\titlebanner

— Technical Report —
Version 2.0: revised and extended January 2016. Initially published July 2015.

\authorinfo

Tiark Rompf ${}^{\;\ast}$ and Nada Amin^† ^∗Purdue University: {first}@purdue.edu
^†EPFL: {first.last}@epfl.ch

From F to DOT: Type Soundness Proofs with Definitional Interpreters

Abstract

Scala’s type system unifies aspects of ML modules, object-oriented, and functional programming. The Dependent Object Types (DOT) family of calculi has been proposed as a new theoretic foundation for Scala and similar expressive languages. Unfortunately, it is not clear how DOT relates to well-studied type systems from the literature, and type soundness has only been established for very restricted subsets. In fact, it has been shown that important Scala features such as type refinement or a subtyping relation with lattice structure break at least one key metatheoretic property such as environment narrowing or subtyping transitivity, which are usually required for a type soundness proof.

The first main contribution of this paper is to demonstrate how, perhaps surprisingly, even though these properties are lost in their full generality, a rich DOT calculus that includes both type refinement and a subtyping lattice with intersection types can still be proved sound. The key insight is that narrowing and subtyping transitivity only need to hold for runtime objects, but not for code that is never executed. Alas, the dominant method of proving type soundness, Wright and Felleisen’s syntactic approach, is based on term rewriting, which does not a priori make a distinction between runtime and type assignment time.

The second main contribution of this paper is to demonstrate how type soundness proofs for advanced, polymorphic, type systems can be carried out with an operational semantics based on high-level, definitional interpreters, implemented in Coq. We present the first mechanized soundness proof in this style for System F_<: and several extensions, including mutable references. Our proofs use only straightforward induction, which is another surprising result, as the combination of big-step semantics, mutable references, and polymorphism is commonly believed to require co-inductive proof techniques.

The third main contribution of this paper is to show how DOT-like calculi emerge from straightforward generalizations of the operational aspects of F_<:, exposing a rich design space of calculi with path-dependent types inbetween System F and DOT, which we collectively call System D. Armed with the insights gained from the definitional interpreter semantics, we also show how equivalent small-step semantics and soundness proofs in the style of Wright and Felleisen can be derived for these systems.

1 Introduction

Modern expressive programming languages such as Scala integrate and generalize concepts from functional programming, object oriented programming and ML-style module systems DBLP:journals/cacm/OderskyR14 . While most of these features are understood on a theoretical level in isolation, their combination is not, and the gap between formal type theoretic models and what is implemented in realistic languages is large.

In the case of Scala, developing a sound formal model that captures a relevant subset of its type system has been an elusive quest for more than a decade. After many false starts, the first mechanized soundness proof for a calculus of the DOT (Dependent Object Types) dotfool family was finally presented in 2014 DBLP:conf/oopsla/AminRO14 .

The calculus proved sound by Amin et al. DBLP:conf/oopsla/AminRO14 is $\mu$ DOT, a core calculus that distills the essence of Scala’s objects that may contain type members in addition to methods and fields, along with path-dependent types, which are used to access such type members. $\mu$ DOT models just these two features–records with type members and type selections on variables–and nothing else. This simple system already captures some essential programming patterns, and it has a clean and intuitive theory. In particular, it satisfies the intuitive and mutually dependent properties of environment narrowing and subtyping transitivity, which are usually key requirements for a soundness proof.

Alas, Amin et al. also showed that adding other important Scala features such as type refinement, mixin composition, or just a bottom type breaks at least one of these properties, which makes a soundness proof much harder to come by.

The first main contribution of this paper is to demonstrate how, perhaps surprisingly, even though these properties are lost in their full generality, a richer DOT calculus that includes both type refinement and a subtyping lattice with full intersection and union types can still be proved sound. The key insight is that narrowing and subtyping transitivity only need to hold for types assigned to runtime objects, but not for arbitrary code that is never executed.

But how can we leverage this insight in a type safety proof? The dominant method of proving type soundness, Wright and Felleisen’s syntactic approach DBLP:journals/iandc/WrightF94 , relies on establishing a type preservation (or subject reduction) property of a small-step operational semantics based on term rewriting, which does not distinguish terms given by the programmer from (partially) reduced terms resulting from prior reductions. The cornerstone of most soundness proofs is a substitution lemma that establishes type preservation of function application via $\beta$ -reduction. But in the case of DOT, this very property does not hold!

Among the many desirable properties of the syntactic approach to type soundness is its generality: almost anything can be encoded as a term rewriting system, and dealt with in the same uniform way using ordinary inductive techniques, as opposed to requiring different and complicated proof techniques for different aspects of the semantics (state, control, concurrency, …) DBLP:journals/iandc/WrightF94 . But the downside is that few realistic languages actually preserve types across arbitrary substitutions, and that no realistic language implementation actually proceeds by term rewriting. Thus, coaxing the syntax, reduction relation, and type assigment rules to enable subject reduction requires ingenuity and poses the question of adequacy: are we really formalizing the language we think we do?

In this paper, we present a different approach. Our second main contribution is to demonstrate how type soundness for advanced, polymorphic, type systems can be proved with respect to an operational semantics based on high-level, definitional interpreters, implemented directly in a total functional language like Coq. While this has been done before for very simple, monomorphic, type systems siek3lemmas ; DBLP:conf/icfp/Danielsson12 , we are the first to demonstrate that, with some additional machinery, this approach scales to realistic, polymorphic type systems that include subtyping, abstract types, and types with binders.

Our proofs use only straightforward induction, even if we add features like mutable references. This in itself is a surprising result, as the combination of big-step semantics, mutable references, and polymorphism is commonly believed to require co-inductive proof techniques.

We develop our mechanization of DOT gradually: we first present a mechanized soundness proof for System F_<: based on a definitional interpreter that includes type values as runtime objects. Perhaps surprisingly, many of the DOT challenges already arise in this simpler setting, in particular because F_<: already requires relating abstract types across contexts at runtime.

From there, as our third main contribution, we illustrate how DOT-like calculi emerge as generalizations of the static typing rules to fit the operational typing aspects of the F_<: based system—in some cases almost like removing artifical restrictions. By this, we put DOT on a firm theoretical foundation based on existing, well-studied, type systems, and we expose a rich design space of calculi with path-dependent types inbetween System F and DOT, which we collectively call System D.

Based on the development of the definitional interpreter semantics, we also show how equivalent rewriting semantics and soundness proofs in the style of Wright and Felleisen can be derived for these systems.

We believe that this angle, taking the runtime aspects of (abstract and even polymorphic) types as a starting point of investigation, is an interesting but not very well developed approach that nicely complements the more traditional ‘start from static terms’ approach and may lead to interesting novel type system developments. A key take-away is that the static aspects of a type system most often serve to erect abstraction boundaries (e.g. to enforce representation independence), whereas the dynamic aspects of a type system must serve to relate types across such abstraction boundaries.

The paper is structured around the three main contributions:

•

We present the first sound calculus of the DOT family that includes type refinement and a subtyping lattice with intersection and union types: first informally with examples (Section 2), then formally (Section 3), and we discuss the key properties that make a soundness proof difficult (Section 4).
•

We discuss liminations of the syntactic approach to soundness and demonstrate that a proof strategy based on high-level definitional interpreters (Section 5) scales to advanced polymorphic type systems, presenting the first soundness proof for F_<: in this style (Section 6).
•

We demonstrate how DOT emerges through extensions of F_<:, and we present new foundations for DOT through newly discovered intermediate systems such as D_<:, which may also be of independent interest (Section 7). Finally, we derive equivalent reduction semantics and soundness proofs from the definitional interpreter construction (Section 8).

We discuss related work in Section 9 and offer concluding remarks in Section 10. Our mechanizations of F_<:, D_<:, DOT, and their variations are available from:

http://github.com/tiarkrompf/minidot

2 Types in Scala and DOT

Scala is a large language that combines features from functional programming, object-oriented programming and module systems. Scala unifies many of these features (e.g. objects, functions, and modules) DBLP:journals/cacm/OderskyR14 but still contains a large set of distinct kinds of types. These can be broadly classified troubleWithTypes into modular types:

⬇

named type: scala.collection.BitSet

compound type: Channel with Logged

refined type: Channel { def close(): Unit }

And functional types :

⬇

parameterized type: List[String]

existential type: List[T] forSome { type T }

higher-kinded type: List

While this variety of types enables programming styles appealing to programmers with different backgrounds (Java, ML, Haskell, …), not all of them are essential. Further unification and an economy of concepts can be achieved by reducing functional to modular types as follows:

⬇

class List[Elem] {}

\rightarrow

class List { type Elem }

List[String]

\rightarrow

List { type Elem = String }

List[T] forSome { type T }

\rightarrow

List

\rightarrow

List

This unification is the main thrust of the calculi of the DOT family. A further thrust is to replace Scala’s compound types A with B with proper intersection types A & B. Before presenting our DOT variant in a formal setting in Section 3, we introduce the main ideas with some high-level programming examples.

Objects and First Class Modules

In Scala and in DOT, every piece of data is conceptually an object and every operation a method call. This is in contrast to functional languages in the ML family that are stratified into a core language and a module system. Below is an implementation of a functional list data structure:

⬇

val listModule = new { m =>

type List = { this =>

type Elem

def head(): this.Elem

def tail(): m.List & { type Elem <: this.Elem }

}

def nil() = new { this =>

type Elem = Bot

def head() = error()

def tail() = error()

}

def cons[T](hd: T)(tl: m.List & { type Elem <: T }) = new { this =>

type Elem = T

def head() = hd

def tail() = tl

}

The actual List type is defined inside a container listModule, which we can think of as a first-class module. In an extended DOT calculus error may signify an ‘acceptable’ runtime error or exception that aborts the current execution and transfers control to an exception handler. In the case that we study, without such facilities, we can model the abortive behavior of error as a non terminating function, for example def error(): Bot = error().

Nominality through Ascription

In most other settings (e.g. object-oriented subclassing, ML module sealing), nominality is enforced when objects are declared or constructed. Here we can just assign a more abstract type to our list module:

⬇

type ListAPI = { m =>

type List <: { this =>

type Elem

def head(): this.Elem

def tail(): m.List & { type Elem <: this.Elem }

}

def nil(): List & { type Elem = Bot }

def cons[T]: T =>

m.List & { type Elem <: T } =>

m.List & { type Elem <: T }

}

Types List and Elem are abstract, and thus exhibit nominal as opposed to structural behavior. Since modules are just objects, it is perfectly possible to pick different implementations of an abstract type based on runtime parameters.

⬇

val mapImpl = if (size < 100) ListMap else HashMap

Polymorphic Methods

In the code above, we have still used the functional notation cons[T](...) for parametric methods. We can desugar the type parameter $T$ into a proper method parameter $t$ with a modular type, and at the same time desugar the multi-argument function into nested anonymous functions:

⬇

def cons(t: { type T }) = ((hd: t.T) => ... )

References to $T$ are replaced by a path dependent type $t.T$ . We can further desugar the anonymous functions into objects with a single apply method:

⬇

def cons(t: { type T }) = new {

def apply(hd: t.T) = new {

def apply(tl: m.List & { type Elem <: t.T }) = new { this =>

type Elem = t.T

def head() = hd

def tail() = tl

}}}

Path-Dependent Types

Let us consider another example to illustrate path-dependent types: a system of services, each with a specific type of configuration object. Here is the abstract interface:

⬇

type Service {

type Config

def default: Config

def init(data: Config):Unit

}

We now create a system consisting of a database and an authentication service, each with their respective configuration types:

⬇

type DBConfig { def getDB: String }

type AuthConfig { def getAuth: String }

val dbs = new Service {

type Config = DBConfig

def default = new DBConfig { ... }

def init(d:Config) = d.getDB

}

val auths = new Service {

type Config = AuthConfig

def default = new AuthConfig { ... }

def init(d:Config) = d.getAuth

}

We can inititialize dbs with a new DBConfig, and auths with a new AuthConfig, but not vice versa. This is because each object has its own specific Config type member and thus, dbs.Config and auths.Config are distinct path dependent types. Likewise, if we have a service lambda: Service without further refinement of its Config member, we can still call lam.init(lam.default) but we cannot create a lam.Config value directly, because Config is an abstract type in Service.

Intersection and Union Types

At the end of the day, we want only one centralized configuration for our system, and we can create one by assigning an intersection type:

⬇

val globalConf: DBConfig & AuthConfig = new {

def getDB = "myDB"

def getAuth = "myAuth"

}

Since globalConf corresponds to both DBConfig and AuthConfig, we can use it to initialize both services:

⬇

dbs.init(globalConf)

auths.init(globalConf)

But we would like to abstract even more.

With the List definition presented earlier, we can build a list of services (using :: as syntactic sugar for cons):

⬇

val services = auths::dbs::Nil

We define an initialization function for a whole list of services:

⬇

def initAll[T](xs:List[Service { type Config >: T }])(c: T) =

xs.foreach(_ init c)

Which we can then use as:

⬇

initAll(services)(globalConf)

How do the types play out here? The definition of List and cons makes the type member Elem covariant. Thus, the type of auths::dbs::Nil corresponds to

⬇

List & {

type Elem = Service & {

type Config: (DBConfig & AuthConfig) .. (DBConfig | AuthConfig)

}

This means that we can treat the Config member as lower bounded by DBConfig & AuthConfig, so passing an object of that type to init is legal.

Records and Refinements as Intersections

Subtyping allows us to treat a type as a less precise one. Scala provides a dual mechanism that enables us to create a more precise type by refining an existing one.

