A core calculus for dynamic delta-oriented programming

Abstract

Delta-oriented programming (DOP) is a flexible approach to the implementation of software product lines (SPLs). Delta-oriented SPLs consist of a code base (a set of delta modules encapsulating changes to object-oriented programs) and a product line declaration (providing the connection of the delta modules with the product features). In this paper, we present a core calculus that extends DOP with the capability to switch the implemented product configuration at runtime. A dynamic delta-oriented SPL is a delta-oriented SPL with a dynamic reconfiguration graph that specifies how to switch between different feature configurations. Dynamic DOP supports also (unanticipated) software evolution such that at runtime, the product line declaration, the code base and the dynamic reconfiguration graph can be changed in any (unanticipated) way that preserves the currently running product, which is essential when evolution affects existing features. The type system of our dynamic DOP core calculus ensures that the dynamic reconfigurations lead to type safe products and do not cause runtime type errors.

Appendix: Proof of Theorem 1 (Type Soundness)

In order to be able to formulate the type soundness of IFD\(\Delta \)J by means of a subject-reduction theorem and a progress theorem for the small-step semantics, we need to formulate a type system for runtime expressions. Expressions containing a stupid selection, i.e., a field selection \(\texttt {null}.\texttt {f}\) or a method invocation \(\texttt {null}.\texttt {m}(\cdot \cdot \cdot )\), are not well typed according to the \(\textsc {IFJ}\) source level type system (cf. Fig. 10). However, a runtime expression without stupid selections may reduce to a runtime expression containing a stupid selection. The type system for runtime expressions contains a rule for assigning any type \(\texttt {T}\) to the value \(\texttt {null}\) (so that stupid selection can be typed).

Fig. 15

IFD\(\Delta \)J: Rules for well-formed heap environments

An heap (type) assumption \(\varSigma \) is a mapping from addresses to class names. The empty-heap assumption is denoted by \({\bullet }\). A lazy-heap assumption \(\varTheta \) is either a heap assumption \(\varSigma \) or a partially reconfigured heap assumption of the form

$$\begin{aligned} \varSigma _n :\texttt {R}_n( \varSigma _{n-1} :\texttt {R}_{n-1}( \cdots \varSigma _1 :\texttt {R}_{1}( \varSigma _0)\cdots )) \end{aligned}$$

The head domain of \(\varTheta \) is \(\textit{head-dom}(\varTheta )=\textit{dom}(\varSigma _n)\), the tail domain of \(\varTheta \) is \(\textit{tail-dom}(\varTheta )=\bigcup _{i\in 0..n-1}\textit{dom}(\varSigma _i)\), the full domain of \(\varTheta \) is \(\textit{full-dom}(\varTheta )=\textit{head-dom}(\varTheta )\cup \textit{tail-dom}(\varTheta )\). We say that the lazy-heap assumption is well formed w.r.t. the feature configuration \(\overline{\psi }\) to mean that the judgement \(\Vdash _{\overline{\psi }} \varTheta \) can be derived by the rules in Fig. 15. All the lazy-heap assumptions mentioned in the rest of this paper are well-formed w.r.t. a feature configuration that is either explicitly mentioned or understood from the context. According to rule (WF-HeapEnv), a heap assumption \(\varSigma \) is well formed in the configuration \(\overline{\psi }\) if every class mentioned in \(\varSigma \) is defined in \(\overline{\psi }\). A lazy heap assumption \(\varSigma : \texttt {R}(\varTheta )\) is well formed in the configuration \(\overline{\psi }\) if so is \(\varSigma \) and if \(\varTheta \) is well formed in the target reconfiguration \(\overline{\psi }'\) of \(\texttt {R}\). Additionally, all addresses in \(\textit{dom}(\varSigma )\) that are not in the domain of the topmost heap in \(\varTheta \) must refer to objects created after any other object in \(\varTheta \), and the correspondence between the class of the objects whose address in \(\varSigma \) and the class of the same objects in \(\varTheta \) is given by \(\texttt {R}\).

