Abstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report)
Felipe Bañados Schwerter, Alison M. Clark, Khurram A. Jafery, Ronald Garcia
aa r X i v : . [ c s . P L ] N ov FELIPE BAÑADOS SCHWERTER,
University of British Columbia, Canada
ALISON M. CLARK ∗ KHURRAM A. JAFERY ∗ , Amazon
RONALD GARCIA,
University of British Columbia, CanadaAbstracting Gradual Typing (AGT) is a systematic approach to designing gradually-typed languages. Lan-guages developed using AGT automatically satisfy the formal semantic criteria for gradual languages iden-tified by Siek et al. [2015]. Nonetheless, vanilla AGT semantics can still have important shortcomings. First,a gradual language’s runtime checks should preserve the space-efficiency guarantees inherent to the under-lying static and dynamic languages. To the contrary, the default operational semantics of AGT break propertail calls. Second, a gradual language’s runtime checks should enforce basic modular type-based invariantsexpected from the static type discipline. To the contrary, the default operational semantics of AGT may failto enforce some invariants in surprising ways. We demonstrate this in the GTFL . language of Garcia et al.[2016].This paper addresses both problems at once by refining the theory underlying AGT’s dynamic checks.Garcia et al. [2016] observe that AGT involves two abstractions of static types: one for the static semanticsand one for the dynamic semantics. We recast the latter as an abstract interpretation of subtyping itself, whilegradual types still abstract static types. Then we show how forward-completeness [Giacobazzi and Quintarelli2001] is key to supporting both space-efficient execution and reliable runtime type enforcement.Additional Key Words and Phrases: gradual typing, cast calculi, abstract interpretation, subtyping,coinduction Gradual typing is an increasingly popular approach to designing programming languages thatseamlessly blend dynamic and static type checking. Work in this space has produced a variety oflanguage models, e.g., [Ina and Igarashi 2011; Sergey and Clarke 2012; Siek and Taha 2007, 2006;Tobin-Hochstadt and Felleisen 2006; Wadler and Findler 2009], evaluation criteria [Siek et al. 2015],and extensions of the concept to new contexts, e.g., [Bañados Schwerter et al. 2014; Disney and Flanagan2011].However, each excursion raises new questions about how language designers can produce sen-sible gradually-typed counterparts to their chosen static type discipline, and compare and evaluatealternative potential designs. To address these problems, Garcia et al. [2016] proposed AbstractingGradual Typing (AGT), a methodology for developing gradually-typed extensions of pre-existing ∗ Work done while at UBCAuthors’ addresses: Felipe Bañados Schwerter, [email protected], Software Practices Lab, Department of Computer Sci-ence, University of British Columbia, 201-2366 Main Mall, Vancouver, BC, V6T1Z4, Canada; Alison M. Clark, [email protected]; Khurram A. Jafery, [email protected], Amazon; Ronald Garcia, [email protected], Software Prac-tices Lab, Department of Computer Science, University of British Columbia, 201-2366 Main Mall, Vancouver, BC, V6T1Z4,Canada.Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without feeprovided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice andthe full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses,contact the owner/author(s).© 2021 Copyright held by the owner/author(s).2475-1421/2021/1-ART1https://doi.org/10.1145/nnnnnnn.nnnnnnnProc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :2 Bañados Schwerter et al. static type disciplines. Their approach systematizes the construction of static and dynamic seman-tics for gradual languages that by construction admit straightforward proofs of broadly acceptedformal criteria for gradually typed languages [Siek et al. 2015].Despite its metatheoretical gains, the AGT approach still requires extra work and human cre-ativity to achieve some operational and semantic goals for a gradually-typed language. First, AGT-induced semantics do not automatically provide space-efficient runtime checking. Second, AGT’sruntime checking regime sometimes requires manual tuning to ensure that in addition to Siek etal.’s criteria, desired and expected modular type-based semantic invariants are properly enforced.This paper addresses both of these concerns, but first explains them in more detail.
Space-Efficient Runtime Checking . Herman et al. [2010] showed that naïvely implementingruntime checks using wrappers can introduce space leaks and break proper tail calls. For example,consider the gradually-typed program: even ( 𝑛 : Int ) : ? = if ( 𝑛 = ) then True else odd ( 𝑛 − ) odd ( 𝑛 : Int ) : Bool = if ( 𝑛 = ) then False else even ( 𝑛 − ) Some terms are ascribed the unknown type ? , which marks absent type information and enablesruntime checking. The program looks tail-recursive, but is instrumented as follows : even ( 𝑛 : Int ) : ? = if ( 𝑛 = ) then h ? ⇐ Bool i True else h ? ⇐ Bool i odd ( 𝑛 − ) odd ( 𝑛 : Int ) : Bool = if ( 𝑛 = ) then False else h Bool ⇐ ? i even ( 𝑛 − ) In this program, the highlighted bracket expressions denote runtime type casts. In Siek and Taha[2006] semantics, runtime casts accumulate at each recursive call: odd ( ) −→ h Bool ⇐ ? i even ( ) −→ h Bool ⇐ ? i h ? ⇐ Bool i odd ( )−→ h Bool ⇐ ? i h ? ⇐ Bool i h
Bool ⇐ ? i even ( )−→ h Bool ⇐ ? i h ? ⇐ Bool i h
Bool ⇐ ? i h ? ⇐ Bool i True −→ h
Bool i h ? i True −→ True
This means that programs that appear to be tail-recursive, and thus consume constant stack space,now consume linear space, simply because of how their types are checked. A variant of the sameprogram written in continuation-passing-style demonstrates how (higher-order) casts, which can-not be resolved immediately, accumulate around values if one is not careful. evenk ( 𝑛 : Int ) ( 𝑘 : ? → ? ) : Bool = if ( 𝑛 = ) then ( 𝑘 True ) else oddk ( 𝑛 − ) 𝑘 oddk ( 𝑛 : Int ) ( 𝑘 : Bool → Bool ) : Bool : Bool = if ( 𝑛 = ) then ( 𝑘 False ) else evenk ( 𝑛 − ) 𝑘 This program elaborates to the following: evenk ( 𝑛 : Int ) ( 𝑘 : ? → ? ) : Bool = if ( 𝑛 = ) then ( 𝑘 h ? ⇐ Bool i True ) else oddk ( 𝑛 − ) ( h Bool → Bool ⇐ ? → ? i 𝑘 ) oddk ( 𝑛 : Int ) ( 𝑘 : Bool → Bool ) : Bool = if ( 𝑛 = ) then ( 𝑘 False ) else evenk ( 𝑛 − ) ( h ? → ? ⇐ Bool → Bool i 𝑘 ) and its evaluation also accumulates casts: odd ( ) 𝑘 −→ even ( ) h ? → ? ⇐ Bool → Bool i 𝑘 −→ odd ( ) h Bool → Bool ⇐ ? → ? i h ? → ? ⇐ Bool → Bool i 𝑘 −→ even ( ) h ? → ? ⇐ Bool → Bool i h
Bool → Bool ⇐ ? → ? i h ? → ? ⇐ Bool → Bool i 𝑘 −→ . . . For clarity, these examples use a type cast notation with source and destination types. Our formal semantics exhibit thesame concepts, albeit using a necessarily less transparent representation.Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:3
The solution to this problem is to aggressively compose casts, in tail position and around valuesrespectively, rather than allowing them to accumulate. However, doing so requires some notion ofbounded-space cast-composition whose behavior is equivalent to the standard semantics. Manygradual language semantics use coercions [Henglein 1994] or threesomes [Siek and Wadler 2010]to coalesce casts as they arise. At first glance, AGT appears to immediately support space effi-ciency, since it provides an operator for composing checks. However, this only suffices to preventaccumulation on values. To see why, consider how space-efficient tail-recursion must proceed: odd ( ) −→ h Bool ⇐ ? i even ( ) −→ h Bool ⇐ ? i h ? ⇐ Bool i odd ( ) −→ h Bool ⇐ Bool i odd ( )−→ h Bool ⇐ Bool i h
Bool ⇐ ? i even ( ) −→ h Bool ⇐ ? i even ( ) −→ h Bool ⇐ Bool i True −→ True
To preserve proper tail calls the semantics must aggressively compose tail-position checks as theyarise, rather than waiting until a final tail call returns a value before resolving checks up the callstack, as in the first trace. This only works if composing checks is equivalent in either direction:cast composition must be associative. Unfortunately this is not always the case: in particular, thechecks introduced by Garcia et al. [2016] for GTFL . , a gradual language with record subtyping,do not compose associatively. Some cast sequences succeed when composed in one order, but failwhen composed in the other. We show a detailed example in Sec. 2.4. Type-Based Reasoning . Prior work on gradualizing sophisticated typing disciplines like information-flow security [Toro et al. 2018] or parametricity (e.g., Ahmed et al. [2017]; New et al. [2019]; Toro et al.[2019]) has demonstrated that AGT applied naïvely does not automatically enforce the modularinvariants that a programmer may expect from the intended static type discipline. Unfortunatelythe same phenomenon arises in GTFL . , even though its type discipline—record subtyping—is com-paratively simple and well-understood. The following scenario demonstrates the problem. Consider the following program fragment: let q : [ x : Int ] = [ x = , y = true ] in h body i According to standard subtype-based reasoning, the body cannot access the y field of the record.Such modular reasoning is a hallmark of static typing, and programmers who mix static and dy-namic typing want to reason about their code using static types where available [Tunnell Wilson et al.2018]. Unfortunately, the following completed GTFL . program compiles and runs successfully: let q : [ x : Int ] = [ x = , y = true ] in ( q :: ? :: [ x : Int , y : Bool ]) . y In essence, casting q to the unknown type and then back to a record type exposes the extra fieldthat should have been hidden by q ’s assumed type. In other words, the language satisfies standardtype safety, as AGT does by construction, but its runtime treatment of type abstractions does notstrictly enforce the type abstraction properties one expects from subtyping. Forward-completeness is the key . Space efficiency and type-based enforcement problems havethe same source: an insufficiently-precise runtime type enforcement mechanism. Previous AGT-based systems have had to tune their runtime abstractions. Toro et al. [2018] tuned their AGTabstraction to achieve type enforcement. Guided by intuition, Toro and Tanter [2020] tuned theirabstraction to achieve a space-efficient implementation. This work develops a principled approachto tuning the runtime checks in an AGT-based language, and shows that it suffices to address thetwo challenges above. For simplicity this example suppresses some details: see Herman et al. [2010]. Formally speaking, information-flow and parametricity are hyperproperties : relationships among multiple runs of a pro-gram, whereas record subtyping is not.Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :4 Bañados Schwerter et al.
Our contributions are as follows: • We revisit the foundations of AGT’s dynamic checks and refine their conception. Garcia et al.[2016] conceive of them via post hoc manipulation of abstractions for tuples of types: we re-define them as a direct abstract interpretation of the subtyping relation itself . This reframingis subtle and equivalent to the original, but now techniques from the abstract interpretationliterature become immediately applicable (Sec. 3). • AGT, applied naïvely, does not support space-efficiency because composing checks out of or-der may not preserve behaviour. We explore this issue in the context of Garcia et al. [2016]’sGTFL . language, and introduce bounded records and rows , a new abstraction for runtime evi-dence that retains precise information about gradual types and how they interact at runtime.This precise representation admits associative cast composition. Bounded rows uncover asubtle interplay between static record subtyping and gradual row types . • As others observed, AGT-designed semantics do not automatically ensure all desired type-based reasoning principles. This problem appeared in prior work on sophisticated typingdisciplines that enforce properties fundamentally about multiple runs of a program (i.e., hy-perproperties). Subtyping, in contrast, is a standard unary type property, yet still requirescare to enforce when gradual types are sufficiently rich. Ours is the first work to witnessthis phenomenon in a simple setting. • Since AGT is a framework for designing languages, it is desirable to frame these improve-ments in a general form. To do so, we devise sufficient conditions for space-efficiency andprecise runtime monitoring. Both properties can be achieved, while satisfying the formalcriteria of Siek et al. [2015], by ensuring that the dynamic monitoring semantics is forwardcomplete , a concept from abstract interpretation [Giacobazzi and Quintarelli 2001]. Forwardcompleteness guarantees that an AGT semantics can be made space-efficient, and equatesreasoning about the dynamic semantics to reasoning up to precision (⊑) about static sub-typing. . : A GRADUALLY TYPED LANGUAGE As a concrete starting point for our investigations, this section presents the semantics of GTFL . ,a gradually-typed language with records and subtyping that also supports migration between dy-namic and static type checking. Garcia et al. [2016] developed this language using the AGT method-ology, and its semantics exhibits the shortcomings that this paper addresses.We first present GTFL . with little reference to the AGT machinery used to construct and justifyit. Furthermore, we state correctness properties here without proof, because AGT exploits calcu-lational abstract interpretation techniques [Cousot and Cousot 1977] to intertwine the proof anddefinition processes, making the design “correct by construction.” Sec. 3 connects GTFL . ’s designto AGT, and briefly connects the correctness properties to proofs. Ultimately our improvementsare presented in terms of AGT to ensure that they generalize across AGT-based languages. Fig. 1 presents the GTFL . syntax and type system. Its terms are typical: numbers, booleans, func-tions, records, and type ascriptions. All of the novelty lies in its type structure, where commonstatic types—atomics, functions, and records—are augmented with two gradual type constructsthat denote imprecise type information. The now-standard unknown type ? denotes the completeomission of type information [Siek and Taha 2006]. The gradual row type [ ℓ : 𝑆, ? ] , on the otherhand, represents a record type with incomplete field information. It surely constrains the list 𝑙 offields with corresponding (gradual) types 𝑆 , but the gradual row designator ? denotes the possibility Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:5
Syntax 𝑥 ∈ Var , 𝑏 ∈ Bool , 𝑛 ∈ Z , 𝑙 ∈ Label , Γ ∈ Env = Var fin ⇀ Type 𝑇 ∈ Type :: = Int | Bool | 𝑇 → 𝑇 | [ 𝑙 : 𝑇 ] (static types) 𝑆 ∈ GType :: = ? | Int | Bool | 𝑆 → 𝑆 | [ 𝑙 : 𝑆 ] | [ 𝑙 : 𝑆, ? ] (gradual types) 𝑡 ∈ Term :: = 𝑛 | 𝑏 | 𝑥 | 𝜆𝑥 : 𝑆.𝑡 | 𝑡 𝑡 | 𝑡 + 𝑡 | if 𝑡 then 𝑡 else 𝑡 | [ 𝑙 = 𝑡 ] | 𝑡.𝑙 | 𝑡 :: 𝑆 (terms) Γ ⊢ 𝑡 : 𝑆 Gradual Typing ( 𝑆 x) 𝑥 : 𝑆 ∈ ΓΓ ⊢ 𝑥 : 𝑆 ( 𝑆 n) Γ ⊢ 𝑛 : Int ( 𝑆 b) Γ ⊢ 𝑏 : Bool ( 𝑆 app) Γ ⊢ 𝑡 𝑖 : 𝑆 𝑖 𝑆 . (cid:157) dom ( 𝑆 ) Γ ⊢ 𝑡 𝑡 : g cod ( 𝑆 ) ( 𝑆 +) Γ ⊢ 𝑡 𝑖 : 𝑆 𝑖 𝑆 𝑖 . Int Γ ⊢ 𝑡 + 𝑡 : Int ( 𝑆 if) Γ ⊢ 𝑡 𝑖 : 𝑆 𝑖 𝑆 . Bool Γ ⊢ if 𝑡 then 𝑡 else 𝑡 : 𝑆 e ∨ 𝑆 ( 𝑆 proj) Γ ⊢ 𝑡 : 𝑆 Γ ⊢ 𝑡.𝑙 : g proj ( 𝑆, 𝑙 ) ( 𝑆𝜆 ) Γ , 𝑥 : 𝑆 ⊢ 𝑡 : 𝑆 Γ ⊢ ( 𝜆𝑥 : 𝑆 .𝑡 ) : 𝑆 → 𝑆 ( 𝑆 :: ) Γ ⊢ 𝑡 : 𝑆 𝑆 . 𝑆 Γ ⊢ ( 𝑡 :: 𝑆 ) : 𝑆 ( 𝑆 rec) Γ ⊢ 𝑡 𝑖 : 𝑆 𝑖 Γ ⊢ [ 𝑙 𝑖 = 𝑡 𝑖 ] : [ 𝑙 𝑖 : 𝑆 𝑖 ] Helper Functions (cid:157) dom : GType ⇀ GType (cid:157) dom ( 𝑆 → 𝑆 ) = 𝑆 (cid:157) dom ( ? ) = ? (cid:157) dom ( 𝑆 ) undefined otherwise g cod : GType ⇀ GType g cod ( 𝑆 → 𝑆 ) = 𝑆 g cod ( ? ) = ? g cod ( 𝑆 ) undefined otherwise g proj : GType × Label ⇀ GType g proj ([ 𝑙 : 𝑆, 𝑙 𝑖 : 𝑆 𝑖 , ∗] , 𝑙 ) = 𝑆 g proj ([ 𝑙 𝑖 : 𝑆 𝑖 , ? ] , 𝑙 ) = ? if 𝑙 ∉ { 𝑙 𝑖 } g proj ( ? , 𝑙 ) = ? g proj ( 𝑆, 𝑙 ) undefined otherwise 𝑆 . 𝑆 Consistent Subtyping ? . 𝑆 𝑆 . ? Int . Int Bool . Bool 𝑆 . 𝑆 𝑆 . 𝑆 𝑆 → 𝑆 . 𝑆 → 𝑆 𝑆 𝑖 . 𝑆 𝑖 [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ] . [ 𝑙 𝑖 : 𝑆 𝑖 , ∗] 𝑆 𝑖 . 𝑆 𝑖 [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 , ? ] . [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 , ∗] 𝑆 ⊑ 𝑆 Precision 𝑆 ∈ { Int , Bool } 𝑆 ⊑ 𝑆 𝑆 ⊑ 𝑆 𝑆 ⊑ 𝑆 𝑆 → 𝑆 ⊑ 𝑆 → 𝑆 𝑆 𝑖 ⊑ 𝑆 𝑖 [ 𝑙 𝑖 : 𝑆 𝑖 ] ⊑ [ 𝑙 𝑖 : 𝑆 𝑖 ] 𝑆 𝑖 ⊑ 𝑆 𝑖 [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 , ∗] ⊑ [ 𝑙 𝑖 : 𝑆 𝑖 , ? ] 𝑆 ⊑ ?Fig. 1. GTFL . : Static Semantics of additional statically unknown fields. Gradual rows are somewhat analogous to polymorphicrows [Rémy 1989], except that their presence induces dynamic checks. As such, a gradual row typeis only partially static with respect to record fields.As is now standard for gradual typing, the concept of “imprecise type information” is formalizedusing the precision judgment 𝑆 ⊑ 𝑆 , which says that 𝑆 is less imprecise than 𝑆 . Static types arethe least elements of this partial order, while the greatest element is the unknown type ? . Throughout we use overlines to denote zero or more repetitions, + -annotated overlines to denote one or more repetitions,and [ 𝑙 : 𝑆, ∗] to simultaneously denote both traditional record types [ 𝑙 : 𝑆 ] and gradual row types [ 𝑙 : 𝑆, ? ] .Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :6 Bañados Schwerter et al. The rules for the typing judgment Γ ⊢ 𝑡 : 𝑆 are structured in the style of Garcia and Cimini[2015]: each typing judgment in the premise of a rule has an arbitrary type metavariable 𝑆 𝑖 , butthese premise types are constrained by side conditions. The result type in the conclusion of arule is either a particular type or a (partial) function of its premise types. For example, the twopremises of the (Sapp) rule have types 𝑆 and 𝑆 respectively; these premise types are constrainedby the consistent subtyping side condition 𝑆 . (cid:157) dom ( 𝑆 ) ; and the result type (Sapp) is the gradualcodomain g cod ( 𝑆 ) of the operator type. This structure keeps the typing rules syntax-directed, whilesubsuming the type system for the corresponding statically typed language STFL < : (introducedby Garcia et al. [2016]). Consider, for instance, how g cod ( 𝑆 ) extends the idea of “the codomain ofa function type”. For function types 𝑆 → 𝑆 , its behaviour is as expected, but for the unknowntype ? , the codomain is completely unknown because the operator’s type is completely unknown:the operator may have a function type, but we do not know for sure. We formalize this behaviouras a correctness criterion. Definition 2.1 (Candidate Codomain). (1) A plausible function type is a gradual type 𝑆 such that 𝑇 → 𝑇 ⊑ 𝑆 for some 𝑇 ,𝑇 ∈ Type;(2) A gradual type 𝑆 ′ is a candidate codomain of a plausible function type 𝑆 if 𝑇 → 𝑇 ⊑ 𝑆 implies 𝑇 ⊑ 𝑆 ′ , for all 𝑇 ,𝑇 ∈ Type.Proposition 2.2 (Codomain Correctness).
