TYPES
ARE NOT
SETS*
James
H. Morris,
Jr.
Xerox
Corporation
Palo
Alto
Research
Center
(PARC)
Palo
Alto,
California
94304
Introduction
.——
value
that
is
not
a
valid
representation
of
any of
the
objects
he has undertaken
to
process.
This
is
the
authentication
problem.
He could
begin
operation
each
with
a well-formedness
check,
but
in many
cases
the
cost
would
exceed
that
of
the
useful
processing.
Second,
users
may
write
programs
that
depend
upon
the
particular
representation
he chooses
for
objects.
This
precludes
his
re-designing
the
representation.
This
is
the
secrecy
problem.
fact,
of
The title
is not
a statement
of
course,
but
an opinion
about
how language
There
designers
should
think
about
types.
to
look
to
tendency
has been
a natural
precise
for
a
consistent,
mathematics
The
point
of
notion
of what
types
are.
a type
is a
extensional:
view
there
is
values.
While
subset
of
the
universe
of
this
approach
may have
served
its
purpose
defining
quite
adequately
in
mathematics,
this
way
language
types
in
programming
Some
ideas.
ignores
some
vital
following
the
developments
interesting
extensional
approach
are
the
ALGOL-68
type
and
Scott
~s
theory
[S],
system
[vW],
While
each
of
these
Reynolds’
system
[R].
to
programming
lend
valuable
insight
languages,
I feel
they
miss
an
important
aspect
of
types.
to
Type
checking
is
a
way
All
things
from
happening.
the
abstract
represent
considered
to
be of a certain
rules
are:
Rather
than
worry
about
what
types
are
I
checking.
shall
focus
on the
role
of
type
Type
checking
seems
to
serve
two
distinct
secrecy.
and
authentication
purposes:
when
a
programmer
are
useful
Both
class
of
implement
a
undertakes
to
objects
to be used
by many
other
abstract
proceeds
by
programmers.
He
usually
a representation
for
the
objects
choosing
writes
in terms
of
other
objects
and then
to
manipulate
operations
the
required
them.
This
work
was supprted
was at the
the
author
Berkeley.
by NSF Grant
University
Only
values
submitted
(authentication)
(2)
Only
the
procedures
applied
to objects
(secrecy).
of
that
for
.
type
can
processing
given
of
that
be
can be
type
The
remaining
question
is
how to
decide
has
a
particular
value
whether
a given
discussion
should
The
foregoing
type.
that
the
persuade
the
reader
serve
to
question
should
not
turn
on what
the
value
is,
but
rather
where
it
ca=?rom
or @Q
type
should
words
In other
created
it.
not
be an extensional
property.
about
the
problems
two
There
are
his
programs
with
ethers
interaction
of
solving
has
great
difficulty
that
he
system
to
ty Fe
without
the
aid
of
a
users
First,
constrain
the
interactions.
of
his
programs
may ask
them
to
operate
a
*
(1)
prevent
such
values
used
to
are
objects
type.
The
I
shall
extendible
foregoing
outline
now
system
type
considerations.
the
design
for
based
on
an
the
Modules
——
The overall
permit
different
to
have
language
with
property
to
subroutine
local
variables.
GJ34342x
while
of
Californiar
120
structure
of
the
language
must
parts
of the
same program
different
capabilities.
Any
textual
scope
rules
has this
FCRT’RAN
e.g.
a
some extent;
to
its
exclusive
access
has
(large)
modules
construct
module
is
The
syntactic
to
provide
such
structure.
introduced
has
the
form
of
a
Basicallyv
a module
program
complete
ALGOL- 60
main
the
(delimited
by godule,
~Q~);
program
part
(if
any)
may
be
used
to
may
A
module
perform
initialization.
declaration
can.
Any
appear
anywhere
a
identifiers
declared
at
the
outer-most
level
of
the
module
may be tagged
(with
+)
signify
that
they
are
entries
in which
to
enclosing
case
they
are
known
in
the
block
.
If
the
identifier
denotes
storage
that
storage
may be read
(but
not
written)
If
it
denotes
a
from
outside
the
module.
procedure,
the
procedure
may
be called
from
outside.
A module
is very
similar
to
a SIMULA
class
[D].
end:
Bo~~an
integer
procedure
+Equiv
x,y:
:= R(x)
= R(y)
Equ iv
~cedure
+Equate
(x,Y);
_
~nte9er
U*V;
u:=R(x)
; v:=R(y);
beqin
(xry)
Seali
produces
limited
1 until
a
value
properties
Print
(Equiv
X,Y:
with
is
the
following
true
Createseal(true)
sealing
operation
value
XS=Seal
count:=count-1:
A[u]:=v
produces
a
Sealiv
along
(X)
except
retains
all
the
properties
of
X
is
true.
