Advanced Topics in Language-based Security, Spring 2005
Examples of effect systems
Lecture 1, Thursday February 17, 2005
• Call-tracking analysis.
Analyse for each subexpression in a program which function abstractions are
Introduction to effect systems and exception inference
applied during evaluation. Useful for higher-order dead code elimination.
• What is an effect system
• Region inference.
• Examples of effect systems
Organize memory as a stack of regions. Insert allocation and deallocation directives
• Exception inference for ML
in the program, based on an analysis that for each subexpression in the program
• Polymorphic exception inference
infers which regions are written into and which regions are read.
• Exception inference.
• Towards a substitution-based exception inference algorithm
Analyse for each subexpression in a program which exceptions may be raised
• Generative exceptions in Standard ML
during evaluation.
• Optional exercises
Advanced Topics in Language-based Security, Spring 2005
IT University of Copenhagen
Page 1-1
Advanced Topics in Language-based Security, Spring 2005
IT University of Copenhagen
Page 1-3
A language with exception support
v
|
What is an effect system
• An effect system extends a tradition type system to capture a safe approximation of what
w
c
::= v
|
happens when a program executes.
raise ε
e ::= x
• In a functional language setting, the arrow type for a function
τ → τ0
is extended with an effect
::= λx.e
ϕ, which captures a safe approximation of what happens when
the function is called:
Functions
Constant
c ∈ C
Constants
x ∈ V
Variables
ε ∈ Σ
Exceptions
Value
Raise exception
Variable
|
w
Value/Exception
|
e 1 e2
Application
|
e handle ε => e0
Exception handling
Example programs
ϕ
τ −−
→ τ0
• The program “(λx.raise ε) 5” raises the exception ε.
• The program “(λx.raise ε) 5 handle ε => 3” evaluates to the value 3.
• The program “(λx.raise ε0 ) 5 handle ε => 3” raises the exception ε0 .
Advanced Topics in Language-based Security, Spring 2005
IT University of Copenhagen
Page 1-2
Advanced Topics in Language-based Security, Spring 2005
IT University of Copenhagen
Page 1-4
The TypeOf function
We allow predefined functions and constants by the use of a function TypeOf
e ; v/raise ε
Big-step evaluation rules
e1 ; raise ε
e1 ; λx.e e2 ; v e[v/x] ; w
(1)
e1 e2 ; raise ε
(2)
Examples of predefined functions and constants:
e1 e2 ; w
e1 ; λx.e e2 ; raise ε
e ; raise ε0 ε0 6= ε
(3)
(4)
+, −, ∗ : int ∗ int −
→ int
w;w
e ; raise ε e0 ; w
(5)
e handle ε =>e0 ; raise ε0
{Div}
: int ∗ int −−−−→ int Integer division
div
e1 e2 ; raise ε
e handle ε =>e0 ; w
e;v
Integer addition, subtraction, multiplication
...
(6)
To model Standard ML precisely...
div
(7)
0
: C → T , which
maps constants to types.
e handle ε =>e ; v
{Div,Overflow}
: int ∗ int −−−−−−−−−−−→ int Integer division
+, −, ∗ : int ∗ int −−Overflow
−−−−−→ int
Integer addition, subtraction, multiplication
...
Advanced Topics in Language-based Security, Spring 2005
IT University of Copenhagen
Page 1-5
Advanced Topics in Language-based Security, Spring 2005
IT University of Copenhagen
Page 1-7
Simple type-and-effect system for exceptions
Effects
• An effect ϕ is a set of exceptions.
` e : τ, ϕ, which are read: In the type
environment Γ, the expression e has type τ and effect ϕ.
• Later we refine the notion of effect to allow for effect polymorphism.
Typing rules
Typing rules allow inference of sentences of the form Γ
Types
Γ ` e : τ, ϕ
Γ(x) = τ
• Types are defined according to the following grammar:
τ
::= int
|
ϕ
τ −−→ τ 0
ϕ
Γ ` e1 : τ −−→ τ 0 , ϕ1
(8)
Γ ` e 1 e2 : τ 0 , ϕ 1 ∪ ϕ 2 ∪ ϕ
Γ ` x : τ, ∅
(9)
(10)
Integers
Γ ` c : TypeOf(c), ∅
Function types
Γ + {x : τ } ` e : τ 0 , ϕ
• We use T to denote the set of all types.
