On Decidability of Nominal Subtyping with Variance

Home , Decidability (logic), Type constructor

University of Pennsylvania ScholarlyCommons

Departmental Papers (CIS) Department of Computer & Information Science

9-2006

Andrew J. Kennedy Microsoft Research Cambridge

Benjamin C. Pierce University of Pennsylvania, [email protected]

Follow this and additional works at: https://repository.upenn.edu/cis_papers

Part of the Computer Sciences Commons

Recommended Citation Andrew J. Kennedy and Benjamin C. Pierce, "On Decidability of Nominal Subtyping with Variance", . September 2006.

Andrew J. Kennedy and Benjamin C. Pierce. On Decidability of Nominal Subtyping with Variance, September 2006. FOOL-WOOD '07. ACM COPYRIGHT NOTICE. Copyright © 2006 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a ee.f Request permissions from Publications Dept., ACM, Inc., fax +1 (212) 869-0481, or [email protected].

This paper is posted at ScholarlyCommons. https://repository.upenn.edu/cis_papers/671 For more information, please contact [email protected]. On Decidability of Nominal Subtyping with Variance

Abstract We investigate the algorithmics of subtyping in the presence of nominal inheritance and variance for generic types, as found in Java 5, Scala 2.0, and the .NET 2.0 Intermediate Language. We prove that the general problem is undecidable and characterize three different decidable fragments. From the latter, we conjecture that undecidability critically depends on the combination of three features that are not found together in any of these languages: contravariant type constructors, class hierarchies in which the set of types reachable from a given type by inheritance and decomposition is not always finite, and class hierarchies in which a type may have multiple supertypes with the same head constructor. These results settle one case of practical interest: subtyping between ground types in the .NET intermediate language is decidable; we conjecture that our proof can also be extended to show full decidability of subtyping in .NET. For Java and Scala, the decidability questions remain open; however, the proofs of our preliminary results introduce a number of novel techniques that we hope may be useful in further attacks on these questions.

Disciplines Computer Sciences

Comments Andrew J. Kennedy and Benjamin C. Pierce. On Decidability of Nominal Subtyping with Variance, September 2006. FOOL-WOOD '07.

ACM COPYRIGHT NOTICE. Copyright © 2006 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept., ACM, Inc., fax +1 (212) 869-0481, or [email protected].

This conference paper is available at ScholarlyCommons: https://repository.upenn.edu/cis_papers/671 On Decidability of Nominal Subtyping with Variance

Andrew J. Kennedy Benjamin C. Pierce Microsoft Research Cambridge University of Pennsylvania

