You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: blog/_posts/2016-02-17-scaling-dot-soundness.md
+26-18Lines changed: 26 additions & 18 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -50,8 +50,7 @@ categories:
50
50
lazy val p: S = p
51
51
... p.T ...
52
52
53
-
Note that trying to access the lazy value `p` would result in an infinite loop. But using `p` in a type does not force its evaluation, so we might never evaluate `p`. Since `p` is not initialized
54
-
with a `new`, bad bounds for `T` would go undetected.
53
+
Note that trying to access the lazy value `p` would result in an infinite loop. But using `p` in a type does not force its evaluation, so we might never evaluate `p`. Since `p` is not initialized with a `new`, bad bounds for `T` would go undetected.
55
54
56
55
2. The prefix value might be initialized to `null`, as in
57
56
@@ -62,7 +61,7 @@ with a `new`, bad bounds for `T` would go undetected.
62
61
with a `new` so we know nothing about the bounds of `T`.
63
62
64
63
3. The prefix might be a type `T` in a type projection `T # A`, where `T`
65
-
is not associated with a runtime value.
64
+
is not associated with a runtime value.
66
65
67
66
We can in fact construct soundness issues in all of these cases. Look
68
67
at the discussion for issues [#50](https://github.com/lampepfl/dotty/issues/50)
@@ -118,23 +117,32 @@ an exception or `System.exit` call before reaching the initialization
118
117
point of `f`. It's a valid question whether type soundness guarantees
119
118
should extend to this class of "strange" programs. We might want to
120
119
draw the line here and resort to runtime checks or exclude "strange"
121
-
programs from any soundness guarantees we can give.
120
+
programs from any soundness guarantees we can give. The research community
121
+
has coined the term [soundiness](http://soundiness.org/) for
122
+
this kind of approach and has [advocated](http://cacm.acm.org/magazines/2015/2/182650-in-defense-of-soundiness/fulltext) for it.
122
123
123
124
The necessary restrictions on type projection `T # A` are problematic
124
-
because they invalidate a common idiom in type-level programming. To
125
-
ease the transition, we will continue to allow unrestricted type
126
-
projections for a while under a flag, even though they are
127
-
potentially unsound. In the current dotty compiler, that flag is a
128
-
language import `-language:Scala2`, but it could be something
129
-
different for other compilers, e.g. `-unsafe`. Maybe we can find
130
-
rules that are less restrictive than the ones we have now, and are
131
-
still sound. But one aspect should be non-negotiable: Any fundamental
132
-
deviations from the principles laid down by DOT needs to be proven
133
-
mechanically correct just like DOT was. We have achieved a lot with
134
-
the DOT proofs, so we should make sure not to back-slide. And if the
135
-
experience of the past 10 years has taught us one thing, it is that
136
-
the meta theory of type systems has many more surprises in store than
137
-
one might think. That's why mechanical proofs are essential.
125
+
because they invalidate some idioms in type-level programming. For
126
+
instance, the cute trick of making Scala's type system Turing complete
0 commit comments