Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shifting the Blame A blame calculus with delimited control Taro Sekiyama* Atsushi Igarashi Soichiro Ueda Kyoto University Gradual typing.

Published byMiles West Modified over 9 years ago

Similar presentations

Presentation on theme: "Shifting the Blame A blame calculus with delimited control Taro Sekiyama* Atsushi Igarashi Soichiro Ueda Kyoto University Gradual typing."— Presentation transcript:

1 Shifting the Blame A blame calculus with delimited control Taro Sekiyama* Atsushi Igarashi Soichiro Ueda Kyoto University Gradual typing

2 Two styles of typing Static typing Dynamic typing Consistency of programs is checked before their execution Good: Early bug detection/Optimization NG: Rejecting programs without no bugs E.g., ML, Haskell, Java, etc. Consistency of programs is checked during their execution Good: Flexible and rapid development : More burdens to detect bugs E.g., Scheme, Python, Perl, etc.

3 Two styles of typing Dynamic typing Gradual typing Static typing where … static and dynamic typing are integrated typed and untyped code coexist –Programs are annotated with types “gradually

4 Two styles of typing Dynamic typing Gradual typing Static typing where typed and untyped code coexist Programs are annotated with types “gradually”

5 Two styles of typing Dynamic typing Gradual typing Static typing

6 Gradual typing [Tobin-Hochstadt&Felleisen’06,Siek&Taha’07] Integration of static and dynamic typing Typed and untyped code can coexist and interact Program

7 Blame calculus [Tobin-Hochstadt&Felleisen’06,Wadler&Findler’09] A simply typed lambda calculus to model intermediate languages for gradual typing The Dynamic type (Dyn for short) –The type given to untyped code Casts (type coercions) t : S T –A device to interact typed and untyped code intDyn

8 Blame calculus [Tobin-Hochstadt&Felleisen’06,Wadler&Findler’09] A typed lambda calculus to model intermediate languages for gradual typing The Dynamic type (Dyn for short) –The type for untyped code Casts (type coercions) s : S T –A type-directed mechanism to monitor value flows between typed and untyped code Term s of type S is coerced to type T

9 Blame calculus [Tobin-Hochstadt&Felleisen’06,Wadler&Findler’09] A typed lambda calculus to model intermediate languages for gradual typing The Dynamic type (Dyn for short) –The type for untyped code Casts (type coercions) s : S T –coerce term s of type S to type T –are used to monitor value flows between typed and untyped code

10 Example let x = if … then succ else true let y : string = if x then “true” else “false” Gradually typed lang. let x : Dyn = if…then succ : int→int Dyn else true : bool Dyn let y : string = if (x : Dyn bool ) then “true” else “false” Blame calculus Untyped code is given Dyn Injection of typed values into untyped code Run-time test to check that the dynamic value is a Boolean

11 Cast semantics TypedUntyped 1 : intDyn

12 Cast semantics TypedUntyped Dyn : int1int

13 Cast semantics TypedUntyped Dyn : int1bool Cast fails! 1 is not a Boolean

14 This work Extending gradual typing with delimited- control operators shift/reset –An extension of blame calculus [Tobin-Hochstadt &Felleisen’06,Wadler&Findler’09] with a new form of cast Defining continuation passing style (CPS) transformation for the extended calculus Investigating three properties –Type soundness –Soundness of the CPS transformation –Blame Theorem

15 What blame calculus should guarantee If something wrong happens, it is detected as cast failure Type Soundness Statically typed terms are never sources of cast failure Blame Theorem E.g., an integer is called as a function

16 What gradual typing should guarantee If something wrong happens, it is detected as cast failure Well typed sides do not cause cast failure E.g., an integer is called as functions NOT trivial in a blame calculus with control operators

17 What gradual typing should guarantee If something wrong happens, it is detected as cast failure E.g., an integer is called as functions ? How should we design blame calculus to guarantee it?

18 Design criterion of blame calculus All value flows between typed and untyped parts should be monitored by casts All uses of dynamic values are completely monitored

19 Problem in introducing control operators naively The criterion is not satisfied Terms with control operators can: return a value capture a continuation call a continuation

20 Terms with control operators can: return a value capture a continuation call a continuation Problem in introducing control operators naively monitored by the early blame calculus The criterion is not satisfied

21 Terms with control operators can: return a value capture a continuation call a continuation Problem in introducing control operators naively monitored by the early blame calculus We design a system to monitor these actions The criterion is not satisfied

22 Problem in introducing control operators naively The criteria is invalidated Values can be passed via captured continuations not to be monitored by casts

23 This work Extending the blame calculus with delimited- control operators shift/reset –A new form of cast to satisfy the criteria Defining continuation passing style (CPS) transformation for the extended calculus Investigating three properties –Type soundness –Soundness of the CPS transformation –Blame Theorem

