Behavioural Types for Memory and Method Safety in a Core Object-Oriented Language
Mario Bravetti, Adrian Francalanza, Iaroslav Golovanov, Hans Hüttel, Mathias Steen Jakobsen, Mikkel Klinke Kettunen, António Ravara
aa r X i v : . [ c s . P L ] F e b Behavioural Types for Memory and Method Safety in a CoreObject-Oriented Language
ADRIAN FRANCALANZA,
University of Malta
ANTÓNIO RAVARA,
Universidade Nova de Lisboa
HANS HÜTTEL,
Aalborg University
IAROSLAV GOLOVANOV,
Aalborg University
MARIO BRAVETTI,
Universitá di Bologna
MATHIAS STEEN JAKOBSEN,
Aalborg University
MIKKEL KLINKE KETTUNEN,
Aalborg UniversityWe present a type-based analysis ensuring memory safety and object protocol completion in the Java-like lan-guage
Mungo . Objects are annotated with usages, typestates-like specifications of the admissible sequences ofmethod calls. The analysis entwines usage checking, controlling the order in which methods are called, witha static check determining whether references may contain null values. The analysis prevents null pointerdereferencing and memory leaks and ensures that the intended usage protocol of every object is respectedand completed. The type system has been implemented in the form of a type checker.
The notion of references is central to object-oriented programming. This also means that object-oriented programs are particularly prone to the problem of null-dereferencing [14]: a recent sur-vey [27, Table 1.1] analysing questions posted to StackOverflow referring to java.lang exceptiontypes notes that, as of 1 November 2013, the most common exception was precisely null-dereferencing.Existing approaches for preventing null-dereferencing require annotations, e.g., in the form ofpre-conditions or type qualifiers, together with auxiliary reasoning methods.
E.g.,
Fähndrich andLeino [9] use type qualifiers and a data flow analysis to determine if fields are used safely, whileHubert et al. rely on a constraint-based flow analysis [16]. These approaches all rely on program-mer intervention which can be viewed as a limitation, as the absence of null-dereferencing doesnot come “for free” in well-typed programs. Static analysis tools like the Checker framework [7]can be used to check the code once it is in a stable state. However, both type qualifiers and staticanalyses suffer from a common problem: to be compositional they are either rather restrictive ordemands a lot of explicit checks in the code, resulting in a “defensive programming” style.By including the analysis as part of the type system, one obviates the need for additional anno-tations or auxiliary reasoning mechanisms. The Eiffel type system [21] now distinguishes betweenattached and detachable types: variables of an attached type can never be assigned to a void value,which is only allowed for variables of detachable type. However, it is the execution of a methodbody that typically changes the program state, causing object fields to become nullified. The in-terplay between null-dereferencing and the order in which methods of an object are invoked istherefore important. A recent manifestation of this is the bug found found in Jedis [18], a Re-dis [22] Java client, where a close method could be called even after a socket had timed out [18,Issue 1747].One can therefore see an object as following a protocol describing the admissible sequences ofmethod invocations . The intended protocol can be expressed as a behavioural type , which allows
Authors’ addresses: Adrian Francalanza, University of Malta, [email protected]; António Ravara, Universi-dade Nova de Lisboa, [email protected]; Hans Hüttel, Aalborg University, [email protected]; Iaroslav Golovanov, AalborgUniversity, [email protected]; Mario Bravetti, Universitá di Bologna, [email protected]; Mathias Steen Jakobsen,Aalborg University, [email protected]; Mikkel Klinke Kettunen, Aalborg University, [email protected]. or a rich type-based approach that can be used to ensure memory safety via static type check-ing [3, 17]. In this paper we present (to our knowledge) the first behavioural type system for a real-istic object-oriented language that rules out null-dereferencing and memory leaks as a by-productof a safety property, i.e., protocol fidelity, and of a (weak) liveness property, i.e., object protocolcompletion for terminated programs. Protocol fidelity is an expected property in behavioural typesystems, but it does not usually guarantee protocol completion for mainstream-like languages, nordoes it usually guarantee memory safety, i.e., no null-dereferencing or memory leaks .There are two main approaches to behavioural type systems. The notion of typestates has itsorigin in the work by Strom and Yemini [25]; the idea is to annotate the type of an object withinformation pertaining to its current state. Later work includes that of Vault [8], Fugue [6] andPlaid [1, 28]. Garcia et al. [11] describe a gradual typestate system that integrates access permis-sions with gradual types [23] to control aliasing in a more robust way.There appears to have been little work on memory safety; the closest is work by Suenaga etal. [26, 29] studies behavioural type systems for memory deallocation in an imperative languagewithout objects.The second approach taken is that of session types [15]. This originated in a π -calculus settingwhere the session type of a channel is a protocol that describes the sequence of communicationsthat the channel must follow. Channels are linear : they are used exactly once with the given pro-tocol, and evolves as a result of each communication that it is involved in.The work by Gay et al. [12] is a meeting of the two approaches; the type of a class C is annotatedwith a usage denoting a session that any instance of C must follow. The type system ensuresa fidelity property, where the actual sequences of method calls to any object will follow thosespecified by its usage. The Mungo / StMungo tool suite [19] is based on this work for a subset ofJava. Objects are used linearly: an object reference can be written to and subsequently read at mostonce. This controls aliasing and permits compositional reasoning via the type system, making itpossible to statically verify properties such object usage fidelity. However, the
Mungo type systemdoes not provide guarantees ruling out null-dereferencing and memory leaks. In particular, threeunpleasant behaviours are still allowed: ( i ) null-assignment to a field/parameter containing anobject with an incomplete typestate; ( ii ) null-dereferencing (even null.m() ); ( iii ) not returning anobject with incomplete protocol from a method call.In this work we present a new behavioural type system for Mungo that handles these outstand-ing issues. Following preliminary work by Campos, Ravara and Vasconcelos [5, 30], our type sys-tem guarantees that well-typed programs never give rise to null-dereferencing, memory leaks, orincorrect method calls. The system has been implemented in the form of a type checker. Thisis the first “pure” type-checking system for
Mungo . Previous systems did not support typestatesfor method parameters and return types. Moreover, the safety guarantees of our system ensureboth memory safety (a novelty) and protocol fidelity, while enforcing a weak liveness property formethods (another novelty), i.e., protocol completion for terminated programs. The approach andtechniques developed for this work may easily be adaptable to other languages and systems.The rest of our paper is structured as follows. Section 2 discusses related work, while Section 3describes the underlying ideas of our type system. In Section 4 we present the syntax of
Mungo ,while Section 5 presents its operational semantics. Section 6 describes the central features of ourtype system, while Section 7 outlines the major soundness results of the system. Section 8 brieflypresents our implementation, and Section 9 contains the conclusion of our paper. https://github.com/MungoTypesystem/Mungo-Typechecker RELATED WORK
In our work we consider null as a value of a specific ⊥ type (and only of that type). This idea isrelated to that of Vekris et al. [31] who modify the type system of Typescript, which uses undefinedand null types to represent the eponymous values, so that such types are not related (by subtyping)to any other type: in this way misuse of such a values can be effectively detected by the type system.Our approach differs in that our type system is behavioural; fields follow a protocol of linearity,where the field type ⊥ type indicates the introduction of a null value at the level of the semantics.A notion similar to our notion of usages can be found in Lerner et al. who use a similar mech-anism for controlling access to potentially uninitialised references and to reason about null refer-ences [20]. They use the idea in a setting that attempts to retrofit (different notions of) static typinganalyses for Javascript. More concretely, they use regular expression types to describe objects thatevolve over the course of their lifetime, and employ modalities to describe the presence of fields inan object such as "possibly present", "definitely present either on this object or via the prototypechain" and "cannot be accessed”.The idea of considering that objects have usage protocols is more closely related to how type-states are used in the languages and Plural and Plaid [1, 11]. There, the approach is to define theabstract states an object can be in, and associate with methods pre- and post-conditions that de-scribe in which states a method can be called and the state that will be the result of the execution ofa method. Statically, a type system checks the correctness of the code with respect to the assertionsand that client code follows the protocols of the objects it uses.However, this approach requires a demanding logical language [28] for pre- and postconditions.It is not always not obvious or even clear which post-conditions imply which pre-conditions, sothat the protocol (as, for instance, an automaton) is not easily visualisable from the annotated code.In contrast, our approach uses simply usage annotations that are checked directly in the typerules. As method bodies are type-checked in the rules for class declarations by following classusage annotations, this prevents the problem that follows from the possibility that some pre-conditions might not even be implied by any post-conditions, namely the presence of unreachablecode [24]. A crucial observation for our work is that protocol fidelity and null-dereferencing are interdepen-dent. Particularly, we require that a well-typed program never leaves the protocol incomplete bylosing a reference to an object at some point during its execution. To see the importance of this,consider the class
File in Listing 1 with the usage defined on lines 3-9. Here, the type C [U] of aclass C contains a usage U that specifies the admissible sequences of method calls for any objectinstance of C . enum F i l e S t a t u s { EOF NOTEOF }23 c l a s s
F i l e {4 { open ; X } [5 X = {6 isEOF ;
The usage tells us that the object must first be open ed, going then into state X (a usage variable)where only the method isEOF can be called. When isEOF is called the continuation of the protocoldepends on the method result: if it returns EOF one can only close the file (line 6); if it returns
NOTEOF one can read and check again (line 7). This ensures that all methods of a
File object arecalled according to the safe order declared. In particular, a null-dereferencing caused by calling read before open is prohibited, and no memory leaks can be caused by dropping an object orleaving it open before the protocol is completed.To achieve this, both methods and fields should obey their associated protocols. Within any in-stance of a class, its field objects must respect their usage protocols and executed to completion,whereas methods must be invoked in the expected usage order until completion. Importantly,avoiding field null-dereferencing is crucial to attain this. In Listing 2 a class
FileReader is intro-duced. The usage information on line 18 requires that the init() method is called first, followed bymethod readFile() . c l a s s F i l e R e a d e r {18 { i n i t ; { r e a d F i l e ; end } } [ ]1920 F i l e f i l e2122 void i n i t ( ) {23 f i l e = new
F i l e24 }2526 void r e a d F i l e ( ) {27 f i l e . open ( u n i t ) ;28 l o o p :29 switch ( f i l e . isEOF ( ) ) {30 EOF : f i l e . c l o s e ( )31 NOTEOF : f i l e . r e a d ( ) ;32 continue l o o p33 }34 }35 }
Listing 2. An example class intended for reading files
One must also use objects of type
File with usage information on line 4. Method readFile followsthe protocol by first open ing the file , and then entering a loop (lines 28 to 33) to read until its end.Then, it close s it.Combining the checks on following the protocols of the
FileReader and the
File is not trivial.Crucially, simply requiring protocol fidelity does not suffice to avoid certain problems: Protocol fidelity allows the omission of line 23 that initialises field file with a new
File object.However, calling read() on field file , even if we follow the prescribed protocol of
FileReader and invoke init() first, would result in a null-dereferencing. • Similarly, protocol fidelity also permits the addition of the command file = null at line 24. Thiswould result in not only losing the reference to the object, but also lead to null-dereferencingagain. • Protocol fidelity permits the addition of file = new
File () at line 30 before calling close () . Oncemore, this would result in losing the reference to the previous object stored in file that hasnot yet completed its protocol.Usages are vital for permitting a finer analysis that guarantees the absence of null dereferenc-ing that is also compositional . To that end, our proposed analysis provides such guarantees forprograms following the intended usage protocols. Moreover, we are able to do so by analysing thesource code of each individual class in isolation . MUNGO
LANGUAGE: SYNTAX
Mungo is a Java-like programming language and programming tool developed at Glasgow Univer-sity by Kouzapas et al. [19]. In this section we present the syntax of the
Mungo language, includingthe notion of usages that will be central to our type system. The formation rules are given in Figure1. A
Mungo program or declaration −→ D is a sequence of enumeration declarations followed by asequence of class declarations. An important distinction from the version of the Mungo languageof [19] is that we now allow generic classes.A
Mungo class declaration class h α [ β ]i C {U , F , M } , where C ∈ CNames , consists of a classname C and defines a set of methods M , a set of fields F and an usage U ; this we will describelater. The variables α and β denote class and usage variables respectively and are used for ouraccount of generic classes.A method named m is declared as t m ( t x ){ e } , where t denotes the argument type of m ,while the return type is t . The body of m is an expression e . In our presentation we do notdistinguish between statements and expressions; we allow values v as expressions but we alsoinclude statement-like expressions such as conditionals if ( e ) { e } else { e } , selection statements switch r . m ( r . m ( e )) { l i : e i } i i ∈ L , sequential compositions e ; e , method calls r . m ( e ) and assignments f = e . Note that assignment is always made to a field, meaning that assignment can only happento a field inside the object on which a method is evaluated. Objects therefore cannot access thefields of another object directly.Following [19], iteration in Mungo is possible by means of jumps. Expressions can be labelled as k : e , where k must be a unique label; the execution can then jump back to the expression labelled k by evaluating the expression continue k .Classes in Mungo are instantiated with either new C for simple classes or new C h д i for genericclasses.The set Values is ranged over by v and denotes the set of all values and contains booleanvalues, unit , labels and null . References ranged over by r describe how objects are accessed, eitheras method parameters ranged over by x ∈ PNames or field names ranged over by f ∈ FNames .The enumeration types are ranged over by L ∈ ENames ; each enum contains a set of labels l .Fields, classes and methods are annotated with types . The set of base types BTypes consistsof the type for booleans bool , the void type and enumerations L . A central component of thebehavioural type system presented later is that of typestates C h t i[U] ∈ Typestates . Typestatesappear as part of class declarations and can involve generic classes; we use the typestate notion :: = enum L { ˜ l } | class h α [ β ]i C {U , M , F }| class C {U , M , F } F :: = z fM :: = t m ( t x ){ e } v :: = unit | true | false | l | null r :: = x | fe :: = v | r | new C | new C h д i | f = e | r . m ( e )| e ; e | if ( e ) { e } else { e }| switch r . m ( r . m ( e )) { l i : e i } i i ∈ L | k : e | continue k b :: = void | bool | Lд :: = η [W] | α [ β ] η :: = C | C h η [W]i | C h α [ β ]i z :: = b | η | αt :: = b | η [U] | α [ β ] u :: = { m i ; w i } i ∈ I | Xw :: = u | h l i : u i i l i ∈ L E :: = X = u U :: = u E Fig. 1. Syntax of Mungo to capture the current value of class and usage parameters α [ β ] by using a type parameter in thetypestate C h t i[U] , where t is the actual parameter of the class and α and β are type and usagevariables, respectively.A central notion from Kouzapas et al. is that of usages ; in the syntax usages are ranged overby U and W . A usage specifies the admissible sequences of method calls allowed for an object.A usage { m i ; w i } i ∈ I describes that any one of the methods m i can be called, following which theusage is then w i . A usage h l i : u i i specifies that the usage continues as u i depending on a label l i . This is useful when the flow of execution depends on the return value of a function. To allowfor iterative behaviour, we introduce recursive usages. A defining equation X = u specifies thebehaviour of the usage given by the usage variable X ; X can occur in u .Usages have a labelled transition semantics that appears in the semantics in Section 5 as well asin the type system in Section 6. Transitions are of the form U m −→ U ′ and U l −→ U ′ . The availabletransitions for usages are shown in Table 1. (Branch) j ∈ I { m i : w i } Ei ∈ I m j −−→ w Ej (Unfold) u E ∪{ X = u } m −→ W X E ∪{ X = u } m −→ W (Sel) l j ∈ L h l i : u i i El i ∈ L l j −→ u Ej Table 1. Transitions for usages
We write
W → ∗ W ′ if usage W evolves to W ′ using zero or more usage transitions. Example 4.1.
Consider the
File class from Listing 1. Its usage U is U = { open ; X } E :: = . . . | oe :: = . . . | return { e } | switch r . m ( e ){ l i : e i } l i ∈ L Fig. 2. Run-time syntax of Mungo E = { X = { isEOF ; (cid:28) EOF : { close ; end } NOTEOF : { read ; X } (cid:29) }} The only transition here is U open −−−→ U ′ where U ′ = X E . Moreover, by applying the (Unfold) rule we have that U ′ isEOF −−−−→ U ′′ where U ′′ = h EOF : { close ; end } NOTEOF : { read ; X }i E . MUNGO
LANGUAGE: SEMANTICS
In this section we present the operational semantics of
Mungo . The semantics is a small-stepsemantics that uses a stack-based state model.
We extend the syntax to include run-time expressions and values in order to describe partiallyevaluated expressions and thereby the evaluation order of expressions. The syntactic categories ofvalues and expressions are extended as shown in Figure 2.The return { e } construct allows us to encapsulate the ongoing evaluation of a method body e . Wealso introduce a general switch construct that allows arbitrary expressions in switch statements.This will allow us to express the partial evaluation of switch constructs. Finally, we allow forobjects o to appear as values in expressions. This will allow us to express that the evaluation of anexpression can return an object that can then be used. Transitions in our semantics are relative to a program definition D and are of the form ⊢ D h h , env S , e i → h h ′ , env ′ S , e ′ i where h is a heap, env S is a parameter stack and e is the run-time expression that is being evaluated.A heap records the bindings of object references. In the heap, every object reference o is bound tosome pair ( ( C h t i[W] , env F ) where C h t i[W] is a typestate and env F ∈ Env F is a field environment.A typestate is the current state of an object with respect to its class definition and current usage.A field environment is a partial function that maps field names to the values stored in the fields.We introduce notation for selectively updating components in the image of a heap. Given a heap h = h ′ ⊎ { o
7→ ( C h t i[W] , env F )} , we use the notation h {W ′ / h ( o ) . usage } to stand for the heap h ′ ⊎ { o
7→ ( C h t i[W ′ ] , env F )} . We write h { v / o . f } for h ′ ⊎ { o
7→ ( C h t i[W] , env F { f v })} . Andwe use the notation h { o . f C h t i[U]} to denote the heap h ′ ⊎ { o
7→ ( C h t i[W ′ ] , env ′ F )} where env ′ F = env F { f C h t i[U]} .The parameter stack records to the bindings of formal parameters. It is a sequence of bindingswhere each element ( o , s ) contains an active object o and a parameter instantiation s = [ x v ] .We define ε to be the empty stack. We let env S · env ′ S denote the concatenation of the stacks env ′ S and env S .In a parameter stack env S · ( o , s ) we call the bottom element o the active element . Often, we shallthink of the parameter stack as defining a function. The domain dom ( env S ) of the parameter stack We use ⊎ to denote disjoint union. nv S is the multiset of all object names on the stack. The range of the parameter stack ran ( env S ) is the multiset of all parameter instantiations on the stack. Definition 5.1 (Class information).
Let C be a class. If class h α [ β ]i C {U , F , M } , then C is a genericclass, and we define the following functions. If class C {U , F , M } then only the functions with C h⊥i are defined. C h η [U ′ ]i . methods D def = M { α [ β ]/ η [U ′ ]} C h η [U ′ ]i . fields D def = F { α / η } C h η [U ′ ]i . usage D def = U C h⊥i . methods D def = MC h⊥i . fields D def = FC h⊥i . usage D def = U Likewise, we introduce the following notation that lets us refer to the attributes of an object o bound in a heap h . Definition 5.2 (Heap information).
Let h ( o ) = h C h t i[W] , env F i , then: h ( o ) . class def = C h t i h ( o ) . env F def = env F h ( o ) . usage def = W h ( o ) . f def = env F ( f ) h ( o ) . fields def = dom ( env F ) We define F . initvals D to be a field environment where fields are set to an initial value, whichis null for class types, false for booleans and unit for void types. F . inittypes D is a field type envi-ronment, where fields have an initial type – ⊥ for classes, Bool for booleans and void for unit.
We now define the set of valid transitions. The transition rules are split into four parts. First, wepresent the transition rules describing field access. Here the concept of linearity is also describedin detail as it is especially important for assignment and dereferencing. Then, we describe thetransition rules for method calls and control structures. Finally, the transition rules for compositeexpressions are presented.
Field access.
An important aspect of our semantics is that field access must follow a protocol of linearity , if the field value is that of an available object. If the field denotes a terminated object ora ground value, field access is unrestricted . Definition 5.3 (Linearity).
A value v is said to be linear w.r.t. a heap h written lin ( v , h ) iff v hastype C h t i[U] in h and U , end .In Table 2 we define the ground reduction rules for parameters, fields and objects. In (New) weuse the type ⊥ in order to type the class as non-generic. The rules for reading linear parameters (lParam) and reading linear fields (lDeref) illustrate the linearity concept we enforce, wherewe update a linear field or parameter to null after we have read it. Additionally, in the rule forassigning to fields (Upd) we check that the value we overwrite is not linear. Method calls.
