Parametric Polymorphism Through Run-time Sealinglkuper/talks/multilang-param/multilang... · Parametric Polymorphism Through Run-time Sealing or, ... Northeastern University Programming

Parametric Polymorphism Through Run-time Sealingor, Theorems for Low, Low Prices!

Amal AhmedLindsey Kuper

Jacob Matthews

Northeastern UniversityProgramming Languages Seminar

February 23, 20111

Thursday, February 24, 2011

What is parametricity?

2


Data abstraction

3


Data abstraction

3

Separation of implementation and interface


Data abstraction

3

Counter = ∃α. {new : α, inc : α → α, get : α → Nat}



Data abstraction

3


c1 = {new = 0, inc = λx: Nat. x + 1, get = λx: Nat. x}

ctr1 = pack Nat, c1 as Counter



Data abstraction

3




c2 = {new = 0, inc = λx: Int. x - 1, get = λx: Int. toNat(0 - x)}

ctr2 = pack Int, c2 as Counter



Data abstraction

3






indistinguishable



Existential types...

4





indistinguishable



4





indistinguishable

■ If two expressions have the same existential type, no program context can distinguish them.



4





indistinguishable


∃α.τ ctr1

∃α.τ ctr2

client


Existential types...and their dual, universal types

5

■ No two program contexts (instantiations) can cause an expression of type ∀α.τ to behave differently.

Λα.e

Natvalues

Intvalues


∃α.τ ctr1

∃α.τ ctr2

client



6


Λα.e

Natvalues

Intvalues



6

f : ∀α. α → α


Λα.e

Natvalues

Intvalues



6

f : ∀α. α → α

Nat


Λα.e

Natvalues

Intvalues



6

f : ∀α. α → α

Nat Int


Λα.e

Natvalues

Intvalues



6

f : ∀α. α → α

Nat Int

indistinguishable asfar as f is concerned


Λα.e

Natvalues

Intvalues



6

f : ∀α. α → α

Nat Int


Bool


Λα.e

Natvalues

Intvalues



6

f : ∀α. α → α

Nat Int


Bool%*$@!


Λα.e

Natvalues

Intvalues



6

f : ∀α. α → α

Nat Int


f = Λα. λx: α. x

Bool%*$@!


Λα.e

Natvalues

Intvalues



7



7

parametricity

∃α.τ

∀α.τ

representation independence


Breaking parametricity

8


9

How to break parametricity in one easy step

Λα. λx: α. (if (nat? x) (+ x 1) x)


9


Λα. λx: α. (if (nat? x) (+ x 1) x)

behaves differently at run-time depending on how α is instantiated


9


Λα. λx: α. (if (nat? x) (+ x 1) x)

behaves differently at run-time depending on how α is instantiated

Putting dynamically typed code in an otherwise statically typed program

provides a way to “smuggle values past the type system”

(Abadi et al., 1989)


A two-language system

10



10

■ How can we assign a type to a program that’s written in two languages?



10


■ We’ll combine a minimal “Scheme” and a minimal “ML” in a multi-language embedding (Matthews & Findler, 2007):



10



!!



10



!!

!



10



!!

!!. "!



10



!!

!1 !2

!!. "!



10



!!

...

!1 !2

!!. "!



10



!!

(!"!!)

...

!1 !2

!!. "!



10



!

!

!

(!"!!)

...

!1 !2

!!. "!



10



!

!! : " . "!

!

(!"!!)

...

!1 !2

!!. "!



10



!

!1 !2

!! : " . "!

!

(!"!!)

...

!1 !2

!!. "!



10



!

...

!1 !2

!! : " . "!

!

(!"!!)

...

!1 !2

!!. "!



10



!

(!!" !)...

!1 !2

!! : " . "!

!

(!"!!)

...

!1 !2

!!. "!


Using a Scheme procedure in ML

11

(!1!!2!" (!!. ")) !"# (!! : "1. (!2!" (!!. ") ("!!1 !)))