A gradual type 𝑆 has a candidate codomain if and onlyif it has a least (with respect to ⊑ ) candidate codomain, denoted g cod ( 𝑆 ) . Prop. 2.2 implicitly defines g cod as a partial function on GType, which is defined for exactly theplausible function types. The notion of “candidate codomain” can be interpreted as a soundness property of g cod : it broadly approximates the idea of “codomain” even in the face of imprecision.The proposition can then be interpreted as an optimality property: there is a “best” candidatecodomain, if any, so g cod never loses precision needlessly. Analogous correctness criteria apply tothe other type operators, completely characterizing the gradual versions in terms of their staticcounterparts.The consistent subtyping relation . [Siek and Taha 2007] extends static subtyping < : to opti-mistically account for imprecision in gradual types. In essence, 𝑆 . 𝑆 means that it is plausible that 𝑆 is a subtype of 𝑆 , when the imprecision of gradual types is taken into account. For instance, ? is both a consistent supertype and consistent subtype of each gradual type 𝑆 , because it couldrepresent any static type whatsoever, including 𝑆 itself. As above, we formally relate consistentsubtyping to static subtyping .Proposition 2.3. 𝑆 . 𝑆 if and only if 𝑇 < : 𝑇 for some 𝑇 ⊑ 𝑆 and 𝑇 ⊑ 𝑆 . One key benefit to defining gradual operators and relations using static counterparts and grad-ual type precision is that the resulting language naturally satisfies static criteria for gradual typingset forth by Siek et al. [2015]. First, the STFL < : type system can be recovered from that of GTFL . by simply restricting source programs to only mention static types 𝑇 . Doing so: restricts the (cid:157) dom , g cod , and g proj partial functions to simple arrow type and record type destructors; restricts the consistent subtyping relation . to a typical definition of static subtyping < : ; and restricts the e ∨ partial function to the subtype join partial function < : , which yields the least upper bound of twostatic types (if there is one) according to static subtyping < : . Thus, by construction, GTFL . con-servatively extends the static language. Furthermore, the static gradual guarantee , which ensuresthat increasing the precision of a program’s types cannot fix extant type errors, follows from the For STFL < : , static subtyping < : is standard relation induced by width and depth record subtyping [Pierce 2002]Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:7 correctness criteria for each operator and relation, each of which monotonically preserves thisproperty, yielding a direct compositional proof.Though the syntax of gradual rows is simple, its implications for the language semantics arenontrivial. Gradual rows expose a subtle interplay between gradual type precision and static widthsubtyping that does not arise in most gradual type systems developed to date. Consider [ 𝑥 : Int , 𝑦 : Bool ] . [ 𝑥 : Int , ? ] : This judgement is justified by two static subtypings: [ 𝑥 : Int , 𝑦 : Bool ] < : [ 𝑥 : Int ] and [ 𝑥 : Int , 𝑦 : Bool ] < : [ 𝑥 : Int , 𝑦 : Bool ] . If this instance of consistent subtyping is viewed as aform of coercion, then it indicates two different behaviours: in the first the 𝑦 field is obscured viastatic subtyping. In the second, the y field is obscured via precision: not by static subtyping, butby gradual typing. The static and runtime semantics must reckon with these two different expla-nations simultaneously, and all outcomes must be consistent with one, the other, or both. Thishappens in no other language featuring consistent subtyping, and can be improved upon with amore precise abstraction. The abstraction of Garcia et al. [2016] sometimes loses information atruntime that was obscured due to loss of precision (See Sec. 2.1.1). By contrast, the BRR abstrac-tion introduced in Sec. 5 preserves all obscured information at runtime, but hides some of it fromthe programmer: the abstraction always reflects instances of static subtyping. The following (somewhat contrived) example program demonstrates some ofthe features and intended capabilities of GTFL . , especially the semantics of gradual rows. Forsuccinctness, we assume let binding, which can be easily added to the language. let sum = 𝜆 ( hasM : Bool ) . 𝜆 ( x : [ f : Int , ? ]) . if hasM then x . f + x . m else x . f + x . qin ( sum true [ f = , m = ]) + ( sum false [ f = , q = ]) The sum function takes a record f , and a Boolean value hasM , and uses hasM to determine whichfield to add to x . f . The gradual row type ascribed to x ensures statically that the record argumentcontains an f field of type Int , but makes no commitment regarding what other fields may bepresent. Thus the body of the function type checks despite referring to x . m and x . q .The program successfully calculates the sum for two different records that have different fields.The hasM argument indicates which branch of execution is the right one. This small programdemonstrates the possibility of at least partially statically checking the program, while deferringchecks for extra fields to runtime. We can extrapolate from this program to a larger applicationthat fruitfully exploits field dynamism, while statically checking stable record components.This language design makes the possibility of dynamic checking evident in the types. The grad-ual type [ f : Int , ? ] indicates that the record may have more fields, which might be used by theprogram.Furthermore, the type structure of a program can be exploited to control the amount and scopeof necessary dynamic checking. For instance, if the branches of the conditional made repeated useof extra fields, then each access would require a runtime check. However, we can ensure that theseare checked statically (and centralize the type assumptions) using a type ascription. For example,we can replace the consequent branch x . f + x . m with let y = ( x :: [ f : Int , m : Int ]) in y . f + y . m This change would move the initial field check (for x . m ) and field type check (that its type is Int )to the ascription: the body of the consequent let would be fully statically checked. This use ofascription is similar to downcasting in object-oriented languages, but is justified by the presenceof the imprecise gradual row in the type of sum ’s argument.Now for some bad news. Unfortunately, GTFL . as designed by Garcia et al. [2016] does notenforce its type abstractions to the extent that one might expect. Sound gradual type regimes Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :8 Bañados Schwerter et al. typically have the property that precise type information is persistent . For instance, if we replacethe record [ f = , m = ] in the example with ( [ f = , m = ] :: [ f : Int ]) , then one would expectthe program to type check, but fail at runtime. In this way, the language would guarantee that the 𝑚 field’s very existence is encapsulated: no client would be able to violate that guarantee.To our surprise, however, GTFL . executes this program successfully, for essentially the samereason that the errant example from Sec. 1 succeeds. We consider this a flaw in the GTFL . seman-tics: type abstractions should be respected. Bear in mind that a language designer may desire agradual language that treats all gradual record types as gradual rows, thereby baking downcast-ing into the semantics. This can easily be supported as syntactic sugar over the GTFL . surfacesyntax, rather than as an accident of AGT-induced semantics. In short, the semantics of an AGT-induced language should precisely enforce types. In the following, we diagnose this failure of typeabstraction and show how to properly ensure this with a refinement to the AGT framework. Since a gradual language defers some checks to runtime, its dynamic semantics must account forthose checks. Using an approach inspired by Toro et al. [2018], we capture GTFL . checks in aninternal language that decorates programs with runtime type information. Fig. 2 presents the syntax and type system of the GTFL . Run-time Language (RL). RL mirrors GTFL . , but for a few differences. First, runtime terms have nosource typing information: since RL programs are constructed by type-directed translation fromGTFL . (Sec. 2.3), we can presume the existence of a corresponding typing derivation, and we neednot reconstruct one by analyzing RL terms. Omitting static types also lets us formally distinguishtype information that is used for static checking from information that is used for runtime enforce-ment.Second, many RL terms, in particular the subterms of elimination forms and ascriptions, are dec-orated with evidence objects 𝜀 , which summarize runtime consistent subtyping judgments. Recallthat consistent subtyping denotes the plausibility that a subtyping relationship holds between twogradual types. Evidence objects reify that plausibility, and evolve as part of runtime type enforce-ment. We describe this in more detail below.The typing judgment for runtime terms is unusual in that it classifies a runtime term e withrespect to a source typing judgment Γ ⊢ 𝑡 : 𝑆 . The judgment e ◮ Γ ⊢ 𝑡 : 𝑆 says that the runtimeterm e represents a source gradual typing derivation Γ ⊢ 𝑡 : 𝑆 , where 𝑡 is a source-language GTFL . term. The motivation for this structure is that in a gradually-typed language, type enforcementis not necessarily completed at type-checking time. Some type enforcement may be deferred toruntime, and this enforcement is construed as an attempt to complete (or refute) the type safetyargument at runtime. Thus one can think of an RL term’s execution as playing out type progressand preservation, which may ultimately fail and justifiably signal a runtime type error. In short,RL terms represent the computationally relevant residual of a GTFL . typing derivation.Naturally, the structure of RL typing rules closely mirror those of GTFL . , but differ on a fewdetails. First, the (Sx) and (S::) rules show how missing source type information appears only as partof the corresponding source derivation, and not as part of the term. Gradual types highlighted ingrey are artifacts of source type-checking that cannot be recovered by examining the runtime termitself. We exploit this information only to establish the type safety of RL programs: the runtimenever needs to reconstruct a typing derivation from a naked RL term. Second, each instance ofconsistent subtyping from GTFL . is now decorated with an evidence object that supports thejudgment. For instance, the RL term 𝜀 e corresponds via typing directly to an ascription expression 𝑡 :: 𝑆 . The evidence judgment 𝜀 ⊢ 𝑆 . 𝑆 says that 𝜀 confirms that 𝑆 . 𝑆 is plausible. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:9
Syntax 𝜀 ∈ Ev = { h 𝑆 , 𝑆 i | ⊢ h 𝑆 , 𝑆 i wf } (evidence objects) e ∈ RTerm :: = n | b | x | 𝜆 x . e | 𝜀 e 𝜀 e | 𝜀 e + 𝜀 e | if 𝜀 e then 𝜀 e else 𝜀 e | [ l = e ] | 𝜀 e .𝑙 | 𝜀 e (runtime terms) u ∈ RawValue :: = n | b | x | 𝜆 x . e | [ l = v ] (raw values) v ∈ Value :: = u | 𝜀 u (values) e ◮ Γ ⊢ 𝑡 : 𝑆 Runtime Typing ( 𝑆 x) 𝑥 : 𝑆 ′ ∈ Γ x ◮ Γ ⊢ 𝑥 : 𝑆 ′ ( 𝑆 n) n ◮ Γ ⊢ 𝑛 : Int ( 𝑆 b) b ◮ Γ ⊢ 𝑏 : Bool ( 𝑆 app) e 𝑖 ◮ Γ ⊢ 𝑡 𝑖 : 𝑆 𝑖 𝜀 ⊢ 𝑆 . 𝑆 ′ → 𝑆 ′ 𝜀 ⊢ 𝑆 . 𝑆 ′ ( 𝜀 e 𝜀 e ) ◮ Γ ⊢ 𝑡 𝑡 : 𝑆 ′ ( 𝑆 +) e 𝑖 ◮ Γ ⊢ 𝑡 𝑖 : 𝑆 𝑖 𝜀 𝑖 ⊢ 𝑆 𝑖 . Int ( 𝜀 e + 𝜀 e ) ◮ Γ ⊢ 𝑡 + 𝑡 : Int ( 𝑆 if) e 𝑖 ◮ Γ ⊢ 𝑡 𝑖 : 𝑆 𝑖 𝜀 ⊢ 𝑆 . Bool 𝜀 ⊢ 𝑆 . 𝑆 e ∨ 𝑆 𝜀 ⊢ 𝑆 . 𝑆 e ∨ 𝑆 ( if 𝜀 e then 𝜀 e else 𝜀 e ) ◮ Γ ⊢ if 𝑡 then 𝑡 else 𝑡 : 𝑆 e ∨ 𝑆 ( 𝑆 proj) e ◮ Γ ⊢ 𝑡 : 𝑆 𝜀 ⊢ 𝑆 . [ 𝑙 : 𝑆 ′ ] 𝜀 e .𝑙 ◮ Γ ⊢ 𝑡.𝑙 : 𝑆 ′ ( 𝑆𝜆 ) e ◮ Γ , 𝑥 : 𝑆 ⊢ 𝑡 : 𝑆 ( 𝜆𝑥. e ) ◮ Γ ⊢ ( 𝜆𝑥 : 𝑆 .𝑡 ) : 𝑆 → 𝑆 ( 𝑆 :: ) e ◮ Γ ⊢ 𝑡 : 𝑆 𝜀 ⊢ 𝑆 . 𝑆 ′ 𝜀 e ◮ Γ ⊢ ( 𝑡 :: 𝑆 ′ ) : 𝑆 ′ ( 𝑆 rec) e 𝑖 ◮ Γ ⊢ 𝑡 𝑖 : 𝑆 𝑖 [ l 𝑖 = e 𝑖 ] ◮ Γ ⊢ [ 𝑙 𝑖 = 𝑡 𝑖 ] : [ 𝑙 𝑖 : 𝑆 𝑖 ] 𝜀 ⊢ 𝑆 . 𝑆 Evidence for Consistent Subtyping ⊢ h 𝑆 ′ , 𝑆 ′ i wf 𝑆 ′ ⊑ 𝑆 𝑆 ′ ⊑ 𝑆 h 𝑆 ′ , 𝑆 ′ i ⊢ 𝑆 . 𝑆 ⊢ 𝜀 wf Well-formed Evidence 𝑆 ∈ { Int , Bool , ? }⊢ h 𝑆, 𝑆 i wf ⊢ h 𝑆 , 𝑆 i wf ⊢ h 𝑆 , 𝑆 i wf ⊢ h 𝑆 → 𝑆 , 𝑆 → 𝑆 i wf ⊢ h 𝑆 𝑖 , 𝑆 𝑖 i wf h∗ , ∗ i ≠ h· ‘ , ? i⊢ h[ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ]i wf ⊢ h 𝑆 𝑖 , 𝑆 𝑖 i wf ⊢ h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ]i wf Fig. 2. GTFL . : Runtime Language Static Semantics The ( 𝑆 if) and ( 𝑆 app) rules consider evidence for extra consistent subtyping judgments that wereonly implicitly required by the GTFL . rules. For instance, ( 𝑆 app) demands that 𝑆 . (cid:157) dom ( 𝑆 ) → g cod ( 𝑆 ) . This extra constraint is implied by the GTFL . requirement that (cid:157) dom ( 𝑆 ) and g cod ( 𝑆 ) , an argument and a result type, respectively, are well defined. The elab-oration rule, and the corresponding RL term, make this implicit constraint explicit so as to enforce Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :10 Bañados Schwerter et al. type structure at runtime. Similarly, the ( 𝑆 if) type 𝑆 e ∨ 𝑆 imposes implicit consistent subtypingconstraints on each branch of the conditional.In RL, an evidence object is a pair of gradual types that are tightly related to one another, and alsorelated to the consistent subtyping judgment that they support. The well-formedness judgment ⊢ 𝜀 wf imposes several invariants on evidence.Proposition 2.4. The judgment ⊢ h 𝑆 , 𝑆 i wf is equivalent to the combination of the followingcriteria:(1) 𝑆 . 𝑆 , i.e. 𝑇 < : 𝑇 for some 𝑇 ⊑ 𝑆 and 𝑇 ⊑ 𝑆 .(2) Suppose 𝑆 ′ , 𝑆 ′ ∈ GType and whenever 𝑇 < : 𝑇 , 𝑇 ⊑ 𝑆 , and 𝑇 ⊑ 𝑆 , we also have 𝑇 ⊑ 𝑆 ′ and 𝑇 ⊑ 𝑆 ′ . Then 𝑆 ⊑ 𝑆 ′ and 𝑆 ⊑ 𝑆 ′ . In short, an evidence object is the least (with respect to ⊑ ) pair of gradual types that subsumessome set of static subtype instances 𝑇 < : 𝑇 . In this sense they are minimal sound representativesof consistent subtyping. For instance, Int . ? , but h Int , ? i is not well-formed evidence, because Int < : Int is the only pair of static types that justifies that particular consistent subtyping instance.The well-formed evidence object h Int , Int i captures the same information. From the definition ofwell-formed evidence, it follows immediately that if 𝜀 ⊢ 𝑆 . 𝑆 for any 𝜀 , then indeed 𝑆 . 𝑆 holds in general. Evidence ensures that Prop. 2.4 is maintained during evaluation. Fig. 3 presents a reduction semantics for RL. The notions of reductionaugment standard reduction steps with operations that manipulate evidence. We first considerthese reductions at a high-level, and then delve into the role of evidence in these reductions. Ad-dition ignores its associated evidence and behaves as usual. The intuition behind this is that theevidence is now superfluous: n and n evidently have type Int because they are integers. Similarly,conditionals ignore the evidence associated with the predicate, because it is evidently a Booleanvalue. The chosen branch’s evidence is propagated as-is to enforce its type invariants. Record pro-jection selects the relevant field of a record, but also applies the iproj operator to the evidencethat is associated to the projection operator, in order to extract evidence that is relevant to the pro-jected value. Function application is the most complex rule. Using the idom and icod operators,it extracts evidence associated with the domain and codomain of the function subterm, composesthe domain evidence with the argument evidence, and then associates the codomain evidence withthe eventual result of the call. If composition fails, then the entire application fails. To understand the above behaviours, it helps to think of the operators like iproj as runtimerepresentations of inversion principles on consistent subtyping. For instance, given the inductivedefinition of consistent subtyping in Fig. 1, we have the following inversion lemma.Proposition 2.5. If 𝑙 𝑘 ∈ { 𝑙 𝑗 } and [ 𝑙 𝑖 : 𝑆 𝑖 ] . [ 𝑙 𝑗 : 𝑆 ′ 𝑗 ] then 𝑆 𝑘 . 𝑆 ′ 𝑘 . The iproj operator reifies this inversion principle (and those for gradual rows) at runtime: If 𝜀 ⊢ [ 𝑙 𝑖 : 𝑆 𝑖 ] . [ 𝑙 𝑗 : 𝑆 ′ 𝑗 ] then iproj ( 𝜀, 𝑙 𝑘 ) ⊢ 𝑆 𝑘 . 𝑆 ′ 𝑘 . So just as inversion principles are used to provestatic type safety, evidence inversion operators are used to enforce type invariants at runtime.The three inversion operators are total functions over appropriate subdomains of evidence, whichproperly reflect the kind of runtime evidence that they are used to manipulate during reduction.As such, inversion never fails if it is encountered.While evidence inversion operations are used to simluate inversion principles, evidence compo-sition 𝜀 𝜀 is used to monitor transitivity of consistent subtyping. For this reason, this composition Appendix B in the accompanying technical report [Bañados Schwerter et al. 2020] directly defines composition; we pro-vide a succinct indirect definition in Sec. 3 using some additional concepts.Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:11
Syntax 𝐸 ∈ ECtxt :: = (cid:3) | 𝐸 [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e ]] | 𝐸 [ 𝐹 [ 𝜀 (cid:3) K (evaluation contexts) 𝐹 ∈ EvFrame :: = (cid:3) | (cid:3) + 𝜀 e | 𝜀 u + (cid:3) | (cid:3) 𝜀 e | 𝜀 u (cid:3) | (cid:3) .𝑙 | if (cid:3) then 𝜀 e else 𝜀 e (evidence frame) e { e , e { error Notions of Reduction 𝜀 n + 𝜀 n { n n = n + n 𝜀 ( 𝜆 x . e ) 𝜀 u { ((cid:0) icod ( 𝜀 ) (cid:1) (cid:0) [( 𝜀 u )/ x ] e (cid:1) error if 𝜀 not defined 𝜀 = ( 𝜀 idom ( 𝜀 )) if 𝜀 true then 𝜀 e else 𝜀 e { 𝜀 e if 𝜀 false then 𝜀 e else 𝜀 e { 𝜀 e 𝜀 [ 𝑙 𝑖 = v 𝑖 ] .𝑙 𝑗 { iproj ( 𝜀, 𝑙 𝑗 ) v 𝑗 e −→ e , e −→ error Contextual Reduction e { e ′ 𝐸 [ e ] −→ 𝐸 [ e ′ ] e { error 𝐸 [ e ] −→ error 𝐸 [ 𝐹 [ 𝜀 𝜀 u K −→ 𝐸 [ 𝐹 [( 𝜀 𝜀 ) u K 𝜀 𝜀 not defined 𝐸 [ 𝐹 [ 𝜀 𝜀 u K −→ errorHelper Functions FunEv = { 𝜀 ∈ Ev | 𝜀 ⊢ 𝑆 → 𝑆 . 𝑆 → 𝑆 } IProjDomain = { h 𝜀, 𝑙 i ∈ Ev × Label | 𝜀 ⊢ [ 𝑙 : 𝑆, 𝑙 𝑖 : 𝑆 𝑖 , ∗ ] . [ 𝑙 : 𝑆 ′ , 𝑙 𝑗 : 𝑆 𝑗 , ∗ ] } idom : FunEv → Ev idom ( 𝑆 , 𝑆 ) = h (cid:157) dom ( 𝑆 ) , (cid:157) dom ( 𝑆 )i icod : FunEv → Ev icod ( 𝑆 , 𝑆 ) = h g cod ( 𝑆 ) , g cod ( 𝑆 )i iproj : IProjDomain → Ev iproj (h 𝑆 , 𝑆 i , 𝑙 ) = h g proj ( 𝑆 , 𝑙 ) , g proj ( 𝑆 , 𝑙 )i Fig. 3. GTFL . : Runtime Language Dynamic Semantics operation is called consistent transitivity [Garcia et al. 2016]. The defining correctness criteria forconsistent transitivity are as follows. Definition 2.6.
Suppose 𝜀 = h 𝑆 ′ , 𝑆 ′ i ⊢ 𝑆 . 𝑆 and 𝜀 = h 𝑆 ′ , 𝑆 ′ i ⊢ 𝑆 . 𝑆 .(1) Call ( 𝜀 , 𝜀 ) plausibly transisitive if 𝑇 ⊑ 𝑆 ′ and 𝑆 ′ ⊒ 𝑇 ⊑ 𝑆 ′ , and 𝑇 ⊑ 𝑆 ′ hold for sometriple 𝑇 < : 𝑇 < : 𝑇 ;(2) call 𝜀 ′ = h 𝑆 ′′ , 𝑆 ′′ i a candidate for transitivity of ( 𝜀 , 𝜀 ) if ( 𝜀 , 𝜀 ) is plausibly transisitive andevery triple 𝑇 < : 𝑇 < : 𝑇 such that 𝑇 ⊑ 𝑆 ′ and 𝑆 ′ ⊒ 𝑇 ⊑ 𝑆 ′ , and 𝑇 ⊑ 𝑆 ′ implies 𝑇 ⊑ 𝑆 ′′ and 𝑇 ⊑ 𝑆 ′′ ;Proposition 2.7. Suppose 𝜀 = h 𝑆 ′ , 𝑆 ′ i ⊢ 𝑆 . 𝑆 and 𝜀 = h 𝑆 ′ , 𝑆 ′ i ⊢ 𝑆 . 𝑆 . Then ( 𝜀 , 𝜀 ) hasa candidate for transitivity if and only if it has a least candidate over the precision ( ⊑ ) order, denoted 𝜀 𝜀 . Furthermore, ( 𝜀 𝜀 ) ⊢ 𝑆 . 𝑆 . Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :12 Bañados Schwerter et al.
As Siek and Taha [2006] first observed, consistent subtyping is not transitive in general, and thatproperty is fundamental to gradual type checking. However, transitivity of subtyping is fundamen-tal to proving type safety. Thus, GTFL . distills runtime type errors down to a failure of transitivity.So unlike the evidence inversion functions, consistent transitivity is a partial function.Contextual reduction formalizes three kinds of reduction. First, it captures how notions of re-duction apply in evaluation position. Second, it captures how an error during a notion of reductionaborts the entire computation. Third, it reflects how sequences of evidence objects are composed,producing new evidence on success or signaling a runtime type error on failure. RL satisfies standard safety [Wright and Felleisen 1994]: the semantics explic-itly categorizes all well-typed terms as reducible or as canonical forms. Programs do not get stuck,but they may signal runtime type errors. Proposition 2.8 (Progress [Garcia et al. 2016]). If e ◮ ∅ ⊢ 𝑡 : 𝑆 , then one of the following holds:(1) e is a value v ;(2) e → e ′ ;(3) e → error . Proposition 2.9 (Preservation [Garcia et al. 2016]). If e ◮ ∅ ⊢ 𝑡 : 𝑆 and e → e ′ then e ′ ◮ ∅ ⊢ 𝑡 ′ : 𝑆 for some source 𝑡 ′ . The statement of type preservation is unusual because the runtime typing judgment expressesa crisp relationship between source terms and runtime terms. The source terms 𝑡 in the runtimetyping judgment evolve in lock-step with the runtime terms e . We say more about this in Sec. 2.3.Unlike typical preservation theorems for languages with subtyping [Pierce 2002], the type ofthe resulting term remains exactly the same as the source term. This is critical because consistentsubtyping does not denote safe substitutibility. Safety requires that any use of consistent subtypingmust be mediated by runtime evidence. Even if a subterm does evolve to a consistent subtype, itwill be wrapped with runtime evidence that explicitly coerces it back to the original consistentsupertype.
GTFL . source programs are elaborated to RL programs by type-directed translation (Fig. 4). Theelaboration process is quite uniform, exhibiting the tight connection between GTFL . and RL. Inessence RL terms represent GTFL . derivation trees, adding essential runtime type information ( i.e. evidence) and erasing superfluous source type information.Each elaboration rule corresponds directly to a source GTFL . typing rule. In particular, eachpremise typing judgment becomes a corresponding elaboration judgment, and each consistentsubtyping judgment introduces an evidence object, using the initial evidence operator. The ini-tial evidence operator
I[[ 𝑆 . 𝑆 ]] computes the largest evidence object 𝜀 ≡ h 𝑆 ′ , 𝑆 ′ i , such that h 𝑆 ′ , 𝑆 ′ i ⊢ 𝑆 . 𝑆 . From the definition of well-founded evidence in Sec. 2.2.1, we can deduce that h 𝑆 ′ , 𝑆 ′ i is the smallest pair of gradual types that subsumes all of the same static subtype instances 𝑇 < : 𝑇 as 𝑆 . 𝑆 does (i.e. if 𝑇 < : 𝑇 then h 𝑇 ,𝑇 i ⊑ h 𝑆 , 𝑆 i iff h 𝑇 ,𝑇 i ⊑ h 𝑆 ′ , 𝑆 ′ i ). Natu-rally, initial evidence is undefined if 𝑆 . 𝑆 , but that circumstance does not arise if type checkingsucceeds. GTFL . RL’s safety follows from how its dynamic semantics were calculated, using AGT, from STFL < : ’s safety proof. This is most evident in the fact that consistent subtyping is not transitive. An inductive definition of initial evidence is presented in the accompanying technical report [Bañados Schwerter et al.2020], see Fig. 14Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:13 Γ ⊢ 𝑡 { e : 𝑆 Elaboration ( { x) 𝑥 : 𝑆 ∈ ΓΓ ⊢ 𝑥 { x : 𝑆 ( { n) Γ ⊢ 𝑛 { n : Int ( { b) Γ ⊢ 𝑏 { b : Bool ( { app) Γ ⊢ 𝑡 { e : 𝑆 𝜀 = I[[ 𝑆 . (cid:157) dom ( 𝑆 ) → g cod ( 𝑆 )]] Γ ⊢ 𝑡 { e : 𝑆 𝜀 = I[[ 𝑆 . (cid:157) dom ( 𝑆 )]] Γ ⊢ 𝑡 𝑡 { 𝜀 e 𝜀 e : g cod ( 𝑆 ) ( { +) Γ ⊢ 𝑡 𝑖 { e 𝑖 : 𝑆 𝑖 𝜀 𝑖 = I[[ 𝑆 𝑖 . Int ]] Γ ⊢ 𝑡 + 𝑡 { 𝜀 e + 𝜀 e : Int ( { if) Γ ⊢ 𝑡 𝑖 { e 𝑖 : 𝑆 𝑖 𝜀 = I[[ 𝑆 . Bool ]] 𝜀 𝑖 = I[[ 𝑆 𝑖 . 𝑆 e ∨ 𝑆 ]] 𝑖 ∈ { , } Γ ⊢ if 𝑡 then 𝑡 else 𝑡 { if 𝜀 e then 𝜀 e else 𝜀 e : 𝑆 e ∨ 𝑆 ( { proj) Γ ⊢ 𝑡 { e : 𝑆 𝜀 = I[[ 𝑆 . [ 𝑙 : g proj ( 𝑆, 𝑙 )]]] Γ ⊢ 𝑡.𝑙 { 𝜀 e .𝑙 : g proj ( 𝑆, 𝑙 ) ( { 𝜆 ) Γ , 𝑥 : 𝑆 ⊢ 𝑡 { e : 𝑆 Γ ⊢ ( 𝜆𝑥 : 𝑆 .𝑡 ) { ( 𝜆 x . e ) : 𝑆 → 𝑆 ( { :: ) Γ ⊢ 𝑡 { e : 𝑆 𝜀 = I[[ 𝑆 . 𝑆 ]] Γ ⊢ ( 𝑡 :: 𝑆 ) { 𝜀 e : 𝑆 ( { rec) Γ ⊢ 𝑡 𝑖 { e 𝑖 : 𝑆 𝑖 Γ ⊢ [ 𝑙 𝑖 = 𝑡 𝑖 ] { [ 𝑙 𝑖 = e 𝑖 ] : [ 𝑙 𝑖 : 𝑆 𝑖 ] Fig. 4. GTFL . : Elaboration The ( { if) and ( { app) elimination rules produce evidence for extra consistent subtyping judg-ments that were not evident in the corresponting ( 𝑆 if) and ( 𝑆 app) GTFL . rules. For instance,( { app) demands that 𝑆 . (cid:157) dom ( 𝑆 ) → g cod ( 𝑆 ) . This extra constraint was implied by the GTFL . requirement that g cod ( 𝑆 ) be well-defined. The elaboration rule, and the corresponding RL term,make this implicit constraint explicit because it must be enforced at runtime. Similarly, the ( { if)type 𝑆 e ∨ 𝑆 imposes implicit consistent subtyping constraints on each branch of the conditional.The tight connection between GTFL . and RL is confirmed by preservation of well-typedness.Proposition 2.10 (Well-formed Translation). If Γ ⊢ 𝑡 { e : 𝑆 then e ◮ Γ ⊢ 𝑡 : 𝑆 . So the source term 𝑡 elaborates to a runtime term e that represents 𝑡 ’s static typing derivation.We are now equipped to better explain the statement of preservation in Prop. 2.9. We relateruntime terms to source terms using the runtime typing judgment e ◮ Γ ⊢ 𝑡 : 𝑆 and source termsto runtime terms using the translation judgment Γ ⊢ 𝑡 { e : 𝑆 . Preservation clarifies how runtimeterms “learn” new type constraints that are not evident in source programs.Proposition 2.11 (Replicant). If e ◮ Γ ⊢ 𝑡 : 𝑆 and Γ ⊢ 𝑡 { e ′ : 𝑆 then e ⊑ e ′ . In this proposition, e ⊑ e ′ refers to the pointwise extension of evidence precision from typesto terms. This proposition says that a runtime term e embodies at least as many runtime typeconstraints as any source term that it represents. In the above term, we call e ′ a replicant of e ,because it amounts to cloning the structure of e but omitting its “memory” of any additional typeconstraints acquired while evaluating the program. The e ′ term starts with a clean slate, yet to bejaded by the tribulations of runtime type enforcement.The key idea is that a source program contains enough local type information to justify its plausible typeability, but the runtime term e must account for type invariants imposed at runtime. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :14 Bañados Schwerter et al.
