A Step-Indexed Model of Substructural State

Amal Ahmed Matthew Fluet ∗ Greg Morrisett ∗

Harvard University Cornell University Harvard University
amal@eecs.harvard.edu fluet@cs.cornell.edu greg@eecs.harvard.edu

Abstract at line 3, we read the second cell, using the contents in a context
The concept of a “unique” object arises in many emerging program- expecting an integer. If the function is called with actual arguments
ming languages such as Clean, CQual, Cyclone, TAL, and Vault. In that are different ref cells, then there is nothing in the function that
each of these systems, unique objects make it possible to perform will cause a run-time type error.1 Yet, if the same ref cell is passed
operations that would otherwise be prohibited (e.g., deallocating for each formal argument, then the update on line 2 will change the
an object) or to ensure that some obligation will be met (e.g., an contents of both r1 and r2, causing a run-time type error to occur
opened file will be closed). However, different languages provide at line 3.
different interpretations of “uniqueness” and have different rules SML (and most imperative languages) reject the above program,
regarding how unique objects interact with the rest of the language. because references are unrestricted, that is, they may be freely
Our goal is to establish a common model that supports each of aliased. In general, reasoning about unrestricted references is hard
these languages, by allowing us to encode and study the interac- because we need additional information to understand what other
tions of the different forms of uniqueness. The model we provide values are affected by an update. In the absence of this information,
is based on a substructural variant of the polymorphic λ-calculus, we must be conservative. For instance, in SML, we must assume
augmented with four kinds of mutable references: unrestricted, rel- that an update to an int ref could affect any other int ref. To
evant, affine, and linear. The language has a natural operational ensure type soundness, we must therefore require the type of the
semantics that supports deallocation of references, strong (type- ref’s contents be preserved by the update. In other words, most type
varying) updates, and storage of unique objects in shared refer- systems can only track invariants on refs, instead of program-point-
ences. We establish the strong soundness of the type system by specific properties. As a result, we are forced to weaken the type of
constructing a novel, semantic interpretation of the types. the ref to cover all possible program points. In the example above,
we must weaken r1’s type to “(int + bool) ref” and pay the
Categories and Subject Descriptors D.3.1 [Programming Lan- costs of tagging values, and checking those tags when the pointer
guages]: Formal Definitions and Theory—Semantics; D.3.3 [Pro- is dereferenced.
gramming Language]: Language Constructs and Features Unfortunately, in many settings, this weakened invariant is in-
sufficient. Hence, researchers have turned to more powerful sys-
General Terms Languages
tems that do provide a means of ensuring exclusive access to state.
Keywords substructural type system, mutable references, step- In particular, many projects have introduced some form of linearity
indexed model to “tame” state. Linear logic [15] and other substructural logics give
rise to more expressive type systems, because they are designed to
1. Introduction precisely account for resources.
For instance, the Clean programming language [26] relies upon
Consider the following imperative code fragment, written with a form of uniqueness to ensure equational reasoning in the pres-
SML syntax: ence of mutable data structures. The Cyclone programming lan-
1. fun f(r1:int ref, r2:int ref):int = guage [17] uses unique pointers to allow fine-grained memory
2. (r1 := true ; management. For example, a unique pointer may be updated from
3. !r2 + 42)
uninitialized to initialized, and its contents may also be deallocated:
At line 1, we assume ref cells r1 and r2 whose contents are 1. x = malloc(4); // x: --- *‘U
integers. At line 2, we update the first cell with a boolean. Then, 2. *x = 3; // x: int *‘U
3. free(x); // x: undefined
∗ This material is based upon work supported by the Air Force Office of
In both of these languages, a unique object may be implicitly
Scientific Research under Award No. F49620-03-1-0156 and Award No. discarded, yielding a weak form of uniqueness called affinity.
F49620-01-1-0298 and by the Office of Naval Research under Award No.
N00014-01-1-0968. Any opinions, findings, and conclusions or recommen-
The Vault programming language [13] uses tracked keys to en-
dations expressed in this publication are those of the author and do not force resource management protocols. For example, the following
necessarily reflect the views of these organizations or the U.S. Government. interface specifies that opening a file returns a new tracked key,
which must be present when reading the file, and which is con-
sumed when closing the file:
1. interface IO {
2. type FILE;
Permission to make digital or hard copies of all or part of this work for personal or 3. tracked($F) FILE open(string) [ +$F ];
classroom use is granted without fee provided that copies are not made or distributed 4. char read (tracked($F) FILE) [ $F ];
for profit or commercial advantage and that copies bear this notice and the full citation
on the first page. To copy otherwise, to republish, to post on servers or to redistribute
5. void close (tracked($F) FILE) [ -$F ]; }
to lists, requires prior specific permission and/or a fee.
ICFP’05 September 26–28, 2005, Tallinn, Estonia. 1 We assume that values are represented uniformly so that, for instance, unit,
Copyright
c 2005 ACM 1-59593-064-7/05/0009. . . $5.00. booleans, and integers all take up one word of storage.

78
Because tracked keys may be neither duplicated nor discarded, 2. λURAL : A Substructural λ-Calculus
Vault supports a strong form of uniqueness technically termed
linearity, which ensures that an opened file must be closed exactly Advanced type systems for state rely upon limiting the ordering
once. Other projects [32, 12] have also incorporated linearity to and number of uses of data and operations to ensure that state is
handled in a safe manner. For example, (safely) deallocating a data
ensure that memory is reclaimed.
structure requires that the data structure is never used in the future.
Both forms of uniqueness (linearity and affinity) support strong
In order to establish this property, a type system may ensure that the
updates, whereby the type of a stateful object is changed in re-
data structure is used at most once; after one use, the data structure
sponse to stateful operations. For example, the Cyclone code frag-
may be safely deallocated, since there can be no further uses.
ment above demonstrates the type of the unique pointer changing
A substructural type system provides the core mechanisms nec-
from uninitialized to initialized (with an integer) in response to the
assignment. The intuitive understanding is that a unique object can- essary to restrict the number and order of uses of data and opera-
not be duplicated, and thus there are no aliases to the object; hence, tions. A conventional type system, such as that employed by the
no other portion of the program may observe the change in the ob- simply-typed λ-calculus, with a typing judgement like Γ
e : τ ,
ject’s type, so it is safe to perform a strong update. satisfies three structural properties:
Yet, programming in a language with only unique (i.e., linear or Exchange If Γ1 , x:τx , y:τy , Γ2  e : τ ,
affine) objects is much too painful. In such a setting, one can only then Γ1 , y:τy , x:τx , Γ2  e : τ .
construct tree-like data structures. Hence, it is not surprising that Contraction If Γ1 , x:τz , y:τz , Γ2  e : τ ,
both Cyclone and Vault allow a programmer to put unique objects then Γ1 , z:τz , Γ2  e[z/x][z/y] : τ .
in shared objects, with a variety of restrictions to ensure that these Weakening If Γ  e : τ , then Γ, x:τx  e : τ .
mixed objects behave in a safe manner. In fact, understanding the In contrast, a substructural type system is designed so that one or
various mechanisms by which unique objects (with strong updates) more of these structural properties do not hold in general. Among
may safely coexist and mix with shared objects is currently an the most widely studied substructural type systems are the linear
active area of research [5], though much of it has focused on type systems [29, 24], derived from Girard’s linear logic [15], in
high-level programming features, often without a complete formal which all variables satisfy Exchange, but linearly typed variables
account. satisfy neither Contraction nor Weakening.
Therefore, it is natural to study a core language with mutable In this section, we present a substructural polymorphic λ-
references of all sorts mentioned above: linear, affine, and unre- calculus, similar in spirit to Walker’s linear lambda calculus [30].
stricted. The study of substructural logics immediately suggests In our calculus, types and variables are qualified as unrestricted
one more sort — relevant, which describes data that may be dupli- (U), relevant (R), affine (A), or linear (L). All variables will sat-
cated but not implicitly discarded. Having made these distinctions, isfy Exchange, while only unrestricted variables will satisfy both
a number of design questions arise: What does it mean to duplicate Contraction and Weakening, allowing such variables to be used
or to discard a reference? What operations may be safely performed an arbitrary number of times. We will require
with the different sorts of references? What combinations of sorts
for a reference and its contents are safe? • linear variables to satisfy neither Contraction nor Weakening,
A major contribution of this paper is to answer these questions, ensuring that such variables are used exactly once,
giving an integrated design of references for all of these substruc- • affine variables to satisfy Weakening (but not Contraction),
tural sorts (Section 3). Our design allows unique (linear and affine) ensuring that such variables are used at most once, and
values to be stored in shared (unrestricted and relevant) references, • relevant variables to satisfy Contraction (but not Weakening),
while preserving the desirable feature that resources are tracked ensuring that such variables are used at least once.2
accurately. Our language extends a core λ-calculus with a straight- The diagram below demonstrates the relationship between these
forward type system that provides data of each of the substruc- qualifiers, inducing a lattice ordering .
tural sorts mentioned above (Section 2). The key idea, present in
linear (L)
other substructural type systems, is to break out the substructural ??
 ??
sorts as type “qualifiers.” Rather than prove soundness via a syn-  
tactic subject-reduction proof, we adopt an approach compatible affine (A) relevant (R)
??
with that used in Foundational Proof Carrying Code [6, 7]. We con- ?? 
struct a step-indexed model (Section 4) where types are interpreted  
as sets of store description / value pairs, which are further refined unrestricted (U)
using an index representing the number of steps available for future
evaluation. We believe this model improves on previous models of 2.1 Syntax
mutable state, contributing a compositional notion of aliasing and Figure 1 presents the syntax for our core calculus, dubbed the
ownership that directly addresses the subtleties of allowing unique λURAL -calculus. Most of the types, expressions, and values are
values to be stored in shared references. Furthermore, we achieve a based on a traditional polymorphic λ-calculus.
simple model, in comparison to denotational and domain-theoretic
approaches, that easily extends to impredicative polymorphism and Kind and Type Levels We structure our types τ as a qualifier
first-class references. Constructing a (well-founded) set-theoretic ξ applied to a pre-type τ , yielding the four sorts of types noted
model means that our soundness and safety proofs are amenable above. The qualifier of a type dictates the structural operations that
to formalization in the higher-order logic of Foundational PCC. may be applied to values of the type, while the pre-type dictates
Hence, our work provides a useful foundation for future extensions the introduction and elimination forms. The pre-types 1
, τ1
τ2 ,
of Foundational PCC, which currently only supports unrestricted and τ1
τ2 correspond to the unit, pair, and function types of the
references, but is an attractive target for source languages wishing polymorphic λ-calculus.
to carry high-level security guarantees, enforced by type states and
2 In the logic community, it is perhaps more accurate to use the qualifier
linear resources, through to machine code.
“strict” for such variables. However, “strict” is already an overloaded term
in the functional programming community; so, like Walker [30], we use
“relevant.”

