facilitating program verification with dependent types hongwei xi boston university
Post on 20-Dec-2015
218 views
TRANSCRIPT
Facilitating Program Verification with Dependent Types
Hongwei Xi
Boston University
Talk Overview
Motivation Detecting program errors (at compile-time) Detecting more program errors (at compile-time)
Dependently typed programming languages Imperative: Xanadu
Programming examples Current status and future work
A Wish List
We would like to have a programming language that should be simple and general support extensive error checking facilitate proofs of program properties possess correct and efficient implementation ... ...
But …
Reality
Invariably, there are many conflicts among this wish list
These conflicts must be resolved with careful attention paid to the needs of the user
Some Advantages of Types
Capturing errors at compile-time Enabling compiler optimizations Facilitating program verification
Using types to encode program properties and verifying the encoded properties through type-checking
Serving as program documentation Unlike informal comments, types can be fully
trusted after type-checking
Limitations of (Simple) Types
Not general enough Many correct programs cannot be typed For instance, type casts are widely used in C
Not specific enough Many interesting properties cannot be captured For instance, types in Java cannot handle safe
array access
Dependent Types
Dependent types are types that are more refined dependent on the values of expressions
Examples int(i): singleton type containing only integer i <int> array(n): type for integer arrays of size n
Examples of Dependent Types
int(i,j) is defined as [a:int | i < a < j] int(a),that is, the sum of all types int(a) for i < a < j
int[i,j), int(i,j] , int[i,j] are defined similarly nat is defined as
[a:int | a >=0] int(a)
Informal Program Comments
/* the function should not be applied toa negative integer */
int factorial (x: int) { /* defensive programming */ if (x < 0) exit(1); if (x == 0) return 1;
else return (x * factorial (x-1));}
Formalizing Program Comments
{n:nat}
int factorial (x: int(n)) {
if (x == 0) return 1;else return (x * factorial (x-1));
}
Note: factorial (-1) is ill-typed and thus rejected!
Informal Program Comments
/* arrays a and b are of equal size */ double dotprod (double a[], double b[]) { int i; double sum = 0.0; if (a.size != b.size) exit(1); for (i = 0; i < a.size; i = i + 1) { sum = sum + a[i] b[i]; } return sum; }
Formalizing Program Comments
{n:nat}
double dotprod (a: <double> array(n), b: <double> array(n)) {
/* dotprod is assigned the following type:
{n:nat}. (<float> array(n), <float> array(n)) -> float
*/
… … …
}
Xanadu
Xanadu is a dependently typed imperative programming language with C-like syntax
The type of a variable in Xanadu can change during execution
The programmer may need to provide dependent type annotations for type-checking purpose
Dependent Record Types (I)
A polymorphic type for arrays:
{n:nat} <‘a> array(n) { size: int(n); data[n]: ‘a}
Dependent Record Types (II)
A polymorphic type for 2-dimensional arrays:
{m:nat,n:nat} <‘a> array2(m,n) { row: int(m); col: int(n); data[m][n]: ‘a}
Dependent Record Types (III)
A polymorphic type for sparse arrays:
{m:nat,n:nat} <‘a>sparseArray(m,n) { row: int(m); col: int(n); data[m]: <int[0,n) ‘a> list}
A Program in Xanadu
{n:nat} unit init (int vec[n]) { var: int ind, size;; /* arraysize: {n:nat} <‘a> array(n) int(n) */ size = arraysize(vec); invariant: [i:nat] (ind: int(i)) for (ind=0; ind<size; ind=ind+1) { vec[ind] = ind; /* safe array subscripting */ }}
Binary Search in Xanadu
{n:nat}int bs(key: int, vec: <int> array(n)) { var: l: int [0, n], h: int [-1, n); int m, x;; l = 0; h = vec.size - 1; while (l <= h) { m = (l + h) / 2; x = vec.data[m]; if (x < key) { l = m - 1; } else if (x > key) { h = m + 1; } else { return m; } } return –1;}
Dependent Union Types
A polymorphic type for lists:
union <‘a> list with nat = { Nil(0); {n:nat} Cons(n+1) of ‘a <‘a> list(n) }
Nil: <‘a> list(0) Cons:
{n:nat} ‘a <‘a> list(n) <‘a> list(n+1)
Reverse Append on Lists
(‘a) {m:nat,n:nat}<‘a> list(m+n) revApp (xs:<‘a> list(m),ys:<‘a> list(n)) {
var: ‘a x;;invariant: [m1:nat,n1:nat | m1+n1=m+n] (xs:<‘a> list(m1), ys:<‘a> list(n1))while (true) { switch (xs) { case Nil: return ys; case Cons (x, xs): ys = Cons(x, ys); } } exit; /* can never be reached */
}
Constraint Generation
The following constraint is generated when the revApp example is type-checked:
m:nat,n:nat,m1:nat,n1:nat,m1+n1=m+n,a:nat,m1=a+1
implies
a+(n1+1)=m+n
Current Status of Xanadu
A prototype implementation of Xanadu in Objective Caml that performs two-phase type-checking, and generates assembly level code
An interpreter for interpreting assembly level code
A variety of examples athttp://www.cs.bu.edu/~hwxi/Xanadu/Xanadu.html
Conclusion (I)
It is still largely an elusive goal in practice to verify the correctness of a program
It is therefore important to identify those program properties that can be effectively verified for realistic programs
Conclusion (II)
We have designed a type-theoretic approach to capturing simple arithmetic reasoning
The preliminary studies indicate that this approach allows the programmer to capture many more properties in realistic programs while retaining practical type-checking
Future Work
Adding more programming features into Xanadu in particular, OO features
Certifying compilation: constructing a compiler for Xanadu that can translate dependent types from source level into bytecode level
Incorporating dependent types into (a subset of) Java and …
End of the Talk
Thank you!Questions
?