Rely-Guarantee References for Refinement Types

Reasoning about side effects and aliasing is the heart of verifyingimperative programs. Unrestricted side effects through one refer-ence can invalidate assumptions about an alias. We present a newtype system approach to reasoning about safe assumptions in thepresence of aliasing and side effects, unifying ideas from referenceimmutability type systems and rely-guarantee program logics. Ourapproach, rely-guarantee references, treats multiple references toshared objects similarly to multiple threads in rely-guarantee pro-gram logics. We propose statically associating rely and guaranteeconditions with individual references to shared objects. Multiplealiases to a given object may coexist only if the guarantee conditionof each alias implies the rely condition for all other aliases. Wedemonstrate that existing reference immutability type systems arespecial cases of rely-guarantee references.In addition to allowing precise control over state modification,rely-guarantee references allow types to depend on mutable datawhile still permitting flexible aliasing. Dependent types whosedenotation is stable over the actions of the rely and guaranteeconditions for a reference and its data will not be invalidated byany action through any alias. We demonstrate this with refinement(subset) types that may depend on mutable data. As a specialcase, we derive the first reference immutability type system withdependent types over immutable data.We show soundness for our approach and describe experienceusing rely-guarantee references in a dependently-typed monadicDSL in COQ.