79
 Kind Level:
Kinds κ ::= QUAL | |

Type Level:
Constant Qualifiers q ∈ Quals = {U, R, A, L}
Qualifiers ξ ::= α|q
PreTypes τ ::= α | 1
| τ1
τ2 | τ1
τ2 | ∀α:κ. τ
Types τ ::= α | ξτ
Type-level Terms ι ::= ξ|τ |τ

Expression Level:
Values v ::= x |  | v1 , v2 | λx. e | Λ. e
Expressions e ::= v | let  = e1 in e2 | let x1 , x2 = e1 in e2 | e1 e2 | e []

Figure 1. λURAL Syntax

Polymorphism over qualifiers, pre-types, and types is provided ∆  ξ1 ξ2

by a single pre-type ∀α:κ. τ ; we introduce a kind level to distin-
guish among the type-level terms that may be used to instantiate a ∆  α : QUAL q1 q2 ∆  α : QUAL
polymorphic pre-type (with kinds QUAL, , and  for qualifiers, ∆U α ∆  q1 q2 ∆α L
pre-types, and types, respectively).
 
In an accompanying technical report [3], we show that it is also ∆  ξ : QUAL ∆  ξ1 ξ ∆ξ ξ2
easy to extend our results to include sum (τ1  τ2 ), existential ∆ξ ξ ∆  ξ1 ξ2
(∃α:κ. τ ), and recursive (µα:. τ ) pre-types and recursive func-
tions in the calculus, though we elide such constructs in this pre- ∆τ ξ
sentation. ∆α: ∆  τ : ∆  ξ ξ
This structuring of types as a qualifier applied to a pre-type fol- ξ

∆α L ∆ τ ξ
lows that of Walker [30], but differs from other presentations of
linear lambda calculi that use exactly one modality (!τ ) to distin- ∆Γ ξ
guish unrestricted from linear types. It seems possible to introduce
alternative modalities (e.g, −τ for affine and +τ for relevant), but ∆  ξ : QUAL ∆Γ ξ ∆τ ξ
then we would have to consider their interaction (e.g., what does ∆• ξ ∆  Γ, x:τ
−!+τ denote?). Also, with four distinct qualifiers, it is natural to
introduce qualfier polymorphism, which is best formulated by sep-
arating qualifiers from pre-types. Figure 4. λURAL Statics (Sub-Qual Rules)

Expression Level Each pre-type has an associated value intro-

duction form. The pattern matching expression forms let  =
e1 in e2 and let x1 , x2  = e1 in e2 are used to eliminate units Despite these requirements, the type system is relatively simple.
(1
) and pairs (
), respectively. As usual, a function with pre-type λURAL typing judgements have the form ∆; Γ
e : τ where the
τ1
τ2 is eliminated via application e1 e2 , while a type-level ab- contexts ∆ and Γ are defined as follows:
straction ∀α:κ. τ is eliminated via instantiation e []. Type-level Term Context ∆ ::= • | ∆, α:κ
Note that expressions are not decorated with type-level terms. Value Context Γ ::= • | Γ, x:τ
This simplifies the semantic model presented in Section 4, where Thus, ∆ is used to track the set of type-level variables in scope
soundness is with respect to typing derivations, and is appropriate (along with their kinds), whereas Γ, as usual, is used to track the
for an expressive “internal” language. We leave as an open problem set of (expression-level) variables in scope (along with their types).
the formulation of appropriate inference and elaboration algorithms There may be at most one occurrence of a type-level variable α in
yielding derivations in the type system of the next section, which ∆ and, similarly, at most one occurrence of a variable x in Γ.
would likely require some type-level annotations on expressions in Figure 2 presents the λURAL kinding rules and Figure 3 presents
a “surface” language. the λURAL typing rules. In order to ensure the correct relationship
between a data structure and its components, we extend the lattice
2.2 Static Semantics ordering on constant qualifiers to types and contexts (see Figure 4).
The goal of the type system for λURAL is to approximate the re- In the presence of qualifier and type polymorphism, we include the
quirements of languages like Vault and Cyclone, which ensure that rules ∆
U  α and ∆
α  L, a conservative extension,
linear values are used exactly once, affine values are used at most since U and L are the bottom and top of the lattice. A more general
once, and relevant values are used at least once. Dually, the type approach would incorporate bounded qualifier constraints, which
system should ensure that only unrestricted and relevant values are we believe is straightforward, but doing so does not add to the
duplicated and only unrestricted and affine values are discarded. To discussion at hand.
prevent values from being implicitly copied or dropped when their As is usual in a substructural setting, our type system relies
containing value is duplicated or discarded, the type system must upon a judgement ∆
Γ ❀ Γ1  Γ2 that splits the assumptions
also ensure that a (functional) value with a qualifier lower in the in Γ between the contexts Γ1 and Γ2 (see Figure 5). Splitting the
lattice may not contain values with qualifiers higher in the lattice. context is necessary to ensure that variables are used appropriately
For example, an affine (A) pair may not contain linear (L) compo- by sub-expressions. Note that  ensures that an A or L assumption
nents, since we could end up dropping the linear components by appears in exactly one sub-context. On the other hand, U and R
dropping the pair, so the type sytem must rule out expressions of assumptions may appear in both sub-contexts, corresponding to
type A (L τ 1
L τ 2 ). implicit duplication of the variables.

80
∆ι:κ
α:κ ∈ ∆ ∆  ξ : QUAL ∆τ :
(VarKn) (Qual) (Type) ξ
∆α:κ ∆  q : QUAL ∆ τ :

∆  τ1 : ∆  τ2 : ∆  τ1 : ∆  τ2 : ∆, α:κ  τ :
(MUnitPTy) (MPairPTy) (FnPTy) (AllPTy)
∆  1
: ∆  τ1
τ2 : ∆  τ1
τ2 : ∆  ∀α:κ. τ :

Figure 2. λURAL Statics (Kinding Rules)

∆; Γ  e : τ

∆  Γ ❀ Γ1  Γ2 ∆  ξ : QUAL
∆; Γ1  v1 : τ1 ∆  τ1 ξ
∆τ : ∆  ξ : QUAL ∆; Γ2  v2 : τ2 ∆  τ2 ξ
(Var) (MUnit) (MPair)
∆; •, x:τ  x : τ ∆; •   : ξ 1
∆; Γ  v1 , v2 : ξ (τ1
τ2 )

∆  ξ : QUAL ∆Γ ξ ∆; Γ, x:τ1  e : τ2 ∆  ξ : QUAL ∆Γ ξ ∆, α:κ; Γ  e : τ

(Fn) ξ
(All) ξ
∆; Γ  λx. e : (τ1
τ2 ) ∆; Γ  Λ. e : ∀α:κ. τ

∆  Γ ❀ Γ1  Γ2 ∆  Γ ❀ Γ1  Γ2
∆; Γ1  e1 : ξ 1
∆; Γ2  e2 : τ ∆; Γ1  e1 : ξ (τ1
τ2 ) ∆; Γ2 , x1 :τ1 , x2 :τ2  e2 : τ
(Let-MUnit) (Let-MPair)
∆; Γ  let  = e1 in e2 : τ ∆; Γ  let x1 , x2 = e1 in e2 : τ

∆  Γ ❀ Γ1  Γ2 ∆; Γ1  e1 : ξ (τ1
τ2 ) ∆; Γ2  e2 : τ1 ∆; Γ  e : ξ ∀α:κ. τ ∆ι:κ

(App) (Inst)
∆; Γ  e1 e2 : τ2 ∆; Γ  e [] : τ [ι/α]

∆  Γ ❀ Γ1  Γ2 ∆; Γ1  e : τ ∆  Γ2 A
(Weak)
∆; Γ  e : τ

Figure 3. λURAL Static Semantics (Typing Rules)

