the programmer to annotate error with its intended type in each context where it is used?

The type preservation property for the language with exceptions is the same as always: if a term has type T and we let it evaluate one step, the result still has type T. The progress property, however, needs to be refined a little. In its original form, it said that a well-typed program must evaluate to a value (or diverge). But now we have introduced a non-value normal form, error, which can certainly be the result of evaluating a well-typed program. We need to restate progress to allow for this.

14.1.2 Theorem [Progress]: Suppose t is a closed, well-typed normal form. Then either t is a value or t = error.

14.2 Handling Exceptions

The evaluation rules for error can be thought of as “unwinding the call stack,” discarding pending function calls until the error has propagated all

the way to the top level. In real implementations of languages with exceptions, this is exactly what happens: the call stack consists of a set of activation records, one for each active function call; raising an exception causes activation records to be popped off the call stack until it becomes empty. In most languages with exceptions, it is also possible to install exception handlers in the call stack. When an exception is raised, activation records are popped off the call stack until an exception handler is encountered, and evaluation then proceeds with this handler. In other words, the exception functions as a non-local transfer of control, whose target is the most recently installed exception handler (i.e., the nearest one on the call stack).

Our formulation of exception handlers, summarized in Figure 14-2, is similar to both ML and Java. The expression try t1 with t2 means “return the result of evaluating t1, unless it aborts, in which case evaluate the handler t2 instead.” The evaluation rule E-TryV says that, when t1 has been reduced to a value v1, we may throw away the try, since we know now that it will not be needed. E-TryError, on the other hand, says that, if evaluating t1 results in error, then we should replace the try with t2 and continue evaluating from there. E-Try tells us that, until t1 has been reduced to either a value or error, we should just keep working on it and leave t2 alone.

The typing rule for try follows directly from its operational semantics. The result of the whole try can be either the result of the main body t1 or else the result of the handler t2; we simply need to require that these have the same type T, which is also the type of the try. The type safety property and its proof remain essentially unchanged from the previous section.

→ error try                                       Extends λ→ with errors (14-1)

New syntactic forms
    t ::= ...                                     terms:
          try t with t                              trap errors

New evaluation rules                              t -→ t'
    try v1 with t2 -→ v1                          (E-TryV)
    try error with t2 -→ t2                       (E-TryError)

          t1 -→ t1'
    ---------------------------------             (E-Try)
    try t1 with t2 -→ try t1' with t2

New typing rules                                  Γ ⊢ t : T
    Γ ⊢ t1 : T    Γ ⊢ t2 : T
    ------------------------                      (T-Try)
    Γ ⊢ try t1 with t2 : T

Figure 14-2: Error handling

14.3 Exceptions Carrying Values

→ exceptions                                      Extends λ→ (9-1)

New syntactic forms
    t ::= ...                                     terms:
          raise t                                   raise exception
          try t with t                              handle exceptions

New evaluation rules                              t -→ t'
    (raise v11) t2 -→ raise v11                   (E-AppRaise1)
    v1 (raise v21) -→ raise v21                   (E-AppRaise2)

          t1 -→ t1'
    ---------------------                         (E-Raise)
    raise t1 -→ raise t1'

    raise (raise v11) -→ raise v11                (E-RaiseRaise)
    try v1 with t2 -→ v1                          (E-TryV)
    try raise v11 with t2 -→ t2 v11               (E-TryRaise)

          t1 -→ t1'
    ---------------------------------             (E-Try)
    try t1 with t2 -→ try t1' with t2

New typing rules                                  Γ ⊢ t : T
    Γ ⊢ t1 : Texn
    ----------------                              (T-Exn)
    Γ ⊢ raise t1 : T

    Γ ⊢ t1 : T    Γ ⊢ t2 : Texn→T
    -----------------------------                 (T-Try)
    Γ ⊢ try t1 with t2 : T

Figure 14-3: Exceptions carrying values

The mechanisms introduced in §14.1 and §14.2 allow a function to signal to its caller that “something unusual happened.” It is generally useful to send back some extra information about which unusual thing has happened, since the action that the handler needs to take—either to recover and try again or to present a comprehensible error message to the user—may depend on this information.

Figure 14-3 shows how our basic exception handling constructs can be enriched so that each exception carries a value. The type of this value is written Texn. For the moment, we leave the precise nature of this type open; below, we discuss several alternatives. The atomic term error is replaced by a term constructor raise t, where t is the extra information that we want to pass to the exception handler. The syntax of try remains the same, but the handler t2 in try t1 with t2 is now interpreted as a function that takes the extra information as an argument. The evaluation rule E-TryRaise implements this behavior, taking the extra information carried by a raise from the body t1 and passing it to the handler t2. E-AppRaise1 and E-AppRaise2 propagate exceptions through applications, just like E-AppErr1 and E-AppErr2 in Figure 14-1. Note, however, that these rules are allowed to propagate only exceptions whose extra information is a value; if we attempt to evaluate a raise with extra information that itself requires some evaluation, these rules will block, forcing us to use E-Raise to evaluate the extra information first. E-RaiseRaise propagates exceptions that may occur while we are evaluating the extra information that is to be sent along in some other exception. E-TryV tells us that we can throw away a try once its main body has reduced to a value, just as we did in §14.2. E-Try directs the evaluator to work on the body of a try until it becomes either a value or a raise.

The typing rules reflect these changes in behavior. In T-Exn, the typing rule for raise, we demand that the extra information has type Texn; the whole raise can then be given any type T that may be required by the context. In T-Try, we check that the handler t2 is a function that, given the extra information of type Texn, yields a result of the same type as t1.

Finally, let us consider some alternatives for the type Texn.

1. We can take Texn to be just Nat. This corresponds to the errno convention used, for example, by Unix operating system functions: each system call returns a numeric “error code,” with 0 signaling success and other values reporting various exceptional conditions.

2. We can take Texn to be String, which avoids looking up error numbers in tables and allows exception-raising sites to construct more descriptive messages if they wish. The cost of this extra flexibility is that error handlers may now have to parse these strings to find out what happened.

3. We can keep the ability to pass more informative exceptions while avoiding string parsing if we define Texn to be a variant type:

    Texn = <divideByZero:Unit, overflow:Unit, fileNotFound:String, fileNotReadable:String, ...>

This scheme allows a handler to distinguish between kinds of exceptions using a simple case expression. Also, different exceptions can carry different types of additional information: exceptions like divideByZero need no extra baggage, fileNotFound can carry a string indicating which file was being opened when the error occurred, etc. The problem with this alternative is that it is rather inflexible, demanding that we fix in advance the complete set of exceptions that can be raised by

any program (i.e., the set of tags of the variant type Texn). This leaves no room for programmers to declare application-specific exceptions.

4. The same idea can be refined to leave room for user-defined exceptions by taking Texn to be an extensible variant type. ML adopts this idea, providing a single extensible variant type called exn.[1] The ML declaration exception l of T can be understood, in the present setting, as “make sure that l is different from any tag already present in the variant type Texn,[2] and from now on let Texn be <l1:T1, ..., ln:Tn, l:T>, where l1:T1 through ln:Tn were the possible variants before this declaration.” The ML syntax for raising exceptions is raise l(t), where l is an exception tag defined in the current scope. This can be understood as a combination of the tagging operator and our simple raise:

    raise l(t)   def=   raise (<l=t> as Texn)

Similarly, the ML try construct can be desugared using our simple try plus a case.

    try t with l(x) → h   def=   try t with λe:Texn. case e of <l=x> ⇒ h | _ ⇒ raise e

The case checks whether the exception that has been raised is tagged with l. If so, it binds the value carried by the exception to the variable x and evaluates the handler h. If not, it falls through to the else clause, which re-raises the exception. The exception will keep propagating (and perhaps being caught and re-raised) until it either reaches a handler that wants to deal with it, or else reaches the top level and aborts the whole program.

5. Java uses classes instead of extensible variants to support user-defined exceptions. The language provides a built-in class Throwable; an instance of Throwable or any of its subclasses can be used in a throw (same as our raise) or try...catch (same as our try...with) statement. New exceptions can be declared simply by defining new subclasses of Throwable. There is actually a close correspondence between this exception-handling mechanism and that of ML. Roughly speaking, an exception object in Java is represented at run time by a tag indicating its class (which corresponds directly to the extensible variant tag in ML) plus a record of instance variables (corresponding to the extra information labeled by this tag). Java exceptions go a little further than ML in a couple of respects. One is that there is a natural partial order on exception tags, generated by the subclass ordering. A handler for the exception l will actually trap all exceptions carrying an object of class l or any subclass of l. Another is that Java distinguishes between exceptions (subclasses of the built-in class Exception—a subclass of Throwable), which application programs might want to catch and try to recover from, and errors (subclasses of Error—also a subclass of Throwable), which indicate serious conditions that should normally just terminate execution. The key difference between the two lies in the typechecking rules, which demand that methods explicitly declare which exceptions (but not which errors) they might raise.

[1] One can go further and provide extensible variant types as a general language feature, but the designers of ML have chosen to simply treat exn as a special case.
[2] Since the exception form is a binder, we can always ensure that l is different from the tags already used in Texn by alpha-converting it if necessary.

14.3.1 Exercise [«««]: The explanation of extensible variant types in alternative 4 above is rather informal. Show how to make it precise.
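The evaluation and typing rules of §14.2 and §14.3, together with the desugaring of labelled exceptions in alternative 4, as an added, runnable example in Python. It is not the book's code and not its OCaml fullerror checker. Its assumptions: terms are closed tuples and base values are written ('lit', v, T); Texn is fixed to the variant type of alternative 3 with only the divideByZero and fileNotFound tags; a raise inside a pending tag or ascription is propagated the way E-AppRaise1/2 propagate it through an application (the figure states no such rules, since it extends the pure λ→); and the variable e introduced by try_l is assumed not to occur free in the handler. The typechecker is bidirectional: raise and case are check-only, which is the practical answer to Exercise 14.1.1, and ascription (t as T, from Chapter 11) supplies an expected type where the context has none. The names raise_l, try_l, lookup, recovered and passthrough are this example's own.

```python
# Added example, not the book's code: small-step evaluator and bidirectional
# typechecker for the lambda-calculus with exceptions carrying values (Figure 14-3),
# plus variants, case and ascription so the ML desugaring of raise l(t) and
# try t with l(x) -> h can be run. Terms are closed tuples (assumptions: see lead-in).
UNIT, NAT, STRING = "Unit", "Nat", "String"
def arr(a, b): return ("arr", a, b)
def variant(**fs): return ("variant", tuple(sorted(fs.items())))
def lit(v, T): return ("lit", v, T)
T_EXN = variant(divideByZero=UNIT, fileNotFound=STRING)   # alternative 3, fixed here

def is_value(t): return t[0] in ("lit", "abs") or (t[0] == "tag" and is_value(t[2]))
def is_raise(t): return t[0] == "raise" and is_value(t[1])   # raise v: a normal form

def subst(x, v, t):   # [x -> v]t for a closed value v: no capture, only shadowing
    k = t[0]
    if k in ("var", "lit"): return v if k == "var" and t[1] == x else t
    if k == "abs":   return t if t[1] == x else ("abs", t[1], t[2], subst(x, v, t[3]))
    if k == "app":   return ("app", subst(x, v, t[1]), subst(x, v, t[2]))
    if k == "raise": return ("raise", subst(x, v, t[1]))
    if k == "try":   return ("try", subst(x, v, t[1]), subst(x, v, t[2]))
    if k == "tag":   return ("tag", t[1], subst(x, v, t[2]), t[3])
    if k == "as":    return ("as", subst(x, v, t[1]), t[2])
    return ("case", subst(x, v, t[1]),
            tuple((l, y, b if y == x else subst(x, v, b)) for l, y, b in t[2]))

def step(t):
    """One step of Figure 14-3 (plus variant/ascription rules); None on a normal form."""
    k = t[0]
    if k == "try":                                     # the only form that traps a raise
        if is_value(t[1]): return t[1]                                # E-TryV
        if is_raise(t[1]): return ("app", t[2], t[1][1])              # E-TryRaise
        return ("try", step1(t[1]), t[2])                             # E-Try
    # Strict positions, left to right: a raise there propagates, a non-value steps.
    for i in {"app": (1, 2), "raise": (1,), "as": (1,), "tag": (2,), "case": (1,)}.get(k, ()):
        if is_raise(t[i]): return t[i]                # E-AppRaise1/2, E-RaiseRaise, ...
        if not is_value(t[i]): return t[:i] + (step1(t[i]),) + t[i + 1:]   # E-App1/2, E-Raise
    if k == "app": return subst(t[1][1], t[2], t[1][3])               # E-AppAbs
    if k == "as":  return t[1]                                        # E-Ascribe
    if k == "case":
        for l, y, body in t[2]:                                       # E-CaseVariant
            if l == t[1][1]: return subst(y, t[1][2], body)
            if l == "_":     return body
    return None                                                       # a value, or raise v

def step1(t):                        # step a term that, if well typed, cannot be stuck
    n = step(t)
    if n is None: raise RuntimeError("stuck (ill-typed) term: %r" % (t,))
    return n

def evaluate(t):                     # normal form: by progress, a value or raise v
    while (n := step(t)) is not None: t = n
    return t

def arm_ctx(ctx, T0, l, y):          # a case arm binds y to the payload type of tag l
    return ctx if l == "_" else {**ctx, y: dict(T0[1])[l]}
def infer(ctx, t):                   # synthesise a type; raise and case are check-only
    k = t[0]
    if k == "var": return ctx[t[1]]
    if k == "lit": return t[2]
    if k == "abs": return arr(t[2], infer({**ctx, t[1]: t[2]}, t[3]))
    if k == "as":  check(ctx, t[1], t[2]); return t[2]                # T-Ascribe
    if k == "tag": check(ctx, t[2], dict(t[3][1])[t[1]]); return t[3] # T-Variant
    if k == "try": T = infer(ctx, t[1]); check(ctx, t[2], arr(T_EXN, T)); return T  # T-Try
    if k == "app":                                                    # T-App
        f = infer(ctx, t[1])
        if f[0] != "arr": raise TypeError("arrow type expected")
        check(ctx, t[2], f[1]); return f[2]
    raise TypeError("%s has no unique type; check it against one (cf. Exercise 14.1.1)" % k)

def check(ctx, t, T):
    """Check t against T: this is where T-Exn's 'any T' lives."""
    k = t[0]
    if k == "raise": check(ctx, t[1], T_EXN)                          # T-Exn
    elif k == "try": check(ctx, t[1], T); check(ctx, t[2], arr(T_EXN, T))  # T-Try
    elif k == "abs" and T[0] == "arr" and T[1] == t[2]:
        check({**ctx, t[1]: t[2]}, t[3], T[2])
    elif k == "case":
        T0 = infer(ctx, t[1])
        for l, y, body in t[2]: check(arm_ctx(ctx, T0, l, y), body, T)
    else:
        got = infer(ctx, t)
        if got != T: raise TypeError("expected %r, got %r" % (T, got))

def typechecks(t, T):
    try: check({}, t, T); return True
    except (TypeError, KeyError): return False

def raise_l(l, t):      # raise l(t)  =  raise (<l=t> as Texn)
    return ("raise", ("tag", l, t, T_EXN))
def try_l(t, l, x, h):  # try t with l(x) -> h  =  try t with λe:Texn. case e of <l=x> => h | _ => raise e
    arms = ((l, x, h), ("_", None, ("raise", ("var", "e"))))          # 'e' assumed fresh
    return ("try", t, ("abs", "e", T_EXN, ("case", ("var", "e"), arms)))

# Constructed samples. lookup always fails with the name it was given; its raise
# is ascribed Nat because a bare raise has no synthesised type.
lookup = ("abs", "f", STRING, ("as", raise_l("fileNotFound", ("var", "f")), NAT))
recovered = try_l(("app", lookup, lit("/etc/shadow", STRING)), "fileNotFound", "f", lit(0, NAT))
# A handler traps only its own tag; anything else is re-raised to the next one out.
passthrough = try_l(try_l(raise_l("divideByZero", lit((), UNIT)), "fileNotFound", "f", lit(0, NAT)),
                    "divideByZero", "u", lit(1, NAT))
```

evaluate(recovered) returns ('lit', 0, 'Nat'), and evaluate(passthrough) returns ('lit', 1, 'Nat'): the inner handler's wildcard arm re-raises the divideByZero it did not ask for, so the outer handler sees it. An uncaught raise comes back from evaluate as the term raise v itself, the refined progress property of 14.1.2 at work, and since the calculus has no fix, evaluate needs no step bound. A handler whose result type differs from the body's, such as one returning the String payload where a Nat is expected, is rejected by T-Try; a raise with the wrong payload type, or with a tag outside Texn, is rejected by T-Exn.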

14.3.2 Exercise [««««]: We noted above that Java exceptions (those that are subclasses of Exception) are a bit more strictly controlled than exceptions in ML (or the ones we have defined here): every exception that might be raised by a method must be declared in the method’s type. Extend your solution to Exercise 14.3.1 so that the type of a function indicates not only its argument and result types, but also the set of exceptions that it may raise. Prove that your system is typesafe.

14.3.3 Exercise [«««]: Many other control constructs can be formalized using techniques similar to the ones we have seen in this chapter. Readers familiar with the “call with current continuation” (call/cc) operator of Scheme (see Clinger, Friedman, and Wand, 1985; Kelsey, Clinger, and Rees, 1998; Dybvig, 1996; Friedman, Wand, and Haynes, 2001) may enjoy trying to formulate typing rules based on a type Cont T of T-continuations—i.e., continuations that expect an argument of type T.

Part III  Subtyping

15 Subtyping

We have spent the last several chapters studying the typing behavior of a variety of language features within the framework of the simply typed lambda-calculus. This chapter addresses a more fundamental extension: subtyping (sometimes called subtype polymorphism). Unlike the features we have studied up to now, which could be formulated more or less orthogonally to each other, subtyping is a cross-cutting extension, interacting with most other language features in non-trivial ways. Subtyping is characteristically found in object-oriented languages and is often considered an essential feature of the object-oriented style. We will explore this connection in detail in Chapter 18; for now, though, we present subtyping in a more economical setting with just functions and records, where most of the interesting issues already appear. §15.5 discusses the combination of subtyping with some of the other features we have seen in previous chapters. In the final section (15.6) we consider a more refined semantics for subtyping, in which the use of subtyping corresponds to the insertion of run-time coercions.

15.1 Subsumption

Without subtyping, the rules of the simply typed lambda-calculus can be annoyingly rigid. The type system’s insistence that argument types exactly match the domain types of functions will lead the typechecker to reject many programs that, to the programmer, seem obviously well-behaved. For example, recall the typing rule for function application:

    Γ ⊢ t1 : T11→T12    Γ ⊢ t2 : T11
    --------------------------------              (T-App)
           Γ ⊢ t1 t2 : T12

The calculus studied in this chapter is λ

25 An ML Implementation of System F

    let termShiftAbove d c t =
      tmmap
        (fun fi c x n -> if x>=c then TmVar(fi,x+d,n+d) else TmVar(fi,x,n+d))
        (typeShiftAbove d)
        c t

    let termShift d t = termShiftAbove d 0 t

On term variables, we check the cutoff and construct a new variable, just as we did in typeShiftAbove. For types, we call the type shifting function defined in the previous section.


The function for substituting one term into another is similar.

    let termSubst j s t =
      tmmap
        (fun fi j x n -> if x=j then termShift j s else TmVar(fi,x,n))
        (fun j tyT -> tyT)
        j t

Note that type annotations are not changed by termSubst (types cannot contain term variables, so a term substitution will never affect them). We also need a function for substituting a type into a term—used, for example, in the evaluation rule for type applications:

    (λX.t12) [T2] -→ [X ↦ T2]t12                  (E-TappTabs)

This one can also be defined using the term mapper:

    let rec tytermSubst tyS j t =
      tmmap
        (fun fi c x n -> TmVar(fi,x,n))
        (fun j tyT -> typeSubst tyS j tyT)
        j t

This time, the function that we pass to tmmap for dealing with term variables is the identity (it just reconstructs the original term variable); when we reach a type annotation, we perform a type-level substitution on it. Finally, as we did for types, we define convenience functions packaging the basic substitution functions for use by eval and typeof.

    let termSubstTop s t =
      termShift (-1) (termSubst 0 (termShift 1 s) t)

    let tytermSubstTop tyS t =
      termShift (-1) (tytermSubst (typeShift 1 tyS) 0 t)

25.4 Evaluation

The extensions to the eval function are straightforward transcriptions of the evaluation rules introduced in Figures 23-1 and 24-1. The hard work is done by the substitution functions defined in the previous section.

    let rec eval1 ctx t = match t with
      ...
      | TmTApp(fi,TmTAbs(_,x,t11),tyT2) ->
          tytermSubstTop tyT2 t11
      | TmTApp(fi,t1,tyT2) ->
          let t1' = eval1 ctx t1 in
          TmTApp(fi, t1', tyT2)
      | TmUnpack(fi,_,_,TmPack(_,tyT11,v12,_),t2) when isval ctx v12 ->
          tytermSubstTop tyT11 (termSubstTop (termShift 1 v12) t2)
      | TmUnpack(fi,tyX,x,t1,t2) ->
          let t1' = eval1 ctx t1 in
          TmUnpack(fi,tyX,x,t1',t2)
      | TmPack(fi,tyT1,t2,tyT3) ->
          let t2' = eval1 ctx t2 in
          TmPack(fi,tyT1,t2',tyT3)
      ...

25.4.1 Exercise [«]: Why is the termShift needed in the first TmUnpack case?

25.5 Typing

The new clauses of the typeof function also follow directly from the typing rules for type abstraction and application and for packing and opening existentials. We show the full definition of typeof, so that the new TmTAbs and TmTApp clauses may be compared with the old clauses for ordinary abstraction and application.

    let rec typeof ctx t =
      match t with
        TmVar(fi,i,_) -> getTypeFromContext fi ctx i
      | TmAbs(fi,x,tyT1,t2) ->
          let ctx' = addbinding ctx x (VarBind(tyT1)) in
          let tyT2 = typeof ctx' t2 in
          TyArr(tyT1, typeShift (-1) tyT2)
      | TmApp(fi,t1,t2) ->
          let tyT1 = typeof ctx t1 in
          let tyT2 = typeof ctx t2 in
          (match tyT1 with
              TyArr(tyT11,tyT12) ->
                if (=) tyT2 tyT11 then tyT12
                else error fi "parameter type mismatch"
            | _ -> error fi "arrow type expected")
      | TmTAbs(fi,tyX,t2) ->
          let ctx = addbinding ctx tyX TyVarBind in
          let tyT2 = typeof ctx t2 in
          TyAll(tyX,tyT2)
      | TmTApp(fi,t1,tyT2) ->
          let tyT1 = typeof ctx t1 in
          (match tyT1 with
              TyAll(_,tyT12) -> typeSubstTop tyT2 tyT12
            | _ -> error fi "universal type expected")
      | TmPack(fi,tyT1,t2,tyT) ->
          (match tyT with
              TySome(tyY,tyT2) ->
                let tyU = typeof ctx t2 in
                let tyU' = typeSubstTop tyT1 tyT2 in
                if (=) tyU tyU' then tyT
                else error fi "doesn't match declared type"
            | _ -> error fi "existential type expected")
      | TmUnpack(fi,tyX,x,t1,t2) ->
          let tyT1 = typeof ctx t1 in
          (match tyT1 with
              TySome(tyY,tyT11) ->
                let ctx' = addbinding ctx tyX TyVarBind in
                let ctx'' = addbinding ctx' x (VarBind tyT11) in
                let tyT2 = typeof ctx'' t2 in
                typeShift (-2) tyT2
            | _ -> error fi "existential type expected")

The most interesting new clause is the one for TmUnpack. It involves the following steps. (1) We check the subexpression t1 and ensure that it has an existential type {∃X.T11}. (2) We extend the context Γ with a type-variable binding X and a term-variable binding x:T11, and check that t2 has some type T2. (3) We shift the indices of free variables in T2 down by two, so that it makes sense with respect to the original Γ. (4) We return the resulting type as the type of the whole let...in... expression. Clearly, if X occurs free in T2, then the shift in step (3) will yield a nonsensical type containing free variables with negative indices; typechecking must fail at this point. We can ensure this by redefining typeShiftAbove so that it notices when it is about to construct a type variable with a negative index and signals an error instead of returning nonsense.

    let typeShiftAbove d c tyT =
      tymap
        (fun c x n ->
           if x>=c then
             (* the inner branch is reconstructed from the description above:
                refuse to build a variable with a negative index *)
             if x+d<0 then err "Scoping error!"
             else TyVar(x+d,n+d)
           else TyVar(x,n+d))
        c tyT
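The shifting and substitution functions of this section and the negative-index check just described, as an added example in Python (the book's own implementation is OCaml; this is not its code). Types are tuples: ("var", k) for the variable with de Bruijn index k, ("arr", a, b), ("all", body), ("some", body) and ("nat",); the context-length field n that the book's TyVar carries is omitted, an assumption, since it serves only as a consistency check. type_shift_above, type_shift, type_subst and type_subst_top play the roles of typeShiftAbove, typeShift, typeSubst and typeSubstTop; unpack_result_type is step (3) of the TmUnpack clause; unpack_escapes and ScopingError are this example's own names.

```python
# Added example, not the book's code (which is OCaml): de Bruijn shifting and
# substitution on types, with the negative-index check described above.
# Types: ("var", k) with index k, ("arr", a, b), ("all", body), ("some", body), ("nat",).
# The context-length field n of the book's TyVar is omitted (an assumption).

class ScopingError(Exception):
    """A shift would produce a negative index: a bound type variable is escaping."""

def tymap(on_var, c, ty):
    """Apply on_var(cutoff, index) to each variable; the cutoff grows under binders."""
    k = ty[0]
    if k == "var": return on_var(c, ty[1])
    if k == "arr": return ("arr", tymap(on_var, c, ty[1]), tymap(on_var, c, ty[2]))
    if k in ("all", "some"): return (k, tymap(on_var, c + 1, ty[1]))
    return ty

def type_shift_above(d, c, ty):
    """typeShiftAbove: shift free variables (index >= c) by d, never below zero."""
    def on_var(c, x):
        if x < c: return ("var", x)                   # bound inside ty: untouched
        if x + d < 0: raise ScopingError("type variable %d would escape its scope" % x)
        return ("var", x + d)
    return tymap(on_var, c, ty)

def type_shift(d, ty): return type_shift_above(d, 0, ty)

def type_subst(s, j, ty):
    """typeSubst: [j -> s]ty, shifting s by the number of binders crossed at each use."""
    return tymap(lambda c, x: type_shift(c - j, s) if x == c else ("var", x), j, ty)

def type_subst_top(s, ty):
    """typeSubstTop: instantiate the outermost binder, [0 -> s]body, then close the gap."""
    return type_shift(-1, type_subst(type_shift(1, s), 0, ty))

def unpack_result_type(ty_t2):
    """Step (3) of the TmUnpack clause: ty_t2 was found under X (index 1) and x (index 0);
    shifting by -2 returns it to the original context and fails iff X occurs in it."""
    return type_shift(-2, ty_t2)

def unpack_escapes(ty_t2):
    """True iff the body of let {X, x} = t1 in t2 has a type that mentions X."""
    try:
        unpack_result_type(ty_t2)
        return False
    except ScopingError:
        return True
```

type_subst_top(("var", 0), ("all", ("arr", ("var", 1), ("var", 0)))) returns ("all", ("arr", ("var", 1), ("var", 0))): the substituted variable is shifted under the binder it crosses, so it still names the same outer variable. unpack_result_type(("arr", ("var", 1), ("nat",))) raises ScopingError, because index 1 is the unpacked X; this is the check that keeps an abstract type from leaking out of the scope of its unpack, which is what makes existential packages a usable abstraction boundary.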