⬇

type PersistentService = Service { a =>

def persist(config: a.Config)

}

To express the type PersistentService by desugaring the refinement into an intersection type, we need a “self” variable (here a) to close over the intersection type, in order to refer to the abstract type member Config of Service:

⬇

type PersistentService = { a => Service & {

def persist(config: a.Config)

}}

Our variant of DOT uses intersections also to model records with multipe type, value, or method members:

⬇

{ def foo(x)=..; def bar(y)=..} = { def foo(x)=..} & { def bar(y)=..}

With this encoding of records, we benefit again from an economy of concepts.

3 Formal Model of DOT

Syntax $\begin{array}[]{l|l|l}\begin{array}[]{ll}x,y,z&\mbox{Variable}\\ L&\mbox{Type label}\\ l&\mbox{Value label}\\ m&\mbox{Method label}\\[28.45274pt] \end{array}&\begin{array}[]{ll}S,T,U::=&\mbox{Type}\\ \quad\quad\top&\quad\quad\mbox{top type}\\ \quad\quad\bot&\quad\quad\mbox{bottom type}\\ \quad\quad L:S..U&\quad\quad\mbox{type member}\\ \quad\quad l:T&\quad\quad\mbox{value member}\\ \quad\quad m(x:S):U^{x}&\quad\quad\mbox{method member}\\ \quad\quad x.L&\quad\quad\mbox{type selection}\\ \quad\quad\{z\Rightarrow T^{z}\}&\quad\quad\mbox{recursive self type}\\ \quad\quad T\wedge T&\quad\quad\mbox{intersection type}\\ \quad\quad T\vee T&\quad\quad\mbox{union type}\end{array}&\begin{array}[]{ll}t::=&\mbox{Term}\\ \quad\quad x&\quad\quad\mbox{variable reference}\\ \quad\quad\{z\Rightarrow\definecolor{default}{rgb}{0,0,0}\color[rgb]{.5,.5,.5}\overline{\color[rgb]{0,0,0}d}\color[rgb]{0,0,0}\}&\quad\quad\mbox{new instance}\\ \quad\quad{t.l}&\quad\quad\mbox{field selection}\\ \quad\quad{t.m(t)}&\quad\quad\mbox{method invocation}\\ d::=&\mbox{Initialization}\\ \quad\quad L=T&\quad\quad\mbox{type initialization}\\ \quad\quad l=t&\quad\quad\mbox{field initialization}\\ \quad\quad m(x)=t&\quad\quad\mbox{method initialization}\end{array}\end{array}$

Subtyping

\Gamma\,\vdash\,S<:U

Lattice structure

\displaystyle\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,\bot<:T\end{array}

(Bot)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}<:T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}\wedge T_{2}<:T\end{array}}

(And11)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{2}<:T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}\wedge T_{2}<:T\end{array}}

(And12)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T<:T_{1}~,~T<:T_{2}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T<:T_{1}\wedge T_{2}\end{array}}

(And2)

\displaystyle\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T<:\top\end{array}

(Top)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T<:T_{1}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T<:T_{1}\vee T_{2}\end{array}}

(Or21)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T<:T_{2}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T<:T_{1}\vee T_{2}\end{array}}

(Or22)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}<:T~,~T_{2}<:T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}\vee T_{2}<:T\end{array}}

(Or1)

Type, field and method members

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}<:T_{2}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,l:T_{1}<:l:T_{2}\end{array}}

(Fld)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,S_{2}<:S_{1}~,~U_{1}<:U_{2}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,L:S_{1}..U_{1}<:L:S_{2}..U_{2}\end{array}}

(Mem)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,S_{2}<:S_{1}\\ \Gamma,x:S_{2}\,\vdash\,U_{1}^{x}<:U_{2}^{x}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,m(x:S_{1}):U_{1}^{x}<:m(x:S_{2}):U_{2}^{x}\end{array}}

(Fun)
Path selections

\displaystyle\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x.L<:x.L\end{array}

(SelX)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x:(L:T..\top)\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T<:x.L\end{array}}

(Sel2)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x:(L:\bot..T)\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x.L<:T\end{array}}

(Sel1)

Recursive self types

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma,z:T_{1}^{z}\,\vdash\,T_{1}^{z}<:T_{2}^{z}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,\{z\Rightarrow T_{1}^{z}\}<:\{z\Rightarrow T_{2}^{z}\}\end{array}}

(BindX)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma,z:T_{1}^{z}\,\vdash\,T_{1}^{z}<:T_{2}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,\{z\Rightarrow T_{1}^{z}\}<:T_{2}\end{array}}

(Bind1)
Transitivity

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}<:T_{2}~,~T_{2}<:T_{3}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}<:T_{3}\end{array}}

(Trans) Type assignment

\Gamma\,\vdash\,t:T

Variables, self packing/unpacking

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma(x)=T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x:T\end{array}}

(Var)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x:T^{x}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x:\{z\Rightarrow T^{z}\}\end{array}}

(VarPack)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma_{[x]}\,\vdash\,x:\{z\Rightarrow T^{z}\}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x:T^{x}\end{array}}

(VarUnpack)

Subsumption

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t:T_{1}~,~T_{1}<:T_{2}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t:T_{2}\end{array}}

(Sub)
Field selection, method invocation

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t:(l:T)\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t.l:T\end{array}}

(TFld)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t:(m(x:T_{1}):T_{2}^{x})~,~y:T_{1}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t.m(y):T_{2}^{y}\end{array}}

(TFunVar)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t:(m(x:T_{1}):T_{2})~,~t_{2}:T_{1}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t.m(t_{2}):T_{2}\end{array}}

(TFun)
Object creation and member initialization

\displaystyle\frac{\begin{array}[]{@{}c@{}}\text{\scriptsize(labels disjoint)}\\ \Gamma,x:T_{1}^{x}\wedge\ldots\wedge T_{n}^{x}\,\vdash\,d_{i}:T_{i}^{x}\quad\quad\forall i,1\leq i\leq n\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,\{x\Rightarrow d_{1}\ldots d_{n}\}:\{z\Rightarrow T_{1}^{z}\wedge\ldots\wedge T_{n}^{z}\}\end{array}}

(TNew)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t:T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,(l=t):(l:T)\end{array}}

(DFld)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T<:T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,(L=T):(L:T..T)\end{array}}

(DMem)

\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma,x:T_{1}\,\vdash\,t:T_{2}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,(m(x)=t):(m(x:T_{1}):T_{2})\end{array}}

(DFun)

Figure 1: DOT: Syntax and Type System

Figure 1 shows the syntax and static semantics of the DOT calculus we study. For readability, we omit well-formedness requirements from the rules, and assume all types to be syntactically well-formed in the given environment. We write $T^{x}$ when $x$ is free in $T$ .

Compared to the original DOT proposal dotfool , which used several auxiliary judgments such as membership and expansion, the presentation here is vastly simplified, and uses only subtyping to access function and type members. Compared to $\mu$ DOT DBLP:conf/oopsla/AminRO14 , the calculus is much more expressive, and includes key features like intersection and union types, which are absent in $\mu$ DOT.

The Scala syntax used above maps to the formal notation in a straighforward way:

⬇

{ type T = Elem }

\rightarrow

T:\text{Elem}..\text{Elem}

{ type T >: S <: U }

\rightarrow

T:S..U

{ def m(x: T) = t }

\rightarrow

m(x)=t

A & B, A | B

\rightarrow

A\wedge B,\ A\vee B

Intersection and union types, along with the $\bot$ and $\top$ types, provide a full subtyping lattice.

In subtyping, members of the same label and kind can be compared. The field type, type member upper bound, and method result type are covariant while the type member lower bound and the method parameter type are contravariant – as is standard. We allow some dependence between the parameter type and the return type of a method, when the argument is a variable. This is another difference to previous versions of DOT dotfool ; DBLP:conf/oopsla/AminRO14 , which did not have such dependent method types.

If a variable $x$ can be assigned a type member $L$ , then the type selection $x.L$ is valid, and can be compared with any upper bound when it is on the left, and with any lower bound when it is on the right. Furthermore, a type selection is reflexively a subtype of itself. This rule is explicit, so that even abstract type members can be compared to themselves.

Finally, recursive self types can be compared to each other as intuitively expected. They can also be dropped if the self identifier is not used. During type assignment, the rules for variable packing and unpacking serve as introduction and elimination rules, enabling recursive types to be compared to other types as well. Since subtype comparisons may introduce temporary bindings that may need to be unpacked, the unpack rule comes with a syntactic restriction to ensure termination in the proofs (Section 7.5). In general, environments have the form $\Gamma=\definecolor{default}{rgb}{0,0,0}\color[rgb]{.5,.5,.5}\overline{\color[rgb]{0,0,0}y:T}\color[rgb]{0,0,0},\definecolor{default}{rgb}{0,0,0}\color[rgb]{.5,.5,.5}\overline{\color[rgb]{0,0,0}z:T}\color[rgb]{0,0,0}$ , with term bindings followed by bindings introduced by subtype comparisons. The notation $\Gamma_{[x]}$ in the unpacking rule signifies that all $z\!:\!T$ bindings to the right of $x$ are dropped from $\Gamma$ . While this restriction is necessary for the proofs, it does not seem to limit expressiveness of the type system in any significant way. Outside of subtyping comparisons involving binders, $\Gamma_{[x]}$ is just $\Gamma$ . Thus, the restriction is irrelevant for variable unpacking in normal type assignment.

In the version presented here, we make the transitivity rule explicit, although, as we will see in Section 4, we will sometimes need to ensure that we can eliminate uses of this rule from subtyping derivations so that the last rule is a structural one.

The aim of DOT is to be a simple, foundational calculus in the spirit of FJ DBLP:journals/toplas/IgarashiPW01 . The aim is not to commit to specific decisions for nonessential things. Hence, implementation inheritance, mixin strategy, and prototype vs class dispatch are not considered.

4 Static Properties of DOT

Having introduced the syntax and static semantics of DOT, we turn to its metatheoretic properties. Our main focus of interest will be type safety: establishing that well-typed DOT programs do not go wrong. Of course, type safety is only meaningful with respect to a dynamic semantics, which we will discuss in detail in Sections 5 and 6. Here, we briefly touch some general static properties of DOT and then discuss specific properties of the subtyping relation, which (or their absence!) makes proving type safety a challenge.

Decidability

Type assignment and subtyping are undecidable in DOT. This follows directly from the fact that DOT can encode F_<:, and that these properties are undecidable there.

Type Inference

DOT has no principal types and no global Hindley-Milner style type inference procedure. But as in Scala, local type inference based on subtype constraint solving DBLP:journals/toplas/PierceT00 ; DBLP:conf/popl/OderskyL96 is possible, and in fact easier than in Scala due to the existence of universal greatest lower bounds and least upper bounds through intersection and union types. For example, in Scala, the least upper bound of the two types C and D is approximated by an infinite sequence:

⬇

trait A { type T <: A }

trait B { type T <: B }

trait C extends A with B { type T <: C }

trait D extends A with B { type T <: D }

lub(C, D) ~ A with B { type T <: A with B { type T <: ... } }

DOT’s intersection and union types remedy this brittleness.

While the term syntax and type assignment given in Figure 1 is presented in Curry-style, without explicit type annotations except for type member initializations, a Church-style version with types on method arguments (as required for local type inference) is possible just as well.

4.1 Properties of Subtyping

The relevant static properties we are interested in with regard to type safety are transitivity, narrowing, and inversion of subtyping and type assignment. They are defined as follows.

Inversion of subtyping (example: functions):

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,m(x:S_{1}):U_{1}^{x}<:m(x:S_{2}):U_{2}^{x}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,S_{2}<:S_{1}\quad\quad\Gamma,x:S_{2}\,\vdash\,U_{1}^{x}<:U_{2}^{x}\end{array}}$ (InvFun)

Transitivity of subtyping:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}<:T_{2}~,~T_{2}<:T_{3}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}<:T_{3}\end{array}}$ (Trans)

Narrowing:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma_{1}\,\vdash\,T_{1}<:T_{2}\quad\quad\Gamma_{2}\,\vdash\,T_{3}<:T_{4}\\ \Gamma_{1}=\Gamma_{2}(x\rightarrow T_{1})\quad\quad\Gamma_{2}(x)=T_{2}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma_{1}\,\vdash\,T_{3}<:T_{4}\end{array}}$ (Narrow)

On a high-level, the basic challenge for type safety is to establish that some value that e.g. has a function type actually is a function, with arguments and result corresponding to the given type. This is commonly known as the canonical forms property. Inversion of subtyping is required to extract the argument and result types from a given subtype relation between two function types, in particular to derive

T_{2}<:T_{1}\text{ and }U_{1}<:U_{2}

from

m(x:T_{1}):U_{1}<:m(x:T_{2}):U_{2}

when relating method types from a call site and the definition site.

Transitivity is required to collapse multiple subsumption steps that may have been used in type assignment. Narrowing can be seen as an instance of the Liskov substitution principle, preserving subtyping if a binding in the environment is replaced with a subtype.

Unfortunately, as we will show next, these properties do not hold simultaneously in DOT, at least not in their full generality.

4.2 Inversion, Transitivity and Narrowing

First of all, let us take note that these properties are mutually dependent. In Figure 1, we have included $(\textsc{Trans})$ as an axiom. If we drop this axiom, the rules become syntax directed and we obtain rules like $(\textsc{InvFun})$ by direct inversion of the corresponding typing derivation. But then, we would need to prove $(\textsc{Trans})$ as a lemma.

Transitivity and narrowing are also mutually dependent. Transitivity requires narrowing in the following case:

\{z\Rightarrow T_{1}\}<:\{z\Rightarrow T_{2}\}<:\{z\Rightarrow T_{3}\}

By inversion we obtain

z:T_{1}\,\vdash\,T_{1}<:T_{2}\quad\quad z:T_{2}\,\vdash\,T_{2}<:T_{3}

and we narrow the right-hand derivation to $z:T_{1}\,\vdash\,T_{2}<:T_{3}$ before we apply transitivity inductively to obtain $z:T_{1}\,\vdash\,T_{1}<:T_{3}$ .