∆  Γ ❀ Γ1  Γ2 incorporated into the judgement ∆
Γ ❀ Γ1  Γ2 , which allows

an arbitrary number of U and R variables to be copied at once.
∆  Γ ❀ Γ1  Γ2 ∆τ :
∆  • ❀ • • ∆  Γ, x:τ ❀ Γ1 , x:τ  Γ2
3. λrefURAL : A Substructural λ-Calculus with
∆  Γ ❀ Γ1  Γ2 ∆τ : References
∆  Γ, x:τ ❀ Γ1  Γ2 , x:τ
Languages like Vault and Cyclone include objects that change state
∆  Γ ❀ Γ1  Γ2 ∆τ R
(e.g., file descriptors), so it is natural to include some stateful
values. We consider the difficult case of references, which can serve
∆  Γ, x:τ ❀ Γ1 , x:τ  Γ2 , x:τ as mutable containers for both functional values and stateful values.
Hence, we extend the λURAL -calculus with mutable references, to
Figure 5. λURAL Statics (Context Split Rules) yield the λrefURAL -calculus. The reference pre-type ref τ may be
combined with a qualifier ξ to yield the four sorts (U, R, A, L)
of references discussed earlier. We also introduce operations to
allocate (newq ) and deallocate (free) references, as well as to read
The rule (MPair) is representative: the context is split by  to (rd), write (wr), and swap (sw) their contents. Not all of these
type each of the pair components, and the types of each component operations can be safely performed with all sorts of references,
are bounded by the qualifier assigned to the pair. Intuitively, the as we discuss in Section 3.2. The syntactic extensions to support
L and A assumptions in the context are exclusively “owned” by references are as follows:
exactly one of the two components. Likewise, in the rule (Fn), the Type Level:
free variables of Γ, which constitute the closure of the function, PreTypes τ ::= . . . | ref τ
must be bounded by the qualifier assigned to the function. Note that
the qualifier assigned to a function type is unrelated to the types Expression Level:
of the argument and result; rather, it is related to the abstracted Locations l ∈ Locs
components that are used when the function is executed. Values v ::= ... | l
The rule (Weak) splits the context into a sub-context used to Expressions e ::= . . . | newq e | free e |
rd e | wr e1 e2 | sw e1 e2
type the expression e and a discardable sub-context, consisting of
U and A variables, that are not required to type the expression. Note
that the rule (Weak) acts as a strengthened Weakening property, 3.1 Operational Semantics
allowing an arbitrary number of U and A variables to be dropped Figure 6 gives the small-step operational semantics for λrefURAL
at once. The corresponding strengthened Contraction property is as a relation between configurations of the form (s, e), where

81
 Store s ::= {l1 → (q1 , v1 ), . . . , ln → (qn , vn )} Ref Ops Contents and Ops
8 U R A L
(let-munit) (s, let  =  in e) −→ (s, e) >
>
rd
>
newU wr
(let-mpair) (s, let x1 , x2 = v1 , v2 in e) −→
(s, e[v1 /x1 ][v2 /x2 ])
< U
(weak updates)
wr
sw

sw


(s, (λx. e) v) −→ (s, e[v/x])

shared
>
> rd
(app)
>
: R
newR
wr
rd wr
sw sw
sw
8
(weak updates)
(inst) (s, (Λ. e) []) −→ (s, e) sw
(new) (s, newq v) −→ (s  {l → (q, v)}, l) >
>
newA rd
>
wr
(free) (s  {l → (q, v)}, free l) −→ (s, v) < A free
(strong updates)
wr
sw

sw


(read) (s  {l → (q, v)}, rd l) −→

unique
>
> newL rd
(s  {l → (q, v)}, l, v ) >
: L free wr
rd wr
sw sw
sw
(strong updates) sw
(write) (s  {l → (q, v1 )}, wr l v2 ) −→
(s  {l → (q, v2 )}, l) Figure 7. Operations for Substructural State
(swap) (s  {l → (q, v1 )}, sw l v2 ) −→
(s  {l → (q, v2 )}, l, v1 )
The reader may well wonder why each reference is “stamped”
(s, e) −→ (s , e ) with a qualifier at its allocation when the remainder of the opera-
(ctxt)
(s, E[e]) −→ (s , E[e ]) tional rules are entirely agnostic with respect to a reference’s qual-
ifier. Essentially, the qualifier is a form of instrumentation, which,
Figure 6. λrefURAL Operational Semantics when combined with the semantic model presented in Section 4,
allows us to guarantee that linear and relevant references cannot be
implicitly discarded. Such a property is difficult to capture exclu-
sively in the operational semantics (i.e., by ensuring that the ab-
s is a global store mapping locations to qualifiers and values.3 stract machine “gets stuck” when a linear or relevant reference is
The notation s1 s2 denotes the disjoint union of the stores s1 implicitly dropped). On the other hand, the abstract machine does
and s2 ; the operation is undefined if the domains of s1 and s2 “get stuck” when attempting to access a reference after it has been
are not disjoint. We use evaluation contexts E (omitted in this deallocated.
presentation) to lift the primitive rewriting rules to a standard, left-
to-right, innermost-to-outermost, call-by-value interpretation of the 3.2 Static Semantics
language. As with the type system for λURAL , we would like the type system
Most of the rules are standard, so we highlight only those in-
for λrefURAL to ensure the property that no linear or affine value is
volving references. The expressions newq e and free e perform
implicitly duplicated and no linear or relevant value is implicitly
the complementary actions of allocating and deallocating mutable
discarded. With that in mind — and noting that only unrestricted
references in the global store. Specifically, the expression newq e
and relevant references may be implicitly copied (by the ∆

evaluates e to a value v, allocates a fresh (unallocated) location l
Γ ❀ Γ1  Γ2 judgement), while only unrestricted and affine
to store the qualifier q and value v, and returns l. The expression
references may be implicitly dropped (by the (Weak) rule) — we
free e performs the reverse: it evaluates e to a location l, deallo-
now answer the questions we laid out in Section 1: What operations
cates l, and returns the value previously stored at l.
may be safely performed with the different sorts of references?
The expressions for reading and writing a mutable reference
What combinations of sorts for a reference and its contents are
implicitly duplicate and discard (respectively) the contents of the
safe? These answers are summarized in Figure 7.
reference. The expression rd e evaluates e to a location l, duplicates
First, consider what it means to duplicate a reference. Opera-
the value v stored at l, and returns l, v, leaving the value stored at
tionally, a reference is a location in the global store. Therefore, du-
l unchanged. Meanwhile, wr e1 e2 evaluates e1 to a location l and
plicating an unrestricted or relevant reference l, simply yields two
e2 to value v2 , stores v2 at location l, discards the value previously
copies of l — while the value stored at l is not duplicated. Since
stored at l, and returns l.
duplicating a shared reference does not alter the uniqueness of its
In languages with only unrestricted (ML-style) references, it is
contents, it is not only reasonable but also extremely useful to al-
customary for rd to return only the contents of l and for wr to re-
low shared references to store unique values. In particular, it per-
turn . However, we do not wish to consider reading or writing a
mits the sharing of (large) unique data structures without expensive
linear (resp. affine) reference as the exactly-one-use (resp. at-least-
copying.
one-use) of the value. Therefore, the rd and wr (and sw) operations
On the other hand, dropping an unrestricted or affine reference l
return the location l that was read or written, which remains avail-
effectively drops its contents, since this reference may (must, in the
able for future use. The behavior of ML-style references may be
case of affine) have been the only copy of l. If the contents were a
recovered by implicitly discarding the returned location.
linear or relevant value, then the exactly-one-use and at-least-one-
The expression sw e1 e2 combines the operations of dereferenc-
use invariants (respectively) would be violated. Hence, we cannot
ing and updating a mutable reference, but has the attractive property
allow linear and relevant values (which cannot be discarded) to be
that it neither duplicates nor discards a value. Notice that perform-
stored in unrestricted or affine references (which can be discarded).
ing a write or swap operation on a location may change the type
Considering yet another axis, we note that linear and affine
of the location’s contents. The static semantics will permit weak
references must be unique. Hence, we can free unique references,
(type-invariant) updates on all references (with some additional
and also perform strong updates on them. Shared references, on the
caveats), but will restrict strong (type-varying) updates to unique
other hand, can never be deallocated and can only support weak
references.
updates.
As we noted above, the rd operator induces an implicit copy
3 We write squal (l) and sval (l) for the respective projections of s(l). while the wr operator induces an implicit drop. Therefore, whether

82
 ∆ι:κ
∆τ :
(RefPTy)
∆  ref τ :

∆; Γ  e : τ

q A ∆; Γ  e : τ ∆τ A R q ∆; Γ  e : τ
(New(U,A)) (New(R,L))
∆; Γ  newq e : q ref τ ∆; Γ  newq e : q ref τ

∆; Γ  e : ξ ref τ ∆A ξ ∆; Γ  e : ξ ref τ ∆τ R

(Free) (Read) L ξ
∆; Γ  free e : τ ∆; Γ  rd e : ( ref τ
τ )

∆  Γ ❀ Γ1  Γ2 ∆  Γ ❀ Γ1  Γ2
∆; Γ1  e1 : ξ ref τ1 ∆  τ1 A ∆A ξ ∆; Γ1  e1 : ξ ref τ ∆τ A
∆; Γ2  e2 : τ2 ∆  τ2 ξ ∆; Γ2  e2 : τ
(Write(Strong)) (Write(Weak))
∆; Γ  wr e1 e2 : ξ ref τ2 ∆; Γ  wr e1 e2 : ξ ref τ

∆  Γ ❀ Γ1  Γ2 ∆  Γ ❀ Γ1  Γ2
∆; Γ1  e1 : ξ ref τ1 ∆A ξ ∆; Γ1  e1 : ξ ref τ
∆; Γ2  e2 : τ2 ∆  τ2 ξ ∆; Γ2  e2 : τ
(Swap(Strong)) (Swap(Weak))
∆; Γ  sw e1 e2 : L (ξ ref τ2
τ1 ) ∆; Γ  sw e1 e2 : L (ξ ref τ
τ )

