Resource Usage Analysis

Transcription

1 Resource Usage Anaysis ATSUSHI IGARASHI Kyoto University and NAOKI KOBAYASHI Tohoku University It is an important criterion of program correctness that a program accesses resources in a vaid manner. For exampe, a memory region that has been aocated shoud eventuay be deaocated, and after the deaocation, the region shoud no onger be accessed. A fie that has been opened shoud be eventuay cosed. So far, most of the methods to anayze this kind of property have been proposed in rather specific contexts (ike studies of memory management and verification of usage of ock primitives), and it was not cear what the essence of those methods was or how methods proposed for individua probems are reated. To remedy this situation, we formaize a genera probem of anayzing resource usage as a resource usage anaysis probem, and propose a type-based method as a soution to the probem. Categories and Subject Descriptors: D.3.1 [Programming Languages]: Forma Definitions and Theory; D.3.2 [Programming Languages]: Language Cassifications Appicative (functiona) anguages; F.3.1 [Logics and Meaning of Programs]: Specifying and Verifying and Reasoning about Programs; F.3.2 [Logics and Meaning of Programs]: Semantics of Programming Languages Program anaysis; Operationa Semantics; F.3.3 [Logics and Meaning of Programs]: Studies of Program Constructs Type structure Genera Terms: Languages, Reiabiity, Theory, Verification Additiona Key Words and Phrases: resource usage, type inference 1. INTRODUCTION It is an important criterion of program correctness that a program accesses resources in a vaid manner. For exampe, a memory ce that has been aocated shoud This is a revised and extended version of a paper presented in the proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principes of Programming Languages (POPL2002), ACM SIGPLAN Notices voume 37 number 1, pages , January This work was supported in part by the Ministry of Education, Science, Sports and Cuture, Grant-in-Aid for Scientific Research on Priority Areas Research No , Authors addresses: A. Igarashi, Graduate Schoo of Informatics, Kyoto University, Yoshida- Honmachi, Sakyo-ku, Kyoto , Japan; emai: igarashi@kuis.kyoto-u.ac.jp; N. Kobayashi, Graduate Schoo of Information Sciences, Tohoku University, Aoba, Aramaki, Aoba-ku, Sendai , Japan; e-mai:koba@ecei.tohoku.ac.jp. Permission to make digita/hard copy of a or part of this materia without fee for persona or cassroom use provided that the copies are not made or distributed for profit or commercia advantage, the ACM copyright/server notice, the tite of the pubication, and its date appear, and notice is given that copying is by permission of the ACM, Inc. To copy otherwise, to repubish, to post on servers, or to redistribute to ists requires prior specific permission and/or a fee. ACM Transactions on Programming Languages and Systems, Vo. TBD, No. TDB, Month Year, Pages 1 50.

2 2 A. Igarashi and N. Kobayashi. eventuay be deaocated 1, and after the deaocation, the ce shoud not be read or updated. A fie that has been opened shoud be eventuay cosed. A ock shoud be acquired before a shared resource is accessed. After the ock has been acquired, it shoud be eventuay reeased. A number of program anayses have been proposed to ensure such a property. Type systems for region-based memory management [Aiken et a. 1995; Birkeda et a. 1996; Tofte and Tapin 1994; Waker et a. 2000] ensure that deaocated regions are no onger read or written. Linear type systems [Kobayashi 1999; Turner et a. 1995; Wader 1990; Wansbrough and Peyton Jones 1999] ensure that a inear (use-once) vaue that has been aready accessed is never accessed again. Abadi and Fanagan s type systems for race detection [Fanagan and Abadi 1999a; 1999b] ensure that appropriate ocks wi be acquired before a reference ce or a concurrent object is accessed. Freund and Mitche s type system [Freund and Mitche 1999] for the Java Virtua Machine (JVM) ensures that every object is initiaized before it is accessed. Bigiardi and Laneve s type system [Bigiardi and Laneve 2000] for the JVM ensures that an object that has been ocked wi be eventuay unocked. DeLine and Fähndrich s type system [DeLine and Fähndrich 2001] keeps track of the state of each resource in order to contro access to the resource. The probems attacked in the above-mentioned pieces of work are simiar: There are different types of primitives to access resources (initiaization, read, write, deaocation, etc.) and we want to ensure that those primitives are appied in a vaid order. In spite of such simiarity, however, most of the soutions (except for DeLine and Fähndrich s work [DeLine and Fähndrich 2001]) have been proposed for specific probems. As a resut, soutions are often rather ad hoc, and it is not cear how they can be appied to other simiar probems and how soutions for different probems are reated. This is in contrast with standard program anaysis probems ike fow anaysis: For the fow anaysis probem, there is a standard definition and there are severa standard methods, whose properties (computationa cost, precision, etc.) are we studied. Based on the observation above, our aims are: (1) To formaize a genera probem of anayzing how each resource is accessed as a resource usage anaysis probem (usage anaysis probem, in short 2 ), to make it easy to reate existing methods and to stimuate further studies of the probem. (2) To propose a type-based method for usage anaysis. Unike DeLine and Fähndrich s type system [DeLine and Fähndrich 2001], our type-based anaysis does not need programmers type annotation to guide the anaysis. Our anaysis automaticay gathers information about how resources are accessed, and checks whether it matches the programmer s intention. We give an overview of each point beow. 1 Or, a program can just ca exit() before memory is exhausted. 2 The term usage anaysis is aso used to refer to inearity anaysis [Gustavsson and Svenningsson 2000]. Our resource usage anaysis probem can be considered generaization of the probem of inearity anaysis.