11

(!1!!2!" (!!. ")) !"# (!! : "1. (!2!" (!!. ") ("!!1 !)))

have to choose some type at which to embed the procedure



11

(!1!!2!" (!!. ")) !"# (!! : "1. (!2!" (!!. ") ("!!1 !)))




11

(!1!!2!" (!!. ")) !"# (!! : "1. (!2!" (!!. ") ("!!1 !)))




11

(!1!!2!" (!!. ")) !"# (!! : "1. (!2!" (!!. ") ("!!1 !)))

direction of conversion reverses for arguments



A first attempt at polymorphism

12

(!!. "!" (!!. ")) !"# (!". ("

!" (!!. ")))



12

(!!. "!" (!!. ")) !"# (!". ("

!" (!!. ")))

embedding a Scheme procedure in ML at a universal type



12

(!!. "!" (!!. ")) !"# (!". ("

!" (!!. ")))




12

(!!. "!" (!!. ")) !"# (!". ("

!" (!!. ")))




12

(!!. "!" (!!. ")) !"# (!". ("

!" (!!. ")))


evaluation stops here, and continues when we apply to a concrete type:(!!. !) "#$ !"# ![! := "#$]


(!!. !"!!" (!!. !)) !"# 3

!" (!". (!"!!" (!!. !)) !"# 3

!" (!"#"!"#!" (!!. !)) 3

!" (!$ : !"#. (!"#!" (!!. !) ("!!"# $))) 3

!" (!"#!" (!!. !) ("!!"# 3))

!" (!"#!" (!!. !) 3)

!" (!"#!" 3)

!" 3

.

A first attempt at polymorphism: example

13


(!!. !"!!" (!!. !)) !"# 3

!" (!". (!"!!" (!!. !)) !"# 3

!" (!"#"!"#!" (!!. !)) 3

!" (!$ : !"#. (!"#!" (!!. !) ("!!"# $))) 3

!" (!"#!" (!!. !) ("!!"# 3))

!" (!"#!" (!!. !) 3)

!" (!"#!" 3)

!" 3

.


13


(!!. !"!!" (!!. !)) !"# 3

!" (!". (!"!!" (!!. !)) !"# 3

!" (!"#"!"#!" (!!. !)) 3

!" (!$ : !"#. (!"#!" (!!. !) ("!!"# $))) 3

!" (!"#!" (!!. !) ("!!"# 3))

!" (!"#!" (!!. !) 3)

!" (!"#!" 3)

!" 3

.


13


(!!. !"!!" (!!. !)) !"# 3

!" (!". (!"!!" (!!. !)) !"# 3

!" (!"#"!"#!" (!!. !)) 3

!" (!$ : !"#. (!"#!" (!!. !) ("!!"# $))) 3

!" (!"#!" (!!. !) ("!!"# 3))

!" (!"#!" (!!. !) 3)

!" (!"#!" 3)

!" 3

.


13


(!!. !"!!" (!!. !)) !"# 3

!" (!". (!"!!" (!!. !)) !"# 3

!" (!"#"!"#!" (!!. !)) 3

!" (!$ : !"#. (!"#!" (!!. !) ("!!"# $))) 3

!" (!"#!" (!!. !) ("!!"# 3))

!" (!"#!" (!!. !) 3)

!" (!"#!" 3)

!" 3

.


13


(!!. !"!!" (!!. !)) !"# 3

!" (!". (!"!!" (!!. !)) !"# 3

!" (!"#"!"#!" (!!. !)) 3

!" (!$ : !"#. (!"#!" (!!. !) ("!!"# $))) 3

!" (!"#!" (!!. !) ("!!"# 3))

!" (!"#!" (!!. !) 3)

!" (!"#!" 3)

!" 3

.


13

first-order values are assumed to be

convertible


(!!. !"!!" (!!. !)) !"# 3

!" (!". (!"!!" (!!. !)) !"# 3

!" (!"#"!"#!" (!!. !)) 3

!" (!$ : !"#. (!"#!" (!!. !) ("!!"# $))) 3

!" (!"#!" (!!. !) ("!!"# 3))

!" (!"#!" (!!. !) 3)

!" (!"#!" 3)

!" 3

.