Figure 8. λrefURAL Static Semantics (Kinding and Typing Rules)

we can read from or write to a reference depends entirely on 4. A Step-Indexed Model

the qualifier of its contents: rd is permitted if the contents are
We prove the type soundness of λrefURAL in a manner similar to that
unrestricted or relevant (i.e., duplicable), wr is permitted if the
employed by Appel’s Foundational PCC project [6]. The technique
contents are unrestricted or affine (i.e., discardable). The operation
uses syntactic logical relations (that is, relations based on the op-
sw is permitted on any sort of reference, regardless of the qualifier
erational semantics) where relations are further refined by an index
of its contents. As noted above, strong writes and strong swaps,
that, intuitively, records the number of steps available for future
which change the type of the contents of the location, are only
evaluation. This stratification is essential for modeling the recur-
permitted on unique references.
sive functions (available via backpatching unrestricted references)
Figure 8 gives the additional typing rules for λrefURAL . We note and impredicative polymorphism present in the language.
that the typing rules for core λURAL terms remain unchanged. There
is no rule for locations, as locations are not allowed in the external
language. Also note that the (New) and (Free) rules act as the in- 4.1 Background: A Model of Unrestricted References
troduction and elimination rules for ξ ref τ types, while the (Read), Our model is based on the indexed model of ML-style references
(Write), and (Swap) rules maintain an exactly-one-use invariant on by Ahmed, Appel, and Virga [1, 4], henceforth AAV. In their
references by consuming a value of type ξ ref τ1 and by producing model, the semantic interpretation T τ  of a (closed) type τ is
a value of type ξ ref τ2 (possibly with τ1 = τ2 ). a set of triples of the form (k, Ψ, v), where, k is a natural number
Finally, we note that wr may be encoded using an explicit sw (called the approximation index or step index), Ψ is a (global) store
and an implicit drop:4 typing that maps locations to (the interpretation of) their designated
∆  Γ ❀ Γ1  Γ2 types, and v is a (closed) value. Intuitively, (k, Ψ, v) ∈ T τ 
∆; Γ1  e1 : ξ ref τ ∆τ A says that in any computation running for no more than k steps, v
∆; Γ2  e2 : τ cannot be distinguished from values of type τ . Furthermore, since
(Write(Weak)) dereferencing a location consumes an execution step, in order to
∆; Γ  wr e1 e2 : ξ ref τ
determine whether v has type τ for k steps it suffices to know the
def
= let r, x = sw e1 e2 in // using (Swap(Weak)) type of each store location for k − 1 steps; hence, Ψ need only
// drop x, noting ∆  τ A specify each location’s type to approximation k − 1. We use a
r similar indexing approach which is key to ensuring that our model
However, rd may not be encoded using an explicit sw and an is well-founded (as we shall demonstrate in Section 4.3).
implicit copy, as a suitable (discardable) dummy value cannot in
general be synthesized. 4.2 Towards a Model of λrefURAL
∆; Γ  e : ξ ref τ ∆τ R Aliasing and Ownership Though our model is similar to AAV,
(Read)
∆; Γ  rd e : L (ξ ref τ
τ ) the presence of shared and unique references places very differ-
def ent demands on the model, which we illustrate by considering
= let r, x = sw e ? in // where ∆; Γ  ? : τ
// copy x, noting ∆  τ R the interpretation of product types in various settings. In a lan-
let r, y = sw r x in // using (Swap(Weak)) guage with only unrestricted references (e.g. AAV), one would say
// drop y, but not necessarily ∆  τ A (k, Ψ, v1 , v2 ) ∈ T τ1
τ2  if and only if (k, Ψ, v1 ) ∈ T τ1 
r, x and (k, Ψ, v2 ) ∈ T τ2 , where the store typing Ψ describes every
location allocated by the program thus far. In this setting, every lo-
4 The encoding of a wr typed by the (Write(Strong)) rule makes use of the cation (in Ψ) may be aliased; hence, the model allows v1 and v2 to
same term, but an alternate typing derivation. point to data structures that overlap in the heap.

83
 x y x, y
{ CC y EE
}{{ C! y| y E"
l1 l1 l6

L l6 L L L
  
l2 ?? A l2 BB A 
??
? 
BB
BB 

l3 l3 U
U l3 U
  
l4 l4 A
A l4 A
  
l5 l5 A
A l5 A
(a) (k, Ψ, Ω1 , x) ∈ T τ1  (b) (k, Ψ, Ω2 , y) ∈ T τ2 
(c) Problem: Ω1  Ω2 = undefined

Figure 9. Unique References in Shared References: Aliased or Owned?

In a language with only linear references [23, 2], however, one the form (k, Ψ, Ω, Θ, v) where Ψ is as before, but now Ω describes
must ensure that the set of (linear) locations reachable from v1 is unique owned locations, (i.e., those reachable from v without in-
disjoint from the set of locations reachable from v2 . This mirrors directing through a shared reference), while Θ describes unique
the fact that we can only construct tree-like data structures in this aliased locations, (i.e., those that cannot be reached without indi-
setting. Furthermore, it guarantees the safety of strong updates recting through a shared cell). The intuition is that the interpretation
by providing a notion of exclusive ownership. Hence, to model of τ1
τ2 splits Ω into disjoint pieces for each component of the
a language with only linear references, it is useful to replace the pair, but allows each component to use Ψ and Θ unchanged.
global store description Ψ with a description of only the accessible This proposal, however, is fraught with complications. In par-
(reachable) locations in the store, say Ω. Intuitively, when we write ticular, whether a unique location belongs in Ω or Θ depends on
(k, Ω, v) ∈ T τ , we intend for Ω to describe only the subset of the configuration of the entire program, rather than just the type of
store locations that are accessible from, and hence, “owned” by v. the location. This limits the compositionality of the model. For in-
Thus, one would say (k, Ω, v1 , v2 ) ∈ T τ1
τ2  if and only if stance, consider l5 in Figure 9(c). Clearly l5 must appear in Θ as
(k, Ω1 , v1 ) ∈ T τ1  and (k, Ω2 , v2 ) ∈ T τ2 , where the Ω is the it is reachable from an unrestricted location. However, if locations
disjoint union of Ω1 and Ω2 . l1 , l2 , l3 , and l6 did not exist, then l5 could appear in Ω. In the next
For the λrefURAL -calculus, we tried to build a model that supports section, we propose a far simpler solution that we consider one of
both aliasing and ownership as follows. We defined the semantic the main technical contributions of our work.
interpretation of a type T τ  as the set of tuples of the form
(k, Ψ, Ω, v) where Ψ describes every U and R location allocated 4.3 A Model with Local Store Descriptions
by the program and Ω describes only those A and L locations that
In our model of the λrefURAL -calculus, the semantic interpretation
are reachable from (and owned by) v. The interpretation of τ1
τ2
of a type T τ  is a set of tuples of the form (k, q, ψ, v), where
then naturally yields: (k, Ψ, Ω, v1 , v2 ) ∈ T τ1
τ2  if and only
the local store description ψ describes only a part of the global
if (k, Ψ, Ω1 , v1 ) ∈ T τ1  and (k, Ψ, Ω2 , v2 ) ∈ T τ2 , where the
store. Intuitively, ψ is the set of “beliefs” about the locations that
Ω is the disjoint union of Ω1 and Ω2 .
appear as sub-expressions of the value v. Such locations are said to
Unfortunately, the above model did not suffice for λrefURAL ,
be directly accessible from the value v. Conversely, locations that
since it assumes that every unique location reachable from v is ex-
are indirectly accessible from the value v are those locations that
clusively owned by v, which is not the case when unique references
are reachable from v only by indirecting through one (or more)
may be stored in shared references.
references. The local store description ψ says nothing about these
indirectly-accessible locations. This enhances the compositionality
Unique References in Shared References: Aliased or Owned? of our model, making it straightforward to combine local store
Consider the situation depicted in Figure 9(a) where x maps to descriptions with one another.
l1 and locations l1 through l5 are reachable from x. Locations
“owned” by x are shaded. Notice that l1 and l2 are unique locations 4.3.1 Definitions
owned by x, while l4 and l5 are unique locations that x must
consider aliased, since they can be reached (from other program We use the meta-variable χ to denote sets of tuples of the form
subexpressions) via the unrestricted location l3 . Figure 9(b) depicts (k, q, ψ, v) and the meta-variable ψ to denote partial maps from
such a subexpression, y. Note that y maps to l6 whose contents locations l to tuples of the form (q, χ).5 When χ corresponds to the
alias l3 , making l4 and l5 reachable from y. semantic interpretation of a type and (k, q, ψ, v) ∈ χ, we intend
In λrefURAL we may safely construct the pair x, y (shown in that q is the qualifier of v, ψ is the local store description of v, and
Figure 9(c)), but the interpretation of τ1
τ2 that we proposed v is a closed value. When ψ corresponds to a local store description
above prohibits such a pair since locations l4 and l5 occur in both and ψ(l) = (q, χ), we intend that q is the qualifier of the reference
Ω1 and Ω2 , violating the requirement that their domains be disjoint. and χ is the semantic interpretation of the type of its contents.
To model the λrefURAL -calculus, we tried to further refine our
model so that the interpretation of a type T τ  is a set of tuples of 5 We write ψqual (l) and ψtype (l) for the respective projections of ψ(l).

84
 (a) PreType/Type Interpretation (Notation) χ ::= {(k, q, ψ, v), . . .}
Local Store Description (Notation) ψ ::= {l → (q, χ), . . .}

(b) CandAtom k
def
=
S
{(j, q, ψ, v) ∈ N × Quals × j<k CandLocalStoreDesc j × CValues |
j < k ∧ ψ ∈ CandLocalStoreDesc j }
def
CandUberType k = 2CandAtom k
def
CandLocalStoreDesc k = Locs  Quals × CandUberType k

CandAtom ω
def
=
S CandAtom k
CandUberType ω
def
=
k≥0

2CandAtom ω ⊇
S CandUberType
k

CandLocalStoreDesc ω
def
= Locs  Quals × CandUberType ω ⊇
Sk≥0 CandLocalStoreDesc
k≥0 k

def
(c) χk = {(j, q, ψ, v) | j < k ∧ (j, q, ψ, v) ∈ χ}
∈ CandUberType ω → CandUberType k

def
ψk = {l → (q, χk ) | l ∈ dom (ψ) ∧ ψ(l) = (q, χ)}
∈ CandLocalStoreDesc ω → CandLocalStoreDesc k

def
P(q, ψ) = ∀l ∈ dom(ψ). ψqual (l) q
∈ Quals × CandLocalStoreDesc ω → P

def
R(ψ) = ∀l ∈ dom (ψ). (ψqual (l) A ⇒ ∀( , q  , , ) ∈ ψtype (l). q  A)
∈ CandLocalStoreDesc ω → P

def
(d) Atom k = {(j, q, ψ, v) ∈ CandAtom k | ψ ∈ LocalStoreDesc j ∧ P(q, ψ)} ⊆ CandAtom k
def
PreType k = {χ ∈ 2Atom k | ∀(j, q, ψ, v) ∈ χ. ∀i ≤ j. (i, q, ψi , v) ∈ χ} ⊆ CandUberType k
def
Type k = {χ ∈ PreType k | ∃q  ∈ Quals. ∀( , q, , ) ∈ χ. q = q  } ⊆ CandUberType k
def
LocalStoreDesc k = {ψ ∈ Locs  Quals × Type k | R(ψ)} ⊆ CandLocalStoreDesc k