3 Resource Usage Anaysis Resource Usage Anaysis Probem We formaize a resource usage anaysis probem in a manner simiar to a formaization of the fow anaysis probem [Nieson et a. 1999]. Suppose that each expression of a program is annotated with a abe, and et L be the set of abes. The standard fow anaysis probem for λ-cacuus is to obtain a function fow L 2 L (2 L denotes the powerset of L) where fow() = { 1,..., n } means that an expression abeed with evauates to a vaue generated by an expression abeed with one of 1,..., n. (Or, equivaenty, the probem is to obtain a function fow 1 L 2 L where fow 1 () = { 1,..., n } means that ony expressions abeed with 1,..., n can evauate to the vaue generated by an expression abeed with.) From a fow function, we know what access may occur to each resource. For exampe, consider the foowing fragment of an ML-ike program: et x = (fopen(s)) o in... fread(m R )... fcose(n C )... Here, we assume that fopen opens a fie of name s and returns a fie pointer to access the fie, and that fread (fcose, resp.) takes a fie pointer as an input and reads (coses, resp.) the fie. If fow 1 ( o ) = { R }, then we know that the fie opened at o may be read, but is not cosed (since expression N C cannot evauate to the fie by the definition of fow 1 ). A fow function does not provide information about the order of resource accesses. Suppose that fow 1 ( o ) is { C, R } in the above program. From the fow information, we cannot te whether the fie created at o is cosed after it has been read, or the fie is read after it has been cosed. Let us write L for the set of finite sequences of abes. We formaize resource usage anaysis as a probem of (1) computing a function use L 2 L where 1 n use() means that a vaue generated by an expression abeed with may be accessed by primitives abeed with 1,..., n in this order, and then (2) checking whether use() contains ony vaid access sequences. Let us reconsider the above exampe: et x = fopen o (s) in... fread R (M)... fcose C (N)... (Here, abes are moved to primitives for creating or accessing resources, rather than expressions fopen(s), M, or N to be evauated to fie pointers.) If use( o ) = { R C, R R C }, we know that the fie opened at o may be cosed after it is read once or twice, and the fie is never read after being cosed. On the other hand, if use( o ) = { R C, C R }, the fie may be read after it has been cosed. Many probems can be considered instances of the usage anaysis probem. In region-based memory management [Tofte and Tapin 1994; Birkeda et a. 1996; Aiken et a. 1995; Waker et a. 2000], we can regard regions as resources. Suppose that every primitive for reading a vaue from a region (writing a vaue into a region, deaocating a region, resp.) is annotated with R ( W, F, resp.). Then, a regionannotated program is correct if use() ( R + W ) F, where the reguar expression ( R + W ) F denotes the set of sequences consisting of zero or more occurrences of R or W foowed by one F. In inear type systems [Wader 1990; Turner et a. 1995; Kobayashi 1999; Wansbrough and Peyton Jones 1999], we can regard vaues as resources. A inear type system is correct if for every abe of a primitive for creating inear (use-once) vaues, use() contains ony sequences of ength 1. The

4 4 A. Igarashi and N. Kobayashi. object initiaization is correct [Freund and Mitche 1999] if for every abe of an (occurrence of) object creation primitive, every sequence in use() begins with the abe of a primitive for object initiaization. The probem of checking usage of ock primitives [Bigiardi and Laneve 2000] is reduced to that of checking whether in every sequence in use(), each occurrence of a abe of the ock primitive is foowed by an occurrence of a abe of the unock primitive. The contro fow anaysis probem can aso be considered an instance of the usage anaysis probem. We can regard functions as resources, function abstraction as the primitive for creating a function, and function appication as the primitive for accessing a function. Then, a function created at may be caed at if use() contains. 1.2 Type-Based Usage Anaysis We present a type-based resource usage anaysis for a ca-by-vaue, simpy typed λ-cacuus extended with primitives for creating and accessing resources. The main idea is to augment types with information about a resource access order. For exampe, the type of a fie is written as (Fie, U), where U, caed a usage, expresses how the fie is accessed. Its syntax is given by: U ::= U 1 ; U 2 U 1 & U 2 (We sha introduce other usage constructors ater.) Usage means that the resource is accessed by a primitive abeed with. U 1 ;U 2 means that the resource is accessed according to U 1 and then accessed according to U 2. U 1 &U 2 means that the resource is accessed according to either U 1 or U 2. For exampe, a fie that is accessed by a primitive abeed with 1 and then by a primitive abeed with 2 has type (Fie, 1 ; 2 ). A type judgment of our type system is of the usua form Γ M : τ except that types are extended. Here, whie the type τ of M expresses how the resource M shoud be accessed by the context in which M appears, the type environment Γ expresses how the resources pointed to by free variabes shoud be accessed during the evauation of M (stricty speaking, it is not aways the case that those accesses happen during the evauation of M, as we wi see beow). For exampe, x : (Fie, R ; W ) specifies that the resource x shoud be read once and then written once. So, x : (Fie, R ; W ) fread R (x); fwrite W (x) : boo is a vaid judgment, but x : (R, R ; W ) fwrite W (x); fread R (x) : boo is not. Then, we extend typing rues for the simpy typed λ-cacuus so that the evauation order is taken into account. For exampe, the ordinary rue for et-expressions is: Γ M : τ It is repaced by the foowing rue: Γ, x : τ N : σ Γ et x = M in N : σ Γ M : τ, x : τ N : σ Γ; et x = M in N : σ Type environment Γ; (connected by ; ) indicates that the resources referred to by free variabes are first accessed according to Γ and then according to, refecting

5 Resource Usage Anaysis 5 the evauation rue that M is evauated and then N is evauated. For exampe, if we have y : (Fie, 1 ) M : boo (which impies that y is a fie accessed at 1 in M) and y:(fie, 2 ), x:boo N :boo, then we get y:(fie, 1 ; 2 ) et x = M in N :boo. The resuting type environment indicates that y is a fie accessed at 1 and then at 2. Actuay, the type system is a itte more compicated than it might seem. Consider an expression M = et x = y in (fread R (y); fwrite W (x, c)) where c is a character. If we naivey appy the above rue, we get: y : (Fie, W ) y : (Fie, W ) y : (Fie, R ), x : (Fie, W ) fread R (y); fwrite W (x, c) : boo (y : (Fie, W )); (y : (Fie, R ))(= y : (Fie, W ; R )) M : boo The concusion impies that y is first written at W and then read at R, which is wrong. This wrong reasoning comes from the fact that the access represented by the type environment y : (Fie, W ) occurs not when y is evauated but when the body of the et-expression fread R (y); fwrite W (x) is evauated. To sove this probem, we introduce a usage constructor U. Both U and U mean that the resource must be used according to U, but they differ in the specification about the timing of resource access: If an expression M is to be typed under the assumption that x s usage is U, x must be accessed according to U now, when the expression M is evauated. On the other hand, if x s usage is U, x can be accessed at any time, either when M is evauated, or when the vaue of M is used ater. Using the constructor, we repace the above inference with: y : (Fie, W ) y : (Fie, W ) y : (Fie, R ), x : (Fie, W ) fread R (y); fwrite W (x, c) : boo y : (Fie, W ; R ) M : boo The premise y : (Fie, W ) y : (Fie, W ) refects the fact that the resource y is accessed ony when the vaue of y is used ater (when fwrite W (x) is evauated). The usage W ; R in the concusion means that an access at W may occur immediatey before an access at R occurs, or ater after an access at R occurs. So, the concusion impies that y may be accessed at W and R in any order. (In order to obtain a more accurate usage R ; W, we need to keep dependencies between different variabes: See Section 7.) In order to get accurate information about the access order, we aso need to have a rue to remove. Suppose that x : (Fie, ) M : τ is derived and that we know that the vaue (evauation resut) of M cannot contain a reference to x. Then, we know that x is accessed at when M is evauated, not ater. To aow such reasoning, we introduce the foowing rue: Γ, x : τ M : σ x does not escape from M Γ, x : τ M : σ Here, is a constructor to cance the -constructor.

