Reconciling Noninterference and Gradual Typing

Total Page:16

File Type:pdf, Size:1020Kb

Reconciling Noninterference and Gradual Typing Reconciling noninterference and gradual typing Arthur Azevedo de Amorim Matt Fredrikson Limin Jia Carnegie Mellon University Carnegie Mellon University Carnegie Mellon University Abstract let f x = One of the standard correctness criteria for gradual typing is let b (* : Bool<S> *) = true in the dynamic gradual guarantee, which ensures that loosening let y = ref b in type annotations in a program does not affect its behavior in let z = ref b in arbitrary ways. Though natural, prior work has pointed out if x then y := false else (); that the guarantee does not hold of any gradual type system if !y then z := false else (); !z for information-flow control. Toro et al.’s GSLRef language, for example, had to abandon it to validate noninterference. We show that we can solve this conflict by avoiding a fea- f (<S>true) ture of prior proposals: type-guided classification, or the use of type ascription to classify data. Gradual languages require Figure 1. Prototypical failure of the DGG due to NSU checks. run-time secrecy labels to enforce security dynamically; if The program throws an error when run, but successfully type ascription merely checks these labels without modifying terminates if we uncomment the type annotation Bool<S>. them (that is, without classifying data), it cannot violate the dynamic gradual guarantee. We demonstrate this idea with GLIO, a gradual type system based on the LIO library that Sadly, the guarantee does not hold in any existing gradual enforces both the gradual guarantee and noninterference, language for information-flow control (IFC) [33]. featuring higher-order functions, general references, coarse- The goal of this paper is to remedy the situation for IFC lan- grained information-flow control, security subtyping and guages without giving up on noninterference. The difficulty, first-class labels. We give the language a domain-theoretic we argue, stems from what we call type-guided classification: semantics, using Pitts’ framework of relational structures to the ability to classify values through static type annotations. prove noninterference and the dynamic gradual guarantee. This issue is illustrated in Figure1, which shows a program in λinfo [4], a typical language for dynamic IFC. Values in λinfo 1 Introduction carry a confidentiality label that is checked and propagated during execution to prevent information leaks. Unannotated Gradual type systems allow incomplete type annotations for values such as true are marked with a default label (in λinfo, combining the safety of static typing with the flexibility of Public), which can be overridden with < >. For example, the dynamic languages. In the gradual λ-calculus of Siek and function f is given a Secret argument. Taha [27], for example, we can declare the argument of a For now, ignore the commented type (* ... *). If we function f as an integer but omit its return type. This causes ran this program in a typical language with no IFC checks, it the type checker to reject an expression such as f ¹trueº while would have the effect of leaking the secret input x through accepting f ¹0º + 1, understanding that the latter will trig- the reference z, returning true when x = true and false ger a run-time error if f ¹0º returns a string. Many language when x = false. Dynamic IFC prevents this breach with features have been adapted to gradual typing, including ref- a discipline known as no-sensitive-upgrade (NSU) [4, 5, 31], erences [29], polymorphism [2, 17, 21, 34], among others. which forbids updates to public references when the control Unlike other approaches that mix static and dynamic typ- flow is influenced by secrets. In f, the reference y is implicitly ing, ascribing types in a gradual language should barely labeled public because it is allocated in a public context and affect a program’s behavior, a property known asthe dy- initialized with a public variable. This causes the NSU check namic gradual guarantee (DGG) [28]: the program might be to fail and terminate execution. rejected by the type checker or encounter more cast errors, An extension of λinfo with gradual types could allow us but its output should not change from 0 to 1. Albeit natural, to annotate b with the type in comments, declaring it as a this isolation can be challenging for languages that strive secret boolean. What would this declaration mean? Current for more than basic type safety. It had to be abandoned in a gradual IFC languages (GSLRef [33], ML-GS [12], etc.) inter- 1 gradual variant of System F to enforce parametricity [34], pret it as classification, thus setting b’s dynamic secrecy label and in the GSLRef language [33] to enforce noninterference. to S. This causes the program to terminate successfully: b’s label is propagated to y and z, the program accepts the two 1Recent work has managed to lift this restriction using ideas similar to assignments (because x has