The ground reduction rules for method calls are found in Table 3. In the rules forcalling methods on parameters (CallP) and fields (CallF) we see the second property we enforce,namely, that objects must follow the usage described by its type. In the premise of both rules wehave that a method m can only be called if the usage of the object allows an m transition and the uParam) ¬ lin ( v , h )⊢ D h h , ( o , [ x v ]) · env S , x i −→ h h , ( o , [ x v ]) · env S , v i (lParam) lin ( v , h )⊢ D h h , ( o , [ x v ]) · env S , x i −→ h h , ( o , [ x null ]) · env S , v i (uDeref) h ( o ) . f = v ¬ lin ( v , h )⊢ D h h , ( o , s ) · env S , f i −→ h h , ( o , s ) · env S , v i (lDeref) h ( o ) . f = v lin ( v , h )⊢ D h h , ( o , s ) · env S , f i −→ h h { null / o . f } , ( o , s ) · env S , v i (Upd) h ( o ) . f = v ′ ¬ lin ( v ′ , h )⊢ D h h , ( o , s ) · env S , f = v i −→ h h { v / o . f } , ( o , s ) · env S , unit i (New) o fresh C h⊥i . fields D = F C h⊥i . usage D = W⊢ D h h , env S , new C i −→ h h ∪ { o
7→ h C h⊥i[W] , F . initvals D i} , env S , o i (NewGen) o fresh C h д i . fields D = F C h д i . usage D = W⊢ D h h , env S , new C h д ii −→ h h ∪ { o
7→ h C h д i[W] , F . initvals D i} , env S , o i Table 2. Ground reduction rules for fields and objects result of this evaluation is that the usage of the object is updated and the next evaluation step isset to the method body e by wrapping the expression in a return { e } statement. The (Ret) ruledescribes how a value is returned from a method call, by unpacking the return statement into thevalue, while popping the call stack. (CallP) env S = ( o , [ x ′ o ′ ]) · env ′ S _ m ( _ x ){ e } ∈ h ( o ′ ) . class . methods D h ( o ′ ) . usage m −→ W⊢ D h h , env S , x ′ . m ( v )i −→ h h {W/ h ( o ′ ) . usage } , ( o ′ , [ x v ]) · env S , return { e }i (CallF) env S = ( o , s ) · env ′ S o ′ = h ( o ) . f _ m ( _ x ){ e } ∈ h ( o ′ ) . class . methods D h ( o ′ ) . usage m −→ W⊢ D h h , env S , f . m ( v )i −→ h h {W/ h ( o ′ ) . usage } , ( o ′ , [ x v ]) · env S , return { e }i (Ret) v , v ′ ⇒ ¬ lin ( v ′ , h )⊢ D h h , ( o , [ x v ′ ]) · env S , return { v }i −→ h h , env S , v i Table 3. Ground reduction rules for method calls
Control Structures.
The ground reduction rules for control structures are found in Table 4. Therules (SwF) and (SwP) specify how a switch involving a field or parameter is performed. Theexpression switch f . m ( l i ) tell us that we switch on label l i which is returned from a method call . m . In both (SwF) and (SwP) a usage U is chosen based on the label l i and the updated usageis reflected in the heap by updating either field f or parameter x . The rule (Lbl) shows how aloop iteration is performed by substituting instances of continue k with the expression definedfor the associated label. Finally, in rule (Seq) we see that linearity is also relevant for sequentialexpressions since a value on the left-hand side of a sequential expression should be non-linear.Otherwise, we risk loosing a reference to a linear object and thereby breaking protocol completion. (IfTrue) ⊢ D h h , env S , if ( true ){ e ′ } else { e ′′ }i −→ h h , env S , e ′ i (IfFls) ⊢ D h h , env S , if ( false ){ e ′ } else { e ′′ }i −→ h h , env S , e ′′ i (SwF) h ( o ) . f = o ′ h ( o ′ ) . usage l i −→ U l i ∈ L ⊢ D h h , ( o , s ) · env S , switch f . m ( l i ){ l j : e j } l j ∈ L i −→h h { o . f C h t ′ i[U]} , ( o , s ) · env S , e i i (SwP) h ( o ′ ) . usage l i −→ U l i ∈ L ⊢ D h h , ( o , [ x o ′ ]) · env S , switch x . m ( l i ){ l j : e j } l j ∈ L i −→h h { o ′ C h t ′ i[U]} , ( o , [ x o ′ ]) · env S , e i i (Lbl) ⊢ D h h , env S , k : e i −→ h h , env S , e { k : e / continue k }i (Seq) ¬ lin ( v , h )⊢ D h h , env S , v ; e i −→ h h , env S , e i Table 4. Ground reduction rules for control structures
Composite expressions.
The transition rules for composite expressions are found in Table 5. Therules define a call-by-value evaluation strategy for expressions, that is, expressions are evaluatedwhen they are first encountered: parameters are evaluated before the method body, the left-handside of sequential composition is evaluated before the right-hand side, etc.
We only consider configurations that are reachable from our initial configuration. A configurationis initial if it is the configuration right after main () was invoked in an object of class Main . FldC) ⊢ D h h , env S , e i −→ h h ′ , env ′ S , e ′ i⊢ D h h , env S , f = e i −→ h h ′ , env ′ S , f = e ′ i (MthdC) ⊢ D h h , env S , e i −→ h h ′ , env ′ S , e ′ i⊢ D h h , env S , r . m ( e )i −→ h h ′ , env ′ S , r . m ( e ′ )i (RetC) ⊢ D h h , env S , e i −→ h h ′ , env ′ S , e ′ i⊢ D h h , env S · ( o , s ) , return { e }i −→ h h ′ , env ′ S · ( o , s ) , return { e ′ }i (SeqC) ⊢ D h h , env S , e i −→ h h ′ , env ′ S , e ′ i⊢ D h h , env S , e ; e ′′ i −→ h h ′ , env ′ S , e ′ ; e ′′ i (IfC) ⊢ D h h , env S , e i −→ h h ′ , env ′ S , e ′ i⊢ D h h , env S , if ( e ) { e } else { e }i −→ h h ′ , env ′ S , if ( e ′ ) { e } else { e }i (SwC) ⊢ D h h , env S , e i −→ h h ′ , env ′ S , e ′ i⊢ D h h , env S , switch ( e ){ l i : e i } l i ∈ L i −→ h h ′ , env ′ S , switch ( e ′ ){ l i : e i } l i ∈ L i Table 5. Reduction rules for composite expressions
Definition 5.4 (Initial configuration). An initial configuration ic is of the form ic = h{ o main
7→ h
Main h⊥i[ end ∅ ] , Main h⊥i . fields D . initvals D i} , ( o main , s main ) , e i where: • o main is the main object mapped to a typestate with the usage [ end ∅ ] , since at this point wehave just called main, and a field environment where all fields values are initial values. Theinitial values of fields is defined in the following way: initval ( bool ) def = false , initval ( unit ) def = void and initval ( C h t i) def = null . • s main is the initial parameter binding [ x unit ]• void main ( void x ){ e } ∈ Main h⊥i . methods D .We define reachability for both configurations and usages. A configuration c is reachable if ic → ∗ c , while a usage W ′ is reachable from W if W → ∗ W ′ .One of the approximations made in our analysis is that we only consider expressions where thenumber of return statements in e does not depend on conditional execution and where objects areonly mentioned once.In order to define this, we need to define the sets of return statements and objects mentioned inan expression as functions. Definition 5.5 (Occurrences of returns and object references).
Let e be an expression, then we definethe following functions on e .(1) returns ( e ) is the multiset of all subexpressions of the form return { e ′ } (where e ′ is someexpression) that occur in e (2) objects ( e ) is the multiset of the objects occurring in e We call expressions that satisfy the above conditions well-formed . Definition 5.6 (Well-formed expressions).
An expression e is well-formed if it satisfies the follow-ing conditions:
1) For each subexpression e ′ in e we have that: • if e ′ = e ′′ ; e ′′′ then returns ( e ′′′ ) = ∅• if e ′ = if ( e ′′ ){ e ′′′ }{ e ′′′′ } then returns ( e ′′′ ) = ∅ and returns ( e ′′′′ ) = ∅• if e ′ = switch r . m ( r . m ( e ′′ )){ l i : e i } l i ∈ L then ∀ l i ∈ L . returns ( e i ) = ∅ (2) objects ( e ) is a set(3) If returns ( e ) , ∅ and return { e ′ } is the innermost return, then we have that objects ( e ) = objects ( e ′ ) A configuration h h , env S , e i is well-formed if its information is consistent. The expression e mustbe well-formed and all objects mentioned must be bound in the heap and the stack and contain thefields required by the declaration of C . The objects mentioned in the stack must be ones that arealso mentioned in the heap. And finally, the objects must satisfy a property of no aliasing, namelythat they are mentioned exactly once.To capture the property of no aliasing precisely, we define the multiset of objects occurring infields and the multiset of objects that occur in the parameter stack. If both these multisets are sets,we know that there can be no aliasing involved. Definition 5.7 (Object occurrences). • objargs ( env S ) is the multiset of objects occurring in the parameter stack: objargs ( env S ) = { o | ∃ s ∈ ran ( env S ) . x : o = s ( x )}• objfields ( h ) is the multiset of objects occurring in fields: objfields ( h ) = { o | ∃ o ′ ∈ dom ( h ) . f : o = h ( o ′ ) . f } Definition 5.8 (Well-formed configurations).
A configuration h h , env S , e i is well-formed if it sat-isfies the following conditions:(1) env S = env ′ S · ( o main , s main ) and | env ′ S | = returns ( e ) (2) env S is a set dom ( env S ) ⊆ dom ( h ) (3) e is a well-formed expression(4) objects ( e ) ⋒ objfields ( h ) ⋒ objargs ( env S ) is a set and it is a subset of dom ( h ) .(5) For every o ∈ dom ( h ) we have that if h ( o ) = ( C h t i[W] , env F ) then C h t i is declared in D , W is a reachable usage, and h ( o ) . fields = C h t i . fields Proposition 5.9. If c is a reachable configuration, then c is well-formed. In this section we describe the type system for
Mungo . The type system described check that theorder of method calls imposed by a class usage is correct. This is achieved by statically followingusage transitions and ensuring the method body associated with the transitions do not result inprotocol errors. We proceed by defining types, linearity in the typesystem, and type environmentsbefore explaining the type rules in detail.
In the type system values have either a base type b , a typestate C h t i[U] or the type of null objects, ⊥ .The notion of linearity reappears in the type system; a type is linear if it is a typestate whoseusage is not terminated. Definition 6.1 (Linear type).
Let t be a type. We write lin ( t ) if t = C h t ′ i[W] for some usage W where W , end . n our treatment of generics we need a special type in order to describe instantiations. Wedefine a special usage ⊤ U that is different from end , but has no transitions. We define a specialclass class ⊤ C {⊤ U ; ∅ ; ∅} We see directly from the definition that ⊤ C h⊥i[⊤ U ] is linear. The intention is that the type system will give us a sound overapproximation of the operationalsemantics. The bindings in the type system should therefore be counterparts of the associatednotions in the semantics.A field type environment envT F is the approximation of field environments from the operationalsemantics. A field type environment maps field name to types, that is, typestates, base types or thebottom type ⊥ . Object field environments , denoted by Λ , is the approximation of the heap, and maps objects totheir typestate along with a field typing environment, describing the fields of the object.We add an additional environment to capture the typestate of the objects mentioned in theexpression that is checked (free object names). We call this environment an object type environment envT O . It simply maps objects to typestates.To model the parameter stack of a configuration we introduce a parameter type stack environ-ment envT S and define it as a sequence of pairs ( o , S ) where o is an objects and S is a parameterbinding [ x t ] .For readability in the typing rules, we collapse envT O and envT S in a combined environment ∆ . ∆ is a sequence of object type and parameter type environments defined as ∆ = envT O · envT S .Finally, since usages can be recursive, we need to keep track of usages associated with recursionvariables. We do this by introducing a usage recursion environment Θ which is a partial functionfrom usage variables to field typing environments. They are used to ensure consistency betweenthe field of an object before and after a labelled expression. We now present the central type rules. The description of the type rules are divided into threemain parts: expressions, declarations, and usages.
The main intention behind our type system is to provide a sound overapprox-imation of terminating transition sequences in the semantics of expressions. Typing judgementsfor expressions are therefore of the form Λ ; ∆ ⊢ Ω D e : t ⊲ Λ ′ ; ∆ ′ These are to be read as follows: Evaluating e in the initial environments Λ , ∆ and Ω will result infinal typing environments Λ ′ and ∆ ′ . Here Ω is a label environment that is used to map a label k to a pair of environments ( Λ , ∆ ), Ω is only used in continue expressions and is therefore omittedin most rules. Type rules for fields and methods.
Table 6 contains the rules of the type system that describe theprotocols followed by fields and objects. The rule (TFld) is concerned with field assignment, ittells us that a field assignment is well-typed if the field is unrestricted and the type of expression e and field f agree. Here we must to ensure that the type of the right-hand side is compatible withthe field. In order to capture this we define the agree predicate. It denotes that types agree witha declaration of that specific type. For objects, the usage is ignored, such that a field declared fortype C h t i can contain objects of type C h t i[U] for any usage U . efinition 6.2 (Agree predicate). agree ( b , b ) agree ( C h t i , C h t i[W]) agree ( C , C h⊥i[W]) agree ( C h t i , ⊥) The type rule (TNew) shows how objects without a generic class parameter are to be typed; theclass parameter is instantiated with ⊥ and (TNewGen) tell us how objects with a generic classparameter are typed.For method calls we must check if the usage of the object that owns the method will permit thecall. The rule (TCallF) handles method calls on a field; for a method call o . f to be well-typed, theusage U of the field f in o must allow an m transition and the final type environment contains anupdated typestate for f . The rule (TCallP) handles method calls on a parameter in a similar wayto (TCallF) , but the updated typestate associated with parameter x is contained in the parameterstack type environment envT S instead of the object field environment Λ . Note, that the body ofthe method is not type checked in this rule; this will be handled at the class declarations and isexplained later. Example 6.3.
We again return to the
File class from Listing 1. In the rule (TCallF) we see that inorder for a call of the close method to be well-typed, there must be a transition labelled with close .Therefore, this method call would fail to be well-typed under the initial usage U from Example4.1.The rule (TRet) tell us that a return { e } expression is well-typed if the expression body e is well-typed and the method parameter used in the expression body is terminated after the execution. Thefinal type environment is one, in which the parameter stack environment does not mention thecalled object and its associated parameter. The intention is that this mirrors the modification ofthe stack environment in the semantics as expressed in the reduction rule (Ret) . (TNew) Λ ; ∆ ⊢ D new C : C h⊥i[ C h⊥i . usage ] ⊲ Λ ; ∆ (TNewGen) Λ ; ∆ ⊢ D new C h д i : C h д i[ C h д i . usage ] ⊲ Λ ; ∆ (TFld) C h t ′′ i = Λ ( o ) . class agree ( C h t ′′ i . fields D ( f ) , t ′ ) Λ ; ∆ · ( o , S ) ⊢ e : t ′ ⊲ Λ ′ , o . f t ; ∆ ′ · ( o , S ′ ) ¬ lin ( t ) Λ ; ∆ · ( o , S ) ⊢ D f = e : void ⊲ Λ ′ { o . f t ′ } ; ∆ ′ · ( o , S ′ ) (TCallF) Λ ; ∆ · ( o , S ) ⊢ e : t ⊲ Λ ′ { o . f C h t ′′ i[U]} ; ∆ ′ · ( o , S ′ ) t ′ m ( t x ){ e ′ } ∈ C h t ′′ i . methods D U m −→ W Λ ; ∆ · ( o , S ) ⊢ f . m ( e ) : t ′ ⊲ Λ ′ { o . f C h t ′′ i[W]} ; ∆ ′ · ( o , S ′ ) (TCallP) Λ ; ∆ · ( o , S ) ⊢ D e : t ⊲ Λ ′ ; ∆ ′ · ( o , [ x C h t ′′ i[U]]) t ′ m ( t x ){ e ′ } ∈ C h t ′′ i . methods D U m −→ W Λ ; ∆ · ( o , S ) ⊢ D x . m ( e ) : t ′ ⊲ Λ ′ ; ∆ ′ · ( o , [ x C h t ′′ i[W]]) (TRet) Λ ; ∆ ⊢ D e : t ⊲ Λ ′ ; ∆ ′ ∆ ′ = ∆ ′′ · ( o ′ , [ x t ′ ]) terminated(t’) Λ ; ∆ · ( o , S ) ⊢ D return { e } : t ⊲ Λ ′ ; ∆ ′′ · ( o , S ) Table 6. Type rules for fields and methods ype rules for control structures. Table 7 contains type rules for control structures in
Mungo .The importance of terminal and final environments becomes apparent in the type rule (TSeq) forsequential composition. This type rule tell us that e ; e is well-typed if the type of e is terminated,and that e can be evaluated using the resulting environments from the first expression. The rule (TIf) handles if-expressions here it is important to note that the type and the final environmentsof both branches must be the same, otherwise typing later expressions would be impossible.The rule (TSwF) is a rule for typing a switch f . m expression that involves a field. An expressionof this form is well-typed if the type of the condition e is a set of labels L and the typestate for thefield f allows for branching on the labels in L . The rule (TSwP) handle switch x . m expressions thatinvolve a reference. It is similar to (TSwF) , except the updated typestate is contained in parameterstack type environment envT S instead of the field type environment Λ .The rules TLab and
TCon for labelled expressions allows environments to change during theevaluation of continue-style loops. However, if a continue expression is encountered, the environ-ments must match the original environments, in order to allow an arbitrary number of iterations. (TSeq) Λ ; ∆ ⊢ D e : t ⊲ Λ ′′ ; ∆ ′′ ¬ lin ( t ) Λ ′′ ; ∆ ′′ ⊢ D e ′ : t ′ ⊲ Λ ′ ; ∆ ′ Λ ; ∆ ⊢ D e ; e ′ : t ′ ⊲ Λ ′ ; ∆ ′ (TIf) Λ ; ∆ ⊢ D e : Bool ⊲ Λ ′′ ; ∆ ′′ Λ ′′ ; ∆ ′′ ⊢ D e ′ : t ⊲ Λ ′ ; ∆ ′ Λ ′′ ; ∆ ′′ ⊢ D e ′′ : t ⊲ Λ ′ ; ∆ ′ Λ ; ∆ ⊢ D if ( e ) { e ′ } else { e ′′ } : t ⊲ Λ ′ ; ∆ ′ (TSwP) Λ ; ∆ · ( o , S ) ⊢ D e : L ⊲ Λ ′′ ; ∆ ′′ · ( o , [ x C h t ′ i[(h l i : u i i l i ∈ L ) E ]]) ∀ l i ∈ L . Λ ′′ ; ∆ ′′ · ( o , [ x C h t ′ i[ u Ei ]]) ⊢ D u i : t ⊲ Λ ′ ; ∆ ′ · ( o , S ′ ) Λ∆ · ( o , S ) ⊢ D switch x . m ( e ){ l i : u i } l i ∈ L : t ⊲ Λ ′ ; ∆ ′ · ( o , S ′ ) (TSwF) Λ ; ∆ · ( o , S ) ⊢ D e : L ⊲ Λ ′′ , o . f C h t ′ i[(h l i : u i i l i ∈ L ) E ]] ; ∆ ′′ ∀ l i ∈ L . Λ ′′ , o . f C h t ′ i[ u Ei ] ; ∆ ′′ ⊢ D e i : t ⊲ Λ ′ ; ∆ ′ · ( o , S ′ ) Λ ; ∆ · ( o , S ) ⊢ D switch f . m ( e ){ l i : e i } l i ∈ L : t ⊲ Λ ′ ; ∆ ′ · ( o , S ′ ) (TLab) Ω ′ = Ω , k : ( Λ , ∆ ) Λ ; ∆ ⊢ Ω ′ D e : void ⊲ Λ ′ ; ∆ ′ Λ ; ∆ ⊢ Ω D k : e : void ⊲ Λ ′ ; ∆ ′ (TCon) Ω ′ = Ω , k : ( Λ , ∆ ) Λ ; ∆ ⊢ Ω ′ D continue k : void ⊲ Λ ′ ; ∆ ′ Table 7. Typing rules for control structures
In Section 3 a class
FileReader was introduced with a loop repeated in Listing 3. Even thoughcalling the close method leaves the field in another state than calling read , the code is well typed.The reason is that after calling read , the field is left in the initial state when entering the loop, andanother iteration occurs. When calling close the loop is ended. Hence the only resulting state forthe field after the loop, is
File [ end ] .
26 [ . . . ]27 f i l e . open ( u n i t ) switch ( f i l e . isEOF ( ) ) {30 EOF : f i l e . c l o s e ( )31 NOTEOF : f i l e . r e a d ( ) ;32 continue l o o p33 }34 [ . . . ] Listing 3. Loop from class FileReader
Typing rules for values.
Table 8 define rules for typing values in
Mungo . The rules are straight-forward since typing any of these values do not change any environments. The rules cover fourtypes from the core
Mungo language: booleans, litterals, void, and ⊥ . (TLit) l ∈ L Λ ; ∆ ⊢ D l : L ⊲ Λ ; ∆ (TVoid) Λ ; ∆ ⊢ D unit : void ⊲ Λ ; ∆ (TBool) v ∈ { true , false } Λ ; ∆ ⊢ D v : Bool ⊲ Λ ; ∆ (TBot) Λ ; ∆ ⊢ D null : ⊥ ⊲ Λ ; ∆ Table 8. Typing rules for values
Type rules for objects and references.