6 6 A. Igarashi and N. Kobayashi. Based on the above idea, we formaize a type system for usage anaysis and prove its correctness. We aso deveop a type inference agorithm to infer resource usage information automaticay so that programmers ony have to decare what access sequences are vaid: the type inference agorithm automaticay computes the function use, and checks whether use() contains ony vaid access sequences for each resource creation point. 1.3 The Rest of This Paper Section 2 introduces a target anguage and Section 3 defines the probem of resource usage anaysis. After Section 4 presents a type system for resource usage anaysis and Section 5 proves its correctness, Section 6 gives a type inference agorithm. Section 7 discusses extensions of the type-based method. Section 8 discusses reated work and Section 9 concudes. 2. TARGET LANGUAGE This section introduces λ R, a ca-by-vaue λ-cacuus extended with primitives to create and access resources. We assume that there is a countaby infinite set L of abes, ranged over by the meta-variabe. We write L for the set of finite sequences of abes, and write L, for the set L {s s L }. The specia symbo is used to denote the termination of program execution. We ca an eement of L, a trace. We write ɛ for the empty sequence, and s 1 s 2 for the concatenation of two traces s 1 and s 2. A trace set, denoted by the meta-variabe Φ, is a subset of L, that is prefix-cosed, i.e., ss Φ impies s Φ. S denotes the set of a prefixes of eements of S, i.e., {s L, ss S}. Definition 2.1 (Terms). The syntax of λ R terms is given by: M ::= true fase x fun(f, x, M) if M 1 then M 2 ese M 3 M 1 M 2 new Φ () acc (M) et x = M 1 in M 2 Here, we have extended the standard λ-cacuus with two constructs: new Φ () for creating a new resource and acc (M) for accessing resource M. For simpicity, we consider a singe kind of resource (hence the singe primitive for resource creation). Aso, we assume that access primitives aways return true or fase. This is not so restrictive from the viewpoint of usage anaysis: For exampe, the behavior of a primitive that accesses a resource and then returns the updated resource can be simuated by λr.(et x = acc (r) in r). fun(f, x, M) denotes a recursive function f that satisfies f = λx.m. A et-expression et x = M 1 in M 2 is computationay equivaent to (fun(f, x, M 2 )) M 1 (where f is not free in M 2 ), but we incude it to make our type-based anaysis in Section 4 more precise (aso see Section 7). A forma operationa semantics of the anguage is defined in the next section. The trace set Φ attached to an occurrence of resource creation primitive represents the programmer s intention on how the resource shoud be accessed during evauation. A trace of the form s is a possibe sequence of accesses performed to a resource by the time when evauation terminates, whie a trace of the form s( L ) is a possibe sequence of accesses performed by some time during evauation. For exampe, new { 2, 1 2 } () creates a resource that shoud be accessed at

7 Resource Usage Anaysis 7 1 at most once and then accessed once at 2 before the evauation of the whoe term terminates. It is important to distinguish between traces ending with and those without. For exampe, for a fie, the trace set may contain R ; W but not R ; W, since the fie shoud be cosed before the program terminates. We do not fix a particuar way to specify trace sets Φ. They coud be specified in various ways, for exampe, using reguar expressions, shuffe expressions [Gischer 1981; Jȩdrzejowicz and Szepietowski 2001] context-free grammars, moda ogics [Emerson 1990], or usage expressions we introduce in Section 4. Bound and free variabes are defined in a standard manner. We write FV(M) for the set of free variabes in M. We often write M ; M for et x = M in M when x FV(M), and write λx.m for fun(f, x, M) when f FV(M). Exampe 2.2. Let init, read, write, and free be primitives to initiaize, read, update, and deaocate a resource respectivey. (In exampes, we often use more readabe names for primitives, rather than acc.) The foowing program creates a new resource r, initiaizes it, and then cas function f. Inside function f, resource r is read and updated severa times and then deaocated. et f = fun(f, x, if read R (x) then free F (x) ese (write W (x); f x)) in et r = new Φr () in (init I (r); f r) Here, Φ r = ( I ( R + W ) F ) (where I ( R + W ) F is a reguar expression). Φ r specifies that r shoud be initiaized first and deaocated at the end. Aternativey, Φ r can be a more precise specification ( I ( R W ) R F ). This kind of access pattern (initiaized, accessed, and then deaocated) often occurs to various types of resources (e.g., memory, fies, Java objects [Freund and Mitche 1999]). 3. RESOURCE USAGE ANALYSIS PROBLEM The purpose of resource usage anaysis is to infer how each resource is used in a given program, and check whether the inferred resource usage matches the programmer s intention (specified by using trace sets). We give beow a forma definition of the resource usage anaysis probem, by using an operationa semantics that takes the usage of resources into account. 3.1 Operationa Semantics We first introduce the notion of heaps to keep track of how each resource is used during evauation: Formay, a heap is a mapping from variabes to trace sets. Definition (Heap). A heap H is a function from a finite set of variabes to trace sets. We write {x 1 Φ 1,..., x n Φ n } (n may be 0) for the heap H such that dom(h) = {x 1,..., x n } and H(x i ) = Φ i. When dom(h 1 ) dom(h 2 ) =, we write H 1 H 2 for the heap H such that dom(h) = dom(h 1 ) dom(h 2 ) and H(x) = H i (x) if x dom(h i ). Foowing [Kobayashi 1999; Morrisett et a. 1995; Turner et a. 1995], program execution is represented by reduction of pairs of a heap and a term. When a resource is used at a program point, the attached traces are consumed the abe at the head of a trace is removed (if the trace begins with ; the traces not beginning