Narrowing depends on transitivity in the case for type selections

x.L<:T\text{ or its counterpart }T<:x.L

Assume that we want to narrow $x$ ’s binding from $T_{2}$ in $\Gamma_{2}$ to $T_{1}$ in $\Gamma_{1}$ , with $\Gamma_{1}\,\vdash\,T_{1}<:T_{2}$ . By inversion we obtain

x:(L:\bot..T)

and, disregarding rules (VarPack) and (VarUnpack) we can deconstruct this assignment as

\Gamma_{2}(x)=T_{2}\quad\quad\Gamma_{2}\,\vdash\,T_{2}<:(L:\bot..T).

We first apply narrowing inductively and then use transitivity to derive the new binding

\Gamma_{1}(x)=T_{1}\quad\quad\Gamma_{1}\,\vdash\,T_{1}<:T_{2}<:(L:\bot..T).

On first glance, the situation appears to be similar to simpler calculi like F_<:, for which the transitivity rule can be shown to be admissible, i.e. implied by other subtyping rules and hence proved as a lemma and dropped from the definition of the subtyping relation. Unfortunately this is not the case in DOT.

4.3 Good Bounds, Bad Bounds

The transitivity axiom (or subsumption step in type assignment) is essential and cannot be dropped. Let us go through and see why we cannot prove transitivity directly.

First of all, observe that transitivity can only hold if all types in the environment have ‘good bounds’, i.e. only members where the lower bound is a subtype of the upper bound. Here is a counterexample. Assume a binding with ‘bad’ bounds like $\texttt{Int}..\texttt{String}$ . Then the following subtype relation holds via transitivity

x:\{A=\texttt{Int}..\texttt{String}\}\,\vdash\,\texttt{Int}<:x.A<:\texttt{String}

but Int is not a subtype of String. Of course core DOT does not have Int and String types, but any other incompatible types can be taken as well.

But even if we take good bounds as a precondition, we cannot show

\{z\Rightarrow T_{1}\}<:\{z\Rightarrow T_{2}\}<:\{z\Rightarrow T_{3}\}

because we would need to use $x:T_{1}$ as extended environment for the inductive call, but we do not know that T1 has indeed good bounds.

Of course we could modify the $\{z\Rightarrow T_{1}\}<:\{z\Rightarrow T_{2}\}$ rule to require $T_{1}$ to have good bounds. But then this evidence would need to be narrowed, which unfortunately is not possible. Again, here is a counterexample:

x:\{A:\bot..\top\}\,\vdash\,x.A\wedge\{B=\texttt{Int}\}

This type has good bounds, but when narrowing $x$ to the smaller type $\{A=\{B=\texttt{String}\}\}$ (which also has good bounds), its bounds become contradictory.

In summary, even if we assume good bounds in the environment, and strengthen our typing rules so that only types with good bounds are added to the environment, we may still end up with bad bounds due to narrowing and intersection types. This refutes one conjecture about possible proof avenues from earlier work on DOT DBLP:conf/oopsla/AminRO14 .

4.4 No (Simple) Substitution Lemma

To finish off this section, we observe how typing is not preserved by straightforward substitution in DOT, for the simple existence of path-dependent types:

\Gamma,x:\{z\Rightarrow L:S^{z}..U^{z}\wedge l:T^{z}\}\,\vdash\,t:x.L

First, $t$ might access field $x.l$ and therefore require assigning type $(l:T^{x})$ to $x$ . However, the self bind layer can only be removed if an object is accessed through a variable, otherwise we would not be able to substitute away the self identifier $z$ . Second, we cannot derive $\Gamma\,\vdash\,t:x.L$ with $x$ removed from the environment, but we also cannot replace $x$ in $x.L$ with a term that is not an identifier.

Of course we can think about clever ways to circumvent these issues but the details become intricate quickly, with relating variables before and after reduction becoming a key concern dotfool . Moreover, the issues with narrowing and bad bounds remain, and if we assign type String to an Int value through a transitivity step, we have an actual type safety violation.

While ultimately, suitable substitution strategies have been found (see Section 8), these results have been enabled by changing the perspective, and taking a very high-level execution model based on definitional interpreters as a starting point.

Intuitively, all the questions related to bad bounds have a simple answer: we ensure good bounds at object creation time, so why do we even need to worry about all the intermediate steps in such a fine-grained way?

5 Definitional Interpreters for Type Soundness

Today, the dominant method for proving soundness of a type system is the syntactic approach of Wright and Felleisen DBLP:journals/iandc/WrightF94 . Its key components are the progress and preservation lemmas with respect to a small-step operational semantics based on term rewriting. While this syntactic approach has a lot of benefits, as described in great detail in the original 1994 paper DBLP:journals/iandc/WrightF94 , there are also some drawbacks. An important one is that reduction semantics often pose a question of adequacy: realistic language implementations do not proceed by rewriting, so if the aim is to model an existing language, at least an informal argument needs to be made that the given reduction relation faithfully implements the intended semantics. Furthermore, few realistic languages actually enjoy the subject reduction property. If simple substitution does not hold, the syntactic approach is more difficult to apply and requires stepping into richer languages in ways that are often non-obvious. Again, care must be taken that these richer languages are self-contained and match the original intention.

We have already seen that naive substitution does not preserve types in DOT (Section 4.4). In fact, this is also true for many other languages, or language features.

Example 1: Return statements

Consider a simple program in a language with return statements:

⬇

def fun(c) = if (c) return x; y

fun(true)

Taking a straightforward small-step execution strategy, this program will reduce to:

⬇

\;\rightarrow\;

if (true) return x; y

But now the return has become unbound. We need to augment the language and reduce to an auxiliary construct like this:

⬇

\;\rightarrow\;

scope { if (true) return x; y }

This means that we need to work with a richer language than we had originally intended, with additional syntax, typing, and reduction rules like the following:

⬇

scope E[ return v ]

\;\rightarrow\;

v scope v

\;\rightarrow\;

Example 2: Private members

As another example, consider an object-oriented language with access modifiers.

⬇

class Foo { private val data = 1; def foo(x) = x * this.data }

Starting with a term

⬇

val a = new Foo; a.foo(7) / S

where S denotes a store, small-step reduction steps may lead to:

⬇

\;\rightarrow\;

l0.foo(7) / S, (l0 -> Foo(data=1))

\;\rightarrow\;

x * l0.data / S, (l0 -> Foo(data=1))

But now there is a reference to private field data outside the scope of class Foo.

We need a special rule to ignore access modifiers for ‘runtime’ objects in the store, versus other expresssions that happen to have type Foo. We still want to disallow a.data if a is a normal variable reference or some other expression.

Example 3: Method overloading

Looking at a realistic language, many type preservation issues are documented in the context of Java, which were discussed at length on the Types mailing list, back in the time when Java’s type system was an object of study ¹¹1Subject Reduction fails in Java: http://www.seas.upenn.edu/~sweirich/types/archive/1997-98/msg00452.html.

Most of these examples relate to static method overloading, and to Java’s conditional expressions c ? a : b, which require a and b to be in a subtype relationship because Java does not have least upper bounds. It is worth noting that these counterexamples to preservation are not actual type safety violations.

5.1 Alternative Semantic Models

So what can we do if our object of study does not naturally fit a rewriting model of execution? Of course one option is to make it fit (perhaps with force), but an easier path may be to pick a different semantic model. Before the syntactic approach became popular, denotational semantics DBLP:conf/icalp/Scott82 , Plotkin’s structural operational semantics DBLP:journals/jlp/Plotkin04a and Kahn’s natural semantics (or ‘big-step’ semantics) DBLP:conf/stacs/Kahn87 were the tools of the trade.

Big-step semantics in particular has the benefit of being more ‘high-level’, in the sense of being closer to actual language implementations. Their downside for soundness proofs is that failure cases and nontermination are not easily distinguished. This often requires tediously enumerating all possible failure cases, which may cause a blow-up in the required rules and proof cases. Moreover, in the history of big-step proofs, advanced language features such as recursive references have required specific proof techniques (e.g. coinduction) Tofte88operationalsemantics which made it hard to compose proofs for different language features. In general, polymorphic type systems pose difficulties, because type variables need to be related across different contexts.

But the circumstances have changed since 1994. Today, most formal work is done in proof assistants such as Coq, and no longer with pencil and paper. This means that we can use software implementation techniques like monads (which, ironically were developed in the context of denotational semantics DBLP:journals/iandc/Moggi91 ) to handle the complexity of failure cases. Moreover, using simple but clever inductive techniques such as step counters we can avoid the need for coinduction and other complicated techniques in many cases.

In the following, we present our approach to type soundness proofs with definitional interpreters in the style of Reynolds DBLP:journals/lisp/Reynolds98a : high-level evaluators implemented in a (total) functional language. In a functional system such as Coq or Agda, implementing evaluators is more natural than implementing relational transition systems, with the added benefit of always having a directly executable model of the language at hand.

We present a fully mechanized type safety proof for System F_<:, which we gradually extend to DOT. This proof of F_<: alone is significant, because it shows that indeed type safety proofs for polymorphic type systems can be nice and simple using big-step techniques, which correspond closely to actual language implementations. Deriving DOT as an extension of F_<: has also lead to important insights that were not apparent in previous models of the calculus. In particular, the intermediate systems like D_<: in Section 7 inhabit interesting points in the design space of dependently typed calculi between F_<: and full DOT.

5.2 Simply Typed Lambda Calculus: Siek’s 3 Easy Lemmas

We build our exposition on Siek’s type safety proof for a dialect of simply typed lambda calculus (STLC) siek3lemmas , which in turn takes inspiration from Ernst, Ostermann and Cook’s semantics in their formalization of virtual classes vc .

The starting point is a fairly standard definitional interpreter for STLC, shown in Figure 2 together with the STLC syntax and typing rules. We opt to show the interpreter in actual Coq syntax, but stick to formal notation for the language definition and typing rules. The interpreter consists of three functions: one for primitive operations (which we elide), one for variable lookups, and one main evaluation function eval, which ties everything together. Instead of working exclusively on terms, as a reduction semantics would do, the interpreter maps terms to a separate domain of values v. Values include primitives, and closures, which pair a term with an environment.

Syntax

${{{{\begin{array}[]{lll}T&::=&B\ |\ T\rightarrow T\\ t&::=&c\ |\ x\ |\ \lambda x:T.t\ |\ t\ t\\ v&::=&c\ |\ \left<H,\lambda x:T.t\right>\\ r&::=&\leavevmode\lstinline{{\lst@@@set@language\lst@@@set@numbers\lst@@@set@frame\lst@@@set@rulecolor\lst@@@set@language\tt{\@listingGroup{ltx_lst_identifier}{Timeout}}}}}\ |\ \leavevmode\lstinline{{\lst@@@set@language\lst@@@set@numbers\lst@@@set@frame\lst@@@set@rulecolor\lst@@@set@language\tt{\@listingGroup{ltx_lst_identifier}{Done}}}}}\ (\leavevmode\lstinline{{\lst@@@set@language\lst@@@set@numbers\lst@@@set@frame\lst@@@set@rulecolor\lst@@@set@language\tt{\@listingGroup{ltx_lst_identifier}{Error}}}}}\ |\ \leavevmode\lstinline{{\lst@@@set@language\lst@@@set@numbers\lst@@@set@frame\lst@@@set@rulecolor\lst@@@set@language\tt{\@listingGroup{ltx_lst_identifier}{Val}}}}}\ v)\\ \Gamma&::=&\emptyset\ |\ \Gamma,x:T\\ H&::=&\emptyset\ |\ H,x:v\end{array}$

Type assignment $\Gamma\,\vdash\,t:T$

$\displaystyle\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,c:B\end{array}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}x:T\in\Gamma\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x:T\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma,x:T_{1}\,\vdash\,t:T_{2}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,\lambda x:T_{1}.t:T_{1}\rightarrow T_{2}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t_{1}:T_{1}\rightarrow T_{2}~,~t_{2}:T_{1}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t_{1}t_{2}:T_{2}\end{array}}$

Consistent environments $\Gamma\,\vDash\,H$

$\displaystyle\begin{array}[]{@{}c@{}}\emptyset\,\vDash\,\emptyset\end{array}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vDash\,H\quad\quad v:T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma,x:T\,\vDash\,H,x:v\end{array}}$

Value type assignment $H\,\vdash\,v:T$

$\displaystyle\begin{array}[]{@{}c@{}}c:B\end{array}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vDash\,H\quad\quad\Gamma,x:T_{1}\,\vdash\,t:T_{2}\end{array}}{\begin{array}[]{@{}c@{}}\left<H,\lambda x:T_{1}.t\right>:T_{1}\rightarrow T_{2}\end{array}}$

Definitional Interpreter

⬇

(* Coq data types and auxiliary functions elided *)

Fixpoint eval(n: nat)(env: venv)(t: tm){struct n}:

option (option vl) :=

DO n1 <== FUEL n; (* totality *)

match t with

| tcst c => DONE VAL (vcst c) (* constant *)

| tvar x => DONE (lookup x env) (* variable *)

| tabs x ey => DONE VAL (vabs env x ey) (* lambda *)

| tapp ef ex => (* application *)

DO vf <== eval n1 env ef;

DO vx <== eval n1 env ex;

match vf with

| (vabs env2 x ey) =>

eval n1 ((x,vx)::env2) ey

| _ => ERROR

end

end.

