Compositional type checking of delta-oriented software product lines

Abstract

Delta-oriented programming is a compositional approach to flexibly implementing software product lines. A product line is represented by a code base and a product line declaration. The code base consists of a set of delta modules specifying modifications to object-oriented programs. A particular product in a delta-oriented product line is generated by applying the modifications contained in the suitable delta modules to the empty program. The product-line declaration provides the connection of the delta modules with the product features. This separation increases the reusability of delta modules. In this paper, we provide a foundation for compositional type checking of delta-oriented product lines of Java programs by presenting a minimal core calculus for delta-oriented programming. The calculus is equipped with a constraint-based type system that allows analyzing each delta module in isolation, such that the results of the analysis can be reused. By relying only on the analysis results for the delta modules and on the product line declaration, it is possible to establish whether all the products of the product line are well typed according to the fragment of the Java type system modeled by the calculus.

Appendices

Appendix A: IFJ reduction and type soundness

The length of a sequence \({\bar{{\mathtt{e}}}}{}\) is denoted by \(\#({{\bar{{\mathtt{e}}}}})\).

1.1 A.1 IFJ reduction

In order to properly model imperative features of IFJ, we introduce the concepts of address and heap. Addresses, ranged over by the metavariable \(\iota \), are the elements of the denumerable set \(\mathbf{{I}}\). Values, ranged over by the metavariable \({\mathtt{v}}\) are either addresses or \({\mathtt{null}}\). Objects are denoted by \({\langle \mathtt{{C}}, {{\bar{{\mathtt{f}}}} = {\overline{{\mathtt{v}}}}}\rangle }\), where \(\mathtt{{C}}\) is the class of the object, \({\bar{{\mathtt{f}}}}\) are the name of the fields and \(\bar{{\mathtt{v}}}\) are the values of the fields. A heap \({\fancyscript{H}}\) is a mapping from addresses to objects. The empty heap will be denoted by \(\emptyset \). Runtime expressions are obtained from expressions by replacing all the variables (including \({\mathtt{this}}\)) by addresses. We will use \({ e}\) to denote runtime expressions.

The states of a computation are represented by means of configurations. A configuration is a pair consisting of a heap and a runtime expression, written \({{\fancyscript{H}}, { e}}\). The reduction relation has the form \({{\fancyscript{H}}, { e}}\longrightarrow {{\fancyscript{H}}^{\prime }, { e}^{\prime }}\), to read “the configuration \({{\fancyscript{H}}, { e}}\) reduces to the configuration \({{\fancyscript{H}}^{\prime }, { e}^{\prime }}\) in one step”. The initial configuration associated to a program \({\mathtt{CT}}\) is \(\emptyset ,{\mathtt{e}}\) (where \({\mathtt{e}}\) is the body of method main of class Main).

The reduction rules shown in Fig. 14, using the standard notions of computation rules and congruence rules, ensure that the computation is carried on according to a call-by-value reduction strategy.

Fig. 14

IFJ: operational semantics

The operational semantics uses the auxiliary functions mbody and fields, which are defined in Fig. 15.

Fig. 15

IFJ: auxiliary functions

1.2 A.2 IFJ type soundness

In order to be able to formulate the type soundness of \({\text{ IFJ}}\) as a subject reduction theorem and a progress theorem for the small-step semantics, we need to formulate a type system for runtime expressions. Expressions containing either a stupid cast (a notion introduced in [26]), i.e., a cast where the subject and the target are unrelated, or a stupid selection, i.e., a field selection \({\mathtt{null}}.{\mathtt{f}}\) or a method invocation \({\mathtt{null}}.{\mathtt{m}}(\cdot \cdot \cdot )\), are not well typed according to the \({\text{ IFJ}}\) (source level) type system. However, a runtime expression without stupid casts and stupid selections may reduce to a runtime expression containing either a stupid cast or a stupid selection. The type system for runtime expressions contains a rule for typing stupid casts, and a rule for assigning any type \(\mathtt{T}\) to the value \({\mathtt{null}}\) (so that stupid selection can be typed).

Typing rules for runtime expressions are shown in Fig. 16; these rules use the environment \({\varSigma }\), which is a finite (possibly empty) mapping from addresses to class names, and they are of the form \({{\varSigma } {\vdash ^{\prime }}{ e}: \mathtt{T}}\). In Fig. 16 we also present the notion of well-formed heap and of well-formed configuration. The notion of well-formed heap ensures that the environment \({\varSigma }\) maps all the addresses in the heap into the type of the corresponding object and that for every object stored in the heap, the fields of the object contain appropriate values.

Fig. 16

IFJ: typing rules for runtime expressions and heaps

Type soundness can be proved by using the standard technique of subject reduction and progress theorems.

Lemma 1

If \(aType {\mathtt{{C}}_0}{{\mathtt{m}}} = {\bar{{\mathtt{D}}}}\rightarrow \mathtt{D}\) and \({\textit{mbody}}(\mathtt{{C}}_0, {\mathtt{m}})={({\bar{{\mathtt{x}}}}, {\mathtt{e}})}\) then for some \(\mathtt{D}_0\) and some \({\mathtt{T}}\,<:\,{\mathtt{D}}\) we have \({\mathtt{{C}}_0}\, <: \,{\mathtt{D}_0}\) and \({\mathtt{this}}:\mathtt{D}_0,\,{\bar{{\mathtt{x}}}}:{\bar{{\mathtt{D}}}} \vdash {\mathtt{e}}: \mathtt{T}\).

Proof

By straightforward induction on the derivation of \({\textit{mbody}}(\mathtt{{C}}_0,{\mathtt{m}})\), that is, on \({ aDef} ({\mathtt{{C}}_0})({{\mathtt{m}}})\).

Lemma 2

( Substitution) If

1. 1.

   \({{\varSigma } {\vdash ^{\prime }}\iota .{\mathtt{m}}({\overline{{\mathtt{v}}}}): \mathtt{D}}\) where \({\varSigma }(\iota )=\mathtt{{C}}_0\) for some \({\varSigma }\), \(\mathtt{{C}}_0\) and \(\mathtt{D}\),

2. 2.

   \({ aType}(\mathtt{{C}}_0)({\mathtt{m}}) = {\bar{{\mathtt{A}}}}\rightarrow \mathtt{D}\), and

3. 3.