Below, we observe that these discovered type constraints must be represended precisely in orderto enforce type-based invariants at runtime in mixed-type programs. . Shortcomings Revisited
Using the semantics of GTFL . presented above, we can more closely examine the program fromSec. 1 that failed to protect type invariant boundaries. Our example program: let q : [ x : Int ] = [ x = , y = true ] in ( q :: ? :: [ x : Int , y : Bool ]) . y elaborates to the following: let q = 𝜀 [ x = , y = true ] in 𝜀 ( 𝜀 𝜀 𝑞 ) . y where 𝜀 = I[[[ x : Int , y : Bool ] . [ x : Int ]]] = h[ x : Int , y : Bool ] , [ x : Int ]i 𝜀 = I[[[ x : Int ] . ? ]] = h[ x : Int ] , [ ? ]i 𝜀 = I[[ ? . [ x : Int , y : Bool ]]] = h[ x : Int , y : Bool , ? ] , [ x : Int , y : Bool ]i 𝜀 = I[[[ x : Int , y : Bool ] . [ y : Bool ]]] = h[ x : Int , y : Bool ] , [ y : Bool ]i Evaluation proceeds as follows: let q = 𝜀 [ x = , y = true ] in 𝜀 ( 𝜀 𝜀 𝑞 ) . y −→ 𝜀 ( 𝜀 𝜀 𝜀 [ x = , y = true ]) . y −→ 𝜀 ( 𝜀 ( 𝜀 𝜀 )) [ x = , y = true ]) . y −→ 𝜀 ((( 𝜀 𝜀 ) 𝜀 ) [ x = , y = true ]) . y −→ ((( 𝜀 𝜀 ) 𝜀 ) 𝜀 ) [ x = , y = true ] . y −→ 𝜀 true where ( 𝜀 𝜀 ) = h[ x : Int , y : Bool ] , [ ? ]i ((( 𝜀 𝜀 ) 𝜀 ) 𝜀 ) = h[ x : Int , y : Bool ] , [ y : Bool ]i(( 𝜀 𝜀 ) 𝜀 ) = h[ x : Int , y : Bool ] , [ x : Int , y : Bool ]i 𝜀 = h Bool , Bool i This program should signal a run-time type error, but it does not. Tracing its evaluation revealswhat went wrong. First, observe that 𝜀 𝜀 is undefined, even though (( 𝜀 𝜀 ) 𝜀 ) is defined. Thisdemonstrates that composition is not associative. Now consider ( 𝜀 𝜀 ) = h[ x : Int , y : Bool ] , [ ? ]i more closely. Appealing to our notion of well-formed evidence, this object contains via precision,every valid static subtyping pair [ x : Int , y : Bool ] < : 𝑇 , including 𝑇 = [ x : Int , y : Bool ] .However, if we consider the correctness criteria for Prop. 2.7, as applied to composing 𝜀 with 𝜀 , then the only static types that complete the relevant triples 𝑇 < : 𝑇 < : 𝑇 are 𝑇 = [ x : Int ] and 𝑇 = [ ] . Thus [ x : Int , y : Bool ] is a spurious potential supertype due solely to the choice ofevidence abstraction. These phenomena suggest that our abstraction for evidence is insufficientlyprecise . We fix this problem in Sec. 5. Since our goal is to develop a general solution to the demonstrated issues, our approach must becouched in terms of the AGT framework itself. This section presents a brief introduction to the AGTmethodology and its basis in abstract interpretation [Cousot and Cousot 1977]. We reconceivesome of the concepts involved in a manner that is equivalent to the original. Our new approachimproves on the original in that it clarifies the nature of two distinct but related abstractions:one for the static semantics and one for the dynamic semantics. This refinement is critical to ourcontributions. Along the way, we explain relevant aspects of AGT that we suppressed in Sec. 2. The typing and elaboration rules for let can be deduced from the rules for lambda and application.Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:15
Given a pre-existing statically typed language and its type safety argument, AGT starts by ex-tending the syntax of types to form gradual types, in our case 𝑆 ∈ GType. In addition to the syntaxfor gradual types, we endow gradual types with a semantics: each gradual type 𝑆 is given an inter-pretation as a non-empty set of static types from the static language, denoted P + ( Type ) . Followingabstract interpretation terminology, this function is called concretization . 𝛾 : GType → P + ( Type ) 𝛾 ( 𝑆 ) = { 𝑇 ∈ Type | 𝑇 ⊑ 𝑆 } . Thus, a gradual type denotes every static type that it could represent. Since every static type is a(minimal) gradual type, this implies that 𝛾 ( 𝑇 ) = { 𝑇 } . When starting from scratch, concretizationis typically defined by recursion on the structure of gradual types [Garcia et al. 2016], and thenthe precision relation is determined by the following correctness criterion:Proposition 3.1 ([Garcia et al. 2016]). 𝑆 ⊑ 𝑆 if and only if 𝛾 ( 𝑆 ) ⊆ 𝛾 ( 𝑆 ) . Here we reverse the development, defining concretization in terms of precision, since precisionis introduced in Sec. 2. These approaches are equivalent, though a structurally recursive definitionof concretization is critical to calculating functions and relations on gradual types like g proj and I .The concretization function in turn induces a converse function, typically called abstraction . 𝛼 : P + ( Type ) →
GType 𝛼 (C) = l { 𝑆 ∈ GType | C ⊆ 𝛾 ( 𝑆 ) } In this definition, d denotes the greatest lower-bound with respect to precision ⊑ . Abstraction 𝛼 (C) yields the most precise gradual type that summarizes a given set of static types. In order for 𝛼 to be well-defined, we must ensure that the right-hand side of the above equation is well-definedfor any collection C to be considered: in particular there must exist an appropriate greatest lower-bound. In general, a gradual type system does not need to account for every arbitrary subset ofstatic types C ∈ P + ( Type ) as part of concretization and abstraction. In fact, in Sec 5.3 it will becritical to restrict the space of sets of types (with no loss of expressiveness) to ensure that 𝛼 iswell-defined. If abstraction 𝛼 is well-defined, then it is uniquely determined by concretization 𝛾 . To facilitate the calculation of operators and relations on gradual types, abstraction is typicallypresented as a recursive function definition [Garcia et al. 2016].By design, concretization and abstraction are related by two properties that together character-ize a Galois connection [Cousot and Cousot 1977].Proposition 3.2 ([Garcia et al. 2016]). (1) Soundness:
C ⊆ 𝛾 ( 𝛼 (C)) (2) Optimality: If C ⊆ 𝛾 ( 𝑆 ) then 𝛾 ( 𝛼 (C)) ⊆ 𝛾 ( 𝑆 ) . These functions satisfy the stronger property that 𝛼 ( 𝛾 ( 𝑆 )) = 𝑆 . This makes them a Galois insertion .Garcia et al. [2016] use concretization and abstraction to define all of the gradual typing artifactsused to define GTFL . . For example, consider the codomain of a function type, rendered as a partial Unlike Garcia et al. [2016], we define 𝛼 to be a total function over a family of (non-empty) sets of types, rather than a partial function over arbitrary sets of types P (
Type ) . This approach pushes partiality into the collecting operators ( cf. cod + below), rather than the Galois connection itself. We find this approach more general, intuitive, and mathematicallypleasant. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :16 Bañados Schwerter et al. function cod on static types: cod : Type ⇀ Type cod ( 𝑇 → 𝑇 ) = 𝑇 cod ( 𝑇 ) undefined otherwiseWe can idiomatically lift cod to a partial function cod + on non-empty sets of types. cod + : P + ( Type ) ⇀ P + ( Type ) cod + (C) = C ′ if C ′ ≠ ∅ cod + (C) undefined if C ′ = ∅ where C ′ = { 𝑇 ′ ∈ Type | 𝑇 ∈ C and cod ( 𝑇 ) = 𝑇 ′ } The cod + function applies cod pointwise to a set of types, and produces the resulting set ofcodomains, so long as there are some codomains: if not, then the function is undefined. Usingthis lifted function, we can define the g cod function as follows. g cod ( 𝑆 ) = 𝛼 ( cod + ( 𝛾 ( 𝑆 )) . Given the definitions of g cod , 𝛾 , and 𝛼 , the correctness criteria of Prop. 2.2 follow. From there, therecursive characterization of g cod from Fig. 1 can be calculated by induction on the structure of 𝑆 . Analogous constructions can be used to first define and then calculate algorithms for all ofthe operations on gradual types from Sec. 2. The definitions directly imply their own correctnesscriteria, and the corresponding algorithms require tedious but straightforward calculations. Evidence is its own abstraction . The concept of evidence for consistent subtyping arises throughan analogous process. Garcia et al. [2016] define evidence by abstracting tuples of static types, fil-tering them post-hoc. Our approach refines theirs in a small but fundamental way. In particular,we introduce a second
Galois connection, but this one is directly between consistent subtyping, re-garded as a set of pairs of gradual types h 𝑆 , 𝑆 i ∈ . , and nonempty subsets of the static subtypingrelation, i.e. sets of pairs R ⊆ < : .The key difference in this new approach is that the set of evidence objects form in their en-tirety an abstract interpretation of static subtyping. In contrast, the evidence objects introducedby [Garcia et al. 2016] were arbitrary pairs of gradual types. The concretization of an evidence ob-ject could therefore contain pairs of types not related by subtyping. Integrating subtyping into theconception of abstraction, and viewing composition as relational composition specifically for frag-ments of subtyping is critical to formulating the possibility, let alone the significance, of forwardcompleteness.We begin with concretization. 𝛾 < : : . → P + ( < : ) 𝛾 < : ( 𝑆 , 𝑆 ) = { h 𝑇 ,𝑇 i | 𝑇 𝑖 ∈ 𝛾 ( 𝑆 𝑖 ) and 𝑇 < : 𝑇 } . The corresponding notion of abstraction is defined as follows 𝛼 < : : P + ( < : ) → . 𝛼 < : (R) = h 𝛼 ( 𝜋 (R)) , 𝛼 ( 𝜋 (R))i . Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:17
Abstraction appeals to two point-wise projection functions that operate on sets of pairs. Theserecur in later developments. 𝜋 , 𝜋 : P (
Type ) → P ( Type ) 𝜋 𝑖 ({ h 𝑇 ,𝑇 i }) = { 𝑇 𝑖 } The functions 𝛾 < : and 𝛼 < : form a Galois connection, but they do not form a Galois insertion . Forexample: 𝛼 < : ( 𝛾 < : ( Int , ? )) = h Int , Int i . In fact, 𝛼 < : ( 𝛾 < : ( 𝑆 , 𝑆 )) is equivalent, by design, to the initialevidence function I[[ 𝑆 . 𝑆 ]] from Fig. 4. The I function simply extends its domain to accept, butbe undefined for, inconsistent gradual types 𝑆 . 𝑆 . Thus, evidence objects 𝜀 are exactly thosepairs of gradual types in the image of 𝛼 < : ◦ 𝛾 < : .Furthermore, composing evidence objects using the consistent transitivity operator can be de-fined in terms of relational composition of subsets of static subtyping < : . 𝜀 𝜀 = 𝛼 < : ( Id + ( 𝛾 < : ( 𝜀 ) ; 𝛾 < : ( 𝜀 ))) where R ; R = { h 𝑇 ,𝑇 i | 𝑇 R 𝑇 and 𝑇 R 𝑇 for some 𝑇 } and Id + (R) = ( R R ≠ ∅ undefined otherwise . This definition can be used to calculate a direct recursive characterization of consistent transitivity(see technical report [Bañados Schwerter et al. 2020]), but we can also prove that it is equivalentto a combination of simpler operations. Proposition 3.3. h 𝑆 , 𝑆 i h 𝑆 , 𝑆 i = I[[ 𝜋 (I[[ 𝑆 . ( 𝑆 ⊓ 𝑆 )]]) . 𝜋 (I[[( 𝑆 ⊓ 𝑆 ) . 𝑆 ]])]] where 𝑆 ⊓ 𝑆 = 𝛼 ( Id + ( 𝛾 ( 𝑆 ) ∩ 𝛾 ( 𝑆 ))) . A key observation here is that pairs of gradual types are but one arbitrary, albeit convenient,abstraction for subsets of the static subtyping relation. This analysis of evidence as abstractions ofstatic subtyping fragments, and consistent transitivity as abstract relational composition, is criticalto our analysis and improvement of evidence in Sec. 5.
The dynamic semantics presented in Fig. 3 follows the standard AGT methodology. Evidence iscomposed after an ascribed expression is reduced, in an order that accumulates evidence on aresulting value. Thus RL, and every other AGT-based language, suffers from the same space issuesdescribed by Herman et al. [2010]. This section presents an alternate reduction semantics, RL + , thatcomposes evidence as soon as possible to prevent the accumulation of pending evidence objects.RL + requires associative evidence composition to guarantee that it will evaluate to the same resultsas RL. Unfortunately, this property does not hold for GTFL . , but Sec. 5 addresses this limitationby providing a better evidence abstraction. Sec. 6 describes criteria that guarantee associativity forevidence composition. Sec. 7 proves that the criteria hold for our novel abstraction, and proves anupper-bound on space consumption. Garcia et al. [2016] erroneously omits the outermost instance of I in their definition.Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :18 Bañados Schwerter et al. Syntax 𝜀 ⊥ :: = ⊥ | 𝜀 (total evidence) 𝑒 ∈ RTerm :: = 𝑛 | 𝜀 ⊥ 𝑒 + 𝜀 ⊥ 𝑒 | 𝑥 | 𝜆𝑥.𝑒 | 𝜀 ⊥ 𝑒 𝜀 ⊥ 𝑒 | 𝜀 ⊥ 𝑒 | [ 𝑙 = 𝑒 ] | 𝜀 ⊥ 𝑒.𝑙 (runtime terms) | if 𝜀 ⊥ 𝑒 then 𝜀𝑒 else 𝜀𝑒𝐹 ∈ EvFrame :: = (cid:3) 𝜀𝑒 | 𝜀𝑢 (cid:3) | (cid:3) + 𝜀𝑒 | 𝜀𝑢 + (cid:3) | (cid:3) .𝑙 (runtime frames) | if (cid:3) then 𝜀𝑒 else 𝜀𝑒𝐺 ∈ ACtxt :: = (cid:3) | 𝐸 [ 𝐹 [ (cid:3) K | 𝐸 [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e ]] (Evaluation contextswithout an innermost ascription) 𝐸 ∈ ECtxt :: = 𝐺 | 𝐺 [ 𝜀 ⊥ (cid:3) ] (Evaluation contexts) Contextual Reduction 𝑒 −→ 𝑒, 𝑒 −→ error 𝑒 { 𝑒 ′ 𝐸 [ 𝑒 ] −→ 𝐸 [ 𝑒 ′ ] 𝑒 { error 𝐸 [ 𝑒 ] −→ error 𝐺 [ 𝜀 ⊥ 𝜀 ⊥ 𝑒 ] −→ 𝐺 [ 𝜀 ⊥ ⊥ 𝜀 ⊥ 𝑒 ] 𝐺 [⊥ 𝑢 ] −→ error Fig. 5. Syntax and Contextual Reduction of RL + . All other parts of the semantics are as in RL. Space-efficient, but observationally equivalent . To preserve tail recursion, a semantics mustcompose evidence eagerly, thereby keeping evidence objects from accumulating in tail position.However, to keep the semantics equivalent to the original, the space-efficient one must not failearly in case a program diverges. To preserve this behavior, a space-efficient semantics must re-member “latent failure” until evaluation yields a value, while avoiding unbounded stack growth.The RL + semantics applies the standard technique of explicitly representing failure. It introduces “total” evidence , 𝜀 ⊥ , which represents either normal evidence 𝜀 , or a latent failure ⊥ , which servesthe same purpose as the failure coercion of [Herman et al. 2010]. A latent failure indicates thatsome evidence composition was undefined, and will trigger an error after its argument finishesreducing. The syntax for RL + terms (Fig. 5), essentially mirrors RL, but substitutes total evidencefor evidence. To emphasize this distinction, we color the terms in the RL + differently e.g., 𝑒 .One key difference in the definition of RL + is its runtime frames: the empty (cid:3) frame, whichallows evidence objects to accumulate on the RL evaluation stack, is omitted. Frames otherwiseremain the same: For example, RL + does not need a frame of the form 𝜀 ⊥ 𝑢 (cid:3) because when thefunction position of an application reduces to ⊥ 𝑢 , the original semantics would trigger an error. + RL + has the same the notions of reduction as RL. Thus, it suffices to change the definition ofcontextual reduction −→ . To compose evidence objects ahead of time without failing too early,we replace the partial evidence composition operation used in RL with a related total operationdenoted ⊥ , which yields latent failures ⊥ when is undefined: 𝜀 ⊥ ⊥ 𝜀 ⊥ = ( 𝜀 𝜀 𝑖 𝑓 𝜀 ⊥ = 𝜀 and 𝜀 ⊥ = 𝜀 and composition is defined ⊥ otherwiseSince the definition of frames no longer includes holes, ascriptions can no longer nest in evalu-ation contexts. In fact, evidence objects that come from ascriptions, rather than elimination forms,do not form evaluation contexts: they must be handled explicitly. Composition no longer waits forvalues, but proceeds when nested ascriptions become the immediate redex.Finally, to preserve divergent behaviour, errors are triggered by notions of reduction only uponreaching a value ( 𝐺 [⊥ 𝑢 ] ). Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:19 𝑒 ≈ 𝑒, error ≈ error Sim-Casts 𝑒 ≠ 𝜀 ′ 𝑒 ′ 𝑒 ≠ 𝜀 ⊥′ 𝑒 ′ 𝑒 ≈ 𝑒 𝜀 𝑛 ⊥ (cid:0) · · · ⊥ 𝜀 (cid:1) = (cid:0) 𝜀 ⊥ 𝑚 ⊥ · · · (cid:1) ⊥ 𝜀 ⊥ 𝜀 · · · 𝜀 𝑛 𝑒 ≈ 𝜀 ⊥ · · · 𝜀 ⊥ 𝑚 𝑒 Sim-Err error ≈ error Sim-U 𝑢 ≈ 𝑢 Sim-App 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 ⊥ 𝑒 Sim-Plus 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 + 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 + 𝜀 ⊥ 𝑒 Sim-Rec 𝑒 𝑖 ≈ 𝑒 ′ 𝑖 [ 𝑙 𝑖 = 𝑒 𝑖 ] ≈ [ 𝑙 𝑖 = 𝑒 ′ 𝑖 ] Sim-If 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 if 𝜀 𝑒 then 𝜀 𝑒 else 𝜀 𝑒 ≈ if 𝜀 ⊥ 𝑒 then 𝜀 ⊥ 𝑒 else 𝜀 ⊥ 𝑒 Sim-Proj 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 .𝑙 ≈ 𝜀 ⊥ 𝑒 .𝑙 Fig. 6. Bisimulation Relation for space efficiency
We prove that RL and RL + are weakly bisimilar. Fig. 6 introduces a bisimulation relation betweenterms in the both languages to carry the proof. While most rules follow inductively, rule [Sim-Casts] accepts terms with differing stacks of evidence compositions, as long as the final composedresult (in each language’s order) is the same.Theorem 4.1 (Weak Bisimulation between RL and RL + ). If 𝑒 ≈ 𝑒 , and evidence compositionis associative , then: • If there exists 𝑒 ′ in RL such that 𝑒 −→ 𝑒 ′ , then there exists 𝑒 ′ such that 𝑒 → ∗ 𝑒 ′ and 𝑒 ′ ≈ 𝑒 ′ . • If there exists 𝑒 ′ in RL + such that 𝑒 −→ 𝑒 ′ , then there exists 𝑒 ′ such that 𝑒 → ∗ 𝑒 ′ and 𝑒 ′ ≈ 𝑒 ′ .Therefore, the relation · ≈ · forms a Weak Bisimulation [Sangiorgi 2011] between −→ and −→ . + The RL + dynamic semantics never accumulate evidence compositions in tail position, but this alonedoes not guarantee space efficiency. If evidence objects themselves can grow without bound, thenthe changes to the semantics amount to simply shuffling space usage without eradicating it. Toensure space efficiency we must quantify the overhead of evidence throughout evaluation.Following Herman et al. [2010], we provide a bound for the space consumption of a program.The space 𝑓 ( 𝑒 ) function (Fig. 7) is parameterized by a function 𝑓 for the space consumption of anevidence object. We use this structural function to compare the space consumption of a programwith “0-cost” evidence to RL + programs. Definition 4.2 (Space-efficiency of evidence).
Let size be the function that computes the spaceconsumption of an evidence object. A reduction semantics is space efficient with respect to evidenceobjects if the overhead due to carrying evidence is bound throughout evaluation and ascriptionsnever wait on the stack: • Bound for overhead . There exists a bound function 𝐵 : RTerm → N such that, for any pro-grams 𝑒 and 𝑒 ′ such that 𝑒 −→ ∗ 𝑒 ′ , space size ( 𝑒 ′ ) ≤ space 𝜆 _ .𝐵 ( 𝑒 ) ( 𝑒 ′ ) .This bound is equivalent to requiring that for any evidence 𝜀 appearing in 𝑒 ′ , size ( 𝜀 ) ≤ 𝐵 ( 𝑒 ) . • Bound for stack . For any programs 𝑒 and 𝑒 ′ such that 𝑒 −→ 𝑒 ′ , if there exists an evaluationcontext without nested ascriptions 𝐺 such that 𝑒 = 𝐺 [ 𝜀𝜀 ′ 𝑒 ′′ ] , then there must exist an 𝜀 ′′ such that 𝑒 ′ = 𝐺 [ 𝜀 ′′ 𝑒 ′′ ] . The proof of the theorem appears in the technical report [Bañados Schwerter et al. 2020]. See Sec. D.3Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :20 Bañados Schwerter et al. space 𝑓 ( 𝑒 ) Space consumption of a program space · (·) · : (cid:0)(cid:0) Ev < : ∪ { ⊥ } (cid:1) → N (cid:1) → RTerm → N space 𝑓 ( 𝑛 ) = space 𝑓 ( 𝑥 ) = space 𝑓 ( 𝜀 ⊥ 𝑒 + 𝜀 ⊥ 𝑒 ) = + 𝑓 ( 𝜀 ⊥ ) + space 𝑓 ( 𝑒 ) + 𝑓 ( 𝜀 ⊥ ) + space 𝑓 ( 𝑒 ) space 𝑓 ( 𝜀 ⊥ 𝑒 𝜀 ⊥ 𝑒 ) = + 𝑓 ( 𝜀 ⊥ ) + space 𝑓 ( 𝑒 ) + 𝑓 ( 𝜀 ⊥ ) + space 𝑓 ( 𝑒 ) space 𝑓 ( 𝜆𝑥.𝑒 ) = + space 𝑓 ( 𝑒 ) space 𝑓 ( 𝜀 ⊥ 𝑒 ) = + space 𝑓 ( 𝜀 ⊥ ) + space 𝑓 ( 𝑒 ) space 𝑓 ( 𝜀 ⊥ 𝑒.𝑙 ) = + 𝑓 ( 𝜀 ⊥ ) + space 𝑓 ( 𝑒 ) space 𝑓 (cid:16) [ 𝑙 = 𝑒 ] (cid:17) = + Í (cid:16) space 𝑓 ( 𝑒 ) (cid:17) Fig. 7. Space consumption of a program in RL + From this definition, a bound in the style of Herman et al. [2010] follows as a corollary:Corollary 4.3 (Fixed overhead a-la-Herman et al. [2010]). If 𝑒 −→ ∗ 𝑒 ′ is bound for overhead withan evidence bound function 𝐵 , then space size ( 𝑒 ′ ) ≤ ∗ 𝐵 ( 𝑒 ) ∗ space ( 𝑒 ′ ) Proof. By induction over the structure of 𝑒 ′ . (cid:3) Evidence requirements that make RL + space efficient . The development of space-efficient se-mantics can be completed with a new evidence abstraction for the RL + runtime semantics. Beforeintroducing the abstraction, we present all the properties we need from this evidence. RL + seman-tics is space efficient for any abstraction whose evidence composition satisfies the following twoproperties:Proposition 4.4 (Evidence composition is associative). For any evidence 𝜀 ⊥ , 𝜀 ⊥ and 𝜀 ⊥ , (cid:0) 𝜀 ⊥ ⊥ 𝜀 ⊥ (cid:1) ⊥ 𝜀 ⊥ = 𝜀 ⊥ ⊥ (cid:0) 𝜀 ⊥ ⊥ 𝜀 ⊥ (cid:1) Proposition 4.5 (Evidence composition has a bound).