PreType
def
= {χ ∈ CandUberType ω | ∀k ≥ 0. χk ∈ PreType k } ⊇
S PreType
k

Type
def
= {χ ∈ CandUberType ω | ∀k ≥ 0. χk ∈ Type k } ⊇
Sk≥0 Type
k≥0 k

Figure 10. λrefURAL Model (Definitions)

Well-Founded & Well-Behaved Interpretations If we attempt to tion index j strictly less than k. Hence, our definitions are well-
naı̈vely construct a set-theoretic model based on these intentions, defined at k = 0:
we are led to specify: CandAtom 0 = ∅
CandUberType 0 = {∅}
Type = 2N×Quals×LocalStoreDesc×CValues CandLocalStoreDesc 0 = Locs  Quals × {∅}
LocalStoreDesc = Locs  Quals × Type
While our candidate sets establish the existence of sets of our in-
However, there is a problem with this specification: a simple di- tended form, our semantic interpretations will need to be well-
agonalization argument will show that the set Type of type inter- behaved in other ways. There are key constraints associated with
pretations has an inconsistent cardinality (i.e., it’s an ill-founded atoms, pre-types, types, and local store descriptions that will be en-
recursive definition). forced in our final definitions. Functions and predicates supporting
We can eliminate the inconsistency by stratifying our defini- these constraints are given in Figure 10(c).
tions, making essential use of the approximation index. To simplify For any set χ, we define the k-approximation of the set (written
the development, we first construct candidate sets, which are well- χ k ) as the subset of its elements whose indices are less than k; we
founded sets of our intended form. Next, we define some useful extend the notion pointwise to local store descriptions ψ (written
functions and predicates on these candidate sets. Finally, we con- ψ k ). Note that χ k and ψ k necessarily yield elements of
struct our semantic interpretations by filtering the candidate sets, CandUberType k and CandLocalStoreDesc k .
making use of the functions and predicates defined in the previous Figure 10(c) defines our semantic interpretations, again by
step. Our semantic interpretations impose a number of constraints (strong) induction on k. Note that our semantic interpretations can
(e.g., relating the qualifier of a reference to the qualifier of its con- be seen as filtering their corresponding candidate sets. Next, we
tents) that are ignored in the construction of the candidate sets. examine each of these filtering constraints.
Figure 10(b) defines our candidate sets by (strong) induction on Recall that we intend for Atom k to define tuples of the form
k. Note that elements of CandAtom k are tuples with approxima- (j, q, ψ, v) where q is the qualifier of v and ψ is the local store

85
 K QUAL = Quals K  = PreType K  = Type

T ∆  α : κ δ = δ(α)

T ∆  q : QUAL δ = q

T ∆  1
:  δ = {(k, q, {},  )}

T ∆  τ1
τ2 :  δ = {(k, q, ψ, v1 , v2 ) | ψ = (ψ1 k ψ2 ) ∧

(k, q1 , ψ1 , v1 ) ∈ T ∆  τ1 :  δ ∧ q1 q∧
(k, q2 , ψ2 , v2 ) ∈ T ∆  τ2 :  δ ∧ q2 q}

T ∆  τ1
τ2 :  δ = {(k, qc , ψc , λx. e) | ψc ∈ LocalStoreDesc k ∧ P(qc , ψc ) ∧

∀j < k, qa , ψa , va .
(j, qa , ψa , va ) ∈ T ∆  τ1 :  δ ∧ (ψc j ψa ) defined ⇒
Comp(j, (ψc j ψa ), e[va /x], T ∆  τ2 :  δ)}

T ∆  ∀α:κ. τ :  δ = {(k, q, ψ, Λ. e) | ψ ∈ LocalStoreDesc k ∧ P(q, ψ) ∧

∀j < k, I ∈ K κ .
Comp(j, ψj , e, T ∆, α:κ  τ :  δ[α → I])}

T ∆  ref τ :  δ = {(k, q, {l → (q, χ)}, l) | χ = T ∆  τ :  δk ∧

(q A ⇒ ∀( , q  , , ) ∈ χ. q  A)}
 
T ∆  ξτ : δ = {(k, q, ψ, v) | q = T ∆  ξ : QUAL δ ∧
(k, q, ψ, v) ∈ T ∆  τ :  δ}

def
Comp(k, ψs , es , χ) = ∀j < k, ss , ψr , sf , ef .
ss :k (ψs k ψr ) ∧ (ss , es ) −→j (sf , ef ) ∧ irred (sf , ef ) ⇒
∃qf , ψf .
sf :k−j (ψf k−j ψr ) ∧ (k − j, qf , ψf , ef ) ∈ χ

Figure 11. λrefURAL Model (Interpretations)

description of v. Filtering CandAtom k by the predicate P(q, ψ) Type respectively, while the interpretation of the kind QUAL is the
enforces the requirement that if v is a value with qualifier q, then set of (constant) qualifiers Quals.
each location directly accessible from v must have a qualifier q
Units: No Location Beliefs Consider the interpretation of the
such that q  q. We further require the local store description ψ to
pre-type 1
. Clearly, no locations appear as sub-expressions of the
be a member of LocalStoreDesc j .
value ; hence, the interpretation of 1
demands an empty local
We define PreType k as those χ ∈ 2Atom k ⊆ CandUberType k store description {}. Furthermore, the value  may be ascribed any
that are closed with respect to a decreasing step-index. We define qualifier q.
Type k by further requiring that all values in χ share the same quali-
fier. Looking ahead, we will need to extend our semantic interpreta- References: Single Location Beliefs Next, consider the interpre-
tions to a predicate Comp(k, ψ, e, T τ ), where e is a (closed) ex- tation of the pre-type ref τ . From the value l, the only directly-
pression. Intuitively, an expression e that is indistinguishable from accessible location is l itself. Hence, the local store description ψ
a value of type τ for k steps must also be indistinguishable for for the location l in the interpretation of ref τ must take the form
j < k steps. Since we will define the predicate Comp(·, ·, ·, ·) on {l → (q, χ)}. Furthermore, χ, the semantic interpretation of the
elements of Type, we incorporate this closure property into the de- type of l’s contents, must match T τ .
finition of PreType k . Figure 12 graphically depicts the local store description ψ =
Finally, we define LocalStoreDesc k using the predicate R(ψ), {l → (q, T τ )} (slightly abusing notation in the interest of
which requires that every unrestricted or affine location in ψ is brevity). Our intention is to express the idea that ψ “believes” that l
mapped to a type with only unrestricted and affine values. The is allocated with qualifier q and contents of type τ , but ψ “believes”
predicate R(ψ) disallows relevant or linear values as the contents nothing about any other location in the store, represented by “?”.
of unrestricted or affine locations (recall Figure 7).
(k, q, ψ = {l → (q, T τ )}, l) ∈ T ref τ 
4.3.2 Semantic Interpretations ψ
Figure 11 gives our semantic interpretation of kinds K κ, quali- ? ? ?
fiers T q, pre-types T τ , and types T τ .6 The interpretation _ _ _ _ _ _ 
of the kinds  and  are the semantic interpretations PreType and ?  l → (q, T τ )  ?
_ _ _ _ _ _
? ? ?
6 Since our language supports polymorphic types, we must give the inter-
pretations of type-level terms with free variables. While, technically, we Figure 12. A Local Store Description in T ref τ 
should write T ∆  ι : κ δ, where the substitution δ is in the interpreta-
tion of the term context ∆ (see D ∆ in Figure 17), we will use the more Note that the definition of T ref τ  requires that if l is an
concise notation T ι in the text. unrestricted or affine location, then χ should never contain local

86
 8
>
> {l → ψ1 k (l) | l ∈ dom (ψ1 ) ∩ dom (ψ2 )} if ∀l ∈ dom(ψ1 ) ∩ dom (ψ2 ). ψ1 k (l) = ψ2 k (l)
def
<  {l → ψ1 k (l) | l ∈ dom(ψ1 ) \ dom (ψ2 )} and ∀l ∈ dom (ψ1 ). A ψ1qual (l) ⇒ l ∈/ dom(ψ2 )
ψ1 k ψ2 =  {l → ψ2 k (l) | l ∈ dom(ψ2 ) \ dom (ψ1 )}
>
>
and ∀l ∈ dom (ψ2 ). A ψ2qual (l) ⇒ l ∈/ dom(ψ1 )
: undefined otherwise

Figure 13. λrefURAL Model (Join Partial Function)

(a) (k, q1 , ψ1 = {l1 → (q1 , T τ1 )}, l1 ) ∈ T q1 ref τ1 

(k, q2 , ψ2 = {l2 → (q2 , T τ2 )}, l2 ) ∈ T q2 ref τ2 

ψ1  ψ2 _ _ _ _ _ _ _ 
ψ1 _ _ _ _ _ _ _  ψ2
?  l1 → (q1 , T τ1 )  J ? ? ?  l1 → (q1 , T τ1 ) 
_ _ _ _ _ _ _ _ _ _ _ _ _ _  =
_ _ _ _ _ _ _  _ _ _ _ _ _ _
? ?  l2 → (q2 , T τ2 )  ?  l2 → (q2 , T τ2 )  ?
_ _ _ _ _ _ _ _ _ _ _ _ _ _
 
(b) (k, U, ψ1 = {l → (U, T τ )}, l) ∈ T U ref τ 
(k, U, ψ2 = {l → (R, T τ  )}, l) ∈ T R ref τ 

ψ1 _ _ _ _ _ _  ψ1 _ _ _ _ _ _  ψ1 _ ψ_1 _ _ _ _ 
?  l → (U, T τ )  J ?  l → (U, T τ )  ?  l → (U, T τ ) 
_ _ _ _ _ _ _ _ _ _ _ _ = _ _ _ _ _ _
? ? ? ? ? ?

