Static and Dynamic Type Checking: A Synopsis. Ronald Garcia University of British Columbia

Transcription

1 Static and Dynamic Type Checking: A Synopsis Ronald Garcia University of British Columbia 1

2 Trends in Functional Programming, Volume 8 Selected papers from the Eighth Symposium on Trends in Functional Programming (TFP07), New York City, USA, April 2-4, Marco T. Morazán (editor) Intellect, Bristol, UK. ISBN Table of Contents Space-Efficient Gradual Typing 1-18 Best Student David Herman and Aaron Tomb and Cormac Flanagan Paper A Metalanguage for Structural Operational Semantics Matthew Lakin and Andrew Pitts AHA: Amortized Heap Space Usage Analysis Marko van Eekelen and Olha Shkaravska and Ron van Kesteren and Bart Jacobs and Erik Poll and Sjaak Smetsers Unifying Hybrid Types and Contracts Jessica Gronski and Cormac Flanagan 2

3 Trends in Functional Programming, Volume 8 Selected papers from the Eighth Symposium on Trends in Functional Programming (TFP07), New York City, USA, April 2-4, Marco T. Morazán (editor) Intellect, Bristol, UK. ISBN Table of Contents Space-Efficient Gradual Typing 1-18 Best Student David Herman and Aaron Tomb and Cormac Flanagan Paper A Metalanguage for Structural Operational Semantics Matthew Lakin and Andrew Pitts AHA: Amortized Heap Space Usage Analysis Marko van Eekelen and Olha Shkaravska and Ron van Kesteren and Bart Jacobs and Erik Poll and Sjaak Smetsers Unifying Hybrid Types and Contracts Jessica Gronski and Cormac Flanagan 3

4 Trends in Functional Programming, Volume 8 Selected papers from the Eighth Symposium on Trends in Functional Programming (TFP07), New York City, USA, April 2-4, Marco T. Morazán (editor) Intellect, Bristol, UK. ISBN Table of Contents Space-Efficient Gradual Typing 1-18 Best Student David Herman and Aaron Tomb and Cormac Flanagan Paper A Metalanguage for Structural Operational Semantics Matthew Lakin and Andrew Pitts AHA: Amortized Heap Space Usage Analysis Marko van Eekelen and Olha Shkaravska and Ron van Kesteren and Bart Jacobs and Erik Poll and Sjaak Smetsers Unifying Hybrid Types and Contracts Jessica Gronski and Cormac Flanagan 4

5 Gradual Typing Static Checking: (Robustness) Dynamic Checking: (Agility) Complementary Disciplines 5

6 Typing, Gradually struct Point { x } fun move(p, dx) { } Point(p.x + dx) let a = 1 p = Point(7) in move(p,a) 6

7 Typing, Gradually struct Point { x : int } fun move(p, dx) { } Point(p.x + dx) let a = 1 p = Point(7) in move(p,a) 7

8 Typing, Gradually struct Point { x : int } fun move(p : Point, dx) { } Point(p.x + dx) let a = 1 p = Point(7) in move(p,a) 8

9 Typing, Gradually struct Point { x : int } fun move(p : Point, dx : int) { Point(p.x + dx) } More Annotations let a : int = 1 p : Point = Point(7) in move(p,a) = More Static Checks! 9

10 Typing, Gradually if (SomethingTrue()) { x = 7.0 } else { x = Good Grief! } y = sqrt(x) Flexibility On Demand! 10

11 Static Languages Recurring Trend Dynamic Languages Haskell 11 Scheme

12 Static Languages Recurring Trend Dynamic Languages DLR DuctileJ Haskell Deferred Type Errors 12 Racket Scheme

13 Facebook wanted its coders to keep moving fast in the comfort of their native tongue, but it didn t want them to have to break things as they did it. James Somers, Toolkits for the Mind Technology Review, April 2, 2015

14 Why would I want to use it? When you re prototyping, you may not want the compiler bothering you about broken code that you don t care about. Or you may want to use duck typing while you re fleshing out the design of your interfaces DuctileJ homepage DuctileJ