   \({\textit{mbody}}(\mathtt{{C}}_0, {\mathtt{m}})={({\bar{{\mathtt{x}}}}, {\mathtt{e}})}\),

then for some \({\mathtt{{C}}^{\prime }}\, <: \,{\mathtt{D}}\) we have \({{\varSigma } {\vdash ^{\prime }}{[{{\bar{{\mathtt{x}}}}} \leftarrow {{\overline{{\mathtt{v}}}}}, {{\mathtt{this}}} \leftarrow {\iota }]{\mathtt{e}}}: \mathtt{{C}}^{\prime }}\).

Proof

By hypothesis 1. and 2. and by Lemma 1, for some \(\mathtt{{C}}\) and some \({\mathtt{T}}\, <: \,{\mathtt{D}}\), we have \({\mathtt{{C}}_0}\, <: \,{\mathtt{{C}}}\) and \({\mathtt{this}}:\mathtt{{C}},\,{\bar{{\mathtt{x}}}}:{\bar{{\mathtt{A}}}} \vdash {\mathtt{e}}: \mathtt{T}\).

The proof then proceeds by structural induction on the derivation of \({\mathtt{this}}:\mathtt{{C}},\,{\bar{{\mathtt{x}}}}:{\bar{{\mathtt{A}}}} \vdash {\mathtt{e}}: \mathtt{T}\). We present only a few interesting cases (the cases for casts are the same as in FJ, in particular, for (\({{\textsc {T-DCast}}}\)) we can use (\({{\textsc {RT-SCast}}}\))). Note that, by rule \(({{\textsc {RT-Invk}}}), {{\varSigma } {\vdash ^{\prime }}{\overline{{\mathtt{v}}}}: {\bar{{\mathtt{C}}}}}\) for some \({\bar{{\mathtt{C}}}}\) such that \({{\bar{{\mathtt{C}}}}}\, <: \,{{\bar{{\mathtt{A}}}}}\) (in particular, \(\mathtt{{C}}_i={\mathtt{A}}_i\) when \({\mathtt{v}}_i={\mathtt{null}}\) by rule (\({{\textsc {RT-Null}}}\))).

• Case (\({{\textsc {T-Var}}}\)) In this case \({\mathtt{e}}= {\mathtt{x}}_i\) for some \({\mathtt{x}}_i \in {\bar{{\mathtt{x}}}}\); \({[{{\bar{{\mathtt{x}}}}} \leftarrow {{\overline{{\mathtt{v}}}}}, {{\mathtt{this}}} \leftarrow {\iota }]{\mathtt{x}}_i} = {\mathtt{v}}_i\) and \({{\varSigma } {\vdash ^{\prime }}{\mathtt{v}}_i: \mathtt{{C}}_i}\) for some \(\mathtt{{C}}_i\) such that \({\mathtt{{C}}_i}\, <: \,{{\mathtt{A}}_i}\); letting \(\mathtt{{C}}_i = \mathtt{{C}}^{\prime }\) finishes the case.

• Case (\({{\textsc {T-Field}}}\)) In this case \({\mathtt{e}}= {\mathtt{e}}^{\prime }.{\mathtt{f}}\). By rule (\({{\textsc {T-Field}}}\)) we have \({\mathtt{this}}:\mathtt{{C}},\,{\bar{{\mathtt{x}}}}:{\bar{{\mathtt{A}}}} \vdash {\mathtt{e}}^{\prime }: \mathtt{{C}}^{\prime }\) and \({ aType}(\mathtt{{C}}^{\prime })({\mathtt{f}})={\mathtt{A}}\). By the induction hypothesis, \({{\varSigma } {\vdash ^{\prime }}{[{{\bar{{\mathtt{x}}}}} \leftarrow {{\overline{{\mathtt{v}}}}}, {{\mathtt{this}}} \leftarrow {\iota }]{\mathtt{e}}^{\prime }}: \mathtt{{C}}^{\prime \prime }}\) for some \({\mathtt{{C}}^{\prime \prime }}\, <: \,{\mathtt{{C}}^{\prime }}\). The thesis follows from \({ aType}(\mathtt{{C}}^{\prime \prime })({\mathtt{f}})={ aType}(\mathtt{{C}}^{\prime })({\mathtt{f}})={\mathtt{A}}\).

• Case (\({{\textsc {T-Invk}}}\)) In this case \({\mathtt{e}}= {\mathtt{e}}^{\prime }.{\mathtt{m}}({\bar{{\mathtt{e}}}})\). Similar to the previous case, using the induction hypothesis on \({\mathtt{e}}^{\prime }\) and \({\bar{{\mathtt{e}}}}\), and using the fact that \({ aType}(\mathtt{{C}}^{\prime \prime })({\mathtt{m}})={ aType}(\mathtt{{C}}^{\prime })({\mathtt{m}})\) if \({\mathtt{{C}}^{\prime \prime }}\, <: \,{\mathtt{{C}}^{\prime }}\).

• Case (\({{\textsc {T-Assig}}}\)) In this case \({\mathtt{e}}\) is of the form \({\mathtt{e}}_0.{\mathtt{f}}= {\mathtt{e}}_1\). By (\({{\textsc {T-Assig}}}\)) we have \({\mathtt{this}}:\mathtt{{C}},\,{\bar{{\mathtt{x}}}}:{\bar{{\mathtt{A}}}} \vdash {\mathtt{e}}_0.{\mathtt{f}}: {\mathtt{A}}\), \({\mathtt{this}}:\mathtt{{C}},\,{\bar{{\mathtt{x}}}}:{\bar{{\mathtt{A}}}} \vdash {\mathtt{e}}_1: \mathtt{T}_1\) for some \({\mathtt{T}_1}\, <: \,{{\mathtt{A}}}\). The thesis follows from the induction hypothesis and the transitivity of \(\, <: \,\).

Lemma 3

(Weakening)  If \({{\varSigma } {\vdash ^{\prime }}{ e}: \mathtt{T}}\) then \({\varSigma }, \iota : \mathtt{{C}}{\vdash ^{\prime }}{{ e}}:{\mathtt{T}}\).

Proof

Straightforward induction on the derivation of \({{\varSigma } {\vdash ^{\prime }}{ e}: \mathtt{T}}\).

Theorem 3

(Subject reduction) If \({{\varSigma } \Vdash {\fancyscript{H}}}, {{\varSigma } {\vdash ^{\prime }}{ e}: \mathtt{T}}\) and \({{\fancyscript{H}}, { e}}\longrightarrow {{\fancyscript{H}}^{\prime }, { e}^{\prime }}\) then there exists \({\varSigma }^{\prime } \supseteq {\varSigma }\) such that \({{\varSigma }^{\prime } \Vdash {\fancyscript{H}}^{\prime }}, {{\varSigma }^{\prime } {\vdash ^{\prime }}{ e}^{\prime }: \mathtt{T}^{\prime }}\) for some \({\mathtt{T}^{\prime }}\, <: \,{\mathtt{T}}\).