ϕ
Γ ` λx.e : τ −−
→ τ 0, ∅
(11)
Γ ` e : τ, ϕ
• A type environment Γ : V → T maps program variables to types.
IT University of Copenhagen
(13)
Γ ` raise ε : τ, {ε}
Page 1-6
Advanced Topics in Language-based Security, Spring 2005
ϕ0 ⊇ ϕ
Γ ` e : τ, ϕ0
Type environments
Advanced Topics in Language-based Security, Spring 2005
Γ ` e2 : τ, ϕ2
Γ ` e : τ, ϕ
(12)
Γ ` e0 : τ, ϕ0
Γ ` e handle ε => e0 : τ, ϕ \ {ε} ∪ ϕ0
IT University of Copenhagen
(14)
Page 1-8
Refining exception inference to support polymorphism
Type and effect properties
• To support polymorphism, we assume denumerably sets of type variables (α) and
exception variables (ξ ).
The type and effect system approximates the dynamic effects of programs:
• Effects ϕ are refined to be sets of exceptions and exception variables.
Lemma 0 (Value substitution)
If {x
Types and type schemes
: τ } ` e : τ 0 , ϕ and ` v : τ, ∅ then ` e[v/x] : τ 0 , ϕ.
Proof: By induction on the derivation {x
• Types are now defined according to the following grammar:
: τ } ` e : τ 0 , ϕ.
τ
|
Lemma 1 (Type and effect soundness)
α
σ
1.
e ; v and ` v : τ, ∅; or
2.
e ; raise ε and ε ∈ ϕ
Proof: By induction on the derivation
Integers
Type variable
ϕ
τ −−→ τ 0
~
::= ∀~
αξ.τ
|
` e : τ, ϕ then either
If
::= int
Function types
Type schemes
• We use TS to denote the set of all type schemes and treat a type τ as a type scheme ∀.τ .
Type environments
` e : τ, ϕ using Lemma 0 in the case of rule 9.
Advanced Topics in Language-based Security, Spring 2005
IT University of Copenhagen
• A type environment Γ : V → TS now maps program variables to type schemes.
Page 1-9
Advanced Topics in Language-based Security, Spring 2005
IT University of Copenhagen
Page 1-11
Polymorphism
• Polymorphism allows a generic function to take a different type in different contexts.
• Effect polymorphism allows higher-order functions to take functions with different effects as
arguments.
Substitutions
• A type substitution St maps type variables to types.
• Without effect polymorphism, the type of a let-bound function is forced to depend on the
call sites.
• An effect substitution Se maps effect variables to effects.
• A substitution S = (St , Se ) is a tuple of a type substitution and an effect substitution.
Examples
• The effect of applying a substitution to some object is the effect of applying the type
• Generic constants:
hd
tl
substitution and the effect substitution on the object simultaneously.
{Empty}
: ∀α.α list −−−−−−−→ α
Head of a list
Instantiation
{Empty}
: ∀α.α list −−−−−−−→ α list Tail of a list
~ 0 , written σ τ , if there exists a
= ∀~
αξ.τ
~ , for some ~τ and ϕ
τ /~
α], [~
ϕ/ξ])
~ , such that S(τ 0 ) = τ .
substitution S = ([~
A type τ is an instance of a type scheme σ
...
• The apply function λf.λx.f x can be given the type
{ξ}
{ξ}
∀αβξ.(α −−−→ β) −−∅→ α −−−→ β
Advanced Topics in Language-based Security, Spring 2005
IT University of Copenhagen
Page 1-10
Advanced Topics in Language-based Security, Spring 2005
IT University of Copenhagen
Page 1-12
Let-polymorphism
Towards a substitution-based exception inference algorithm
To allow polymorphism in programs, we extend the language with a let-construct with
Problem with the typing rules:
appropriate evaluation rules:
• In an algorithm based on the typing rules, it is not clear when to apply rule 12.
e ; v/raise ε
A solution:
0
e ; raise ε
(15)
0
let x = e in e ; raise ε
e ; v e [v/x] ; w
0
ξ.ϕ
• Refine the notion of function types to take the form τ −−−→ τ 0 .