the same secrecy as the refer- ours [21]; cf. Section7. ences), and returns <S>true. Unfortunately, this behavior Arthur Azevedo de Amorim, Matt Fredrikson, and Limin Jia violates the DGG, because dynamic errors are not allowed let b : Bool<S> = true in labelOf b == S to disappear when we provide type annotations. let b : Bool<P> = true in labelOf b == S This scenario suggests two possibilities for repairing the let b = true in labelOf b == S DGG: dropping the NSU discipline in favor of type-guided classification, or vice versa. The first option is problematic Figure 2. Failure of the DGG with first-class labels and type- because it is hard to find other ways of enforcing noninter- guided classification. The first two programs have no reason ference. One possibility would be to modify the semantics to fail, and with type-guided classification they terminate of conditionals so that they raise the secrecy of all refer- successfully with different results. The DGG would force the ences that could be updated in either branch [25]. In Fig- third program must behave the same way as the first two, ure1, this would mean raising y’s label above x’s even when which is impossible. the else branch is taken. Apart from the potential perfor- mance impact, implementing this solution in any realistic language would require a rich analysis to compute write programs to richer type disciplines. The literature on gradual sets, which would likely push us further towards a static IFC offers different answers to this question; ML-GS[12], for type system. And even if we decided that this was worth it, example, requires references to be given an explicit secrecy keeping type-guided classification would be problematic for label, and thus does not directly apply to legacy programs, another popular feature of IFC: first-class labels. while GSLRef [33] allows omitting all such annotations. By Labels are first class if they can be manipulated program- extending LIO, GLIO adopts a mixed stance in that regard. matically; for instance, we might write labelOf b == S On the one hand, LIO does require programs to provide term- to test whether b holds a secret. First-class labels are often level annotations for certain operations, including reference adopted in practically minded IFC systems [31, 36] because allocation. On the other hand, LIO’s coarse-grained design they enable rich data-dependent policies. Unfortunately, they obviates the need for tracking labels in most of the program; can easily break the DGG with type-guided classification. most values are protected by the PC label, a state component Consider Figure2, for instance: if the DGG were true, the used in NSU checks. unannotated program would behave the same way as the In principle, it would be possible to allow missing label two annotated ones, which is impossible because they re- annotations for references in GLIO by choosing a default turn different results. Similar issues have been observed in value for them, such as the current PC label. Unfortunately, languages with dynamic type tests [9, 28]: if programs can the benefits of this approach would be limited for gradual test anything about a value’s type, they can discern between typing: in the presence of first-class labels, no analog of the different static annotations. DGG can hold when overriding these defaults. We do not Thus, to reconcile noninterference and gradual typing, know if the situation fundamentally changes if first-class we are led to the second option: abandoning type-guided labels are absent, but missing reference annotations are not classification. The effect of an annotation should be merely the only source of violations for the DGG: similar issues arise to check labels, not to modify them. For Figure1, this would in GSLRef even if all reference annotations are present, by mean that b, y and z would still be dynamically labeled P adapting the counterexample of Figure1 to its syntax. despite the static annotation Bool<S>, triggering an NSU Our contributions, in sum, are as follows. We introduce error without any harm to the gradual guarantee. Likewise, GLIO, a gradual language based on LIO with higher-order the annotations in Figure2 could lead to a cast error, but functions and storage, flow-insensitive references, coarse- they would not change the result of the test. Modifying labels grained IFC, security subtyping and public, first-class la- should still be possible, but through a term-level operation bels. After an informal tour of the language in Section2, that is not covered by the DGG. we present its syntax and type system in Section3, and We realize this idea with GLIO, a gradual language based define its semantics in Section4. We prove that GLIO satis- on the LIO library [32]. LIO exposes an API for securely fies both termination- and error-insensitive noninterference manipulating secret data, to which GLIO adds optional an- (Section5) and the gradual guarantee of Siek et al .[28] (Sec- notations for preventing security errors statically.
