Softwaretechnik. Lecture 03: Types and Type Soundness. Peter Thiemann. University of Freiburg, Germany SS 2008

Transcription

1 Softwaretechnik Lecture 03: Types and Type Soundness Peter Thiemann University of Freiburg, Germany SS 2008 Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 1 / 35

2 Table of Contents Types and Type correctness JAUS: Java-Expressions (Ausdrücke) Evaluation of expressions Type correctness Result Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 2 / 35

3 Types and Type correctness big software systems : many involved people project manager, designer, programmer,... essential : divide into components with clear defined interfaces and specifications How to divide the problem? How to divide the work? How to divide the tests? problems Are suitable libraries available? Do the components match each other? Do the components fulfill their specification? Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 3 / 35

4 Requirements Programming language/-environment has to ensure: each component implements their interfaces the implementation fulfills the specification each component is used correctly Main Problem : meet the interfaces and specifications: simplest interface : management of names Which operations does the component offer? simplest specification: types Which types do the arguments and the result of the operations have? see interfaces in Java Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 4 / 35

5 Questions Which kind of security do types provide? Which kind of errors can be detected by using types? How do we provide type safety? How can we formalize type safety? Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 5 / 35

6 JAUS: Java-Expressions (Ausdrücke) JAUS: Java-Expressions (Ausdrücke) The language specifies a subset of Java expressions x ::=... variables n ::= numbers b ::= true false truth values e ::= x n b e+e!e expressions Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 6 / 35

7 JAUS: Java-Expressions (Ausdrücke) Correct and incorrect expressions type correct expressions boolean flag;... 0 true 17+4!flag expressions with type errors int rain since April20; boolean flag;...!rain since April20 flag+1 17+(!false)!(2+3) Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 7 / 35

8 JAUS: Java-Expressions (Ausdrücke) Typing Rules for each kind of expression there exists a typing rule, that defines: if an expression is type correct how to obtain the result type of the expression from the types of the subexpressions. five kinds of expressions (at first using words): Constant numbers have type int. truth values have type boolean. The expression e 1 +e 2 has type int, if e 1 and e 2 have type int. The expression!e has type boolean, if e has type boolean. A variable x has the type, with which it was declared. Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 8 / 35

9 JAUS: Java-Expressions (Ausdrücke) Formalization of type correct expressions The language of types t ::= int boolean types Type judgment : expression e has type t e : t Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 9 / 35

10 JAUS: Java-Expressions (Ausdrücke) Formalization of Typing rules A type judgment is valid, if it is derivable according to the typing rules. To infer a valid type judgment J we use a deduction system. A deduction system consists of a set of type judgments and a set of typing rules. A typing rule (inference rule) is a pair (J 1... J n, J 0 ) which consists of a list of judgments (assumptions, J 1... J n ) and a judgment (conclusion, J 0 ) that is written as If n = 0, a rule (ε, J 0 ) is an axiom. J 1... J n J 0 Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 10 / 35

11 JAUS: Java-Expressions (Ausdrücke) Example: typing rules for JAUS numbers n has type int. (INT) truth values has type boolean. n : int (BOOL) b : boolean an expression e 1 +e 2 has type int if e 1 and e 2 has type int. (ADD) e 1 : int e 2 : int e 1 +e 2 : int an expression!e has type boolean, if e has type boolean. (NOT) e : boolean!e : boolean Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 11 / 35

12 JAUS: Java-Expressions (Ausdrücke) Derivation trees and validity A judgment is valid if a suitable derivation tree exists. A derivation tree for the judgment J is defined by J, if is an axiom J J 1... J n J, if 1... J n J J suitable for J k. is a rule and each J k is a derivation tree Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 12 / 35

13 JAUS: Java-Expressions (Ausdrücke) Example: derivation trees (INT) 0 : int is a derivation tree with judgment 0 : int. (BOOL) true : boolean is a derivation tree for true : boolean. The judgment : int holds, because of the derivation tree (ADD) (INT) (INT) 17 : int : int 4 : int Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 13 / 35

14 JAUS: Java-Expressions (Ausdrücke) Variable Programs declare variables Programs use them according to the declaration Declarations are collected in a type environment. A ::= A, x : t type environment An extended type judgment contains a type environment: The expression e has the type t in the type environment A. A e : t typing rule for variables: A variable has the type, with which it is declared. (VAR) x : t A A x : t Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 14 / 35

15 JAUS: Java-Expressions (Ausdrücke) Extension of the remaining typing rules The typing rules forward the environment. (INT) A n : int (BOOL) A b : int (ADD) A e 1 : int A e 2 : int A e 1 +e 2 : int (NOT) A!e : boolean A e : boolean Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 15 / 35

16 JAUS: Java-Expressions (Ausdrücke) Example: derivation with variable The declaration boolean flag; matches the type assumption A =, flag : boolean Hence flag : boolean A A flag : boolean A! flag : boolean Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 16 / 35

17 JAUS: Java-Expressions (Ausdrücke) Intermediate result Formal system for syntax of expressions and types (CFG, BNF) type judgments validity of type judgments Open Questions How to evaluate expressions? coherence between evaluation and type judgments Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 17 / 35

18 Evaluation of expressions Evaluation of expressions Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 18 / 35

19 Evaluation of expressions (One possible) Approach Define a binary reduction relation e e over expressions e is in relation to e (e e ) if one computational step leads from e to e. example: (5+2) Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 19 / 35

20 Evaluation of expressions Result of computations A value v is a number or a truth value. An expression can reach a value in many steps: 0 steps: 0 1 step: steps: (5+2) but! false (1+2)+false 3+false These expressions can not perform a reduction step. They correspond to runtime errors. Observation: these errors are type errors! Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 20 / 35

21 Evaluation of expressions Formalization: results and reduction steps A value is a number or a truth value. v ::= n b values one reduction step If the two operands are number, we can add the two numbers to obtain a number as result. (B-ADD) n1 + n 2 n 1 + n 2 n represents the syntactic representation of the number n. If the operand of a negation is a truth value, the negation can be performed. (B-TRUE)!true false (B-FALSE)!false true Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 21 / 35

22 Evaluation of expressions Formalization: nested expressions What happens if the operands of operations are not values? At first evaluate the subexpressions. The negation addition, first operand (B-NEG) e e!e!e (B-ADD-L) e 1 e 1 e 1 +e 2 e 1 +e 2 addition, second operand (only evaluate the second, if the first is a value) e e (B-ADD-R) v+e v+e Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 22 / 35

23 Evaluation of expressions Variable An expression that contains variables cannot be evaluated with the reduction steps. But we can eliminate the variable using substitution. This replaces the variable with a value, and then reduction is possible. Apply a substitution [v 1 /x 1,... v n /x n ] to an expression e, written as e[v 1 /x 1,... v n /x n ] changes in e each occurrence of x i to the corresponding value v i. example: (!flag)[false/flag]!false (m+n)[25/m, 17/n] Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 23 / 35

24 Type correctness Type correctness informally Type correctness: If there exists a type for an expression e, then e evaluates to a value in a finite number of steps. In particular, no runtime error happens. For the language JAUS the converse also holds (this is not correct in general, like in full Java) Prove in two steps (after Wright and Felleisen) Assume e has a type, then it holds: Progress: Either e is a value or there exists a reduction step for e. Preservation: If e e, then e and e have the same types. Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 24 / 35

25 Type correctness Progress If e : t is derivable, then e is a value or there exists e with e e. Prove Induction over the derivation tree of J = e : t. If (INT) n : int is the final step of J, then e n is a value (and t int). If (BOOL) b : boolean is the last step of J, then e b is a value (and t boolean). Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 25 / 35

26 Type correctness Progress: Addition If (ADD) e 1 : int e 2 : int is the final step of J, then it holds e 1 +e 2 : int that e e 1 +e 2 and t int. Moreover, it is derivable that e 1 : int and e 2 : int. The induction hypothesis tells us that e 1 is a value or there exists an e 1 with e 1 e 1. If e 1 e 1 holds, we obtain that e e 1+e 2 e e 1 +e 2 cause of rule (B-ADD-L). This is the desired result. In the case e 1 v 1 is a value, we concentrate on e 2 : int. The induction hypothesis says that e 2 is either a value or there exists an e 2 with e 2 e 2. In the second case we can use rule (B-ADD-R) and get: e v 1 +e 2 e v 1 +e 2. In the first case (e 2 = v 1 ), we can prove easily that v 1 n 1 and v 2 n 2 are both numbers. Hence, we can apply the rule (B-ADD) and obtain the desired e. Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 26 / 35

