Subtyping Delimited

Marek Materzok Dariusz Biernacki Institute of Computer Science Institute of Computer Science University of Wrocław University of Wrocław Wrocław, Poland Wrocław, Poland [email protected] [email protected]

Abstract tant role among the most fundamental concepts in the landscape We present a type system with subtyping for first-class delimited of functional programming—a language equipped with shift and continuations that generalizes Danvy and Filinski’s type system for reset is monadically complete, i.e., any computational monad can shift and reset by maintaining explicit information about the types be represented in direct style with the aid of these control op- of contexts in the metacontext. We exploit this generalization by erators [18, 19]. A long list of non-trivial applications of delim- ited continuations includes normalization by evaluation and partial considering the control operators known as shift0 and reset0 that can access arbitrary contexts in the metacontext. We use subtyping evaluation [3, 12, 15], mobile computing [33], linguistics [4], and to control the level of information about the metacontext the ex- operating systems [25] to name but a few. pression actually requires and in particular to coerce pure expres- The intuitive semantics of delimited-control operators such as sions into effectful ones. For this type system we prove strong type shift (S) and reset (hi) can be explained as follows. When the ex- soundness and termination of evaluation and we present a provably pression Sk.e is evaluated, the current—delimited by the nearest correct type reconstruction algorithm. We also introduce two CPS dynamically-enclosing reset— is captured, i.e., it is re- moved and the variable k is bound to it. When later k is applied to a translations for shift0 and reset0: one targeting the untyped lambda calculus, and another—type-directed—targeting the simply-typed value, the then-current continuation is composed with the captured lambda calculus. The latter translation preserves typability and is continuation. For example, the following expression (where ++ is selective in that it keeps pure expressions in direct style. string concatenation): “Alice” ++ h“ has ” ++ Categories and Subject Descriptors D.3.3 [Programming Lan- (Sk.(k “a dog ”) ++ “and the dog” ++ (k “a cat.”))i guages]: Language Constructs and Features—Control structures; F.3.3 [Logics and Meanings of Programs]: Studies of Program Con- evaluates to the string “Alice has a dog and the dog has a cat.” structs In their first article on delimited continuations [13], Danvy and Filinski briefly described a variant of shift and reset, known as General Terms Languages, Theory shift0 (S0) and reset0, where the operational semantics of the con- Keywords Delimited Continuation, Continuation-Passing Style, trol delimiter reset0 coincides with that of reset, but shift0, when Type System, Subtyping capturing a continuation, instead of resetting it, replaces it with the inner-most delimited continuation pending on the metacontin- 1. Introduction uation. In other words, in contrast to shift, shift0 removes the con- trol delimiter along with the captured continuation, which makes it Control operators for first-class delimited continuations, introduced possible to use shift0 to access continuations arbitrarily deep in the independently by Felleisen [17] and by Danvy and Filinski [13, 14], metacontinuation by repeatedly shifting continuations. For exam- serve to abstract control in functional programming languages by ple, the following expression: reifying the current continuation as a first-class value. However, in contrast to the well-known abortive control operator call/cc h“Alice” ++ h“ has ” ++ (S0k1.S0k2.“A cat” ++ (k1(k2 “.”))ii present in Scheme [23] and SML/NJ [20], delimited-control oper- evaluates to the string “A cat has Alice.”, since the second shifting ators model composition of delimited (partial) continuations rather has access to the continuation that prepends the string “Alice” than jumps to undelimited continuations. In particular, while call/cc to a given string. The ability to access arbitrary contexts (a first- offers the programmer the power of the continuation-passing style order representation of continuations [9]) in the metacontext (a (CPS) in direct style, Danvy and Filinski’s shift and reset offer first order representation of the metacontinuation [9])) makes S0 the power of the continuation-composing style (CCS) characteris- a particularly interesting and powerful control operator. tic of the success-failure continuation model of backtracking [14]. In the untyped setting, shift and reset have been investigated It has been shown by Filinski that shift and reset play an impor- 0 0 by Shan [32], who presented a CPS translation for shift0 and reset0 that conservatively extends Plotkin’s call-by-value CPS transla- tion [28] and that leads to a simulation of shift0 and reset0 in terms of shift and reset. This CPS translation and simulation hinge on Permission to make digital or hard copies of all or part of this work for personal or the requirement that the continuations be represented by recursive classroom use is granted without fee provided that copies are not made or distributed functions taking a list of continuations as one of their arguments. for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute (The converse simulation is trivial—one simply resets the body of to lists, requires prior specific permission and/or a fee. each shift0 expression.) ICFP’11, September 19–21, 2011, Tokyo, Japan. In a typed setting, Kiselyov and Shan [26] introduced a sub- Copyright c 2011 ACM 978-1-4503-0865-6/11/09. . . $10.00 structural type system for shift0 and reset0 that abstractly interprets (in the sense of abstract interpretation of Cousot and Cousot [11]) added to the language. Unfortunately, in this type system, functions small-step reduction semantics of the language. Their type system without control effects (when C and D are the same arbitrary type allows for continuation answer type modifications and, in a sense, in the rule for λ-abstraction) still have an answer type chosen up- extends Danvy and Filinski’s type system which is the most ex- front and are subject to the same restrictions as described above. pressive of the known monomorphic type systems for shift and re- In a way, one can treat the continuation types from [6] as more set. Judgments in Danvy and Filinski’s type system have the form general than function types—continuations can be applied in any Γ; B ` e : A; C, with the interpretation that expression e can context, whereas functions can only be applied in contexts with be plugged into a context expecting a value of type A and produc- matching answer types. The type system of this article removes ing a value of type B, and a metacontext expecting a value of type the syntactic distinction between continuations and functions by C, where B and C can be different types. Hence, expressions are the means of subtyping of effect annotations. The subtyping rela- allowed to change the answer type of the context in which they tion allows functions to be called when more is known about the are embedded. For example, the expression h1 + Sk. truei is well types of the contexts in the metacontext than the function actually typed in this type system. The typing rules of Danvy and Filinski’s requires. In particular, a pure function, possibly representing a cap- type system have been derived from a left-to-right call-by-value tured continuation, can be arbitrarily coerced into an effectful one. evaluator in continuation-passing style [13]. The rest of this article is structured as follows. In Section 2.1, In this article we present a new type-and-effect system for we introduce the syntax and reduction semantics for the call-by- shift0 and reset0 that generalizes Danvy and Filinski’s original type value λ-calculus with shift0 and reset0. In Section 2.2, we present system for shift and reset. To this end, we first introduce a new a CPS translation for the language and we relate it to the reduc- CPS translation for shift0 and reset0 which conservatively extends tion semantics. In Section 2.3, we derive a type-and-effect system Plotkin’s call-by-value CPS translation and which turns out to be a` la Danvy and Filinski from the CPS. In Sections 3.1 and 3.2, we close to a curried version of Shan’s CPS translation [32]. From introduce subtyping to the type system and we prove several stan- this CPS translation, we derive an abstract machine and a type- dard properties for the system, including strong type soundness. In and-effect system a` la Danvy and Filinski which we refine by al- Section 3.3, we use a context-based method of reducibility pred- lowing for subtyping of types and effect annotations. We show that icates to prove termination of evaluation of well-typed programs. the type system with subtyping we present satisfies several cru- In Section 3.4, we present and prove correct a type inference al- cial properties such as strong type soundness and termination of gorithm for our type system. In Section 3.5, we present a selective evaluation, and we describe and prove correct a type inference al- type-directed CPS translation for the language. In Section 4, we gorithm for this type system. Compared to Kiselyov and Shan’s consider some practical applications of the presented language. In type system [26], the one presented here is more conventional, it Section 5, we show how the type system for shift0 and reset0 can corresponds directly to the CPS translation it has been obtained be restricted to Danvy and Filinski’s type system for shift and reset, from, and it heavily relies on subtyping built in the system. Fur- and we discuss the CPS translations for shift and reset induced by thermore, we take advantage of the fact that our type system dis- the presented CPS translations for shift0 and reset0. In Sections 6 tinguishes between pure and effectful expressions and we present and 7, we discuss related and future work and we conclude in Sec- a selective type-directed CPS translation from the language with tion 8. shift0 and reset0 to the simply-typed λ-calculus that transforms to The article is accompanied by a Haskell implementation of the CPS only effectful expressions, leaving pure ones in direct style. presented and by a Twelf formalization of We also show that Danvy and Filinski’s original type system for its metatheory, both available at http://www.tilk.eu/shift0/. shift and reset can naturally be embedded into our type system, and that when restricted, our type system gives rise to a type system a` la Danvy and Filinski with subtyping for shift and reset. Similarly, the 2. The language λS0 CPS translations for shift0 and reset0 that we present induce new CPS translations for shift and reset. 2.1 Syntax and semantics It is worth stressing that the subtyping mechanism of our type In this subsection, we define the language we will be working with. system addresses one of the subtle limitations of Danvy and Fil- The language, which we call λS0 , is the call-by-value λ-calculus inski’s type system concerning the typing rules for shift and λ- ˙ extended with the two control operators shift0 (S0) and reset0 (hi). abstraction: We introduce three syntactic categories of terms, evaluation Γ, f : A F −→ F B; E ` e : E; C contexts and trails (i.e., stacks of evaluation contexts): Γ; B ` Sf.e : B; C values v ::= λx.e | x Γ, x : A; C ` e : B; D terms e ::= v | e e | hei | S0f.e Γ; B ` λx.e : A C −→ DB; C contexts K ::= • | K e | v K According to the above rule for shift, the type system assigns the trails T ::= | K · T captured continuation a functional type with a single, chosen up-  front answer type (F ), which prevents it from being resumed in We use the notation T · T 0 for trail concatenation, defined as contexts with a different answer type. But the continuations cap- follows: tured by shift do not modify the context of their resumption, and 0 0 therefore they should be applicable in any context. One way to deal  · T = T (K · T ) · T = K · (T · T ) with this shortcoming is to introduce polymorphism into the lan- guage, as in Asai and Kameyama’s work [2]. In their type system, Contexts and trails are represented inside-out, which is formalized the continuation captured by shift is assigned a functional type with by the following definition of the plugging of a term inside a polymorphic answer type. Another approach is to distinguish be- context: tween continuations and functions in such a way that a captured continuation is given a type which does not mention the answer •[e] = e [e] = e type [6]. In this approach, additional syntactic construct—a con- (K e0)[e] = K[e e0](K · T )[e] = T [hK[e]i] tinuation application, distinct from function application—has to be (v K)[e] = K[v e] hx, ρ, k : mkieval ⇒ hk, ρ(x), mkicont Environments: ρ ::= ρinit | ρ[x 7→ v] hλx.e, ρ, k : mkieval ⇒ hk, [x, e, ρ], mkicont Values: v ::= [x, e, ρ] | k he1e2, ρ, k : mkieval ⇒ he1, ρ, Arg(e2, ρ, k): mkieval Contexts: k ::= End | Arg(e, ρ, k) | Fun(v, k) hS0f.e, ρ, k : mkieval ⇒ he, ρ[f 7→ k], mkieval Metacontexts: mk ::= [ ] | k : mk hhei, ρ, mkieval ⇒ he, ρ, End : mkieval