Recommended publications
  • Gradual Typing with Inference Jeremy Siek University of Colorado at Boulder
    Gradual Typing with Inference Jeremy Siek University of Colorado at Boulder joint work with Manish Vachharajani Overview • Motivation • Background • Gradual Typing • Unification-based inference • Exploring the Solution Space • Type system (specification) • Inference algorithm (implementation) Why Gradual Typing? • Static and dynamic type systems have complimentary strengths. • Static typing provides full-coverage error checking, efficient execution, and machine-checked documentation. • Dynamic typing enables rapid development and fast adaption to changing requirements. • Why not have both in the same language? Java Python Goals for gradual typing Treat programs without type annotations as • dynamically typed. Programmers may incrementally add type • annotations to gradually increase static checking. Annotate all parameters and the type system • catches all type errors. 4 Goals for gradual typing Treat programs without type annotations as • dynamically typed. Programmers may incrementally add type • annotations to gradually increase static checking. Annotate all parameters and the type system • catches all type errors. dynamic static 4 Goals for gradual typing Treat programs without type annotations as • dynamically typed. Programmers may incrementally add type • annotations to gradually increase static checking. Annotate all parameters and the type system • catches all type errors. dynamic gradual static 4 The Gradual Type System • Classify dynamically typed expressions with the type ‘?’ • Allow implicit coercions to ? and from ? with any other type • Extend coercions to compound types using a new consistency relation 5 Coercions to and from ‘?’ (λa:int. (λx. x + 1) a) 1 Parameters with no type annotation are given the dynamic type ‘?’. 6 Coercions to and from ‘?’ ? (λa:int. (λx. x + 1) a) 1 Parameters with no type annotation are given the dynamic type ‘?’.
    [Show full text]
  • Principal Type Schemes for Gradual Programs with Updates and Corrections Since Publication (Latest: May 16, 2017)
    Principal Type Schemes for Gradual Programs With updates and corrections since publication (Latest: May 16, 2017) Ronald Garcia ∗ Matteo Cimini y Software Practices Lab Indiana University Department of Computer Science [email protected] University of British Columbia [email protected] Abstract to Siek and Taha (2006) has been used to integrate dynamic checks Gradual typing is a discipline for integrating dynamic checking into into a variety of type structures, including object-oriented (Siek a static type system. Since its introduction in functional languages, and Taha 2007), substructural (Wolff et al. 2011), and ownership it has been adapted to a variety of type systems, including object- types (Sergey and Clarke 2012). The key technical pillars of grad- oriented, security, and substructural. This work studies its applica- ual typing are the unknown type, ?, the consistency relation among tion to implicitly typed languages based on type inference. Siek gradual types, and support for the entire spectrum between purely and Vachharajani designed a gradual type inference system and dynamic and purely static checking. A gradual type checker rejects algorithm that infers gradual types but still rejects ill-typed static type inconsistencies in programs, accepts statically safe code, and programs. However, the type system requires local reasoning about instruments code that could plausibly be safe with runtime checks. type substitutions, an imperative inference algorithm, and a subtle This paper applies the gradual typing approach to implicitly correctness statement. typed languages, like Standard ML, OCaml, and Haskell, where This paper introduces a new approach to gradual type inference, a type inference (a.k.a. type reconstruction) procedure is integral to type checking.