24 This work Extends the blame calculus with delimited- control operators shift/reset –A new form of cast to monitor capturing and calling continuations Defines continuation passing style (CPS) transformation for the extended calculus Investigates three properties –Type soundness –Blame Theorem –Soundness of the CPS transformation can implement various control effects

25 Challenge for Type Soundness All value flows between typed and untyped parts have to be monitored by casts Paraphrase of Type Soundness It isn’t trivial to satisfy this property

26 Challenge for Type Soundness Because terms with control operators can take more actions To return a value To capture a continuation To call a continuation Paraphrase of Type Soundness It isn’t trivial to satisfy this property All value flows between typed and untyped parts have to be monitored by casts

27 Because terms with control operators can take more actions To return a value To capture a continuation To call a continuation monitored by the early blame calculus Challenge for Type Soundness Paraphrase of Type Soundness It isn’t trivial to satisfy this property All value flows between typed and untyped parts have to be monitored by casts

28 Because terms with control operators can take more actions To return a value To capture a continuation To call a continuation monitored by the early blame calculus Challenge for Type Soundness Paraphrase of Type Soundness It isn’t trivial to satisfy this property All value flows between typed and untyped parts have to be monitored by casts We design a system to monitor these

29 Challenge in the presence of control operators All value flows between typed and untyped parts should be monitored by casts It isn’t trivial to satisfy the crucial property: All uses of dynamic values are completely monitored

30 Challenge in the presence of control operators All value flows between typed and untyped parts should be monitored by casts It isn’t trivial to satisfy the crucial property: Because terms with control operators can take more actions To return a value To capture a continuation To call a continuation All uses of dynamic values are completely monitored

31 Challenge in the presence of control operators All value flows between typed and untyped parts should be monitored by casts It isn’t trivial to satisfy the crucial property: All uses of dynamic values are completely monitored Because terms with control operators can take more actions To return a value To capture a continuation To call a continuation monitored by the early blame calculus

32 Challenge in the presence of control operators All value flows between typed and untyped parts should be monitored by casts It isn’t trivial to satisfy the crucial property: Because terms with control operators can take more actions To return a value To capture a continuation To call a continuation We design a system to monitor these monitored by the early blame calculus All uses of dynamic values are completely monitored

33 Problem in introducing control operators naively The criterion is not satisfied Terms with control operators can: return a value capture a continuation call a continuation

34 Terms with control operators can: return a value capture a continuation call a continuation Problem in introducing control operators naively monitored by the early blame calculus The criterion is not satisfied

35 Terms with control operators can: return a value capture a continuation call a continuation Problem in introducing control operators naively monitored by the early blame calculus We design a system to monitor these actions The criterion is not satisfied

36 This work Extending the blame calculus with delimited- control operators shift/reset –A new form of cast for shift/reset is supported Defining continuation passing style (CPS) transformation for the extended calculus Investigating three properties –Type soundness –Soundness of the CPS transformation –Blame Theorem

37 Outline 1.Introduction 2.Background: blame calculus (without shift/reset) 3.Problem with control operators 4.Our extension of the blame calculus with shift/reset

38 Blame calculus [Tobin-Hochstadt&Felleisen’06,Wadler&Findler’09] A simply typed lambda calculus to model intermediate languages for gradually typing The Dynamic type (Dyn for short) –The type given to untyped code Casts (type coercions) t : S T –A device to interact typed and untyped code intDyn

39 Blame calculus [Wadler&Findler’09] λ with Dyn and casts Types S, T ::= int | … | S → T | Dyn Terms s, t ::= 1 | + | … | λ x.s | s t | s : S T → the type for untyped code monitors that the value of s at S can behave as T

40 Cast semantics 1 : int Dyn 1 : int

41 Cast semantics 1 : int Dyn

42 Cast semantics 1 1

43 : Dyn int 1 : int 1 : Dyn bool 1 : int Cast fails! 1 is not a Boolean

44 Cast semantics : Dyn int 1

45 Cast semantics 1 Cast fails! 1 is not a Boolean : Dyn bool 1 1

46 Cast semantics λx.s λx. x+1 x λx. λx.s

47 Cast semantics ( ) v : int→int v’ let v (v’ <= int

48 Cast semantics v : (int→int) Dyn λx:Dyn.v (x :

49 Cast semantics v : (int→int) Dyn λx:Dyn.v (x :

50 Example Source let x = if … then

51 Example let x = if … then succ else true let y : string = if x then “true” else “false” Gradually typed lang. let x : Dyn = if…then succ : int→int Dyn else true : bool Dyn let y : string = if (x : Dyn bool ) then “true” else “false” Blame calculus