In addition,
that
Testseal(XC)
was
is
false
unless
y
Testseal
(y,i)
seal
succession
of
produced
by
a
which
was
Seali.
In
operations
one of
transparent
seals
are
like
words,
other
number
may
be
that
any
trademarks
in
each
other
or
without
obscuring
affixed
any other
properties
of
the
object.
@
(10,5))
It
is
implementing
operations
The
programmer
of
a module
is
supposed
to
the
Frograms
that
about
assume
nothing
He should
use private
access
its
entries.
storage
to
maintain
the
integrity
of his
data
structures
and treat
parameters
with
suspicion.
(The
previous
example
violates
the
latter
unless
array-bounds
checking
is
assumed.)
A module~s
initialization
enclosing
whenever
its
The question
of whether
each
other
recursively
Testseal(X*,i)
Unseali(X~)=X
The
operation
transparent
with
i.
7%e
(10,20);
(20,5);
(count);
xc
:
integer
100
(X)
In addition,
unless
y is
a value
produced
by
Seali
,
Testseal(y,i)
is
false
and
Unseal
(y)
causes
an error.
The
seal
is
in
the
sense
that
no properties
of
S2E2Q42
X can
be
discovered;
i.e.
a
primitive
applied
to X! causes
an error.
i$
*;
count:=l
-Q
~count]:=O:
count
:=100
and
Performing
the
operation
Createseal(false)
delivers
to
the
caller
two
capabilities
(in
the
form
of
procedures)
Seali
and
Unseali
along
with
the
integer
i.
These
things
are
unique
in
the
sense
that
Createseal
returns
different
versions
every
time
it
is
called.
Its
role
is
analogous
to
a locksmiths.
~Q
~
directories
[w].
(i)
(ii)
array
A [1:100];
+count:
~ocedure
R(i)
;integer
integer
t;
t:=i$
while
A[t]#O
@i t:=A[t];
R:=t
file
First,
a
thoroughly
dynamic
type
mechanism,
similar
to
that
in
[M]
will
be
presented.
It
seems
more
appropriate
for
operating
systems
and
is
similar
also
the
one designed
for
Carnegiees
HYDRA
system
module
integer
integer
integer
=
into
ZYL?SS
Example
~.
The following
program
defines
and tests
a scheme
to
remember
equivalence
classes.
The array
A and
Grocedure
R are
unknown
outside
the
module,
while
count
,
Equiv,
and Equate
are
known.
end
E~te
Equate
Print
blocks
into
files.
part
is
executed
block
is
entered.
can
call
modules
is
ducked.
while
it
is
conceptually
simpler
to regard
piece
of
text.
in
every
program
as
one
must
break
them
UF
to
practice
one
compiling,
etc.
The
facilitate
editing,
to
map
most
natural
way to
do this
seems
suggested
in
that
new
following
a
type
programmer
use
these
way.
(1)
During
module
initialization
he
createseal,
with
false
if
calls
true
type,
he wishes
an oFaque
otherwise.
(2)
Every
time
an object
type
is
passed
out
of
he guarantees
that
it
(3)
Every
time
a value
allegedly
the
new tyFe
is
passed
into
tests
seal
its
module
he
it
is
opaque.
unseals
it
if
This
scheme
extra-module
121
a
the
code
detects
since
of
the
new
the
module
is
sealed.
type
errors
only
the
module
of
the
and
by
is
able
to put
its
seal
on
if
the
seal
is
opaque
of the
new type
is
kept
clarity
in
achieved
are
valid.
A
considerable
gain
can
efficiency
be
following
assumptions
(a)
A fixed
number
created
by
independent
of
(b)
Each
new
a set
of
compile-time
ALGOL-68
sense)
the
ALGOL-68
implements
intervals
as
complex
numbers
third,
new
types
Each
of
*he
declarations
outside
its
and
interval
realpair
type
value
of
types
a
array
treated
like
an
However,
an
reading.
intervals
component
things.
Further,
the
representation
a secret.
and
the
if
of
new types
are
program,
the
the
data.
int[l]
type
values
is
represented
describable
(e.g.
tyFe
by
as a
an
is not
permitted
the
assignment
(d)
is
and
unsealing
only
at
module
manner
the
never
~~g
a new type
a declaration
<name>
(2)
(3)
{>12]
in
the
static
of
the
form
<type
beain
system
as
<5,int[2]>
yk;~i~r
t;
t[l]:=x;
[1:2];
(x,y)
;
real.
x,y;
t[2]:=y;
: =t
end;
—-
description>
end
‘—
module
~~
+intervalZrealpair;
procedure
interval
mkinterval:=~~
interval
mkinterval
x<y
~cedure
——
sumint:=mkpair
then
-—
Q=
sumint
(x[l]+y[l],
(xry)
;
real
x,y;
mkpair
(x,y)
mkpair
(y,x)
;
(xry)
;
interval
x,y;
x[2]+y[2])
end;
module
—~g
+Complex>realpair;
procedure
complex
Outside
the
module
an
opaque
type
cannot
be coerced
at all;
i.e.
something
declared
a <name>
reside
can
only
in
contexts
declared
such.