8 8 A. Igarashi and N. Kobayashi. z fresh (H, E[new Φ ()]) (H {z Φ}, E[z]) b = true or fase Φ (H {x Φ}, E[acc (x)]) (H {x Φ }, E[b]) (R-New) (R-Acc) Φ = (H {x Φ}, E[acc (x)]) Error (H, E[fun(f, x, M) v]) (H, E[[fun(f, x, M)/f, v/x]m]) (H, E[if true then M 1 ese M 2 ]) (H, E[M 1 ]) (H, E[if fase then M 1 ese M 2 ]) (H, E[M 2 ]) (R-AccErr) (R-App) (R-IfT) (R-IfF) Fig. 1. Reduction Rues with are discarded). We define Φ, which represents the trace set after the use at, by {s s Φ}. The forma reduction reation is defined beow, using evauation contexts. Definition (Vaues, Substitution). A vaue v is either a variabe, fun(f, x, M), true, or fase. We write [v 1 /x 1,..., v n /x n ] for the standard (simutaneous) capture-avoiding substitution of v i for x i. Definition (Evauation Contexts). The syntax of evauation contexts is given by: E ::= [ ] if E then M 1 ese M 2 E M v E acc (E) et x = E in M We write E[M] for the expression obtained by repacing [ ] with M in E. Definition A reduction reation (H, M) P, where P is either Error or a pair (H, M ), is defined as the east reation cosed under the rues in Figure 1. We write for the refexive transitive cosure of. Most of the rues are straightforward. In rue R-Acc, the attached trace set must incude a trace beginning with (represented by Φ ). On the other hand, if no such traces are incuded, a usage error is signaed (R-AccErr). Since we do not care about the resut of resource access here, it is eft unspecified which booean vaue is returned in R-Acc, hence reduction is nondeterministic. When an ordinary type error ike appication of a non-functiona vaue occurs, the reduction wi get stuck. Exampe Let M be the foowing program, obtained by removing init I (r) from the program in Exampe 2.2 (et Φ r be ( I ( R + W ) F ) ): et f = fun(f, x, if read R (x) then free F (x) ese (write W (x); f x)) in et r = new Φ r () in f r

9 Resource Usage Anaysis 9 The evauation of M fais because r is read before it is initiaized. ({}, M) ({z ( I ( R + W ) F ) }, fun(f, x, if read R (x) then ese ) z) ({z ( I ( R + W ) F ) }, if read R (z) then ese ) Error 3.2 Resource Usage Anaysis Now, we define the probem of resource usage anaysis. Intuitivey, M is resourcesafe if evauation of M does not cause any usage errors and if a the resources are used up when the evauation terminates. Definition M is resource-safe iff (1) ({}, M) Error and (2) if ({}, M) (H, v), then for any x dom(h), H(x). The resource usage anaysis probem is, given a program M, to check whether M is resource-safe. Since the probem is undecidabe, the resource usage anaysis technique deveoped here is ony sound (not compete): If the answer is yes, the program shoud indeed be resource-safe, but even if the answer is no, the program may be resource-safe. Exampe The program M in Exampe 2.2 is resource-safe. Exampe Let M be the foowing program, obtained from the program in Exampe 2.2 by repacing free F (x) in the definition of f with true (et Φ r be ( I ( R + W ) F ) ): et f = fun(f, x, if read R (x) then true ese (write W (x); f x)) in et r = new Φr () in (init I (r); f r) It is evauated as foows: ({}, M) ({z {( R + W ) F } }, if true then true ese (write W (z); fun(f, x, ) z)) ({z {( R + W ) F } }, true) In the fina state of the execution, the trace set associated to x 2 indicates that the resource sti needs to be accessed at F before the execution terminates. Since the term cannot be reduced further, the program M is not resource-safe (the second condition of Definition is vioated). According to the second condition of Definition 3.2.1, a resource-safe program must use up a resources before it terminates; For exampe, the program must cose a fies of usage ( R + W ) C. If a programmer wants to rey on the operating system to cose a fie, the usage of the fie shoud be specified as ( R + W ) ( C + ɛ) instead of ( R + W ) C. Remark Aternativey, we can formaize usage anaysis as a probem of giving not ony a yes / no answer but aso a trace set (consisting of possibe access sequences) for each resource, as expained in Section 1. Our type-based anaysis presented in the foowing sections can sove this probem, too.

10 10 A. Igarashi and N. Kobayashi. 4. A TYPE SYSTEM FOR RESOURCE USAGE ANALYSIS In this section, we present a type system that guarantees that every we-typed (cosed) program is resource-safe. As hinted in Section 1, a main idea is to augment the type of a resource with a usage expression (a usage, in short), which expresses how the resource may be accessed. We first define the syntax and semantics of usages in Subsection 4.1. We then define types, type environments, and typing rues in Subsections Note that programmers need not expicity decare any usage in their programs: the type inference agorithm described in Section 5 can automaticay recover usage information from (untyped) terms. 4.1 Usages Syntax of Usages. As expained in Section 1, usage expressions defined beow are used to describe how each resource can be accessed. Definition (Usages). The set U of usages, ranged over by U, is defined by: U ::= 0 α U 1 & U 2 U 1 ; U 2 U 1 U 2 µα.u U U U 1 U 2 We assume that the unary usage constructors and bind tighter than the binary constructors (&, ;, and ), so that 1 ; 2 means ( 1 ) ; 2. 0 is the usage of a resource that cannot be accessed at a. α denotes a usage variabe (which is bound by µα.). Usages, U 1 ;U 2, and U 1 &U 2 have been expained in Section 1. U 1 U 2 is the usage of a resource that can be accessed according to U 1 and U 2 in an intereaved manner. So, ( 1 ; 2 ) 3 is equivaent to ( 3 ; 1 ; 2 ) & ( 1 ; 3 ; 2 )&( 1 ; 2 ; 3 ). µα.u denotes a recursive usage such that α = U. For exampe, µα.(0 & (; α)) means that the resource is accessed at an arbitrary number of times. We write!u as a shorthand notation for µα.(0 & (U α)). As mentioned in Section 1, U means that the resource may be accessed now or ater according to U. So, a resource of usage 1 ; 2 may be accessed either at 1 and then at 2, or at 2 and then at 1. U means that the access represented by U must occur now. So, for exampe, ( 1 ; 2 ; 3 ) is equivaent to 1 ( 2 ; 3 ). Usage U 1 U 2 means that the access represented by U 2 occurs for each singe access represented by U 1. For exampe, ( 1 2 ) U is equivaent to U U. The precise meaning of each usage is defined ater in this subsection. Probaby, we do not need some of the usage constructors (ike ) to express the fina resut of resource usage inference, but we need them to define the type system and the type inference agorithm. Remark Our usage constructors and & correspond to mutipicative conjunction and additive conjunction (aso denoted by and &) of inear ogic [Girard 1987], respectivey. In inear ogic, A B intuitivey means that we have A and B at the same time, whie A & B means that we can choose either of A and B, but cannot have both at the same time. This intuition matches the intuition of the usages U 1 U 2 and U 1 & U 2 : U 1 U 2 means that we have both the capabiity to access a resource according to U 1 and the capabiity to access a resource according to U 2, whie U 1 & U 2 means that we can choose one from the capabiity to access a resource according to U 1 and the capabiity to access a resource according to U 2, but cannot exercise both capabiities.

