Global abstraction-safe marshalling via hash types

James J. Leifer, Gilles Peskine, Peter Sewell, Keith Wansbrough
INRIA Rocquencourt / University of Cambridge
(slides, 14 October 2003)


Problem

Consider inter-machine communication (or persistent storage):

  (A)  ... send (marshal (v : t)) ...                 where v : t
  (B)  ... let y = unmarshal (receive () : t') ...

(e.g. t = bool on the sending side and t' = int list on the receiving side)

A dynamic type check of t = t' can ensure the safety of unmarshal.

But what if t and t' are ML-like abstract types, e.g.

  t  = UnbalancedBinaryTree.t
  t' = BalancedBinaryTree.t ?

We could just consider their concrete representation types to get type safety, but we want abstraction safety too.


Overview

  * Examples: communication with abstract types
  * Solution: hash types, compilation, and typing
  * Theorems
  * Conclusions and future work


An even counter: manifest signature

  module EvenC = (struct ... type t = int ... end : sig ... type t = int ... end)

An even counter: abstract signature

  module EvenC = (struct ... type t = int ... end : sig ... type t ... end)


Example: identical abstract types

  (A)  module EvenC = (struct
         type t = int
         let start = 0
         let up x = x + 2
         let get x = x
       end : EvenCSig)
       let x = EvenC.start in send (marshal (x : EvenC.t))

  (B)  module EvenC = (struct
         type t = int
         let start = 0
         let up x = x + 2
         let get x = x
       end : EvenCSig)
       let y = unmarshal (receive () : EvenC.t)            --> succeed

Within a single program, two abstract types with the same definition would be different (ML generativity). Between programs, that's not what we want.


Example: concrete to abstract

  (A)  ...
       let x = 3 in send (marshal (x : int))

  (B)  module EvenC = (struct
         type t = int
         let start = 0
         let up x = x + 2
         let get x = x
       end : EvenCSig)
       let y = unmarshal (receive () : EvenC.t)            --> fail

Allowing unmarshal to succeed would break (B)'s invariants.


Example: same external behaviour but different internal invariants

  (A)  module EvenC = (struct
         type t = int
         let start = 0
         let up x = x + 1
         let get x = 2 * x
       end : EvenCSig)
       let x = EvenC.start in send (marshal (x : EvenC.t))

  (B)  module EvenC = (struct
         type t = int
         let start = 0
         let up x = x + 2
         let get x = x
       end : EvenCSig)
       let y = unmarshal (receive () : EvenC.t)            --> fail

Again, success would not respect (B)'s invariants.


Example: same internal invariants

  (A)  module EvenC = (struct
         type t = int
         let start = 0
         let up x = 2 + x
         let get x = x
       end : EvenCSig)
       let x = EvenC.start in send (marshal (x : EvenC.t))

  (B)  module EvenC = (struct
         type t = int
         let start = 0
         let up x = x + 2
         let get x = x
       end : EvenCSig)
       let y = unmarshal (receive () : EvenC.t)            --> maybe

Success would require a theorem prover to perform the verification (unrealistic) or a user-supplied coercion.


Summary of the main cases

  Interface   Implementation                                              Desired behaviour
  ---------   ---------------------------------------------------------   -----------------
  same        same code                                                   succeed
  same        same internal invariants                                    maybe
  same        same external behaviour but different internal invariants   fail
  same        different external behaviour                                fail
  different   ...                                                         fail
  ...         different representation types                              fail


How do we get the desired behaviour?

  * For communication between programs with identical sources, it is easy to compare abstract types by their source-code names, e.g. EvenC.t would mean the same thing in all copies.
  * However, for programs that share only some modules, that would be unsound.

How do we obtain globally meaningful type names?

Solution: we construct them from module hashes.

  (A)  ... send (marshal ([...]^{h.t} : h.t)) ...

  where h = hash( struct type t = int  let start = 0  ...  end : sig type t  val start : t  ...  end )

Coloured brackets are adapted from [Zdancewic, Grossman, & Morrisett].


3. Compile-time reduction: coloured brackets

  module EvenC = ( struct type t = int  let start = 0  ...  end : sig type t  val start : t  ...  end )
  send (marshal ([EvenC.start]^{EvenC.t} : EvenC.t))

        |  inlining EvenC
        v

  send (marshal ([0]^{h.t} : h.t))

  where h = hash( struct type t = int  let start = 0  ...  end : sig type t  val start : t  ...  end )

Coloured brackets are adapted from [Zdancewic, Grossman, & Morrisett].


The calculus

  * call-by-value lambda-calculus;
  * second-class, first-order modules;
  * communication and parallel composition;
  * marshal and unmarshal;
  * hashes in the type grammar:   T ::= ... | h.t

As we said: the types on each side are fixed by static typing, and the remaining equality check on the type names is performed by unmarshal.
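The following is an added toy model of the hash-type idea above, not code from the slides or from the authors' calculus: a module's global type name h.t is derived from a hash of its (textual) structure and signature, and unmarshal succeeds only when the sender's and receiver's type names are identical. The textual hashing, the message format and the EvenC module texts are constructed for this illustration; they mirror the summary-table cases, and the "same internal invariants" row comes out as fail because the texts differ.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    """A sealed module: structure text and signature text (toy, textual)."""
    struct_src: str
    sig_src: str

    def hash(self) -> str:
        """h = hash(struct ... end : sig ... end): the module's global name."""
        data = f"struct {self.struct_src} end : sig {self.sig_src} end"
        return hashlib.sha256(data.encode()).hexdigest()

    def t(self) -> str:
        """The hash type h.t naming this module's abstract type t."""
        return f"{self.hash()}.t"

def marshal(value, type_name: str) -> dict:
    """Tag the value with the globally meaningful type name it is sent at."""
    return {"type": type_name, "value": value}

def unmarshal(msg: dict, expected_type: str):
    """Dynamic check performed by unmarshal: type names must be identical."""
    if msg["type"] != expected_type:
        raise TypeError(f"expected {expected_type}, got {msg['type']}")
    return msg["value"]

def transfer_ok(value, sent_type: str, expected_type: str) -> bool:
    """Run the A -> B exchange; True iff unmarshal on B's side succeeds."""
    try:
        unmarshal(marshal(value, sent_type), expected_type)
        return True
    except TypeError:
        return False

# Constructed module texts mirroring the slides' EvenC examples.
SIG = "type t val start : t val up : t -> t val get : t -> int"
EVENC_B = Module("type t = int let start = 0 let up x = x + 2 let get x = x", SIG)
EVENC_A_SAME = Module("type t = int let start = 0 let up x = x + 2 let get x = x", SIG)
EVENC_A_ODD = Module("type t = int let start = 0 let up x = x + 1 let get x = 2 * x", SIG)
EVENC_A_COMM = Module("type t = int let start = 0 let up x = 2 + x let get x = x", SIG)

# identical sources: succeed        -> transfer_ok(0, EVENC_A_SAME.t(), EVENC_B.t())
# concrete int to abstract: fail    -> transfer_ok(3, "int", EVENC_B.t())
# same behaviour, other invariants  -> transfer_ok(0, EVENC_A_ODD.t(), EVENC_B.t())
# same invariants, other text: the hash scheme answers the "maybe" row with fail
```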