52 Example let x = if … then succ else true let y : string = if x then “true” else “false” Gradually typed lang. let x = Dyn if…then succ : int→int Dyn else true : bool Dyn let y : string = if (x : Dyn bool ) then “true” else “false” Blame calculus

53 Example let x = if … then succ else true let y : string = if x then “true” else “false” Gradually typed lang. let x = Dyn if…then succ : int→int Dyn else true : bool Dyn let y : string = if (x : Dyn bool ) then “true” else “false” Blame calculus

54 Notation let x : Dyn = if…then succ : int→int Dyn else true : bool Dyn let y : string = if (x : Dyn bool ) then “true” else “false” Blame calculus typed code untyped code cast

55 Notation let x = Dyn if…then succ : int→int Dyn else true : bool Dyn let y : string = if (x : Dyn bool ) then “true” else “false” Blame calculus typed code untyped code cast

56 Notation let x = Dyn if…then succ : int→int Dyn else true : bool Dyn let y : string = if (x : Dyn bool ) then “true” else “false” Blame calculus typed code untyped code cast

57 Notation let x = Dyn if…then succ Dyn else true Dyn let y : string = if (x) then Dyn “true” else “false” Blame calculus typed code untyped code cast

58 Example let x = if … then succ else true let y : string = if x then “true” else “false” Gradually typed lang. let x = Dyn if…then succ Dyn else true Dyn let y : string = if x then Dyn “true” else “false” Blame calculus

59 Example let x = if … then succ else true let y : string = if x then “true” else “false” Gradually typed lang. let x = Dyn if…then succ Dyn else true Dyn let y : string = if x then Dyn “true” else “false” Blame calculus

60 let x = if … then … else First-order cast typed to untyped true true : bool Dyn Casts from base types to Dyn always succeeds Result values have the target value (true) and its type (bool)

61 Cast semantics true : bool Dyn Casts from base types to Dyn always succeed Result values have the target value (true) and its type (bool) true bool

62 Cast semantics : Dyn bool true Casts from Dyn succeed if the tagged type matches with the target type true bool

63 Cast semantics : Dyn int Casts from Dyn fail if the tagged type doesn’t match with the target type Cast failure bool ≠ int true bool

64 Cast semantics succ : (int→int) Dyn : Dyn→Dyn λx. succ x x : Dyn int (succ …) : int Dyn Casts from function types to Dyn generate wrappers of the target function All value flows between typed and untyped parts are monitored by casts

65 Cast semantics succ : (int→int) Dyn λx. succ x (succ …) : int Dyn Casts from function types to Dyn generate wrappers of the target function All value flows between typed and untyped parts are monitored by casts x : Dyn int Dyn→Dyn

66 Cast semantics succ : (int→int) Dyn λx. succ x (succ …) : int Dyn Casts from function types to Dyn generate wrappers of the target function All value flows between typed and untyped parts are monitored by casts x : Dyn int Func

67 Cast semantics succ : (int→int) Dyn λx. let y = succ in y x (let …) : int Dyn Casts from function types to Dyn generate wrappers of the target function All value flows between typed and untyped parts are monitored by casts x : Dyn int Func

68 Cast semantics ( ) v : int→int v’ let v (v’ <= int

69 Cast semantics 1 1

70 : Dyn int 1 : int 1 : Dyn bool 1 : int Cast fails! 1 is not a Boolean

71 Cast semantics : Dyn int 1

72 Cast semantics 1 Cast fails! 1 is not a Boolean : Dyn bool 1 1

73 Cast semantics λx.s λx. x+1 x λx. λx.s

74 Cast semantics ( ) v : int→int v’ let v (v’ <= int

75 Cast semantics v : (int→int) Dyn λx:Dyn.v (x :

76 Cast semantics v : (int→int) Dyn λx:Dyn.v (x :

77 Example Source let x = if … then

78 Cast semantics TypedUntyped Dyn 1 int

79 Cast semantics TypedUntyped Dyn : int1int

80 Cast semantics TypedUntyped Dyn : int1bool Cast fails! 1 is not a Boolean

81 Cast semantics TypedUntyped Dyn : int1 λ : int → bool

82 Cast semantics TypedUntyped λ x. : int → bool Dyn

83 Problem in the presence of control operators The standard cast semantics would overlook value flows between typed and untyped code STLC: functions interact with callers STLC with control operators: functions interact not only callers but also contexts

84 Outline 1.Introduction 2.Background: blame calculus (without shift/reset) 3.Problem with control operators 4.Our extension of the blame calculus with shift/reset

85 Problem with control operators Cast semantics has to be extended to deal with types of contexts STLC: functions interact with callers STLC with control operators: functions interact not only callers but also contexts Cf. Takikawa et al. [ESOP’13]

