
In this section we prove that programs running under preemptive type checking can never raise a $\mathit{TypeError}$. We also show that, under preemptive type checking, if a program raises a controlled exception (reduces to $\mathit{Exception}$), then the same program run under the original semantics never reduces to $\mathit{End}$.

Theorem 5.5. Let $R_{SC}$ be defined as
\[
R_{SC} = \{\, (\langle\Sigma, S\rangle, \langle\Sigma, S\rangle) \mid \langle\Sigma_0, \varepsilon\rangle \to^{*} \langle\Sigma, S\rangle \wedge \langle\Sigma, S\rangle \in \mathit{StateComp} \,\} \tag{5.2}
\]
Then $R_{SC}$ is an error-preserving simulation.

Proof. Wherever $\langle\Sigma, S\rangle \, R_{SC} \, \langle\Sigma, S\rangle$ holds, $\langle\Sigma, S\rangle \in \mathit{StateComp}$, i.e., for every variable $u$ we have $\tau_r <: \tau_f$, where
\[
\Sigma(u) : \tau_r \qquad \langle s, T_\emptyset\rangle \vdash_f u : \tau_f \tag{5.3}
\]
and $s = \lfloor S \rfloor$.

From the definition of error-preserving simulation in Definition 5.4, we need to prove that all of the following hold:
\[
\langle\Sigma, S\rangle \not\to \mathit{TypeError} \tag{5.4}
\]
\[
\text{if } \langle\Sigma, S\rangle \to \mathit{End} \text{ then } \langle\Sigma, S\rangle \dashrightarrow \mathit{End} \tag{5.5}
\]
\[
\text{if } \langle\Sigma, S\rangle \to \mathit{Exception} \text{ then } \langle\Sigma, S\rangle \dashrightarrow \mathit{Exception} \tag{5.6}
\]
We also need to prove that, if $\langle\Sigma, S\rangle \to \langle\Sigma', S'\rangle$, then either
\[
\langle\Sigma, S\rangle \dashrightarrow \langle\Sigma', S'\rangle \wedge \langle\Sigma', S'\rangle \, R_{SC} \, \langle\Sigma', S'\rangle \tag{5.7}
\]
or
\[
\langle\Sigma, S\rangle \dashrightarrow \mathit{Exception} \wedge \langle\Sigma, S\rangle \in \Uparrow \tag{5.8}
\]
By definition of the checked semantics, if $\langle\Sigma, S\rangle \to \mathit{End}$ then $\langle\Sigma, S\rangle \dashrightarrow \mathit{End}$, so (5.5) holds as required. The same argument gives (5.6) for $\mathit{Exception}$.

We now proceed to prove that a type error cannot be raised, i.e., (5.4). We argue by contradiction: we assume that $\langle\Sigma, S\rangle \to \mathit{TypeError}$ holds and derive a contradiction, analysing all cases of the μPython semantics in which $\langle\Sigma, S\rangle \to \mathit{TypeError}$.

Case fJIF, i.e., $u$ is $\mathit{tos}$, $s$ has the form $\langle P, pc\rangle :: \ldots$, $P_{pc}$ is $\mathtt{JIF}\ n$, and $\neg(\Sigma(\mathit{tos}) : \mathit{Bool})$.

From (5.3) we infer that in this case $\tau_f$ is $\mathit{Bool}$. Since $\langle\Sigma, S\rangle \in \mathit{StateComp}$, we know that $\tau_r <: \tau_f$. As there is no valid runtime type other than $\mathit{Bool}$ that is a subtype of $\mathit{Bool}$, this implies that $\tau_r = \mathit{Bool}$ and hence, from (5.3), $\Sigma(\mathit{tos}) : \mathit{Bool}$. This contradicts the assumption of the current case.

All other cases where $\langle\Sigma, S\rangle \to \mathit{TypeError}$, i.e., fSTR, fINT and fCF1, follow this pattern and lead to a contradiction. In fCF1, $\tau_f <: \mathit{Fn}$, so the contradiction may arise earlier. We therefore conclude that $\langle\Sigma, S\rangle \not\to \mathit{TypeError}$ as required.

We now consider the cases where $\langle\Sigma, S\rangle \to \langle\Sigma', S'\rangle$. Since we know that $\langle\Sigma_0, \varepsilon\rangle \to^{*} \langle\Sigma, S\rangle$, we can conclude that $\langle\Sigma_0, \varepsilon\rangle \to^{*} \langle\Sigma', S'\rangle$. We also need to show that either (5.7) or (5.8) holds. We proceed by case analysis on $\dashrightarrow$ for the cases where $\langle\Sigma, S\rangle \to \langle\Sigma', S'\rangle$.

Case $\langle s, s', \Sigma'\rangle \notin \mathit{EdgeComp}$

From the definition of our checked μPython semantics in Definition 5.3, for this case we can conclude that
\[
\langle\Sigma, S\rangle \dashrightarrow \mathit{Exception} \tag{5.9}
\]
By analysing the definition of $\mathit{EdgeComp}$ (Definition 5.1), the current case implies that there is a $u$ such that $\tau'_r \not<: \tau_p \sqcap \tau'_f$, where
\[
\langle s, T_\emptyset\rangle \vdash_p u : \tau_p \qquad \langle s', T_\emptyset\rangle \vdash_f u : \tau'_f \qquad \Sigma'(u) : \tau'_r
\]
Now, since we know from Theorem 4.2 that $\tau'_r <: \tau_p$, and $\tau'_r <: \tau_p$ together with $\tau'_r <: \tau'_f$ would give $\tau'_r <: \tau_p \sqcap \tau'_f$, there is a $u$ such that $\tau'_r \not<: \tau'_f$. This means that $\langle\Sigma', S'\rangle \notin \mathit{StateComp}$ (see Definition 4.6).

Hence we know from Theorem 4.7 that $\langle\Sigma', S'\rangle \in \Uparrow$. From the definition of the diverge-error relation, this means that $\langle\Sigma, S\rangle \in \Uparrow$ also holds. Combining this with (5.9), we have shown that (5.8) holds as required.

Case $\langle s, s'\rangle \in \mathit{FailEdge}$

From the checked μPython semantics, $\langle\Sigma, S\rangle \dashrightarrow \mathit{Exception}$. Using coinduction, we then need to show that $\langle\Sigma, S\rangle \in \Uparrow$. To do this we must show that $\mathit{FailEdge}$ projects to a diverge-error relation. That is, let
\[
R = \{\, \langle\Sigma, S\rangle \mid \langle\Sigma, S\rangle \to \langle\Sigma', S'\rangle \wedge \langle s, s'\rangle \in \mathit{FailEdge} \,\}
\]
and we show that $R$ is a diverge-error relation. Suppose $\langle\Sigma, S\rangle \in R$; then $\langle s, s'\rangle \in \mathit{FailEdge}$, so either $\langle s, s', \Sigma'\rangle \notin \mathit{EdgeComp}$, and hence $\langle\Sigma, S\rangle \in \Uparrow$ by the previous case, or $\langle s', s''\rangle \in \mathit{FailEdge}$ for all $s'' \in \mathit{next}(s')$, as required.

Case $\langle s, s', \Sigma'\rangle \in \mathit{EdgeComp}$

From Definition 5.3 of our checked μPython semantics, we can conclude for this case that the checked semantics takes the same step, $\langle\Sigma, S\rangle \dashrightarrow \langle\Sigma', S'\rangle$, which is the first conjunct of (5.7). In order to prove that (5.7) holds, it remains to show that $\langle\Sigma', S'\rangle \, R_{SC} \, \langle\Sigma', S'\rangle$ holds, that is,
\[
\langle\Sigma_0, \varepsilon\rangle \to^{*} \langle\Sigma', S'\rangle \wedge \langle\Sigma', S'\rangle \in \mathit{StateComp}
\]
$\langle\Sigma_0, \varepsilon\rangle \to^{*} \langle\Sigma', S'\rangle$ was shown above. We therefore need to show that $\langle\Sigma', S'\rangle \in \mathit{StateComp}$, i.e., that for any $u$ with
\[
\Sigma'(u) : \tau'_r \qquad \langle s', T_\emptyset\rangle \vdash_f u : \tau'_f
\]
we have
\[
\tau'_r <: \tau'_f \tag{5.11}
\]

In order to prove (5.11), we start by looking at the definition of $\mathit{EdgeComp}$. This states that
\[
\tau_f = \tau'_f \quad\text{or}\quad \tau_p <: \tau'_f \quad\text{or}\quad \tau'_r <: \tau_p \sqcap \tau'_f \tag{5.12}
\]
where $\langle s, T_\emptyset\rangle \vdash_f u : \tau_f$, $\langle s', T_\emptyset\rangle \vdash_f u : \tau'_f$, $\langle s, T_\emptyset\rangle \vdash_p u : \tau_p$ and $\Sigma'(u) : \tau'_r$.

With Theorem 4.2 guaranteeing $\tau'_r <: \tau_p$, this implies $\tau_f = \tau'_f$ or $\tau'_r <: \tau'_f$: the second disjunct of (5.12) gives $\tau'_r <: \tau'_f$ by transitivity, and the third because $\tau_p \sqcap \tau'_f <: \tau'_f$.
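The two places in this proof that discharge the meet disjunct of $\mathit{EdgeComp}$, the step just above and the $\langle s, s', \Sigma'\rangle \notin \mathit{EdgeComp}$ case, use nothing beyond the lattice properties of $\sqcap$ and transitivity of $<:$. The derivation below is added here as an illustration and is not part of the original proof; it assumes, as both steps require, that $<:$ is a preorder and that $\tau_p \sqcap \tau'_f$ is the greatest lower bound of $\tau_p$ and $\tau'_f$ with respect to $<:$. Throughout, $\tau'_r <: \tau_p$ is the hypothesis supplied by Theorem 4.2.

\[
\begin{array}{lll}
\text{(a)} & \tau_p \sqcap \tau'_f <: \tau'_f & \text{meet is a lower bound} \\[2pt]
\text{(b)} & \tau'_r <: \tau_p \wedge \tau_p <: \tau'_f \;\Rightarrow\; \tau'_r <: \tau'_f & \text{transitivity; second disjunct of (5.12)} \\[2pt]
\text{(c)} & \tau'_r <: \tau_p \sqcap \tau'_f \;\Rightarrow\; \tau'_r <: \tau'_f & \text{(a) and transitivity; third disjunct of (5.12)} \\[2pt]
\text{(d)} & \tau'_r <: \tau_p \wedge \tau'_r <: \tau'_f \;\Rightarrow\; \tau'_r <: \tau_p \sqcap \tau'_f & \text{meet is the greatest lower bound} \\[2pt]
\text{(e)} & \tau'_r <: \tau_p \wedge \tau'_r \not<: \tau_p \sqcap \tau'_f \;\Rightarrow\; \tau'_r \not<: \tau'_f & \text{contrapositive of (d)}
\end{array}
\]

Lines (b) and (c) are the reduction of (5.12) to "$\tau_f = \tau'_f$ or $\tau'_r <: \tau'_f$"; line (e) is the step in the $\notin \mathit{EdgeComp}$ case that produces a $u$ with $\tau'_r \not<: \tau'_f$ and hence $\langle\Sigma', S'\rangle \notin \mathit{StateComp}$.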

If $\tau'_r <: \tau'_f$, then we are done. On the other hand, if $\tau_f = \tau'_f$ it is sufficient to show that
\[
\tau'_r <: \tau_f \tag{5.13}
\]
If $\Sigma(u) = \Sigma'(u)$ then $\tau_r = \tau'_r$, where $\tau_r$ is given by $\Sigma(u) : \tau_r$. Because $\langle\Sigma, S\rangle \in \mathit{StateComp}$, we know that $\tau_r <: \tau_f$, and therefore $\tau'_r <: \tau'_f$ as required.

We now assume that $\Sigma(u) \neq \Sigma'(u)$, keeping in mind that $\langle\Sigma, S\rangle \not\to \mathit{TypeError}$. The instructions for which this is the case are typed using the rules fSET/SG1. The proof for all these cases follows a similar pattern; we give the fSET case as an example, where we need to show that
\[
\tau'_r <: \tau_f
\]
holds. In this case $\tau_f$ is such that $\langle s, T_\emptyset\rangle \vdash_f \mathit{tos} : \tau_f$ and, by fSET, $\tau_f = \top$; therefore $\tau'_r <: \top$ holds trivially.

We have therefore demonstrated that (5.11) holds as required.

Since $R_{SC}$ is an error-preserving simulation and $\lesssim$ is the largest error-preserving simulation, $R_{SC} \subseteq {\lesssim}$.

The next corollary is an important result that follows from our proofs. It says that a program run using the checked semantics can never get stuck: every maximal trace ends in $\mathit{End}$ or $\mathit{Exception}$.

Corollary 5.6. Consider a maximal trace $\langle\Sigma_0, \varepsilon\rangle \dashrightarrow^{*} N \not\dashrightarrow$. Then $N$ is either $\mathit{End}$ or $\mathit{Exception}$.

Proof. We note immediately that $\langle\Sigma_0, \varepsilon\rangle \in \mathit{StateComp}$ holds by virtue of rule fINIT of Figure 4.5. Therefore $\langle\Sigma_0, \varepsilon\rangle \, R_{SC} \, \langle\Sigma_0, \varepsilon\rangle$ and hence, since $R_{SC} \subseteq {\lesssim}$ by Theorem 5.5, $\langle\Sigma_0, \varepsilon\rangle \lesssim \langle\Sigma_0, \varepsilon\rangle$. Now suppose, for contradiction, that $N$ is neither $\mathit{End}$ nor $\mathit{Exception}$. Then $N$ is some $\langle\Sigma, S\rangle$ such that $\langle\Sigma, S\rangle \lesssim \langle\Sigma, S\rangle$, the simulation being preserved along the trace. This tells us that $\langle\Sigma, S\rangle \not\to \mathit{TypeError}$, so by the definition of $\to$ we must have $\langle\Sigma, S\rangle \to \langle\Sigma', S'\rangle$ for some $\langle\Sigma', S'\rangle$, or else $\langle\Sigma, S\rangle \to \mathit{End}$ or $\langle\Sigma, S\rangle \to \mathit{Exception}$. In every case the simulation gives $N \dashrightarrow N'$ for some $N'$, contradicting maximality.