Table 9 contains type rules for typing references and objectvalues. The rule (TObj) handles object typing and it describes that once we type an object, corre-sponding to reading it, we remove it from the object type environment. (TNoLpar) and (TNoLFld) handle typing non-linear parameters and fields, where no updates should happen to the environ-ments. The rules (TLinPar) and (TLinFld) handle typing linear parameters and fields such thatafter typing the value, the linear parameter or field is updated to the type ⊥ in either the parameterstack environment or field type environment. The type rules for program and class declarations are seen in Table 10. Aprogram declaration D is well-typed if each of its class declarations is well-typed; this is rule (TProg) . For a class to be well-typed, it usage must be well-typed and the result of following theclass usage U must result in a field typing environment envT F that is terminated i.e. all fields areunrestricted. This is captured by the rules (tClass) and (TClassGen) . The latter rule capturesour treatment of generic classes. A generic class declaration is well-typed if we can substitute thetype variable and usage parameter with the top type ⊤ C h⊥i[⊤ U ] . This substitution ensures thatthe class is well-typed for all types, by checking that the class does not call any of the methods ofthe type variable. Table 11 contains the rules for typing class usages; it is here that method bod-ies are examined. The rule (TCBr) is of particular importance, since it tells us that method bodiesare type-checked according to the class usage and that only reachable methods are examined. Foreach method m i mentioned in the class usage we check that the body e i is well-typed. TObj) envT O = envT ′ O , o t Λ ; envT O · envT S ⊢ D o : t ⊲ Λ ; envT ′ O · envT S (TLinPar) lin ( t ) Λ ; ∆ · ( o , [ x t ]) ⊢ D x : t ⊲ Λ ; ∆ · ( o , [ x
7→ ⊥]) (TNoLPar) ¬ lin ( t ) Λ ; ∆ · ( o , [ x t ]) ⊢ D x : t ⊲ Λ ; ∆ · ( o , [ x t ]) (TLinFld) t = Λ ( o ) . f lin ( t ) Λ ; ∆ · ( o , S ) ⊢ D f : t ⊲ Λ { o . f
7→ ⊥} ; ∆ · ( o , S ) (TNoLFld) ¬ lin ( t ) Λ { o . f t } ; ∆ · ( o , S ) ⊢ D f : t ⊲ Λ { o . f t } ; ∆ · ( o , S ) Table 9. Typing rules for references (TProg) ∀ D ∈ D . ⊢ D D ⊢ D (TClass) ∅ ; F . inittypes D ⊢ D C h⊥i[U] ⊲ envT F terminated ( envT F )⊢ D class C {U , F , M } (TClassGen) ∅ ; F . inittypes D ⊢ D C h⊤ C h⊥i[⊤ U ]i[U] ⊲ envT F terminated ( envT F )⊢ D class h α [ β ]i C {U , F , M } Table 10. Typing program and class definitions (TCCh) handles the case where a usage is a choice usage. A usage of this form is well-typed ifevery branch of the usage is well-typed.The rules (TCVar) and (TCRec) handle recursive usages. (TCVar) tells us that a recusive usagevariable is well-typed if the variable X is in the usage environment Θ and mapped to the initialfield type environment and (TCRec) tells us that a recursive usage is well-typed if the recursiveusage variable is in the usage environment and the class where we use the usage associated withthe recursive usage variable is well-typed. Example 6.4.
Let us return to the class
File in the code example of Listing 1. Recall the usage forthe
File class is U = { open ; X } E E = { X = { isEOF ; (cid:28) EOF : { close ; end } NOTEOF : { read ; X } (cid:29) }} To type this class, we inspect the
File usage. The usage U starts as a branch usage where onlymethod open is available. The rule (TCBr) is then applied which checks that the method body of open is well-typed and move on to check the remaining usage U ′ . U ′ is X E which is a recursive TCBr) I , ∅ ∀ i ∈ I . ∃ envT ′′ F . { this envT F } ; ∅ · ( this , [ x i t ′ i ]) ⊢ D e i : t i ⊲ { this envT ′′ F } ; ∅ · ( this , [ x i t ′′ i ]) terminated ( t ′′ i ) t i m i ( t ′ i x i ){ e i } ∈ C h t i . methods D Θ ; envT ′′ F ⊢ D C h t i[ u Ei ] ⊲ envT ′ F Θ ; envT F ⊢ D C h t i[{ m i ; u i } Ei ∈ I ] ⊲ envT ′ F (TCCh) ∀ l i ∈ L . Θ ; envT F ⊢ D C h t i[ u Ei ] ⊲ envT ′ F Θ ; envT F ⊢ D C h t i[h l i : u i i El i ∈ L ] ⊲ envT ′ F (TCEn) Θ ; envT F ⊢ D C h t i[ end E ] ⊲ envT F (TCVar) ( Θ , [ X envT F ]) ; envT F ⊢ D C h t i[ X E ] ⊲ envT ′ F (TCRec) ( Θ , [ X envT F ]) ; envT F ⊢ D C h t i[ u E ] D ⊲ envT ′ F Θ ; envT F ⊢ D C h t i[ X E ⊎{ X = u } ] ⊲ envT ′ F Table 11. Typing class usage definitions variable, hence (TCRec) is used to unfold it. Unfolding X results in a branch usage where thebody of method isEOF is checked using (TCBr) . The resulting usage U ′′ is a choice usage sorule (TCCh) is used to check the usages associated with each label. The usage associated withlabel EOF is { close ; end } a branch usage, hence (TCBr) is used. The remaining usage is end andrule (TCEn) is used to terminate the deviation. The usage associated with label NOTEOF is alsoa branch usage, hence (TCBr) is used again and its checks that the body of method read is well-typed. The resulting usage is the recursive variable X that has already been checked, so (TCVar) is applied to terminate the derivation. This concludes the type check of class File [U] . In this section we state and prove the soundness of our type system. We present a safety theorem,which guarantees that a well-typed program does not attempt null-derefencing , and that programsfollow the specified usages.
Since the type system must be an overapproximation of the semantics of
Mungo , we must relatethe notions of program states and type bindings. Central to this is that the type information atrun-time (as expressed in the heap) can be retrieved and compared to the type information in atype environment. In order to do this, we define a partial function getType that returns the typeof a value v in a given heap h . Definition 7.1 (Heap value types). getType ( v , h ) = void if v = unitbool if v = true or v = false ⊥ if v = null L if v = l and l ∈ LC h t i[W] if h ( v ) = h C h t i[W] , env F i e now use this function to define what it means to be a well-typed configuration wrt. typeenvironments Λ and ∆ , written Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′ ; ∆ ′ . A configuration is well-typed ifits bindings match the type information given: The heap matches the field typing environment Λ ,the stack ∆ in the type system matches the stack from the semantics, the objects mentioned in thetype system match those of e , the expression e itself is well typed and the field type environment Λ is compatible with the program D . Well typed heaps.
A heap h is well typed in a field typing environment Λ ( Λ ⊢ D h ) if the typesof all objects in the heap matches those of the field typing environment. Furthermore all objectsmentioned in the heap must also be mentioned in the field typing environment and vice versa. (WTH) ∀ f ∈ h ( o ) . fields . Λ ( o ) . envT F ( f ) = getType ( h ( o ) . f , h ) dom ( Λ ) = dom ( h ) ∀ o ∈ dom ( h ) . h ( o ) . fields = Λ ( o ) . fields = h ( o ) . class . fields D Λ ⊢ D h Well typed parameter stacks.
A parameter stack is well typed in a parameter typing sequence inthe context of expression e ( envT S ⊢ he env S ), if all levels of the parameter stack match with whatis known in the parameter typing sequence. The parameter typing sequence can contain moreinformation than what is in the parameter stack. If the expression does not match any of the rules,then (WTP-Base) is used. (WTP-Base) t ⊥ = getType ( v , h ) envT S · ( o , [ x t ⊥ ]) ⊢ h _ ( o , [ x v ]) (WTP-Ret) envT S ⊢ he env S getType ( v , h ) = t ⊥ envT S · ( o , [ x t ⊥ ]) ⊢ h return { e } env S · ( o , [ x v ]) (WTP-Sw) envT S ⊢ he env S envT S ⊢ h switch r . m ( e ){ l i : e i } li ∈ L env S (WTP-Mthd) envT S ⊢ he env S envT S ⊢ hr . m ( e ) env S (WTP-Fld) envT S ⊢ he env S envT S ⊢ hf = e env S (WTP-Seq) envT S ⊢ he env S envT S ⊢ he ; e ′ env S (WTP-If) envT S ⊢ he env S envT S ⊢ h if ( e ) { e } else { e } env S Well typed expressions.
An expression is well typed in a object typing environment ( envT O ⊢ h e )if the objects mentioned in e are precisely those bound in the envT O . (WTE) ∀ o ∈ dom ( envT O ) . envT O ( o ) = getType ( o , h ) dom ( envT O ) = objects ( e ) envT O ⊢ h e Well typed declarations.
A program is well typed in a field typing environment ( Λ ⊢ h D ) if thecurrent objects mentioned in the field typing environment or the heap, can all continue executionand terminate – no objects are stuck. (WTD) ∃ Γ ′ ∅ ; Λ ( o ) . envT F ⊢ D getType ( o , h ) ⊲ Γ ′ terminated ( Γ ′ ) ∀ o ∈ dom ( h ) Λ ( o ) . class = h ( o ) . class dom ( h ) = dom ( Λ ) Λ ⊢ h D ell typed configurations. We now combine the notion of well typed heaps, stacks, expressionsand declarations into well typed configurations . A well typed configuration describes that the cur-rent state of the evaluating program is in accordance with the type system, and is defined below. (WTC) Λ ⊢ D h envT S ⊢ he env S envT O ⊢ h e Λ ; envT O · envT S ⊢ D e : t ⊥ ⊲ Λ ′ ; ∆ Λ ⊢ h D Λ ; envT O · envT S ⊢ D h h , env S , e i : t ⊥ ⊲ Λ ′ ; ∆ We now show that the initial configuration presented in Definition 5.4 is in fact a well-typedconfiguration and thereby relating initial configurations to well typed programs.
Lemma 7.2 (Well typed initial configuration).
Let D be a program such that ⊢ D . The initialconfiguration of D is well typed. Proof.
Recall the initial configuration is defined as the configuration right after main was in-voked in an object of class
Main : ic = h{ o main
7→ h
Main h⊥i[ end ∅ ] , Main h⊥i . fields D . initvals D i} , ( o main , s main ) , e i Assume that ⊢ D then from (TProg) we also have the class Main is well typed.From (TClass) we know: • ∅ ; F . inittypes ⊢ D Main h⊥i[{ main ; end } ∅ ] ⊲ envT F • terminated ( envT F ) From (TCBr) we know: • { this F . inittypes } ; ∅ · ( this , [ x void ]) ⊢ D e : void ⊲ { this envT F } ; ∅ · ( this , [ x t ])• ∅ ; envT F ⊢ D Main [ end ] ∅ ⊲ envT ′ F • envT F = envT ′ F follows from (TCen) , since an end usage does not change any fields.We now show that Λ ; ∆ ⊢ D h{ o main
7→ h
Main h⊥i[ end ∅ ] , Main h⊥i . fields D . initvals D i} , ( o main , [ x unit ]) , e i ⊲ Λ ′ ; ∆ ′ Where Λ = { this F . inittypes } and ∆ = ∅ · ( this , [ x void ]) .By showing the premises of (WTC) are satisfied. • { this F . inittypes } ⊢ D { o main
7→ h
Main h⊥i[ end ∅ ] , Main h⊥i . fields D . initvals D i} is satis-fied since the field types in Λ clearly correspond with the heap and their domains are thesame. • ( this , [ x void ]) ⊢ he ( o main , [ x unit ]) is concluded with (WTP-Base) (potentially afterapplying other (WTP) rules except (WTP-Ret) ). • ∅ ⊢ h e is satisfied since e is not a run-time expression hence objects ( e ) = ∅ . • Λ ; ∆ ⊢ D e : t ⊲ Λ ′ ; ∆ ′ from (TCBr) . • { this F . inittypes } ⊢ h D satisfied from (TCBr) and (TClass) . Namely, ∅ ; envT F ⊢ D Main [ end ] ∅ ⊲ envT F and terminated ( envT F ) . (cid:3) We can finally present the subject reduction theorem for our system. It states that if a well-typedconfiguration can perform a step, then the resulting configuration will also be well-typed.
Theorem 7.3 (Subject reduction).
Let D be such that ⊢ D and let h h , env S , e i be a configuration.If D ⊢ D h h , env S , e i −→ h h ′ , env ′ S , e ′ i then: ∃ Λ , ∆ . Λ , ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′ ; ∆ ′ = ⇒ ∃ Λ N , ∆ N . Λ N , ∆ N ⊢ D h h ′ , env ′ S , e ′ i : t ⊲ Λ ′′ ; ∆ ′ here Λ ′ ( o ) = Λ ′′ ( o ) and o is the active object in the resulting configuration. Proof.
By induction in the structure of the reduction rules. (cid:3)
We can now formulate an important result guaranteed by the type system, that well-typed pro-grams do not exhibit run-time errors.Here we need to define the notion of run-time error by means of an error predicate for config-urations. If a configuration h h , env S , e i has an error, we write h h , env S , e i −→ err .Examples of the types of error we can catch using this notation includes the two importantproblems we set out to solve, namely null-dereferencing and protocol errors.In Table 12 we present the rules defining the error predicate. Each rule captures a particularrun-time error, and each of corresponds to one of four kinds of errors for methods and fields.Thus, the rules (MthNotAv-1) and (MthNotAv-2) together define the occurrences of the run-time error method not available . The rules (NullCall-1) and (NullCall-2) describe two cases ofnull dereferencing that occur when the object whose method m is to be called has been nullified. (NullCall-1) is an instance of a field not available error, whereas (NullCall-2) is an instance ofa parameter not available error. Lemma 7.4 (Error freedom). If ∃ Λ , ∆ . Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′ ; ∆ ′ then h h , env S , e i 6−→ err Proof.
Induction in the structure of −→ err . (cid:3) We can now state our main theorem: that a well-typed configuration will never experience therun-time errors captured by −→ err . This is a direct consequence of Theorem 7.3 and Lemma 7.4. Theorem 7.5 (Safety). If Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′ ; ∆ ′ and h h , env S , e i → ∗ h h ′ , env ′ S , e ′ i then h h ′ , env ′ S , e ′ i 6−→ err A prototype of the type system for the presented version of
Mungo has been implemented inHaskell. The language supported by the implementation is the language presented in this report,extended with integers and boolean expressions. These extensions does not introduce any interest-ing challenges in the type system, and as such is not presented in this work. The implementationis available at https://github.com/MungoTypesystem/Mungo-Typechecker.The implementation has three main components, the parser, the type system and an inferencemodule for usages. The inference module can infer usages for classes based on the usages of itsfields. A description of the method for usage inference is outside the scope of this report, and willbe presented elsewhere. In this presentation we focus on the type system.
Mungo
Program A Mungo program consists of a number of enum declarations, followed by a number of classdeclarations, as illustrated in Listing 4. A class declaration can be seen on lines 6-18, and consistsof the class usage, followed by the fields and methods. As shown in line 8, the syntax for usagesis slightly adapted for writability in the implementation and is on the form u [ X i = u i ] i ∈ I ratherthan the usual u E . NullCall-1) h ( o ) . f = null h h , ( o , s ) · env S , f . m ( v )i −→ err (NullCall-2) h h , ( o , [ x null ]) · env S , x . m ( v )i −→ err (MthdNotAv-1) h ( o ) . f = o ′ h ( o ′ ) . usaдe m −→h h , ( o , s ) · env S , f . m ( v )i −→ err (MthdNotAv-2) h ( o ′ ) . usaдe m −→h h , ( o , [ x o ′ ]) · env S , x . m ( v )i −→ err (FldErr) h ( o ) = h C h t i[U] , env F i f < dom ( env F )h h , ( o , S ) · env S , f i −→ err (IfCErr) h h , env S , e i −→ err h h , env S , if ( e ) { e } else { e }i −→ err (FldCErr) h h , env S , e i −→ err h h , env S , f = e i −→ err (CallCErr) h h , env S , e i −→ err h h , env S , r . m ( e )i −→ err (RetCErr) h h , env S , e i −→ err h h , env S · ( o , s ) , return { e }i −→ err (SeqCErr) h h , env S , e i −→ err h h , env S , e ; e ′ i −→ err (SwCErr) h h , env S , e i −→ err h h , env S , switch r . m ( e ){ l i : e i } l i ∈ L i −→ err Table 12. Error predicates enum S t a t e {2 l 13 l 24 }56 c l a s s C {7 / / Usag e end l 2 : { n ; X } > } [ X = { o ; end m; X } ]910 / / F i e l d s bool f 112 O t h e r C l a s s f 21314 / / Method s
15 S t a t e m( void x ) { . . . ; l 1 } void o ( void x ) { . . . }18 } Listing 4. Structure of a Mungo program in the implementation
The implementation of the type checking of
Mungo programs follows the structure of the typesystem presented in Section 6. Type checking of a class follows the defined usage and a field typingenvironment is updated in accordance with the bodies of the methods declared by the usage. Itis ensured that following the usage of a class results in a terminated field typing environment,and if this is not the case for a class in the program, this is reported to the programmer. Furtherwork the implementation includes translating real-life Java programs to
Mungo , and verify theircorrectness and the absence of errors.
In this paper we present a behavioural type system for the
Mungo language that has also beenimplemented in the form of a type-checker.In the system, each class is annotated with usages that describe the protocol to be followedby method calls to object instances of the class. Moreover, object fields that are references in theform of objects can only be used in a linear fashion. The type system extends that of [19], and thesoundness results that we have established provide a formal guarantee that a well-typed programwill satisfy two important properties: That null dereferencing does not occur and that objectscomplete the protocol that their usage annotations require. Here, behavioural types are essential,as they allow the type of a field to evolve to ⊥ , the only type inhabited by the null value null . Thisis in contrast to most type systems for Java like languages that do not let types evolve during acomputation and overload null to have any type.Our notion of generics is similar to that of universal types from the typed λ -calculus, and doesnot allow for bounds to be placed on the typing parameters. On one hand this creates a limitationfor the use of such generics, since class parameters of type α [ β ] cannot be used for method calls,as there is no knowledge of the actual type when typechecking the class. As it stands now, thegenerics can be used to type collections such as the classes in java.util.Collections .To be able to type a larger subset of Java, than what Mungo currently allows, further workalso includes adding inheritance to the language in a type-safe manner. Inheritance is commonin object oriented programming, and would allow Mungo to be used for a larger set of programs.This is particularly important, since classes in languages like Java always implicitly inherit fromthe class
Object . However, Amin and Tate have shown that the type system of Java [2], whichuses bounds on type parameters in definitions of generic classes, is unsound. Moreover, Grigorehas shown that type checking in the presence of full subtyping is undecidable [13]. Therefore, infurther work, we need to be extremely careful when introducing subtyping into our system.Our present type system requires a non-aliasing property of fields; it would be highly desirableto also deal with this limitation of the system. A possible approach would be to use ideas from thework on behavioural separation of Caires and Seco [4] and on SHAPES [10] by Franco et al.
REFERENCES [1] Jonathan Aldrich. The Plaid Programming Language, 2010.
2] Nada Amin and Ross Tate. Java and scala’s type systems are unsound: The existential crisis of null pointers. In
Proceedings of the 2016 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages,and Applications , OOPSLA 2016, pages 838–848, New York, NY, USA, 2016. ACM.[3] Davide Ancona, Viviana Bono, Mario Bravetti, Joana Campos, Pierre-Malo Deniélou, Nils Gesbert, Elena Giachino,Raymond Hu, Einar Broch Johnsen, Francisco Martins, Fabrizio Montesi, Rumyana Neykova, Vasco T. Vasconcelos,and Nobuko Yoshida. Behavioral types in programming languages.
Foundations and Trends in Programming Languages ,3(2–3):95–230, 2016.[4] Luís Caires and João Costa Seco. The type discipline of behavioral separation. In
The 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’13, Rome, Italy - January 23 - 25, 2013 , pages275–286, 2013.[5] Joana Campos and Vasco T. Vasconcelos. Channels as objects in concurrent object-oriented programming. In
Proceed-ings of the 3rd Workshop on Programming Language Approaches to Concurrency and communication-cEntric Software(PLACES’10) , volume 69 of
EPTCS , pages 12–28, 2010.[6] Robert DeLine and Manuel Fähndrich. Typestates for objects. In
Proceedings of the 18th European Conference onObject-Oriented Programming (ECOOP’04) , volume 3086 of
Lecture Notes in Computer Science , pages 465–490, Berlin,Heidelberg, 2004. Springer.[7] Werner Dietl, Stephanie Dietzel, Michael D. Ernst, Kivanç Muslu, and Todd W. Schiller. Building and using plug-gable type-checkers. In Richard N. Taylor, Harald C. Gall, and Nenad Medvidovic, editors,
Proceedings of the 33rdInternational Conference on Software Engineering, ICSE 2011 , pages 681–690. ACM, 2011.[8] Manuel Fähndrich and Robert DeLine. Adoption and focus: Practical linear types for imperative programming. In
Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’02) , pages13–24, Berlin, Germany, 2002. ACM.[9] Manuel Fähndrich and K. Rustan M. Leino. Declaring and checking non-null types in an object-oriented language.In
Proceedings of the 18th Annual ACM SIGPLAN Conference on Object-oriented Programming, Systems, Languages, andApplications , OOPSLA ’03, pages 302–312, New York, NY, USA, 2003. ACM.[10] Juliana Franco, Alexandros Tasos, Sophia Drossopoulou, Tobias Wrigstad, and Susan Eisenbach. Safely abstractingmemory layouts.
CoRR , abs/1901.08006, 2019.[11] Ronald Garcia, Éric Tanter, Roger Wolff, and Jonathan Aldrich. Foundations of typestate-oriented programming.
Transactions on Programming Languages and Systems , 36(4):1–44, 2014.[12] Simon J. Gay, Nils Gesbert, António Ravara, and Vasco Thudichum Vasconcelos. Modular session types for objects.
Logical Methods in Computer Science , 11(4):1–76, 2015.[13] Radu Grigore. Java generics are turing complete. In
Proceedings of the 44th ACM SIGPLAN Symposium on Principlesof Programming Languages , POPL 2017, pages 73–85, New York, NY, USA, 2017. ACM.[14] Tony Hoare. Null References; The Billion Dollar Mistake, 2009.[15] Kohei Honda. Types for dyadic interaction. In
Proceedings of the 4th International Conference on Concurrency Theory(CONCUR’93) , volume 715 of
Lecture Notes in Computer Science , pages 509–523, New York, 1993. Springer.[16] Laurent Hubert, Thomas Jensen, and David Pichardie. Semantic foundations and inference of non-null annotations. InGilles Barthe and Frank S. de Boer, editors,
Formal Methods for Open Object-Based Distributed Systems , pages 132–149,Berlin, Heidelberg, 2008. Springer Berlin Heidelberg.[17] Hans Hüttel, Ivan Lanese, Vasco T. Vasconcelos, Luís Caires, Marco Carbone, Pierre-Malo Deniélou, Dimitris Mostrous,Luca Padovani, António Ravara, Emilio Tuosto, Hugo Torres Vieira, and Gianluigi Zavattaro. Foundations of sessiontypes and behavioural contracts.