11 Resource Usage Anaysis 11 Exampe The usage of a read-ony fie can be expressed by µα.(0 & ( R ; α)); C (or (! R ); C ), whie that of a writabe fie can be expressed by µα.(0 & (( R & W ); α)); C (or!( R & W ); C ). The usage of a stack is expressed by!( push ; pop ), and push and pop are the abes for the push and pop primitives respectivey. The usage expressions are stricty more expressive than the context-free grammar due to the presence of and recursion. One may wonder why we do not use a simper anguage (ike a reguar anguage) for describing usages. There are two reasons for this: (1) Usage of some resources cannot be specified using a reguar expression. For exampe, consider a stack-ike resource, on which the pop operation shoud be performed the same number of times as the push operation. (2) Even if the usage of a resource can be specified using a reguar expression (as we have shown in the exampe of fies), the usage of the resource in a certain part of the program may not be expressed using a reguar expression. For exampe, consider the foowing recursive function (where b is some booean expression that does not contain any access to x): fun(f, x, if b then true ese (g(x); f(x); h(x)) Function g is first appied to the argument x of the function, and then h is appied the same number of times. In order to perform type reconstruction, we need to be abe to assign a most genera type for each expression. Using reguar expressions, however, we cannot assign the most genera type to the above function. The type judgment g : (R, α g ) boo, h : (R, α h ) boo fun(f, x, ) : (R, α gα h) boo is correct but there are type judgments that express more precise information: g : (R, α g ) boo, h : (R, α h ) boo fun(f, x, ) : (R, ɛ + α g α h + α g α + g α h α + h ) boo g : (R, α g ) boo, h : (R, α h ) boo fun(f, x, ) : (R, ɛ + α g α h + α g α g α h α h + α 2 gα + g α 2 h α+ h ) boo The above exampe suggests that we need at east a context-free anguage to express the most genera typing. In fact, in our type system, the function is typed as: g : (R, α g ) boo, h : (R, α h ) boo fun(f, x, ) : (R, µα.(0 & (α g ; α; α h ))) boo, where the usage µα.(0 & (α g ; α; α h )) denotes sequences of the form α n g α n h. Moreover, as we have aready expained in Section 1, we need the -constructor for expressing information about not ony the order between accesses but aso the timing of accesses. A usage constructor is necessary for expressing usage of a resource accessed through the invocation of a function cosure. For exampe, consider a function λy.read R (x). The resource x is read once each time the function is caed. Therefore, if the function is caed n times, the resource x is read n times. More generay,

12 12 A. Igarashi and N. Kobayashi. if x is accessed according to U in an expression e, and the function λy.e is caed n times, the usage of x is expressed by: U U }{{} n Since we may not be abe to staticay determine exacty how often each function is caed, we express information about how often a function may be caed by using usage expressions (but with ony a specia abe 1, as we are ony interested in how often a function is caed, not in the ca sites 3 ). For exampe, the usage of a function that may be caed at most twice is expressed by the usage 0 & 1 & (1 1). The usage of a resource in a function cosure can be computed from the usage of the function cosure (expressing how often the function may be caed) and the usage of a resource in the function body: If x is accessed according to U in an expression e, and the function λy.e is caed according to U, the usage of x is expressed by U U. Intuitivey, the usage: expresses and the usage: expresses (1 1) U }{{} n U U, }{{} n (U 1 & & U n ) U (U 1 U) & & (U n U). We shoud note that ordering information in the usage of a function is not as usefu as might be expected, to estimate the usage of the resource referred to by a free variabe in this function. Suppose, for instance, x is accessed according to U in an expression e. Even if the usage of the function λy.e is given 1 ; 1 (the order between the two cas is known), the usage of x is not necessariy U ; U. As it is usuay the case for recursive functions, the same (non-recursive) function may be caed twice before the execution of the first ca is finished. Thus, we estimate the usage of x to be U U and define the semantics of usages so that (1 ; 1) U is equivaent to U U. Semantics of Usages. We define the meaning of usages using a abeed transition semantics. A usage denotes a set of traces, obtained from possibe transition sequences. We aso define a subusage reation, which induces a subtyping reation, using the abeed transition system and the usua notion of simuation. In what foows, we assume the meta-variabe ranges over L {1}. We sha define a transition reation U U, which means that a resource of usage U can be first accessed at and then accessed according to U. The transition reation is basicay defined in a manner simiar to those for process cacui [Miner 3 As we wi see in Section 4.2, usages incuding ony 1 as a abe are attached to function types.

13 Resource Usage Anaysis 13 U 1 & U 2 U 1 U 1 & U 2 U 2 µα.u [µα.u/α]u U 1 U 1 U 2 U 2 U 1 ; U 2 U 1 ; U 2 U 1 U 1 U 2 U 2 U 1 U 2 U 1 U 2 U U U U U 1 U 1 U 2 U 2 U U U U U 1 U 2 U 1 U 2 Fig. 2. Reation U U 1989; Sangiorgi and Waker 2001]. A itte compication, however, arises for defining the semantics of usage U 1 ; U 2. A resource of usage U 1 ; U 2 can be used according to U 2 ony if U 1 no onger contains accesses that must be performed immediatey. So, the usage R ; W shoud have ony the transition sequence: R ; W R W W 0 since R means that the resource must be read immediatey, whie the usage R ; W shoud have two transition sequences: R ; W R ; W R W W 0 W R R 0, since R means that the read access may be deayed. In genera, the part U 2 in usage U 1 ; U 2 can be reduced ony when a the accesses specified in U 1 are guarded by. We express this condition by a unary predicate U 1, defined beow. Before defining the transition reation, we first define auxiiary reations, incuding U 1 mentioned above. Definition A reation is the east refexive and transitive reation on usages that satisfies the rues in Figure 2. U 1 U 2 hods when U 2 is obtained from U 1 by unfoding some recursive usages (µα.u) and removing some branches from choices (U & U ). For exampe, 1 ; ( 2 & 3 ) 1 ; 2 and µα.(0 & (U ; α)) 0 & (U ; µα.(0 & (U ; α))) U ; µα.(0 & (U ; α)). Definition Unary reations void( ), and are the east reations on usages that satisfy the rues in Figure 3. Intuitivey, void(u) means that the resource cannot be used at a. In other words, void(u) hods if U expresses essentiay the same usage as 0. For exampe, void(0 & 0) hods. U means that some branch of the usage is equivaent to 0, and thus the resource need not be accessed before evauation of the whoe term terminates. For exampe, (0 & R ) hods, athough void(0 & R ) does not hod. Now we define the transition reation U U. Definition A transition reation U cosed under the rues in Figure 4. U on usages is the east reation The rues (UR-ParR) and (UR-SeqR) highight the difference between U 1 U 2 and U 1 ;U 2 : (UR-ParR) aows a resource of usage U 1 U 2 to be accessed according to U 2 without any condition, whie (UR-SeqR) requires U, which specifies that U 1 does not contain any obigation to access the resource immediatey, in order for