Let 𝜀 and 𝜀 be any evidence objects ap-pearing in program 𝑒 . For any evidence objects 𝜀 ′ and 𝜀 ′ such that size ( 𝜀 ′ ) ≤ size ( 𝜀 ) and size ( 𝜀 ′ ) ≤ size ( 𝜀 ) , size ( 𝜀 ′ 𝜀 ′ ) ≤ 𝐵 ( 𝑒 ) . Theorem 4.6 (Properties of RL + ). If evidence composition is associative and has a bound, then thesemantics of RL + is space-efficient and is observationally equivalent to the semantics of RL. . : BOUNDED RECORDS AND ROWS Previous sections identify the need for a more precise abstraction for runtime evidence. This sec-tion delivers that abstraction, and finds a natural characterization of precision that meets the pa-per’s goals. We devise a notion of evidence that admits an associative consistent transitivity op-eration, and preserves the type invariants implied by the concrete fragments of static subtypingthat each evidence object represents. This notion of evidence has some features in common withrecord-typing systems from the literature, though used here for runtime type checking, e.g. [Rémy1989]. We replace gradual rows in evidence with a more precise gradual type abstraction, which wecall bounded records and rows (BRR). We prove that evidence objects based on BRR are associativeand precise using a general concept from abstract interpretation called forward completeness . Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:21
To motivate and introduce the structure of BRR, consider once again the failing example fromSec. 2.4. The key observation in that example is that in the following evidence composition, (h[ x : Int , y : Bool ] , [ x : Int ]i h[ x : Int ] , [ ? ]i) = h[ x : Int , y : Bool ] , [ ? ]i the second resulting gradual type represents too many possible static types, in particular the spu-rious cases [ 𝑦 : Bool ] and [ 𝑥 : Int , 𝑦 : Bool ] . A precise analysis of the two composed evidenceobjects admits only two possible supertypes: [ ] or [ 𝑥 : Int ] .To faithfully capture this circumstance, BRR first introduces a distinction between required fieldsand optional fields. For instance, the BRR type [ x : Int 𝑅 ] uses the 𝑅 annotation to indicate that the x field is required: this BRR is equivalent to the [ x : Int ] gradual record type (and static recordtype). In contrast, the BRR type [ x : Int 𝑂 ] uses the 𝑂 annotation to indicate that the x field is op-tional. Given the appropriate definition of concretization for BRR, we have [ ] ∈ 𝛾 ( [ x : Int 𝑂 ]) and [ x : Int ] ∈ 𝛾 ( [ x : Int 𝑂 ]) , and no other static type. This BRR type precisely captures the intendedrecord types in the example above, and as we might expect, the above evidence and compositioncan be replaced by the precise BRR-based version: (h[ x : Int 𝑅 , y : Bool 𝑅 ] , [ x : Int 𝑅 ]i h[ x : Int 𝑅 ] , [ x : Int 𝑂 ]i) = h[ x : Int 𝑅 , y : Bool 𝑅 ] , [ x : Int 𝑂 ]i Because the BRR abstraction is strictly more precise than the gradual row abstraction, the crite-ria set forth in Prop. 2.4 leads to more well-formed evidence objects. As a result, h[ x : Int 𝑅 ] , [ x : Int 𝑂 ]i is well formed and, unlike gradual rows, it precisely captures the static subtype instances of inter-est. Unfortunately, adding optional fields is not enough to achieve associativity. Consider the followingtrio of BRR-based evidence: h[ x : Int 𝑂 , ? ] , [ x : Int 𝑂 , ? ]i h[ x : Bool 𝑂 , ? ] , [ x : Bool 𝑂 , ? ]i h[ x : Int 𝑅 ] , [ ]i BRR must somehow represent rows to subsume the expressiveness of gradual row types. However,evaluating this composition reveals the need for more precise information. Composing left-to-rightyields h[ x : Int 𝑂 , ? ] , [ x : Int 𝑂 , ? ]i because composing the first two yields h[ x : Int 𝑂 , ? ] , [ ? ]i whichcomposes with the third to yield the above. On the other hand, composing them right-to-left fails!The reason is that the requirements of the second and third evidence objects are incompatible: thesecond can only have a Bool -typed x field, while the third demands an Int -typed one.Closer inspection of the first two evidence objects reveals that after composing them, the result-ing evidence object should have no x field in the super type position: the only instances of staticsubtyping that could have transitively composed were those lacking an x field. Then the necessaryabsence of x is incompatible with requiring x to have Int type as in the third evidence.This observation leads us to represent necessarily absent fields. Then the result of composingthe first two evidence objects above is: h[ x : Int 𝑂 , ? ] , [ x : ∅ , ? ]i . The BRR [ x : ∅ , ? ] represents theset of record types with any fields except x . Composing this with h[ x : Int 𝑅 ] , [ ]i should alwaysfail. Adding absent and optional fields suffices to ensure that evidence objects need never loseinformation about plausible subtype relations, admitting implausible fields via the unknown row ? . Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :22 Bañados Schwerter et al.
We now give a full formal definition of Bounded Records and Rows (BRR) , as well BRR-basedevidence objects. The syntax of BRR is follows: 𝑀 ∈ Mapping 𝑀 :: = ∅ | 𝑆 𝑅 | 𝑆 𝑂 (mappings for records and rows) 𝑆 :: = Bool (cid:12)(cid:12)(cid:12)(cid:12)
Int (cid:12)(cid:12)(cid:12)(cid:12) 𝑆 → 𝑆 (cid:12)(cid:12)(cid:12)(cid:12) ? (cid:12)(cid:12)(cid:12)(cid:12) (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 (cid:21) (cid:12)(cid:12)(cid:12)(cid:12) (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 , ? (cid:21) (gradual types)As its name implies, the only interesting aspects of the BRR abstraction are its record and row typedefinitions. Each field maps to a type (qualified as required 𝑅 or optional 𝑂 ), or to the absent fieldindicator ( ∅ ). Individual static record types are represented in BRR by simply marking all fields asrequired. BRR is a runtime abstraction, so its annotations do not affect GTFL . syntax.Though technically we need missing field annotations only for rows and not for records, weopt for a uniform representation. A mapping x : ∅ in a record is redundant; similarly, a mapping x : ? 𝑂 is redundant in a row. This redundancy has algorithmic advantages: we can extract a defaultmapping for labels in either a row or a record, which simplifies inductive rules in those cases wherethe domains of two types differ.The notation 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 is equivalent to the previous notation ℓ 𝑖 : 𝑀 𝑖 , but avoids confusion whentrying to distinguish shared subdomains in two record-like types. Empty record and row types arestill allowed (i.e. 𝑛 can be ).A concretization function (Fig. 8) determines the meaning of BRR types. An intermediate notionof decompositions simplifies our definitions. Decompositions encode uniformity restrictions on setsof static types. These restrictions are made explicit by use of the generator function 𝒞 .The interesting equations are those for records, which recursively describe sets of records thatmeet the constraints described informally above. Note that the concretization of non-empty boundedrecords is described in terms of the concretization of smaller bounded records.Fig. 9 defines the corresponding abstraction for bounded records and rows. The equations dis-tinguish between relevant sets of static types. This abstraction function has a subtlety regardingits domain (which we do not explicitly name). The domain cannot be arbitrary sets of types. Tosee why, consider the set { [ ℓ : Int ] | ℓ ∈ Label } : what is the most precise abstraction of this setwhen Label is an infinite set? The answer is that there is none, because this set features an infinitenumber of “optional” fields, and since bounded records only have finite fields, there is no best rep-resentative. The solution is to restrict the domain to hereditarily admit only collections of recordsthat (1) have non- ? bound for a finite set of field types; and (2) have either a finite set of potentiallypresent fields (abstracts to a bounded record) or a finite set of absent fields (abstracts to a boundedrow). The image of concretization satisfies these constraints, as do our operations on evidence.These finitary restrictions are analogous to the restrictions on the open sets of an infinite producttopology [Munkres 2000].Theorem 5.1. 𝛼 and 𝛾 for bounded records and rows form a Galois Connection. Proof. Consequence of Soundness and Optimality Lemmas (see technical report [Bañados Schwerter et al.2020]). (cid:3) While not
Rows in the sense of[Wand Mitchell ’91],
Bounded Rows are derived from Gradual Rows introducedby [Garcia et al. 2016]. We keep the
Row designation to highlight the connection with the latter paper.Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:23
Decompositions 𝐶 ∈ P ( Type ) , 𝐶 ∅ ∈ P ( Type ∪ { ∅ }) , 𝑑 ∈ Decomp 𝑑 :: = J Bool K (cid:12)(cid:12)(cid:12)(cid:12) J Int K (cid:12)(cid:12)(cid:12)(cid:12) J 𝐶 → 𝐶 K (cid:12)(cid:12)(cid:12)(cid:12) J ? K (cid:12)(cid:12)(cid:12)(cid:12) s 𝑛 Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { (cid:12)(cid:12)(cid:12)(cid:12) s ? 𝑛 Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { 𝒞 : ( Decomp ) → P (
Type ) 𝒞 J Bool K = { Bool } 𝒞 J Int K = { Int } 𝒞 J 𝐶 → 𝐶 K = { 𝑇 → 𝑇 | 𝑇 ∈ 𝐶 and 𝑇 ∈ 𝐶 } 𝒞 s 𝑛 Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { = { [ ℓ 𝑖 : 𝑇 𝑖 ] (cid:12)(cid:12)(cid:12) 𝑇 𝑖 ∈ 𝐶 ∅ 𝑖 } if ∅ ∉ 𝐶 ∅ 𝑖 for every 𝑖 𝒞 s ℓ 𝑛 : 𝐶 ∅ 𝑛 𝑛 − Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { = 𝒞 s 𝑛 − Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { Ð 𝒞 s ℓ 𝑛 : (cid:0) 𝐶 ∅ 𝑛 \ { ∅ } (cid:1) 𝑛 − Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { if ∅ ∈ 𝐶 ∅ 𝑛 𝒞 s ? 𝑛 Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { = [ ℓ 𝑖 : 𝑇 𝑖 ℓ 𝑗 : 𝑇 𝑗 ] (cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12)(cid:12) [ ℓ 𝑖 : 𝑇 𝑖 ] ∈ 𝒞 s 𝑛 Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { and [ ℓ 𝑗 : 𝑇 𝑗 ] ∈ 𝒞 t 𝑚 Í 𝑗 = ℓ 𝑗 : P (
Type ∪ { ∅ }) | where ℓ 𝑖 𝑎𝑛𝑑ℓ 𝑗 are disjoint. 𝛾 : ( GType ) → P + ( Type ) 𝛾 ( ? ) = Type 𝛾 ( Bool ) = 𝒞 J Bool K 𝛾 ( Int ) = 𝒞 J Int K 𝛾 ( 𝑆 → 𝑆 ) = 𝒞 J 𝛾 ( 𝑆 ) → 𝛾 ( 𝑆 ) K 𝛾 (cid:18) (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 ∗ (cid:21)(cid:19) = 𝒞 s ∗ 𝑛 Í 𝑖 = ℓ 𝑖 : 𝛾 𝑀 ( 𝑀 𝑖 ) { 𝛾 𝑀 : ( Mapping ) → P + ( Type ∪ { ∅ }) 𝛾 𝑀 (∅) = { ∅ } 𝛾 𝑀 ( 𝑆 𝑅 ) = 𝛾 ( 𝑆 ) 𝛾 𝑀 ( 𝑆 𝑂 ) = 𝛾 𝑀 (∅) ∪ 𝛾 ( 𝑆 𝑅 ) Fig. 8. Decompositions and BRR Concretization Function 𝛼 ( 𝒞 J Bool K ) = Bool 𝛼 ( 𝒞 J Int K ) = Int 𝛼 ( 𝒞 J 𝐶 → 𝐶 K ) = 𝛼 ( 𝐶 ) → 𝛼 ( 𝐶 ) 𝛼 (cid:18) 𝒞 s ∗ 𝑛 Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { (cid:19) = (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝛼 𝑀 (cid:0) 𝐶 ∅ 𝑖 (cid:1) ∗ (cid:21) 𝛼 (∅) undefined 𝛼 ( 𝐶 ) = ? otherwise 𝛼 𝑀 ({ ∅ }) = ∅ 𝛼 𝑀 ({ ∅ } ∪ 𝐶 ) = ( 𝛼 ( 𝐶 )) 𝑂 if 𝐶 is not empty 𝛼 𝑀 ( 𝐶 ) = ( 𝛼 ( 𝐶 )) 𝑅 if ∅ ∉ 𝐶 Fig. 9. BRR Abstraction Function
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :24 Bañados Schwerter et al. ⊢ 𝜀 wf Well-formed Evidence 𝑆 ∈ { Int , Bool , ? }⊢ h 𝑆, 𝑆 i wf ⊢ h 𝑆 , 𝑆 i wf ⊢ h 𝑆 , 𝑆 i wf ⊢ h 𝑆 → 𝑆 , 𝑆 → 𝑆 i wf 𝐷 (·) = ∅ 𝐷 ( ? ) = ? 𝑂 h∗ , ∗ i ≠ h· , ? i ∀ 𝑖, ⊢ h 𝑀 𝑖 , 𝑀 𝑖 i wf ∀ 𝑗, ⊢ h 𝑀 𝑗 , 𝐷 (∗ )i wf ∀ 𝑘, ⊢ h 𝐷 (∗ ) , 𝑀 𝑘 i wf where ℓ 𝑖 , ℓ 𝑗 , and ℓ 𝑘 are disjoint. ⊢ * " 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑀 𝑗 ∗ , (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 𝑜 Í 𝑘 = ℓ 𝑘 : 𝑀 𝑘 ∗ (cid:21) + wf ⊢ h 𝑀, 𝑀 i wf Well-formed Mappings ⊢ h 𝑀, ∅i wf ⊢ h 𝑆 , 𝑆 i wf ⊢ h( 𝑆 ) 𝑅 , ( 𝑆 ) 𝑅 i wf 𝑆 ⊑ 𝑆 ⊢ h 𝑆 , 𝑆 i wf ⊢ h( 𝑆 ) ∗ , ( 𝑆 ) 𝑂 i wf Fig. 10. BRR . ’s definition of well-formed evidence Well-formed evidence . Using bounded records and rows, we develop a refined notion of evidencefor GTFL . . Fig. 10 defines the inductive structure of well-formed BRR evidence. Its structure issomewhat analogous to the original, but with richer distinctions. We motivate the introduction of bounded records and rows to solve associativity issues and to guar-antee that programs with inconsistent ascriptions always fail. Associativity more broadly couldalso support program optimizations such as inlining and pre-composing evidence objects. Con-sider the following program: ( 𝜆𝑥 : [ ? ] . ( if true then ( if true then 𝑥 else 𝑥 :: [ 𝑙 : Int , ? ]) else 𝑥 :: [ 𝑙 : Bool , ? ])) This program relies on if branching to generate uses of consistent subtype join which will gen-erate evidence objects that use the optional annotation. This program will produce an error whengiven as an argument any record that has an 𝑙 mapping. This is because the ascriptions imposeinconsistent constraints: the function body must have type [ 𝑙 : Bool 𝑂 , ? ] in the outermost if , and [ 𝑙 : Int 𝑂 ? ] in the innermost if , thus 𝑥 must go through the composition of evidence on both types,reaching an inconsistency whenever the label is present.While the sole introduction of optional fields would suffice to run this program properly, con-sider now an optimizing compiler that performs constant propagation in this function. The bodyof the function might then be optimized to 𝜆𝑥 .𝜀 𝜀 𝑥 , with 𝜀 = h[ 𝑙 : Bool 𝑂 , ? ] , [ 𝑙 : Bool 𝑂 , ? ]i and 𝜀 = h[ 𝑙 : Int 𝑂 , ? ] , [ 𝑙 : Int 𝑂 , ? ]i . A more advanced optimizing compiler could try to perform thisevidence composition ahead of time. Unfortunately, unless we introduce absent labels as in BRR,the only possible composition would be to coalesce the label 𝑙 into the row portion to generatethe evidence pair h[| ? ] , [| ? ]i . This “optimization” changes the behaviour of our program, as argu-ments with a mapping for 𝑙 will now be accepted instead of producing an error. To achieve fullassociativity and soundness in the presence of optimizations like the above, we need absent labels. The previous section delves into the shortcomings of GTFL . ’s evidence abstraction, diagnosessome evident information loss, and devises a new abstraction that retains the relevant information. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:25
Are these improvements sufficient? An example-driven approach can drive us closer to a solution,but ultimately we need more rigorous and comprehensive confirmation, which we now provide.Moreover, we do so by generalizing beyond GTFL . , seeking sufficient criteria that can apply tofuture applications of AGT, regardless of the particulars of the type discipline or gradualization.First, consider associativity. We must prove that 𝜀 ( 𝜀 𝜀 ) = ( 𝜀 𝜀 ) 𝜀 holds for our newnotion of evidence. A direct proof of this property is possible, but does not scale well. Each evidenceobject 𝜀 is a pair of BRR types, and associativity must consider not only how they compose with oneanother, but also with the results of intermediate compositions. The case explosion is staggering.Even after proving associativity, how does one confirm that the evidence abstraction is preciseenough to protect type-based invariants? Is a second complex formal development necessary?Fortunately no: there is another way. In the context of abstract model-checking, Giacobazzi and Quintarelli[2001] introduce the concept of forward completeness , which is dual to the concept of (backward)completeness that arises more naturally for abstract interpretation-based static analysis. The ideaapplies to any abstract function, but we present it here in domain-specific terms. Definition 6.1 (Forward completeness).
Let 𝜀 denote evidence objects, denote consistent transi-tivity, and ; denote relational composition over fragments of static subtyping. Then is forwardcomplete with respect to its evidence abstraction if 𝛾 < : ( 𝜀 ) ; 𝛾 < : ( 𝜀 ) = 𝛾 < : ( 𝜀 𝜀 ) for any twoevidence objects 𝜀 and 𝜀 .Soundness of with respect to relational composition ; implies 𝛾 < : ( 𝜀 ) ; 𝛾 < : ( 𝜀 ) ⊆ 𝛾 < : ( 𝜀 𝜀 ) , which ensures that , operating on abstract evidence objects, sufficiently overapproximates thebehavior of ; on the meanings of those objects. Forward completeness implies that the reverse-containment also holds, which means that exactly approximates ; for abstract objects. This meansthat is a perfect stand-in for ; if we need only consider sets in the image of evidence concretization .In the case of AGT, such is exactly the case: evidence is initially introduced in terms of sourcegradual types, which are even less precise than evidence objects.Lemma 6.2 (Relational Composition is closed wrt concretization). For any ⊢ 𝜀 wf and ⊢ 𝜀 wf ,either 𝛾 < : ( 𝜀 ) ; 𝛾 < : ( 𝜀 ) = ∅ , or there exists an ⊢ 𝜀 wf such that 𝛾 < : ( 𝜀 ) ; 𝛾 < : ( 𝜀 ) = 𝛾 < : ( 𝜀 ) . Proof. By double induction over ⊢ 𝜀 wf and ⊢ h 𝑀, 𝑀 i wf for 𝜀 and 𝜀 . (cid:3) Theorem 6.3.
In BRR, is forward complete.
Proof. Consequence of Lemma 6.2. (cid:3)
It is straightforward to prove that forward completeness suffices for space-efficiency.Theorem 6.4. If is forward-complete with respect to its evidence abstraction, then 𝜀 ( 𝜀 𝜀 ) = ( 𝜀 𝜀 ) 𝜀 for any evidence objects 𝜀 , 𝜀 and 𝜀 . Proof. A generalized Coq mechanization of this property can be found in Bañados Schwerter[2020]. (cid:3)
The basic intuition is that relational composition is associative, so a forward-complete defini-tion must also be. Of more practical interest, though, is that the statement of forward completenessinvolves only two evidence objects, compared to the three needed to state associativity. Thus, prov-ing forward completeness requires far fewer cases than proving associativity directly. Additionally,forward completeness ensures that reasoning about transitivity of subtyping is as precise as op-erating directly with fragments of subtyping, as alluded to in Sec. 3. This precision matters mostwhen considering precise enforcement of type invariants. Sometimes called gamma-completeness or exactnessProc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :26 Bañados Schwerter et al. size ( 𝑆 ) size : GType → N size ( Int ) = size ( Bool ) = size ( ? ) = size ( 𝑆 → 𝑆 ) = + size ( 𝑆 ) + size ( 𝑆 ) size (cid:18) (cid:20) 𝑛 Í 𝑖 = 𝑙 𝑖 : 𝑆 𝑖 ∗ (cid:21) (cid:19) = + 𝑛 Í 𝑖 = size ( 𝑆 𝑖 ) height ( 𝑆 ) height : GType → N height ( Int ) = height ( Bool ) = height ( ? ) = height ( 𝑆 → 𝑆 ) = + max ( height ( 𝑆 )) ( height ( 𝑆 )) height (cid:18) (cid:20) 𝑛 Í 𝑖 = 𝑙 𝑖 : 𝑆 𝑖 ∗ (cid:21) (cid:19) = + max 𝑛𝑖 = height ( 𝑆 𝑖 ) Fig. 11. Size and height of a gradual type
As the previous section proved that evidence composition is associative, we must only find a boundfor evidence composition in the style of Herman et al. [2010] to guarantee that BRR is space effi-cient. Since an evidence object is just a pair of types, we can use the size of a gradual type as aproxy for the size of evidence. Fig. 11 defines structurally the size and the height of a gradual type.The size of a gradual type can be bound in terms of its height, and thus we can find a bound forthe size of an evidence object in terms of the height of its components.Lemma 7.1 (Bound for size of Gradual Types in BRR).
For any gradual type 𝑆 , size ( 𝑆 ) ≤ ( + dom 𝑙 ( 𝑆 )) + height ( 𝑆 ) where dom 𝑙 corresponds to the size of the label domain for records in type 𝑆 . While this bound seems quite high, it is comparable to the bound established by Herman et al.[2010] for the size of coercions: Their structural types only include functions and references, sothey only needed to consider binary tree branching at any level in their types. Once we introducerecords, we must instead deal with arbitrarily-wide n-ary tree branching.
Definition 7.2 (Size and height of evidences in BRR). size ( 𝜀 ) = size ( 𝜋 ( 𝜀 )) + size ( 𝜋 ( 𝜀 )) height ( 𝜀 ) = max height ( 𝜋 ( 𝜀 )) height ( 𝜋 ( 𝜀 )) dom 𝑙 ( 𝜀 ) = max dom 𝑙 ( 𝜋 ( 𝜀 )) dom 𝑙 ( 𝜋 ( 𝜀 )) Since BRR is forward-complete, we can rely on Prop. 3.3 to reach a bound for evidence compo-sition through a combination of bounds for gradual meet and initial evidence:Lemma 7.3 (Height bounds in BRR). height ( 𝑆 ⊓ 𝑆 ) ≤ max ( height ( 𝑆 )) ( height ( 𝑆 )) ; height (I[[ 𝑆 . 𝑆 ]]) ≤ max ( height ( 𝑆 )) ( height ( 𝑆 )) ; height ( 𝜀 𝜀 ) ≤ max ( height ( 𝜀 )) ( height ( 𝜀 )) . We can use these lemmas to prove the following bound for evidence composition:Theorem 7.4 (Bound for the size of evidence composition). size ( 𝜀 𝜀 ) ≤ ∗ ( + max ( dom 𝑙 ( 𝜀 )) ( dom 𝑙 ( 𝜀 ))) + max ( height ( 𝜀 )) ( height ( 𝜀 )) Proof. A Coq proof for Lemma 7.3 and Theorem 7.4 can be found in Bañados Schwerter [2020]. (cid:3)
Since any evidence composition is bound by the height and label domain of its components,we can establish a bound for any evidence composition happening in a program by collecting thegreatest height and domain, respectively:
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:27
Theorem 7.5 (Bound for evidence compositions in a program).
Let e be a program. There existsan 𝜀 ℎ appearing in a subterm of e , such that for any evidences 𝜀 and 𝜀 appearing in any subtermsof e , size ( 𝜀 𝜀 ) ≤ ∗ ( + dom 𝑙 ( e )) + height ( 𝜀 ℎ ) where dom 𝑙 ( e ) denotes the domain of labels for evidence appearing in subterms of e . We can use this bound as a proof of Prop. 4.5. Combining this with Theorems 6.3 and 6.4 as aproof of Prop. 4.4, thus we have a space efficient semantics.
As part of their analysis of counter-example guided abstraction refinement, Giacobazzi and Quintarelli[2001] develop a constructive approach to systematically refine abstractions to be complete withrespect to an operation. Though we developed BRR manually, future AGT-based designs couldemploy their techniques to more systematically produce a forward complete evidence abstractionstarting from the default proposed by Garcia et al. [2016].Space efficiency is but one operational criteria of gradually-typed languages. In future work wewill develop generalized techniques for reducing the density of evidence objects in programs. UsingAGT off-the-shelf leads to a semantics that saturates even precisely typed code with evidence. Webelieve that the refined notions of evidence in this work may help with understanding how tominimize the amount of runtime checks in programs.As has been observed by others [Toro et al. 2018, 2019], the guarantees provided automaticallyby AGT are not sufficient to yield a satisfactory gradually typed language. Strong type-based rea-soning may necessitate additional tuning and proof obligations. The two works cited above demon-strate this in the context of relational type invariants like parametricity and information-flow con-trol. Furthermore, the evidence composition developed by Toro et al. [2018] is associative, but thisalone did not suffice to achieve their noninterference result. This is the first work to demonstratethat an AGT-based gradual type system that enforces non-relational type invariants can need ad-ditional tuning. However, in the non-relational case, forward-completeness suffices. Nonetheless,these experiences suggest a desire for additional properties beyond those proposed by Siek et al.[2015]. It is worth noting that blame, another facet of gradual typing, does not appear to help here:blame theorems do not indicate which programs should fail, only which parties may or may notbe responsible when they do.In this paper we have grounded our exposition in the concrete example of Bounded Rows andRecords (BRR). While forward-completeness guarantees associativity of composition, and thussuffices for an observationally equivalent semantics that is bound for stack , it does not guaranteespace-efficiency on its own, as one must still prove that evidence composition is itself bounded.In the particular case of BRR, this last proof is supported by the fact that the underlying staticsubtyping is a transitive and syntax-directed relation. Our work should transfer to other typingdisciplines with these constraints, and provides more precise guidelines for future AGT develop-ments to systematically provide space-efficiency. To the best of our knowledge, we are the first toprove space efficiency in a gradual language with records (and record subtyping).