Abstract 22], and the declaration-site variance of Scala [18], algorithmic subtyping rules have never been presented, and decidability is still We investigate the algorithmics of subtyping in the presence of 1 nominal inheritance and variance for generic types, as found in an open problem. This is the starting point for our investigation. Java 5, Scala 2.0, and the .NET 2.0 Intermediate Language. We Language features Each of these languages supports generic in- prove that the general problem is undecidable and characterize heritance, in which a named class is declared with type parameters three different decidable fragments. From the latter, we conjecture and (multiple) supertypes referencing the type parameters. Here are that undecidability critically depends on the combination of three equivalent definitions in .NET 2.0 IL, C] 2.0, Java 5 and Scala 2.0: features that are not found together in any of these languages: con- .class C extends class D> // .NET IL travariant type constructors, class hierarchies in which the set of implements class I types reachable from a given type by inheritance and decomposi- class C : D>, I // C# tion is not always finite, and class hierarchies in which a type may class C extends D> implements I // Java have multiple supertypes with the same head constructor. class C[X,Y] extends D[E[X]] with I[Y] // Scala These results settle one case of practical interest: subtyping be- A second feature shared by these languages is covariant and tween ground types in the .NET intermediate language is decidable; contravariant subtyping of generic types. Scala 2.0 and .NET 2.0 IL we conjecture that our proof can also be extended to show full de- support declaration-site variance, where the variance behaviour of cidability of subtyping in .NET. For Java and Scala, the decidability type parameters is declared up-front on the declaration of the class; questions remain open; however, the proofs of our preliminary re- this feature is also a strong candidate for a future version of C]. sults introduce a number of novel techniques that we hope may be For example, here are equivalent headers for a contra/co-variant useful in further attacks on these questions. function type in .NET IL, an imaginary future version of C], and Scala: 1. Introduction .class interface Func<-A,+B> // .NET IL The core of the subtype relation in most object-oriented program- interface Func<-A,+B> // C# ?.0 trait Func[-A,+B] // Scala ming languages is nominal, in the sense that basic inclusions between type constructors are explicitly declared by the program- In contrast, Java 5 supports use-site variance, where annotations on mer. However, most languages also support a modicum of struc- the use of a generic type determine its variance behaviour, as in the tural subtyping; for example, array types in Java and C] behave co- cast function below: variantly. More recent designs feature richer structural features—in interface Func { B apply(A a); } particular, covariant and contravariant subtyping of constructor pa- class C { } rameters, such as the variance annotations of Scala’s generic types class D extends C { and the wildcard types supported by Java 5. static Func Formally, subtyping is typically presented in a declarative cast(Func f) { return f; } } style. For many systems, an equivalent syntax-directed presenta- tion is easily derived, and termination of the corresponding sub- Here, the ? extends annotation induces covariant subtyping on type checker is easy to demonstrate. For example, in the case of the type argument, and ? super annotation induces contravariant C] 2.0 and the original “GJ” design for generics in Java [3, 13], subtyping. (In an earlier variance design for Java [14] the annota- it is straightforward to derive an algorithm by building transitivity tions were the more concise + and -.) into the subtyping rules for superclasses and upper bounds and to For all of these languages, decidability of subtyping is an open then prove termination by constructing a measure on subtype judg- problem. The Java 5 design [12, 22] is based on an earlier extension ments that strictly decreases from conclusion to premises in the to Java generics whose decidability is not known [14, §4.1]. A algorithmic rules. core calculus for Scala has been studied recently and type-checking For more sophisticated systems, such as the original use-site and subtyping proved decidable [8], but variance is not supported. variance proposal for Java [14], the wildcard design of Java 5 [12, Finally, an extension to C] 2.0 modeled on variance in .NET IL 2.0 has been studied by the first author and others [10], but without considering generic inheritance in its full generality (in particular, support for multiple instantiation inheritance). Permission to make digital or hard copies of all or part of this work for personal or Contributions We present here a collection of results regard- classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation ing the algorithmics of nominal subtyping in the presence of on the first page. To copy otherwise, to republish, to post on servers or to redistribute (declaration-site) variance. First, we show that a general form of to lists, requires prior specific permission and/or a fee. 1 Readers may enjoy attempting to compile the examples in Appendix A Copyright c ACM [to be supplied]. . . $5.00 using their favorite Java compiler! the problem, where the subtype hierarchy may involve multiple We require that inheritance be acyclic, in the following sense: inheritance from arbitrary supertypes (in particular, from multiple if C <::+ D then C 6= D. In the presence of mixins instances of the same type constructor) is undecidable. Second, we it is not immediately apparent how to check acyclicity for a given show various restricted fragments of the system are decidable: (1) class table: consider, for example, the definitions CX <:: X and a system with only covariant and invariant constructors (no con- D <:: CD. Fortunately, a straightforward procedure does exist [1], travariance); (2) a system (like the .NET CLR) where unbounded and for the remainder of the paper we simply assume that the expansion of types is disallowed—i.e, where the class hierarchy is acyclicity property holds. restricted so that the set of types reachable from a given type by Individual parameters of type constructors may be marked as inheritance and decomposition is always finite; and (3) finally, a co- or contra-variant. The general form of a class declaration is: system in which (as in Scala and Java) multiple instantiation inheritance is prohibited—class hierarchies are restricted so that a type C <:: T1 may not have multiple supertypes with the same head constructor— . . and where some technical restrictions (detailed below) are imposed T on unbounded expansion. n These results settle the decidability issue for one case of practi- where each vi is ◦ (invariant, also written as an empty string), + cal interest: subtyping between ground types in the .NET interme- (covariant), or - (contravariant). We write C#i to stand for the i’th diate language (which is used for runtime type tests); we conjecture type parameter in the definition of the class C , and var(C#i) for that the argument can be extended without major new insights to the the variance of that type parameter. case of subtyping between open types in .NET. For Java and Scala, the decidability questions remain open—we discuss the remaining Subtyping Figure 1 presents the ground subtype relation <: to- gaps in Section 6. However, even for these languages, our results gether with an auxiliary variance-indexed relation <:v (the last do begin to give a feel for the lay of the land, and their proofs in- three rules). Rule SUPER is the familiar generic inheritance rule ] troduce a number of novel techniques that we hope may be useful from Generic Java and C 2.0. Note the side-condition, which en- in further attacks on the decision problems. sures that the subtyping rules are syntax-directed; moreover, given the absence of cycles in the inheritance hierarchy, two instantia- 2. Definitions tions of the same class cannot be related by inheritance. Subtyping can be extended to open types through the addition of an axiom Syntax Types, ranged over by T , U , V and W , are of two forms: X <: X asserting reflexivity for type variables. type variables, ranged over by X , Y , and Z and constructed types Although the rules are syntax-directed, rule SUPER presents a C , where C is a type constructor (such as List) and T is a choice for V in its premise if C inherits from multiple superclasses. list of argument types. We define the height of a type by So a subtype checker may need to employ backtracking. height(X ) = 1 In rule VAR, the variance annotation of a parameter C#i de- height(C ) = 1 + max height(T ) termines the behaviour of the i’th argument in an instantiation of C with respect to subtyping. Suppose Ti is a subtype of As usual, nullary constructor applications are written without Ui. If var(C#i) = + then C is a sub- brackets (C means C <>). It is also convenient to write unary type of C ; dually, if var(C#i) = - then applications without the angle brackets (CT means C ), and C is a subtype of C . to declare that application associates to the right (not to the left, This declaration-site variance is supported by Scala 2.0 [18], as usual), so that we can write long nested applications without and has also been studied as an extension to C] by the first au- brackets. For example, CDEX is shorthand for C >>. thor and others [10]. Java 5, in contrast, supports use-site variance, Class tables We are working in a nominal subtyping world, where where the variance behaviour of a type is determined by annota- the basic inclusions between constructors are explicitly declared in tions on its actual instantiation. Suppose that T is a subtype of U . a global class table. A class table is a set of class declarations, each Then C is a subtype of C ; du- of the form ally, C is a subtype of C . In fact, wildcard types in Java are best thought of as bounded ex- C <:: T 1 istentials, so C is essentially ∃X <:T .C and . . C is ∃X :>T .C . This existential interpretation leads to somewhat more complex (and more powerful) subtyping Tn where the class name C is unique to the declaration, and the T s rules, particularly in combination with inheritance and F-bounded i type parameters. Nevertheless, it is quite straightforward to define a may mention the parameter variables X . This says that, given translation from declaration-site to use-site variance that preserves a tuple of arguments U , the application C U is a subtype of < > and reflects subtyping. Hence rather than dive in at the deep end [U /X ]Ti for each i. We write C <:: [U /X ]Ti when this with use-site/wildcard variance, we choose to start our investiga- holds and define <::+ and <::∗ to be the transitive and reflexive ] tion with the declaration-site variety. transitive closures of this relation. (In Java and C , exactly one of Also note that we do not consider bounds (also called con- the supertypes of C will be an actual class; the rest will be straints) on type parameters, a feature supported by Java 5, C] 2.0, interfaces. Since we are only interested in subtyping in this paper, .NET IL 2.0, and Scala 2.0. Formally, these require subtyping judg- we elide the difference.) ments of the form ∆ ` T <: U , where ∆ is a set of assumptions: Note that the class table is allowed to be both singly and mu- upper bounds on type parameters, for Java, C], and .NET, and both tually recursive: the supertypes of C can mention C, can mention lower and upper bounds, for Scala. We believe that for declaration- a class D whose supertypes involve C, etc. Moreoever, in the ab- site variance, our results can be generalized to open subtyping in sence of further restrictions, we have already gone beyond generic the presence of bounds; we return to this point in Section 6. inheritance in the style of Java, Scala, and C], as we have not imposed a single root (such as java.lang.Object), and we permit Properties of subtyping It is easy to prove that ground subtyping both mixin-style inheritance [1] of the form C <:: Xi and is reflexive, by a derivation consisting only of instances of VAR. multiple-instantiation inheritance (e.g., C <:: DE1, DE2). To prove transitivity, we need to make use of a well-formedness 3. Examples for each i Ti <:var(C#i) Ui (VAR) Is the subtype relation we have defined decidable, for any class ta- C <: C ble? It is not clear, on the face of it, what we should expect. On one hand, this type system has something of the flavor of System C <:: V [T /X ]V <: D ω (SUPER) C 6= D F≤ [5, 7, 20], the higher-order extension of System F≤ [6] (the type constructors in the present system are intuitively something C <: D ω like bounded type variables of higher kind in F≤ ), so we might T <: U U <: T worry about the possibility of undecidability [19]. Indeed, the possibility of recursion in the class table introduces elements of F- T <:+ U T <:◦ T T <:- U bounded quantification [4, 11, 2]. On the other hand, some features of F≤ that play a prominent role in its proof of undecidability (in Figure 1. The subtyping relation particular, “free-standing” universal quantifiers, which allow intro- ducing new type variables into the environment) are missing here. And the other complicating feature, the variance annotations, has 8 -, if v = +, been shown to be well-behaved (though complex to analyze) in at <> ¬v = ◦, if v = ◦, least some situations [21]. (Appendix A presents Java 5 code for the examples below). :>+, if v = - Example 1 The first observation that hints at the full system’s vi ∈ {◦, +} undecidability is that the subtype checker defined by the algorithmic rules above does not always halt. (This is not a proof of un- vX ` Xi ok decidability, of course—it is always possible that there is another, smarter algorithm that does always terminate.) var(C#i) ∈ {◦, +} ⇒ vX ` T ok for each i i Define the classes N and C as follows: var(C#i) ∈ {◦, } ⇒ ¬vX ` T ok - i N<-Z> <:: vX ` C ok C <:: NNC vX ` T ok That is, N is a contravariant constructor with no declared supertypes and C is an invariant nullary constructor whose immediate C <:: T ok supertype is NNC. Now, suppose we want to know whether C <: NC. If we try Figure 2. Well-formed types and class declarations to construct a proof of this fact from the algorithmic subtyping rules (following the steps of the subtyping algorithm), we enter an infinite regress: condition on supertype declarations that restricts covariant type parameters to appear only in positive positions in the supertype and, C <: NC dually, restricts contravariant parameters to appear only in nega- −→ NNC <: NC by SUPER tive positions. (This condition is necessary for semantic soundness, −→ C <: NC by VAR but observe that if it were not enforced, one could make the defini- −→ NNC <: NC by SUPER tion C <+X > <:: NX for contravariant N, and have CT <: CU −→ C <: NC by VAR and CU <: NU but not CT <: NU .) Formally, we intro- −→ etc. duce a well-formedness judgment vX ` T ok which can be read Of course, this infinite regress is easy to detect. And clearly, if “type T respects the variance annotations v on type parameters T <: U can only be proved by a derivation containing as a X .” This is shown in Figure 2 together with its application in spec- subderivation a proof of T <: U , then T is not a subtype of ifying well-formedness of class declarations. (For the type system U . (Under a co-inductive interpretation of the subtyping rules, T proper, well-formedness is also used to restrict field and method would be considered a subtype of U . We believe that this more signatures appropriately [10].) For example, if class C is invari- generous definition is semantically sound; but it does not affect ant in its parameter and N is contravariant, then the declaration decidability, as an algorithm must in any case detect infinite regress, D<-X , +Y > <:: NNY is allowed, because -X , +Y ` NNY ok returning true in place of false.) is derivable, but D<-X , +Y > <:: NY and D<-X , +Y > <:: CX are rejected. Example 2 Unfortunately, slightly trickier examples lead to more Using these assumptions, we can prove that subtyping is transi- complicated patterns of regress. For example, if we define N as tive. above and consider LEMMA 1 (Transitivity). If T <: U and U <: V then T <: V . CX <:: NNCCX then the regress involves longer and longer types as it goes on: PROOF: See Appendix B. CT <: NCU It follows that the syntax-directed formulation of subtyping we −→ NNCCT <: NCU by SUPER are working with here is equivalent to a declarative formulation −→ CU <: NCCT by VAR where reflexivity and transitivity are included as separate rules −→ NNCCU <: NCCT by SUPER and rule SUPER is replaced by a simpler version that concludes −→ CCT <: NCCU by VAR T <: U from premise T <:: U . This observation gives some −→ NNCCCT <: NCCU by SUPER assurance that the decidability issues we are addressing do not −→ CCU <: NCCCT by VAR arise just from some peculiarity in the way we have formulated our −→ NNCCCU <: NCCCT by SUPER algorithmic rules, but rather are inherent to the notion of subtyping −→ CCCT <: NCCCU by VAR under consideration. −→ etc. In general, there is no way to describe and detect all such patterns The representation of a non-empty word u, denoted u, is defined as of regress. u = u·E. Example 3 Another observation that illustrates the bad behavior It is easy to see that u = v iff u = v. of the subtyping relation is that successful derivations can be ex- The class table entries for C and B are: ponentially larger than the class table. For example, consider the following definitions: C <:: NN1C (C1) 0 N1NC (C1) C0X <:: NNX . C1X <:: C0C0X . . . NNnC (Cn) . 0 NnNC (Cn) CnX <:: Cn−1Cn−1X NN0SX (CL) The derivation of the valid subtyping assertion CnNT <: NCnT n+1 N0SY (CR) uses 2 instances of the VAR rule!