13


convertible


(!!. !"!!" (!!. !)) !"# 3

!" (!". (!"!!" (!!. !)) !"# 3

!" (!"#"!"#!" (!!. !)) 3

!" (!$ : !"#. (!"#!" (!!. !) ("!!"# $))) 3

!" (!"#!" (!!. !) ("!!"# 3))

!" (!"#!" (!!. !) 3)

!" (!"#!" 3)

!" 3

.


13


convertible


(!!. !"!!" (!!. !)) !"# 3

!" (!". (!"!!" (!!. !)) !"# 3

!" (!"#"!"#!" (!!. !)) 3

!" (!$ : !"#. (!"#!" (!!. !) ("!!"# $))) 3

!" (!"#!" (!!. !) ("!!"# 3))

!" (!"#!" (!!. !) 3)

!" (!"#!" 3)

!" 3

.


13


convertible


(!!. !"!!" (!!. !)) !"# 3

!" (!". (!"!!" (!!. !)) !"# 3

!" (!"#"!"#!" (!!. !)) 3

!" (!$ : !"#. (!"#!" (!!. !) ("!!"# $))) 3

!" (!"#!" (!!. !) ("!!"# 3))

!" (!"#!" (!!. !) 3)

!" (!"#!" 3)

!" 3

.


13


convertible


(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (!"#"!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!!"# $)))

# (!$ : !"#. (!"#!" (!!. (+ ! 1)) ("!!"# $)))

How parametricity breaks

14


(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (!"#"!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!!"# $)))

# (!$ : !"#. (!"#!" (!!. (+ ! 1)) ("!!"# $)))


14

well-typed expression of type ∀α. α → α


(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (!"#"!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!!"# $)))

# (!$ : !"#. (!"#!" (!!. (+ ! 1)) ("!!"# $)))


14



(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (!"#"!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!!"# $)))

# (!$ : !"#. (!"#!" (!!. (+ ! 1)) ("!!"# $)))


14



(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (!"#"!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!!"# $)))

# (!$ : !"#. (!"#!" (!!. (+ ! 1)) ("!!"# $)))


14



(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (!"#"!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!!"# $)))

# (!$ : !"#. (!"#!" (!!. (+ ! 1)) ("!!"# $)))


14



(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (!"#"!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!!"# $)))

# (!$ : !"#. (!"#!" (!!. (+ ! 1)) ("!!"# $)))


14


not the identity function!


What went wrong?

15

not the identity function!

The problem:Scheme is able to observe the concrete

choice of type for α and behave accordingly.

(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (!"#"!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!!"# $)))

# (!$ : !"#. (!"#!" (!!. (+ ! 1)) ("!!"# $)))


Restoring parametricity

16


Data abstraction, revisited

17



■ Using type abstraction to enforce data abstraction is a static, compile-time approach

17




17





indistinguishable




17





indistinguishableat compile time


Another approach to data abstraction

18



18

■ Programs can create unique seals in their local scope and hand out opaque, sealed values to clients



18


(define create-seal) (gensym))

(define (seal-value v seal) (lambda (s) (if (eq? s seal) v (error ...))))

(define (unseal sealed-v seal) (sealed-v seal))



18





sealed value 2

client

sealed value 1



18





sealed value 2

client

sealed value 1

indistinguishableat run-time


! (!". !) # !"# !, s ![" := $s; #%]

Updating our system to use dynamic sealing

■ Operational semantics defined not just on expressions, but on configurations that include a seal store

19


! (!". !) # !"# !, s ![" := $s; #%]



19


! (!". !) # !"# !, s ![" := $s; #%]



19

contains all seals generatedduring evaluation so far


! (!". !) # !"# !, s ![" := $s; #%]



19



! (!". !) # !"# !, s ![" := $s; #%]



19

instead of regular type substitution, sealing

substitution



! (!". !) # !"# !, s ![" := $s; #%]



19

if you think this looks stateful, you’re right

instead of regular type substitution, sealing

substitution



(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!#s;!"#$ $)))

# (!$ : !"#. (#s;!"#$!" ("!#s;!"#$ $)))

!" (!$ : !"#. $)

Back to our example...