Proof

The proof is by induction on a derivation of \({{\fancyscript{H}}, { e}}\longrightarrow {{\fancyscript{H}}^{\prime }, { e}^{\prime }}\), with a case analysis on the reduction rule used. We show only the most interesting cases for computation rules; for congruence rules simply use the induction hypothesis (using Lemma 3).

• Case (\({{\textsc {R-Field}}}\)) The last applied rule is \({{{\fancyscript{H}}, \iota .{\mathtt{f}}_i} \longrightarrow {{\fancyscript{H}}, {\mathtt{v}}_i}}\) where \({\fancyscript{H}}(\iota ) = {\langle \mathtt{{C}}, {{\bar{{\mathtt{f}}}} = {\overline{{\mathtt{v}}}}}\rangle }\). By hypothesis \({{\varSigma } {\vdash ^{\prime }}\iota .{\mathtt{f}}_i: \mathtt{T}_i}\). and by (\({{\textsc {WF-Heap}}}\)) we have \({{\varSigma } {\vdash ^{\prime }}{\mathtt{v}}_i: \mathtt{T}^{\prime }_i}\) for some \({\mathtt{T}^{\prime }_i}\, <: \,{\mathtt{{C}}_i}\). Thus we have the thesis.

• Case (\({{\textsc {R-Invk}}}\)) The last applied rule is \(\frac{{\fancyscript{H}}(\iota ) = {\langle \mathtt{{C}}, {{\bar{{\mathtt{f}}}} = {\overline{{\mathtt{v}}}}}\rangle }\, {\textit{mbody}}({\mathtt{m}}, \mathtt{{C}}) = {({\bar{{\mathtt{x}}}}, {\mathtt{e}}_0)}}{{{\fancyscript{H}}, \iota .{\mathtt{m}}({\overline{{\mathtt{v}}}})}\, \longrightarrow \, {{\fancyscript{H}}, {[{{\bar{{\mathtt{x}}}}\,} \leftarrow {\,{\overline{{\mathtt{v}}}}}, {{\mathtt{this}}\,} \leftarrow {\,\iota }]{\mathtt{e}}_0}}} \) By hypothesis \({{\varSigma } {\vdash ^{\prime }}\iota .{\mathtt{m}}({\overline{{\mathtt{v}}}}): \mathtt{T}}\). Since the last applied typing rule must be (\({{\textsc {RT-Invk}}}\)), we have \(\mathtt{T}={\mathtt{B}}\) for some \({\mathtt{B}}\). Then the thesis follows by applying Lemma 2.

• Case (\({{\textsc {R-New}}}\)) Let \({\varSigma }^{\prime } = {\varSigma }\cup \{\iota : \mathtt{{C}}\}\). By hypothesis \({{\varSigma } \Vdash {\fancyscript{H}}}\), and by applying (\({{\textsc {WF-Heap}}}\)) we also have \({{\varSigma }^{\prime } \Vdash {\fancyscript{H}} \cup \{ \iota \mapsto {\mathtt{{C}}}, {{\bar{{\mathtt{f}}}}}={{\mathtt{null}}} \}}. {{\varSigma }^{\prime } {\vdash ^{\prime }}\iota : \mathtt{{C}}}\) follows from (\({{\textsc {RT-Addr}}}\)).

• Case (\({{\textsc {R-Assign}}}\)) By rule \(({{\textsc {RT-Assign}}})\) we have that \({{\varSigma } {\vdash ^{\prime }}{\mathtt{v}}: \mathtt{T}^{\prime }}\) and \({\mathtt{T}^{\prime }}\, <: \,{\mathtt{T}}\) for some \(\mathtt{T}^{\prime }\). By hypothesis \({{\varSigma } \Vdash {\fancyscript{H}}}\), and by applying (\({{\textsc {WF-Heap}}}\)) we also have \({{\varSigma } \Vdash {\fancyscript{H}} [ {\fancyscript{H}}(\iota ) \mapsto {\langle \mathtt{{C}}, \ldots , {{\mathtt{f}}_i}={{\mathtt{v}}} , \ldots \rangle } ]}\).

Lemma 4

Let \({{\fancyscript{H}}, { e}}{}\) be a well-typed configuration.

1. 1.

   If \({ e}=\iota .{\mathtt{f}}\) then \({\fancyscript{H}}(\iota )= \langle {\mathtt{C}}, \cdot \cdot \cdot \rangle \) with \({ aType}(\mathtt{{C}})({\mathtt{f}})={\mathtt{A}}\) for some class name \({\mathtt{A}}\).

2. 2.

   If \({ e}=\iota .{\mathtt{m}}(\bar{e})\) then \({\fancyscript{H}}(\iota )= \langle {\mathtt{C}}, \cdot \cdot \cdot \rangle \) with \({ aType}(\mathtt{{C}})(m)={\bar{{\mathtt{A}}}}\rightarrow {\mathtt{B}}\) and \(\sharp ({\bar{{\mathtt{A}}}})=\sharp (\bar{e})\).

Proof

Straightforward.

In order to formulate in a compact way the statement of the progress theorem we introduce the notion of evaluation context for IFJ runtime expressions. The set of evaluation context for IFJ runtime expressions is defined as follows:

$$\begin{aligned} { E}\;\;\; \text{::=} \;\;\; [\,] \;\; \bigr |\;\; { E}.{\mathtt{f}}\;\; \bigr |\;\; { E}.{\mathtt{m}}({\bar{{\mathtt{e}}}}) \;\; \bigr |\;\; {\mathtt{v}}.{\mathtt{m}}(\bar{{\mathtt{v}}},{ E}.{\bar{{\mathtt{e}}}}) \;\; \bigr |\;\; (\mathtt{{C}}){ E}\;\; \bigr |\;\; {\mathtt{v}}.{\mathtt{f}}={ E}\end{aligned}$$

Theorem 4

(Progress) Let \({{\fancyscript{H}}, { e}}{}\) be a well-typed normal form. Then

1. 1.

   either \({ e}\) is a value, or

2. 2.

   for some evaluation context \({ E}\) we can express \({ e}\) as

   1. (a)

      either E \([({\mathtt{A}})\iota ]\) such that \({\fancyscript{H}}(\iota )= \langle {\mathtt{B}}, \cdot \cdot \cdot \rangle \) with \({\mathtt{B}}\not <: {\mathtt{A}}\), or

   2. (b)

      E \([{\mathtt{null}}.{\mathtt{f}}]\) for some \({\mathtt{f}}\), or

   3. (c)

      E \([{\mathtt{null}}.{\mathtt{m}}(\bar{{\mathtt{v}}})]\) for some \({\mathtt{m}}\) and \(\bar{{\mathtt{v}}}\), or

   4. (d)

      E \([{\mathtt{null}}.{\mathtt{f}}={\mathtt{v}}]\) for some \({\mathtt{f}}\) and \({\mathtt{v}}\).

