Abstract. How close are we to a world where every paper on programming languages is accompanied by an electronic appendix with machinechecked proofs? We propose an initial set of benchmarks for measuring progress in this area. Based on the metatheory of System F<:, a typed lambda-calculus with second-order polymorphism, subtyping, and records, these benchmarks embody many aspects of programming languages that are challenging to formalize: variable binding at both the term and type levels, syntactic forms with variable numbers of components (including binders), and proofs demanding complex induction principles. We hope that these benchmarks will help clarify the current state of the art, provide a basis for comparing competing technologies, and motivate further research. 1

The statement S T in a -calculus with subtyping is traditionally interpreted as a semantic coercion function of type [[S]]![[T ]] that extracts the "T part" of an element of S. If the subtyping relation is restricted to covariant positions, this interpretation may be enriched to include both the coercion and an overwriting function put[S; T ] 2 [[S]]![[T ]]![[S]] that updates the T part of an element of S.

We give a direct type-theoretic characterization of the basic mechanisms of object-oriented programming, including objects, methods, message passing, and subtyping, by introducing an explicit constructor for object types and suitable introduction, elimination, and equality rules. The resulting abstract framework provides a basis for justifying and comparing previous encodings of objects based on recursive record types (Cardelli, 1984; Cardelli, 1992; Bruce, 1994; Cook et al., 1990; Mitchell, 1990a) and encodings based on existential types (Pierce & Turner, 1994).

this paper (Compagnoni, Intersection Types and Bounded Polymorphism 3 1994; Compagnoni, 1995) has been used in a type-theoretic model of object-oriented multiple inheritance (Compagnoni & Pierce, 1996). Related calculi combining restricted forms of intersection types with higher-order polymorphism and dependent types have been studied by Pfenning (Pfenning, 1993). Following a more detailed discussion of the pure systems of intersections and bounded quantification (Section 2), we describe, in Section 3, a typed -calculus called F ("Fmeet ") integrating the features of both. Section 4 gives some examples illustrating this system's expressive power. Section 5 presents the main results of the paper: a prooftheoretic analysis of F 's subtyping and typechecking relations leading to algorithms for checking subtyping and for synthesizing minimal types for terms. Section 6 discusses semantic aspects of the calculus, obtaining a simple soundness proof for the typing rules by interpreting types as partial equivalence relations; however, another proof-theoretic result, the nonexistence of least upper bounds for arbitrary pairs of types, implies that typed models may be more difficult to construct. Section 7 offers concluding remarks. 2. Background

It is widely agreed that recursive types are inherent in the static typing of the essential mechanisms of objectoriented programming: encapsulation, message passing, subtyping, and inheritance. We demonstrate here that modeling object encapsulation in terms of existential types yields a substantially more straightforward explanation of these features in a simpler calculus without recursive types. 1 Introduction Static type systems for object-oriented programming languages have progressed significantly in the past decade. The line of research begun by Cardelli [11] and continued by Cardelli [18, 17, 14, 13], Mitchell [32, 10, 33], Bruce [8, 5, 7], and others [31, 39, 21, 10, 23, 20, 19, 26, 29, 44, 45, 46] has culminated in type-theoretic accounts [6, 14] of many of the features of languages like Smalltalk [28]. Our goal here is to reformulate the essential mechanisms of these accounts using a simpler type theory: we give a complete model of encapsulation, message passing, subtyping, ...

The calculus of higher order subtyping, known as F ω ≤ , a higher-order polymorphic λ-calculus with subtyping, is expressive enough to serve as core calculus for typed object-oriented languages. The versions considered in the literature usually support only pointwise subtyping of type operators, where two types S U and T U are in subtype relation, if S and T are. In the widely cited, unpublished note [Car90], Cardelli presents F ω ≤ in a more general form going beyond pointwise subtyping of type applications in distinguishing between monotone and antimonotone operators. Thus, for instance, T U1 is a subtype of T U2, if U1 ≤ U2 and T is a monotone operator. My thesis extends F ω ≤ by polarized application, it explores its proof theory, establishing decidability of polarized F ω ≤. The inclusion of polarized application rules leads to an interdependence of the subtyping and the kinding system. This contrasts with pure F ω ≤ , where subtyping depends on kinding but not vice versa. To retain decidability of the system, the equal-bounds subtyping rule for all-types is rephrased in the polarized setting as a mutual-subtype requirement of the upper bounds.

The standard formulation of bounded quantification, system F , is difficult to work with and lacks important syntactic properties, such as decidability. More tractable variants have been studied, but those studied so far either exclude significant classes of useful programs or lack a compelling semantics. We propose

A well-known shortcoming of the object model of Simula and Smalltalk is the inability to deal cleanly with methods that require access to the internal state of more than one object at a time. Recent language designs have therefore extended the basic object model with notions such as friends' methods and protected features, which allow external access to the internal state of objects but limit the scope in which such access can be used. We show that a variant of this idea can be added to any type-theoretic model of the basic object-oriented mechanisms (encapsulation, message passing, and inheritance), using a construction based on Cardelli and Wegner's partially abstract types, a refinement of Mitchell and Plotkin's type-theoretic treatment of abstract types.

Combining intersection types with higher-order subtyping yields a typed model of object-oriented programming with multiple inheritance. Objects, message passing, subtyping, and inheritance appear as programming idioms in a typed -calculus, a modelling technique that facilitates experimentation and helps in distinguishing between essential aspects of the object-oriented style ---encapsulation and subtype polymorphism, which are directly reflected in the low-level type system --- and useful but inessential programming idioms such as inheritance. The target calculus, a natural generalization of system F ! with intersection types, is of independent interest. We establish basic structural properties and give a proof of type soundness using a simple semantics based on partial equivalence relations.

We study a variant of System F that integrates and generalizes several existing proposals for calculi with structural typing rules. To the usual type constructors (!, \Theta, All, Some, Rec) we add a number of type destructors, each internalizing a useful fact about the subtyping relation. For example, in F with products every closed subtype of a product S\ThetaT must itself be a product S 0 \ThetaT 0 with S 0 !:S and T 0 !:T. We internalise this observation by introducing type destructors .1 and .2 and postulating an equivalence T = j T.1\ThetaT.2 whenever T !: U\ThetaV (including, for example, when T is a variable). In other words, every subtype of a product type literally is a product type, modulo j-conversion. Adding type destructors provides a clean solution to the problem of polymorphic update without introducing new term formers, new forms of polymorphism, or quantification over type operators. We illustrate this by giving elementary presentations of two well-known e...