86 Problem with control operators All value flows between typed and untyped code are NOT monitored Values can be passed via captured continuations not to be monitored by casts

87 Problem with control operators NOT all value flows between typed and untyped code are monitored because the standard cast semantics cannot monitor capturing and calling continuations

88 Shift and reset CPS-based operators to manipulate “delimited” continuations Reset 〈 s 〉 delimits continuations in s Shift (S k. s) captures continuations up to the closest reset as k 〈 E[S k. s] 〉 〈 s[k:=λx. 〈 E[x] 〉 ] 〉 where E is an evaluation context without reset used to impl. exceptions, backtracking, monads, etc. 〈 v 〉 v

89 Shift and reset CPS-based operators to manipulate “delimited” continuations Reset 〈 s 〉 delimits continuations in s Shift (S k. s) captures continuations up to the closest reset as k 〈 E[S k. s] 〉 〈 s[k:=λx. 〈 E[x] 〉 ] 〉 where E is an evaluation context without reset used to impl. exceptions, backtracking, monads, etc.

90 Reduction example 〈 3 + (S k. (k 1) == 4) 〉 = 〈 E[S k. (k 1) == 4] 〉 where E = 3 + [] 〈 (k 1) == 4 〉 λx. 〈 3 + x 〉 〈〈 3+1 〉 == 4 〉 * true

91 1) == 4 〉 (λx. 〈 3 + x 〉 ) k Reduction example 〈 3 + (S k. (k 1) == 4) 〉 = 〈 E[S k. (k 1) == 4] 〉 where E = 3 + [] 〈(〈( captured continuation 〈〈 3+1 〉 == 4 〉 * true

92 1) == 4 〉 k Reduction example 〈 3 + (S k. (k 1) == 4) 〉 = 〈 E[S k. (k 1) == 4] 〉 where E = 3 + [] 〈(〈(

93 1) == 4 〉 (λx. 〈 3 + x 〉 ) k Reduction example 〈 3 + (S k. (k 1) == 4) 〉 = 〈 E[S k. (k 1) == 4] 〉 where E = 3 + [] 〈(〈( captured continuation 〈〈 3+1 〉 == 4 〉 * true

94 Reduction example 〈 3 + (S k. (k 1) == 4) 〉 = 〈 E[S k. (k 1) == 4] 〉 where E = 3 + [] 〈 ( k 1) == 4 〉

95 v = λx:int. 3 + (S k. (k 1) == x) Problem of the standard cast semantics in the presence of shift/reset v : (int→int) Dyn λy. v y Func

96 Problem of the standard cast semantics in the presence of shift/reset v = λx:int. 3 + (S k. (k 1) == x) 〈 f ((λy. ) 4) 〉 v y 〈 f ( ) 〉 v 4 : Dyn int 4 〈 f ( ) 〉 v 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) v : (int→int) Dyn Typed function v is called under the untyped context (“context” is the body of the reset)

97 Problem of the standard cast semantics in the presence of shift/reset v = λx:int. 3 + (S k. (k 1) == x) 〈 f ((λy. ) 4) 〉 v y 〈 f ( ) 〉 v 4 : Dyn int 4 〈 f ( ) 〉 v 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) v : (int→int) Dyn

98 Problem of the standard cast semantics in the presence of shift/reset … 〈 1) == 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) k ( 〉

99 Problem of the standard cast semantics in the presence of shift/reset … 〈 1) == 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) k ( 〉 captured continuation

100 Problem of the standard cast semantics in the presence of shift/reset … 〈 1) == 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) k ( 〉 captured continuation

101 Problem of the standard cast semantics in the presence of shift/reset … 〈 ( ) 1) == 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) ( 〉 あいう λz. 〈 〉 f ( ) 3 + z captured continuation

102 λz. 〈 〉 Problem of the standard cast semantics in the presence of shift/reset … 〈 1) == 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) All value flows between typed and untyped parts are NOT monitored k ( captured continuation 〉 f ( ) 3 + z

103 λz. 〈 〉 Problem of the standard cast semantics in the presence of shift/reset … 〈 1) == 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) All value flows between typed and untyped parts are NOT monitored 1) == 4 〉 (λx. 〈 3 + x 〉 ) k ( captured continuation 〉 f ( ) 3 + z

104 λz. 〈 〉 f ( ) Problem of the standard cast semantics in the presence of shift/reset … 〈 〉 (k 1) == 4 3 + z 〈 f ( ) 〉 3 + (S k. (k 1) == 4) All value flows between typed and untyped parts are NOT monitored

105 Problem of the standard cast semantics in the presence of shift/reset v = λx:int. 3 + (S k. (k 1) == x) 〈 f ((λy. ) 4) 〉 let z = v in z y v : (int→int) Dyn