14 14 A. Igarashi and N. Kobayashi. void(u): void(0) void(u) void( U) void(u) void( U) void(u) void(u U ) void(u) void(u U) op = or ; or & void(u 1 ) void(u 2 ) void(u 1 op U 2 ) void([µα.u/α]u) void(µα.u) U : U U void(u ) U U : ( U) void(u) U U op = or ; or & U 1 U 2 ([µα.u/α]u) (U U) (U 1 op U 2 ) (µα.u) Fig. 3. Predicates void(u), U, and U a resource of usage U 1 ; U 2 to be accessed according to U 2. As shown in the rues (UR-Box) and (UR-Unbox), the constructors and do not directy affect the transition of a usage. Those constructors affects ony the side condition U 1 in the rue (UR-SeqR). The premise U 1 1 U 1 of the rue (UR-Mut) (actuay 1 is aways the same usage 1 in our type system) impies that a resource of U 1 U 2 can be used according to U 2 (U 1 U 2 ) (reca that (1 1) U 2 intuitivey means U 2 U 2 ). The other premise U 2 2 U 2 means that a resource of U 2 may be used first at 2 and then U 2. So, a resource of usage U 1 U 2, which subsumes U 2 (U 1 U 2 ), may be first used at 2 and then used according to U 2 (U 1 U 2 ), as specified in the concusion of rue (UR-Mut). Rue (UR-PCong) aows eimination of & and expansion of recursive usages to be performed before the reduction. For exampe, we can derive 1 & by: 1 & & Exampe ; 2 has two transition sequences: 1 ; 1 2 0; 2 2 0; 0 and 1 ; ; 0 1 0; 0 but 1 ; 2 has ony the transition sequence: 1 ; 1 2 0; 2 2 0; 0. (Note the righthand premise of rue (UR-SeqR).) ( 1 ; 2 ); 3 has two transition sequences: ( 1 ; 2 ); 1 3 ( 0; 2 ); 2 3 ( 0; 0); 3 3 ( 0; 0); 0 ( 1 ; 2 ); 2 3 ( 1 ; 0); 1 3 ( 0; 0); 3 3 ( 0; 0); 0

15 Resource Usage Anaysis 15 0 U 1 U 1 U 1 U 2 U 1 U 2 U 2 U 2 U 1 U 2 U 1 U 2 U 1 U 1 U 1 ; U 2 U 1 ; U 2 U 2 U 2 U 1 U 1 ; U 2 U 1 ; U 2 (UR-Zero) (UR-ParL) (UR-ParR) (UR-SeqL) (UR-SeqR) U U U U U U U U U 1 1 U 1 U 2 2 U 2 U 1 U 2 2 U 2 (U 1 U 2) U U U U U U (UR-Box) (UR-Unbox) (UR-Mut) (UR-PCong) Fig. 4. Usage Reduction Rues (1; 1) ( 1 ; 2 ) has the foowing transition sequences (For the sake of readabiity, we sha simpy write U for 0; U): (1; 1) ( 1 ; 2 ) 1 2 (1 ( 1 ; 2 )) 2 0 (1 (1 ; 2 )) (0 ( 1 ; 2 )) (0 (1 ; 2 )). (1; 1) ( 1 ; 2 ) 1 2 (1 ( 1 ; 2 )) (0 ( 1 ; 2 )) (0 ( 1 ; 2 )) (0 (1 ; 2 )). So, (1; 1) ( 1 ; 2 ) has the same transition sequences as ( 1 ; 2 ) ( 1 ; 2 ). The set of traces denoted by a usage U, written [[ U ]], is defined as foows. Definition Let U be a usage. [[ U ]] denotes the set: { 1 n U 1,..., U n.(u 1 U 1 U n 1 { 1 n U 1,..., U n.((u Here, n can be 0 (so ɛ [[ U ]] for any U). n 1 U 1 U n 1 Un )} n Un ) U n )} It is trivia by definition that [[ U ]] is a trace set (i.e., prefix-cosed).

16 16 A. Igarashi and N. Kobayashi. Exampe [[ 0 ]] = {ɛ, } [[ µα.α ]] = {ɛ} [[ ( 1 ; 2 ); 3 ]] = { 1 2 3, 1 3 2, } [[ µα.(0 & (; α)) ]] = {,,,,...} We define subusage and subtype reations U 1 U 2 and τ 1 τ 2 beow. Intuitivey, U 1 U 2 means that U 1 represents a more genera usage than U 2, so that a resource of usage U 1 may be used as that of usage U 2. Simiary, τ 1 τ 2 means that a vaue of type τ 1 may be used as a vaue of type τ 2. In order for U 1 U 2 to hod, the condition [[ U 1 ]] [[ U 2 ]] is not sufficient. For exampe, [[ ]] = [[ ]] = {ɛ,, } hods, but shoud not be considered a subusage of : Note that, which says that the resource must be accessed now, expresses a more restrictive usage than, which says that the resource may be accessed at any time. We, therefore, require the subusage reation to be cosed under usage contexts. Formay, a usage context, written C, is an expression obtained from a usage by repacing one occurrence of a free usage variabe with [ ]. Suppose that the set of free usage variabes in U are disjoint from the set of bound usage variabes in C. We write C[U] for the usage obtained by repacing [ ] with U. For exampe, if C = µα.([ ] ; α), then C[U] = µα.(u ; α). Let C = [ ] ;. Then, [[ C[] ]] = {ɛ,,, } and [[ C[ ] ]] = {ɛ,,,,, }, so that usages and can be distinguished. Using the usage contexts, one coud define the subusage reation by: U 1 U 2 if and ony if [[ C[U 1 ] ]] [[ C[U 2 ] ]] for any usage context C. We, however, impose a stronger condition for the convenience of proving type soundness. Definition The subusage reation is the argest binary reation such that for any usages U 1 and U 2, if U 1 U 2, then the foowing conditions are satisfied: (1) C[U 1 ] C[U 2 ] for any usage context C; (2) If U 2 U 2, then U 1 U 1 and U 1 U 2 for some U 1. (3) If U 2, then U 1. Intuitivey, U 1 is a subusage of U 2 if for any context C, every transition step of C[U 1 ] is simuated by a transition of C[U 2 ]. It is trivia that if U 1 U 2 hods, then [[ C[U 1 ] ]] [[ C[U 2 ] ]] hods for any usage context C. We write U 1 = U2 if and ony if U 1 U 2 and U 2 U 1. Some properties of and usage constructors, incuding refexivity, transitivity of, commutativity and associativity of, etc. are shown in Appendix A. Exampe U µα.α hods for any U. U 1 & U 2 U 1 hods for any U 1 and U 2. U = U 0 hods for any U. More aws are given in Appendix A. Exampe does not hod, since 0 hods but does not hod, which vioates the third condition of Definition

