
Intersection Types and Computational Effects ∗

Rowan Davies and Frank Pfenning
Department of Computer Science, Carnegie Mellon University, Pittsburgh, PA 15213, U.S.A.

ICFP '00, Montreal, Canada. Copyright 2000 ACM 1-58113-202-6/00/0009.

∗ This work was sponsored in part by the Advanced Research Projects Agency CSTO under the title "The Fox Project: Advanced Languages for Extensible Systems", ARPA Order No. C533.

ABSTRACT

We show that standard formulations of intersection type systems are unsound in the presence of computational effects, and propose a solution similar to the value restriction for polymorphism adopted in the revised definition of Standard ML. It differs in that it is not tied to let-expressions and requires an additional weakening of the usual subtyping rules. We also present a bi-directional type-checking algorithm for the resulting language that does not require an excessive amount of type annotations and illustrate it through some examples. We further show that the type assignment system can be extended to incorporate parametric polymorphism. Taken together, we see our system and associated type-checking algorithm as a significant step towards the introduction of intersection types into realistic programming languages. The added expressive power would allow many more properties of programs to be stated by the programmer and statically verified by a compiler.

Categories and Subject Descriptors

F.3.3 [Logics and Meanings of Programs]: Studies of Program Constructs, type structure; D.3.3 [Programming Languages]: Language Constructs and Features, polymorphism; F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs

General Terms

Languages, Theory, Verification

1. INTRODUCTION

The advantages of statically typed programming languages are well known, and have been described many times (see, for example, [3]). However, conventional type systems for realistic programming languages can not express, and therefore not check, many interesting program properties. In prior research we have designed an extension of ML's type system to capture invariants of data structures. In the resulting language of refinement types [7, 5, 4] we can define subtypes of data types, essentially via regular tree grammars. Experiments with refinement types and related work on soft types [1, 21] have demonstrated the utility of the additional expressive power to catch more programmer errors and give stronger guarantees at module boundaries.

For practical purposes, refinements require at least some form of intersection types, because a given function may have more than one property. As a simple example (elaborated in Section 5), consider the types nat of natural numbers and pos of positive natural numbers where pos ≤ nat. Then the function double maps natural numbers to natural numbers (nat → nat), but also maps positive numbers to positive numbers (pos → pos) and hence has type (nat → nat) ∧ (pos → pos).

In this paper we demonstrate that general intersection types are unsound in the presence of computational effects and make two major contributions towards the use of intersection types in practical programming languages:

1. We propose a simple type assignment system for a core functional language with mutable references and intersection types and prove that it is sound, and

2. we design a corresponding source language that permits bi-directional type-checking without being prohibitively verbose.

We illustrate the resulting core language with some small examples. Our restriction is similar to the value restriction employed in ML [10] in order to avoid unsound uses of parametric polymorphism (see [17, 20]). However, in addition to a value restriction on the introduction of intersections, we also need to discard the distributivity law for subtyping, leading to a system which is overall significantly simpler than general intersection types without a noticeable loss in expressive power or accuracy.

Refinement types differ from intersection types in that the intersection A ∧ B can only be formed if A and B are specializations of the same simple type. We do not impose this additional requirement here, since it is orthogonal to both soundness in the presence of effects and the issue of bi-directional type checking. So our results apply, for example, to operator overloading and even self-application. On the other hand, we have chosen an inclusion interpretation of subtyping which allows us to give an untyped operational semantics without explicit coercions. This is sufficient for refinement types and could easily be extended to a coercive interpretation of subtyping and intersections [2, 15].

Finally, we show how our type assignment system can be extended to include a value-restricted form of parametric polymorphism. However, we do not show how to extend our source language, since a generalization of bi-directional type checking to local type inference [13] in the presence of polymorphism, subtyping, intersections, and a value restriction does not appear straightforward.

We close the introduction with a simple example that illustrates the unsoundness of intersection in the presence of mutable references. Similar counterexamples can be constructed for other computational effects such as exceptions. Assume, as above, that pos ≤ nat. We work with a representation of natural numbers as bit strings so that ε represents 0 and 1 represents 1.

    let x = ref(1) : nat ref ∧ pos ref
    in let y = (x := ε)
    in let z = !x
    in z : pos

In this example, we create a new cell with initial contents 1 and assign the type nat ref ∧ pos ref. Certainly, both of these are valid types for x, since the contents of the cell is both of type nat and type pos. Then we assign ε to x, which is well-typed since x has type nat ref, among others. Then we read the contents, requiring the result to have type pos, which is valid since x has type pos ref, among others. During evaluation, however, z will be bound to ε, so the type system is unsound: the whole expression has type pos, but evaluates to ε which represents zero and does not have type pos.

The remainder of this paper is organized as follows. In Section 2 we show that a value restriction on intersection introduction leads to a sound type assignment system for a small functional language including mutable references. In Section 3 we present a corresponding source language and a bi-directional type-checking algorithm. Our type system is generalized to include parametric polymorphism in Section 4 and illustrated by various examples in Section 5. We conclude with some remarks about future work in Section 6.

2. A VALUE RESTRICTION FOR INTERSECTION TYPES

In this section we present a small language with functions, mutable references, and intersection types. We also include an example datatype bits for strings of bits, along with two subtypes nat for natural numbers (bit-strings without leading zeroes) and pos for positive natural numbers. We place a value restriction on the introduction of intersections, omit

2. the progress theorem demonstrates that an untyped operational semantics is sound (i.e., types may, but need not be carried at runtime), and

3. formulating reduction rules directly on terms with some type annotations as in Section 3 is awkward at best.

Type inference for this language is most likely undecidable, and principal types do not exist. Therefore we present a more practical source language which includes some type information and an associated bi-directional type checking algorithm in Section 3. The untyped terms in this section can be obtained simply by erasure which would naturally be part of the compilation process (see Theorem 7). We avoid coercions by considering only subtype relations which are inclusions, but this is not an essential restriction of our approach.

2.1 Syntax

The syntax is relatively standard for a call-by-value language in the ML family. We allow general fixed-points with eager unrolling, which means we should distinguish two kinds of variables: those bound in λ, let and case expressions which stand for values (denoted by x), and those bound in fix expressions which stand for arbitrary terms (denoted by u). As proposed by Leroy [9], we can also easily admit a "by name" let expression. We further use identifiers l to address cells in the store during evaluation.

We represent natural numbers as bit-strings in standard form, with the least significant bit rightmost and no leading zeroes. We view 0 and 1 as constructors written in postfix form, and ε stands for the empty string. For example, 6 would be represented as 110.

    Types  A ::= A1 → A2 | A ref | unit | bits | nat | pos | A1 ∧ A2
    Terms  M ::= x | λx. M | M1 M2 | let x = M1 in M2
                 | u | fix u. M
                 | l | ref M | !M | M1 := M2 | ()
                 | ε | M 0 | M 1
                 | case M of ε ⇒ M1 | x 0 ⇒ M2 | y 1 ⇒ M3

We use A, B for types and M, N for terms. We write {M′/x}M for the result of substituting M′ for x in M, renaming bound variables as necessary to avoid the capture of free variables in M′.

We distinguish the following terms as values:

    Values V ::= x | λx. M | l | () | ε | V 0 | V 1

For type-checking, we need to assign types to variables and cells in contexts Γ and ∆, respectively. Moreover, during execution of a program we need to maintain a store C.
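The following is an added toy checker, not the paper's own code, that mechanizes the introduction's ref-cell counterexample: the same bidirectional checker, with and without the value restriction on intersection introduction. Term and type encodings (nested tuples), the `'ann'` annotation node, and the invariant treatment of `ref` are assumptions of this example; it keeps only `nat`, `pos`, `unit` and the ref/intersection constructors, and drops the distributivity law as the paper does.

```python
# Constructed toy bidirectional checker for the counterexample above (not the paper's code).
# Types: 'nat', 'pos', 'unit', ('ref', A), ('and', A, B).  Terms: ('num', bits),
# ('var', x), ('ref', M), ('deref', M), ('assign', M, N), ('ann', M, A), ('let', x, M, N).
def sub(a, b):  # subtyping: pos <= nat, ref invariant, no distributivity law
    if a == b or (a, b) == ('pos', 'nat'):
        return True
    if isinstance(b, tuple) and b[0] == 'and':
        return sub(a, b[1]) and sub(a, b[2])
    if isinstance(a, tuple) and a[0] == 'and':
        return sub(a[1], b) or sub(a[2], b)
    return False
def parts(t):  # conjuncts of an intersection type
    return parts(t[1]) + parts(t[2]) if isinstance(t, tuple) and t[0] == 'and' else [t]
def contents(t):  # every A such that A ref is a conjunct of t
    return [p[1] for p in parts(t) if isinstance(p, tuple) and p[0] == 'ref']
def synth(ctx, m, restrict):
    k = m[0]
    if k == 'num':  # '' is zero (nat); no leading zeroes, so anything else is pos
        return 'nat' if m[1] == '' else 'pos'
    if k == 'var':
        return ctx[m[1]]
    if k == 'ref':
        return ('ref', synth(ctx, m[1], restrict))
    if k == 'assign':  # M := N is well-typed if M : A ref for *some* A with N : A
        if any(check(ctx, m[2], a, restrict) for a in contents(synth(ctx, m[1], restrict))):
            return 'unit'
    if k == 'ann' and check(ctx, m[1], m[2], restrict):
        return m[2]
    if k == 'let':
        return synth({**ctx, m[1]: synth(ctx, m[2], restrict)}, m[3], restrict)
    raise TypeError(f'ill-typed: {m}')

def check(ctx, m, a, restrict):
    if isinstance(a, tuple) and a[0] == 'and':  # intersection introduction
        if restrict and m[0] not in ('num', 'var'):  # the value restriction
            return False
        return check(ctx, m, a[1], restrict) and check(ctx, m, a[2], restrict)
    if m[0] == 'ref' and isinstance(a, tuple) and a[0] == 'ref':
        return check(ctx, m[1], a[1], restrict)
    if m[0] == 'deref':  # !M : A if M : B ref for some conjunct B ref with B <= A
        return any(sub(b, a) for b in contents(synth(ctx, m[1], restrict)))
    return sub(synth(ctx, m, restrict), a)

# let x = (ref 1 : nat ref ∧ pos ref) in let y = (x := ε) in (!x : pos)
COUNTEREXAMPLE = ('let', 'x', ('ann', ('ref', ('num', '1')), ('and', ('ref', 'nat'), ('ref', 'pos'))),
                  ('let', 'y', ('assign', ('var', 'x'), ('num', '')), ('ann', ('deref', ('var', 'x')), 'pos')))
def typecheck(term, restrict):  # synthesized type, or None when rejected
    try: return synth({}, term, restrict)
    except TypeError: return None
```

Without the restriction the program is accepted at type pos even though it evaluates to ε; with it, `ref(1)` is not a value, so the annotation `nat ref ∧ pos ref` is rejected at the point where the unsoundness enters, while intersections on genuine values such as `1 : nat ∧ pos` still go through.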