;
real
X.V:
mkcomplex
:= mkpair
(sqrt(x*x+y*y)
,
&g x=6 tpi/2*(y/abs(y)”)
- ~
arctan
(y/x))
;
procedur~
re(c)
: complex
c;
real
(C[21):
:= C[l]
* Cos
re
procedure
ire(c);
complex
c;
real
im := C[l]
* sin
(c[2])
mkcomFlex(x,y)
-4.
Outside
the
module
a transparent
type
may
be
coerced
downward;
i.e.
something
of
<name>
type
may move
into
contexts
with
type
<type
description>,
but
not
back.
The
~.
and
exercises
implements
pairs
(assuming
arrays
:=
~~
+realpair
2 real
array
realpair
procedure
+mkpair
to
Inside
the
module
<name>
“
simply
an
abbreviation
f:
<type
description>;
i.e.
coercions
in
either
direction
are
allowed.
It
should
be emphasized
that
never
induces
any
computation.
to
control
simply
serve
values
may move between.
~xample
regarded
module
—.
at
Normally
the
name will
be
tagged
as
an
entry,
indicating
that
the
type
name can
be used
outside
the
module.
used
If
> is
the
type
is
opaque,
if
2
it
is
transparent.
The type
checking
rules
can
be
summarized
bv
some
simt)le
coercion
.
rules
(1)
is
type
and the
right-hand
side
has implicit
upward
which
implies
an
array
real
Since
complex
is
an opaque
type
coercion.
atoms
complex
numbers
must
be treated
as
outside
the
module,
using
the
procedures
re and im to get
at
their
components.
used.
In such
cases
the
type
checking
(exclusive
of
testing)
can
be
done
union
compile-time
and
the
sealing-unsealing
becomes
so
activity
imElicit
as
disappear.
To invent
one makes
it
mode).
Sealing,
testing,
are
performed
boundaries
in
described
above.
Testseal
:=5
because
int
(c)
second
The
the
pairs:
real
Fairs.
be
used
in
Since
module.
transparent
are
interval
may be
for
purposes
of
to an
assignment
.
real
as
may
~g
real
array
a [ 1:2];
real
t:
interval
y; complex
z;
x:=y;
Y := mkinterval(5,10);
y:=sumint
(ycy) ; z:=mkcomplex
t:=re(z);
t:=im(z)
coercion
here
The
rules
the
contexts
There
not
them
following
program
defines
three
The first
modules.
of
real
numbers
as arrays
are
heap
allocated,
in
are
several
be
legal
in
are
x:=a;
.- z;
x --
122
Y:=x;
y:=z;
statements
the
main
Y[2]:=6;
t:=z[l]
realpair
x;
a:=y;
t:=y[2];
(3,6.5)
:
that
Frogram.
sumint(y,x);
would
Among
The first
four
call
for
upward
which
are
never
permitted
remaining
three
attempt
to
opaque
type.
coercions
while
the
coerce
an
Then
the
internal
the
module
writer
R at appropriate
R(mkcomplex
R(z)=<x,y>
R(z)=<x,y>
This
type
system
has
been
designed
to
facilitate
program
verification
on
a
modular
basis.
The general
principle
is
that
a module
writer
should
not
have
to
look
outside
his
module
to
verify
its
correctness.
Part
of this
is
achieved
by
defining
correctness
judiciously
and the
rest
by having
the
type
checker
restrict
how
the
outside
world
communicates
with
a
module.
Associated
invarian~
with
a new
of
the
form
type
T may
be
=>
xc
interval=>
a ~
Remarks
——
system
presented
here
is
like
The
type
SIMULA~S
class
construction
but
improves
First,
it
allows
on it
in
a few
respects.
absolutely
writer
to
have
the
module
private
data
while
SIMULA
allows
outside
to access
all
a classms
storage.
programs
binary
makes
implementing
Second,
it
operations
on new types
simple,
something
SIMULA.