As reductions may create and reconfigure objects, (lazy) heap assumptions need to be updated accordingly. To this aim, we define the relation \(\Supset \) between lazy heap assumptions inductively as follows:

$$\begin{aligned} \frac{\varSigma \supseteq \varSigma ' }{\varSigma \Supset \varSigma '} \qquad \frac{ \varSigma \supseteq \varSigma '\quad \varTheta \Supset \varTheta ' }{\varSigma : \texttt {R}(\varTheta ) \Supset \varSigma ' : \texttt {R}(\varTheta ')} \end{aligned}$$

Fig. 16

Typing rules for runtime expressions, lazy heaps and states for Imperative Featherweight Dynamic Delta Java (IFD\(\Delta \)J)

Evaluation contexts, which reflect the congruence rules (see Fig. 13), are defined as follows:

$$\begin{aligned} \begin{array}{@{}r@{~}c@{~}l@{}} E&\mathbf{{:}{:}=}&[\,] \;\big \vert \;E.\texttt {f}\;\big \vert \;E.\texttt {m}(\overline{\texttt {e}}) \;\big \vert \;\texttt {v}.\texttt {m}(\overline{\texttt {v}},E,\overline{\texttt {e}}) \;\big \vert \;E.\texttt {f}=\texttt {e}\;\big \vert \;\texttt {v}.\texttt {f}=E\;\big \vert \;\texttt {return}(E) \end{array} \end{aligned}$$

A run-time expression \(\textit{e}\) is well formed w.r.t. a stack \(\overline{\iota }=\iota _1\iota _2\cdots \iota _n\,(n\ge 0)\), written \(\mathbf wf (\overline{\iota },\textit{e})\), if \(\textit{e}\) is of the form

$$\begin{aligned} E_1[ \texttt {return}(E_2[ \texttt {return}(\cdots E_n[\texttt {return}(\textit{e})]\cdots )]) ] \end{aligned}$$

where \(E_1\), ..., \(E_n, \textit{e}\) do not contain occurrences of \(\texttt {return}\).

Typing rules for runtime expressions are shown in Fig. 16; these rules are of the shape \(\varTheta \vdash _{\overline{\psi }}\overline{\iota },\,\textit{e}: \texttt {T}\). In Fig. 16 we also present the notion of well-formed lazy heap and of well-formed state. The notion of well-formed lazy heap ensures that the environment \(\varTheta \) maps all the addresses in the lazy heap into the type of the corresponding object and that for every object stored in the lazy heap, the fields of the object contain appropriate values.

The next lemma states that the \(\textit{olookup}\) function returns an object of the expected type and a new lazy heap that is well typed if so is the original lazy heap. In fact, the statement of the lemma involves a number of auxiliary functions of Fig. 14 as these functions are mutually recursive and therefore it is necessary to prove their correctness collectively. Well-foundedness of these functions (and of the proof of the lemma) is guaranteed by the fact that a lazy heap consists of a finite number of reconfigurations.

Lemma 1

Let (*) \(\varTheta \Vdash _{\overline{\psi }} {\mathscr {L}}\) and suppose \(\vdash \texttt {R}~\mathbf {ok}\) for all clauses \(\texttt {R}\) occurring in \({\mathscr {L}}\). Then:

1. 1.

   if \(\textit{olookup}(\iota ,{\mathscr {L}}) = \mathtt {o},{\mathscr {L}}'\), then there exists \(\varTheta ' \Supset \varTheta \) such that \(\varTheta ' \Vdash _{\overline{\psi }} {\mathscr {L}}'\) and \({\mathscr {L}}'(\iota ) = \mathtt {o}\);

2. 2.

