Componential set-based analysis
- ACM Transactions on Programming Languages and Systems
, 1997
Cited by 108 (12 self)
Set-based analysis (SBA) produces good predictions about the behavior of functional and object-oriented programs. The analysis proceeds by inferring constraints that characterize the data flow relationships of the analyzed program. Experiences with MrSpidey, a static debugger based on SBA, indicate that SBA can adequately deal with programs of up to a couple of thousand lines of code. SBA fails, however, to cope with larger programs because it generates systems of constraints that are at least linear, and possibly quadratic, in the size of the analyzed program. This article presents theoretical and practical results concerning methods for reducing the size of constraint systems. The theoretical results include a proof-theoretic characterization of the observable behavior of constraint systems for program components, and a complete algorithm for deciding the observable equivalence of constraint systems. In the course of this development we establish a close connection between the observable equivalence of constraint systems and the equivalence of regular-tree grammars. We then exploit this connection to adapt a variety of algorithms for simplifying grammars to the problem of simplifying constraint systems. Based on the resulting algorithms, we have developed componential set-based analysis, a modular and polymorphic variant of SBA. Experimental results verify the effectiveness of the simplification
Subtyping Constrained Types
, 1996
Cited by 60 (2 self)
A constrained type is a type that comes with a set of subtyping constraints on variables occurring in the type. Constrained type inference systems are a natural generalization of Hindley/Milner type inference to languages with subtyping. This paper develops several subtyping relations on polymorphic constrained types of a general form that allows recursive constraints and multiple bounds on type variables. We establish a full type abstraction property that equates a novel operational notion of subtyping with a semantic notion based on regular trees. The decidability of this notion of subtyping is open; we present a decidable approximation. Subtyping constrained types has applications to signature matching and to constrained type simplification. The relation will thus be a critical component of any programming language incorporating a constrained typing system. 1 Introduction A constrained type is a type that is additionally constrained by a set of subtyping constraints on the free ty...
Security properties of typed applets
- In Secure Internet Programming – Security Issues for Mobile and Distributed
, 1999
Cited by 56 (3 self)
This paper formalizes the folklore result that strongly-typed applets are more secure than untyped ones. We formulate and prove several security properties that all well-typed applets possess, and identify sufficient conditions for the applet execution environment to be safe, such as procedural encapsulation, type abstraction, and systematic type-based placement of run-time checks. These results are a first step towards formal techniques for developing and validating safe execution environments for applets.
On the Complexity Analysis of Static Analyses
- Journal of the ACM
, 1999
Cited by 55 (3 self)
This paper argues that for many algorithms, and static analysis
A modular, polyvariant, and type-based closure analysis
- In ICFP ’97
Cited by 53 (1 self)
We observe that the principal typing property of a type system is the enabling technology for modularity and separate compilation [10]. We use this technology to formulate a modular and polyvariant closure analysis, based on the rank 2 intersection types annotated with control-flow information. Modularity manifests itself in a syntax-directed, annotated-type inference algorithm that can analyse program fragments containing free variables: a principal typing property is used to formalise it. Polyvariance manifests itself in the separation of different behaviours of the same function at its different uses: this is formalised via the rank 2 intersection types. As the rank 2 intersection type discipline types at least all (core) ML programs, our analysis can be used in the separate compilation of such programs.
Effective Flow Analysis for Avoiding Run-Time Checks
- In Proceedings of the 1995 International Static Analysis Symposium
, 1995
Cited by 49 (5 self)
This paper describes a general purpose program analysis that computes global control-flow and data-flow information for higher-order, call-by-value programs. This information can be used to drive global program optimizations such as inlining and run-time check elimination, as well as optimizations like constant folding and loop invariant code motion that are typically based on special-purpose local analyses. The analysis employs a novel approximation technique called polymorphic splitting that uses let-expressions as syntactic clues to gain precision. Polymorphic splitting borrows ideas from Hindley-Milner polymorphic type inference systems to create an analog to polymorphism for flow analysis. Experimental results derived from an implementation of the analysis for Scheme indicate that the analysis is extremely precise and has reasonable cost. In particular, it eliminates significantly more run-time checks than simple flow analyses (i.e. 0CFA) or analyses based on type ...
Control-Flow Analysis and Type Systems
, 1995
Cited by 47 (1 self)
We establish a series of equivalences between type systems and control-flow analyses. Specifically, we take four type systems from the literature (involving simple types, subtypes and recursion) and conservatively extend them to reason about control-flow information. Similarly, we take four standard control-flow systems and conservatively extend them to reason about type consistency. Our main result is that we can match up the resulting type and control-flow systems such that we obtain pairs of equivalent systems, where the equivalence is with respect to both type and control-flow information. In essence, type systems and control-flow analysis can be viewed as complementary approaches for addressing questions of type consistency and control-flow. Recent and independent work by Palsberg and O'Keefe has addressed the same general question. Our work differs from theirs in two respects. First, they only consider what happens when control-flow systems are used to reason about types. In co...
Linear-time Subtransitive Control Flow Analysis
, 1997
Cited by 41 (1 self)
We present a linear-time algorithm for bounded-type programs that builds a directed graph whose transitive closure gives exactly the results of the standard (cubic-time) Control-Flow Analysis (CFA) algorithm. Our algorithm can be used to list all function calls from all call sites in (optimal) quadratic time. More importantly, it can be used to give linear-time algorithms for CFA-consuming applications such as:
- effects analysis: find the side-effecting expressions in a program.
- k-limited CFA: for each call-site, list the functions if there are only a few of them ( k) and otherwise output "many".
- called-once analysis: identify all functions called from only one call-site.
1 Introduction The control-flow graph of a program plays a central role in compilation -- it identifies the block and loop structure in a program, a prerequisite for many code optimizations. For first-order languages, this graph can be directly constructed from a program because information about flow of ...
Types as abstract interpretations, invited paper
- In 24th POPL
, 1997
Cited by 35 (10 self)
Starting from a denotational semantics of the eager untyped lambda-calculus with explicit runtime errors, the standard collecting semantics is defined as specifying the strongest program properties. By a first abstraction, a new sound type collecting semantics is derived in compositional fixpoint form. Then by successive (semi-dual) Galois connection based abstractions, type systems and/or type inference algorithms are designed as abstract semantics or abstract interpreters approximating the type collecting semantics. This leads to a hierarchy of type systems, which is part of the lattice of abstract interpretations of the untyped lambda-calculus. This hierarchy includes two new à la Church/Curry polytype systems. Abstractions of this polytype semantics lead to classical Milner/Mycroft and Damas/Milner polymorphic type schemes, Church/Curry monotypes and Hindley principal typing algorithm. This shows that types are abstract interpretations.
On the Cubic Bottleneck in Subtyping and Flow Analysis
, 1997
Cited by 30 (6 self)
A variety of program analysis methods have worst case time complexity that grows cubically in the length of the program being analyzed. Cubic complexity typically arises in control flow analyses and the inference of recursive types (including object types). It is often said that such cubic performance cannot be improved because these analyses require "dynamic transitive closure". Here we prove linear time reductions from the problem of determining membership for languages defined by 2-way nondeterministic pushdown automata (2NPDA) to problems of flow analysis and typability in the Amadio-Cardelli type system. An O(n^3) algorithm was given for 2NPDA acceptability in 1968 and is still the best known. The reductions are factored through the problem of "monotone closure" and we propose linear time reduction of the monotone closure as a method of establishing "monotone closure hardness" for program analysis problems. A sub-cubic procedure for a monotone closure hard problem would imply a ...