Proof

Straightforward induction on typing derivations using Lemma 4.

Lemma 5

If \(\bullet \vdash {\mathtt{e}}: \mathtt{T}\) then \({\bullet {\vdash ^{\prime }}{\mathtt{e}}: \mathtt{T}}\).

Proof

Straightforward induction on typing derivations.

Theorem 5

(Type Soundness) If \(\vdash {\mathtt{CT}} \, {\text{ OK}}\), \({\mathtt{CT}}(\mathtt{Main})=\mathtt{\mathtt{class}}\;\mathtt{Main}\; \{\;\mathtt{C}\;\mathtt{main()} \;\{\;{\mathtt{return}}\;{\mathtt{e}};\;\}\;\}\), \(\bullet \vdash {\mathtt{e}}: \mathtt{T}\) and \({\emptyset , { e}} \longrightarrow ^{\star }{\fancyscript{H}},{\mathtt{e}}^{\prime }\) with \({{\fancyscript{H}}, { e}^{\prime }}\) a normal form. Then \({ e}^{\prime }\) is

1. 1.

   either \({\mathtt{null}}\),

2. 2.

   or an address \(\iota \) such that \({\fancyscript{H}}(\iota )= \langle \mathtt{{C}}, \cdot \cdot \cdot \rangle \) with \({\mathtt{{C}}}\, <: \,{\mathtt{T}}\),

3. 3.

   or an expression containing \(({\mathtt{A}})\iota \) such that \({\fancyscript{H}}(\iota )= \langle {\mathtt{B}}, \cdot \cdot \cdot \rangle \) with \({\mathtt{B}}\not <: {\mathtt{A}}\),

4. 4.

   or an expression containing either \({\mathtt{null}}.{\mathtt{f}}\) or \({\mathtt{null}}.{\mathtt{m}}(\bar{{\mathtt{v}}})\) for some \({\mathtt{f}}\), \({\mathtt{m}}\) and \(\bar{{\mathtt{v}}}\).

Proof

Follows from Lemma 5, Theorems 3 and  4.

Appendix B: Soundness and completeness of IFJ constraint-based typing

Lemma 6

Let \({\mathtt{CT}}\) be a \({\text{ IFJ}}\) program, \(\mathtt{{C}}\in { dom}({\mathtt{CT}})\), \({\mathtt{m}}\in { dom}(\mathtt{{C}})\), \({\mathtt{CST}}={ signature}({{\mathtt{CT}}})\), \({\mathtt{CST}}\) satisfy the sanity conditions for class signature tables, \({\mathtt{CT}}(\mathtt{{C}})({\mathtt{m}})={\mathtt{B}}\;{\mathtt{m}}\;({\bar{{\mathtt{A}}}}\; {\bar{{\mathtt{x}}}})\{{\mathtt{return}}\; {\mathtt{e}}^{\prime };\}\) and \({\mathtt{e}}\) be a subexpression of \({\mathtt{e}}^{\prime }\).

• (Soundness) Let \({\mathtt{this}}:\mathtt{{C}},\,{\bar{{\mathtt{x}}}}:{\bar{{\mathtt{A}}}} \vdash {\mathtt{e}}: \tau \, \vert \, {\fancyscript{E}}\) and \({\mathtt{CST}} \models {\fancyscript{E}}\Rightarrow \mathbf{s }\). Then \({\mathtt{this}}:\mathtt{{C}},\,{\bar{{\mathtt{x}}}}:{\bar{{\mathtt{A}}}} \vdash {\mathtt{e}}: \mathbf{s }(\tau )\).

• (Completeness) Let \({\mathtt{this}}:\mathtt{{C}},\,{\bar{{\mathtt{x}}}}:{\bar{{\mathtt{A}}}} \vdash {\mathtt{e}}: \mathtt{T}\). Then there exist \(\tau \), \({\fancyscript{E}}\) and \(\mathbf{s }\) such that: \({\mathtt{this}}:\mathtt{{C}},\,{\bar{{\mathtt{x}}}}:{\bar{{\mathtt{A}}}} \vdash {\mathtt{e}}: \tau \, \vert \, {\fancyscript{E}}\), \({\mathtt{CST}} \models {\fancyscript{E}}\Rightarrow \mathbf{s }\) and \(\mathbf{s }(\tau )=\mathtt{T}\).

Proof

• (Soundness) By structural induction on the derivations in the constraint-based type system for expressions in Fig. 9, exploiting the rules in Fig. 8. The cases (\({{\textsc {CT-Var}}}\)), (\({{\textsc {CT-Null}}}\)) and (\({{\textsc {CT-New}}}\)) are immediate by rules (\({{\textsc {T-Var}}}\)), (\({{\textsc {T-Null}}}\)) and (\({{\textsc {T-New}}}\)), respectively. For rule (\({{\textsc {CT-New}}}\)) observe that \({\mathtt{CST}} \models \{\mathbf{c lass}({\mathtt{{C}}})\}\) implies \(\mathtt{{C}}\in { dom}({\mathtt{CST}})\). Case (\({{\textsc {CT-Invk}}}\)). Assume \({\mathtt{this}}:\mathtt{{C}},\,{\mathtt{x}}_1:{\mathtt{A}}_1,\ldots ,{\mathtt{x}}_p:{\mathtt{A}}_p \vdash {\mathtt{e}}_0.{\mathtt{m}}({\mathtt{e}}_1,...,{\mathtt{e}}_n): \beta \, \vert \, (\cup _{i\in \{0,\ldots ,n\}}{\fancyscript{E}}_i)\cup {\fancyscript{E}}\) and \({\mathtt{CST}} \models {\fancyscript{E}}\cup (\cup _{i\in \{0,\ldots ,n\}}{\fancyscript{E}}_i)\Rightarrow \mathbf{s }\). From the premises of rule (\({{\textsc {CT-Invk}}}\)) we have that:

  • \(\Gamma \vdash {\mathtt{e}}_0: \eta \, \vert \, {\fancyscript{E}}_0\),

  • \(\Gamma \vdash {\mathtt{e}}_i: \tau _i \, \vert \, {\fancyscript{E}}_i^{\;(i\in 1..n)}\),

  • \(\alpha _1, ...,\alpha _n,\beta \text{ fresh}\), and

  • \({\fancyscript{E}}= \{\mathbf{meth }(\eta ,{\mathtt{m}},\alpha _1\cdots \alpha _n\rightarrow \beta ), \mathbf{subtype }({\tau _1}{\alpha _1}),\ldots ,\mathbf{subtype }({\tau _n}{\alpha _n})\}\).