17 Resource Usage Anaysis Types Now we introduce the syntax of types. As expained above, we associate both resource types and function types with usages. Definition (Types). The set of types, ranged over by τ, is defined by: τ ::= boo (τ 1 τ 2, U) (R, U) (τ 1 τ 2, U) is the type of a function that is accessed (i.e., caed) according to U. For exampe, (boo boo, 1 1) is the type of a booean function that is caed twice. (R, U) is the type of a resource that is accessed according to U. The outermost usage of τ, written Use(τ), is defined by: Use(boo) = 0, Use(τ 1 τ 2, U) = U, and Use(R, U) = U. We extend the subusage reation to the foowing subtype reation on types. As usua, τ 1 is a subtype of τ 2, written τ 1 τ 2, when a vaue of type τ 1 may be used as a vaue of type τ 2. Definition The subtype reation is the east binary reation on types that satisfies the foowing rues: boo boo U U (τ 1 τ 2, U) (τ 1 τ 2, U ) U U (R, U) (R, U ) (Sub-Boo) (Sub-Fun) (Sub-Res) Remark Actuay, we coud reax the above subtype reation by repacing rue (Sub-Fun) with the foowing rue. τ 1 τ 1 τ 2 τ 2 U U (τ 1 τ 2, U) (τ 1 τ 2, U ) The repacement woud make our type-based anaysis more precise. We did not do so in this paper for the sake of simpicity. 4.3 Type Judgments and Type Environments We consider a type judgment of the form Γ M : τ, where Γ is a type environment, which is a mapping from a finite set of variabes to types. We use meta-variabes Γ and for type environments. We write for the type environment whose domain is empty. When x dom(γ), we write Γ, x : τ for the type environment such that dom( ) = dom(γ) {x}, (x) = τ, and (y) = Γ(y) for y dom(γ). A type environment specifies how the resources pointed to by free variabes shoud be accessed. For exampe, x : (R, R ), y : (R, W ) specifies that the resource x shoud be read once, and y shoud be written once. The type environment x : (R, R ; W ) specifies that the resource x shoud be first read once and then written once. A type judgment Γ M : τ means that the expression M obeys the resource usage specified

18 18 A. Igarashi and N. Kobayashi. by Γ, and evauates to a vaue of type τ. So, x:(r, R ; W ) read R (x); write W (x) : boo is a vaid judgment, but x : (R, R ; W ) write W (x); read R (x) : boo is not. We introduce operations on type environments so that a compex specification of resource usage may be constructed from simper specifications. For exampe, the type environment Γ 1 ; Γ 2, defined beow, specifies that resources shoud be first accessed according to Γ 1 and then according to Γ 2. As expained in Section 1, these operations are usefu for defining typing rues. We aso define reations on type environments. Definition (Operations on Types and Type Environments). Let C be a usage context. Suppose that the set of free usage variabes appearing in τ or Γ is disjoint from the set of bound usage variabes in C. We define C[τ] and C[Γ] by: C[boo] = boo C[(τ 1 τ 2, U)] = (τ 1 τ 2, C[U]) C[(R, U)] = (R, C[U]) dom(c[γ]) = dom(γ) C[Γ](x) = C[Γ(x)] Let op be a binary usage constructor ; or &. It is extended to operations on types and type environments by: boo op boo = boo (τ 1 τ 2, U 1 ) op (τ 1 τ 2, U 2 ) = (τ 1 τ 2, U 1 op U 2 ) (R, U 1 ) op (R, U 2 ) = (R, U 1 op U 2 ) dom(γ 1 op Γ 2 ) = dom(γ 1 ) dom(γ 2 ) Γ 1 (x) op Γ 2 (x) if x dom(γ 1 ) dom(γ 2 ) (Γ 1 op Γ 2 )(x) = Γ 1 (x) op 0 if x dom(γ 1 )\dom(γ 2 ) 0 op Γ 2 (x) if x dom(γ 2 )\dom(γ 1 ). The type environment x Γ is defined by { Γ if x dom(γ) x Γ = Γ, x : (R, U) if Γ = Γ, x : (R, U) Note that if Γ(x) = boo or Γ(x) = (τ 1 τ 2, U), then x Γ is undefined. Exampe Let Γ be x : (R, U) and be x : (R, U ), y : boo. Then, Γ = [Γ] = x : (R, U) = x : (R, U) and Γ; = x : ((R, U); (R, U )), y : (0; boo) = x : (R, U; U ), y : boo. We write Γ 1 Γ 2 when dom(γ 1 ) dom(γ 2 ), Γ 1 (x) Γ 2 (x) for a x dom(γ 2 ), and Use(Γ 1 (x)) 0 for a x dom(γ 1 )\dom(γ 2 ). 4.4 Typing Now we introduce typing rues to define the type judgment reation Γ M : τ. As mentioned in Section 1, an escape anaysis [Banchet 1998; Hannan 1995] is usefu to refine the accuracy of our type-based usage anaysis. To make our type system simpe and carify its essence, we assume that a kind of escape anaysis has been aready performed and that a program is annotated with the resut of the