hEnd, v, k : mkicont ⇒ hk, v, mkicont

hArg(e, ρ, k), v, mkicont ⇒ he, ρ, Fun(v, k): mkieval Initial configurations: he, ρinit, End :[]ieval 0 0 hFun(k , k), v, mkicont ⇒ hk , v, k : mkicont Final configurations: hEnd, v, []icont hFun([x, e, ρ], k), v, mkicont ⇒ he, ρ[x 7→ v], k : mkieval

Figure 1. Abstract machine for λS0

x = λk.k x x @ = λl(k : ks).k x @ ks J K J K λx.e = λk.k (λx. e ) λx.e @ = λl(k : ks).k (λx. e @)@ ks J K J K J K J K e1e2 = λk. e1 (λf. e2 (λx.f x k)) e e @ = λl(k : ks). e @ @ ((λf.λlks0. e @ @ J K J K J K 1 2 1 2 hei = e (λx.λk.k x) J K ((λx.λlks00J.fK x @(k : ks00)) : ksJ 0))K : ks) J K J K S0f.e = λf. e hei @ = λlks. e @ @ ((λx.λl(k : ks0).k x @ ks0): ks) J K J K J K@ l J K @ S0f.e = λ (f : ks). e @ ks Figure 2. Untyped CPS translation for λS0 J K J K Figure 3. Untyped uncurried CPS translation for λS0 There are three contraction rules:

(λx.e)v e[x/v] lation for reset0 introduces a new context represented by the CPS- hvi v translated identity continuation. Hence, just like in Shan’s work, our CPS accounting for shift0 relies on continuations accepting hK[S0f.e]i e[f/λx.hK[x]i] continuations as parameters. The entire CPS translation is shown where e[x/e0] stands for the usual capture-avoiding substitution of in Figure 2. Evaluating a well-delimited (i.e., with no dangling 0 e for x in e. A term matching the left-hand side of a contraction shift0’s) CPS-translated program requires an initial continuation rule is called a redex. λx.x. The translation preserves the semantics:

The reduction rule for shift0 differs from the rule for shift ∗ S0 Theorem 1. If e1 −→ e2 in λ , then e1 =βη e2 in λ→. hK[Sf.e]i he[f/λx.hK[x]i]i J K J K For reference, and to make it possible for the reader to compare in that it removes the reset0 at the root of the redex. This small the evaluation model encoded in our initial CPS translation with difference enables the shift0 operator to inspect the entire context the existing ones [10, 16, 32], we briefly discuss possible modifi- stack, where shift has access only to the topmost context. This cations of the CPS translation. First of all, the translation can be feature has a big impact on the type systems that we present later modified so that every translated term takes all its continuation pa- in the article. rameters in one list parameter. Figure 3 presents such an uncurried Finally, we define the reduction relation on terms representing CPS translation that targets the untyped lambda-calculus extended programs (i.e., triples he, T, Ki): with a separate syntactic category of lists and two new kinds of l 0 0 expressions: list abstraction λ and list application @. The trans- K[T [e]] −→ K[T [e ]] if e e lation underlies a continuation-passing style interpreter that, when where any closed non-value term can be uniquely represented as defunctionalized [1, 29], gives rise to the abstract machine of Fig- K[T [e]]. The context K (at the bottom of the stack) is the only ure 1. This abstract machine can be seen to be equivalent with the one not delimited by a reset0. As we shall see later, having this abstract machine for shift0/reset0 described by Biernacki et al. [10]. last context distinguished from the others is important from the (An alternative way to obtain an abstract machine for the language viewpoint of the type system, because it can be assigned a simpler we consider would be to follow Biernacka and Danvy’s syntactic type than the other contexts. A trail T along with the distinguished correspondence between context-based reduction semantics with evaluation context K will be called a metacontext. explicit substitutions and abstract machines [7, 8].) Had we decided to translate terms in such a way that the head and tail of the continu- 2.2 CPS translation ation list are passed as separate arguments, we would have obtained

The shift0 control operator allows access to every context in the a CPS translation that coincides with Shan’s [32] and which corre- trail. What is more, unlike with shift, control effects in a captured sponds exactly to the abstract machine of Biernacki et al. [10]. context are not isolated—the captured context, when applied, can capture contexts present at the invocation site. This ability must be 2.3 From CPS translation to a type system reflected in the CPS translation for the shift0 operator. In the trans- With the CPS translation defined, one can use the approach of lation presented by Shan [32], the trail is represented explicitly as Danvy and Filinski [13] and build a type system based on this a list of contexts which must be passed to every continuation. In translation. Let us thus limit our attention to those terms of λS0 , our approach, the contexts below the current one are captured by whose translations are well-typed terms in λ→. One can then easily additional lambda abstractions. The translation for the shift0 oper- see that the types for variables, lambda abstractions and application ator captures a context using a lambda abstraction, and the trans- must have the same form as in the type system of Danvy and Γ, x : τ1 ` e : τ2 σ ABS VAR σ 0 0 Γ, x : τx ` x : τx [τ σ] τ σ Γ ` λx.e : τ1 −→ τ2 [τ σ ] τ σ

0 0 [τ1 σ1] τ3 σ3 0 0 0 0 Γ ` f : τ1 −−−−−−−−→ τ2 [τ4 σ4] τ2 σ2 Γ ` e : τ1 [τ3 σ3] τ4 σ4 0 0 APP Γ ` fe : τ2 [τ1 σ1] τ2 σ2

σ1 0 0 00 00 00 00 Γ, f : τ1 −→ τ2 ` e : τ3 σ2 Γ ` e : τ [τ [τ σ ] τ σ ] τ σ SHIFT0 RESET0 Γ ` S0f.e : τ1 [τ2 σ1] τ3 σ2 Γ ` hei : τ σ

