# Example $$l: \underline{r1} := l; \underline{r2} := l'; \underline{jump \ r2}$$ $l': \underline{\underline{jump \ r1}}$ We have the heap $H = \{ I \mapsto I, I' \mapsto I' \}$ . $\Gamma_1 = \{ \mathsf{r1} : \mathsf{Top}, \mathsf{r2} : \mathsf{Top} \}$ Define register file types $\Gamma_2 = \{ \mathsf{r1} : \Psi(\mathsf{I}), \mathsf{r2} : \mathsf{Top} \}$ $\Gamma_3 = \{ \mathsf{r1} : \Psi(\mathsf{I}), \mathsf{r2} : \Psi(\mathsf{I}') \}$ claim 1: $\Psi \vdash I$ : Code $(\Gamma_1)$ # claim 1: $\Psi \vdash I$ : $\mathsf{Code}(\Gamma_1)$ $$\frac{\mathsf{I} : \mathsf{Code}\{\mathsf{r1} : \mathsf{Top}, \mathsf{r2} : \mathsf{Top}\} \in \Psi}{\Psi, \Gamma_1 \vdash \mathsf{I} : \Psi(\mathsf{I})} (\mathsf{T}\text{-}\mathsf{Lab})$$ $$\frac{\Psi, \Gamma_1 \vdash \mathsf{I} : \Psi(\mathsf{I})}{\Psi \vdash \mathsf{r1} := \mathsf{I} : \Gamma_1 \to \Gamma_2} (\mathsf{T}\text{-}\mathsf{Mov})$$ # claim 1: $\Psi \vdash I$ : $\mathsf{Code}(\Gamma_1)$ ``` \frac{\mathsf{I} : \mathsf{Code}\{\mathsf{r1} : \mathsf{Top}, \mathsf{r2} : \mathsf{Top}\} \in \Psi}{\Psi, \Gamma_1 \vdash \mathsf{I} : \Psi(\mathsf{I})} \qquad \qquad \vdots \\ \frac{\Psi, \Gamma_1 \vdash \mathsf{I} : \Psi(\mathsf{I})}{\Psi \vdash \mathsf{r1} := \mathsf{I} : \Gamma_1 \to \Gamma_2} (\mathsf{T}\text{-Mov}) \qquad \qquad \Psi \vdash \mathsf{r2} := \mathsf{I}' : \Gamma_2 \to \Gamma_3 ``` # claim 1: $\Psi \vdash I$ : $\mathsf{Code}(\Gamma_1)$ ``` \frac{ \text{I}: \mathsf{Code}\{\mathsf{r1}: \mathsf{Top}, \mathsf{r2}: \mathsf{Top}\} \in \Psi}{ \Psi, \Gamma_1 \vdash \mathsf{I}: \Psi(\mathsf{I})} \text{ (T-Lab)} \qquad \vdots \\ \frac{ \Psi, \Gamma_1 \vdash \mathsf{I}: \Psi(\mathsf{I})}{ \Psi \vdash \mathsf{r1}:= \mathsf{I}: \Gamma_1 \to \Gamma_2} \text{ (T-Mov)} \qquad \Psi \vdash \mathsf{r2}:= \mathsf{I}': \Gamma_2 \to \Gamma_3 \\ \frac{ \Psi, \Gamma_3 \vdash \mathsf{r2}: \Psi(\mathsf{I}') \quad \mathsf{Code}(\Gamma_3) \sqsubseteq \Psi(\mathsf{I}')}{ \Psi, \Gamma_3 \vdash \mathsf{r2}: \mathsf{Code}(\Gamma_3)} \text{ (T-Sub)} \\ \frac{ \Psi, \Gamma_3 \vdash \mathsf{r2}: \mathsf{Code}(\Gamma_3)}{ \Psi \vdash \mathsf{jump r2}: \mathsf{Code}(\Gamma_3)} \text{ (T-Jump)} ``` $$Code(\Gamma_3) = Code\{r1 : \Psi(I), \quad r2 : \Psi(I')\}$$ $$\sqsubseteq \Psi(I') = Code\{r1 : \Psi(I), \quad r2 : Top\}$$ $$because \Psi(I) \sqsubseteq_1 \Psi(I) \text{ and } \Psi(I') \sqsubseteq_1 Top.$$ $$\vdots \qquad \vdots \qquad \vdots \\ \underline{\Psi : \mathsf{r2} := \mathsf{l}' : \Gamma_2 \to \Gamma_3 \quad \Psi \vdash \mathsf{jump} \ \mathsf{r2} : \mathsf{Code}(\Gamma_3)}_{\Psi \vdash \mathsf{r1} := \mathsf{l} : \Gamma_1 \to \Gamma_2} \ (\mathsf{T}\text{-}\mathsf{Seq})$$ $$\underline{\Psi \vdash \mathsf{r1} := \mathsf{l}' : \Gamma_1 \to \Gamma_2} \qquad \underline{\Psi \vdash \mathsf{r2} := \mathsf{l}' : \mathsf{jump} \ \mathsf{r2} : \mathsf{Code}(\Gamma_2)}_{\Psi \vdash \mathit{l}} \ (\mathsf{T}\text{-}\mathsf{Seq})$$ This proves claim 1. $$\vdots \\ \underline{\Psi \vdash \mathbf{r1} := \mathbf{l} : \Gamma_1 \to \Gamma_2} \qquad \underline{\Psi : \mathbf{r2} := \mathbf{l}' : \Gamma_2 \to \Gamma_3 \qquad \Psi \vdash \mathsf{jump} \ \mathbf{r2} : \mathsf{Code}(\Gamma_3) }_{ \Psi \vdash \mathbf{r2} := \mathbf{l}'; \ \mathsf{jump} \ \mathbf{r2} : \mathsf{Code}(\Gamma_2) } (\mathsf{T}\text{-Seq})$$ This proves claim 1. claim 2: $$\Psi \vdash I' : \mathsf{Code}(\Gamma_2)$$ $$\frac{\Psi, \Gamma_2 \vdash \textbf{r1} : \Psi(\textbf{I}) \quad \mathsf{Code}(\Gamma_2) \sqsubseteq \Psi(\textbf{I})}{\Psi, \Gamma_2 \vdash \textbf{r1} : \mathsf{Code}(\Gamma_2)} (\text{T-Sub})$$ $$\frac{\Psi, \Gamma_2 \vdash \textbf{r1} : \mathsf{Code}(\Gamma_2)}{\Psi \vdash \mathsf{jump r1} : \mathsf{Code}(\Gamma_2)} (\text{T-Jump})$$ ``` Recall that H = \{ \mathsf{I} \mapsto I, \mathsf{I'} \mapsto I' \} and \Psi = \{ \mathsf{I} : \mathsf{Code}(\Gamma_1), \mathsf{I'} : \mathsf{Code}(\Gamma_2) \}. \vdots \qquad \vdots \qquad \vdots \\ \Psi \vdash I : \mathsf{Code}(\Gamma_1) \qquad \Psi \vdash I' : \mathsf{Code}(\Gamma_2) \\ \vdash H : \Psi (T-Heap) ``` Recall that $$H = \{ \mathsf{I} \mapsto I, \mathsf{I'} \mapsto I' \}$$ and $\Psi = \{ \mathsf{I} : \mathsf{Code}(\Gamma_1), \mathsf{I'} : \mathsf{Code}(\Gamma_2) \}.$ $$\vdots \qquad \qquad \vdots \qquad \qquad \vdots$$ $$\Psi \vdash I : \mathsf{Code}(\Gamma_1) \qquad \Psi \vdash I' : \mathsf{Code}(\Gamma_2)$$ $$\vdash H : \Psi \qquad \qquad (\text{T-Heap})$$ ### Well typing of register file Suppose we want to start running the machine with the register file $$R = \{\mathsf{r1} \mapsto \mathsf{0}, \mathsf{r2} \mapsto \mathsf{0}\}$$ Recall that $$H = \{ \mathsf{I} \mapsto I, \mathsf{I'} \mapsto I' \}$$ and $\Psi = \{ \mathsf{I} : \mathsf{Code}(\Gamma_1), \mathsf{I'} : \mathsf{Code}(\Gamma_2) \}.$ $$\vdots \qquad \qquad \vdots \qquad \qquad \vdots$$ $$\Psi \vdash I : \mathsf{Code}(\Gamma_1) \qquad \Psi \vdash I' : \mathsf{Code}(\Gamma_2)$$ $$\vdash H : \Psi \qquad \qquad (\text{T-Heap})$$ #### Well typing of register file Suppose we want to start running the machine with the register file $$R = \{\mathsf{r1} \mapsto \mathsf{0}, \mathsf{r2} \mapsto \mathsf{0}\}$$ Define register file type $\Gamma = \{r1 : Int, r2 : Int\}$ Recall that $$H = \{ \mathsf{I} \mapsto I, \mathsf{I}' \mapsto I' \}$$ and $\Psi = \{ \mathsf{I} : \mathsf{Code}(\Gamma_1), \mathsf{I}' : \mathsf{Code}(\Gamma_2) \}.