Abstracting gradual typing provides a powerful scaffold, based in the theory of abstract interpreta-tion, that helps designers construct gradually typed variants of static type disciplines. This paperdraws on additional concepts from abstract interpretation to inform and improve those designs.In doing so, we provide a deeper analysis of the concept of evidence in AGT, and devise a general,though not necessarily universally feasible, tool for constructing space-efficient semantics that
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :28 Bañados Schwerter et al. precisely enforce the invariants implied by source gradual types. We propose that, regardless ofthe source gradual type abstraction, a forward-complete runtime abstraction should be the newdefault when possible. Space-efficiency, and precise runtime semantics are sufficient motivation.
ACKNOWLEDGMENTS
We acknowledge the support of the Natural Sciences and Engineering Research Council of Canada(NSERC). Cette recherche a été financée par le Conseil de recherches en sciences naturelles et engénie du Canada (CRSNG). The authors also thank Phil Wadler, Yuchong Pan, Peter Thiemann,and the anonymous reviewers.
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:29
REFERENCES
Amal Ahmed, Dustin Jamner, Jeremy G. Siek, and Philip Wadler. 2017. Theorems for Free for Free: Parametricity, with andwithout Types.
Proc. ACM Program. Lang.
1, ICFP, Article 39 (Aug. 2017), 28 pages. https://doi.org/10.1145/3110283Felipe Bañados Schwerter. 2020.
Coquihalla/agt-moving-forward: Supporting Artifacts from POPL ’21 submission .https://doi.org/10.5281/zenodo.4111019Felipe Bañados Schwerter, Alison M. Clark, Khurram A. Jafery, and Ronald Garcia. 2020. Abstracting Gradual TypingMoving Forward: Precise and Space-Efficient (Technical Report). arXiv:2010.14094 [cs.PL]Felipe Bañados Schwerter, Ronald Garcia, and Éric Tanter. 2014. A Theory of Gradual Effect Systems. In . ACM Press, Gothenburg, Sweden, 283–295.Patrick Cousot and Radhia Cousot. 1977. Abstract interpretation: A unified lattice model for static analysis of programs byconstruction or approximation of fixpoints. In
POPL . ACM Press, Los Angeles, CA, USA, 238–252.Tim Disney and Cormac Flanagan. 2011. Gradual information flow typing.https://users.soe.ucsc.edu/~cormac/papers/stop11.pdfRonald Garcia and Matteo Cimini. 2015. Principal Type Schemes for Gradual Programs. In . ACM Press, New York, NY, USA, 303–315.Ronald Garcia, Alison M. Clark, and Éric Tanter. 2016. Abstracting Gradual Typing. In (St Petersburg, FL, USA). ACM Press, New York, NY, USA, 429–442.Roberto Giacobazzi and Elisa Quintarelli. 2001. Incompleteness, Counterexamples, and Refinements in Abstract Model-Checking. In
Proceedings of the 8th International Symposium on Static Analysis (SAS ’01) . Springer-Verlag, London, UK,UK, 356–373. http://dl.acm.org/citation.cfm?id=647170.718288Fritz Henglein. 1994. Dynamic typing: syntax and proof theory.
Science of Computer Programming
22, 3 (June 1994),197–230.David Herman, Aaron Tomb, and Cormac Flanagan. 2010. Space-efficient Gradual Typing.
Higher Order Symbol. Comput.
23, 2 (June 2010), 167–189. https://doi.org/10.1007/s10990-011-9066-zLintaro Ina and Atsushi Igarashi. 2011. Gradual typing for generics. In . ACM Press, New York, NY, USA, 609–624.James R. Munkres. 2000.
Topology: Second Edition . Prentice Hall, Upper Saddle River, NJ.Max S. New, Dustin Jamner, and Amal Ahmed. 2019. Graduality and Parametricity: Together Again for the First Time.
Proc.ACM Program. Lang.
4, POPL, Article 46 (Dec. 2019), 32 pages. https://doi.org/10.1145/3371114Benjamin C. Pierce. 2002.
Types and programming languages . MIT Press, Cambridge, MA, USA.D. Rémy. 1989. Type Checking Records and Variants in a Natural Extension of ML. In
POPL (Austin, Texas, USA). ACM,New York, NY, USA, 77–88. https://doi.org/10.1145/75277.75284Davide Sangiorgi. 2011.
Introduction to Bisimulation and Coinduction . Cambridge University Press, New York, NY, USA.Ilya Sergey and Dave Clarke. 2012. Gradual Ownership Types. In
Proc. European Symposium on Programming Languagesand Systems (ESOP ’12, Vol. 7211) , Helmut Seidl (Ed.). Springer-Verlag, Tallinn, Estonia, 579–599.Jeremy Siek and Walid Taha. 2007. Gradual typing for objects. In
Proc. European Conference on Object-oriented Programming(ECOOP ’07, 4609) , Erik Ernst (Ed.). Springer-Verlag, Berlin, Germany, 2–27.Jeremy Siek and Philip Wadler. 2010. Threesomes, with and without blame. In
Proc. Symposium on Principles of ProgrammingLanguages (Madrid, Spain) (POPL ’10) . ACM, New York, NY, USA, 365–376.Jeremy G. Siek and Walid Taha. 2006. Gradual Typing for Functional Languages. In
Proc. Scheme andFunctional Programming Workshop . University of Chicago Technical Report, Chicago, IL, USA, 81–92.http://scheme2006.cs.uchicago.edu/scheme2006.pdfJeremy G. Siek, Michael M. Vitousek, Matteo Cimini, and John Tang Boyland. 2015. Refined Criteria for Gradual Typing.In
SNAPL . Schloss Dagstuhl, Asilomar, California, USA, 274–293. https://doi.org/10.4230/LIPIcs.SNAPL.2015.274Sam Tobin-Hochstadt and Matthias Felleisen. 2006. Interlanguage Migration: From Scripts to Programs. In
OOPSLA . ACM,New York, NY, USA, 964–974. https://doi.org/10.1145/1176617.1176755Matías Toro, Ronald Garcia, and Éric Tanter. 2018. Type-Driven Gradual Security with References.
ACM Transactions onProgramming Languages and Systems
40, 4, Article 16 (Dec. 2018), 55 pages. https://doi.org/10.1145/3229061Matías Toro, Elizabeth Labrada, and Éric Tanter. 2019. Gradual Parametricity, Revisited.
Proc. ACM Program. Lang.
3, POPL,Article 17 (Jan. 2019), 30 pages. https://doi.org/10.1145/3290330Matías Toro and Éric Tanter. 2020. Abstracting gradual references.
Science of Computer Programming
197 (2020), 102496.https://doi.org/10.1016/j.scico.2020.102496Preston Tunnell Wilson, Ben Greenman, Justin Pombrio, and Shriram Krishnamurthi. 2018. The Behavior of Gradual Types:A User Study. In
DLS (Boston, MA, USA). ACM, New York, NY, USA, 1–12. https://doi.org/10.1145/3276945.3276947Philip Wadler and Robert Bruce Findler. 2009. Well-Typed Programs Can’t Be Blamed. In
Proc. European Symposium onProgramming Languages (York, UK) (ESOP ’09) . Springer-Verlag, Berlin, 1–16.Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :30 Bañados Schwerter et al.
Andrew K. Wright and Matthias Felleisen. 1994. A Syntactic Approach to Type Soundness.
Information and Computation bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:31 𝑆 e ∨ 𝑆 Consistent Subtype Join e ∨ : GType × GType ⇀ GType 𝑆 e ∨ 𝑆 = 𝑆 e ∨ 𝑆 ? e ∨ ? = ? Int e ∨ Int = IntInt e ∨ ? = IntBool e ∨ Bool = BoolBool e ∨ ? = Bool ( 𝑆 → 𝑆 ) e ∨ ( 𝑆 → 𝑆 ) = ( 𝑆 e ∧ 𝑆 ) → ( 𝑆 e ∨ 𝑆 )( 𝑆 → 𝑆 ) e ∨ ? = ( 𝑆 → 𝑆 ) e ∨ ( ? → ? )[ 𝑙 𝑖 : 𝑆 𝑖 , ∗] e ∨ ? = [ 𝑙 𝑖 : 𝑆 𝑖 , ∗] e ∨ [ ? ][ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ] e ∨ [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 ] = [ 𝑙 𝑖 : 𝑆 𝑖 e ∨ 𝑆 𝑖 ][ 𝑙 𝑖 : 𝑆 𝑖 , ∗] e ∨ [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 , ? ] = [ 𝑙 𝑖 : 𝑆 𝑖 e ∨ 𝑆 𝑖 , ∗][ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ∗] e ∨ [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 , ? ] = [ 𝑙 𝑖 : 𝑆 𝑖 e ∨ 𝑆 𝑖 , ? ] 𝑆 e ∨ 𝑆 undefined otherwise 𝑆 e ∧ 𝑆 Consistent Subtype Meet e ∧ : GType × GType ⇀ GType 𝑆 e ∧ 𝑆 = 𝑆 e ∧ 𝑆 ? e ∧ ? = ? Int e ∧ Int = IntInt e ∧ ? = IntBool e ∧ Bool = BoolBool e ∧ ? = Bool ( 𝑆 → 𝑆 ) e ∧ ( 𝑆 → 𝑆 ) = ( 𝑆 e ∨ 𝑆 ) → ( 𝑆 e ∧ 𝑆 )( 𝑆 → 𝑆 ) e ∧ ? = ( 𝑆 → 𝑆 ) e ∧ ( ? → ? )[ 𝑙 𝑖 : 𝑆 𝑖 , ∗] e ∧ ? = [ 𝑙 𝑖 : 𝑆 𝑖 , ∗] e ∧ [ ? ][ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ] e ∧ [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 ] = [ 𝑙 𝑖 : 𝑆 𝑖 e ∧ 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 , 𝑙 𝑘 : 𝑆 𝑘 ][ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 , ? ] e ∧ [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 ] = [ 𝑙 𝑖 : 𝑆 𝑖 e ∧ 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 , 𝑙 𝑘 : 𝑆 𝑘 e ∧ ? , ? ][ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 , ? ] e ∧ [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 , ? ] = [ 𝑙 𝑖 : 𝑆 𝑖 e ∧ 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 e ∧ ? , 𝑙 𝑘 : 𝑆 𝑘 e ∧ ? , ? ] 𝑆 e ∧ 𝑆 undefined otherwise Fig. 12. GTFL . : Consistent Subtype Extrema ABOUT THESE APPENDIXES
These appendixes provide a variety of definitions and proofs that could not appear in the paperfor lack of space. Not all of the proofs undertaken in this work have been typeset. A let TYPING AND TRANSLATION JUDGMENTS ( 𝑆 let) Γ ⊢ 𝑡 : 𝑆 𝑆 . 𝑆 Γ , 𝑥 : 𝑆 ⊢ 𝑡 : 𝑆 Γ ⊢ let 𝑥 : 𝑆 = 𝑡 in 𝑡 : 𝑆 ( 𝑆 let) e ◮ Γ ⊢ 𝑡 : 𝑆 𝜀 ⊢ 𝑆 . 𝑆 e ◮ Γ , 𝑥 : 𝑆 ⊢ 𝑡 : 𝑆 let 𝑥 = 𝜀 e in e ◮ Γ ⊢ let 𝑥 : 𝑆 = 𝑡 in 𝑡 : 𝑆 ( { let) Γ ⊢ 𝑡 { e : 𝑆 𝜀 = I[[ 𝑆 . 𝑆 ]] Γ , 𝑥 : 𝑆 ⊢ 𝑡 { e : 𝑆 Γ ⊢ let 𝑥 : 𝑆 = 𝑡 in 𝑡 { let 𝑥 = 𝜀 e in e : 𝑆 B GTFL . OPERATOR DEFINITIONS
This section presents the full algorithmic definitions for some GTFL . operators that were omittedfrom the paper for lack of space.Fig. 12 presents consistent subtype join and meet, which are used to define the type judgmentfor source and runtime programs. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :32 Bañados Schwerter et al. 𝑆 ⊓ 𝑆 Gradual Meet 𝑆 ⊓ 𝑆 = 𝑆 ⊓ 𝑆 ? ⊓ ? = ? Int ⊓ Int = IntBool ⊓ Bool = Bool 𝑆 ⊓ ? = 𝑆 ( 𝑆 → 𝑆 ) ⊓ ( 𝑆 → 𝑆 ) = ( 𝑆 ⊓ 𝑆 ) → ( 𝑆 ⊓ 𝑆 )[ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ] ⊓ [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ] = [ 𝑙 𝑖 : 𝑆 𝑖 ⊓ 𝑆 𝑖 , ∗ ⊓ ∗ ] ∗ ⊓ ∗ = ( ? h∗ , ∗ i = h ? , ? i∅ otherwise [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ∗ ] ⊓ [ 𝑙 𝑖 : 𝑆 𝑖 , ? ] = [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ∗ ] ⊓ [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : ? + , ? ][ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ? ] ⊓ [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 + , ? ] = [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , 𝑙 𝑘 : ? + , ? ] ⊓ [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : ? + , 𝑙 𝑘 : 𝑆 𝑘 + , ? ] 𝑆 ⊓ 𝑆 undefined otherwise Fig. 13. Gradual Meet
I[[ 𝑆 . 𝑆 ]] : GType × GType ⇀ Ev Initial Evidence
I[[ 𝑆 . 𝑆 ]] = h 𝑆, 𝑆 i 𝑆 ∈ { Int , Bool , ? }I[[ 𝑆 . ? ]] = h 𝑆, 𝑆 i 𝑆 ∈ { Int , Bool , [∗] }I[[ ? . 𝑆 ]] = h 𝑆, 𝑆 i 𝑆 ∈ { Int , Bool }I[[ 𝑆 → 𝑆 . ? ]] = I[[ 𝑆 → 𝑆 . ? → ? ]]I[[ ? . 𝑆 → 𝑆 ]] = I[[ ? → ? . 𝑆 → 𝑆 ]]I[[ 𝑆 → 𝑆 . 𝑆 → 𝑆 ]] = h 𝑆 ′ → 𝑆 ′ , 𝑆 ′ → 𝑆 ′ i I[[ 𝑆 . 𝑆 ]] = h 𝑆 ′ , 𝑆 ′ iI[[ 𝑆 . 𝑆 ]] = h 𝑆 ′ , 𝑆 ′ iI[[ ? . [ 𝑙 𝑖 : 𝑆 𝑖 , ∗]]] = I[[[ ? ] . [ 𝑙 𝑖 : 𝑆 𝑖 , ∗]]]I[[[ 𝑙 𝑖 : 𝑆 𝑖 + , ∗] . ? ]] = h[ 𝑙 𝑖 : 𝑆 𝑖 + , ∗] , [ ? ]iI[[[ 𝑙 𝑖 : 𝑆 𝑖 ] . [ 𝑙 𝑖 : 𝑆 𝑖 , ∗]]] = h[ 𝑙 𝑖 : 𝑆 ′ 𝑖 ] , [ 𝑙 𝑖 : 𝑆 ′ 𝑖 ]i I[[ 𝑆 𝑖 . 𝑆 𝑖 ]] = h 𝑆 ′ 𝑖 , 𝑆 ′ 𝑖 iI[[[ 𝑙 𝑖 : 𝑆 𝑖 , ? ] . [ 𝑙 𝑖 : 𝑆 𝑖 , ∗]]] = h[ 𝑙 𝑖 : 𝑆 ′ 𝑖 , ? ] , [ 𝑙 𝑖 : 𝑆 ′ 𝑖 , ∗]i I[[ 𝑆 𝑖 . 𝑆 𝑖 ]] = h 𝑆 ′ 𝑖 , 𝑆 ′ 𝑖 iI[[[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ∗ ] . [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ]]] = h[ 𝑙 𝑖 : 𝑆 ′ 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ∗ ] , [ 𝑙 𝑖 : 𝑆 ′ 𝑖 , ∗ ]i I[[ 𝑆 𝑖 . 𝑆 𝑖 ]] = h 𝑆 ′ 𝑖 , 𝑆 ′ 𝑖 iI[[[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 , ? ] . [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 + , ∗]]] = I[[[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 , 𝑙 𝑘 : ? + , ? ] . [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 + , ∗]]]I[[ 𝑆 . 𝑆 ]] undefined otherwise Fig. 14. GTFL . : Definition of Initial Evidence Fig. 14 introduces an Inductive Definition of Initial Evidence, and Fig. 13 introduces an InductiveDefinition of gradual meet. With these two, given Prop. 3.3, we can produce an inductive definitionof consistent transitivity.
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:33
Figures 15 and 16 present a full direct equational definition of consistent transitivity for theoriginal gradual rows-based representation. This definition was calculated from the AGT-baseddefinition, then used to prove Prop. 3.3. : Ev × Ev ⇀ Ev Consistent Transitivity h ? , ? i h ? , ? i = h ? , ? ih 𝑆, 𝑆 i h ? , ? i = h 𝑆, 𝑆 i where 𝑆 ∈ { Int , Bool }h ? , ? i h 𝑆, 𝑆 i = h 𝑆, 𝑆 i where 𝑆 ∈ { Int , Bool }h 𝑆 → 𝑆 , 𝑆 → 𝑆 i h ? , ? i = h 𝑆 → 𝑆 , 𝑆 → 𝑆 i h ? → ? , ? → ? ih ? , ? i h 𝑆 → 𝑆 , 𝑆 → 𝑆 i = h ? → ? , ? → ? i h 𝑆 → 𝑆 , 𝑆 → 𝑆 ih ? , ? i h[ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ] , [ 𝑙 𝑗 : 𝑆 𝑗 , ∗ ]i = h[ ? ] , [ ? ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ] , [ 𝑙 𝑗 : 𝑆 𝑗 , ∗ ]ih[ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ] , [ 𝑙 𝑗 : 𝑆 𝑗 , ∗ ]i h ? , ? i = h[ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ] , [ 𝑙 𝑗 : 𝑆 𝑗 , ∗ ]i h[ ? ] , [ ? ]ih 𝑆, 𝑆 i h 𝑆, 𝑆 i = h 𝑆, 𝑆 i where 𝑆 ∈ { Int , Bool }h 𝑆 → 𝑆 , 𝑆 → 𝑆 i h 𝑆 → 𝑆 , 𝑆 → 𝑆 i = h 𝑆 → 𝑆 , 𝑆 → 𝑆 i where h 𝑆 , 𝑆 i h 𝑆 , 𝑆 i = h 𝑆 , 𝑆 i , h 𝑆 , 𝑆 i h 𝑆 , 𝑆 i = h 𝑆 , 𝑆 ih[ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ]i = h[ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ]i where h 𝑆 𝑖 , 𝑆 𝑖 i h 𝑆 𝑖 , 𝑆 𝑖 i = h 𝑆 𝑖 , 𝑆 𝑖 i , h∗ , ∗ i h∗ , ∗ i = h∗ , ∗ ih∅ , ∅i h∗ , ∗ i h∅ , ∅ih ? , ? i h ? , ? i h ? , ? i else h ? , ∅ih[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ∗ ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , ? ] , [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ]i = h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ∗ ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : ? + , ? ] , [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ]ih[ 𝑙 𝑖 : 𝑆 𝑖 , ? ] , [ 𝑙 𝑖 : 𝑆 𝑖 , ? ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 + , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 + , ∗ ]i = h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : ? + , ? ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : ? + , ? ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 + , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 + ∗ ]ih[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ? ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , ? ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 + , ? ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 + , ∗ ]i = h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , 𝑙 𝑘 : ? + , ? ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 + , 𝑙 𝑘 : ? + , ? ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 , 𝑙 𝑗 : ? + , ? ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑘 : 𝑆 𝑘 , ∗ ]i Fig. 15. Consistent Transitivity: Part 1