Figure 2: STLC: Syntax and Semantics

Notions of Type Soundness

What does it mean for a language to be type safe? We follow Wright and Felleisen DBLP:journals/iandc/WrightF94 in viewing a static type system as a filter that selects well-typed programs from a larger universe of untyped programs. In their definition of type soundness, a partial function evalp defines the semantics of untyped programs, returning Error if the evaluation encounters a type error, or any other answer for a well typed result. We assume here that the result in this case will be Val v, for some value v. For evaluations that do not terminate, evalp is undefined.

The simplest soundness property states that well-typed programs do not go wrong.

Weak soundness:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\emptyset\,\vdash\,e:T\end{array}}{\begin{array}[]{@{}c@{}}\text{evalp }e\ \neq\text{ Error}\end{array}}$

A stronger soundness property states that if the evaluation terminates, the result value must have the same type as the program expression, assuming that values are classified by types as well.

Strong soundness:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\emptyset\,\vdash\,e:T\quad\quad\text{evalp }e=r\end{array}}{\begin{array}[]{@{}c@{}}r=\text{ Val }v\quad\quad v:T\end{array}}$

In our case, assigning types to values is achieved by the rules in the lower half of Figure 2.

Partiality Fuel

To reason about the behavior of our interpreter, and to implement it in Coq in the first place, we had to get a handle on potential nontermination, and make the interpreter a total function. Again we follow siek3lemmas by first making all error cases explicit by wrapping the result of each operation in an option data type with alternatives Val v and Error. This leaves us with possible nontermination. To model nontermination, the interpreter is parameterized over a step-index or ‘fuel value’ n, which bounds the amount of work the interpreter is allowed to do. If it runs out of fuel, the interpreter returns Timeout, otherwise Done r, where r is the option type introduced above.

It is convenient to treat this type of answers as a (layered) monad and write the interpreter in monadic do notation (as done in Figure 2). The FUEL operation in the first line desugars to a simple non-zero check:

⬇

match n with

| z => TIMEOUT

| S n1 => ...

end

There are other ways to define monads that encode partiality (see e.g. DBLP:conf/icfp/Danielsson12 for a treatment that involves a coinductively defined partiality monad), but this simple method has the benefit of enabling easy inductive proofs about all executions of the interpreter, by performing a simple induction over $n$ . If a fact is proved for all executions of length $n$ , for all $n$ , then it must hold for all finite executions. Specifically, infinite executions are by definition not ‘stuck’, so they cannot violate type soundness.

Proof Structure

For the type safety proof, the ‘three easy lemmas’ siek3lemmas are as follows. There is one lemma per function of the interpreter. The first one shows that well-typed primitive operations are not stuck and preserve types. We are omitting primitive operations for simplicity, so we skip this lemma. The second one shows that well-typed environment lookups are not stuck and preserve types.

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vDash\,H\quad\quad\text{lookup }x\ \Gamma=\text{ Some }T\end{array}}{\begin{array}[]{@{}c@{}}\text{lookup }x\ H=\text{ Val }v\quad\quad v:T\end{array}}$

This lemma is proved by structural induction over the environment and case distinction whether the lookup succeeds.

The third lemma shows that, for all $n$ , if the interpreter returns a result that is not a timeout, the result is also not stuck, and it is well typed.

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,e:T\quad\quad\Gamma\,\vDash\,H\quad\quad\text{eval }n\ H\ e=\text{Done }r\end{array}}{\begin{array}[]{@{}c@{}}r=\text{Val }v\quad\quad v:T\end{array}}$

The proof is by induction on $n$ , and case analysis on the term $e$ .

It is easy to see that this lemma corresponds to the strong soundness notion above. In fact, we can define a partial function $\text{evalP }e$ to probe $\text{eval }n\ \emptyset\ e$ for all $n=0,1,2,...$ and return the first non-timeout result, if one exists. Restricting to the empty environment then yields exactly Wright and Felleisen’s definition of strong soundness:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\emptyset\,\vdash\,e:T\quad\quad\text{evalp }e=r\end{array}}{\begin{array}[]{@{}c@{}}r=\text{ Val }v\quad\quad v:T\end{array}}$

Using classical reasoning we can conclude that either evaluation diverges (times out for all n), or there exists an n for which the result is well typed.

6 Type Soundness for System F_<:

We now turn our attention to System F_<: DBLP:journals/iandc/CardelliMMS94 , moving beyond type systems that have been previously formalized with definitional interpreters. The syntax and static typing rules of F_<: are defined in Figure 3.

Syntax

$\begin{array}[]{lll}X&::=&Y\ |\ Z\\ T&::=&X\ |\ \top\ |\ T\rightarrow T\ |\ \forall Z<:T.T^{Z}\\ t&::=&x\ |\ \lambda x:T.t\ |\ \Lambda Y<:T.t\ |\ t\ t\ |\ t\ [T]\\ \Gamma&::=&\emptyset\ |\ \Gamma,x:T\ |\ \Gamma,X<:T\end{array}$

Subtyping $\Gamma\,\vdash\,S<:U$

$\displaystyle\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,S<:\top\end{array}$

$\displaystyle\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,X<:X\end{array}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\ni X<:U\quad\quad\Gamma\,\vdash\,U<:T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,X<:T\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}<:S_{1}~,~S_{2}<:T_{2}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,S_{1}\rightarrow S_{2}<:T_{1}\rightarrow T_{2}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}<:S_{1}\\ \Gamma,Z<:T_{1}\,\vdash\,S_{2}^{Z}<:T_{2}^{Z}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,\forall Z<:S_{1}.S_{2}^{Z}<:\forall Z<:T_{1}.T_{2}^{Z}\end{array}}$

Type assignment $\Gamma\,\vdash\,t:T$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\ni x:T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x:T\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma,x:T_{1}\,\vdash\,t_{2}:T_{2}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,\lambda x:T_{1}.t_{2}:T_{1}\rightarrow T_{2}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t_{1}:T_{1}\rightarrow T_{2}~,~t_{2}:T_{1}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t_{1}t_{2}:T_{2}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma,Y<:T_{1}\,\vdash\,t_{2}:T_{2}^{Y}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,\Lambda Y<:T_{1}.t_{2}:\forall Z<:T_{1}.T_{2}^{Z}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t_{1}:\forall Z<:T_{11}.T_{12}^{Z}~,~T_{2}<:T_{11}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t_{1}[T_{2}]:T_{12}^{T_{2}}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t:S~,~S<:T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t:T\end{array}}$

Figure 3: F_<:: syntax and static semantics

In addition to STLC, we have type abstraction and type application, and subtyping with upper bounds. The calculus is more expressive than STLC and more interesting from a formalization perspective, in particular because it contains type variables. These are bound in the environment, which means that we need to consider types in relation to the environment they were defined in.

What would be a suitable runtime semantics for passing type arguments to type abstractions? The usual small-step semantics uses substitution to eliminate type arguments:

(\Lambda X<:T.t)[T]\longrightarrow t[T/X]

We could do the same in our definitional interpreter:

⬇

| ttapp ef T =>

DO vf <== eval n1 env ef;

match vf with

| (vtabs env2 x ey) => eval n1 env2 (substitute ey x T)

| _ => ERROR

end

But then, the interpreter would have to modify program terms at runtime. This would be odd for an interpreter, which is meant to be simple. It would also complicate formal reasoning, since we would still need a substitution lemma like in small step semantics.

6.1 Types in Environments

Syntax

$\begin{array}[]{lll}v&::=&\left<H,\lambda x:T.t\right>\ |\ \left<H,\Lambda Y<:T.t\right>\\ H&::=&\emptyset\ |\ H,x:v\ |\ H,Y=\left<H,T\right>\\ J&::=&\emptyset\ |\ J,Z<:\left<H,T\right>\end{array}$

Runtime subtyping $J\,\vdash\,H_{1}\ T_{1}<:H_{2}\ T_{2}$

$\displaystyle\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ T<:H_{2}\ \top\end{array}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{2}\ T_{1}<:H_{1}\ S_{1}\quad\quad J\,\vdash\,H_{1}\ S_{2}<:H_{2}\ T_{2}\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ S_{1}\rightarrow S_{2}\;<:\;H_{2}\ T_{1}\rightarrow T_{2}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{2}\ T_{1}<:H_{1}\ S_{1}\\ J,Z\!<:\!\left<H_{2},T_{1}\right>\,\vdash\,H_{1}\ S_{2}^{Z}\;<:\;H_{2}\ T_{2}^{Z}\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ \forall Z\!<:\!S_{1}.S_{2}^{Z}\;<:\;H_{2}\ \forall Z\!<:\!T_{1}.T_{2}^{Z}\end{array}}$

Abstract type variables

$\displaystyle\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ Z<:H_{2}\ Z\end{array}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}J\ni Z<:\left<H,U\right>\quad\quad J\,\vdash\,H\ U<:H_{2}\ T\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ Z<:H_{2}\ T\end{array}}$

Concrete type variables

$\displaystyle\frac{\begin{array}[]{@{}c@{}}H_{1}\ni Y_{1}=\left<H,T\right>\quad\quad H_{2}\ni Y_{2}=\left<H,T\right>\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ Y_{1}<:H_{2}\ Y_{2}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}H_{1}\ni Y=\left<H,U\right>\quad\quad J\,\vdash\,H\ U<:H_{2}\ T\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ Y<:H_{2}\ T\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ T<:H\ L\quad\quad H_{2}\ni Y=\left<H,L\right>\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ T<:H_{2}\ Y\end{array}}$

Transitivity

$\displaystyle\frac{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ T1<:H_{2}\ T2\quad\quad H_{2}\ T_{2}<:H_{3}\ T_{3}\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ T_{1}<:H_{3}\ T_{3}\end{array}}$

Consistent environments $\Gamma\,\vDash\,H\ J$

$\displaystyle\begin{array}[]{@{}c@{}}\emptyset\,\vDash\,\emptyset\ \emptyset\end{array}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vDash\,H\ J\quad\quad H\,\vdash\,v:T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma,x:T\,\vDash\,(H,x:v)\ J\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vDash\,H\ J\quad\quad J\,\vdash\,H_{1}\ T_{1}<:H\ T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma,Y<:T\,\vDash\,(H,Y=\left<H_{1},T_{1}\right>)\ J\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vDash\,H\ J\quad\quad J\,\vdash\,H_{1}\ T_{1}<:H\ T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma,Z<:T\,\vDash\,H\ (J,Z<:\left<H_{1},T_{1}\right>)\end{array}}$

Value type assignment $H\,\vdash\,v:T$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vDash\,H\ \emptyset\quad\quad\Gamma,x:T_{1}\,\vdash\,t:T_{2}\end{array}}{\begin{array}[]{@{}c@{}}H\,\vdash\,\left<H,\lambda x:T_{1}.t\right>:T_{1}\rightarrow T_{2}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vDash\,H\ \emptyset\quad\quad\Gamma,Y<:T_{1}\,\vdash\,t:T_{2}^{Y}\end{array}}{\begin{array}[]{@{}c@{}}H\,\vdash\,\left<H,\Lambda Y<:T_{1}.t\right>:\forall Z<:T_{1}.T_{2}^{Z}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}H_{1}\,\vdash\,v:T_{1}\quad\quad\emptyset\,\vdash\,H_{1}\ T_{1}<:H_{2}\ T_{2}\end{array}}{\begin{array}[]{@{}c@{}}H_{2}\,\vdash\,v:T_{2}\end{array}}$

Figure 4: F_<:: dynamic typing

A better idea, more consistent with an environment-passing interpreter, is to put the type argument into the runtime environment as well:

⬇

| (vtabs env2 x ey) => eval n1 ((x,T)::env2) ey

However, this leads to a problem: the type T may refer to other type variables that are bound in the current environment at the call site. We could potentially resolve all the references, and substitute their occurrences in the type, but this will no longer work if types are recursive. Instead, we pass the caller environment along with the type.

⬇

| (vtabs env2 x ey) => eval n1 ((x,vty env T)::env2) ey

In effect, type arguments become very similar to function closures, in that they close over their defining environment. Intuitively, this makes a lot of sense, and is consistent with the overall workings of our interpreter.

But now we need a subtyping judgement that takes the respective environments into account when comparing two types at runtime. This is precisely what we do. The runtime typing rules are shown in Figure 4. We will explain the role of the $J$ environments shortly, in Section 6.2 below, but let us first take note that the runtime subtyping judgement takes the form

J\,\vdash\,H_{1}\ T_{1}<:H_{2}\ T_{2},

pairing each type $T$ with a corresponding runtime environment $H$ .

Note further that the rules labeled ‘concrete type variables’ are entirely structural: different type variables $Y_{1}$ and $Y_{2}$ are treated equal if they map to the same $H\ T$ pair. In contrast to the surface syntax of F_<:, there is not only a rule for $Y<:T$ but also a symmetric one for $T<:Y$ , i.e. with a type variable on the right hand side. This symmetry is necessary to model runtime type equality through subtyping, which gives us a handle on those cases where a small-step semantics would rely on type substitution.

Another way to look at this is that the dynamic subtyping relation removes abstraction barriers (nominal variables, only one sided comparison with other types) that were put in place by the static subtyping relation.

We further note in passing that subtyping transitivity becomes more difficult to establish than for static F_<: subtyping, because we now may have type variables in the middle of a chain $T_{1}<:Y<:T_{2}$ , which should contract to $T_{1}<:T_{2}$ . We will get back to this question and related ones in Section 6.5.

6.2 Abstract Types

So far we have seen how to handle types that correspond to existing type objects. We now turn to the rule that compares $\forall$ types, and which introduces new type bindings when comparing two type abstractions.