   if \(\textit{oreconf}(\iota ,\texttt {R},{\mathscr {L}}) = \mathtt {o},\mathscr {H},{\mathscr {L}}'\), then there exist \(\varSigma \) and \(\varTheta ' \Supset \varTheta \) such that \(\{ \iota : \texttt {R}(\textit{clookup}(\iota ,\varTheta )) \},\varSigma :\texttt {R}(\varTheta ') \Vdash _{\overline{\psi }} \{\iota \mapsto \mathtt {o}\},\mathscr {H}:\texttt {R}({\mathscr {L}}')\) where \(\texttt {R}= \overline{\psi }' \Rightarrow \overline{\psi } \{ {\cdots } \}\);

3. 3.

   if \(\overline{\psi };\textit{clookup}(\iota ,\varTheta ) \vdash \texttt {A}\,\texttt {y}=\texttt {p} \; {\mathbf {ok}}\) and \(\textit{preeval}(\texttt {p}[\iota /\texttt {this}],{\mathscr {L}}) = \texttt {v}, {\mathscr {L}}'\), then there exists \(\varTheta ' \Supset \varTheta \) such that \(\varTheta ' \vdash _{\overline{\psi }} \texttt {v}: \texttt {D}\) and \(\texttt {D}<:_{\overline{\psi }} \texttt {A}\);

4. 4.

   if \(\overline{\psi }; \textit{clookup}(\iota ,\varTheta ) \vdash \texttt {p}: \texttt {D}\) and \(\textit{preeval}(\texttt {p}[\iota /\texttt {this}],{\mathscr {L}}) = \texttt {v}, {\mathscr {L}}'\), then there exists \(\varTheta ' \Supset \varTheta \) such that \(\varTheta ' \Vdash _{\overline{\psi }} {\mathscr {L}}'\) and \(\varTheta ' \vdash _{\overline{\psi }} \texttt {v}: \texttt {D}'\) and \(\texttt {D}' <:_{\overline{\psi }} \texttt {D}\).

Proof

We prove all items simultaneously, and we proceed by induction on the depth of \({\mathscr {L}}\), where the depth of a lazy heap is the number of reconfigurations that occur in it (an heap \(\mathscr {H}\) has depth 0):

1. 1.

   In the base case it must be \({\mathscr {L}}= \mathscr {H}\) for some \(\mathscr {H}\) and \(\mathtt {o} = \mathscr {H}(\iota )\). We conclude immediately by taking \(\varTheta ' = \mathscr {H}\).

   In the inductive case we have \({\mathscr {L}}= \mathscr {H}:\texttt {R}({\mathscr {L}}_1)\) where \(\texttt {R}= \overline{\psi }' \Rightarrow \overline{\psi } \{ {\cdots } \}\) and we distinguish two subcases. If \(\iota \in \textit{dom}(\mathscr {H})\), then \(\mathtt {o} = \mathscr {H}(\iota )\) and we conclude immediately by taking \(\varTheta ' = \varTheta \). Suppose \(\iota \not \in \textit{dom}(\mathscr {H})\). Then (O1) \(\textit{olookup}(\iota ,{\mathscr {L}}_1) = \_,{\mathscr {L}}_1'\) and (O2) \(\textit{oreconf}(\iota ,\texttt {R},{\mathscr {L}}_1') = \mathtt {o},\mathscr {H}',{\mathscr {L}}_1''\) and \({\mathscr {L}}' = \mathscr {H}\cup \{ \iota \mapsto \mathtt {o} \} \cup \mathscr {H}' : \texttt {R}({\mathscr {L}}_1'')\). From (*) we deduce \(\varTheta = \varSigma : \texttt {R}(\varTheta _1)\) for some \(\varSigma \) and \(\varTheta _1\) such that \(\varTheta _1 \Vdash _{\overline{\psi }'} {\mathscr {L}}_1\). From (O1) and the induction hypothesis we deduce that there exist \(\varTheta _1' \Supset \varTheta _1\) such that \(\varTheta _1' \Vdash _{\overline{\psi }'} {\mathscr {L}}_1'\). From (O2) and item (2) we deduce that there exist \(\varSigma '\) and \(\varTheta _1'' \Supset \varTheta _1'\) such that \(\{ \iota : \texttt {R}(\textit{clookup}(\iota ,\varTheta )) \},\varSigma ':\texttt {R}(\varTheta _1'') \Vdash _{\overline{\psi }} \{\iota \mapsto \mathtt {o}\},\mathscr {H}:\texttt {R}({\mathscr {L}}_1'')\). We conclude by taking \(\varTheta ' = \varSigma \cup \{ \iota : \textit{clookup}(\iota ,\varTheta )) \} \cup \varSigma ' : \texttt {R}(\varTheta _1'')\).