106 Problem of the standard cast semantics in the presence of shift/reset v = λx:int. 3 + (S k. (k 1) == x) 〈 f ((λy. ) 4) 〉 v y 〈 f ( ) 〉 v 4 : Dyn int 4 〈 f ( ) 〉 v 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) v : (int→int) Dyn Since (let x = e in x) ≈ e

107 Problem of the standard cast semantics in the presence of shift/reset v = λx:int. 3 + (S k. (k 1) == x) 〈 f ( ) 〉 v 4 : Dyn int 4 〈 f ( ) 〉 v 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) 〈 f ( 4) 〉 v 〈 f ((λy. ) 4) 〉 v y

108 Problem of the standard cast semantics in the presence of shift/reset … 〈 (k 1) == 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) 〉

109 Problem of the standard cast semantics in the presence of shift/reset … 〈 (k 1) == 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) 〉 captured continuation

110 Problem of the standard cast semantics in the presence of shift/reset … 〈 f ( ) 〉 3 + (S k. (k 1) == 4) 〈 ( 1) == 4 〉 k

111 Problem of the standard cast semantics in the presence of shift/reset … 〈 f ( ) 〉 3 + (S k. (k 1) == 4) 〈 ( 1) == 4 〉 k captured continuation

112 Problem of the standard cast semantics in the presence of shift/reset … 〈 ( 1) == 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) 〉 ( λz. 〈 〉 ) f ( ) 3 + z captured continuation

113 Problem of the standard cast semantics in the presence of shift/reset … 〈 ( 1) == 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) 〉 ( λz. 〈 〉 ) f ( ) 3 + z NOT all value flows between typed and untyped parts are monitored

114 Our solution 〈 f (v’ 4) 〉 In an ideal semantics: Changing the cast semantics so that typed and untyped functions are called in typed and untyped contexts, resp. v : int→int Dyn y 〈 let x = v in 〉

115 Outline 1.Introduction 2.Background: blame calculus (without shift/reset) 3.Problem with control operators 4.Our extension of the blame calculus with shift/reset

116 How does the problem happen? … v = λx:int. 3 + (S k. (k 1) == x) An untyped continuation is captured and sent to typed code 〈 f ( ) 〉 3 + (S k. (k 1) == 4) Captured continuations are expected to be typed The captured continuation is untyped f ( ) 3 + z

117 Our solution Changing the cast semantics so that: Typed code captures only typed continuations Untyped code captures only untyped continuations

118 Our solution Changing the cast semantics so that: Typed code captures only typed continuations Untyped code captures only untyped continuations

119 Ideal cast semantics 〈 f (v’ 4) 〉 v : int→int Dyn 〈 let x = v in 〉 4 Typed function v should be called in the typed context f x The cast for the argument type 〈〉 Untyped function f should be called in the untyped context The cast for the return type Appropriate casts should be inserted 〜 〈 f (v 4) 〉 (if all casts are ignored)

120 Our cast semantics 〈 f (v’ 4) 〉 v : int→int Dyn 〈 let x = v in 〉 4 f x 〈〉 The cast for the return type 〈 f (v 4) 〉 (if all casts are ignored) guarantees captured continuations in untyped function f are untyped Appropriate casts are inserted The result of v is passed to f guarantees captured continuations in typed function v are typed ≈ How is type information for additional casts obtained? By following Danvy&Filinski’s type system for shift/reset

121 Our cast semantics 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ 〈 f (v’ 4) 〉 v : int→int Dyn

122 Our cast semantics 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ 〈 f (v’ 4) 〉 v : int→int Dyn

123 Our cast semantics 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ v 4 〈 f (v’ 4) 〉 v : int→int Dyn The target function v is called with the argument to v’

124 Our cast semantics 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ v 4 〈 f (v’ 4) 〉 v : int→int Dyn The cast for the argument type

125 Our cast semantics 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ 〈〉 〈 f (v’ 4) 〉 v : int→int Dyn guarantees captured continuations in typed function v are typed

126 Our cast semantics 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ f x 〈 f (v’ 4) 〉 v : int→int Dyn The result x of v is passed to f

127 Our cast semantics 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ f x 〈 f (v’ 4) 〉 v : int→int Dyn The cast for the return type

128 Our cast semantics 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ 〈〉 〈 f (v’ 4) 〉 v : int→int Dyn guarantees captured continuations in untyped function f are untyped

129 Our cast semantics 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ 〈 f (v’ 4) 〉 v : int→int Dyn Additional casts are constructed by using type information given in Danvy&Filinski’s type system

130 Our cast semantics 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ 〈 f (v’ 4) 〉 v : int→int Dyn

131 Our cast semantics 〈 f (v’ 4) 〉 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ v : int/ int →int/ bool Dyn requires that the closest reset’s body at call point result in an integer 〈 … 〉 : Dyn int to check the outer reset’s body returns an integer