  Assume (without loss of generality) that for all \(i\not =j\in 0..n\) the set of the type variables in \(\{\tau _i\}\cup {\fancyscript{E}}_i\) and the set of the type variables in \(\{\tau _j\}\cup {\fancyscript{E}}_j\) (with \(\tau _0=\eta \)) are pairwise disjoint. From the rules in Fig. 8 we have that \(\mathbf{s }=\mathbf{s }^{\prime }\circ \mathbf{s }_n\circ \cdots \circ \mathbf{s }_0\) for some \(\mathbf{s }^{\prime },\mathbf{s }_n,\ldots ,\mathbf{s }_0\) such that:

  • \({\mathtt{CST}} \models {\fancyscript{E}}_0\Rightarrow \mathbf{s }_0\) and \(\mathbf{s }_0(\eta )=\mathtt{{C}}_0\), for some \(\mathtt{{C}}_0\),

  • (for all \(i\in 1..n\)) \({\mathtt{CST}} \models {\fancyscript{E}}_i\Rightarrow \mathbf{s }_i\) and \(\mathbf{s }_i(\tau _i)=\mathtt{T}_i\), for some \(\mathtt{T}_i\),

  • \({\mathtt{CST}} \models \mathbf{s }_n\circ \cdots \circ \mathbf{s }_0({\fancyscript{E}})\Rightarrow \mathbf{s }^{\prime }\) where \(\mathbf{s }^{\prime }=[{\mathtt{B}}{\mathtt{A}}_{1}\cdot \cdot \cdot {\mathtt{A}}_{n}/\beta \alpha _{1}\cdot \cdot \cdot \alpha _{n}]\), \({ aType}(\mathtt{{C}}_0)({\mathtt{m}})={\mathtt{A}}_1\cdots {\mathtt{A}}_n\rightarrow {\mathtt{B}}\) and \({\mathtt{T}_i}\, <: \,{{\mathtt{A}}_i}^{\;(i\in 1..n)}\).

  By induction we have that:

  • \(\Gamma \vdash {\mathtt{e}}_0: \mathtt{{C}}_0\),

  • \(\Gamma \vdash {\mathtt{e}}_i: \mathtt{T}_i^{\;(i\in 1..n)}\).

  Then, by rule (\({{\textsc {T-Invk}}}\)), we get \(\Gamma \vdash {\mathtt{e}}_0.{\mathtt{m}}({\mathtt{e}}_1,\ldots ,{\mathtt{e}}_n): {\mathtt{B}}\). The remaing cases (\({{\textsc {T-Field}}}\)), (\({{\textsc {T-Invk}}}\)), (\({{\textsc {T-New}}}\)), (\({{\textsc {T-Assig}}}\)),\(({{\textsc {T-Cast}}})\) are similar to the previous case.

• (Completeness) By structural induction on the derivations in the type system for expressions in Fig. 4, exploiting the rules in Fig. 8.

  • The cases (\({{\textsc {T-Var}}}\)), (\({{\textsc {T-Null}}}\)) and (\({{\textsc {T-New}}}\)) are immediate by rules (\({{\textsc {CT-Var}}}\)), (\({{\textsc {CT-Null}}}\)) and (\({{\textsc {T-New}}}\)), respectively. For rule (\({{\textsc {T-New}}}\)) observe that \(\mathtt{{C}}\in { dom}({\mathtt{CST}})\) implies \({\mathtt{CST}} \models \{\mathbf{c lass}({\mathtt{{C}}})\}\).

  • Case (\({{\textsc {T-Invk}}}\)). Assume \(\Gamma \vdash {\mathtt{e}}_0.{\mathtt{m}}({\mathtt{e}}_1,\ldots ,{\mathtt{e}}_n): {\mathtt{B}}\). From the premises of (\({{\textsc {T-Invk}}}\)) we have that:

  • \(\Gamma \vdash {\mathtt{e}}_0: \mathtt{{C}}_0\),

  • \(\Gamma \vdash {\mathtt{e}}_i: \mathtt{T}_i^{\;(i\in 1..n)}\),

  • \({ aType}(\mathtt{{C}}_0)({\mathtt{m}})={\mathtt{A}}_1\cdots {\mathtt{A}}_n\rightarrow {\mathtt{B}}\), and

  • \({\mathtt{T}_i}\, <: \,{{\mathtt{A}}_i}^{\;(i\in 1..n)}\).

  By induction we have that:

  • \(\Gamma \vdash {\mathtt{e}}_0: \eta \, \vert \, {\fancyscript{E}}_0\) and \({\mathtt{CST}} \models {\fancyscript{E}}_0\Rightarrow \mathbf{s }_0\) with \(\mathbf{s }_0(\eta )=\mathtt{{C}}_0\), and

  • \(\Gamma \vdash {\mathtt{e}}_i: \tau _i \, \vert \, {\fancyscript{E}}_i^{\;(i\in 1..n)}\) and for all \(i\in 1..n\): \({\mathtt{CST}} \models {\fancyscript{E}}_i\Rightarrow \mathbf{s }_i\) with \(\mathbf{s }_i(\tau _i)=\mathtt{T}_i\),

  where, for all \(i\not =j\in 0..n\), the set of the type variables in \(\{\tau _i\}\cup {\fancyscript{E}}_i\) and the set of the type variables in \(\{\tau _j\}\cup {\fancyscript{E}}_j\) (with \(\tau _0=\eta \)) are pairwise disjoint. Consider

  • \(\alpha _1, ...,\alpha _n,\beta \text{ fresh}\), and

  • \({\fancyscript{E}}= \{\mathbf{meth }(\eta ,{\mathtt{m}},\alpha _1\cdots \alpha _n\rightarrow \beta ), \mathbf{subtype }({\tau _1}{\alpha _1}),\ldots ,\mathbf{subtype }({\tau _n}{\alpha _n})\}\).

  From the rules in Fig. 8 we have that:

  • \({\mathtt{CST}} \models \mathbf{s }_n\circ \cdots \circ \mathbf{s }_0({\fancyscript{E}})\Rightarrow \mathbf{s }^{\prime }\) where \(\mathbf{s }^{\prime }=[{\mathtt{B}}{\mathtt{A}}_{1}\cdot \cdot \cdot {\mathtt{A}}_{n}/\beta \alpha _{1}\cdot \cdot \cdot \alpha _{n}]\).