(16)
let x = e in e ; w
• Refine the notion of substitution to map effect variables ξ to arrow effects ξ 0 .ϕ.
Refined typing rules
S(ξ.ϕ) = ξ 0 .(S(ϕ) ∪ ϕ0 ) where S(ξ) = ξ 0 .ϕ0
With addition of a typing rule for the let-construct, only the typing rule for variables need be
• In this way substitutions can work as unifiers.
modified:
~ ∩ fv(Γ, ϕ, ϕ0 ) = ∅
{~
αξ}
~ } ` e 0 : τ 0 , ϕ0
Γ + {x : ∀~
αξ.τ
Γ ` e : τ, ϕ
Γ(x) τ
(17)
Γ`x:τ
0
0
Γ ` let x = e in e : τ , ϕ ∪ ϕ
Advanced Topics in Language-based Security, Spring 2005
0
IT University of Copenhagen
Example:
• The substitution {ξ 7→ ξ.{Overflow}, ξ 0 7→ ξ.{Div}} is a unifier for the two arrow
effects ξ.{Div} and ξ 0 .{Overflow}.
(18)
Page 1-13
Properties of the refined system
τ then S(σ) S(τ ), for any substitution S .
• Unary exception constructors — i.e., exception constructors that carry values as
arguments, as in ML
• Generative exceptions as in Standard ML
` e : τ, ϕ then S(Γ) ` e : S(τ ), S(ϕ).
The first two extensions are covered by
Lemma 4 (Value substitution)
If {x
Page 1-15
• First class exception constructors, as in ML
Lemma 3 (Typing judgments are closed under substitution)
If Γ
IT University of Copenhagen
Possible extensions to basic exception inference
Lemma 2 (Instantiation is closed under substitution)
If σ
Advanced Topics in Language-based Security, Spring 2005
• Francois Pessaux and Xavier Leroy, "Type-based analysis of uncaught exceptions", in
: σ} ` e : τ 0 , ϕ and ` v : τ, ∅ and σ τ then ` e[v/x] : τ 0 , ϕ.
Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of
Lemma 5 (Type soundness)
If
` e : τ, ϕ then either
1.
e ; v and ` v : τ, ∅; or
2.
e ; raise ε and ε ∈ ϕ
Proof: By induction on the derivation
Advanced Topics in Language-based Security, Spring 2005
programming languages. January 1999.
Other related work include
• Manuel Fähndrich, Jeffrey S. Foster, Alexander Aiken, and Jason Cu, "Tracking down
Exceptions in Standard ML Programs", Computer Science Division Tech Report
` e : τ, ϕ.
UCB//CSD-98-996. University of California, Berkeley. February 1998.
IT University of Copenhagen
Page 1-14
Advanced Topics in Language-based Security, Spring 2005
IT University of Copenhagen
Page 1-16
Generative exceptions in Standard ML
• In Standard ML, exception constructors are introduced by explicit exception declarations:
exception E;
• When such a declaration is evaluated, a new distinct exception name is associated with
the exception constructor E at runtime.
• Matches in handle-constructs look up exception names at runtime to identify exceptions.
• Generative exceptions are necessary for type safety in Standard ML.
Example
fun f x = let
in
end
val a = #1 (f
val g = #2 (f
val ? = g a
exception E
(E, fn y => (raise y) handle E => x)
5)
10)
Advanced Topics in Language-based Security, Spring 2005
IT University of Copenhagen
Page 1-17
IT University of Copenhagen
Page 1-18
Optional exercises
1. Add pairs and conditionals to the system
2. Prove Lemma 1 on slide 1-9
3. More advanced: prove the lemmas on slide 1-14.
Advanced Topics in Language-based Security, Spring 2005