20


(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!#s;!"#$ $)))

# (!$ : !"#. (#s;!"#$!" ("!#s;!"#$ $)))

!" (!$ : !"#. $)


20



(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!#s;!"#$ $)))

# (!$ : !"#. (#s;!"#$!" ("!#s;!"#$ $)))

!" (!$ : !"#. $)


20



(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!#s;!"#$ $)))

# (!$ : !"#. (#s;!"#$!" ("!#s;!"#$ $)))

!" (!$ : !"#. $)


20



(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!#s;!"#$ $)))

# (!$ : !"#. (#s;!"#$!" ("!#s;!"#$ $)))

!" (!$ : !"#. $)


20



(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!#s;!"#$ $)))

# (!$ : !"#. (#s;!"#$!" ("!#s;!"#$ $)))

!" (!$ : !"#. $)


20


opaque value


(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!#s;!"#$ $)))

# (!$ : !"#. (#s;!"#$!" ("!#s;!"#$ $)))

!" (!$ : !"#. $)


20


opaque value


(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!#s;!"#$ $)))

# (!$ : !"#. (#s;!"#$!" ("!#s;!"#$ $)))

!" (!$ : !"#. $)


20


opaque value


(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"#

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"#

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)))

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!#s;!"#$ $)))

# (!$ : !"#. (#s;!"#$!" ("!#s;!"#$ $)))

!" (!$ : !"#. $)


20


the identity function! :D

opaque value


Another example

21

(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) !"# 5

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2)))) !"# 5

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) 5

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ $))) 5

!" (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ 5))

!"% (#s;!"#$!" 2)

!" %&&'&( )&*+,&-./


Another example

21

(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) !"# 5

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2)))) !"# 5

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) 5

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ $))) 5

!" (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ 5))

!"% (#s;!"#$!" 2)

!" %&&'&( )&*+,&-./


Another example

21

(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) !"# 5

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2)))) !"# 5

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) 5

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ $))) 5

!" (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ 5))

!"% (#s;!"#$!" 2)

!" %&&'&( )&*+,&-./


Another example

21

(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) !"# 5

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2)))) !"# 5

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) 5

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ $))) 5

!" (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ 5))

!"% (#s;!"#$!" 2)

!" %&&'&( )&*+,&-./


Another example

21

(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) !"# 5

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2)))) !"# 5

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) 5

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ $))) 5

!" (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ 5))

!"% (#s;!"#$!" 2)

!" %&&'&( )&*+,&-./


Another example

21

(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) !"# 5

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2)))) !"# 5

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) 5

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ $))) 5

!" (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ 5))

!"% (#s;!"#$!" 2)

!" %&&'&( )&*+,&-./


Another example

21

can’t unseal something that isn’t a seal

(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) !"# 5

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2)))) !"# 5

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) 5

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ $))) 5

!" (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ 5))

!"% (#s;!"#$!" 2)

!" %&&'&( )&*+,&-./


Another example

21

can’t unseal something that isn’t a seal

(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) !"# 5

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2)))) !"# 5

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) 5

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ $))) 5

!" (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ 5))

!"% (#s;!"#$!" 2)

!" %&&'&( )&*+,&-./


Proving parametricity

22


23

When are two expressions indistinguishable?

■ The property we really want is contextual equivalence: e1 and e2, when dropped into the same context, have the same observable behavior.

e1 e2


23

When are two expressions indistinguishable?

■ The property we really want is contextual equivalence: e1 and e2, when dropped into the same context, have the same observable behavior.

e1 e2

(if (> ⃞ 0) 5 500)

(if ⃞ 5 500)


24

A different notion of equivalence

■ Because contextual equivalence is hard to show directly, we need a different notion of equivalence.

■ We’ll define our own equivalence relation and show that it is sound with respect to contextual equivalence.

e1 e2


Reflexivity: the Fundamental Property

■ In order to be an equivalence relation, our relation has to be reflexive: every expression must be related to itself.