132 Our cast semantics 〈 f (v’ 4) 〉 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ v : int/ int →int/ bool Dyn guarantees that the closest reset at call point returns a Boolean 〈 … 〉 : bool Dyn to inject Boolean values to untyped code

133 Our cast semantics 〈 f (v’ 4) 〉 〈 let x = v in 〉 4 f x 〈〉 〈 f (v 4) 〉 (if all casts are ignored) ≈ v : int/ int →int/ bool Dyn

134 Our cast semantics 〈 f (v’ 4) 〉 v : int→int Dyn v 4 The cast for the argument type Rewritten to (let x = v 4 in x) ( e ≈ (let x = e in x) )

135 Our cast semantics 〈 f (v’ 4) 〉 v : int→int Dyn 〈 let x = v in 〉 4 f x 〈〉 The cast for the return type 〈 f (v 4) 〉 (if all casts are ignored) guarantees captured continuations in untyped function f are untyped Appropriate casts are inserted with help of Danvy&Filisnki’ type system The result of v is passed to f guarantees captured continuations in typed function v are typed ≈

136 Challenges to achieve the ideal cast semantics How to manipulate the context where the cast result is used How to obtain type information for the additional casts By following Danvy&Filinski’s type system for shift/reset By manipulating the context captured by shift ✔

137 Our solution 〈 f (v’ 4) 〉 In an ideal semantics: Changing the cast semantics so that typed and untyped functions are called in typed and untyped contexts, resp. v : S Dyn y 〈 〈f〉〈f〉 x let x = v in 〉

138 Outline

139 Program syntax Types S, T, α, β ::= int | … | Dyn | S / α → T / β Terms s, t ::= 1 | + | … | λx.s | s t | s : S T | S k. s | 〈 s 〉

140 Type system for shift/reset [Danvy&Filinski’89] Γ; α├ s : T ; β the type of the closest reset’s body the result type of the closest reset Example: 〈 1 + (S k. …) 〉 && false ; ├ S k. … : ; int bool int

141 Type system for shift/reset [Danvy&Filinski’89] Γ; α├ s : T ; β the type of the closest reset’s body the result type of the closest reset Example: 〈 1 + (S k. …) 〉 && false ; ├ S k. … : ; ? ? ?

142 Type system for shift/reset [Danvy&Filinski’89] Γ; α├ s : T ; β the type of the closest reset’s body the result type of the closest reset Example: 〈 1 + (S k. …) 〉 && false ; ├ S k. … : ; ? ? int

143 Type system for shift/reset [Danvy&Filinski’89] Γ; α├ s : T ; β the type of the closest reset’s body the result type of the closest reset Example: 〈 1 + (S k. …) 〉 && false ; ├ S k. … : ; int ?

144 Type system for shift/reset [Danvy&Filinski’89] Γ; α├ s : T ; β the type of the closest reset’s body the result type of the closest reset Example: 〈 1 + (S k. …) 〉 && false ; ├ S k. … : ; int bool int

145 S / α → T / β the result type of the closest reset at call point the type of the closest reset’s body at call point Type system for shift/reset [Danvy&Filinski’89]

146 Issues to achieve the ideal cast semantics How to manipulate the context where the cast result is used How to obtain type information for the additional casts By following Danvy&Filinski’s type system for shift/reset By manipulating the context captured by shift ✔ ✔

147 λx. Cast semantics v : (S/α→T/β) Dyn 〈 〉〈 〉 k (v ) x S k. The type of the body of the reset The return type of the body of the reset Func 〈 … 〉 : β Dyn k (…) : Dyn α

148 The problematic reduction is resolved v = λx:int. 3 + (S k. (k 1) == x) 〈 f ( 4) 〉 * s* s 〜 〈 let x = v in 〉 v v : int/int→int/bool Dyn 〉 4 〈f〉〈f〉 x 〈 … 〉 : bool Dyn (corresp. to β Dyn) 〈 … 〉 : Dyn int (corresp. to Dyn α) corresponds to the continuation captured by the cast result

149 Our cast semantics 〈 f (v’ 4) 〉 v : int/ int →int/ bool Dyn 〈 let x = v in 〉 4 f x 〈〉 〈 … 〉 : Dyn int (corresp. to Dyn α) since α is the type of the reset’s body 〈 … 〉 : bool Dyn (corresp. to β Dyn) since β is the result type of the reset

150 : Dyn/Dyn→Dyn/Dyn λx. Cast semantics v : (S/α→T/β) Dyn (v ) x x : Dyn S(v …) : T Dyn

151 : Dyn/Dyn→Dyn/Dyn λx. Cast semantics v : (S/α→T/β) Dyn (v ) x

152 : Dyn/Dyn→Dyn/Dyn λx. Cast semantics v : (S/α→T/β) Dyn 〈 〉〈 〉 k (v ) x S k.

