
Post on 03-Jan-2016


Type Safety

Kangwon National University

임현승

Programming Languages

2

Abstract Syntax

3

Operational Semantics

4

Reduction Rules for Booleans

5

Typing Rules

6

Typing Rules for Booleans

7

Type Safety

• Slogan: "well-typed expressions never go wrong"

• Two theorems
  – Type preservation: "A well-typed expression reduces to another expression of the same type."
  – Progress: "A well-typed expression does not get stuck: either it is a value or reduces to another expression."

8

Type Preservation + Progress

• A well-typed expression e:
  – If it is a value, we are finished.
  – If it is not,
    • it reduces to another e' [Progress]
    • e' has the same type as e [Type preservation]

Inductive Proof Recap

9

Inductive Definition

• A technique of defining a set by specifying an element of the set using another element.
• Needs a base case.
• Starting from the base elements, builds more elements.
  – E.g.,
• Recursively defined data structures such as lists and trees can also be seen as inductively defined.
  – E.g., type 'a list = Nil | Cons of 'a * 'a list

10

Inductive Proof

• A method of proving properties of recursive functions defined on inductively (or recursively) defined data structures.
• Apply natural (or structural) induction on the argument of the function.

# let rec fact n = if n = 0 then 1
                   else n * fact (n - 1)

# let rec pow2 n = if n = 0 then 1
                   else 2 * pow2 (n - 1)

• Prove fact n >= pow2 n when n >= 4!

11

Proof of fact n >= pow2 n

• By mathematical induction on n
• Base case: n = 4
    fact 4 >= pow2 4                  by simple calculation (24 >= 16)
• Inductive case: n = (k + 1)
    fact (k + 1)
    = (k + 1) * fact k                by definition of fact
    >= (k + 1) * pow2 k               by induction hypothesis
    > 2 * pow2 k                      by simple calculation (k + 1 >= 5 > 2)
    = pow2 (k + 1)                    by definition of pow2

12

Proof by Structural Induction

let rec concat xs ys = match xs with
  | [] -> ys
  | z :: zs -> z :: (concat zs ys)

• Writing ++ for concat and Nil for [], we obtain the following equations:
    Nil ++ ys = ys
    (x :: xs) ++ ys = x :: (xs ++ ys)
• Prove the identity of Nil and associativity of ++:
    xs ++ Nil = xs
    Nil ++ xs = xs
    (xs ++ ys) ++ zs = xs ++ (ys ++ zs)
• Can be proved by structural induction on xs

13

Proof of xs ++ Nil = xs

• By structural induction on xs
• Base case: xs = Nil
    Nil ++ Nil = Nil                  by definition of ++
• Inductive case: xs = z :: zs
    (z :: zs) ++ Nil
    = z :: (zs ++ Nil)                by definition of ++
    = z :: zs                         by induction hypothesis

14

(xs ++ ys) ++ zs = xs ++ (ys ++ zs)

• By structural induction on xs
• Base case: xs = Nil
    LHS:
    (Nil ++ ys) ++ zs
    = ys ++ zs                        by definition of ++
    RHS:
    Nil ++ (ys ++ zs)
    = ys ++ zs                        by definition of ++

15

Inductive Case: xs = v :: vs

• We can use the induction hypothesis on vs
• LHS:
    ((v :: vs) ++ ys) ++ zs
    = (v :: (vs ++ ys)) ++ zs         by definition of ++
    = v :: ((vs ++ ys) ++ zs)         by definition of ++
    = v :: (vs ++ (ys ++ zs))         by IH
    = (v :: vs) ++ (ys ++ zs)         by definition of ++
    = RHS
• This inductive reasoning can also be applied to judgments and inference rules, as they also define a set in an inductive manner.

16
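The two list proofs above can be checked mechanically. The following Lean 4 script is an added example, not part of the original slides: it defines `concat` exactly as the OCaml function on the earlier slide (with [] for Nil) and proves `xs ++ Nil = xs`, `Nil ++ xs = xs` and associativity by the same structural induction on xs, where `ih` plays the role of the induction hypothesis. It assumes Lean 4 core only (no Mathlib); the theorem names are this example's own.

```lean
-- Added example, not from the original slides: the structural-induction
-- proofs above, checked in Lean 4 (core only, no Mathlib assumed).
variable {α : Type}

-- Same definition as the OCaml `concat` on the earlier slide ([] is Nil).
def concat : List α → List α → List α
  | [],      ys => ys
  | z :: zs, ys => z :: concat zs ys

-- xs ++ Nil = xs: induction on xs. The cons case unfolds one step of
-- concat and then rewrites with the hypothesis `ih : concat zs [] = zs`.
theorem concat_nil (xs : List α) : concat xs [] = xs := by
  induction xs with
  | nil => rfl
  | cons z zs ih => simp [concat, ih]

-- Nil ++ xs = xs holds by the first equation alone; no induction needed.
theorem nil_concat (xs : List α) : concat [] xs = xs := rfl

-- (xs ++ ys) ++ zs = xs ++ (ys ++ zs): induction on xs only, as on the
-- slide; ys and zs stay fixed and `ih` is used once in the cons case.
theorem concat_assoc (xs ys zs : List α) :
    concat (concat xs ys) zs = concat xs (concat ys zs) := by
  induction xs with
  | nil => rfl
  | cons v vs ih => simp [concat, ih]
```

The `nil` cases close by `rfl` because `concat []` reduces by definition, mirroring "by definition of ++" in the base cases; each `cons` case is exactly the chain of equalities on the slide, with `simp [concat]` doing the "by definition of ++" steps and `ih` the "by IH" step.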

Back to Type Safety

17

[slide 18: content not captured in the transcript]

Type Safety

• Type preservation
• Progress

19

[slides 20 to 25: content not captured in the transcript]

Canonical Forms Lemma

• Required by the proof of the progress theorem

"How" is boring. But "what" is not boring.

27

Type Preservation

• Apply rule induction to:

28

Which case first?

29

Some theorem to prove
• Case the easiest
• ...
• Case easy
• ...
• Case difficult
• ...
• Case the most difficult

Which case first?

30

Some theorem to refute
• Case the easiest
• ...
• Case easy
• ...
• Case difficult
• ...
• Case the most difficult

Which case first?

31

So the most difficult case, App, first!

32

[slide 33: content not captured in the transcript]

Substitution Lemma

• Apply rule induction to

• Why ?
  – analyzes the structure of , not .
  – searches for every occurrence of variable in only to replace it by .
  – thus, does not need to know the structure of .

• Proof of substitution lemma
  – By rule induction on
  – Proof can be found in Section 4.4.2 of POSTECH PL Course Notes.

34
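The following is an added example, not code from the slides or from the POSTECH course notes they cite. It implements in Rust a small simply typed lambda calculus with booleans, the kind of language the slides' abstract syntax, reduction rules and typing rules describe; the constructor names, the helper functions (`type_of`, `step`, `subst`, `check_safety`) and the sample terms are this example's own assumptions. `check_safety` runs a closed well-typed term and checks at every step what the two theorems of the Type Safety slides promise: the term never gets stuck (progress) and its type never changes (preservation). `subst` is the substitution the Substitution Lemma slide is about: it walks the structure of the term being substituted into, looking for the variable, and never inspects the value being substituted; because evaluation only ever substitutes closed values, no capture avoidance is needed. The App case of `step` is where the Canonical Forms Lemma matters: a well-typed value of function type must be a lambda, so that is the only shape the case has to handle.

```rust
// Added example, not from the original slides: a tiny simply typed lambda
// calculus with booleans. Syntax, rule names and helpers are assumptions
// of this example, not the course's own definitions.
#[derive(Clone, Debug, PartialEq)]
enum Ty { Bool, Arrow(Box<Ty>, Box<Ty>) }

#[derive(Clone, Debug, PartialEq)]
enum Tm {
    True, False,
    If(Box<Tm>, Box<Tm>, Box<Tm>),
    Var(String),
    Lam(String, Ty, Box<Tm>),   // lambda x:T. body
    App(Box<Tm>, Box<Tm>),
}

fn lam(x: &str, ty: Ty, body: Tm) -> Tm { Tm::Lam(x.to_string(), ty, Box::new(body)) }
fn app(f: Tm, a: Tm) -> Tm { Tm::App(Box::new(f), Box::new(a)) }
fn ite(c: Tm, t: Tm, e: Tm) -> Tm { Tm::If(Box::new(c), Box::new(t), Box::new(e)) }
fn var(x: &str) -> Tm { Tm::Var(x.to_string()) }

fn is_value(t: &Tm) -> bool { matches!(t, Tm::True | Tm::False | Tm::Lam(..)) }

// Typing rules; `None` means "not well-typed". The context is a list of
// (variable, type) pairs, most recent binding last.
fn type_of(ctx: &[(String, Ty)], t: &Tm) -> Option<Ty> {
    match t {
        Tm::True | Tm::False => Some(Ty::Bool),
        Tm::Var(x) => ctx.iter().rev().find(|(y, _)| y == x).map(|(_, ty)| ty.clone()),
        Tm::If(c, a, b) => {
            if type_of(ctx, c)? != Ty::Bool { return None; }
            let (ta, tb) = (type_of(ctx, a)?, type_of(ctx, b)?);
            if ta == tb { Some(ta) } else { None }
        }
        Tm::Lam(x, ty, body) => {
            let mut ctx2 = ctx.to_vec();
            ctx2.push((x.clone(), ty.clone()));
            let tb = type_of(&ctx2, body)?;
            Some(Ty::Arrow(Box::new(ty.clone()), Box::new(tb)))
        }
        Tm::App(f, a) => {
            let (tf, ta) = (type_of(ctx, f)?, type_of(ctx, a)?);
            match tf {
                Ty::Arrow(t1, t2) if *t1 == ta => Some(*t2),
                _ => None,
            }
        }
    }
}

// [v/x]t: replace every free occurrence of x in t by v. Only t's structure
// is analysed; v is copied in unchanged. Evaluation substitutes closed
// values only, so the Lam case merely stops at a rebinding of x (shadowing).
fn subst(x: &str, v: &Tm, t: &Tm) -> Tm {
    match t {
        Tm::True | Tm::False => t.clone(),
        Tm::Var(y) => if y == x { v.clone() } else { t.clone() },
        Tm::If(c, a, b) => ite(subst(x, v, c), subst(x, v, a), subst(x, v, b)),
        Tm::Lam(y, _, _) if y == x => t.clone(),
        Tm::Lam(y, ty, body) => lam(y, ty.clone(), subst(x, v, body)),
        Tm::App(f, a) => app(subst(x, v, f), subst(x, v, a)),
    }
}

// One-step call-by-value reduction; `None` means stuck (or already a value).
fn step(t: &Tm) -> Option<Tm> {
    match t {
        Tm::If(c, a, b) => match &**c {
            Tm::True => Some((**a).clone()),
            Tm::False => Some((**b).clone()),
            _ => Some(ite(step(c)?, (**a).clone(), (**b).clone())),
        },
        Tm::App(f, a) => {
            if !is_value(f) { return Some(app(step(f)?, (**a).clone())); }
            if !is_value(a) { return Some(app((**f).clone(), step(a)?)); }
            match &**f {
                // Canonical forms: a well-typed value of arrow type is a lambda.
                Tm::Lam(x, _, body) => Some(subst(x, a, body)),
                _ => None, // e.g. `true true`: stuck, and never well-typed
            }
        }
        _ => None,
    }
}

// Run a closed, well-typed term to a value, checking preservation (type
// unchanged after every step) and progress (never stuck) along the way.
// Returns the final value and the number of steps taken.
fn check_safety(t: &Tm) -> Result<(Tm, usize), String> {
    let ty = type_of(&[], t).ok_or("ill-typed: the theorems promise nothing")?;
    let (mut cur, mut steps) = (t.clone(), 0);
    while !is_value(&cur) {
        cur = step(&cur).ok_or(format!("progress violated at step {steps}"))?;
        steps += 1;
        if type_of(&[], &cur).as_ref() != Some(&ty) {
            return Err(format!("preservation violated at step {steps}"));
        }
    }
    Ok((cur, steps))
}

fn main() {
    // Constructed sample: (lambda x:Bool. if x then false else true) true
    let not_fn = lam("x", Ty::Bool, ite(var("x"), Tm::False, Tm::True));
    let prog = app(not_fn, Tm::True);
    println!("type: {:?}", type_of(&[], &prog));
    println!("run:  {:?}", check_safety(&prog));
    // `true true` has no type, so neither theorem applies, and it is stuck.
    let bad = app(Tm::True, Tm::True);
    println!("bad:  type {:?}, step {:?}", type_of(&[], &bad), step(&bad));
}
```

Running `check_safety` on `true true` fails before any step is taken: the term has no type, so the slogan "well-typed expressions never go wrong" makes no promise about it, and `step` indeed returns `None`. The App case is the one that needs both lemmas at once: the Substitution Lemma to show that `subst` keeps the body well-typed (preservation), and the Canonical Forms Lemma to show that a well-typed function-position value can only be a lambda (progress).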