How can we support this rule at runtime? We cannot quite use only the facilities discussed so far, because this would require us to ‘invent’ new hypothetical objects $\left<H,T\right>$ , which are not actually created during execution, and insert them into another runtime environment. Furthermore, to support transitivity of the $\forall$ rule we need narrowing, and we would not want to think about potentially replacing actual values in a runtime environment with something else, for the purpose of comparing types.

Our solution is rather simple: we split the runtime environment into abstract and concrete parts. Careful readers may have already observed that we use two disjoint alphabets of variable names, one for variables bound in terms $Y$ and one for variables bound in types $Z$ . We use $X$ when refering to either kind. Where the type-specific environments $H$ , as discussed above, map only term-defined variables to concrete type values created at runtime (indexed by $Y$ ), we use a shared environment $J$ (indexed by $Z$ ), that maps type-defined variables to hypothetical objects: $\left<H,T\right>$ pairs that may or may not correspond to an actual object created at runtime.

Implementation-wise, this approach fits quite well with a locally nameless representation of binders DBLP:journals/jar/Chargueraud12 that already distinguishes between free and bound identifiers. The runtime subtyping rules for abstract type variables in Figure 4 correspond more or less directly to their counterparts in the static subtype relation (Figure 3), modulo addition of the two runtime environments.

6.3 Relating Static and Dynamic Subtyping

How do we adapt the soundness proof from Section 5.2 to work with this form of runtime subtyping? First, we need to show that the static typing relation implies the dynamic one in well-formed consistent environments:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}<:T_{2}\quad\quad\Gamma\,\vDash\,H\ J\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H\ T_{1}<:H\ T_{2}\end{array}}$

The proof is a simple structural induction over the subtyping derivation. Static rules involving $Z$ variables map to coressponding abstract rules. Rules on $Y$ variables map to concrete dynamic rules.

Second, for the cases where F_<: type assignment relies on substitution in types (specifically, in the result of a type application), we need to prove a lemma that enables us to replace a hypothetical binding with an actual value:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}J,Z<:\left<H,T\right>\,\vdash\,H_{1}\ T_{1}^{Z}<:H_{2}\ T_{2}^{Z}\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1},Y_{1}=\left<H,T\right>\ T_{1}^{Y_{1}}<:H_{2},Y_{2}=\left<H,T\right>\ T_{2}^{Y_{2}}\end{array}}$

The proof is again by simple induction and case analysis. We actually prove a slighty more general lemma that incorporates the option of weakening, i.e. not extending $H_{1}$ or $H_{2}$ if $Z$ does not occur in $T_{1}$ or $T_{2}$ , respectively.

6.4 Inversion of Value Typing (Canonical Forms)

Due to the presence of the subsumption rule, the main proof can no longer just rely on case analysis of the typing derivation, but we need proper inversion lemmas for lambda abstractions:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}H\,\vdash\,\ v:T_{1}\rightarrow T_{2}\end{array}}{\begin{array}[]{@{}c@{}}v=\left<H_{c},\lambda x:S_{1}.t\right>\quad\quad\Gamma_{c}\,\vDash\,H_{c}\ \emptyset\\ \Gamma_{c},x:S_{1}\,\vdash\,t:S_{2}\quad\quad\emptyset\,\vdash\,H_{c}\ S_{1}\to S_{2}<:H\ T_{1}\to T_{2}\end{array}}$

And for type abstractions:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}H\,\vdash\,\ v:\forall Z<:T_{1}.T_{2}^{Z}\end{array}}{\begin{array}[]{@{}c@{}}v=\left<H_{c},\Lambda Y<:S_{1}.t\right>\quad\quad\Gamma_{c}\,\vDash\,H_{c}\ \emptyset\\ \Gamma_{c},Y<:S_{1}\,\vdash\,t:S_{2}^{Y}\\ \emptyset\,\vdash\,H_{c}\ \forall Z\!<:\!S_{1}.S_{2}^{Z}\;<:\;H\ \forall Z\!<:\!T_{1}.T_{2}^{Z}\end{array}}$

We further need to invert the resulting subtyping derivations, so we need additional inversion lemmas to derive $T_{1}<:S_{1}$ and $S_{2}<:T_{2}$ from $S_{1}\rightarrow S_{2}<:T_{1}\rightarrow T_{2}$ and similarly for $\forall$ types.

As already discussed in Section 4.2 with relation to DOT, the inversion lemmas we need here depend in a crucial way on transitivity and narrowing properties of the subtyping relation (similar to small-step proofs for F_<: DBLP:conf/tphol/AydemirBFFPSVWWZ05 ). However, the situation is very different, now that we have a distinction between runtime values and only static types: as we can see from the statements above, we only ever require inversion of a subtyping rule in a fully concrete dynamic context, without any abstract component ( $J=\emptyset$ )! This means that we always have concrete objects at hand, and that we can immediately rely on any properties enforced during their construction, such as ‘good bounds’ in DOT.

6.5 Transitivity Pushback and Cut Elimination

For the static subtyping relation of $F_{<:}$ , transitivity can be proved as a lemma, together with narrowing, in a mutual induction on the size of the middle type in a chain $T_{1}<:T_{2}<:T_{3}$ (see e.g. the POPLmark challenge documentation DBLP:conf/tphol/AydemirBFFPSVWWZ05 ).

Unfortunately, for the dynamic subtyping version, the same proof strategy fails, because dynamic subtyping may involve a type variable as the middle type: $T_{1}<:Y<:T_{3}$ . This setting is very similar to DOT, but arises surprisingly already when just looking at the dynamic semantics of $F_{<:}$ . Since proving transitivity becomes much harder, we adopt a strategy from previous DOT developments DBLP:conf/oopsla/AminRO14 : admit transitivity as an axiom, but prove a ‘pushback’ lemma that allows to push uses of the axiom further up into a subtyping derivation, so that the top level becomes invertible. We denote this as precise subtyping $T_{1}<!\ T_{2}$ . Such a strategy is reminiscent of cut elimination in natural deduction, and in fact, the possibility of cut elimination strategies is already mentioned in Cardelli’s original $F_{<:}$ paper DBLP:journals/iandc/CardelliMMS94 .

Cutting Mutual Dependencies

Inversion of subtyping is only required in a concrete runtime context, without abstract component ( $J=\emptyset$ ). Therefore, transitivity pushback is only required then. Transitivity pushback requires narrowing, but only for abstract bindings (those in $J$ , never in $H$ ). Narrowing requires these bindings to be potentially imprecise, so that the transitivity axiom can be used to inject a step to a smaller type without recursing into the derivation. In summary, we need both (actual, non-axiom) transitivity and narrowing, but not at the same time. This is a major advantage over the purely static setting described in Section 4.2, where these properties were much more entangled, with no obvious way to break cycles.

6.6 Finishing the Soundness Proof

The interesting case is the one for type application. We use the inversion lemma for type abstractions (Section 6.4) and then invert the resulting subtyping relation on $\forall$ types to relate the actual type at the call site with the expected type at the definition site of the type abstraction. In order to do this, we invoke pushback once and obtain an invertible subtyping on $\forall$ types. But inversion then gives us evidence for the return type in a mixed, concrete/abstract environment, with $J$ containing the binding for the quantified type variable. Thus we cannot apply transititivy pushback again directly. We first need to apply the substitution lemma (Section 6.3) to replace the abstract variable reference with a concrete reference to the actual type in a runtime environment $H$ . After that, the abstract component is gone ( $J=\emptyset$ ) and we can use pushback again to further invert the inner derivations.

With that, we have everything in place to complete our soundness proof for $F_{<:}$ :

For all $n$ , if the interpreter returns a result that is not a timeout, the result is also not stuck, and it is well typed.

6.7 An Alternative Dynamic Typing Relation

In the system presented here, we have chosen to include a subsumption rule in the dynamic typing relation (see Figure 4), which required us to prove the typing inversion lemmas from Section 6.4 and to further handle inversion of subtyping via transitivity pushback (Section 6.5).

An alternative design, which we mention for completeness, is to turn this around: design the dynamic type assignment relation in such a way that it is directly invertible, and prove the subsumption property (upwards-closure with respect to subtyping) as a lemma. To achieve this, we can define type assignment for lambda abstractions as follows, pulling in the relevant bits of the dynamic subtyping relation:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma_{c}\,\vDash\,H_{c}\ \emptyset\quad\quad\Gamma_{c},x:S_{1}\,\vdash\,t:S_{2}\\ \emptyset\,\vdash\,H\ T_{1}<:H_{c}\ S_{1}\quad\quad\emptyset\,\vdash\,H_{c}\ S_{2}<:H\ T_{2}\end{array}}{\begin{array}[]{@{}c@{}}H\,\vdash\,\ \left<H_{c},\lambda x:S_{1}.t\right>:T_{1}\rightarrow T_{2}\end{array}}$

The rule for type abstractions is analogous.

But since we no longer have a built-in subsumption rule, we also need to pull in the remaining subtyping cases into the type assignment relation, such that we can assign $\top$ and concrete type variables $Y$ :

$\displaystyle\begin{array}[]{@{}c@{}}H\,\vdash\,v:\top\end{array}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}H\,\vdash\,v:T\quad\quad H_{2}\ni Y=\left<H,T\right>\end{array}}{\begin{array}[]{@{}c@{}}H_{2}\,\vdash\,v:Y\end{array}}$

Note, however, that we crucially never assign an abstract type variable $Z$ as type to a value, because value typing is only defined in fully concrete environments ( $J=\emptyset$ , see Figure 4).

With these additional type assignment cases the proof of the subsumption lemma is straightforward, and dynamic type assignment remains directly invertible.

In essence, this model performs cut elimination or transitivity pushback directly on the type assignment, whereas in Section 6.5, we performed cut elimination on the subtyping relation. Both models lead to valid soundness proofs for F_<: and DOT, but working directly with the subtyping relation appears to lead to somewhat stronger auxiliary results. For this reason, we continue with definitions in the spirit of Figure 4 for the remainder of this paper.

7 From F to D to DOT

While we have set out to ‘only’ prove soundness for $F_{<:}$ , we have already had to do much of the work for proving DOT. We will now extend the calculus to incorporate more DOT features. As we will see, the changes required to the runtime typing system are comparatively minor, and in many cases we just remove restrictions of the static typing discipline.

First of all let us note that $\left<H,T\right>$ pairs are already treated de-facto as first-class values at runtime. So why not let them loose and make their status explicit?

\begin{array}[]{llll}\lx@intercol\text{FSub}\ (\text{F}_{<:})\hfil\lx@intercol\\ &T&::=&\top\mid X\mid T\rightarrow T\mid\forall Z<:T.T^{Z}\\ &t&::=&x\mid\lambda x:T.t\mid\Lambda Y<:T.t\mid t\ t\mid t\ [T]\\ \\ \lx@intercol\text{DSub}\ (\text{D}_{<:})\hfil\lx@intercol\\ &T&::=&\top\mid x.\text{Type}\mid\{\text{Type}=T\}\mid\{\text{Type}<:T\}\mid(z:T)\rightarrow T^{z}\\ &t&::=&x\mid\{\text{Type}=T\}\mid\lambda x:T.t\mid t\ t\\ \\ \lx@intercol\text{DSubBot}\hfil\lx@intercol\\ &T&::=&\bot\mid\top\mid x.\text{Type}\mid\{\text{Type}=T..T\}\mid(z:T)\rightarrow T^{z}\\ &t&::=&x\mid\{\text{Type}=T\}\mid\lambda x:T.t\mid t\ t\\ \\ \lx@intercol\text{DSubBotAndOr}\hfil\lx@intercol\\ &T&::=&\bot\mid\top\mid T\wedge T\mid T\vee T\mid x.\text{Type}\\ &&&\{\text{Type}=T..T\}\mid(z:T)\rightarrow T^{z}\\ &t&::=&x\mid\{\text{Type}=T\}\mid\lambda x:T.t\mid t\ t\\ \\ \lx@intercol\text{DSubBotAndOrRec}\hfil\lx@intercol\\ &T&::=&\bot\mid\top\mid T\wedge T\mid T\vee T\mid x.\text{Type}\\ &&&\{\text{Type}=T..T\}\mid\{l:T\}\mid(z:T)\rightarrow T^{z}\\ &t&::=&x\mid\{\text{Type}=T\}\mid\{\definecolor{default}{rgb}{0,0,0}\color[rgb]{.5,.5,.5}\overline{\color[rgb]{0,0,0}d}\color[rgb]{0,0,0}\}\mid t.l\mid\lambda x:T.t\mid t\ t\\ &d&::=&l=t\\ \\ \lx@intercol\text{DSubBotAndOrRecFix}\hfil\lx@intercol\\ &T&::=&\bot\mid\top\mid T\wedge T\mid T\vee T\mid x.\text{Type}\\ &&&\{\text{Type}=T..T\}\mid\{l:T\}\mid(z:T)\rightarrow T^{z}\mid\{z\Rightarrow T\}\\ &t&::=&x\mid\{\text{Type}=T\}\mid\{\definecolor{default}{rgb}{0,0,0}\color[rgb]{.5,.5,.5}\overline{\color[rgb]{0,0,0}d}\color[rgb]{0,0,0}\}\mid t.l\mid\lambda x:T.t\mid t\ t\mid\mu x.t\\ &d&::=&l=t\\ \\ \lx@intercol\text{DSubBotAndOrRecFixMut}\hfil\lx@intercol\\ &T&::=&\bot\mid\top\mid T\wedge T\mid T\vee T\mid x.\text{Type}\\ &&&\{\text{Type}=T..T\}\mid\{l:T\}\mid(z:T)\rightarrow T^{z}\mid\{z\Rightarrow T\}\mid\text{Ref}\ T\\ &t&::=&x\mid\{\text{Type}=T\}\mid\{\definecolor{default}{rgb}{0,0,0}\color[rgb]{.5,.5,.5}\overline{\color[rgb]{0,0,0}d}\color[rgb]{0,0,0}\}\mid t.l\mid\lambda x:T.t\mid t\ t\mid\mu x.t\mid\text{ref}\ t\mid t\text{!}\mid t\text{:=}\ t\\ &d&::=&l=t\\ \\ \lx@intercol\text{DOT}\hfil\lx@intercol\\ &T&::=&\bot\mid\top\mid T\wedge T\mid T\vee T\mid x.L\\ &&&\{L=T..T\}\mid\{l:T\}\mid m(z:T):T^{z}\mid\{z\Rightarrow T\}\\ &t&::=&x\mid t.l\mid t.m(t)\mid\{x\Rightarrow\definecolor{default}{rgb}{0,0,0}\color[rgb]{.5,.5,.5}\overline{\color[rgb]{0,0,0}d}\color[rgb]{0,0,0}\}\\ &d&::=&l=t\mid L=T\mid m(x)=t\\ \end{array}

Figure 5: Reconstructing DOT bottom-up from F_<:

To give an intuition what this means, let us take a step back and consider two ways to define a standard List data type in Scala:

⬇

class List[E] // parametric, functional style

class List { type E } // modular style, with type member

The first one is the standard parametric version. The second one defines the element type E as a type member, which can be referenced using a path-dependent type. To see the difference in use, here are the two respective signatures of a standard map function:

⬇

def map[E,T](xs: List[E])(f: E => T): List[T] = ...

def map[T](xs:List)(f:xs.E=>T):List & { type E=T } = ...