2. 2.

   Follows from item (3) and Lemma 3.

3. 3.

   From (T-PreAssign) we deduce \(\overline{\psi }; \textit{clookup}(\iota ,\varTheta ) \vdash \texttt {p}: \texttt {A}'\) and \(\texttt {A}' <:_{\overline{\psi }} \texttt {A}\). By item (4) we deduce that there exists \(\varTheta ' \Supset \varTheta \) such that \(\varTheta ' \vdash _{\overline{\psi }} \texttt {v}: \texttt {D}\) with \(\texttt {D}<:_{\overline{\psi }} \texttt {A}'\). We conclude by transitivity of \(<:_{\overline{\psi }}\).

4. 4.

   We proceed by induction on the structure of \(\texttt {p}\) and by cases on the rule for \(\textit{preeval}\) applied:

   • (\(\texttt {p}= \texttt {this}\)) Then \(\texttt {v}= \iota \) and we conclude by taking \(\varTheta ' = \varTheta \) and \(\texttt {D}= \texttt {D}' = \textit{clookup}(\iota ,\varTheta )\).

   • (\(\texttt {p}= \texttt {p}'.\texttt {f}\) and \(\textit{preeval}(\texttt {p}'[\iota /\texttt {this}],{\mathscr {L}}) = \texttt {null}, {\mathscr {L}}'\)). Then \(\texttt {v}= \texttt {null}\). By induction hypothesis there exists \(\varTheta ' \Supset \varTheta \) such that \(\varTheta ' \Vdash _{\overline{\psi }} {\mathscr {L}}'\). We conclude by taking \(\texttt {D}' = \texttt {D}\).

   • (\(\texttt {p}= \texttt {p}'.\texttt {f}\) and \(\textit{preeval}(\texttt {p}'[\iota /\texttt {this}],{\mathscr {L}}) = \iota ', {\mathscr {L}}''\) and \(\textit{olookup}(\iota ',{\mathscr {L}}'') = \langle \texttt {C}', \overline{\texttt {f}} = \overline{\texttt {u}}\rangle , {\mathscr {L}}'\)). From rule (T-PreExpField) we deduce \(\overline{\psi }; \textit{clookup}(\iota ,\varTheta ) \vdash \texttt {p}' : \texttt {D}_0\) and \(\texttt {D}\,\texttt {f}\in { fields}_{\overline{\psi }}(\texttt {D}_0)\). By induction hypothesis (on \(\texttt {p}'\)) there exists \(\varTheta '' \Supset \varTheta \) such that \(\varTheta '' \vdash \iota ' : \texttt {D}_0'\) and \(\texttt {D}_0' <:_{\overline{\psi }} \texttt {D}_0\), therefore \(\texttt {D}\,\texttt {f}\in { fields}_{\overline{\psi }}(\texttt {D}_0')\). By induction hypothesis (on the depth of \(\varTheta ''\)) there exists \(\varTheta ' \Supset \varTheta ''\) such that \(\varTheta ' \Vdash _{\overline{\psi }} {\mathscr {L}}'\). From (*) and (WF-Heap) we conclude \(\varTheta ' \vdash _{\overline{\psi }} \texttt {v}: \texttt {D}'\) for some \(\texttt {D}' <:_{\overline{\psi }} \texttt {D}\).

\(\square \)

The next two lemmas prove fundamental properties about the post-reconfiguration clauses. As the code in these clauses can only create objects in the current feature configuration, the lazy heap is unaffected by their execution except for the topmost level.