Example 4 Analogously, there are patterns of regress where the B <:: NN1C (B1) 0 “cycle” is exponentially larger than the class table. One such is N1NC (B1) obtained by making a small change to the declaration of Cn above: . . C0X <:: NNX NNnC (Bn) C1X <:: C0C0X 0 NnNC (Bn) . . Now, the given word problem has a solution iff the subtyping CnX <:: Cn−1Cn−1CnX judgment B <: NB is derivable. To see why, consider the progress of the proof search procedure starting from B <: NB. Its first The reduction of CnNT <: NCnT enters a cycle (i.e., generates step must be to use some instance of SUPER on the left-hand a subgoal that has already been seen) after passing through 2n+1 side. If it chooses one of the even-numbered supertypes (the ones instances of VAR. beginning with Ni), then it will fail on the next step: since none of the N s have declared supertypes, there is no rule that can derive 4. Undecidability of the general case i NiS <: NT . Among the odd-numbered rules, however, it has To show undecidability of subtyping, we perform a reduction from a free choice—i.e., algorithmically, it must try each of them in the Post Correspondence Problem, or PCP for short. turn, backtracking and trying the others if the proof search for the corresponding subgoal fails. So suppose it tries the first one, rule The Post Correspondence Problem Let {(u , v ),..., (u , v )} 1 1 n n (B ) in the class table. The active goal then becomes be a set of pairs of non-empty words over a finite alphabet 1 Σ. The Post Correspondence Problem is to determine whether NN1C <: NB. or not there exists a sequence of indices i1, . . . , ir such that The next step of proof search necessarily applies rule VAR, yielding ui1 ··· uir = vi1 ··· vir . B <: N1C. THEOREM 2. PCP is undecidable. At this point, there is again just one choice that allows us to make PROOF: See, for example, [15]. progress: the only way to avoid failing on the very next step is to 0 Reduction The construction uses the following classes: choose rule (B1) E empty sequence N1NC <: N1C, SX stop and another use of VAR yields N<-X > negation C <: NC. Ni<-X > negation, for 0 6 i 6 n 1 1 1 1 LX letter, for each L ∈ Σ At this point, the proof search algorithm again has a choice to C crank make. It can either apply SUPER with one of the odd-numbered B boot supertypes of C, or apply the special “stop rule” (CL) (again, The first five of these have no declared supertypes; the supertype the even numbered rules and rule (CR) all lead to failure on the 0 declarations for the last two are given below. The general idea is next step). If it chooses one of the (Ci) rules—say, (C4)—then an that words over Σ are represented as types, while instances of PCP analogous sequence of forced steps leads to the subgoal are represented as class tables in which each pair of words from the C <: NC. PCP instance corresponds to a different supertype declaration for 4 1 4 1 4 1 4 1 the constructor C. This process might continue in the same way with yet another of the We represent words as sequences of applications of classes, (Ci) rules, but suppose, instead, that the proof search now chooses using the nullary class E to represent the empty sequence. So, the stop rule (CL): for example, if Σ = {P, Q, R} then our class table will contain NN S <: NC, declarations for classes P , Q, and R, each taking one parameter 0 4 1 4 1 4 1 and with no supertypes, and the word P QP can be represented by which leads to the type P QP E (i.e., P >>>). C <: N S, Let u·T denote the representation of a non-empty word u con- 4 1 4 1 0 4 1 catenated onto a word represented by type T : from which the only choice that does not fail at the next step is (C ), L·T = LT R (Lu)·T = L N0S <: N0S, from which VAR yields then there exists a (not necessarily proper) subderivation whose conclusion is S <: S. C u , v <: NC u , v Now the proof search immediately succeeds or fails. The construc- < JI JI > < JI JI > tor S has no declared supertypes and no variance annotation, so such that uJI = vJI for some (possibly empty) J. the only way S <: S can hold is by reflexivity. This rule applies if the two types being compared are exactly the PROOF: By induction on the height of the derivation. u = v same—i.e., if u4u1 = v4v1. Summing up, we can see that there From Lemma 3, we have either I I , in which case we’re exists some way of constructing a successful subtyping derivation done (J is the empty sequence), or else we have a proper subderiva- for the judgment B <: NB iff there is some sequence I such that tion whose conclusion is uI = vI —that is (since the translation from words to types is in- C <: NC jective), such that uI = vI . for some i. We now apply the induction hypothesis to get a (not Formalities The rest of the section recapitulates this argument necessarily proper) subderivation of more formally. Let i and j range over positive integers, used to index the C <: NC words, and let I and J range over (possibly empty) sequences 0 for some J such that uJ0iI = vJ0iI . This is the result we desire of positive integers. We write IJ to denote the concatenation of (let J = J 0i). sequences I and J, and we identify i with the single-element sequence containing i. For I = i1 ··· ir we write uI to denote the THEOREM 5. Subtyping is undecidable. concatenated word ui1 ··· uir . We begin with a couple of lemmas. PROOF: We show that an instance of PCP can be reduced to an LEMMA 3 (Single step). Suppose instance of subtype validity under some class table.