    [Show full text]
  • Gradual Typing for a More Pure Javascript
    ! Gradual Typing for a More Pure JavaScript Bachelor’s Thesis in Computer Science and Engineering JAKOB ERLANDSSON ERIK NYGREN OSKAR VIGREN ANTON WESTBERG Department of Computer Science and Engineering CHALMERS TEKNISKA HÖGSKOLA GÖTEBORGS UNIVERSITET Göteborg, Sverige 2019 Abstract Dynamically typed languages have surged in popularity in recent years, owing to their flexibility and ease of use. However, for projects of a certain size dynamic typing can cause problems of maintainability as refactoring becomes increas- ingly difficult. One proposed solution is the use of gradual type systems, where static type annotations are optional. This results in providing the best of both worlds. The purpose of this project is to create a gradual type system on top of JavaScript. Another goal is to explore the possibility of making guarantees about function purity and immutability using the type system. The types and their relations are defined and a basic type checker is implemented to confirm the ideas. Extending type systems to be aware of side effects makes it easier to write safer software. It is concluded that all of this is possible and reasonable to do in JavaScript. Sammanfattning Dynamiskt typade programmeringsspråk har ökat kraftigt i popularitet de se- naste åren tack vare deras flexibilitet och användbarhet. För projekt av en viss storlek kan dock dynamisk typning skapa underhållsproblem då omstrukture- ring av kod blir allt svårare. En föreslagen lösning är användande av så kallad gradvis typning där statiskt typad annotering är frivillig, vilket i teorin fångar det bästa av två världar. Syftet med det här projektet är att skapa ett gradvist typsystem ovanpå Javascript.
    [Show full text]
  • Safe & Efficient Gradual Typing for Typescript
    Safe & Efficient Gradual Typing for TypeScript (MSR-TR-2014-99) Aseem Rastogi ∗ Nikhil Swamy Cedric´ Fournet Gavin Bierman ∗ Panagiotis Vekris University of Maryland, College Park MSR Oracle Labs UC San Diego [email protected] fnswamy, [email protected] [email protected] [email protected] Abstract without either rejecting most programs or requiring extensive an- Current proposals for adding gradual typing to JavaScript, such notations (perhaps using a PhD-level type system). as Closure, TypeScript and Dart, forgo soundness to deal with Gradual type systems set out to fix this problem in a principled issues of scale, code reuse, and popular programming patterns. manner, and have led to popular proposals for JavaScript, notably We show how to address these issues in practice while retain- Closure, TypeScript and Dart (although the latter is strictly speak- ing soundness. We design and implement a new gradual type sys- ing not JavaScript but a variant with some features of JavaScript re- tem, prototyped for expediency as a ‘Safe’ compilation mode for moved). These proposals bring substantial benefits to the working TypeScript.1Our compiler achieves soundness by enforcing stricter programmer, usually taken for granted in typed languages, such as static checks and embedding residual runtime checks in compiled a convenient notation for documenting code; API exploration; code code. It emits plain JavaScript that runs on stock virtual machines. completion; refactoring; and diagnostics of basic type errors. Inter- Our main theorem is a simulation that ensures that the checks in- estingly, to be usable at scale, all these proposals are intentionally troduced by Safe TypeScript (1) catch any dynamic type error, and unsound: typeful programs may be easier to write and maintain, but (2) do not alter the semantics of type-safe TypeScript code.