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :34 Bañados Schwerter et al. : Ev × Ev ⇀ Ev Consistent Transitivity (cont’d.) h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑘 : 𝑆 𝑘 ⊕ 𝑘 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 ] , [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ]i = h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑘 : 𝑆 𝑘 ⊕ 𝑘 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ]ih[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑞 : 𝑆 𝑞 , 𝑙 𝑘 : 𝑆 𝑘 ⊕ 𝑘 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑞 : 𝑆 𝑞 ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , ? ] , [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ]i = h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑞 : 𝑆 𝑞 , 𝑙 𝑘 : 𝑆 𝑘 ⊕ 𝑘 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , ∗ ]ih[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑚 : 𝑆 𝑚 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑛 : 𝑆 𝑛 ⊕ 𝑛 , 𝑙 𝑘 : 𝑆 𝑘 ⊕ 𝑘 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , ? ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑚 : 𝑆 𝑚 , 𝑙 𝑝 : 𝑆 𝑝 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑛 : 𝑆 𝑛 ⊕ 𝑛 , 𝑙 𝑟 : 𝑆 𝑟 ⊕ 𝑟 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑚 : 𝑆 𝑚 , 𝑙 𝑝 : 𝑆 𝑝 , ∗ ]i = h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑚 : 𝑆 𝑚 , 𝑙 𝑝 : 𝑆 𝑝 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑛 : 𝑆 𝑛 ⊕ 𝑛 , 𝑙 𝑟 : 𝑆 𝑟 ⊕ 𝑟 , 𝑙 𝑘 : 𝑆 𝑘 ⊕ 𝑘 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑚 : 𝑆 𝑚 , 𝑙 𝑝 : 𝑆 𝑝 , ∗ ]i∗ = ? if { 𝑙 𝑝 , 𝑙 𝑟 ⊕ 𝑟 } ≠ ∅h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑚 : 𝑆 𝑚 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑛 : 𝑆 𝑛 ⊕ 𝑛 , 𝑙 𝑞 : 𝑆 𝑞 + , 𝑙 𝑘 : 𝑆 𝑘 ⊕ 𝑘 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑞 : 𝑆 𝑞 + , ? ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑚 : 𝑆 𝑚 , 𝑙 𝑝 : 𝑆 𝑝 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑛 : 𝑆 𝑛 ⊕ 𝑛 , 𝑙 𝑟 : 𝑆 𝑟 ⊕ 𝑟 , ? ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑚 : 𝑆 𝑚 , 𝑙 𝑝 : 𝑆 𝑝 , ∗ ]i = h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑚 : 𝑆 𝑚 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑛 : 𝑆 𝑛 ⊕ 𝑛 , 𝑙 𝑞 : 𝑆 𝑞 + , 𝑙 𝑘 : 𝑆 𝑘 ⊕ 𝑘 , ∗ ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑞 : 𝑆 𝑞 + , ? ]i h[ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑚 : 𝑆 𝑚 , 𝑙 𝑝 : 𝑆 𝑝 , 𝑙 𝑗 : 𝑆 𝑗 ⊕ 𝑗 , 𝑙 𝑛 : 𝑆 𝑛 ⊕ 𝑛 , 𝑙 𝑟 : 𝑆 𝑟 ⊕ 𝑟 , 𝑙 𝑞 : ? + , ? ] , [ 𝑙 𝑖 : 𝑆 𝑖 , 𝑙 𝑚 : 𝑆 𝑚 , 𝑙 𝑝 : 𝑆 𝑝 , ∗ ]i where h 𝑆 𝑖 , 𝑆 𝑖 i h 𝑆 𝑖 , 𝑆 𝑖 i = h 𝑆 𝑖 , 𝑆 𝑖 i , h 𝑆 𝑗 , 𝑆 𝑗 i h 𝑆 𝑗 , 𝑆 𝑗 i = h 𝑆 𝑗 , 𝑆 𝑗 iI[[ 𝑆 𝑚 . ? ]] h 𝑆 𝑚 , 𝑆 𝑚 i = h 𝑆 𝑚 , 𝑆 𝑚 i , I[[ 𝑆 𝑛 . ? ]] h 𝑆 𝑛 , 𝑆 𝑛 i = h 𝑆 𝑛 , 𝑆 𝑛 ih ? , ? i h 𝑆 𝑝 , 𝑆 𝑝 i = h 𝑆 𝑝 , 𝑆 𝑝 i , h ? , ? i h 𝑆 𝑟 , 𝑆 𝑟 i = h 𝑆 𝑟 , 𝑆 𝑟 ih⊕ 𝑗 + 𝑛 + 𝑟 , ⊕ 𝑘 i ∈ { h∅ , +i , h+ , ∅i , h+ , +i } , ⊕ 𝑗 + 𝑛 + 𝑟 = ⊕ 𝑗 ⊕ 𝑛 , ⊕ 𝑟 do not appear ∅ h⊕ 𝑗 , ⊕ 𝑛 , ⊕ 𝑟 i = h∅ , ∅ , ∅i+ otherwise h 𝑆 , 𝑆 i h 𝑆 , 𝑆 i undefined otherwise Fig. 16. Consistent Transitivity: Part 2
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:35 𝑥 𝑆 ∈ Var 𝑆 (I 𝑆 n) 𝑛 ∈ Term
Int (I 𝑆 b) 𝑏 ∈ Term
Bool (I 𝑆 x) 𝑥 𝑆 ∈ Term 𝑆 (I 𝑆 +) 𝑡 𝑆 ∈ Term 𝑆 𝜀 ⊢ 𝑆 . Int 𝑡 𝑆 ∈ Term 𝑆 𝜀 ⊢ 𝑆 . Int 𝜀 𝑡 𝑆 + 𝜀 𝑡 𝑆 ∈ Term
Int (I 𝑆𝜆 ) 𝑡 𝑆 ∈ Term 𝑆 𝜆𝑥 𝑆 .𝑡 𝑆 ∈ Term 𝑆 → 𝑆 (I 𝑆 rec) 𝑡 𝑆 𝑖 ∈ Term 𝑆 𝑖 [ 𝑙 𝑖 = 𝑡 𝑆 𝑖 ] ∈ Term [ 𝑙 𝑖 : 𝑆 𝑖 ] (I 𝑆 :: ) 𝑡 𝑆 ∈ Term 𝑆 𝜀 ⊢ 𝑆 . 𝑆 𝜀𝑡 𝑆 :: 𝑆 ∈ Term 𝑆 (I 𝑆 app) 𝑡 𝑆 ∈ Term 𝑆 𝜀 ⊢ 𝑆 . 𝑆 → 𝑆 𝑡 𝑆 ∈ Term 𝑆 𝜀 ⊢ 𝑆 . 𝑆 ( 𝜀 𝑡 𝑆 ) @ 𝑆 → 𝑆 ( 𝜀 𝑡 𝑆 ) ∈ Term 𝑆 (I 𝑆 proj) 𝑡 𝑆 ∈ Term 𝑆 𝜀 ⊢ 𝑆 . [ 𝑙 : 𝑆 , ? ] 𝜀𝑡 𝑆 .𝑙 𝑆 , ∈ Term 𝑆 (I 𝑆 if) 𝑡 𝑆 ∈ Term 𝑆 𝜀 ⊢ 𝑆 . Bool 𝑡 𝑆 ∈ Term 𝑆 𝜀 ⊢ 𝑆 . 𝑆 e ∨ 𝑆 𝑡 𝑆 ∈ Term 𝑆 𝜀 ⊢ 𝑆 . 𝑆 e ∨ 𝑆 if 𝜀 𝑡 𝑆 then 𝜀 𝑡 𝑆 else 𝜀 𝑡 𝑆 ∈ Term 𝑆 e ∨ 𝑆 Fig. 17. Gradual Intrinsic Terms
C EXTRINSICALLY- AND INTRINSICALLY-TYPED TERMS ARE EQUIVALENT
Sec. 2 of the paper presents the dynamic semantics of GTFL . in terms of a runtime language RL,whose type system classifies runtime terms using source language typing judgments. This pre-sentation appears to differ substantially from the intrinsic terms of Garcia et al. [2016] (Fig. 17).This section shows that the differences are merely cosmetic: well-typed RL terms are equivalentto intrinsic terms. In particular, every closed intrinsically typed term corresponds to a closedextrinsically-typed term with the same type, and reduction of such terms preserves correspon-dence.Though formally interchangeable, we believe that the extrinsic presentation of GTFL . clarifiessome aspects of the language’s structure and semantics. First, the type structure of the runtimelanguage precisely formalizes the sense in which running a gradually-typed programming lan-guage corresponds to running a source typing derivation, which is reflected in its typing judgment.Second, RL terms are comprised only of constructs that are needed at runtime. Any static type in-formation that is needed only for metatheory is relegated to the typing judgment. In short, RLstrictly segregates computationally irrelevant source type information (found only in the RL type)from essential runtime type information (found only in the RL term). This separation can helpthe reader disambiguate what is essential only for typing and what is essential only for runtimeexecution. Third, this separation highlights the way that runtime execution uncovers more pre-cise type information (reflected in evidence) without affecting the static type reasoning (reflectedin the typing judgments). This deduced type information is not present in corresponding sourceterms, which appear as part of the runtime typing judgment. Finally, the extrinsic presentationmore closely connects with older cast-based presentations of gradual typing, where a distinct and Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :36 Bañados Schwerter et al. Ω ∈ CgrCtxt = { Ω ∈ Var ∗ ⇋ Var × GType | h 𝑥 ∗ , 𝑥, 𝑆 i ∈ Ω = ⇒ 𝑥 ∗ ∈ Var 𝑆 } Ω :: = 𝑥 𝑆 ∼ 𝑥 : 𝑆𝑡 𝑠 ∼ e ◮ Ω ⊢ 𝑡 : 𝑆 Correspondence 𝑥 𝑆 ∼ 𝑥 : 𝑆 ∈ Ω 𝑥 𝑆 ∼ x ◮ Ω ⊢ 𝑥 : 𝑆 𝑛 ∼ n ◮ Ω ⊢ 𝑛 : Int 𝑏 ∼ b ◮ Ω ⊢ 𝑏 : Bool 𝑡 𝑆 𝑖 ∼ e 𝑖 ◮ Ω ⊢ 𝑡 𝑖 : 𝑆 𝑖 ( 𝜀 𝑡 𝑆 + 𝜀 𝑡 𝑆 ) ∼ ( 𝜀 e + 𝜀 e ) ◮ Ω ⊢ 𝑡 𝑡 : Int 𝑡 𝑆 𝑖 ∼ e 𝑖 ◮ Ω ⊢ 𝑡 𝑖 : 𝑆 𝑖 ( 𝜀 𝑡 𝑆 @ 𝑆 ′ → 𝑆 ′ 𝜀 𝑡 𝑆 ) ∼ ( 𝜀 e 𝜀 e ) ◮ Ω ⊢ 𝑡 𝑡 : 𝑆 ′ 𝑡 𝑆 ∼ e ◮ Ω , 𝑥 ∼ 𝑥 𝑆 : 𝑆 ⊢ 𝑡 : 𝑆 𝜆𝑥 𝑆 .𝑡 𝑆 ∼ 𝜆𝑥 . e ◮ Ω ⊢ 𝜆𝑥 : 𝑆 .𝑡 : 𝑆 𝑡 𝑆 𝑖 ∼ e 𝑖 ◮ Ω ⊢ 𝑡 𝑖 : 𝑆 𝑖 [ 𝑙 𝑖 = 𝑡 𝑆 𝑖 ] ∼ [ 𝑙 𝑖 = e 𝑖 ] ◮ Ω ⊢ [ 𝑙 𝑖 = 𝑡 𝑖 ] : [ 𝑙 𝑖 : 𝑆 𝑖 ] 𝑡 𝑆 ∼ e ◮ Ω ⊢ 𝑡 : 𝑆 𝜀𝑡 𝑆 :: 𝑆 ∼ 𝜀 e ◮ Ω ⊢ 𝑡 : 𝑆 𝑡 𝑆 ∼ e ◮ Ω ⊢ 𝑡 : 𝑆𝜀𝑡 𝑆 .𝑙 𝑆 ∼ 𝜀 e .𝑙 ◮ Ω ⊢ 𝑡 .𝑙 : 𝑆 𝑡 𝑆 𝑖 ∼ e 𝑖 ◮ Ω ⊢ 𝑡 𝑖 : 𝑆 𝑖 if 𝜀 𝑡 𝑆 then 𝜀 𝑡 𝑆 else 𝜀 𝑡 𝑆 ∼ if 𝜀 e then 𝜀 e else 𝜀 e ◮ Ω ⊢ if 𝑡 then 𝑡 else 𝑡 : 𝑆 e ∨ 𝑆 Fig. 18. Intrinsic-Extrinsic Correspondence seemingly unrelated internal language is used define evaluation. Here, RL plays that role, but itsconnection to the source program and its gradual type discipline is precise and firm.To clarify the correspondence between extrinsic RL terms and intrinsic terms, we define a cor-respondence relation between the two kinds of terms, and prove that reduction preserves andreflects correspondence. This correspondence can be used to prove that theorems about intrinsicterms due to Garcia et al. [2016] can be transported to well-typed RL terms.Fig. 18 defines a correspondence relationship between intrinsically-typed terms and their extrin-sic counterparts. The judgment 𝑡 𝑆 ∼ e ◮ Ω ⊢ 𝑡 : 𝑆 says that given the typed variable corre-spondences in Ω , the intrinsic term 𝑡 𝑆 corresponds to the extrinsic term e as viewed through theruntime typing judgment e ◮ Γ ⊢ 𝑡 : 𝑆 , where Γ = { 𝑥 : 𝑆 | 𝑥 𝑆 ∼ 𝑥 : 𝑆 ∈ Ω } , a runtime typingcontext from the variable correspondence. We use the notation 𝐴 ⇋ 𝐵 × 𝐶 to denote subsets of 𝐴 × 𝐵 × 𝐶 that exhibit a bijective relationship between 𝐴 ’s and 𝐵 ’s when 𝐶 is omitted. Formally, 𝐴 ⇋ 𝐵 × 𝐶 = { 𝑆 ∈ 𝐴 × 𝐵 × 𝐶 | (cid:0) ∀ 𝑎 ∈ 𝐴. ∃ ≤ 𝑠 ∈ 𝑆.𝜋 ( 𝑠 ) = 𝑎 (cid:1) ∧ (cid:0) ∀ 𝑏 ∈ 𝐵. ∃ ≤ 𝑠 ∈ 𝑆.𝜋 ( 𝑠 ) = 𝑏 (cid:1) } where ∃ ≤ 𝑥 .𝑃 ( 𝑥 ) ≡ (∃ 𝑥 .𝑃 ( 𝑥 )) = ⇒ ∃ 𝑥 .𝑃 ( 𝑥 ) ∧ ∀ 𝑦.𝑃 ( 𝑦 ) = ⇒ 𝑥 = 𝑦. In other words, Ω uniquely relates intrinsic variables to extrinsic variables at the given type. Thewell-formedness of the intrinsic term 𝑡 𝑆 in the judgment implicitly imposes invariants on the evi-dence objects referenced in the rules.We formally establish the intended properties of the judgment as follows. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:37
Proposition C.1.
The extrinsic part of a correspondence is well-typed: let Ω be some variable corre-spondence, and Γ = { 𝑥 : 𝑆 | 𝑥 𝑆 ∼ 𝑥 : 𝑆 ∈ Ω } be its induced extrinsic typing context. Then 𝑡 𝑆 ∼ e ◮ Ω ⊢ 𝑡 : 𝑆 implies e ◮ Γ ⊢ 𝑡 : 𝑆 Proof. By induction over 𝑡 𝑆 ∼ e ◮ Ω ⊢ 𝑡 : 𝑆 . (cid:3) Furthermore, intrinsically-typed terms correspond uniquely (up to choice of bound variablenames) to well-typed RL terms. In the opposite direction, extrinsic typing derivations corresponduniquely to intrinsically-typed terms.Proposition C.2. (1) If 𝑡 𝑆 ∈ Term 𝑆 then there is a unique e , up to 𝛼 -equivalence, such that 𝑡 𝑆 ∼ e ◮ Ω ⊢ 𝑡 : 𝑆 i.e., ∀ 𝑆 ∈ GType , 𝑡 𝑆 ∈ Term 𝑆 . ∃ e , Ω , 𝑡 . 𝑡 𝑆 ∼ e ◮ Ω ⊢ 𝑡 : 𝑆 ∧ ∀ e ′ .𝑡 𝑆 ∼ e ′ ◮ Ω ⊢ 𝑡 : 𝑆 = ⇒ e ∼ 𝛼 e ′ ; (2) If e ◮ Γ ⊢ 𝑡 : 𝑆 , then there is a unique 𝑡 𝑆 , up to 𝛼 -equivalence, such that 𝑡 𝑆 ∼ e ◮ Ω ⊢ 𝑡 : 𝑆. Proof.(1) By induction on the formation of 𝑡 𝑆 ∈ Term.(2) By induction on the derivation of e ◮ Γ ⊢ 𝑡 : 𝑆 . (cid:3) Also, corresponding values are observationally equivalent.Proposition C.3 (Canonical Forms). (1) If 𝑛 ∼ n ◮ ∅ ⊢ 𝑛 : 𝑆 then 𝑛 = n = 𝑛 ;(2) If 𝑏 ∼ b ◮ ∅ ⊢ 𝑏 : 𝑆 then 𝑏 = b = 𝑏 .(3) If 𝜆𝑥 𝑆 .𝑡 𝑆 ′ ∼ e ◮ ∅ ⊢ 𝑡 : 𝑆 then e = 𝜆𝑥 . e and 𝑡 = 𝜆𝑥 : 𝑆 .𝑡 .(4) If 𝑡 𝑆 ∼ 𝜆𝑥 . e ◮ ∅ ⊢ 𝑡 : 𝑆 then 𝑡 𝑆 = 𝜆𝑥 𝑆 .𝑡 𝑆 ′ and 𝑡 = 𝜆𝑥 : 𝑆 .𝑡 . Finally, closed intrinsic terms and their corresponding well-typed RL terms have the same re-duction behaviour.Proposition C.4 (Bisimulation). If 𝑡 𝑆 ∼ e ◮ ∅ ⊢ 𝑡 : 𝑆 then:(1) If 𝑡 𝑆 −→ 𝑡 𝑆 then e −→ e and 𝑡 𝑆 ∼ e ◮ ∅ ⊢ 𝑡 : 𝑆 for some e , 𝑡 (2) If e −→ e then 𝑡 𝑆 −→ 𝑡 𝑆 and 𝑡 𝑆 ∼ e ◮ ∅ ⊢ 𝑡 : 𝑆 for some 𝑡 𝑆 , 𝑡 . Proof. By induction on derivations of 𝑡 𝑆 ∼ e ◮ ∅ ⊢ 𝑡 : 𝑆 (cid:3) This property shows that the static type information is irrelevant to computational results. Bythe structure of the inductive rules that define it, the correspondence relation is compatible withwell-typed term formation. It is not a congruence because the relation is between distinct lan-guages, so neither reflexive nor transitive.
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :38 Bañados Schwerter et al.
D ASSOCIATIVITY IMPLIES SPACE EFFICIENCY
If evidence composition is associative, we can construct a space efficient semantics that simulatesthe original semantics. This section aims to prove associativity suffices for semantic equivalence.To simplify the proof effort, we first develop an equivalent Structural Operational Semantics to theReduction Semantics presented on the paper. This makes it easier for us to appeal to the inductionhypothesis.
D.1 Non-Space Efficient Structural Operational Semantics
We first define our Structural Operational Semantics for the GTFL . runtime language. We will usecolors to distinguish our semantics: Our Non-Space Efficient Structural Operational Semanticsequivalent to the standard semantics previously presented in the paper will use the style 𝑒 −→ . . . . Syntax 𝑒 ∈ RTerm :: = 𝑛 | 𝜀𝑒 + 𝜀𝑒 | 𝑥 | 𝜆𝑥 .𝑒 | 𝑒 𝑒 | 𝜀𝑒 | [ 𝑙 = 𝑒 ] | 𝜀𝑒.𝑙 | if 𝜀𝑒 then 𝜀𝑒 else 𝜀𝑒 (runtime terms) 𝐹 ∈ EvFrame :: = (cid:3) | (cid:3) 𝜀𝑒 | 𝜀𝑢 (cid:3) | (cid:3) + 𝜀𝑒 | 𝜀𝑢 + (cid:3) | (cid:3) .𝑙 | if (cid:3) then 𝜀𝑒 else 𝜀𝑒 (runtime frames) Operational Semantics 𝑒 −→ 𝑒, 𝑒 −→ error Ev 𝑒 { 𝑒 ′ 𝑒 −→ 𝑒 ′ Ex 𝑒 { error 𝑒 −→ error Fv 𝑒 −→ 𝑒 ′ 𝐹 [ 𝜀𝑒 ] −→ 𝐹 [ 𝜀𝑒 ′ ] Fx 𝑒 −→ error 𝐹 [ 𝜀𝑒 ] −→ error Rec-v 𝑒 −→ 𝑒 ′ [ 𝑙 = v , 𝑙 = 𝑒, 𝑙 = e ] −→ [ 𝑙 = v , 𝑙 = 𝑒 ′ , 𝑙 = e ] Rec-x 𝑒 −→ error [ 𝑙 = v , 𝑙 = 𝑒, 𝑙 = e ] −→ error Cv 𝐹 [ 𝜀 𝜀 𝑢 ] −→ 𝐹 [ 𝜀 𝜀 𝑢 ] Cx 𝜀 𝜀 undefined 𝐹 [ 𝜀 𝜀 𝑢 ] −→ error The notions of reduction ( { ) are exactly the same as in GTFL . .We can prove that this semantics is equivalent to the one described in Fig. 3 by simple structuralinduction over the appropriate derivation on the assumption (the reduction semantics for ⇒ andthe structural operational semantics for ⇐ ).Lemma D.1 (Growing contexts). For any 𝐸 and 𝐸 ′ evaluation contexts in GTFL . , then also 𝐸 [ 𝐸 ′ ] ,where [] is the standard plugging operation, is also an evaluation context. (We do need to prove thislemma separately as we follow a construction order for contexts that is the opposite from the oneusual in Felleisen style reduction semantices) Proof. By structural induction on the definition of 𝐸 . • Case 𝐸 = (cid:3) is trivial, as 𝐸 [ 𝐸 ′ ] = 𝐸 ′ . • Case 𝐸 = 𝐸 ′′ [ 𝐹 [ 𝜀 (cid:3) K . By induction, then 𝐸 ′′ [ 𝐸 ′ ] is also an evaluation context. We can usethen the ( 𝐸 ′′ [ 𝐸 ′ ]) [ 𝐹 [ 𝜀 (cid:3) K constructor to build our evaluation context for 𝐸 [ 𝐸 ′ ] . • Case 𝐸 ′ = 𝐸 ′′ [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e ]] . Analogous to the previous case. (cid:3) Lemma D.2 (Contextual Reduction can grow contexts).
We will need this lemma for provingTheorem D.3. This lemma has two parts: • Let 𝐸 [ e ] −→ 𝐸 [ e ′ ] . Then for any 𝐸 ′ such that 𝐸 ′ = 𝐸 ′′ [ 𝐸 ] for some 𝐸 ′′ , then also 𝐸 ′ [ e ] −→ 𝐸 ′ [ e ′ ] . Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:39 • Let 𝐸 [ e ] −→ error . Then for any 𝐸 ′ such that 𝐸 ′ = 𝐸 ′′ [ 𝐸 ] for some 𝐸 ′′ , then also 𝐸 ′ [ e ] −→ error . Proof. By cases on the contextual reduction rule used to derive either 𝐸 [ e ] −→ 𝐸 [ e ′ ] or 𝐸 [ e ] −→ error . In each case, we can use the exact same rule template to derive either 𝐸 ′′ [ 𝐸 [ e K −→ 𝐸 ′′ [ 𝐸 [ e ′ K or 𝐸 ′′ [ 𝐸 [ e K −→ error , respectively. (cid:3) Theorem D.3 (Semantic equivalence between Reduction Semantics and SOS). e −→ e ′ in GTFL . if and only if e −→ e ′ in the SOS semantics as well. Also, e −→ error in GTFL . if and only if e −→ error in the SOS semantics as well. Proof. We begin by proving the only if direction ( = ⇒) .By cases on the definition of −→ we can pick the top-most rule that will be used in the SOS. Foreach rule template in the reduction semantics, we proceed by induction on the structure of 𝐸 ,adding rules on the derivation as needed, with the following protocol: 𝐸 = (cid:3) adds no rule as youhave a complete derivation by that point. 𝐸 = 𝐸 [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e K , adds an instance of rule[Rec-v] if the derivation so far steps to an expression and rule [Rec-x] if it steps to an error. 𝐸 = 𝐸 [ 𝐹 [ 𝜀 (cid:3) K adds an instance of rule [Fv] if the derivation so far steps to an expression and rule[Fx] if it steps to an error.For the top of the derivation, we chose rules as follows: • Rule e { e ′ 𝐸 [ e ] −→ 𝐸 [ e ′ ] . We apply rule [Ev] and we fill the stepping for evaluationcontexts as described. • Rule e { error 𝐸 [ e ] −→ error . We apply rule [Ex] and we fill the stepping for evaluationcontexts as described. • Rule 𝐸 [ 𝐹 [ 𝜀 𝜀 𝑢 K −→ 𝐸 [ 𝐹 [( 𝜀 𝜀 ) 𝑢 K . We apply rule [Cv] and we fill the stepping forevaluation contexts as described. • Rule 𝜀 𝜀 undefined 𝐸 [ 𝐹 [ 𝜀 𝜀 𝑢 K −→ error . We apply rule [Cx] and we fill the stepping for evaluationcontexts as described.We now proceed to prove the if case ( ⇐ = ). We proceed by structural induction on the definitionof −→ : • Rules [Ev], [Ex], [Cv] and [Cx] are trivial as we can build derivations for them in −→ using 𝐸 = (cid:3) . • Rule [Fv]. By induction, 𝑒 −→ 𝑒 ′ . By inversion on the definition of −→ , then there exists 𝑒 , 𝑒 ′ and 𝐸 such that 𝑒 = 𝐸 [ 𝑒 ] and 𝑒 ′ = 𝐸 [ 𝑒 ′ ] . We can then use 𝐸 ′′ = ( (cid:3) [ 𝐹 [ 𝜀 (cid:3) K ) [ 𝐸 ] andLemma D.2 to prove that 𝐹 [ 𝜀𝑒 ] −→ 𝐹 [ 𝜀𝑒 ′ ] . • Rule [Fx]. Analogous to Rule [Fv]. • Rule [Rec-v]. Analogous to Rule [Fv], but with context 𝐸 ′′ = ( (cid:3) [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e K ) [ 𝐸 ] . • Rule [Rec-x]. Analogous to Rule [Rec-v]. (cid:3)
D.2 Space-Efficient Structural Operational Semantics
We can now introduce the space-efficient language. Since we want the new language to beobservationally equivalent, we must deal with the fact that evidence composition ( ) is a partialfunction. We work around this issue by introducing a notation for “total” evidence , 𝜀 ⊥ . A term 𝜀 ⊥ can be a normal evidence 𝜀 or ⊥ , the latter acting as a marker for an output where an evidencecomposition was undefined. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :40 Bañados Schwerter et al.