$ $$\vdots \qquad \qquad \vdots \qquad \qquad \vdots$$ $$\Psi \vdash I : \mathsf{Code}(\Gamma_1) \qquad \Psi \vdash I' : \mathsf{Code}(\Gamma_2)$$ $$\vdash H : \Psi \qquad \qquad (\text{T-Heap})$$ #### Well typing of register file Suppose we want to start running the machine with the register file $$R = \{\mathsf{r1} \mapsto \mathsf{0}, \mathsf{r2} \mapsto \mathsf{0}\}$$ Define register file type $\Gamma = \{\mathsf{r1} : \mathsf{Int}, \mathsf{r2} : \mathsf{Int}\}$ $$\frac{}{\Psi, \_\vdash \mathsf{0} : \mathsf{Int}} \overset{\text{(T-Int)}}{}{} \frac{}{\Psi, \_\vdash \mathsf{0} : \mathsf{Int}} \overset{\text{(T-Int)}}{}{} \text{(TRegfile)}$$ Suppose the initial instruction sequence we want to execute is I. We have shown that $\Psi \vdash I : \mathsf{Code}(\Gamma_1)$ (claim 1). Similarly we show $\Psi \vdash I : \mathsf{Code}(\Gamma)$ . Suppose the initial instruction sequence we want to execute is I. We have shown that $\Psi \vdash I : \mathsf{Code}(\Gamma_1)$ (claim 1). Similarly we show $\Psi \vdash I : \mathsf{Code}(\Gamma)$ . Finally, well typing of the machine $$\frac{\vdots}{\vdash H : \Psi} \qquad \frac{\vdots}{\Psi \vdash R : \Gamma} \qquad \frac{\vdots}{\Psi \vdash I : \mathsf{Code}(\Gamma)} \text{ (T-Mach)} \\ \vdash (H, R, I)$$ # Another example loop: if r1 jump done; prod: r3 := 0; r3 := r2 + r3; jump loop r1 := r1 + -1; jump loop done: jump r4 # Another example To complete the example we will have r4 contain the halt label. halt: jump halt # Another example ``` loop: if r1 jump done; prod : r3 := 0; r3 := r2 + r3; jump r4 done: r1 := r1 + -1; jump loop jump loop To complete the example we will have r4 contain the halt label. halt: jump halt Name the instructions \iota_1, \ldots, \iota_8 and the instruction sequences I_1, I_2, I_3, I_4. Let \Gamma' = \{ r1 : Int, r2 : Int, r3 : Int, r4 : Top \} Let \Gamma = \{ r1 : Int, r2 : Int, r3 : Int, r4 : Code(\Gamma') \} Let H = \{\mathsf{prod} \mapsto I_1, \mathsf{loop} \mapsto I_2, \mathsf{done} \mapsto I_3, \mathsf{halt} \mapsto I_4\}. Let \Psi = \{\mathsf{prod} : \mathsf{Code}(\Gamma), \mathsf{loop} : \mathsf{Code}(\Gamma), \mathsf{done} : \mathsf{Code}(\Gamma), \mathsf{halt} : \mathsf{Code}(\Gamma')\}. ``` $$\frac{\overline{\Psi,\Gamma \vdash \textbf{r3}: \mathsf{Int}} \ (\text{T-Reg}) \ \overline{\Psi,\Gamma \vdash \textbf{0}: \mathsf{Int}} \ (\text{T-Int})}{\Psi \vdash \iota_1:\Gamma \to \Gamma} \ (\text{T-Mov}) \ \overline{\Psi \vdash \mathsf{jump loop}: \mathsf{Code}(\Gamma)} \ (\text{T-Jump})} \\ \underline{\Psi \vdash \iota_1:\Gamma \to \Gamma} \ (\text{T-Seq})$$ $$\frac{\Psi, \Gamma \vdash \mathsf{r3} : \mathsf{Int}}{\Psi, \Gamma \vdash \mathsf{r3} : \mathsf{Int}} \underbrace{\begin{array}{c} (\mathsf{T}\text{-}\mathsf{Reg}) \\ \overline{\Psi, \Gamma \vdash \mathsf{0} : \mathsf{Int}} \end{array}}_{\Psi, \Gamma \vdash \mathsf{0} : \mathsf{Int}} \underbrace{\begin{array}{c} (\mathsf{T}\text{-}\mathsf{Int}) \\ \overline{\Psi, \Gamma \vdash \mathsf{loop} : \mathsf{Code}(\Gamma)} \end{array}}_{\Psi, \Gamma \vdash \mathsf{loop} : \mathsf{Code}(\Gamma)} \underbrace{\begin{array}{c} (\mathsf{T}\text{-}\mathsf{Lab}) \\ \overline{\Psi, \Gamma \vdash \mathsf{loop} : \mathsf{Code}(\Gamma)} \end{array}}_{\Psi \vdash \mathsf{jump loop} : \mathsf{Code}(\Gamma)} \underbrace{\begin{array}{c} (\mathsf{T}\text{-}\mathsf{Jump}) \\ \overline{\Psi \vdash \mathsf{I}} : \mathsf{Code}(\Gamma) \end{array}}_{\Psi \vdash \mathsf{I}} \underbrace{\begin{array}{c} (\mathsf{T}\text{-}\mathsf{Lab}) \\ \overline{\Psi, \Gamma \vdash \mathsf{loop} : \mathsf{Code}(\Gamma)} \end{array}}_{\Psi \vdash \mathsf{Imp loop} : \mathsf{Code}(\Gamma)} \underbrace{\begin{array}{c} (\mathsf{T}\text{-}\mathsf{Lab}) \\ \overline{\Psi, \Gamma \vdash \mathsf{loop} : \mathsf{Code}(\Gamma)} \end{array}}_{\Psi \vdash \mathsf{Imp loop} : \mathsf{Im$$ Similarly, $\Psi \vdash I_2 : \mathsf{Code}(\Gamma)$ . $$\frac{\Psi, \Gamma \vdash \mathsf{r3} : \mathsf{Int}}{\Psi, \Gamma \vdash \mathsf{r3} : \mathsf{Int}} \underbrace{\begin{array}{c} (\mathsf{T}\text{-}\mathsf{Reg}) \\ \hline \Psi, \Gamma \vdash \mathsf{0} : \mathsf{Int} \end{array}}_{\Psi, \Gamma \vdash \mathsf{0} : \mathsf{Int}} \underbrace{\begin{array}{c} (\mathsf{T}\text{-}\mathsf{Int}) \\ \hline \Psi, \Gamma \vdash \mathsf{loop} : \mathsf{Code}(\Gamma) \end{array}}_{\Psi \vdash \mathsf{jump loop} : \mathsf{Code}(\Gamma)} \underbrace{\begin{array}{c} (\mathsf{T}\text{-}\mathsf{Lab}) \\ \hline \Psi \vdash \mathsf{jump loop} : \mathsf{Code}(\Gamma) \end{array}}_{\Psi \vdash \mathsf{Jest}} (\mathsf{T}\text{-}\mathsf{Seq})$$ Similarly, $\Psi \vdash I_2 : \mathsf{Code}(\Gamma)$ . $$\frac{\Psi,\Gamma \vdash \mathsf{r4} : \mathsf{Code}\{\mathsf{r1} : \mathsf{Int},\mathsf{r2} : \mathsf{Int},\mathsf{r3} : \mathsf{Int},\mathsf{r4} : \mathsf{Top}\}}{\Psi,\Gamma \vdash \mathsf{r4} : \mathsf{Code}(\Gamma)} \underbrace{\Psi,\Gamma \vdash \mathsf{r4} : \mathsf{Code}(\Gamma)}_{\Psi \vdash I_3} (\mathsf{T-Jump})$$ $$\frac{\Psi, \Gamma \vdash \mathsf{r3} : \mathsf{Int}}{\Psi, \Gamma \vdash \mathsf{r3} : \mathsf{Int}} \underbrace{\begin{array}{c} (\mathsf{T}\text{-}\mathsf{Reg}) \\ \hline \Psi, \Gamma \vdash \mathsf{0} : \mathsf{Int} \end{array}}_{\Psi, \Gamma \vdash \mathsf{0} : \mathsf{Int}} \underbrace{\begin{array}{c} (\mathsf{T}\text{-}\mathsf{Int}) \\ \hline \Psi, \Gamma \vdash \mathsf{loop} : \mathsf{Code}(\Gamma) \end{array}}_{\Psi \vdash \mathsf{jump loop} : \mathsf{Code}(\Gamma)} \underbrace{\begin{array}{c} (\mathsf{T}\text{-}\mathsf{Lab}) \\ \hline \Psi \vdash \mathsf{jump loop} : \mathsf{Code}(\Gamma) \end{array}}_{\Psi \vdash \mathsf{Jest}} (\mathsf{T}\text{-}\mathsf{Seq})$$ Similarly, $\Psi \vdash I_2 : \mathsf{Code}(\Gamma)$ . $$\frac{\Psi, \Gamma \vdash \mathsf{r4} : \mathsf{Code}\{\mathsf{r1} : \mathsf{Int}, \mathsf{r2} : \mathsf{Int}, \mathsf{r3} : \mathsf{Int}, \mathsf{r4} : \mathsf{Top}\}}{\Psi, \Gamma \vdash \mathsf{r4} : \mathsf{Code}(\Gamma)} \underbrace{\frac{\Psi, \Gamma \vdash \mathsf{r4} : \mathsf{Code}(\Gamma)}{\Psi \vdash I_3 : \mathsf{Code}(\Gamma)}}_{(\mathsf{T-Jump})} (\mathsf{T-Jump})}_{\Psi, \Gamma' \vdash \mathsf{halt} : \mathsf{Code}(\Gamma')} (\mathsf{T-Jump})}_{\Psi \vdash I_4 : \mathsf{Code}(\Gamma')} (\mathsf{T-Jump})$$ Hence we have well typing of the machine: ``` \begin{array}{cccc} & \vdots & & \vdots & & \vdots \\ \underline{I_1:\mathsf{Code}(\Gamma)} & \underline{I_2:\mathsf{Code}(\Gamma)} & \underline{I_3:\mathsf{Code}(\Gamma)} & \underline{I_4:\mathsf{Code}(\Gamma')} \\ & & & \vdash H:\Psi \end{array} \tag{T-Heap} ``` Hence we have well typing of the machine: Define initial register file: $R = \{r1 \mapsto 0, r2 \mapsto 0, r3 \mapsto 0, r4 \mapsto halt\}$ $$\frac{\overline{\Psi, \bot \vdash 0 : \mathsf{Int}}}{\Psi, \bot \vdash 0 : \mathsf{Int}} (\mathsf{T}\text{-}\mathsf{Int}) \qquad \frac{\overline{\Psi, \bot \vdash 0 : \mathsf{Int}}}{\Psi, \bot \vdash \mathsf{halt} : \mathsf{Code}(\Gamma')} (\mathsf{T}\text{-}\mathsf{Int}) \qquad \qquad \Psi \vdash R : \Gamma$$ $$(\mathsf{T}\text{-}\mathsf{Int}) \qquad \qquad \Psi \vdash R : \Gamma$$ Hence we have well typing of the machine: Define initial register file: $R = \{r1 \mapsto 0, r2 \mapsto 0, r3 \mapsto 0, r4 \mapsto halt\}$ $$\frac{\overline{\Psi, \_ \vdash 0 : \mathsf{Int}} \; (\mathsf{T\text{-}Int})}{\Psi, \_ \vdash 0 : \mathsf{Int}} \; \dots \; \frac{\overline{\Psi, \_ \vdash 0 : \mathsf{Int}} \; (\mathsf{T\text{-}Int})}{\Psi, \_ \vdash \mathsf{halt} : \mathsf{Code}(\Gamma')} \frac{(\mathsf{T\text{-}Int})}{(\mathsf{T\text{-}Regfile})}$$ $$\frac{\vdash H : \Psi \qquad \Psi \vdash R : \Gamma \qquad \Psi \vdash I_1 : \mathsf{Code}(\Gamma)}{\vdash (H, R, I_1)} \text{ (T-Mach)}$$ $$l1 : r1 := l2; r3 := r2 + 1; \dots$$ $$13 : r1 := 5; jump r1$$ $$l1: r1 := l2; r3 := r2 + 1; \dots$$ 13 : r1 := 5; jump r1 • We haven't discussed how to check if a mchine is well typed. Alternative: use proof carrying code. ``` 11 : r1 := 12; r3 := r2 + 1; \dots 13 : r1 := 5; jump r1 ``` - We haven't discussed how to check if a mchine is well typed. Alternative: use proof carrying code. - It is straightforward to translate TAL-0 programs to code for some real processor. If the TAL-0 program is well-typed then the translated code will behave properly. ``` 11 : r1 := 12; r3 := r2 + 1; \dots 13 : r1 := 5; jump r1 ``` - We haven't discussed how to check if a mchine is well typed. Alternative: use proof carrying code. - It is straightforward to translate TAL-0 programs to code for some real processor. If the TAL-0 program is well-typed then the translated code will behave properly. ... for that we