We present a system for extending standard type systems with flow-sensitive type qualifiers. Users annotate their programs with type qualifiers, and inference checks that the annotations are correct. In our system only the type qualifiers are modeled flow-sensitively - the underlying standard types are unchanged, which allows us to obtain an efficient constraint-based inference algorithm that integrates flow-insensitive alias analysis, effect inference, and ideas from linear type systems to support strong updates. We demonstrate the usefulness of flow-sensitive type qualifiers by finding a number of new locking bugs in the Linux kernel.

Functional programming may be beautiful, but to write real applications we must grapple with awkward real-world issues: input/output, robustness, concurrency, and interfacing to programs written in other languages. These lecture notes give an overview of the techniques that have been developed by the Haskell community to address these problems. I introduce various proposed extensions to Haskell along the way, and I offer an operational semantics that explains what these extensions mean. This tutorial was given at the Marktoberdorf Summer School 2000. It will appears in the book “Engineering theories of software construction, Marktoberdorf Summer School 2000”, ed CAR Hoare, M Broy, and R Steinbrueggen, NATO ASI Series, IOS Press, 2001, pp47-96. This version has a few errors corrected compared with the published version. Change summary: Apr 2005: some examples added to Section 5.2.2, to clarifyevaluate. March 2002: substantial revision 1

... This paper develops type systems which can statically guarantee the success of these checks. Our systems allow security properties of programs to be clearly expressed within the types themselves, which thus serve as static declarations of the security policy. We develop these systems using a systematic methodology: we show that the security-passing style translation, proposed by Wallach, Appel and Felten as a dynamic implementation technique, also gives rise to static security-aware type systems, by composition with conventional type systems. To de ne the latter, we use the general HM(X) framework, and easily construct several constraint- and unification-based type systems.

We study the problem of certifying programs combining imperative and functional features within the general framework of type theory. Type theory constitutes a powerful specification language, which is naturally suited for the proof of purely functional programs. To deal with imperative programs, we propose a logical interpretation of an annotated program as a partial proof of its specification. The construction of the corresponding partial proof term is based on a static analysis of the effects of the program, and on the use of monads. The usual notion of monads is refined in order to account for the notion of effect. The missing subterms in the partial proof term are seen as proof obligations, whose actual proofs are left to the user. We show that the validity of those proof obligations implies the total correctness of the program. We also establish a result of partial completeness. This work has been implemented in the Coq proof assistant. It appears as a tactic taking an ann...

Launchbury and Peyton Jones came up with an ingenious idea for embedding regions of imperative programming in a pure functional language like Haskell. The key idea was based on a simple modification of Hindley-Milner's type system. Our first contribution is to propose a more natural encapsulation construct exploiting higher-order kinds, which achieves the same encapsulation effect, but avoids the ad hoc type parameter of the original proposal. The second contribution is a type safety result for encapsulation of strict state using both the original encapsulation construct and the newly introduced one. We establish this result in a more expressive context than the original proposal, namely in the context of the higher-order lambda-calculus. The third contribution is a type safety result for encapsulation of lazy state in the higher-order lambda-calculus. This result resolves an outstanding open problem on which previous proof attempts failed. In all cases, we formalize the intended implementations as simple big-step operational semantics on untyped terms, which capture interesting implementation details not captured by the reduction semantics proposed previously. 1

this paper the author was partially supported by an SERC/EPSRC Advanced Research Fellowship, EPSRC Research grant GR/L54639, and EU Working Group APPSEM

An effects system can be used to delimit the scope of computational effects within a program. This information is not only useful for the programmer, but also can be used in the definition of a number of optimizations. Most effects systems have been defined for functional languages with simple state. Greenhouse and Boyland have recently suggested how an effects system could be used within Java. In this paper we take a core imperative calculus for Java, and consider its extension with an effects system, following the suggestions of Greenhouse and Boyland. We define formally the effects system and an instrumented operational semantics and prove the correctness of the effects system; a question left open by Greenhouse and Boyland. We also consider the question of effect inference for our calculus, detailing an algorithm for inferring effects information and prove it correct.

In their purest formulation, monads are used in functional programming for two purposes: (1) to hygienically propagate effects, and (2) to globalize the effect scope -- once an effect occurs, the purity of the surrounding computation cannot be restored. As a consequence, monadic typing does not provide very naturally for the practically important ability to handle effects, and there is a number of previous works directed toward remedying this deficiency. It is mostly based on extending the monadic framework with further extra-logical constructs to support handling. In this paper we adopt...

Monads were introduced in computer science to express the semantics of programs with computational effects, while type and e ect inference was introduced to mark out those effects. In this article, we propose a combination of the notions of effects and monads, where the monadic operators are parameterized by effects. We establish some relationships between those generalized monads and the classical ones. Then we use a generalized monad to translate imperative programs into purely functional ones. We establish the correctness of that translation. This work has been put into practice in the Coq proof assistant to establish the correctness of imperative programs.

. The Java JDK 1.2 Security Architecture includes a dynamic mechanism for enforcing access control checks, so-called stack inspection. This paper studies type systems which can statically guarantee the success of these checks. We develop these systems using a new, systematic methodology: we show that the security-passing style translation, proposed by Wallach and Felten as a dynamic implementation technique, also gives rise to static security-aware type systems, by composition with conventional type systems. To dene the latter, we use the general HM(X) framework, and easily construct several constraint- and unication-based type systems. They oer signicant improvements on a previous type system for JDK access control, both in terms of expressiveness and in terms of readability of inferred type specications. 1 Introduction The combined forces of increased use of the Internet for sensitive data and operations, and the greatly increased mobility of code has led to a need ...