■ But this corresponds nicely to what we mean by parametricity anyway!

25

e e

open expressions, two different

closing type environments


26

What’s “logical” about it?

Two values of type...

...are related if...

they’re equal

their first components are related at type τ1

and their second components are related at type τ2

given values related at type τ1

they produce expressions related at type τ2

■ The relation we’re defining is called a logical relation. Why?


26


!"#



they’re equal







26


!"#



they’re equal







26


!"#

!1 ! !2



they’re equal







26


!"#

!1 ! !2



they’re equal







26


!"#

!1 ! !2

!1 ! !2



they’re equal







26


!"#

!1 ! !2

!1 ! !2



they’re equal







26


!"#

!1 ! !2

!1 ! !2



they’re equal






■ A logical relation “respects the actions of the logical operators...that correspond to the language’s type constructors” (Crary, 2005)


27

!"#

!1 ! !2

!1 ! !2



they’re equal






27

A type-indexed relation

!"#

!1 ! !2

!1 ! !2



they’re equal






27


!"#

!1 ! !2

!1 ! !2



they’re equal






27


!"#

!1 ! !2

!1 ! !2



they’re equal





! they belong to the relation R in δ(α)

given types τ1 and τ2 and a relation Rthey produce expressions related at type τ

under a δ extended with α → (τ1, τ2, R)


27


!"#

!1 ! !2

!1 ! !2



they’re equal








???


27


!"#

!1 ! !2

!1 ! !2



they’re equal








???


27


!"#

!1 ! !2

!1 ! !2



they’re equal








(!!. "! : !. ...!...) #1 (!!. "! : !. ...!...) #2

???


27


!"#

!1 ! !2

!1 ! !2



they’re equal








(!!. "! : !. ...!...) #1 (!!. "! : !. ...!...) #2

related at type α iff they’re in some relation R that relates values of type τ1 and τ2

???


27


!"#

!1 ! !2

!1 ! !2



they’re equal








(!!. "! : !. ...!...) #1 (!!. "! : !. ...!...) #2


We parameterize the ML side of our relation with a type interpretation δ mapping type variables α to triples (τ1, τ2, R)

???


27


!"#

!1 ! !2

!1 ! !2



they’re equal








(!!. "! : !. ...!...) #1 (!!. "! : !. ...!...) #2


We parameterize the ML side of our relation with a type interpretation δ mapping type variables α to triples (τ1, τ2, R)


27


!"#

!1 ! !2

!1 ! !2



they’re equal









27


!"#

!1 ! !2

!1 ! !2



they’re equal





!

!!. "

they belong to the relation R in δ(α)




27


!"#

!1 ! !2

!1 ! !2



they’re equal





!

!!. "



under a δ extended with α → (τ1, τ2, R)???


27


!"#

!1 ! !2

!1 ! !2



they’re equal





!

!!. "





28

!"#

!1 ! !2

!1 ! !2



they’re equal





!

!!. "





28

Would something like this work for Scheme?

!"#

!1 ! !2

!1 ! !2



they’re equal





!

!!. "





28


!"#

!1 ! !2

!1 ! !2



they’re equal





!

!!. "




■ Since Scheme only has one (static) type, a relation defined inductively on the structure of types would be ill-founded


28


■ Since Scheme only has one (static) type, a relation defined inductively on the structure of types would be ill-founded


Solving the ill-foundedness problem

29



29

■ For Scheme values, index the relation by number of steps available for future computation



29

Values of the syntactic form...

...are related for j steps if...

they’re equal

their first components are related for j stepsand

their second components are related for j steps

???




29

n



they’re equal



???




29

n



they’re equal



???




29

n

(!"#$ %1 %2)



they’re equal



???




29

n

(!"#$ %1 %2)



they’re equal



???




29

n

(!"#$ %1 %2)

(!!. ")



they’re equal



???




29

n

(!"#$ %1 %2)

(!!. ")



they’re equal



???



5 6

v1 v2Related

(indistinguishable) for...