C <: NC For the particular instance of PCP, define a class table as de- scribed above. We now show that the instance of PCP has a solution is derivable for a non-empty sequence I. Then either uI = vI , or if and only if B <: NB is derivable. there is a proper subderivation whose conclusion is (⇒). Suppose that I is a solution to the problem, so that C <: NC uI = vI . Then S <: S by reflexivity. By two uses of VAR, and SUPER through C and C we obtain a derivation of for some i. L R C <: NC. We now show B <: NB is derivable PROOF: Since C 6= N, the derivation must end with an instance by induction on the length of I. For the base case, suppose I = i. UPER Then we can easily construct a derivation, using VAR twice and of S . There are two cases. 0 SUPER through Bi and Bi. For the inductive step, suppose that • Declaration (CL) was used, and so the premise was 0 I = iJ. By two uses of VAR and SUPER, through Ci and then Ci, NN0SuI <: NC. we obtain C <: NC. Applying the induction hypothesis gives us the desired result. Since both sides begin with N, the final rule in this subderiva- (⇐). The derivation must end with an instance of SUPER, with tion must be VAR, with premise premise NNiC <: NB for some i. This in turn must have C <: N0SuI . been derived using VAR, with premise B <: NC. Another use of SUPER and VAR takes us to C <: N C. Again, the subderivation for this premise must end with an i i i i i 0 Now we can apply Lemma 4, to obtain a derivation of instance of SUPER. None of CL, Ci, or Ci lead to a successful derivation (for any i), but CR does, giving us the premise C <: NC

N0SvI <: N0SuI . for some I such that uIi = vIi. In other words, we have some J such that uJ = vJ , as required. By VAR again, this was derived from