  Then, by rule (\({{\textsc {CT-Invk}}}\)), we get \({\mathtt{this}}:\mathtt{{C}},\,{\mathtt{x}}_1:{\mathtt{A}}_1,\ldots ,{\mathtt{x}}_p:{\mathtt{A}}_p \vdash {\mathtt{e}}_0.{\mathtt{m}}({\mathtt{e}}_1,...,{\mathtt{e}}_n): \beta \, \vert \, (\cup _{i\in \{0,\ldots ,n\}}{\fancyscript{E}}_i)\cup {\fancyscript{E}}\) and \({\mathtt{CST}} \models {\fancyscript{E}}\cup (\cup _{i\in \{0,\ldots ,n\}}{\fancyscript{E}}_i)\Rightarrow \mathbf{s }^{\prime }\circ \mathbf{s }_n\circ \cdots \circ \mathbf{s }_0\). Cases (\({{\textsc {T-Field}}}\)), (\({{\textsc {T-Assig}}}\)), (\({{\textsc {T-UCast}}}\)), (\({{\textsc {T-DCast}}}\)) are similar to the previous case.

Lemma 7

Let \({\mathtt{CT}}\) be a \({\text{ IFJ}}\) program, \(\mathtt{{C}}\in { dom}({\mathtt{CT}})\), \({\mathtt{m}}\in { dom}(\mathtt{{C}})\), \({\mathtt{CST}}={ signature}({{\mathtt{CT}}})\) and \({\mathtt{CST}}\) satisfy the sanity conditions for class signature tables.

• (Soundness) Let \({\mathtt{this}}:\mathtt{{C}} \vdash {\mathtt{CT}}(\mathtt{{C}})({\mathtt{m}}) : {\mathtt{m}} \, \mathbf{w ith} \, {\fancyscript{E}}\) and \({\mathtt{CST}} \models {\fancyscript{E}}\). Then \({\mathtt{this}}:\mathtt{{C}} \vdash {\mathtt{CT}}(\mathtt{{C}})({\mathtt{m}}) \, {\text{ OK}}\).

• (Completeness) Let \({\mathtt{this}}:\mathtt{{C}} \vdash {\mathtt{CT}}(\mathtt{{C}})({\mathtt{m}}) \, {\text{ OK}}\). Then there exists \({\fancyscript{E}}\) such that: \({\mathtt{this}}:\mathtt{{C}} \vdash {\mathtt{CT}}(\mathtt{{C}})({\mathtt{m}}) : {\mathtt{m}} \, \mathbf{w ith} \, {\fancyscript{E}}\) and \({\mathtt{CST}} \models {\fancyscript{E}}\).

Proof

Straightforward by Lemma 6.

Lemma 8

Let \({\mathtt{CT}}\) be a \({\text{ IFJ}}\) program, \(\mathtt{{C}}\in { dom}({\mathtt{CT}})\), \({\mathtt{CST}}={ signature}({{\mathtt{CT}}})\) and \({\mathtt{CST}}\) satisfy the sanity conditions for class signature tables.

• (Soundness) Let \(\vdash {\mathtt{CT}}(\mathtt{{C}}) : \mathtt{{C}} \, \mathbf{w ith} \, {\fancyscript{M}}\) and \({\mathtt{CST}} \models {{\textsc {flat}}}({\fancyscript{M}})\). Then \(\vdash {\mathtt{CT}}(\mathtt{{C}}) \, {\text{ OK}}\).

• (Completeness) Let \(\vdash {\mathtt{CT}}(\mathtt{{C}}) \, {\text{ OK}}\). Then there exists \({\fancyscript{M}}\) such that: \(\vdash {\mathtt{CT}}(\mathtt{{C}}) : \mathtt{{C}} \, \mathbf{w ith} \, {\fancyscript{M}}\) and \({\mathtt{CST}} \models {{\textsc {flat}}}({\fancyscript{M}})\).

Proof

Straightforward by Lemma 7.

Restatement of Theorem 1 (Soundness and completeness of IFJ constraint-based typing) Let \({\mathtt{CT}}\) be a \({\text{ IFJ}}\) program and \({\mathtt{CST}}={ signature}({{\mathtt{CT}}})\).

• (Soundness) Let \({\mathtt{CST}}\) satisfy the sanity conditions for class signature tables, \(\vdash {\mathtt{CT}} : {\fancyscript{C}}\) and \({\mathtt{CST}} \models {{\textsc {flat}}}({\fancyscript{C}})\). Then

  1. 1.

     \(\vdash {\mathtt{CT}} \, {\text{ OK}}\), and

  2. 2.

     if \({{\textsc {flat}}}({\fancyscript{C}})\) is cast-safe with respect to \({\mathtt{CST}}\), then \({\mathtt{CT}}\) is cast-safe.

• (Completeness) Let \(\vdash {\mathtt{CT}} \, {\text{ OK}}\). Then there exists \({\fancyscript{C}}\) such that:

  • \(\vdash {\mathtt{CT}} : {\fancyscript{C}}\) and \({\mathtt{CST}} \models {{\textsc {flat}}}({\fancyscript{C}})\), and

  • if \({\mathtt{CT}}\) is cast-safe, then \({{\textsc {flat}}}({\fancyscript{C}})\) is cast-safe with respect to \({\mathtt{CST}}\).

Proof

• (Soundness)

  1. 1.

     Straightforward by Lemma 8 (Soundness).

  2. 2.

     If \({{\textsc {flat}}}({\fancyscript{C}})\) is cast safe w.r.t. \({\mathtt{CST}}\), then (\({{\textsc {T-DCast}}}\)) is not used.

• (Completeness)

  1. 1.

     Straightforward by Lemma 8 (Completeness).

  2. 2.

     Observe that, if (\({{\textsc {T-DCast}}}\)) is not used, then \({{\textsc {flat}}}({\fancyscript{C}})\) is cast safe w.r.t. \({\mathtt{CST}}\).