27 Type correctness Progress: Negation e If (NOT) 1 : boolean!e 1 : boolean is the last step of J, it holds that e!e 1 and t boolean and e 1 : boolean is derivable. Using the induction hypothesis (e 1 is a value or there exists e with e e ) there are two cases. In the case that e 1 e 1, we conclude that there exists e with e e using rule (B-NEG). If e 1 v is a value, it s easy to prove that v is a truth value. Hence, we can apply the rule (B-TRUE) or (B-FALSE). QED Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 27 / 35

28 Type correctness Preservation If e : t and e e, then e : t. Prove Induction on the derivation e e. If (B-ADD) is the reduction step, then it n1 + n 2 n 1 + n 2 holds that t int because of (ADD). We can apply (INT) to e = n 1 + n 2 and obtain the desired result n 1 + n 2 : int. If (B-TRUE)!true false is the reduction step it holds that t boolean because of (NOT). We can apply (BOOL) to e = false and get the desired result false : boolean. The case for rule B-FALSE is analoguous. Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 28 / 35

29 Type correctness Preservation: Addition e If (B-ADD-L) 1 e 1 e 1 +e 2 e 1 +e 2 obtain through e : t that is the occasion for the last step, we (ADD) e 1 : int e 2 : int e 1 +e 2 : int holds with e e 1 +e 2 and t int. From e 1 : int and e 1 e 1 it follows by induction that e 1 : int holds. Another application of (ADD) on e 1 : int and e 2 : int yields e 1 +e 2 : int. The case of rule (B-ADD-R) is analoguous. Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 29 / 35

30 Type correctness Preservation: Negation e If (B-NEG) 1 e 1!e 1!e 1 is the occasion for the last step, we get through e : t, that (NOT) e 1 : boolean!e 1 : boolean holds with e!e 1 and t boolean. From e 1 : boolean and e 1 e 1 we conclude (using induction) that e 1 : boolean holds. Another application of rule (NOT) to e 1 : boolean yields!e 1 : boolean. QED Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 30 / 35

31 Type correctness Elimination of variables throw substitution Intention If x 1 : t 1,..., x n : t n e : t and v i : t i (for all i), then it holds e[v 1 /x 1,..., v 1 /x 1 ] : t. Assertion If A, x 0 : t 0 e : t and A e 0 : t 0, then it holds A e[e 0 /x 0 ] : t. Prove Induction over derivation of A e : t with A A, x 0 : t 0. If (VAR) x : t A is the latest step of the derivation, there are two A x : t cases: Either x x 0 or not. If x x 0 holds, then e[e 0 /x 0 ] e 0. Because of the rule (VAR) is holds t t 0. Hence it holds A e 0 : t 0 (use the assumption). If x x 0, then e[e 0 /x 0 ] x and it holds x : t A. Due to (VAR) it holds A x : t. Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 31 / 35

32 Type correctness Substitution: Constants If (INT) is the latest step, it holds (INT) A n : int A n : int. If (BOOL) is the latest step, it holds A b : boolean (BOOL) A b : boolean. Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 32 / 35

33 Type correctness Substitution: Addition If (ADD) A e 1 : int A e 2 : int is the latest step, then the A e 1 +e 2 : int induction hypothesis yields A e 1 [e 0 /x 0 ] : int and A e 2 [e 0 /x 0 ] : int. Apply rule (ADD) yields A (e 1 +e 2 )[e 0 /x 0 ] : int. Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 33 / 35

34 Type correctness Substitution: Negation A e If (NOT) 1 : boolean is the latest step, the induction hypothesis A!e 1 : boolean yields A e 1 [e 0 /x 0 ] : boolean. Apply rule (NOT) yields A (!e 1 )[e 0 /x 0 ] : boolean. QED Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 34 / 35

35 Result Theorem: Soundness of JAUS If e : t, then there exists a value v with v : t and reduction steps with e e 0 and e n v. e 0 e 1, e 1 e 2,..., e n 1 e n If e contains variables, then we have to substitute them with suitable values (choose values with same types as the variables). Peter Thiemann (Univ. Freiburg) Softwaretechnik SWT 35 / 35