of course need to prove type safety for TAL-0 ... "well typed machines do not get stuck" Progress: If $\vdash M$ then there is some M' such that $M \to M'$ . Preservation: If $\vdash M$ and $M \to M'$ then $\vdash M'$ . "well typed machines do not get stuck" Progress: If $\vdash M$ then there is some M' such that $M \to M'$ . Preservation: If $\vdash M$ and $M \to M'$ then $\vdash M'$ . Proof: by easy induction, case analysis... "well typed machines do not get stuck" Progress: If $\vdash M$ then there is some M' such that $M \to M'$ . Preservation: If $\vdash M$ and $M \to M'$ then $\vdash M'$ . Proof: by easy induction, case analysis... Q: Why bother doing proofs about programming languages? They are almost always boring if the definitions are right. "well typed machines do not get stuck" Progress: If $\vdash M$ then there is some M' such that $M \to M'$ . Preservation: If $\vdash M$ and $M \to M'$ then $\vdash M'$ . Proof: by easy induction, case analysis... Q: Why bother doing proofs about programming languages? They are almost always boring if the definitions are right. A: The definitions are almost always wrong. — Anonymous #### An extension: TAL-1 We now also deal with memory safety. Besides registers, we now have a potentially infinite memory, stack, pointers, and facilities for allocating space for data. Already expressive enough for implementing simple programs from high level languages. Memory safety: no reads to or writes from illegal memory locations. • r1 := Mem[r2 + 4] r2 stores a pointer. We access the 4th location past the corresponding memory location. The value there is loaded in r1. - r1 := Mem[r2 + 4] - r2 stores a pointer. We access the 4th location past the corresponding memory location. The value there is loaded in r1. - Mem[r2 + 4] := r1 The reverse store operation. - r1 := Mem[r2 + 4] - r2 stores a pointer. We access the 4th location past the corresponding memory location. The value there is loaded in r1. - Mem[r2 + 4] := r1 The reverse store operation. - r1 := malloc 10 allocate 10 words on the heap, and store corresponding pointer in r1. - r1 := Mem[r2 + 4] - r2 stores a pointer. We access the 4th location past the corresponding memory location. The value there is loaded in r1. - Mem[r2 + 4] := r1 The reverse store operation. - r1 := malloc 10 allocate 10 words on the heap, and store corresponding pointer in r1. - salloc 10 allocate 10 words on the stack (and update stack pointer) Example code. ``` r1 := malloc 5; // allocate 5 words on heap Mem[r1] := 10; // store data in the first word Mem[r1 + 1] := 20; // store data in the first word r2 := Mem[r1] // load 10 into r2 ``` Example code. ``` r1 := malloc 5; // allocate 5 words on heap Mem[r1] := 10; // store data in the first word Mem[r1 + 1] := 