Figure 4. Type system for λS0 without subtyping

Filinski. And what types should we assign to shift0 and reset0? 3. The type system with subtyping Suppose that e has type τ, then S f.e = λf. e must have the 0 3.1 The type system λS0 type τ 0 −→ τ, whereJ K τ 0 is the type ofJ the capturedK J continuation.K For ≤ S S reset0, for hei = e (λx.λk.kx) to have type τ, e has to have 0 0 The type system with subtyping for λ , called λ≤ , is shown in a type of theJ formK (Jτ 0K−→ (τ 0 −→ τ 00) −→ τ 00) −→ τ. ThusJ K every use of Figure 5. In this type system, the term λx.S0f.f hf xi, which could shift0 introduces a new function arrow into the type, and every use not be typed before, is well typed and can be assigned the type of reset removes one. This leads us to a recursive definition of [α] α 0 α −−−→ α. effect annotations, which in a sense “remembers” the number of We define three subtyping relations: one defined on types, one shift nested uses of 0 inside a term. on effect annotations, and (for convenience) one on pairs of types We now introduce the syntactic categories of types and effect and effect annotations. annotations: σ Lemma 1. The subtyping relations are partial orders—they are types τ ::= α | τ −→ τ reflexive, transitive and weakly antisymmetric. annotations σ ::=  | [τ σ] τ σ All subtyping rules are rather straightforward, except the rule The resulting type system for λS0 is shown in Figure 4. for  ≤ [τ σ] τ σ, which seems non-intuitive. To get some under- The type annotations require some explanation. Their meaning standing of what this rule means, let us consider an effect-annotated 0 0 is best understood together with types they annotate. The typing type where the contexts are effect-free: τ1 [τ1] τ2 . . . τn [τn] τf . For 0 0 judgment Γ ` e : τ1 [τ1 σ1] τ2 ... [τn σn] τ (we omit  for brevity) a pure τ to be a subtype of this type, it is required by the rule for 0 can be read as follows: “the term e in a typing context Γ may  ≤ [τ σ] τ σ that τk ≤ τk+1 for all k; in other words, that the evaluate to a value of type τ when plugged in a trail of contexts contexts can be composed. 0 σ1 0 σn of types τ1 −→ τ1, . . . , τn −−→ τn”. As a special case, Γ ` e : τ The type system has two distinct rules for function application: means: “the term e in a typing context Γ may evaluate to a value one for pure expressions (i.e., those without control effects), and of type τ without observable control effects.” Function types also one for impure expressions. The rule for pure application seems have effect annotations, which can be thought to be associated with not strictly necessary, but its removal reduces the expressiveness of the return type. the type system—for example, the following term This type system preserves types as stated in Theorem 2 below, where translations on types and annotated types are defined as (λf.λy.(λz.h(λv.λw.y)(f y)i) hf yi)(λx.(λx.x) x) follows: can no longer be typed without this rule. The reason is that the α = α function application inside the subterm λx.(λx.x) x would then σ J K force it into “impure” typing, which makes the typing fail in the τ1 −→ τ2 = τ1 −→ τ2 σ J K J K J K left part of the term because of answer type incompatibility. τ  = τ 0 Theorem 3 (Subject reduction). If ` e : τ σ and e −→ e for some J K 0 0 τ [τ1 σ1] τ2 σ2 = ( τ −→ τ1 σ1 ) −→ τ2 σ2 e , then ` e : τ σ. J K J K J K J K 0 Theorem 2. If Γ ` e : τ σ, then Γ ` e : τ σ in λ→. Theorem 4 (Progress). If ` e : τ σ, then e is a value, e −→ e for J K J K J K some e0, or e = K[S f.e]. If σ = , the third case cannot occur. While interesting, this type system is very restrictive. For ex- 0 0 ample, the term λx.S0f.f hf xi is translated (with administrative Theorem 5 (Unique decomposition). If ` e : τ and e −→ e for redexes reduced for clarity) to some e0, then e = K[T [r]] for exactly one context K, trail T and redex r. λk.k (λx.λf.λk.(λk.f x k)(λx.λk.k x)(λx.f x k)) This term cannot be given a type in the simply typed lambda 3.2 Typing contexts and trails calculus. The reason is that the type of functions restricts their Even though it is not strictly necessary, it is useful to have sepa- use to only those locations in a term, where the number and types rate typing rules for contexts and trails as a proof device and for of contexts match exactly. This is an unnecessary restriction—a improving the understanding of the system. function which requires the top k contexts to be of some type can We first have to introduce a different way of looking at the obviously be run safely when more contexts are present, if the other types of expressions. In the type system shown in Figure 5, we put contexts can be composed together and accept the function’s return emphasis on the argument type of the first context on the trail (or of value. This observation leads us to another, much more expressive the bottom context, if the trail is empty). In the current, alternative type system, which we present in the next section. approach, the final answer type will be emphasized. 0 0 0 0 0 0 τ σ ≤ τ σ τ2 σ2 ≤ τ1 σ1 τ1 σ1 ≤ τ2 σ2 0 0 0 0 0 0  ≤   ≤ [τ σ] τ σ [τ1 σ1] τ1 σ1 ≤ [τ2 σ2] τ2 σ2

0 0 0 0 τ ≤ τ σ ≤ σ τ2 ≤ τ1 τ1 σ1 ≤ τ2 σ2 0 0 0 σ1 0 σ2 τ σ ≤ τ σ α ≤ α τ1 −→ τ1 ≤ τ2 −→ τ2

Γ ` e : τ σ τ σ ≤ τ 0 σ0 VAR SUB Γ, x : τ ` x : τ Γ ` e : τ 0 σ0

Γ, x : τ1 ` e : τ2 σ Γ ` f : τ1 −→ τ2 Γ ` e : τ1 σ ABS APP-PURE Γ ` λx.e : τ1 −→ τ2 Γ ` fe : τ2

0 0 [τ1 σ1] τ3 σ3 0 0 0 0 Γ ` f : τ1 −−−−−−−−→ τ2 [τ4 σ4] τ2 σ2 Γ ` e : τ1 [τ3 σ3] τ4 σ4 0 0 APP Γ ` fe : τ2 [τ1 σ1] τ2 σ2

σ1 0 0 Γ, f : τ1 −→ τ2 ` e : τ3 σ2 Γ ` e : τ [τ ] τ σ SHIFT0 RESET0 Γ ` S0f.e : τ1 [τ2 σ1] τ3 σ2 Γ ` hei : τ σ

S0 S0 Figure 5. Type system for λ with subtyping (λ≤ )

Let us introduce the syntactic category of trail types (which are Pure typing of contexts is a restricted version of the impure just sequences of function types): typing, in the sense that even when considering only contexts with 0 π ::= (τ σ τ)∗ a pure type (i.e., of the form τ −→ τ ), there are strictly fewer pure −→ contexts than impure ones. For example, we have We use ι to denote the empty trail type, and we use juxtaposition [α] α for trail type concatenation. y : α ` λx.hx (S0f.y)i :(α −−−→ α) −→ α We define three functions: τ−→ σ, which extracts the trail type, ↓(τ σ) which extracts the answer type, and the composition π(τ σ), but it is not a valid typing for λx.x (S0f.y). which appends a trail type to an effect-annotated type. These func- However, every pure context is an impure one: tions are defined as follows: 0 −→ Lemma 5 (Impure typing of pure contexts). If Γ `P K : τ −→ τ, τ = ι then Γ ` K : τ 0 −→ τ. −−−−−−−−→ τ 0 [τ σ ] τ σ = (τ 0 σ1 τ ) τσ−→ 1 1 1 1 −→ 1 We can now introduce the typing relation for programs. As ↓τ = τ witnessed by the unique-decomposition theorem, we can view a ↓(τ 0 [τ σ ] τ σ) = ↓(τ σ) program as composed of three parts: an expression, a trail, and a 1 1 1 pure context at the bottom. The following theorem establishes the ι (τ σ) = τ σ correctness of the rule PROG: π (τ 0 σ1 τ )(τ σ) = π (τ 0 [τ σ ] τ σ) 1 −→ 1 1 1 1 Lemma 6 (Typing programs). Γ ` he, T, Ki : τ if and only if We will omit the parentheses when there is no confusion about Γ ` K[T [e]] : τ. the meaning of the given expression. −→ Next, we formally introduce the notion of metacontexts, which Property 1. For any τ and σ, we have τ σ = τ σ ↓τ σ. will play a role in proving termination. A metacontext in our system 0 0 0 Property 2. For any π, π , τ and σ we have (π π)τ σ = π (πτ σ). is a pair of a trail TM , typed Γ ` TM : π for some π, and a pure 00 0 0 00 context K, typed Γ `P K : τ −→ τ for some τ and τ , and The typing rules for contexts and trails are shown in Figure 6. where for some τ we have τ ≤ π τ 00. The intuitive meaning of this Contexts are assigned function types, and the types of trails are restriction is that the contexts in the trail cannot access contexts just lists of context types. We can relate these typings to the typing outside of it and they can be composed, so that when given a value relation for terms: of type τ, they produce a value of type τ 00, which can be put into Lemma 2 (Typing contexts). Γ ` K : τ 0 −→σ τ if and only if the pure context at the bottom. 0 σ Γ ` λx.hK[x]i : τ −→ τ. 0 Lemma 7 (Typing metacontexts). Γ ` hTM ,Ki : τ → τ if and 0 Lemma 3 (Typing trails). Γ ` T : π is derivable if and only if for only if Γ, x : τ ` K[TM [x]] : τ . every e, τ, σ such that Γ ` e : π τ σ one can derive Γ ` T [e]: τ σ. Finally, we introduce a different notion of program decomposi- Additionally, we introduce the notion of pure contexts, which tion. In a well-typed program, the trail can be split into two parts: are not allowed to have occurrences of the shift operator not sur- 0 the top part, which is accessible by the expression inside, and the rounded by a reset . For this typing relation the following lemma 0 bottom part, which is guaranteed by the type of the expression to holds: be inaccessible. This bottom part of the trail, together with the pure 0 Lemma 4 (Typing pure contexts). Γ `P K : τ −→ τ if and only if context at the very bottom, form a metacontext. This is made formal Γ ` λx.K[x]: τ 0 −→ τ. by the following theorem: Contexts σ1 0 Γ ` K : τ −→ τ1 Γ ` e : τ [τ2 σ2] τ3 σ3 EMPTY APPL 0 [τ1 σ1] τ2 σ2 σ3 Γ ` • : τ −→ τ Γ ` Ke :(τ −−−−−−−−→ τ) −→ τ3

σ 0 0 0 σ1 0 [τ1 σ1] τ2 σ2 Γ ` K : τ −→ τ1 Γ ` v : τ −−−−−−−−→ τ Γ ` K : τ1 −→ τ2 τ1 ≤ τ1 τ2 σ ≤ τ2 σ APPR 0 SUB 0 σ2 0 σ 0 Γ ` vK : τ −→ τ2 Γ ` K : τ1 −→ τ2 Pure contexts