0 steps

1 step

2 steps

Examples of related Scheme values

30


5 6

v1 v2Related


0 steps

1 step

2 steps


30


5 6

v1 v2Related


0 steps

1 step

2 steps


30


5 6

(!!. 5) (!!. 6)

v1 v2Related


0 steps

1 step

2 steps


30


5 6

(!!. 5) (!!. 6)

v1 v2Related


0 steps

1 step

2 steps


30

Substitution uses up 1 step

(!!. 5) 1 !"# 5[! := 1] !"# 5(!!. 6) 1 !"# 6[! := 1] !"# 6


5 6

(!!. 5) (!!. 6)

v1 v2Related


0 steps

1 step

2 steps


30

Substitution uses up 1 step

(!!. 5) 1 !"# 5[! := 1] !"# 5(!!. 6) 1 !"# 6[! := 1] !"# 6


5 6

(!!. 5) (!!. 6)

v1 v2Related


0 steps

1 step

2 steps


30


5 6

(!!. 5) (!!. 6)

(!!. (!". 5)) (!!. (!". 6))

v1 v2Related


0 steps

1 step

2 steps


30


5 6

(!!. 5) (!!. 6)

(!!. (!". 5)) (!!. (!". 6))

v1 v2Related


0 steps

1 step

2 steps


30


5 6

(!!. 5) (!!. 6)

(!!. (!". 5)) (!!. (!". 6))

v1 v2Related


0 steps

1 step

2 steps


30

(!!. (!". 5)) 1 !"# (!". 5)[! := 1] !"# (!". 5)(!!. (!". 6)) 1 !"# (!". 6)[! := 1] !"# (!". 6)


5 6

(!!. 5) (!!. 6)

(!!. (!". 5)) (!!. (!". 6))

v1 v2Related


0 steps

1 step

2 steps


30

(!!. (!". 5)) 1 !"# (!". 5)[! := 1] !"# (!". 5)(!!. (!". 6)) 1 !"# (!". 6)[! := 1] !"# (!". 6)


5 6

(!!. 5) (!!. 6)

(!!. (!". 5)) (!!. (!". 6))

v1 v2Related


0 steps

1 step

2 steps


30


5 6

(!!. 5) (!!. 6)

(!!. (!". 5)) (!!. (!". 6))

v1 v2Related


0 steps

1 step

2 steps


30

■ Intuitively, wrapping layers of λ around values makes them indistinguishable for 1 more step


A step-indexed relation

31

n

(!"#$ %1 %2)

(!!. ")

Two values of the syntactic

form......are related for j steps if...

they’re equal


their second components are related for j stepsgiven values related for i < j steps

they produce expressions related for i steps ???



31

n

(!"#$ %1 %2)

(!!. ")



they’re equal



they produce expressions related for i steps


The little step-indexer

32


The little step-indexer■ Chapter 9 of The Little Schemer gives

examples of functions length0, length≤1, length≤2, and so on

32




■ length≤j takes a list and returns the length of that list, as long as that length is ≤j; otherwise, length≤j goes into an infinite loop

32





32

■ Think of the subscript ≤j as a behavioral contract guaranteeing that length≤j belongs to a certain type for up to j steps of execution





32

■ Think of the subscript ≤j as a behavioral contract guaranteeing that length≤j belongs to a certain type for up to j steps of execution

■ This is exactly the intuition behind the step-indexed model of recursive types (Appel & McAllester, 2001)



33

n

(!"#$ %1 %2)

(!!. ")



they’re equal



they produce expressions related for i steps the inner ML expressions are related for j-1 steps



33

n

(!"#$ %1 %2)

(!!. ")

(!"!s;!"!)



they’re equal






33

n

(!"#$ %1 %2)

(!!. ")

(!"!s;!"!)



they’re equal



they produce expressions related for i steps the inner ML expressions are related for j-1 steps???



33

n

(!"#$ %1 %2)

(!!. ")

(!"!s;!"!)



they’re equal






33

n

(!"#$ %1 %2)

(!!. ")

(!"!s;!"!)



they’re equal




step indices “leak” back into the ML relation


34

(!"!s;!"!) the inner ML expressions

are related for j-1 steps


But wait!

