Information y=&w

[nformation Processing Letters 51 (1994) 201-206

A simplified account of polymorphic references

Robert Harper School of Computer Science, Carnegie Mellon Universily, Pittsburgh, PA 15213-3891, USA

Communicated by R. Bird; received 2 February 1994

Abstract

A proof of the soundness of Tofte’s imperative type discipline with respect to a structured operational semantics is given. The presentation is based on a semantic formalism that combines the benefits of the approaches considered by Wright and Felleisen, and by Tofte, leading to a particularly simple proof of soundness of Tofte’s type discipline.

Key words: Formal semantics; Functional programming; Programming languages; Type theory; References and assignment

1. Introduction

The extension of Damas and Milner’s polymorphic type system for pure functional programs [2] to accomodate mutable cells has proved to be problematic. The naiive extension of the pure language with operations to allocate a cell, and to retrieve and modify its contents is unsound [ill. The problem has received considerable attention, notably by Damas [3], Tofte [lO,ll], and Leroy and Weiss [7]. Tofte’s solution is based on a greatest fixed point construction to define the semantic typing relation [ 111 (see also [81X This method has been subsequently used by Leroy and Weiss [7] and Talpin and Jouvelot [9]. It was subsequently noted by Wright and Felleisen [13] that the proof of soundness can be substantially simplified if the argument is made by induction on the length of an execution sequence, rather than on the structure of the typing derivation. Using this method they establish the soundness of a restriction of the language to require that let-bound expressions be values. In this note we present an alternative proof of the soundness of Tofte’s imperative type discipline using a semantic framework that is intermediate between that of Wright and Felleisen and that of Tofte. The formalism considered admits a very simple and intuitively appealing proof of the soundness of Tofte’s type discipline, and may be of some use in subsequent studies of this and related problems.

2. A language with mutable data structures

The syntax of our illustrative language is given by the following grammar:

expressions e :: = x 1 I I unit I ref e I e, := e2 1 !e I Ax . e I e1e2 I let x be e, in e2

values ~1 :: = x ( 1 I unit I hx.e

0020-1090/94/$07.00 0 1994 Elsevier Science B.V. All rights reserved SSDI 0020-0190(94)00090-L

202 R. Harper/Information Processing Letters 51 (1994) 201-206

The meta-variable x ranges over a countably infinite set of variables, and the meta-variable 1 ranges over a countably infinite set of locations. In the above grammar unit is a constant, ref and ! are one-argument primitive operations, and := is a two-argument primitive operation. Capture-avoiding substitution of a value c’ for a free variable x in an expression e is written [v/x]e.

The syntax of type expressions is given by the following grammar:

monotypes 7 ::= tIunit(7ref(7,p72

~&typ~~ u .:= 71vt.a

The meta-variable t ranges over a countably infinite set of type variables. The symbol unit is a distinguished base type, and types of the form T ref stand for the type of references to values of type T.

The set FTV((r) of type variables occurring freely in a polytype (T is defined as usual, as is the operation of capture-avoiding substitution of a monotype T for free occurrences of a type variable t in a polytype (T, written [~/flu.

A variable typing is a function mapping a finite set of variables to polytypes. The meta-variable y ranges over variable typings. The polytype assigned to a variable x in a variable typing y is y(x), and the variable typing y[ x:a] is defined so that the variable x is assigned the polytype U, and a variable x’ # x is assigned the polytype y(x’). The set of type variables occuring freely in a variable typing y, written FTV( y), is defined to be lJ x E dom(y) FTV(y(x)). A location typing is a function mapping a finite set of locations to monotypes. The meta-variable A ranges over location typings. Notational conventions similar to those for variable typings are used for location typings.

Polymorphic type assignment is defined by a set of rules for deriving judgements of the form A;y + e : T, with the intended meaning that the expression e has type T under the assumption that the locations in e have the monotypes ascribed by A, and the free variables in e have the polytypes ascribed by y. The rules of inference are given in Table 1. These rules make use of two auxiliary notions. The polymorphic instance relation (T > r is defined to hold iff v is a polytype of the form Vt, . . .V~,,.T' and T

is a monotype of the form [T,, . . . ,7,/t,, . . , tn#r', where r,, . . . , T, are monotypes. This relation is extended to polytypes by defining u > u’ iff u > r whenever u’ 2 T. The polymorphic generalization of a monotype T relative to a location typing A and variable typing y, Close,;,(r), is the polytype Vt, . . . Vtn.~,

where FTV(r)\(FTV(A) U FTV(y)) = {t,, . . , t,}. As a notational convenience, we sometimes write A + e : T for A;@ E e : T and Close,(r) for Close,;fl(r).