153 : Dyn/Dyn→Dyn/Dyn λx. Cast semantics v : (S/α→T/β) Dyn 〈 〉〈 〉 k (v ) x S k.

154 : Dyn/Dyn→Dyn/Dyn λx. Cast semantics v : (S/α→T/β) Dyn 〈 〉〈 〉 k (v ) x S k. k (…) : Dyn α

155 : Dyn/Dyn→Dyn/Dyn λx. Cast semantics v : (S/α→T/β) Dyn 〈 〉〈 〉 k (v ) x S k. k (…) : Dyn α 〈 … 〉 : β Dyn

156 : Dyn/Dyn→Dyn/Dyn λx. S k. 〈 〉〈 〉 k Cast semantics v : (S/α→T/β) Dyn x : Dyn int (succ …) : int Dyn (v ) x

157 The problematic reduction is resolved v : (int/int→int/bool) Dyn λy. S k. v = λx:int. 3 + (S k. (k 1) == x) 〈〉〈〉 k (v ) y : Dyn/Dyn→Dyn/Dyn

158 The problematic reduction is resolved v : (int/int→int/bool) Dyn λy. S k. v = λx:int. 3 + (S k. (k 1) == x) 〈〉〈〉 k (v ) y : Dyn/Dyn→Dyn/Dyn

159 The problematic reduction is resolved v = λx:int. 3 + (S k. (k 1) == x) 〈 f ((λy.S k. ) 4) 〉 〈〉〈〉 k (v ) y * s* s 〜 〈 (k 1) == 4 〉 λz. 〈 f 〉 (3 + z) 〈 … 〉 : bool Dyn (corresp. to β Dyn) 〈 … 〉 : Dyn int (corresp. to Dyn α)

160 The problematic reduction is resolved v = λx:int. 3 + (S k. (k 1) == x) 〈 f ((λy.S k. ) 4) 〉 〈〉〈〉 k (v ) y * 〈 f ((λy. ) 4) 〉 v y λz. 〈 〉 f ( ) 〈 〉 (k 1) == 4 3 + z

161 The problematic reduction is resolved v = λx:int. 3 + (S k. (k 1) == x) 〈 f ((λy.S k. ) 4) 〉 λz. 〈 f z 〉 v 4 〈 f ( ) 〉 v 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4) 〈〉〈〉 k (v ) y 〈 f (S k. ) 〉 〈〉〈〉 k (v ) 4 〈 〉 〈〉〈〉 k (v ) 4

162 Problem of the standard cast semantics in the presence of shift/reset … All value flows between typed and untyped parts are NOT monitored 〈 〉 〈〉〈〉 k (v ) 4 λz. 〈 f z 〉 v = λx:int. 3 + (S k. (k 1) == x)

163 The problematic reduction is resolved v = λx:int. 3 + (S k. (k 1) == x) 〈 f ((λy. ) 4) 〉 v y 〈 f ( ) 〉 v 4 v 4 〈 f ( ) 〉 3 + (S k. (k 1) == 4)

164 Our calculus Program syntax: Types S, T, α, β ::= int | … | Dyn | S/α → T/β Terms s, t ::= 1 | + | … | λx.s | s t | s : S T | S k. s | 〈 s 〉 Type system: Semantics: shift/reset + our cast semantics Γ; α├ s : T ; β

165 Type soundness If 〈 s 〉 is a well typed, closed term, then: 〈 s 〉 diverges; 〈 s 〉 v for some v; or some cast in 〈 s 〉 fails * via Progress and Preservation If something wrong happens, it is detected as cast failure

166 Outline 1.Introduction 2.Background: blame calculus (without shift/reset) 3.Problem with control operators 4.Our extension of the blame calculus with shift/reset 5.Properties a.Soundness of CPS transformation b.Blame Theorem

167 In the paper… A formal system including run-time terms Support for “blame” Blame Theorem –Statically typed terms are never responsible for cast failure CPS transformation Sounenss of the CPS transformation –Preservation of Type –Preservation of Equality responsibility for cast failure

168 CPS transformation A technique to implement control operators –Programs with control operators are transformed to ones without them CPS transformation for shift/reset is well studied

169 Our CPS transformation [[ ・ ]] [[ ・ ]] transforms terms/types in our calculus to ones in the simply typed blame calculus The definition is standard except for casts [[s : S T]] := λk. [[s]] (λx. x : [[S]] [[T]]) [[Dyn]] := Dyn [[S/α→T/β]] := [[S]]→([[T]]→[[α]])→[[β]]