A
that
is
nearly
impossible
in
has
John
Elder,
Hoarets,
student
of
designed
revisions
of
the
SIMULA
ClaSS
mechanism
to
overcome
these
problems.
x[1]<x[2]
holds
verifier
everywhere
must
outside
(1)
prove
P (v)
variable
v of
of
initialization
(2)
at
each
entry
of
the
module
assume
the
invariant
holds
and
prove
P (x)
for
all
changed
variables
and
returned
values
of
type
T
at
the
exits
of
the
module.
holds
for
every
type
T at the
end
(if
any).
The
notion
of
a transparent
type
provides
a very
limited
form
of
polymorphism.
If
types
are
coerceable
transparent
several
UUWII
U-I
.S
SLIIYLe
base
type
it
is
possible
to
write
a single
procedure
that
accepts
any of those
types
as a parameter.
It
is
not
clear
how
to achieve
true
entirely
polymorphism
since
such
a
procedure
is
unable
to
return
values
of varying
type,
dependent
on the
input
type.
For
example,
to
prcve
the
interval
invariant
above
one must
prove
that
the
rnkpair
j.n
parameters
of
each
call
of
mkinterval
and
sumint
are
non-decreasing;
in
summint
one
may assume
the
invariant
holds
for
the
formal
parameters
x and y.
Opaque
types
do not
facilitate
proofs
per
se
but
their
significance
can
be
illustrated
by
considering
proofs.
The
external
specification
of a module
might
be given
as a set
of
statements
of
the
form
comes
when
one
An interesting
point
up
tries
to
justify
the
proof
rule
for
type
what
constitutes
a
module
invariants:
entry
or exit?
If
one has
a language
like
with
and
non-local
recursion
ALGOL- 60
transfers,
each
procedure
call
in
the
module
must
be
regarded
as
an
exit
This
can
followed
by an entry.
be
quite
thdt
bothersome
because
it
requires
everything
the
be
cleaned
UE
(i.e.
before
every
invariants
truth
assured)
It
is
therefore
appealing
procedure
call.
constraints
on
the
to put
the
following
control
structure.
Q(x,fi(x))
where
f ~ is
function
of the
lth
procedure
mkcomplex
z=<x,y>
z=<x,y>
=>
=>
describing
entry.
(x,y)
=
re(z)=x
im(z)=y
the
effect
E.g.
<x,y>
(1)
Since
values
of
an opaque
type
cannot
be
sampled
directly
there
is
no
need
for
these
statements
to
be
literally
true;
indeed
they
are
not
for
the
current
example.
The
actual
situation
can
be
described
by
assuming
an
implicit
representation
function
R which
maps the
underlying
representation
into
the
externally
assumed
one.
E.g.,
R(z)
=
<z[l]*cos(z[2]),
to
free
to
choose
Now the
module
writer
is
any R he likes
and prove
that
the
programs
For
specifications.
obey
the
internal
wiser
this
particular
example
he would
be
R
to be the
identity
function
to
choose
The
accordingly.
and revise
the
program
that
he
is
free
to
important
point
is
the
time
he
likes
and
change
R
any
external
specifications
need
not
change.
e.g.,
it
given
inserfinq
(x,y))=<x,y>
=> re(z)=x
=> im(z)=y
P(x)
xeT
To prove
that
the
module
the
specifications
are
derived
by
places.
E.g.,
(2)
Any
procedures
within
involve
recursive
must
one
module
entries
of
A
non-local
cross
any
module
transfer
boundary.
mitigate
the
effect
To
restriction
one can provide
to
PL/1
mechanism
similar
2+n error
signal
propagates
z[l]*sin(z[2])>
123
of
chain
entirely
cannot
and
the
module.
be
cannot
the
lattez
of
exit
an error
on-conditions.
the
back
along
chain
up so
call
things
allowing
as to
each
restore
module
to clean
its
invariant.
References
[v$+]
van
Wijngaarden,
Algorithmic
Mathematische
[S]
Scott,
D.,
Theory
of
University.
Woutline
Reynolds,
Approach
Argonne
[D]
Dahl,
O.J.,
ItHierarchical
Structural
—.
____
Press,
1972.
Morris,
Programming
~
[w]
(l),
of
Computation,tt
a Mathematical
PRG-2,
Oxford
llA
J.C.,
Set-Theoretic
to
the
Concept
of
Type,vt
National
Laboratories,
1969.
[R]
[M]
A.,
“Report
on
the
Language
ALGOL-68,*!
Centrum,
1969.
and
Hoare,
C.A.R..
Program
Structure,
Proqrammi~,
Academic
J.H.,
Jan.
Ilprotection
Languages,
1973.
81 —.
Comm
9*
“
AC:
the
Wulf,
w.A.,
et.
al.,
“Hydra:
of
a Multiprocessor
Operating
Kernal
Computer
Department
of
System,qn
Science,
Carnegie
Mellon
University,
June
1973.
124