Again, the first one is the standard parametric version. The second one uses the path-dependent type xs.Elem to denote the element type of the particular list xs passed as argument, and uses a refined type type List & { type E=T } to define the result of map.

We can already infer from this example above that there must be a relation between parametric polymorphism and path-dependent types, an idea that is not surprising when thinking of Barendregt’s $\lambda$ cube DBLP:journals/jfp/Barendregt91 . But in contrast to these well-studied systems, DOT adds subtyping to the mix, with advanced features like intersection types and recursive types, which are not present in the $\lambda$ cube.

But as it turns out, subtyping is an elegant way to model reduction on the type level. Consider the usual definition of types and terms in System F girard1972interpretation ; DBLP:conf/programm/Reynolds74 :

{\begin{array}[]{llll}&T&::=&X\mid T\rightarrow T\mid\forall X.T^{X}\\ &t&::=&x\mid\lambda x:T.t\mid\Lambda X.t^{X}\mid t\ t\mid t\ [T]\\ \end{array}}

We can generalize this system to one with path-dependent types as well as abstract and concrete type values, which we call System D:

{\begin{array}[]{llll}&T&::=&x.\text{Type}\mid\{\text{Type}=T\}\mid\{\text{Type}\}\mid(z:T)\rightarrow T^{z}\\ &t&::=&x\mid\{\text{Type}=T\}\mid\lambda x:T.t\mid t\ t\\ \end{array}}

System D arises from System F by unifying type and term variables. References to type variables $X$ are replaced by path-dependent types $x.\text{Type}$ . Type abstractions become term lambdas with a type-value argument:

\Lambda X.t^{X}\quad\quad\leadsto\quad\quad\lambda x:\{\text{Type}\}.t^{x}

Universal types become dependent function types:

\forall X.T^{X}\quad\quad\leadsto\quad\quad(x:\{\text{Type}\})\to T^{x}

And type application becomes dependent function application with a concrete type value:

t\ [T]\quad\quad\leadsto\quad\quad t\ \{\text{Type}=T\}

But how do we actually type check such an application? Let us assume that $f$ is the polymorphic identity function, and we apply it to type $T$ . Then we would like the following to be an admissible type assignment:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}f:(x:\{\text{Type}\})\to(z:x.\text{Type})\to x.\text{Type}\end{array}}{\begin{array}[]{@{}c@{}}f\ \{\text{Type}=T\}:(z:T)\to T\end{array}}$

In most dependently typed systems there is a notion of reduction or normalization on the type level. Based on our definitional interpreter construction, we observe that we can just as well use subtyping. For this application to type check using standard dependent function types we need the following specific subtyping rules:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}x:\{\text{Type}=T\}\end{array}}{\begin{array}[]{@{}c@{}}T<:x.\text{Type}\quad\quad x.\text{Type}<:T\end{array}}$

$\displaystyle\begin{array}[]{@{}c@{}}\vskip 4.30554pt\{\text{Type}=T\}<:\{\text{Type}\}\end{array}$

It is easy to show that System D encodes System F, but not vice versa. For example, the following function does not have a System F equivalent: $\lambda x:\{\text{Type}\}.x$

In the following, we are going to reconstruct DOT bottom-up from System F, based on a series of intermediate calculi, shown in Figure 5, of increasing expressiveness. The starting point is System F_<:, with the full rules given in Figure 3. We generalize to System D_<:, similar to the exposition above. The main difference is that abstract types can be upper bounded. In the next step, we enable lower bounding of types, and we can remove the distinction between concrete and abstract types. We continue by adding intersection and union types, and then records. We add recursive types, and then mutable references. Finally, we fuse the formerly distinct notions of functions, records, type values, and recursive types into a single notion of object with multiple members. This leaves us with a calculus corresponding to previous presentations of DOT: a unification of objects, functions, and modules, corresponding to the rules shown in Figure 1.

7.1 Extension 1: First-Class Type Objects (D_<:)

The first step is to expose first-class type values on the static term level:

\begin{array}[]{lll}T&::=&\top\mid x.\text{Type}\mid\{\text{Type}=T\}\mid\{\text{Type}<:T\}\mid(z:T)\rightarrow T^{z}\\ t&::=&x\mid\{\text{Type}=T\}\mid\lambda x:T.t\mid t\ t\\ \end{array}

We present so modified typing rules in Figure 6. Type objects $\left<H,T\right>$ are now first class values, just like closures. We no longer need two kinds of bindings in $H$ environments, but we keep the existing structure for $J$ environments, since only types can be abstract. We introduce a ‘type of types’, $\{\text{Type}=T\}$ , and a corresponding introduction term. Note that there is no directly corresponding elimination form on the term level. References to type variables now take the form $x.\text{Type}$ , where $x$ is a regular term variable–in essence, DOT’s path dependent types but with a unique, global, label Type. Since type objects are now first class values, we can drop type abstraction and type application forms and just use regular lambdas and application, which we extended to dependent functions and (path) dependent application.

The definitional interpreter only needs an additional case for the new type value introduction form:

⬇

| ttyp T => (vty env T)

Everything else is readily handled by the existing lambda and application cases.

In the typing rules in Figure 6, we have a new case for type values, invariant in the embedded type. The rules for type selections (previously, type variables) are updated to require bindings in the environment to map to $\{\text{Type}=T\}$ types.

Syntax

$\begin{array}[]{lll}T&::=&x.\text{Type}\ |\ \top\ |\ (z:T)\rightarrow T^{z}\ |\ \{\text{Type}=T\}\\ t&::=&x\ |\ \lambda x:T.t\ |\ t\ t\ |\ \{\text{Type}=T\}\\ \Gamma&::=&\emptyset\ |\ \Gamma,x:T\\[4.30554pt] v&::=&\left<H,\lambda x:T.t\right>\ |\ \left<H,T\right>\\ H&::=&\emptyset\ |\ H,x:v\\ J&::=&\emptyset\ |\ H,z:\left<H,T\right>\end{array}$

Subtyping $\Gamma\,\vdash\,S<:U$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,T_{1}<:T_{2}\quad\quad\Gamma\,\vdash\,T_{2}<:T_{1}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,\{\text{Type}=T_{1}\}\ <:\ \{\text{Type}=T_{2}\}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma(x)=U\quad\quad\Gamma\,\vdash\,U<:\{\text{Type}=T\}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x.T<:T\end{array}}$

$\ldots$

Type assignment $\Gamma\,\vdash\,t:T$

$\displaystyle\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,\{\text{Type}=T\}:\{\text{Type}=T\}\end{array}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma,x:T_{1}\,\vdash\,t_{2}:T_{2}^{x}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,\lambda x:T_{1}.t_{2}:(z:T_{1})\rightarrow T_{2}^{z}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t_{1}:(z:T_{1})\rightarrow T_{2}^{z}~,~t_{2}:T_{1}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,t_{1}t_{2}:T_{2}\end{array}}$

$\ldots$

Runtime Subtyping $J\,\vdash\,H_{1}\ T_{1}<:H_{2}\ T_{2}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ T_{1}<:H_{2}\ T_{2}\quad\quad J\,\vdash\,H_{1}\ T_{2}<:H_{2}\ T_{1}\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ \{\text{Type}=T_{1}\}\ <:\ H_{2}\ \{\text{Type}=T_{2}\}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}J(z)=\left<H,U\right>\quad\quad J\,\vdash\,H\ U<:H_{2}\ \{\text{Type}=T\}\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ z.\text{Type}<:H_{2}\ T\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}H_{1}(x)\!=\!v\;\;\ H\!\,\vdash\,\!v\!:U\quad\quad J\,\vdash\,H\ U<:H_{2}\ \{\text{Type}=T\}\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ x.\text{Type}<:H_{2}\ T\end{array}}$

$\ldots$

Value type assignment $H\,\vdash\,v:T$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vDash\,H\ \emptyset\quad\quad\Gamma\,\vdash\,\{\text{Type}=T\}:\{\text{Type}=T\}\end{array}}{\begin{array}[]{@{}c@{}}H\,\vdash\,\left<H,T\right>:\{\text{Type}=T\}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vDash\,H\emptyset\quad\quad\Gamma,x:T_{1}\,\vdash\,t:T_{2}^{x}\end{array}}{\begin{array}[]{@{}c@{}}H\,\vdash\,\left<H,\lambda x:T_{1}.t\right>:(z:T_{1})\rightarrow T_{2}^{z}\end{array}}$

Figure 6: D_<:: generalizing F_<: with first-class types

7.2 Another Level of Transitivity Pushback

The generalization in this section is an essential step towards DOT. Most of the changes to the soundness proof are rather minor. However, one piece requires further attention: the previous transitivity pushback proof relied crucially on being able to relate types across type variables:

H_{1}\ T_{1}<!\ H\ Y<!\ H_{3}\ T_{3}

Inversion of this derivation would yield another chain

H\ni\left<H_{2},T_{2}\right>\quad\quad H_{1}\ T_{1}<:\ H_{2}\ T_{2}<:\ H_{3}\ T_{3},

which, using an appropriate induction strategy, can be further collapsed into $H_{1}<!\ H_{3}$ .

But now the situation is more complicated: inversion of

H_{1}\ T_{1}<!\ H\ x.\text{Type }<!\ H_{3}\ T_{3}

yields

H(x)=v\quad\quad H_{2}\,\vdash\,v:T_{2}

H_{2}\ T_{2}<:\ H_{1}\ \{\text{Type}=T_{1}\}\quad\quad H_{2}\ T_{2}<:\ H_{3}\ \{\text{Type}=T_{3}\},

but there is no immediate way to relate $T_{1}$ and $T_{3}$ ! We would first have to invert the subtyping relations with $T_{2}$ , but this is not possible because these relations are imprecise and may use transitivity. Recall that they have to be, because they may need to be narrowed—but wait! Narrowing is only required for abstract types, and we only need inversion and transitivity pushback for fully concrete contexts. So, while the imprecise subtyping judgement is required for bounds initially, in the presence of abstract types, we can replace it with the precise version once we move to a fully concrete context.

This idea leads to a solution involving another pushback step. We define an auxiliary relation $T_{1}<<:T_{2}$ , which is just like $T_{1}<:T_{2}$ , but with precise lookups. For this relation, pushback and inversion work as before, but narrowing is not supported. To make sure we remain in fully concrete contexts only, where we do not need narrowing, we delegate to $<:$ in the body of the dependent function rule:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{2}\ T_{1}<:H_{1}\ S_{1}\\ J,z:\left<H_{2},T_{1}\right>\,\vdash\,H_{1}\ S_{2}^{z}<:H_{2}\ T_{2}^{z}\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ \lambda x:S_{1}.S_{2}^{x}\ <<!\ \ H_{2}\ \lambda x:T_{1}.T_{2}^{x}\end{array}}$

In this new relation, we can again remove top-level uses of the transitivity axiom. A derivation $T_{1}<:T_{2}$ can be converted into $T_{1}<<:T_{2}$ and then further into $T_{1}<<!\ T_{2}$ . With that, we can again perform all the necessary inversions required for the soundness proof.

7.3 Extension 2: Subtyping Lattice and Records (DSubBotAndOrRec)

Abstract types in F_<: can only be bounded from above. But internally, the runtime typing already needs to support type symmetric rules, for type selections on either side. We can easily expose that facility on the static level as well. To do so, we add a bottom type $\bot$ and extend our type values to include both lower and upper bounds, as in DOT: $\{\text{Type}=S..U\}$ .

\begin{array}[]{lll}T&::=&...\mid\bot\mid T\wedge T\mid T\vee T\mid\{\text{Type}=T..T\}\\ \end{array}

What is key is that in any partially abstract context, such as when comparing two dependent function types, lower and upper bounds for an abstract type need not be in any relation. This is key for supporting DOT, because narrowing in the presence of intersection types may turn perfectly fine, ‘good bounds’ into contradictory ones (Section 4.3).

However, we do check for good bounds at object creation time, so we cannot ever create an object with bad bounds. In other words, any code path that was type checked using erroneous bounds will never be executed. With these facilities in place, we can add intersection and union types without much trouble.

