Well-typed programs cant be blamed Philip Wadler University of - - PowerPoint PPT Presentation

Well-typed programs can’t be blamed

Philip Wadler University of Edinburgh Robert Bruce Findler University of Chicago

A repeated theme

Thatte (1988): Partial types Henglein (1994): Dynamic typing Findler and Felleisen (2002): Contracts Flanagan (2006): Hybrid types Siek and Taha (2006): Gradual types

A repeated theme

Javacript 4.0 Perl 6.0 C# 4.0 Visual Basic 9.0

Evolving a program

An untyped program

⌈let x = 2 f = λy. y + 1 h = λg. g (g x) in h f⌉ − → ⌈4⌉

A typed program

let x = 2 f = λy : Int. y + 1 h = λg : Int → Int. g (g x) in h f − → 4 : Int

A partly typed program—narrowing

let x = 2 f = Int → Int ⇐ Dynp ⌈λy. y + 1⌉ h = λg : Int → Int. g (g x) in h f − → 4 : Int

A partly typed program—narrowing

let x = 2 f = Int → Int ⇐ Dynp ⌈λy. ’b’⌉ h = λg : Int → Int. g (g x) in h f − → blame p Positive (covariant): blame the term contained in the cast

Another partly typed program—widening

let x = ⌈2⌉ f = Dyn ⇐ Int → Intp (λy : Int. y + 1) h = ⌈λg. g (g x)⌉ in ⌈h f⌉ − → ⌈4⌉

Another partly typed program—widening

let x = ⌈’a’⌉ f = Dyn ⇐ Int → Intp (λy : Int. y + 1) h = ⌈λg. g (g x)⌉ in ⌈h f⌉ − → blame ¯ p Negative (contravariant): blame the context containg the cast

Untyped and supertyped

Untyped = Uni-typed

⌈x⌉ = x ⌈n⌉ = Dyn ⇐ Int n ⌈λx. N⌉ = Dyn ⇐ Dyn → Dyn (λx : Dyn. ⌈N⌉) ⌈L M⌉ = (Dyn → Dyn ⇐ Dyn ⌈L⌉) ⌈M⌉ (slogan due to Bob Harper)

Contracts

Nat = {x : Int | x ≥ 0} let x = Nat ⇐ Int 2 f = Nat → Nat ⇐ Int → Int (λy : Int. y + 1) h = λg : Nat → Nat. g (g x) in h f − → 4Nat : Nat

The Blame Game

Blame

Int ⇐ Dynp ⌈2⌉ − → 2 Int ⇐ Dynp ⌈’a’⌉ − → blame p

The Blame Game—widening

(Dyn → Dyn ⇐ Int → Intp (λy : Int. y + 1)) ⌈2⌉ − → Dyn ⇐ Intp ((λy : Int. y + 1) (Int ⇐ Dyn¯

p ⌈2⌉))

− → ⌈3⌉

The Blame Game—widening

(Dyn → Dyn ⇐ Int → Intp (λy : Int. y + 1)) ⌈’a’⌉ − → Dyn ⇐ Intp ((λy : Int. y + 1) (Int ⇐ Dyn¯

p ⌈’a’⌉))

− → blame ¯ p Widening can give rise to negative blame, but never positive blame

The Blame Game—narrowing

(Int → Int ⇐ Dyn → Dynp (λy : Dyn. ⌈y + 1⌉)) 2 − → Int ⇐ Dynp ((λy : Dyn. ⌈y + 1⌉) (Dyn ⇐ Int¯

p 2))

− → 3

The Blame Game—narrowing

(Int → Int ⇐ Dyn → Dynp (λy : Dyn. ⌈’b’⌉)) 2 − → Int ⇐ Dynp ((λy : Dyn. ⌈’b’⌉) (Dyn ⇐ Int¯

p 2))

− → blame p Narrowing can give rise to positive blame, but never negative blame

And now a word from our sponsor

Subtyping

<: <:+ <:− <:n

Subtype

Dyn <: Dyn Int <: Dyn S′ <: S T <: T ′ S → T <: S′ → T ′ Example: Dyn → Int <: Int → Dyn

Positive subtype—widening

S <:+ Dyn S′ <:− S T <:+ T ′ S → T <:+ S′ → T ′ Example: Int → Int <:+ Dyn → Dyn

Negative subtype—narrowing

Dyn <:− T Int <:− Dyn S′ <:+ S T <:− T ′ S → T <:− S′ → T ′ Example: Dyn → Dyn <:− Int → Int

Naive subtype

S <:n Dyn S <:n S′ T <:n T ′ S → T <:n S′ → T ′ Example: Int → Int <:n Dyn → Dyn

The Blame Theorem

Safety

x safe for p t safe for p λx. t safe for p s safe for p t safe for p s t safe for p s safe for p S <:+ T T ⇐ Sp s safe for p s safe for p S <:− T T ⇐ S¯

p s safe for p

s safe for p p = q ¯ p = q T ⇐ Sq s safe for p

The Blame Theorem

Preservation If s safe for p and s − → t then t safe for p. Progress If s safe for p then s

• −

→ blame p.

The First Tangram Theorem

S <: T if and only if S <:+ T and S <:− T

The First Blame Corollary

Let t be a term where T ⇐ Sp s is the only subterm with label p. If S <: T then t

• −

→ blame p and t

• −

→ blame ¯ p.

The Second Tangram Theorem

S <:n T if and only if S <:+ T and T <:− S

The Second Blame Corollary

Let t be a term where T ⇐ Sp s is the only subterm with label p. If S <:n T then t

• −

→ blame p. Let t be a term where T ⇐ Sp s is the only subterm with label p. If T <:n S then t

• −

→ blame ¯ p.

Conclusion

A new slogan for type safety

Milner (1978): Well-typed programs can’t go wrong. Harper; Felleisen and Wright (1994): Well-typed programs don’t get stuck. Wadler and Findler (2008): Well-typed programs can’t be blamed.