SuI <: SvJ . 5. Some decidable fragments Finally, by VAR once more, we must have a subderivation of The reduction from PCP in the previous section used the following uI = vI , and so uI = vI , as required. vital ingredients: • Declaration (C ) was used, for some i, so the premise was i • Contravariance was used in a “double-negation” fashion to NNiC <: NC. send a term to the opposite side of the subtype assertion and By VAR, this must have been derived from then back again. (Interestingly, it is possible to devise a slightly more complex reduction from PCP that uses only a single con- C <: NiC. travariant constructor.) 0 Then by SUPER through declaration Ci we have premise • Unbounded growth in the size of the subtype assertion was used to accumulate a concatenation of words in the encoding. NiNC <: NiC • Multiple instantiation inheritance—applying a type constructor and by VAR we have the premise at different type instantiations in inheritance declarations—was C <: NC used to encode a choice of words. (Note, though, that the instan- as required. tiations are non-overlapping: instantiation of C does not lead to identification of any of its supertypes.) LEMMA 4 (Multiple step). For any non-empty sequence I, if there In this section, we explore different ways to recover decidability is a derivation of by restricting the class table to eliminate one or more of these C <: NC ingredients. 1 5.1 Contravariance • if Xi is a proper subterm of Tj add an expansive edge C#i → THEOREM 6. Suppose that no type constructors are contravariant. D#j. Then subtyping is decidable. We write X → Y if X →e Y for some e ∈ {0, 1} and write →+ for the transitive closure of →. PROOF: Define the following order on subtype assertions: Infinitary class tables are characterized precisely by those (T1 <: U1) ≺ (T2 <: U2) graphs that contain a cycle with at least one expansive edge. iff Consider Example 2 and its graph, using dotted arrows for non- height(U1) < height(U2) expansive edges and solid arrows for expansive ones: + or (height(U1) = height(U2) and T2 <:: T1) N<-Z> <:: The acyclicity condition on inheritance ensures that the inverse X Z of <::+ is well-founded; so ≺ is well-founded also. It is easy to C <:: NNCCX M 6 see that this order strictly decreases from conclusion to premises of the subtyping rules: rule VAR reduces the height of both sides of The type parameter X appears in three edges: a non-expansive edge the assertion for covariant parameters, whilst rule SUPER leaves the represents its use as argument to the second occurrence of C, an right-hand-side alone and reduces the left-hand-side with respect to expansive cyclic edge represents its use inside the argument to the the inheritance ordering. first occurrence of C, and an expansive edge to Z represents its use inside the argument to the two occurrences of N. 5.2 Expansive inheritance Now consider a more complex class table and its graph: The undecidability reduction made crucial use of the ability to grow the subtype assertion in an unbounded fashion. We now show how 0 C <:: DP ZX h Z to check this growth by restricting the form of types in the class P <:: Q O > O table. Q <:: Given a particular class table, a set of types S is said to be closed D <:: × under decomposition and inheritance—or inheritance closed, for Y W o Y 0 C T S T short—if (a) whenever < > is in , so are all the , and (b) if The type parameter X is used in three ways: its appearance in the T S T <:: U U S inheritance is in and , then is in . Define the instantiation of D is represented by an edge to the “sink” node W , closure S cl(S) of a set , written , to be the least inheritance-closed its use as first argument to P is represented by an edge in a non- S superset of . expansive cycle through Y , and its use as second argument to P The types appearing in subtype judgments in the subtyping rules is represented by an edge in an expansive cycle through Y 0. The are clearly closed with respect to decomposition and inheritance: existence of this latter expansive cycle implies that the class table a derivation of T <: U involves only types in cl({T , U }). If m is infinitary; indeed cl({CT }) ⊇ {CD T | m > 0}. the subtype checker remembers a set of “visited goals” and rejects In order to show that expansiveness is a sufficient condition for assertions that appear in this set, then it must terminate if the infinitary closure, we make use of the following relationship be- inheritance closure of the types in the original problem is finite. tween inheritance closure and type parameter dependency graphs. We say that a class table is finitary if any finite set of types has a finite inheritance closure with respect to the class table; otherwise, LEMMA 7. Suppose S is inheritance closed and C ∈ S. the class table is infinitary. The class table in Example 1 is finitary, 0 while that in Example 2 is infinitary: cl({CT }) = {N mC nT | 1. If C#i → D#j then D ∈ S for some U with Uj = Ti. 1 0 6 m 6 2 and n > 0}. Likewise, the “crank” class C in 2. If C#i → D#j then D ∈ S for some U such that Ti is a Section 4 induces an infinitary closure. proper subterm of Uj . Even disregarding subtyping, infinite closure presents a problem for language implementers, as they must take care not to create PROOF: type representations for supertypes in an eager fashion, else non- 1. From the definition of a type parameter dependency graph, we termination is the result. For example, the .NET Common Lan- must have C <:: V for some V with some type D guage Runtime supports generic instantiation and generic inheri- a subterm of V and Vj = Xi. By inheritance closure of S we ] tance in its intermediate language targeted by C . The class loader have [T /X ]V ∈ S and then by decomposition closure we have maintains a hash table of types currently loaded, and when loading D<[T /X ]V > ∈ S, from which the result follows. a new type it will attempt to load its supertypes, add these to the ta- 2. Similar. ble, and in turn load the type arguments involved in the supertype. Fortunately, there is a syntactic characterization of infinitary THEOREM 8. If a class table is expansive, then it is infinitary. class tables due to Viroli [23] that can be used to reject such definitions; the specification of the .NET CLR includes such a restric- PROOF: Suppose that the class table is expansive. Then its type § parameter dependency graph contains a cycle, at least one of whose tion [9, Partition II, 9.2]. Here we recast Viroli’s definitions in our 1 framework and present a (somewhat slicker) proof of correctness. edges (say the first) is expansive—i.e., either C#i → C#i (a one- Define a type parameter dependency graph as follows. The cycle), or C#i →1 D#j →+ C#i. By repeated use of Lemma 7 vertices are all the type parameters to classes in the class table; we we can see that, if C ∈ S and S is inheritance closed, then will denote these interchangeably by either C#i—the i’th formal C ∈ S for some U with Ti a proper subterm of Ui. In type parameter to class C —or by their alphabetic names, which other words, for any instantiation of C in S there is a larger one; it we assume are (α-converted to be) distinct. Boolean-labeled edges follows that S is infinite. represent uses of formal type parameters in class instantiations in the class table. For each declaration C <:: T and each Showing that expansiveness is a necessary condition is a bit subterm D of T , more tricky. We need two further notions. First, we rank the vertices in the graph, assigning each type pa- 0 • if Tj = Xi add a non-expansive edge C#i → D#j; rameter X a natural number level(X ) with the following property. + Suppose X → Y . If Y → X then level(X ) = level(Y ), else ∗ T <:: D for each i, Ti <:var(D#i) Ui level(X ) > level(Y ). (One means of assigning levels is first to (SUPERVAR) identify nodes in strongly-connected components and then to topo- T <: D logically sort the resulting DAG.) For the example above, we can make the assignment level(Z) = level(Z0) = level(W ) = 0 and T <: U U <: T level(Y ) = level(Y 0) = level(X) = 1. Second, we introduce the notion of a path. A particular subterm T <:+ U T <:◦ T T <:- U of a type can be identified by a path, which we represent as a sequence of formal type parameters, writing for the empty path Figure 3. Deterministic subtyping and X .p (or C#i.p) for the path consisting of the formal type parameter X (or C#i) concatenated onto the path p. We interpret a path p as a partial function from terms to subterms, as follows: p(T ) = U “A class may not at the same time be a subtype of two i interface types which are different invocations of the same (T ) = T (C#i.p)(C ) = U generic interface, or an invocation of a generic interface and a raw type naming that same generic interface.” [12, §8.1.5] For example, let T = C . Then (C#1.)(T ) = DU , and (C#1.D#1.)