Appendix C: soundness and completeness of IF\(\varDelta \)J constraint-based typing

1.1 C.1 Proof of Proposition 2

Lemma 9

For every delta module \(\delta \) and for every class table \({\mathtt{CT}}\) such that \(\delta \) is applicable to \({\mathtt{CT}}\), and for every class \(\mathtt{{C}}\in { dom}(\delta )\cap { dom}({\mathtt{CT}})\) such that \(\vdash \delta (\mathtt{{C}}) : { cco}\) and \(\vdash {\mathtt{CT}}(\mathtt{{C}}) : { cc}\) it holds that

1. 1.

   for every method \({\mathtt{m}}\in { dom}(\delta (\mathtt{{C}}))\cap { dom}({\mathtt{CT}}(\mathtt{{C}}))\) if

   • \({\mathtt{this}}:\mathtt{{C}} \vdash \delta (\mathtt{{C}})({\mathtt{m}}) : \{{ mco}\}\), and

   • \({\mathtt{this}}:\mathtt{{C}} \vdash {\mathtt{CT}}(\mathtt{{C}})({\mathtt{m}}) : {\mathtt{m}} \, \mathbf{w ith} \, {\fancyscript{E}}\),

   then

   1. (a)

      (\(\delta (\mathtt{{C}})({\mathtt{m}}) = {\mathtt{modifies}}\; \cdot \cdot \cdot \) and (\({ mco}={\mathtt{replaces}}\; \cdot \cdot \cdot \) or \({ mco}={\mathtt{wraps}}\; \cdot \cdot \cdot \))) or (\(\delta (\mathtt{{C}})({\mathtt{m}}) = {\mathtt{removes}}\; \cdot \cdot \cdot \) and \({ mco}={\mathtt{removes}}\; \cdot \cdot \cdot \)),

   2. (b)

      \({ mco}={\mathtt{replaces}}\; {\mathtt{m}} \, \mathbf{w ith} \, {\fancyscript{E}}^{\prime }\) implies that

      1. i

         \({\mathtt{this}}:\mathtt{{C}} \vdash {{\textsc {apply}}}_{\delta } ({\delta (\mathtt{{C}})}{{\mathtt{CT}}(\mathtt{{C}})})({\mathtt{m}}) : {\mathtt{m}} \, \mathbf{w ith} \, {\fancyscript{E}}^{\prime }\),

      2. ii

         \({\mathtt{m}}\$\cdots \not \in { dom}({{\textsc {consApply}}}_{\delta }({ cco},{ cc}))\),

   3. (c)

      \({ mco}={\mathtt{wraps}}\; {\mathtt{m}} \, \mathbf{w ith} \, {\fancyscript{E}}^{\prime }\) implies that

      1. i

         \({\mathtt{this}}:\mathtt{{C}} \vdash {{\textsc {apply}}}_{\delta } ({\delta (\mathtt{{C}})}{{\mathtt{CT}}(\mathtt{{C}})}) ({\mathtt{m}}) : {\mathtt{m}} \, \mathbf{w ith} \, {\fancyscript{E}}^{\prime }[{\mathtt{m}}\$\delta /{\mathtt{original}}]\),

      2. ii

         \({\mathtt{this}}:\mathtt{{C}} \vdash {{\textsc {apply}}}_{\delta } ({\delta (\mathtt{{C}})}{{\mathtt{CT}}(\mathtt{{C}})}) ({\mathtt{m}}\$\delta ) : {\mathtt{m}}\$\delta \, \mathbf{w ith} \, {\fancyscript{E}}\) where \({ cc}({\mathtt{m}})={\mathtt{m}} \, \mathbf{w ith} \, {\fancyscript{E}}\),

   4. (d)

      \({ mco}={\mathtt{removes}}\; {\mathtt{m}}\) implies that \({\mathtt{m}}\not \in { dom}({{\textsc {consApply}}}_{\delta }({ cco},{ cc}) )\) and \({\mathtt{m}}\$\cdots \not \in { dom}({{\textsc {consApply}}}_{\delta }({ cco},{ cc}))\);

2. 2.

   for every method \({\mathtt{m}}\in { dom}(\delta (\mathtt{{C}}))-{ dom}{{\mathtt{CT}}(\mathtt{{C}})}\) if

   • \({\mathtt{this}}:\mathtt{{C}} \vdash \delta (\mathtt{{C}})({\mathtt{m}}) : \{{ mco}\}\),

   then

   1. (a)

      \(\delta (\mathtt{{C}})({\mathtt{m}}) = {\mathtt{adds}}\; \cdot \cdot \cdot \) and \({ mco}={\mathtt{adds}}\; \cdot \cdot \cdot \),

   2. (b)

      \({ mco}={\mathtt{adds}}\; {\mathtt{m}} \, \mathbf{w ith} \, {\fancyscript{E}}^{\prime }\) implies \({\mathtt{this}}:\mathtt{{C}} \vdash \) : apply \({({\delta },{{\mathtt{CT}}}) (\mathtt{{C}})({\mathtt{m}})} {{\mathtt{m}} \, \mathbf{w ith} \, {\fancyscript{E}}^{\prime }}\).

Proof

Both points 1 and 2 follow straightforwardly by the definition of apply \(({\delta }{\delta (\mathtt{{C}})}) {{\mathtt{CT}}(\mathtt{{C}})}\) (given in Sect. 5.2) and the definition of \({{\textsc {consApply}}}_{\delta }({ cco},{ cc})\) (given in Sect. 7.2). By observing that rules \(({{\textsc {CT-S-addM}}})\), \(({{\textsc {CT-S-repM}}})\) and \(({{\textsc {CT-S-wraM}}})\) in Fig. 12 rely on rule \(({{\textsc {CT-Method}}})\) in Fig. 9.

Lemma 10

For every delta module \(\delta \) and for every class table \({\mathtt{CT}}\) such that \(\delta \) is applicable to \({\mathtt{CT}}\), \(\vdash {\mathtt{delta}}\;\delta \;\cdots : {\fancyscript{D}}\), and \(\vdash {\mathtt{CT}}: {\fancyscript{C}}\) it holds that

1. 1.

   for every class \(\mathtt{{C}}\in { dom}(\delta )\cap { dom}{{\mathtt{CT}}}\) if

   • \(\vdash \delta (\mathtt{{C}}) : { cco}\), and

   • \(\vdash {\mathtt{CT}}(\mathtt{{C}}) : \mathtt{{C}} \, \mathbf{w ith} \, {\fancyscript{M}}\),

   then

   1. (a)

      (\(\delta (\mathtt{{C}}) = {\mathtt{modifies}}\; \cdot \cdot \cdot \) and \({ cco}={\mathtt{modifies}}\; \cdot \cdot \cdot \)) or (\(\delta (\mathtt{{C}}) = {\mathtt{removes}}\; \cdot \cdot \cdot \) and \({ cco}={\mathtt{removes}}\; \cdot \cdot \cdot \)),

   2. (b)