Lemma 2

Let \(\texttt {R}= \overline{\psi } \Rightarrow \overline{\psi }'\{{\cdots }\}\) and:

1. 1.

   \(\varSigma _1 \vdash \texttt {v}_i : \texttt {C}_i\) and \(\texttt {C}_i <:_{\overline{\psi }} \texttt {A}_i\) for every \(i\in 1..|\overline{\texttt {v}}|\);

2. 2.

   \(\varSigma _2 \vdash \texttt {u}_i : \texttt {D}_i\) and \(\texttt {D}_i <:_{\overline{\psi }'} \texttt {B}_i\) for every \(i\in 1..|\overline{\texttt {u}}|\);

3. 3.

   \(\texttt {R}; \overline{\texttt {y}:\texttt {A}}; \overline{\texttt {z}:\texttt {B}} \vdash \texttt {B}\,\texttt {z}=\texttt {q} \; {\mathbf {ok}}\);

4. 4.

   \(\textit{posteval}(\overline{\psi }',\texttt {q}[\overline{\texttt {v}}/{\overline{\texttt {y}}}][\overline{\texttt {u}}/{\overline{\texttt {z}}}]) = \texttt {u}, \mathscr {H}\).

Then there exists \(\varSigma \) such that:

• \(\texttt {R}(\varSigma _1), \varSigma _2, \varSigma \vdash _{\overline{\psi }'} \mathscr {H}\);

• \(\texttt {R}(\varSigma _1), \varSigma _2, \varSigma \vdash \texttt {u}: \texttt {D}\) and \(\texttt {D}<:_{\overline{\psi }'} \texttt {B}\).

Proof

By cases on the shape of \(\texttt {q}\).

• (\(\texttt {q}= \texttt {null}\)) We conclude by taking \(\varSigma = {\bullet }\) and \(\texttt {D}= \texttt {B}\).

• (\(\texttt {q}= \texttt {y}_i\)) By hypothesis we have \(\varSigma _1 \vdash \texttt {v}_i : \texttt {C}_i\) and \(\texttt {C}_i <:_{\overline{\psi }} \texttt {A}_i\). From (T-PostAssignVar) we deduce \(\texttt {R}(\varSigma _1) \vdash \texttt {v}_i : \texttt {R}(\texttt {C}_i)\) and \(\texttt {R}(\texttt {C}_i) <:_{\overline{\psi }'} \texttt {B}\). We conclude by taking \(\varSigma = {\bullet }\) and \(\texttt {D}= \texttt {R}(\texttt {C}_i)\).

• (\(\texttt {q}= \texttt {new}~\texttt {C}(\texttt {z}_1,\dots ,\texttt {z}_n)\)) Then \(\texttt {u}= \iota \) and \(\mathscr {H}= \{ \iota \mapsto \langle \texttt {C}, \texttt {f}_1 = \texttt {z}_1[\overline{\texttt {u}}/{\overline{\texttt {z}}}],\dots , \texttt {f}_n = \texttt {z}_n[\overline{\texttt {u}}/{\overline{\texttt {z}}}] \rangle \}\). Let \(\varSigma = \{ \iota : \texttt {C}\}\) and \(\texttt {D}= \texttt {C}\) and \(\texttt {D}_1\,\texttt {f}_1,\ldots ,\texttt {D}_n\,\texttt {f}_n = { fields}_{\overline{\psi }'}(\texttt {C})\). From rule (T-PostAssignNew) we have \(\texttt {D}= \texttt {C}<:_{\overline{\psi }'} \texttt {B}\). Also, from the same rule we deduce that for every \(i\in 1..n\) we have \(\texttt {z}_i : \texttt {B}_i \in \overline{\texttt {z}:\texttt {B}}\) and \(\texttt {B}_i <:_{\overline{\psi }'} \texttt {D}_i\). Now \(\texttt {z}_i[\overline{\texttt {u}}/{\overline{\texttt {z}}}] = \texttt {u}_j\) for some \(j\in 1..|\overline{\texttt {u}}|\). By hypothesis we have \(\varSigma _2 \vdash \texttt {u}_j : \texttt {D}_j\) and \(\texttt {D}_j <:_{\overline{\psi }'} \texttt {B}_j\). We conclude \(\texttt {R}(\varSigma _1),\varSigma _2,\varSigma \vdash _{\overline{\psi }'} \mathscr {H}\) by transitivity of \(<:_{\overline{\psi }}\).