    [Show full text]
  • The Dynamic Practice and Static Theory of Gradual Typing Michael Greenberg Pomona College, Claremont, CA, USA [email protected]
    The Dynamic Practice and Static Theory of Gradual Typing Michael Greenberg Pomona College, Claremont, CA, USA http://www.cs.pomona.edu/~michael/ [email protected] Abstract We can tease apart the research on gradual types into two ‘lineages’: a pragmatic, implementation- oriented dynamic-first lineage and a formal, type-theoretic, static-first lineage. The dynamic-first lineage’s focus is on taming particular idioms—‘pre-existing conditions’ in untyped programming languages. The static-first lineage’s focus is on interoperation and individual type system features, rather than the collection of features found in any particular language. Both appear in programming languages research under the name “gradual typing”, and they are in active conversation with each other. What are these two lineages? What challenges and opportunities await the static-first lineage? What progress has been made so far? 2012 ACM Subject Classification Social and professional topics → History of programming lan- guages; Software and its engineering → Language features Keywords and phrases dynamic typing, gradual typing, static typing, implementation, theory, challenge problems Acknowledgements I thank Sam Tobin-Hochstadt and David Van Horn for their hearty if dubious encouragment. Conversations with Sam, Ron Garcia, Matthias Felleisen, Robby Findler, and Spencer Florence improved the argumentation. Stephanie Weirich helped me with Haskell programming; Richard Eisenberg wrote the program in Figure 3. Ross Tate, Neel Krishnaswami, Ron, and Éric Tanter provided helpful references I had overlooked. Ben Greenman provided helpful feedback. The anonymous SNAPL reviewers provided insightful comments as well as the CDuce code in Section 3.4.3. Finally, I thank Stephen Chong and Harvard Computer Science for hosting me while on sabbatical.
    [Show full text]
  • Refined Criteria for Gradual Typing
    Refined Criteria for Gradual Typing∗ Jeremy G. Siek1, Michael M. Vitousek1, Matteo Cimini1, and John Tang Boyland2 1 Indiana University – Bloomington, School of Informatics and Computing 150 S. Woodlawn Ave. Bloomington, IN 47405, USA [email protected] 2 University of Wisconsin – Milwaukee, Department of EECS PO Box 784, Milwaukee WI 53201, USA [email protected] Abstract Siek and Taha [2006] coined the term gradual typing to describe a theory for integrating static and dynamic typing within a single language that 1) puts the programmer in control of which regions of code are statically or dynamically typed and 2) enables the gradual evolution of code between the two typing disciplines. Since 2006, the term gradual typing has become quite popular but its meaning has become diluted to encompass anything related to the integration of static and dynamic typing. This dilution is partly the fault of the original paper, which provided an incomplete formal characterization of what it means to be gradually typed. In this paper we draw a crisp line in the sand that includes a new formal property, named the gradual guarantee, that relates the behavior of programs that differ only with respect to their type annotations. We argue that the gradual guarantee provides important guidance for designers of gradually typed languages. We survey the gradual typing literature, critiquing designs in light of the gradual guarantee. We also report on a mechanized proof that the gradual guarantee holds for the Gradually Typed Lambda Calculus. 1998 ACM Subject Classification F.3.3 Studies of Program Constructs – Type structure Keywords and phrases gradual typing, type systems, semantics, dynamic languages Digital Object Identifier 10.4230/LIPIcs.SNAPL.2015.274 1 Introduction Statically and dynamically typed languages have complementary strengths.
    [Show full text]
  • Gradual Session Types
    JFP 29, e17, 56 pages, 2019. c The Author(s) 2019. This is an Open Access article, distributed under 1 the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited. doi:10.1017/S0956796819000169 Gradual session types ATSUSHI IGARASHI Kyoto University, Japan (e-mail: [email protected]) PETER THIEMANN University of Freiburg, Germany (e-mail: [email protected]) YUYA TSUDA Kyoto University, Japan (e-mail: [email protected]) VASCO T. VASCONCELOS LASIGE, Department of Informatics, Faculty of Sciences, University of Lisbon, Portugal (e-mail: [email protected]) PHILIP WADLER University of Edinburgh, Scotland (e-mail: [email protected]) Abstract Session types are a rich type discipline, based on linear types, that lifts the sort of safety claims that come with type systems to communications. However, web-based applications and microser- vices are often written in a mix of languages, with type disciplines in a spectrum between static and dynamic typing. Gradual session types address this mixed setting by providing a framework which grants seamless transition between statically typed handling of sessions and any required degree of dynamic typing. We propose Gradual GV as a gradually typed extension of the functional session type system GV. Following a standard framework of gradual typing, Gradual GV consists of an external language, which relaxes the type system of GV using dynamic types; an internal language with casts, for which operational semantics is given; and a cast-insertion translation from the former to the latter.