ACM Computing Surveys , 49(1):1–36, 2016.[18] Jedis. Jedis, 2019.[19] Dimitrios Kouzapas, Ornela Dardha, Roly Perera, and Simon J. Gay. Typechecking protocols with Mungo andStMungo: A session type toolchain for Java.
Science of Computer Programming , 155:52 – 75, 2018. Selected andExtended papers from the International Symposium on Principles and Practice of Declarative Programming 2016.[20] Benjamin S. Lerner, Joe Gibbs Politz, Arjun Guha, and Shriram Krishnamurthi. Tejas: Retrofitting type systems forjavascript.
SIGPLAN Not. , 49(2):1–16, October 2013.[21] Bertrand Meyer. Ending null pointer crashes.
Communications of the ACM , 60(5):8–9, 2017.[22] Redis. Redis, 2019.[23] Jeremy G. Siek and Walid Taha. Gradual typing for objects. In
Proceedings of the 21st European Conference on Object-Oriented Programming ECOOP’07 , volume 4609, pages 2–27, Berlin, Heidelberg, 2007. Springer.[24] Radu I. Siminiceanu, Ijaz Ahmed, and Néstor Cataño. Automated verification of specifications with typestates andaccess permissions.
ECEASST , 53, 2012.[25] R E Strom and S Yemini. Typestate: A programming language concept for enhancing software reliability.
IEEETransactions in Software Engineering , 12(1):157–171, 1986.
26] Kohei Suenaga, Ryota Fukuda, and Atsushi Igarashi. Type-based safe resource deallocation for shared-memory con-currency.
SIGPLAN Not. , 47(10):1–20, October 2012.[27] Joshua Sunshine.
Protocol Programmability . PhD thesis, Carnegie Mellon University, Pittsburgh, PA, USA, 2013.AAI3578659.[28] Joshua Sunshine, Sven Stork, Karl Naden, and Jonathan Aldrich. Changing state in the plaid language. In
Companionto the 26th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications,OOPSLA’11 , pages 37–38, Portland, Oregon, USA, 2011. ACM.[29] Qi Tan, Kohei Suenaga, and Atsushi Igarashi. An Extended Behavioral Type System for Memory-Leak Freedom.Technical report, Kyoto University, September 2016.[30] Cláudio Vasconcelos and António Ravara. From object-oriented code with assertions to behavioural types. In
Pro-ceedings of the Symposium on Applied Computing, SAC 2017, Marrakech, Morocco, April 3-7, 2017 , pages 1492–1497,Marrakech, Morocco, 2017. ACM.[31] Panagiotis Vekris, Benjamin Cosman, and Ranjit Jhala. Refinement types for typescript.
SIGPLAN Not. , 51(6):310–325,June 2016. APPENDIX: FULL PROOFS FROM
BEHAVIOURAL TYPES FOR MEMORY ANDMETHOD SAFETY IN JAVA
In this appendix we include the full proofs for the properties described in the main paper.
A.1 Weakening proof
The weakening lemma tells us we can expand the context of a typing judgment for expressionswithout affecting its validity. The context we expand is the three environments; Λ , envT O , and envT S . Note that we require the active object of envT S to remain the active object, hence we cannotadd elements to the bottom of this environment. We use weakening in the subject reduction proofspecifically the cases (CallF) and (CallP) where we need to extend the environments Λ and envT S , used when the method body was typed in (TCbr) , with the additional elements of thecurrent context for the method body. Lemma A.32.
Weakening Lemma. Suppose Λ ; envT O · envT S ⊢ D e : t ′ ⊲ Λ ′ ; envT ′ O · envT ′ S , o < dom ( Λ ) and o ′ < dom ( envT O ) , then Λ , o
7→ ( C h t i , envT F ) ; ( envT O , o ′ t ′′ ) · ( o ′′ , S ) · envT S ⊢ D e : t ′ ⊲ Λ ′ , o
7→ ( C h t i , envT F ) ; ( envT ′ O , o ′ t ′′ ) · ( o ′′ , S ) · envT ′ S . Proof.
Proof by induction in the structure of the derivation for expression type judgements.Most of the cases follow from applying the induction hypothesis to the premises of a rule, wetherefore only include the cases that do not follow this approach.Case (TFld) . C h t ′′ i = Λ ( o ) . class Λ ; ∆ · ( o , S ) ⊢ e : t ′ ⊲ Λ ′ , o . f t ; ∆ ′ · ( o , S ′ ) ¬ lin ( t ) agree ( C h t ′′ i . fields D ( f ) , t ′ ) Λ ; ∆ · ( o , S ) ⊢ D f = e : void ⊲ Λ ′ { o . f t ′ } ; ∆ ′ · ( o , S ′ ) We assume that Λ ; ∆ · ( o , S ) ⊢ D f = e : void ⊲ Λ ′ { o . f t ′ } ; ∆ ′ · ( o , S ′ ) is correct, o ′′ < dom ( Λ ) and o ( ) < dom ( envT O ) .We then show that Λ , o ′′
7→ ( C ′ h t N i , envT F ) ; ( envT O , o ( ) t ( ) ) · ( o ′ , S ′ ) · envT S · ( o , S ) ⊢ D f = e : void ⊲ Λ ′ , o ′′
7→ ( C ′ h t N i , envT F ){ o . f t ′ } ; ( envT ′ O , o ( ) t ( ) ) · ( o ′ , S ′ ) · envT ′ S · ( o , S ′′ ) (1) • C h t ′′ i = Λ ( o ) . class from the definition of weakening we have that o ′′ < dom ( Λ ) hence o , o ′′ and ( Λ , o ′′
7→ ( C ′ h t N i , envT F ))( o ) . class = Λ ( o ) . class = C h t ′′ i (2)The premise is therefore satisfied from the assumption and (2) • lin ( t ) from the assumption. • agree ( C h t ′′ i . fields D ( f ) , t ′ ) from the assumption. • Λ , o ′′
7→ ( C ′ h t N i , envT F ) ; ( envT O , o ( ) t ( ) ) · ( o ′ , S ′ ) · envT S · ( o , S ) ⊢ e : t ′ ⊲ Λ ′ , o ′′ C ′ h t N i , envT F ) , o . f t ; ( envT ′ O , o ( ) t ( ) )·( o ′ , S ′ )· envT ′ S ·( o , S ′′ ) from the inductionhypothesis.We can now conclude (1). ⊳ Case (TIf) . Λ ; ∆ ⊢ D e : Bool ⊲ Λ ′′ ; ∆ ′′ Λ ′′ ; ∆ ′′ ⊢ D e ′ : t ⊲ Λ ′ ; ∆ ′ Λ ′′ ; ∆ ′′ ⊢ D e ′′ : t ⊲ Λ ′ ; ∆ ′ Λ ; ∆ ⊢ D if ( e ) { e ′ } else { e ′′ } : t ⊲ Λ ′ ; ∆ ′ e assume that Λ ; ∆ ⊢ D if ( e ) { e ′ } else { e ′′ } : t ⊲ Λ ′ ; ∆ ′ is correct, o < dom ( Λ ) and o ′ < dom ( envT O ) .We then show that Λ , o
7→ ( C h t N i , envT F ) ; ( envT O , o ′ t ′ ) · ( o ′′ , S ) · envT S ⊢ D if ( e ) { e ′ } else { e ′′ } : t ⊲ Λ ′ , o
7→ ( C h t N i , envT F ) ; ( envT ′ O , o ′ t ′ ) · ( o ′′ , S ) · envT ′ S )• Λ , o
7→ ( C h t N i , envT F ) ; ( envT O , o ′ t ′ ) · ( o ′′ , S ) · envT S ⊢ D e : Bool ⊲ Λ ′′ , o C h t N i , envT F ) ; ( envT ′′ O , o ′ t ′ ) · ( o ′′ , S ) · envT ′′ S follows from the induction hypoth-esis. • Λ , o
7→ ( C h t N i , envT F ) ; ( envT ′′ O , o ′ t ′ ) · ( o ′′ , S ) · envT ′′ S ⊢ D e ′ : t ⊲ Λ ′ , o C h t N i , envT F ) ; ( envT ′ O , o ′ t ′ )·( o ′′ , S )· envT ′ S follows from the induction hypothesis. • Λ , o
7→ ( C h t N i , envT F ) ; ( envT ′′ O , o ′ t ′ ) · ( o ′′ , S ) · envT ′′ S ⊢ D e ′′ : t ⊲ Λ ′ , o C h t N i , envT F ) ; ( envT ′ O , o ′ t ′ )·( o ′′ , S )· envT ′ S follows from the induction hypothesis.We can now conclude that Λ , o
7→ ( C h t N i , envT F ) ; ( envT O , o ′ t ′ ) · ( o ′′ , S ) · envT S ⊢ D if ( e ) { e ′ } else { e ′′ } : t ⊲ Λ ′ , o
7→ ( C h t N i , envT F ) ; ( envT ′ O , o ′ t ′ ) · ( o ′′ , S ) · envT ′ S ⊳ Case (TSeq) . Λ ; ∆ ⊢ D e : t ⊲ Λ ′′ ; ∆ ′′ ¬ lin ( t ) Λ ′′ ; ∆ ′′ ⊢ D e ′ : t ′ ⊲ Λ ′ ; ∆ ′ Λ ; ∆ ⊢ D e ; e ′ : t ′ ⊲ Λ ′ ; ∆ ′ We assume that Λ ; ∆ ⊢ D e ; e ′ : t ′ ⊲ Λ ′ ; ∆ ′ is correct, o ′′ < dom ( Λ ) and o ( ) < dom ( envT O ) .We then show that Λ , o ′′
7→ ( C h t N i , envT F ) ; ( envT O , o ( ) t ′′ ) · ( o ′ , S ′ ) · envT S ⊢ D e ; e ′ : t ′ ⊲ Λ ′ , o ′′
7→ ( C h t N i , envT F ) ; ( envT ′ O , o ( ) t ′′ ) · ( o ′ , S ′ ) · envT ′ S (3)From our induction hypothesis we have: Λ , o ′′
7→ ( C h t N i , envT F ) ; ( envT O , o ( ) t ′′ ) · ( o ′ , S ′ ) · envT S ⊢ D e : t ⊲ Λ ′′ , o ′′
7→ ( C h t N i , envT F ) ; ( envT ′′ O , o ( ) t ′′ ) · ( o ′ , S ′ ) · envT ′′ S (4)From our assumption we have: ¬ lin ( t ) .From our induction hypothesis and (4) we have: Λ ′′ , o ′′
7→ ( C h t N i , envT F ) ; ( envT ′′ O , o ( ) t ′′ ) · ( o ′ , S ′ ) · envT ′′ S ⊢ D e ′ : t ′ ⊲ Λ ′ , o ′′
7→ ( C h t N i , envT F ) ; ( envT ′ O , o ( ) t ′′ ) · ( o ′ , S ′ ) · envT ′ S (5)From (4) and (5) we can conclude (3). ⊳ Case (TCallF) . Λ ; ∆ · ( o , S ) ⊢ e : t ⊲ Λ ′ { o . f C h t ′′ i[U]} ; ∆ ′ · ( o , S ′ ) U m −→ W t ′ m ( t x ){ e ′ } ∈ C h t ′′ i . methods D Λ ; ∆ · ( o , S ) ⊢ D f . m ( e ) : t ′ ⊲ Λ ′ { o . f C h t ′′ i[W]} ; ∆ ′ · ( o , S ′ ) Assume that Λ ; ∆ · ( o , S ) ⊢ D f . m ( e ) : t ′ ⊲ Λ ′ { o . f C h t ′′ i[W]} ; ∆ ′ · ( o , S ′ ) is correct, o ′ < dom ( Λ ) and o ′′ < dom ( envT O ) .We then show that Λ , o ′
7→ ( C ′ h t N i , envT F ) ; ( envT O , o ′′ t ( ) ) · ( o ( ) , S ′ ) · envT S · ( o , S ) ⊢ D f . m ( e ) : t ′ ⊲ Λ ′ , o ′
7→ ( C ′ h t N i , envT F ){ o . f C h t ′′ i[W]} ; ( envT ′ O , o ′′ t ( ) )·( o ( ) , S ′ )· envT ′ S ·( o , S ′′ ) (6) Λ , o ′
7→ ( C ′ h t N i , envT F ) ; ( envT O , x ′ t ( ) , ( o ′ , S ′ ) · envT S · ( o , S )) ⊢ D e : t ⊲ Λ ′ , o ′ C ′ h t N i , envT F ){ o . f C h t ′′ i[W]} ; ( envT ′ O , x ′ t ( ) ) · ( o ′ , S ′ ) · envT ′ S · ( o , S ′′ ) fromthe induction hypothesis. • U m −→ W from the assumption • t ′ m ( t x ){ e ′ } ∈ C h t ′′ i . methods D from the assumptionWe can now conclude (6) is correct. ⊳ Case (TCallP) . Λ ; ∆ · ( o , S ) ⊢ D e : t ⊲ Λ ′ ; ∆ ′ · ( o , [ x C h t ′′ i[U]]) U m −→ W t ′ m ( t x ′ ){ e ′ } ∈ C h t ′′ i . methods D Λ ; ∆ · ( o , S ) ⊢ D x . m ( e ) : t ′ ⊲ Λ ′ ; ∆ ′ · ( o , [ x C h t ′′ i[W]]) We assume that Λ ; ∆ · ( o , S ) ⊢ D x . m ( e ) : t ′ ⊲ Λ ′ ; ∆ ′ · ( o , [ x C h t ′′ i[W]]) is correct, o ′′ < dom ( Λ ) and o ( ) < dom ( envT O ) .We then show that Λ , o ′′
7→ ( C ′ h t N i , envT F ) ; ( envT O , o ( ) t ( ) ) · ( o ′ , S ′ ) · envT S · ( o , S ) ⊢ D x . m ( e ) : t ′ ⊲ Λ ′ , o ′′
7→ ( C ′ h t N i , envT F ) ; ( envT O , o ( ) t ( ) ) · ( o ′ , S ′ ) · envT ′ S · ( o , [ x C h t ′′ i[W]]) (7) • Λ , o ′′
7→ ( C ′ h t N i , envT F ) ; ( envT O , o ( ) t ( ) ) · ( o ′ , S ′ ) · envT S · ( o , S ) ⊢ D e : t ⊲ Λ ′ , o ′′ C ′ h t N i , envT F ) ; ( envT ′ O , o ( ) t ( ) ) · ( o ′ , S ′ ) · envT ′ S · ( o , [ x C h t ′′ i[U]]) from theinduction hypothesis. • U m −→ W from the assumption. • t ′ m ( t x ′ ){ e ′ } ∈ C h t ′′ i . methods D from the assumption.We can now conclude (7). ⊳ Case (TSwF) & (TSwP) . The proof for (TSwF) and (TSwP) are very similar. So below we onlyshow the proof for (TSwF) . Λ ; ∆ · ( o , S ) ⊢ D e : L ⊲ Λ ′′ , o . f C h t i[(h l i : u i i l i ∈ L ) E ] ; ∆ ′′ · ( o , S ′′ ) ∀ i . Λ ′′ , o . f C h t i[ u Ei ] ; ∆ ′′ · ( o , S ′′ ) ⊢ D e i : t ′ ⊲ Λ ′ ; ∆ ′ · ( o , S ′ ) Λ ; ∆ · ( o , S ) ⊢ D switch f . m ( e ) { l i : e i } l i ∈ L : t ′ ⊲ Λ ′ ; ∆ ′ · ( o , S ′ ) Assume that: Λ ; ∆ · ( o , S ) ⊢ D switch f . m ( e ) { l i : e i } l i ∈ L : t ′ ⊲ Λ ′ ; ∆ ′ · ( o , S ′ ) where ∆ = ( envT O · envT S ) , o ′′ < dom ( Λ ) and o ( ) < dom ( envT O ) .From the premise of (TSwF) we have the following: • Λ ; ∆ · ( o , S ) ⊢ D e : L ⊲ Λ ′′ , o . f C h t i[(h l i : u i i l i ∈ L ) E ] ; ∆ ′′ · ( o , S ′′ )• ∀ i . Λ ′′ , o . f C h t i[ u Ei ] ; ∆ · ( o , S ) ⊢ D e i : t ′ ⊲ Λ ′ ; ∆ ′ · ( o , S ′ ) We must show Λ , o ′′
7→ ( C ′ h t N i , envT F ) ; ( envT O , o ( ) t ( ) ) · ( o ′ , S ( ) ) · envT S · ( o , S ) ⊢ D switch f . m ( e ) { l i : e i } l i ∈ L : t ′ ⊲ Λ ′ , o ′′
7→ ( C ′ h t N i , envT F ) ; ( envT ′ O , o ( ) t ( ) )·( o ′ , S ( ) )· envT ′ S ·( o , S ′ ) (8)From our induction hypothesis we have Λ , o ′′
7→ ( C ′ h t N i , envT F ) ; ( envT O , o ( ) t ( ) ) · ( o ′ , S ( ) ) · envT S · ( o , S ) ⊢ D e : L ⊲ Λ ′′ , o ′′
7→ ( C ′ h t N i , envT F ) ; ( envT ′′ O , o ( ) t ( ) ) · ( o ′ , S ( ) ) · envT ′′ S · ( o , S ′′ ) (9) nd from our induction hypothesis and (9) we have ∀ i . Λ ′′ , o ′′
7→ ( C ′ h t N i , envT F ) , o . f C h t i[ u Ei ] ; ( envT O , o ( ) t ( ) ) · ( o ′ , S ( ) ) · envT S · ( o , S ) ⊢ D e i : t ′ ⊲ Λ ′ , o ′′
7→ ( C ′ h t N i , envT F ) ; ( envT ′ O , o ( ) t ( ) ) · ( o ′ , S ( ) ) · envT ′ S · ( o , S ′ ) (10)From (9) and (10) we can conclude (8). ⊳ Case (TLinPar) & (TNoLPar) . The proof for (TNoLPar) is similar to (TLinPar) , hence we onlyshow (TLinPar) . We assume that Λ ; ∆ · ( o , [ x t ]) ⊢ D x : t ⊲ Λ ; ∆ · ( o , [ x t ]) is correct, o ′′ < dom ( Λ ) and o ( ) < dom ( envT O ) .We show that Λ , o ′′
7→ ( C h t N i , envT F ) ; ( envT O , o ( ) t ′ , ( o ′ , S ′ ) · envT S · ( o , [ x t ])) ⊢ D x : t ⊲ Λ , o ′′
7→ ( C h t N i , envT F ) ; ( envT O , o ( ) t ′ , ( o ′ , S ′ ) · envT S · ( o , [ x t ])) (11)From our assumption we have that ¬ lin ( t ) , hence (11) is correct. ⊳ Case (TLinFld) & (TNoLFld) . The proofs for (TLinFld) and (TNoLFld) are very similar so weonly show the former. Assume Λ ; ∆ · ( o , S ) ⊢ D f : t ⊲ Λ { o . f
7→ ⊥} ; ∆ · ( o , S ) , o ′ < dom ( Λ ) and o ′′ < dom ( envT O ) , then from (TLinFld) we have that t = Λ ( o ) . f and lin ( t ) .We must now show Λ , o ′
7→ ( C h t N i , envT F ) ; ( envT O , o ′′ t ′ ) · ( o ( ) , S ′ ) · envT S · ( o , S ) ⊢ D f : t ⊲ ( Λ { o . f t }) , o ′
7→ ( C h t N i , envT F ) ; ( envT O , o ′′ t ′ ) · ( o ( ) , S ′ ) · envT S · ( o , S ) (12)Since o ′ < dom ( Λ ) we can see that (( Λ { o . f t }) , o ′
7→ ( C h t N i , envT F ))( o ) . f = ( Λ { o . f t })( o ) . f = t , and from our assumption, we know that lin ( t ) , hence we can conclude that (12)is satisfied. ⊳ Case (TRet) . Λ ; ∆ ⊢ D e : t ⊲ Λ ′ ; ∆ ′ ∆ ′ = ∆ ′′ · ( o ′ , [ x t ′ ]) terminated(t’) Λ ; ∆ · ( o , S ) ⊢ D return { e } : t ⊲ Λ ′ ; ∆ ′′ · ( o , S ) We assume that Λ ; ∆ · ( o , S ) ⊢ D return { e } : t ⊲ Λ ′ ; ∆ ′′ · ( o , S ) , o ( ) < dom ( Λ ) and o ( ) < dom ( envT O ) . We let ∆ = envT S · envT O .We then show that: Λ , o ( )
7→ ( C h t N i , envT F ) ; ( envT O , o ( ) t ′′ ) · ( o ′′ , S ′ ) · envT S · ( o , S ) ⊢ D return { e } : t ⊲ Λ ′ , o ( )
7→ ( C h t N i , envT F ) ; ( envT ′ O , o ( ) t ′′ ) · ( o ′′ , S ′ ) · envT ′ S · ( o , S ) (13)From our induction hypothesis: Λ , o ( )
7→ ( C h t N i , envT F ) ; ( envT O , o ( ) t ′′ ) · ( o ′′ , S ′ ) · envT S ⊢ D e : t ⊲ Λ ′ , o ( )
7→ ( C h t N i , envT F ) ; ( envT ′ O , o ( ) t ′′ ) · ( o ′′ , S ′ ) · envT ′ S (14)From our assumption we have: terminated ( t ′ ) and from (14) we can now conclude (13). ⊳ Case (TObj) . envT O = envT ′ O , o t Λ ; envT O · envT S ⊢ D o : t ⊲ Λ ; envT ′ O · envT S We assume that Λ ; envT O · envT S ⊢ D o : t ⊲ Λ ; envT ′ O · envT S , o ′ < dom ( Λ ) and o ′′ < dom ( envT O ) . e then show that Λ , o ′
7→ ( C h t N i , envT F ) ; ( envT O , o ′′ t ′ ) · ( o ( ) , S ) · envT S ⊢ D o : t ⊲ Λ , o ′
7→ ( C h t N i , envT F ) ; ( envT ′ O , o ′′ t ′ ) · ( o ( ) , S ) · envT S (15)From our assumption we have that ( envT O , o ′′ t ′ ) = ( envT ′ O , o t ) , o ′′ t ′ = ( envT ′ O , o ′′ t ) , o t (16)Because o , o ′′ .We can now conclude (15) is correct from (16). ⊳ Case (TCon) .
