FRANÇOIS POTTIER and VINCENT SIMONET
INRIA
This paper presents a type-based information flow analysis for a call-by-value λ-calculus equipped with references, exceptions and let-polymorphism, which we refer to as Core ML. The type system is constraint-based and has decidable type inference. Its noninterference proof is reasonably light-weight, thanks to the use of a number of orthogonal techniques. First, a syntactic segregation between values and expressions allows a lighter formulation of the type system. Second, noninterference is reduced to subject reduction for a nonstandard language extension. Lastly, a semi-syntactic approach to type soundness allows dealing with constraint-based polymorphism separately.
Categories and Subject Descriptors: F.3.2 [Logics and Meanings of Programs]: Semantics of Programming Languages: Operational semantics; Program analysis; F.3.3 [Logics and Meanings of Programs]: Studies of Program Constructs: Control primitives; Functional constructs; Type structure; D.4.6 [Operating Systems]: Security and Protection: Information flow controls
General Terms: Languages, Security, Theory
1. INTRODUCTION
Information flow analysis consists in statically determining how a program's outputs are related to its inputs, i.e. how the former depend, directly or indirectly, on the latter. This allows establishing secrecy or integrity properties of a program, i.e. proving that some aspects of its behavior convey no information about those of its inputs deemed "secret", or remain independent of those deemed "unreliable". These properties are instances of noninterference [Goguen and Meseguer 1982]: they state the absence of certain dependencies.
Because information flow analysis is complex and error-prone, it must be automated. During the past few years, several researchers have advocated its formulation as a type system. Then, existing type inference techniques provide automation, while type signatures provide concise, formal security specifications.
Our interest is in designing, and proving correct, a type-based information flow analysis for (the kernel of) a realistic, sequential programming language. (In the presence of concurrency, the termination of a process is observable by other processes, creating new ways to leak information and requiring more restrictive type systems. Hence, it appears reasonable to first experiment with information flow control in a sequential setting.) To date, most formal results obtained in this area concern extremely simplified programming languages. Several papers address pure λ-calculi [Heintze and Riecke 1998; Abadi et al. 1999; Pottier and Conchon 2000]. Volpano et al. [Volpano et al. 1996; Volpano and Smith 1997b] study a core imperative programming language, where all variables store integers. Volpano and Smith [Volpano and Smith 1997a] also study a language equipped with a fatal (non-catchable) exception, corresponding to failure of arithmetic operations. Banerjee and Naumann [Banerjee and Naumann 2002] deal with a fragment of Java, which includes classes and methods. Standing in sharp contrast, Myers [Myers 1999a; 1999b] considers the full Java language, including objects, exceptions, parameterized classes, etc. However, he does not give a formal proof of correctness; indeed, our formal approach uncovered a couple of flaws in his type system, which are described in the conference version of this paper [Pottier and Simonet 2002a].
Authors' address: INRIA, B.P. 105, 78153 Le Chesnay Cedex, France.
Permission to make digital/hard copy of all or part of this material without fee for personal or classroom use provided that the copies are not made or distributed for profit or commercial advantage, the ACM copyright/server notice, the title of the publication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers, or to redistribute to lists requires prior specific permission and/or a fee.
In an attempt to bridge the gap, we consider a call-by-value λ-calculus equipped with let-polymorphism, products and sums, references, exceptions, and generic primitive operations. (These last appear only in Section 7.) We refer to it as Core ML, because of its similarity with Wright and Felleisen's Core ML [Wright and Felleisen 1994]. In our version, however, exception names have global scope, and neither exception names nor exceptions are first-class values. Our calculus is very close to the core of the functional programming language Caml-Light [Leroy et al. 1997]. We endow it with a polymorphic, constraint-based type system, called mlif, which has decidable type inference and guarantees noninterference.
A (monomorphic) treatment of references in a higher-order language can be found in [Zdancewic and Myers 2001; 2002]. Exceptions have been studied by Myers [Myers 1999a; 1999b] for Java. However, Myers' treatment relies on Java's explicit, monomorphic throws clauses, whereas our type system uses a more flexible, polymorphic effect analysis, giving rise to issues discussed in Section 10. The combination of references, exceptions and constrained let-polymorphism, as well as our use of a standard subject reduction technique to establish noninterference, are novel. Our use of unannotated product types and our treatment of generic primitive operations (such as polymorphic equality), which require custom constraint forms, are also original contributions of this paper.
This paper is a revised and extended version of [Pottier and Simonet 2002a]. The main novelty with respect to the conference version resides in our decision to make exceptions second-class entities, rather than first-class values. This simplifies the type system, by allowing several notions to be suppressed; namely, exception types, alternatives, and conditional constraints. (More explanations are given in Section 5.4.) Eliminating conditional constraints, in particular, makes it more straightforward to design an efficient constraint solving procedure, and helps infer more readable types. We believe that the loss of expressiveness associated with this design decision remains minimal. Another improvement consists in a more detailed description of constraint solving, including a correctness proof.
2. OVERVIEW
Type systems are typically used to establish safety properties, i.e. prove that a certain invariant holds throughout the execution of a program. Type safety is such a property. However, noninterference [Goguen and Meseguer 1982] requires two independent program runs, given different inputs, to yield the same output. As a result, its proof is often more delicate.
Abadi et al. [Abadi et al. 1996] devised a labeled operational semantics of the λ-calculus, where the labels attached to a term indicate how much information it carries. Executing a program under such a semantics amounts to performing a dynamic dependency analysis along with the actual computation. Pottier and Conchon [Pottier and Conchon 2000] later showed how static, type-based dependency analyses could be systematically derived, and proven safe, from such a labeled semantics.
Unfortunately, in a programming language with side effects, it is possible to leak information through the absence of a certain effect. Indeed, consider the program fragment "if x = 1 then y := 1". If, after executing this statement, y isn't 1, then x cannot be 1 either. Thus, in that case, execution transfers information about x to y, even though no assignment takes place, since the statement y := 1 is skipped. It appears difficult for a labeled semantics to account for the effect of code that is not executed; so, the approach must be reconsidered.
Direct noninterference proofs, although straightforward for simple programming languages [Volpano et al. 1996], become increasingly complex in the presence of advanced features such as dynamic memory allocation, higher-order functions, and type polymorphism. A noninterference proof can be viewed as a bisimulation proof. For this reason, it requires manipulating a large, and often cumbersome, invariant: see e.g. [Zdancewic and Myers 2001]. To avoid this pitfall, we break our proof down into several independent steps. First, we define a special-purpose extension of the language, which allows explicit reasoning about the commonalities and differences between two arbitrary program configurations, and prove it adequate in a certain sense. Then, we define a type system for this extended language, and prove that it enjoys a subject reduction property. Lastly, we show that noninterference for the base language is a consequence of these results. In other words, we reduce the initial problem to subject reduction (a safety property) for our special-purpose language. The bisimulation invariant is thus expressed in the type system itself, making it easier to reason about.
In keeping with the ML tradition, our type system has let-polymorphism and type inference. In addition to structure, our types describe effects and security levels; polymorphism allows writing code that is generic with respect to all three. Type inference is indispensable, because our types are verbose, and because information flow often occurs in unexpected ways. Because we employ subtyping (as well as other forms of constraints), our type inference system is constraint-based. Yet, if type generalization, instantiation, and constraint manipulation were part of the type system from the outset, our subject reduction proof would be significantly obfuscated. To work around this problem, we adopt a semi-syntactic approach [Pottier 2001], which again consists in breaking down the construction into two steps. First, we present a system equipped with an extensional form of polymorphism, whose formal treatment is unintrusive. Then, we build a constraint-based system in the style of HM(X) [Odersky et al. 1999], which we prove correct with respect to the former.
We now proceed as follows. We first present the syntax of Core ML (Section 3). Then, we introduce our extension of Core ML, which we refer to as "Core ML²", give an operational semantics for both languages at once, and show how they relate to each other (Section 4). Section 5 introduces mlif₀, a type system for Core ML², and establishes subject reduction. Combining these results, we obtain a noninterference property for Core ML (Section 6). In Section 7, we extend the language with generic primitive operations. Culminating our development, Section 8 presents mlif, a constraint-based type system which we prove correct with respect to mlif₀. We show that constraint solving is decidable, allowing type inference. Section 9 lists some example programs with their types. Lastly, we discuss a few design alternatives in Section 10.

$v ::= x \mid () \mid k \mid \mathrm{fix}\,f.\lambda x.e \mid m \mid (v, v) \mid \mathrm{inj}_j\, v$
$a ::= v \mid \mathrm{raise}\ \varepsilon\ v$
$e ::= a \mid v\ v \mid \mathrm{ref}\ v \mid v := v \mid\ !v \mid \mathrm{proj}_j\, v \mid v\ \mathrm{case}\ x\ e\ e \mid \mathrm{let}\ x = v\ \mathrm{in}\ e \mid E[e]$
$E ::= \mathrm{bind}\ x = [\,]\ \mathrm{in}\ e \mid [\,]\ \mathrm{handle}\ \varepsilon\ x\ e \mid [\,]\ \mathrm{handle}\ e\ \mathrm{done} \mid [\,]\ \mathrm{handle}\ e\ \mathrm{raise} \mid [\,]\ \mathrm{finally}\ e$

Fig. 1. The syntax of Core ML
3. CORE ML
Let $k$ range over integers; let $x$, $m$ range over disjoint denumerable sets of program variables, and memory locations, respectively; let $j$ range over $\{1, 2\}$. Let $\varepsilon$ range over a denumerable set $E$ of exception names. Then, values, answers, expressions and evaluation contexts are defined as in Figure 1.
Values include variables, a unit constant, integers, λ-abstractions, memory locations, pairs, and applications of an injection. An abstraction $\mathrm{fix}\,f.\lambda x.e$ may recursively refer to itself through the program variable $f$. (This is done merely to avoid introducing a separate fix-point combinator. We write $\lambda x.e$ when $f$ does not appear free in $e$.) Answers represent completed computations; they are either values or uncaught exceptions of the form $\mathrm{raise}\ \varepsilon\ v$. An expression is an answer, a so-called basic expression, a let construct, or another expression enclosed within an evaluation context.
Basic expressions include function applications, instances of three primitive operations, which allow allocating, updating, and dereferencing memory cells, pair projections, and sum elimination (case) constructs. They are built out of values, rather than out of arbitrary sub-expressions. This syntactic restriction, which is reminiscent of Flanagan et al.'s A-normal forms [Flanagan et al. 1993], offers a number of advantages. First and foremost, it enables a much lighter formulation of our type-and-effect system. Indeed, because values have no computational effect, a basic expression's components now contribute nothing to its effect. Furthermore, it allows our system to remain independent of the evaluation strategy, i.e. of the choice of left-to-right vs. right-to-left evaluation order. User programs, expressed in a more liberal syntax, must be translated down into our restricted syntax before they can be analyzed. Different evaluation strategies are then implemented by different translation schemes. We will come back to this point in Section 5.6.
The let construct $\mathrm{let}\ x = v\ \mathrm{in}\ e$ has the same meaning as the basic expression $(\mathrm{fix}\,f.\lambda x.e)\ v$ (where $f$ is not free in $e$). However, as usual in ML [Wright and Felleisen 1994], the let keyword directs the type checker to give $x$ polymorphic type. Following Wright [Wright 1995], we require the binding to contain a value $v$, rather than an arbitrary sub-expression, so as to avoid unsoundness in the presence of imperative features. As a result, let constructs do not appear among evaluation contexts.
Evaluation contexts provide glue to combine expressions and specify their evaluation order. The expression $\mathrm{bind}\ x = e_1\ \mathrm{in}\ e_2$ evaluates $e_1$, binds $x$ to its value, then evaluates $e_2$. The bind keyword does not request type generalization; it merely expresses sequentiality. Our decision of making let and bind separate constructs emphasizes this distinction. We write $e_1; e_2$ for $\mathrm{bind}\ x = e_1\ \mathrm{in}\ e_2$, where $x$ does not occur in $e_2$.
The remaining evaluation contexts offer a variety of ways of handling exceptions. If the expression in the hole reduces to $\mathrm{raise}\ \varepsilon\ v$, then $[\,]\ \mathrm{handle}\ \varepsilon\ x\ e$ binds $x$ to $v$ and evaluates $e$; otherwise, it has no effect. The context $[\,]\ \mathrm{handle}\ e\ \mathrm{done}$ is analogous, but catches every exception, regardless of its name. It does not bind a variable, because exceptions are not values. The context $[\,]\ \mathrm{handle}\ e\ \mathrm{raise}$ also catches every exception, and executes the handler $e$; then, however, it lets the answer $\mathrm{raise}\ \varepsilon\ v$ escape, instead of completing normally. Lastly, the context $[\,]\ \mathrm{finally}\ e$ always executes $e$, regardless of the answer produced by the expression in the hole, before proceeding; it is similar to Lisp's unwind-protect and Java's try-finally constructs.
Why do we provide so many distinct ways of handling exceptions? The explanation lies in our decision to make exceptions second-class entities: an exception is not a value, so a variable cannot be bound to an exception, and raising an exception requires its name $\varepsilon$ to be statically specified. This design choice will be motivated in Section 5.4. To mitigate the loss in expressiveness, we must provide enough context forms to cover all common programming idioms.
We do not yet give an operational semantics for Core ML, because we view it as a fragment of Core ML², which we define in the next section.
4. CORE ML²
4.1 Presentation
Non-interference requires reasoning about two programs and proving that they share some sub-terms throughout execution. To make such reasoning easier, we choose to represent them as a single term of an extended language, called Core ML², rather than as a pair of Core ML terms. The extension is as follows:

$v ::= \ldots \mid \langle v \mid v \rangle \mid \mathrm{void}$
$a ::= \ldots \mid \langle a \mid a \rangle$
$e ::= \ldots \mid \langle e \mid e \rangle$
The Core ML² term $\langle e_1 \mid e_2 \rangle$ is intended to encode the pair of Core ML terms $(e_1, e_2)$. It is important to note that brackets can appear at an arbitrary depth within a term. For instance, if $v$ is a Core ML value, then $\langle v_1 \mid v_2 \rangle\ v$ and $\langle v_1\ v \mid v_2\ v \rangle$ both encode the pair $(v_1\ v, v_2\ v)$. The former, however, is more informative, because it explicitly records the fact that the application node and its argument $v$ are shared, while the latter doesn't. We do not allow nesting $\langle\cdot \mid \cdot\rangle$ constructs, because that would not make sense given our intended interpretation; so, the sub-terms of such a construct must be Core ML terms.
The correspondence between Core ML and Core ML² is made explicit by means of two projection functions $\lfloor \cdot \rfloor_i$, where $i$ ranges over $\{1, 2\}$. These functions satisfy $\lfloor \langle e_1 \mid e_2 \rangle \rfloor_i = e_i$ and are homomorphisms on other expression forms.
Before giving more definitions, let us give a hint of how Core ML² allows keeping track of the differences between two Core ML programs throughout execution. For instance, let us consider the function $\lambda x.0$. Clearly, its result does not reveal any information about its argument, since it is a constant. Indeed, the type system which we will present in the following claims that this function maps "secret" inputs to "public" outputs. Now, in order to prove that the type system is correct, we must establish a noninterference result: for all integers $k_1$ and $k_2$, the programs $e_1 = (\lambda x.0)\ k_1$ and $e_2 = (\lambda x.0)\ k_2$ yield the same value. To do so, we encode these two programs into a single Core ML² term, namely $e = (\lambda x.0)\ \langle k_1 \mid k_2 \rangle$. Its two projections are the original Core ML programs: for $i \in \{1, 2\}$, $\lfloor e \rfloor_i$ is $e_i$. Note that the "secret" inputs $k_1$ and $k_2$ appear under brackets in $e$, while the structure common to $e_1$ and $e_2$, namely the application of $\lambda x.0$, is shared, that is, it appears outside the brackets. According to Core ML²'s operational semantics, which we will describe further on, the composite term $(\lambda x.0)\ \langle k_1 \mid k_2 \rangle$ reduces to the Core ML² term $0$. The fact that this term does not contain any brackets is sufficient to ensure that its two projections coincide, that is, the original programs $e_1$ and $e_2$ both produce the same result. The noninterference proof developed in this paper (Theorem 15) is based on the same approach: we will prove that, under appropriate typing hypotheses, the result of a Core ML² reduction sequence does not contain any brackets.
The reduction sequence $(\lambda x.0)\ \langle k_1 \mid k_2 \rangle \rightarrow 0$, which we described above, is extremely simple. In general, however, reductions in Core ML² can be much more complex: several of its reduction rules must lift brackets when they block reduction. For instance, because the application $\langle \lambda x.x \mid \lambda x.0 \rangle\ 1$ is not a β-redex, it must be taken care of by a reduction rule other than (β). We introduce a new rule, (lift-app), which reduces it to $\langle (\lambda x.x)\ 1 \mid (\lambda x.0)\ 1 \rangle$. Note that this step affects neither projection, so it has no computational content: by moving brackets, it only keeps track of information flow. Each side of the new term is now a β-redex, allowing reduction to proceed: we obtain $\langle (\lambda x.x)\ 1 \mid (\lambda x.0)\ 1 \rangle \rightarrow^{*} \langle 1 \mid 0 \rangle$.
4.2 Stores and configurations
The meaning of memory locations is given by a store $\sigma$, i.e. a partial map from memory locations to values. We write $\sigma[m \mapsto v]$ for the store which maps $m$ to $v$ and otherwise agrees with $\sigma$; when this notation is used to allocate a fresh location, it is defined only if $m \notin \mathrm{dom}(\sigma)$. We need to keep track of sharing not only between expressions, but also between stores. However, distinct stores may have distinct domains. To account for this fact, we introduce a special constant $\mathrm{void}$. By creating bindings of the form $m \mapsto \langle v \mid \mathrm{void} \rangle$ and $m \mapsto \langle \mathrm{void} \mid v \rangle$ in the store, we represent situations where a memory location $m$ is bound within only one of the two Core ML expressions encoded by a Core ML² term.
A configuration $e/\sigma^i$ is a triple of an expression $e$, a store $\sigma$, and an index $i \in \{\bullet, 1, 2\}$, whose purpose is explained in Section 4.3. It is stuck if it is irreducible and $e$ isn't an answer. It is successful if $e$ is an answer. We write $e/\sigma$ for $e/\sigma^\bullet$.
To guarantee that brackets cannot become nested during reduction and that $\mathrm{void}$ is used exclusively in store bindings, as described above, we must introduce a couple of technical notions, whose definitions one may wish to skip upon first reading. A configuration $e/\sigma^i$ is well-formed if the following conditions hold:
— $e$ does not contain $\mathrm{void}$; furthermore, if $i \in \{1, 2\}$, then $e$ is a Core ML expression;
— for every $m \in \mathrm{dom}(\sigma)$, $\sigma(m)$ is of the form $v$, $\langle v \mid \mathrm{void} \rangle$ or $\langle \mathrm{void} \mid v \rangle$, where $v$ does not contain $\mathrm{void}$.
Furthermore, we consider a memory location $m$ to be bound within $e$ and $\sigma$ according to the following rules:
— if $\sigma(m)$ is of the form $\langle v \mid \mathrm{void} \rangle$ (resp. $\langle \mathrm{void} \mid v \rangle$), then:
  — $m$ is in scope within the left (resp. right) branch of every $\langle\cdot \mid \cdot\rangle$ construct in $\sigma$;
  — if $i = \bullet$, then $m$ is in scope within the left (resp. right) branch of every $\langle\cdot \mid \cdot\rangle$ construct in $e$; if $i = 1$ (resp. $i = 2$), then $m$ is in scope within $e$;
— otherwise, $m$ is in scope everywhere within $e$ and $\sigma$.
A configuration $e/\sigma^i$ is closed if all occurrences of memory locations in it are in scope. We restrict our attention to well-formed, closed configurations. (We let the interested reader check that this subset of configurations is stable under the reduction rules introduced in Section 4.3.) We identify configurations up to consistent renamings of memory locations.
The projection functions are extended to stores as follows: $\lfloor \sigma \rfloor_i$ maps $m$ to $\lfloor \sigma(m) \rfloor_i$ if and only if the latter is defined and isn't $\mathrm{void}$. Lastly, the projection of a configuration is defined by $\lfloor e/\sigma \rfloor_i = \lfloor e \rfloor_i / \lfloor \sigma \rfloor_i$.
4.3 Semantics
The small-step operational semantics of Core ML² is given in Figure 2. The first two groups of reduction rules are those of Core ML, with a few technical twists explained below. The rules in the third group are specific to Core ML²; they allow discarding sharing information if reduction cannot otherwise take place. The rules in the fourth group allow reduction under a context.
The rules are designed so that the image of any reduction step through a projection function is again a valid reduction step. Reduction may take place outside brackets, causing both projections to perform the same reduction step; inside brackets, letting one projection progress independently, while the other remains stationary; or lift up the bracket boundary, discarding some sharing information, while leaving both projections unchanged.
The capture-free substitution of $v$ for $x$ in $e$, written $e[x \leftarrow v]$, is defined in the usual way, except at $\langle\cdot \mid \cdot\rangle$ nodes, where we must use an appropriate projection of $v$ in each branch: $\langle e_1 \mid e_2 \rangle[x \leftarrow v]$ is $\langle e_1[x \leftarrow \lfloor v \rfloor_1] \mid e_2[x \leftarrow \lfloor v \rfloor_2] \rangle$.
Roughly speaking, the rules in the first two groups are applicable under any context. However, (ref), (assign) and (deref) need a small amount of contextual information. Indeed, the store must be accessed in a context-dependent manner: reductions which take place inside a $\langle\cdot \mid \cdot\rangle$ construct must use or affect only one projection of the store. The index $i$ carried by configurations is used for this purpose. Its value is $\bullet$ when dealing with top-level reduction steps; it is made $1$ (resp. $2$) by rule (bracket) when reducing within the left (resp. right) branch of a $\langle\cdot \mid \cdot\rangle$ construct. It is used in the auxiliary functions $\mathrm{new}_i$, $\mathrm{update}_i$ and $\mathrm{read}_i$ to access the store in an appropriate way.

Basic reductions
$(\mathrm{fix}\,f.\lambda x.e)\ v / \sigma^i \rightarrow e[x \leftarrow v][f \leftarrow \mathrm{fix}\,f.\lambda x.e] / \sigma^i$  (β)
$\mathrm{ref}\ v / \sigma^i \rightarrow m / (\sigma[m \mapsto \mathrm{new}_i\, v])^i$  (ref)
$m := v / \sigma^i \rightarrow () / (\sigma[m \mapsto \mathrm{update}_i\, \sigma(m)\, v])^i$  (assign)
$!m / \sigma^i \rightarrow \mathrm{read}_i\, \sigma(m) / \sigma^i$  (deref)
$\mathrm{proj}_j\, (v_1, v_2) / \sigma^i \rightarrow v_j / \sigma^i$  (proj)
$(\mathrm{inj}_j\, v)\ \mathrm{case}\ x\ e_1\ e_2 / \sigma^i \rightarrow e_j[x \leftarrow v] / \sigma^i$  (case)
$\mathrm{let}\ x = v\ \mathrm{in}\ e / \sigma^i \rightarrow e[x \leftarrow v] / \sigma^i$  (let)

Sequencing
$\mathrm{bind}\ x = v\ \mathrm{in}\ e / \sigma^i \rightarrow e[x \leftarrow v] / \sigma^i$  (bind)
$\mathrm{raise}\ \varepsilon\ v\ \mathrm{handle}\ \varepsilon\ x\ e / \sigma^i \rightarrow e[x \leftarrow v] / \sigma^i$  (handle)
$\mathrm{raise}\ \varepsilon\ v\ \mathrm{handle}\ e\ \mathrm{done} / \sigma^i \rightarrow e / \sigma^i$  (handle-done)
$\mathrm{raise}\ \varepsilon\ v\ \mathrm{handle}\ e\ \mathrm{raise} / \sigma^i \rightarrow e;\ \mathrm{raise}\ \varepsilon\ v / \sigma^i$  (handle-raise)
$a\ \mathrm{finally}\ e / \sigma^i \rightarrow e;\ a / \sigma^i$  (finally)
$E[a] / \sigma^i \rightarrow a / \sigma^i$  (pop)  if $E$ handles neither $\lfloor a \rfloor_1$ nor $\lfloor a \rfloor_2$

Lifting
$\langle v_1 \mid v_2 \rangle\ v / \sigma \rightarrow \langle v_1\ \lfloor v \rfloor_1 \mid v_2\ \lfloor v \rfloor_2 \rangle / \sigma$  (lift-app)
$\langle v_1 \mid v_2 \rangle := v / \sigma \rightarrow \langle v_1 := \lfloor v \rfloor_1 \mid v_2 := \lfloor v \rfloor_2 \rangle / \sigma$  (lift-assign)
$!\langle v_1 \mid v_2 \rangle / \sigma \rightarrow \langle !v_1 \mid\ !v_2 \rangle / \sigma$  (lift-deref)
$\mathrm{proj}_j\, \langle v_1 \mid v_2 \rangle / \sigma \rightarrow \langle \mathrm{proj}_j\, v_1 \mid \mathrm{proj}_j\, v_2 \rangle / \sigma$  (lift-proj)
$\langle v_1 \mid v_2 \rangle\ \mathrm{case}\ x\ e_1\ e_2 / \sigma \rightarrow \langle v_1\ \mathrm{case}\ x\ \lfloor e_1 \rfloor_1\ \lfloor e_2 \rfloor_1 \mid v_2\ \mathrm{case}\ x\ \lfloor e_1 \rfloor_2\ \lfloor e_2 \rfloor_2 \rangle / \sigma$  (lift-case)
$E[\langle a_1 \mid a_2 \rangle] / \sigma \rightarrow \langle \lfloor E \rfloor_1[a_1] \mid \lfloor E \rfloor_2[a_2] \rangle / \sigma$  (lift-context)  if none of the sequencing rules applies

Reduction under a context
$\dfrac{e/\sigma^i \rightarrow e'/\sigma'^i}{E[e]/\sigma^i \rightarrow E[e']/\sigma'^i}$  (context)
$\dfrac{e_i/\sigma^i \rightarrow e'_i/\sigma'^i \qquad e_j = e'_j \qquad \{i, j\} = \{1, 2\}}{\langle e_1 \mid e_2 \rangle/\sigma \rightarrow \langle e'_1 \mid e'_2 \rangle/\sigma'}$  (bracket)

Auxiliary functions
$\mathrm{new}_\bullet\, v = v$ $\qquad$ $\mathrm{update}_\bullet\, v\, v' = v'$ $\qquad$ $\mathrm{read}_\bullet\, v = v$
$\mathrm{new}_1\, v = \langle v \mid \mathrm{void} \rangle$ $\qquad$ $\mathrm{update}_1\, v\, v' = \langle v' \mid \lfloor v \rfloor_2 \rangle$ $\qquad$ $\mathrm{read}_1\, v = \lfloor v \rfloor_1$
$\mathrm{new}_2\, v = \langle \mathrm{void} \mid v \rangle$ $\qquad$ $\mathrm{update}_2\, v\, v' = \langle \lfloor v \rfloor_1 \mid v' \rangle$ $\qquad$ $\mathrm{read}_2\, v = \lfloor v \rfloor_2$

Fig. 2. Operational semantics of Core ML²
The rules in the second group describe how answers (i.e. values and exceptions) are handled or propagated by evaluation contexts. We say that $E$ handles $a$ if and only if $E[a]$ can be reduced via a sequencing rule other than (pop).
The rules in the third group have no computational content: they leave both projections unchanged. Their purpose is to prevent $\langle\cdot \mid \cdot\rangle$ constructs from blocking reduction, which is done by lifting them up, thus causing some sub-terms to be duplicated, but allowing reduction to proceed independently within each branch. For instance, the left-hand expression in (lift-app) is not a β-redex. In its reduct, the application node and the sub-term $v$ are duplicated, allowing two β-redexes to appear. A somewhat analogous rule appears in the semantics of Abadi et al.'s labeled λ-calculus [Abadi et al. 1996]. To understand the significance of the "lift" rules, one must bear in mind that the contents of every $\langle\cdot \mid \cdot\rangle$ construct will be viewed as "secret". By causing new sub-terms to become secret during reduction, these rules actually provide an explicit description of information flow.
The $\langle\cdot \mid \cdot\rangle$ construct is reminiscent of the fork node introduced by Field and Teitelbaum to perform incremental reduction of λ-terms [Field and Teitelbaum 1990]. In fact, (lift-app) is one of their reduction rules. However, the details differ; in particular, we work with terms, whereas Field and Teitelbaum consider graphs, allowing a redex to be shared between two projections of a term.
Our design attempts to discard as little sharing information as possible; indeed, replacing all of the "lift" rules with the single rule $e \rightarrow \langle \lfloor e \rfloor_1 \mid \lfloor e \rfloor_2 \rangle$, while computationally correct, would cause the type system to view every expression as "secret". Yet, the reduction rules of Core ML² are not canonical: we have imagined a number of slight variations that work equally well. This is a common defect of purely syntactic proof techniques. This point should not be taken too seriously: Core ML² is a technical device, whose sole purpose is to prove a particular type system sound. One may wonder how general this syntactic approach is. We do not have a definite answer, although we have used it successfully in different settings [Pottier 2002; Simonet 2002].
4.4 Relating Core ML² to Core ML
We now show that Core ML² is an appropriate tool to reason simultaneously about the execution of two Core ML programs. This is expressed by two properties. First, as explained above, the image of a valid reduction through projection remains a valid reduction. Conversely, if both projections of a term can be reduced to a successful configuration, then so can the term itself.
Lemma 1. Let $i \in \{1, 2\}$. If $e/\sigma^i \rightarrow e'/\sigma'^i$, then $e/\lfloor \sigma \rfloor_i \rightarrow e'/\lfloor \sigma' \rfloor_i$.
Proof. By inspection of (ref), (assign) and (deref).
Lemma 2 (Soundness). Let $i \in \{1, 2\}$. If $e/\sigma \rightarrow e'/\sigma'$, then $\lfloor e/\sigma \rfloor_i$ reduces to $\lfloor e'/\sigma' \rfloor_i$ in at most one step.
Proof. By inspection of the reduction rules and by Lemma 1.
Lemma 3. If $e/\sigma$ is stuck, then $\lfloor e/\sigma \rfloor_i$ is stuck for some $i \in \{1, 2\}$.
Proof. By induction on the structure of $e$.
◦ Cases $e = v$, $e = \mathrm{ref}\ v$, $e = (\mathrm{let}\ x = v\ \mathrm{in}\ e')$, $e = \mathrm{raise}\ \varepsilon\ v$. $e/\sigma$ is not stuck.
◦ Case $e = v_1\ v_2$. Because neither (β) nor (lift-app) is applicable, $v_1$ cannot be of the form $\langle v_{11} \mid v_{12} \rangle$ or $\mathrm{fix}\,f.\lambda x.e'$. As a result, for any $i \in \{1, 2\}$, $\lfloor v_1 \rfloor_i$ cannot be of the form $\mathrm{fix}\,f.\lambda x.e'$. It follows that $\lfloor e/\sigma \rfloor_i$ is stuck.
◦ Cases $e = (v_1 := v_2)$, $e = \ !v$, $e = \mathrm{proj}_j\, v$, $e = v\ \mathrm{case}\ x\ e_1\ e_2$ are similar to the previous case.
◦ Case $e = E[e_1]$. $e_1/\sigma$ must be irreducible, otherwise, by (context), $e/\sigma$ would be reducible. Let us temporarily assume that $e_1$ is an answer $a$. Then, $E$ does not handle $a$, otherwise $E[a]$ would be reducible via one of the sequencing rules. If $a$ were of the form $\langle a_1 \mid a_2 \rangle$, then clearly $E[a]$ would be reducible via either one of the sequencing rules or (lift-context). So, $a$ must be of the form $v$ or $\mathrm{raise}\ \varepsilon\ v$, which, considering that $E$ does not handle $a$, implies that $E$ handles neither $\lfloor a \rfloor_1$ nor $\lfloor a \rfloor_2$. As a result, (pop) must be applicable, a contradiction.
So, $e_1$ is not an answer, which implies that $e_1/\sigma$ is stuck. By induction hypothesis, $\lfloor e_1/\sigma \rfloor_i$ is stuck, for some $i \in \{1, 2\}$. By inspection of the reduction rules, so is $F[\lfloor e_1 \rfloor_i]/\lfloor \sigma \rfloor_i$, for any Core ML evaluation context $F$; in particular, so is $\lfloor E[e_1] \rfloor_i/\lfloor \sigma \rfloor_i$, which is $\lfloor e/\sigma \rfloor_i$.
◦ Case $e = \langle e_1 \mid e_2 \rangle$. Assume $e/\sigma$ is stuck. By (bracket), both $e_1/\sigma^1$ and $e_2/\sigma^2$ are irreducible. Because $e$ isn't an answer, there exists $i \in \{1, 2\}$ such that $e_i$ isn't an answer. As a result, $e_i/\sigma^i$ is stuck. It follows that $e_i/\lfloor \sigma \rfloor_i$ is stuck as well.
Lemma 4 (Completeness). Assume $\lfloor e/\sigma \rfloor_i \rightarrow^{*} a_i/\sigma'_i$ for all $i \in \{1, 2\}$. Then, there exists a configuration $a/\sigma'$ such that $e/\sigma \rightarrow^{*} a/\sigma'$.
Proof. To begin, let us establish that $e/\sigma$ does not admit an infinite reduction sequence. We first notice that no infinite reduction sequence can consist exclusively of instances of the "lift" reduction rules. (Indeed, each of these rules moves some $\langle\cdot \mid \cdot\rangle$ constructor strictly closer to the term's root.) Furthermore, these are the only rules which leave both projections of a configuration unchanged. In light of this remark, if $e/\sigma$ admits an infinite reduction sequence, then Lemma 2 yields an infinite reduction sequence out of $\lfloor e/\sigma \rfloor_i$, for some $i \in \{1, 2\}$. However, this is impossible, because both $\lfloor e/\sigma \rfloor_1$ and $\lfloor e/\sigma \rfloor_2$ can be reduced to normal forms, and the semantics of the Core ML fragment is deterministic.
So, $e/\sigma$ reduces to an irreducible configuration. Let us temporarily assume that it is stuck. Then, by Lemma 3, at least one of its projections is stuck, which implies, by Lemma 2, that $\lfloor e/\sigma \rfloor_i$ reduces to a stuck configuration, for some $i \in \{1, 2\}$, a contradiction. Thus, $e/\sigma$ reduces to a successful configuration.
Our completeness result requires both projections to converge; it is not applicable if one of them diverges. Indeed, define $e$ as $\mathrm{bind}\ x = \langle \Omega \mid 0 \rangle\ \mathrm{in}\ 0$, where $\Omega$ is a nonterminating expression. Its right projection is $\mathrm{bind}\ x = 0\ \mathrm{in}\ 0$, which reduces to $0$; yet, $e$ cannot be reduced to any term whose right projection is $0$, because $e$ only reduces to itself. Such a formulation of completeness will naturally lead us to establish a weak noninterference result, whereby two programs can be guaranteed to yield the same result only if they both terminate. We do not aim at a strong noninterference result, because it would make little sense to plug information leaks related to termination without attacking timing leaks in general. Furthermore, such a result might require a much more restrictive type system.
In essence, the completeness lemma guarantees that we have provided enough "lift" rules to allow reducing all meaningful Core ML² expressions. In the next section, each of these rules will add one case to our subject reduction proof, forcing us to ensure that our type system accounts for all possible kinds of information flow.
5. TYPING CORE ML²
We now give a type system, called mlif₀, for Core ML². It is a ground type system: it has no type variables and deals with polymorphism in a simple, abstract way. As a result, it does not describe an algorithm; we address this issue in Section 8.
Throughout the paper, every occurrence of $\_$ stands for a distinct anonymous meta-variable of appropriate kind.
5.1 Types
Let $(L, \le)$ be a lattice whose elements, denoted by $\ell$ and $p$, represent security levels. (Following Denning [Denning 1982], we typically use the meta-variable $p$, rather than $\ell$, when considering information obtained by observing the value of the "program counter".) We write $\bot$ and $\top$ for $L$'s least and greatest elements, respectively. Types and rows are then defined as follows:

$t ::= \mathrm{unit} \mid \mathrm{int}^{\ell} \mid (t \xrightarrow{p\,[r]} t)^{\ell} \mid t\ \mathrm{ref}^{\ell} \mid t \times t \mid (t + t)^{\ell}$
$r ::= \{\varepsilon \mapsto p\}_{\varepsilon \in E}$

These are the types of ML's type system, decorated with extra security annotations. A row $r$ is an infinite, quasi-constant family of security levels, indexed by $E$. (A family is quasi-constant if all but a finite number of its entries are equal.) We write $(\varepsilon : p;\ r)$ for the row whose element at index $\varepsilon$ is $p$ and whose other elements are given by the sub-row $r$, which is indexed by $E \setminus \{\varepsilon\}$. We write $p$ for the constant row which maps every exception name to $p$. We write $\sqcup r$ for $\sqcup_{\varepsilon \in E}\, r(\varepsilon)$.
The type $\mathrm{int}^{\ell}$ describes integer expressions whose value may reflect information of security level $\ell$.
Function types carry several security annotations. The annotation $\ell$ represents information about the function's identity. When the function is applied, part of this information may be reflected in its result or in other aspects of its behavior (i.e. in its effect); as a result, their security level will be made $\ell$ or greater. The annotation $p$ tells how much information is associated with the knowledge that this function gains control. To avoid leaking this information, the function will be allowed to write into memory cells, or to raise exceptions, only at level $p$ or greater. In other words, the annotation $p$ represents a lower bound on the level of the function's effects. The annotations $\ell$ and $p$ are standard, and can be found (under different names) e.g. in Heintze and Riecke's work [Heintze and Riecke 1998]. We correct a slight oversight on their part, however, by noticing that $p$ can be made contravariant, rather than invariant (see Section 5.2). In Section 10, we will suggest merging the annotations $\ell$ and $p$; we keep them distinct in the bulk of the paper.
In addition, every function type carries an effect $[r]$. For every exception name $\varepsilon$, the security level $r(\varepsilon)$ indicates how much information is gained by observing that the function raises an exception named $\varepsilon$. Following Myers [Myers 1999a; 1999b], we associate a distinct security level with every exception name, so as to obtain better precision. Our rows are closely related to Myers' sets of path labels $X$; see Section 10 for more details. The reader may notice that rows do not record the type of exception arguments. Indeed, as in ML, we make exceptions monomorphic by assuming given a fixed mapping $\mathrm{typexn}$ from exception names to types. This decision makes function types much more compact.
Referenetypesarryoneannot ation`, whih representsinf ormat ionaboutt he
ref erene'sidentity, i.e.about itsad dress. Inform ationaboutitsont ent sisfou nd
withint heparametert.
int
( [℄
!)
ref
( +)
f "7!g
" 2E
Fig .3. S ubty pin g
`Cun it
`` 0
`Cin t
` 0
`` 0
`C( [℄
! )
` 0
`` 0
`Cref
` 0
`Ct1 `Ct2
`Ct
1 t
2
`` 0
`C(+)
` 0
Fig.4 . Gu ard s
Beauset hereisonl yoneval ueoftypeunit,thevalueofaunitexpressionyieldsno
inf ormat ionwhatsoever. Asaresult,itwou ldbesuperuousfort heunittypeon-
strutortoarryaseuritylevel. Sim ilarly, produttypesarry noseurityann o-
tation,beause,int heabseneofaphysialequalityoperatorsu hasCam l-Light's
==, all of the inf ormat ion arried by atupl e is in fat arriedby itsomponents.
Thus,webreaktheonventi on,estab lish edinanumberofpreviouspapers[Heintze
andRieke1998;Potti erand Conhon 2000℄,th atall typesshould beoft he f orm
`
. Thisd esigndeision,whihweexpettoh el predueverbosity,hasimp liations
ononstraintsolving,asexplainedinS et ion5. 2.
Sum types arry a seu rity annot ation `, whih reets how muh information
thetagarries,i.e.h owmuhinf ormationisobtainedbydeterminingwhethert he
valuewasbuiltu singaleftorrightinjetion.
5.2 Subtyping and guards

We equip types and rows with a subtyping relation $\le$, which extends the partial order $(L, \le)$. It is defined by the axioms in Figure 3. The axiom $\mathit{int}^{+}$ is a compact version of the assertion $\mathit{int}^{\ell_1} \le \mathit{int}^{\ell_2} \iff \ell_1 \le \ell_2$. In other words, it states that $\mathit{int}$'s parameter is covariant. The other axioms are to be understood similarly; $+$, $-$ and $=$ represent covariant, contravariant and invariant parameters, respectively. The last axiom extends subtyping to rows, point-wise and covariantly. The use of subtyping in information flow control is ubiquitous [Bell and LaPadula 1975; Denning 1982; Volpano and Smith 1997b; Heintze and Riecke 1998] and appears essential, because it allows building a directed view of the program's information flow graph, yielding better precision than a unification-based analysis.

Figure 4 defines the binary predicate $\lhd$, which relates a security level and a type. In short, the assertion $\ell \lhd t$ (read: $\ell$ guards $t$) requires $t$ to have security level $\ell$ or greater, and is used to record a potential information flow. This is similar to Abadi et al.'s "$t$ is protected at level $\ell$" [Abadi et al. 1999]. In systems where every type constructor carries a security annotation [Heintze and Riecke 1998; Pottier and Conchon 2000], $\lhd$ would be syntactic sugar for $\le$. Indeed, every instance of it would then be of the form $\ell \lhd \_^{\,\ell'}$ and equivalent to $\ell \le \ell'$. Here, the situation is more complex, because unit and product types carry no annotation. As a result, $\lhd$ constraints must receive a treatment of their own during constraint solving; see Section 8.5.

For any given $\ell$ and $t$, there exists a (minimal) supertype $t'$ of $t$ such that $\ell \lhd t'$ holds. Thus, the presence of $\ell \lhd t$ among a typing rule's premises usually cannot irremediably prevent the application of that rule: the premise can be satisfied by first promoting $t$ to $t'$ using the subtyping rule. One exception is e-Assign (see Figure 6), where $t$ cannot be promoted to a supertype because it appears as an invariant argument to the $\mathit{ref}$ type constructor.

The predicate $\lhd$ interacts nicely with subtyping:

Lemma 5. If $\ell' \le \ell$ and $\ell \lhd t$ and $t \le t'$ then $\ell' \lhd t'$.

Proof. $\ell \lhd t$ is equivalent to $\ell \le \mathit{level}(t)$, for an appropriate function $\mathit{level}$, whose defining clauses include $\mathit{level}(\mathit{unit}) = \top$ and $\mathit{level}(t_1 \times t_2) = \mathit{level}(t_1) \sqcap \mathit{level}(t_2)$. Furthermore, $\mathit{level}$ is covariant in its argument. The result follows.
5.3 Typing judgements

A polytype $s$ is a nonempty set of types. By abuse of notation, a type $t$ may be viewed as a polytype $\{t\}$. A polytype environment $\Gamma$ is a partial mapping from program variables to polytypes. A memory environment $M$ is a partial mapping from memory locations to types.

We distinguish two forms of typing judgements: one deals with values only, the other with arbitrary expressions. Because values are normal forms, they have no side effects, so the first judgement form is quite simple:

$$\Gamma; M \vdash v : t$$

(We write $\Gamma; M \vdash v : s$ if and only if $\Gamma; M \vdash v : t$ holds for all $t \in s$.) On the other hand, expressions do produce side effects, so the second judgement form is more elaborate:

$$p;\ \Gamma; M \vdash e : t\ [r]$$

The assumption $p$ again tells how much information is associated with the knowledge that $e$ is evaluated; it is a lower bound on the level of its effects. It is standard [Volpano and Smith 1997b; Heintze and Riecke 1998]. The row $r$ tells how much information one obtains by observing exceptions escape out of $e$.

Two extra judgement forms are employed to reason about stores: $M \vdash \mu$, and configurations: $\vdash e/\mu : t\ [r]$. These are analogous to those found in e.g. [Pottier 2001]. We omit $\Gamma$ and $M$ in a judgement when they are empty.

Even though the security lattice $(L, \le)$ is arbitrary, we wish to establish a temporary dichotomy between "low" and "high" security levels. (This distinction will be eliminated in Section 6.) In the present section, we assume $H$ is a fixed, upward-closed subset of $L$, and view levels inside (resp. outside) $H$ as "high" (resp. "low"). Because noninterference is about two expressions that differ only in "high"-level sub-terms, our type system will require expressions of the form $\langle e_1 \mid e_2 \rangle$, which we use to encode the differences between two CoreML expressions, to have "high"-security result and side effects. (See v-Bracket and e-Bracket in Figures 5 and 6.) This will be our only use of $H$ in this section.
5.4 Typing rules

We now comment on the typing rules, given in Figures 5 and 6. v-Unit and v-Int assign base types to constants. v-Void allows typing values of the form $\langle v \mid \mathit{void} \rangle$ or $\langle \mathit{void} \mid v \rangle$ by pretending $\mathit{void}$ has the same type as $v$. v-Loc and v-Var assign types to memory locations and to variables by looking up the appropriate environment. Note that $\Gamma(x)$ is a polytype, of which v-Var selects an arbitrary instance. As usual in type-and-effect systems, v-Abs records, on top of the $\to$ type constructor, information about the function's side effects. v-Pair is entirely standard. In v-Inj, $(t_1 +_j t_2)^{\ell}$ stands for $(t_j + t_i)^{\ell}$, where $i$ and $j$ are 1 and 2, not necessarily in that order, i.e. $\{i, j\} = \{1, 2\}$. v-Bracket requires the components of a $\langle \cdot \mid \cdot \rangle$ construct to have a common type, which must have "high" security level, i.e. be guarded by some (arbitrary) element of $H$. v-Sub is standard.

$$\text{v-Unit}\ \ \Gamma; M \vdash () : \mathit{unit} \qquad \text{v-Int}\ \ \Gamma; M \vdash k : \mathit{int}^{\ell} \qquad \text{v-Void}\ \ \Gamma; M \vdash \mathit{void} : t$$

$$\text{v-Loc}\ \ \Gamma; M \vdash m : M(m)\ \mathit{ref}^{\ell} \qquad \text{v-Var}\ \ \frac{t \in \Gamma(x)}{\Gamma; M \vdash x : t}$$

$$\text{v-Abs}\ \ \frac{p;\ \Gamma[x \mapsto t'][f \mapsto (t' \xrightarrow{p\,[r]} t)^{\ell}];\ M \vdash e : t\ [r]}{\Gamma; M \vdash \mathtt{fix}\ f.\lambda x.e : (t' \xrightarrow{p\,[r]} t)^{\ell}}$$

$$\text{v-Pair}\ \ \frac{\Gamma; M \vdash v_1 : t_1 \quad \Gamma; M \vdash v_2 : t_2}{\Gamma; M \vdash (v_1, v_2) : t_1 \times t_2} \qquad \text{v-Inj}\ \ \frac{\Gamma; M \vdash v : t}{\Gamma; M \vdash \mathtt{inj}_j\ v : (t +_j t')^{\ell}}$$

$$\text{v-Bracket}\ \ \frac{\Gamma; M \vdash v_1 : t \quad \Gamma; M \vdash v_2 : t \quad p' \in H \quad p' \lhd t}{\Gamma; M \vdash \langle v_1 \mid v_2 \rangle : t} \qquad \text{v-Sub}\ \ \frac{\Gamma; M \vdash v : t' \quad t' \le t}{\Gamma; M \vdash v : t}$$

Fig. 5. The type system $\mathrm{mlif}_0$ (values)

e-Value allows viewing a value as an expression, and reflects the fact that values have no side effect.

e-Raise's premise checks that the exception's argument $v$ has an appropriate type, as determined by the fixed mapping $\mathit{typexn}$ and the exception name $\varepsilon$. Its conclusion ensures that the expression's effect is a row that maps $\varepsilon$ to $p$. In conjunction with e-Bind, e-Handle, e-HandleDone and e-HandleRaise, this guarantees that any code fragment which observes this exception must run at level $p$ or greater.

e-App governs function application. The security level $p$, which is an assumption in the conclusion, appears on top of the $\to$ type constructor in the premise. It represents information that flows from caller to callee, as a result of the invocation itself. Furthermore, because a function's side effects may reveal information about its identity, their level must equal or exceed the function's own security level, namely $\ell$. As a result of these remarks, the function's body must be typechecked at level $p \sqcup \ell$. Lastly, the function's result, too, may reveal information about its identity, so we require its type to be guarded by $\ell$.

e-Ref and e-Assign require $p \lhd t$ to ensure that $p$ is indeed a lower bound on the security level of the memory cell that is written. e-Assign and e-Deref require $\ell \lhd t$ to reflect the fact that writing or reading a cell may indirectly reveal information about its identity.

In e-Proj, both $p$ and $r$ are unconstrained, because pair projection has no side effect. In e-Case, the branch $e_j$, by being executed, gains information about the sum's tag, whose security level is $\ell$. As a result, it must be typechecked under the stricter security assumption $p \sqcup \ell$, and its result type $t$ must be guarded by $\ell$. This rule is a straightforward generalization of the treatment of if constructs in previous information flow analyses for imperative languages [Denning 1982; Volpano and Smith 1997b].

$$\text{e-Value}\ \ \frac{\Gamma; M \vdash v : t}{\_;\ \Gamma; M \vdash v : t\ [\_]} \qquad \text{e-Raise}\ \ \frac{\Gamma; M \vdash v : \mathit{typexn}(\varepsilon)}{p;\ \Gamma; M \vdash \mathtt{raise}\ \varepsilon\ v : \_\ [\varepsilon : p;\ \_]}$$

$$\text{e-App}\ \ \frac{\Gamma; M \vdash v_1 : (t' \xrightarrow{p \sqcup \ell\,[r]} t)^{\ell} \quad \Gamma; M \vdash v_2 : t' \quad \ell \lhd t}{p;\ \Gamma; M \vdash v_1\ v_2 : t\ [r]}$$

$$\text{e-Ref}\ \ \frac{\Gamma; M \vdash v : t \quad p \lhd t}{p;\ \Gamma; M \vdash \mathtt{ref}\ v : t\ \mathit{ref}^{\_}\ [\_]} \qquad \text{e-Assign}\ \ \frac{\Gamma; M \vdash v_1 : t\ \mathit{ref}^{\ell} \quad \Gamma; M \vdash v_2 : t \quad p \sqcup \ell \lhd t}{p;\ \Gamma; M \vdash v_1 := v_2 : \mathit{unit}\ [\_]}$$

$$\text{e-Deref}\ \ \frac{\Gamma; M \vdash v : t'\ \mathit{ref}^{\ell} \quad t' \le t \quad \ell \lhd t}{p;\ \Gamma; M \vdash\ !v : t\ [\_]} \qquad \text{e-Proj}\ \ \frac{\Gamma; M \vdash v : t_1 \times t_2}{\_;\ \Gamma; M \vdash \mathtt{proj}_j\ v : t_j\ [\_]}$$

$$\text{e-Case}\ \ \frac{\Gamma; M \vdash v : (t_1 + t_2)^{\ell} \quad \forall j \in \{1, 2\}\ \ p \sqcup \ell;\ \Gamma[x \mapsto t_j]; M \vdash e_j : t\ [r] \quad \ell \lhd t}{p;\ \Gamma; M \vdash v\ \mathtt{case}\ x \triangleright e_1 \triangleright e_2 : t\ [r]}$$

$$\text{e-Let}\ \ \frac{\Gamma; M \vdash v : s \quad p;\ \Gamma[x \mapsto s]; M \vdash e : t\ [r]}{p;\ \Gamma; M \vdash \mathtt{let}\ x = v\ \mathtt{in}\ e : t\ [r]}$$

$$\text{e-Bind}\ \ \frac{p;\ \Gamma; M \vdash e_1 : t'\ [r_1] \quad p \sqcup (\sqcup r_1);\ \Gamma[x \mapsto t']; M \vdash e_2 : t\ [r_2]}{p;\ \Gamma; M \vdash \mathtt{bind}\ x = e_1\ \mathtt{in}\ e_2 : t\ [r_1 \sqcup r_2]}$$

$$\text{e-Handle}\ \ \frac{p;\ \Gamma; M \vdash e_1 : t\ [\varepsilon : p_\varepsilon;\ r] \quad p \sqcup p_\varepsilon;\ \Gamma[x \mapsto \mathit{typexn}(\varepsilon)]; M \vdash e_2 : t\ [\varepsilon : p';\ r] \quad p_\varepsilon \lhd t}{p;\ \Gamma; M \vdash e_1\ \mathtt{handle}\ \varepsilon\ x \triangleright e_2 : t\ [\varepsilon : p';\ r]}$$

$$\text{e-HandleDone}\ \ \frac{p;\ \Gamma; M \vdash e_1 : t\ [r_1] \quad p \sqcup (\sqcup r_1);\ \Gamma; M \vdash e_2 : t\ [r_2] \quad (\sqcup r_1) \lhd t}{p;\ \Gamma; M \vdash e_1\ \mathtt{handle}\ e_2\ \mathtt{done} : t\ [r_2]}$$

$$\text{e-HandleRaise}\ \ \frac{p;\ \Gamma; M \vdash e_1 : t\ [r] \quad p \sqcup (\sqcup r);\ \Gamma; M \vdash e_2 : \_\ [\bot]}{p;\ \Gamma; M \vdash e_1\ \mathtt{handle}\ e_2\ \mathtt{raise} : t\ [r]} \qquad \text{e-Finally}\ \ \frac{p;\ \Gamma; M \vdash e_1 : t\ [r] \quad p;\ \Gamma; M \vdash e_2 : \_\ [\bot]}{p;\ \Gamma; M \vdash e_1\ \mathtt{finally}\ e_2 : t\ [r]}$$

$$\text{e-Bracket}\ \ \frac{p \sqcup p';\ \Gamma; M \vdash e_1 : t\ [r] \quad p \sqcup p';\ \Gamma; M \vdash e_2 : t\ [r] \quad p' \in H \quad (p' \lhd t) \vee (e_1\!\Uparrow) \vee (e_2\!\Uparrow)}{p;\ \Gamma; M \vdash \langle e_1 \mid e_2 \rangle : t\ [r]}$$

$$\text{e-Sub}\ \ \frac{p;\ \Gamma; M \vdash e : t'\ [r'] \quad t' \le t \quad r' \le r}{p;\ \Gamma; M \vdash e : t\ [r]}$$

$$\text{Store}\ \ \frac{\mathrm{dom}(M) = \mathrm{dom}(\mu) \quad \forall m \in \mathrm{dom}(\mu)\ \ M \vdash \mu(m) : M(m)}{M \vdash \mu} \qquad \text{Conf}\ \ \frac{p;\ \Gamma; M \vdash e : t\ [r] \quad M \vdash \mu}{\vdash e/\mu : t\ [r]}$$

Fig. 6. The type system $\mathrm{mlif}_0$ (expressions and configurations)

Because let only binds values, e-Let is nearly as simple as in ML. Note that $v$ can be given a polytype $s$, allowing $x$ to be used at different types within $e$.

In a binding construct $\mathtt{bind}\ x = e_1\ \mathtt{in}\ e_2$, the expression $e_2$ observes, if it receives control, that no exception was raised by $e_1$. To account for this information channel, e-Bind typechecks $e_2$ at a security level augmented with $\sqcup r_1$, the combined level of all exceptions which $e_1$ can potentially raise. This is a conservative approximation, which works well in the common case where $e_1$ is statically known never to raise exceptions; see Section 10 for more details.

Like e-Bind, e-Handle typechecks $e_2$ at an increased security level, reflecting the fact that, by gaining control, $e_2$ observes that $e_1$ raised an exception named $\varepsilon$. The increment is exactly $p_\varepsilon$, the security level associated with $\varepsilon$ in $e_1$'s effect, so the analysis is, in this case, quite accurate. Because the result of the handle construct may also allow determining whether the handler was executed, we require $p_\varepsilon \lhd t$. e-HandleDone is analogous; however, because this construct allows observing any exception, regardless of its name, we again use $\sqcup r_1$ as a conservative approximation of how much information is gained. Myers [Myers 1999a; 1999b] performs the same approximation. Like e-HandleDone, e-HandleRaise typechecks the handler $e_2$ at an increased level. e-Finally, on the other hand, typechecks $e_1$ and $e_2$ at the same level $p$. Indeed, because $e_2$'s invocation must occur, regardless of the answer produced by $e_1$, no information is associated with it.

Both e-HandleRaise and e-Finally require $e_2$ not to leak any information through exceptions. (This is done by requiring its effect to be the constant row $\bot$.) This design choice may seem restrictive, but we believe it strikes a good balance between expressiveness and simplicity. In the conference version of this paper [Pottier and Simonet 2002a; 2002b], we presented more general versions of these rules, whereby $e_2$ was allowed to raise arbitrary exceptions. This, however, required adding a third premise, of the form $\sqcup r_2 \le \sqcap r_1$, reflecting the fact that, if an exception raised by $e_1$ escapes, then $e_2$ must have completed successfully. This additional premise involved a form of conditional constraint, making constraint solving more intricate and yielding more complex inferred types, which is why we propose simpler versions of these rules here.
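As an added worked example (not part of the paper itself), the following derivations in $\mathrm{mlif}_0$ show how e-Case, e-Raise and e-Bind together reject an implicit flow carried by an exception, and how e-Handle restores typability once the exception is caught. Assumptions: the lattice is $L = \{\mathit{lo}, \mathit{hi}\}$ with $\mathit{lo} \le \mathit{hi}$ (so $\bot = \mathit{lo}$), $H = \{\mathit{hi}\}$, $\mathit{typexn}(\varepsilon) = \mathit{unit}$, $M = \emptyset$, and $\Gamma = [b \mapsto (\mathit{unit} + \mathit{unit})^{\mathit{hi}}][m \mapsto \mathit{int}^{\mathit{lo}}\ \mathit{ref}^{\mathit{lo}}]$, i.e. $b$ is a secret boolean and $m$ a public cell.

Let $e_1 = b\ \mathtt{case}\ x \triangleright \mathtt{raise}\ \varepsilon\ () \triangleright ()$. At level $\mathit{lo}$, e-Case requires both branches at $\mathit{lo} \sqcup \mathit{hi} = \mathit{hi}$ with a common type and effect:

$$\frac{\Gamma \vdash () : \mathit{typexn}(\varepsilon)}{\mathit{hi};\ \Gamma[x \mapsto \mathit{unit}] \vdash \mathtt{raise}\ \varepsilon\ () : \mathit{unit}\ [\varepsilon : \mathit{hi};\ \bot]}\ \text{(e-Raise)} \qquad \frac{\Gamma \vdash () : \mathit{unit}}{\mathit{hi};\ \Gamma[x \mapsto \mathit{unit}] \vdash () : \mathit{unit}\ [\varepsilon : \mathit{hi};\ \bot]}\ \text{(e-Value)}$$

$$\frac{\Gamma \vdash b : (\mathit{unit} + \mathit{unit})^{\mathit{hi}} \quad \text{(both branches above)} \quad \mathit{hi} \lhd \mathit{unit}}{\mathit{lo};\ \Gamma \vdash e_1 : \mathit{unit}\ [\varepsilon : \mathit{hi};\ \bot]}\ \text{(e-Case)}$$

The guard $\mathit{hi} \lhd \mathit{unit}$ holds by Figure 4's first axiom, and $\sqcup(\varepsilon : \mathit{hi};\ \bot) = \mathit{hi}$. Now consider $\mathtt{bind}\ y = e_1\ \mathtt{in}\ m := 1$. e-Bind's second premise must be established at $\mathit{lo} \sqcup \mathit{hi} = \mathit{hi}$, and e-Assign then demands

$$\Gamma \vdash m : \mathit{int}^{\mathit{lo}}\ \mathit{ref}^{\mathit{lo}} \qquad \Gamma \vdash 1 : \mathit{int}^{\mathit{lo}} \qquad \mathit{hi} \sqcup \mathit{lo} \lhd \mathit{int}^{\mathit{lo}},$$

and the last constraint is $\mathit{hi} \le \mathit{lo}$, which is false. Since $\mathit{int}^{\mathit{lo}}$ is the invariant argument of $\mathit{ref}$, it cannot be promoted, so the program is rejected: whether or not $m$ is written reveals $b$.

Catching the exception removes the dependency. Let $e_2 = e_1\ \mathtt{handle}\ \varepsilon\ x \triangleright ()$. e-Handle's premises are the judgement for $e_1$ above (so $p_\varepsilon = \mathit{hi}$ and the sub-row is $\bot$), the handler at level $\mathit{lo} \sqcup \mathit{hi}$ with $p'$ chosen as $\bot$, and the guard $\mathit{hi} \lhd \mathit{unit}$:

$$\frac{\mathit{lo};\ \Gamma \vdash e_1 : \mathit{unit}\ [\varepsilon : \mathit{hi};\ \bot] \quad \mathit{hi};\ \Gamma[x \mapsto \mathit{unit}] \vdash () : \mathit{unit}\ [\varepsilon : \bot;\ \bot] \quad \mathit{hi} \lhd \mathit{unit}}{\mathit{lo};\ \Gamma \vdash e_2 : \mathit{unit}\ [\bot]}\ \text{(e-Handle)}$$

Now $\sqcup \bot = \bot = \mathit{lo}$, so e-Bind's second premise is established at $\mathit{lo}$, and e-Assign's guard becomes $\mathit{lo} \sqcup \mathit{lo} \lhd \mathit{int}^{\mathit{lo}}$, which holds. Hence $\mathit{lo};\ \Gamma \vdash \mathtt{bind}\ y = e_2\ \mathtt{in}\ m := 1 : \mathit{unit}\ [\bot]$: after the handler, control no longer depends on $b$, and the public write is accepted.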
In e-HandleRaise, the effect of the whole expression, namely $r$, is exactly $e_1$'s effect, because it is known that any informative exception that escapes out of $e_1\ \mathtt{handle}\ e_2\ \mathtt{raise}$ was originally raised by $e_1$. (By "informative" exception, we mean one whose security level is strictly greater than $\bot$.) This is more precise than we could hope to achieve if this idiom was emulated in a language with first-class exceptions, by writing, say, $e_1\ \mathtt{handle}\ x \triangleright (e_2;\ \mathtt{raise}\ x)$. Indeed, in the type system given in the conference version of this paper [Pottier and Simonet 2002a], the sub-expression $\mathtt{raise}\ x$ would be typechecked at an increased security level $p \sqcup (\sqcup r)$. As a result, every exception $\varepsilon$ liable to escape out of $e_1$ would be re-raised at level $\sqcup r$, instead of its original level $r(\varepsilon)$, which would defeat the purpose of discriminating between exception names. This explains why, in this paper, we rely solely on special-purpose constructs, such as $\mathtt{handle}\ \mathtt{raise}$, and abandon first-class exceptions. (Again, in the conference paper, e-Raise involved a conditional constraint, which is no longer necessary here, because every $\mathtt{raise}$ form explicitly specifies an exception name $\varepsilon$.)

As explained earlier, e-Bracket requires both components of a $\langle \cdot \mid \cdot \rangle$ expression to have a common type, and demands that its side effects and its result be of "high" security level, i.e. guarded by an arbitrary $p' \in H$. The fourth premise, however, is slightly more general than that of v-Bracket. By definition, the auxiliary predicate $e\Uparrow$ holds if and only if the CoreML expression $e$ is of the form $\mathtt{raise}\ \varepsilon\ v$ or $\mathtt{bind}\ x = \mathtt{raise}\ \varepsilon\ v\ \mathtt{in}\ e'$ or $\mathtt{raise}\ \varepsilon\ v\ \mathtt{handle}\ e'\ \mathtt{raise}$ or $e';\ \mathtt{raise}\ \varepsilon\ v$. This syntactic criterion, which is preserved by substitution and by reduction, ensures that $e$ cannot reduce to a value, that is, $e$ must diverge or reduce to a $\mathtt{raise}$ form. There is no way, in the syntax of typing judgements, to express the knowledge that the expression at hand cannot possibly return a value; yet, the ability to keep track of such knowledge is needed, in a small number of places, for subject reduction to hold. The use of the predicate $\Uparrow$ in e-Bracket's last premise can be viewed as a cheap way of affording this expressiveness. In short, e-Bracket's last premise requires $t$ to have a "high" security level, unless it is known that one of the expressions at hand will never produce a value. This is in accordance with the fact that our noninterference result, to be given in Section 6, requires both expressions to produce values.

Rules e-Sub, Store and Conf are standard.
5.5 Subject reduction

We now give a subject reduction proof for CoreML$^2$.

Lemma 6 (Weakening). $p' \le p$ and $p;\ \Gamma; M \vdash e : t\ [r]$ imply $p';\ \Gamma; M \vdash e : t\ [r]$.

Proof. By induction on the derivation of $p;\ \Gamma; M \vdash e : t\ [r]$. By monotonicity of $\sqcup$, contravariance of $\to$ with respect to its $p$ parameter, rule v-Sub, Lemma 5, and the induction hypothesis, it is easy to check that every premise remains valid when $p$ decreases. The result follows.

Lemma 7 (Projection). Let $i \in \{1, 2\}$. If $\Gamma; M \vdash v : t$ then $\Gamma; M \vdash \lfloor v \rfloor_i : t$. If $p;\ \Gamma; M \vdash e : t\ [r]$ then $p;\ \Gamma; M \vdash \lfloor e \rfloor_i : t\ [r]$.

Proof. By induction on the input derivation. The only case of interest is that of e-Bracket, where the expression at hand is $\langle e_1 \mid e_2 \rangle$. Then, one of the first two premises is $p \sqcup p';\ \Gamma; M \vdash e_i : t\ [r]$. Lemma 6 yields $p;\ \Gamma; M \vdash e_i : t\ [r]$, as required.

Lemma 8 (Guard). If $\Gamma; M \vdash \langle v_1 \mid v_2 \rangle : t$ then there exists $p' \in H$ s.t. $p' \lhd t$.

Proof. Thanks to Lemma 5, we may assume, w.l.o.g., that the derivation of $\Gamma; M \vdash \langle v_1 \mid v_2 \rangle : t$ does not end with an instance of v-Sub. Thus, it must end with an instance of v-Bracket, among whose premises we find $p' \lhd t$ and $p' \in H$.

Lemma 9 (Store access). Let $i$ be in $\{\cdot, 1, 2\}$. Assume $\Gamma; M \vdash v : t$ and $\Gamma; M \vdash v' : t$. Then, $\Gamma; M \vdash \mathit{read}_i\ v : t$ holds. Moreover, if $i \in \{1, 2\}$, assume there exists some $p' \in H$ such that $p' \lhd t$. Then, $\Gamma; M \vdash \mathit{new}_i\ v : t$ and $\Gamma; M \vdash \mathit{update}_i\ v\ v' : t$ hold.

Proof. By definition of the functions $\mathit{new}$, $\mathit{update}$ and $\mathit{read}$ (Figure 2), by Lemma 7, by v-Void and v-Bracket.

Lemma 10 (Substitution). Assume $M \vdash v : s$. Then, $\Gamma[x \mapsto s]; M \vdash v' : t$ implies $\Gamma; M \vdash v'[x \Leftarrow v] : t$. Also, $p;\ \Gamma[x \mapsto s]; M \vdash e : t\ [r]$ implies $p;\ \Gamma; M \vdash e[x \Leftarrow v] : t\ [r]$.

Proof. Both statements are proved simultaneously, by induction.

◦ Case v-Var. If $v'$ is $x$, then the premise is $t \in s$. Thus, the hypothesis $M \vdash v : s$ implies $M \vdash v : t$, and, a fortiori, $\Gamma; M \vdash v : t$. Considering $v'[x \Leftarrow v] = v$, this was the goal. If, on the other hand, $v'$ isn't $x$, then the result stems from $\Gamma[x \mapsto s](v') = \Gamma(v')$ and $v'[x \Leftarrow v] = v'$.

◦ Case v-Abs. Then, the premise must be of the form $p';\ \Gamma[x \mapsto s][y \mapsto t'][f \mapsto t_f]; M \vdash e' : t''\ [r']$. Because typing judgements are stable under $\alpha$-conversion, we will assume, w.l.o.g., that $x$, $f$ and $y$ are distinct. Then, $\Gamma[x \mapsto s][y \mapsto t'][f \mapsto t_f]$ coincides with $\Gamma[y \mapsto t'][f \mapsto t_f][x \mapsto s]$. We conclude by applying the induction hypothesis, followed by an instance of v-Abs.

◦ Case v-Bracket. The first premise is of the form $\Gamma[x \mapsto s]; M \vdash v'_1 : t$. By Lemma 7, the hypothesis $M \vdash v : s$ implies $M \vdash \lfloor v \rfloor_1 : s$. Thus, by induction hypothesis, $\Gamma; M \vdash v'_1[x \Leftarrow \lfloor v \rfloor_1] : t$ holds. The second premise is dealt with similarly. By v-Bracket, we obtain $\Gamma; M \vdash \langle v'_1[x \Leftarrow \lfloor v \rfloor_1] \mid v'_2[x \Leftarrow \lfloor v \rfloor_2] \rangle : t$, which, considering our definition of substitution (Section 4.3), was our goal.

◦ Case e-Bracket. Similar to the case of v-Bracket. We use the fact that $\Uparrow$ is preserved by substitution, i.e. $e\Uparrow$ implies $e[x \Leftarrow v]\Uparrow$.

The other cases are immediate or analogous to one of those above.

Lemma 11 (Value). $p; M \vdash v : t\ [r]$ implies $M \vdash v : t$.

Proof. By induction on the proof of $p; M \vdash v : t\ [r]$.

◦ Case e-Value. Immediate.

◦ Case e-Sub. The result follows from the induction hypothesis and v-Sub.

◦ Case e-Bracket. The predicate $\Uparrow$ is never true of a value, so $p' \lhd t$ must hold. The result follows from the induction hypothesis and v-Bracket.

Lemma 12 (Subject reduction). Let $e/\mu \to_i e'/\mu'$. Assume $p; M \vdash e : t\ [r]$ and $M \vdash \mu$. If $i \in \{1, 2\}$, assume $p \in H$. Then, there exists a memory environment $M'$, which extends $M$, such that $p; M' \vdash e' : t\ [r]$ and $M' \vdash \mu'$.

Proof. By induction on the derivation of $e/\mu \to_i e'/\mu'$. We assume, w.l.o.g., that the derivation of $p; M \vdash e : t\ [r]$ does not end with an instance of e-Sub. As a result, it must end with an instance of the single syntax-directed rule that matches $e$'s structure.

◦ Case ($\beta$). $e$ is $(\mathtt{fix}\ f.\lambda x.e_0)\ v$. Let $\tau$ stand for $(t' \xrightarrow{p \sqcup \ell\,[r]} t)^{\ell}$. In e-App's premises, we have $M \vdash \mathtt{fix}\ f.\lambda x.e_0 : \tau$ and $M \vdash v : t'$. The former's derivation must end with an instance of v-Abs, followed by a number of instances of v-Sub. Because $\to$ is contravariant (resp. covariant) in its first and second (resp. third and fourth) parameters, applying Lemma 6 and e-Sub to v-Abs's premise yields $p;\ (x \mapsto t'';\ f \mapsto \tau'); M \vdash e_0 : t\ [r]$, for some $t''$ and $\tau'$ such that $t' \le t''$ and $\tau \le \tau'$. By v-Sub, $M \vdash v : t''$ and $M \vdash \mathtt{fix}\ f.\lambda x.e_0 : \tau'$ hold. Then, Lemma 10 yields $p; M \vdash e_0[x \Leftarrow v][f \Leftarrow \mathtt{fix}\ f.\lambda x.e_0] : t\ [r]$.

◦ Case (ref). $e$ is $\mathtt{ref}\ v$, $e'$ is $m$ and $\mu'$ is $\mu[m \mapsto \mathit{new}_i\ v]$. e-Ref's premises are $M \vdash v : t'$ and $p \lhd t'$, provided $t = t'\ \mathit{ref}^{\ell}$. By Lemma 9, these imply $M \vdash \mathit{new}_i\ v : t'$. Define $M' = M[m \mapsto t']$. According to Store, $M \vdash \mu$ implies $\mathrm{dom}(M) = \mathrm{dom}(\mu)$. Because $\mu[m \mapsto \mathit{new}_i\ v]$ is defined, $m$ isn't a member of $\mathrm{dom}(\mu)$. So, $M'$ extends $M$. Because $M'(m) = t'$, v-Loc and e-Value yield $p; M' \vdash e' : t\ [r]$. Lastly, $M \vdash \mu$ and $M \vdash \mathit{new}_i\ v : t'$ entail $M' \vdash \mu'$.

◦ Case (assign). $e$ is $m := v$ and $e'$ is $()$. e-Assign's premises are $M \vdash m : t'\ \mathit{ref}^{\ell}$ and $M \vdash v : t'$ and $p \lhd t'$. Furthermore, $t$ must be $\mathit{unit}$, which implies $p; M \vdash e' : t\ [r]$. By v-Loc, v-Sub and by invariance of the $\mathit{ref}$ type constructor, $M \vdash m : t'\ \mathit{ref}^{\ell}$ implies $M(m) = t'$. Thus, $M \vdash \mu$ entails $M \vdash \mu(m) : t'$. By Lemma 9, we have $M \vdash \mathit{update}_i\ \mu(m)\ v : t'$, which yields $M \vdash \mu'$.

◦ Case (deref). $e$ is $!m$. e-Deref's first two premises are $M \vdash m : t'\ \mathit{ref}^{\ell}$ and $t' \le t$. As above, the former entails $M \vdash \mu(m) : t'$. By Lemma 9, $M \vdash \mathit{read}_i\ \mu(m) : t'$ follows. Conclude with v-Sub and e-Value.

◦ Case (proj). $e$ is $\mathtt{proj}_j\ (v_1, v_2)$ and $e'$ is $v_j$. e-Proj's premise is $M \vdash (v_1, v_2) : t_1 \times t_2$, where $t_j$ is $t$. According to v-Pair and v-Sub, this implies $M \vdash v_j : t_j$.

◦ Case (case). $e$ is $(\mathtt{inj}_j\ v)\ \mathtt{case}\ x \triangleright e_1 \triangleright e_2$ and $e'$ is $e_j[x \Leftarrow v]$. e-Case's first premise is $M \vdash \mathtt{inj}_j\ v : (t_1 + t_2)^{\ell}$. According to v-Inj and v-Sub, this implies $M \vdash v : t_j$. This allows applying Lemma 10 to e-Case's second premise, yielding $p \sqcup \ell; M \vdash e_j[x \Leftarrow v] : t\ [r]$. The result follows by Lemma 6.

◦ Case (let). By e-Let and Lemma 10.

◦ Case (bind). $e$ is $\mathtt{bind}\ x = v\ \mathtt{in}\ e_2$ and $e'$ is $e_2[x \Leftarrow v]$. e-Bind's premises are $p; M \vdash v : t'\ [r_1]$ and $p \sqcup (\sqcup r_1);\ (x \mapsto t'); M \vdash e_2 : t\ [r_2]$, where $r_2 \le r$. By Lemma 11, the former implies $M \vdash v : t'$. By Lemma 6, the latter implies $p;\ (x \mapsto t'); M \vdash e_2 : t\ [r_2]$. By Lemma 10 and e-Sub, we obtain $p; M \vdash e_2[x \Leftarrow v] : t\ [r]$.

◦ Case (handle). $e$ is $\mathtt{raise}\ \varepsilon\ v\ \mathtt{handle}\ \varepsilon\ x \triangleright e_2$ and $e'$ is $e_2[x \Leftarrow v]$. e-Handle's first two premises are of the form $p; M \vdash \mathtt{raise}\ \varepsilon\ v : t\ [\varepsilon : p_\varepsilon;\ \_]$ and $p \sqcup p_\varepsilon;\ (x \mapsto \mathit{typexn}(\varepsilon)); M \vdash e_2 : t\ [r]$. According to e-Sub and e-Raise, the former implies $M \vdash v : \mathit{typexn}(\varepsilon)$. By Lemmas 10 and 6, this yields $p; M \vdash e_2[x \Leftarrow v] : t\ [r]$.

◦ Case (handle-done). $e$ is $a\ \mathtt{handle}\ e_2\ \mathtt{done}$ and $e'$ is $e_2$. e-HandleDone's second premise is $p \sqcup (\sqcup r_1); M \vdash e_2 : t\ [r]$. Lemma 6 yields $p; M \vdash e_2 : t\ [r]$.

◦ Cases (handle-raise), (finally). $e$ is of the form $a\ \mathtt{handle}\ e_2\ \mathtt{raise}$ or $a\ \mathtt{finally}\ e_2$, while $e'$ is $(e_2;\ a)$. e-HandleRaise or e-Finally's first premise is $p; M \vdash a : t\ [r]$. Its second premise, modulo an application of Lemma 6, is $p; M \vdash e_2 : \_\ [\bot]$. Given the identities $p \sqcup (\sqcup(\bot)) = p \sqcup \bot = p$ and $r \sqcup (\bot) = r$, e-Bind yields $p; M \vdash (e_2;\ a) : t\ [r]$.

◦ Case (pop). $e$ is $E[a]$ and $e'$ is $a$. Several sub-cases arise.

Sub-case $E = \mathtt{bind}\ x = [\,]\ \mathtt{in}\ e_2$. e-Bind's first premise is $p; M \vdash a : t'\ [r_1]$, where $r_1 \le r$. Because $E$ does not handle $a$, $a$ must be of the form $\mathtt{raise}\ \varepsilon\ v$ or $\langle \mathtt{raise}\ \varepsilon_1\ v_1 \mid \mathtt{raise}\ \varepsilon_2\ v_2 \rangle$. So, this judgement must be a consequence of e-Raise, e-Bracket and e-Sub. A derivation of identical shape can be built to establish $p; M \vdash a : t\ [r_1]$. (In the case of e-Bracket, the fourth premise is satisfied, though its first disjunct may be false, because the other two hold.) The result follows by e-Sub.

Sub-case $E = [\,]\ \mathtt{handle}\ \varepsilon\ x \triangleright e_2$. e-Handle's first premise is $p; M \vdash a : t\ [\varepsilon : p_\varepsilon;\ r']$. $a$ must be of the form $v$ or $\mathtt{raise}\ \varepsilon_0\ v$ or $\langle v_1 \mid \mathtt{raise}\ \varepsilon_2\ v_2 \rangle$ or $\langle \mathtt{raise}\ \varepsilon_1\ v_1 \mid v_2 \rangle$ or $\langle \mathtt{raise}\ \varepsilon_1\ v_1 \mid \mathtt{raise}\ \varepsilon_2\ v_2 \rangle$, where $\varepsilon_0$, $\varepsilon_1$ and $\varepsilon_2$ are distinct from $\varepsilon$. As a result, a derivation of identical shape can be built to establish $p; M \vdash a : t\ [\varepsilon : p';\ r']$, that is, $p; M \vdash a : t\ [r]$.

Sub-case $E = [\,]\ \mathtt{handle}\ e_2\ \mathtt{done}$. e-HandleDone's first premise is of the form $p; M \vdash a : t\ [\_]$. Because $a$ must be a value, Lemma 11 and e-Value yield $p; M \vdash a : t\ [r]$.

Sub-case $E = [\,]\ \mathtt{handle}\ e_2\ \mathtt{raise}$. e-HandleRaise's first premise is the goal.

◦ Case (lift-app). $e$ is $\langle v_1 \mid v_2 \rangle\ v$. Let $\tau$ stand for $(t' \xrightarrow{p \sqcup \ell\,[r]} t)^{\ell}$. e-App's premises are $M \vdash \langle v_1 \mid v_2 \rangle : \tau$ and $M \vdash v : t'$ and $\ell \lhd t$. Lemma 7 yields $M \vdash v_i : \tau$ and $M \vdash \lfloor v \rfloor_i : t'$, for $i \in \{1, 2\}$. Then, e-App yields $p \sqcup \ell; M \vdash v_i\ \lfloor v \rfloor_i : t\ [r]$. Furthermore, applying Lemma 8 to the first premise above and recalling that $H$ is upward-closed yields $\ell \in H$. Because $\ell \lhd t$, e-Bracket is applicable and yields $p; M \vdash e' : t\ [r]$.

◦ Case (lift-assign). $e$ is $\langle v_1 \mid v_2 \rangle := v$. e-Assign's premises are $M \vdash \langle v_1 \mid v_2 \rangle : t'\ \mathit{ref}^{\ell}$ and $M \vdash v : t'$ and $p \sqcup \ell \lhd t'$. As above, applying Lemma 7 and building new instances of e-Assign, we obtain $p \sqcup \ell; M \vdash v_i := \lfloor v \rfloor_i : t\ [r]$, for $i \in \{1, 2\}$. Similarly, Lemma 8 allows establishing $\ell \in H$. The result follows by e-Bracket.

◦ Case (lift-deref). $e$ is $!\langle v_1 \mid v_2 \rangle$. e-Deref's premises are $M \vdash \langle v_1 \mid v_2 \rangle : t'\ \mathit{ref}^{\ell}$ and $t' \le t$ and $\ell \lhd t$. As above, applying Lemma 7 and building new instances of e-Deref, we obtain $p \sqcup \ell; M \vdash\ !v_i : t\ [r]$, for $i \in \{1, 2\}$. Similarly, Lemma 8 yields $\ell \in H$. Lastly, by e-Bracket, we obtain $p; M \vdash \langle !v_1 \mid !v_2 \rangle : t\ [r]$.

◦ Case (lift-proj). $e$ is $\mathtt{proj}_j\ \langle v_1 \mid v_2 \rangle$. e-Proj's premise is $M \vdash \langle v_1 \mid v_2 \rangle : t_1 \times t_2$, where $t_j$ is $t$. By Lemma 8, there exists $p' \in H$ such that $p' \lhd t_1 \times t_2$, which implies, in particular, $p' \lhd t_j$. Furthermore, by Lemma 7, we have $M \vdash v_i : t_1 \times t_2$, for all $i \in \{1, 2\}$. By e-Proj, this implies $p \sqcup p'; M \vdash \mathtt{proj}_j\ v_i : t_j\ [r]$. Lastly, by e-Bracket, we obtain $p; M \vdash \langle \mathtt{proj}_j\ v_1 \mid \mathtt{proj}_j\ v_2 \rangle : t_j\ [r]$.

◦ Case (lift-case). $e$ is $\langle v_1 \mid v_2 \rangle\ \mathtt{case}\ x \triangleright e_1 \triangleright e_2$. Lemma 8, applied to e-Case's first premise, yields $\ell \in H$. By applying Lemma 7 to e-Case's first two premises and re-building new instances of e-Case, we obtain $p \sqcup \ell; M \vdash v_i\ \mathtt{case}\ x \triangleright \lfloor e_1 \rfloor_i \triangleright \lfloor e_2 \rfloor_i : t\ [r]$, for all $i \in \{1, 2\}$. e-Case's third premise is $\ell \lhd t$, which allows applying e-Bracket, yielding the goal.

◦ Case (lift-context). $e$ is $E[\langle a_1 \mid a_2 \rangle]$. If $E$ is a bind context, then, because $e$ cannot be reduced by (bind), $\langle a_1 \mid a_2 \rangle$ cannot be a value. If, on the other hand, $E$ is a handle context, then, because (pop) isn't applicable, $E$ must handle $a_1$ or $a_2$. In either case, we conclude that $a_j$ is of the form $\mathtt{raise}\ \varepsilon\ v$, for some $j \in \{1, 2\}$. Now, $e$'s typing derivation must end with an instance of e-Bind, e-Handle, e-HandleDone or e-HandleRaise, whose first premise is of the form $p; M \vdash \langle a_1 \mid a_2 \rangle : t'\ [r_1]$. Because $\langle a_1 \mid a_2 \rangle$ isn't a value, this must be a consequence of e-Sub and e-Bracket, which yields $p \sqcup \ell; M \vdash a_i : t'\ [r_1]$, for some $\ell \in H$ and for all $i \in \{1, 2\}$. In particular, taking $i = j$ and according to e-Sub and e-Raise, this implies $\ell \le r_1(\varepsilon)$, whence $\ell \le \sqcup r_1$. Thus, the security assumption in e-Bind, e-Handle, e-HandleDone or e-HandleRaise's second premise is greater than or equal to $\ell$. As a result, by applying Lemma 7 to that premise, then building new instances of e-Bind, e-Handle, e-HandleDone or e-HandleRaise, we obtain $p \sqcup \ell; M \vdash \lfloor E \rfloor_i[a_i] : t\ [r]$, for all $i \in \{1, 2\}$. There remains to apply e-Bracket. If $E$ is a bind or handle raise context, then $\lfloor E \rfloor_j[a_j]\Uparrow$ holds. If, on the other hand, $E$ is some other handle context, then $\ell \lhd t$ holds, according to e-Handle or e-HandleDone's third premise. In either case, e-Bracket's fourth premise holds.

◦ Case (bracket). $e$ is $\langle e_1 \mid e_2 \rangle$ and $e'$ is $\langle e'_1 \mid e'_2 \rangle$. We have $e_i/\mu \to_i e'_i/\mu'$ and $e_j = e'_j$, where $\{i, j\} = \{1, 2\}$. Because $\langle e_1 \mid e_2 \rangle$ isn't a value, its typing derivation must end with an instance of e-Bracket, whose first two premises are $p \sqcup p'; M \vdash e_i : t\ [r]$ and $p \sqcup p'; M \vdash e_j : t\ [r]$. Because $p' \in H$, the induction hypothesis is applicable, yielding a memory environment $M'$, which extends $M$, such that $p \sqcup p'; M' \vdash e'_i : t\ [r]$ and $M' \vdash \mu'$. Because $M'$ extends $M$, the judgement $p \sqcup p'; M' \vdash e_j : t\ [r]$ holds as well. The result follows by e-Bracket, whose fourth premise is preserved because $\Uparrow$ is preserved by reduction, i.e. for all $i \in \{1, 2\}$, $e_i\Uparrow$ implies $e'_i\Uparrow$.

◦ Case (context). $e$ is $E[e_0]$ and $e'$ is $E[e'_0]$, where $e_0/\mu \to_i e'_0/\mu'$. Applying the induction hypothesis to e-Bind, e-Handle, e-HandleDone, e-HandleRaise or e-Finally's first premise yields a version of it with $M$ and $e_0$ replaced with $M'$ and $e'_0$, where $M'$ extends $M$ and $M' \vdash \mu'$ holds. Because $M'$ extends $M$, the second premise remains valid when $M$ is replaced with $M'$. Build a new instance of e-Bind, e-Handle, e-HandleDone, e-HandleRaise or e-Finally to conclude.

The previous lemma entails the following, more abstract statement:

Theorem 13 (Subject reduction). If $\vdash e/\mu : t\ [r]$ and $e/\mu \to e'/\mu'$ then $\vdash e'/\mu' : t\ [r]$.

Proof. By Conf and Lemma 12.

We do not give a progress statement (i.e. "no well-typed configuration is stuck") because it is unrelated to our concerns; that is, it would be of no use in the noninterference proof. If desired, progress for CoreML can be established via a straightforward case analysis.
5.6 On evaluation order

As explained in Section 3, our restricted syntax is fully explicit about evaluation order. In practice, it is possible to allow a more permissive syntax, provided some evaluation strategy is fixed. For instance, if left-to-right evaluation order is chosen, then $e_1\ e_2$ (the application of an expression to another expression) is syntactic sugar for $\mathtt{bind}\ x_1 = e_1\ \mathtt{in}\ \mathtt{bind}\ x_2 = e_2\ \mathtt{in}\ x_1\ x_2$. This gives rise to the following derived typing rule:

$$\frac{p;\ \Gamma; M \vdash e_1 : (t' \xrightarrow{p \sqcup \ell \sqcup (\sqcup r_1) \sqcup (\sqcup r_2)\ [r]} t)^{\ell}\ [r_1] \qquad p \sqcup (\sqcup r_1);\ \Gamma; M \vdash e_2 : t'\ [r_2] \qquad \ell \lhd t}{p;\ \Gamma; M \vdash e_1\ e_2 : t\ [r \sqcup r_1 \sqcup r_2]}$$

Conversely, under a right-to-left evaluation strategy, the application $e_1\ e_2$ is encoded as $\mathtt{bind}\ x_2 = e_2\ \mathtt{in}\ \mathtt{bind}\ x_1 = e_1\ \mathtt{in}\ x_1\ x_2$, yielding another derived rule, that differs