ofeverysubexpressionisarenementofitsMLtype.Third,inanyvalidtypederiva - PDF document

ofeverysubexpressionisarenementofitsMLtype.Third,inanyvalidtypederivation,thetypesofcertainexpressions,suchas-abstractions,if-then-elseexpressions,andrecursivefunctionsmustbeliquid.Thus,inferencebecomesdecidable,asthespaceofpossibletypesisbounded.Weusethesefeaturestodesignathree-stepalgorithmfordependenttypeinference(Section4).Step1:Hindley-MilnerTypeInference:First,ouralgorithmin-vokesHindley-Milner[7]toinfertypesforeachsubexpressionandthenecessarytypegeneralizationandinstantiationannotations.Next,ouralgorithmusesthecomputedMLtypestoassigntoeachsubexpressionatemplate,adependenttypewiththesamestruc-tureastheinferredMLtype,butwhichhasliquidtypevariablesrepresentingtheunknowntyperenements.Step2:LiquidConstraintGeneration:Second,weusethesyntax-directedliquidtypingrulestogenerateasystemofconstraintsthatcapturethesubtypingrelationshipsbetweenthetemplatesthatmustbemetforaliquidtypederivationtoexist.Step3:LiquidConstraintSolving:Third,ouralgorithmusesthesubtypingrulestosplitthecomplextemplateconstraintsintosim-pleconstraintsovertheliquidtypevariables,andthensolvesthesesimpleconstraintsusingaxpointcomputationinspiredbypredi-cateabstraction[1,15].Ofcourse,theremaybesafeprogramswhichcannotbewell-typedinoursystemdueeithertoaninappropriatechoiceofquali-ersortheconservativenessofournotionofsubtyping.Inthefor-mercase,wecanusethereadableresultsoftheinferencetomanu-allyaddmorequaliers,andinthelattercasewecanusetheresultsoftheinferencetoinsertaminimalsetofrun-timechecks[22,10].Tovalidatetheutilityofourtechnique,wehavebuiltDSOLVE,whichinfersliquidtypesforOCAMLprograms.Whileliquidtypescanbeusedtostaticallyproveavarietyofproperties[24],inthispaperwefocusonthecanonicalproblemofprovingthesafetyofarrayaccesses.WeuseadiversesetofchallengingbenchmarkstakenfromtheDMLprojecttodemonstratethatDSOLVE,togetherwithasimplesetofarrayboundscheckingqualiers,canprovesafetycompletelyautomaticallyformanyprograms(Section5).Forthefewprogramswheretheseboundscheckingqualiersareinsufcient,theprogrammertypicallyonlyneedstospecifyoneortwoextraqualiers.Evenintheserarecases,thedependenttypesinferredbyDSOLVEusingonlytheboundscheckingqualiershelptheprogrammertorapidlyidentifytherelevantextraqualiers.Weshowthat,overallthebenchmarks,DSOLVEreducesthemanualannotationrequiredtoprovesafetyfrom31%ofprogramtext(or17%bynumberoflines)tounder1%.Finally,wedescribeacasestudywhereDSOLVEwasabletopinpointanerrorinanopen-sourceOCAMLbitvectorlibraryimplementation,inafunctionthatcontainedanexplicit(butinsufcient)safetycheck.2.OverviewWebeginwithanoverviewofouralgorithmforinferringdependenttypesusingasetoflogicalqualiersQ.First,wedescribedepen-denttypes,logicalqualiers,andliquidtypes,andthen,throughaseriesofexamples,weshowhowoursysteminfersdependenttypes.DependentTypes.Following[2,10],oursystemallowsbasere-nementsoftheformf:Bjeg,whereisaspecialvaluevari-ablenotappearingintheprogram,Bisabasetypeandeisaboolean-valuedexpressionconstrainingthevaluevariablecalledtherenementpredicate.Intuitively,thebaserenementpredicatespeciesthesetofvaluescofthebasetypeBsuchthatthepredi-cate[c=]eevaluatestotrue.Forexample,f:intj0gspec-iesthesetofpositiveintegers,andf:intjngspeciesthesetofintegerswhosevalueislessthanorequaltothevalueofthevariablen.Thus,Bisanabbreviationforf:Bjtrueg.Weusethebaserenementstobuildupdependentfunctiontypes,writtenx:T1!T2(following[2,10]).Here,T1isthedomaintypeofthefunction,andtheformalparameterxmayappearinthebaserene-mentsoftherangetypeT2.LogicalQualiersandLiquidTypes.Alogicalqualierisaboolean-valuedexpression(i.e.,predicate)overtheprogramvari-ables,thespecialvaluevariablewhichisdistinctfromtheprogramvariables,andthespecialplaceholdervariable?thatcanbeinstantiatedwithprogramvariables.Fortherestofthissection,letusassumethatQisthesetoflogicalqualiersf0;?;?;len?g.InSection5wedescribeasimplesetofqualiersforarrayboundschecking.Wesaythataqualierqmatchesthequalierq0ifreplacingsomesubsetofthefreevariablesinqwith?yieldsq0.Forexample,thequalierxmatchesthequalier?.WewriteQ?forthesetofallqualiersnotcontaining?thatmatchsomequalierinQ.Forex-ample,whenQisasdenedasabove,Q?includesthequaliersf0;x;y;k;n;lenag.AliquidtypeoverQisadependenttypewheretherenementpredicatesareconjunctionsofqualiersfromQ?.WewriteliquidtypewhenQisclearfromthecontext.Whencheckingorinferringdependenttypesoverthelogicalqualiers,oursystemensuresthatthetypesarewell-formed,i.e.,foreachsubexpression,thefreevariablesap-pearingintheinferredtypeareboundintheenvironmentforthatsubexpression.LiquidTypeInference.Ourliquidtypeinferencealgorithmpro-ceedsinthreesteps.First,weperformHindley-Milner(HM)typeinferenceandusetheresultstogeneratetemplates,whicharede-pendenttypeswithunknownbaserenementsrepresentedbyliquidtypevariables.Second,wegenerateconstraintsonthetemplatesthatcapturethesubtypingrelationshipsbetweentherenements.Third,wesolvetheconstraintsbyusingpredicateabstractiontond,foreach,thestrongestconjunctionofqualiersfromQ?thatsatisesalltheconstraints.Notethatforthethirdstep,weneedonlyconsiderthenitesubsetofQ?whosefreevariablesbelongtotheprogram.Next,throughaseriesofexamples,weshowhowourtypeinferencealgorithmincorporatesfeaturesessentialforinfer-ringprecisedependenttypes—namelypath-sensitivity,recursion,higher-orderfunctions,andpolymorphism—andthuscanstati-callyprovethesafetyofarrayaccesses.Notation:WewriteBasanabbreviationforf:Bjtrueg.Ad-ditionally,whenthebasetypeBisclearfromthecontext,weabbreviatef:Bjgaswhenisaliquidtypevariable,andf:Bjegasfegwheneisarenementpredicate.Forexample,x:int!y:int!fx^ygdenotesthetypeofafunctionthattakestwo(curried)integerargumentsx,yandreturnsaninte-gernolessthanxandy.Example1:PathSensitivity.ConsiderthemaxfunctionshowninFigure1asanOCAMLprogram.Wewillshowhowweinferthatmaxreturnsavaluenolessthanbotharguments.(Step1)HMinfersthatmaxhasthetypex:int!y:int!int.Usingthistype,wecreateatemplatefortheliquidtypeofmax,x:x!y:y!1,wherex,y,1areliquidtypevariablesrepre-sentingtheunknownrenementsfortheformalsx,yandthebodyofmax,respectively.(Step2)Asthebodyisanifexpression,ouralgorithmgeneratesthefollowingtwoconstraintsthatstipulatethat,undertheappropri-atebranchcondition,thethenandelseexpressions,respectivelyx,y,havetypesthataresubtypesoftheentirebody'stype:x:x;y:y;(x&#x]TJ/;ུ ;.96;d T; 23;&#x.747; 0 ;&#xTd[0;y)`f=xg:1(1.1)x:x;y:y;:(x&#x]TJ/;༥ ;.96;d T; 7.;ᙵ&#x 0 T; [00;y)`f=yg:1(1.2)Constraint(1.1)(resp.(1.2))stipulatesthatwhenxandyhavethetypesxandyrespectivelyandx&#x]TJ/;༥ ;.96;d T; 7.;ᙵ&#x 0 T; [00;y(resp.:(x&#x]TJ/;༥ ;.96;d T; 7.;ᙵ&#x 0 T; [00;y)),thetype oftheexpressionx(resp.y),namelythesetofallvaluesequaltox(resp.y),mustbeasubtypeofthebody1.(Step3)Sincetheprogramis“open”,i.e.,therearenocallstomax,weassignx,ytrue,meaningthatanyintegerargumentscanbepassed,anduseatheoremprovertondthestrongestconjunctionofqualiersinQ?thatsatisesthesubtypingconstraints.Thetheoremproverdeducesthatwhenx�y(resp.:(x�y))if=x(resp.=y)thenxandy.Hence,ouralgorithminfersthatx^yisthestrongestsolutionfor1thatsatisesthetwoconstraints.Bysubstitutingthesolutionfor1intothetemplateformax,ouralgorithminfersmax::x:int!y:int!f:intj(x)^(y)gExample2:Recursion.Next,weshowhowouralgorithminfersthattherecursivefunctionsumfromFigure1alwaysreturnsanon-negativevaluegreaterthanorequaltoitsargumentk.(Step1)HMinfersthatsumhasthetypek:int!int.Usingthistype,wecreateatemplatefortheliquidtypeofsum,k:k!2,wherekand2representtheunknownrenementsfortheformalkandbody,respectively.Duetotheletrec,weusethecreatedtemplateasthetypeofsumwhengeneratingconstraintsforthebodyofsum.(Step2)Again,asthebodyisanifexpression,wegeneratecon-straintsthatstipulatethatundertheappropriatebranchconditions,the“then”and“else”expressionshavesubtypesofthebody2.Forthe“then”branch,wegetaconstraint:sum::::;k:k;k0`f=0g:2(2.1)Theelsebranchisaletexpression.First,consideringtheexpres-sionthatislocallybound,wegenerateaconstraintsum::::;k:k;:(k0)`f=k�1g:k(2.2)fromthecalltosumthatforcestheactualpassedinatthecallsitetobeasubtypeoftheformalofsum.Thelocallyboundvariablesgetsassignedthetemplatecorrespondingtotheoutputoftheapplication,[k�1=k]2,i.e.,theoutputtemplateofsumwiththeformalreplacedwiththeactualargument,andwegetthenextconstraintthatensuresthe“else”expressionisasubtypeofthebody2.:(k0);s:[k�1=k]2`f=s+kg:2(2.3)(Step3)Here,assumiscalled,wetrytondthestrongestcon-junctionofqualiersforkand2thatsatisestheconstraints.Tosatisfy(2.2),kcanonlybeassignedtrue(theemptyconjunc-tion),aswhen:(k0),thevalueofk�1canbeeithernegative,zeroorpositive.Ontheotherhand,2isassigned0^k,thestrongestconjunctionofqualiersinQ?thatsatises(2.1)and(2.3).Constraint(2.1)istriviallysatisedasthetheoremproverde-ducesthatwhenk0,if=0then0andk.When2isassignedtheaboveconjunction,thebindingforsintheenviron-mentforconstraint(2.3)becomess:f0^k�1g.Thus,constraint(2.3)issatisedasthetheoremproverdeducesthatwhen:(k0)and[s=](0^k�1),if=s+kthen0andk.Thesubstitutionsimpliesto0s^k�1s,whicheffectivelyassertstothesolvertheknowledgeaboutthetypeofs,andcruciallyallowsthesolvertousethefactthatsisnon-negativewhendeterminingthetypeofs+k,andhence,theoutputofsum.Thus,recursionentersthepicture,asthesolutionfortheoutputoftherecursivecall,whichisboundtothetypeofs,isusedinconjunctionwiththebranchinformationtoprovethattheoutputexpressionisnon-negative.Pluggingthesolutionsforkand2intothetemplate,oursysteminferssum::k:int!f:intj0^kgletmaxxy=ifx&#x]TJ/;༥ ;.96;d T; 9.;牴&#x 0 T; [00;ythenxelseyletrecsumk=ifk0then0elselets=sum(k-1)ins+kletfoldnnbf=letrecloopic=ifinthenloop(i+1)(fic)elsecinloop0bletarraymaxa=letamlm=max(subal)minfoldn(lena)0amFigure1.ExampleOCAMLProgramExample3:Higher-OrderFunctions.Next,consideraprogramcomprisingonlythehigher-orderaccumulatorfoldnshowninFigure1.Weshowhowouralgorithminfersthatfisonlycalledwithargumentsbetween0andn.(Step1)HMinfersthatfoldnhasthepolymorphictype8:n:int!b:!f:(int!!)!.FromthisMLtype,wecreatethenewtemplate8:n:n!b:!f:(3!!)!forfoldn,wherenand3representtheunknownrenementsfortheformalnandtherstparameterfortheaccumulationfunctionfpassedintofoldn.Thisisapolymorphictemplate,astheoccur-rencesofarepreserved.Thiswillallowustoinstantiatewithanappropriatedependenttypeatplaceswherefoldniscalled.HMinfersthatthetypeofloopisi:int!c:!,fromwhichwegenerateatemplatei:i!c:!forloop,whichwewillusewhenanalyzingthebodyofloop.(Step2)First,wegenerateconstraintsinsidethebodyofloop.AsHMinfersthatthetypeofthebodyis,weomitthetrivialsubtypingconstraintsonthe“then”and“else”expressions.Instead,thetwointerestingconstraintsare::::;i:i;in`f=i+1g:i(3.1)whichstipulatesthattheactualpassedintotherecursivecalltoloopisasubtypeoftheexpectedformal,and:::;i:i;in`f=ig:3(3.2)whichforcestheactualitobeasubtypeoftherstparameterofthehigher-orderfunctionf,intheenvironmentcontainingthecriticalbranchcondition.Finally,theapplicationloop0yields:::`f=0g:i(3.3)forcingtheactual0tobeasubtypeoftheformali.(Step3)Here,asfoldnisnotcalled,weassignntrueandtrytondthestrongestconjunctionofqualiersinQ?foriand3.Wecanassigntoithepredicate0,whichtriviallysatises(3.3),andalsosatises(3.1)aswhen[i=](0),if=i+1then0.Thatis,thetheoremprovercandeducethatifiisnon-negative,thensoisi+1.To3wecanassigntheconjunction0^nwhichsatises(3.2)aswhen[i=](0)andin,if=ithen0andn.Bypluggingthesolutionsfor3,nintothetemplateouralgorithminfersfoldn::8:n:int!b:!f:(f0^ng!!)!Example4:PolymorphismandArrayBoundsChecking.Con-siderthefunctionarraymaxthatcallsfoldnwithahelperthat pretedfunctionterms.Wewrite:[[�]]^feje2�g^^f[[[x=]e]]jx:f:Bjeg2�gastheembeddingfortheenvironment.Noticethatweusetheguardpredicatesandbasetypebindingsintheenvironmenttostrengthentheantecedentoftheimplication.However,wesubstitutealloccurrencesofthevaluevariableintherene-mentsfrom�withtheactualvariablebeingrened,therebyassertingintheantecedentthattheprogramvariablesatisesthebaserenementpredicate.Thus,intheembeddedformula,alloccurrencesofrefertothetwotypesthatarebeingcheckedforsubtyping.Theembeddingisconservative,i.e.,thevalidityoftheembeddedimplicationimpliesthethestandard,weaker,exactrequirementforsubtypingofrenedtypes[10,22].Forexample,forthethenexpressioninmaxfromSection2,thesubtypingre-lation:x:int;y:int;x�y`f=xg:fx^ygholdsasthefollowingimplicationisvalidinEUFA:((true^true^x&#x]TJ/;༥ ;.96;d T; 7.;ᙵ&#x 0 T; [00;y)^(=x)))(x^y)3.RecursionviaPolymorphism.Tohandlepolymorphism,ourtypesystemincorporatestypegeneralizationandinstantiationan-notations,whichareoverMLtypevariablesandmonomor-phicMLtypes,respectively,andthuscanbereconstructedviaastandardtypeinferencealgorithm.Therule[LT-INST]allowsatypeschematobeinstantiatedwithanarbitraryliquidtype^Tofthesameshapeas,themonomorphicMLtypeusedforinstantiation.Weusepolymorphismtoencoderecursionviathepolymorphictypegiventofix.Thatis,letrecbindingsaresyntacticsugar:letrecf=eine'isinternallyconvertedtoletf=fix(funf&#x]TJ/;༥ ;.96;d T; 7.;ᙵ&#x 0 T; [00;-e)ine'.Theexpressiontype-checksifthereisanappropriateliquidtypethatcanbeinstantiatedfortheinthepolymorphictypeoffix;thisliquidtypecorre-spondstothetypeoftherecursivefunctionf.4.TheLiquidTypeRestriction.Themostcriticaldifferencebe-tweentherulesforliquidtypecheckingandotherdependentsys-temsisthatourrulesstipulatethatcertainkindsofexpressionshaveliquidtypes.Inessence,theseexpressionsarethekeypointswhereappropriatedependenttypesmustbeinferred.Byforcingthetypestobeliquid,weboundthespaceofpossiblesolutions,thusmakinginferenceefcientlydecidable.