    [Show full text]
  • Gradual Typing for Objects Benjamin Chung, Paley Li, Francesco Zappa Nardelli, Jan Vitek
    KafKa: Gradual Typing for Objects Benjamin Chung, Paley Li, Francesco Zappa Nardelli, Jan Vitek To cite this version: Benjamin Chung, Paley Li, Francesco Zappa Nardelli, Jan Vitek. KafKa: Gradual Typing for Objects. ECOOP 2018 - 2018 European Conference on Object-Oriented Programming, Jul 2018, Amsterdam, Netherlands. hal-01882148 HAL Id: hal-01882148 https://hal.inria.fr/hal-01882148 Submitted on 26 Sep 2018 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. KafKa: Gradual Typing for Objects Benjamin Chung Northeastern University, Boston, MA, USA Paley Li Czech Technical University, Prague, Czech Republic, and Northeastern University, Boston, MA, USA Francesco Zappa Nardelli Inria, Paris, France, and Northeastern University, Boston, MA, USA Jan Vitek Czech Technical University, Prague, Czech Republic, and Northeastern University, Boston, MA, USA Abstract A wide range of gradual type systems have been proposed, providing many languages with the ability to mix typed and untyped code. However, hiding under language details, these gradual type systems embody fundamentally different ideas of what it means to be well-typed. In this paper, we show that four of the most common gradual type systems provide distinct guarantees, and we give a formal framework for comparing gradual type systems for object- oriented languages.
    [Show full text]
  • Reconciling Noninterference and Gradual Typing Full Version with Definitions and Proofs
    Reconciling noninterference and gradual typing Full Version with Definitions and Proofs Arthur Azevedo de Amorim Matt Fredrikson Limin Jia Carnegie Mellon University Carnegie Mellon University Carnegie Mellon University Abstract let f x = One of the standard correctness criteria for gradual typing is let b (* : Bool<S> *) = true in the dynamic gradual guarantee, which ensures that loosening let y = ref b in type annotations in a program does not affect its behavior in let z = ref b in arbitrary ways. Though natural, prior work has pointed out if x then y := false else (); that the guarantee does not hold of any gradual type system if !y then z := false else (); !z for information-flow control. Toro et al.’s GSLRef language, for example, had to abandon it to validate noninterference. We show that we can solve this conflict by avoiding a fea- f (<S>true) ture of prior proposals: type-guided classification, or the use of type ascription to classify data. Gradual languages require Figure 1. Prototypical failure of the DGG due to NSU checks. run-time secrecy labels to enforce security dynamically; if The program throws an error when run, but successfully type ascription merely checks these labels without modifying terminates if we uncomment the type annotation Bool<S>. them (that is, without classifying data), it cannot violate the dynamic gradual guarantee. We demonstrate this idea with for more than basic type safety. It had to be abandoned in a GLIO, a gradual type system based on the LIO library that gradual variant of System F to enforce parametricity [33],1 enforces both the gradual guarantee and noninterference, and in the GSLRef language [32] to enforce noninterference.
    [Show full text]
  • Gradual Typing for Functional Languages
    Gradual Typing for Functional Languages Jeremy G. Siek Walid Taha University of Colorado Rice University [email protected] [email protected] Abstract ling the degree of static checking by annotating function parameters with types, or not. We use the term gradual typing for type systems Static and dynamic type systems have well-known strengths and that provide this capability. Languages that support gradual typing weaknesses, and each is better suited for different programming to a large degree include Cecil [8], Boo [10], extensions to Visual tasks. There have been many efforts to integrate static and dynamic Basic.NET and C# proposed by Meijer and Drayton [26], and ex- typing and thereby combine the benefits of both typing disciplines tensions to Java proposed by Gray et al. [17], and the Bigloo [6, 36] in the same language. The flexibility of static typing can be im- dialect of Scheme [24]. The purpose of this paper is to provide a proved by adding a type Dynamic and a typecase form. The safety type-theoretic foundation for languages such as these with gradual and performance of dynamic typing can be improved by adding typing. optional type annotations or by performing type inference (as in soft typing). However, there has been little formal work on type There are numerous other ways to combine static and dynamic typ- systems that allow a programmer-controlled migration between dy- ing that fall outside the scope of gradual typing. Many dynamically namic and static typing. Thatte proposed Quasi-Static Typing, but typed languages have optional type annotations that are used to im- it does not statically catch all type errors in completely annotated prove run-time performance but not to increase the amount of static programs.