15 Lots of Theories Hybrid Type Checking Dynamic typing: Quasi-static Typing Gradual Typing 15

16 Lots of Theories Hybrid Type Checking Dynamic typing: Quasi-static Typing Gradual Typing 16

17 Synopsis 17

18 Synopsis Levels of Reading: Elementary Inspectional Analytical Synoptical 18

19 Synopsis The difficulty begins as soon as we examine the phrase two or more books on the same subject. 19

20 Synopsis The difficulty begins as soon as we examine the phrase two or more books on the same subject. What do we mean by same subject? 20

21 Structure of the Talk Synopsis: Dynamic and Static Type Checking Focus: Gradual Information-Flow Typing 21

22 1: Which Comes First?! 22

23 A Theory of Type Polymorphism in Programming ROBIN MILNER Computer Science Department, Vm+ersity of Edinburgh, Edinburgh, Scotland Received October 10, 1977; revised April 19,

24 A Theory of Type Polymorphism e..- a*- x I(ee )l ife then e else e 1 Ax-eIfixx*ejletx=eine. b[(e,e,)]v = vl E F -+ (vz E W - wrong, (q I F)v,), wrong where vi is 6[e& (i = 1, 2). a[$ e, then e2 else e,]r] = vl E B, -+ (vl 1 B, -+ v2, vj, wrong where vi is &[e& (i = 1, 2, 3) S@X. en7 = (A0. S/p] 77(2)/x)) in V &jj-ji~ x - e]7j = Y(hv - b~el7){7$}) b[zet x = e, in e,jq = v1 E W-+ wrong, b[e2] 7.1&/x} where q = &[e&. 24

25 A Theory of Type Polymorphism e..- a*- x I(ee )l ife then e else e 1 Ax-eIfixx*ejletx=eine. b[(e,e,)]v = vl E F -+ (vz E W - wrong, (q I F)v,), wrong where vi is 6[e& (i = 1, 2). a[$ e, then e2 else e,]r] = vl E B, -+ (vl 1 B, -+ v2, vj, wrong where vi is &[e& (i = 1, 2, 3) S@X. en7 = (A0. S/p] 77(2)/x)) in V &jj-ji~ x - e]7j = Y(hv - b~el7){7$}) b[zet x = e, in e,jq = v1 E W-+ wrong, b[e2] 7.1&/x} where q = &[e&. Starts with a Dynamic Language! 25

26 A Theory of Type Polymorphism discipline. A Semantic Soundness Theorem (based on a formal semantics for the language) states that well-type programs cannot go wrong and a Syntactic Soundness Theorem states that if fl accepts a program then it is well typed. We also discuss extending these THEOREM 1 (Semantic Soundness). If 7 respects jj and p 1 & is well typed then &[djt : 7. i.e., If = : and ` t : T then = ˆ (t) :T. 26

27 A Theory of Type Polymorphism discipline. A Semantic Soundness Theorem (based on a formal semantics for the language) states that well-type programs cannot go wrong and a Syntactic Soundness Theorem states that if fl accepts a program then it is well typed. We also discuss extending these THEOREM 1 (Semantic Soundness). If 7 respects jj and p 1 & is well typed then &[djt : 7. i.e., If = : and ` t : T then = ˆ (t) :T. i.e., If ` t : T then = t : T. 27

28 A Theory of Type Polymorphism discipline. A Semantic Soundness Theorem (based on a formal semantics for the language) states that well-type programs cannot go wrong and a Syntactic Soundness Theorem states that if fl accepts a program then it is well typed. We also discuss extending these THEOREM 1 (Semantic Soundness). If 7 respects jj and p 1 & is well typed then &[djt : 7. i.e., If = : and ` t : T then = ˆ (t) :T. i.e., If ` t : T then = t : T. Proof Theory BNF on steroids 28

29 A Theory of Type Polymorphism discipline. A Semantic Soundness Theorem (based on a formal semantics for the language) states that well-type programs cannot go wrong and a Syntactic Soundness Theorem states that if fl accepts a program then it is well typed. We also discuss extending these THEOREM 1 (Semantic Soundness). If 7 respects jj and p 1 & is well typed then &[djt : 7. i.e., If = : and ` t : T then = ˆ (t) :T. i.e., If ` t : T then = t : T. Formal claim about Execution Model Theory 29

30 1996 John C. Mitchell 30

31 1996 John C. Mitchell 31

32 1993 (née 1969) 32

33 What do types mean? - From intrinsic to extrinsic semantics Jobn C. Reynolds 2003 [[D :: ` t : T ]] [[t]] Intrinsic Semantics Extrinsic Semantics 33