(T ) = U . We say that p is a path in T if p(T ) To put it another way, generic instantiations are uniquely deter- is defined. mined by the inheritance relation: if T <::∗ C and T <::∗ C then U = V . The Java 5 specification goes on to say: THEOREM 9. If a class table is infinitary, then it is expansive. “This requirement was introduced in order to support trans- PROOF: We argue the contrapositive—that non-expansive class lation by type erasure.” tables are finitary. Let S be a finite set of types. Let δ be a bound on the height of types in S and in the class table (if T ∈ S then C] 2.0, which does not erase types, has no such restriction. Instead, height(T ) δ C X <:: T height(T ) δ 6 ; if < > then 6 ) and let it merely requires supertypes to be non-overlapping: if C <:: L be the number of levels (so 0 level(X ) < L for any formal 6 T and C <:: U , then, for all instantiations V , if [V /X ]T = type parameter X ). We prove that the height of types in cl(S) is [V /X ]U T = U bounded by δL; then, because the set of types of a certain height is , then . finite, it follows that cl(S) must be finite. If multiple instantiation inheritance is prohibited, we can refor- Let φ(p) hold for a path p if it can be divided into a sequence mulate subtyping so that derivations are unique. Figure 3 presents of (possibly empty) sequences of type parameters whose levels the revised rules, in which SUPERVAR combines variance and in- are bounded by 0,...,L−1 and whose lengths are bounded by δ. heritance in a single rule. It is easy to show that the rules define the same relation. (For an example of non-unique derivations under That is, φ(p) means that p has the form X X ··· X , with 0 1 L−1 single instantiation inheritance in the original system, consider the level(X l) 6 l and |X l| 6 δ for 0 6 l < L. Let φ(T ) hold for declarations CX <:: IX and D <:: C E,IE and the assertion a type T if φ(p) holds for every path p in T . It is easy to see that D <: IE. In the revised rules, such non-determinism is ‘hidden’ φ(T ) implies height(T ) δL. ∗ 6 inside the <:: side-condition on rule SUPERVAR.) Clearly φ holds for the types in S. We show that φ is preserved Of course, uniqueness of derivations in a syntax-directed system under the closure operations used to construct cl(S). For decom- does not imply decidability: derivations in F≤ are unique, but sub- position, it’s clear that, if φ(C ) holds, then so does φ(Ti) typing is undecidable [19]. However, it does simplify the problem for each i. For inheritance, suppose that C <:: U ; we must somewhat, as the search for a derivation does not involve a choice show that φ(C ) implies φ([T /X ]U ). If U is simply a type of paths, but must determine merely whether a particular linear path parameter (mixin inheritance), then the result follows directly. Oth- is finite (and, if so, whether it ends in a successful state). erwise, consider a path p in [T /X ]U . There are two possibilities. Fortunately, for all examples in Section 3—and for many other First, p could be simply a path in U that maps to a non-variable more complex ones—it is possible to detect the infinite regress us- subterm (p(U ) = D for some D and U ). In this case we ing a notion of accessibility, which we describe next. (Unfortu- know that |p| 6 δ and so we have φ(p) immediately. Otherwise, nately, we do not yet have a general result for all class tables with- 0 0 0 p = p .q for some non-empty p and q such that p (U ) = Xi out multiple instantiation inheritance; our proof requires an addi- and q is a path in Ti. Hence C#i.q is a path in C , and so tional, somewhat artificial, technical condition on class tables, de- from φ(C ) we can deduce φ(C#i.q), or written another way, scribed below. It is possible that, without this restriction, the prob- φ(Xi.q). Now if level(Xi) = k then q = Yk.Yk+1.....YL−1, lem is still undecidable.) T with level(Yl) 6 l for k 6 l < L and with |Yk| < δ and Consider Example 2 once more. Observe that the types and 0 U actually play no role in the reduction: they can be replaced |Yl| 6 δ for k < l < L. Suppose p = Z .Z . By the definition 1 by arbitrary types without affecting the validity of the subtype of the type parameter dependency graph, we know that Xi → Zj 0 assertion. Indeed, at any point in the reduction, all but the first for each j and that Xi → Z . Because the graph contains no expan- occurrence of C in the types can be replaced without affecting + sive cycles (that is, we do not have Zj → Xi), we can deduce that validity, because that part of the type is never “accessed.” To make level(Zj ) < level(Xi) = k for each j. Finally, because |Z | < δ, things a little clearer, we adapt the example to use a different type we can see that p = Z .Z .Yk.....YL−1 satisfies φ, as required. inside C. The definitions and type parameter dependency graph are as follows: COROLLARY 10. Non-expansive subtyping is decidable. N Z <:: 5.3 Multiple instantiation inheritance <- > D <:: YXo 6 Z We now consider the third ingredient of the reduction from PCP: C <:: NNCDX multiple instantiation inheritance. Java 5 prohibits it: Using the new rules from Figure 3, the pattern of regress is as application of the inner induction hypothesis on the (ac- follows: cessible) path p.D#i. CT <: NCU For the rest of the argument, it is convenient to introduce a −→ CU <: NCDT by SUPERVAR notation for “reduction” between subtyping goals. We write J −→ −→ CDT <: NCDU by SUPERVAR J 0 if judgments J and J 0 are respectively the conclusion and −→ CDU <: NCDDT by SUPERVAR premise of an instance of SUPERVAR. (We have been relying on −→ CDDT <: NCDDU by SUPERVAR the same informal intuition all along, of course, in arguments of the −→ etc. form “subtyping judgment J1 can only be provable if J2 is,” but Notice that C is invariant and recursive through X : the former the notion is particularly easy to formalize in the present setting, property means that it cannot be “passed through” using variance where we have imposed enough conditions to make proof search to reach a goal involving its arguments—the only thing we can do deterministic.) This relation is specified by the following inference with it is to use the inheritance relation to replace it (on the left rules: of <:) by some supertype—and the latter means that, when an T <::∗ D var(D#i) = + instantiation of C is replaced by something else in this way, the type replacing it is another instantiation of C itself or of another T <: D −→ Vi <: Ui class in mutual recursion with C. ∗ Of course, a type parameter may be used both recursively and T <:: D var(D#i) = - non-recursively in different subterms of the same type, or in differ- T <: D −→ U <: V ent supertype declarations. To obtain our (preliminary) decidability i i result, we impose a somewhat artificial restriction on the class ta- The following key lemma captures our intuition that only the ble: if a type parameter X appears in an expansive cycle in the accessible part of a type affects reducibility. type parameter dependency graph, then (a) it is an invariant type LEMMA 12. Suppose J1 and J2 are subtyping judgments with parameter, and (b) it appears exactly once in a single supertype 0 0 0 J1 ∼ J2. If J1 −→ J1, then J2 −→ J2 for some J2 such that declaration. We call such a type parameter expansive-recursive. 0 0 J1 ∼ J2. We can now formalize the idea of accessibility by defining a 0 0 relation ∼ between types, read “same accessible parts” and defined PROOF: Suppose J1 = T <: D and J2 = T <: D. as follows: C ∼ D if C = D and for each i either C#i Then J1 is reducible only if var(D#i) 6= ◦ for some i. Suppose is expansive-recursive or else Ti ∼ Ui. We extend the definition var(D#i) = + (the case for var(D#i) = - is similar). We must 0 0 ∗ 0 to subtype judgments: (T <: T ) ∼ (U <: U ) iff T ∼ U have T <:: D for some V and J1 = Vi <: Ui. By and T 0 ∼ U 0. Alternatively, we say that a path p is accessible if it Lemma 11 we have T 0 <::∗ U 0 for some V 0 such that D ∼ 0 0 0 0 0 does not contain an expansive-recursive type parameter. It is easy V , so V = D for some V , and hence J2 −→ J2 0 0 0 0 to show that T ∼ U iff T and U have the same set of accessible where J2 = Vi <: Ui . Finally, since D ∼ D and paths. D ∼ D it follows immediately from the definition of ∼ The following technical lemma relates this notion of accessibil- 0 0 that Ui ∼ Ui and Vi ∼ Vi , as required. ity to the inheritance relation. + 0 0 ∞ ∗ 0 0 ∗ 0 COROLLARY 13. If J −→ J and J ∼ J then J −→ . LEMMA 11. Suppose T <:: U and T ∼ T . Then T <:: U for some U 0 such thatU ∼ U 0. We now have a sufficient condition for non-termination: if we en- counter a goal that matches a goal already seen up to accessibility, PROOF: By induction on the number of steps of inheritance used ∗ then we can return false immediately. to derive T <:: U . Example 4 demonstrates that many reductions may occur before • Suppose U = T . Then set U 0 = T 0 and we’re done. such a matching goal is reached. Fortunately, we can show that the • Suppose T = C and T 0 = C , with C <:: V number of reductions is bounded: although the inaccessible part of and [T /X ]V <::∗ U . We will show that, if p is an accessible a type can grow unboundedly (as in Example 2), the accessible part 0 cannot. Hence, there are only a finite number of possible types up path in V , then [T /X ](p(V )) ∼ [T /X ](p(V )); setting to accessibility. This is the key to decidability. p = then gives us [T /X ]V ∼ [T 0/X ]V , from which the Let δ be a bound on the height of a supertype (if C <:: T desired result follows by the induction hypothesis. then height(T ) 6 δ), and let L be the number of levels (so 0 6 We proceed by an inner induction on the size of term p(V ). level(X ) < L). Given a particular subtyping problem T <: U , First, suppose p(V ) = Xi for some i. We deduce that Xi we can always arrange for δ to be larger than both height(T ) and is not expansive-recursive by the following argument. Sup- height(U ). pose it were. Then p would represent the only occurrence of Define a notion of accessible height as follows. Xi (by our linearity restriction), and the only edges from Xi in the type parameter dependency graph would be to nodes acc(T ) = max{|p| | p is an accessible path in T } in p, as they represent all arguments to constructors in V We now show that the accessible height of subtype judgments is for which Xi is a subterm. By the definition of expansive- bounded by δL. recursive edges, one of these edges would belong to an ex- 0 0 pansive cycle in the graph, and hence one of the type pa- LEMMA 14. If acc(J) 6 δL and J −→ J then acc(J ) 6 δL. rameters in p would itself be expansive-recursive. This con- PROOF: Let φ(p) hold for a path p if it can be divided into (possibly tradicts our assumption that p is accessible; hence