Γ `P K : τ1 −→ τ2 Γ ` e : τ3 EMPTY APPL Γ `P • : τ −→ τ Γ `P Ke :(τ3 −→ τ1) −→ τ2

0 0 Γ `P K : τ1 −→ τ2 Γ ` v : τ3 −→ τ1 Γ `P K : τ1 −→ τ2 τ1 ≤ τ1 τ2 ≤ τ2 APPR 0 0 SUB Γ `P vK : τ3 −→ τ2 Γ `P K : τ1 −→ τ2 Trails 0 Γ ` K : τ −→σ τ Γ ` M : π CONS EMPTY 0 σ Γ `  : ι Γ ` K · M : τ −→ τ π Subtyping for trail types

σ 0 σ0 0 0 τ1 −→ τ2 ≤ τ1 −→ τ2 π ≤ π ι ≤ ι σ 0 σ0 0 0 τ1 −→ τ2 π ≤ τ1 −→ τ2 π Metacontexts, programs 00 0 00 −→ 0 Γ ` TM : π Γ `P K : τ −→ τ τ ≤ π τ Γ ` e : τ σ Γ ` T : τ σ Γ `P K : ↓τ σ −→ τ 0 META 0 PROG Γ ` hTM ,Ki : τ −→ τ Γ ` he, T, Ki : τ

S0 Figure 6. Typing rules for contexts and trails in λ≤

Theorem 6. If Γ ` e : τ σ and Γ ` he, T, Ki : τ 0, then there Lemma 8. If τ ≤ π τ , Γ ` T : π, Γ ` hT ,Ki : τ −→ τ , then −→ 1 M 1 2 exist T1 and TM such that T = T1 · TM , Γ ` T1 : τ σ, and Γ ` hT · TM ,Ki : τ −→ τ2. 0 Γ ` hTM ,Ki : ↓τ σ −→ τ . 0 0 Proof. From Γ ` hTM ,Ki : τ1 −→ τ2 for some τ , π we have Γ ` 0 0 0 0 0 3.3 Termination TM : π , Γ `P K : τ −→ τ2 and τ1 ≤ π τ . So Γ ` T · TM : π π . 0 0 0 0 We now prove termination of evaluation of closed well-typed ex- From τ1 ≤ π τ we have π τ1 ≤ π π τ , by transitivity from the 0 0 pressions using a variant of the method described in [5, 6]. We be- assumption τ ≤ π τ1 we have τ ≤ π π τ . lieve that it is instructive to see the proof in full detail. First, the proof reveals otherwise hidden nuances of how the reduction se- Lemma 9. 1. The predicates respect the subtyping relations: 0 mantics and the type system interact. Second, it contains explicit R. If τ ≤ τ and Rτ(v), then Rτ 0(v). 0 information on how well-typed terms in our language are evalu- T. If π ≤ π and T π(T ), then T π0(T ). 0 ated: each case of the proof of Lemma 12 corresponds exactly to a M. If τ ≤ τ and Mτ(TM ,K), then Mτ 0(TM ,K). 0 0 clause of an evaluator which can be extracted from this proof [5, 6]. 2. If τ σ ≤ τ σ, T τ−→ σ(T ) and M↓τ σ(TM ,K), then for some −−−→ 0 0 0 0 0 0 0 0 Let us start by defining three families of mutually inductive T , TM we have T τ σ (T ), M↓τ σ (TM ,K) and T · TM = 0 0 predicates. The families are defined by induction on types: Rτ is T · TM . defined on well-typed values and is indexed by their types, T π is defined on well-typed trails and is indexed by trail types, and finally Proof. Proof by simultaneous induction. The proofs refer to other Mτ is defined on metacontexts and is indexed by their argument cases of the lemma with smaller subtyping derivations. The only types. We also define a predicate N (e, T, K) defined on well- exception is a reference from (1M) to (1R), but since it does not typed programs, which means that the evaluation of this program introduce a cycle, the induction is justified. terminates, i.e., that K[T [e]] −→ ∗v for some value v. σ 0 0 σ0 0 0 1R. τ = τ1 −→ τ2, τ = τ1 −→ τ2. We have τ1 ≤ τ1 and Rα(v) := > 0 0 −−−→ τ2 σ ≤ τ2 σ . Let v, T , TM , K be such that Rτ 0 (v), T τ 0 σ0(T ), 0 σ 0 0 0 −→ 1 2 Rτ −→ τ(v) := ∀v ,T,TM ,K.Rτ (v ) ⇒ T τ σ(T ) 0 0 M↓τ2 σ (TM ,K). By induction hypothesis for case (2) we ⇒ M↓τ σ(TM ,K) 0 0 −−→ 0 0 0 have T and TM such that T τ2 σ(T ), M↓τ2 σ(TM ,K) and ⇒ N (v v ,T · TM ,K) 0 0 T · TM = T · TM . Thus from the assumption Rτ(v) follows T ι() := > the thesis. 0 σ 0 σ σ 1T. The case π = π = ι is trivial. Let π = τ τ π and π = T τ 0 τ π(K · T ) := Rτ 0 τ(λx.hK[x]i) ∧ T π(T ) 1 −→ 2 1 −→ −→ 0 σ0 0 0 σ 0 σ0 0 0 τ1 −→ τ2π1. Then we have τ1 −→ τ2 ≤ τ1 −→ τ2, π1 ≤ π1, T = Mτ(TM ,K) := ∀v.Rτ(v) ⇒ N (v, TM ,K) σ K · T1, Rτ1 −→ τ2(λx.hK[x]i) and T π1(T1). By induction hy- 0 0 σ 0 For the proof, we need several lemmas about the subtyping rela- pothesis for case (1R) and (1T) we get Rτ1 −→ τ2(λx.hK[x]i) 0 tion and its connection to the typing rules and the above predicates. and T π1(T1), which give us the thesis. 0 0 1M. Let v be such that Rτ 0(v). By case (1R) we have Rτ(v), with e {~x/~v}{x/v}, it suffices to show N (e {~x/~v}{x/v},T · Mτ(TM ,K) this gives us N (v, TM ,K). TM ,K), which follows from the induction hypothesis. 2. Induction on the subtyping derivation. • D = APP(D1,D2), e = e1 e2. Then σ = [τA σA] τD σD, • 0 0 0 σA −−−−→ 0 σ = , σ = . Then T = , τ ≤ τ, Mτ(TM ,K). T = K1 · T , T τ −−→ τA(K1), T τB σB (T ), Γ ` e1 : 0 0 0 [τA σA] τB σB 0 Let T = , TM = TM . We thus need to show that τ −−−−−−−−−→ τ [τC σC ] τD σD, Γ ` e2 : τ [τB σB ] τC σC . 0 0 0 0 0 Mτ (TM ,K), but that follows from case (1M). Let e1 = e1{~x/~v} and e2 = {~x/~v}. To show that N (e1 e2,K1· 0 0 0 0 0 0 • σ = , σ = [τ1 σ1]τ2 σ2. Then τ ≤ τ, τ1 σ1 ≤ τ2σ2 , T = T · TM ,K), we can show instead that N (e1,K1 e2 · T · 0 σ1 −−−→ 0 K1 · T , T τ −→ τ1(K1), T τ2 σ2(T ), M↓τ2 σ2(TM ,K). TM ,K) using the induction hypothesis for D1, providing 0 0 [τ σ ] τ σ σ 0 Let T = , T = T · TM . Trivially we have T ι( ), 0 A A B B C  M  that T (τ −−−−−−−−−→ τ) −−→ τC (K1 e2). To show that, let 0 we need to show that Mτ (T · TM ,K). The metacontext us unfold the definitions. Let vL, TL, TKL and ML sat- hT · T ,Ki v 0 [τA σA] τB σB M is well-typed by Lemma 8. Let be such that isfy the appropriate predicates, i.e., Rτ −−−−−−−−−→ τ(vL), Rτ 0(v), I will show that N (v, T · TM ,K). From case (1T) −−−−→ T τC σC (TL) and M↓τC σC (TKL,ML). Then we have to 0 σ2 0 σ2 we have T τ −→ τ2(K1), by definition of T τ −→ τ2 we show that N ((λx.hK1[x e2]i) vL,TL · TKL,ML). Because 0 σ2 0 −−−→ 0 have Rτ −→ τ2(λx.hK1[x]i). With Rτ (v), T τ2 σ2(T ) (λx.hK1[x e2]i) vL reduces in one step to hK1[vL e2]i, we 0 and M↓τ2 σ2(TM ,K) we have N ((λx.hK1[x]i) v, T · can show instead that N (hK1[vL e2]i,TL · TKL,ML). We TM ,K). Because (λx.hK1[x]i) v reduces in single step will show instead that N (e2, vL K1 · TL · TKL,ML). This 0 to hK1[v]i, we have N (hK1[v]i,T · TM ,K), which is follows for the induction hypothesis for D2, providing that 0 equivalent to N (v, K1 · T · TM ,K), which we wanted to 0 σB T τ −−→ τB (vL K1). To show that, let us unfold the defini- prove. tions again. Let vR, TR, TKR and MR be such that Rτ 0(vR), • 0 0 0 0 0 −→ σ = [τ1 σ1] τ2 σ2, σ = [τ1 σ1] τ2 σ2. Then T = T ( τB σB (TR) and M↓τB σB (TKR,MR). We have to show σ1 −−−→ K1 · T1, T τ −→ τ1(K1), T τ2 σ2(T1), M↓τ2 σ2(TM ,K), that N ((λx.hK1[vL x]i) vR,TR ·TKR,MR). Using analogous 0 0 0 τ ≤ τ and τ2 σ2 ≤ τ2 σ2. By induction hypothesis we reasoning as before, it is sufficient to show that N (vL vR,K1 · 0 0 −−−→ 0 0 0 0 0 0 [τA σA] τB σB have T1, TM such that T τ2 σ2(T1), M↓τ2 σ2(TM ,K) and TR ·TKR,MR), which follows from Rτ 0 τ(vL). 0 0 0 −−−−−−−−−→ T · T = T · T M 0 0 (T ,K) 1 M 1 M . From ↓τ2 σ2 M we have • D = APP-PURE(D1,D2), e = e1 e2. The proof is similar to 0 0 0 0 0 0 0 M↓τ σ (TM ,,K). Let T = K1 · T1. From τ1 σ1 ≤ τ1 σ1, the case for APP. 0 σ1 0 0 0 0 00 00 τ ≤ τ, T τ −→ τ1(K1) and the induction hypothesis for • D = SHIFT0(D ), e = S f.e . So σ = [τ σ ]τ σ , T = K · 0 0 1 σ −−−→ 0 0 −−−→ 0 1 0 0 0 0 σ 0 00 00 0 00 00 case (1T) we have T τ −→ τ1(K1). With T τ2 σ2(T1) we T , Rτ τ (λx.hK1[x]i), T τ σ (T ) and M↓τ σ (TM ,K). −−−→ −→ 0 0 0 0 have T τ σ (K1 · T1). We want to show N (S0f.e{~x/~v},K1 · T · TM ,K), which 0 is equivalent to N (hK1[S0f.e{~x/~v}]i,T · TM ,K). Because hK1[S0f.e{~x/~v}]i reduces to e{~x/~v}{f/λx.hK[x]}, it suf- 0 fices to show that N (e{~x/~v}{f/λx.hK[x]},T · TM ,K), Lemma 10. For every type τ, T τ −→ τ(•) holds. which follows from the induction hypothesis. • D = RESET0(D0), e = he0i. Then for some τ 0 we have Proof. By the definition of T τ −→ τ it is sufficient to prove that 0 0 0 Γ ` e : τ [τ ] τ σ. From Lemma 10 have T τ 0 −→ τ 0(•), Rτ −→ τ(λx.hxi). Let v, TM , and K be such that Rτ(v) and −−−−−−−→ and thus T τ 0 [τ 0] τ σ(•· T ). The induction hypothesis gives us Mτ(TM ,K). We have to show that N ((λx.hxi) v, TM ,K). The 0 N (e {~x/~v}, •· T · TM ,K), which is equivalent to the thesis, expression (λx.hxi) v reduces in two steps to v, so it suffices to 0 N (he i{~x/~v}, ·T · TM ,K). prove N (v, TM ,K), which follows from Rτ(v).