34 2: Mixing Static and Dynamic Checking! 34

35 PLDI 1991 A Practical Soft Type System for Scheme ANDREW K. WRIGHT NEC Research Institute and ROBERT CARTWRIGHT Rice University TOPLAS

36 Soft Typing Extend Milner 1978 with: constructor types bare union types equi-recursive types union-induced subtyping 36

37 Soft Typing Program Type-Directed Coercion Insertion Dynamic Program 1991: Extrinsic, Denotational 1997: Intrinsic Operational 37

38 Quasi-static (Preliminary Typing Report) Satish R. Thatte* Department of Mathematics and Computer Science Clarkson University, Potsdam, NY POPL 1990 sarily goes wrong at run-time. Given the undecidability of semantically complete typechecking for most languages, a system that permits ill-typing proofs has to make a three way division of programs into welltyped, ill-typed, and ambivalent ones. Such a system 38

39 Quasi-static Typing Lack of Information Type T<: All types are a subtypes of the Omega type r 5 R. 39

40 Quasi-static Typing ` t 1 : T 1! T 2 ` t 2 : T 3 T 1 <: T 3 ` t 1 t 2 : T 2 ` t 1 : ` t 2 : T 3 ` t 1 t 2 : Automatic Downcasts 40

41 Quasi-static Typing ` t 1 : T 1! T 2 ` t 2 : T 3 T 1 <: T 3 ` t 1 t 2 : T 2 ` t 1 : ` t 2 : T 3 [T 3! <: ] ` t 1 t 2 : Automatic Downcasts 41

42 Quasi-static Typing ` t 1 : T 1! T 2 ` t 2 : T 3 T 1 <: T 3 ` t 1 t 2 : T 2 ` t 1 : ` t 2 : T 3 [T 3! <: ] ` t 1 t 2 : Automatic Downcasts (Nearly) Every Program Type Checks 42

43 Quasi-Static Typing Program Type-Directed Coercion Insertion Dynamic Program Plausibility Checking Quasi-Static Program Type Error! 43

44 Hybrid Type Checking KENNETH KNOWLES CORMAC FLANAGAN University of California at Santa Cruz POPL 2006, TOPLAS 2009 Ill-typed programs Well-typed programs Clearly ill-typed Subtle programs Clearly well-typed Rejected by type checker Accepted Accepted without casts with casts Casts Casts may never fail fail 44

45 Hybrid Type Checking h i S, T ::= x:s! T {x:b t} First-order Subset Types First-Order Type Boolean Term 45

46 Hybrid Type Checking h i S, T ::= x:s! T {x:b t} Dependent Function Types 46

47 Hybrid Type Checking ` { } Subtyping E ` S<: T E ` T 1 <: S 1 E,x : T 1 ` S 2 <: T 2 E ` (x:s 1! S 2 ) <: (x:t 1! T 2 ) E,x : B ` s ) t E ` {x:b s} <: {x:b t} [S-Arrow] [S-Base] Boolean Term Entailment Undecidable Subtyping Judgment 47

48 Hybrid Type Checking 3-valued Subtyping Procedure E `aalg S<:! T a 2 { p,,?} { } Yes No Maybe 48

49 Hybrid Type Checking Program Type-Directed Coercion Insertion Hybrid Program `! # E ` s,! t : S E `?alg S<: T E ` s,! ht / Si t # T 49

50 Gradual Typing for Functional Languages Jeremy G. Siek University of Colorado Walid Taha Rice University 50

51 Gradual Typing for Functional Languages Jeremy G. Siek University of Colorado Walid Taha Rice University Static Types Gradual Types T ::= B T! T et ::= B? e T! e T 51 The Unknown Type

52 Gradual Typing static type equality Int = Int Bool = Bool Int! Bool 6= Bool! Int extend gradual type consistency Int Int Bool Bool Int! Bool 6 Bool! Int? Bool?! Bool Bool!? Consistency conservatively extends equality 52

53 Gradual Typing replace equality with consistency ` t 1 : Int ` t 2 : Int ` t 1 + t 2 : Int ` t 1 : T f 1 T1 f Int ` t 2 : T f 2 T2 f Int ` t 1 + t 2 : Int 53