ψ1 _ _ _ _ _ _  ψ2 _ _ _ _ _ _ 
?  l → (U, T τ )  J ?  l → (R, T τ  ) 
_ _ _ _ _ _ _ _ _ _ _ _ = undefined
? ? ? ?
 
(c) (k, L, ψa = {l1 → (U, T τ1 ), l2 → (L, T τ2 ), va = l1 , l2 ) ∈ T  L (U ref τ1
L ref τ2 )
(k, L, ψb = {l1 → (U, T τ1 ), l3 → (L, T τ3 ), vb = l1 , l3 ) ∈ T L (U ref τ1 
L ref τ3 )
(k, L, ψc = {l3 → (L, T τ3 ), vc = l3 ,  ) ∈ T L (L ref τ3
U 1
)

ψa _ _ _ _ _ _  ψb _ _ _ _ _ _  ψa  ψb _ _ _ _ _ _ 
?  l1 → (U, T τ1 )  J ?  l1 → (U, T τ1 )  ?  l1 → (U, T τ1 ) 
_ _ _ _ _ _  _ _ _ _ _ _ __ __ __ __ __ __ =
_ _ _ _ _ _  __ __ __ __ __ __
 l2 → (L, T τ2 )  ? ?  l3 → (L, T τ3 )   l2 → (L, T τ2 )   l3 → (L, T τ3 ) 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
ψb _ _ _ _ _ _  ψc
?  l1 → (U, T τ1 )  J ? ?
__ __ __ __ __ __ _ _ _ _ _ _  = undefined
?  l3 → (L, T τ3 )  ?  l3 → (L, T τ3 ) 
_ _ _ _ _ _ _ _ _ _ _ _
Figure 14. ψ1  ψ2 Examples

store descriptions that include relevant or linear locations; i.e., the First, we require that for any location l that is described by both
definition of T ref τ  incorporates the predicate R(·) specialized ψ1 and ψ2 , it must be the case that ψ1 and ψ2 have identical beliefs
to {l → (q, χ)}. about l to approximation k. Note that ψ1 and ψ2 must agree on
both the qualifier of the location as well as the type of the location’s
Pairs: Compatible Location Beliefs A pair v1 , v2  (such that contents (see Figure 14(b)).
(k, q1 , ψ1 , v1 ) ∈ T τ1  and (k, q2 , ψ2 , v2 ) ∈ T τ2 ) is in the The second requirement is more subtle, having to do with the
interpretation of τ1
τ2 if and only if the pair is ascribed a qualifier notion of directly-accessible locations. Suppose that l3 is a linear
greater than that of its components and the two sets of beliefs or affine location mapped by ψb . Therefore, a value vb with local
about the store, ψ1 and ψ2 , can be combined into a single set of store description ψb must contain l3 as a sub-expression. Since l3 is
beliefs sufficient for safely executing k steps (written ψ1 k ψ2 , see linear or affine, this occurrence of l3 in the value vb must be the one
Figure 13). Informally, local store descriptions can be combined (and only) occurrence of l3 in the entire program state. Now, sup-
only if they are compatible; that is, if the beliefs in one local pose that l3 is also in the domain of a local store description ψc . As
store description do not contradict the beliefs in the other store before, a value vc with local store description ψc must contain l3 as
description. a sub-expression. If we were to attempt to form the value vb , vc ,
Clearly, if ψ1 and ψ2 have disjoint sets of beliefs about the store, then we would have a value with two distinct occurrences of l3 ,
then ψ1 k ψ2 is defined and equal to the union of their beliefs (see violating the uniqueness of the location l3 . Hence, we consider ψb
Figure 14(a)). In the more general case, where the same location and ψc to represent incompatible (contradictory) beliefs about the
may be found in the domain of both ψ1 and ψ2 , there are two current store (see Figure 14(c)).
requirements enforced by the definition of ψ1 k ψ2 .

87
Functions & Abstractions: Closure Location Beliefs Since D • = {∅}
functions and abstractions are suspended computations, their in- D ∆, α:κ = {δ[α → I] | δ ∈ D ∆ ∧ I ∈ K κ}
terpretations are given in terms of the interpretation of types as
computations (see below). A function λx. e with qualifier qc and G ∆  • δ = {(k, q, {}, ∅)}
local store description ψc (where ψc describes the locations di- G ∆  Γ, x:τ  δ =
{(k, q, ψ, γ[x → v]) |
rectly accessible from the function’s closure and, hence, must sat- ψ = (ψΓ k ψx ) ∧
isfy P(qc , ψc )) is in the interpretation of τ1
τ2 for k steps if, at (k, qΓ , ψΓ , γ) ∈ G ∆  Γ δ ∧ qΓ q ∧
some point in the future, when there are j < k steps left to execute, (k, qx , ψx , v) ∈ T ∆  τ :  δ ∧ qx q}
and there is an argument va such that (j, , ψa , va ) ∈ T τ1  and
the beliefs ψc and ψa are compatible, then e[va /x] looks like a def
∆; Γ  e : τ  =
computation of type τ2 for j steps. The interpretation of ∀α:κ. τ is ∀k ≥ 0. ∀δ, qΓ , ψΓ , γ.
analogous, except that we quantify over (type-level term) interpre- δ ∈ D ∆ ∧ (k, qΓ , ψΓ , γ) ∈ G ∆  Γ δ ⇒
tations I ∈ K κ. Comp(k, ψΓ , γ(e), T ∆  τ :  δ)
Store Satisfaction: Tracing Location Beliefs The interpretation
of types as computations (Comp) makes use of an auxiliary relation Figure 17. λrefURAL Model (Additional Interpretations)
s :k ψ (given in Figure 15), which says that the store s satisfies
local store description ψ (to approximation k). We motivate the hold. First, ef must be a value with a qualifier qf and a set of
definition of s :k ψ by drawing an analogy with the specification beliefs ψf such that (k − j, qf , ψf , ef ) ∈ χ. Second, the following
of a tracing garbage collector (see Figure 16). As described above, two sets of beliefs must be compatible: ψf (what ef believes) and
ψ corresponds to (beliefs about) the portion of the store directly ψr (what the rest of the computation believes — note that these
accessible from a value (or multiple values, when ψ corresponds beliefs remain unchanged). Third, the final store sf must satisfy
to k -ed store descriptions). Hence, we can consider dom(ψ) as the combined set of these beliefs.
a set of root locations. In the definition of s :k ψ, S corresponds Note that since ψr is an arbitrary set of beliefs compatible
to the set of reachable (root and non-root) locations in the store with ψs , one instantiation of ψr is the local store description that
that would be discovered by the garbage collector. The function includes all of the shared locations of ψs . By requiring that ψf and
Fψ maps each location in S to a local store description, while the sf are compatible with ψr , we ensure that the types and qualifiers
function Fq maps each location to a qualifier. It is our intention that, and allocation status of shared locations are preserved.
for each location l, Fq (l) is an appropriate qualifier and Fψ (l) is
an appropriate local store description for the value sval (l). Hence, Judgements: Type Soundness Finally, the semantic interpreta-
we can consider dom(Fψ (l)) as the set of child locations traced tion of a typing judgement ∆; Γ
e : τ  (see Figure 17) asserts
from the contents of l. that for all k ≥ 0, if δ is a mapping from type-level variables to an
Having chosen the set S and the functions Fψ and Fq , we element of the appropriate kind interpretation, and γ is a mapping
require that they satisfy three criteria. The congruity criteria en- from variables to closed values, and ψΓ is a local store description
sures that our choices are both internally consistent and consistent for the values in the range of γ, then (k, ψΓ , γ(e)) is in the inter-
with the store s. The “global” store description ψ∗ combines the pretation of τ as a computation (Comp(k, ψΓ , γ(e), T τ )).
local store descriptions of the roots with the local store descrip- Our extended technical report [3] gives the proof of the follow-
tions of the contents of every reachable location; the implicit re- ing theorem which shows the soundness of the λrefURAL typing rules
quirement that ψ∗ is defined ensures that the local beliefs of the with respect to the model.
roots and individual store contents are all compatible. The clause T HEOREM 1. (λrefURAL Soundness)
dom(ψ∗ ) = S requires that S and Fψ are chosen such that
S includes all the reachable locations (and not just some of the If ∆; Γ
e : τ , then ∆; Γ
e : τ .
reachable locations), while the clause dom(s) ⊇ S requires that An immediate corollary is type-safety of λrefURAL . Another in-
all of the reachable locations are actually in the store. Finally, teresting corollary is that if we evaluate a closed, well-typed term
(j, Fq , Fψ (l) j , sval (l)) ∈ ψ∗type (l) k ensures that the contents of base type (e.g., q 1
) to a value, then the resulting store will have
of l, with the qualifier assigned by Fq and local store description no linear or relevant references.
assigned by Fψ , is in the type assigned by the global store descrip-
tion ψ∗ (for j < k steps). C OROLLARY 2. (λrefURAL Safety)
The minimality criteria ensures that our choice for the set S does If •; •
e1 : τ and ({}, e1 ) −→∗ (s2 , e2 ),
not contain any locations not reachable from the roots. For exam- then either ∃v2 . e2 ≡ v2 or ∃s3 , e3 . (s2 , e2 ) −→ (s3 , e3 ).
ple, in Figure 16, including l11 in S would not violate congruity,
but would violate minimality. Finally, the reachability criteria en- C OROLLARY 3. (λrefURAL Collection)
sures that every linear and relevant location is reachable from the If •; •
e1 : q 1
and ({}, e1 ) −→∗ (s2 , v2 ),
roots (and, hence, has not been implicitly discarded).
then ∀l ∈ dom(s2 ). squal
2 (l)  A.
Computations: Relating Current to Future Beliefs Informally, Proof (λrefURAL Safety)
the interpretation of types as computations Comp(k, ψs , es , χ) (see
Figure 11) says that if the expression es (with beliefs ψs , again, Suppose •; •
e1 : τ and ({}, e1 ) −→∗ (s2 , e2 ).
corresponding to the locations appearing as sub-expressions of es ) If ¬irred (s2 , e2 ), then ∃s3 , e3 . (s2 , e2 ) −→ (s3 , e3 ).
reaches an irreducible state in less than k steps, then it must have If irred (s2 , e2 ), then ∃i. ({}, e1 ) −→i (s2 , e2 ).
reduced to a value vf (with beliefs ψf ) that belongs to the type Theorem 1 applied to •; •
e1 : τ yields •; •
e1 : τ .
interpretation χ. More precisely, we pick a starting store ss such •; •
e1 : τ  instantiated with i + 1 ≥ 0, ∅ ∈ D •,
that ss :k (ψs k ψr ), where ψr is the set of beliefs about the and (i + 1, U, {}, ∅) ∈ G • ∅
store held by the rest of the computation (alternatively, the set of yields Comp(i + 1, {}, e1 , T •
τ :  ∅).
beliefs held by es ’s continuation). If (ss , es ) steps to an irreducible Comp(i+1, {}, e1 , T •
τ :  ∅) instantiated with i < i+1,
configuration (sf , ef ) in j < k steps, then the following conditions s1 :i+1 ({} i+1 {}), ({}, e1 ) −→i (s2 , e2 ),