Lemma 11. For every type τ, Mτ(, •) holds. Theorem 7 (Termination). If ` e : τ, then the evaluation of e Proof. v τ N (v, , •) Let be a value of type , then  is trivially terminates, i.e., N (e, , •) holds. true.  Proof. T ( ) M ( , •) We now state the main lemma: We have ι  and from Lemma 11 we have τ  , thus the theorem follows from Lemma 12. Lemma 12. Let Γ ` e : τ σ, where Γ = x1 : τ1, . . . , xn : τn. Assume that ~v is a sequence of values of length n such that for every 3.4 Type inference −→ i, Rτi(vi) holds. Then for every trail T such that T τ σ(T ) holds, S0 Type inference in λ≤ is decidable. For the purpose of type infer- and for every metacontext hTM ,Ki such that M↓τ σ(TM ,K,) holds, N (e{~x/~v},T · T ,K) holds. ence, we replace the rules APP and APP-IND with the following M (equivalent) rule:

0 σ3 Proof. Induction on the structure of the typing derivation D of e. Γ ` f : τ −→ τ σ1 0 0 0 0 0 0 Γ ` e : τ σ2 σ  σ1 σ2 σ3 • D = SUB(D , τ σ ≤ τ σ). From Lemma 9 we have T , TM −−−→ APP-COMP, 0 0 0 0 0 0 0 0 such that T τ σ (T ), M↓τ σ (TM ,K) and T · TM = T · TM . Γ ` fe : τ σ The conclusion follows from the induction hypothesis. where the relation  is defined as follows: • D = VAR, e = xi. So we have e{~x/~v} = vi, τ = τi, σ =  ,T = , Mτi(TM ,K). By assumption Rτi(vi) and the definition of Mτi we have N (vi,TM ,K).   [τ σ] τ σ  • D = ABS(D0), e = λx.e0. So τ = τ 00 −→ σ0τ 0, σ = , T = , Mτ(TM ,K). As in the previous case, to show that   ~σ [τf σf ] τ2 σ2  ~σ 0 0 N ((λx.e ){~x/~v},TM ,K) we need Rτ(λx.e {~x/~v}). −−−→    ~σ [τf σf ] τ1 σ1  [τ2 σ2] τ1 σ1 ~σ Let v, T , TM , K be such that we have Rτ 00(v), T τ 0 σ0(T ) and 0 ? M↓τ 0 σ0(TM ,K). We need to show that N ((λx.e {~x/~v}) v, T · Expressions of the form σ ≤ σ will be called subtyping 0 ? TM ,K). Because (λx.e {~x/~v}) v reduces in one step to constraints, and expressions of the form σ  ~σ will be called α = α σ J K τ1 −→ τ2 = τ1 −→ τ2 σ J K J K J K τ  = τ J K J K τ [τ1 σ1] τ2 σ2 = ( τ −→ τ1 σ1 ) −→ τ2 σ2 J K J K J K J K α ≤ α = λx.x 0 σ1 0J σ2 K 0 0 τ1 −→ τ1 ≤ τ2 −→ τ2 = λf.λx. τ1 σ1 ≤ τ2 σ2 (f( τ2 ≤ τ1 x)) J K J K J K τ  ≤ τ 0  = τ ≤ τ 0 0 J K J K 0 τ  ≤ τ [τ1 σ1] τ2 σ2 = λx.λf. τ1 σ1 ≤ τ2 σ2 (f( τ ≤ τ x)) 0J 0 0 0 0 K J 0 0 0 0 K J K 0 τ [τ1 σ1] τ1 σ1 ≤ τ [τ2 σ2] τ2 σ2 = λf.λg. τ1 σ1 ≤ τ2 σ2 (f(λx. τ2 σ2 ≤ τ1 σ1 (g( τ ≤ τ x)))) J K J K J K J K x VAR = x J K 0 0 e SUB(D,τ σ≤τ 0 σ0) = τ σ ≤ τ σ e D J K J KJ K λx.e ABS(D) = λx. e D J K J K fe APP-PURE(D1,D2) = f D1 e D2 J K J K J K fe APP(D1,D2) = λk. f D1 (λf. e D2 (λe.fek)) J K J K J K S0f.e SHIFT0(D) = λf. e D J K J K hei RESET0(D) = e D(λx.x) J K J K

S0 Figure 7. Type-directed CPS translation for λ≤ composition constraints. Inside the constraints, the syntax of effect tive translations presented in [24], [27], and recently in [31], which annotations is extended by annotation variables δ. also use effect annotations to distinguish pure terms from effectful We will be using substitutions defined on both the type variables ones. The property suggests that the translation presented here may and annotation variables. We call a substitution σ-grounding, if be useful in implementing shift0/reset0 in functional programming its values do not contain any annotation variables. We say that a languages. ? ? substitution s solves a constraint σ1 ≤ σ2 (σ1  ~σ) if and only Unfortunately, the translation does not preserve reductions. For if s(σ1) ≤ s(σ2) (s(σ1)  s(~σ)) is derivable. example, let us consider the term hS0f.fi. We have ` hS0f.fi : τ → τ and hS f.fi → λx.hxi. For the simplest derivation D, we Theorem 8 (Principal types). For every term e and typing environ- 0 have ment Γ there exist: α, δ, a set of τσ-subtyping constraints S, and a set of composition constraints C, such that: hS0f.fi D = (λf.f)(λx.x) J K 1. For every σ-grounding substitution s which solves S and C we and for the simplest derivation D0, we have have Γ ` e : s(α) s(δ). λx.hxi D0 = λx.(λx.λk.(λx.x)(k ((λx.x) x))) x (λx.x). 2. For every τ, σ satisfying Γ ` e : τ σ there exists a σ-grounding J K substitution s such that s(α) = τ, s(δ) = σ and s solves S and So we cannot β-reduce hS0f.fi D to λx.hxi D0 , although they C. are β-equal. For this reason,J this CPSK translationJ K could not be used The type inference algorithm finds the principal type (along as-is for proving termination of evaluation of well-typed terms in S0 with the unsolved constraints) in polynomial time and it also gener- λ≤ . ates a typing derivation skeleton, where subtyping derivations have to be filled in. In order to check if the term is actually well-typed (and to obtain a concrete typing derivation), one has to find a σ- 4. Programming examples grounding substitution which solves the inequalities. 4.1 Prototype implementation