19 Resource Usage Anaysis 19 c = true or fase c : boo x : τ x : τ (T-Const) (T-Var) [[ U ]] Φ new Φ () : (R, U) (T-New) Γ, f : (τ 1 τ 2, U 1 ), x : τ 1 M : τ 2 α fresh (U 2 µα.(1 (U 1 α))) Γ fun(f, x, M) : (τ 1 τ 2, U 2 ) (T-Fun) Γ 1 M 1 : (τ 1 τ 2, 1) Γ 2 M 2 : τ 1 Γ 1 ; Γ 2 M 1 M 2 : τ 2 (T-App) Γ M : (R, ) Γ acc (M) : boo (T-Acc) Γ 1 M 1 : boo Γ 2 M 2 : τ Γ 3 M 3 : τ Γ 1 ; (Γ 2 & Γ 3 ) if M 1 then M 2 ese M 3 : τ (T-If) Γ 1 M 1 : τ 1 Γ 2, x : τ 1 M 2 : τ 2 Γ 1 ; Γ 2 et x = M 1 in M 2 : τ 2 (T-Let) Γ M : τ xγ M {x} : τ (T-Now) Γ M : τ Γ Γ τ τ Γ M : τ (T-Sub) Fig. 5. Typing Rues escape anaysis. We extend the syntax of terms by introducing a term of the form M {x}, which means that x does not escape from M, in the sense that a resource referred to by x is not contained in (is unreachabe from) the vaue of M. For exampe, (read (x)) {x} is a vaid annotation, but fun(f, y, read (x)) {x} is not. A simpest escape anaysis to check whether M may be annotated as M {x} woud be to compare the type of M and that of x, as in variants of inear type system [Wader 1990; Waker and Watkins 2001]: For exampe if the type of M is boo, x cannot escape from M (in the above sense). Typing rues are shown in Figure 5. The type judgment reation Γ M : τ is the east reation cosed under those rues. In rue (T-Var), the -constructor is appied to the type of x in the type environment, because x is used ony ater, not when x is evauated. In rue (T-New), the concusion means that new Φ () returns a resource that shoud be used according to U. The premise [[ U ]] Φ checks that the usage U

20 20 A. Igarashi and N. Kobayashi. conforms to the programmer s specification Φ about how the resource created here shoud be used. To understand rue (T-Fun) for recursive functions, it woud be hepfu to first consider the case of a non-recursive function λx.m. The rue for non-recursive functions woud be: Γ, x : τ 1 M : τ 2 U Γ λx.m : (τ 1 τ 2, U) (T-Abs) The premise Γ, x:τ 1 M :τ 2 says that, each time the function body M is evauated, a resource pointed to by the forma argument x is accessed according to τ 1 and those pointed to by free variabes in the function λx.m are accessed according to Γ. Whie the vaue of x can vary in each function ca, those of free variabes are determined when the function cosure is created and remain the same during its ife time. So, if the function λx.m is caed according to U, the resources pointed to by free variabes are accessed according to U Γ. (The constructor is necessary since the resources are accessed ony ater when the function is caed.) For exampe, the foowing is a derivation for the case where the function is caed twice: Γ, x : τ 1 M : τ 2 (1 1) Γ( = Γ Γ) λx.m : (τ 1 τ 2, 1 1) In the case of a recursive function, we have to carefuy count how often the function is caed. The type (τ 1 τ 2, U 2 ) in the concusion means that the function is caed according to U 2 from the outside of the function, and the type (τ 1 τ 2, U 1 ) in the premise means that each time the function is caed, it is recursivey caed according to U 1 inside the function. Therefore, the function is, in tota, caed according to: U 2 (1 U 1 (U 1 U 1 ) (U 1 U 1 U 1 ) ) (= U 2 µα.(1 (U 1 α))) (As we have aready discussed, ordering information between different function cas is not very usefu to estimate resource usage, hence rather than ;). Thus, the type environment for the function is (U 2 µα.(1 (U 1 α))) Γ. 4 For exampe, if the function is caed twice from the outside, and if there is no recursive ca, the usage of the function is: (1 1) µα.(1 (0 α)) = 1 1. If the function is caed once from the outside, and if there is zero or one recursive ca, the usage of the function is: 1 µα.(1 ((0 & 1) α)) = µα.(1 (0 & α)), which means that the function may be caed at east once. In rue (T-App), the premises impy that resources are accessed according to Γ 1 and Γ 2 in M 1 and M 2 respectivey. Because M 1 is evauated first, the usage of resources in tota is represented by Γ 1 ; Γ 2. Because the function M 1 is caed, the usage of M 1 must be 1. Simiary, in rue (T-Acc), the usage of M must be because it is accessed at. 5 4 A simiar cacuation is performed in inear type systems [Kobayashi 1999; Igarashi and Kobayashi 2000b; 2000a]. 5 Actuay, because the vaue of acc (M) cannot contain references to resources, it is safe to appy to Γ in the concusion.

21 Resource Usage Anaysis 21 x : (R, 1 ) x : (R, 1 ) (T-Var) x : (R, 1 ) acc 1 (x) : boo (T-Acc) x : (R, 1 ) acc 1(x) {x} : boo (T-Now) x : (R, (T-Sub) 2 ) x : (R, 2 ) (T-Var) x : (R, 1 ) acc 1(x) {x} : boo x : (R, 2 ), y : boo x : (R, 2 ) (T-Sub) (T-Let) x : (R, 1 ; 2 ) et y = acc 1 (x) {x} in x : (R, 2 ) Fig. 6. An Exampe of Type Derivation In rue (T-If), after M 1 is evauated, either M 2 or M 3 is evauated. Thus, the usage of resources in tota is represented by Γ 1 ; (Γ 2 & Γ 3 ). In rue (T-Now), M {x} asserts that x does not escape from M. So, the access represented by Γ(x) shoud happen now, i.e., when M is evauated. The operator x is appied to refect this fact. Exampe A derivation for the type judgment is shown in Figure TYPE SOUNDNESS x : (R, 1 ; 2 ) et y = acc 1 (x) {x} in x : (R, 2 ) The type system in the ast section is sound in the sense that every cosed wetyped expression of type τ where Use(τ) 0 is resource-safe, provided that the escape anaysis is sound. The condition Use(τ) 0 means that resources contained in the resut of the evauation may no onger be accessed. In this section, after stating the type soundness theorem formay in Section 5.1, we prove the theorem using a technique simiar to the one used in Kobayashi s quasi-inear type system [Kobayashi 1999]. We first introduce another operationa semantics to the target anguage the semantics takes into account not ony how but aso where in the expression each resource is used during evauation. This aternative semantics, defined in Section 5.2, is shown to be equivaent to the standard semantics in a certain sense and the type system is shown to be sound with respect to the aternative semantics in Section 5.3. Readers who are not interested in proofs may safey skip Sections Type Soundness Theorem To state the type soundness theorem formay, we first extend the operationa semantics of the target anguage to dea with terms of the form M {x}. The syntax of evauation contexts is extended by: E ::= E {x} We add the foowing reduction rue, which make sure that M {x} reduces ony when the escape anaysis is correct (in other words, if the escape anaysis were wrong, evauation woud get stuck): x FV(v) (H, E[v {x} ]) (H, E[v]) (R-ECheck)