Assume Λ ; ∆ ⊢ Ω ′ D continue k : void ⊲ Λ ′ ; ∆ ′ , o < dom ( Λ ) and o ′ < dom ( envT O ) .Then we have Ω ′ = Ω , k : ( Λ , ∆ ) . We now show that Λ , o
7→ ( C h t N i , envT F ) ; ( envT O , o ′ t )·( o ′′ , S ) · envT S ⊢ Ω ′ D continue k : void ⊲ Λ ′ , o
7→ ( C h t N i , envT F ) ; ( envT ′ O , o ′ t ) · ( o ′′ , S ) · envT ′ S .This is trivially satisfied, as the premise for Ω ′ is still satisfied, and the environments are notchanged in the rule. ⊳ (cid:3) A.2 Well-typed sub-configurations proof
Well-typed sub-configurations tells us that we can type the first sub-configuration of a larger con-figuration using the same environments. We use this lemma in the subject reduction proof in allcases of composite expressions, except (RetC) where a similar lemma is employed. This lemmaallows us say that the sub-configuration before a small-step transition is well-typed in the samecontext as the overall configuration in a composite expression.
Lemma A.35 (Well-typedness of sub-configurations).
For any configuration c on the follow-ing form: • h h , env S , if ( e ) { e } else { e }i• h h , env S , r . m ( e )i• h h , env S , f = e i• h h , env S , e ; e ′ i• h h , env S , switch r . m ( e ){ l i : e i } l i ∈ L i We have that: ∃ Λ , ∆ . Λ ; ∆ ⊢ D c : t ⊲ Λ ′ ; ∆ ′ = ⇒ Λ ; ∆ ⊢ D h h , env S , e i : t ′ ⊲ Λ ′′ ; ∆ ′′ Proof.
We prove this result by a case analysis of the typing rules for expression used to showthat the expression in the configuration is well typed.Case (IfC) .
Assume that the configuration is well typed, that is: Λ ; ∆ ⊢ D h h , env S , if ( e ) { e } else { e }i : t ⊲ Λ ′ ; ∆ ′ where ∆ = envT O · envT S . We now showthat h h , env S , e i is a well typed configuration.From (WTC) we know: • Λ ⊢ D h • envT S ⊢ h if ( e ) { e } else { e } env S • envT O ⊢ h if ( e ) { e } else { e }• Λ ; ∆ ⊢ D if ( e ) { e } else { e } : t ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D From (TIf) we know that Λ ; ∆ ⊢ D e : Bool ⊲ Λ ′′ ; ∆ ′′ .We can show that Λ ; ∆ ⊢ D h h , env S , e i : Bool ⊲ Λ ′′ ; ∆ ′′ , by showing each premise of (WTC) . Λ ⊢ D h follows from assumption • envT S ⊢ he follows from the premise of (WTP-If) that we know is true from the as-sumptions. • envT O ⊢ h e follows from our assumption, and that it is a well formed expression, henceno objects can be mentioned in neither e nor e , before e is evaluated completely,hence objects ( if ( e ) { e } else { e }) = objects ( e ) . • Λ ; ∆ ⊢ D e : Bool ⊲ Λ ′′ ; ∆ ′′ follows directly from assumptions. • Λ ⊢ h D follows from assumptionAll premises of (WTC) are satisfied, hence we can conclude Λ ; ∆ ⊢ D h h , env S , e i : Bool ⊲ Λ ′′ ; ∆ ′′ . ⊳ Case (MthdC) .
The case is split into two cases, one for parameter calls and one for field calls. Weonly show the case for fields, since the two cases are very similar.Assume Λ ; ∆ ⊢ D h h , env S , f . m ( e )i : t ′ ⊲ Λ ′ ; ∆ ′ where ∆ = envT O · envT S .From (WTC) we know: • Λ ⊢ D h • envT S ⊢ hf . m ( e ) env S • envT O ⊢ h f . m ( e )• Λ ; ∆ ⊢ D f . m ( e ) : t ′ ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D We can now show that Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′ { o . f C h t ′′ i[W]} ; ∆ ′′ · ( o , S ′ )• Λ ⊢ D h follows from assumption • envT S ⊢ he env S follows from (WTP-Mthd) premise • envT O ⊢ h e is trivial since objects ( f . m ( e )) = objects ( e )• Λ ; ∆ ⊢ D e : t ⊲ Λ ′ { o . f C h t ′′ i[W]} ; ∆ ′′ · ( o , S ′ ) follows from (TCallF) • Λ ⊢ h D follows from assumptionHence we have Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′ { o . f C h t ′′ i[W]} ; ∆ ′′ · ( o , S ′ ) . ⊳ Case (FldC) .
Assume that the configuration is well typed, that is: Λ ; ∆ ⊢ D h h , env S , f = e i : void ⊲ Λ ′ ; ∆ ′ , where ∆ = envT O · envT S .From (WTC) : • Λ ⊢ D h • envT S ⊢ hf = e env S • envT O ⊢ h f = e • Λ ; ∆ ⊢ D f = e : void ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D From (TFld) we know Λ ; ∆ ⊢ D e : t ⊲ Λ { o . f t } ; ∆ ′′ · ( o , S ) . We can now show that Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ { o . f t } ; ∆ ′′ · ( o , S ) is a well typed configuration, by showingthe premises of (WTC) . • Λ ⊢ D h follows from assumption • envT S ⊢ he env S follows from the premise of (WTP-Fld) • envT O ⊢ h e , trivial since objects ( f = e ) = objects ( e ) . • Λ ; ∆ ⊢ D e : t ⊲ Λ ′ { o . f t } ; ∆ ′′ · ( o , S ) follows from (TFld) • Λ ⊢ h D follows from assumptionAll premises of (WTC) are satisfied, hence we can conclude Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′ { o . f t } ; ∆ ′′ · ( o , S ) . Case (SeqC) .
Assume that Λ ; ∆ ⊢ D h h , env S , e ; e ′ i : t ′ ⊲ Λ ′ ; ∆ ′ . where ∆ = envT O · envT S .From (WTC) we know: • Λ ⊢ D h • envT S ⊢ he ; e ′ env S • envT O ⊢ h e ; e ′ • Λ ; ∆ ⊢ D e ; e ′ : t ′ ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D Then we can show the premises of (WTC) for Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′′ ; ∆ ′′ . • Λ ⊢ D h • envT S ⊢ he env S follows from the premise of (WTP-Seq) • envT O ⊢ h e is satisfied, since because e ; e ′ is well formed, we know that objects ( e ; e ′ ) = objects ( e ) . • Λ ; ∆ ⊢ D e : t ⊲ Λ ′′ ; ∆ ′′ follows from (TSeq) . • Λ ⊢ h D follows from assumptionHence we have Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′′ ; ∆ ′′ . ⊳ Case (SwC) .
The proof is split into two cases, one for parameters and one for fields. Since the twocases are very similar, we only show the case for parameters.Assume Λ ; ∆ ⊢ D h h , env S , switch x . m ( e ){ l i : e i } l i ∈ L i : t ′ ⊲ Λ ′ ; ∆ ′ where ∆ = envT O · envT S .From (WTC) we know: • Λ ⊢ D h • envT S ⊢ h switch x . m ( e ){ l i : e i } li ∈ L env S • envT O ⊢ h switch x . m ( e ){ l i : e i } l i ∈ L • Λ ; ∆ ⊢ D switch x . m ( e ){ l i : e i } l i ∈ L : t ′ ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D We then show Λ ; ∆ ⊢ D h h , env S , e i : L ⊲ Λ ′′ ; ∆ ′′ . • Λ ⊢ D h follows from assumption • envT S ⊢ he env S follows from (WTP-Sw) • envT O ⊢ h e follows since switch x . m ( e ){ l i : e i } l i ∈ L is well formed, hence objects ( switch x . m ( e ){ l i : e i } l i ∈ L ) = objects ( e )• Λ ; ∆ ⊢ D e : L ⊲ Λ ′′ ; ∆ ′′ follows from (TSwP) • Λ ⊢ h D follows from assumptionHence we have Λ ; ∆ ⊢ D h h , env S , e i : L ⊲ Λ ′′ ; ∆ ′′ ⊳ (cid:3) A.3 Object agreement proof
Here we present results about typing expressions in the same environments. These results are usedwhen typing branching expressions, where all branches are typed using the same environments.
Proposition A.39. If Λ ; envT O · envT S ⊢ D e : t ⊲ Λ ′ ; envT ′ O · envT ′ S and o ∈ objects ( e ) then o ∈ dom ( envT O ) and o < dom ( envT ′ O ) . Proof.
We proceed with proof by induction in the type rules. In the cases (TNew) , (TNewGen) , (TLit) , (TVoid) , (TBool) , (TBot) , (TLinPar) , (TNoLPar) , (TLinFld) and (TNoLFld) this istrivially true, since objects ( e ) is empty.In the case of (TObj) we can see that if Λ ; envT O · envT S ⊢ D o : t ⊲ Λ ; envT ′ O · envT S , then envT O = envT ′ O , o t . From this definition we can see that o ∈ dom ( envT O ) but o < dom ( envT ′ O ) ,hence the proposition is satisfied. n the remaining cases, it follows directly from the induction hypothesis. (cid:3) Proposition A.40. If Λ ; envT O · envT S ⊢ D e : t ⊲ Λ ′ ; envT ′ O · envT ′ S , o ∈ dom ( envT O ) and o < objects ( e ) then o ∈ dom ( envT ′ O ) . Proof.
We proceed with proof by induction in the type rules. In the cases (TNew) , (TNewGen) , (TLit) , (TVoid) , (TBool) , (TBot) , (TLinPar) , (TNoLPar) , (TLinFld) and (TNoLFld) envT O = envT ′ O , hence the result is trivially true.In the case of (TObj) we assume Λ ; envT O · envT S ⊢ D o ′ : t ⊲ Λ ; envT ′ O · envT ′ S . Since o < objects ( o ′ ) ,we must have o ′ , o . But then envT ′ O is equal to envT O except in the case of o ′ , so if o ∈ dom ( envT O ) ,we must have that o ∈ dom ( envT ′ O ) , hence the proposition is satisfied.In the remaining cases, it follows from the induction hypothesis. (cid:3) Lemma A.41. (Object agreement.) If Λ ; envT O · envT S ⊢ D e : t ⊲ Λ ′ ; envT ′ O · envT ′ S and Λ ; envT O · envT S ⊢ D e ′ : t ′ ⊲ Λ ′ ; envT ′ O · envT ′ S then objects ( e ) = objects ( e ′ ) . Proof.
We proceed with proof by contradiction. Assume the contradictory situation, where o ∈ objects ( e ) and o < objects ( e ′ ) . If o ∈ objects ( e ) then by Lemma A.39 we have o ∈ envT O and o < envT ′ O . But since o < objects ( e ′ ) and o ∈ dom ( envT O ) then by Lemma A.40 o ∈ envT O . This isa contradiction, hence objects ( e ) = objects ( e ′ ) . (cid:3) Corollary A.42 (Empty objects for expressions). If Λ ; ∆ ⊢ D e : t ⊲ Λ ; ∆ then objects ( e ) = ∅ Proof.
Since Λ ; ∆ ⊢ D true : Bool ⊲ Λ ; ∆ can be concluded using (TBool) , we can concludeusing Lemma A.41 that objects ( e ) = objects ( true ) = ∅ . (cid:3) A.4 Consistency proof
When typechecking expressions, we only consider the updates to the currently active object. Thismeans that field updates in other objects are assumed to be correct, since it has been checkedpreviously by (TClass) . Therefore we only require the field typing environment to be consistentacross reductions, for the active object.
Definition A.43 (Field typing environment consistency).
We say that Λ is consistent with Λ ′ w.r.tobject o , written Λ = o Λ ′ iff Λ ( o ) = Λ ′ ( o ) . Lemma A.44 (Field typing consistency reduction). If Λ ; ∆ ⊢ D e : t ⊲ Λ ′ ; ∆ ′ , Λ N = o Λ and returns ( e ) = then Λ N ; ∆ ⊢ D e : t ⊲ Λ N ′ ; ∆ ′ where Λ N ′ = o Λ ′ . Proof.
Induction in the structure of type judgments of expressions. It is easy to see that thelemma must be satisfied, since only (TRet) can access other objects in Λ than the currently activeobject, and in that case we do not have returns ( e ) = (cid:3) A.5 Subject reduction proof
In this section we present the complete proof of the subject reduction (preservation) property ofour type system which represents one part of the safety theorem. Subject reduction tells us thatan well-typed expression remains well-typed after a reduction step in its evaluation. The generalapproach for this proof is to use the information gained from the premises of (WTC) and otherrules that must have been used to type the expression of the configuration. This information tellus about the context after a reduction step and then we can verify that the premises of (WTC) arestill valid in the new configuration. heorem A.34 (Subject reduction). Let D be such that ⊢ D and let h h , env S , e i be a configura-tion. If D ⊢ D h h , env S , e i −→ h h ′ , env ′ S , e ′ i then: ∃ Λ , ∆ . Λ , ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′ ; ∆ ′ = ⇒ ∃ Λ N , ∆ N . Λ N , ∆ N ⊢ D h h ′ , env ′ S , e ′ i : t ⊲ Λ ′′ ; ∆ ′ where Λ ′ = o Λ ′′ and o is the active object in the resulting configuration. Proof.
By induction in the structure of the reduction rules. For each reduction rule, we assumethat the configuration is well typed, and show that the resulting configuration after the reductionis also well typed. We construct new environments Λ N , ∆ N and use the premises of the (WTC) rule, to conclude that the resulting configuration is well typed, based on the construction.Case (uDeref) . h ( o ) . f = v ¬ lin ( v , h )⊢ D h h , ( o , s ) · env S , f i −→ h h , ( o , s ) · env S , v i Assume that ∃ Λ , ∆ . Λ ; ∆ ⊢ D h h , env S , f i : t ⊲ Λ ′ ; ∆ ′ , where ∆ = ( envT O · envT S ) .From (WTC) we know: • Λ ⊢ D h • envT S ⊢ hf ( o , s ) · env S • envT O ⊢ h f • Λ ; envT O · envT S ⊢ D f : t ⊥ ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D From (WTE) we know: • dom ( envT O ) = objects ( f ) = ∅ From (uDeref) we know: • h ( o ) . f = v • ¬ lin ( v , h )• h ′ = h • ( o , s ) · env ′ S = ( o , s ) · env S Since ¬ lin ( v , h ) we must have ¬ lin ( t ⊥ ) , hence we must have concluded Λ ; envT O · envT S ⊢ D f : t ⊥ ⊲ Λ ′ ; ∆ ′ using (TNoLFld) .From (TNoLFld) and (WTC) we have: • Λ ′ = Λ • ∆ ′ = ∆ = envT O · envT S We wish to show that ∃ Λ N , ∆ N . Λ N ; ∆ N ⊢ D h h , ( o , s ) · env S , v i : t ⊲ Λ ′ ; ∆ ′ .For the cases where v is not an object, we can let Λ N = Λ , ∆ N = (∅ · envT S ) . We have thefollowing from our hypothesis: • Λ ⊢ D h • envT S ⊢ hv ( o , s ) · env S , by definition of (WTP-Base) Since dom (∅) = objects ( v ) = ∅ , we can conclude that ∅ ⊢ h v . For each of the basic typeswe can use the corresponding rule (TLit) , (TBool) , (TVoid) , (TNull) to conclude that Λ N ; ∆ N ⊢ D v : t ⊲ Λ N ; ∆ N . Finally we can conclude that since Λ N = Λ = Λ ′ we have that Λ N ⊢ h D . In fact, since Λ N = Λ ′ and ∆ N = ∅ · envT S , we have Λ N ; ∆ N ⊢ D v : t ⊲ Λ ′ ; ∆ ′ . Thismeans that all premises are satisfied and that Λ N ; ∆ N ⊢ D h h , ( o , s ) · env S , v i : t ⊲ Λ ′ ; ∆ ′ .For the case where v is an object that is terminated, we let Λ N = Λ , ∆ N = (∅ , v t ) · envT S .Now we have ∅ , v t ⊢ h v since objects ( v ) = { v } = dom (∅ , v t ) and getType ( v , h ) = t = (∅ , v t )( v ) .We can conclude that Λ N ; ∆ N ⊢ D v : t ⊲ Λ N ; ∅ · envT S using the (TObj) . Since envT O = ∅ ,we have that Λ N ; ∆ N ⊢ D v : t ⊲ Λ ′ ; ∆ ′ Using the same reasoning as the previous case, we can onclude that Λ N ; ∆ N ⊢ D h h , env S , v i : t ⊲ Λ ′ ; ∆ ′ . Λ ′ = o Λ ′ is satisfied because of reflexivityof = o . ⊳ Case (TCallF) . env S = ( o , s ) · env ′ S o ′ = h ( o ) . f _ m ( _ x ){ e } ∈ h ( o ′ ) . class . methods D h ( o ′ ) . usage m −→ W⊢ D h h , env S , f . m ( v )i −→ h h {W/ h ( o ′ ) . usage } , ( o ′ , [ x v ]) · env S , return { e }i Assume Λ ; ∆ ⊢ D h h , env S , f . m ( v )i : t ⊲ Λ ′ ; ∆ ′ where ∆ = envT O · envT S From (CallF) we know • t m ( t ′ x ){ e } ∈ h ( o ′ ) . class . methods D • h ( o ′ ) . usage m −→ W From (WTC) we know • Λ ⊢ D h • envT S ⊢ hf . m ( v ) env S • envT O ⊢ h f . m ( v )• Λ ; ∆ ⊢ D f . m ( v ) : t ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D From (WTP) we know • envT S = envT ′′ S · ( o , S )• env S = ( o , s ) From (TCallF) and typing rules for values we know • Λ ; ∆ ⊢ v : t ′ ⊲ Λ { o . f C h t ′′ i[U]} ; ∆ ′ • Λ ( o ) . f = C h t ′′ i[U]• U m −→ W• Λ ′ = Λ { o . f C h t ′′ i[W]} From (WTE) we know • dom ( envT O ) = objects ( f . m ( v )) From (TCallF) and typing rules for values we know • Λ ′ = ∅ · envT S Let h ′ = h {W/ h ( o ′ ) . usage } Let Λ N = Λ ′ , ∆ N = ∅ · envT ′′ S · ( o ′ , [ x t ′ ]) · ( o , S ) We must now conclude Λ N ; ∆ N ⊢ D h h ′ , ( o ′ , [ x v ]) · env S , return { e }i : t ⊲ Λ N ′ ; ∆ N ′ • Λ N ⊢ D h ′ since we only update the field o . f in both Λ N and h ′ and by assumption weknow Λ N ( o ) . envT F ( f ) = getType ( o ′ , h ′ ) = C h t ′′ i[W] . • envT NS ⊢ h ′ return { e } ( o ′ , [ x v ]) · env S is satisfied by (WTP-Ret) • envT NO ⊢ h ′ return { e } since objects ( return { e }) = ∅ We wish to show Λ N ; ∅ · envT ′′ S · ( o ′ , [ x t ′ ]) · ( o , S ) ⊢ D return { e } : t ⊲ Λ N ′ ; ∆ N ′ From (TCBR) have that: • { this Λ N ( o ′ ) . envT F } ; ∅ · ( o ′ , [ x t ′ ]) ⊢ D e : t ⊲ { this envT ′ F } ; ∅ · ( o ′ , [ x t ′′′ ])• terminated ( t ′′′ ) We can then use Lemma A.32 to conclude Λ N ; ∅ · envT ′′ S · ( o ′ , [ x t ′ ]) ⊢ D e : t ⊲ Λ N { o ′ C h t ′′ i , envT ′ F )} ; ∅ · envT ′′ S · ( o ′ , [ x t ′′′ ]) Since we have that terminated ( t ′′′ ) , we can conclude with (TRet) : • Λ N ; ∆ N ⊢ D return { e } : t ⊲ Λ N ′ ; ∆ ′ The only difference between Λ ′ and Λ N ′ is for the object o ′ , hence we must have that Λ ′ = o Λ N ′ . Case (TCallP) . env S = ( o , [ x ′ o ′ ]) · env ′ S _ m ( _ x ){ e } ∈ h ( o ′ ) . class . methods D h ( o ′ ) . usage m −→ W⊢ D h h , env S , x ′ . m ( v )i −→ h h {W/ h ( o ′ ) . usage } , ( o ′ , [ x v ]) · env S , return { e }i Assume Λ ; ∆ ⊢ D h h , env S , x ′ . m ( v )i : t ⊲ Λ ′ ; ∆ ′ , where ∆ = envT O · envT S .From (CallP) we know • env s = ( o , [ x ′ o ′ ]) · env ′ S • t m ( t ′ x ){ e } ∈ h ( o ′ ) . class . methods D • h ( o ′ ) . usage m −→ W From (WTC) we know • Λ ⊢ D h • envT S ⊢ hx ′ . m ( v ) env S • envT O ⊢ h x ′ . m ( v )• Λ ; ∆ ⊢ D x ′ . m ( v ) : t ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D From (WTP-Base) we know • envT S = envT ′′ S · ( o , [ x ′ C h t ′′′ i[U]])• env S = ( o , [ x ′ o ′ ]) From (WTE) we know: • dom ( envT O ) = objects ( x ′ . m ( v )) = objects ( v ) From (TCallP) and typing rules for values we have • U m −→ W• Λ ′ = Λ • ∆ ′ = ∅ · env ′′ T · ( o , [ x ′ C h t ′′′ i[W]]) Now let Λ N = Λ , ∆ N = ∅ · envT ′′ S · ( o ′ , [ x t ′ ]) · ( o , [ x ′ C h t ′′′ i[W]]) We must now conclude Λ N ; ∆ N ⊢ D h h {W/ h ( o ′ ) . usaдe } , ( o ′ , [ x v ]) · env S , return { e }i . • Λ N ⊢ D h ′ since because of linearity we know that o ′ does not appear in any fields,and we have dom ( h ′ ) = dom ( h ) = dom ( Λ N ) . • envT NS ⊢ h ′ return { e } ( o ′ , [ x v ]) · env S is satisfied with (WTP-Ret) • ∅ ⊢ h return { e } is trivially true since objects ( return { e }) = ∅• Λ N ⊢ h ′ D is fulfiled since per (TCbr) we are following the usage of o ′ , which willeventually lead to a terminated environment.We must show that Λ N ; ∆ N ⊢ D return { e } : ⊲ Λ N ; ∆ ′ .From (TCbr) we have that • { this Λ N ( o ′ ) . envT F } ; ∅ ·( o ′ , [ x t ′ ]) ⊢ D e : t ⊲ { this envT ′ F } ; ∅ ·( this , [ x t ′′′ ])• terminated ( t ′′′ ) We can then use Lemma A.32 to conclude Λ N ; ∅ · envT ′′ S · ( o ′ , [ x t ′ ]) ⊢ D e : t ⊲ Λ N ′ ; ∅ · envT ′′ S · ( o ′ , [ x t ′′′ ]) .Since we have that terminated(t”’) , we can conclude with (TRet) that: • Λ N ; ∆ N ⊢ D return { e } : t ⊲ Λ N ′ ; ∆ ′ The only difference between Λ ′ and Λ N ′ is for the object o ′ , hence we must have that Λ ′ = o Λ N ′ . ⊳ ase (Ret) . v , v ′ ⇒ ¬ lin ( v ′ , h )⊢ D h h , ( o , [ x v ′ ]) · env S , return { v }i −→ h h , env S , v i We assume that Λ ; envT O · envT S ·( o ′ , S ) ⊢ D h h , ( o , [ x v ′ ])· env S , return { v }i : t ⊲ Λ ′ ; envT ′ O · envT ′′ S · ( o ′ , S ) .From (TRet) we have: • Λ , envT O · envT S ⊢ D v : t ⊲ Λ ′ ; envT ′ O · envT ′ S • envT ′ S = envT ′′ S · ( o ′′ , S ′ ) From the typing rules for values we have: • Λ ′ = Λ From (WTP-Ret) we have: • envT ′′ S · ( o ′′ , [ x t ′ ]) · ( o ′ , [ x ′ t ′′ ]) ⊢ h return v ( o , [ x v ′ ]) · ( o ′ , [ x ′ v ′′ ])• o = o ′′ • getType ( v ′′ , h ) = t ′′ • env S = ( o ′ , [ x ′ v ′′ ]) From (WTP-Base) we have: • envT ′′ S · ( o , [ x t ′ ]) ⊢ hv ( o , [ x v ′ ])• getType ( v ′ , h ) = t ′ Let Λ N = Λ , envT NO = envT O , envT NS = envT ′′ S · ( o ′ , [ x t ′′ ]) . We now need to show thatthe premises of (WTC) are satisfied.Show (WTP) using envT NS ⊢ hv env S then we have envT ′′ S · ( o ′ , [ x t ′′ ]) ⊢ hv ( o ′ , [ x ′ v ′′ ]) .From assumption we have that getType ( v ′′ , h ) = t ′′ , hence we conclude using (WTP-Base) Case where v is an object. • envT O = envT ′ O , v t • dom ( envT O ) = { v }• Λ N ⊢ D h (From hypothesis) • envT NO ⊢ h v trivial since objects ( return { v }) = objects ( v ) = { v } . • Λ N ; envT NO · envT NS ⊢ D v : t ⊲ Λ ′ ; envT ′ O · envT ′′ S · ( o ′ , S ) from (TObj) • Λ N ⊢ h D (From hypothesis)Case where v is not object. • envT O = envT ′ O • dom ( envT O ) = ∅• Λ N ⊢ D h (From hypothesis) • envT NO ⊢ h v trivial since objects ( return { v }) = objects ( v ) = ∅ . • Λ N ; envT NO · envT NS ⊢ D v : t ⊲ Λ ′ ; envT ′ O · envT ′′ S · ( o ′ , S ) from (TLit) • Λ N ⊢ h D (From hypothesis)Hence we can conclude Λ N ; envT NO · envT NS ⊢ D h h , env S , v i : t ⊲ Λ ′ ; envT ′ O · envT ′′ S · ( o ′ , S ) Λ ′ = o Λ ′ is satisfied because of reflexivity of = o . ⊳ Case (New) . o fresh C h⊥i . fields D = F C h⊥i . usage D = W⊢ D h h , env S , new C i −→ h h ∪ { o
7→ h C h⊥i[W] , F . initvals D i} , env S , o i Let h ′ = h ∪ { o
7→ h C h⊥i[W] , F . initvals D i} .Assume Λ ; envT O · envT S ⊢ D h h , env S , new C i : C h t i[W] ⊲ Λ ′ ; envT ′ O · envT ′ S .From (TNew) we have • Λ ′ = Λ envT ′ O = envT O • envT ′ S = envT S Now let Λ N = Λ { o
7→ h C h⊥i , F . inittypes D i} , envT NO = envT O , o C h⊥i[W] , envT NS = envT S , and show that Λ N ; envT NO · envT NS ⊢ D h h ∪ { o C h⊥i[W] , F . initvals D i} , env S , o i : C h⊥i[W] ⊲ Λ ′ ; ∆ ′ .To show Λ N ⊢ D h ′ , we must show that (WTH) holds for o , since the remaining objectsfollows from the assumption that Λ ⊢ D h .From the updates to h and Λ , we can conclude that h ′ ( o ) . fields = Λ N ( o ) . fields = h ′ ( o ) . class . fields D = F . It follows from the definition of F . initvals D and F . inittypes D that ∀ f ∈ F . Λ N ( o ) . envT F ( f ) = getType ( h ′ ( o ) . f , h ′ ) .Since we know that dom ( Λ ) = dom ( h ) , we can conclude that dom ( Λ N ) = dom ( h ′ ) , since o isnow in both domains.We can conclude that envT NS ⊢ ho env S since o must be concluded with (WTP-Base) and new C was concluded with (WTP-Base) , hence it follows from the assumption envT S ⊢ h new C env S . envT NO ⊢ h ′ o is satisfied, since based on the assumption dom ( envT O ) = objects ( new C ) = ∅ ,hence dom ( envT NO ) = objects ( o ) = {| o |} . Λ N ; envT NO · envT S ⊢ D o : C h⊥i[W] ⊲ Λ N ; ∆ follows directly from (TObj) .Finally Λ N ⊢ h ′ D must be shown to hold for o . Other objects follow from the assumption Λ ⊢ h D . It follows from (TProg) and in turn (TClass) that ∅ ; F . inittypes D ⊢ D C h⊥i[W] ⊲ Γ and that terminated ( Γ ) .All premises of (WTC) are satisfied, hence we can conclude Λ N ; envT NO · envT NS ⊢ D h h ∪{ o C h⊥i[W] , F . initvals D i} , env S , o i : C h⊥i[W] ⊲ Λ N ; ∆ .Since o < dom ( Λ ′ ) , and Λ N is equal to Λ except for o . We have that Λ ′ = o ′ Λ N for the activeobject o ′ . ⊳ Case (NewGen)
This case is the same as (New) , except all occurrences of ⊥ is replaced with д .Case (Seq) . ¬ lin ( v , h )⊢ D h h , env S , v ; e i −→ h h , env S , e i Assume Λ ; envT O · envT S ⊢ D h h , env S , v ; e i : t ⊲ Λ ′ ; envT ′ O · envT ′ S From (WTC) we have • Λ ⊢ h • envT S ⊢ hv ; e env S • envT O ⊢ h v ; e • Λ ; envT O · envT S ⊢ D v ; e : t ⊲ Λ ′ ; envT ′ O · envT ′ S • Λ ⊢ h D From (WTE) we have • ∀ o ∈ dom ( envTo ) . envT O ( o ) = getType ( o , h )• dom ( envT O ) = objects ( e ) From (Seq) we have • ¬ lin ( v , h ) From (TSeq) we have • Λ ; envT O · envT S ⊢ v : t ′ ⊢ D v : t ′ ⊲ Λ ′′ ; envT ′′ O · envT ′′ S • ¬ lin ( t ′ )• Λ ′′ ; envT ′′ O · envT ′′ S ⊢ e : t ⊲ Λ ′ ; envT ′ O · envT ′ S rom (WTP-Seq) we have envT S ⊢ hv env S From (WTP-Base) we have: • envT ′ S · ( o , [ x t ′ ]) ⊢ hv ( o , [ x v ′ ])• getType ( v ′ , h ) = t ′ Λ ; envT O · envT S ⊢ D v : t ′ ⊲ Λ ′′ · envT ′′ S must have been concluded with typing rules forvalues, hence we have: • case v , o : envT O = envT ′′ O from (TLit) , (TVoid) , (TBool) or (TBot) . • case v = o : envT O = envT ′′ O , o t ′′ • Λ = Λ ′′ • envT S = envT ′′ S Show ∃ Λ N , ∆ N . Λ N ; ∆ N ⊢ D h h , env s , e i Let Λ N = Λ , ∆ N = envT NO · envT NS , envT NO = envT ′′ O and envT NS = envT S then we have • Λ ⊢ h from assumption • envT Ns ⊢ he env S from assumption since returns ( e ) = e is a well formedexpression, hence it is concluded with (WTP-Ret) . • Λ N ; envT NO · envT NS ⊢ D e ⊲ Λ ′ ; envT ′ O · envT ′ S from assumption • Λ N ⊢ h D from assumptionWe need to show envT NO ⊢ h e . We have two casescase v , o : we know envT O = envT ′′ O then envT ′′ O ⊢ h e case v = o : • envT O = envT ′′ O , v t ′′ . • dom ( envT ′′ O ) = objects ( e )• ∀ o ∈ dom ( envT ′′ O ) . getType ( o , h ) = envT O ( o ) , we know that v < dom ( envT ′′ O ) All premises of (WTC) are satisfied, hence we can conclude Λ N ; envT NO · envT NS ⊢ D h h , env S , e i : t ⊲ Λ ′ ; envT ′ O · envT ′ S .Finally we can conclude that Λ ′ = o Λ ′ , because of reflexivity. ⊳ Case (IfTrue) . ⊢ D h h , env S , if ( true ){ e ′ } else { e ′′ }i −→ h h , env S , e ′ i Assume Λ ; envT O · envT S ⊢ D h h , env S , if ( true ) { e ′ } else { e ′′ }i : t ⊲ Λ ′ ; ∆ ′ .From (WTP-If) we know envT S ⊢ hv env S which must have been concluded using (WTP-If) and then (WTP-Base) .Let Λ N = Λ , envT NO = envT O and envT NS = envT S . We now show that Λ N ; envT NO · envT NS ⊢ D h h , env S , e ′ i : t ⊲ Λ ′ ; ∆ ′ .By Lemma A.41 we have that objects ( e ′ ) = objects ( e ′′ ) . Since objects ( true ) = ∅ we get that objects ( e ′ ) = objects ( if ( true ) { e ′ } else { e ′′ }) , hence from our assumption we get envT NO ⊢ h e ′ .We have envT NS ⊢ he ′ env S , Λ N ⊢ D h , e ′ is a well formed expression hence we have returns ( e ′ ) =
0, hence it is eventually concluded using (WTP-Base) . Λ ⊢ D D follows directly from our assumptions.We can conclude Λ N ; envT NO · envT NS ⊢ D e ′ : t ⊲ Λ ′ ; ∆ ′ from the premises of (TIf) .We have shown all premises of (WTC) , hence we can conclude Λ N ; envT NO · envT NS ⊢ D h h , env S , e ′ i : t ⊲ Λ ′ ; ∆ ′ . Λ ′ = o Λ ′ is satisfied because of reflexivity of = o . ⊳ Case (IfFls)
Follows the same structure as (IfTrue) . ase (Lbl) . ⊢ D h h , env S , k : e i −→ h h , env S , e { k : e / continue k }i Assume Λ ; ∆ ⊢ Ω D h h , env S , k : e i : t ⊲ Λ ′ ; ∆ ′ where ∆ = envT O · envT S .From (WTC) we know • Λ ⊢ h • envT S ⊢ hk : e env S • envT O ⊢ h k : e • Λ ; ∆ ⊢ Ω D k : e : t ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D From (TLab) we know • Ω ′ = Ω , k : ( Λ , ∆ )• Λ ; ∆ ⊢ Ω ′ D e : void ⊲ Λ ′ ; ∆ ′ There are two cases, either e contains continue k or it does not. The latter case is trivial,hence we will focus on the first case.If continue k does appear in e , then at some point during the type derivation, we must haveconcluded Λ ′′ ; ∆ ′′ ⊢ Ω ′′ continue k : void ⊲ Λ ′′′ ; ∆ ′′′ .We never remove elements from Ω , hence we know that Ω ′′ = Ω ′′′ , k : ( Λ , ∆ ) , as the bindingof k was added in (TLab) .But from (TCon) we must have that Λ ′′ = Λ and ∆ ′′ = ∆ .As continue expressions can only appear in blocks, and cannot appear on the left-hand sideof a sequential expression, we know that changes to environments cannot happen after de-riving the type of a continue expression. Together with the fact that all branches in if andswitch-expressions must have the same resulting environments, we see that the only choicefor Λ ′′′ and ∆ ′′′ is Λ ′ and ∆ ′ respectively.At this point we know Λ ; ∆ ⊢ Ω ′′ D continue k : void ⊲ Λ ′ ; ∆ ′ , Λ ; ∆ ⊢ Ω D k : e : void ⊲ Λ ′ ; ∆ ′ , and Λ ; ∆ ⊢ Ω ′ D = e : void ⊲ Λ ′ ; ∆ ′ Weakening and strengthening of Ω is trivial so replacing Ω with Ω ′′ will leave k : e welltyped, hence replacing continue k with k : e in e will leave the resulting environments thesame. This means that we can conclude Λ ; ∆ ⊢ Ω D e { k : e / continue k } : void ⊲ Λ ′ ; ∆ ′ . envT O ⊢ h e { k : e / continue k } follows from our assumption since objects ( e { k : e / continue k }) = objects ( k : e ) = ∅ as e has not been evaluated yet. envT S ⊢ he { k : e / continue k } env S is concluded with (WTP-Base) which follows from our assump-tion.The remaining premises for (WTC) follows directly from our assumptions. Λ ′ = o Λ ′ is satisfied because of reflexivity of = o . ⊳ ase (LDeref) . h ( o ) . f = v lin ( v , h )⊢ D h h , ( o , s ) · env S , f i −→ h h { null / o . f } , ( o , s ) · env S , v i let h ′ = h { null / o . f } Assume Λ ; envT O · envT S ⊢ D h h , ( o , s ) · env S , f i : t ⊲ Λ ′ ; ∆ ′ From (LDeref) we know: • lin ( v , h )• h ( o ) . f = v From (WTP-Base) we know envT S ⊢ hf ( o , s ) · env S From (TLinFld) we have: • envT S = envT ′ S · ( o , S )• t = Λ ( o ) . f • lin ( t )• Λ ; envT O · envT ′ S · ( o , S ) ⊢ D f : t ⊲ Λ { o . f
7→ ⊥} ; envT O · envT ′ S · ( o , S ) Let Λ N = Λ { o . f
7→ ⊥} , envT NO = envT O , v t and envT NS = envT S .Show Λ N ; envT NO · envT NS ⊢ D h h { null / h ( o ) . f } , ( o , s ) · env s , v i : t ⊲ Λ N ; ∅ · envT NS . We needto show (WTC) .To show Λ N ⊢ h ′ , we have to show that the premise is satisfied. • getType ( h ′ ( o ) . f , h ) = ⊥ = Λ N ( o ) . f is the only case, where the heap is changed. • dom ( Λ N ) = dom ( h ′ ) does not change, as we do not add or remove objects.Hence we can conclude Λ N ⊢ h ′ .We have envT NS ⊢ h ′ v ( o , s ) · env S , since v is an object and from linearity we have that h { null / o . f } does not change the type on the parameter stack, as x and o . f cannot referto the same object. Hence it is concluded using (WTP-Base) from assumption. envT NO ⊢ h ′ v is trivially true as dom ( envT NO ) = objects ( v ) = { v } . Λ N ; envT NO · envT NS ⊢ D v : t ⊲ Λ N ; ∅ · envT NS can be concluded with (TObj) .To show Λ N ⊢ h ′ D is satisfied, we need to show the premise is satisfied. • dom ( Λ N ) = dom ( h ′ ) . We do not remove or add any objects, hence this is trivially true. • ∀ o ∈ dom ( h ′ ) . Λ ( o ) . fields = h ′ ( o ) . fields = h ′ ( o ) . class . fields D is trivially true, since wedo not remove or add any fields. • ∀ f ∈ h ′ ( o ) . fields . Λ ( o ) . envT F ( f ) = getType ( h ′ ( o ) . f , h ′ ) holds for all unchanged fields.From definition we have h { null / o . f } , we have that getType ( h ′ ( o ) . f , h ′ ) = ⊥ and Λ ( o ) . envT F ( f ) = ⊥ from assumption.The premise is satisfied hence we have Λ N ⊢ h ′ D .The premises of (WTC) is satisfied, hence we have that Λ N ; envT NO · envT NS ⊢ D h h { null / h ( o ) . f } , ( o , s ) · env S , v i : t ⊲ Λ N ; ∅ · envT NS Since we have that Λ N = Λ { o . f
7→ ⊥} , it is clear that Λ N = o Λ { o . f
