Syntactic Control of Interference Revisited
Total Page:16
File Type:pdf, Size:1020Kb
Syracuse University SURFACE College of Engineering and Computer Science - Former Departments, Centers, Institutes and College of Engineering and Computer Science Projects 1995 Syntactic Control of Interference Revisited Peter W. O'Hearn Syracuse University A. J. Power University of Edinburgh M. Takeyama University of Edinburgh R. D. Tennent Queen's University Follow this and additional works at: https://surface.syr.edu/lcsmith_other Part of the Programming Languages and Compilers Commons Recommended Citation O'Hearn, Peter W.; Power, A. J.; Takeyama, M.; and Tennent, R. D., "Syntactic Control of Interference Revisited" (1995). College of Engineering and Computer Science - Former Departments, Centers, Institutes and Projects. 12. https://surface.syr.edu/lcsmith_other/12 This Article is brought to you for free and open access by the College of Engineering and Computer Science at SURFACE. It has been accepted for inclusion in College of Engineering and Computer Science - Former Departments, Centers, Institutes and Projects by an authorized administrator of SURFACE. For more information, please contact [email protected]. OHearn et al Syntactic Control of Interference Revisited P W OHearn Syracuse University Syracuse New York USA A J Power and M Takeyama University of Edinburgh Edinburgh Scotland EH JZ R D Tennent Queens University Kingston Canada KL N Dedicated to John C Reynolds in honor of his th birthday Abstract In Syntactic Control of Interference POPL J C Reynolds prop oses three design principles intended to constrain the scop e of imp erative state eects in Algol like languages The resulting linguistic framework seems to b e a very satisfac tory way of combining functional and imp erative concepts having the desirable attributes of both purely functional languages such as pcf and simple imp erative languages such as the language of while programs However Reynolds p oints out that the obvious syntax for interference control has the unfortunate prop erty that reductions do not always preserve typings Reynolds has subsequently presented a solution to this problem ICALP but it is fairly complicated and requires intersection typ es in the typ e system Here we present a much simpler solution which do es not require intersection typ es We rst describ e a new typ e system inspired in part by linear logic and verify that reductions preserve typings We then dene a class of bireective mo dels which provide a categorical analysis of structure underlying the new typing rules a companion pap er Bireectivity in this volume exp oses wider ramications of this structure Finally we describ e a concrete mo del for an illustrative programming language based on the new typ e system this improves on earlier such eorts in that states are not assumed to b e structured using lo cations OHearn et al Contents Intro duction Syntax Passive Uses The SCIR Typ e System An Illustrative Programming Language Examples Typing and Reduction Relation and NonRelation to Linear Logic Semantics Bireective Mo dels Interpretation of the Typing Rules Coherence Discussion NonBireective Mo dels A FunctorCategory Mo del The Category of Worlds Semantic Category and Basic Functors NonInterference Passivity Interpretation of the Constants An Alternative Presentation Concluding Remarks Intro duction It has long been known that a variety of anomalies can arise when a programming language combines assignment with a suciently powerful procedure mechanism J C Reynolds In an imp erative programming language a term C is said to interfere with a term E if executing or as appropriate assigning to or calling C can aect the outcome of E For example command x a interferes with expression x but not vice versa In purely functional languages there is no interference b etween terms and it is usually taken for granted that this explains why reasoning 1 Current address Department of Computer Science Queen Mary and Westeld College London England E NS This author was supp orted by NSF grant CCR 2 This author gratefully acknowledges the supp ort of ESPRIT Basic Research Action Typ es for pro ofs and programs 3 Current address Department of Computing Science Chalmers University of Technology Eklandagatan Gteb org Sweden This author was supp orted by an Edinburgh University Postgraduate Studentship 4 This author was supp orted by an op erating grant from the Natural Sciences and Engi neering Research Council of Canada OHearn et al ab out purely functional programs is relatively straightforward However for simple imp erative languages without full pro cedures Hoares logic and totalcorrectness variants of it are quite satisfactory This suggests that it is simplistic to attribute the serious diculties that arise in reasoning ab out programs in conventional pro cedural languages to the presence of interference J C Reynolds has provided a more rened analysis He argues that conventional pro cedural languages are problematical primarily b ecause they p ermit covert interference that is to say interference that is not syn tactically obvious For example if identiers x and y are aliases denote the same storage variable then y a interferes with x and this is prob lematic b ecause the interference is not obvious from insp ecting these phrases In general alias detection in a conventional higherorder pro cedural language requires complex interpro cedural dataow analysis of an entire program Similarly if a pro cedure accesses a nonlo cal variable and the value of that variable can b e changed b etween calls of the pro cedure then identical calls of the pro cedure may have dierent eects Covert interference via nonlo cal variables can also result in subtle bugs in the use of pro cedural parameters For example supp ose Traverse p applies pro cedural parameter p to every no de of a data structure and Remove has the eect of deleting the no de to which it is applied then a call such as Traverse Remove will often fail to have the eect the programmer intends b ecause removing a no de can interfere with a traversal The problem of covert interference also aects language designers For example programmers exp ect that immediately after assigning a value to a variable the variable has the value just assigned but this obvious prop erty fails for socalled bad variables such as the subscripted variable AAi whose subexpression Ai is interfered with by the array variable A when Ai i A language designer might want to forbid bad variables syntactically but covert interference makes this very dicult for example Aj is a bad variable if j is an alias for Ai Similar diculties arise for a language designer trying to provide a blo ck expression a command within an expression without allowing side eects to nonlo cal variables trying to provide secure features for unions of typ es or trying to allow concurrent comp osition of non interfering commands The diculties created by covert interference are esp ecially evident if one considers reasoning principles For example in sp ecication logic a Hoare like logic for full Algollike languages the axiom for assignments is gvV V P fP E g V E fP V g The consequent is essentially the familiar axiom from but assumption V P asserts that assignments to variable V do not covertly interfere with the pre and p ostconditions and assumption gvV asserts that V is a go o d variable Similarly the Constancy axiom in sp ecication logic diers from the corresp onding axiom in Hoares logic in that a simple syntactic side con dition must b e replaced by a noninterference assumption Finally b ecause of p ossible covert interference pro cedure sp ecications must b e more com OHearn et al plex explicit assumptions ab out what pro cedures do not do are required cf the frame problem in articial intelligence in order to discharge noninterference assumptions in the context of pro cedure calls All of these complexities are clearly evident in the examples in For these reasons many language designers have argued that program ming languages should b e designed so that it is easy for programmers and compilers to verify that program phrases do not interfere some early exam ples are In three general design principles intended to facilitate verication of noninterference are prop osed i There should b e no anonymous channels of interference then the prob lem of verifying that C do esnt interfere with E reduces to showing that no free identier of C interferes with any free identier of E ii Distinct identiers should not interfere then if two sets of identiers are disjoint they are guaranteed not to interfere iii Some typ es of phrases such as side eectfree expressions are passive do not interfere with anything and so the disjointness requirement can b e relaxed to allow sharing of identiers used only passively In summary to verify in this setting that C do es not interfere with E it is sucient to ensure that no actively o ccurring free identier of C is also free in E But of course the programming language must b e designed so that there are no anonymous channels of interference and in every context distinct iden tiers do not interfere The rst requirement is straightforward but to achieve the second it is prop osed that the following basic constraint b e imp osed on pro cedure calls P A the pro cedure part P and the argument part A should b e mutually noninterfering and similarly for dened language constructs such as lo cal denitions that have implicit pro cedure calls Note the elegant circularity of the approach the syntactic restriction ensures