We also introduce records:

\begin{array}[]{lll}T&::=&...\mid\{l:T\}\\ t&::=&...\mid\{\definecolor{default}{rgb}{0,0,0}\color[rgb]{.5,.5,.5}\overline{\color[rgb]{0,0,0}d}\color[rgb]{0,0,0}\}\mid t.l\\ d&::=&l=t\\ \end{array}

The type of a record will be an intersection type corresponding to its fields.

The modifications in this Section are all rather straighforward, so we elide a formal presentation of the modified rules for space reasons.

7.4 Extension 3: Recursive Self Types (DSubBotAndOrRecFix)

A key missing bit to reach the functionality of DOT is support for recursion and recursive self types.

\begin{array}[]{lll}T&::=&...\mid\{z\Rightarrow T\}\\ t&::=&...\mid\mu x.t\\ \end{array}

Recursive self types enable type members within a type to refer to one another. Similar to $\forall$ types, they introduce a new type variable binding, and they require narrowing, transitivity pushback, etc.

Recursive self types are somewhat similar to existentials. However they cannot readily be encoded in F_<:. In DOT, they are also key for encoding refinements, together with intersection types (see Section 2). Self types do not have explicit pack and unpack operations, but any variable reference can pack/unpack self types on the fly (rules from Figure 1):

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma(x)=T\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x:T\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x:T^{x}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x:\{z\Rightarrow T^{z}\}\end{array}}$

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma_{[x]}\,\vdash\,x:\{z\Rightarrow T^{z}\}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,x:T^{x}\end{array}}$

In full DOT, we assign recursive self types at object construction (see Figure 1). Here, we do not have a notion of objects yet. Instead, we provide an explicit fixpoint combinator $\mu x.t$ , with a standard implementation. The static type rule is as follows:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}\Gamma,x:T^{x}\,\vdash\,t:T^{x}\end{array}}{\begin{array}[]{@{}c@{}}\Gamma\,\vdash\,\mu x.t:\{z\Rightarrow T^{z}\}\end{array}}$

In the premise, we can always apply the pack rule to assign $x$ type $\{z\Rightarrow T^{z}\}$ .

To assign it a type, we first look at the context with the object itself bound to a fresh identifier. Then we apply the pack rule to that identifier to assign a self type.

Enabling unpacking of self types in subtyping is considerably harder.

7.5 Pushback, Once More

So far, the system was set up carefully to avoid cycles between required lemmas. Where cycles did occur, as with transitivity and narrowing, we broke them using a pushback technique. A key property of the system is that, in general, we are very lenient about things outside of concrete runtime contexts. The only place where we invert a $\forall$ type or dependent function type and go from hypothetical to concrete is in showing safety of the corresponding type assignment rules. This enables subtyping inversion and pushback to disregard abstract binding for the most part.

When seeking to unpack self types within lookups of type selections in subtype comparisons, these assumptions are no longer valid. Every lookup of a variable, while considering a path dependent type, may potentially need to unfold and invert self types. In particular, the pushback lemma itself that converts imprecise into precise bounds may unfold a self type. Then it will be faced with an abstract variable that first needs to be converted to a concrete value. More generally, whenever we have a chain

\{z\Rightarrow T_{1}\}<:T<:\{z\Rightarrow T_{2}\},

we first need to apply transitivity pushback to perform inversion. But then, the result of inversion will yield another imprecise derivation

T_{1}<:U<:T_{2}

which may be bigger than the original derivation due to transitivity pushback. So, we cannot process the result of the inversion further during an induction. This increase in size is a well-known property of cut elimination: removing uses of a cut rule (like our transitivity axiom) from a proof term may increase the proof size exponentially.

We solve this issue by yet another level of pushback, which this time also needs to work in partially abstract contexts. The key idea is to pre-transform all unpacking operations on concrete values, so that after inversion, only the previous pushback steps are necessary. We define the runtime subtyping rules with unpacking as follows:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}H_{1}(x)\!=\!v,\;H_{c}\!\,\vdash\,\!v\!:T_{c}\quad\quad\emptyset\,\vdash\,H_{c}\ T_{c}<:H_{2}\ \{z\Rightarrow L:\bot..U\}\end{array}}{\begin{array}[]{@{}c@{}}J\,\vdash\,H_{1}\ x.L<:H_{2}\ U\end{array}}$

The fact that $J=\emptyset$ in the premise is of key importance here, as it enables us to invoke the previous pushback level to $<<:$ and finally to $<<!$ even though we are in a partially abstract context when we traverse a larger derivation.

This restriction to $J=\emptyset$ delivers the explanation for the use of $\Gamma_{[x]}$ in the premise of the var unpacking rule in Figure 1.

7.6 Mutable References (DSubBotAndOrRecFixMut)

As a further extension, we add ML-style mutable references.

\begin{array}[]{lll}T&::=&\dots\mid\text{Ref}\ T\\ t&::=&\dots\mid\text{ref}\ t\mid t\text{!}\mid t\text{:=}\ t\\ v&::=&\dots\mid\text{loc}\ x\end{array}

The extension of the syntax and static typing rules is standard, with a new syntactic category of store locations. The evaluator is augmented with a runtime store, and reading or writing to a location accesses the store. How do we assign a runtime type to a store location? The key difficulty is that store bindings may be recursive, which has lead Tofte to discover coinduction as a proof technique for type soundness Tofte88operationalsemantics . We sidestep this issue by assigning types to values (in particular store locations) with respect to a store typing $S$ instead of the store itself. Store typings consist of $H\ T$ pairs, which can be related through the usual runtime subtyping judgements. The value type assignment judgement now takes the form $S\ H\,\vdash\,v:T$ and since subtyping depends on value type assignment, it is parameterized by the store typing as well: $S\ J\,\vdash\,H_{1}\ T_{1}<:H_{2}\ T_{2}$ . The type assignment rule for store locations simply looks up the correct type from the store typing:

$\displaystyle\frac{\begin{array}[]{@{}c@{}}S(x)=\left<H,T\right>\end{array}}{\begin{array}[]{@{}c@{}}S\ H\,\vdash\,\text{loc}\ x:\text{Ref}\ T\end{array}}$

When new bindings are added to the store, they are assigned the type and environment from their creation site in the store typing. When accessing the store, bindings in the store typing are always preserved, i.e. store typings are invariant under reads and updates.

Objects in the store must conform to the store typing at all times. With that, an update only has to provide a subtype of the type in the store typing, and it will not change the type of that slot. So if an update creates a cycle in the store, this does not introduce circularity in the store typing.

A canonical forms lemma for references states that if a value $v$ has type $\text{Ref}\ T$ , $v$ must be a store location with a type equal to $T$ in the store typing.

The main soundness statement is modified to guarantee that if evaluation terminates, it produces a well-typed value, and a store that corresponds to an extension of the initial store typing. Thus, the store typing is required to grow linearly, while the values in the store may change arbitrarily within the constraints given by the store typing.

We believe that the ease with which we were able to add mutable references is a further point in favor of definitional interpreters. Back in 1991, the fact that different proof techniques were thought to be required to support references in big-step style was a major criticism by Wright and Felleisen and a problem their syntactic approach sought to address DBLP:journals/iandc/WrightF94 .

7.7 The Final DOT Soundness Result

As the final step, we unify the separate constructs for recursion, records, and lambda abstractions, into a single notion of object.

\begin{array}[]{lll}T&::=&\bot\mid\top\mid T\wedge T\mid T\vee T\mid x.L\\ &&\{L=T..T\}\mid\{l:T\}\mid m(z:T):T^{z}\mid\{z\Rightarrow T\}\\ t&::=&x\mid t.l\mid t.m(t)\mid\{x\Rightarrow\definecolor{default}{rgb}{0,0,0}\color[rgb]{.5,.5,.5}\overline{\color[rgb]{0,0,0}d}\color[rgb]{0,0,0}\}\\ d&::=&l=t\mid L=T\mid m(x)=t\\ \end{array}

Objects can have type, value, and method members with distinct labels. We could also add mutable fields based on the handling of references above but we disregard this option for simplicity.

Integrating these features does not pose particular difficulties. Some aspects are even simplified, for example the treatment of recursion. Instead of having to support an explicit fixpoint combinator, we can implement recursion by passing the this object on which a method is called as an additional silent parameter to the method.

With all this, we obtain our final soundness result for DOT:

For all $n$ , if the interpreter returns a result that is not a timeout, the result is also not stuck, and it is well typed.

We have seen how DOT emerges from F_<: through relatively gentle extensions which we identify as variations of D_<:. This naturally raises the question what other interesting type systems can arise by devising suitable static rules from the dynamic ones given by the interpreter and environment structure. We believe this is an exciting new research angle.

8 Back to Small-Step Proofs

While our approach of using big-step evaluators has lead to important insights and produced the first soundness proof for DOT, the results can also be transferred to a small-step setting.

The general idea is to preserve the distinction between static type assignment to terms and dynamic type assignment to values. A key obstacle is that our definitional interpreter uses environments whereas our target reduction semantics will be based on substitution. As we have seen in Section 4.4, naive substitution of values for identifiers has no chance of working because it would break the structure of path-dependent types.

As a way out, we first introduce an additional level of indirection in our interpreter. Instead of storing values directly in environments, we allocate all objects in a store-like structure, which grows monotonically. In this setting, only store locations can be first-class values, i.e. passed around between functions and stored in environments. This additional level of indirection does not interfere with evaluation and clearly preserves the semantics of the interpreter.

But now the use of environments is no longer necessary: since we are dealing only with pointers into our auxiliary store data structure, we can just as well use substitution instead of explicit environments. For runtime subtyping, the two-handed judgement

J\,\vdash\,H_{1}\ T_{1}<:H_{2}\ T_{2}

where $J$ holds bindings from self-type comparisons and $H_{1}$ , $H_{2}$ hold runtime values becomes

H\ J\,\vdash\,T_{1}<:T_{2}

where $J$ remains as it is, and free names from $T_{1}$ and $T_{2}$ are now resolved in the shared store $H$ .

We can mechanically transform this substitution-based evaluator into a substitution-based reduction semantics by following the techniques of Danvy et al. DBLP:journals/jcss/DanvyJ10 ; DBLP:journals/tcs/DanvyMMZ12 ; DBLP:conf/ppdp/AgerBDM03 . We transform the interpreter to continuation passing style (CPS) and defunctionalize the continuations to arrive at a first small-step semantics in form of an abstract machine. After exploiting this functional correspondance between evaluators and abstract machines, we exploit the syntactic correspondance between abstract machines and reduction semantics, and obtain our desired term rewriting rules.

We can represent the store syntactically as a sequence of let-store bindings. The key reduction rule that allocates type values as new identifiers in the store can be phrased as follows (example from D_<:):

$\displaystyle\begin{array}[]{@{}c@{}}E[\{\textrm{Type}=T\}]\longrightarrow\texttt{let-store}\ x=\{\textrm{Type}=T\}\texttt{in}\ E[x]\end{array}$

Where $E$ is a let-store-free evaluation context and $x$ a fresh name. Thus, substitution in path-dependent types occurs only with store locations x.

Where the big-step evaluator had separate static and dynamic notions of subtyping, it is beneficial to combine them into one judgment in small-step, but we need to retain different behavior for path-dependent types depending on whether the variable is bound to a value in the store, to an identifier bound in a term or to an identifier introduced in a subtype comparison. The combined subtyping judgement thus takes the following form:

H\ G\ J\,\vdash\,T_{1}<:T_{2}

where $H$ contains the store bindings (i.e. runtime values), $G$ term bindings, and $J$ bindings from sub-type comparisons. Potentially, $J$ and $G$ can be merged into one.

With this, the same approach as in our big step model applies: we can freely narrow within $J$ because we do not need to check bounds, and we can just use the transitivity axiom. When we substitute a term variable with a store location (i.e. when we go from $J$ or $G$ to $H$ ), we know that type bounds are well-formed, so top-level uses of the transitivity axiom can be eliminated using push-back techniques (Section 6.5).

We treat only store locations as first-class values. For assigning types to store locations (and the objects they map to), inversion lemmas, and related issues, all the considerations from Sections 6.4 to 6.7 apply.

9 Related Work

Scala Foundations

Much work has been done on grounding Scala’s type system in theory. Early efforts included $\nu$ Obj nuObj , Featherweight Scala FS and Scalina scalina , all of them more complex than what is studied here. None of them lead to a mechanized soundness result, and due to their inherent complexity, not much insight was gained why soundness was so hard to prove. DOT dotfool was proposed as a simpler and more foundational core calculus, focusing on path dependent types but disregarding classes, mixin linearization and similar questions. The original DOT formulation dotfool had actual preservation issues because lookup was required to be precise. This prevented narrowing, as explained in section 4. The originally proposed small step rewriting semantics with a store exposed the difficulty of relating paths at different stages of reductions.

The $\mu$ DOT calculus DBLP:conf/oopsla/AminRO14 is the first calculus in the line with a mechanized soundness result, (in Twelf, based on total big step semantics), but the calculus is much simpler than what is studied in this paper. Most importantly, $\mu$ DOT lacks bottom, intersections and type refinement. Amin et al. DBLP:conf/oopsla/AminRO14 describe in great detail why adding these features causes trouble. Because of its simplicity, $\mu$ DOT supports both narrowing and transitivity with precise lookup. The soundness proof for $\mu$ DOT was also with respect to big-step semantics. However, the semantics had no concept of distinct runtime type assignment and would thus not be able to encode F_<: and much less full DOT.