170 Soundness of the CPS transformation If s t, then [[s]] 〜 [[t]] where 〜 is an equational system with usual call- by-value axioms and a few additional axiomas If Γ;α├ s : T ; β, then [[Γ]]├ [[s]] : ([[T]]→[[α]])→[[β]] Preservation of Equality Preservation of Type

171 Blame Theorem (Cf. [Tobin-Hochstadt&Felleisen’06,Wadler&Findler’09] Cast failure is always triggered by untyped code That is, in a fully typed program, cast failure never happens

172 In the paper… A formal system including run-time terms and typing rules CPS transformation for run-time terms Support for “blame” Blame Theorem –More precisely typed sides are never blamed responsibility of cast failure

173 Related work Constraining delimited control with contracts [Takikawa et al., ESOP’13] studies “macro” gradual typing with: Control operators not based on CPS –powerful enough to express shift/reset Contract system –allows refined type information to be represented Modules are fully typed or fully untyped

174 Conclusion An extension of blame calculus with shift/reset Cast semantic to monitor capturing and calling continuations Three properties investigated –Type soundness –Blame Theorem –Soundness of the CPS transformation

Download ppt "Shifting the Blame A blame calculus with delimited control Taro Sekiyama* Atsushi Igarashi Soichiro Ueda Kyoto University Gradual typing."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Types and Programming Languages Lecture 13 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 13 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Types and Programming Languages Lecture 7 Simon Gay Department of Computing Science University of Glasgow 2006/07.

Types and Programming Languages Lecture 7 Simon Gay Department of Computing Science University of Glasgow 2006/07.
Static Contract Checking for Haskell Dana N. Xu University of Cambridge Ph.D. Supervisor: Simon Peyton Jones Microsoft Research Cambridge.

Static Contract Checking for Haskell Dana N. Xu University of Cambridge Ph.D. Supervisor: Simon Peyton Jones Microsoft Research Cambridge.
- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.

- Vasvi Kakkad.  Formal -  Tool for mathematical analysis of language  Method for precisely designing language  Well formed model for describing and.
The lambda calculus David Walker CS 441. the (untyped) lambda calculus a language of functions e ::= x | \x.e | e1 e2 v ::= \x.e there are several different.

The lambda calculus David Walker CS 441. the (untyped) lambda calculus a language of functions e ::= x | \x.e | e1 e2 v ::= \x.e there are several different.
Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.
Control Structures Any mechanism that departs from straight-line execution: –Selection: if-statements –Multiway-selection: case statements –Unbounded iteration:

Control Structures Any mechanism that departs from straight-line execution: –Selection: if-statements –Multiway-selection: case statements –Unbounded iteration:
1 PROPERTIES OF A TYPE ABSTRACT INTERPRETATER. 2 MOTIVATION OF THE EXPERIMENT § a well understood case l type inference in functional programming à la.

1 PROPERTIES OF A TYPE ABSTRACT INTERPRETATER. 2 MOTIVATION OF THE EXPERIMENT § a well understood case l type inference in functional programming à la.
1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.

1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.
Introduction to Programming Languages Nai-Wei Lin Department of Computer Science and Information Engineering National Chung Cheng University.

Introduction to Programming Languages Nai-Wei Lin Department of Computer Science and Information Engineering National Chung Cheng University.
Type checking © Marcelo d’Amorim 2010.

Type checking © Marcelo d’Amorim 2010.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
CSE 341, Winter 2010 1 Type Systems Terms to learn about types: –Type –Type system –Statically typed language –Dynamically typed language –Type error –Strongly.

CSE 341, Winter Type Systems Terms to learn about types: –Type –Type system –Statically typed language –Dynamically typed language –Type error –Strongly.
1 Space-Efficient Gradual Typing David Herman Northeastern University Aaron Tomb, Cormac Flanagan University of California, Santa Cruz.

1 Space-Efficient Gradual Typing David Herman Northeastern University Aaron Tomb, Cormac Flanagan University of California, Santa Cruz.
Denotational Semantics Syntax-directed approach, generalization of attribute grammars: –Define context-free abstract syntax –Specify syntactic categories.

Denotational Semantics Syntax-directed approach, generalization of attribute grammars: –Define context-free abstract syntax –Specify syntactic categories.
Control Flow Analysis Mooly Sagiv Tel Aviv University 640-6706 Sunday 18-21 Scrieber 8 Monday 10-12 Schrieber.

Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Misc. Announcements Assignment available end of the day today –Due back in 11/03 (after break) Will also update slides on website –Today Midterm next week.

Misc. Announcements Assignment available end of the day today –Due back in 11/03 (after break) Will also update slides on website –Today Midterm next week.
Type Checking in Cool Alex Aiken (Modified by Mooly Sagiv)

Type Checking in Cool Alex Aiken (Modified by Mooly Sagiv)

Similar presentations

Ads by Google