\(\square \)

Lemma 3

Let \(\texttt {R}= \overline{\psi } \Rightarrow \overline{\psi }'\{{\cdots }\}\) and:

1. 1.

   \(\varSigma _1 \vdash \texttt {v}_i : \texttt {C}_i\) and \(\texttt {C}_i <:_{\overline{\psi }} \texttt {A}_i\) for every \(i\in 1..|\overline{\texttt {v}}|\);

2. 2.

   \(\varSigma _2 \vdash \texttt {u}_i : \texttt {D}_i\) and \(\texttt {D}_i <:_{\overline{\psi }'} \texttt {B}_i\) for every \(i\in 1..|\overline{\texttt {u}}|\);

3. 3.

   \(\texttt {R}; \overline{\texttt {y}:\texttt {A}}; \overline{\texttt {z}:\texttt {B}} \vdash \overline{\texttt {B}'\,\texttt {z}'=\texttt {q}} \; {\mathbf {ok}}\);

4. 4.

   \(\textit{postassign}(\overline{\psi }',\overline{\texttt {B}'\,\texttt {z}'=\texttt {q}}[\overline{\texttt {v}}/{\overline{\texttt {y}}}][\overline{\texttt {u}}/{\overline{\texttt {z}}}]) = \overline{\texttt {u}}', \mathscr {H}\);

Then there exists \(\varSigma \) such that:

• \(\texttt {R}(\varSigma _1), \varSigma _2, \varSigma \vdash _{\overline{\psi }'} \mathscr {H}\);

• \(\texttt {R}(\varSigma _1), \varSigma _2, \varSigma \vdash \texttt {u}'_i : \texttt {D}_i'\) and \(\texttt {D}_i' <:_{\overline{\psi }'} \texttt {B}'_i\) for every \(i\in 1..|\overline{\texttt {u}}'|\).

Proof

By induction on \(|\overline{\texttt {u}}'|\). If \(|\overline{\texttt {u}}'| = 0\), then \(\mathscr {H}= \emptyset \) and we conclude immediately by taking \(\varSigma = {\bullet }\). Suppose \(|\overline{\texttt {u}}'| > 0\). Then \(\overline{\texttt {B}'\,\texttt {z}'=\texttt {q}} = \texttt {B}'\,\texttt {z}'=\texttt {q}\overline{\texttt {B}''\,\texttt {z}''=\texttt {q}'}\) and \(\overline{\texttt {u}}' = \texttt {u}'\overline{\texttt {u}}''\) where

• \(\textit{posteval}(\overline{\psi }',\texttt {q}'[\overline{\texttt {v}}/{\overline{\texttt {y}}}][\overline{\texttt {u}}/{\overline{\texttt {z}}}]) = \texttt {u}', \mathscr {H}\)

• \(\textit{postassign}(\overline{\psi }',\overline{\texttt {B}''\,\texttt {z}''=\texttt {q}'}[\overline{\texttt {v}}/{\overline{\texttt {y}}}][\overline{\texttt {u}}\texttt {u}'/{\overline{\texttt {z}}}\texttt {z}']) = \overline{\texttt {u}}'', \mathscr {H}'\)

From Lemma 2 we deduce that there exists \(\varSigma '\) such that \(\texttt {R}(\varSigma _1),\varSigma _2,\varSigma ' \vdash _{\overline{\psi }'} \mathscr {H}\) and \(\texttt {R}(\varSigma _1),\varSigma _2,\varSigma ' \vdash \texttt {u}' : \texttt {D}'\) and \(\texttt {D}' <:_{\overline{\psi }'} \texttt {B}'\).

