Well-typed programs cant be blamed Philip Wadler University of - PowerPoint PPT Presentation

Well-typed programs can’t be blamed Philip Wadler University of Edinburgh Robert Bruce Findler University of Chicago

A repeated theme Thatte (1988): Partial types Henglein (1994): Dynamic typing Findler and Felleisen (2002): Contracts Flanagan (2006): Hybrid types Siek and Taha (2006): Gradual types

A repeated theme Javacript 4.0 Perl 6.0 C# 4.0 Visual Basic 9.0

Evolving a program

An untyped program ⌈ let x = 2 f = λy. y + 1 h = λg. g ( g x ) in h f ⌉ − → ⌈ 4 ⌉

A typed program let x = 2 f = λy : Int . y + 1 h = λg : Int → Int . g ( g x ) in h f − → 4 : Int

A partly typed program—narrowing let x = 2 f = � Int → Int ⇐ Dyn � p ⌈ λy. y + 1 ⌉ h = λg : Int → Int . g ( g x ) in h f − → 4 : Int

A partly typed program—narrowing let x = 2 f = � Int → Int ⇐ Dyn � p ⌈ λy. ’b’ ⌉ h = λg : Int → Int . g ( g x ) in h f − → blame p Positive (covariant): blame the term contained in the cast

Another partly typed program—widening let x = ⌈ 2 ⌉ f = � Dyn ⇐ Int → Int � p ( λy : Int . y + 1 ) h = ⌈ λg. g ( g x ) ⌉ in ⌈ h f ⌉ − → ⌈ 4 ⌉

Another partly typed program—widening let x = ⌈ ’a’ ⌉ f = � Dyn ⇐ Int → Int � p ( λy : Int . y + 1 ) h = ⌈ λg. g ( g x ) ⌉ in ⌈ h f ⌉ − → blame ¯ p Negative (contravariant): blame the context containg the cast

Untyped and supertyped

Untyped = Uni-typed ⌈ x ⌉ = x ⌈ n ⌉ = � Dyn ⇐ Int � n ⌈ λx. N ⌉ = � Dyn ⇐ Dyn → Dyn � ( λx : Dyn . ⌈ N ⌉ ) ⌈ L M ⌉ = ( � Dyn → Dyn ⇐ Dyn � ⌈ L ⌉ ) ⌈ M ⌉ (slogan due to Bob Harper)

Contracts Nat = { x : Int | x ≥ 0 } let x = � Nat ⇐ Int � 2 f = � Nat → Nat ⇐ Int → Int � ( λy : Int . y + 1 ) h = λg : Nat → Nat . g ( g x ) in h f − → 4 Nat : Nat

The Blame Game

Blame � Int ⇐ Dyn � p ⌈ 2 ⌉ − → 2 � Int ⇐ Dyn � p ⌈ ’a’ ⌉ − → blame p

The Blame Game—widening ( � Dyn → Dyn ⇐ Int → Int � p ( λy : Int . y + 1 )) ⌈ 2 ⌉ − → � Dyn ⇐ Int � p (( λy : Int . y + 1 ) ( � Int ⇐ Dyn � ¯ p ⌈ 2 ⌉ )) − → ⌈ 3 ⌉

The Blame Game—widening ( � Dyn → Dyn ⇐ Int → Int � p ( λy : Int . y + 1 )) ⌈ ’a’ ⌉ − → � Dyn ⇐ Int � p (( λy : Int . y + 1 ) ( � Int ⇐ Dyn � ¯ p ⌈ ’a’ ⌉ )) − → blame ¯ p Widening can give rise to negative blame, but never positive blame

The Blame Game—narrowing ( � Int → Int ⇐ Dyn → Dyn � p ( λy : Dyn . ⌈ y + 1 ⌉ )) 2 − → � Int ⇐ Dyn � p (( λy : Dyn . ⌈ y + 1 ⌉ ) ( � Dyn ⇐ Int � ¯ p 2 )) − → 3

The Blame Game—narrowing ( � Int → Int ⇐ Dyn → Dyn � p ( λy : Dyn . ⌈ ’b’ ⌉ )) 2 − → � Int ⇐ Dyn � p (( λy : Dyn . ⌈ ’b’ ⌉ ) ( � Dyn ⇐ Int � ¯ p 2 )) − → blame p Narrowing can give rise to positive blame, but never negative blame

And now a word from our sponsor

Subtyping < : + < : − < : < : n

Subtype Dyn < : Dyn Int < : Dyn S ′ < : S T < : T ′ S → T < : S ′ → T ′ Example: Dyn → Int < : Int → Dyn

Positive subtype—widening S < : + Dyn S ′ < : − S T < : + T ′ S → T < : + S ′ → T ′ Example: Int → Int < : + Dyn → Dyn

Negative subtype—narrowing Dyn < : − T Int < : − Dyn S ′ < : + S T < : − T ′ S → T < : − S ′ → T ′ Example: Dyn → Dyn < : − Int → Int

Naive subtype S < : n Dyn S < : n S ′ T < : n T ′ S → T < : n S ′ → T ′ Example: Int → Int < : n Dyn → Dyn

The Blame Theorem

Safety t safe for p s safe for p t safe for p λx. t safe for p s t safe for p x safe for p S < : + T s safe for p � T ⇐ S � p s safe for p S < : − T s safe for p p s safe for p � T ⇐ S � ¯ p � = q p � = q ¯ s safe for p � T ⇐ S � q s safe for p

� The Blame Theorem Preservation If s safe for p and s − → t then t safe for p . Progress − → blame p . If s safe for p then s

� � The First Tangram Theorem S < : T if and only if S < : + T and S < : − T The First Blame Corollary Let t be a term where � T ⇐ S � p s is the only subterm with label p . If S < : T then t − → blame p and t − → blame ¯ p .

� � The Second Tangram Theorem S < : n T if and only if S < : + T and T < : − S The Second Blame Corollary Let t be a term where � T ⇐ S � p s is the only subterm with label p . If S < : n T then t − → blame p . Let t be a term where � T ⇐ S � p s is the only subterm with label p . If T < : n S then t − → blame ¯ p .

Conclusion

A new slogan for type safety Milner (1978): Well-typed programs can’t go wrong. Harper; Felleisen and Wright (1994): Well-typed programs don’t get stuck. Wadler and Findler (2008): Well-typed programs can’t be blamed.