The terms in the space efficient language are almost the same as in the structural one, except forthe fact that we replace evidence objects with total evidence objects. We also choose to colorthem differently: While a term 𝑒 represents a term in the SOS-version of the original semantics, aterm 𝑒 represents a term in the space-efficient version of the language. Syntax 𝜀 ⊥ :: = ⊥ | 𝜀 (total evidence) 𝑒 ∈ RTerm :: = 𝑛 | 𝜀 ⊥ 𝑒 + 𝜀 ⊥ 𝑒 | 𝑥 | 𝜆𝑥 .𝑒 | 𝜀 ⊥ 𝑒 𝜀 ⊥ 𝑒 | 𝜀 ⊥ 𝑒 | [ 𝑙 = 𝑒 ] | 𝜀 ⊥ 𝑒.𝑙 (runtime terms) 𝐹 ′ ∈ EvFrame :: = (cid:3) 𝜀𝑒 | 𝜀𝑢 (cid:3) | (cid:3) + 𝜀𝑒 | 𝜀𝑢 + (cid:3) | (cid:3) .𝑙 | if (cid:3) then 𝜀𝑒 else 𝜀𝑒 (runtime frames) Definitions required to propagate evidence
We substitute the partial evidence compositionoperation with a total equivalent, denoted ⊥ and defined as follows: 𝜀 ⊥ ⊥ 𝜀 ⊥ = ( 𝜀 𝜀 𝑖 𝑓 𝜀 ⊥ = 𝜀 and 𝜀 ⊥ = 𝜀 and composition is defined ⊥ otherwiseWith these definitions we are ready to present the definition of our space-efficient semantics: Operational Semantics
The operational semantics separates the cases that deal with nested casts (originally appearing asnested uses of the (cid:3) evaluation frames, such as (cid:3) [ 𝜀 . . . (cid:3) [ 𝜀𝑒 ′ K with 𝑒 ′ ≠ 𝜀𝑒 ′′ . We omit derivationslike those that would have happened through rules [Fv] and [Fx] and make explicit that evidencecomposition must happen first and thus we will always have at most one pending cast in thecontext surrounding a redex.It is also important to note that since our redexes now hold total evidence instead of plainevidence, the original notions of reduction are insufficient for this language, as they only dealwith the “not ⊥ ” cases. We introduce an extra rule to deal with the cases where a ⊥ totalevidence appears (Rule [SFx’]).With this extension we can present the full space-efficient operational semantics: 𝑒 −→ 𝑒, 𝑒 −→ error SEv 𝑒 { 𝑒 ′ 𝑒 −→ 𝑒 ′ SpEf-Ex 𝑒 { error 𝑒 −→ error SRec-v 𝑒 −→ 𝑒 ′ [ 𝑙 = v , 𝑙 = 𝑒, 𝑙 = e ] −→ [ 𝑙 = v , 𝑙 = 𝑒 ′ , 𝑙 = e ] SRec-x 𝑒 −→ error [ 𝑙 = v , 𝑙 = 𝑒, 𝑙 = e ] −→ error SCe 𝐹 ′ [ 𝜀 ⊥ 𝜀 ⊥ 𝑒 ] −→ 𝐹 ′ [ 𝜀 ⊥ ⊥ 𝜀 ⊥ 𝑒 ] SCe’ 𝜀 ⊥ 𝜀 ⊥ 𝑒 −→ 𝜀 ⊥ ⊥ 𝜀 ⊥ 𝑒 SFx ⊥ 𝑢 −→ error SFx’ 𝐹 ′ [⊥ 𝑢 ] −→ error SFe 𝑒 −→ 𝑒 ′ 𝑒 ≠ 𝜀 ⊥′ 𝑒 ′′ 𝐹 ′ [ 𝜀 ⊥ 𝑒 ] −→ 𝐹 ′ [ 𝜀 ⊥ 𝑒 ′ ] SCx 𝑒 −→ error 𝑒 ≠ 𝜀 ⊥′ 𝑒 ′ 𝐹 ′ [ 𝜀 ⊥ 𝑒 ] −→ error SStack 𝑒 ′ −→ 𝑒 ′′ 𝑒 ′ ≠ 𝜀 ⊥′ 𝑒 ′′′ 𝜀 ⊥ 𝑒 ′ −→ 𝜀 ⊥ 𝑒 ′′ SStack’ 𝑒 ′ −→ error 𝑒 ′ ≠ 𝜀 ⊥′ 𝑒 ′′ 𝜀 ⊥ 𝑒 ′ −→ error Rules [SEv] and [SpEf-Ex] are exactly as in the original semantics. Rules [SCe] and [SCe’]perform the cast composition eagerly, thus avoiding the stack growth present in the original
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:41 semantics. Once a ⊥ 𝑢 value is reached through cast composition, rules [SFx] and [SFx’] triggeran error just as in the original semantics, when composing evidence objects in an innermost tooutermost fashion. Rules [SFe] and [SCx] do grow the stack for redexes that do not represent anascription, and rules [SStack] and [SStack’] do grow the stack when an ascription is wrapping adifferent redex (not an ascription) that must be reduced first. It is important to note that, withthis approach, casts cannot arbitrarily nest and produce a space leak.Lemma D.4 (Outside-in inversion for Evaluation Contexts). For every evaluation context 𝐺 capable of producing valid syntactic terms once plugged, one of the following is true:(1) 𝐺 = (cid:3) .(2) 𝐺 = (cid:3) [ 𝐹 [ (cid:3) ]] .(3) Exists 𝐺 ′ , such that 𝐺 = ( (cid:3) [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e ]]) [ 𝐺 ′ ] .(4) Exists 𝐺 ′ , 𝜀 ⊥ such that 𝐺 = ( (cid:3) [ 𝜀 ⊥ (cid:3) ] [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e ]]) [ 𝐺 ′ ] .(5) Exists 𝐹, 𝐺 ′ , 𝜀 ⊥ such that 𝐺 = 𝐸 [ 𝐺 ′ ] with 𝐸 = ( (cid:3) [ 𝐹 [ (cid:3) ]] [ 𝜀 ⊥ (cid:3) ]) and 𝐺 ′ ≠ ( (cid:3) [ 𝜀 ⊥′ (cid:3) ]) [ 𝐺 ′′ ] .(6) Exists 𝐹, 𝐺 ′ , 𝜀 ⊥ such that 𝐺 = 𝐸 [ 𝐺 ′ ] with 𝐸 = ( (cid:3) [ 𝜀 ⊥ (cid:3) ] [ 𝐹 [ (cid:3) ]]) .Any 𝐺 ′ s would produce valid syntactic terms once the context is plugged. Proof. By structural induction on the definition of G after expansion of all E cases: • (cid:3) . Trivial. • 𝐺 [ 𝐹 [ (cid:3) ]] . By cases on the induction hypothesis: First trivial, second impossible (Frames ofthe form (cid:3) [ 𝐹 [ (cid:3) ]] [ 𝐹 [ (cid:3) ]] never produce valid syntactic terms), rest direct from inductionhypothesis. • 𝐺 [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e ]] By cases on the induction hypothesis: First exists 𝐺 ′ = (cid:3) and thus(3) holds, second impossible, rest direct from induction hypothesis. • 𝐺 [ 𝜀 ⊥ (cid:3) ] [ 𝐹 [ (cid:3) ]] By cases on the induction hypothesis: First exists 𝐺 ′ = (cid:3) and thus (6) holds,second case exists 𝜀 ⊥ = 𝜀 ⊥ and thus (5) holds, rest from induction hypothesis. • 𝐺 [ 𝜀 ⊥ (cid:3) ] [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e ]] By cases on the induction hypothesis: First exists 𝐺 ′ = (cid:3) andthus (4) holds, second case exists 𝜀 ⊥ = 𝜀 ⊥ and thus (5) holds. (cid:3) Lemma D.5 (Outside extension for evaluation contexts). . For any evaluation context 𝐺 ∈ ACtxt • (cid:3) [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e ]] [ 𝐺 ] is also a valid evaluation context in ACtxt. • If 𝐺 ≠ ( (cid:3) [ 𝜀 ⊥′ (cid:3) ]) [ 𝐺 ′ ] , then also (cid:3) [ 𝐹 [ 𝜀 ⊥ (cid:3) ]] [ 𝐺 ] and (cid:3) [ 𝜀 ⊥ (cid:3) ] [ 𝐺 ] are valid evaluation contextsin ECtxt.Note: since 𝐸 always has a 𝐺 in the end, this lemma generalizes to evaluation contexts 𝐸 as well. Proof. First case is obvious as we can replace the closing top hole (cid:3) in the original termderivation by the new term ( (cid:3) [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e ]]) .For the second case, the left-most case would be expanded as 𝐸 = 𝐺 = (cid:3) , we instead do 𝐸 = 𝐺 [ 𝜀 ⊥ (cid:3) ] = (cid:3) [ 𝜀 ⊥ (cid:3) ] . (cid:3) Theorem D.6 (Semantic equivalence between Reduction Semantics and SOS). e −→ e ′ in BRR . , ifand only if e −→ e ′ in the SOS semantics for BRR. Similarly, e −→ error in BRR . , if and only if e −→ error in the SOS semantics for BRR. Proof. We begin by proving the only if case ( = ⇒ ).We proceed by cases on the contextual reduction rule templates. For the first two cases, we beginour proof by cases on 𝐸 . We can then treat each of the 6 proofs by induction on the structure of Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :42 Bañados Schwerter et al.
G. Lemma D.4 exposes an alternative induction principle on the structure of G, which we chooseto use.We will group the proof by the cases of the induction principle, and deal in each case with thecontextual reduction rules.(1) 𝐺 = (cid:3) . We can use rules [SEv], [SpEf-Ex], [SCe’] and [SFx] to build a SOS reduction foreach respective case.(2) 𝐺 = (cid:3) [ 𝐹 [ (cid:3) ]] . Contextual reduction cannot happen on the cases that rely on notions ofreductions, as all terms that can take a step (either to another 𝑒 or to error ) arenon-ascription redexes. We are only left with the cases for evidence composition, forwhich we can build a derivation using rules [SCe] and [SFx’], respectively.(3) Exists 𝐺 ′ , such that 𝐺 = ( (cid:3) [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e K ) [ 𝐺 ′ ] . By induction, we can build aderivation on 𝐺 ′ [ 𝑒 ] in each case, and we can extend that derivation with a rule [SRec-v] or[SRec-x], respectively.(4) Exists 𝐺 ′ , 𝜀 ⊥ such that 𝐺 = ( (cid:3) [ 𝜀 ⊥ (cid:3) ] [[ 𝑙 = v , 𝑙 = (cid:3) , 𝑙 = e K ) [ 𝐺 ′ ] . By induction, we can build aderivation on 𝐺 ′ [ 𝑒 ] in each case, and we can extend that derivation with the sequence ofrules ([SRec-v], [SStack]) or ([SRec-x], [SStack’]), respectively.(5) Exists 𝐹, 𝐺 ′ , 𝜀 ⊥ such that 𝐺 = 𝐸 [ 𝐺 ′ ] with 𝐸 = ( (cid:3) [ 𝐹 [ (cid:3) K [ 𝜀 ⊥ (cid:3) ]) and 𝐺 ′ ≠ ( (cid:3) [ 𝜀 ⊥′ (cid:3) ]) [ 𝐺 ′′ ] . Byinduction, we can build a derivation on 𝐺 ′ [ 𝑒 ] in each case, and we can extend that rulewith rules [SFe] or [SCx], respectively.(6) Exists 𝐹, 𝐺 ′ , 𝜀 ⊥ such that 𝐺 = 𝐸 [ 𝐺 ′ ] with 𝐸 = ( (cid:3) [ 𝜀 ⊥ (cid:3) ] [ 𝐹 [ (cid:3) K ) .By the structure of evaluation contexts, two ascriptions cannot appear next to each otherin a 𝐺 . In the case of the contextual reduction rules dealing with notions of reduction, weknow these cannot reduce on ascriptions so there must be a 𝐺 ′′ such that 𝐺 ′ = ( (cid:3) [ 𝜀 ⊥ (cid:3) ] 𝐺 ′′ .We can thus apply either the sequence ([SFe], [SStack]) or ([SCx], [SStack’]), respectively.We can now deal with the if direction ( ⇐ = ).We proceed by induction on the derivation of the structural operational semantics ( −→ ). • Case [SEv]. We can build a derivation using 𝐸 = (cid:3) . • Case [SpEf-Ex]. We can build a derivation using 𝐸 = (cid:3) . • Case [SRec-v]. By induction hypothesis, we get some 𝐸 , or a 𝐺 , depending on thecontextual reduction in use. We can apply lemma D.5 to build the derivation with the samestructure for [SRec-v]’s conclusion. • Case [SRec-x]. Analogous to [SRec-v]. • Case [SCe]. We can build a derivation using 𝐸 = 𝐺 = (cid:3) [ 𝐹 [ (cid:3) ]] . • Case [SCe’]. We can build a derivation using 𝐸 = 𝐺 = (cid:3) . • Case [SFx]. Analogous to [SCe’]. • Case [SFx’]. Analogous to [SCe]. • Case [SFe]. Analogous to [SRec-v]. The extra restriction in this rule’s premise is alreadyhandled by lemma D.5. • Case [SCx]. Analogous to [SFe]. • Case [SStack]. Analogous to [SFe]. • Case [SStack’]. Analogous to [SFe]. (cid:3)
D.3 Bisimulation Relation
The bisimulation relation must be in charge of “giving leeway” on each point where bothsemantices diverge, bearing in mind that, for them to be bisimilar, we do want them to eventuallybe reconciled. We propose the following simulation relation. The rule of real interest is
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:43 [Sim-Casts], which encodes the leeway of changing orders in evaluation of casts, The rest of thesimulation rules are just there to complete the structural induction. 𝑒 ≈ 𝑒, error ≈ error Sim-Casts 𝑒 ≠ 𝜀 ′ 𝑒 ′ 𝑒 ≠ 𝜀 ⊥′ 𝑒 ′ 𝑒 ≈ 𝑒 𝜀 𝑛 ⊥ (cid:0) · · · ⊥ 𝜀 (cid:1) = (cid:0) 𝜀 ⊥ 𝑚 ⊥ · · · (cid:1) ⊥ 𝜀 ⊥ 𝜀 · · · 𝜀 𝑛 𝑒 ≈ 𝜀 ⊥ · · · 𝜀 ⊥ 𝑚 𝑒 Sim-Err error ≈ error Sim-U 𝑢 ≈ 𝑢 Sim-App 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 ⊥ 𝑒 Sim-Plus 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 + 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 + 𝜀 ⊥ 𝑒 Sim-If 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 if 𝜀 𝑒 then 𝜀 𝑒 else 𝜀 𝑒 ≈ if 𝜀 ⊥ 𝑒 then 𝜀 ⊥ 𝑒 else 𝜀 ⊥ 𝑒 Sim-Proj 𝜀 𝑒 ≈ 𝜀 ⊥ 𝑒 𝜀 𝑒 .𝑙 ≈ 𝜀 ⊥ 𝑒 .𝑙 Sim-Rec 𝑒 𝑖 ≈ 𝑒 ′ 𝑖 [ 𝑙 𝑖 = 𝑒 𝑖 ] ≈ [ 𝑙 𝑖 = 𝑒 ′ 𝑖 ] D.4 Proofs
Having set up all the required definitions, we can proceed to prove the properties we desire:Lemma D.7 (Substitution preserves simulation). If 𝑒 ≈ 𝑒 and 𝑒 ≈ 𝑒 , then [ 𝑒 / 𝑥 ] 𝑒 ≈ [ 𝑒 / 𝑥 ] 𝑒 . Proof. By simple structural induction over the definition of · ≈ · . (cid:3) Lemma D.8 (Notions of reduction preserve simulation). If 𝑒 ≈ 𝑒 , then if 𝑒 { 𝑒 ′ , then thereexists an 𝑒 ′ such that 𝑒 { 𝑒 ′ and 𝑒 ′ ≈ 𝑒 ′ . Proof. By cases on the applicable notions of reduction, and most follow by inversion on thesimulation relation. The only notion of reduction left is 𝛽 . In this case, theorem holds bysubstitution preserves simulation lemma. (cid:3) Lemma D.9 (Weak Simulation).
Let 𝑒 −→ 𝑒 ′ . If 𝑒 ≈ 𝑒 , then there exists 𝑒 ′ such that 𝑒 → ∗ 𝑒 ′ and 𝑒 ′ ≈ 𝑒 ′ . Proof. By structural induction on −→ , and proceed by cases on the simulation relation. • Rules [Ev] and [Ex] are trivial by “Notions of reduction preserve simulation” lemma. • Rule [Fv]. We distinguish two cases: • 𝐹 = (cid:3) . This is the key case of the proof . The only rules of the simulation relation thatapply in this case is [Sim-Casts], and thus 𝑒 = 𝜀 · · · 𝜀 𝑛 𝑒 ′ . We also know that 𝑒 ′ ≠ 𝜀 ′ 𝑒 ′′ .We can then proceed by case on the form of the derivation tree D : • If D = [ Ev ][ Fv ] ... or D = [ Ex ][ Fv ] ... , we can first apply on the related term Rule [ SCe ] asneeded to compose the evidence objects, and then, respectively, [SEv] or [SpEf-Ex] andthe notions of reduction preserves simulation lemma. • If D = [ Cv ][ Fv ] ... , we can first apply on the related term Rule [ SCe ] as needed to composethe evidence objects, and then we can rebuild the derivation tree using Rule[Sim-Casts]. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :44 Bañados Schwerter et al. • If D = [ Cx ][ Fv ] ... , we can first apply on the related term Rule [ SCe ] as needed to composethe evidence objects, and then apply rule [SFx] or [SFx’] to step to an error. Thesevalues are related by Rule [Sim-Err]. • If D = D ′ Fv 𝑒 ′′ −→ 𝑒 ′′′ 𝐹 [ 𝜀 ′ 𝑒 ′′ ] −→ 𝐹 [ 𝜀 ′ 𝑒 ′′′ ][ Fv ] ... , we also know that 𝑒 ′ = 𝐹 [ 𝜀 ′ 𝑒 ′′ ] with 𝐹 ≠ (cid:3) .As there exists 𝑒 ′ such that 𝑒 ′ ≈ 𝑒 ′ . we can use our induction hypothesis to infer thatthere exists 𝑒 ′′ such that 𝑒 ′ −→ ∗ 𝑒 ′′ and know that 𝐹 [ 𝜀 ′ 𝑒 ′′′ ] ≈ 𝑒 ′′ . We can also thenstep the original related term through as many [SCe’] as needed and then we can userule [SStack]. We have to deal now with two cases: • If 𝑒 ′′ ≠ 𝜀 ⊥′′ 𝑒 ′′ , we can rebuild the simulation derivation using rule [Sim-Casts]. • If 𝑒 ′′ = 𝜀 ⊥′′ 𝑒 ′′ , the simulation 𝑒 ′ ≈ 𝑒 ′ must end with a rule [Sim-Casts]. We can thentake as many more [SCe] steps as needed and rebuild the full derivation using rule[Sim-Casts]. • If D = D ′ Fx 𝑒 ′′ −→ error 𝐹 [ 𝜀 ′ 𝑒 ′′ ] −→ error [ Fx ] ... , we also know that 𝑒 ′ = 𝐹 [ 𝜀 ′ 𝑒 ′′ ] with 𝐹 ≠ (cid:3) . Asthere exists 𝑒 ′ such that 𝑒 ′ ≈ 𝑒 ′ . we can use our induction hypothesis to infer thatthere exists 𝑒 ′′ such that 𝑒 ′ −→ ∗ 𝑒 ′′ and know that error ≈ 𝑒 ′′ . Thus also 𝑒 ′′ = error .We can first take as many steps as needed through [SCe’] to reduce first the ascriptionscoming from [Sim-Casts], and then use [SStack’] to get to 𝑒𝑟𝑟𝑜𝑟 . • If D = D ′ Rec-v 𝑒 ′′ −→ 𝑒 ′′′ [ 𝑙 = v , 𝑙 = 𝑒 ′′ , 𝑙 = e ] −→ [ 𝑙 = v , 𝑙 = 𝑒 ′′′ , 𝑙 = e ][ Fv ] ... . Since records canonly be related through rule [Sim-Rec], then we know there exists 𝑒 ′ such that 𝑒 ′′ ≈ 𝑒 ′ .we can use our induction hypothesis to infer that there exists 𝑒 ′′ such that 𝑒 ′ −→ ∗ 𝑒 ′′ and know that 𝑒 ′′′ ≈ 𝑒 ′′ . We can again first step as many times as needed through[SCe’], then step the related term through [SRec-v] and then we can use rule [SStack].We can rebuild the relation through rule [Sim-Casts] as we have a record that we canre-relate through [Sim-Rec]. • If D = D ′ Rec-x 𝑒 ′′ −→ error [ 𝑙 = v , 𝑙 = 𝑒 ′′ , 𝑙 = e ] −→ error [ Fx ] ... .Since records can only be related through rule [Sim-Rec], then we know there exists 𝑒 ′ such that 𝑒 ′′ ≈ 𝑒 ′ . we can use our induction hypothesis to infer that there exists 𝑒 ′′ such that 𝑒 ′ −→ ∗ 𝑒 ′′ and know that error ≈ 𝑒 ′′ , thus 𝑒 ′′ = error .We can take as many [SCe’] steps to reduce first the casts from [Sim-Casts], and thentake [SRec-x] to step to the error. • 𝐹 ≠ (cid:3) . Thus the simulation relation on terms holds via either [Sim-App], [Sim-If],[Sim-Plus], or [Sim-Proj]. In each of these cases we would like to appeal directly toinduction, but we cannot as the stepping terms do not take into consideration the Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:45 evidence that appears in the assumptions of these rules. Instead we appeal inductively tothe fact that the next rule must be [Sim-Casts], and then we can follow an analogousby-cases analysis to the case where 𝐹 = (cid:3) at a nested level. • Rule [Fx] analogous to rule [Fv]. • Rules [Rec-v] and [Rec-x] can appeal directly to the induction hypothesis, and use theirrespective [SRec-v] and [SRec-x] counterparts in the space-efficient domain. • Rules [Cv] and [Cx] follow an analogous analysis to rule [Fv], but much simpler a there isno need to account for arbitrary nesting of casts. (cid:3)
Lemma D.10 (Reverse Weak Simulation).
Let 𝑒 −→ 𝑒 ′ . If 𝑒 ≈ 𝑒 , then there exists 𝑒 ′ such that 𝑒 → ∗ 𝑒 ′ and 𝑒 ′ ≈ 𝑒 ′ . Proof. By structural induction on −→ , and proceeding by cases on the simulation relation. • Rules [SEv] and [SpEf-Ex] are trivial by the “Notions of reduction preserve simulation”lemma. • Rule [SCe]. Terms are related via [Sim-App] and use [Sim-Casts] on the hole, and can berelated back using [Sim-Casts] after taking no steps on → ∗ . • Rule [SCe’]. Terms are related via [Sim-Casts], and we can simply take no steps on → ∗ . • Rule [SFx]. Terms can only be related via [Sim-Casts]. By associativity of evidencecomposition, we can take a combination of [Cv] steps and then a final [Cx] step to at somepoint reach an undefined evidence composition and produce an 𝑒𝑟𝑟𝑜𝑟 . • Rule [SFx’]. In the case for this rule, there is a subterm that has ⊥ as evidence, and thatterm must be related by [Sim-Casts] to a subterm of the related term.Since all 𝐹 ′ are also 𝐹 s, we will take a combination of [Cv] steps and then a [Cx] step toproduce a error . • Rule [SFe]
This is the key case of this proof . We would like to appeal directly to theinduction hypothesis, but we cannot because the term stepping in our assumption is notdirectly related by the simulation relation. Just like we did on the Weak Simulation proof,we can proceed by cases assuming that just as [Sim-App]/[Sim-If]/[Sim-Proj]/[Sim-Plus]will be the last rule, [Sim-Casts] will be the second-to-last, and we can then reason by caseson previous rules that could apply on the derivation of → . • Rule [SCx]. We can apply rules [Fv] and a final rule [Fx] at each step of the reduction weget from applying the induction hypothesis. Error terms are then related by [Sim-Err]. • Rule [SStack]. We can apply rule [Fv] at each step of the reduction we get from applyingthe induction hypothesis. Since the output terms are also related by the simulation relationaccording to the induction hypothesis, we can connect the full terms back together via[Sim-Casts]. • Rule [SStack’]. We can apply rule [Fv] at each step of the reduction we get from applyingthe induction hypothesis. Given the way we have defined all the rules in the simulationrelation that have an error term on the right, and given the presences of the [SFx] and[SFx’] rules (which imply that every redex that reduces to something with a ⊥ evidencewill eventually produce an error ), all terms will reduce to error, and thus we can use rule[Sim-Err] to build the simulation derivation. • Rules [SRec-v] and [SRec-x] can appeal directly to the induction hypothesis, and use theirrespective [Rec-v] and [Rec-x] counterparts in the non-space-efficient domain, as we caneither rebuild the related terms directly via [Sim-Rec] or [Sim-Err], respectively. (cid:3)
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :46 Bañados Schwerter et al.
Theorem D.11 (Weak Bisimulation).