S0 3.5 Type-directed CPS translation In order to study the applications of the type system λ≤ , presented in this article, to practical programming, we have developed its pro- Having extended the type system with subtyping, we can derive totype implementation. The implementation adds some standard from it a type-directed CPS translation, which takes into account syntactic sugar to the language and extends it with integers, alge- the additional information given by the subtyping. This translation, braic data types and recursion. defined in Figure 7, targets the simply-typed lambda calculus, and We extend the syntax as follows: as the CPS translation of Figure 2, it preserves types: Theorem 9 (Type preservation). If D is a typing derivation of e ::= ... | true | false | if e then e else e S0 Γ ` e : τ σ in λ≤ , then Γ ` e D : τ σ in λ→. | nil | cons(e, e) | case e {nil −→ e; cons(x1, x2) −→ e} J K J K J K The derivations of the subtyping relation are translated to coer- | k | e ⊕ e | e R e | fixx.e cion functions, which are typed as expected: τ ::= ... | int | bool | list(τ) Lemma 13. If τ σ ≤ τ 0 σ0, then ` τ σ ≤ τ 0 σ0 : τ σ −→ τ 0 σ0 0 0 0 The typing rules for new expressions introduced above are given in in λ→. If τ ≤ τ , then ` τ ≤ τ :J τ −→ τ Kin λJ→. K J K J K J K J K Figure 8. Another interesting property of the translation is that it keeps In the implementation language, the string @f.e means S0f.e, terms annotated as pure in direct style. This is similar to the selec- and means hei. The rest of the syntax used is ML-like. let prefixes xs = TRUE FALSE Γ ` true : bool Γ ` false : bool let w l = case l { Nil -> @k. Nil | Cons(x, xs) -> Γ ` b : bool σ1 Cons(x, @k. )>) Γ ` e1 : τ σ2 Γ ` e2 : τ σ2 σ  σ1 σ2 IF } in Γ ` if b then e1 else e2 : τ σ

INT Figure 9. Example program—prefixes Γ ` k : int let partition a l = Γ ` k1 : int σ1 Γ ` k2 : int σ2 σ  σ1 σ2 ARITH let part l = case l { Γ ` k1 ⊕ k2 : int σ Nil -> [] | Cons(h,t) -> Γ ` k1 : int σ1 Γ ` k2 : int σ2 σ  σ1 σ2 if h > a REL then Cons(h, part t) Γ ` k1 R k2 : bool σ else if h == a NIL then @f. Cons(h, ) Γ ` nil : list(τ) else @f g. Cons(h, >) } in <> Γ ` h : τ σ1 Γ ` t : list(τ) σ2 σ  σ1 σ2 CONS Γ ` cons(h, t): list(τ) σ Figure 10. Example program—partition

Γ ` e : list(τl) σ1 Γ ` e1 : τ σ2 Γ, h : τl, t : list(τl) ` e2 : τ σ2 σ  σ1 σ2 The subtyping relation is crucial for typing this example. In CASE Γ ` case e{nil −→ e ; cons(h, t) −→ e } : τ σ particular, in the non-recursive Nil case, the following subtyping 1 2 is used: Γ, x : τ ` e : τ list(int) ≤ list(int)[list(int)] list(int)[list(int)] list(int), FIX Γ ` fix x.e : τ where the subtyping derivation for the effect annotations is as follows: Figure 8. Typing rules for booleans, integers, lists and recursion list(int) ≤ list(int)  ≤  list(int) ≤ list(int)  ≤ [list(int)] list(int) 4.2 Example—prefixes  ≤ [list(int)] list(int)[list(int)] list(int) The prefixes example shown in Figure 9 has been considered in [2] Using the translation from Figure 7 we obtain the following coer- and in [6]. The function prefixes lists prefixes of a given list, cion function (reduced to normal form for clarity): e.g., yields . This prefixes [1,2,3] [[1],[1,2],[1,2,3]] λx.λk .λk .k (k x) example cannot be typed in the original type system of Danvy 1 2 2 1 and Filinski, because the captured continuation is applied in con- We can see that in the translated term the composition of the texts with different answer types. In our type system, this prob- “accumulator” contexts after traversing the entire input list is done lem is taken care of by the subtyping relation. In the first oc- by the coercion function. currence (k []) the continuation is simply given the pure type list(int) −→ list(int). In the second (k (w xs)), it is given a more 5. Relation to shift/reset complex type list(int) −−−−−−−−→[list(int)] list(int) list(int). The shift operator can be defined with shift0 and reset0 by putting a reset0 inside a shift0: Sf.e = S0f.hei; reset0 then behaves just 4.3 Example—partition like reset. Using this definition, one can check how the type system The prefixes example does not take advantage of the semantics of presented here relates to the type system for shift/reset introduced S shift0, because it can be typed with flat effect annotations. This by Danvy and Filinski [14] (let us call their system λ→). First, S S0 is not the case for partition, shown in Figure 10. This program we define a translation from λ→ to λ≤ on terms and types (the partitions a list of integers into three parts: the ones less than, syntactic forms not mentioned below translate homomorphically): equal, and greater than a number given as a parameter, maintain- ing the original order between the integers in each group, e.g., τ = τ [τ3] τ4 partition 3 [4,1,3,5,2,3] yields [1,2,3,3,4,5]. The idea τ1 τ3 −→ τ4 τ2 = τ1 −−−−→ τ2 behind this example is that the two reset ’s are used as “markers” 0 Sf.e = S f.hei for the positions in the result where we insert new elements, and 0 shift0 is used to reach those markers. The translation on typing derivations is shown in Figure 11. The inner function part is given the following type: Using this translation, one can prove the following result: S [list(int)] list(int)[list(int)] list(int) If Γ; τ ` e : τ; τ in λ , then Γ ` e : τ [τ ] τ in list(int) −−−−−−−−−−−−−−−→ list(int) Theorem 10. 1 2 → 1 2 S0 λ≤ . Hence, it requires two contexts, both of the type list(int) −→ list(int), S and returns a final value of type list(int). These contexts are the One can also consider the CPS translations in both systems λ→ S0 “accumulators” for the elements less than and equal to the given and λ≤ . First, we notice that the CPS translations of the typing value. derivations resulting from the translation in Figure 11 are β-equal ... VAR Γ, x : τ ` x : τ τ ≤ τ [τ 0] τ 0 VAR SUB Γ, x : τ; τ 0 ` x : τ; τ 0 Γ, x : τ ` x : τ [τ 0] τ 0

0 Γ, x : τ ` e : τ [τ1] τ2 ... ABS 0 [τ1] τ2 0 [τ1] τ2 0 [τ1] τ2 0 00 00 Γ, x : τ; τ1 ` e : τ ; τ2 Γ ` λx.e : τ −−−−→ τ τ −−−−→ τ ≤ τ −−−−→ τ [τ ] τ ABS SUB 00 0 00 [τ1] τ2 0 00 00 Γ; τ ` λx.e :(τ τ1 −→ τ2 τ ); τ Γ ` λx.e : τ −−−−→ τ [τ ] τ

0 0 Γ; τ4 ` f :(τ1 τ 0 −→ τ 0 τ2); τ2 1 3 0 0 0 0 [τ1] τ3 0 0 0 0 Γ; τ3 ` e : τ2; τ4 Γ ` f : τ1 −−−−→ τ2 [τ4] τ2 Γ ` e : τ1 [τ3] τ4 0 0 APP 0 0 APP Γ; τ1 ` fe : τ2; τ2 Γ ` fe : τ2 [τ1] τ2

[τ0] τ0 Γ, f : τ −−−−→ τ1 ` e : τ3 [τ3] τ2 RESET0 [τ0] τ0 Γ, f : τ −−−−→ τ1 ` hei : τ2 ... 0 0 SHIFT0 0 0 Γ, f :(τ τ 0 −→ τ 0 τ1); τ3 ` e : τ3; τ2 Γ ` S0f.hei : τ [τ1 [τ ] τ ] τ2 τ [τ1 [τ ] τ ] τ2 ≤ τ [τ1] τ2 SHIFT SUB Γ; τ1 ` Sf.e : τ; τ2 Γ ` S0f.hei : τ [τ1] τ2

Γ ` e : τ1 [τ1] τ ... RESET0 0 0 Γ; τ1 ` e : τ1; τ Γ ` hei : τ τ ≤ τ [τ ] τ RESET SUB Γ; τ 0 ` hei : τ; τ 0 Γ ` hei : τ [τ 0] τ 0