7→ ⊥} . ⊳ Case (UParam) . ¬ lin ( v , h )⊢ D h h , ( o , [ x v ]) · env S , x i −→ h h , ( o , [ x v ]) · env S , v i Assume Λ ; envT S · envT S ⊢ h h , ( o , [ x v ])· env S , x i : t ⊲ Λ ′ ; envT ′ O · envT ′ S , Λ ; envT O · envT S ⊢ D x : t ⊲ Λ ′ ; envT ′ O · envT ′ S must have been concluded with (TNoLPar) , hence we know: • Λ ′ = Λ • envT S = envT ′′ S · ( o , [ x t ]) envT ′ S = envT S from (WTP-Base) we have envT S ⊢ hx ( o , [ x v ]) · env S Consider two cases case 1: v is an unrestricted object. From (WTP) we have t = getType ( v , h ) hence v ∈ dom ( h ) . Let Λ N = Λ , envT NO = envT O , v t and envT NS = envT S .Case 2: v is a base value. Let Λ N = Λ , envT NO = envT O and envT NS = envT S .Both cases. • Λ N ⊢ D h from hypothesis • envT NS ⊢ h ′ v env s from hypothesis as v must be concluded using (WTP-Base) .Case v is object. dom ( envT O ) = objects ( x ) = ∅ = ⇒ dom ( envT NO ) = ∅ ∪ { v } = objects ( v ) and envT NO ( v ) = t = getType ( v , h ) . Case v is a base value. dom ( envT NO ) = objects ( x ) = objects ( v ) is trivial.Both cases can be concluded Λ N ; envT NO · envT NS ⊢ D v : t ⊲ Λ N ; ∅ · envT S and we have Λ N ⊢ h ′ D from hypothesis. The premise of (WTC) is satisfied, hence we have that Λ N ; envT NO · envT NS ⊢ D h h , ( o , [ x v ]) · env S , v i : t ⊲ Λ N ; ∅ · envT S Since we have that Λ N = Λ = Λ ′ , we also have Λ N = o Λ ′ . ⊳ Case (LParam) . lin ( v , h )⊢ D h h , ( o , [ x v ]) · env S , x i −→ h h , ( o , [ x null ]) · env S , v i Assume Λ ; envT O · envT S ⊢ D h h , ( o , [ x v ]) · env S , x i : t ⊲ Λ ; envT ′ O · envT ′ S · ( o , [ x
7→ ⊥]) and envT S = envT ′ S · ( o , [ x t ]) From (LParam) we know lin ( v , h ) = ⇒ h ( o ) . class = C h t ′ i ∧ h ( o ) . usage , end From (TLinPar) we have • Λ ; envT O · envT ′ S · ( o , [ x t ]) ⊢ D x : t ⊲ Λ ′ ; envT O · envT ′ S · ( o , [ x
7→ ⊥])• lin ( t ) = ⇒ t = C h t ′ i[U] ∧ U , end From (TObj) we have • Λ ′ = Λ From (WTP-Base) we have • envT S ⊢ hx ( o , [ x v ])• envT ′ S · ( o , [ x t ]) ⊢ h ( o , [ x v ])• getType ( v , h ) = t • env S = ε Let Λ N = Λ , envT NO = envT O , v C h t ′ i[U] and envT NS = envT ′ S · ( o , [ x
7→ ⊥])
We now show that • Λ N ⊢ D h from hypothesis • To show envT NS ⊢ hv ( o , [ x null ]) · env S we have v is a base type and must be con-cluded using (WTP-Base) and getType ( null , h ′ ) = ⊥ from the definition of getType ,hence the premise is satisfied. • To show envT NO ⊢ h v we need to show that the premise is satisfied. – objects ( x ) = ∅ = dom ( envT O ) = ⇒ dom ( envT NO ) = {| v |} = objects ( v ) – envT NO ( v ) = t = getType ( v , h ) – From (WTP) v ∈ dom ( h ) and getType ( v , h ) = t • Λ N ; envT NO · envT NS ⊢ D v : t ⊲ Λ N ; envT O · envT NS • Λ N ⊢ h D from hypothesis.We have concluded the premises for (WTC) , hence we conclude Λ N ; envT NO · envT NS ⊢ D v : t ⊲ Λ N ; envT O · envT ′ S · ( o , [ x
7→ ⊥]) ince we have that Λ N = Λ , we also have Λ N = o Λ . ⊳ Case (SwF) . h ( o ) . f = o ′ h ( o ′ ) . usage l i −→ U l i ∈ L ⊢ D h h , ( o , s ) · env S , switch f . m ( l i ){ l j : e j } l j ∈ L i −→h h { o . f C h t ′ i[U]} , ( o , s ) · env S , e i i We assume Λ ; ∆ · ( o ′′ , S ) ⊢ D h h , ( o , s ) · env S , switch f . m ( l i ){ l j : e j } l j ∈ L i : t ⊲ Λ ′ ; ∆ ′ . Let envT O · envT S = ∆ · ( o ′′ , S ) and h ′ = h { o . f C h t ′ i[U]} .From (WTC) we know: • Λ ⊢ D h • envT S ⊢ h switch f . m ( l i ){ l j : e j } lj ∈ L ( o , s ) · env S • envT O ⊢ h switch f . m ( l i ){ l j : e j } l j ∈ L • Λ ; ∆ · ( o ′′ , S ) ⊢ D switch f . m ( l i ){ l j : e j } l j ∈ L : t ⊲ Λ ′ ; ∆ ′ • Λ ⊢ D D From (WTP-Sw) we know envT S ⊢ hl i ( o , s ) · env s From (WTP-Base) we know: • envT S · ( o ′′ , [ x t ′′ ]) ⊢ hl i ( o , [ x v ])• o = o ′′ From (TSwF) we know: • Λ ; ∆ · ( o , S ) ⊢ D l i : L ⊲ Λ ( ) , o . f C h t ′ i[(h l i : u i i l i ∈ L ) E ] ; envT ( ) O · envT ( ) S · ( o , S ′′ )• ∀ l i ∈ L . Λ ( ) , o . f C h t ′ i[ u Ei ] ; envT ( ) O · envT ( ) S · ( o , S ′′ ) ⊢ D e i : t ⊲ Λ ′′ ; ∆ ′′ · ( o , S ′ ) We know from (WTC) and (TSwF) : • Λ ′′ = Λ ′ • Λ ( ) = Λ • ∆ ′′ · ( o , S ′ ) = ∆ ′ Now let Λ N = Λ ( ) , o . f C h t ′ i[ u Ei ] and ∆ N = envT NO · envT NS = envT ( ) O · envT ( ) S · ( o , S ′′ ) .We now have to show that Λ N ; ∆ N ⊢ D h h { o . f C h t ′ i[U]} , ( o , s ) · envs , e i i : t ⊲ Λ N ′ ; ∆ N ′ where Λ ′ = o Λ N ′ by showing that the premises of (WTC) are satisfied.We can see that the only changes we have made to the heap h and field type environment Λ is updating the type state of field f , we therefore have that Λ N ⊢ D h { o . f C h t ′ i[U]} issatisfied. We know that we have not made any other changes to the environment becausetyping l i : L using (TLit) does not change the environment. Similarly, we have that envT NO = envT ( ) O = envT O and envT NS = envT ( ) S · ( o , S ′′ ) = envT S . We now have that envT NS ⊢ he i ( o , s ) · env S is satisfied from (WTP) since the parameter stack environment has not changed aftertyping a label and returns ( e i ) = e i is a well-formed expression, hence it can only beconcluded with (WTP-Base) and we know the premise is satisfied. envT NO ⊢ h ′ e i is satisfiedfrom Lemma A.41 and our assumption. We know that the object type environment has notchanged after typing a label and from linearity we know that the updated object in the heapdoes not occur in both envT O and Λ hence we do not have to consider the newly updatedobject in envT O and from Lemma A.41 objects ( switch f . m ( l i ) { l i : e i } l i ∈ L ) = objects ( e i ) hence from our assumption the premises of (WTE) are satisfied. Λ N ; envT NO · envT NS ⊢ D e i : t ⊲ Λ N ′ ; ∆ N ′ is satisfied from our assumption, specifically thesecond premise of (TswF) since we know the environments are the same. e now have to show Λ N ⊢ h ′ D , from (WTD) we have the premise ∀ o ∈ dom ( h ′ ) , Λ N ( o ) . class = h ′ ( o ) . class is satisfied since the field we have updated in h ′ is also updated accordingly in Λ N .From (TClass) and (TCCh) we have that Θ ; Λ ( h ′ ( o ) . f ) . envT F ⊢ D C h t ′ i[(h l i : u i i l i ∈ L ) E ] ⊲ envT ′ F and we reached C h t ′ i[ u Ei ] by following the usage then we have already checked thatwe can reach a terminated field type environment with (TCCh) and all premises of (WTD) are therefore satisfied. We know from the second premise of (TswF) that Λ N ′ = Λ ′ hence Λ ′ = o Λ N ′ and ∆ N ′ = ∆ ′ .The premises of (WTC) are all satisfied and we can conclude Λ N ; ∆ N ⊢ D h h { o . f C h t ′ i[U]} , ( o , s ) · envs , e i i : t ⊲ Λ ′ ; ∆ ′ . ⊳ Case (SwP) . h ( o ′ ) . usage l i −→ U l i ∈ L ⊢ D h h , ( o , [ x o ′ ]) · env S , switch x . m ( l i ){ l j : e j } l j ∈ L i −→h h { o ′ C h t ′ i[U]} , ( o , [ x o ′ ]) · env S , e i i We assume Λ ; ∆ · ( o ′′ , S ) ⊢ D h h , ( o , s ) · env S , switch x . m ( l i ){ l j : e j } l j ∈ L i : t ⊲ Λ ′ ; ∆ ′ . let envT O · envT S = ∆ · ( o ′′ , S ) .From (WTC) we know: • Λ ⊢ D h • envT S ⊢ h switch x . m ( l i ){ l j : e j } lj ∈ L ( o , s ) · env S • envT O ⊢ h switch x . m ( l i ){ l j : e j } l j ∈ L • Λ ; envT O · envT S ⊢ D switch x . m ( l i ){ l j : e j } l j ∈ L : t ⊲ Λ ′ ; ∆ ′ • Λ ⊢ D D From (WTP-Sw) we know envT S ⊢ hl i ( o , [ x o ′ ]) · env s From (WTP-Base) we know: • envT ′ S · ( o ′′ , [ x t ′′ ]) ⊢ hl i ( o , [ x o ′ ])• getType ( v , h ) = t ′′ • o = o ′′ • env S = ε From (TswP) we know: • Λ ; ∆ · ( o ′′ , S ) ⊢ D l i : L ⊲ Λ ( ) ; envT ( ) O · envT ( ) S · ( o , [ x C h t ′ i[(h l i : u i i l i ∈ L ) E ]])• ∀ l i ∈ L . Λ ( ) ; envT ( ) O · envT ( ) S · ( o , [ x C h t ′ i[ u i ]]) ⊢ D e i : t ⊲ Λ ′′ ; ∆ ′′ · ( o , S ′ ) We know from (WTC) and (TswP) : • Λ ′′ = Λ ′ • ∆ ′′ · ( o , S ′ ) = ∆ ′ From (TLit) we know: • envT ( ) O · envT ( ) S · ( o , [ x C h t ′ i[(h l i : u i i l i ∈ L ) E ]]) = envT O · envT S Now let Λ N = Λ ( ) and ∆ N = envT NO · envT NS · ( o , [ x C h t ′ i[ u Ei ]]) = envT ( ) O · envT ( ) S ·( o , [ x C h t ′ i[ u Ei ]]) . We now have to show that Λ N ; ∆ N ⊢ D h h { o ′ C h t ′ i[U]} , ( o , [ x o ′ ]) · envs , e i i : t ⊲ Λ ′ ; ∆ ′ by showing that the premises of (WTC) are satisfied.We have typed l i : L using (TLit) with this we know that the only change made to h is anupdate to the typestate of object o ′ , however, we still have dom ( h ) = dom ( Λ N ) and the fieldshave not changed, hence Λ N ⊢ D h { o ′ C h t ′ i[U]} is satisfied since the premises of (WTH) are satisfied. We also have that envT NO ⊢ h ′ e i is satisfied from our assumption, linearity, and emma A.41. We have envT NS · ( o , [ x C h t ′ i[ u Ei ]]) ⊢ h ′ e i ( o , [ x o ′ ]) · env S is satisfied from (WTP-Base) as a result of returns ( e i ) = e i is a well-formed expression, and onlythe topmost element on both parameter stack and envT NS is changed where this change isalso reflected in the heap h ′ , such that getType ( o ′ , h ′ ) = C h t ′ i[ u Ei ] hence the premises of (WTP-Base) are satisfied. Λ N ; ∆ N · ( o , [ x C h t ′ i[ u Ei ]]) ⊢ D e i : t ⊲ Λ N ′ ; ∆ N ′ · ( o , S ′ ) is satisfied from our assumption,specifically, the second premise of (TswP) since the environments are the same. Finally, wehave Λ N ⊢ h ′ D , from the premise we have that ∀ o ∈ dom ( h ′ ) , Λ N ( o ) . class = h ′ ( o ) . class is satisfied since we do not update any fields. From (TClass) and (TCCh) we have that Θ ; Λ ( o ) . envT F ⊢ D C h t ′ i[(h l i : u i i l i ∈ L ) E ] ⊲ envT ′ F and from reachability we have that theremaining premise of (WTD) is satisfied. We can therefore conclude Λ N ⊢ h ′ D .We know from the second premise of (TswP) that Λ N ′ = Λ ′ hence Λ ′ = o Λ N ′ and ∆ N ′ = ∆ ′ .The premises of (WTC) are all satisfied and we can conclude Λ N ; ∆ N ⊢ D h h { o ′ C h t ′ i[U]} , ( o , [ x o ′ ]) · envs , e i i : t ⊲ Λ ′ ; ∆ ′ . ⊳ Case (Upd) . h ( o ) . f = v ′ ¬ lin ( v ′ , h )⊢ D h h , ( o , s ) · env S , f = v i −→ h h { v / o . f } , ( o , s ) · env S , unit i Assume that Λ ; ∆ ⊢ D h h , ( o , s ) , f = v i : void ⊲ Λ ′ ; ∆ ′ where ∆ = envT O · envT S From (TFld) we know: • Λ ; envT O · envT ′ S · ( o ′ , S ) ⊢ D f = v : void ⊲ Λ { o . f t ′ } ; envT ′ O · envT ′′ S · ( o ′ , S ′ )• Λ ; envT O · envT ′ S · ( o ′ , S ) ⊢ D v : t ′ ⊲ Λ ′′ , o . f t ; envT ′ O · envT ′′ S · ( o ′ , S ′ )• ¬ lin ( t )• Λ ′ = Λ { o . f t ′ }• ∆ ′ = envT ′ O · envT ′′ S · ( o ′ , S ′ ) From (WTP-Base) we know: o = o ′ We have two cases, one where v is an object and one where v is a base value.Case 1 v is an object. From (TObj) we know: • Λ ′′ , o . f t = Λ • envT O = envT ′ O , v t ′ • envT ′′ S = envT ′ S • S = S ′ Case 2 v is not an object. From (TLit) , (TBool) , (TVoid) or (TBot) we know • Λ ′′ , o . f t = Λ • envT ′ O = envT O • envT ′′ S = envT ′ S • S = S ′ We know h ′ = h { v / o . f } Let Λ N = Λ { o . f t ′ } , envT NO = envT ′ O and envT NS = envT S First we show Λ N ⊢ D h ′ • getType ( h ′ ( o ) . f , h ′ ) = t ′ = Λ N ( o ) . f , is true, since we update the field in Λ N and h ′ . • dom ( Λ N ) = dom ( h ′ ) is trivially true as no objects are added. envT NS ⊢ h ′ unit env S is true from the premise of the assumption. envT NO ⊢ h ′ unit is trivially true because dom ( envT NO ) = dom ( unit ) = ∅ (TVoid) is trivially true for all environments, hence we can conclude. Λ N ; envT NO · envT NS ⊢ unit ⊲ Λ { o . f t ′ } ; envT ′ O · envT S o show Λ N ⊢ h ′ D we have to show the premise • dom ( Λ N ) = dom ( h ′ ) is trivially true. • Λ N ( o ) . class = h ′ ( o ) . class is trivially true. • ∅ ; Λ N ( o ) . envT F ⊢ D getType ( o , h ′ ) ⊲ Γ ′ we have from reachability.We have shown the premise of (WTC) and therefore we have Λ N ; envT NO · envT NS ⊢ h h { v / o . f } , ( o , s )· env S , unit i : void ⊲ Λ { o . f t ′ } ; envT ′ O · envT S We have that Λ { o . f t ′ } = o Λ { o . f t ′ } is trivially true. ⊳ Case (IfC) .
Assume h h , env S , if ( e ) { e } else { e }i −→ h h ′ , env ′ S , if ( e ′ ) { e } else { e }i and Λ ; ∆ ⊢ D h h , env S , if ( e ) { e } else { e }i : t ⊲ Λ ′ ; ∆ ′ where ∆ = envT O · envT S . Then from (WTC) wehave: • Λ ⊢ D h • envT S ⊢ h if ( e ) { e } else { e } env S • envT O ⊢ h if ( e ) { e } else { e }• Λ ; ∆ ⊢ D if ( e ) { e } else { e } : t ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D From (TIf) we have: • Λ ; ∆ ⊢ D e : Bool ⊲ Λ ′′ ; ∆ ′′ • Λ ′′ ; ∆ ′′ ⊢ D e i : t ⊲ Λ ′ ; ∆ ′ From (IfC) we have that h h , env S , e i −→ h h ′ , env ′ S , e ′ i , and from Lemma A.35 we know that Λ ; ∆ ⊢ D h h , env S , e i . From our induction hypothesis, we have that ∃ Λ ( ) , ∆ ( ) . Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , e ′ i : Bool ⊲ Λ S ; ∆ ′′ where Λ ′′ = o Λ S and ∆ ( ) = envT ( ) O · envT ( ) S We can now show that Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , if ( e ′ ) { e } else { e }i : t ⊲ Λ S ′ ; ∆ ′ , by showingthat all premises of (WTC) holds. • Λ ( ) ⊢ D h ′ follows from IH • envT ( ) S ⊢ h ′ if ( e ′ ) { e } else { e } env S is satisfied since we have envT ( ) S ⊢ h ′ e ′ env S which is thepremise of (WTP-If) • envT ( ) O ⊢ h if ( e ′ ) { e } else { e } since objects ( if ( e ′ ) { e } else { e }) = objects ( e ′ ) becauseof well-formedness • Λ ( ) ⊢ h ′ D follows from IH.Since we know Λ ( ) ; ∆ ( ) ⊢ D e ′ : Bool ⊲ Λ S ; ∆ ′′ from Lemma A.44 and that Λ ′′ = o Λ S , we canuse weakening to conclude Λ S ; ∆ ′′ ⊢ D e i : t ⊲ Λ S ′ ; ∆ ′ where Λ ′ = o Λ S ′ .These are the two premises of (TIf) , hence we can conclude Λ ( ) ; ∆ ( ) ⊢ D if ( e ′ ) { e } else { e } : t ⊲ Λ S ′ ; ∆ ′ .We have shown all premises of (WTC) , hence we can conclude Λ ; ∆ ⊢ D h h ′ , env ′ S , if ( e ′ ) { e } else { e }i : t ⊲ Λ S ′ ; ∆ ′ . ⊳ Case (RetC) .
Assume h h , env S · ( o , s ) , return { e }i −→ h h ′ , env ′ S · ( o , s ) , return { e ′ }i and that Λ ; ∆ ⊢ D h h , env S · ( o , s ) , return { e }i : t ⊲ Λ ′ ; ∆ ′ . Let ∆ = envT O · envT S .From (WTC) we have: • envT S ⊢ h return { e } env S · ( o , s )• envT S = envT ′ S · ( o , S ) from (WTP-Ret) • Λ ; ∆ ⊢ D return { e } : t ⊲ Λ ′ ; ∆ ′ From (TRet) we have that Λ ; envT O · envT ′ S ⊢ D e : t ⊲ Λ ′ ; ∆ ′′ , where ∆ ′′ = ∆ ( ) · ( o ′ , [ x t ′ ]) , terminated ( t ′ ) and that ∆ ′ = ∆ ( ) · ( o , S ) .From Lemma 36 we know that Λ ; envT O · envT ′ S ⊢ D h h , env S , e i : t ⊲ Λ ′ ; ∆ ′′ . hen from our induction hypothesis we have ∃ Λ ( ) , ∆ ( ) . Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , e ′ i : t ⊲ Λ S ; ∆ ′′ where Λ ′ = o ′ Λ S . We can also assume Λ ′ = o Λ S , since because of linearity we cannotaccess any fields in o inside e , hence e will also be well-typed if Λ ′ ( o ) = Λ S ( o ) .We now show that Λ ( ) ; ∆ ( ) · ( o , S ) ⊢ D h h ′ , env ′ S · ( o , s ) , return { e ′ }i : t ⊲ Λ S ; ∆ ′ , by showingthe premises of (WTC) are satisfied. • Λ ( ) ⊢ D h ′ is satisfied from our assumptions • envT ( ) S · ( o , S ) ⊢ h ′ return { e ′ } env ′ S · ( o , s ) is satisfied since we know that envT ( ) S ⊢ he ′ env ′ S ,we also know from linearity that the only binding of o is in the parameters, that arenot present when executing e ′ , hence we must have h ′ ( o ) = h ( o ) . But if this is the case,then from envT S ⊢ h return { e } env S · ( o , s ) we know that S and s matches types in h ′ . • envT ( ) O ⊢ h ′ return { e ′ } is trivial since objects ( return { e ′ }) = objects ( e ′ ) . • Λ ( ) ⊢ D D is satisfied by our induction hypothesis.We know from (WTC) that Λ ( ) ; ∆ ( ) ⊢ D e ′ : t ⊲ Λ S ; ∆ ′′ . We can then use (TRet) to conclude Λ ( ) ; ∆ ( ) · ( o , S ) ⊢ D return { e ′ } : t ⊲ Λ S ; ∆ ′ .Hence we can conclude that Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S · ( o , s ) , return { e ′ }i : t ⊲ Λ S ; ∆ ′ . ⊳ Case (FldC) .