[LT-INST]Forpolymorphicinstantiation,alsothemechanismforhandlingrecursion,theliquidtyperestrictionenablesefcientin-ferencebymakingthesetofcandidatedependenttypesnite.[LT-FUN]For-abstractions,weimposetherestrictionthattheinputandoutputbeliquidtoensurethetypesremainsmall,therebymakingalgorithmiccheckingandinferenceefcient.Thisisanal-ogoustoprocedure“summarization”forrst-orderprograms.[LT-IF]Forconditionalexpressionsweimposetheliquidrestric-tionandimplicitlyforcethethenandelseexpressionstobesub-typesofafreshliquidtype,insteadofanexplicit“join”operatorasindataowanalysis.Wedosoastheexpressionmayhaveafunc-tiontypeandwithajoinoperator,inputtypecontravariancewouldintroducedisjunctionsintothedependenttypewhichwouldhaveunpleasantalgorithmicconsequences.[LT-LET]Forlet-inexpressionsweimposetheliquidrestrictionasameansofeliminatingthelocallyboundvariablefromthede-pendenttypeofthewholeexpression(asthelocalvariablegoesoutofscope).Theantecedent�`^Trequiresthattheliquidtypebewell-formedintheouterenvironment,which,togetherwiththecondition,enforcedviaalpharenaming,thateachvariableisboundonlyonceintheenvironment,isessentialforensuringthesound-nessofoursystem[24].Thealternativeofexistentiallyquantifyingthelocalvariable[18]makesalgorithmiccheckinghard.LiquidTypeChecking �`Qe:S �`Qe:S1�`S1:S2�`S2 �`Qe:S2[LT-SUB]�(x)=f:Bjeg �`Qx:f:Bj=xg[LT-VAR]�(x)notabasetype �`Qx:�(x)[LT-VAR] �`Qc:ty(c)[LT-CONST]�;x:^Tx`Qe:^T�`x:^Tx!^T �`Qx:e:(x:^Tx!^T)[LT-FUN]�`Qe1:(x:Tx!T)�`Qe2:Tx �`Qe1e2:[e2=x]T[LT-APP]�`Qe1:bool�;e1`Qe2:^T�;:e1`Qe3:^T�`^T �`Qife1thene2elsee3:^T[LT-IF]�`Qe1:S1�;x:S1`Qe2:^T�`^T �`Qletx=e1ine2:^T[LT-LET]�`Qe:Snotfreein� �`Q[]e:8:S[LT-GEN]�`Qe:8:S�`^TShape(^T)= �`Q[]e:[^T=]S[LT-INST]DecidableSubtyping �`S1:S2 Valid([[�]]^[[e1]])[[e2]]) �`f:Bje1g:f:Bje2g[DEC-:-BASE]�`T0x:Tx�;x:T0x`T:T0 �`x:Tx!T:x:T0x!T0[DEC-:-FUN] �`:[:-VAR]�`S1:S2 �`8:S1:8:S2[:-POLY]Well-FormedTypes �`S �;:B`e:bool �`f:Bjeg[WT-BASE] �`[WT-VAR]�;x:Tx`T �`x:Tx!T[WT-FUN]�`S �`8:S[WT-POLY]Figure3.RulesforLiquidTypeChecking5.PlaceholderVariablesand-Renaming.Weusetheplace-holdervariables?insteadof“hard-coded”programvariablestomakeourtypesystemrobustto-renaming.IfQisfxg,then;`Q(x:x+1):x:int!fxgisavalidjudgment,but;`Q(y:y+1):y:int!fygisnot,asyisnotinQ?.IfinsteadQisf?g,thenQ?includesfx;ygandsobothoftheabovearevalidjudgments.Ingeneral,ourtypesystemisrobusttorenaminginthefollowingsense:if�`Qe1:S1ande1is-equivalenttoe2andthefreevariablesofQarebound1in�,thenforsomeS2thatis-equivalenttoS1,wehave�`Qe2:S2. 1Recallthatvariablesareboundatmostonceinanyenvironment 4.LiquidTypeInferenceWenowturntotheheartofoursystem:thealgorithmInfer(showninFigure4)thattakesasinputatypeenvironment�,anexpressione,andanitesetoflogicalqualiersQanddetermineswhethereiswell-typedoverQ,i.e.,whetherthereexistssomeSsuchthat�`Qe:S.Ouralgorithmproceedsinthreesteps.First,weob-servethatthedependenttypeforanyexpressionmustbearene-mentofitsMLtype,andsoweinvokeHindley-Milner(HM)toinferthetypesofsubexpressions,andusetheMLtypestogen-eratetemplatesrepresentingtheunknowndependenttypesforthesubexpressions(Section4.1).Second,weusethesyntax-directedliquidtypingrulesfromFigure3tobuildasystemofconstraintsthatcapturethesubtypingrelationshipsbetweenthetemplatesthatmustholdforaliquidtypederivationtoexist(Section4.2).Third,weuseQtosolvetheconstraintsusingatechniqueinspiredbypredicateabstraction(Section4.3).4.1MLTypesandTemplatesOurtypeinferencealgorithmisbasedontheobservationthattheliquidtypederivationsarerenementsoftheMLtypederivations,andhencethedependenttypesforallsubexpressionsarerene-mentsoftheirMLtypes.MLTypeInferenceOracle.LetHMbeanMLtypeinferenceoracle,whichtakesanMLtypeenvironment�andanexpres-sioneandreturnstheMLtype(schema)ifandonlyif,us-ingtheclassicalMLtypederivationrules[7],thereexistsaderivation�`e:.Theliquidtypederivationrulesarerene-mentsoftheMLtypederivationrules.Thatis,if�`Qe:SthenHM(Shape(�);e)=Shape(S).Moreover,weassumethattheMLtypederivationoraclehas“inserted”suitabletypegen-eralization([]e)andinstantiation([]e)annotations.Thus,theproblemofdependenttypeinferencereducestoinferringappropri-aterenementsoftheMLtypes.Templates.LetKbeasetofliquidtypevariablesusedtorepresentunknowntyperenementpredicates.AtemplateFisadependenttypeschemadescribedviathegrammarshownbelow,wheresomeoftherenementpredicatesarereplacedwithliquidtypevariableswithpendingsubstitutions.Atemplateenvironmentisamap�fromvariablestotemplates.::=j[e=x];(PendingSubstitutions)F::=S(E[