54 Dynamic Checking Static Semantics Gradual Language Type-Directed Translation Dynamic Semantics Cast Language 54

55 Many Many More! 55

56 Synthesis Intrinsic vs. Extrinsic Typing Accept All Programs vs. Reject Ill-Typed Type-directed Translation is Ubiquitous Subtyping vs. Consistency Dynamic, Simple, Refinement Typing It s all relative! 56

57 3: Gradual Information-Flow Typing!! sec 57

58 erating tems R.S. Gaines Editor A Lattice Model of ecure Information low rothy E. Denning rdue University [CACM 1976] 58

59 Security as a Lattice Classification Permitted Readers Zdancewic. Programming Languages for Information Security 59

60 Security as a Lattice Low-security information may flow to high-security contexts Zdancewic. Programming Languages for Information Security 60

61 Security as a Lattice High-security information may not flow to low-security contexts Zdancewic. Programming Languages for Information Security 61

62 Example let age : Int = 31 let salary : Int = let inttostring : Int! String =... let print : String! Unit =... print(inttostring(salary)) Disney and Flanagan. Gradual Information Flow Typing 62

63 Example Low Security Data let age : Int = 31 let salary : Int = let inttostring : Int! String =... let print : String! Unit =... print(inttostring(salary)) Disney and Flanagan. Gradual Information Flow Typing 63

64 Example Low Security Data let age : Int = 31 let salary : Int = let inttostring : Int! String =... let print : String! Unit =... print(inttostring(salary)) High Security Data Disney and Flanagan. Gradual Information Flow Typing 64

65 Example Low Security Data let age : Int = 31 let salary : Int = let inttostring : Int! String =... let print : String! Unit =... print(inttostring(salary)) High Security Data Low Security Channel Disney and Flanagan. Gradual Information Flow Typing 65

66 Example Low Security Data let age : Int = 31 let salary : Int = let inttostring : Int! String =... let print : String! Unit =... print(inttostring(salary)) High Security Data Low Security Channel Security Leak!! Unchecked Semantic Error Disney and Flanagan. Gradual Information Flow Typing 66

67 Security Typing Int! Int Simple Type Structure 67

68 Security Typing Higher Security Lower Security Int H! L Int H Security-Indexed Type Constructors 68

69 Security Typing Higher Security Lower Security Int L <: Int H Int H! L Int L <: Int L! H Int H Induced Subtyping Structure 69

70 Example let age : Int = 31 let salary : Int = let inttostring : Int! String =... let print : String! Unit =... print(inttostring(salary)) Security Leak!! Unchecked Semantic Error Disney and Flanagan. Gradual Information Flow Typing 70

71 Example let age : IntL = 31 let salary : IntH = let inttostring : IntL!L StringL =... let print : StringL!L UnitL =... print(inttostring(salary)) Type Error Checked Semantic Error Disney and Flanagan. Gradual Information Flow Typing 71

72 Example let age : IntL = 31 let salary : IntH = let inttostring : IntL!L StringL =... let print : StringL!L UnitL =... print(inttostring(age)) Security Typed Disney and Flanagan. Gradual Information Flow Typing 72

73 Implicit Security Flows High-Security information can affect the control flow of a program, and thereby leak information. Upgrade the security of the results of high-value computations. 73

74 Implicit Security Flows fun b : BoolH => let tt : BoolL = true let ff : BoolL = false if b then tt else ff High-Security data can affect control flow of a program 74

75 Effects Can Leak Information High-Security values can flow from a computation via mutable reference cells 75

76 Security Typing Int H! L Int H ; ` t : S 76

77 Security Typing Int H L!L Int H ; ; ` ` t : S Latent Security Effects 77

78 Security Typing Gap Simple Typing Security Typing 78

79 Security Typing Gap Simple Typing + Dynamic Information-Flow Security Typing 79

80 Gradual Typing! Simple Typing Gradual Information Flow Typing Tim Disney and Cormac Flanagan University of California Santa Cruz Security Typing [STOP 2011] 80

81 Security Lattice 81

82 Security Lattice Dynamic Security as Top 82

83 Example let age : Int = 31 let salary : Int = let inttostring : Int! String =... let print : String! Unit =... print(inttostring(salary)) Disney and Flanagan. Gradual Information Flow Typing 83