Assume h h , env S , f = e i −→ h h ′ , env ′ S , f = e ′ i and Λ ; ∆ ⊢ D h h , env S , f = e i : void ⊲ Λ ′ ; ∆ ′ From (FldC) we have that h h , env S , e i −→ h h ′ , env ′ S , e ′ i .From (WTC) we know: • Λ ⊢ D h • envT O ⊢ h f = e • envT S ⊢ hf = e env S • Λ ; ∆ ⊢ D f = e : void ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D From (TFld) we have: • Λ ; ∆ ⊢ D e : t ⊲ Λ ′′ , o . f t ′ ; ∆ ′ • ∆ = ∆ ′′ · ( o , S )• C h t ′′′ i = Λ ( o ) . class • agree ( C h t ′′′ i . fields ( f ) , t )• ¬ lin ( t ′ ) From Lemma A.35 we know that Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′′ , o . f t ′ ; ∆ ′ .From our induction hypothesis we have ∃ Λ ( ) , ∆ ( ) . Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , e ′ i : t ⊲ Λ S ; ∆ ′ where Λ ′′ , o . f t ′ = o Λ S From (WTC) we now know: • Λ ( ) ⊢ D h ′ • envT ( ) O ⊢ h ′ e ′ • envT ( ) S ⊢ h ′ e ′ env ′ S • Λ ( ) ; ∆ ( ) ⊢ D e ′ : t ⊲ Λ S ; ∆ ′ • Λ ( ) ⊢ h ′ D We then show Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , f = e ′ i : void ⊲ Λ S { o . f t } ; ∆ ′ by showing that allpremises of (WTC) are satisfied. • Λ ( ) ⊢ D h ′ follows from assumption envT ( ) O ⊢ h ′ f = e ′ follows from assumption since objects ( f = e ′ ) = objects ( e ′ )• envT ( ) S ⊢ h ′ f = e ′ env ′ S follows from (WTP-Fld) since the premise envT ( ) S ⊢ h ′ e ′ env ′ S fol-lows from our assumptionWe now show that Λ ( ) ; ∆ ( ) ⊢ D f = e ′ : void ⊲ Λ S { o . f t } ; ∆ ′ .Since we have that Λ ′′ , o . f t ′ = o Λ S we know that Λ S = Λ S ′ , o . f t ′ . We also know that ¬ lin ( t ′ ) . We know that agree ( C h t ′′′ i , t ) , so we only need to argue for Λ ( ) ( o ) . class = C h t ′′′ i .This must be the case however, since we know that the class binding cannot be updated inany field typing environment, and we know that since Λ ( o ) . class = C h t ′′′ i , then Λ ′ ( o ) . class = C h t ′′′ i . But since Λ ′ = o Λ S { o . f t } , we must also have that Λ ( ) ( o ) . class = C h t ′′′ i (sincewe cannot update the class binding in e ′ ).We have shown all premises of (TFld) , hence we can conclude that Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , f = e ′ i : void ⊲ Λ S { o . f t } ; ∆ ′ . ⊳ Case (CallFC) . h h , env S , f . m ( e )i −→ h h ′ , env ′ S , f . m ( e ′ )i and Λ ; ∆ ⊢ D h h , env S , f . m ( e )i : t ′ ⊲ Λ ′ ; ∆ ′ where ∆ = envT O · envT S .From (MthdC) we have h h , env S , e i −→ h h ′ , env ′ S , e ′ i From (WTC) • Λ ⊢ D h • envT S ⊢ hf . m ( e ) env S • envT O ⊢ h f . m ( e )• Λ ; ∆ ⊢ D f . m ( e ) : t ′ ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D From (TCallF) we have: • Λ ; ∆ ′′ · ( o , S ) ⊢ D e : t ⊲ Λ ′′ { o . f C h t ′′ i[U]} ; ∆ ′′′ · ( o , S ′ )• U m −→ W• t ′ m ( t x ){ e ′′ } ∈ C h t ′′ i . methods D • ∆ ′ = ∆ ′′′ · ( o , S ′ )• Λ ′ = Λ ′′ { o . f C h t ′′ i[W]} From Lemma A.35 we have Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′′ { o . f C h t ′′ i[U]} ; ∆ ′ From our induction hypothesis we have ∃ Λ ( ) , ∆ ( ) . Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , e ′ i : t ⊲ Λ S ; ∆ ′ where Λ ′′ { o . f C h t ′′ i[U]} = o Λ S .From (WTC) we then have: • Λ ( ) ⊢ D h ′ • envT ( ) S ⊢ h ′ e ′ env ′ S • envT ( ) O ⊢ h ′ e ′ • Λ ( ) ; ∆ ( ) ⊢ D e ′ : t ⊲ Λ S ; ∆ ′ • Λ ( ) ⊢ h ′ D We can then show Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , f . m ( e ′ )i : t ⊲ Λ S ′ { o . f C h t ′′ i[W]} ; ∆ ′ . • Λ ( ) ⊢ D h ′ • envT ( ) S ⊢ h ′ f . m ( e ′ ) env ′ S follows from (WTP-Mthd) • envT ( ) O ⊢ h ′ f . m ( e ′ ) is trivial since objects ( f . m ( e ′ )) = objects ( e ′ ) . • Λ ( ) ⊢ h ′ D t only remains to show f . m ( e ′ ) is well typed. Since Λ ′′ { o . f C h t ′′ i[U]} ≤ Λ S , we knowthat Λ S = Λ S ′ { o . f C h t ′′ i[U]} .Then we know Λ ( ) ; ∆ ( ) ⊢ D e ′ : t ⊲ Λ S ′ { o . f C h t ′′ i[U]} ; ∆ ′ . From our assumptions wehave U m −→ W and t ′ m ( t x ){ e ′′ } ∈ C h t ′′ i . methods . Hence all premises of (TCallF) aresatisfied, and we have Λ ( ) ; ∆ ( ) ⊢ D f . m ( e ′ ) : t ′ ⊲ Λ S ′ { o . f C h t ′′ i[W]} ; ∆ ′ .We have that Λ ′ = o Λ S ′ { o . f C h t ′′ i[W]} since we have that Λ ′′ = o Λ S . The only changebetween Λ ′′ and Λ ′ is the binding of o . f , which is reflected in Λ S ′ { o . f C h t ′′ i[W]} .Hence we can conclude Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , f . m ( e ′ )i : t ⊲ Λ S ′ { o . f C h t ′′ i[W]} ; ∆ ′ . ⊳ Case (CallPC) .
Assume h h , env S , x ′ . m ( e )i −→ h h ′ , env ′ S , x ′ . m ( e ′ )i and Λ ; ∆ ⊢ D h h , env S , x ′ . m ( e )i : t ′ ⊲ Λ ′ ; ∆ ′ where ∆ = envT O · envT S · ( o , S ) .From (MthdC) we have: • h h , env S , e i −→ h h ′ , env ′ S , e ′ i From (WTC) we have: • Λ ⊢ D h • envT S ⊢ hx ′ . m ( e ) env S • envT O ⊢ h x ′ . m ( e )• Λ ; ∆ ⊢ D x ′ . m ( e ) : t ′ ⊲ Λ ′ ; ∆ ′ • Λ ⊢ h D From (TCallP) we have: • Λ ; envT O · envT S · ( o , S ) ⊢ D e : t ⊲ Λ ′ ; ∆ ′′ · ( o , [ x C h t ′′ i[U]])• U m −→ W• t ′ m ( t x ){ e ′′ } ∈ C h t ′′ i . methods D • ∆ ′ = ∆ ′′ · ( o , [ x C h t ′′ i[W]]) From Lemma A.35 we know that Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′ ; ∆ ′′ · ( o , [ x C h t ′′ i[U]]) .From our induction hypothesis we have ∃ Λ ( ) , ∆ ( ) . Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , e ′ i : t ⊲ Λ S ; ∆ ′′ · ( o , [ x C h t ′′ i[U]]) where Λ ′ = o Λ S .From (WTC) we then have: • Λ ( ) ⊢ D h ′ • envT ( ) S ⊢ h ′ e ′ env ′ S • envT ( ) O ⊢ h ′ e ′ • Λ ( ) ; ∆ ( ) ⊢ D e ′ : t ⊲ Λ S ; ∆ ′′ · ( o , [ x C h t ′′ i[U]])• Λ ( ) ⊢ h ′ D We now have to show Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , x ′ . m ( e ′ )i : t ′ ⊲ Λ S ; ∆ ′ by showing that thepremises of (WTC) are satisfied: • Λ ( ) ⊢ D h ′ from assumption • envT ( ) S ⊢ h ′ x ′ . m ( e ′ ) env S from assumption and (WTP-Mthd) • envT ( ) O ⊢ h ′ x ′ . m ( e ′ ) from assumption since objects ( x ′ . m ( e ′ )) = objects ( e ′ )• Λ ( ) ⊢ h ′ D from assumptionWe now have to show that x ′ . m ( e ′ ) is well-typed. We know the following: Λ ( ) ; ∆ ( ) ⊢ D e ′ : t ⊲ Λ S ; ∆ ′′ · ( o , [ x C h t ′′ i[U]]) , U m −→ W , and t ′ m ( t x ){ e ′′ } ∈ C h t ′′ i . methods D .Hence all premises of (TCallP) are satisfied. We know Λ ′ = o Λ S and we can now conclude Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , x ′ . m ( e ′ )i : t ′ ⊲ Λ S ; ∆ ′ . Case (SeqC) .
Assume h h , env S , e ; e ′′ i −→ h h ′ , env ′ S , e ′ ; e ′′ i and Λ ; ∆ ⊢ D h h ′ , env ′ S , e ; e ′′ i : t ′ ⊲ Λ ′ ; ∆ ′ .We know from (SeqC) we know h h , env S , e i −→ h h ′ , env ′ S , e ′ i .From (WTC) we have: • Λ ; ∆ ⊢ D e ; e ′′ : t ′ ⊲ Λ ′ ; ∆ ′ From (TSeq) we know: • Λ ′ ; ∆ ⊢ D e : t ⊲ Λ ′′ ; ∆ ′′ • Λ ′′ ; ∆ ′′ ⊢ D e ′′ : t ′ ⊲ Λ ′ ; ∆ ′ From Lemma A.35 we know Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′′ ; ∆ ′′ .From our induction hypothesis we have ∃ Λ ( ) , ∆ ( ) ⊢ D h h ′ , env ′ S , e ′ i : t ⊲ Λ S ; ∆ ′′ where Λ ′′ = o Λ S .From (WTC) • Λ ( ) ⊢ D h ′ • envT ( ) S ⊢ h ′ e ′ env ′ S • envT ( ) O ⊢ h ′ e ′ • Λ ( ) ; ∆ ( ) ⊢ D e ′ : t ⊲ Λ S ; ∆ ′′ • Λ ( ) ⊢ h ′ D We now show Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , e ′ ; e ′′ i : t ′ ⊲ Λ S ′ ; ∆ ′′ by showing the premises of (WTC) . • Λ ( ) ⊢ D h ′ follows from assumption • envT ( ) S ⊢ h ′ e ′ ; e ′′ env ′ S Follows from (WTP-Seq) • envT ( ) O ⊢ h ′ e ′ is trivial since objects ( e ′ ; e ′′ ) = objects ( e ′ )• Λ ( ) ⊢ h ′ D We need to show Λ ( ) ; ∆ ( ) ⊢ D e ′ ; e ′′ : t ′ ⊲ Λ S ′ ; ∆ ′ . We do this using (TSeq) .We know Λ ( ) ; ∆ ( ) ⊢ D e ′ : t ⊲ Λ S ; ∆ ′′ and ¬ lin ( t ) . Since e ; e ′′ is well formed, then we knowthat returns ( e ′′ ) =
0, we can use Lemma A.44 to conclude Λ S ; ∆ ′′ ⊢ D e ′′ : t ′ ⊲ Λ S ′ ; ∆ ′ where Λ S ′ = o Λ ′ .In total we can conclude Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , e ′ ; e ′′ i : t ′ ⊲ Λ S ′ ; ∆ ′ . ⊳ Case (SwFC) .
Assume h h , env S , switch f . m ( e ) { l i : e i } l i ∈ L i −→ h h ′ , env ′ S , switch f . m ( e ′ ) { l i : e i } l i ∈ L i and Λ ; ∆ ⊢ D h h , env S , switch f . m ( e ) { l i : e i } l i ∈ L i : t ⊲ Λ ′ ; ∆ ′ where ∆ = envT O · envT S .From (SwC) we have: • h h , env S , e i −→ h h ′ , env ′ S , e ′ i From (WTC) we have: • Λ ; ∆ ⊢ D switch f . m ( e ) { l i : e i } l i ∈ L : t ⊲ Λ ′ ; ∆ ′ From (TSwF) we have: • Λ ; ∆ ⊢ D e : L ⊲ Λ ′′ , o . f C h t ′ i[(h l i : u i i l i ∈ L ) E ]] ; ∆ ′′ • ∀ l i ∈ L . Λ ′′ , o . f C h t ′ i[ u Ei ] ; ∆ ′′ ⊢ D e i : t ⊲ Λ ′ ; ∆ ′ From Lemma A.35 we know that Λ ; ∆ ⊢ D h h , env S , e i : L ⊲ Λ ′′ , o . f C h t ′ i[(h l i : u i i l i ∈ L ) E ]] ; ∆ ′′ .Then from our induction hypothesis we have ∃ Λ ( ) ; ∆ ( ) . Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , e ′ i : L ⊲ Λ S ; ∆ ′′ where ∆ = envT ( ) O · envT ( ) S and Λ ′′ , o . f C h t ′ i[(h l i : u i i l i ∈ L ) E ]] = o Λ S .From (WTC) we have: Λ ( ) ⊢ D h ′ • envT ( ) O ⊢ h ′ e ′ • envT ( ) S ⊢ h ′ e ′ env ′ S • Λ ( ) ⊢ h ′ D • Λ ( ) ; ∆ ( ) ⊢ D e ′ : L ⊲ Λ S ; ∆ ′′ We can now show Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , switch f . m ( e ′ ) { l i : e i } l i ∈ L i : t ⊲ Λ S ′ ; ∆ ′ by showingthe premises of (WTC) . • Λ ( ) ⊢ D h ′ from assumption • envT ( ) S ⊢ h ′ switch f . m ( e ′ ) { l i : e i } li ∈ L env ′ S from (WTP-Sw) • envT ( ) O ⊢ h ′ switch f . m ( e ′ ) { l i : e i } l i ∈ L from assumption since objects ( switch f . m ( e ′ ) { l i : e i } l i ∈ L ) = objects ( e ′ )• Λ ( ) ⊢ h ′ D from assumptionWe now have to show that switch f . m ( e ′ ) { l i : e i } l i ∈ L is well formed, we have that returns ( e i ) =
0. From Lemma A.44 we know that Λ S ′ = o Λ ′ We now have that all premises of (TSwF) are satisfied and we can conclude Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , switch f . m ( e ′ ) { l i : e i } l i ∈ L i : t ⊲ Λ S ′ ; ∆ ′ . ⊳ Case (SwPC) .
Assume h h , env S , switch x . m ( e ) { l i : e i } l i ∈ L i −→ h h ′ , env ′ S , switch x . m ( e ′ ) { l i : e i } l i ∈ L i and Λ ; ∆ ⊢ D h h , env S , switch x . m ( e ) { l i : e i } l i ∈ L i : t ⊲ Λ ′ ; ∆ ′ where ∆ = envT O · envT S .From (SwC) we have h h , env S , e i −→ h h ′ , env ′ S , e ′ i .From (WTC) we know that Λ ; ∆ ⊢ D switch x . m ( e ) { l i : e i } l i ∈ L : t ⊲ Λ ′ ; ∆ ′ From (TSwP) we know • Λ ; ∆ ⊢ D e : L ⊲ Λ ′′ ; ∆ ′′′ · ( o , [ x C h t ′ i[(h l i : u i i l i ∈ L ) E ]])• ∀ l i ∈ L . Λ ′′ ; ∆ ′′′ · ( o , [ x C h t ′ i[ u Ei ]]) ⊢ D e i : t ⊲ Λ ′ ; ∆ ′ From Lemma A.35 we know that Λ ; ∆ ⊢ D h h , env S , e i : L ⊲ Λ ′′ ; ∆ ′′′ · ( o , [ x C h t ′ i[(h l i : u i i l i ∈ L ) E ]]) .Then from our induction hypothesis we have ∃ Λ ( ) ; ∆ ( ) . Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , e ′ i : L ⊲ Λ S ; ∆ ′′′ · ( o , [ x C h t ′ i[(h l i : u i i l i ∈ L ) E ]]) where Λ ′′ = o Λ S From (WTC) we have: • Λ ( ) ⊢ D h ′ • envT ( ) S ⊢ h ′ e ′ envT ′ S • envT ( ) O ⊢ h ′ e ′ • Λ ( ) ; ∆ ( ) ⊢ D e ′ : L ⊲ Λ S ; ∆ ′′′ · ( o , [ x C h t ′ i[(h l i : u i i l i ∈ L ) E ]])• Λ ( ) ⊢ h ′ D We can now show Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , switch x . m ( e ′ ) { l i : e i } l i ∈ L i : t ⊲ Λ S ′ ; ∆ ′ by showingthe premises of (WTC) . • Λ ( ) ⊢ D h ′ follows from assumption • envT ( ) S ⊢ h ′ switch x . m ( e ′ ) { l i : e i } li ∈ L env ′ S follows from (WTP-Sw) • envT ( ) O ⊢ h ′ switch x . m ( e ′ ) { l i : e i } l i ∈ L is trivial because objects ( switch x . m ( e ′ ) { l i : e i } l i ∈ L ) = objects ( e ′ )• Λ ( ) ⊢ h ′ D follows from assumption e only need to show Λ ( ) ; ∆ ( ) ⊢ D switch x . m ( e ′ ) { l i : e i } l i ∈ L : t ⊲ Λ S ′ ; ∆ ′ .We now have that switch x . m ( e ′ ) { l i : e i } l i ∈ L is a well formed, we have that returns ( e i ) = Λ S ′ = o Λ ′ Hence all premises of (TSwP) are satisfied, and we can conclude Λ ( ) ; ∆ ( ) ⊢ D h h ′ , env ′ S , switch x . m ( e ′ ) { l i : e i } l i ∈ L i : t ⊲ Λ S ′ ; ∆ ′ . ⊳ (cid:3) A.6 Error freedom proof
The second part of the safety theorem is error freedom. It tells us that a well-typed configura-tion does not have any of the runtime-errors we want to catch, that is, protocol deviation andnull-dereferencing errors. The errors are described in the −→ err relation, which shows how con-figurations exhibiting the unwanted behaviour must look. We then show that these configurationscannot be well-typed. Lemma A.37. (Error freedom). If ∃ Λ , ∆ . Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′ ; ∆ ′ then h h , env S , e i 6−→ err Proof.
Induction on the structure of −→ err . For each error predicate, show that the configura-tion cannot be well typed.Case (NullCall-1) . Assume that the configuration is well typed, that is: Λ ; ∆ ⊢ D h h , ( o , s )· env S , f . m ( v )i : t ⊲ Λ ′ ; ∆ ′ and that h h , ( o , s ) · env S , f . m ( v )i −→ err . From (WTC) we know that Λ ; ∆ ⊢ D f . m ( v ) : t ⊲ Λ ′ ; ∆ ′ . Since no typing rules for values changes Λ , we know from (TCallF) that Λ = Λ { o . f C h t ′ i[U]} . But from (WTC) we must have Λ ⊢ D h . From (WTH) we have that Λ ( o ) . envT F ( f ) = getType ( h ( o ) . f , h ) . This however, is a contradiction since Λ ( o ) . envT F ( f ) = C h t i[U] but getType ( h ( o ) . f , h ) = ⊥ . Hence the configuration cannot bewell typed. ⊳ Case (NullCall-2) .
Assume that the configuration is well typed, that is: Λ ; envT O · envT S ·( o , S ) ⊢ D h h , ( o , [ x null ]) · env S , x . m ( v )i : t ⊲ Λ ′ ; ∆ ′ and that h h , ( o , [ x null ]) · env S , f . m ( v )i −→ err .From (WTC) we know that Λ ; envT O · envT S · ( o , S ) ⊢ D x . m ( v ) : t ⊲ Λ ′ ; ∆ ′ . Since no typingrules for values changes the parameter typing stack, we have that S = [ x C h t ′ i[U]] .But from (WTC) we know that envT S ⊢ hx . m ( v ) env S , hence we know that | env S | = C h t ′ i[U] = getType ( null , h ) . This however is a contradiction, since we know that getType ( null , h ) = ⊥ , hence the configuration cannot be well typed. ⊳ Case (MthdNotAv-1) .
Assume that the configuration is well typed, that is: Λ ; ∆ ⊢ D h h , ( o , s ) · env S , f . m ( v )i : t ⊲ Λ ′ ; ∆ ′ and that h h , ( o , s ) · env S , f . m ( v )i −→ err . From (WTC) we knowthat Λ ; ∆ ⊢ D f . m ( v ) : t ⊲ Λ ′ ; ∆ ′ . Since no typing rules for values changes Λ , we know from (TCallF) that Λ = Λ { o . f C h t ′ i[U]} and that U m −→ W . But since Λ ⊢ D h , we must havethat getType ( h ( o ) . f , h ) = Λ ( o ) . envT F ( f ) . But then we must have that h ( h ( o ) . f ) . usaдe m −→ W ,hence we have a contradiction, and the configuration cannot be well typed. ⊳ Case (MthdNotAv-2) .
Assume that the configuration is well typed, that is: Λ ; envT O · envT S ·( o , S ) ⊢ D h h , ( o , [ x o ′ ])· env S , x . m ( v )i : t ⊲ Λ ′ ; ∆ ′ and that h h , ( o , [ x o ′ ])· env S , f . m ( v )i −→ err .From (WTC) we know that Λ ; envT O · envT S · ( o , S ) ⊢ D x . m ( v ) : t ⊲ Λ ′ ; ∆ ′ . Since no typingrules for values changes envT S , we know from (TCallP) that S = [ x C h t ′ i[U]] and that U m −→ W . But from (WTP) we know that | env S | = getType ( o ′ , h ) = C h t ′ i[U] .This however is a contradiction, since we know that U m −→ W but h ( o ′ ) . usage m −→ , hencethe configuration cannot be well typed. ⊳ Case (FldErr) .
Assume that the configuration is well typed, that is: Λ ; ∆ · ( o , S ) ⊢ D h h , ( o , s ) · env S , f i : t ⊲ Λ ′ ; ∆ ′ and that h h , ( o , s ) · env S , f i −→ err . From (WTC) we know that Λ ; ∆ ⊢ D f : ⊲ Λ ′ ; ∆ ′ . This could have been concluded using either (TLinFld) or (TNoLFld) . Commonfor both of these cases is that Λ ( o ) . f is defined i.e. that the field f exists on the object o .From (WTH) we have that h ( o ) . fields = Λ ( o ) . fields . But we know that f ∈ Λ ( o ) . fields but f < dom ( env F ) , hence we have a contradiction and the configuration cannot be welltyped. ⊳ Case (IfCErr) , (FldCErr) , (SeqCErr) , (CallCErr) , (SwCErr) . Since we know from Lemma A.35that Λ ; ∆ ⊢ D h h , env S , e i : t ⊲ Λ ′ ; ∆ ′ , by our induction hypothesis we have h h , env S , e i 6−→ err ,which is a contradiction with the premise of rule used to conclude c −→ err , hence the con-figuration c cannot be well typed. ⊳ Case (RetCErr) .
Assume that Λ ; ∆ ⊢ D h h , env S · ( o , s ) , return { e }i : t ⊲ Λ ′ ; ∆ ′ , then from (WTC) and (TRet) we have that ∆ = envT O · envT S · ( o ′ , S ) . But then from Lemma 36 we knowthat Λ ; envT O · envT S ⊢ D h h , env S , e i : t ′ ⊲ Λ ′′ ; ∆ ′′ . But again this contradicts our induc-tion hypothesis that h h , env S , e i 6−→ err , since we have from the premise of (RetCErr) that h h , env S , e i −→ err . Hence our original configuration cannot be well typed. ⊳ (cid:3) rXiv:2002.12793v1 [cs.PL] 28 Feb 2020 T e ss