K)(Templates)VariableswithPendingSubstitutions.Asequenceofpendingsubstitutionsisdenedusingthegrammarabove.Tounderstandtheneedfor,considerrule[LT-APP]fromFigure3whichspeci-esthatthedependenttypeofafunctionapplicationisobtainedbysubstitutingalloccurrencesoftheformalargumentxintheoutputtypeofe1withtheactualexpressione2passedinattheapplication.Whengeneratingtheconstraints,theoutputtypeofe1isunknownandisrepresentedbyatemplatecontainingliquidtypevariables.Supposethatthetypeofe1isx:B!f:Bjg,whereisaliq-uidtypevariable.Inthiscase,wewillassigntheapplicatione1e2thetypef:Bj[e2=x]
g,where[e2=x]
isavariablewithapendingsubstitution[18].Notethatsubstitutioncanbe“pushedin-side”typeconstructors,e.g.,
(f1g!f2g)isthesameasf
1g!f
2gandsoitsufcestoapplythependingsubsti-tutionsonlytotherootofthetemplate.4.2ConstraintGenerationWenowdescribehowouralgorithmgeneratesconstraintsovertem-platesbytraversingtheexpressioninthesyntax-directedmannerofatypechecker,generatingfreshtemplatesforunknowntypes,con-straintsthatcapturetherelationshipsbetweenthetypesofvarioussubexpressions,andwell-formednessrequirements.Thegeneratedconstraintsaresuchthattheyhaveasolutionifandonlyiftheex-pressionhasavalidliquidtypederivation.Ourinferencealgorithmusestwokindsofconstraintsovertemplates.Well-formednessconstraintsoftheform�`F,where�istemplateenvironment,andFisatemplate,ensurethatthetypesinferredforeachsubex-pressionareoverprogramvariablesthatareinscopeatthatsubex-pression.Subtypingconstraintsoftheform�`F1:F2where�isatemplateenvironmentandF1andF2aretwotemplatesofthesameshape,ensurethatthetypesinferredforeachsubexpres-sioncanbecombinedusingappropriatesubsumptionrelationshipstoyieldavalidtypederivation.Ourconstraintgenerationalgorithm,Cons,showninFigure4,takesasinputatemplateenvironment�andanexpressionethatwewishtoinferthetypeofandreturnsasoutputapairofatypetemplateF,whichcorrespondstotheunknowntypeofe,andasetofconstraintsC.Intuitively,ConsmirrorsthetypederivationrulesandgeneratesconstraintsCwhichcaptureexactlytherelationshipsthatmustholdbetweenthetemplatesofthesubexpressionsinorderforetohaveavalidtypederivationoverQ.TounderstandhowConsworks,noticethattheexpressionsofLcanbesplitintotwoclasses:thosewhosetypesareconstructablefromtheenvironmentandthetypesofsubexpressions,andthosewhosetypesarenot.1.ExpressionswithConstructableTypes.Therstclassofex-pressionsarevariables,constants,functionapplicationsandpoly-morphicgeneralizations,whosetypescanbeimmediatelycon-structedfromthetypesofsubexpressionsortheenvironment.Forsuchexpressions,Consrecursivelycomputestemplatesandcon-straintsforthesubexpressionsandappropriatelycombinesthemtoformthetemplateandconstraintsfortheexpression.Asanexample,considerCons(�;e1e2).First,Consiscalledtoobtainthetemplatesandconstraintsforthesubexpressionse1ande2.IfavalidMLtypederivationexists,thene1mustbeafunctiontypewithsomeformalx.Thereturnedtemplateistheresultofpushingthependingsubstitutionofxwiththeactualargumente2intothe“leaves”ofthetemplatecorrespondingtothereturntypeofe1.Thereturnedconstraintsaretheunionoftheconstraintsforthesubexpressionsandasubtypingconstraintensuringthatthetypeoftheargumente2isasubtypeoftheinputtypeofe1.2.ExpressionswithLiquidTypes.Thesecondclassareexpres-sionswhosetypescannotbederivedasabove,asthesubsumptionruleisrequiredtoperformsomekindof“over-approximation”oftheirconcretesemantics.Theseinclude-abstractions,if-then-elseexpressions,let-bindings,andpolymorphicinstantiations(whichincludesrecursivefunctions).Weusetwoobservationstoinferthetypesoftheseexpressions.First,theshapeofthedependenttypeisthesameastheMLtypeoftheexpression.Second,fromtheliquidtyperestriction,weknowthattherenementpredicatesfortheseexpressionsareconjunctionsoflogicalqualiersfromQ?