34




But wait!

34



(!"!s1;!1" !1) (!"!s2;!2" !2)

At what type are v1 and v2 related?


But wait!

34



(!"!s1;!1" !1) (!"!s2;!2" !2)


■ The type of these sealed values was originally a type variable...


But wait!

34



(!"!s1;!1" !1) (!"!s2;!2" !2)


■ The type of these sealed values was originally a type variable...

■ We need a dynamic counterpart to δ


Possible worlds

■ An idea from modal logic (Kripke, 1963)■ Useful for reasoning about properties that only

hold under certain conditions

35


What’s in a world?

36

“Meanwhile, in the world where e1 and e2 are related...”



36

seals s1 generated during evaluation of e1




36






36



mappingsα → (s1, s2)




36



mappingsα → (τ1, τ2, R)





36



mappingsα → (τ1, τ2, R)


■ Worlds capture the relationship between static type variables and dynamic seals



Relatedness in a world

37

(!"!s1;!1" !1) (!"!s2;!2" !2)




■ The answer: v1 and v2 must belong to a relation R that relates values of type τ1 and τ2

37

(!"!s1;!1" !1) (!"!s2;!2" !2)




■ The answer: v1 and v2 must belong to a relation R that relates values of type τ1 and τ2

■ We can find R in the current world

37

(!"!s1;!1" !1) (!"!s2;!2" !2)



A possible-worlds model

38



■ Expressions are now related at a type, for a given number of steps, and in a world

38




■ Whenever we do type application, we extend the current world with new seals s1 and s2 and new bindings for α

38





■ Whenever we need to determine relatedness of sealed values, we consult the current world to find the R that would relate them

38





■ Whenever we need to determine relatedness of sealed values, we consult the current world to find the R that would relate them

■ Upshot of all this: now we can prove parametricity!

38


Sage advice

39


Sage advice

39


The Fundamental Property / Parametricity

40



40

■ The bridge lemma:



40

!" #$%&'(( )1 '*+ )2,

-. (j, w, )1, )2) ! VS

/0)* (j, w, (!1(")!" )1), (!2(")!" )2)) ! VM !!"""

1" #$%&'(( !1 '*+ !2,

-. (j, w, !1, !2) ! VM !!""/0)* (j, w, ("!!1(")

!1), ("!!2(")!2)) ! VS "

■ The bridge lemma:



40

!" #$%&'(( )1 '*+ )2,

-. (j, w, )1, )2) ! VS

/0)* (j, w, (!1(")!" )1), (!2(")!" )2)) ! VM !!"""

1" #$%&'(( !1 '*+ !2,

-. (j, w, !1, !2) ! VM !!""/0)* (j, w, ("!!1(")

!1), ("!!2(")!2)) ! VS "

■ The bridge lemma: carries relatednessbetween languages



40

!" #$%&'(( )1 '*+ )2,

-. (j, w, )1, )2) ! VS

/0)* (j, w, (!1(")!" )1), (!2(")!" )2)) ! VM !!"""

1" #$%&'(( !1 '*+ !2,

-. (j, w, !1, !2) ! VM !!""/0)* (j, w, ("!!1(")

!1), ("!!2(")!2)) ! VS "




40

!" #$%&'(( )1 '*+ )2,

-. (j, w, )1, )2) ! VS

/0)* (j, w, (!1(")!" )1), (!2(")!" )2)) ! VM !!"""

1" #$%&'(( !1 '*+ !2,

-. (j, w, !1, !2) ! VM !!""/0)* (j, w, ("!!1(")

!1), ("!!2(")!2)) ! VS "


■ From there we can show the Fundamental Property:



40

!" #$%&'(( )1 '*+ )2,

-. (j, w, )1, )2) ! VS

/0)* (j, w, (!1(")!" )1), (!2(")!" )2)) ! VM !!"""