The following lemma summarizes some important properties of the type system:

Lemma 2.1. (1) (Weakening) Suppose that A;y + e: T. If 1 P dam(A), then A[l:~l;y k e: T, and if x CL

dam(y), then A;y[x:ul I- e : T. (2) (Substitution) Zf A;y E v : T and A;y[x;ul + e’ : T', and if Close,;,(r) > u, then A;y F [v/xle’ : 7’. (3) (Specialization) If A; y c e : T and Close,;,(T) > r’, then A; y k e : T'.

The proofs are routine inductions on the structure of typing derivations. Substitution is stated only for values, in recognition of the fact that in a call-by-value language only values are ever substituted for variables during evaluation.

3. Semantics and soundness

A memory p is a partial function mapping a finite set of locations to values. The contents of a location 1 E dam(p) is the value p(I), and we write p[I := u] for the memory which assigns to location 1 the value 13 and to a location 1’ # 1 the value ~(1’). Notice that the result may either be an update of p (if 1 E dam(p)) or an extension of p (if 165 dam(p)).

R. Harper/Information Processing Letters 51 (1994) 201-206 203

Table 1 Polymorphic type assignment

A;y t-x: 7 (y(x) >, 7)

A;y+f:~ref (N)=T)

h;y F unit: unit

h;y F e : 7

h;y + ref e : 7 ref

A;y E e, : 7 ref A;y E e, : T

A;Y k e, := e, : Unit

A; y E e : 7 ref

A;y E !e : 7

(VAN

(LOC)

(TRIV)

(REF)

(ASSIGN)

(RETRIEVE)

h;Y[ x:T,] k e : TV

A;y + Ax.e : 7, + Tz (x $ dom( y>> CABS)

A;y + e, : TV + 7 A; y t- e, : r2

A;y + e,e2 : 7 (AR’)

A;y Fe, : 7, A;y [ x:Close,,,(rr 11 I- e2 : T2

A;Y k let x be e, in e2 : 72 cx @ dam(y))

(LET)

The operational semantics of the language is defined by a collection of rules for deriving judgements of the form p l-e * v,$, with the intended meaning that the closed expression e, when evaluated in memory CL, results in value u and memory k. The rules of the semantics are given in Table 2.

The typing relation is extended to memories and location typings by defining p : A to hold iff dam(p) = dam(A), and for every 1 E dam(p), A I- 1: A(E). Notice that the typing relation is defined so that k(I) may mention locations whose type is defined by A. (Compare Tofte’s account [ll].) For example, suppose that cr. is the memory sending location I, to Ax.x + 1, and location 1, to Ay.(!l,)y + 1, and suppose that A is the location typing assigning the type int + int to both I, and 1,. The verification that w : A requires checking that A + Ay.(!r,)y + 1: int + int, which requires determining the type assigned to location I, by A. As pointed out by Tofte [ill, the memory p’ which assigns ~(1,) to both I,, and I, can arise as a result of an assignment statement. To verify that 4 : A requires checking that A I- I: A(l,,), which itself relies on A(/,)! Tofte employs a “greatest fixed point” construction to account for this possibility, but no such machinery is needed here. This is the principal advantage of our formalism. (A similar advantage accrues to Wright and Felleisen’s approach [13] and was suggested to us by them.)

We now turn to the question of soundness of the type system.

Conjecture 3.1. If F t- e * u,p’, and A t- e : T, with F : A, then there exists A’ such that A c A’, p’ : A’, and

A’ k L' : 7.

204 R. Harper / Informatian Processing Letters 51 (1994) 201-206

Table 2 Operatoinal semantics for references

p Erefe-1,p’[l:=~l (I E dom(p’u’)) (ALLOC)

p k e, =) Ax.e;,p, pl E e2 - 1’2,~2 p2 F [ Ls2/xle; * L’,P’

w t- e,ez - r~,j-L (APPLY)

p F let x be e, in e, =) l’z,w2 (BIND)

The intention is to capture the preservation of typing under evaluation, taking account of the fact that evaluation may allocate storage, and hence introduce “new” locations that are not governed by the initial location typing A. Thus the location typing A’ is to be constructed as a function of the evaluation of e, as will become apparent in the sequel.

A proof by induction on the structure of the derivation of /1 t e d rl,d goes through for all cases but BIND. For example, consider the expression ref e. We have p E ref e =) I,p’[l[l := rl] by ALLOC‘, A F ref e : T ref by REF, and F : A. It follows from the definition of ALLOC that p be = l%,r_i, and from the definition of REF that A E e : T. So by induction there is a location typing A’ 2 A such that p’ : A’ and A’ k L’ : T. To complete the proof we need only check that the location typing A” = A’[/ := 71 satisfies the conditions that I*‘[/ := l,] : A” and that A” k 1: T ref, both of which follow from the assumptions and Lemma 2.1(l). The other cases follow a similar pattern, with the exception of rule BIND. To see where the proof breaks down, let us consider the obvious attempt to carry it through. Our assumption is that p k let x be e, in e7 =) L’J.L’ by BIND, A k let x be e, in e2 : r2 by LET, and p : A. It follows that p t-e, * rl,,~, for some value l’, and some memory p,, and that ~1, E [L’,/x]ez * c,k. We also have that A E e, : T, for some monotype T, , and that A;x:Close,(r,) b e2 : 72 for some monotype TV. By induction there is a location typing A, IA such that w,:A, and A, El’,:r,. To complete the proof it suffices to show that

A, + [r~,,'x]e,:~~. This would follow from the typing assumptions governing I’, and e2 by an application of Lemma 2.1(2), provided that we could show that Close,l(r,) > Close,$r,). But this holds iff FTV(A,) 2 FTV(A), which does not necessarily obtain. For example, if e, = reKAx.x) and T, has the form (t + t jref, where t does not occur in A, then Close,(r, 1 generalizes t, whereas Close,$r, I does not. (This observation is due to Tofte, who also goes on to provide a counterexample to the theorem [ll].)

The simplest approach to recovering soundness is to preclude polymorphic generalization on the type of a let-bound expression unless that expression is a value. Under this restriction the proof goes through, for WC can readily see that if p + I’ =P II’+‘, then ~1’ = 11 and d==, and that if p:A and p:A,, with A, 2 A, then A, = A. Consequently, Close,l(r,) = Close,(r, I in the above proof sketch, and this is sufficient to complete the proof. Following Tofte [ll], we deem an expression e non-expansil’e iff

R. Harper/Information Processing Letters 51 (I 994) 201-206 205

p E e * v,$ implies ji = p. By restricting the BIND rule so that e, is non-expansive, we ensure that A, = A, which suffices for the proof. Unfortunately in any interesting language this condition is recursively undecidable, and hence some conservative approximation must be used. Tofte chooses the simple and memorable condition that e, be a (syntactic) value.

The requirement that polymorphic let’s bind values is rather restrictive. Following ideas of MacQueen (unpublished) and Damas [3], Tofte introduced a modification to the type system that admits a more flexible use of polymorphism, without sacrificing soundness. Tofte’s idea is to employ a marking of type variables so as to maintain the invariant that if a type variable can occur in the type of a location in the store, then generalization on that type variable is suppressed. The set of type variables is divided into two countably infinite disjoint subsets, the imperative and the applicative type variables. A monotype is called imperative iff all type variables occurring within it are imperative. The typing rule for ref is constrained so that the type r of e in rule REF is required to be imperative. Polymorphic generalization must preserve the imperative/applicative distinction, and polymorphic instantiation is defined so that an imperative type variable may only be instantiated to an imperative monotype. In addition a restricted form of generalization, written AppClose,;,(r), is defined similarly to Close,,,(r), with the exception that only applicative type variables are generalized in the result; any imperative type variables remain free.

With the machinery of applicative and imperative types in hand, Tofte replaces the BIND rule with the following two rules:

h;y~v,:T, A;y[ x:Close,,,( T1)] I- e2 : fr2

A;yt-let x be v, in e2:-r2 (x E dam(y)) (BIND-VAL)

A;yke,:~, A;y[ x:AppClose,,,( ri)] + e2 : TV

A;y k lot x be e, in e2 : T2 (x~dOm(d) ( BIND-0RD)

Thus if the let-bound expression is a value, it may be used polymorphically without restriction; otherwise only the applicative type variables may be generalized.

The idea behind these modifications is to maintain a conservative approximation to the set of type variables that may occur in the type of a value stored in memory. This is achieved by ensuring that if a type variable occurs freely in the memory, then it is imperative. The converse cannot, of course, be effectively maintained since the location typing in the soundness theorem is computed as a function of the evaluation trace. We say that a location typing is imperative iff the type assigned to every location is imperative.