Xi is not empty) sequences of type parameters whose levels are bounded by expansive-recursive. This being the case, we immediately 0,...,L−1 and whose lengths are bounded by δ. That is, p has have T ∼ T 0 because C ∼ C . i i the form X 0X 1 ··· X L−1 such that level(X i) 6 i, and |X i| 6 δ Next, suppose p(V ) is some compound type D. We for 0 6 i < L. Let φ(T ) hold for a type T if φ(p) holds for must show that, for each Vi with D#i not expansive- every accessible path p in T . It is easy to see that φ(T ) implies 0 recursive, [T /X ]Vi ∼ [T /X ]Vi. This follows by an acc(T ) 6 δL. We now show that, if φ(T ) and φ(U ), and T <: U −→ For Java 5, other features must be explored. First, variance T 0 <: U 0, then φ(T 0) and φ(U 0). The argument is very similar behaviour for wildcard types is actually a consequence of the to that pursued in Theorem 9, but this time relies on the fact that interpretation—intuitively, and in the subtyping rules—of wild- accessible paths contain no expansive-recursive type parameters. cards as bounded existential types [22]. It is not immediately apparent how to adapt our decidability results to these very different COROLLARY 15. Suppose that the class table makes no use of rules. Second, the combination of Java’s wildcards and F-bounded multiple instantiation inheritance and that any expansive-recursive type parameters is particularly intricate, and can lead to unbounded type parameters are invariant and used exactly once. Then subtyp- growth in the typing context during subtype checking. ing is decidable. Finally, our undecidability result highlights a hazard in extend- ing the type systems of any of these languages: if some future ver- 6. Discussion sion of Java or Scala were to support multiple instantiation inheritance, or the .NET CLR were adapted to support expansive inher- Starting with only basic restrictions on class tables (acyclicity and itance through lazy loading of supertypes, then subtyping would well-formedness with respect to variance), we have proved the fol- (most definitely!) be undecidable. lowing results about subtyping under inheritance and declaration- site variance: Acknowledgements • The general problem is undecidable (§4). The work was begun while the second author was a visiting re- • If the class table makes no use of contravariance, then subtyping searcher at Microsoft Research, Cambridge. We would like to is decidable (§5.1). thank Nick Benton, Gavin Bierman, Karl Mazurak, Martin Oder- • If the class table is not expansive, then subtyping is decidable sky, Claudio Russo, and the members of the Penn PL Club for (§5.2). helpful discussions, and the FOOL reviewers for their extremely • If there is no use of multiple instantiation inheritance, and all careful and detailed comments. expansive-recursive type parameters are invariant and linear, then subtyping is decidable (§5.3). References Of these results, decidability of non-expansive subtyping can be [1] E. Allen, J. Bannet, and R. Cartwright. A first-class approach to applied directly to ground subtyping in .NET (that is, subtyping genericity. In Object-Oriented Programming: Systems, Languages, between closed types). It is straightforward to generalize the result Applications (OOPSLA), Anaheim, California, October 2003. ACM. to incorporate other features of the .NET type system such as [2] P. Baldan, G. Ghelli, and A. Raffaeta.` Basic theory of F-bounded covariant arrays, invariant managed pointer types, and boxed types. quantification. Information and Computation, 153(1):173–237, 1999. (Decidability even of ground subtyping is important, as subtype [3] G. Bracha, M. Odersky, D. Stoutamire, and P. Wadler. Making the tests at runtime involve un-erased generic types.) To generalize future safe for the past: Adding genericity to the Java programming to open subtyping, as employed by the .NET CLR verifier (type- language. In C. Chambers, editor, ACM SIGPLAN Conference on Ob- checker), we must support upper bounds on type parameters, and ject Oriented Programming: Systems, Languages, and Applications the associated subtyping rule (∆ ` X <: U can be derived from (OOPSLA), ACM SIGPLAN Notices volume 33 number 10, pages premise ∆ ` T <: U if X <: T ∈ ∆). For instance, an analog 183–200, Vancouver, BC, Oct. 1998. of Example 1 can be given using bounds:2 X <: NNX ` X <: [4] P. Canning, W. Cook, W. Hill, W. Olthoff, and J. Mitchell. F-bounded NX . Observe, though, that bounds alone cannot induce arbitrary quantification for object-oriented programming. In ACM Symposium expansion of types, because type parameters cannot range over on Functional Programming Languages and Computer Architecture type constructors: they are not higher-kinded. Put another way, (FPCA), London, England, pages 273–280, Sept. 1989. ω there is no analog of Example 2 using bounds. We believe that [5] L. Cardelli. Notes about F<:. Unpublished manuscript, Oct. 1990. our decidability result generalizes to the complete type system of [6] L. Cardelli, S. Martini, J. C. Mitchell, and A. Scedrov. An extension .NET 2.0. of System F with subtyping. Information and Computation, 109(1– ] Supertype declarations in Java, C and Scala have the form 2):4–56, 1994. Summary in TACS ’91 (Sendai, Japan, pp. 750–770). C <:: T . The constraint-bounded polymorphism studied [7] A. B. Compagnoni. Decidability of higher-order subtyping with by Litvinov [17, 16] also supports “lower bounds” of the form intersection types. In Computer Science Logic, Sept. 1994. T <:: C . It is easy to adapt the reduction from PCP to show Kazimierz, Poland. Springer Lecture Notes in Computer Science 933, that subtyping is undecidable in the presence of covariance and June 1995. Also available as University of Edinburgh, LFCS technical ω both upper and lower bounds in the class table, without the need report ECS-LFCS-94-281, titled “Subtyping in F∧ is decidable”. for contravariance. [8] V. Cremet, F. Garillot, S. Lenglet, and M. Odersky. A core calculus One obvious direction for future work is to generalize the result for Scala type checking. In Proc. MFCS, Springer LNCS, Sept. 2006. of Section 5.3, removing the special requirement on expansive- [9] ECMA International. ECMA Standard 335: Common Language recursive type parameters. If expansive subtyping in the absence of Infrastructure, 3rd edition, June 2005. Available at http:// multiple instantiation inheritance turned out to be decidable, then www.ecma-international.org/publications/standards/ perhaps this could be combined with the existing result on a subset Ecma-335.htm. of Scala [8] to prove that Scala has decidable subtyping. [10] B. Emir, A. Kennedy, C. Russo, and D. Yu. Variance and generalized An undecidability result for expansive subtyping, on the other constraints for C] generics. In European Conference on Object- hand, would imply that both Scala 2.0 and Java 5 have undecidable Oriented Programming (ECOOP), Nantes, France, July 2006. subtyping. A fix for Scala might be to apply the non-expansiveness [11] G. Ghelli. Termination of system F-bounded: A complete proof. restriction on class tables discussed in Section 5.2. We do not be- Information and Computation, 139(1):39–56, 1997. lieve that this restriction adversely affects expressivity—at least, we have been unable to devise any practical application of expansive [12] J. Gosling, B. Joy, G. Steele, and G. Bracha. The Java Language inheritance. Specification. Addison Wesley, 3rd edition, June 2005. [13] A. Igarashi, B. Pierce, and P. Wadler. Featherweight Java: A 2 Thanks to Martin Odersky for observing this. minimal core calculus for Java and GJ. In ACM SIGPLAN Conference on Object Oriented Programming: Systems, Languages, and Applications (OOPSLA), Oct. 1999. Full version in ACM Transactions on Programming Languages and Systems (TOPLAS), 23(3), May 2001. [14] A. Igarashi and M. Viroli. Variant parametric types: A flexible subtyping scheme for generics. ACM Transactions on Programming Languages and Systems (TOPLAS), 28(5), September 2006. [15] N. D. Jones. Computability and Complexity From a Programming Perspective. The MIT Press, 1997. [16] V. Litvinov. Constraint-based polymorphism in Cecil: Towards a practical and static type system. In Object-Oriented Programming: Systems, Languages, and Applications (OOPSLA), Vancouver, October 1998. ACM. [17] V. Litvinov. Constraint-Bounded Polymorphism: an Expressive and Practical Type System for Object-Oriented Languages. PhD thesis, University of Washington, 2003. [18] M. Odersky and M. Zenger. Scalable component abstractions. In Object-Oriented Programming: Systems, Languages, Applications (OOPSLA). ACM, 2005. [19] B. C. Pierce. Bounded quantification is undecidable. Information and Computation, 112(1):131–165, July 1994. Also in C. A. Gunter and J. C. Mitchell, editors, Theoretical Aspects of Object- Oriented Programming: Types, Semantics, and Language Design, MIT Press, 1994. Summary in ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages (POPL), Albuquerque, New Mexico. [20] B. C. Pierce and M. Steffen. Higher-order subtyping. In IFIP Working Conference on Programming Concepts, Methods and Calculi (PROCOMET), 1994. Full version in Theoretical Computer Science, vol. 176, no. 1–2, pp. 235–282, 1997 (corrigendum in TCS vol. 184 (1997), p. 247). [21] M. Steffen. Polarized Higher-Order Subtyping. PhD thesis, Universitat¨ Erlangen-Nurnberg,¨ 1998. [22] M. Torgensen, E. Ernst, and C. P. Hansen. Wild FJ. In Workshop on Foundations of Object-Oriented Languages (FOOL), January 2005. [23] M. Viroli. On the recursive generation of parametric types. Technical Report DEIS-LIA-00-002, Universita` di Bologna, 2000. A. Java examples 1. If wY ` V ok then vX ` [T /Y ]V ok. We present the Java 5 equivalent of the examples from Section 3. 2. If ¬wY ` V ok then ¬vX ` [T /Y ]V ok.