1" #$%&'(( !1 '*+ !2,

-. (j, w, !1, !2) ! VM !!""/0)* (j, w, ("!!1(")

!1), ("!!2(")!2)) ! VS "


!" #$ !;" !M ! : ! % &'() !;" !M ! !M ! : ! "

*" #$ !;" !S ( : "#"% &'() !;" !S ( !S ( : "#""




40

!" #$%&'(( )1 '*+ )2,

-. (j, w, )1, )2) ! VS

/0)* (j, w, (!1(")!" )1), (!2(")!" )2)) ! VM !!"""

1" #$%&'(( !1 '*+ !2,

-. (j, w, !1, !2) ! VM !!""/0)* (j, w, ("!!1(")

!1), ("!!2(")!2)) ! VS "


!" #$ !;" !M ! : ! % &'() !;" !M ! !M ! : ! "

*" #$ !;" !S ( : "#"% &'() !;" !S ( !S ( : "#""



Parametric contracted Scheme terms

41



■ One way to enforce a contract τ on a Scheme expression is by exporting it into ML at the type τ and then importing it back into Scheme...

41




41

!! = (!"! (!

"! !))




41

!! = (!"! (!

"! !))

■ ...so we can leverage our parametricity result to immediately show that contracted Scheme terms behave parametrically too


Conclusion

42


The three points I want you to remember

43



■ Aside from giving us free theorems, parametricity makes existential-style data abstraction possible.

43




■ Parametricity breaks when we incorporate dynamically typed code into otherwise statically typed programs, but we can restore it using dynamic seal generation.

43




■ Parametricity breaks when we incorporate dynamically typed code into otherwise statically typed programs, but we can restore it using dynamic seal generation.

■ Seal generation is a stateful notion akin to dynamic memory allocation, so we can use possible worlds to reason about the semantics of seals in order to prove parametricity.

43


44Photo by mroach on Flickr. Thanks!

Thanks!Email: [email protected]

Web: www.cs.indiana.edu/~lkuperResearch group: lambda.soic.indiana.edu


mailto:[email protected]

mailto:[email protected]

Detailed non-parametricity example

45

(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"# 5

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"# 5

!" (!"#"!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !))) 5

!" (!$ : !"#. (!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!!"# $))) 5

!" (!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!!"# 5))

!" (!"#!" (!!. ("#$ (%&'? !) (+ ! 1) !)) 5)

!" (!"#!" ("#$ (%&'? 5) (+ 5 1) 5))

!" (!"#!" ("#$ 0 (+ 5 1) 5))

!" (!"#!" (+ 5 1))

!" (!"#!" 6)

!" 6


Detailed dynamic sealing example

46

(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) !))) !"# 5

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) !)))) !"# 5

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !))) 5

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!#s;!"#$ $))) 5

!" (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!#s;!"#$ 5))

!" (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) !)) ("!#s;!"#$ 5))

!" (#s;!"#$!" ("#$ (%&'? ("!#s;!"#$ 5)) (+ ("!#s;!"#$ 5) 1) ("!#s;!"#$ 5)))

!" (#s;!"#$!" ("#$ 1 (+ ("!#s;!"#$ 5) 1) ("!#s;!"#$ 5)))

!" (#s;!"#$!" ("!#s;!"#$ 5))

!" 5


Another detailed dynamic sealing example

47

(!!. !"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) !"# 5

!" (!". (!"!!" (!!. ("#$ (%&'? !) (+ ! 1) 2)))) !"# 5

!" (#s;!"#$"#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2))) 5

!" (!$ : !"#. (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ $))) 5

!" (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ 5))

!" (#s;!"#$!" (!!. ("#$ (%&'? !) (+ ! 1) 2)) ("!#s;!"#$ 5))

!" (#s;!"#$!" ("#$ (%&'? ("!#s;!"#$ 5)) (+ ("!#s;!"#$ 5) 1) 2))

!" (#s;!"#$!" ("#$ 1 (+ ("!#s;!"#$ 5) 1) 2))

!" (#s;!"#$!" 2)

!" %&&'&( )&*+,&-./


Documents

Parametric Polymorphism Through Run-time Sealinglkuper/talks/multilang-param/multilang... · Parametric Polymorphism Through Run-time Sealing or, ... Northeastern University Programming