Relation · ≈ · forms a Weak Bisimulation [Sangiorgi 2011]between −→ and −→ . Proof. By Weak Simulation and Reverse Weak Simulation lemmas. (cid:3)
E BOUNDED RECORDS AND BOUNDED ROWSE.1 Proofs of Galois Connection
Lemma E.1 ( 𝛼 is Sound). If u 𝑇 is not empty, then u 𝑇 ⊆ 𝛾 (cid:0) 𝛼 (cid:0) u 𝑇 (cid:1) (cid:1) . Proof. By mutual induction on the structure of sets induced by the definition of the abstractionfunctions 𝛼 and 𝛼 𝑀 . 𝛼 cases • 𝛼 ( 𝒞 J Int K ) = Int .It is the case that 𝒞 J Int K ⊆ { Int }• 𝛼 ( 𝒞 J Bool K ) = Bool .It is the case that 𝒞 J Bool K ⊆ { Bool }• 𝛼 ( 𝒞 J 𝐶 → 𝐶 K ) = 𝛼 ( 𝐶 ) → 𝛼 ( 𝐶 ) .Let 𝑇 𝑎 → 𝑇 𝑏 ∈ 𝒞 J 𝐶 → 𝐶 K . By Induction Hypothesis, 𝑇 𝑎 ∈ 𝛾 ( 𝛼 ( 𝐶 )) and 𝑇 𝑏 ∈ 𝛾 ( 𝛼 ( 𝐶 )) .By the definition of the concretization function, then 𝑇 𝑎 → 𝑇 𝑏 ∈ 𝛾 ( 𝛼 ( 𝒞 J 𝐶 → 𝐶 K )) . • 𝛼 (cid:18) 𝒞 s 𝑛 Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { (cid:19) = (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝛼 𝑀 ( 𝐶 ∅ 𝑖 ) (cid:21) .Let (cid:20) 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑇 𝑗 (cid:21) ∈ 𝒞 s 𝑛 Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { .By mutual induction hypothesis on each label, (cid:20) 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑇 𝑗 (cid:21) ∈ 𝒞 s 𝑛 Í 𝑖 = ℓ 𝑖 : 𝛾 𝑀 ( 𝛼 𝑀 ( 𝐶 ∅ 𝑖 )) { .The labels missing in 𝑗 from 𝑖 must come from a set 𝐶 ∅ 𝑖 such that ∅ ∈ 𝐶 ∅ 𝑖 , and for all 𝐶 ∅ , ∅ ∈ 𝐶 ∅ ⇒ ∅ ∈ 𝛾 𝑀 ( 𝛼 𝑀 ( 𝐶 ∅ )) . • 𝛼 (cid:18) 𝒞 s ? 𝑛 Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { (cid:19) = (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝛼 𝑀 ( 𝐶 ∅ 𝑖 ) ? (cid:21) .Let (cid:20) 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑇 𝑗 (cid:21) ∈ 𝒞 s ? 𝑛 Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { . Therefore, 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑇 𝑗 = 𝑝 Í 𝑘 = ℓ 𝑝 : 𝑇 𝑝 𝑞 Í ℎ = ℓ 𝑞 : 𝑇 𝑞 , where (cid:20) 𝑝 Í 𝑘 = ℓ 𝑘 : 𝑇 𝑘 (cid:21) ∈ 𝒞 s 𝑛 Í 𝑖 = ℓ 𝑖 : 𝐶 ∅ 𝑖 { and (cid:20) 𝑞 Í ℎ = ℓ ℎ : 𝑇 ℎ (cid:21) ∈ 𝒞 s 𝑞 Í ℎ = ℓ ℎ : P (
Type ∪ { ∅ }) { , where dom ( ℓ 𝑖 ) ∩ dom ( ℓ ℎ ) = ∅ . We follow the mutual induction hypothesis on each restrictedlabel ℓ 𝑘 as in the previous case to know (cid:20) 𝑝 Í 𝑘 = ℓ 𝑘 : 𝑇 𝑘 (cid:21) ∈ 𝒞 s 𝑛 Í 𝑖 = ℓ 𝑖 : 𝛾 𝑀 ( 𝛼 𝑀 ( 𝐶 ∅ 𝑖 )) { , and sincethe abstraction generates a bounded row, we can extract from its concretization theappropriate type for the rest of the mappings. • 𝛼 ( 𝐶 ) = ? .Trivial since 𝛾 ( 𝛼 ( 𝐶 )) = Type. 𝛼 𝑀 cases • 𝛼 𝑀 ({ ∅ }) = ∅ . It is the case that { ∅ } ⊆ { ∅ } . • 𝛼 𝑀 ( 𝐶 ) = ( 𝛼 ( 𝐶 )) 𝑅 , ∅ ∉ 𝐶 .Let 𝑇 ∈ 𝐶 . By mutual induction hypothesis, 𝑇 ∈ 𝛾 ( 𝛼 ( 𝐶 )) . • 𝛼 𝑀 ({ ∅ } ∪ 𝐶 ) = ( 𝛼 ( 𝐶 ) 𝑂 ) .If 𝐶 is empty, we fall back to the previous case. If 𝐶 is not empty, we case by the kind ofelements of the set: Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:47 • ∅ ∈ { ∅ } ∪ 𝐶 . By definition of 𝛾 𝑀 ( 𝑆 𝑂 ) , ∅ ∈ 𝛾 ( 𝛼 ( 𝐶 ) 𝑂 ) . • 𝑇 ∈ 𝐶 . By mutual induction hypothesis, 𝑇 ∈ 𝛾 ( 𝛼 ( 𝐶 )) . (cid:3) Lemma E.2 ( 𝛼 is Optimal). If u 𝑇 is not empty and u 𝑇 ⊆ 𝛾 ( 𝑆 ) , then 𝛼 (cid:0) u 𝑇 (cid:1) ⊑ 𝑆 Proof. Remember that 𝑆 ⊑ 𝑆 iff 𝛾 ( 𝑆 ) ⊆ 𝛾 ( 𝑆 ) . Then we proceed by mutual structural inductionon the definitions of 𝑆 and 𝑀 . 𝑆 cases • 𝑆 = Int .Only nonempty subset of 𝛾 ( 𝑆 ) is { Int } , and 𝛼 ({ Int }) = Int . • 𝑆 = Bool .Only nonempty subset of 𝛾 ( 𝑆 ) is { Bool } , and 𝛼 ({ Bool }) = Bool . • 𝑆 = 𝑆 → 𝑆 . By induction hypothesis. • 𝑆 = ? Trivial since 𝛾 ( ? ) = Type. • 𝑆 = (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 (cid:21) Since u 𝑇 ⊆ 𝛾 ( 𝑆 ) , 𝛼 ( u 𝑇 ) = (cid:20) 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑀 𝑗 (cid:21) , where dom ( ℓ 𝑗 ) ⊆ dom ( ℓ 𝑖 ) .Let 𝑇 = [ 𝑙 𝑎 : 𝑇 𝑎 ] ∈ 𝛾 ( 𝛼 ( u 𝑇 )) . The label domain for 𝑇 must be a subset of the domain of 𝑆 andfor every mapping ℓ 𝑎 : 𝑇 𝑎 , by definition and induction hypothesis, 𝑇 𝑎 ∈ 𝛾 𝑀 ( 𝑀 𝑗 ) for some 𝑗 such that ℓ 𝑎 = ℓ 𝑗 . • 𝑆 = (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 ? (cid:21) Depending on the subset taken from the concretization, abstraction might generate abounded row or a bounded record. In any case, all types in the concretization of that typewould be a subset of those in the original row.The interesting case is when we get a smaller set that still generates a row. For any recordtype in this concretization, there is a potential set labels for which their type came fromthe row designator ? , but those will all have been in the original concretization of the row.For those mappings in the type that now come from declared labels in the bounded row, byinduction hypothesis, their types will be in the concretization. We do not need to worryabout the set of absent labels, as by shrinking the set on the left, the set of absent labels canonly grow, which will only impact the concretization by making it smaller, as we want to. 𝑀 cases • 𝑀 = { ∅ } .Only nonempty subset of 𝛾 𝑀 ( 𝑀 ) is { ∅ } , and 𝛼 𝑀 ({ ∅ }) = ∅ . • 𝑀 = 𝑆 𝑅 .Since ∅ is not a member of 𝛾 𝑀 ( 𝑆 𝑅 ) , we can appeal to the mutual induction hypothesisdirectly. • 𝑀 = 𝑆 𝑂 .Let’s consider separately the case we take a subset containing ∅ or not. • If ∅ not in the set, then we can appeal to the mutual induction hypothesis directly. • If ∅ in the set, we must check for the rest of the set contents. If the set is the singleton { ∅ } , 𝛾 𝑀 ( 𝑆 𝑂 ) contains it. If there is any other elements, we remove ∅ for the set andappeal to the mutual induction hypothesis, while later adding ∅ on both sides of theinequality. (cid:3) Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :48 Bañados Schwerter et al.
Theorem E.3 (Bounded Rows form a Galois Connection).Proof. By Sound and Optimality Lemmas. (cid:3)
E.2 BRR is Gamma-Complete
In this section we prove the property that BRR is gamma-complete.Lemma E.4 (Consistent transitivity preserves evidence well-formedness).
For every two evidenceobjects ⊢ 𝜀 wf and ⊢ 𝜀 wf , if there exists 𝜀 = 𝜀 < : 𝜀 , then ⊢ 𝜀 wf . Proof. By structural induction over the definition of the well-formedness judgment. The onlyinteresting cases are those with Bounded Records/Rows in both evidence objects, and thedefinition of < : in terms of 𝛾 < : ( 𝜀 ) ; 𝛾 < : ( 𝜀 ) guarantees that a well-formed evidence object isproduced. (cid:3) Theorem E.5 (Gamma-completeness of BRR).
For every two evidence objects ⊢ 𝜀 wf and ⊢ 𝜀 wf , 𝛾 < : ( 𝜀 ) ; 𝛾 < : ( 𝜀 ) = 𝛾 < : ( 𝜀 < : 𝜀 ) Proof. By definition of evidence composition, 𝛾 < : ( 𝜀 < : 𝜀 ) = 𝛾 < : ( 𝛼 < : ( 𝛾 < : ( 𝜀 ) ; 𝛾 < : ( 𝜀 ))) .By Soundness of the Galois Connection, 𝛾 < : ( 𝜀 < : 𝜀 ) ⊇ 𝛾 < : ( 𝜀 ) ; 𝛾 < : ( 𝜀 ) , thus we are only left toprove set containment on the other direction.Now, by Lemma 6.2, if 𝛾 < : ( 𝜀 < : 𝜀 ) is defined, there exists 𝜀 such that 𝛾 < : ( 𝜀 ) ; 𝛾 < : ( 𝜀 ) = 𝛾 < : ( 𝜀 ) ,and thus by Optimality of the galois connection, 𝛾 < : ( 𝜀 < : 𝜀 ) ⊆ ( 𝛾 < : ( 𝜀 ) ; 𝛾 < : ( 𝜀 )) . (cid:3) E.3 Definition of Initial Evidence
We present Initial evidence for BRR as if Bounded Records and Rows were available to theprogrammer in Fig. 19 . This presentation is useful in writing an inductive definition of evidencecomposition, and does not impact the definition of initial evidence with BRRs for GTFL . , as wecan apply the same rules for Gradual Rows and Record, under the condition for building initialevidence that Gradual Records become Bounded Records where every mapping in the GradualRecord is included and annotated as Required, and Gradual Rows become Bounded Rows whereevery mapping in the Gradual Row is included and annotated and Required.In combination with the definition of gradual meet for BRR presented in Fig. 20, we can build analgorithmic definition of evidence composition. E.4 Definition of Consistent Subtype Meet and Join for BRR
The original statically typed language we are basing our systems upon includes conditionalbranching via the if construct. To assign appropriate types in the context of branching, the staticsystem includes the Meet ( < : ) and Join ( < : ) operations traversing the subtyping lattice over statictypes defined in Fig. 21:We include the gradual versions of these definitions in the context of BRR in Fig. 22. E.5 Space efficiency theorems
Corollary E.6 (Fixed overhead a-la-Herman et al. [2010]). If 𝑒 −→ ∗ 𝑒 ′ is bound for overhead, then space size ( 𝑒 ′ ) ≤ ∗ 𝐵 ( 𝑒 ) ∗ space ( 𝑒 ′ ) Proof. By induction over the structure of 𝑒 ′ .At every level of the AST where evidence objects occur, in the worst case, the definition of space 𝑓 (·) equals 1 plus recursion over two subterms plus applying 𝑓 over two evidences 𝜀 and 𝜀 . By the bound for overhead, + size ( 𝜀 ) + size ( 𝜀 ) ≤ ∗ ( 𝐵 ( 𝑒 ) ∗ ( + + )) , and we can applythe induction hypothesis over each of the subterms to get the desired bound. (cid:3) Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:49
I[[ 𝑆 . 𝑆 ]] : GType × GType ⇀ Ev I[[ 𝑆 . 𝑆 ]] = h 𝑆, 𝑆 i 𝑆 ∈ { Int , Bool , ? }I[[ 𝑆 . ? ]] = h 𝑆, 𝑆 i 𝑆 ∈ { Int , Bool }I[[ ? . 𝑆 ]] = h 𝑆, 𝑆 i 𝑆 ∈ { Int , Bool }I[[ 𝑆 → 𝑆 . ? ]] = I[[ 𝑆 → 𝑆 . ? → ? ]]I[[ ? . 𝑆 → 𝑆 ]] = I[[ ? → ? . 𝑆 → 𝑆 ]]I[[ 𝑆 → 𝑆 . 𝑆 → 𝑆 ]] = h 𝑆 ′ → 𝑆 ′ , 𝑆 ′ → 𝑆 ′ i where I[[ 𝑆 . 𝑆 ]] = h 𝑆 ′ , 𝑆 ′ iI[[ 𝑆 . 𝑆 ]] = h 𝑆 ′ , 𝑆 ′ iI[[ ? . (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 ∗ (cid:21) ]] = I[[[ ? ] . (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 ∗ (cid:21) ]]I[[ (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 ∗ (cid:21) . ? ]] = I[[ (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 ∗ (cid:21) . [ ? ]]]I[[ " 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑀 𝑗 ∗ . (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 𝑝 Í 𝑘 = ℓ 𝑘 : 𝑀 𝑘 ∗ (cid:21) ]] = * " 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 ′ 𝑖 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑀 ′ 𝑗 𝑝 Í 𝑘 = ℓ 𝑘 : 𝑀 ′ 𝑘 ∗ , " 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 ′ 𝑖 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑀 ′ 𝑗 𝑝 Í 𝑘 = ℓ 𝑘 : 𝑀 ′ 𝑘 ∗ wherefor every 𝑖, I[[ 𝑀 𝑖 . 𝑀 𝑖 ]] = h 𝑀 ′ 𝑖 , 𝑀 ′ 𝑖 i for every 𝑗, I[[ 𝑀 𝑗 . 𝐷 (∗ )]] = h 𝑀 ′ 𝑗 , 𝑀 ′ 𝑗 i for every 𝑘, I[[ 𝐷 (∗ ) . 𝑀 𝑘 ]] = h 𝑀 ′ 𝑘 , 𝑀 ′ 𝑘 i∗ = ( ? if ∗ = ∗ = ? · otherwise 𝐷 (·) = ∅ 𝐷 ( ? ) = ? 𝑂 I[[ 𝑀 . 𝑀 ]] : Mapping × Mapping ⇀ Mapping ∗ Mapping
I[[ 𝑀 . ∅]] = h 𝑀, ∅iI[[( 𝑆 ) ∗ . ( 𝑆 ) 𝑅 ]] = h (cid:0) 𝑆 ′ (cid:1) 𝑅 , (cid:0) 𝑆 ′ (cid:1) 𝑅 i where I[[ 𝑆 . 𝑆 ]] = h 𝑆 ′ , 𝑆 ′ iI[[( 𝑆 ) ∗ . ( 𝑆 ) 𝑂 ]] = ( h 𝑆 ∗ , (cid:0) 𝑆 ′ (cid:1) 𝑂 i where I[[ 𝑆 . 𝑆 ]] = h 𝑆 ′ , 𝑆 ′ ih 𝑆 ∗ , ∅i if I[[ 𝑆 . 𝑆 ]] is undefined. Fig. 19. Definition of Initial Evidence for Bounded Rows
Theorem E.7 (Properties of RL + ). If evidence composition is associative and has a bound, then thesemantics of RL + is space-efficient and is observationally equivalent to the semantics of RL. Proof. Theorem 4.1 guarantees observational equivalence in the presence of associative evidencecomposition. For space-efficiency, we must separately prove stack and overhead bounds. Thestack bound holds by the definition of contextual reduction in RL + .We prove the overhead bound by structural induction over the transitive closure of RL + . Thereflective case holds if Prop. 4.5 holds. For a particular step, we proceed inductively over thedefinition of the reduction relation. We only need to deal with the cases that modify theevidences in the program: Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :50 Bañados Schwerter et al. 𝑆 ⊓ 𝑆 Gradual Meet for BRR 𝑆 ⊓ 𝑆 = 𝑆 ⊓ 𝑆 ? ⊓ ? = ? Int ⊓ Int = IntBool ⊓ Bool = Bool 𝑆 ⊓ ? = 𝑆 ( 𝑆 → 𝑆 ) ⊓ ( 𝑆 → 𝑆 ) = ( 𝑆 ⊓ 𝑆 ) → ( 𝑆 ⊓ 𝑆 ) 𝑛 Õ 𝑖 = ℓ 𝑖 : 𝑀 𝑖 𝑚 Õ 𝑗 = ℓ 𝑗 : 𝑀 𝑗 ∗ ⊓ " 𝑛 Õ 𝑖 = ℓ 𝑖 : 𝑀 𝑖 𝑝 Õ 𝑘 = ℓ 𝑘 : 𝑀 𝑘 ∗ = 𝑛 Õ 𝑖 = ℓ 𝑖 : 𝑀 𝑖 ⊓ 𝑀 𝑖 𝑚 Õ 𝑗 = ℓ 𝑗 : 𝑀 𝑗 ⊓ 𝐷 (∗ ) 𝑝 Õ 𝑘 = ℓ 𝑘 : 𝐷 (∗ ) ⊓ 𝑀 𝑘 ∗ where ∗ = ( ? if ∗ = ∗ = ? · otherwise 𝑆 ⊓ 𝑆 undefined otherwise 𝑀 ⊓ 𝑀 Gradual Meet for BRR Mappings 𝑀 ⊓ 𝑀 = 𝑀 ⊓ 𝑀 ∅ ⊓ ∅ = ∅∅ ⊓ 𝑆 𝑂 = ∅( 𝑆 ) 𝑅 ⊓ ( 𝑆 ) ∗ = ( 𝑆 ⊓ 𝑆 ) 𝑅 ( 𝑆 ) 𝑂 ⊓ ( 𝑆 ) 𝑂 = ( ( 𝑆 ⊓ 𝑆 ) 𝑂 if 𝑆 ⊓ 𝑆 defined ∅ if 𝑆 ⊓ 𝑆 undefined Fig. 20. Gradual Meet for BRR 𝑇 < : 𝑇 Static Subtype Join < : : Type × Type ⇀ Type 𝑇 < : 𝑇 = 𝑇 < : 𝑇 Int < : Int = IntBool < : Bool = Bool ( 𝑇 → 𝑇 ) < : ( 𝑇 → 𝑇 ) = ( 𝑇 < : 𝑇 ) → ( 𝑇 < : 𝑇 ) " 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑇 𝑖 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑇 𝑗 < : (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑇 𝑖 𝑝 Í 𝑘 = ℓ 𝑘 : 𝑇 𝑘 (cid:21) = (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑇 𝑖 < : 𝑇 𝑖 (cid:21) 𝑇 < : 𝑇 Static Subtype Meet < : : Type × Type ⇀ Type 𝑇 < : 𝑇 = 𝑇 < : 𝑇 Int < : Int = IntBool < : Bool = Bool ( 𝑇 → 𝑇 ) < : ( 𝑇 → 𝑇 ) = ( 𝑇 < : 𝑇 ) → ( 𝑇 < : 𝑇 ) " 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑇 𝑖 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑇 𝑗 < : (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑇 𝑖 𝑝 Í 𝑘 = ℓ 𝑘 : 𝑇 𝑘 (cid:21) = " 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑇 𝑖 < : 𝑇 𝑖 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑇 𝑗 𝑝 Í 𝑘 = ℓ 𝑘 : 𝑇 𝑘 Fig. 21. Static Subtype Meet and Join
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. bstracting Gradual Typing Moving Forward: Precise and Space-Efficient (Technical Report) 1:51 𝑆 e ∨ 𝑆 Consistent Subtype Join with BRR e ∨ : GType × GType ⇀ GType 𝑆 e ∨ 𝑆 = 𝑆 e ∨ 𝑆 ? e ∨ ? = ? Int e ∨ Int = IntInt e ∨ ? = IntBool e ∨ Bool = BoolBool e ∨ ? = Bool ( 𝑆 → 𝑆 ) e ∨ ( 𝑆 → 𝑆 ) = ( 𝑆 e ∧ 𝑆 ) → ( 𝑆 e ∨ 𝑆 )( 𝑆 → 𝑆 ) e ∨ ? = ( 𝑆 → 𝑆 ) e ∨ ( ? → ? ) (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 ∗ (cid:21) e ∨ ? = (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 ∗ (cid:21) e ∨ [ ? ] " 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑀 𝑗 ∗ ∨ (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 𝑝 Í 𝑘 = ℓ 𝑘 : 𝑀 𝑘 ∗ (cid:21) = " 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 e ∨ 𝑀 𝑖 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑀 𝑗 e ∨ 𝐷 (∗ ) 𝑝 Í 𝑘 = ℓ 𝑘 : 𝐷 (∗ ) e ∨ 𝑀 𝑘 ∗ where ∗ = (cid:26) ? if ∗ = ∗ = ? · otherwise 𝑆 e ∨ 𝑆 undefined otherwise 𝑆 e ∧ 𝑆 Consistent Subtype Meet with BRR e ∧ : GType × GType ⇀ GType 𝑆 e ∧ 𝑆 = 𝑆 e ∧ 𝑆 ? e ∧ ? = ? Int e ∧ Int = IntInt e ∧ ? = IntBool e ∧ Bool = BoolBool e ∧ ? = Bool ( 𝑆 → 𝑆 ) e ∧ ( 𝑆 → 𝑆 ) = ( 𝑆 e ∨ 𝑆 ) → ( 𝑆 e ∧ 𝑆 )( 𝑆 → 𝑆 ) e ∧ ? = ( 𝑆 → 𝑆 ) e ∧ ( ? → ? ) (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 ∗ (cid:21) e ∧ ? = (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 ∗ (cid:21) e ∧ [ ? ] " 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑀 𝑗 ∗ ∧ (cid:20) 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 𝑝 Í 𝑘 = ℓ 𝑘 : 𝑀 𝑘 ∗ (cid:21) = " 𝑛 Í 𝑖 = ℓ 𝑖 : 𝑀 𝑖 e ∧ 𝑀 𝑖 𝑚 Í 𝑗 = ℓ 𝑗 : 𝑀 𝑗 e ∧ 𝐷 (∗ ) 𝑝 Í 𝑘 = ℓ 𝑘 : 𝐷 (∗ ) e ∧ 𝑀 𝑘 ∗ where ∗ = (cid:26) · if ∗ = ∗ = · ? otherwise 𝑆 e ∧ 𝑆 undefined otherwise 𝑀 e ∨ 𝑀 Consistent Subtype Join with BRR e ∨ : Mapping × Mapping ⇀ Mapping 𝑀 e ∨ 𝑀 = 𝑀 e ∨ 𝑀 ∅ e ∨ 𝑀 = ∅( 𝑆 ) 𝑅 e ∨ ( 𝑆 ) 𝑅 = (cid:0) 𝑆 e ∨ 𝑆 (cid:1) 𝑅 ( 𝑆 ) 𝑂 e ∨ ( 𝑆 ) ∗ = ((cid:0) 𝑆 e ∨ 𝑆 (cid:1) 𝑂 if 𝑆 e ∨ 𝑆 defined ∅ if 𝑆 e ∨ 𝑆 undefined 𝑀 e ∧ 𝑀 Consistent Subtype Meet with BRR e ∧ : Mapping × Mapping ⇀ Mapping 𝑀 e ∧ 𝑀 = 𝑀 e ∧ 𝑀 ∅ e ∧ 𝑀 = 𝑀 ( 𝑆 ) 𝑅 e ∧ ( 𝑆 ) ∗ = (cid:0) 𝑆 e ∧ 𝑆 (cid:1) 𝑅 ( 𝑆 ) 𝑂 e ∧ ( 𝑆 ) 𝑂 = ((cid:0) 𝑆 e ∧ 𝑆 (cid:1) 𝑂 if 𝑆 e ∧ 𝑆 defined ∅ if 𝑆 e ∧ 𝑆 undefined Fig. 22. Consistent Subtype Extrema with BRR • Case 𝐺 [ 𝜀 ⊥ 𝜀 ⊥ 𝑒 ] −→ 𝐺 [ 𝜀 ⊥ ⊥ 𝜀 ⊥ 𝑒 ] holds if size ( 𝜀 ⊥ ⊥ 𝜀 ⊥ ) ≤ + ∗ size ( 𝐵 ( 𝑒 )) , whichholds when Prop. 4.5 holds. • Cases for addition and conditionals always produce smaller terms independently of thedefinition of composition. • Case for projection holds as iproj always produces a smaller evidence and v 𝑗 is alwayssmaller than the record it belongs to. • Case for functions holds if 𝜀 idom ( 𝜀 ) ≤ 𝐵 ( 𝑒 ) . Since idom always produces a smaller orequally sized evidence, size ( 𝜀 idom ( 𝜀 )) ≤ 𝐵 ( 𝑒 ) by Prop. 4.5. (cid:3) Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2021. :52 Bañados Schwerter et al.
F FORWARD COMPLETENESS IMPLIES ASSOCIATIVITY
The following is a generic proof that forward completeness suffices to ensure that the idealabstract counterpart to an associative concrete operator is itself associative.Let: • 𝐶 ∈ Concrete be a set of concrete objects; • 𝐴 ∈ Abstract be a set of abstract objects; • 𝛾 : Concrete → Abstract and 𝛼 : Abstract → Concrete form a Galois connection; • • : Concrete × Concrete → Concrete be an associative function on concrete objects; • b • : Abstract × Abstract → Abstract • b • is forward complete: 𝛾 ( 𝐴 ) • 𝛾 ( 𝐴 ) = 𝛾 ( 𝐴 b • 𝐴 ) .By properties of Galois connections, we have 𝛾 ◦ 𝛼 ◦ 𝛾 = 𝛾 .Proposition F.1. ( 𝐴 b • 𝐴 ) b • 𝐴 = 𝐴 b • ( 𝐴 b • 𝐴 ) . Proof. The following proof depends on b • being the best abstraction of • with respect to its inputand output abstractions (Abstract ⊣ Concrete and Abstract ⊣ Concrete respectively): Let b • bedefined by 𝐴 b • 𝐴 = 𝛼 ( 𝛾 ( 𝐴 ) • 𝛾 ( 𝐴 )) . ( 𝐴 b • 𝐴 ) b • 𝐴 = 𝛼 ( 𝛾 ( 𝐴 ) • 𝛾 ( 𝐴 )) b • 𝐴 (defn of b • ) = 𝛼 ( 𝛾 ( 𝐴 b • 𝐴 )) b • 𝐴 (forward-completeness) = 𝛼 ( 𝛾 ( 𝛼 ( 𝛾 ( 𝐴 b • 𝐴 ))) • 𝛾 ( 𝐴 )) (defn of b • ) = 𝛼 ( 𝛾 ( 𝐴 b • 𝐴 )) • 𝛾 ( 𝐴 )) ( 𝛾 ◦ 𝛼 ◦ 𝛾 = 𝛾 ) = 𝛼 (( 𝛾 ( 𝐴 ) • 𝛾 ( 𝐴 )) • 𝛾 ( 𝐴 )) (forward-completeness) = 𝛼 ( 𝛾 ( 𝐴 ) • ( 𝛾 ( 𝐴 ) • 𝛾 ( 𝐴 ))) (associativity of • ) = 𝛼 ( 𝛾 ( 𝐴 ) • 𝛾 ( 𝐴 b • 𝐴 )) (forward-completeness) = 𝐴 b • ( 𝐴 b • 𝐴 ) . (defn of b • ) (cid:3) Proof. The following proof depends on 𝛼, 𝛾 forming a Galois insertion, 𝛼 ◦ 𝛾 = . It does notdepend on the particulars of b • ’s definition. ( 𝐴 b • 𝐴 ) b • 𝐴 = 𝛼 ( 𝛾 (( 𝐴 b • 𝐴 ) b • 𝐴 )) (Galois insertion) = 𝛼 ( 𝛾 ( 𝐴 b • 𝐴 ) • 𝛾 ( 𝐴 )) (forward-completeness) = 𝛼 (( 𝛾 ( 𝐴 ) • 𝛾 ( 𝐴 )) • 𝛾 ( 𝐴 )) (forward-completeness) = 𝛼 ( 𝛾 ( 𝐴 ) • ( 𝛾 ( 𝐴 ) • 𝛾 ( 𝐴 ))) (associativity of • ) = 𝛼 ( 𝛾 ( 𝐴 ) • 𝛾 ( 𝐴 b • 𝐴 )) (forward-completeness) = 𝛼 ( 𝛾 ( 𝐴 b • ( 𝐴 b • 𝐴 ))) (forward-completeness) = 𝐴 b • ( 𝐴 b • 𝐴 ) . (Galois insertion) (cid:3)(cid:3)