After the first version of this paper was circulated as a tech report, a small-step semantics and soundness proof sketch for a DOT variant close to the one described here was proposed by Odersky. It has recently been mechanized and accepted for publication wadlerfest . While on the surface similar to the DOT version presented here, there are some important differences. First, the calculus in wadlerfest is restricted to Administrative Normal Form (ANF) DBLP:conf/pldi/FlanaganSDF93 , requiring all intermediate subexpressions to be let-bound with explicit names. Second, the calculus does not support subtyping between recursive types, only their introduction and elimination as part of type assignment. This skirts the thorniest issues in the proofs (see Section 7.5) but also limits the expressiveness of the calculus. For example, an identifier $x$ bound to a refined type $\{z\Rightarrow T\wedge U^{z}\}$ can be treated as having type $T$ , but if it instead has type $S\to\{z\Rightarrow T\wedge U^{z}\}$ , it can not be assigned type $S\to T$ . Instead, one has to eta-expand the term into a function, let-bind the result of the internal call, and insert the required coercion to $T$ . Similar considerations apply to types in other non-toplevel positions such as bounds of type members, but it is not clear if an analogue of eta-expansion is always available. Third, the small-step proof in wadlerfest is presented without any formal connection to the earlier definitional interpreter result. The present revision of this paper lifts all these restrictions, by providing a mechanized small-step proof that is not restricted to ANF, supports full subtyping between recursive types, and is constructed in a systematic way from the definitional interpreter result (Section 8).

ML Module Systems

1ML DBLP:conf/icfp/Rossberg15 unifies the ML module and core languages through an elaboration to System F_ω based on earlier such work DBLP:journals/jfp/RossbergRD14 . Compared to DOT, the formalism treats recursive modules in a less general way and it only models fully abstract vs fully concrete types, not bounded abstract types. Although an implementation is provided, there is no mechanized proof. In good ML tradition, 1ML supports Hindler-Milner style type inference, with only small restrictions. Path dependent types in ML modules go back at least to SML Macqueen86usingdependent , with foundational work on transparent bindings by Harper and Lillibridge homl and Leroy leroy:manifest . MixML mixml drops the stratification requirement and enables modules as first class values.

Other Related Languages

Other languages and calculi that include features related to DOT’s path dependent types include the family polymorphism of Ernst DBLP:conf/ecoop/Ernst01 , Virtual Classes vc ; conf/ecoop/Ernst03 ; DBLP:conf/oopsla/NystromCM04 ; conf/oopsla/GasiunasMO07 , and ownership type systems like Tribe tribe ; tribalo . Nomality by ascription is also achieved in Grace DBLP:conf/ecoop/JonesHN15 .

Semantics and Proof Techniques

There is a vast body of work on soundness and proof techniques. The most relevant here is Wright and Felleisen’s syntactic approach DBLP:journals/iandc/WrightF94 , Kahn’s Natural Semantics DBLP:conf/stacs/Kahn87 , and Reynold’s Definitional Interpreters DBLP:journals/lisp/Reynolds98a . We build our proof technique on Siek’s Three Easy Lemmas siek3lemmas . Other work that discusses potential drawbacks of term rewriting techniques includes Midtgaard’s survey of interpreter implementations DBLP:conf/ppdp/MidtgaardRL13 , Leroy and Grall’s coinductive natural semantics DBLP:conf/esop/NeronTVW15 and Danielsson’s semantics based on definitional interpreters with coinductively defined partiality monads. Coinduction also was a key enabler for Tofte’s big-step soundness proof of core ML Tofte88operationalsemantics . In our setting, we get away with purely inductive proofs, thanks to numeric step indexes or depth bounds, even for mutable references. We believe that ours is the first purely inductive big-step soundness proof in the presence of mutable state. Step counters also play a key role in proofs based on logical relations DBLP:conf/esop/Ahmed06 . Our runtime environment construction bears some resemblance to Visser’s name graphs DBLP:conf/esop/NeronTVW15 and also to Flatt’s bindings as sets of scopes DBLP:conf/popl/Flatt16 . Big-step evaluators can be mechanically transformed into equivalent small-step semantics following the techniques of Danvy et al. DBLP:journals/jcss/DanvyJ10 ; DBLP:journals/tcs/DanvyMMZ12 ; DBLP:conf/ppdp/AgerBDM03 .

10 Conclusions

We have presented a soundness result for a variant of DOT that includes type refinement and a subtyping lattice with full intersection types, demonstrating how the difficulties that prevented such a result previously can be overcome with a semantic model that exposes a distinction between static terms and runtime values.

Along the way, we have presented the first type soundness proof for System F_<: that is based on a high-level functional evaluator instead of a term rewriting system, establishing that the ‘definitional interpreters approach to type soundness’ scales to sophisticated polymorphic type systems of broad interest.

By casting DOT as an extension of the runtime behavior of F_<: to the static term level, we have exposed new insights into the design of DOT-like calculi in particular, with intermediate systems such as F_<:, and a new avenue for the exploration and design of type systems in general.

Acknowledgements

The initial design of DOT is due to Martin Odersky. Geoffrey Washburn, Adriaan Moors, Donna Malayeri, Samuel Grütter and Sandro Stucki have contributed to previous or alternative developments. For insightful discussions we thank Amal Ahmed, Jonathan Aldrich, Derek Dreyer, Sebastian Erdweg, Erik Ernst, Matthias Felleisen, Ronald Garcia, Paolo Giarrusso, Scott Kilpatrick, Grzegorz Kossakowski, Alexander Kuklev, Viktor Kuncak, Alex Potanin, Jon Pretty, Didier Rémy, Lukas Rytz, Miles Sabin, Ilya Sergey, Jeremy Siek, Josh Suereth, Ross Tate, Eelco Visser, and Philip Wadler.

References

[1] M. S. Ager, D. Biernacki, O. Danvy, and J. Midtgaard. A functional correspondence between evaluators and abstract machines. In PPDP, 2003.
[2] A. J. Ahmed. Step-indexed syntactic logical relations for recursive and quantified types. In ESOP, volume 3924 of Lecture Notes in Computer Science, pages 69–83. Springer, 2006.
[3] N. Amin, S. Grütter, M. Odersky, T. Rompf, and S. Stucki. The essence of dependent object types. In WadlerFest, 2016. (to appear).
[4] N. Amin, A. Moors, and M. Odersky. Dependent object types. In FOOL, 2012.
[5] N. Amin, T. Rompf, and M. Odersky. Foundations of path-dependent types. In OOPSLA, 2014.
[6] B. E. Aydemir, A. Bohannon, M. Fairbairn, J. N. Foster, B. C. Pierce, P. Sewell, D. Vytiniotis, G. Washburn, S. Weirich, and S. Zdancewic. Mechanized metatheory for the masses: The PoplMark Challenge. In TPHOLs, 2005.
[7] H. Barendregt. Introduction to generalized type systems. J. Funct. Program., 1(2):125–154, 1991.
[8] N. R. Cameron, J. Noble, and T. Wrigstad. Tribal ownership. In OOPSLA, 2010.
[9] L. Cardelli, S. Martini, J. C. Mitchell, and A. Scedrov. An extension of system F with subtyping. Inf. Comput., 109(1/2):4–56, 1994.
[10] A. Charguéraud. The locally nameless representation. J. Autom. Reasoning, 49(3):363–408, 2012.
[11] D. Clarke, S. Drossopoulou, J. Noble, and T. Wrigstad. Tribe: a simple virtual class calculus. In AOSD, 2007.
[12] V. Cremet, F. Garillot, S. Lenglet, and M. Odersky. A core calculus for Scala type checking. In MFCS, 2006.
[13] N. A. Danielsson. Operational semantics using the partiality monad. In ICFP, 2012.
[14] O. Danvy and J. Johannsen. Inter-deriving semantic artifacts for object-oriented programming. J. Comput. Syst. Sci., 76(5):302–323, 2010.
[15] O. Danvy, K. Millikin, J. Munk, and I. Zerny. On inter-deriving small-step and big-step semantics: A case study for storeless call-by-need evaluation. Theor. Comput. Sci., 435:21–42, 2012.
[16] D. Dreyer and A. Rossberg. Mixin’ up the ML module system. In ICFP, 2008.
[17] E. Ernst. Family polymorphism. In ECOOP, 2001.
[18] E. Ernst. Higher-order hierarchies. In ECOOP, 2003.
[19] E. Ernst, K. Ostermann, and W. R. Cook. A virtual class calculus. In POPL, 2006.
[20] C. Flanagan, A. Sabry, B. F. Duba, and M. Felleisen. The essence of compiling with continuations. In PLDI, pages 237–247. ACM, 1993.
[21] M. Flatt. Binding as sets of scopes. In POPL, pages 705–717. ACM, 2016.
[22] V. Gasiunas, M. Mezini, and K. Ostermann. Dependent classes. In OOPSLA, 2007.
[23] J.-Y. Girard. Interprétation fonctionelle et élimination des coupures de l’arithmétique d’ordre supérieur. 1972.
[24] R. Harper and M. Lillibridge. A type-theoretic approach to higher-order modules with sharing. In POPL, 1994.
[25] A. Igarashi, B. C. Pierce, and P. Wadler. Featherweight java: a minimal core calculus for java and gj. ACM Trans. Program. Lang. Syst., 23(3), 2001.
[26] T. Jones, M. Homer, and J. Noble. Brand objects for nominal typing. In ECOOP, 2015.
[27] G. Kahn. Natural semantics. In STACS, 1987.
[28] X. Leroy. Manifest types, modules and separate compilation. In POPL, 1994.
[29] D. Macqueen. Using dependent types to express modular structure. In POPL, 1986.
[30] J. Midtgaard, N. Ramsey, and B. Larsen. Engineering definitional interpreters. In PPDP, 2013.
[31] E. Moggi. Notions of computation and monads. Inf. Comput., 93(1):55–92, 1991.
[32] A. Moors, F. Piessens, and M. Odersky. Safe type-level abstraction in Scala. In FOOL, 2008.
[33] P. Neron, A. P. Tolmach, E. Visser, and G. Wachsmuth. A theory of name resolution. In ESOP, 2015.
[34] N. Nystrom, S. Chong, and A. C. Myers. Scalable extensibility via nested inheritance. In OOPSLA, 2004.
[35] M. Odersky. The trouble with types. Presentation at StrangeLoop, 2013.
[36] M. Odersky, V. Cremet, C. Röckl, and M. Zenger. A nominal theory of objects with dependent types. In ECOOP, 2003.
[37] M. Odersky and K. Läufer. Putting type annotations to work. In POPL, 1996.
[38] M. Odersky and T. Rompf. Unifying functional and object-oriented programming with Scala. Commun. ACM, 57(4):76–86, 2014.
[39] B. C. Pierce and D. N. Turner. Local type inference. ACM Trans. Program. Lang. Syst., 22(1):1–44, 2000.
[40] G. D. Plotkin. A structural approach to operational semantics. J. Log. Algebr. Program., 60-61:17–139, 2004.
[41] J. C. Reynolds. Towards a theory of type structure. In Symposium on Programming, volume 19 of Lecture Notes in Computer Science, pages 408–423. Springer, 1974.
[42] J. C. Reynolds. Definitional interpreters for higher-order programming languages. Higher-Order and Symbolic Computation, 11(4):363–397, 1998.
[43] A. Rossberg. 1ML - core and modules united (f-ing first-class modules). In ICFP, 2015.
[44] A. Rossberg, C. V. Russo, and D. Dreyer. F-ing modules. J. Funct. Program., 24(5):529–607, 2014.
[45] D. S. Scott. Domains for denotational semantics. In Automata, Languages and Programming, 1982.
[46] J. Siek. Type safety in three easy lemmas.
http://siek.blogspot.ch/2013/05/type-safety-in-three-easy-lemmas.html, 2013.
[47] M. Tofte. Operational Semantics and Polymorphic Type Inference. PhD thesis, 1988.
[48] A. K. Wright and M. Felleisen. A syntactic approach to type soundness. Inf. Comput., 115(1):38–94, 1994.

From F to DOT: Type Soundness Proofs with Definitional Interpreters

Abstract

1 Introduction

2 Types in Scala and DOT

Objects and First Class Modules

Nominality through Ascription

Polymorphic Methods

Path-Dependent Types

Intersection and Union Types

Records and Refinements as Intersections

3 Formal Model of DOT

4 Static Properties of DOT

Decidability

Type Inference

4.1 Properties of Subtyping

4.2 Inversion, Transitivity and Narrowing

4.3 Good Bounds, Bad Bounds

4.4 No (Simple) Substitution Lemma

5 Definitional Interpreters for Type Soundness

Example 1: Return statements

Example 2: Private members

Example 3: Method overloading

5.1 Alternative Semantic Models

5.2 Simply Typed Lambda Calculus: Siek’s 3 Easy Lemmas

Notions of Type Soundness

Partiality Fuel

Proof Structure

6 Type Soundness for System F<:

6.1 Types in Environments

6.2 Abstract Types

6.3 Relating Static and Dynamic Subtyping

6.4 Inversion of Value Typing (Canonical Forms)

6.5 Transitivity Pushback and Cut Elimination

Cutting Mutual Dependencies

6.6 Finishing the Soundness Proof

6.7 An Alternative Dynamic Typing Relation

7 From F to D to DOT

7.1 Extension 1: First-Class Type Objects (D<:)

7.2 Another Level of Transitivity Pushback

7.3 Extension 2: Subtyping Lattice and Records (DSubBotAndOrRec)

7.4 Extension 3: Recursive Self Types (DSubBotAndOrRecFix)

7.5 Pushback, Once More

7.6 Mutable References (DSubBotAndOrRecFixMut)

7.7 The Final DOT Soundness Result

8 Back to Small-Step Proofs

9 Related Work

Scala Foundations

ML Module Systems

Other Related Languages

Semantics and Proof Techniques

10 Conclusions

Acknowledgements

References

6 Type Soundness for System F_<:

7.1 Extension 1: First-Class Type Objects (D_<:)