88
 def
s :k ψ = ∃S : 2Locs .
∃Fψ : S → LocalStoreDesc.
∃Fq : S → Quals.
J F (l)) in 9
let ψ∗ = (ψ k l∈S k ψ >
>
dom (ψ∗ ) = S ∧ dom(s) ⊇ S ∧ =
∀l ∈ S.
∀j < k. (j, Fq (l), Fψ (l)j , sval (l)) ∈ ψ∗type (l)k ∧
>
>
congruity
;
squal (l) = ψ∗type (l) ∧ 
∀S † ⊆ S.
minimality
dom (ψ) ⊆ S † ∧ (∀l ∈ S † . dom(Fψ (l)) ⊆ S † ) ⇒ S = S † ∧
∀l ∈ dom (s).

reachability
R squal (l) ⇒ l ∈ S

Figure 15. λrefURAL Model (Store Satisfaction)

s _ _ _ _ _ _ _ 
ψ
l0 → (q0 , v0 ) / l4 → (q4 , v4 ) / l7 → (q7 , v7 ) l11 → (q11 , v11 )  l0 → (q0 , T τ0 )  ? ? ?
GF GF _ _ _ _ _ _ _
BC  BC  _ _ _ _ _ _ _ 
l1 → (q1 , v1 ) l5 → (q5 , v5 ) l8 → (q8 , v8 ) l12 → (q12 , v12 )
U  l1 → (q1 , T τ1 )  ? ? ?
_ _ _ _ _ _ _
:
_ _ _ _ _ _ _ 
l2 → (q2 , v2 ) BC / l9 → (q9 , v9 ) l13 → (q13 , v13 )  l2 → (q2 , T τ2 )  ? ? ?
GF U _ _ _ _ _ _ _
GF
 BC   _ _ _ _ _ _ _ 
l3 → (q3 , v3 ) / l6 → (q6 , v6 ) l10 → (q10 , v10 ) l14 → (q14 , v14 )  l3 → (q3 , T τ3 )  ? ? ?
_ _ _ _ _ _ _
s_: ψ_ _ _ _ _ _ _  _ _ _ _ _ _ _ _  _ _ _ _ _ _ _ _ 
 l0 → (q0 , v0 : T τ0 )  / l4 → (q4 , v4 : T τ4 )  / l7 → (q7 , v7 : T τ7 )  l11 → (q11 , v11 )
_ _ _ _ _ _ _ _ GF _ _ _ _ _ _ _ _ GF _ _ _ _ _ _ _ _

_ _ _ _ _ _ _ _ BC  _ _ _ _  _ _ _ _ BC  _ _ _ _  _ _ _ _ 
 l1 → (q1 , v1 : T τ1 )   l5 → (q5 , v5 : T τ5 )   l8 → (q8 , v8 : T τ8 )  l12 → (q12 , v12 )
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ U

_ _ _ _ _ _ _ _  _ _ _ _ _ _ _ _ 
≡  l2 → (q2 , v2 : T τ2 )  BC / l9 → (q9 , v9 : T τ9 )  l13 → (q13 , v13 )
_ _ _ _ _ _ _ _ GF _ _ _ _ _U _ _ _
GF
_ _ _ _  _ _ _ _  _ _ _ _ _ _ _ _ BC  _ _ _ _ _ _ _ _ _ _  
 l3 → (q3 , v3 : T τ3 )  / l6 → (q6 , v6 : T τ6 )   l10 → (q10 , v10 : T τ10 )  l14 → (v14 , v14 )
|_ _ _ _{z_ _ _ _} _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
dom (ψ)
| {z }
dom(ψ∗ ) = S

where
Fψ (l1 ) Fψ (l5 ) _ _ _ _ _ _ _ 
_ _ _ _ _ _ _ 
?  l4 → (q4 , T τ4 )  ? ? ? ?  l7 → (q7 , T τ7 )  ?
_ _ _ _ _ _ _ _ _ _ _ _ _ _

? ? ? ? ? ? ? ?
etc.

? ? ? ? ? ? ? ?

_ _ _ _ _ _ _ 
? ? ? ?  l3 → (q3 , T τ3 )  ? ? ?
_ _ _ _ _ _ _
Figure 16. s : ψ Example

89
 and irred (s2 , e2 ) an inclusion interpretation of subtyping. Finally, a (well-founded)
yields q2 and ψ2 such that s2 :1 (ψ2 1 {}) set-theoretic model means that soundness and safety proofs are
and (1, q2 , ψ2 , e2 ) ∈ T •
τ :  ∅. amenable to formalization in the higher-order logic of FPCC.
Recall that T •
τ :  ∅ ∈ Type While we are partial to the step-indexed approach, we acknowl-
and Type ⊆ CandUberType ω = 2CandAtom ω . S
Hence, (1, q2 , ψ2 , e2 ) ∈ CandAtom ω = k≥0 CandAtom k ,
edge that there is no fundamental difficulty in adopting a purely
syntactic approach to proving the type soundness of substructural
which implies that e2 ∈ CValues and ∃v2 . e2 ≡ v2 . "
# state. However, we believe that any proof of type soundness must
adopt many of the insights presented here. For example, we conjec-
Proof (λrefURAL Collection) ture that the typing rule for well-typed configurations would natu-
Suppose •; •
e1 : q 1
and ({}, e1 ) −→∗ (s2 , v2 ). rally take the form:
By the reasoning above, (1, q2 , ψ2 , v2 ) ∈ T •
q 1
:  ∅, Kl∈S
ψ∗ = ψ  Fψ (l)
which implies that q2 = q, ψ2 = {}, and v2 = .
dom (ψ∗ ) = S dom(s) ⊇ S
Recall that s2 :1 ({} 1 {}) ≡ s2 :1 {} ≡ ∃S, Fψ , Fq . . . ..
∀l ∈ S. ·; ·; Fψ (l)  sval (l) : ψ∗type (l) ∧
The minimality criteria of s2 :1 {} instantiated with ∅ ⊆ S,
dom({}) ⊆ ∅, and (∀l ∈ ∅. dom(Fψ (l)) ⊆ ∅) squal (l) = ψ∗qual (l)
yields S = ∅. s:ψ ·; ·; ψ  e : τ
The reachability criteria of s2 :1 {}  (s, e) : τ
yields ∀l ∈ dom(s2 ). R  squal 2 (l) ⇒ l ∈ ∅, Note that the judgement
s : ψ mirrors the store satisfaction pred-
which implies ∀l ∈ dom(s2 ). squal 2 (l)  A. #
" icate given in Figure 15. The store typing component complicates
the judgement ∆; Γ; ψ
e : τ , which must further rely upon an
4.4 Discussion operator ψ1  ψ2 = ψ to split the locations in ψ between the store
A key difference in the model presented here, as compared to previ- typings ψ1 and ψ2 . Splitting the store typing is necessary to ensure
ous models of mutable state, is the localization of the store descrip- that a given unique location is used by at most one sub-expression.
tion. Recall that we identify the local store description of a value The  operator in the syntactic approach would need to satisfy
with those locations that are directly accessible from the value. This many of the same properties as the k operator in the step-indexed
is in contrast to the AAV model of unrestricted references [1, 4], approach (e.g., identical beliefs about locations in the common do-
where the global store description of any value describes every lo- main and no unique locations in the common domain).
cation that has been allocated. It is also in contrast to our previous
model of linear references [23, 2], where the store description of a
value describes the reachable locations from that value. 5. Related Work
The transition from a global store description to a local store de- Our λURAL is most directly influenced by the presentation of sub-
scription is motivated by the insight that storing a unique object in structural type systems by Walker [30], which in turn draws upon
a shared reference “hides” the unique object in some way. Note that the work of Wansbrough and Peyton-Jones [33] and Walker and
the shared reference must mediate all access to the unique object. Watkins [32]. Relative to that work, we have added both relevant
The authors have found it hard to construct a model where the store and affine qualifiers, which is necessary to account for the var-
description of a value (in the interpretation of a type) describes the ied forms of linearity found in higher-level programming-language
entire store or even the store reachable from the value. When one proposals.
attempts to describe the entire store, there is a difficulty identify- A related body of work is that on type systems used to track
ing where the “real” occurrence of a unique location is to be found. resource usage [28, 22, 33, 21, 16, 19]. We note that the usage
When one attempts to describe the reachable store, there is a diffi- subsumption found in these systems (e.g., a “possibly used many
culty defining the  relation; it cannot be defined point-wise, and times” variable may be subsumed to appear in a context requiring
one is required to formally introduce the notions of directly- and a “used exactly once” value) is not applicable in our setting (e.g., it
indirectly-accessible locations. Furthermore, the reachable store is is clearly unsound to subsume U ref τ to L ref τ ), due to differences
a property of the actual store, not of the type; hence, it seems bet- in the interpretation of type qualifiers.
ter to confine reachability to the store satisfaction relation. We fur- Section 1 noted a number of projects that have introduced some
ther note that the model of mutable references given in this paper form of linearity to “tame” state. An underlying theme is that
subsumes the models of mutable references cited above. Hence, linearity and strong updates can be used to provide more effective
the technique of localizing the store description subsumes the tech- memory management (c.f. [10, 18, 9, 8]).
niques used by previous approaches. More recent research has explored other ways in which unique
Although our model of substructural references is different from and shared data may be mixed. For example, Cyclone’s alias
the previous model of unrestricted references, our model retains the construct [17] takes a unique pointer and returns a shared pointer
spirit of the step-indexed approach used in Foundational PCC [6, 7] to the same object, which is available for a limited lexical scope.
and may be applicable in future extensions of FPCC. This ap- Vault’s focus and CQuals’s restrict constructs [14, 5] provide
proach, in which the model mixes denotational and operational the opposite behavior: temporarily giving a linear view of an object
semantics, offers a number of distinct advantages over a purely of shared type. Both behaviors are of great practical significance.
syntactic approach to type soundness. One obvious advantage of Our model’s semantic interpretations seem strongly related to
this approach is that it gives rise to a simpler set of typing rules; the logic of Bunched Implications (BI) [20] and Reynolds’ separa-
note that our typing judgement requires neither a store description tion logic [25]. In particular, our interpretation of
and
resem-
component nor a rule for locations. A less obvious advantage of ble the resource semantics for the ∗ and −∗ connectives in BI.
this approach is that it gives rise to stronger meta-theoretic results. Finally, Boyland and Retert have recently proved the soundness
For example, the impredicative polymorphism of λrefURAL implies a of a variation of Vault by giving an operational semantics of “adop-
strong parametricity theorem: an element of T ∀α:  . τ  behaves tion” [11]. The authors note that adoption may be used to embed
uniformly on all elements of Type, which includes elements that do a unique pointer within another object; their notion of uniqueness
not correspond to the interpretation of any syntactic type. This ap- most closely resembles our affine references, as access keys may
proach also naturally extends to union and intersection types and to be dropped.

