1 A Dependently Typed Assembly Language Hongwei Xi University of Cincinnati and Robert Harper Carnegie Mellon University
2 Compilation Certification Transfer source-language guarantees to object-languages of interests Eliminate the “closed world” assumption by making the transferred properties independently verifiable Source program e Target code | e | compilation |. ||. |
3 Type-directed compilation e > |e| e: > |e|:| | At target level: Use types to enforce program properties of interests (e.g., memory safety) Use type-checking to verify enforced properties
4 Proof-carrying code (PCC) Both type safety and memory safety are expressed by first-order logic assertions about program variables, and are checked by a verification condition generator (VCG) and a theorem prover Object code is certified by an explicit representation of the proof
5 Typed assembly language ( TAL) Type safety is expressed by type annotations, and is checked by a type-checker Memory safety is ensured by making critical instructions such as array subscripting atomic Object code requires no additional certification
6 DTAL DTAL is designed to allow for more fine- grained control over memory safety, supporting array bound check elimination efficient representation of sum types The design of DTAL draws on ideas from DML as the general framework in particular, the separation of type indices from values, linked by “singleton” types
7 Xanadu Xanadu is an imperative programming language with C/Java-like syntax The type system of Xanadu supports a DML-style dependent types Xanadu is currently used as a source language for generating DTAL code
8 A copy function in Xanadu {m:nat,n:nat | m <= n} unit copy(int src[m], int dst[n]) { var: int i, len;; len = arraysize (src); [a:nat] (i: int(a)) /* loop invariant */ for (i = 0; i < len; i = i + 1) { dst[i] = src[i]; }
9 A copy function in DTAL copy: {m:nat,n:nat | m <= n} [r1: int array(m), r2: int array(n)] arraysize r3, r1 mov r4, 0 loop: {m:nat,n:nat, i:nat | m <= n} [r1: int array(m), r2: int array(n), r3:int(m), r4:int(i)] sub r5, r4, r3 bgte r5, finish load r5, r1(r4) store r2(r4), r5 add r4, r4, 1 jmp loop finish: [] halt
10 Integer Constraint Domain We use a for index variables and i for integers index expressions x, y ::= a | i | x + y | x – y | x * y | x/ y | … index propositions P, Q ::= x y | x >= y | x = y | x <> y | P Q | P Q index sorts ::= int | {a : | P } index variable contexts ::=. | , a: | , P index constraints ::= P | P | a:
11 Limitations Currently, we only handle linear constraints The constraint solver first checks the linearity of each constraint It then uses an approach to integer programming based on the simplex method to solve constraints E.g., a:nat. b:nat. a * b >= 0 is rejected
12 Instructions in DTAL values v ::= i | l | r types ::= | | top | int | array(x) instructions ins ::= aop r1, r2, v | bop r, v | mov r, v | load r1, r2(v) | store r1(v), r2 | newarray[ ] r1, r2, r3 | jmp v | halt | arraysize r1, r2 instruction sequences I ::= jmp v | halt | ins; I
13 Programs in DTAL regfile types R ::= {r 1 : 1,..., r nr : nr } state types ::= state( .R) blocks B ::= .(R, I) label mappings ::= {l 1 : 1,..., l n : n } programs P ::= l 1 :B 1 ;...; l n :B n
14 A typing rule ; ;R |- r2: array(x) ; ;R |- v: int(y) |= 0 <= y < x ; ;R[r1: ] |- I ; ;R |- load r1, r2(v); I
15 Another typing rule ; ;R |- v: state( ’ ’ R’) |- : ’ ; |- : ’ ; ;R |= R’[ ][ ] ; ;R |- jmp v; I
16 Entailment relation (I) H |= hc : means that hc, a constant or a heap address, has type under the heap mapping H The following rule (heap-array) is for typing arrays H (h) = (hc 1,..., hc n ) H |= hc 1 : H |= hc n : H |= h : array(n)
17 Entailment relation (II) We use R for register file The entailment relation ( H,R ) |= R means that for each register r i, H |= R (i): R(i)
18 A potential problem H (h) = (0, 0), R (1) = R (2) = h R(1) = int array(2), R(2) = nat array(2) Note that ( H, R ) |= R If we now store a negative integer into the array pointed by r 1, then the type of r 2 is invalidated
19 Regularity condition A derivation of ( H, R ) |= R is regular if each heap address is associated with at most one type, and whenever the rule (heap-array) is applied, the type must equal the type associated with h Regular derivations are preserved under execution
20 Soundness Theorem Let P = (l 1 :B 1 ;...; l n :B n ) and = (P). Assume |- P[well-typed] is derivable. Then the execution of P either terminates normally or continues forever.
21 Extension with sum types choose(i; 0,..., n-1 ) stands for a type which much be one of ’s, determined by the value of i n-1 is represented as [a:nat | a < n] (int(a) choose (a; 0,..., n-1 ))
22 An example: lists List constructors: Nil: list(0) Cons: {n:nat} ‘a * list(n) -> list(n+1) The list type is represented as follows in DTAL: t. n:nat. unit t n where is n=0, and is a:nat, n=a+1
23 Generating DTAL code For a proof of concept, we have built a compiler from Xanadu to DTAL The types for labels in DTAL code are constructed from the type annotations in Xanadu programs Currently, there is no formalization of the compiler
24 DTAL vs. TPCC DTAL requires a constraint solver for handling linear constraints in TBC; but TPCC requires none We plan to translate proofs of constraints from Xanadu to DTAL to address the issue With source language support, DTAL can handle cases that could be difficult for TPCC, which uses a synthesis approach to array bound check elimination
25 Some Related Work Here is a list of some closely related work Dependent types in practical programming (Xi & Pfenning) Typed assembly language (TAL) (Morrisett et al) LTT, an expressive, scalable type theory for certified code (Crary and Vanderwaart) Proof-carrying code (Necula & Lee) TILT compiler (the Fox project at CMU) Flint compiler (Zhong Shao et al)
26 End of the Talk Thank You! Questions?
27 Another typing rule typing judgment: ; ;R |- I ; ;R |- r2:int(x) ; ;R |- v:int(y) ; ;R[r1:int(x+y)] |- I ; ;R |- add r1, r2, v; I
28 A copy function in DML fun copy (src, dst) = let fun loop (i, len) = if i unit in loop (0, length src) end withtype {m:nat,n:nat | m unit (* length: {n:nat} ‘a array(n) -> int(n) *)