20; // store data in the first word r2 := Mem[r1] // load 10 into r2 ``` The following code has no well-defined behavior. ``` r1 := malloc 5; // allocate 5 words on heap r2 := malloc 5; // allocate 5 words on heap r3 := r1 + r2 // add the two pointers ``` Example code. ``` r1 := malloc 5; // allocate 5 words on heap Mem[r1] := 10; // store data in the first word Mem[r1 + 1] := 20; // store data in the first word r2 := Mem[r1] // load 10 into r2 ``` The following code has no well-defined behavior. ``` r1 := malloc 5; // allocate 5 words on heap r2 := malloc 5; // allocate 5 words on heap r3 := r1 + r2 // add the two pointers ``` Hence for type safety, we should at least have a different type for pointers. Further the type system should distinguish between pointers to different types of data. ``` r1 := malloc 5; Mem[r1] := 9; r2 := Mem[r1] // r1 stores a pointer, hence this is ok jump r2 // not ok, since r1 was a pointer to an integer ``` Hence the type-system should deal with types like ptr(Int), $ptr(Code(\Gamma))$ , ptr(ptr(Int)), . . . ``` // currently r1 : ptr(Code(...)) r3 := 5; Mem[r1] := r3; // now r1 : ptr(Int) r4 := Mem[r1]; // r4 : Int jump r4 // of course ill-typed ``` Hence type of a register should be updated after a store through it. ### Aliasing problem Should the following be well typed? ``` // currently r1 : ptr(Code(...)), r2 : ptr(Code(...)) r3 := 5; Mem[r1] := r3; // now r1 : ptr(Int) r4 := Mem[r2]; // load through r2. r4 :??? jump r4 // is this well-typed??? ``` # Aliasing problem Should the following be well typed? Answer: depends on whether r1 and r2 point to the same location (aliasing). # Aliasing problem Should the following be well typed? Answer: depends on whether r1 and r2 point to the same location (aliasing). Problem: how should the type system keep track of aliasing? Solution: have two kinds of memory locations. Shared pointers: support aliasing. Different type of data cannot be written. Unique pointers: no aliasing. Different kind of data can be written. Useful for allocating and initializing shared data structures, and for stack frames. The instruction commit $r_d$ declares a pointer to be shared, its type cannot change now. The TAL-1 syntax: we make the following extensions to the TAL-0 syntax. ``` registers r ::= r1 | ... | rk | sp ordinary registers and stack pointer instructions \iota ::= mov/add/if-jump r_d := \mathsf{Mem}[r_s + n] load from memory \mathsf{Mem}[r_d + n] := r_s store to memory r_d := \mathsf{malloc}\ n allocate n heap words commit r_d make the pointer shared salloc n allocate n stack words sfree n free n stack words ``` ``` operands \nu ::= registers r integers n code or shared data pointers uptr(h) unique data pointers h ::= heap values instruction sequences \langle \nu_1, \ldots, \nu_n \rangle tuples ``` Instruction sequences I are in TAL-0: list of instructions followed by a jump Values are operands other than registers. Heaps map labels l to heap values h. Register files and abstract machine states are defined as for TAL-0. The TAL-1 abstract machine: Unique data values are not stored in the heap. #### TAL-1 evaluation rules We fix a constant MaxStack: the maximum allowed size of the stack. All TAl-0 evaluation rules remain the same except the (E-Mov) rule. This rule now needs to ensure that unique pointers are not copied. $$\frac{\hat{R}(\nu) \neq \mathsf{uptr}(h)}{(H, R, r_d := \nu; I) \to (H, R \oplus \{r_d \mapsto \hat{R}(\nu)\}, I)} \text{ (E-Mov1)}$$ The $\hat{R}$ function is as for TAL-0. Further we have $\hat{R}(\mathsf{uptr}(h)) = \mathsf{uptr}(h)$ . If $\hat{R}(\nu)$ is uptr(h) then the machine gets stuck. #### TAL-1 evaluation rules We fix a constant MaxStack: the maximum allowed size of the stack. All TAl-0 evaluation rules remain the same except the (E-Mov) rule. This rule now needs to ensure that unique pointers are not copied. $$\frac{\hat{R}(\nu) \neq \mathsf{uptr}(h)}{(H, R, r_d := \nu; I) \to (H, R \oplus \{r_d \mapsto \hat{R}(\nu)\}, I)} \text{ (E-Mov1)}$$ The $\hat{R}$ function is as for TAL-0. Further we have $\hat{R}(\mathsf{uptr}(h)) = \mathsf{uptr}(h)$ . If $\hat{R}(\nu)$ is uptr(h) then the machine gets stuck. The other evaluation rules of TAL-0 are unmodified. We now add new rules for the new instructions . . . ### Allocation generates a unique pointer ``` (H, R, r_d := \mathsf{malloc}\ n; I) \to (H, R \oplus \{r_d \mapsto \mathsf{uptr}\langle m_1, \dots, m_n \rangle\}, I) \quad (\text{E-Malloc}) ``` - A unique pointer to a tuple of n words is created and stored in the destination register. - The initial values in the words are arbitrary integers $m_1, \ldots, m_n$ (uninitialized values) - Typically we would make the pointer shared once the words have been initialized. - malloc instruction takes a constant as argument. Useful for implementing tuples, records, etc but not yet for variable sized arrays. # Allocation Examples The following code will lead to stuck states. • copying of unique pointers: ``` \dots r1 := malloc 5; r2 := r1; \dots ``` • using unique pointers in place of integers ``` \dotsr1 := malloc 5; if r1 jump l; \dots ``` ### Declaring a pointer to be shared $$\frac{r_d \neq \mathsf{sp} \quad R(r_d) = \mathsf{uptr}(h) \quad l \notin dom(H)}{(H, R, \mathsf{commit} \ r_d; I) \to (H \oplus \{l \mapsto h\}, R \oplus \{r_d \mapsto l\}, I)} \ (\text{E-Commit})$$ - The stack is always a unique data value. - commit moves the unique data in the heap (i.e. it is now considered shared data) - A fresh label is associated with the data and is stored in the destination register.