S S0 Figure 11. Embedding of Danvy and Filinski’s type system λ→ into λ≤ to the standard CPS translations [14]. In order to formalize this Each of the CPS translations of Section 2.2 determines a defini- observation we introduce the following notation. If D is a typing tion of shift0 and reset0 in the corresponding continuation monad. S derivation in λ→, then D is the corresponding typing derivation in Since we can represent arbitrary computational monads in direct S0 style using shift and reset [18], we obtain two static simulations of λ≤ , obtained using the translation inductively defined in Figure 11. shift0 and reset0. The simulation obtained from the uncurried trans- S Lemma 14. Let De be a typing derivation for the term e in λ→. lation of Figure 3 is similar to the one presented by Shan [32], but Then the following equalities hold: the one obtained from the translation of Figure 2 is novel: 0 0 • Sf.e =β λk. e {f/λx.λk .k (k x)}(λx.x) S0f.e := Sk.λc.(λf.h(λx.λk.k x) ei) DSf.e De J K J K (λx.Sk0.λc0.k x c (λx0.k0 x0 c0)) • hei =β λk.k( e (λx.x)) Dhei De J K J K hei0 := Sk.λc.h(λx.λk.k x) ei (λx.λk.k x)(λx.k x c) As a corollary, we can prove the following theorem by straight- runS0 e := h(λx.λk.k x) ei (λx.x) forward induction: λS S We can also consider the type system of [6], which we call B. Theorem 11. Let e be a well-typed term in λ→, and let D be its Again, we first define a translation on terms, types and context typing derivation. Then e =β e D. types (as before, syntactic forms not mentioned below are trans- J K J K The untyped CPS translations of Section 2.2 also induce a lated homomorphically): CPS translation for shift and reset. For instance, the curried CPS b = τ translation of Figure 2 yields: b τ −→ τ = τ [τ3] τ4 τ Sf.e = λf. e (λx.λk.k x) 1 τ3 τ4 2 1 −−−−→ 2 τ τ = τ −→ τ J heiK = e (Jλx.λk.kK x) 1 B 2 1 2 J K J K It is interesting to observe that although this CPS translation k ←- e = k e validates the standard reduction semantics of shift and reset: Sk.e = S0k.hei hvi v Next, we can write a translation on typing derivations, which satisfies the following theorem: hK[Sf.e]i he[f/λx.hK[x]i]i Theorem 12. If Γ, ∆; τ ` e : τ; τ in λS , then Γ ∪ ∆ ` e : it generates a different equational theory than the one of the stan- 1 2 B S0 dard CPS translation for shift and reset [22]. For example, the equa- τ [τ1] τ2 in λ≤ . tion For both type systems for shift considered here, there exist terms hheii = hei which are not well-typed in those systems, but their translation to S0 is not sound with respect to the presented CPS translation. So in a λ≤ is well-typed. In particular, the following term: sense, by using the CPS translation for shift0 and reset0 we have (λf.λy.(λz.h(λv.λw.y)(f y)i) hf yi)(λx.x) obtained a variant of shift and reset. However, when considered in the type system with subtyping, shift0 and reset0 give rise to the is a valid term and cannot be typed in neither of the two systems. S0 standard shift and reset, as demonstrated by Lemma 14. However, it translates without changes to λ≤ , where it is well 0 0 0 τ ≤ τ τ2 ≤ τ1 τ1 ≤ τ2 0 0 0  ≤   ≤ [τ] τ [τ1] τ1 ≤ [τ2] τ2

0 0 0 0 τ ≤ τ σ ≤ σ τ2 ≤ τ1 τ1 σ1 ≤ τ2 σ2 0 0 0 σ1 0 σ2 τ σ ≤ τ σ α ≤ α τ1 −→ τ1 ≤ τ2 −→ τ2

Γ ` e : τ σ τ σ ≤ τ 0 σ0 VAR SUB Γ, x : τ ` x : τ Γ ` e : τ 0 σ0

Γ, x : τ1 ` e : τ2 σ Γ ` f : τ1 −→ τ2 Γ ` e : τ1 σ ABS APP-PURE Γ ` λx.e : τ1 −→ τ2 Γ ` fe : τ2

0 0 [τ1] τ3 0 0 0 0 Γ ` f : τ1 −−−−→ τ2 [τ4] τ2 Γ ` e : τ1 [τ3] τ4 0 0 APP Γ ` fe : τ2 [τ1] τ2

0 0 Γ, f : τ1 −→ τ2 ` e : τ3 Γ ` e : τ [τ ] τ SHIFT0 RESET0 Γ ` S0f.e : τ1 [τ2] τ3 Γ ` hei : τ

S0 S Figure 12. Type system for λ with flat effect annotations (λ≤)

