François Pottier
Francois.Pottier@inria.fr

Vincent Simonet
Vincent.Simonet@inria.fr

Abstract

This paper presents a type-based information flow analysis for a call-by-value λ-calculus equipped with references, exceptions and let-polymorphism, which we refer to as Core ML. The type system is constraint-based and has decidable type inference. Its non-interference proof is reasonably lightweight, thanks to the use of a number of orthogonal techniques. First, a syntactic segregation between values and expressions allows a lighter formulation of the type system. Second, non-interference is reduced to subject reduction for a non-standard language extension. Lastly, a semi-syntactic approach to type soundness allows dealing with constraint-based polymorphism separately.
1 Introduction

Information flow analysis consists in statically determining how a program's outputs are related to its inputs, i.e. how the former depend, directly or indirectly, on the latter. This allows establishing secrecy and integrity properties of a program, i.e. proving that some aspects of its behavior convey no information about those of its inputs deemed "secret", or remain independent of those deemed "unreliable". These properties are instances of non-interference [7]: they state the absence of certain dependencies.

Because information flow analysis is complex and error-prone, it must be automated. During the past few years, several researchers have advocated its formulation as a type system. Then, existing type inference techniques provide automation, while type signatures provide concise, formal security specifications.

Our interest is in designing (and proving correct) a type-based information flow analysis for (the kernel of) a realistic sequential programming language. (In the presence of concurrency, the termination of a process is observable by other processes, creating new ways to leak information and requiring more restrictive type systems. Hence, it appears reasonable to first experiment with information flow control in a sequential setting.) To date, most formal results obtained in this area concern extremely reduced programming languages. Several papers address pure λ-calculi [8, 1, 16]. Volpano et al. [22, 21] study a core imperative programming language, where all variables store integers. Standing in sharp contrast, Myers [10, 11] considers the full Java language, including objects, exceptions, parameterized classes, etc. However, he does not give a formal proof of correctness; indeed, our formal approach uncovered a couple of flaws in his type system (see section 7.3).

(Footnote: INRIA, BP 105, F-78153 Le Chesnay Cedex, France. To be presented at the 29th ACM Symposium on Principles Of Programming Languages, Portland, Oregon, January 2002.)

In an attempt to bridge the gap between these approaches, we consider a call-by-value λ-calculus equipped with references, exceptions and let-polymorphism, which we refer to as Core ML. (Presentation set aside, it is identical to Wright and Felleisen's Core ML [24], except our exception names have global scope and are not first-class values.) Such a calculus can be viewed as the core of the functional programming language Caml-Light [9]. We endow it with a polymorphic, constraint-based type system, called mlif, which has decidable type inference and guarantees non-interference.

A (monomorphic) treatment of references in a higher-order language can be found in [25]. Exceptions have been studied by Myers [10, 11] for Java. However, Myers' treatment relies on Java's explicit, monomorphic throws clauses, whereas our type system uses a more flexible, polymorphic effect analysis, giving rise to issues discussed in section 10. The combination of references, exceptions and constrained let-polymorphism, as well as our use of a standard subject reduction technique to establish non-interference, are novel. Our treatment of un-annotated tuple types and of polymorphic equality form ancillary contributions.
2 Overview

Type systems are typically used to establish safety properties, i.e. prove that a certain invariant holds throughout the execution of a program. Type safety is such a property. However, non-interference [7] requires two independent program runs, given different inputs, to yield the same output. As a result, its proof is often more delicate.

Abadi et al. [2] devised a labelled operational semantics of the λ-calculus, where the labels attached to a term indicate how much information it carries. Executing a program under such a semantics amounts to performing a dynamic dependency analysis along with the actual computation. Pottier and Conchon [16] later showed how static, type-based dependency analyses could be systematically derived, and proven safe, from such a labelled semantics.

Unfortunately, in a programming language with side effects, … of a certain effect. Indeed, consider the program fragment "if x = 1 then y := 1". If, after executing this statement, y isn't 1, then x cannot be 1 either. Thus, in that case, execution transfers information about x to y, even though no assignment takes place, since the statement y := 1 is skipped. It appears difficult for a labelled semantics to account for the effect of code that is not executed; so, the approach must be reconsidered.

Direct non-interference proofs, although straightforward for simple programming languages [22], become increasingly complex in richer languages, requiring cumbersome invariants to be manipulated [25]. To avoid this pitfall, we break our proof down into several independent steps. First, we define a special-purpose extension of the language, which allows explicit reasoning about the commonalities and differences between two arbitrary program configurations, and prove it adequate in a certain sense. Then, we define a type system for this extended language, and prove that it enjoys a subject reduction property. Lastly, we show that non-interference for the base language is a consequence of these results. In other words, we reduce the initial problem to subject reduction (a safety property) for our special-purpose language. The invariant preserved by reduction is thus expressed in the type system itself, making it easier to reason about.

In keeping with the ML tradition, our type system has let-polymorphism and type inference. In addition to structure, our types describe effects and security levels; polymorphism allows writing code that is generic with respect to all three. Type inference is an indispensable help, because our types are verbose and information flow is often un-intuitive. Because we employ subtyping (as well as other forms of constraints), our type inference system is constraint-based. Yet, if generalization, instantiation, and constraint manipulation were part of the type system from the outset, our subject reduction proof would be significantly obfuscated. To work around this problem, we adopt a semi-syntactic approach [15], which again consists in breaking down the construction into two steps. First, we present a system equipped with an extensional form of polymorphism, whose formal treatment is remarkably un-intrusive. Then, we build a constraint-based system in the style of HM(X) [12], which we prove correct with respect to the former.

We will now proceed as follows. We first present the syntax of Core ML (section 3). Then, we introduce our technical extension of it, which we refer to as "Core ML²", give an operational semantics to both languages at once, and show how they relate to each other (section 4). Section 5 introduces mlif0, a type system for Core ML², and establishes subject reduction. Combining these results, we obtain a non-interference property for Core ML (section 6). In section 7, we digress and discuss a few language extensions. Culminating our development, section 8 presents mlif, a constraint-based type system which we prove correct with respect to mlif0, allowing type inference. Sections 9 and 10 give some examples and conclude.

By lack of space, many proofs are omitted; they can be found in the full version of this paper [17].
3 Core ML

Let k range over integers; let x, m, ε range over disjoint denumerable sets of program variables, memory locations, … expressions and evaluation contexts are defined as follows:

$$
\begin{array}{rcl}
v & ::= & x \mid \mathrm{fix}\,f.\lambda x.e \mid k \mid () \mid m \mid \varepsilon\,v \\
o & ::= & v \mid \mathrm{raise}(\varepsilon\,v) \\
e & ::= & o \mid v\,v \mid \mathrm{ref}\,v \mid v := v \mid\ !v \mid \mathrm{raise}\,v \mid \mathrm{let}\,x = v\ \mathrm{in}\ e \mid E[e] \\
E & ::= & \mathrm{bind}\,x = [\,]\ \mathrm{in}\ e \mid [\,]\ \mathrm{handle}\ \varepsilon\,x \Rightarrow e \mid [\,]\ \mathrm{handle}\ x \Rightarrow e
\end{array}
$$

Our values include variables, λ-abstractions, integers, a unit constant, memory locations, and exceptions. An abstraction fix f.λx.e may recursively refer to itself through the program variable f. (This is done merely to avoid dealing with recursion separately.) Every exception name ε can be used as a data constructor to build exception values of the form ε v. Outcomes, known as answers in [24], represent inactive computations; they are either values or unhandled exceptions of the form raise(ε v). An expression is an outcome, a so-called basic expression, a let construct, or another expression enclosed within an evaluation context.

Basic expressions include function applications as well as instances of four primitive operations, which allow allocating, updating, dereferencing memory cells, and raising exceptions. They are built out of values, rather than out of arbitrary sub-expressions. This syntactic restriction, which is reminiscent of Flanagan et al.'s A-normal forms [6], offers a number of advantages. First, it enables a lighter formulation of our type-and-effect system. Indeed, because values have no computational effect, a basic expression's sub-expressions do not contribute to its effect. Furthermore, it allows our system to remain independent of the evaluation strategy, i.e. of the choice of left-to-right vs. right-to-left evaluation order. User programs, expressed in a more liberal syntax, must be translated down into our restricted syntax before they can be analyzed; different evaluation strategies will simply correspond to different translation schemes.

The let construct let x = v in e has the same meaning as the basic expression (fix f.λx.e) v (where f is not free in e). However, as usual in ML [24], the let keyword directs the type checker to give x polymorphic type. Following Wright [23], we require the binding to contain a value v, rather than an arbitrary sub-expression, so as to avoid unsoundness in the presence of imperative features. As a result, let constructs do not appear among evaluation contexts.

Evaluation contexts provide glue to combine expressions and specify their evaluation order. The expression bind x = e1 in e2 evaluates e1, binds its value (if any) to x, then evaluates e2. The bind keyword does not request type generalization; it merely expresses sequentiality. Our decision of making let and bind separate constructs emphasizes this distinction. The handle constructs are dual to bind: they specify what happens after the expression under scrutiny raises an exception, rather than after it returns a value.

The meaning of the memory locations which occur in a Core ML expression is given by a store, i.e. a partial map μ from memory locations to values. We write μ[m ↦ v] for the store which maps m to v and otherwise agrees with μ; the variant of this notation which extends μ with a new binding (as used by rule (ref) in figure 1) is defined only if m ∉ dom(μ).
$$
\begin{array}{rcll}
\mathrm{ref}\,v \,/\, \mu^i & \to & m \,/\, \mu^i[m \mapsto \mathrm{new}_i\,v] & \text{(ref)}\\
m := v \,/\, \mu^i & \to & () \,/\, \mu^i[m \mapsto \mathrm{update}_i\,\mu(m)\,v] & \text{(assign)}\\
!m \,/\, \mu^i & \to & \mathrm{read}_i\,\mu(m) \,/\, \mu^i & \text{(deref)}\\
\mathrm{let}\,x = v\ \mathrm{in}\ e \,/\, \mu^i & \to & e[x \leftarrow v] \,/\, \mu^i & \text{(let)}
\end{array}
$$

Sequencing

$$
\begin{array}{rcll}
\mathrm{bind}\,x = v\ \mathrm{in}\ e \,/\, \mu^i & \to & e[x \leftarrow v] \,/\, \mu^i & \text{(bind)}\\
\mathrm{raise}(\varepsilon\,v)\ \mathrm{handle}\ \varepsilon\,x \Rightarrow e \,/\, \mu^i & \to & e[x \leftarrow v] \,/\, \mu^i & \text{(handle)}\\
\mathrm{raise}(\varepsilon\,v)\ \mathrm{handle}\ x \Rightarrow e \,/\, \mu^i & \to & e[x \leftarrow \varepsilon\,v] \,/\, \mu^i & \text{(handle-all)}\\
E[o] \,/\, \mu^i & \to & o \,/\, \mu^i & \text{(throw-context)}\\
\multicolumn{4}{l}{\qquad \text{if } \lnot(E \text{ handles } \lfloor o \rfloor_1 \lor E \text{ handles } \lfloor o \rfloor_2)}
\end{array}
$$

Lifting

$$
\begin{array}{rcll}
E[\langle o_1 \mid o_2 \rangle] \,/\, \mu & \to & \langle \lfloor E \rfloor_1[o_1] \mid \lfloor E \rfloor_2[o_2] \rangle \,/\, \mu & \text{(lift-context)}\\
\multicolumn{4}{l}{\qquad \text{if none of the sequencing rules applies}}\\
\langle v_1 \mid v_2 \rangle\,v \,/\, \mu & \to & \langle v_1\,\lfloor v \rfloor_1 \mid v_2\,\lfloor v \rfloor_2 \rangle \,/\, \mu & \text{(lift-app)}\\
\langle v_1 \mid v_2 \rangle := v \,/\, \mu & \to & \langle v_1 := \lfloor v \rfloor_1 \mid v_2 := \lfloor v \rfloor_2 \rangle \,/\, \mu & \text{(lift-assign)}\\
!\langle v_1 \mid v_2 \rangle \,/\, \mu & \to & \langle\, !v_1 \mid\ !v_2 \rangle \,/\, \mu & \text{(lift-deref)}\\
\mathrm{raise}\,\langle \varepsilon_1\,v_1 \mid \varepsilon_2\,v_2 \rangle \,/\, \mu & \to & \langle \mathrm{raise}(\varepsilon_1\,v_1) \mid \mathrm{raise}(\varepsilon_2\,v_2) \rangle \,/\, \mu & \text{(lift-raise)}
\end{array}
$$

Reduction under a context

$$
\frac{e \,/\, \mu^i \to e' \,/\, \mu'^{\,i}}{E[e] \,/\, \mu^i \to E[e'] \,/\, \mu'^{\,i}}\ \text{(context)}
\qquad
\frac{e_i \,/\, \mu^i \to e'_i \,/\, \mu'^{\,i} \qquad e_j = e'_j \qquad \{i, j\} = \{1, 2\}}{\langle e_1 \mid e_2 \rangle \,/\, \mu \to \langle e'_1 \mid e'_2 \rangle \,/\, \mu'}\ \text{(bracket)}
$$

Auxiliary functions

$$
\begin{array}{lll}
\mathrm{new}_\bullet\,v = v & \mathrm{update}_\bullet\,v\,v' = v' & \mathrm{read}_\bullet\,v = v\\
\mathrm{new}_1\,v = \langle v \mid \mathrm{void} \rangle & \mathrm{update}_1\,v\,v' = \langle v' \mid \lfloor v \rfloor_2 \rangle & \mathrm{read}_1\,v = \lfloor v \rfloor_1\\
\mathrm{new}_2\,v = \langle \mathrm{void} \mid v \rangle & \mathrm{update}_2\,v\,v' = \langle \lfloor v \rfloor_1 \mid v' \rangle & \mathrm{read}_2\,v = \lfloor v \rfloor_2
\end{array}
$$

Figure 1: Operational semantics of Core ML²
4 Core ML²

4.1 Presentation

Non-interference requires reasoning about two programs and proving that they share some sub-terms throughout execution. To make such reasoning easier, we choose to represent them as a single term of an extended language, called Core ML², rather than as a pair of Core ML terms. The extension is as follows:

$$
\begin{array}{rcl}
v & ::= & \ldots \mid \langle v \mid v \rangle \mid \mathrm{void}\\
o & ::= & \ldots \mid \langle o \mid o \rangle\\
e & ::= & \ldots \mid \langle e \mid e \rangle
\end{array}
$$

The Core ML² term ⟨e1 | e2⟩ is intended to encode the pair of Core ML terms (e1, e2). It is important to note that it can appear at an arbitrary depth within a term. For instance, assuming v is a Core ML value, the terms ⟨v1 | v2⟩ v and ⟨v1 v | v2 v⟩ both encode the pair (v1 v, v2 v). The former, however, is more informative, because it explicitly records the fact that the application node and its argument v are shared, while the latter doesn't. We do not allow nesting ⟨· | ·⟩ constructs.

We need to keep track of sharing not only between expressions, but also between stores. However, distinct stores may have distinct domains. To account for this fact, we introduce a special constant void. By creating bindings of the form m ↦ ⟨v | void⟩ and m ↦ ⟨void | v⟩ in the store, we represent situations where a memory location m is bound within only one of the two Core ML expressions encoded by a Core ML² term.

A configuration e / μ^i is a triple of an expression e, a store μ, and an index i ∈ {•, 1, 2}, whose purpose is explained in section 4.2. We write e / μ for e / μ^•.

We restrict our attention to well-formed, closed configurations. (These technical notions are defined in the full version of this paper [17]. They are preserved by reduction and guarantee that void is used exclusively in store bindings, as described above.) Furthermore, we identify configurations up to consistent renamings of memory locations.

The correspondence between Core ML and Core ML² is made explicit by means of two projection functions ⌊·⌋_i, where i ranges over {1, 2}. They satisfy ⌊⟨e1 | e2⟩⌋_i = e_i and are homomorphisms on other expression forms. They are extended to stores as follows: ⌊μ⌋_i maps m to ⌊μ(m)⌋_i if and only if the latter is defined and isn't void. Lastly, the projection of a configuration is defined by ⌊e / μ⌋_i = ⌊e⌋_i / ⌊μ⌋_i.
4.2 Semantics

The small-step operational semantics of Core ML² is given in figure 1. The first two groups of reduction rules are those of Core ML, with a few technical twists explained below. The rules in the third group are specific to Core ML²; they allow discarding sharing information if reduction cannot otherwise take place. The rules in the fourth group allow reduction under a context.

The rules are designed so that the image of any reduction step through a projection function is again a valid reduction step. Reduction may take place outside brackets, causing …; inside brackets, letting one projection compute independently, while the other remains stationary; or lift up the bracket boundary, discarding some sharing information, while leaving both projections unchanged.

The capture-free substitution of v for x in e, written e[x ← v], is defined in the usual way, except at ⟨· | ·⟩ nodes, where we must use an appropriate projection of v in each branch: ⟨e1 | e2⟩[x ← v] is ⟨e1[x ← ⌊v⌋_1] | e2[x ← ⌊v⌋_2]⟩.

We would like the rules in the first two groups to be applicable under any context. However, (ref), (assign) and (deref) need a small amount of contextual information. Indeed, the store must be accessed in a context-dependent manner: operations which take place inside a ⟨· | ·⟩ construct must use or affect only one projection of the store. The index i carried by configurations is used for this purpose. Its value is • when dealing with top-level reduction steps; it is made 1 (resp. 2) by rule (bracket) when reducing within the left (resp. right) branch of a ⟨· | ·⟩ construct. It is used in the auxiliary functions new_i, update_i and read_i to access the store in an appropriate way.

The rules in the second group describe how values and exceptions are bound (i.e. handled) or propagated. We say that E handles o if and only if E[o] is reducible through (bind), (handle) or (handle-all).

The rules in the third group have no computational content: they leave both projections unchanged. Their purpose is to prevent ⟨· | ·⟩ constructs from blocking reduction, which is done by lifting them up, thus causing some sub-terms to be duplicated, but allowing reduction to proceed independently within each branch. For instance, the left-hand expression in (lift-app) is not a β-redex. In its reduct, the application node and the sub-term v are duplicated, allowing two β-redexes to appear. A somewhat analogous rule can be found in Abadi et al.'s labelled semantics of the λ-calculus [2]. To understand the significance of the "lift" rules, one must bear in mind that the contents of every ⟨· | ·⟩ construct will be viewed as "secret". By causing new sub-terms to become secret during reduction, these rules actually provide an explicit description of information flow. Our design attempts to discard as little sharing information as possible; indeed, replacing all of these rules with e → ⟨⌊e⌋_1 | ⌊e⌋_2⟩, while computationally correct, would cause the type system to view every expression as "secret".

The semantics of Core ML can be obtained as a fragment of that of Core ML².
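The projection functions ⌊·⌋_i, the bracket-aware substitution e[x ← v] and the lift rules described above are easy to exercise on a small term model. The following Python program is an added example, not code from the paper: it assumes a tuple encoding of Core ML² terms (the tags 'app', 'bracket', 'lam' and so on are this model's own), implements ⌊·⌋_i as a homomorphism that selects one branch of every bracket, substitutes the matching projection of v in each branch of a bracket, and applies (lift-app), (lift-assign), (lift-deref) or (lift-raise) at the root of a term, checking that a lift step leaves both projections unchanged.

```python
"""Projections, substitution and the "lift" rules on Core ML^2 terms.

Added example; this is not code from the paper. Terms are nested tuples
whose first element is a tag (an encoding assumed by this model):
  ('var', x)  ('int', k)  ('unit',)  ('void',)  ('loc', m)  ('exn', eps, v)
  ('lam', f, x, e)                  fix f.lambda x.e
  ('app', v1, v2)  ('ref', v)  ('assign', v1, v2)  ('deref', v)  ('raise', v)
  ('let', x, v, e)  ('bind', x, e1, e2)
  ('handle', e1, eps, x, e2)  ('handleall', e1, x, e2)
  ('bracket', e1, e2)               <e1 | e2>
"""

# For each binding form: positions of the bound names, and of the sub-terms
# that lie in their scope (let x = v in e binds x in e only, like bind).
SCOPE = {
    'lam': ((1, 2), (3,)),
    'let': ((1,), (3,)),
    'bind': ((1,), (3,)),
    'handle': ((3,), (4,)),
    'handleall': ((2,), (3,)),
}


def project(term, i):
    """Projection |term|_i, i in {1, 2}: selects branch i of every bracket
    and is a homomorphism on every other form."""
    if term[0] == 'bracket':
        return project(term[i], i)
    return tuple(project(c, i) if isinstance(c, tuple) else c for c in term)


def subst(term, x, v):
    """Capture-free substitution term[x <- v] for a closed v: at a bracket
    node each branch receives the matching projection of v."""
    tag = term[0]
    if tag == 'var':
        return v if term[1] == x else term
    if tag == 'bracket':
        return ('bracket', subst(term[1], x, project(v, 1)),
                           subst(term[2], x, project(v, 2)))
    bound, scoped = SCOPE.get(tag, ((), ()))
    shadowed = any(term[k] == x for k in bound)
    return tuple(subst(c, x, v)
                 if isinstance(c, tuple) and not (shadowed and k in scoped) else c
                 for k, c in enumerate(term))


def lift(term):
    """One step of (lift-app), (lift-assign), (lift-deref) or (lift-raise)
    at the root of term, or None when no lift rule applies there."""
    tag = term[0]
    if tag == 'app' and term[1][0] == 'bracket':
        _, (_, v1, v2), v = term
        return ('bracket', ('app', v1, project(v, 1)), ('app', v2, project(v, 2)))
    if tag == 'assign' and term[1][0] == 'bracket':
        _, (_, v1, v2), v = term
        return ('bracket', ('assign', v1, project(v, 1)), ('assign', v2, project(v, 2)))
    if tag == 'deref' and term[1][0] == 'bracket':
        _, (_, v1, v2) = term
        return ('bracket', ('deref', v1), ('deref', v2))
    if tag == 'raise' and term[1][0] == 'bracket':
        _, (_, v1, v2) = term
        return ('bracket', ('raise', v1), ('raise', v2))
    return None


def lift_preserves_projections(term):
    """True when a lift rule applies to term and, as the text states for the
    third group of rules, both projections of the reduct equal those of term."""
    lifted = lift(term)
    return lifted is not None and all(
        project(lifted, i) == project(term, i) for i in (1, 2))
```

The shared argument of ⟨v1 | v2⟩ v is duplicated by lift, once per branch, which is exactly the loss of sharing information the text describes; the projections, i.e. the two Core ML programs being encoded, are unaffected.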
4.3 Relating Core ML² to Core ML

We now show that Core ML² is an appropriate tool to reason simultaneously about the execution of two Core ML programs. This is expressed by two properties. First, as explained above, the image of a valid reduction through projection remains a valid reduction. Conversely, if both projections of a term can be reduced to an outcome, then so can the term itself.

Lemma 4.1 (Soundness) Let $i \in \{1, 2\}$. If $e / \mu \to e' / \mu'$, then $\lfloor e / \mu \rfloor_i \to^{=} \lfloor e' / \mu' \rfloor_i$.

Lemma 4.2 (Completeness) Assume $\lfloor e / \mu \rfloor_i \to^{*} o_i / \mu'_i$ for all $i \in \{1, 2\}$. Then, there exists a configuration $o / \mu'$ such that $e / \mu \to^{*} o / \mu'$ and, for all $i \in \{1, 2\}$, $\lfloor o / \mu' \rfloor_i = o_i / \mu'_i$.

…verge; it is not applicable if one of them diverges. Indeed, define e as bind x = ⟨Ω | 0⟩ in 0, where Ω is a non-terminating expression. Its right projection is bind x = 0 in 0, which reduces to 0; yet, e cannot be reduced to any term whose right projection is 0, because e only reduces to itself. Such a formulation of completeness will naturally lead us to establish a weak non-interference result, whereby two programs can be guaranteed to yield the same result only if they both terminate. We do not aim at a strong non-interference result, because it would make little sense to plug information leaks related to termination without attacking timing leaks in general. Furthermore, such a result would require a much more restrictive type system.

In essence, the completeness lemma guarantees that we have provided enough "lift" rules to allow reducing all meaningful Core ML² expressions. In the next section, each of these rules will add one case to our subject reduction proof, forcing us to ensure that our type system accounts for all possible kinds of information flow.
5 Typing Core ML²

We now give a type system, called mlif0, for Core ML². It is a ground type system: it has no type variables and deals with polymorphism in a simple, abstract way. As a result, it does not describe an algorithm; we will address this issue in section 8.

Throughout the paper, every occurrence of ⋆ stands for a distinct anonymous meta-variable of appropriate kind.
5.1 Types

Let (L, ≤) be a lattice whose elements, denoted by ℓ and p, represent security levels. (Following Denning [4], we typically use the meta-variable p, rather than ℓ, when considering information obtained by observing the value of the "program counter".) Types, rows and alternatives are defined as follows:

$$
\begin{array}{rcl}
t & ::= & \mathrm{unit} \mid \mathrm{int}^{\ell} \mid (t \xrightarrow{p[r]} t)^{\ell} \mid t\ \mathrm{ref}^{\ell} \mid r\ \mathrm{exn}^{\ell}\\
r & ::= & \{\varepsilon \mapsto a\}_{\varepsilon \in E}\\
a & ::= & \mathrm{Abs} \mid \mathrm{Pre}\ p
\end{array}
$$

A row r is an infinite, quasi-constant family of alternatives indexed by E. (A family is quasi-constant if all but a finite number of its entries are equal.) We write (ε : a; r) for the row whose element at index ε is a and whose other elements are given by the sub-row r, which is indexed by E \ {ε}. We write a ∈ r to indicate that a is a member of r's codomain.

Our types are those of ML's type system, decorated with extra annotations of two kinds.

First, we employ rows to keep track of exceptions, as in existing type-and-effect systems, such as Pessaux and Leroy's [13]. If an exception value has type r exn^⋆, then the row r contains information about the exception's name. Specifically, for every ε ∈ E, if r(ε) is Abs, then the exception's name cannot be ε; if, on the other hand, it is Pre ⋆, then the exception may be named ε. Furthermore, function types carry an effect [r]. It is also a row, and gives a … executing the function.

Second, we use security levels to keep track of how much information can be obtained by looking up integer values, executing functions, dereferencing memory locations, and handling exceptions. The remainder of this section describes their meaning.

Because there is only one value of type unit, the value of a unit expression yields no information whatsoever. As a result, it would be superfluous for the unit type constructor to carry a security level. Immutable tuple and record types can be dealt with similarly; see section 7.1. Thus, we break the convention set forth in a number of previous papers [8, 16] that all types be of the form ⋆^ℓ. We expect this feature to help reduce verbosity in practice.

The type int^ℓ describes integer expressions whose value may reflect information of security level ℓ.

Function types carry two security annotations. The external annotation ℓ represents information about the function's identity. When the function is applied, part of this information may be reflected in its result or in other aspects of the function's behavior (i.e. in its effect); as a result, their security level will be made ℓ or greater. The annotation p, found above the → symbol, tells how much information the function obtains merely by gaining control (indeed, observing that a particular function is called may allow telling which branches were previously taken). p can be thought of as an extra parameter to the function, and indeed it is contravariant (see section 5.2). To avoid leaking this information, the function will be allowed to write into memory cells, or to raise exceptions, only at level p or greater. This explains why the annotation p is sometimes described as a lower bound on the level of the function's effects [8].

Reference types carry one annotation ℓ, which represents information about the reference's identity, i.e. about its address. Information about the reference's contents is found within the parameter t.

Exceptions are described by rows, within which every non-Abs entry, of the form ε ↦ Pre p, carries an annotation p, telling how much information will be obtained by observing (i.e. handling) the exception, if it is named ε. We follow Myers [10, 11] and associate a distinct security level with every exception name, so as to obtain better precision. Our rows are closely related to Myers' sets of path labels X, which map every exception name to either a special constant or a security level; compare these with our alternatives Abs and Pre p. (See section 10 for further comparison with [10, 11].)

In addition to a row, exception types also carry an external annotation ℓ. It is, in fact, redundant with the row r. That is, manipulating an exception as a first-class value causes its external level ℓ to increase, leaving the row r unchanged; when the exception is later raised, every non-Abs entry in r is raised to level ℓ or greater. It would be possible to suppress the external annotation, at the cost of some extra implementation complexity. Another reasonable approach would be to restrict the language so that exceptions are no longer first-class values; this would allow us to do away with exn entirely.

The reader may notice that rows do not record the type of exception arguments, i.e. the constructor Pre has no type parameter. Indeed, as in ML, we make exceptions monomorphic by assuming given a fixed mapping typexn from exception names to types. This decision is useful in two ways.

$$
\mathrm{int}^{\oplus}
\qquad (\ominus \xrightarrow{\ominus[\oplus]} \oplus)^{\oplus}
\qquad \odot\ \mathrm{ref}^{\oplus}
\qquad \oplus\ \mathrm{exn}^{\oplus}
\qquad \{\varepsilon \mapsto \oplus\}_{\varepsilon \in E}
\qquad \mathrm{Pre}\ \oplus
\qquad \mathrm{Abs} \le \mathrm{Pre}\ \star
$$

Figure 2: Subtyping

First, it should make function types (which include a row) much more compact. Second, it makes our subtyping relation atomic (see section 5.2), which we believe opens the way to simpler and (in practice) more efficient constraint solving techniques.
5.2 Subtyping

We equip types, rows and alternatives with a subtyping relation ≤, which extends the partial order (L, ≤). It is defined by the axioms in figure 2. The axiom int^⊕ is a compact version of the assertion int^{ℓ1} ≤ int^{ℓ2} ⟺ ℓ1 ≤ ℓ2. In other words, it states that int's parameter is covariant. The other axioms are to be understood similarly; ⊕, ⊖ and ⊙ represent covariant, contravariant and invariant parameters, respectively. The fifth axiom extends subtyping to rows, point-wise and covariantly.

The last axiom is the only one which relates two constructors of different arities, apparently making the subtyping relation non-atomic. However, it is only superficially so. Indeed, it is possible to give a presentation of the system where the set of alternatives is merely the disjoint union {Abs} ∪ L, causing the explicit injection Pre to disappear, because security levels become a subset of alternatives. In this presentation, subtyping is atomic [18]: alternatives form a set of atoms.

The use of subtyping in information flow control is ubiquitous [3, 4, 21, 8] and appears essential, because it allows building a directed view of the program's information flow graph, yielding better precision than a unification-based analysis.
5.3 Additional notation

A polytype s is a nonempty, upward-closed set of types. A polytype environment Γ is a partial mapping from program variables to polytypes. Γ[x ↦ s] denotes the environment which maps x to s and agrees with Γ otherwise. A memory environment M is a partial mapping from memory locations to types.

We define ℓ ◁ t (read: ℓ guards t) as follows:

$$
\ell \triangleleft \mathrm{unit}
\qquad \frac{\ell \le \ell'}{\ell \triangleleft \mathrm{int}^{\ell'}}
\qquad \frac{\ell \le \ell'}{\ell \triangleleft (\star \xrightarrow{\star[\star]} \star)^{\ell'}}
\qquad \frac{\ell \le \ell'}{\ell \triangleleft \star\ \mathrm{ref}^{\ell'}}
\qquad \frac{\ell \le \ell'}{\ell \triangleleft \star\ \mathrm{exn}^{\ell'}}
$$

The assertion ℓ ◁ t requires t to have security level ℓ or greater, and is used to record a potential information flow. Note that, for any given ℓ and t, there exists a supertype t' of t such that ℓ ◁ t' holds. Thus, the presence of ℓ ◁ t as a premise typically never prevents the application of a typing rule: indeed, preceding that rule with a subtyping step will satisfy the premise. One exception is e-Assign, where t cannot be promoted to a supertype because it appears as an invariant argument to the ref type constructor.

The predicate ◁ has transitive behavior:

Lemma 5.1 If ℓ' ≤ ℓ and ℓ ◁ t and t ≤ t' then ℓ' ◁ t'.

To every row r, we associate two security levels, defined by ⊔r = ⊔{p | Pre p ∈ r} and ⊓r = ⊓{p | Pre p ∈ r}. Note that Abs entries in r do not contribute to these levels.
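Figure 2's variance annotations and the guard predicate of this section are small enough to execute. The Python below is an added example, not the paper's code; it assumes a powerset lattice of principal names as (L, ≤), a tuple encoding of types with the level annotation last, and a finite encoding of a quasi-constant row as its explicit entries plus the default alternative taken by every other name. It decides t ≤ t' and ℓ ◁ t, and checks lemma 5.1 on given instances.

```python
"""Subtyping (figure 2) and the guard predicate l <| t (section 5.3) over
mlif0 types, with a check of lemma 5.1. Added example, not the paper's code.

Assumed encoding: a security level is a frozenset of principal names ordered
by inclusion (a powerset lattice); types are the tuples
  ('unit',)  ('int', l)  ('fun', t_arg, p, r, t_res, l)  ('ref', t, l)  ('exn', r, l)
with the level annotation last; an alternative is ('Abs',) or ('Pre', p); a row
is a pair (entries, default): a dict of explicit alternatives and the
alternative of every other exception name (a quasi-constant family)."""

LOW = frozenset()                 # constructed sample levels
HIGH = frozenset({'secret'})
NO_EXN = ({}, ('Abs',))           # the row whose entries are all Abs


def leq(l1, l2):
    return l1 <= l2


def alt_leq(a, b):
    """Abs <= anything; Pre p <= Pre p' iff p <= p' (last two axioms of figure 2)."""
    if a[0] == 'Abs':
        return True
    return b[0] == 'Pre' and leq(a[1], b[1])


def row_leq(r1, r2):
    """Rows are compared point-wise and covariantly: on every explicitly
    listed name, and on the default shared by all remaining names."""
    (e1, d1), (e2, d2) = r1, r2
    names = set(e1) | set(e2)
    return (all(alt_leq(e1.get(n, d1), e2.get(n, d2)) for n in names)
            and alt_leq(d1, d2))


def subtype(t1, t2):
    """t1 <= t2 following the variance annotations of figure 2."""
    if t1[0] != t2[0]:
        return False
    tag = t1[0]
    if tag == 'unit':
        return True
    if tag == 'int':
        return leq(t1[1], t2[1])
    if tag == 'fun':
        _, a1, p1, r1, s1, l1 = t1
        _, a2, p2, r2, s2, l2 = t2
        return (subtype(a2, a1) and leq(p2, p1)           # contravariant argument and p
                and row_leq(r1, r2) and subtype(s1, s2)   # covariant effect and result
                and leq(l1, l2))
    if tag == 'ref':
        return t1[1] == t2[1] and leq(t1[2], t2[2])       # invariant contents
    if tag == 'exn':
        return row_leq(t1[1], t2[1]) and leq(t1[2], t2[2])
    raise ValueError(tag)


def guards(l, t):
    """l <| t: unit is always guarded; any other type must carry a level >= l."""
    return t[0] == 'unit' or leq(l, t[-1])


def lemma_5_1(lp, l, t, tp):
    """l' <= l, l <| t and t <= t' imply l' <| t' (true when a premise fails)."""
    return not (leq(lp, l) and guards(l, t) and subtype(t, tp)) or guards(lp, tp)
```

The ref case is where the remark about e-Assign bites: `subtype` compares the contents for equality, so a cell of type int^LOW ref cannot be promoted to int^HIGH ref, and a guard premise on it must be satisfied as is.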
5.4 Typing judgements

We distinguish two forms of typing judgements: one deals with values only, the other with arbitrary expressions. Because values are normal forms, they have no side effects, so the former look quite simple:

$$\Gamma;M \vdash v : t$$

(We also write Γ;M ⊢ v : s when Γ;M ⊢ v : t holds for all t ∈ s.) On the other hand, expressions do produce side effects, so the latter are more elaborate:

$$p,\Gamma;M \vdash e : t\,[r]$$

The p parameter again tells how much information the expression may acquire by gaining control; it is a lower bound on the level of the expression's effects. Previous works [21, 8] employ a similar parameter. The row r approximates the set of exceptions which the expression may raise.

Two extra judgement forms are employed to type stores: M ⊢ μ, and configurations: ⊢ e / μ^i : t [r].

In typing judgements, we omit Γ and M when they are empty; we sometimes omit p and r when they are unspecified (i.e. when they could be written ⋆).

Even though the security lattice (L, ≤) is arbitrary, it is desirable to establish a simple dichotomy between "low" and "high" security levels. Such a distinction simplifies our proofs; full generality will be recovered in section 6. In the present section, we assume H is a fixed, upward-closed subset of L. We will view levels inside (resp. outside) H as "high" (resp. "low").

Non-interference demands that two expressions which differ only in high-level sub-terms have identical low-level behavior. To achieve this, our type system requires expressions of the form ⟨e1 | e2⟩ (which we use to encode the differences between two Core ML expressions) to have high-security result and side effects. (See v-Bracket and e-Bracket in figure 3.) This will be our only use of H in this section.
5 .5 Typ ingru les
We now omment o n the typing rules , g iven in g ure 3 .
v-Unitandv-Inta ssi gn basetypesto onsta nts. v-Vo id
a llows typi ng va lues o f the f orm hv j vo idi or hv oid j vi
by pr etending vo id has the sa me type as v. v-Lo a nd
v-Var ass ign typesto memo ry loatio ns a nd to va riable s
bylookinguptheappro pr iateenviro nme nt. No tethat (x)
i sapol ytyp e,ofwhihv-Varsele tsanarbitra ryinsta ne .
Asus ua li ntype-a nd-eets ystems , v-Absreords,o ntop
o fthe !typ e o nstru to r, i nf orma tion abouta f untio n' s
s ide ee ts . v-Exn assoia tes to the exe pti on va lue "v
a r ow whih maps the na me " to Pre and l eaves other
entriesuno ns tra ined,a llowi ngthemtobeAbs. v- Bra ket
re quires the o mp o ne nts of a h j i onstru t to have a
o mmon typ e , whih must have \high" seurity l evel , i.e .
be g ua rde d by s ome (arbitra ry) el ement o f H. v-Sub i s
s ta nda rd.
e-Value a ll ows view ing a val ue a s a n expressi on, and
reetsthef attha tva lueshavenosideeet.
e-Appg overnsfuntiona ppli atio n.B eausethee e tof
af unti ona ppl iati onisexatlythef unti on'sla tenteet,
thes euritylevelp ,whihshouldrepres entalowerbo und
onthelevelo fthefo rmer,mustal sobealowerboundonthe
la tter's. B eause afuntion'ssideee ts may revea linf or-
mati onaboutitsidentity,the ir levelmustequal o rexeed
the f untio n' s ownse uri ty l evel , name ly `. Asares ul t of
theserema rks ,thefuntion'sb odymustruna tl eve lpt`.
Be ause the funtion'sres ul t, too , may reveal inf ormati on
abo utitsidenti ty,werequirei tstyp etobeguardedby`.
e-Refande-Ass ignrequi repCttoensurethatpis
indeed a lowerboundo n theseurity levelo f thememory
el ltha tisw ritten.e-Assigna nde- Derefr equire`Ctto
reetthefa ttha twri ti ngorr eadingaellmayindi retly
reveali nf ormati ona boutitsidentity.
e-Raise requi res p ur , ensuringthat p is a lowe r
boundo nthel evelofever ynon-A bsentryi ntherowr. T hus,
anyodefra gmenta bl etoobservethisexpre ssio n' ssidee f-
f etmustrunatlevelporg reater(seee-Bind,e-Handle
ande-Handl eAl l). Theseurityl evel`,w hi hreetsad-
ditio na l, exepti on-name -i ndepende nt inf ormati on,i s deal t
w ithsi mila rly.
B eauseleto nl ybindsvalues,e-Leti snea rlyassimple
asinM L.Notetha tva nbegi venapol ytypes,all owi ngx
tobeuse datdi erenttypeswi thi ne.
In a bi nding onstrut bind x = e1 in e2, the expres-
si on e2 obse rves, i f it re eive s ontro l, tha t no ex epti on
wa srai sed by e1. Toao unt forthis inf ormati onhannel,
e-Bind typeheks e2 a t a seurity level a ug mented w ith
tr1,the ombinedle velofal lexeptio ns w hi he1 a npo-
tential lyra ise. Thisi saonser vativeappr oxi matio n,whih
wo rkswellintheo mmonasewheree1 isstati all yknown
neverto ra iseexe pti ons;s eese tion1 0f ordetai ls. r1tr2
denotesthel eastommo nsupertypeofr
1 andr
2 .
Like e-Bind, e-Handle typechecks $e_2$ at an increased security level, reflecting the fact that, by gaining control, $e_2$ observes that $e_1$ raised an exception named $\varepsilon$. The increment is exactly $pc'$, the security level associated with $\varepsilon$ in $e_1$'s effect, so the analysis is, in this case, quite accurate. Because the result of the handle construct may also allow determining whether the handler was executed, we require $pc' \lhd t$. e-HandleAll is analogous; however, because the construct allows observing any exception, regardless of its name, we again use $\sqcup r_1$ as a conservative approximation of how much information is gained. Myers [10, 11] performs the same approximation.
As explained earlier, e-Bracket requires both components of a $\langle \cdot \mid \cdot \rangle$ expression to have a common type, and demands that its side effects and its result be of "high" security level, i.e. guarded by an arbitrary $pc' \in H$. The auxiliary predicate $e\!\uparrow$ holds if and only if $e$ is of the form $E_1[\ldots E_n[\mathrm{raise}\,(\varepsilon\,v)]\ldots]$ where $n \ge 0$ and none of the $E_i$ handles $\mathrm{raise}\,(\varepsilon\,v)$. The use of this predicate in e-Bracket's last premise is technical; it is required for subject reduction to hold.
5.6 Subject reduction

Let us first state a few auxiliary lemmas, whose proofs are straightforward.

Lemma 5.2 (Subsumption) $pc' \sqsubseteq pc$ and $pc; \Gamma; M \vdash e : t\,[r]$ imply $pc'; \Gamma; M \vdash e : t\,[r]$.
Values

v-Unit: $\Gamma; M \vdash () : \mathrm{unit}$

v-Int: $\Gamma; M \vdash k : \mathrm{int}_\ell$

v-Void: $\Gamma; M \vdash \mathrm{void} : t$

v-Loc: $\Gamma; M \vdash m : M(m)\,\mathrm{ref}_\ell$

v-Var: $\dfrac{t \in \Gamma(x)}{\Gamma; M \vdash x : t}$

v-Abs: $\dfrac{pc;\ \Gamma[x \mapsto t'][f \mapsto (t' \xrightarrow{pc\,[r]} t)_\ell];\ M \vdash e : t\,[r]}{\Gamma; M \vdash \mathrm{fix}\,f.\lambda x.e : (t' \xrightarrow{pc\,[r]} t)_\ell}$

v-Exn: $\dfrac{\Gamma; M \vdash v : \mathrm{typexn}(\varepsilon)}{\Gamma; M \vdash \varepsilon\,v : (\varepsilon : \mathrm{Pre};\ \_)\,\mathrm{exn}}$

v-Bracket: $\dfrac{\Gamma; M \vdash v_1 : t \qquad \Gamma; M \vdash v_2 : t \qquad pc' \in H \qquad pc' \lhd t}{\Gamma; M \vdash \langle v_1 \mid v_2 \rangle : t}$

v-Sub: $\dfrac{\Gamma; M \vdash v : t' \qquad t' \le t}{\Gamma; M \vdash v : t}$

Expressions

e-Value: $\dfrac{\Gamma; M \vdash v : t}{pc; \Gamma; M \vdash v : t\,[\,]}$

e-App: $\dfrac{\Gamma; M \vdash v_1 : (t' \xrightarrow{pc \sqcup \ell\,[r]} t)_\ell \qquad \Gamma; M \vdash v_2 : t' \qquad \ell \lhd t}{pc; \Gamma; M \vdash v_1\,v_2 : t\,[r]}$

e-Ref: $\dfrac{\Gamma; M \vdash v : t \qquad pc \lhd t}{pc; \Gamma; M \vdash \mathrm{ref}\,v : t\,\mathrm{ref}_\ell\,[\,]}$

e-Assign: $\dfrac{\Gamma; M \vdash v_1 : t\,\mathrm{ref}_\ell \qquad \Gamma; M \vdash v_2 : t \qquad pc \sqcup \ell \lhd t}{pc; \Gamma; M \vdash v_1 := v_2 : \mathrm{unit}\,[\,]}$

e-Deref: $\dfrac{\Gamma; M \vdash v : t'\,\mathrm{ref}_\ell \qquad t' \le t \qquad \ell \lhd t}{pc; \Gamma; M \vdash\ !v : t\,[\,]}$

e-Raise: $\dfrac{\Gamma; M \vdash v : r\,\mathrm{exn}_\ell \qquad pc \sqcup \ell \sqsubseteq \sqcap r}{pc; \Gamma; M \vdash \mathrm{raise}\,v : t\,[r]}$

e-Let: $\dfrac{\Gamma; M \vdash v : s \qquad pc; \Gamma[x \mapsto s]; M \vdash e : t\,[r]}{pc; \Gamma; M \vdash \mathrm{let}\ x = v\ \mathrm{in}\ e : t\,[r]}$

e-Bind: $\dfrac{pc; \Gamma; M \vdash e_1 : t'\,[r_1] \qquad pc \sqcup (\sqcup r_1);\ \Gamma[x \mapsto t'];\ M \vdash e_2 : t\,[r_2]}{pc; \Gamma; M \vdash \mathrm{bind}\ x = e_1\ \mathrm{in}\ e_2 : t\,[r_1 \sqcup r_2]}$

e-Handle: $\dfrac{pc; \Gamma; M \vdash e_1 : t\,[\varepsilon : \mathrm{Pre}_{pc'};\ r] \qquad pc \sqcup pc';\ \Gamma[x \mapsto \mathrm{typexn}(\varepsilon)];\ M \vdash e_2 : t\,[\varepsilon : a;\ r] \qquad pc' \lhd t}{pc; \Gamma; M \vdash e_1\ \mathrm{handle}\ \varepsilon\,x \Rightarrow e_2 : t\,[\varepsilon : a;\ r]}$

e-HandleAll: $\dfrac{pc; \Gamma; M \vdash e_1 : t\,[r_1] \qquad pc \sqcup (\sqcup r_1);\ \Gamma[x \mapsto r_1\,\mathrm{exn}];\ M \vdash e_2 : t\,[r_2] \qquad (\sqcup r_1) \lhd t}{pc; \Gamma; M \vdash e_1\ \mathrm{handle}\ x \Rightarrow e_2 : t\,[r_2]}$

e-Bracket: $\dfrac{pc \sqcup pc'; \Gamma; M \vdash e_1 : t\,[r] \qquad pc \sqcup pc'; \Gamma; M \vdash e_2 : t\,[r] \qquad pc' \in H \qquad (pc' \lhd t) \vee (e_1\!\uparrow) \vee (e_2\!\uparrow)}{pc; \Gamma; M \vdash \langle e_1 \mid e_2 \rangle : t\,[r]}$

e-Sub: $\dfrac{pc; \Gamma; M \vdash e : t'\,[r'] \qquad t' \le t \qquad r' \le r}{pc; \Gamma; M \vdash e : t\,[r]}$

Configurations

Store: $\dfrac{\mathrm{dom}(M) = \mathrm{dom}(\mu) \qquad \forall m \in \mathrm{dom}(\mu)\quad M \vdash \mu(m) : M(m)}{M \vdash \mu}$

Conf: $\dfrac{pc; \emptyset; M \vdash e : t\,[r] \qquad M \vdash \mu}{\vdash e/\mu : t\,[r]}$

Figure 3: The type system MLIF₀
then $\Gamma; M \vdash \lfloor v \rfloor_i : t$.

Lemma 5.4 (Guard) If $\Gamma; M \vdash \langle v_1 \mid v_2 \rangle : t$ then there exists $pc' \in H$ such that $pc' \lhd t$.

Lemma 5.5 (Substitution) $\Gamma; M \vdash v : s$ and $pc; \Gamma[x \mapsto s]; M \vdash e : t\,[r]$ imply $pc; \Gamma; M \vdash e[x \leftarrow v] : t\,[r]$.
We can now state our main lemma:

Lemma 5.6 (Subject reduction) Let $e/\mu \longrightarrow_i e'/\mu'$. Assume $pc; M \vdash e : t\,[r]$ and $M \vdash \mu$. If $i \in \{1, 2\}$, assume $pc \in H$. Then, there exists a memory environment $M'$, which extends $M$, such that $pc; M' \vdash e' : t\,[r]$ and $M' \vdash \mu'$.
Proof. By induction on the derivation of $e/\mu \longrightarrow_i e'/\mu'$. We assume, w.l.o.g., that the derivation of $pc; M \vdash e : t\,[r]$ does not end with an instance of e-Sub. As a result, it must end with an instance of the single syntax-directed rule that matches $e$'s structure. By lack of space, we only give a few representative cases; all others can be found in [17].

• Case (β). $e$ is $(\mathrm{fix}\,f.\lambda x.e_0)\,v$. Let $\tau = (t' \xrightarrow{pc \sqcup \ell\,[r]} t)_\ell$. By e-App, we have $M \vdash \mathrm{fix}\,f.\lambda x.e_0 : \tau$ and $M \vdash v : t'$. The former's derivation must end with an instance of v-Abs, followed by a number of instances of v-Sub. Because $\to$ is contravariant (resp. covariant) in its first and second (resp. third and fourth) parameters, applying lemma 5.2 and e-Sub to v-Abs's premise yields $pc; (x \mapsto t''; f \mapsto \tau'); M \vdash e_0 : t\,[r]$, for some $t''$ and $\tau'$ such that $t' \le t''$ and $\tau' \le \tau$. By v-Sub, $M \vdash v : t''$ and $M \vdash \mathrm{fix}\,f.\lambda x.e_0 : \tau'$ hold. Then, lemma 5.5 yields $pc; M \vdash e_0[x \leftarrow v][f \leftarrow \mathrm{fix}\,f.\lambda x.e_0] : t\,[r]$.

• Case (deref). $e$ is $!m$. By e-Deref, we have $M \vdash m : t'\,\mathrm{ref}_\ell$, where $t' \le t$. By v-Loc, v-Sub and by invariance of the ref type constructor, this entails $M \vdash \mu(m) : t'$. By lemma 5.3, $M \vdash \mathrm{read}_i(m) : t'$ follows. Conclude with v-Sub and e-Value.

• Case (lift-app). $e$ is $\langle v_1 \mid v_2 \rangle\,v$. Let $\tau = (t' \xrightarrow{pc \sqcup \ell\,[r]} t)_\ell$. e-App's premises are $M \vdash \langle v_1 \mid v_2 \rangle : \tau$ and $M \vdash v : t'$ and $\ell \lhd t$. Lemma 5.3 yields $M \vdash v_i : \tau$ and $M \vdash \lfloor v \rfloor_i : t'$, for $i \in \{1, 2\}$. Then, e-App yields $pc \sqcup \ell; M \vdash v_i\,\lfloor v \rfloor_i : t\,[r]$. Furthermore, applying lemma 5.4 to the first premise above and recalling that $H$ is upward-closed yields $\ell \in H$. Because $\ell \lhd t$, e-Bracket is applicable and yields $pc; M \vdash e' : t\,[r]$.

• Case (lift-deref). $e$ is $!\langle v_1 \mid v_2 \rangle$. e-Deref's premises are $M \vdash \langle v_1 \mid v_2 \rangle : t'\,\mathrm{ref}_\ell$ and $t' \le t$ and $\ell \lhd t$. As above, applying lemma 5.3 and building new instances of e-Deref, we obtain $pc \sqcup \ell; M \vdash\ !v_i : t\,[r]$, for $i \in \{1, 2\}$. Similarly, lemma 5.4 yields $\ell \in H$. Lastly, by e-Bracket, we obtain $pc; M \vdash \langle !v_1 \mid !v_2 \rangle : t\,[r]$.
The previous lemma entails the following, more abstract statement:

Theorem 5.1 (Subject reduction) If $\vdash e/\mu : t\,[r]$ and $e/\mu \longrightarrow e'/\mu'$ then $\vdash e'/\mu' : t\,[r]$.

We do not establish progress (i.e. "no well-typed configuration is stuck"), even though it does hold, because it is unrelated to our concerns.
From here on, the set $H$ is no longer fixed. We introduce it explicitly when needed, writing $\vdash_H$ instead of $\vdash$ in Core ML² typing judgements. (This is not necessary for those judgements which involve plain Core ML expressions, because $H$ is used only in v-Bracket and e-Bracket.) We write $e \to^\star o$ if there exists a store $\mu$ such that $e/\emptyset \to^\star o/\mu$, where $\emptyset$ is the empty store.

Our type system keeps track of $\langle \cdot \mid \cdot \rangle$ constructs by assigning them "high" security levels (i.e. levels in $H$). By subject reduction, any expression which may evaluate to such a construct must also carry a "high" annotation. Conversely, no expression with a "low" annotation can evaluate to such a construct, as stated, in the particular case of integers, by the following lemma:
Lemma 6.1 Let $H$ be an upward-closed subset of $L$. Let $\ell \notin H$. If $\vdash_H e : \mathrm{int}_\ell$ and $e \to^\star v$ then $\lfloor v \rfloor_1 = \lfloor v \rfloor_2$.

Proof. By theorem 5.1 and Conf, there exists a memory environment $M$ such that $M \vdash_H v : \mathrm{int}_\ell\,[\,]$ holds. A value of type $\mathrm{int}$ must be of the form $k$ or $\langle k_1 \mid k_2 \rangle$. If the latter, then, by v-Bracket or e-Bracket, there exists $pc' \in H$ such that $pc' \sqsubseteq \ell$, which implies $\ell \in H$, a contradiction. Thus, we must have $v = k = \lfloor v \rfloor_1 = \lfloor v \rfloor_2$.
We can now use the correspondence between Core ML and Core ML² developed in section 4.3 to reformulate this result in a Core ML setting:

Theorem 6.1 (Non-interference) Choose $\ell, h \in L$ such that $h \not\sqsubseteq \ell$. Let $h \lhd t$. Assume $(x \mapsto t) \vdash e : \mathrm{int}_\ell$, where $e$ is a Core ML expression. If $\vdash v_i : t$ and $e[x \leftarrow v_i] \to^\star v'_i$, for $i \in \{1, 2\}$, then $v'_1 = v'_2$.

Proof. Let $H = \uparrow\{h\}$. Define $v = \langle v_1 \mid v_2 \rangle$. By v-Bracket, $\vdash_H v : t$ holds. Lemma 5.5 yields $\vdash_H e[x \leftarrow v] : \mathrm{int}_\ell$. Now, $\lfloor e[x \leftarrow v] \rfloor_i$ is $e[x \leftarrow v_i]$, which, by hypothesis, reduces to $v'_i$. According to lemma 4.2, there exists an outcome $o$ such that $e[x \leftarrow v] \to^\star o$ and, for $i \in \{1, 2\}$, $\lfloor o \rfloor_i = v'_i$. Because of the latter, $o$ must be a value. Lastly, $h \not\sqsubseteq \ell$ yields $\ell \notin H$. The result follows by lemma 6.1.
In words, $h$ and $\ell$ are security levels such that information flow from $h$ to $\ell$ is disallowed by the security lattice. Assuming the hole $x$ has a "high"-level type $t$, the expression $e$ can be given the "low"-level type $\mathrm{int}_\ell$. Then, no matter which value (of type $t$) is placed in the hole, $e$ will compute the same value (that is, if it does produce a value at all).
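The discipline of section 5.5 (e-Bind raising the program counter by $\sqcup r_1$, e-Handle raising it by $pc'$, e-Assign demanding $pc \sqcup \ell \lhd t$) and the two-run reading of theorem 6.1 can be tried out on a small model. The following Python code is an added example, not code from the paper or from its prototype implementation. It assumes a two-point lattice L ⊑ H, exceptions that carry no value, a conditional standing in for the paper's sums, and references declared up front with the level of their contents and the level $\ell$ of the cell itself. Three constructed programs are typechecked, and each is then run twice with different secrets to show which ones actually leak.

```python
# Added example, not code from the paper or its prototype: a toy checker for the pc/effect
# discipline of e-Deref, e-Assign, e-Raise, e-Bind and e-Handle, plus the two-run test behind
# theorem 6.1. Assumptions: lattice L <= H; exceptions carry no value; a conditional stands in
# for the paper's sums; references are declared up front with (content level, cell level).
from dataclasses import dataclass
from typing import Dict, Tuple

L, H = 0, 1                                        # the lattice {L ⊑ H}; join is max
def join(*ls: int) -> int: return max(ls)

@dataclass
class Const: v: int
@dataclass
class Deref: ref: str                              # !r
@dataclass
class Assign: ref: str; e: object                  # r := e
@dataclass
class Raise: exn: str                              # raise exn
@dataclass
class If: cond: object; then: object; els: object  # if cond <> 0 then ... else ...
@dataclass
class Bind: e1: object; e2: object                 # bind _ = e1 in e2
@dataclass
class Handle: e1: object; exn: str; e2: object     # e1 handle exn _ => e2

class Rejected(Exception): pass
Row = Dict[str, int]                               # effect row: exception name -> level (absent = Abs)

def merge(*rows: Row) -> Row:                      # r1 ⊔ r2: pointwise join of rows
    out: Row = {}
    for r in rows:
        for k, v in r.items(): out[k] = join(out.get(k, L), v)
    return out

def check(e, pc: int, refs: Dict[str, Tuple[int, int]]) -> Tuple[int, Row]:
    """Return (level of the result, effect row) of e at program-counter level pc, or raise Rejected.
    refs maps a reference name to (level of its contents, level ℓ of the cell itself)."""
    if isinstance(e, Const):
        return L, {}
    if isinstance(e, Deref):                       # e-Deref: ℓ ◁ t, reading reveals which cell was read
        t, l = refs[e.ref]
        return join(t, l), {}
    if isinstance(e, Assign):                      # e-Assign: pc ⊔ ℓ ◁ t, and the stored value has type t
        t, l = refs[e.ref]
        lv, r = check(e.e, pc, refs)
        if join(pc, l, lv) > t:
            raise Rejected(f"write to {e.ref} (contents at level {t}) at pc {pc}")
        return L, r
    if isinstance(e, Raise):                       # e-Raise: pc is a lower bound on every non-Abs entry
        return L, {e.exn: pc}
    if isinstance(e, If):                          # branches run at pc ⊔ level(cond); result guarded by it
        lc, rc = check(e.cond, pc, refs)
        l1, r1 = check(e.then, join(pc, lc), refs)
        l2, r2 = check(e.els, join(pc, lc), refs)
        return join(lc, l1, l2), merge(rc, r1, r2)
    if isinstance(e, Bind):                        # e-Bind: e2 learns that e1 raised nothing, so pc ⊔ ⊔r1
        l1, r1 = check(e.e1, pc, refs)
        l2, r2 = check(e.e2, join(pc, *r1.values()), refs)
        return l2, merge(r1, r2)
    if isinstance(e, Handle):                      # e-Handle: handler runs at pc ⊔ pc', and pc' ◁ result
        l1, r1 = check(e.e1, pc, refs)
        pc_ = r1.get(e.exn, L)                     # pc': the level of exn in e1's effect
        rest = {k: v for k, v in r1.items() if k != e.exn}
        l2, r2 = check(e.e2, join(pc, pc_), refs)
        return join(l1, l2, pc_), merge(rest, r2)
    raise TypeError(e)

def run(e, store: Dict[str, int]):
    """Evaluate e in store; return ('val', v) or ('exn', name). Used only to exhibit leaks dynamically."""
    if isinstance(e, Const): return ('val', e.v)
    if isinstance(e, Deref): return ('val', store[e.ref])
    if isinstance(e, Assign):
        o = run(e.e, store)
        if o[0] == 'val': store[e.ref] = o[1]; o = ('val', 0)
        return o
    if isinstance(e, Raise): return ('exn', e.exn)
    if isinstance(e, If):
        o = run(e.cond, store)
        return o if o[0] == 'exn' else run(e.then if o[1] else e.els, store)
    if isinstance(e, Bind):
        o = run(e.e1, store)
        return o if o[0] == 'exn' else run(e.e2, store)
    if isinstance(e, Handle):
        o = run(e.e1, store)
        return run(e.e2, store) if o == ('exn', e.exn) else o
    raise TypeError(e)

REFS = {'secret': (H, L), 'low': (L, L)}           # constructed: secret holds H data, low holds L data
signal = If(Deref('secret'), Raise('E'), Const(0))              # raises E iff the secret is nonzero
LEAK_VIA_HANDLER = Handle(signal, 'E', Assign('low', Const(1)))
LEAK_VIA_BIND = Bind(signal, Assign('low', Const(1)))
SAFE = Handle(Raise('E'), 'E', Assign('low', Const(1)))         # E raised at pc = L, handler runs at L

def accepted(prog) -> bool:
    try:
        check(prog, L, REFS)
        return True
    except Rejected:
        return False

def low_output_depends_on_secret(prog) -> bool:
    """Theorem 6.1 read operationally: run with two secrets and compare the low cell afterwards."""
    outs = []
    for s in (0, 1):
        store = {'secret': s, 'low': 0}
        run(prog, store)
        outs.append(store['low'])
    return outs[0] != outs[1]
```

Both leaking programs are rejected exactly where the text predicts: in LEAK_VIA_HANDLER the handler runs at $pc \sqcup pc' = $ H because E was raised under the secret, and in LEAK_VIA_BIND the second component of the bind runs at $pc \sqcup \sqcup r_1 = $ H, so the write to the low cell fails the e-Assign premise. The two-run test shows that the low cell would otherwise differ between the two secrets, whereas SAFE is accepted and its low view is the same in both runs.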
7 Extensions

In this section, we describe a number of language extensions. Some are standard programming facilities which we have left out so far, namely products, sums, and primitive operations. Others are new language constructs which capture common idioms, so as to make them more amenable to analysis. We omit all proofs in this section; they can be found in [17].

7.1 Products and sums

Extending our system with products and sums is straightforward. The grammar of types is extended as follows:

$$t ::= \ldots \mid t \times t \mid (t + t)_\ell$$
$$\mathrm{unit} \rhd \ell \qquad
\dfrac{\ell' \sqsubseteq \ell}{\mathrm{int}_{\ell'} \rhd \ell} \qquad
\dfrac{t_1 \rhd \ell \quad t_2 \rhd \ell}{t_1 \times t_2 \rhd \ell} \qquad
\dfrac{\ell' \sqsubseteq \ell \quad t_1 \rhd \ell \quad t_2 \rhd \ell}{(t_1 + t_2)_{\ell'} \rhd \ell} \qquad
\dfrac{t \rhd \ell \quad \ell' \sqsubseteq \ell}{t\,\mathrm{ref}_{\ell'} \rhd \ell}$$

Figure 4: Collecting security annotations
Products carry no security annotation because, in the absence of a physical equality operator, all of the information carried by a tuple is in fact carried by its components. To reflect this, we define $\ell \lhd t_1 \times t_2$ as $\ell \lhd t_1 \wedge \ell \lhd t_2$. More details appear in [17].

Our treatment of products is slightly innovative, and has implications on constraint solving. Indeed, if every type carried a security annotation, as in previous works [8, 1, 16], then $\ell \lhd t_m$, where $m$ is the annotation carried by $t_m$, would be syntactic sugar for $\ell \sqsubseteq m$. Because it is not the case here, constraints involving $\lhd$ must receive special treatment by the constraint solver (see section 8.4).
7.2 Primitive operations

Practical programming languages usually provide many primitive operations, such as integer arithmetic operators. Some languages, such as Caml-Light [9], provide generic (i.e. polymorphic) comparison, hashing or marshalling functions. In the full version of this paper [17], we present a way of assigning types to such primitive operations, without knowledge of their semantics, i.e. by considering them as "black boxes" which potentially use all of the information content of their arguments. Here, we only describe it briefly.

We introduce a two-place predicate $\rhd$, whose arguments are a type and a security level (figure 4). In short, $t \rhd \ell$ requires all of the security annotations which appear in $t$ and its sub-terms to be less than (or equal to) $\ell$. It also requires $t$ to have no function or exception types in its sub-terms. (Functions are not valid arguments to the polymorphic comparison operators; exceptions must be ruled out because exn is, in practice, an extensible type, i.e. the mapping typexn is never fully known.) Then, uses of the comparison operators can be typed as follows:

$$\dfrac{\Gamma; M \vdash v_1 : t \qquad \Gamma; M \vdash v_2 : t \qquad t \rhd \ell}{pc; \Gamma; M \vdash v_1 \star v_2 : \mathrm{bool}_\ell\,[\,]} \qquad \star \in \{=, \ldots\}$$

(The type $\mathrm{bool}_\ell$ can be defined as $(\mathrm{unit} + \mathrm{unit})_\ell$ or added as a primitive type.) Because these operators traverse data structures recursively, the result of a comparison may reveal information about any sub-term. The premise $t \rhd \ell$ reflects this by requiring $\ell$ to dominate all security annotations which appear in $t$.
Generic hashing and marshalling operations can be dealt with similarly:

$$\dfrac{\Gamma; M \vdash v : t \qquad t \rhd \ell}{pc; \Gamma; M \vdash \mathrm{hash}\,v : \mathrm{int}_\ell\,[\,]} \qquad
\dfrac{\Gamma; M \vdash v : t \qquad t \rhd \ell}{pc; \Gamma; M \vdash \mathrm{marshal}\,v : \mathrm{int}_\ell\,[\,]}$$

By contrast, in Myers' Java-based framework [10, 11], hashing is done by having every class override the standard hashCode method, which is declared in class Object with signature int{this} hashCode(). A re-implementation of hashCode
result, it may only rely on fields labelled this. The parametric class Vector[L], for instance, must compute hashcodes in a way that does not depend upon the vector's length or contents, because their label is L. Of course, this severely limits hashCode's usefulness.
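As an added example, not code from the paper, the following Python code implements the guard relation $\ell \lhd t$ with the componentwise treatment of products from section 7.1, the collecting predicate $t \rhd \ell$ of figure 4, and the least $\ell$ such that $t \rhd \ell$, which is the annotation that the result of a polymorphic comparison on two values of type $t$ receives. It assumes a powerset lattice (a level is a set of principals, $\sqsubseteq$ is inclusion), a type syntax in which the pc and effect annotations of function types are omitted, and that $\ell \lhd \mathrm{unit}$ always holds; these are assumptions of the example, not definitions taken from the paper.

```python
# Added example, not code from the paper: ℓ ◁ t (section 7.1, products componentwise),
# t ⊳ ℓ (figure 4) and the least collecting level, i.e. the level of a polymorphic comparison.
# Assumptions: powerset lattice of principals; function types carry only their own level here.
from dataclasses import dataclass
from typing import FrozenSet, Optional

Level = FrozenSet[str]                 # a level is a set of principals; ⊑ is ⊆, ⊔ is ∪, ⊥ is ∅
BOT: Level = frozenset()
def join(a: Level, b: Level) -> Level: return a | b

@dataclass(frozen=True)
class Unit: pass
@dataclass(frozen=True)
class Int: level: Level                                   # int_ℓ
@dataclass(frozen=True)
class Ref: content: object; level: Level                  # t ref_ℓ
@dataclass(frozen=True)
class Prod: left: object; right: object                   # t1 × t2, no annotation of its own
@dataclass(frozen=True)
class Sum: left: object; right: object; level: Level      # (t1 + t2)_ℓ
@dataclass(frozen=True)
class Fun: dom: object; cod: object; level: Level         # (t1 -> t2)_ℓ, pc and row omitted
@dataclass(frozen=True)
class Exn: level: Level                                   # r exn_ℓ, row omitted

def guard(l: Level, t) -> bool:
    """ℓ ◁ t: the top-level annotation of t dominates ℓ, componentwise for products."""
    if isinstance(t, Unit):
        return True                                       # unit carries no information (assumption)
    if isinstance(t, Prod):
        return guard(l, t.left) and guard(l, t.right)     # ℓ ◁ t1 × t2  ≡  ℓ ◁ t1 ∧ ℓ ◁ t2
    return l <= t.level

def collect(t, l: Level) -> bool:
    """t ⊳ ℓ (figure 4): every annotation in t and its sub-terms is ⊑ ℓ, and no function or
    exception type occurs anywhere in t."""
    if isinstance(t, Unit):
        return True
    if isinstance(t, Int):
        return t.level <= l
    if isinstance(t, Prod):
        return collect(t.left, l) and collect(t.right, l)
    if isinstance(t, Sum):
        return t.level <= l and collect(t.left, l) and collect(t.right, l)
    if isinstance(t, Ref):
        return t.level <= l and collect(t.content, l)
    return False                                          # Fun, Exn: never collectable

def least_level(t) -> Optional[Level]:
    """Least ℓ with t ⊳ ℓ, or None when t contains a function or exception type."""
    if isinstance(t, Unit):
        return BOT
    if isinstance(t, Int):
        return t.level
    if isinstance(t, (Prod, Sum)):
        a, b = least_level(t.left), least_level(t.right)
        if a is None or b is None:
            return None
        own = t.level if isinstance(t, Sum) else BOT      # products contribute no level of their own
        return join(join(a, b), own)
    if isinstance(t, Ref):
        c = least_level(t.content)
        return None if c is None else join(c, t.level)
    return None

def comparison_result(t) -> Optional[Int]:
    """Type of v1 = v2 for v1, v2 : t, i.e. bool_ℓ with the least ℓ such that t ⊳ ℓ
    (Int stands in for bool here); None when the comparison is rejected."""
    lvl = least_level(t)
    return None if lvl is None else Int(lvl)

A, B = frozenset({'A'}), frozenset({'B'})                 # two incomparable principals
KEYS = Prod(Int(A), Int(B))                               # constructed: a pair owned half by A, half by B
```

Comparing two KEYS values yields a boolean at level {A, B}, the join of both components, exactly as the premise $t \rhd \ell$ demands; a pair containing a function is rejected outright, and the guard check on a product succeeds only when every component's annotation dominates $\ell$.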
7.3 Common idioms

Because our type system is quite conservative, some common programming idioms deserve special treatment, even though they are already expressible in the language.

For instance, consider the expression form $e_1\ \mathrm{finally}\ e_2$, akin to Lisp's unwind-protect and Java's try-finally constructs. Such an expression could be viewed as syntactic sugar for $\mathrm{bind}\ x = (e_1\ \mathrm{handle}\ y \Rightarrow e_2;\ \mathrm{raise}\ y)\ \mathrm{in}\ e_2;\ x$. However, by duplicating $e_2$, this encoding prevents the typechecker from discovering that $e_2$ is executed always, i.e. regardless of $e_1$'s behavior. As a result, $e_2$ is typechecked under an increased security assumption $pc$. Zdancewic and Myers [25] show how ordered linear continuations provide a general solution to this problem. In our case, it is simpler to make $e_1\ \mathrm{finally}\ e_2$ a primitive construct:

e-Finally: $\dfrac{pc; \Gamma; M \vdash e_1 : t\,[r_1] \qquad pc; \Gamma; M \vdash e_2 : t'\,[r_2] \qquad \sqcup r_2 \sqsubseteq \sqcap r_1}{pc; \Gamma; M \vdash e_1\ \mathrm{finally}\ e_2 : t\,[r_1 \sqcup r_2]}$

Following Myers [10, 11], we typecheck $e_1$ and $e_2$ at a common $pc$. However, we add the premise $\sqcup r_2 \sqsubseteq \sqcap r_1$, which reflects that, by observing an exception thrown by $e_1$, one may deduce that $e_2$ terminated normally. Its absence in Myers' work is a flaw. Myers' typing rule in fact exhibits a second flaw: its overall effect should be $X_1 \oplus X_2$, rather than $X_1[n := \emptyset] \oplus X_2$, because normal termination of the whole statement implies normal termination of $e_1$. This fact is taken into account in our typing rule, even though we do not explicitly associate a security level to normal termination; see section 10. Both flaws in Myers' framework were uncovered by our formal approach [Andrew C. Myers, personal communication, June 2001].
8 A constraint-based type system

We now give a more algorithmic presentation of our type system, called MLIF. It differs from MLIF₀ mainly by introducing type variables, constraints, and using them to form universally quantified, constrained type schemes, in the style of HM(X) [12]. Like HM(X), it has principal types and decidable type inference. Because the construction is not the central topic of this paper, we will describe it only succinctly; the reader is referred to [12, 15] for more details.

8.1 Types and constraints

In MLIF, the grammar of types, rows, alternatives and levels is extended with type variables. (We let $\alpha$ range over type variables of all four kinds; no ambiguity will arise.) Furthermore, Rémy's [19] row syntax is introduced, turning rows into finite lists of bindings from exception names to
Values

v-Unit: $C; \Gamma \vdash () : \mathrm{unit}$

v-Int: $C; \Gamma \vdash k : \mathrm{int}_\ell$

v-Var: $\dfrac{\Gamma(x) = \forall\bar\alpha[D].\tau \qquad C \Vdash \exists\bar\alpha.D}{C \wedge D; \Gamma \vdash x : \tau}$

v-Abs: $\dfrac{C;\ pc;\ \Gamma[x \mapsto \tau'][f \mapsto (\tau' \xrightarrow{pc\,[\rho]} \tau)_\ell] \vdash e : \tau\,[\rho]}{C; \Gamma \vdash \mathrm{fix}\,f.\lambda x.e : (\tau' \xrightarrow{pc\,[\rho]} \tau)_\ell}$

v-Exn: $\dfrac{C; \Gamma \vdash v : \mathrm{typexn}(\varepsilon)}{C; \Gamma \vdash \varepsilon\,v : (\varepsilon : \mathrm{Pre}_\ell;\ \rho)\,\mathrm{exn}}$

v-Sub: $\dfrac{C; \Gamma \vdash v : \tau' \qquad C \Vdash \tau' \le \tau}{C; \Gamma \vdash v : \tau}$

Expressions

e-Value: $\dfrac{C; \Gamma \vdash v : \tau}{C; pc; \Gamma \vdash v : \tau\,[\rho]}$

e-App: $\dfrac{C; \Gamma \vdash v_1 : (\tau' \xrightarrow{pc \sqcup \ell\,[\rho]} \tau)_\ell \qquad C; \Gamma \vdash v_2 : \tau' \qquad C \Vdash \ell \lhd \tau}{C; pc; \Gamma \vdash v_1\,v_2 : \tau\,[\rho]}$

e-Ref: $\dfrac{C; \Gamma \vdash v : \tau \qquad C \Vdash pc \lhd \tau}{C; pc; \Gamma \vdash \mathrm{ref}\,v : \tau\,\mathrm{ref}_\ell\,[\rho]}$

e-Assign: $\dfrac{C; \Gamma \vdash v_1 : \tau\,\mathrm{ref}_\ell \qquad C; \Gamma \vdash v_2 : \tau \qquad C \Vdash pc \sqcup \ell \lhd \tau}{C; pc; \Gamma \vdash v_1 := v_2 : \mathrm{unit}\,[\rho]}$

e-Deref: $\dfrac{C; \Gamma \vdash v : \tau'\,\mathrm{ref}_\ell \qquad C \Vdash \tau' \le \tau \qquad C \Vdash \ell \lhd \tau}{C; pc; \Gamma \vdash\ !v : \tau\,[\rho]}$

e-Raise: $\dfrac{C; \Gamma \vdash v : \rho\,\mathrm{exn}_\ell \qquad C \Vdash pc \sqcup \ell \sqsubseteq \sqcap\rho}{C; pc; \Gamma \vdash \mathrm{raise}\,v : \tau\,[\rho]}$

e-Let: $\dfrac{C \wedge D; \Gamma \vdash v : \tau' \qquad C; pc; \Gamma[x \mapsto \forall\bar\alpha[D].\tau'] \vdash e : \tau\,[\rho] \qquad \bar\alpha \cap \mathrm{fv}(C, \Gamma) = \emptyset}{C \wedge \exists\bar\alpha.D;\ pc;\ \Gamma \vdash \mathrm{let}\ x = v\ \mathrm{in}\ e : \tau\,[\rho]}$

e-Bind: $\dfrac{C; pc; \Gamma \vdash e_1 : \tau'\,[\rho_1] \qquad C;\ pc \sqcup (\sqcup\rho_1);\ \Gamma[x \mapsto \tau'] \vdash e_2 : \tau\,[\rho_2]}{C; pc; \Gamma \vdash \mathrm{bind}\ x = e_1\ \mathrm{in}\ e_2 : \tau\,[\rho_1 \sqcup \rho_2]}$

e-Handle: $\dfrac{C; pc; \Gamma \vdash e_1 : \tau\,[\varepsilon : \mathrm{Pre}_{\ell'};\ \rho] \qquad C;\ pc \sqcup \ell';\ \Gamma[x \mapsto \mathrm{typexn}(\varepsilon)] \vdash e_2 : \tau\,[\varepsilon : a;\ \rho] \qquad C \Vdash \ell' \lhd \tau}{C; pc; \Gamma \vdash e_1\ \mathrm{handle}\ \varepsilon\,x \Rightarrow e_2 : \tau\,[\varepsilon : a;\ \rho]}$

e-HandleAll: $\dfrac{C; pc; \Gamma \vdash e_1 : \tau\,[\rho_1] \qquad C;\ pc \sqcup (\sqcup\rho_1);\ \Gamma[x \mapsto \rho_1\,\mathrm{exn}] \vdash e_2 : \tau\,[\rho_2] \qquad C \Vdash (\sqcup\rho_1) \lhd \tau}{C; pc; \Gamma \vdash e_1\ \mathrm{handle}\ x \Rightarrow e_2 : \tau\,[\rho_2]}$

e-Sub: $\dfrac{C; pc; \Gamma \vdash e : \tau'\,[\rho'] \qquad C \Vdash \tau' \le \tau \qquad C \Vdash \rho' \le \rho}{C; pc; \Gamma \vdash e : \tau\,[\rho]}$

Figure 5: The type system MLIF
alternatives, terminated with a row variable.

$$\begin{array}{rcl}
\tau & ::= & \alpha \mid \mathrm{unit} \mid \mathrm{int}_\ell \mid (\tau \xrightarrow{pc\,[\rho]} \tau)_\ell \mid \tau\,\mathrm{ref}_\ell \mid \rho\,\mathrm{exn} \\
\rho & ::= & \alpha \mid (\varepsilon : a;\ \rho) \\
a & ::= & \alpha \mid \mathrm{Abs} \mid \mathrm{Pre}_\ell \\
pc,\ \ell & ::= & \alpha \mid \text{a constant level of } L
\end{array}$$

The variable-free types (resp. rows, alternatives, levels) of MLIF are isomorphic to the types (resp. rows, alternatives, levels) of MLIF₀; we identify them and refer to them as ground. Then, constraints are defined as follows:

$$\begin{array}{rcl}
C & ::= & \mathrm{true} \mid C \wedge C \mid \exists\alpha.C \\
 & \mid & \tau \le \tau \mid \rho \le \rho \mid a \le a \mid \ell \sqsubseteq \ell \\
 & \mid & \ell \lhd \tau \mid \sqcup\rho \sqsubseteq \ell \mid \ell \sqsubseteq \sqcap\rho \mid \tau \rhd \ell
\end{array}$$

The constraint forms on the first line are standard [12]. Those on the second line are subtyping constraints; those on the third line are custom constraint forms, which correspond to the notions developed in sections 5 and 7.2. We omit the sorting rules necessary to ensure that terms and constraints involving rows are well-formed; see [19].

Let a ground assignment $\phi$ map every type variable to a ground type, row, alternative, or level, according to its kind. The meaning of terms and constraints under an assignment is defined in the obvious way. We write $C \Vdash C'$ (read: $C$ entails $C'$) if and only if every assignment which satisfies $C$ satisfies $C'$ as well.

Let a type scheme $\sigma$ be a triple of a set of quantifiers $\bar\alpha$, a constraint $C$ and a type $\tau$; we write $\sigma = \forall\bar\alpha[C].\tau$. The type variables in $\bar\alpha$ are bound in $\sigma$; type schemes are considered equal modulo $\alpha$-conversion. By abuse of notation, a type $\tau$ may be viewed as a type scheme $\forall\emptyset[\mathrm{true}].\tau$. An environment $\Gamma$ is a partial mapping from program variables to type schemes.

8.2 Typing rules

The typing rules for MLIF are given in figure 5. They look very similar to those of MLIF₀; let us briefly discuss the differences. We restrict our attention to source expressions, i.e. Core ML expressions which do not contain memory locations; this is enough for our purposes. Thus, typing judgements no longer contain a memory environment $M$. Every
assumption about its free type variables; for the judgement to be valid, $C$ must be satisfiable. (We omit $C$ when it is true.) Constrained type schemes are introduced by e-Let, which performs generalization, and eliminated by v-Var, which performs instantiation. For the sake of conciseness, some rules use the binary operator $\sqcup$ on levels and on rows, as well as the unary operator $\sqcup$ on rows, as if they were part of our term syntax; we let the reader check that these notations can be de-sugared into extra meta-variables and constraints.
8.3 Non-interference

We prove the following statement by induction on type derivations, along the lines of [15].

Lemma 8.1 (Soundness) Assume $C; pc; \Gamma \vdash e : \tau\,[\rho]$. Let $\phi$ be an arbitrary ground assignment which satisfies $C$. Then, $\phi(pc); \phi(\Gamma); \emptyset \vdash e : \phi(\tau)\,[\phi(\rho)]$ holds in MLIF₀.

(We do not define $\phi(\Gamma)$ here; see [15].) In particular, every ground typing judgement in MLIF is also a valid judgement in MLIF₀. This allows us to lift our non-interference result to MLIF. That is, the statement of theorem 6.1 remains valid if $(x \mapsto t) \vdash e : \mathrm{int}_\ell$ and $\vdash v_i : t$ are read as MLIF typing judgements.

8.4 Type inference

It is easy to check that there exists a type inference algorithm which computes principal types for MLIF. Sulzmann et al. [20] show how to derive a set of type inference rules from a set of typing rules similar to ours. The main point that remains to be settled is whether constraint solving is decidable.

As explained in section 5.2, our subtyping relation is atomic; constraint solving for atomic subtyping is decidable and well understood [18]. The introduction of rows is essentially orthogonal to other constraint solving issues [5, 14]. Lastly, our custom constraint forms can be solved in a "lazy" manner. That is, a constraint of the form $\ell \lhd \alpha$, $\alpha \rhd \ell$, $\sqcup\rho \sqsubseteq \ell$ or $\ell \sqsubseteq \sqcap\rho$ remains suspended as long as nothing is known about $\alpha$ (resp. $\rho$), and is decomposed into a number of sub-constraints only when $\alpha$ (resp. $\rho$) is unified with a non-variable term or row. Further details, including proofs and algorithms, will be given in a later paper.
9 Examples

We intend to integrate MLIF into a realistic programming language, such as Caml-Light [9]. In this section, we give a taste of that by describing the principal type schemes inferred for some library functions by our prototype implementation. We use Caml-Light syntax, which can be easily de-sugared into Core ML.

We omit type annotations on top of $\to$ when they are unconstrained, anonymous type variables. Because none of the type schemes below has free type variables, we omit the universally quantified variables after $\forall$.

We have not explained how to include datatype declarations in the language. Since we already have product and sum types, this should be straightforward. Let us assume the type constructor list is declared as follows:

    | []
    | (::) of 'a * ('a, 'b) list

In ('a, 'b) list, the parameter 'a is the type of the list's elements, as usual, while 'b is a security level. The annotation <'b> on the right-hand side is meant to indicate that 'b is the security annotation carried by the sum type. (In the type schemes below we write $\alpha$ for 'a and $\delta$ for 'b.) Our first example function computes the length of a list:
    let rec length = function
      | [] -> 0
      | _ :: l -> 1 + length l

A valid type scheme for length is $\forall[\delta \sqsubseteq \delta'].\ (\alpha, \delta)\,\mathrm{list} \to \mathrm{int}_{\delta'}$.

As expected, the result's security annotation does not depend on the type of the list's elements. The constraint $\delta \sqsubseteq \delta'$ describes the information flow induced by the function: the length of a list contains some information about its structure. This type scheme is in fact equivalent to $\forall[\,].\ (\alpha, \delta)\,\mathrm{list} \to \mathrm{int}_\delta$, a simplification which our implementation performs automatically.
    let rec iter f = function
      | [] -> ()
      | x :: l -> f x; iter f l

iter applies f successively to every element of a list. Its inferred type scheme is

$$\forall[\pi_0 \sqcup \delta \sqcup \sqcup\rho \sqsubseteq \pi].\ (\alpha \xrightarrow{\pi\,[\rho]} \beta) \to (\alpha, \delta)\,\mathrm{list} \xrightarrow{\pi_0\,[\rho]} \mathrm{unit}$$

Here, $\rho$ represents f's effect. Because iter does not throw any exceptions of its own, $\rho$ is also iter's effect. $\pi$ is f's pc parameter. It must dominate iter's own pc parameter $\pi_0$ (because f is invoked by iter), the list's security level $\delta$ (because gaining control tells f that the list is nonempty) and $\sqcup\rho$ (because gaining control tells f that its previous invocation terminated normally).
    let incr r =
      r := !r + 1

incr has $\forall[\pi \sqcup \delta \sqsubseteq \delta'].\ \mathrm{int}_{\delta'}\,\mathrm{ref}_\delta \xrightarrow{\pi\,[\,]} \mathrm{unit}$ as principal type scheme. Indeed, by e-Assign, the security level of the reference's contents must dominate both incr's pc parameter and the reference's own security level. We now re-implement length in imperative style:

    let length' l =
      let count = ref 0 in
      iter (fun () -> incr count) l;
      !count

We obtain $\forall[\,].\ (\alpha, \delta)\,\mathrm{list} \xrightarrow{\pi\,[\,]} \mathrm{int}_{\pi \sqcup \delta}$. This appears more restrictive than length's type scheme: the result's security level must now be greater than or equal to the function's pc parameter. However, the difference is only superficial; it can be checked that both types in fact have the same expressive power. Formalizing this claim, and understanding its consequences, are left for future work. We continue with a few library functions which deal with association lists.
    let rec mem_assoc x = function
      | [] -> false
      | (y, _) :: l ->
          if x = y then true else mem_assoc x l

the structure of the list and the keys stored in it, we obtain:

$$\forall[\alpha \rhd \delta].\ \alpha \to (\alpha \times \beta, \delta)\,\mathrm{list} \to \mathrm{bool}_\delta$$

The constraint $\alpha \rhd \delta$, which arises due to the use of polymorphic equality, specifies that $\delta$ must be an upper bound for all security annotations which occur in the type of the keys.

    let rec assoc x = function
      | [] -> raise Not_found
      | (y, d) :: l -> if x = y then d else assoc x l

assoc returns the piece of data associated with a given key. If no such key exists, Not_found is raised, as reflected in assoc's effect:

$$\forall[\alpha \rhd \delta;\ \delta \lhd \beta;\ \delta \sqsubseteq \delta'].\ \alpha \to (\alpha \times \beta, \delta)\,\mathrm{list} \xrightarrow{\delta'\,[\mathrm{Not\_found} : \delta';\ \rho]} \beta$$

Here, as in mem_assoc, $\delta$ represents the information associated with the list's structure and keys. Because this information is reflected both in assoc's normal and exceptional results, the type system requires $\delta \lhd \beta$ and $\delta \sqsubseteq \delta'$.

Lastly, we re-implement mem_assoc in terms of assoc, using an exception handler:

    let mem_assoc' x l =
      try
        let _ = assoc x l in
        true
      with Not_found ->
        false

As in the case of length vs. length', the new type scheme requires the result's security level to be greater than or equal to the function's pc parameter:

$$\forall[\alpha \rhd \delta].\ \alpha \to (\alpha \times \beta, \delta)\,\mathrm{list} \xrightarrow{\pi\,[\,]} \mathrm{bool}_{\pi \sqcup \delta}$$

This betrays the fact that the function's implementation uses effects, but does not otherwise restrict its applicability.
10 Discussion

The reader may notice that normal and exceptional results are not dealt with in a symmetric way by our type system. Indeed, in a typing judgement $pc; \Gamma; M \vdash e : t\,[r]$, the row $r$ associates a security level with every exception name, so as to record how much information is gained by observing that particular exception. However, no information level is explicitly associated with normal termination. Instead, the typing rule for sequential composition, namely e-Bind, uses $\sqcup r$ as an approximation of it.

Myers' [10, 11] sets of path labels $X$, on the other hand, record the security level associated with normal termination under a special label $n$, which is then used in the sequential composition rule. It is, however, typically an upper bound for the value reached by $pc$ inside every sub-expression of the expression at hand, so this design alone would make the type system very restrictive. To prevent that, Myers adds a non-syntax-directed rule, the single-path rule, stating that $X[n]$ can be reset to $\emptyset$ if the expression at hand can be shown to always terminate normally.

when all entries in $r_1$ are Abs, then $\sqcup r_1$ is the least element of $L$, and e-Bind typechecks $e_1$ and $e_2$ at a common $pc$, as desired. Myers' system is more precise than ours in a few cases, which involve expressions that never terminate normally; experience will tell how common they are. The single-path rule requires counting the number of non-Abs entries in a row; in the presence of row variables, this requires new (and quite heavy) constraint forms, which is why we avoid it. This difficulty does not arise in Myers' framework because it relies on Java's explicit, monomorphic throws clauses.

There exists a simple monadic encoding of exceptions into sums. Thus, it is possible, in principle, to derive a type system for exceptions out of a type system that can handle sums. This approach sounds interesting, because it is systematic and promises to yield a symmetric treatment of normal vs. exceptional results. However, some experiments show that, in order to obtain acceptable precision in the end, the treatment of sums that is chosen as a starting point must be very accurate (much more so than the one given in this paper). We leave it as a topic of future research.

Our main direction for future work is to create a full implementation of the system on top of Caml-Light and to assess its usability through a number of case studies. We also plan to study a variant of Core ML where exceptions are second-class citizens, i.e. where raise x is disallowed. In exchange for this slight loss of expressive power, we hope to be able to use a simpler type and constraint language.
References

[1] Martín Abadi, Anindya Banerjee, Nevin Heintze, and Jon G. Riecke. A core calculus of dependency. In Conference Record of the 26th ACM Symposium on Principles of Programming Languages, pages 147–160, San Antonio, Texas, January 1999. URL: http://www.soe.ucsc.edu/~abadi/Papers/flowpopl.ps.

[2] Martín Abadi, Butler Lampson, and Jean-Jacques Lévy. Analysis and caching of dependencies. In Proceedings of the 1996 ACM SIGPLAN International Conference on Functional Programming, pages 83–91, Philadelphia, Pennsylvania, May 1996. URL: http://www.soe.ucsc.edu/~abadi/Papers/make-preprint.ps.

[3] D. E. Bell and Leonard J. LaPadula. Secure computer systems: Unified exposition and Multics interpretation. Technical Report MTR-2997, The MITRE Corp., Bedford, Massachusetts, July 1975. URL: http://www.mitre.org/resources/centers/infosec/infosec.html.

[4] Dorothy E. Denning. Cryptography and Data Security. Addison-Wesley, Reading, Massachusetts, 1982.

[5] Manuel Fähndrich. BANE: A Library for Scalable Constraint-Based Program Analysis. PhD thesis, University of California at Berkeley, 1999. URL: http://research.microsoft.com/~maf/diss.ps.

[6] Cormac Flanagan, Amr Sabry, Bruce F. Duba, and Matthias Felleisen. The essence of compiling with continuations. In Proceedings of the SIGPLAN '93 Conference on Programming Language Design and Implementation, pages 237–247, June 1993. URL: http://www.cs.rice.edu/CS/PLT/Publications/pldi93-fsdf.ps.gz.

[7] … and security models. In Proceedings of the 1982 IEEE Symposium on Security and Privacy, pages 11–20, April 1982.

[8] Nevin Heintze and Jon G. Riecke. The SLam calculus: Programming with secrecy and integrity. In Conference Record of the 25th ACM Symposium on Principles of Programming Languages, pages 365–377, San Diego, California, January 1998. URL: http://cm.bell-labs.com/cm/cs/who/nch/slam.ps.

[9] Xavier Leroy, Damien Doligez, et al. The Caml Light system, release 0.74. URL: http://caml.inria.fr/, 1997.

[10] Andrew C. Myers. JFlow: practical mostly-static information flow control. In Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 228–241, San Antonio, Texas, January 1999. ACM Press. URL: http://www.cs.cornell.edu/andru/papers/popl99/myers-popl99.ps.gz.

[11] Andrew C. Myers. Mostly-Static Decentralized Information Flow Control. PhD thesis, Massachusetts Institute of Technology, January 1999. Technical Report MIT/LCS/TR-783. URL: http://www.cs.cornell.edu/andru/release/tr783.ps.gz.

[12] Martin Odersky, Martin Sulzmann, and Martin Wehr. Type inference with constrained types. Theory and Practice of Object Systems, 5(1):35–55, 1999. URL: http://www.cs.mu.oz.au/~sulzmann/publications/tapos.ps.

[13] François Pessaux and Xavier Leroy. Type-based analysis of uncaught exceptions. ACM Transactions on Programming Languages and Systems, 22(2):340–377, 2000. URL: http://pauillac.inria.fr/~xleroy/publi/exceptions-toplas.ps.gz.

[14] François Pottier. Wallace: an efficient implementation of type inference with subtyping, February 2000. URL: http://pauillac.inria.fr/~fpottier/wallace/.

[15] François Pottier. A semi-syntactic soundness proof for HM(X). Research Report 4150, INRIA, March 2001. URL: ftp://ftp.inria.fr/INRIA/publication/RR/RR-4150.ps.gz.

[16] François Pottier and Sylvain Conchon. Information flow inference for free. In Proceedings of the Fifth ACM SIGPLAN International Conference on Functional Programming (ICFP'00), pages 46–57, September 2000. URL: http://pauillac.inria.fr/~fpottier/publis/fpottier-conchon-icfp00.ps.gz.

[17] François Pottier and Vincent Simonet. Information flow inference for ML. Full version. URL: http://pauillac.inria.fr/~fpottier/publis/fpottier-simonet-popl02-long.ps.gz, July 2001.

[18] Jakob Rehof. Minimal typings in atomic subtyping. In Conference Record of the 24th ACM Symposium on Principles of Programming Languages, pages 278–291, Paris, France, January 1997. URL: http://research.microsoft.com/~rehof/popl97.ps.

[19] … tension of ML. In Carl A. Gunter and John C. Mitchell, editors, Theoretical Aspects Of Object-Oriented Programming. Types, Semantics and Language Design. MIT Press, 1993. URL: ftp://ftp.inria.fr/INRIA/Projects/cristal/Didier.Remy/taoop1.ps.gz.

[20] Martin Sulzmann, Martin Müller, and Christoph Zenger. Hindley/Milner style type systems in constraint form. Research Report ACRC-99-009, University of South Australia, School of Computer and Information Science, July 1999. URL: http://www.ps.uni-sb.de/~mmueller/papers/hm-constraints.ps.gz.

[21] Dennis Volpano and Geoffrey Smith. A type-based approach to program security. Lecture Notes in Computer Science, 1214:607–621, April 1997. URL: http://www.cs.nps.navy.mil/people/faculty/volpano/papers/tapsoft97.ps.Z.

[22] Dennis Volpano, Geoffrey Smith, and Cynthia Irvine. A sound type system for secure flow analysis. Journal of Computer Security, 4(3):167–187, 1996. URL: http://www.cs.nps.navy.mil/people/faculty/volpano/papers/jcs96.ps.Z.

[23] Andrew K. Wright. Simple imperative polymorphism. Lisp and Symbolic Computation, 8(4):343–356, December 1995. URL: http://www.cs.rice.edu/CS/PLT/Publications/lasc95-w.ps.gz.

[24] Andrew K. Wright and Matthias Felleisen. A syntactic approach to type soundness. Information and Computation, 115(1):38–94, November 1994. URL: http://www.cs.rice.edu/CS/PLT/Publications/ic94-wf.ps.gz.

[25] Steve Zdancewic and Andrew C. Myers. Secure information flow and CPS. In David Sands, editor, Proceedings of the 2001 European Symposium on Programming (ESOP'01), Lecture Notes in Computer Science. Springer Verlag, April 2001. URL: http://www.cs.cornell.edu/zdanc/lincont.ps.