Theorem 3.2. If p k e - v,p’, and A + e : T, with p : A and A imperative, then there exists A’ such that A’ is imperative, A c A’, $ : A”, and A’ F ~1 : T.

The proof proceeds by induction on the structure of the derivation of p + e 3 v,~‘. Consider the evaluation rule ALLOC. The restriction on rule REF ensures that if ref e : T ref, then 7 is imperative. Consequently, the location typing A” = A’[x : 71 is imperative since, by supposition, A is imperative, and, by induction, A’ is imperative. The significance of maintaining the imperative invariant on location typings becomes apparent in the case of the BIND rules. The rule BIND-VAL is handled as sketched above: since v, is a value, it is non-expansive consequently A, = A, which suffices for the proof. The rule BIND-• RD is handled by observing that regardless of whether A, is a proper extension of A or not, we must have ClOSeAl a AppClose,(T,), for if a type variable t occurs freely in A, but not in A, it must be (by induction hypothesis) imperative, and hence is not generalized in AppClose,(T,) (by definition of AppClose). This is sufficient to complete the proof.

206 R. Harper / Informution Processing Letters 51 (1994) 201-206

4. Conclusion

We have presented a simplified proof of the soundness of Tofte’s type discipline for combining polymorphism and mutable references in ML. The main contribution is the elimination of the need for the maximal fixed point argument used by Tofte [ll]. The methods considered here have been subsequently employed by Greiner to establish to soundness of the “weak polymorphism” type discipline implemented in the Standard ML of New Jersey compiler [ 11. Our approach was influenced by the work of Wright and Felleisen [13] who pioneered the use of reduction semantics to prove soundness of type assignment systems.

Several important studies of the problem of combining polymorphic type inference and computational effects (including mutable references) have been conducted in recent years. The interested reader is referred to the work of Gifford, Jouvelot and Talpin [6,91, Leroy and Weiss [7], Wright [121, Hoang, Mitchell, and Viswanathan [5], and Greiner [4] for further details and references.

The author is grateful to Matthias Felleisen, Andrew Wright, and John Greiner for their comments and suggestions.

References

[I] A.W. Appel and D.B. MacQueen, Standard ML of New

Jersey, in: J. Maluszynski and M. Wirsing, eds., Proc. 3rd

Internat. Symp. on Programming Languages, Implementa-

tion and Logic Programming (Springer, New York, 1991) 1-13.

[2] L. Damas and R. Milner, Principal type schemes for

functional programs, in: Proc. 9th ACM Symp. on Princi-

ples of Programming Languages (1982) 207-212.

[3] L.M.M. Damas, Types assignment in programming lan- guages, Ph.D. Thesis, Edinburgh University, 1985.

[4] J. Greiner, Standard ML weak polymorphism can be

sound, Tech. Rept. CMU-CS-93-160, School of Com- puter Science, Carnegie Mellon University, Pittsburgh,

PA, 1993. [S] M. Hoang, J. Mitchell and R. Viswanathan, Standard

ML-NJ weak polymorphism and imperative constructs,

in: Proc. 8th Symposium on Logic in Computer Science,

1993.

[6] P. Jouvelot and D. Gifford, Algebraic reconstruction of

types and effects, in: Proc. 18th ACM Symp. on Principles

of Programming Lunguages (1991) 303-310. [7] X. Leroy and P. Weis, Polymorphic type inference and

assignment, in: Proc. 18th ACM Symp. on Principles of

Programming Languages (1991) 291-302.

[S] R. Mimer and M. Tofte, Co-induction in relational se-

mantics, Techn. Rept. ECS-LFCS-8X-65. Laboratory for

the Foundations of Computer Science, Edinburgh Uni- versity, Edinburgh, 1988.

[9] J.-P. Talpin and P. Jouvelot, The type and effect disci-

pline, in: Proc. 7th Symp. on Logic in Computer Science (1992) 162-173.

[lo] M. Tofte, Operational semantics and polymorphic type

inference, Ph.D. Thesis, Tech. Rept. ECS-LFCS-X8-54,

Laboratory for Foundations of Computer Science, Edin- burgh University, 1988.

[Ill M. Tofte, Type inference for polymorphic references, Inform. and Comput. 89 (1990) l-34.

[12] A. Wright, Typing references by effect inference, in: Proc. European Symp. on Progrumming, 1992.

[13] A.K. Wright and M. Felleisen, A syntactic approach to

type soundness, Tech. Rept. TR91-160, Dept. of Com- puter Science, Rice University, 1991: Inform. Comput., to appear.