84 Dynamic Program let age : Int? = 31 let salary : Int? = let inttostring : Int?!? String? =... let print : String?!? Unit? =... print(inttostring(salary)) Disney and Flanagan. Gradual Information Flow Typing 84

85 Gradual Program let age : Int? = 31 let salary : IntH = let inttostring : Int?!? String? =... let print : StringL!? Unit? =... print((stringl)inttostring(salary)) Disney and Flanagan. Gradual Information Flow Typing 85

86 Gradual Program let age : Int? = 31 let salary : IntH = let inttostring : Int?!? String? =... let print : StringL!? Unit? =... print((stringl)inttostring(salary)) Static Security Labels Disney and Flanagan. Gradual Information Flow Typing 86

87 Gradual Program let age : Int? = 31 let salary : IntH = let inttostring : Int?!? String? =... let print : StringL!? Unit? =... print((stringl)inttostring(salary)) Explicit Runtime Downcasts closer to Quasi-static than Gradual Disney and Flanagan. Gradual Information Flow Typing 87

88 Quasi-Static Style Program Type-Directed Coercion Insertion Dynamic Program Plausibility Checking Quasi-Static Program Type Error! 88

89 Gradual Information Flow Me Éric Tanter Matías Toro (A Whirlwind Tour) 89

90 static type system & type safety proof interpretation of gradual types Abstracting Gradual Typing Ronald Garcia Alison M. Clark Software Practices Lab Department of Computer Science University of British Columbia, Canada Éric Tanter PLEIAD Laboratory Computer Science Department (DCC) University of Chile, Chile POPL 2016 gradual language TYPE SYSTEM DYNAMIC SEMANTICS 90

91 Gradual Security ` 2 Label è 2 GLabel ::= `? Unknown Label 91

92 Interpret Gradual Labels : GLabel! P(Label) (L) ={L} (H) ={H} (?) = Label Concretization 92

93 Interpret Gradual Labels : GLabel! P(Label) (L) =L (H) =H (?) = Label : P(Label) * GLabel ({L}) =L ({L, H}) =? Abstraction 93

94 Gradual Label Precision e l v e l 94

95 Gradual Label Precision e l v e l ( e l 1 ) ( e l 2 ) 95

96 Consistent Ordering e l e4 e l l 1 4 l 2 for some l 1 2 ( e l 1 ),l 1 2 ( e l 1 ) 96

97 Consistent Ordering L e4 H L 6e4 H L e4 L? e4 L L e4? Not really an order 97

98 Lifted Join e l e e l ( ( e l 1 ) ( e l 2 )) 98

99 Lifted Join L e H = H H e H = H? e H =? 99

100 Interpret Gradual Types : GType! P(Type) (Int? )={Int?, Int L, Int H, Int > } Concretization 100

101 Interpret Gradual Types : GType! P(Type) (Int? )={Int?, Int L, Int H, Int > } : P(Type) * GType ({Int L })=Int L ({Int L, Int H })=Int? Abstraction 101

102 Lifting Judgments Subtyping T<: T Consistent Subtyping et. e T 102

103 Lifting Typing Rules `0 ; ; `c ` t 1 : T 11 T!`x 12 ; ; `c ` t 2 : T 2 S 2 <: S 11 `c `x 4 `0 ; ; `c ` t 1 t 2 : T 12 `x ; ; è c ` et 1 : T e è0 11 T!`x 12 ; ; è c ` et 2 : T e 2 et 2. e T 11 èc ; ; è c ` et 1 et 2 : e T 12 e è x ^è x v è0 103

104 Lift Type Safety Argument D =) D 0 ` t : T t 7! t 0 Preservation Theorem 104 ` t 0 : T

105 Gradual Program let age : Int? = 31 let salary : IntH = let inttostring : Int?!? String? =... let print : StringL!? Unit? =... print((stringl)inttostring(salary)) No Casts Necessary! Disney and Flanagan. Gradual Information Flow Typing 105

106 106

107 Conclusion Hybrid Type Checking Dynamic typing: Quasi-static Typing Gradual Typing 107

108 Conclusion Hybrid Type Checking Dynamic typing: Quasi-static Typing Gradual Typing 108

109 Synopsis it is in a sense true that the identification of the subject matter must follow the reading, not precede it. 109