90
6. Conclusion and Future Work [13] Robert DeLine and Manuel Fähndrich. Enforcing high-level protocols
in low-level software. In Proc. Programming Language Design and
We have presented the λ refURAL
-calculus, a substructural polymor- Implementation (PLDI), pages 59–69, June 2001.
phic λ-calculus with mutable references of unrestricted, relevant,
[14] Manuel Fähndrich and Robert DeLine. Adoption and focus: Practical
affine, and linear sorts. We motivated the design decisions, gave linear types for imperative programming. In Proc. Programming
a type system, and constructed a step-indexed model of λrefURAL , Language Design and Implementation (PLDI), pages 13–24, June
where types are interpreted as sets of store description / value pairs, 2002.
which are further refined using an index representing the number of [15] Jean-Yves Girard. Linear logic. Theoretical Computer Science,
steps available for future evaluation. 50:1–102, 1987.
In previous work [23, 2], we separated the typing components [16] Jörgen Gustavsson and Josef Svenningsson. A usage analysis with
of a mutable object into two pieces: an unrestricted pointer to the bounded usage polymorphism and subtyping. In Proc. International
object and a linear capability for accessing the contents of the Workshop on Implementation of Functional Languages (IFL), pages
object. We believe that we can extend the current language and 140–157, September 2001.
model in the same way. The advantage of this approach is that [17] Michael Hicks, Greg Morrisett, Dan Grossman, and Trevor Jim.
separating the name of a reference from what it currently holds Experience with safe manual memory-management in Cyclone. In
gives us a model of alias types [27, 31]. Proc. International Symposium on Memory Management (ISMM),
As noted in the previous section, allowing a unique pointer to pages 73–84, October 2004.
be temporarily treated as shared (and vice versa) can be useful [18] Martin Hofmann. A type system for bounded space and functional
in practice. Understanding how to model these advanced features in-place update. In Proc. European Symposium on Programming
is a long-term goal of this research. A promising aproach is to (ESOP), pages 165–179, March 2000.
model regions as a linear capability to access objects in the region [19] Atsushi Igarashi and Naoki Kobayashi. Resource usage analysis. In
and allow changes in reference qualifiers to be mediated by this Proc. ACM Principles of Programming Languages (POPL), pages
331–342, January 2002.
capability.
[20] Samin Ishtiaq and Peter O’Hearn. BI as an assertion language
for mutable data structures. In Proc. Principles of Programming
Languages (POPL), pages 14–26, January 2001.
Acknowledgments [21] Naoki Kobayashi. Quasi-linear types. In Proc. Principles of
We would like to thank Dan Grossman, Aleks Nanevski, and Dan Programming Languages (POPL), pages 29–42, January 1999.
Wang for their helpful comments. [22] Torben Æ. Mogensen. Types for 0, 1 or many uses. In Proc.
International Workshop on Implementation of Functional Languages
(IFL), pages 112–122, 1998.
[23] Greg Morrisett, Amal Ahmed, and Matthew Fluet. L3 : A linear
References language with locations. In Proc. International Conference on Typed
[1] Amal Ahmed, Andrew W. Appel, and Roberto Virga. An indexed Lambda Calculi and Applications (TLCA), pages 293–307, April
model of impredicative polymorphism and mutable references. 2005.
Available at http://www.cs.princeton.edu/~ appel/papers/ [24] Peter W. O’Hearn and John C. Reynolds. From Algol to polymorphic
impred.pdf, January 2003. linear lambda-calculus. Journal of the ACM, 47(1):167–223, 2000.
[2] Amal Ahmed, Matthew Fluet, and Greg Morrisett. L3 : A linear [25] John C. Reynolds. Separation Logic: A Logic for Shared Mutable
language with locations. Technical Report TR-24-04, Harvard Data Structures. In Proc. Logic in Computer Science (LICS), pages
University, October 2004. 55–74, July 2002.
[3] Amal Ahmed, Matthew Fluet, and Greg Morrisett. A step-indexed [26] Sjaak Smetsers, Erik Barendsen, Marko C. J. D. van Eekelen, and
model of substructural state. Technical Report TR-16-05, Harvard Rinus J. Plasmeijer. Guaranteeing safe destructive updates through
University, July 2005. a type system with uniqueness information for graphs. In Dagstuhl
[4] Amal Jamil Ahmed. Semantics of Types for Mutable State. PhD Seminar on Graph Transformations in Computer Science, volume
thesis, Princeton University, 2004. 776 of Lecture Notes in Computer Science, pages 358–379. Springer-
[5] Alex Aiken, Jeffrey S. Foster, John Kodumal, and Tachio Terauchi. Verlag, 1994.
Checking and inferring local non-aliasing. In Proc. Programming [27] Fred Smith, David Walker, and Greg Morrisett. Alias types. In Proc.
Language Design and Implementation (PLDI), pages 129–140, June European Symposium on Programming (ESOP), pages 366–381,
2003. March 2000.
[6] Andrew W. Appel. Foundational proof-carrying code. In Proc. Logic [28] David N. Turner, Philip Wadler, and Christian Mossin. Once upon
in Computer Science (LICS), pages 247–258, June 2001. a type. In Proc. Functional Programming Languages and Computer
[7] Andrew W. Appel and David McAllester. An indexed model Architecture (FPCA), pages 1–11, June 1995.
of recursive types for foundational proof-carrying code. ACM [29] Philip Wadler. Linear types can change the world! In Programming
Transactions on Programming Languages and Systems, 23(5):657– Concepts and Methods, April 1990. IFIP TC 2 Working Conference.
683, September 2001. [30] David Walker. Substructural type systems. In Benjamin Pierce, editor,
[8] David Aspinall and Adriana Compagnoni. Heap bounded assembly Advanced Topics in Types and Programming Languages, chapter 1,
language. Journal of Automated Reasoning, 31:261–302, 2003. pages 3–43. MIT Press, Cambridge, MA, 2005.
[9] David Aspinall and Martin Hofmann. Another type system for [31] David Walker and Greg Morrisett. Alias types for recursive data
in-place update. In Proc. European Symposium on Programming structures. In Proc. Workshop on Types in Compilation (TIC), pages
(ESOP), pages 36–52, March 2002. 177–206, September 2000.
[10] Henry Baker. Lively linear LISP—look ma, no garbage. ACM [32] David Walker and Kevin Watkins. On regions and linear types. In
SIGPLAN Notices, 27(8):89–98, 1992. Proc. International Conference on Functional Programming (ICFP),
[11] John Tang Boyland and William Retert. Connecting effects and pages 181–192, September 2001.
uniqueness with adoption. In Proc. Principles of Programming [33] Keith Wansbrough and Simon Peyton-Jones. Once upon a polymor-
Languages (POPL), pages 283–295, January 2005. phic type. In Proc. Principles of Programming Languages (POPL),
[12] James Cheney and Greg Morrisett. A linearly typed assembly pages 15–28, January 1999.
language. Technical Report 2003-1900, Department of Computer
Science, Cornell University, 2003.

91