      \({ cco}={\mathtt{modifies}}\; \mathtt{{C}} \, \mathbf{w ith} \, {\fancyscript{O}}\) implies that \(\vdash {{\textsc {apply}}}_{\delta } ({\delta (\mathtt{{C}})}{{\mathtt{CT}}(\mathtt{{C}})}) : {{\textsc {consApply}}}_{\delta } ({\mathtt{modifies}}\;\mathtt{{C}} \, \mathbf{w ith} \, {\fancyscript{O}},\mathtt{{C}} \, \mathbf{w ith} \, {\fancyscript{M}})\),

   3. (c)

      \({ cco}={\mathtt{removes}}\; \mathtt{{C}}\) implies that \(\mathtt{{C}}\not \in { dom}({{\textsc {consApply}}}_{\delta }({\fancyscript{D}},{\fancyscript{C}}))\);

2. 2.

   for every class \(\mathtt{{C}}\in { dom}(\delta )-{ dom}{{\mathtt{CT}}}\) if

   • \(\vdash \delta (\mathtt{{C}}) : { cco}\)

   then

   1. (a)

      \(\delta (\mathtt{{C}}) = {\mathtt{adds}}\; \cdot \cdot \cdot \) and \({ cco}={\mathtt{adds}}\; \cdot \cdot \cdot \),

   2. (b)

      \({ cco}={\mathtt{adds}}\; { cc}\) implies \(\vdash {\textsc {apply}}({\delta },{{\mathtt{CT}}}) (\mathtt{{C}}) : { cc}\).

Proof

Both points 1 and 2 follow straightforwardly by the definition of \({{\textsc {apply}}}_{\delta } ({\delta (\mathtt{{C}})}{{\mathtt{CT}}(\mathtt{{C}})})\) (given in Sect. 5.2), the definition of \({{\textsc {consApply}}}_{\delta }({ cco},{ cc})\) (given in Sect. 7.2) and Lemma 9. By observing that rule \(({{\textsc {CT-C-addC}}})\) in Fig. 12 relies on rule \(({{\textsc {CT-Class}}})\) in Fig. 9, and rule \(({{\textsc {CT-C-modC}}})\) relies on rules \(({{\textsc {CT-S-addM}}})\), \(({{\textsc {CT-S-repM}}})\) and \(({{\textsc {CT-S-wraM}}})\) in Fig. 12.

Restatement of Proposition 2 For every delta module \(\delta \in { dom}({\mathtt{DMT}})\) and for every class table \({\mathtt{CT}}\) such that \(\delta \) is applicable to \({\mathtt{CT}}\), if \(\vdash {\mathtt{DMT}}(\delta ) : {\fancyscript{D}}\) and \(\vdash {\mathtt{CT}}: {\fancyscript{C}}\), then \( \vdash {\textsc {apply}}({\delta },{{\mathtt{CT}}}): {{\textsc {consApply}}}_{\delta }({\fancyscript{D}},{\fancyscript{C}})\).

Proof

Straightforward by the definition of apply \(({\delta },{{\mathtt{CT}}})\) (given in Sect. 5.2), the definition of \({{\textsc {consApply}}}_{\delta }({\fancyscript{D}},{\fancyscript{C}})\) (given in Sect. 7.2) and Lemma 10. By observing that rule \(({{\textsc {CT-Delta}}})\) in Fig. 12 relies on rules \(({{\textsc {CT-C-addC}}})\) and \(({{\textsc {CT-C-modC}}})\) in Fig. 12.

1.2 C.2: Proof of Theorem 2

Restatement of Theorem 2 (Soundness and completeness of  \({\text{ IF}}\varDelta {\text{ J}}\) constraint-based typing) Let \({\mathtt{L}}\) be a strongly unambiguous \({\text{ IF}}\varDelta {\text{ J}}\) SPL and \({\overline{\psi }}\in {\varPhi }\).

• (Soundness) If \({\mathtt{CST}}_{{{\overline{\psi }}}}\) is defined and satisfies the sanity conditions for class signature tables, \(\vdash {\mathtt{delta}}\;\delta \;\cdots : {\fancyscript{D}}_{\delta }\) for all \(\delta \in {\varDelta }({{\overline{\psi }}})\), and \({\mathtt{CST}}_{{{\overline{\psi }}}} \models {{\textsc {flat}}}({\fancyscript{C}}_{{\overline{\psi }}})\), then:

  1. 1.

     \(\vdash {\mathtt{CT}}_{{{\overline{\psi }}}} \, {\text{ OK}}\), and

  2. 2.

     if \({{\textsc {flat}}}({\fancyscript{C}}_{{\overline{\psi }}})\) is cast-safe with respect to \({\mathtt{CST}}_{{{\overline{\psi }}}}\), then \({\mathtt{CT}}_{{{\overline{\psi }}}}\) is cast-safe.

• (Completeness) Let \(\vdash {\mathtt{CT}}_{{{\overline{\psi }}}} \, {\text{ OK}}\).

  1. 1.

     If for all \(\delta \in {\varDelta }({{\overline{\psi }}})\) there exists \({\fancyscript{D}}_{\delta }\) such that \(\vdash {\mathtt{delta}}\;\delta \;\cdots : {\fancyscript{D}}_{\delta }\), then

     1. (a)

        \({\mathtt{CST}}_{{{\overline{\psi }}}} \models {{\textsc {flat}}}({\fancyscript{C}}_{{\overline{\psi }}})\), and

     2. (b)

        if \({\mathtt{CT}}_{{{\overline{\psi }}}}\) is cast-safe then \({{\textsc {flat}}}({\fancyscript{C}}_{{\overline{\psi }}})\) is cast-safe with respect to \({\mathtt{CST}}_{{{\overline{\psi }}}}\).

  2. 2.

     If there exists \(\delta \in {\varDelta }({{\overline{\psi }}})\) such that \(\delta \) is not \(\vdash \)-typable, then the body of the method-add/modify operation in \(\delta \) that is ill typed is not included in the product \({\mathtt{CT}}_{{{\overline{\psi }}}}\).

Proof

• (Soundness) Immediate by Corollary 2 and Theorem 1(Soundness).

• (Completeness)

  1. 1.

     Immediate by Corollary 2 and Theorem 1(Completeness).

  2. 2.

     If the body of a method-add/modify operation in \(\delta \) is ill typed, then it contains either an occurrence of a variable that is not a formal parameter of the method, or a stupid selection expression. Therefore, the inclusion of a method with a body containing either an occurrence of a variable that is not a formal parameter of the method or a stupid selection expression would contradict the assumption that \(\vdash {\mathtt{CT}}_{{{\overline{\psi }}}} \, {\text{ OK}}\).