Example 1 This one causes javac 1.5 to run out of stack. On We proceed by simultaneous induction on both derivations. javac 1.6.0-beta2 the program is rejected (correctly). class N { } class C extends N> { With this in hand, we are ready for the main proof of transitivity. N cast(C c) { return c; } PROOFOF LEMMA 1: Suppose the derivation of T <: U has } size m and the derivation of U <: V has size n. We proceed by induction on m + n. When both derivations end in rule VAR or when Example 2 The following example causes both javac 1.5 and the ﬁrst ends in rule SUPER, the result follows by straightforward javac 1.6.0-beta2 to run out of stack. applications of the induction hypothesis. class T { } The interesting case is when the ﬁrst derivation ends in rule class N { } VAR and the second derivation ends in rule SUPER. Suppose T = class C extends N>>> { C and U = C . Then we have derivations concluding as N> cast(C c) { return c; } follows: } for each i Ti <:v Ui C <:: V0 [U /X ]V0 <: V Example 3 The following example causes javac 1.5 to run i out of stack. If the test uses C7 instead, the program is accepted C <: C C <: V (correctly). On javac 1.6.0-beta2 the failure happens at C13. By well-formedness of class declarations, we know vX ` V ok. class T { } 0 class N { } We will now show that [T /X ]V0 <: V , from which the result class C0 extends N> { } follows using an instance of rule SUPER. To do this, we essentially class C1 extends C0> { } transform the derivation of [U /X ]V0 <: V into a derivation class C2 extends C1> { } of [T /X ]V0 <: V by replacing each subderivation of the form class C3 extends C2> { } [U /X ]Xi <: W by a derivation of Ti <: W and replace each class C4 extends C3> { } subderivation of the form W <:[U /X ]Xi by W <: Ti. class C5 extends C4> { } Under the assumptions from rule VAR above (namely, that class C6 extends C5> { } Ti <:vi Ui for each i), we prove the following. For any types W class C7 extends C6> { } and W0, (1) if vX ` W0 ok, and [U /X ]W0 <: W has a deriva- class C8 extends C7> { } tion of size smaller than n, then [T /X ]W0 <: W is derivable; class Test { and (2) if ¬vX ` W0 ok, and W <:[U /X ]W0 has a derivation N> cast(C8> c) of size smaller than n, then W <:[T /X ]W0 is derivable. We { return c; } proceed by induction on both subtype derivations simultaneously. } Example 4 Finally, this example causes javac 1.5 to run out • Suppose W0 = Xi. For (1) well-formedness of W0 tells us that of stack. On javac 1.6.0-beta2 the program is rejected (cor- vi ∈ {◦, +}. Consider the case when vi = +. Then we have a rectly); but again, fails at C13. derivation of Ui <: W of size smaller than n; we can apply the outer induction hypothesis to get a derivation of Ti <: W , class T { } as required. Now suppose vi = ◦. We must have Ui = W so class N { } Ti <: W follows trivially. For (2) well-formedness of W0 tells class C0 extends N> { } us that ¬vi ∈ {◦, +}, that is vi ∈ {◦, -}. Consider the case class C1 extends C0> { } when vi = -. Then we have a derivation of W <: Ui of size class C2 extends C1> { } smaller than n; we can apply the outer induction hypothesis to class C3 extends C2> { } get a derivation of W <: Ti, as required. Again, vi = ◦ is class C4 extends C3> { } trivial. class C5 extends C4> { } class C6 extends C5> { } • Suppose W0 = D. There are two sub-cases to consider. class C7 extends C6> { } The derivation ends with an instance of VAR, so W = class C8 extends C7>> { } D for some W 0. We show (1), and (2) is similar. Then 0 class Test { we must have for each j that [U /X ]Wj <:var(D#j) Wj . N> cast(C8> c) Suppose var(D#j) = +. Then by the well-formedness { return c; } derivation for W0 we know that vX ` Wj ok, so we } can apply the inner induction hypothesis part (1) to ob- 0 tain [T /X ]Wj <: Wj . Suppose var(D#j) = -. Then B. Proof of Transitivity by the well-formedness derivation for W0 we know that The proof that the subtype relation is transitive relies on one tech- ¬vX ` Wj ok, so we can apply the inner induction hy- 0 nical lemma: pothesis part (2) to obtain Wj <:[T /X ]Wj . Finally suppose var(D#j) = ◦. We have vX ` Wj ok and LEMMA 16. Suppose vX ` C ok. If C <:: U then ¬vX ` W ok [U /X ]W = W 0 vX ` [T /Y ]U ok. j and j j . By a simple induction on the well-formedness derivations we can deduce PROOF: We prove the following, from which the result follows that [T /X ]Wj = [U /X ]Wj . Hence we have shown for 0 because by well-formedness of class declarations we have wY ` all j that [T /X ]Wj <:var(D#j) Wj , and the result follows U ok. by an application of rule VAR. For (1), the derivation must conclude with the following instance of SUPER:

D <:: T0 [[U /X ]W /Y ]T0 <: W [U /X ]D <: W

By Lemma 16, we have vX ` [W /Y ]T0 ok. Hence [T /X ][W /Y ]T0 <: W follows by an application of the inner induction hypothesis part (1) to the premise above. For (2), we have a derivation ending in:

E <:: T0 [V /Y ]T0 <:[U /X ]W0

E <:[U /X ]W0 The result follows by applying the inner induction hypothesis part (2) to the premise.