    [Show full text]
  • Gradual Typing for First-Class Classes∗
    Gradual Typing for First-Class Classes ∗ Asumu Takikawa T. Stephen Strickland Christos Dimoulas Sam Tobin-Hochstadt Matthias Felleisen PLT, Northeastern University asumu, sstrickl, chrdimo, samth, matthias @ccs.neu.edu f g Abstract 1. Untyped Object-Oriented Style Dynamic type-checking and object-oriented programming The popularity of untyped programming languages such as often go hand-in-hand; scripting languages such as Python, Python, Ruby, or JavaScript has stimulated work on com- Ruby, and JavaScript all embrace object-oriented (OO) pro- bining static and dynamic type-checking. The idea is now gramming. When scripts written in such languages grow and popularly called gradual typing [27]. At this point, gradual evolve into large programs, the lack of a static type disci- typing is available for functional programming languages pline reduces maintainability. A programmer may thus wish such as Racket [33, 34], for object-oriented languages such to migrate parts of such scripts to a sister language with a as Ruby [12] or Thorn [38], and for Visual Basic [23] on the static type system. Unfortunately, existing type systems nei- .NET platform. Proposals for gradual typing also exist for ther support the flexible OO composition mechanisms found JavaScript [19] and Perl [31]. Formal models have validated in scripting languages nor accommodate sound interopera- soundness for gradual type systems, allowing seamless in- tion with untyped code. teroperation between sister languages [22, 27, 32]. In this paper, we present the design of a gradual typing system that supports sound interaction between statically- (define drracket-frame% and dynamically-typed units of class-based code. The type (size-pref-mixin system uses row polymorphism for classes and thus supports (searchable-text-mixin mixin-based OO composition.
    [Show full text]
  • Abstracting Gradual Typing
    Abstracting Gradual Typing Ronald Garcia ∗ Alison M. Clark y Eric´ Tanter z Software Practices Lab PLEIAD Laboratory Department of Computer Science Computer Science Department (DCC) University of British Columbia, Canada University of Chile, Chile frxg,[email protected] [email protected] Abstract 1. Introduction Language researchers and designers have extended a wide vari- Software developers and researchers alike see great promise in pro- ety of type systems to support gradual typing, which enables lan- gramming languages that seamlessly combine static and dynamic guages to seamlessly combine dynamic and static checking. These checking of program properties. One particularly promising and efforts consistently demonstrate that designing a satisfactory grad- vibrant line of work in this vein is gradual typing (Siek and Taha ual counterpart to a static type system is challenging, and this chal- 2006). Gradual typing integrates an unknown type ? and a notion lenge only increases with the sophistication of the type system. of type consistency into a pre-existing static type system. These Gradual type system designers need more formal tools to help them concepts lay the groundwork for designing languages that support conceptualize, structure, and evaluate their designs. fully dynamic checking, fully static checking, and any point on the In this paper, we propose a new formal foundation for grad- continuum, while supporting incremental migration in either direc- ual typing, drawing on principles from abstract interpretation to tion. Programmers using such languages enjoy a number of prop- give gradual types a semantics in terms of pre-existing static types. erties that are central to this language design discipline including Abstracting Gradual Typing (AGT for short) yields a formal ac- complete control over how much checking is done statically versus count of consistency—one of the cornerstones of the gradual typing dynamically.
    [Show full text]