(cf.rules[LT-LET],[LT-FUN],[LT-IF],[LT-INST]ofFigure3).Thus,toinferthetypesoftheseexpressions,weinvokeHMtodeterminetheMLtypeoftheexpressionandthenuseFreshtogenerateatemplatewiththesameshapeastheMLtypebutwithfreshliquidtypevariablesrepresentingtheunknownrenements.Asanexample,considerCons(�;ife1thene2elsee3).First,afreshtemplateisgeneratedusingtheMLtypeoftheexpres-sion.Next,Consrecursivelygeneratestemplatesandconstraintsforthethenandelsesubexpressions.Notethatforthethen(resp.else)subexpression,theenvironmentisextendedwithe1(resp.:e1)asinthetypederivationrule([LT-IF]fromFigure3).Thefreshtemplateisreturnedasthetemplateforthewholeexpression.Theconstraintsreturnedaretheunionofthoseforthesubexpres-sions,awell-formednessconstraintforthewholeexpression'stem-plate,andsubtypingconstraintsforcingthetemplatesforthethenandelsesubexpressionstobesubtypesofthewholeexpression'stemplate Example:Constraints.Thewell-formednessconstraint;`x:x!y:y!1isgeneratedforthefreshtemplateformax(fromFigure1).Theconstraintensuresthattheinferredtypeformaxonlycontainsprogramvariablesthatareinscopeatthepointwheremaxisbound.Theifexpressionthatisthebodyofmaxisanexpressionwithliquidtype.Forthisexpression,afreshtemplate10isgenerated,andthesubtypingconstraints:x:x;y:y;(x�y)`f=xg:10x:x;y:y;:(x&#x]TJ/;༥ ;.96;d T; 7.;ᙵ&#x 0 T; [00;y)`f=yg:10x:x;y:y`10:1aregenerated,capturingtherelationshipsbetweenthethenandtheifexpression,theelseandtheifexpression,andtheifandtheoutputexpression,respectively.Theconstraints(1.1)and(1.2)aretheaboveconstraintssimpliedforexposition.Therecursiveapplicationsum(k-1)fromFigure1isanexpressionwithaconstructabletype.Forthisexpressionthesubtypingconstraint(2.2)isgenerated,forcingtheactualtobeasubtypeoftheformal.Theoutputoftheapplication,i.e.,theoutputtype2ofsum,withthependingsubstitutionoftheformalkwiththeactual(k�1)isshownboundtosin(2.3).4.3ConstraintSolvingNext,wedescribeourtwo-stepalgorithmforsolvingthecon-straints,i.e.,assigningliquidtypestoallvariablessuchthatallconstraintsaresatised.Intherststep,weusethewell-formednessandsubtypingrulestosplitthecomplexconstraints,whichmaycontainfunctiontypes,intosimpleconstraintsovervariableswithpendingsubstitutions.Inthesecondstep,weiter-ativelyweakenatrivialassignment,inwhicheachliquidtypevari-ableisassignedtheconjunctionofalllogicalqualiers,untilwendtheleastxpointsolutionforallthesimpliedconstraintsordeterminethattheconstraintshavenosolution.Werstformalizethenotionofasolutionandthendescribethetwo-stepalgorithmthatcomputessolutions.SatisfyingLiquidAssignments.ALiquidAssignmentoverQisamapAfromliquidtypevariablestosetsofqualiersfromQ?.AssignmentscanbeliftedtomapsfromtemplatesFtodependenttypesA(F)andtemplateenvironments�toenvironmentsA(�),bysubstitutingeachliquidtypevariablewithVA()andthenapplyingthependingsubstitutions.AsatisesaconstraintcifA(c)isvalid.Thatis,Asatisesawell-formednessconstraint�`FifA(�)`A(F),andasubtypingconstraint�`F1:F2ifA(�)`A(F1):A(F2).AisasolutionforasetofconstraintsCifitsatiseseachconstraintinC.Step1:SplittingintoSimpleConstraints.First,wecallSplit,whichusestherulesforwell-formednessandsubtyping(Figure3)toconvertalltheconstraintsovercomplextypes(i.e.,functiontypes)intosimpleconstraintsoverbasetypes.AnassignmentisasolutionforCifandonlyifitisasolutionforSplit(C).Example:Splitting.Thewell-formednessconstraint;`x:x!y:y!1splitsintothethreesimpleconstraints:;`x,x:x`yandx:x;y:y`1,whichensurethat:theparameterxmusthavearenementoveronlyconstantsandthevaluevariableastheenvironmentisempty;theparameterymusthavearenementoveronlyxand;andtheoutputtype'srenementcanrefertobothparametersx,yandthevaluevariable.Thefunctionsubtypingconstraintgeneratedbythecallfoldn(lena)0amshownin(4.4)splitsintothesimplesubtypingconstraints(4.6),(4.7),(4.8).Noticehowsubstitutionandcontravariancecombinetocausetheowoftheboundsinformationintoinputparameterl(4.6)thusallowingthesystemtostaticallycheckthearrayaccess.Step2:IterativeWeakening.Duetothewell-formednesscon-straints,anysolutionoverQmustmaptheliquidtypevariablestosetsofqualierswhosefreevariablesareeitherthevaluevariableorthevariablesintheinputenvironment�(writtenVar(�)),orthevariablesintheinputexpressione(writtenVar(e)).Thatis,anysolutionmapstheliquidvariablestoasetofqualierscontainedinInst(�;e;Q)whichisdenedasfqjq2Q?andFreeVar(q)fg[Var(�)[Var(e)gwhereVar(�)andVar(e)arethesetofvariablesin�anderespectively.NoticethatifQisnite,thenInst(�;e;Q)isalsoniteastheplaceholdervariablescanonlybeinstantiatedwithnitelymanyvariablesfrom�ande.Thus,tosolvetheconstraints,wecalltheprocedureSolve,showninFigure4,withthesplitconstraintsandatrivialinitialassignmentthatmapseachliquidtypevariabletoInst(�;e;Q).SolverepeatedlypicksaconstraintthatisnotsatisedbythecurrentassignmentandcallsWeakentoremovethequaliersthatpreventtheconstraintfrombeingsatised.Forunsatisedcon-straintsoftheform:(1)�`f:Bj