By induction hypothesis we deduce that there exists \(\varSigma ''\) such that \(\texttt {R}(\varSigma _1),\varSigma _2,\varSigma '' \vdash _{\overline{\psi }'} \mathscr {H}'\) and for every \(i\in 1..|\overline{\texttt {u}}''|\) we have \(\texttt {R}(\varSigma _1),\varSigma _2,\varSigma '' \vdash \texttt {u}_i'' : \texttt {D}_i'\) and \(\texttt {D}_i' <:_{\overline{\psi }'} \texttt {B}_i'\).

We conclude by taking \(\varSigma = \varSigma ',\varSigma ''\). \(\square \)

We are now ready to formally state the subject reduction theorem, whose proof relies upon the auxiliary lemmas just presented.

Theorem 2

(Subject reduction) Let \(\varTheta \vdash _{\overline{\psi }}{\mathscr {L}}, \overline{\iota }, \textit{e}: \texttt {T}\) and \(\textit{meth}_{\overline{\psi }}(\texttt {main}, \texttt {Main}) = \texttt {C}_0 \; \texttt {main}()\{\_\}\). Then:

1. 1.

   if \(\overline{\psi }, {\mathscr {L}}, \overline{\iota }, \textit{e} \longrightarrow \overline{\psi }, {\mathscr {L}}', \overline{\iota }', \textit{e}'\), then there exist \(\varTheta ' \Supset \varTheta \) and \(\texttt {T}' <:_{\overline{\psi }} \texttt {T}\) such that \(\varTheta ' \vdash _{\overline{\psi }}{\mathscr {L}}', \overline{\iota }', \textit{e}': \texttt {T}'\).

2. 2.

   if \(\overline{\psi }, {\mathscr {L}}, \overline{\iota }, \textit{e} \Longrightarrow \overline{\psi }', \emptyset :\texttt {R}({\mathscr {L}}), \overline{\iota }, \textit{e}\), then there exists \(\texttt {T}' <:_{\overline{\psi }'} \texttt {C}_0\) such that \({\bullet }: \texttt {R}(\varTheta ) \vdash _{\overline{\psi }'} (\emptyset : \texttt {R}({\mathscr {L}})), \overline{\iota }, \textit{e} : \texttt {T}'\).

Proof

The proof of item (1) is almost standard, the only notable exception being the fact that heap is accessed through the auxiliary function \(\textit{olookup}(\_,\_)\) which may trigger object reconfiguration. Lemma 1 guarantees that the object returned by \(\textit{olookup}(\_,\_)\) has the right type and that the new heap is still well formed in the current configuration. Item (2) is obvious, since the new heap environment is updated according to the structure of the new heap and the \(\mathbf {Enabled}\) predicate guarantees that the runtime expression \(\textit{e}\) is still well typed in the new configuration. \(\square \)

The progress theorem and its proof are standard.

Theorem 3

(Progress) Let \(\varTheta \vdash _{\overline{\psi }}{\mathscr {L}}, \overline{\iota }, \textit{e}: \texttt {T}\) and . Then:

1. 1.

   either \(\textit{e}\) is a value, or

2. 2.

   for some evaluation context \(E\) we can express \(\textit{e}\) as

   1. (a)

      \(E[\texttt {null}.\texttt {f}]\) for some \(\texttt {f}\), or

   2. (b)

      \(E[\texttt {null}.\texttt {f}= \texttt {v}]\) for some \(\texttt {f}\) and \(\texttt {v}\), or

   3. (c)

      \(E[\texttt {null}.\texttt {m}(\overline{\texttt {v}})]\) for some \(\texttt {m}\) and \(\overline{\texttt {v}}\).

We conclude with type soundness, which is a straightforward corollary of subject reduction and progress.

Proof of Theorem 1

(Type Soundness) Immediate by Theorems 2 and 3. \(\square \)