typed (for example, it can be assigned the type α −→ (β −→ α)). In tion shift0 introduces a lambda abstraction and reset0 eliminates this sense, the type system presented here is strictly more expres- it. sive than the other systems. • Our annotation composition relation  introduced in Sec- An interesting feature of both translations is that a non-empty tion 3.4 corresponds to the comp control effect composition type annotation never occurs inside another type annotation—the operation. S0 annotations are “flat.” Thus one can consider a variant of the λ≤ type system, which enforces this restriction syntactically: The type system in [31] does not allow shift to be used inside τ ::= α | τ −→σ τ another shift—it has to be put inside a new reset. This is what σ ::=  | [τ] τ happens with the shift0 operator with flat effect annotations in our type system. This reinforces our opinion that Scala implements the S The typing rules for this system (called λ≤) are shown in Figure 12. restricted shift0/reset0 operators, which only happen to coincide In this type system shift0 is forbidden from being used inside with shift/reset. another shift0 without a corresponding control delimiter and, there- fore, only the top context of the stack can be accessed by control 6.2 Substructural type system of Kiselyov and Shan operations. It follows that in this type system shift0 has the seman- tics of shift. We can thus view this type system as an exotic type The type system for shift0/reset0 introduced by Kiselyov and system for the shift operator (that is why we call it λS ). Shan [26] shares many properties with the type system presented ≤ in this work—in particular, strong type soundness and termination. In their work, expressions and evaluation contexts are treated as 6. Related work structure in linear logic, where structural rules play a vital role. Moreover, their type system abstractly interprets (in the sense of 6.1 Relation to the Scala implementation abstract interpretation of Cousot and Cousot [11]) small-step re- The type system and the selective CPS-translation presented here duction semantics of the language and it does not require effect resemble strongly those presented by Rompf et al. in [31] for the annotations in judgments and arrow types. Instead these annota- programming language Scala. The presentation in [31] is based on tions occur in types and cotypes assigned to terms and coterms, Scala and is somewhat informal, so the exact comparison is not respectively. In terms of presentation, our system is very close to possible, but still one can see the following similarities: the well-known type system by Danvy and Filinski and seems more conventional than Kiselyov and Shan’s. Both type systems allow S • Our annotations (from the type system λ≤) correspond to @cps for answer type modifications and for exploring the stack of con- annotations. For example, our type α [β] γ corresponds to texts beyond the nearest control delimiter. While in our type system A @cps[B, C] in Scala. subtyping is built in and plays a major role, leading to a clever CPS translation, in Kiselyov and Shan’s work it is just an entailment of • The type system of Scala distinguishes pure and impure expres- the type system. sions as our type system does. In particular, as in our restricted Our type system can be embedded in the type system of Kise- system with flat annotations, the expression inside a shift must lyov and Shan. A converse translation appears to be impossible be- have a pure type, the entire expression has an impure type, and cause their language is richer: it includes an operator $, which is a the captured continuation has a pure function type. generalization of reset0 and, in a sense, the inverse of the shift0 op- • Scala’s Shift class used for implementing delimited control, erator. Because our language does not differentiate between func- which implements the continuation monad, is constructed by tions and contexts, it is currently not clear how to include this op- shift and consumed by reset, in the same way that in our transla- erator in it, so the subject requires further study. 7. Future work References The type system presented here is monomorphic. We are planning [1] M. S. Ager, D. Biernacki, O. Danvy, and J. Midtgaard. A func- to explore how adding polymorphism (let-polymorphism, system tional correspondence between evaluators and abstract machines. In F-like explicit polymorphism) affects the system. We expect that, as D. Miller, editor, Proceedings of the Fifth ACM-SIGPLAN Interna- in the polymorphic type system of Asai and Kameyama presented tional Conference on Principles and Practice of Declarative Program- ming (PPDP’03), pages 8–19, Uppsala, Sweden, Aug. 2003. ACM in [2], it should be safe to generalize the types of pure terms. Press. Also, because of the presence of subtyping, we will need to store constraints about generalized variables in the polymorphic types, [2] K. Asai and Y. Kameyama. Polymorphic delimited continuations. as in [21]. In Proceedings of the Fifth Asian symposium on Programming Lan- Because of the similarities of the system presented here to the guages and Systems, APLAS’07, number 4807 in Lecture Notes in Computer Science, pages 239–254, Singapore, Dec. 2007. Scala implementation of delimited continuations [31], we are going to investigate whether it would be possible to implement our sys- [3] V. Balat and O. Danvy. Memoization in type-directed partial evalu- tem in Scala. Our type annotations translate to Scala by nesting the ation. In D. Batory, C. Consel, and W. Taha, editors, Proceedings of @cps annotations already used by the current implementation of de- the 2002 ACM SIGPLAN/SIGSOFT Conference on Generative Pro- limited control. For example, the effect-annotated type α[α]α[α]α gramming and Component Engineering, GPCE 2002, number 2487 in Lecture Notes in Computer Science, pages 78–92, Pittsburgh, Penn- would translate to Scala’s type A @cps[A, A @cps[A, A]]. sylvania, Oct. 2002. Springer-Verlag. Another important aspect of this work that has not been re- [4] C. Barker. Continuations in natural language. In H. Thielecke, editor, searched yet are equational theories of shift0 and reset0 in the un- typed and typed settings as well as of the variant of shift and reset in Proceedings of the Fourth ACM SIGPLAN Workshop on Continua- tions (CW’04), Technical report CSR-04-1, Department of Computer the untyped setting, described in Section 5. In particular, it seems Science, Queen Mary’s College, pages 1–11, Venice, Italy, Jan. 2004. vital to understand the role of the subtyping relation in the equa- tional theories of the typed control operators. [5] M. Biernacka and D. Biernacki. A context-based approach to proving termination of evaluation. In Proceedings of the 25th Annual Confer- ence on Mathematical Foundations of Programming Semantics(MFPS 8. Conclusion XXV), Oxford, UK, Apr. 2009. We have presented a new type system for the delimited-control op- [6] M. Biernacka and D. Biernacki. Context-based proofs of termination erators shift0 and reset0 that has been derived from a CPS transla- for typed delimited-control operators. In F. J. Lopez-Fraguas,´ editor, tion for these control operators and that generalizes Danvy and Fil- Proceedings of the 11th ACM-SIGPLAN International Conference inski’s type system for shift and reset. The type system is equipped on Principles and Practice of Declarative Programming (PPDP’09), with two subtyping relations: one on types and the other one on Coimbra, Portugal, Sept. 2009. ACM Press. effect annotations describing a stack of contexts in which a given [7] M. Biernacka and O. Danvy. A syntactic correspondence between expression can be embedded. The subtyping mechanism makes it context-sensitive calculi and abstract machines. Theoretical Computer possible to coerce pure expressions into effectful ones. Science, 375(1-3):76–108, 2007. The effect annotations and the corresponding subtyping relation [8] M. Biernacka and O. Danvy. A concrete framework for environment are used to guide a selective CPS translation that precisely takes machines. ACM Transactions on Computational Logic, 9(1):1–30, into account the information about the contexts surrounding a trans- 2007. lated expression. In particular, it leaves pure expressions in direct style. Such a translation seems promising, if one would like to im- [9] M. Biernacka, D. Biernacki, and O. Danvy. An operational foundation for delimited continuations in the CPS hierarchy. Logical Methods in plement full-fledged shift0 and reset0, e.g., in Scala (instead of their Computer Science, 1(2:5):1–39, Nov. 2005. A preliminary version was flat version that accidentally coincides with shift and reset [31]). As presented at the Fourth ACM SIGPLAN Workshop on Continuations shown in Section 4, the full power of shift0 and reset0 can be very (CW’04). useful and we believe that there are other interesting applications of these operators waiting to be discovered. [10] D. Biernacki, O. Danvy, and K. Millikin. A dynamic continuation- passing style for dynamic delimited continuations. Technical Report The present article also demonstrates the effectiveness of the BRICS RS-05-16, DAIMI, Department of Computer Science, Aarhus context-based method of reducibility predicates [5, 6] that has University, Aarhus, Denmark, May 2005. turned out to be the right way to tackle the non-trivial problem of termination of evaluation for the case of the type-and-effect system [11] P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approxima- with subtyping considered here. It can be observed (and remains to tion of fixpoints. In R. Sethi, editor, Proceedings of the Fourth Annual be verified, e.g., in Coq) that the computational content of this con- ACM Symposium on Principles of Programming Languages, pages structive proof takes the form of a type-directed evaluator in CPS 238–252, Los Angeles, California, Jan. 1977. ACM Press. that corresponds to the type-directed CPS translation presented in this work. [12] O. Danvy. Type-directed partial evaluation. In G. L. Steele Jr., editor, Proceedings of the Twenty-Third Annual ACM Symposium on Principles of Programming Languages, pages 242–257, St. Petersburg Acknowledgments Beach, Florida, Jan. 1996. ACM Press. First of all, we would like to thank Małgorzata Biernacka for [13] O. Danvy and A. Filinski. A functional abstraction of typed contexts. numerous comments on the presentation of this work as well as DIKU Rapport 89/12, DIKU, Computer Science Department, Univer- for helping us to get the proof of termination of evaluation under sity of Copenhagen, Copenhagen, Denmark, July 1989. control. We also thank the anonymous referees and the PC members [14] O. Danvy and A. Filinski. Abstracting control. In M. Wand, editor, of ICFP’11 for their valuable comments on the presentation and Proceedings of the 1990 ACM Conference on Lisp and Functional contents of this article. Hugo Herbelin made the observation about Programming, pages 151–160, Nice, France, June 1990. ACM Press. the difference between the standard equational theory for shift [15] P. Dybjer and A. Filinski. Normalization and partial evaluation. In and reset and the one induced by the untyped CPS translation of G. Barthe, P. Dybjer, L. Pinto, and J. Saraiva, editors, Applied Seman- Section 2.2. tics – Advanced Lectures, number 2395 in Lecture Notes in Computer This work has been partially supported by the MNiSW grant Science, pages 137–192, Caminha, Portugal, Sept. 2000. Springer- number N N206 357436, 2009-2011. Verlag. [16] R. K. Dybvig, S. Peyton-Jones, and A. Sabry. A monadic framework [25] O. Kiselyov and C. Shan. Delimited continuations in operating sys- for delimited continuations. Journal of Functional Programming, 17 tems. In B. Kokinov, D. C. Richardson, T. R. Roth-Berghofer, and (6):687–730, 2007. L. Vieu, editors, Modeling and Using Context, 6th International and [17] M. Felleisen. The theory and practice of first-class prompts. In Interdisciplinary Conference, CONTEXT 2007, number 4635 in Lec- J. Ferrante and P. Mager, editors, Proceedings of the Fifteenth Annual ture Notes in Artificial Intelligence, pages 291–302, Roskilde, Den- ACM Symposium on Principles of Programming Languages, pages mark, Aug. 2007. Springer. 180–190, San Diego, California, Jan. 1988. ACM Press. [26] O. Kiselyov and C. Shan. A substructural type system for delimited [18] A. Filinski. Representing monads. In H.-J. Boehm, editor, Proceed- continuations. In S. R. D. Rocca, editor, Typed Lambda Calculi and ings of the Twenty-First Annual ACM Symposium on Principles of Pro- Applications, 8th International Conference, TLCA 2007, number 4583 gramming Languages, pages 446–457, Portland, Oregon, Jan. 1994. in Lecture Notes in Computer Science, pages 223–239, Paris, France, ACM Press. June 2007. Springer-Verlag. [19] A. Filinski. Representing layered monads. In A. Aiken, editor, Pro- [27] L. R. Nielsen. A selective CPS transformation. In S. Brookes and ceedings of the Twenty-Sixth Annual ACM Symposium on Principles M. Mislove, editors, Proceedings of the 17th Annual Conference on of Programming Languages, pages 175–188, San Antonio, Texas, Jan. Mathematical Foundations of Programming Semantics, volume 45 of 1999. ACM Press. Electronic Notes in Theoretical Computer Science, pages 201–222, Aarhus, Denmark, May 2001. Elsevier Science Publishers. [20] R. Harper, B. F. Duba, and D. MacQueen. Typing first-class continua- tions in ML. Journal of Functional Programming, 3(4):465–484, Oct. [28] G. D. Plotkin. Call-by-name, call-by-value and the λ-calculus. Theo- 1993. A preliminary version was presented at the Eighteenth Annual retical Computer Science, 1:125–159, 1975. ACM Symposium on Principles of Programming Languages (POPL [29] J. C. Reynolds. Definitional interpreters for higher-order program- 1991). ming languages. In Proceedings of 25th ACM National Conference, [21] F. Henglein. Syntactic properties of polymorphic subtyping. Tech- pages 717–740, Boston, Massachusetts, 1972. Reprinted in Higher- nical Report Semantics Report D-293, DIKU, Computer Science De- Order and Symbolic Computation 11(4):363–397, 1998, with a fore- partment, University of Copenhagen, May 1996. word [30]. [22] Y. Kameyama and M. Hasegawa. A sound and complete axiomati- [30] J. C. Reynolds. Definitional interpreters revisited. Higher-Order and zation of delimited continuations. In O. Shivers, editor, Proceedings Symbolic Computation, 11(4):355–361, 1998. of the 2003 ACM SIGPLAN International Conference on Functional [31] T. Rompf, I. Maier, and M. Odersky. Implementing first-class Programming (ICFP’03), SIGPLAN Notices, Vol. 38, No. 9, pages polymorphic delimited continuations by a type-directed selective 177–188, Uppsala, Sweden, Aug. 2003. ACM Press. cps-transform. In A. Tolmach, editor, Proceedings of the 2009 [23] R. Kelsey, W. Clinger, and J. Rees, editors. Revised5 report on the ACM SIGPLAN International Conference on Functional Program- algorithmic language Scheme. Higher-Order and Symbolic Computa- ming (ICFP’09), pages 317–328, Edinburgh, UK, Aug. 2009. ACM tion, 11(1):7–105, 1998. Press. [24] J. Kim, K. Yi, and O. Danvy. Assessing the overhead of ML exceptions [32] C. Shan. A static simulation of dynamic delimited control. Higher- by selective CPS transformation. In G. Morrisett, editor, Record Order and Symbolic Computation, 20(4):371–401, 2007. of the 1998 ACM SIGPLAN Workshop on ML and its Applications, [33] E. Sumii. An implementation of transparent migration on standard Baltimore, Maryland, Sept. 1998. Scheme. In M. Felleisen, editor, Proceedings of the Workshop on Scheme and Functional Programming, Technical Report 00-368, Rice University, pages 61–64, Montreal,´ Canada, Sept. 2000.