g,WeakenremovesfromtheassignmentforallthequaliersqsuchthattheMLtypeof
q(theresultofapplyingthependingsubstitutionstoq)cannotbederivedtobeboolintheenvironmentShape(�);:B,(2)�`f:Bjg:f:Bj
g,whereiseitherarene-mentpredicateoraliquidvariablewithpendingsubstitutions,Weakenremovesfromtheassignmentforallthelogicalqual-iersqsuchthattheimplication([[A(�)]]^[[A()]]))
qisnotvalidinEUFA,(3)�`f:Bjg:f:Bjeg,Weaken,andthereforeSolve,returnsFailure.CorrectnessofSolve.FortwoassignmentsAandA0,wesaythatAA0ifforall,thesetoflogicalqualiersA()containsthesetoflogicalqualiersA0().Wecanprovethatifasetofcon-straintshasasolutionoverQthenithasauniqueminimumsolutionw.r.t..Intuitively,weinvokeSolvewiththeleastpossibleassign-mentthatmapseachliquidvariabletoallthepossiblequaliers.SolvethenusesWeakentoiterativelyweakentheassignmentuntiltheuniqueminimumsolutionisfound.ThecorrectnessofSolvefollowsfromthefollowinginvariantabouttheiterativeweakening:ifAistheminimumsolutionfortheconstraints,thenineachitera-tion,theassignmentAA.Thus,ifSolvereturnsasolutionthenitmustbetheminimumsolutionforCoverQ.Ifatsomepointaconstraint�`f:Bjg:f:Bjegisunsatised,subsequentweakeningcannotmakeitsatised.Thus,ifSolvereturnsFailurethenChasnosolutionoverQ.Bycombiningthestepsofconstraintgeneration,splittingandsolving,weobtainourdependenttypeinferencealgorithmInfershowninFigure4.Thealgorithmtakesasinputanenvironment�,anexpressioneandanitesetoflogicalqualiersQ,anddetermineswhetherthereexistsavalidliquidtypederivationoverQforeintheenvironment�.ThecorrectnesspropertiesofInferarestatedinthetheorembelow,whoseproofisin[24].FromTheorems1,2,weconcludethatifInfer(;;e;Q)=Stheneveryprimitiveoperationinvokedduringtheevaluationofesucceeds.THEOREM2.[LiquidTypeInference]1.Infer(�;e;Q)terminates,2.IfInfer(�;e;Q)=Sthen�`Qe:S,and,3.IfInfer(�;e;Q)=FailurethenthereisnoSs.t.�`Qe:S.RunningTime.MostofthetimetakenbyInfergoesinsideproce-dureSolvewhichasymptoticallydominatesthetimetakentogen-erateconstraints.Solvereturnsthesameoutputregardlessoftheorderinwhichtheconstraintsareprocessed.Forefciency,weim-plementSolveintwophases.First,Solvemakesa(linear)passthatsolvesthewell-formednessconstraints,thusrapidlypruningaway aresimilartostripandembedfrom[13].Liquidtypesextendqual-iersbyassigningthemsemanticsvialogicalpredicates,andourinferencealgorithmcombinesvalueow(viathesubtypingcon-straints)withinformationdrawnfromguardsandassignments.Theideaofassigningsemanticstoqualiershasbeenproposedrecently[5],butwiththeintentionofcheckingandinferringrulesforqual-ierderivations.Ourapproachiscomplementaryinthattherulesthemselvesarexed,butallowfortheuseofguardandvaluebind-inginformationintypederivations,therebyyieldingamorepow-erfulanalysis.Forexample,itisunclearwhethertheapproachof[5]wouldbeabletoprovethesafetyofanyofourbenchmarkprograms,duetotheinexpressivityofthequaliersandinferencerules.Ontheotherhand,ourtechniqueismorecomputationallyex-pensiveasthedecisionprocedureisintegratedwithtypeinference.Thenotionoftyperenementswasintroducedin[14]withrenementslimitedtorestrictionsonthestructureofalgebraicdatatypes,forwhichinferenceisdecidable.DML(C)[28]extendsMLwithdependenttypesoveraconstraintdomainC;typecheck-ingisshowntobedecidablemodulothedecidabilityofthedomain,butinferenceisstillundecidable.Liquidtypescanbeviewedasacontrolledwaytoextendthelanguageoftypesusingsimplepred-icatesoveradecidablelogic,suchthatbothcheckingandinfer-enceremaindecidable.Ournotionofvariableswithpendingsub-stitutionsisinspiredbyaconstructfrom[18],whichpresentsatechniquetoreconstructthedependenttypeofanexpressionthatcapturesitsexactsemantics(analogoustostrongestpostconditionsforimperativelanguages).Thetechniqueworksinarestrictedset-tingwithoutpolymorphismandthereconstructedtypesaretermscontainingexistentiallyquantiedvariables(duetovariablesthatarenotinscope),andthefixoperator(usedtohandlerecursion),whichmakestaticreasoningimpossible.7.ConclusionsandFutureWorkInthispaper,wehavepresentedadependenttypesystemcalledliq-uidtypes,atoolDSOLVEthatinfersliquidtypes,andexperimentsshowingthatDSOLVEcansignicantlyreducetheamountmanualannotationrequiredtostaticallyprovethesafetyofarrayaccesses.EveninverycomplexbenchmarkslikeBITV,DSOLVEneeds22linesofmanualhints,whichisonly5%oftheentirecodesize.Theotherannotations,namely,typesspecifyingcorrectusageofinter-facefunctions,areunavoidable.Thus,webelievethatliquidtypeswillproveusefulevenformodularverication.Ifthemodulesaredesignedwell,theirinterfacesshouldhavefarfewerfunctionsthantheirimplementationsandsothegainsfromnothavingtomanuallyspecifythetypesofalltop-levelbindingswillbesignicant.Severalchallengesneedtobeaddressedinordertorealizethefullpotentialofliquidtypes.First,wewouldliketomakethesystemmoreexpressive,forexample,byextendingthesystemtoallowrenementsfortypevariablesandrecursivedatatypes.Thiswillallowustoapplyliquidtypestoalargerclassofprogramsandproperties.Second,forthecaseswhentypecheckingfails,werequireerrorreportingtechniquesthathelptheprogrammerdeterminewhetherthereiseitheranerrorinherprogram,thesetofqualiersisinsufcient,or,theconservativenessofthesystemistoblame.Oneapproachwouldbetodeviseanotionoftypecounterexampleandadaptproof-basedmethodstocheckifthecounterexampleisfeasible(i.e.,thereisanerror)orifnot,tolazilyextractnewqualiersfromthecounterexample[6,3,16].Third,wewouldliketoextendthesystemtoincludereasoningaboutimperativefeatures.Withsuchanextension,liquidtypescouldbeprotablyappliedtoverifyC++,JavaandC#programswhichusegenericdatatypes.Acknowledgments.WethankAdamChlipala,CormacFlana-gan,RadhaJagadeesan,SureshJagannathan,KennKnowles,SorinLerner,BillMcLoskey,ToddMillstein,CorneliuPopea,PhilipWadler,WestleyWeimer,andtheanonymousrefereesfortheirhelpfulcommentsandsuggestionsforimprovingthispaper.References[1]TilakAgerwalaandJayadevMisra.Assertiongraphsforverifyingandsynthesizingprograms.TechnicalReport83,UniversityofTexas,Austin,1978.[2]L.Augustsson.Cayenne-alanguagewithdependenttypes.InICFP,1998.[3]T.BallandS.K.Rajamani.TheSLAMproject:debuggingsystemsoftwareviastaticanalysis.InPOPL,pages1–3.ACM,2002.[4]S.Chaki,E.M.Clarke,A.Groce,J.Ouaknine,O.Strichman,andK.Yorav.Efcientvericationofsequentialandconcurrentcprograms.FMSD,25(2-3):129–166,2004.[5]B.Chin,S.Markstrum,T.D.Millstein,andJ.Palsberg.Inferenceofuser-denedtypequaliersandqualierrules.InESOP,pages264–278,2006.[6]E.M.Clarke,O.Grumberg,S.Jha,Y.Lu,andH.Veith.Counterexample-guidedabstractionrenement.InCAV,LNCS1855,pages154–169.Springer,2000.[7]L.DamasandR.Milner.Principaltype-schemesforfunctionalprograms.InPOPL,1982.[8]E.W.Dijkstra.ADisciplineofProgramming.Prentice-Hall,1976.[9]B.DutertreandL.DeMoura.YicesSMTsolver.http://yices.csl.sri.com/.[10]C.Flanagan.Hybridtypechecking.InPOPL.ACM,2006.[11]C.FlanaganandS.Qadeer.Predicateabstractionforsoftwareverication.InPOPL.ACM,2002.[12]C.Flanagan,A.Sabry,B.F.Duba,andM.Felleisen.Theessenceofcompilingwithcontinuations.InPLDI,1993.[13]J.S.Foster.TypeQualiers:LightweightSpecicationstoImproveSoftwareQuality.PhDthesis,U.C.Berkeley,2002.[14]T.FreemanandF.Pfenning.RenementtypesforML.InPLDI,1991.[15]S.GrafandH.Sa¨di.ConstructionofabstractstategraphswithPVS.InCAV,LNCS1254,pages72–83.Springer,1997.[16]T.A.Henzinger,R.Jhala,R.Majumdar,andK.L.McMillan.Abstractionsfromproofs.InPOPL04.ACM,2004.[17]F.Ivancic,I.Shlyakhter,A.Gupta,andM.K.Ganai.Modelcheckingcprogramsusingf-soft.InICCD,pages297–308,2005.[18]K.KnowlesandC.Flanagan.Typereconstructionforgeneralrenementtypes.InESOP,2007.[19]P.LincolnandJ.C.Mitchell.Algorithmicaspectsoftypeinferencewithsubtypes.InPOPL,Albequerque,NewMexico,1992.[20]P.Martin-Lof.Constructivemathematicsandcomputerprogramming.RoyalSocietyofLondonPhilosophicalTransactionsSeriesA,312:501–518,October1984.[21]G.Nelson.Techniquesforprogramverication.TechnicalReportCSL81-10,XeroxPaloAltoResearchCenter,1981.[22]X.Ou,G.Tan,Y.Mandelbaum,andD.Walker.Dynamictypingwithdependenttypes.InIFIPTCS,pages437–450,2004.[23]F.Pottier.Simplifyingsubtypingconstraints.InICFP,NewYork,NY,USA,1996.ACMPress.[24]P.Rondon,M.Kawaguchi,andR.Jhala.Liquidtypes.TechnicalReportCSETechReport,UCSD,2008.[25]M.Sulzmann,M.Odersky,andM.Wehr.Typeinferencewithconstrainedtypes.InFOOL,1997.[26]H.Xi.DMLcodeexamples.http://www.cs.bu.edu/fac/hwxi/DML/.[27]H.XiandF.Pfenning.Eliminatingarrayboundcheckingthroughdependenttypes.InPLDI,1998.[28]H.XiandF.Pfenning.Dependenttypesinpracticalprogramming.InPOPL,pages214–227,1999.[29]Y.XieandA.Aiken.Scalableerrordetectionusingbooleansatisability.InPOPL,pages351–363,2005.